discourse/app/models/user_password.rb

# frozen_string_literal: true

class UserPassword < ActiveRecord::Base
  MAX_PASSWORD_LENGTH = 200
  TARGET_PASSWORD_ALGORITHM =
    "$pbkdf2-#{Rails.configuration.pbkdf2_algorithm}$i=#{Rails.configuration.pbkdf2_iterations},l=32$"
  PASSWORD_SALT_LENGTH = 16

  belongs_to :user, required: true

  validates :user_id, uniqueness: true
  validate :password_validator
  before_save :ensure_password_is_hashed
  after_save :clear_raw_password

  def password
    # this getter method is still required, but we store the set password in @raw_password instead of making it easily accessible from the getter
    nil
  end

  def password=(pw)
    return if pw.blank?

    self.password_hash_will_change!
    @raw_password = pw
  end

  def password_validation_required?
    @raw_password.present?
  end

  def confirm_password?(pw)
    # nothing to confirm if this record has not been persisted yet
    return false if !persisted?
    return false if password_hash != hash_password(pw, password_salt, password_algorithm)
    regen_password!(pw) if password_algorithm != TARGET_PASSWORD_ALGORITHM

    true
  end

  private

  def clear_raw_password
    @raw_password = nil
  end

  def password_validator
    UserPasswordValidator.new(attributes: :password).validate_each(self, :password, @raw_password)
  end

  def hash_password(pw, salt, algorithm)
    raise StandardError.new("password is too long") if pw.size > MAX_PASSWORD_LENGTH
    PasswordHasher.hash_password(password: pw, salt: salt, algorithm: algorithm)
  end

  def ensure_password_is_hashed
    return if @raw_password.blank?

    self.password_salt = SecureRandom.hex(PASSWORD_SALT_LENGTH)
    self.password_algorithm = TARGET_PASSWORD_ALGORITHM
    self.password_hash = hash_password(@raw_password, password_salt, password_algorithm)
  end

  def regen_password!(pw)
    # Regenerate password_hash with new algorithm and persist, we skip validation here since it has already run once when the hash was persisted the first time
    salt = SecureRandom.hex(PASSWORD_SALT_LENGTH)
    update_columns(
      password_algorithm: TARGET_PASSWORD_ALGORITHM,
      password_salt: salt,
      password_hash: hash_password(pw, salt, TARGET_PASSWORD_ALGORITHM),
    )
  end
end

# == Schema Information
#
# Table name: user_passwords
#
#  id                  :integer          not null, primary key
#  user_id             :integer          not null
#  password_hash       :string(64)       not null
#  password_salt       :string(32)       not null
#  password_algorithm  :string(64)       not null
#  password_expired_at :datetime
#  created_at          :datetime         not null
#  updated_at          :datetime         not null
#
# Indexes
#
#  index_user_passwords_on_user_id  (user_id) UNIQUE
#
FEATURE: Allow site admin to mark a user's password as expired (#27314) This commit adds the ability for site administrators to mark users' passwords as expired. Note that this commit does not add any client side interface to mark a user's password as expired. The following changes are introduced in this commit: 1. Adds a `user_passwords` table and `UserPassword` model. While the `user_passwords` table is currently used to only store expired passwords, it will be used in the future to store a user's current password as well. 2. Adds a `UserPasswordExpirer.expire_user_password` method which can be used from the Rails console to mark a user's password as expired. 3. Updates `SessionsController#create` to check that the user's current password has not been marked as expired after confirming the password. If the password is determined to be expired based on the existence of a `UserPassword` record with the `password_expired_at` column set, we will not log the user in and will display a password expired notice. A forgot password email is automatically send out to the user as well. 2024-06-04 15:42:53 +08:00			`# frozen_string_literal: true`

