If Rodauth is configured to use a password hash column on the accounts table, and to require password on account verification, there is an extra bcrypt hashing that occurs while updating the account hash in memory after updating it in the database.
Because the values used to update the account will contain a BCrypt::Password object, and BCrypt::Password#== will perform password hashing on the right-hand operand (even for non-string operands), the comparison with Sequel::CURRENT_TIMESTAMP will cause it to be hashed, using the same cost that password hashing uses. I found this out when profiling an account verification request that was taking 500ms+ locally, which seemed too long for a default password hash cost.
We fix that by using Object#equal?, which compares object ids directly, and is not overridden by BCrypt::Password.
Thanks for the report. Does this approach also fix the issue?: Sequel::CURRENT_TIMESTAMP == v. If so, I'd like to use that instead of comparing by identity.
If Rodauth is configured to use a password hash column on the accounts table, and to require password on account verification, there is an extra bcrypt hashing that occurs while updating the account hash in memory after updating it in the database.
Because the values used to update the account will contain a
BCrypt::Password
object, andBCrypt::Password#==
will perform password hashing on the right-hand operand (even for non-string operands), the comparison withSequel::CURRENT_TIMESTAMP
will cause it to be hashed, using the same cost that password hashing uses. I found this out when profiling an account verification request that was taking 500ms+ locally, which seemed too long for a default password hash cost.We fix that by using
Object#equal?
, which compares object ids directly, and is not overridden byBCrypt::Password
.