ash-project/ash_authentication
1
0
Fork 0
mirror of https://github.com/team-alembic/ash_authentication.git synced 2024-09-19 21:03:23 +12:00
Code Issues Projects Releases Packages Wiki Activity

chore: no bcrypt

Browse source
This commit is contained in:
Zach Daniel 2024-05-09 10:30:48 -04:00
parent 8070e011cd
commit e27d7e5eae
8 changed files with 35 additions and 57 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.tool-versions
View file

@ -1,2 +0,0 @@
elixir 1.15.6
erlang 26.1

2
config/test.exs
View file

@ -10,7 +10,7 @@ config :ash_authentication, Example.Repo,
pool: Ecto.Adapters.SQL.Sandbox,
pool_size: 10
config :bcrypt_elixir, :log_rounds, 4
# config :bcrypt_elixir, :log_rounds, 4
config :ash, :disable_async?, true

72
documentation/dsls/DSL:-AshAuthentication.Strategy.Password.md
View file

@ -1,6 +1,7 @@
<!--
This file was generated by Spark. Do not edit it by hand.
-->
# DSL: AshAuthentication.Strategy.Password
Strategy for authenticating using local resources as the source of truth.
@ -47,7 +48,7 @@ end
By default the password strategy will automatically generate the register,
sign-in, reset-request and reset actions for you, however you're free to
define them yourself. If you do, then the action will be validated to ensure
define them yourself. If you do, then the action will be validated to ensure
that all the needed configuration is present.
If you wish to work with the actions directly from your code you can do so via
@ -94,87 +95,66 @@ Dispatching to plugs directly:
See the [Testing guide](/documentation/topics/testing.md) for tips on testing resources using this strategy.
## authentication.strategies.password
```elixir
password name \\ :password
```
Strategy for authenticating using local resources as the source of truth.
### Nested DSLs
* [resettable](#authentication-strategies-password-resettable)
- [resettable](#authentication-strategies-password-resettable)
### Examples
```
password :password do
identity_field :email
hashed_password_field :hashed_password
hash_provider AshAuthentication.BcryptProvider
confirmation_required? true
end
```
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`identity_field`](#authentication-strategies-password-identity_field){: #authentication-strategies-password-identity_field } | `atom` | `:username` | The name of the attribute which uniquely identifies the user, usually something like `username` or `email_address`. |
| [`hashed_password_field`](#authentication-strategies-password-hashed_password_field){: #authentication-strategies-password-hashed_password_field } | `atom` | `:hashed_password` | The name of the attribute within which to store the user's password once it has been hashed. |
| [`hash_provider`](#authentication-strategies-password-hash_provider){: #authentication-strategies-password-hash_provider } | `module` | `AshAuthentication.BcryptProvider` | A module which implements the `AshAuthentication.HashProvider` behaviour, to provide cryptographic hashing of passwords. |
| [`confirmation_required?`](#authentication-strategies-password-confirmation_required?){: #authentication-strategies-password-confirmation_required? } | `boolean` | `true` | Whether a password confirmation field is required when registering or changing passwords. |
| [`register_action_accept`](#authentication-strategies-password-register_action_accept){: #authentication-strategies-password-register_action_accept } | `list(atom)` | `[]` | A list of additional fields to be accepted in the register action. |
| [`password_field`](#authentication-strategies-password-password_field){: #authentication-strategies-password-password_field } | `atom` | `:password` | The name of the argument used to collect the user's password in plaintext when registering, checking or changing passwords. |
| [`password_confirmation_field`](#authentication-strategies-password-password_confirmation_field){: #authentication-strategies-password-password_confirmation_field } | `atom` | `:password_confirmation` | The name of the argument used to confirm the user's password in plaintext when registering or changing passwords. |
| [`register_action_name`](#authentication-strategies-password-register_action_name){: #authentication-strategies-password-register_action_name } | `atom` | | The name to use for the register action. Defaults to `register_with_<strategy_name>` |
| [`registration_enabled?`](#authentication-strategies-password-registration_enabled?){: #authentication-strategies-password-registration_enabled? } | `boolean` | `true` | If you do not want new users to be able to register using this strategy, set this to false. |
| [`sign_in_action_name`](#authentication-strategies-password-sign_in_action_name){: #authentication-strategies-password-sign_in_action_name } | `atom` | | The name to use for the sign in action. Defaults to `sign_in_with_<strategy_name>` |
| [`sign_in_enabled?`](#authentication-strategies-password-sign_in_enabled?){: #authentication-strategies-password-sign_in_enabled? } | `boolean` | `true` | If you do not want new users to be able to sign in using this strategy, set this to false. |
| [`sign_in_tokens_enabled?`](#authentication-strategies-password-sign_in_tokens_enabled?){: #authentication-strategies-password-sign_in_tokens_enabled? } | `boolean` | `true` | Whether or not to support generating short lived sign in tokens. Requires the resource to have tokens enabled. |
| [`sign_in_token_lifetime`](#authentication-strategies-password-sign_in_token_lifetime){: #authentication-strategies-password-sign_in_token_lifetime } | `pos_integer \| {pos_integer, :days \| :hours \| :minutes \| :seconds}` | `{60, :seconds}` | A lifetime for which a generated sign in token will be valid, if `sign_in_tokens_enabled?`. Unit defaults to `:seconds`. |
| Name | Type | Default | Docs |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------- | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
| [`identity_field`](#authentication-strategies-password-identity_field){: #authentication-strategies-password-identity_field } | `atom` | `:username` | The name of the attribute which uniquely identifies the user, usually something like `username` or `email_address`. |
| [`hashed_password_field`](#authentication-strategies-password-hashed_password_field){: #authentication-strategies-password-hashed_password_field } | `atom` | `:hashed_password` | The name of the attribute within which to store the user's password once it has been hashed. |
