rbCAS / casino-activerecord_authenticator

Provides mechanism to use ActiveRecord as an authenticator for CASino.
MIT License

add support for plaintext (unencrypted) passwords #23

Closed ramanbuttar closed 8 years ago

pencil commented 8 years ago

This would also allow logging in with the hashed password which defeats the purpose of hashing passwords.

Plaintext passwords are not something we want to support because of the security concerns you mentioned in #22.

ramanbuttar commented 8 years ago

The way the if statements are structured, the plaintext check is last, so it shouldn't allow the behaviour you mentioned. I included tests to cover such a case as well.

Unfortunately, this is intrinsic knowledge and not captured in the commit as a comment currently. It would be nice to have it in as an option, along with appropriate warnings.
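As an added illustration of the check ordering discussed in this thread (example code, not the project's own): a verifier whose plaintext comparison runs for every record accepts the stored digest itself as the password, while one whose plaintext branch is last, gated on the stored value not being a recognised hash and on an explicit option, does not. The `{SHA256}` prefix is a constructed stand-in for whatever hash formats the authenticator really supports, and the `allow_plaintext` option name is assumed.

```ruby
require 'digest'

# Constructed stand-in for a stored hashed credential; the thread does not
# list the real authenticator's hash formats, so SHA-256 is used here.
HASH_PREFIX = '{SHA256}'.freeze

def hash_password(plain)
  HASH_PREFIX + Digest::SHA256.hexdigest(plain)
end

def hashed?(stored)
  stored.start_with?(HASH_PREFIX)
end

# Length-checked, constant-time byte comparison so that neither branch
# leaks how many leading bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The ordering pencil warns about: the plaintext comparison is reached for
# every record, including ones holding a hash, so submitting the stored
# digest string itself is accepted as the password.
def naive_valid?(stored, submitted)
  return true if hashed?(stored) && secure_equal?(stored, hash_password(submitted))
  secure_equal?(stored, submitted) # still runs when stored is a hash
end

# The ordering ramanbuttar describes: the hash branch decides for any record
# that holds a recognised hash, and the plaintext comparison is the last
# branch, only reachable for non-hash values and only when explicitly
# enabled (assumed option name), with a warning so it is not left on silently.
def strict_valid?(stored, submitted, allow_plaintext: false)
  if hashed?(stored)
    secure_equal?(stored, hash_password(submitted))
  elsif allow_plaintext
    warn 'authenticator: comparing against a plaintext stored password'
    secure_equal?(stored, submitted)
  else
    false # unrecognised format and plaintext not enabled: reject
  end
end
```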