TokenAuthenticatable provides comparison method

Avoids attempting save on comparison, as that could potentially reveal that a resource exists. Uses secure comparison incase this is reused somewhere sensitive.

TokenAuthenticatable provides comparison method
Avoids attempting save on comparison, as that could potentially reveal that a resource exists. Uses secure comparison incase this is reused somewhere sensitive.
1ede6eb0 · James Edwards-Jones · d4f29787 · 1ede6eb0
Commit 1ede6eb0 authored Oct 17, 2018 by James Edwards-Jones
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

app/models/concerns/token_authenticatable.rb app/models/concerns/token_authenticatable.rb +5 -0

No files found.
--- a/app/models/concerns/token_authenticatable.rb
+++ b/app/models/concerns/token_authenticatable.rb
@@ -53,6 +53,11 @@ module TokenAuthenticatable
      define_method("reset_#{token_field}!") do
        strategy.reset_token!(self)
      end
+      define_method("#{token_field}_matches?") do |other_token|
+        token = read_attribute(token_field)
+        token.present? && ActiveSupport::SecurityUtils.variable_size_secure_compare(other_token, token)
+      end
    end
  end
 end