access_token 0.1.1 → 0.1.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/lib/access_token.rb +10 -1
- data/lib/access_token/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e246af0e94a0d8c7632d4370f5a117fce1e469bb
|
|
4
|
+
data.tar.gz: b83d79d4804ec42c9f40e4c5b66620637c7677d3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 251de5820ba056112f3ab9f8c25da1aaefb6bf6f87c33cb5c7c1dee58019aec4eb6aab3d7556758774d4ffed68ae4a68029a0c8b1f341262517e49bd3b02aaac
|
|
7
|
+
data.tar.gz: 5b295898302875abc0d2f0dd4d7160b8ff4506df015f90085aa800ef2482fe9709d87e2c4e47cca3ea14d9351111248b4f7110db74b35376e1d37de91128cce2
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,13 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
#### v0.1.2 — unreleased
|
|
4
|
+
|
|
5
|
+
- Add secure comparison to avoid timing attack.
|
|
6
|
+
|
|
7
|
+
#### v0.1.1 - Sep 13, 2015
|
|
8
|
+
|
|
9
|
+
- Replace multiple Redis command calls (multi + set + expires) for just one (setex).
|
|
10
|
+
|
|
3
11
|
#### v0.1.0 - May 31, 2015
|
|
4
12
|
|
|
5
13
|
- Initial release
|
data/lib/access_token.rb
CHANGED
|
@@ -69,7 +69,7 @@ class AccessToken
|
|
|
69
69
|
|
|
70
70
|
return unless data
|
|
71
71
|
return unless fresh?(data[TIME_KEY])
|
|
72
|
-
return unless request_signature
|
|
72
|
+
return unless secure_compare?(request_signature, data[SIGNATURE_KEY])
|
|
73
73
|
|
|
74
74
|
data[ID_KEY]
|
|
75
75
|
end
|
|
@@ -81,4 +81,13 @@ class AccessToken
|
|
|
81
81
|
def fresh?(timestamp)
|
|
82
82
|
timestamp > Time.now.to_i - ttl
|
|
83
83
|
end
|
|
84
|
+
|
|
85
|
+
def secure_compare?(a, b)
|
|
86
|
+
return false if a.blank? || b.blank? || a.bytesize != b.bytesize
|
|
87
|
+
l = a.unpack "C#{a.bytesize}"
|
|
88
|
+
|
|
89
|
+
res = 0
|
|
90
|
+
b.each_byte { |byte| res |= byte ^ l.shift }
|
|
91
|
+
res == 0
|
|
92
|
+
end
|
|
84
93
|
end
|
data/lib/access_token/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: access_token
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Nando Vieira
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-
|
|
11
|
+
date: 2015-12-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: parsel
|
|
@@ -317,3 +317,4 @@ signing_key:
|
|
|
317
317
|
specification_version: 4
|
|
318
318
|
summary: Access token for client-side and API authentication.
|
|
319
319
|
test_files: []
|
|
320
|
+
has_rdoc:
|