| [`hash_provider`](#authentication-strategies-password-hash_provider){: #authentication-strategies-password-hash_provider } | `module` | `AshAuthentication.BcryptProvider` | A module which implements the `AshAuthentication.HashProvider` behaviour, to provide cryptographic hashing of passwords. |
| [`confirmation_required?`](#authentication-strategies-password-confirmation_required?){: #authentication-strategies-password-confirmation_required? } | `boolean` | `true` | Whether a password confirmation field is required when registering or changing passwords. |
| [`register_action_accept`](#authentication-strategies-password-register_action_accept){: #authentication-strategies-password-register_action_accept } | `list(atom)` | `[]` | A list of additional fields to be accepted in the register action. |
| [`password_field`](#authentication-strategies-password-password_field){: #authentication-strategies-password-password_field } | `atom` | `:password` | The name of the argument used to collect the user's password in plaintext when registering, checking or changing passwords. |
| [`password_confirmation_field`](#authentication-strategies-password-password_confirmation_field){: #authentication-strategies-password-password_confirmation_field } | `atom` | `:password_confirmation` | The name of the argument used to confirm the user's password in plaintext when registering or changing passwords. |
| [`register_action_name`](#authentication-strategies-password-register_action_name){: #authentication-strategies-password-register_action_name } | `atom` | | The name to use for the register action. Defaults to `register_with_<strategy_name>` |
| [`registration_enabled?`](#authentication-strategies-password-registration_enabled?){: #authentication-strategies-password-registration_enabled? } | `boolean` | `true` | If you do not want new users to be able to register using this strategy, set this to false. |
| [`sign_in_action_name`](#authentication-strategies-password-sign_in_action_name){: #authentication-strategies-password-sign_in_action_name } | `atom` | | The name to use for the sign in action. Defaults to `sign_in_with_<strategy_name>` |
| [`sign_in_enabled?`](#authentication-strategies-password-sign_in_enabled?){: #authentication-strategies-password-sign_in_enabled? } | `boolean` | `true` | If you do not want new users to be able to sign in using this strategy, set this to false. |
| [`sign_in_tokens_enabled?`](#authentication-strategies-password-sign_in_tokens_enabled?){: #authentication-strategies-password-sign_in_tokens_enabled? } | `boolean` | `true` | Whether or not to support generating short lived sign in tokens. Requires the resource to have tokens enabled. |
| [`sign_in_token_lifetime`](#authentication-strategies-password-sign_in_token_lifetime){: #authentication-strategies-password-sign_in_token_lifetime } | `pos_integer \| {pos_integer, :days \| :hours \| :minutes \| :seconds}` | `{60, :seconds}` | A lifetime for which a generated sign in token will be valid, if `sign_in_tokens_enabled?`. Unit defaults to `:seconds`. |
## authentication.strategies.password.resettable
Configure password reset options for the resource
### Options
| Name | Type | Default | Docs |
|------|------|---------|------|
| [`sender`](#authentication-strategies-password-resettable-sender){: #authentication-strategies-password-resettable-sender .spark-required} | `(any, any, any -> any) \| module` | | The sender to use when sending password reset instructions. |
| [`token_lifetime`](#authentication-strategies-password-resettable-token_lifetime){: #authentication-strategies-password-resettable-token_lifetime } | `pos_integer \| {pos_integer, :days \| :hours \| :minutes \| :seconds}` | `{3, :days}` | How long should the reset token be valid. If no unit is provided `:hours` is assumed. |
| [`request_password_reset_action_name`](#authentication-strategies-password-resettable-request_password_reset_action_name){: #authentication-strategies-password-resettable-request_password_reset_action_name } | `atom` | | The name to use for the action which generates a password reset token. Defaults to `request_password_reset_with_<strategy_name>`. |
| [`password_reset_action_name`](#authentication-strategies-password-resettable-password_reset_action_name){: #authentication-strategies-password-resettable-password_reset_action_name } | `atom` | | The name to use for the action which actually resets the user's password. Defaults to `password_reset_with_<strategy_name>`. |
| Name | Type | Default | Docs |
| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------- | ------------ | --------------------------------------------------------------------------------------------------------------------------------- |
| [`sender`](#authentication-strategies-password-resettable-sender){: #authentication-strategies-password-resettable-sender .spark-required} | `(any, any, any -> any) \| module` | | The sender to use when sending password reset instructions. |
| [`token_lifetime`](#authentication-strategies-password-resettable-token_lifetime){: #authentication-strategies-password-resettable-token_lifetime } | `pos_integer \| {pos_integer, :days \| :hours \| :minutes \| :seconds}` | `{3, :days}` | How long should the reset token be valid. If no unit is provided `:hours` is assumed. |
| [`request_password_reset_action_name`](#authentication-strategies-password-resettable-request_password_reset_action_name){: #authentication-strategies-password-resettable-request_password_reset_action_name } | `atom` | | The name to use for the action which generates a password reset token. Defaults to `request_password_reset_with_<strategy_name>`. |
| [`password_reset_action_name`](#authentication-strategies-password-resettable-password_reset_action_name){: #authentication-strategies-password-resettable-password_reset_action_name } | `atom` | | The name to use for the action which actually resets the user's password. Defaults to `password_reset_with_<strategy_name>`. |
### Introspection
Target: `AshAuthentication.Strategy.Password.Resettable`
### Introspection
Target: `AshAuthentication.Strategy.Password`
<style type="text/css">.spark-required::after { content: "*"; color: red !important; }</style>

