| author | Ken D'Ambrosio <ken@jots.org> | 2026-05-11 18:50:51 +0000 |
|---|---|---|
| committer | Ken D'Ambrosio <ken@jots.org> | 2026-05-11 18:50:51 +0000 |
| commit | b40e95ca17f8c9f17af5f475d001c8ec33728e6d (patch) | |
| tree | 46c242d916fca387164d760c482dda7fc6d7fd5f /app.rb | |
| parent | 723a9bc34c30ddb0decedd9efe64af5b91b71541 (diff) | |
v1.01: replace bcrypt with PBKDF2-SHA256; update README and DESIGN docsv1.01
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Diffstat (limited to 'app.rb')
| -rw-r--r-- | app.rb | 13 |
1 files changed, 11 insertions, 2 deletions
@@ -3,7 +3,7 @@
 require 'sinatra'
 require 'json'
 require 'yaml'
-require 'bcrypt'
+require 'openssl'
 require 'mini_magick'
 require 'fileutils'
 require 'securerandom'
@@ -164,6 +164,15 @@ helpers do
     parts.each_with_index.map { |p, i| { name: p, path: parts[0..i].join('/') } }
   end
 
+  def pbkdf2_verify(password, stored)
+    _algo, iterations, salt, expected_hex = stored.split('$')
+    actual = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations.to_i, 32, 'SHA256')
+    actual_hex = actual.unpack1('H*')
+    OpenSSL.fixed_length_secure_compare(actual_hex, expected_hex)
+  rescue
+    false
+  end
+
   def blank_to_nil(s)
     v = s.to_s.strip
     v.empty? ? nil : v
@@ -322,7 +331,7 @@ end
 
 post '/admin/login' do
   hash = APP_CONFIG[:admin_password_hash].to_s
-  if !hash.empty? && BCrypt::Password.new(hash) == params['password']
+  if !hash.empty? && pbkdf2_verify(params['password'].to_s, hash)
     session[:admin] = true
     redirect params['return_to']&.start_with?('/') ? params['return_to'] : '/admin/edit/'
   else
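Review bot: `pbkdf2_verify` discards the `_algo` field it parses and coerces `iterations` with `to_i`, so a stored value with an unexpected algorithm tag or a non-numeric count is not surfaced as misconfiguration but, through the bare `rescue`, collapses into a `false` that is indistinguishable from a wrong password. Validate the parsed fields before deriving — `Integer(iterations)` instead of `iterations.to_i`, and a check of `_algo` against whatever tag the hash generator writes (the generator is not visible in this hunk) — and let a malformed stored hash raise or be logged rather than swallowed. The `rescue` can then be narrowed to the `ArgumentError`/`TypeError` that `fixed_length_secure_compare` raises on a length mismatch or a missing digest field. A one-line comment above the method documenting the expected layout would also help, e.g. `# stored format: algo$iterations$salt$hex_digest (PBKDF2-HMAC-SHA256, 32-byte derived key)`. Note that `OpenSSL::KDF.pbkdf2_hmac` is the current API; `OpenSSL::PKCS5.pbkdf2_hmac` is retained as a legacy alias.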
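Review bot: The new login condition is sound, but the unchanged `return_to` check two lines below it still accepts protocol-relative values: `start_with?('/')` is satisfied by a string beginning with `//`, which a browser resolves as an absolute URL to another host, so a successful admin login can be redirected off-site. Tighten it to require exactly one leading slash, e.g. `rt = params['return_to']` and `redirect(rt&.start_with?('/') && !rt.start_with?('//') ? rt : '/admin/edit/')`. The `post '/admin/login'` block continues outside the hunk.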
