1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
# frozen-string-literal: true
module Rodauth
def self.create_database_authentication_functions(db, opts={})
table_name = opts[:table_name] || :account_password_hashes
get_salt_name = opts[:get_salt_name] || :rodauth_get_salt
valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash
argon2 = opts[:argon2]
case db.database_type
when :postgres
search_path = opts[:search_path] || 'public, pg_temp'
primary_key_type =
case db.schema(table_name).find { |row| row.first == :id }[1][:db_type]
when 'uuid' then :uuid
else :int8
end
table_name = db.literal(table_name) unless table_name.is_a?(String)
argon_sql = <<END
CASE
WHEN password_hash ~ '^\\$argon2id'
THEN substring(password_hash from '\\$argon2id\\$v=\\d+\\$m=\\d+,t=\\d+,p=\\d+\\$.+\\$')
ELSE substr(password_hash, 0, 30)
END INTO salt
END
db.run <<END
CREATE OR REPLACE FUNCTION #{get_salt_name}(acct_id #{primary_key_type}) RETURNS text AS $$
DECLARE salt text;
BEGIN
SELECT
#{argon2 ? argon_sql : "substr(password_hash, 0, 30) INTO salt"}
FROM #{table_name}
WHERE acct_id = id;
RETURN salt;
END;
$$ LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = #{search_path};
END
db.run <<END
CREATE OR REPLACE FUNCTION #{valid_hash_name}(acct_id #{primary_key_type}, hash text) RETURNS boolean AS $$
DECLARE valid boolean;
BEGIN
SELECT password_hash = hash INTO valid
FROM #{table_name}
WHERE acct_id = id;
RETURN valid;
END;
$$ LANGUAGE plpgsql
SECURITY DEFINER
SET search_path = #{search_path};
END
when :mysql
argon_sql = <<END
CASE
WHEN password_hash REGEXP '^.argon2id'
THEN left(password_hash, CHAR_LENGTH(password_hash) - INSTR(REVERSE(password_hash), '$'))
ELSE substr(password_hash, 1, 30)
END
END
db.run <<END
CREATE FUNCTION #{get_salt_name}(acct_id int8) RETURNS varchar(255)
SQL SECURITY DEFINER
READS SQL DATA
BEGIN
RETURN (SELECT
#{argon2 ? argon_sql : "substr(password_hash, 1, 30)"}
FROM #{table_name}
WHERE acct_id = id);
END;
END
db.run <<END
CREATE FUNCTION #{valid_hash_name}(acct_id int8, hash varchar(255)) RETURNS tinyint(1)
SQL SECURITY DEFINER
READS SQL DATA
BEGIN
DECLARE valid tinyint(1);
DECLARE csr CURSOR FOR
SELECT password_hash = hash
FROM #{table_name}
WHERE acct_id = id;
OPEN csr;
FETCH csr INTO valid;
CLOSE csr;
RETURN valid;
END;
END
when :mssql
argon_sql = <<END
CASE
WHEN password_hash LIKE '[$]argon2id%'
THEN left(password_hash, len(password_hash) - charindex('$', reverse(password_hash)))
ELSE substring(password_hash, 0, 30)
END
END
db.run <<END
CREATE FUNCTION #{get_salt_name}(@account_id bigint) RETURNS nvarchar(255)
WITH EXECUTE AS OWNER
AS
BEGIN
DECLARE @salt nvarchar(255);
SELECT @salt =
#{argon2 ? argon_sql : "substring(password_hash, 0, 30)"}
FROM #{table_name}
WHERE id = @account_id;
RETURN @salt;
END;
END
db.run <<END
CREATE FUNCTION #{valid_hash_name}(@account_id bigint, @hash nvarchar(255)) RETURNS bit
WITH EXECUTE AS OWNER
AS
BEGIN
DECLARE @valid bit;
DECLARE @ph nvarchar(255);
SELECT @ph = password_hash
FROM #{table_name}
WHERE id = @account_id;
IF(@hash = @ph)
SET @valid = 1;
ELSE
SET @valid = 0
RETURN @valid;
END;
END
end
end
def self.drop_database_authentication_functions(db, opts={})
table_name = opts[:table_name] || :account_password_hashes
get_salt_name = opts[:get_salt_name] || :rodauth_get_salt
valid_hash_name = opts[:valid_hash_name] || :rodauth_valid_password_hash
case db.database_type
when :postgres
primary_key_type =
case db.schema(table_name).find { |row| row.first == :id }[1][:db_type]
when 'uuid' then :uuid
else :int8
end
db.run "DROP FUNCTION #{get_salt_name}(#{primary_key_type})"
db.run "DROP FUNCTION #{valid_hash_name}(#{primary_key_type}, text)"
when :mysql, :mssql
db.run "DROP FUNCTION #{get_salt_name}"
db.run "DROP FUNCTION #{valid_hash_name}"
end
end
def self.create_database_previous_password_check_functions(db, opts={})
create_database_authentication_functions(db, {:table_name=>:account_previous_password_hashes, :get_salt_name=>:rodauth_get_previous_salt, :valid_hash_name=>:rodauth_previous_password_hash_match}.merge(opts))
end
def self.drop_database_previous_password_check_functions(db, opts={})
drop_database_authentication_functions(db, {:table_name=>:account_previous_password_hashes, :get_salt_name=>:rodauth_get_previous_salt, :valid_hash_name=>:rodauth_previous_password_hash_match}.merge(opts))
end
end
|