			`class UserPassword < ActiveRecord::Base`
DEV: Migrate user passwords data to UserPassword table (#28746) * Add migrations to ensure password hash is synced across users & user_passwords * Persist password-related data in user_passwords instead of users * Merge User#expire_old_email_tokens with User#expire_tokens_if_password_changed * Add post deploy migration to mark password-related columns from users table as read-only * Refactored UserPassword#confirm_password? and changes required to accommodate hashing the password after validations 2024-10-10 09:23:06 +08:00			`MAX_PASSWORD_LENGTH = 200`
			`TARGET_PASSWORD_ALGORITHM =`
			`"$pbkdf2-#{Rails.configuration.pbkdf2_algorithm}$i=#{Rails.configuration.pbkdf2_iterations},l=32$"`
			`PASSWORD_SALT_LENGTH = 16`

			`belongs_to :user, required: true`
FEATURE: Allow site admin to mark a user's password as expired (#27314) This commit adds the ability for site administrators to mark users' passwords as expired. Note that this commit does not add any client side interface to mark a user's password as expired. The following changes are introduced in this commit: 1. Adds a `user_passwords` table and `UserPassword` model. While the `user_passwords` table is currently used to only store expired passwords, it will be used in the future to store a user's current password as well. 2. Adds a `UserPasswordExpirer.expire_user_password` method which can be used from the Rails console to mark a user's password as expired. 3. Updates `SessionsController#create` to check that the user's current password has not been marked as expired after confirming the password. If the password is determined to be expired based on the existence of a `UserPassword` record with the `password_expired_at` column set, we will not log the user in and will display a password expired notice. A forgot password email is automatically send out to the user as well. 2024-06-04 15:42:53 +08:00
DEV: make UserPassword 1:1 to User (#28528) * add data migration to keep only unexpired or most recently expired user password * refactor to 1:1 relationship between User and UserPassword * add migration to remove redundant indexes on user passwords 2024-09-03 11:09:33 +08:00			`validates :user_id, uniqueness: true`
DEV: Migrate user passwords data to UserPassword table (#28746) * Add migrations to ensure password hash is synced across users & user_passwords * Persist password-related data in user_passwords instead of users * Merge User#expire_old_email_tokens with User#expire_tokens_if_password_changed * Add post deploy migration to mark password-related columns from users table as read-only * Refactored UserPassword#confirm_password? and changes required to accommodate hashing the password after validations 2024-10-10 09:23:06 +08:00			`validate :password_validator`
			`before_save :ensure_password_is_hashed`
			`after_save :clear_raw_password`

			`def password`
			`# this getter method is still required, but we store the set password in @raw_password instead of making it easily accessible from the getter`
			`nil`
			`end`

			`def password=(pw)`
			`return if pw.blank?`

			`self.password_hash_will_change!`
			`@raw_password = pw`
			`end`

			`def password_validation_required?`
			`@raw_password.present?`
			`end`

			`def confirm_password?(pw)`
			`# nothing to confirm if this record has not been persisted yet`
			`return false if !persisted?`
			`return false if password_hash != hash_password(pw, password_salt, password_algorithm)`
			`regen_password!(pw) if password_algorithm != TARGET_PASSWORD_ALGORITHM`

			`true`
			`end`

			`private`

			`def clear_raw_password`
			`@raw_password = nil`
			`end`

			`def password_validator`
			`UserPasswordValidator.new(attributes: :password).validate_each(self, :password, @raw_password)`
			`end`

			`def hash_password(pw, salt, algorithm)`
			`raise StandardError.new("password is too long") if pw.size > MAX_PASSWORD_LENGTH`
			`PasswordHasher.hash_password(password: pw, salt: salt, algorithm: algorithm)`
			`end`

