access_token 0.1.1 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -0
- data/lib/access_token.rb +10 -1
- data/lib/access_token/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: e246af0e94a0d8c7632d4370f5a117fce1e469bb
|
|
4
|
+
data.tar.gz: b83d79d4804ec42c9f40e4c5b66620637c7677d3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 251de5820ba056112f3ab9f8c25da1aaefb6bf6f87c33cb5c7c1dee58019aec4eb6aab3d7556758774d4ffed68ae4a68029a0c8b1f341262517e49bd3b02aaac
|
|
7
|
+
data.tar.gz: 5b295898302875abc0d2f0dd4d7160b8ff4506df015f90085aa800ef2482fe9709d87e2c4e47cca3ea14d9351111248b4f7110db74b35376e1d37de91128cce2
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,13 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
+
#### v0.1.2 — unreleased
|
|
4
|
+
|
|
5
|
+
- Add secure comparison to avoid timing attack.
|
|
6
|
+
|
|
7
|
+
#### v0.1.1 - Sep 13, 2015
|
|
8
|
+
|
|
9
|
+
- Replace multiple Redis command calls (multi + set + expires) for just one (setex).
|
|
10
|
+
|
|
3
11
|
#### v0.1.0 - May 31, 2015
|
|
4
12
|
|
|
5
13
|
- Initial release
|
data/lib/access_token.rb
CHANGED
|
@@ -69,7 +69,7 @@ class AccessToken
|
|
|
69
69
|
|
|
70
70
|
return unless data
|
|
71
71
|
return unless fresh?(data[TIME_KEY])
|
|
72
|
-
return unless request_signature
|
|
72
|
+
return unless secure_compare?(request_signature, data[SIGNATURE_KEY])
|
|
73
73
|
|
|
74
74
|
data[ID_KEY]
|
|
75
75
|
end
|
|
@@ -81,4 +81,13 @@ class AccessToken
|
|
|
81
81
|
def fresh?(timestamp)
|
|
82
82
|
timestamp > Time.now.to_i - ttl
|
|
83
83
|
end
|
|
84
|
+
|
|
85
|
+
def secure_compare?(a, b)
|
|
86
|
+
return false if a.blank? || b.blank? || a.bytesize != b.bytesize
|
|
87
|
+
l = a.unpack "C#{a.bytesize}"
|
|
88
|
+
|
|
89
|
+
res = 0
|
|
90
|
+
b.each_byte { |byte| res |= byte ^ l.shift }
|
|
91
|
+
res == 0
|
|
92
|
+
end
|
|
84
93
|
end
|
data/lib/access_token/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: access_token
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Nando Vieira
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2015-
|
|
11
|
+
date: 2015-12-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: parsel
|
|
@@ -317,3 +317,4 @@ signing_key:
|
|
|
317
317
|
specification_version: 4
|
|
318
318
|
summary: Access token for client-side and API authentication.
|
|
319
319
|
test_files: []
|
|
320
|
+
has_rdoc:
|