[ruby-cvs:71151] normal:r64060 (trunk): webrick: Support bcrypt password hashing

normal at ruby-lang.org
Thu Jul 26 12:21:52 JST 2018


normal	2018-07-26 12:21:52 +0900 (Thu, 26 Jul 2018)

  New Revision: 64060

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=64060

  Log:
    webrick: Support bcrypt password hashing
    
    This adds a password_hash keyword argument to
    WEBrick::HTTPAuth::Htpasswd#initialize.  If set to :bcrypt, it
    will create bcrypt hashes instead of crypt hashes, and will
    raise an exception if the .htpasswd file uses crypt hashes.
    
    If :bcrypt is used, then instead of calling
    BasicAuth.make_passwd (which uses crypt),
    WEBrick::HTTPAuth::Htpasswd#set_passwd will set the bcrypt
    password directly.  It isn't possible to change the
    make_passwd API to accept the password hash format, as that
    would break configurations that use Htpasswd#auth_type= to set
    a custom auth_type.
    
    This modifies WEBrick::HTTPAuth::BasicAuth to handle checking
    both crypt and bcrypt hashes.
    
    There are commented out requires for 'string/crypt', to handle
    when String#crypt is deprecated and the undeprecated version is
    moved to a gem.
    
    There is also a commented out warning for the case when
    the password_hash keyword is not specified and 'string/crypt'
    cannot be required.  I think the warning makes sense to nudge
    users to using bcrypt.
    
    I've updated the tests to test nil, :crypt, and :bcrypt values
    for the password_hash keyword, skipping the bcrypt tests if the
    bcrypt library cannot be required.
    
    [ruby-core:88111] [Feature #14940]
    
    From: Jeremy Evans <code at jeremyevans.net>

  Modified files:
    trunk/lib/webrick/httpauth/basicauth.rb
    trunk/lib/webrick/httpauth/htpasswd.rb
    trunk/test/webrick/test_httpauth.rb
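
Because the log states that password_hash: :bcrypt raises when the .htpasswd file still holds crypt hashes, the following added example (not part of this commit or of WEBrick) audits a file's entries by hash format before the switch. The regexes, function names and sample data are assumptions based on the common htpasswd line shapes, not WEBrick's own parsing code.

```ruby
# Added example: classify .htpasswd entries by hash format before enabling
# password_hash: :bcrypt. Patterns are assumptions about common htpasswd
# hash shapes, not taken from WEBrick's source.
CRYPT_RE  = %r{\A[./0-9A-Za-z]{13}\z}                 # traditional crypt(3): 2-char salt + 11-char hash
BCRYPT_RE = %r{\A\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}\z} # bcrypt: version, cost, 22-char salt + 31-char hash

def classify_hash(hash)
  case hash
  when BCRYPT_RE    then :bcrypt
  when CRYPT_RE     then :crypt
  when /\A\$apr1\$/ then :md5     # Apache MD5 variant
  when /\A\{SHA\}/  then :sha1    # unsalted SHA-1
  else :unknown
  end
end

# Returns { format => [user, ...] } for every "user:hash" line in the text.
def audit_htpasswd(text)
  report = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    line = line.chomp
    next if line.empty?
    user, hash = line.split(":", 2)
    report[classify_hash(hash.to_s)] << user
  end
  report
end

# Users whose entries are not bcrypt and need a password reset before the switch.
def blocking_users(text)
  audit_htpasswd(text).reject { |fmt, _| fmt == :bcrypt }.values.flatten
end

# Constructed sample file; the hash strings are placeholders with the right shape only.
SAMPLE = <<~HTPASSWD
  alice:sa#{'x' * 11}
  bob:$2a$10$#{'A' * 53}
  carol:$apr1$constructed$placeholderplaceholder
  dave:{SHA}constructedplaceholder=
HTPASSWD

if __FILE__ == $PROGRAM_NAME
  audit_htpasswd(SAMPLE).each { |fmt, users| puts "#{fmt}: #{users.join(', ')}" }
  puts "reset before enabling :bcrypt: #{blocking_users(SAMPLE).join(', ')}"
end
```
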

