sha256 password before passing to bcrypt to avoid issues with 72 bytes truncation for passwords

le0pard · le0pard · commit 633cc8d9db6a · 2025-11-05T15:17:31.000+02:00
diff --git a/lib/devise/encryptor.rb b/lib/devise/encryptor.rb
@@ -1,24 +1,50 @@
 # frozen_string_literal: true
 
 require 'bcrypt'
+require 'digest'
 
 module Devise
   module Encryptor
     def self.digest(klass, password)
       if klass.pepper.present?
         password = "#{password}#{klass.pepper}"
       end
+      # This converts the password (of any length) into a fixed
+      # 64-character hex string, safely under the 72-char limit
+      password = Digest::SHA256.hexdigest(password)
+
+      # BCrypt the pre-hashed string
       ::BCrypt::Password.create(password, cost: klass.stretches).to_s
     end
 
+    # Compares a potential password with a stored hash.
+    #
+    # It attempts the new (SHA-256 -> BCrypt) method first.
+    # If that fails, it falls back to the old (direct BCrypt) method
+    # to support existing passwords that were not pre-hashed
     def self.compare(klass, hashed_password, password)
       return false if hashed_password.blank?
-      bcrypt   = ::BCrypt::Password.new(hashed_password)
+
+      begin
+        bcrypt = ::BCrypt::Password.new(hashed_password)
+      rescue ::BCrypt::Errors::InvalidHash
+        return false
+      end
+
       if klass.pepper.present?
         password = "#{password}#{klass.pepper}"
       end
-      password = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
-      Devise.secure_compare(password, hashed_password)
+
+      # This is for passwords created with the new `digest` method.
+      pre_hashed_password = Digest::SHA256.hexdigest(password)
+      new_style_hash = ::BCrypt::Engine.hash_secret(pre_hashed_password, bcrypt.salt)
+
+      return true if Devise.secure_compare(new_style_hash, hashed_password)
+
+      # This is for passwords created before this change
+      # We re-run the original logic
+      old_style_hash = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
+      Devise.secure_compare(old_style_hash, hashed_password)
     end
   end
 end
diff --git a/test/encryptor_test.rb b/test/encryptor_test.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+require 'bcrypt'
+
+class EncryptorTest < ActiveSupport::TestCase
+  test 'encrypt/decrypt passwords' do
+    hashed_password = Devise::Encryptor.digest(Devise, 'example')
+    assert Devise::Encryptor.compare(Devise, hashed_password, 'example')
+    assert_not Devise::Encryptor.compare(Devise, hashed_password, 'example1')
+  end
+
+  test 'encrypt/decrypt support passwords longer 72 bytes' do
+    hashed_password = Devise::Encryptor.digest(Devise, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa123')
+    assert Devise::Encryptor.compare(Devise, hashed_password, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa123')
+    assert_not Devise::Encryptor.compare(Devise, hashed_password, 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa125')
+  end
+
+  test 'encrypt/decrypt support old bcrypt only passwords' do
+    password = 'example'
+    password_with_pepper = "#{password}#{Devise.pepper}"
+    old_hashed_password =::BCrypt::Password.create(password_with_pepper, cost: Devise.stretches)
+
+    assert Devise::Encryptor.compare(Devise, old_hashed_password, password)
+    assert_not Devise::Encryptor.compare(Devise, old_hashed_password, 'examplo')
+  end
+end
