Migrating existing authentication to has_secure_password

0
votes

In my application, I have two different user accounts. The old account type was using a custom built authentication system. The newer one implements has_secure_password. Now I'm ready to move the old account type to the same system. In the database, that user type has a hashed_password column.

I have it working so that creating new users works, and they can login just fine on the new system. The problem is that I need existing users to be able to migrate their passwords from the hashed_password to password_digest. What is the best way to go about doing this?

1
ruby-on-railsruby-on-rails-3
Is it OK with you that you're going to have to set a new password for each user (rather than their current password)? - Jesse Wolgamott
@JesseWolgamott, probably not. It's an application in wide use, and I get the feeling my boss would not like that. - Bholzer
You're gonna have a hard time. You cannot decrypt the hash, and the 2 auth system use different hashing algorithms. In short: you can't do what you're trying to do. - Jesse Wolgamott

1 Answers

2
votes

It's possible, but you'll have to juggle a bit. Let's say you've used MD5 to hash passwords before you wanted to migrate. Make sure you have made a backup before you migrate :) Add a boolean column migrated_password to the database, default true. In your migration, do something like User.update_all(migrated_password: false) for existing users.

Use the current MD5 hashes as input for the has_secure_password function. Alter your login code to handle two paths, depending on the value of the migrated_password column. If the password is migrated (or the user registered after the migration), you use has_secure_password straight out of the box.

If it isn't, you hash the password with MD5 before feeding it to the authenticate method. If the login is successful, change the password of that user with the input password from the params and update the migrated_password column to false (wrap those two actions in a transaction).

After a certain amount of time you can delete the the migrated_password column and the migration code, and let users use your password reset functionality if they still need access but haven't migrated in time.