Add #set_unusable_password helper method to user model

ellmetha · ellmetha · commit 2a608210fe45 · 2023-02-19T20:09:52.000-05:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## 0.1.1 (UNDER DEVELOPMENT)
 
 * Ensure `MartenAuth::User#check_password` returns `false` in case the password is not a correctly encoded value
+* Add a `MartenAuth::User#set_unusable_password` method for situations where it's necessary to assign a non-usable password to a user
 
 ## 0.1.0 (2023-02-11)
 
diff --git a/spec/marten_auth/models/user_spec.cr b/spec/marten_auth/models/user_spec.cr
@@ -61,6 +61,23 @@ describe MartenAuth::User do
     end
   end
 
+  describe "#set_unusable_password" do
+    it "assigns a unique and invalid hash to the user password field" do
+      user = User.new(email: "test@example.com", password: nil)
+
+      user.set_unusable_password
+
+      user.password!.size.should eq 41
+      user.password!.starts_with?('!').should be_true
+      user.check_password(user.password!).should be_false
+
+      old_unusable_password = user.password
+
+      user.set_unusable_password
+      user.password.should_not eq old_unusable_password
+    end
+  end
+
   describe "#session_auth_hash" do
     it "it returns the expected HMAC computed from the password" do
       user = create_user(email: "test@example.com", password: "insecure")
diff --git a/src/marten_auth/models/user.cr b/src/marten_auth/models/user.cr
@@ -42,6 +42,16 @@ module MartenAuth
       self.password = Crypto::Bcrypt::Password.create(raw_password).to_s
     end
 
+    # Allows to assign a non-usable password to the user.
+    #
+    # The assigned value is not a valid hash and will never be usable by the user.
+    def set_unusable_password : Nil
+      self.password = String.build do |s|
+        s << UNUSABLE_PASSWORD_PREFIX
+        s << Random::Secure.random_bytes((UNUSABLE_PASSWORD_SUFFIX_LENGTH / 2).to_i).hexstring
+      end
+    end
+
     # Returns the authentication hash (HMAC computed from the password) that should be embedded in sessions.
     def session_auth_hash : String
       key_salt = "MartenAuth::User#session_auth_hash"
@@ -51,5 +61,8 @@ module MartenAuth
 
       OpenSSL::HMAC.hexdigest(OpenSSL::Algorithm::SHA256, key, password!)
     end
+
+    private UNUSABLE_PASSWORD_PREFIX        = "!" # This ensures that the password will never be a valid encoded hash.
+    private UNUSABLE_PASSWORD_SUFFIX_LENGTH = 40
   end
 end
