Why is BCrypt failing to authenticate in this context?

Question

when I create users (in sinatra), I do this

require 'Bcrypt'

post '/users' do
    @user = User.new(params[:user])
    @user.password_hash = BCrypt::Password.create(params[:password])
    p @user.password_hash == params[:password]              # this prints TRUE!
    @user.save!
    session[:user_id] = @user.id
    redirect '/'
end

then when I try to verify the same user I get this

post '/sessions' do
  @user = User.find_by_email(params[:email])
  p @user.id                                                # prints 14
  p @user.password_hash                                     # prints correct hash
  p @user.password_hash.class                               # prints String
  p BCrypt::Password.new(@user.password_hash).class         # prints BCrypt::Password 
  p params[:password]                                       # prints "clown123"
  p BCrypt::Password.new(@user.password_hash) == params[:password] # prints FALSE!

    # redirect '/'
end

What broke? The example given in the BCrypt docs (which doesn't use a database) works every time. Could something in my db (postgres) be altering the password_hash?

using the very latest version of bcrypt, and ruby 1.9.3 (I've tried ruby 2.0 and up as well with the same results)

Sam · Answer 1 · 2014-04-07T00:41:01.097

What DB column type are you using? You could try without the DB and use sessions instead. The following worked correctly for me,

# app.rb

require 'sinatra'
require 'bcrypt'

enable :sessions

get '/user' do
  session[:password_hash] = BCrypt::Password.create(params[:password])
  return 'success'
end

get '/session' do
  result = BCrypt::Password.new(session[:password_hash]) == params[:password]
  return "Result: #{result}"
end

Then in the browser,

http://localhost:4567/user?password=secret

# => success

http://localhost:4567/session?password=secret

# => Result: true

http://localhost:4567/session?password=invalid

# => Result: false

If that works, try introducing the DB again,

require 'sinatra'
require 'bcrypt'

# your postgres config here...

get '/pg-user' do
  user = User.new(password_hash: BCrypt::Password.create(params[:password]))
  user.save!
  return 'success'
end

get '/pg-session' do
  user = User.last
  result = BCrypt::Password.new(user.password_hash) == params[:password]
  return "Result: #{result}"
end

thanks - turns out that my params were coming in from my sign-up form in a weird fashion, and the problem wasn't my database after all — dwilbank, Apr 07 '14 at 10:46

Why is BCrypt failing to authenticate in this context?

1 Answers1