Class: Authlogic::CryptoProviders::Guidance
- Inherits:
-
Object
- Object
- Authlogic::CryptoProviders::Guidance
- Defined in:
- lib/authlogic/crypto_providers.rb
Overview
Guide users to choose a better crypto provider.
Constant Summary collapse
- AES256_DEPRECATED =
<<~EOS.freeze You have selected AES256 as your authlogic crypto provider. This choice is not suitable for password storage. Authlogic will drop its AES256 crypto provider in the next major version. If you're unable to transition away from AES256 please let us know immediately. We recommend using a one-way algorithm instead. There are many choices; we recommend scrypt. Use the transition_from_crypto_providers option to make this painless for your users. EOS
- BUILTIN_PROVIDER_PREFIX =
"Authlogic::CryptoProviders::".freeze
- NONADAPTIVE_ALGORITHM =
<<~EOS.freeze You have selected %s as your authlogic crypto provider. This algorithm does not have any practical known attacks against it. However, there are better choices. Authlogic has no plans yet to deprecate this crypto provider. However, we recommend transitioning to a more secure, adaptive hashing algorithm, like scrypt. Adaptive algorithms are designed to slow down brute force attacks, and over time the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even in the face of increasing computation power. Use the transition_from_crypto_providers option to make the transition painless for your users. EOS
- VULNERABLE_ALGORITHM =
<<~EOS.freeze You have selected %s as your authlogic crypto provider. It is a poor choice because there are known attacks against this algorithm. Authlogic has no plans yet to deprecate this crypto provider. However, we recommend transitioning to a secure hashing algorithm. We recommend an adaptive algorithm, like scrypt. Use the transition_from_crypto_providers option to make the transition painless for your users. EOS
Instance Method Summary collapse
- #impart_wisdom ⇒ Object
-
#initialize(provider) ⇒ Guidance
constructor
A new instance of Guidance.
Constructor Details
#initialize(provider) ⇒ Guidance
Returns a new instance of Guidance.
76 77 78 |
# File 'lib/authlogic/crypto_providers.rb', line 76 def initialize(provider) @provider = provider end |
Instance Method Details
#impart_wisdom ⇒ Object
80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 |
# File 'lib/authlogic/crypto_providers.rb', line 80 def impart_wisdom return unless @provider.is_a?(Class) # We can only impart wisdom about our own built-in providers. absolute_name = @provider.name return unless absolute_name.start_with?(BUILTIN_PROVIDER_PREFIX) # Inspect the string name of the provider, rather than using the # constants in our `when` clauses. If we used the constants, we'd # negate the benefits of the `autoload` above. name = absolute_name.demodulize case name when "AES256" ::ActiveSupport::Deprecation.warn(AES256_DEPRECATED) when "MD5", "Sha1" warn(format(VULNERABLE_ALGORITHM, name)) when "Sha256", "Sha512" warn(format(NONADAPTIVE_ALGORITHM, name)) end end |