Reputation: 449
Hey so I was using Rails for my app but now I'm migrating to ReactJs + Node.
I cannot discover how Devise encrypted the password so I can send the request from my frontend to my backend.
I'm using Postgres for my db.
Upvotes: 8
Views: 7793
Reputation: 20172
Based on the previous answer, here are step-by-step instructions on how you can "use" passwords stored with the Ruby Devise gem in a NodeJs-based app.
In your Ruby codebase:
1. config/initializers/devise.rb file
2. config.pepper declaration, e.g. config.pepper = '24a37cf1ccf5f682fc6f2'
In your NodeJs codebase:
1. bcrypt package
const bcrypt = require('bcrypt');
// this is what you have copied in previous section, step 3.
const pepper = '24a37cf1ccf5f682fc6f2';
// you should get it probably from user input
const plaintext = 'admin123';
// you should get it from your Devise database table `encrypted_password` column
const encrypted_password = '$2a$12$K0ByB.6YI2/OYrB4fQOYLes9WMlxvjJ8Zgt9U44NEdtmCeGkKvCX2';
const equal = bcrypt.compareSync(plaintext + pepper, encrypted_password);
console.log(equal); // if true `plaintext` is equal to what is saved as `encrypted_password`
NOTE: Cost factor and salt used by Devise don't matter, as those values are saved in the DB as part of the encrypted_password string (see "How bcrypt.js compare method knows the number of salting rounds?" and "Do I need to store the salt with bcrypt?").
Upvotes: 0
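Added example, not part of the answer above or of Devise: it splits an `encrypted_password` value into the version, cost and salt that the NOTE says are stored inside the string, and reports when password plus pepper exceeds the 72 bytes bcrypt actually hashes. The function names and the `needsRehash` policy are hypothetical; the hash and pepper are the answer's sample values.

```javascript
'use strict';

// bcrypt modular crypt format: $<version>$<cost>$<22-char salt><31-char digest>
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;
const BCRYPT_MAX_INPUT_BYTES = 72; // bcrypt only uses the first 72 bytes of its input

// Returns { version, cost, salt, digest } or null when the value is not a bcrypt hash
// (empty column, another scheme, a value truncated during export).
function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(String(hash));
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // outside bcrypt's valid cost range
  return { version: m[1], cost, salt: m[3], digest: m[4] };
}

// Builds the string that gets hashed: password followed by pepper, as in the answer.
// The pepper sits at the end, so it is the first thing lost once the input passes 72 bytes.
function deviseInput(plaintext, pepper) {
  const input = plaintext + (pepper || '');
  const bytes = Buffer.byteLength(input, 'utf8');
  return { input, bytes, truncated: bytes > BCRYPT_MAX_INPUT_BYTES };
}

// Hypothetical migration policy: re-hash at next successful login when the stored
// cost is below the target, or when the stored value cannot be parsed at all.
function needsRehash(hash, targetCost) {
  const parsed = parseBcryptHash(hash);
  return parsed === null || parsed.cost < targetCost;
}

// Sample values taken from the answer above.
const sampleHash = '$2a$12$K0ByB.6YI2/OYrB4fQOYLes9WMlxvjJ8Zgt9U44NEdtmCeGkKvCX2';
const samplePepper = '24a37cf1ccf5f682fc6f2';

console.log(parseBcryptHash(sampleHash));
console.log(deviseInput('admin123', samplePepper));
console.log(needsRehash(sampleHash, 12));
```

Run `parseBcryptHash` over the exported `encrypted_password` column before switching logins to Node, so malformed rows surface during migration and not as failed sign-ins.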
Reputation: 3574
Devise is using bcrypt gem for encryption (https://github.com/codahale/bcrypt-ruby), you can also look at how Devise is doing it here: https://github.com/plataformatec/devise/blob/f39c6fd92774cb66f96f546d8d5e8281542b4e78/lib/devise/encryptor.rb
For more details on the algorithm, you can look here: https://github.com/codahale/bcrypt-ruby/blob/master/lib/bcrypt/password.rb
Hope that helps
Upvotes: 8