0

我有一个使用 Roda + Sequel 堆栈构建的 API。这是我的User模型的样子:

# frozen_string_literal: true

# {User} is model responsible for storing {User} authentication informations like email and password.
#
# @!attribute id
#   @return [UUID] ID of the {User} in UUID format.
#
# @!attribute email
#   @return [String] Email of the {User}, it's stored in the PostgreSQL citext column.
#
# @!attribute password_hash
#   @return [String] {User} hashed password with bcrypt.
#
# @!attribute created_at
#   @return [DateTime] Time when {User} was created.
#
# @!attribute updated_at
#   @return [DateTime] Time when {User} was updated
class User < Sequel::Model
  # It returns instance BCrypt::Password based on value in password_hash column.
  #
  # @return [BCrypt::Password ] based on value in password_hash column.
  #
  # @example Get {User} password hash:
  #   User.new(password: 'test').password #=> "$2a$12$FktSw7HPYEUYSPBdmmsiXe26II6UV5gvyn2ECwOflTYHP94Hrm2mS"
  def password
    @password ||= BCrypt::Password.new(password_hash)
  end

  # It sets password_hash column with hashed user password.
  #
  # @return [String] user password hash.
  #
  # @example Set {User} password:
  #   User.new(password: 'test').password_hash #=> "$2a$12$FktSw7HPYEUYSPBdmmsiXe26II6UV5gvyn2ECwOflTYHP94Hrm2mS"
  def password=(new_password)
    @password = BCrypt::Password.create(new_password)

    self.password_hash = @password
  end
end

我有以下测试:

describe 'update user password' do
  let(:params) { { password: 'new-password' } }

  before do
    put '/api/v1/update_password', params

    user.reload
  end

  it 'returns 200 HTTP status' do
    expect(response.status).to eq 200
  end
   
  This one is failing.
  it 'updates user password' do
    expect(user.password == 'new-password').to eq true
  end
  
  # This one is passing.
  it 'updates user password' do
    expect(BCrypt::Password.new(user.password_hash).is_password?('new-password')).to eq true
  end
end

这个例子失败了:

  it 'updates user password' do
    expect(user.password == 'new-password').to eq true
  end

但这一个正在通过:

 it 'updates user password' do
    expect(BCrypt::Password.new(user.password_hash).is_password?('new-password')).to eq true
  end

有人可以向我解释为什么我的第一个示例失败了吗?

4

2 回答 2

1

重写这个

it 'updates user password' do
  expect(user.password == 'new-password').to eq true
end

对这个

it 'updates user password' do
  expect(user.password).to eq(BCrypt::Password.create('new-password'))
end

您的 ruby​​ 对象User包含该密码的散列版本

user.password
=> "$2a$12$FktSw7HPYEUYSPBdmmsiXe26II6UV5gvyn2ECwOflTYHP94Hrm2mS"
'$2a$12$FktSw7HPYEUYSPBdmmsiXe26II6UV5gvyn2ECwOflTYHP94Hrm2mS' == 'new-password'
=> false

为了比较它们,您必须加密您的“新密码”并比较两个哈希值。您可以使用 bcrypt 轻松加密任何字符串,但解密需要很长时间(数年)。在验证密码之前很常见,input password使用与您的数据库包含的相同的算法加密您的密码

于 2020-12-28T12:43:16.383 回答
0

你自己回答你的问题:你在保存密码之前对密码进行哈希处理(在密码设置器中User.rb

  # It sets password_hash column with hashed user password.
  #
  # @return [String] user password hash.
  #
  # @example Set {User} password:
  #   User.new(password: 'test').password_hash #=> "$2a$12$FktSw7HPYEUYSPBdmmsiXe26II6UV5gvyn2ECwOflTYHP94Hrm2mS"
  def password=(new_password)
    @password = BCrypt::Password.create(new_password)

    self.password_hash = @password
  end

在您的第一个测试中,您尝试将散列密码与未散列的字符串进行比较。

于 2020-12-28T10:17:00.360 回答