			`def ensure_password_is_hashed`
			`return if @raw_password.blank?`

			`self.password_salt = SecureRandom.hex(PASSWORD_SALT_LENGTH)`
			`self.password_algorithm = TARGET_PASSWORD_ALGORITHM`
			`self.password_hash = hash_password(@raw_password, password_salt, password_algorithm)`
			`end`
FEATURE: Allow site admin to mark a user's password as expired (#27314) This commit adds the ability for site administrators to mark users' passwords as expired. Note that this commit does not add any client side interface to mark a user's password as expired. The following changes are introduced in this commit: 1. Adds a `user_passwords` table and `UserPassword` model. While the `user_passwords` table is currently used to only store expired passwords, it will be used in the future to store a user's current password as well. 2. Adds a `UserPasswordExpirer.expire_user_password` method which can be used from the Rails console to mark a user's password as expired. 3. Updates `SessionsController#create` to check that the user's current password has not been marked as expired after confirming the password. If the password is determined to be expired based on the existence of a `UserPassword` record with the `password_expired_at` column set, we will not log the user in and will display a password expired notice. A forgot password email is automatically send out to the user as well. 2024-06-04 15:42:53 +08:00
DEV: Migrate user passwords data to UserPassword table (#28746) * Add migrations to ensure password hash is synced across users & user_passwords * Persist password-related data in user_passwords instead of users * Merge User#expire_old_email_tokens with User#expire_tokens_if_password_changed * Add post deploy migration to mark password-related columns from users table as read-only * Refactored UserPassword#confirm_password? and changes required to accommodate hashing the password after validations 2024-10-10 09:23:06 +08:00			`def regen_password!(pw)`
			`# Regenerate password_hash with new algorithm and persist, we skip validation here since it has already run once when the hash was persisted the first time`
			`salt = SecureRandom.hex(PASSWORD_SALT_LENGTH)`
			`update_columns(`
			`password_algorithm: TARGET_PASSWORD_ALGORITHM,`
			`password_salt: salt,`
			`password_hash: hash_password(pw, salt, TARGET_PASSWORD_ALGORITHM),`
			`)`
			`end`
FEATURE: Allow site admin to mark a user's password as expired (#27314) This commit adds the ability for site administrators to mark users' passwords as expired. Note that this commit does not add any client side interface to mark a user's password as expired. The following changes are introduced in this commit: 1. Adds a `user_passwords` table and `UserPassword` model. While the `user_passwords` table is currently used to only store expired passwords, it will be used in the future to store a user's current password as well. 2. Adds a `UserPasswordExpirer.expire_user_password` method which can be used from the Rails console to mark a user's password as expired. 3. Updates `SessionsController#create` to check that the user's current password has not been marked as expired after confirming the password. If the password is determined to be expired based on the existence of a `UserPassword` record with the `password_expired_at` column set, we will not log the user in and will display a password expired notice. A forgot password email is automatically send out to the user as well. 2024-06-04 15:42:53 +08:00			`end`

			`# == Schema Information`
			`#`
			`# Table name: user_passwords`
			`#`
			`# id :integer not null, primary key`
			`# user_id :integer not null`
			`# password_hash :string(64) not null`
			`# password_salt :string(32) not null`
			`# password_algorithm :string(64) not null`
			`# password_expired_at :datetime`
			`# created_at :datetime not null`
			`# updated_at :datetime not null`
			`#`
			`# Indexes`
			`#`
DEV: make UserPassword 1:1 to User (#28528) * add data migration to keep only unexpired or most recently expired user password * refactor to 1:1 relationship between User and UserPassword * add migration to remove redundant indexes on user passwords 2024-09-03 11:09:33 +08:00			`# index_user_passwords_on_user_id (user_id) UNIQUE`
FEATURE: Allow site admin to mark a user's password as expired (#27314) This commit adds the ability for site administrators to mark users' passwords as expired. Note that this commit does not add any client side interface to mark a user's password as expired. The following changes are introduced in this commit: 1. Adds a `user_passwords` table and `UserPassword` model. While the `user_passwords` table is currently used to only store expired passwords, it will be used in the future to store a user's current password as well. 2. Adds a `UserPasswordExpirer.expire_user_password` method which can be used from the Rails console to mark a user's password as expired. 3. Updates `SessionsController#create` to check that the user's current password has not been marked as expired after confirming the password. If the password is determined to be expired based on the existence of a `UserPassword` record with the `password_expired_at` column set, we will not log the user in and will display a password expired notice. A forgot password email is automatically send out to the user as well. 2024-06-04 15:42:53 +08:00			`#`