Plaintext tokens

Open · jjb opened this issue 10 years ago · 1 comment

In Feb 2014 I brought up the idea of plaintext tokens: https://github.com/scambra/devise_invitable/issues/444

As of devise 3.5.2, devise no longer uses them for email confirmation (oddly categorized as a bug fix):

  • discussion: https://github.com/plataformatec/devise/issues/3640
  • change: https://github.com/plataformatec/devise/commit/eb640ed344fb5e227e82b1f3a914ca9fabb938e0
  • changelog: https://github.com/plataformatec/devise/blob/master/CHANGELOG.md

Could devise_invitable now consider changing accordingly?

Their rationale for being able to do it is that they no longer log users in after confirming (in case the system uses 2-factor). I think maybe devise_invitable doesn't have to worry about that, since the user is always brand new?

jjb, Aug 20 '15 16:08

I have been thinking about this and I'm not sure if it's safe. If the raw token is stored, getting access to the DB can give access to an account; it would be a new account, but an account bound to an email, so it's similar to the reasons for storing an encrypted token for remember password. On a social media website, for example, an attacker could contact the inviter, and the inviter would think they are talking with a friend, so the attacker would be forging an identity.

Maybe a config option could be added, defaulting to encrypted, which is safest.

scambra, Oct 15 '15 10:10
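The threat scambra describes, worked through in Ruby as an added example (this is not code from devise_invitable or Devise): an attacker who can read the table tries to accept invitations using only the stored column values. The plaintext store is what jjb proposes; the digest store is modeled on the scheme Devise 3.5.2 adopted for confirmation tokens (a per-column key derived from the app secret, HMAC-SHA256 of the raw token written to the database, raw token sent only in the email). `SECRET_KEY_BASE`, the class names, the in-memory `rows` hash standing in for the users table and the invitee addresses are all constructed for the example; PBKDF2 stands in for Rails' KeyGenerator.

```ruby
require "securerandom"
require "openssl"

# Stand-in for Rails' secret_key_base (constructed for this example).
SECRET_KEY_BASE = "constructed-demo-secret-do-not-reuse".freeze

# Plaintext storage: the column holds the same string that is sent in the
# invitation email, so whoever reads the row holds a usable token.
class PlaintextTokenStore
  attr_reader :rows # stored column value => invitee email (stands in for the users table)

  def initialize
    @rows = {}
  end

  def invite(email)
    raw = SecureRandom.urlsafe_base64(20)
    @rows[raw] = email
    raw # goes into the email link
  end

  # Accept by looking the token up directly.
  def accept(token)
    @rows.delete(token) # returns the email, or nil if unknown
  end
end

# Digest storage, modeled on Devise 3.5.2's TokenGenerator: a per-column key is
# derived from the app secret, and only HMAC-SHA256(key, raw) is written to the
# database. The raw token exists only in the email link.
class DigestTokenStore
  attr_reader :rows

  def initialize(secret, column:)
    # Per-column key, so a digest stored for one column cannot be replayed as
    # another column's token (PBKDF2 here stands in for Rails' KeyGenerator).
    @key = OpenSSL::PKCS5.pbkdf2_hmac(secret, column, 2**16, 64, OpenSSL::Digest.new("SHA256"))
    @rows = {}
  end

  def invite(email)
    raw = SecureRandom.urlsafe_base64(20)
    @rows[digest(raw)] = email
    raw
  end

  # Accept requires the raw token: its digest is recomputed and looked up.
  def accept(token)
    @rows.delete(digest(token))
  end

  def digest(raw)
    OpenSSL::HMAC.hexdigest("SHA256", @key, raw)
  end
end

# Models the scenario above: an attacker has read the table (dump, backup,
# SQL injection) and tries to accept every invitation using only the stored
# column values. Returns the emails of the accounts they managed to take over.
def accept_with_db_dump(store)
  store.rows.keys.map { |stored| store.accept(stored) }.compact
end

def demo
  plain = PlaintextTokenStore.new
  plain.invite("alice@example.com") # constructed invitee
  plaintext_hijacked = accept_with_db_dump(plain)

  hashed = DigestTokenStore.new(SECRET_KEY_BASE, column: "invitation_token")
  raw = hashed.invite("bob@example.com") # constructed invitee
  raw_token_in_db = hashed.rows.key?(raw) # the email-link token never hits the table
  digest_hijacked = accept_with_db_dump(hashed)
  digest_legit = hashed.accept(raw) # the real email link still works

  {
    plaintext_hijacked: plaintext_hijacked, # ["alice@example.com"]
    digest_hijacked: digest_hijacked,       # []
    digest_legit: digest_legit,             # "bob@example.com"
    raw_token_in_db: raw_token_in_db        # false
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

With plaintext storage the dump alone is enough to accept the invitation and claim the account bound to the invitee's email; with digest storage the dump yields only HMAC outputs, which do not pass `accept`, while the raw token from the email link still does. A config option defaulting to the digest form, as suggested above, would keep this property unless an application opts out.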