user.valid_password? not work if encrypt provider is sha512 and user.stretches has specified #769

Open
holysoros opened this issue Apr 20, 2016 · 3 comments

holysoros commented Apr 20, 2016

How to reproduce the bug

Change config/initializers/sorcery.rb as below:

user.stretches = 10
user.encryption_algorithm = :sha512

In the Rails console, create a user with a password, for example 'secretpass'.

Then exit the console.

Start the Rails console again; user.valid_password?('secretpass') will return false!

Problem Analysis

valid_password?(pass) in lib/sorcery/model.rb doesn't set stretches to the value the user specified. The set_encryption_attributes class method sets stretches; authenticate and encrypt call set_encryption_attributes, but valid_password? doesn't.

Proposed Solution

Call set_encryption_attributes in authenticates_with_sorcery! as below:

module Sorcery
  module Model
    def authenticates_with_sorcery!
      ...
      ::Sorcery::Controller::Config.user_config.tap{|blk| blk.call(@sorcery_config) if blk}
      set_encryption_attributes
      ...
    end
  end
end
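
Added example (not part of the original issue and not Sorcery's code): a toy Ruby model of the failure described above, where the stretch count is class-level provider state that only some code paths set. `ToySHA512`, `ToyUserConfig`, `simulate_new_process`, `run_scenario`, the salt and the default of 20 are assumptions made for illustration.

```ruby
require 'digest'

# Toy provider (hypothetical, not Sorcery's code): the stretch count is
# class-level state that falls back to a default when nothing has set it.
module ToySHA512
  DEFAULT_STRETCHES = 20 # assumed default, for illustration only

  class << self
    attr_writer :stretches

    def stretches
      @stretches ||= DEFAULT_STRETCHES
    end

    def encrypt(*tokens)
      digest = tokens.join
      stretches.times { digest = Digest::SHA512.hexdigest(digest) }
      digest
    end

    def matches?(crypted, *tokens)
      encrypt(*tokens) == crypted
    end
  end
end

# Hypothetical per-model config: the configured value only reaches the
# provider when set_encryption_attributes runs.
ToyUserConfig = Struct.new(:stretches) do
  def set_encryption_attributes
    ToySHA512.stretches = stretches
  end
end

# A new console session starts with the provider back at its default.
def simulate_new_process
  ToySHA512.stretches = nil
end

def run_scenario(apply_fix:)
  config = ToyUserConfig.new(10)       # user.stretches = 10
  simulate_new_process
  config.set_encryption_attributes     # session 1: encrypt path sets stretches
  crypted = ToySHA512.encrypt('secretpass', 'constructed-salt')
  simulate_new_process                 # session 2: only verification runs
  config.set_encryption_attributes if apply_fix # proposed fix: set at setup
  ToySHA512.matches?(crypted, 'secretpass', 'constructed-salt')
end
```

A stored digest only verifies under the stretch count it was created with, so any code path that skips the configuration step silently rejects valid passwords.
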
@bitberry-dev

Hi guys, I have the same problem, fixed in a similar way.

@joshbuker
Contributor

I wasn't a huge fan of how this overwriting of a singleton config worked, so this will be changed in v1 to no longer be an issue. The config values will live on the instance of the hashing provider instead: sorcery-core/lib/sorcery/config.rb

@bitberry-dev if this is still an issue in the latest version of Sorcery (v0.16.1), can you please open an issue on the current repo? Sorcery/sorcery - Create new issue

@bitberry-dev

@athix Of course, I will re-check this bug soon and open a new issue
