GIU

Reputation: 11

Authlogic: How to prevent reuse of previous password?

How can you find out the user's past encrypted password to check if he is using the old password as the new one? In previous "Authlogic" versions it was easy to check, but in newer versions I cannot find out the password hash, even if I know the old salt and the new password. Is there a way to determine if the user is using the old password as the new one?

Upvotes: 1

Views: 98

Answers (1)

Jared Beck

Reputation: 17528

how can you .. check if [the user] is using the old password as the new one .. I cannot find out the password hash, even if I know the old salt and the new password ..

If you have always used the same crypto_provider, it should be fairly simple.

salt = current_user.password_salt
old_crypted_pw = current_user.crypted_password
new_plaintext_password = params[:new_password]
provider = User.crypto_provider
# Re-encrypt the candidate password with the stored salt and compare it to the stored hash
new_crypted_pw = provider.encrypt(new_plaintext_password, salt)
if new_crypted_pw == old_crypted_pw
  raise 'Cannot reuse password'
end
# ...

Documentation of these methods can be found in authlogic/acts_as_authentic/password.rb.

If you are transitioning from one crypto provider to another (the transition_from_crypto_providers feature) then you must try to match against all User.crypto_providers.

Upvotes: 0
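The reuse check from this answer, carried through to the transition_from_crypto_providers case, as an added stand-alone example (not the poster's code and not Authlogic's own implementation). It assumes constructed stand-in providers that only share Authlogic's provider interface (encrypt(*tokens) and matches?(crypted, *tokens)); the digest scheme, the LegacyStandInSha512 class, the User struct and the helper names are hypothetical.

```ruby
require "digest"
require "securerandom"

# Constructed stand-in for an Authlogic-style crypto provider: same interface
# (encrypt / matches?), illustrative digest scheme (SHA-512 over the
# salt-joined tokens, stretched), not Authlogic's own code.
class StandInSha512
  STRETCHES = 20
  JOIN_TOKEN = " "

  def self.encrypt(*tokens)
    digest = tokens.flatten.join(JOIN_TOKEN)
    self::STRETCHES.times { digest = Digest::SHA512.hexdigest(digest) }
    digest
  end

  # Go through matches? rather than comparing encrypt(...) == crypted: a
  # bcrypt-style provider salts every encrypt call itself, so only matches?
  # answers correctly for every provider kind.
  def self.matches?(crypted, *tokens)
    secure_compare(crypted, encrypt(*tokens))
  end

  # Constant-time comparison so the check does not leak through timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Hypothetical older provider the app is transitioning away from.
class LegacyStandInSha512 < StandInSha512
  STRETCHES = 10
end

User = Struct.new(:crypted_password, :password_salt)

# Constructed user record carrying the salt and hash a user row would hold.
def build_user(plaintext, provider, salt = SecureRandom.hex(16))
  User.new(provider.encrypt(plaintext, salt), salt)
end

# The answer's check generalised: the new password counts as reused if ANY
# provider the app has ever used matches it against the stored hash.
def password_reused?(user, new_plaintext, providers)
  providers.any? do |provider|
    provider.matches?(user.crypted_password, new_plaintext, user.password_salt)
  end
end
```

A user hashed under LegacyStandInSha512 is reported as not reusing the password when only StandInSha512 is tried, which is exactly the false negative the answer's last paragraph warns about.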
