authentication-zero

Use authenticate_by starting with Rails 7.1

Open · gobijan opened this issue 3 years ago • 1 comment

Rails 7.1 brings a new authentication mechanism that helps mitigate timing-based enumeration attacks. See edge docs here:

https://edgeapi.rubyonrails.org/classes/ActiveRecord/SecurePassword/ClassMethods.html#method-i-authenticate_by

This issue could be kept as a reminder to switch behaviour as soon as it's released.

gobijan avatar Feb 27 '22 21:02 gobijan
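To make the timing point concrete, here is a stand-alone Ruby model of the two login patterns discussed above. It is an added example, not code from authentication-zero or from Rails: `ToyUser` is a hypothetical stand-in for a `has_secure_password` model, PBKDF2 from the OpenSSL stdlib replaces bcrypt so it runs without the gem, and `authenticate_by` here is written to mirror the Rails 7.1 behaviour (on a miss, build a throwaway record with the submitted password so the digest cost is still paid) rather than copied from it. The counter makes the leak observable without relying on wall-clock measurements.

```ruby
require "openssl"
require "securerandom"

# Hypothetical stand-in for a has_secure_password model (not the gem's code).
# PBKDF2-HMAC-SHA256 plays the role of bcrypt: what matters is only that
# every digest computation costs roughly the same amount of CPU time.
class ToyUser
  ITERATIONS = 20_000
  KEY_LEN    = 32
  USERS      = {} # constructed in-memory "users table", keyed by email

  class << self
    attr_accessor :digest_calls # how many slow hashes have been computed
  end
  self.digest_calls = 0

  attr_reader :email

  def initialize(email: nil, password: nil)
    @email = email
    self.password = password if password
  end

  # Setter mirrors `password=` from has_secure_password: it derives a digest.
  def password=(plain)
    @salt = SecureRandom.random_bytes(16)
    @password_digest = self.class.derive(plain, @salt)
  end

  # Returns self on success, false otherwise (same contract as `authenticate`).
  def authenticate_password(plain)
    candidate = self.class.derive(plain, @salt)
    self.class.secure_equal?(candidate, @password_digest) ? self : false
  end

  def self.derive(plain, salt)
    self.digest_calls += 1
    OpenSSL::KDF.pbkdf2_hmac(plain, salt: salt, iterations: ITERATIONS,
                             length: KEY_LEN, hash: "sha256")
  end

  # Constant-time byte comparison (avoids depending on newer OpenSSL helpers).
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.create!(email:, password:)
    USERS[email] = new(email: email, password: password)
  end

  def self.find_by(email:)
    USERS[email]
  end

  # Pre-7.1 pattern: find_by then authenticate. For an unknown email no digest
  # is computed at all, so the response is measurably faster than for a known
  # email with a wrong password. That difference is the enumeration oracle.
  def self.naive_login(email:, password:)
    user = find_by(email: email)
    user && user.authenticate_password(password)
  end

  # authenticate_by-style pattern (modelled on Rails 7.1, not copied from it):
  # reject blank passwords up front, and on a miss still pay for one digest by
  # instantiating a throwaway record with the submitted password.
  def self.authenticate_by(email:, password:)
    return nil if password.nil? || password.empty?
    if (user = find_by(email: email))
      user.authenticate_password(password) || nil
    else
      new(password: password) # same hashing cost as a real check, result discarded
      nil
    end
  end

  # Returns [digests computed by naive_login, digests computed by authenticate_by]
  # for a login attempt against an email that does not exist.
  def self.work_on_unknown_user
    self.digest_calls = 0
    naive_login(email: "nobody@example.com", password: "hunter2")
    naive = digest_calls
    self.digest_calls = 0
    authenticate_by(email: "nobody@example.com", password: "hunter2")
    hardened = digest_calls
    [naive, hardened]
  end
end

if __FILE__ == $PROGRAM_NAME
  ToyUser.create!(email: "alice@example.com", password: "correct horse")
  naive, hardened = ToyUser.work_on_unknown_user
  puts "unknown user: naive_login computed #{naive} digest(s), authenticate_by computed #{hardened}"
end
```

Run it with `ruby` and the two counts differ (0 versus 1): the naive flow short-circuits before hashing when the email is unknown, while the `authenticate_by`-style flow does the same amount of hashing whether or not the account exists. The Rails implementation additionally raises `ArgumentError` when no password or no finder attributes are given, which this toy omits.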

Yeah... I'm aware of it. We can implement a version check here in this case, but let's wait for it to be released.

lazaronixon avatar Feb 27 '22 21:02 lazaronixon

Side note, I wouldn't worry too much about timing-based enumeration attacks, given you can just figure out whether a user (+ verified) exists by trying to send a password reset email to it.

But adding authenticate_by is probably a good idea anyway.

Woolworths avatar Apr 24 '23 12:04 Woolworths

Implemented on https://github.com/lazaronixon/authentication-zero/commit/5bed71051f349910a36b834f2a47aa076f2723e6

lazaronixon avatar Jul 19 '23 05:07 lazaronixon