Rails 3 / Devise: Password salt no longer being created?


Question

I've been working on a project for a while now which uses Devise for user authentication. Whenever a user was created, it would generate a password salt for them along with their encrypted password.

As I'm coming to the tail end of this project, I was testing user registration and noticed that my new roles were not creating a password salt in the database for these new users, whereas my older users all had salts. The new users can sign in fine, yet I'm concerned why Devise is no longer creating salts.

The only oddity with Devise I encountered was when I upgraded the module; I remember the logs saying something about removing encryptable as bcrypt is now the default encryption, or something to that effect. Which I did, so... not sure if this has anything to do with the current issue.

In addition, thinking maybe it was my project that was pooched, I created a brand new Rails application from scratch and added Devise to it, and even that new project isn't creating salts for users.

Is there a new way in Devise to set up password salts, or does anyone know why the salts aren't being created anymore? Unfortunately the Devise wiki doesn't have a whole lot to say on the subject, and Google has been a fruitless search so far.

Or...is it even necessary to have salts in the first place? Seems more secure to have them, I would think.

My config of users/devise is below.

config/initializers/devise.rb

Devise.setup do |config|

  config.mailer_sender = "mail@domain.com"

  require 'devise/orm/active_record'

  config.authentication_keys = [ :login ]

  config.stretches = 10

  config.encryptor = :bcrypt

  # Setup a pepper to generate the encrypted password.
  config.pepper = "79c2bf3b[...]"

end

app/models/user.rb

  devise :database_authenticatable, :registerable, :confirmable,
         :recoverable, :rememberable, :trackable, :validatable

Update

I was able to locate the notice from after Devise was upgraded, which reads...

[DEVISE] From version 1.2, there is no need to set your encryptor to bcrypt since encryptors are only enabled if you include :encryptable in your models. To update your app, please:

1) Remove config.encryptor from your initializer;
2) Add t.encryptable to your old migrations;
3) [Optional] Remove password_salt in a new recent migration. Bcrypt does not require it anymore.

So it appears that the password_salt is deprecated if you stick with bcrypt, which explains why it's not created anymore. So that answers that, but the other part of my question still remains...is this a good enough practice or should I go with another encryption besides bcrypt?

Recommended answer

Per José Valim:


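Devise 1.2.1 does not require the password_salt column if you are using bcrypt. If you need a kind of salt, I believe there is a method called authentication_salt that you can use to retrieve these values.
(Source)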
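
Why the column can go: a bcrypt hash string carries its own cost factor and 16-byte salt, so nothing outside encrypted_password is needed to verify a password. The Ruby below is an added example, not part of the original question or answer; it parses that format and lists which rows still depend on password_salt before step 3 of the notice is applied. The function names and the sample rows are constructed for illustration.

```ruby
# Added example: checks that every stored hash is a self-contained bcrypt
# string before the password_salt column is dropped. Rows are constructed.
BCRYPT_RE = /\A\$(2[abxy]?)\$(\d\d)\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/

# Split a bcrypt string into version, cost and the raw 16-byte salt.
# Returns nil when the value is not in bcrypt format.
def parse_bcrypt(hash)
  m = BCRYPT_RE.match(hash.to_s)
  return nil unless m
  # bcrypt packs bits like base64 but with its own alphabet; map it to the
  # standard alphabet, pad, and decode to recover the salt bytes.
  std = m[3].tr('./A-Za-z0-9', 'A-Za-z0-9+/') + '=='
  { version: m[1], cost: m[2].to_i, salt_b64: m[3], salt: std.unpack1('m') }
end

# Ids of rows whose hash is not bcrypt and so still needs password_salt.
def rows_needing_salt_column(rows)
  rows.reject { |r| parse_bcrypt(r[:encrypted_password]) }.map { |r| r[:id] }
end

# Ids of bcrypt rows hashed with a cost below the one now configured
# (config.stretches in the initializer above).
def rows_below_cost(rows, min_cost)
  rows.select do |r|
    parsed = parse_bcrypt(r[:encrypted_password])
    parsed && parsed[:cost] < min_cost
  end.map { |r| r[:id] }
end

# Constructed rows: one legacy hex digest with a separate salt, two bcrypt.
ROWS = [
  { id: 1, encrypted_password: 'a' * 40, password_salt: 'x7Qp' },
  { id: 2, encrypted_password: '$2a$10$' + 'abcdefghijklmnopqrstuv' + 'A' * 31,
    password_salt: nil },
  { id: 3, encrypted_password: '$2a$04$' + '.' * 22 + 'B' * 31,
    password_salt: nil }
].freeze

puts "still need password_salt: #{rows_needing_salt_column(ROWS).inspect}"
puts "below cost 10: #{rows_below_cost(ROWS, 10).inspect}"
```

Dropping the column is only safe once the first list is empty; rows in the second list verify correctly but were hashed with fewer rounds than the current setting.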