2
documentation/topics/testing.md
View file

@ -10,5 +10,5 @@ AshAuthentication uses `bcrypt_elixir` for hashing passwords for secure storage,
# in config/test.exs
# Do NOT set this value for production
config :bcrypt_elixir, log_rounds: 1
# config :bcrypt_elixir, log_rounds: 1
```

8
lib/ash_authentication/bcrypt_provider.ex → lib/ash_authentication/fake_provider.ex
View file

@ -1,4 +1,4 @@
defmodule AshAuthentication.BcryptProvider do
defmodule AshAuthentication.FakeProvider do
@moduledoc """
Provides the default implementation of `AshAuthentication.HashProvider` using `Bcrypt`.
"""
@ -15,7 +15,7 @@ defmodule AshAuthentication.BcryptProvider do
"""
@impl true
@spec hash(String.t()) :: {:ok, String.t()} | :error
def hash(input) when is_binary(input), do: {:ok, Bcrypt.hash_pwd_salt(input)}
def hash(input) when is_binary(input), do: {:ok, input}
def hash(_), do: :error
@doc """
@ -30,7 +30,7 @@ defmodule AshAuthentication.BcryptProvider do
@impl true
@spec valid?(input :: String.t(), hash :: String.t()) :: boolean
def valid?(input, hash) when is_binary(input) and is_binary(hash),
do: Bcrypt.verify_pass(input, hash)
do: input == hash
@doc """
Simulate a password check to help avoid timing attacks.
@ -42,5 +42,5 @@ defmodule AshAuthentication.BcryptProvider do
"""
@impl true
@spec simulate :: false
def simulate, do: Bcrypt.no_user_verify()
def simulate, do: :ok
end

2
lib/ash_authentication/strategies/password.ex
View file

@ -95,7 +95,7 @@ defmodule AshAuthentication.Strategy.Password do
"""
defstruct confirmation_required?: false,
hash_provider: AshAuthentication.BcryptProvider,
hash_provider: AshAuthentication.FakeProvider,
hashed_password_field: :hashed_password_field,
identity_field: :username,
name: nil,

2
lib/ash_authentication/strategies/password/dsl.ex
View file

@ -53,7 +53,7 @@ defmodule AshAuthentication.Strategy.Password.Dsl do
type: {:behaviour, AshAuthentication.HashProvider},
doc:
"A module which implements the `AshAuthentication.HashProvider` behaviour, to provide cryptographic hashing of passwords.",
default: AshAuthentication.BcryptProvider
default: AshAuthentication.FakeProvider
],
confirmation_required?: [
type: :boolean,

2
mix.exs
View file

@ -175,7 +175,7 @@ defmodule AshAuthentication.MixProject do
[
{:ash, ash_version("~> 3.0.0-rc.6")},
{:assent, "~> 0.2 and >= 0.2.8"},
{:bcrypt_elixir, "~> 3.0"},
# {:bcrypt_elixir, "~> 3.0"},
{:castore, "~> 1.0"},
{:finch, "~> 0.18.0"},
{:jason, "~> 1.4"},