I am migrating from an old system that stored simple unsalted MD5 passwords into Devise. Although I could roll my own encryptor as recommended in the Devise wiki, I really want to move to the bcrypt password mechanism.
It also seems more reasonable than loading rainbow tables and trying to recover every plaintext password ...
So I am wondering whether there could be any side effects to the following code, especially around `save!` triggering callbacks that have unintended behavior:
```ruby
## config/initializers/legacy.rb
require 'bcrypt'
require 'digest/md5'

module Devise
  module Models
    module DatabaseAuthenticatable
      def valid_password?(password)
        if self.legacy_password_hash
          if ::Digest::MD5.hexdigest(password) == self.legacy_password_hash
            ## authenticated; now convert to bcrypt password
            self.password = password
            self.legacy_password_hash = nil
            self.save!
            return true
          else
            ## so that we don't get a bcrypt invalid hash exception
            return false
          end
        else
          return ::BCrypt::Password.new(self.encrypted_password) == "#{password}#{self.class.pepper}"
        end
      end
    end
  end
end
```
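As an added example (not from the post or from Devise), here is the same migrate-on-login flow outside Devise, with `save!` counted so the side effect being asked about is visible, and with the wrong-password path shown to leave the record untouched. Salted PBKDF2-HMAC-SHA256 from Ruby's stdlib OpenSSL stands in for bcrypt so it runs without the bcrypt gem; `SlowHash`, `LegacyUser` and the sample credentials are made up for this illustration.

```ruby
require 'digest/md5'
require 'openssl'
require 'securerandom'

# Stand-in for BCrypt::Password: salted, iterated PBKDF2 (assumption: a real
# app would keep bcrypt; only the hash primitive differs, the flow is the same).
module SlowHash
  ITERATIONS = 100_000

  def self.create(password)
    salt = SecureRandom.hex(16)
    "#{ITERATIONS}$#{salt}$#{digest(password, salt, ITERATIONS)}"
  end

  def self.verify(stored, password)
    iters, salt, hex = stored.split('$', 3)
    secure_compare(hex, digest(password, salt, iters.to_i))
  end

  def self.digest(password, salt, iters)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iters,
                             length: 32, hash: 'sha256').unpack1('H*')
  end

  # Constant-time comparison so hash checks do not leak a prefix match.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed stand-in for the Devise user record (not ActiveRecord).
class LegacyUser
  attr_accessor :legacy_password_hash, :encrypted_password, :saves

  def initialize(legacy_md5:)
    @legacy_password_hash = legacy_md5
    @encrypted_password = nil
    @saves = 0 # counts save! calls, i.e. how often the callback chain would fire
  end

  def save!
    @saves += 1
  end

  def valid_password?(password)
    if legacy_password_hash
      # Unsalted MD5 path: used at most once, then the record is upgraded.
      return false unless SlowHash.secure_compare(Digest::MD5.hexdigest(password), legacy_password_hash)
      self.encrypted_password = SlowHash.create(password)
      self.legacy_password_hash = nil
      save!
      true
    else
      SlowHash.verify(encrypted_password, password)
    end
  end
end
```

A failed login never writes to the record, and only the first successful login triggers `save!`; every later login takes the slow-hash path without saving.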
Matt