Migration from Devise

Question

Migration from Devise

brandonparsons opened this issue 8 years ago · 4 comments

Hi there,

I'd like to use comeonin for a port of an app I'm moving over from Rails. My passwords are currently hashed by Rails using Devise. Is it possible to migrate over directly, or convert the passwords somehow?

Answer 1 · 2016-11-25T04:08:27.000Z

Each password hash should have the necessary information contained within it, and you should have no problem using Comeonin to check passwords used in your Rails app.

Having Devise check the password hashes generated by Comeonin is a little more complex, but is possible.

If you could provide me with an example password hash generated using Devise, I can give you some more advice.

Answer 2 · 2016-11-25T17:04:19.000Z

@riverrun Hi there - thanks for getting back to me!

Luckily it seems like I'm on the easier end of the bargain. I'm hoping that I can just move the database over to the new app using Comeonin. Then when users attempt to log in, I'd use Comeonin to check the password against the Rails/Devise hash, and if successful, write a new hash generated by Comeonin's default algorithm and use that from then on. Hopefully the whole process would be transparent to my end users.

Here's some example data from the current Rails/Devise implementation:

u = User.first
u.update password: "asdfasdf", password_confirmation: "asdfasdf"

u.encrypted_password
=> "$2a$10$VRqlEG1zAldYrjQSR3gACuxbb4QFVTzq2QWEq369eINekOKrpIseK"

So hashing asdfasdf in my current Rails app gets us "$2a$10$VRqlEG1zAldYrjQSR3gACuxbb4QFVTzq2QWEq369eINekOKrpIseK".

I suppose I'm after something like the following in my new Elixir app (pseudo-code):

u = %User{....}
attempted_password = "asdfasdf"
current_hash = u.old_encrypted_password # "$2a$10$VRqlEG1zAldYrjQSR3gACuxbb4QFVTzq2QWEq369eINekOKrpIseK"

if Comeonin.validate_old_brcypt_2a_hash(attempted_password, current_hash) do
  User.sign_in(user) # ......
  User.set_new_encrypted_password( Comeonin.hashpwsalt(attempted_password) )
else
  User.failed_login(user)
end

Answer 3 · 2016-11-28T13:11:47.000Z

That pseudo code looks fine. A couple of comments:

You can use the regular Comeonin.Bcrypt.checkpw(attempted password, current_hash) function - it can check both the '2b' and '2a' hashes
If the hashes in your database also start with '$2a$10$', this indicates that the number of rounds is 2^10, which on current hardware is probably too low, so creating a new hash with Comeonin.Bcrypt.hashpwsalt is probably well worth it (the default number of rounds for Comeonin.Bcrypt is 12).

If you have any further questions, just let me know.

Answer 4 · 2016-11-28T14:09:15.000Z

Great - thanks David! Didn't know that checkpw would work on both types of hashes. That should make this conversion much easier.

…

On Mon, Nov 28, 2016 at 6:11 AM David Whitlock ***@***.***> wrote: That pseudo code looks fine. A couple of comments: 1. You can use the regular Comeonin.Bcrypt.checkpw(attempted password, current_hash) function - it can check both the '2b' and '2a' hashes 2. If the hashes in your database also start with '$2a$10$', this indicates that the number of rounds is 10^2, which on current hardware is probably too low, so creating a new hash with Comeonin.Bcrypt.hashpwsalt is probably well worth it (the default number of rounds for Comeonin.Bcrypt is 12, but I'm thinking of increasing it to 13 or 14 in the near future). If you have any further questions, just let me know. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#97 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABN86gXxMedzdrDFhPF5ikGUK5eVQi4aks5rCtMTgaJpZM4K4z6C> .