clearance 2.2.0 → 2.2.1





checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 1a6869cfdd76b965d10f6809fe4ad1639a57d242de11fd4a414ac017c515c94c
4
- data.tar.gz: 759e38cd4bd2525c5f35ab53c1f994317d13f3e449248b2fdec521808b398346
3
+ metadata.gz: 54c7e8cc7022fa2b109ce9834c1b27752a4b84b4acbe2f65728ecc66119ad8a1
4
+ data.tar.gz: d7ee7f5c36b5feeb71799e791c283ca9644984cd5eb0cdcbefdd3882f9c726ba
5
5
  SHA512:
6
- metadata.gz: fb078764b744a5763476b7e0098196b9cbafe21043943591e6a0deeeeee291fb3b745cdd3ce666f4fdce031dcf5602f3d7fab42424658c726f0da3a82bfecccd
7
- data.tar.gz: 43108490f1763fbb0a46edfde7c13dbe09af98e29998345868e96b0d7d49e02ec9788a1147c78301563e8a26ae2b659200dd2864b9ff798ca8fba99833a1bf84
6
+ metadata.gz: 754bdef335e4cfdc4239cf96f923847ee4330053eae153a69e19be7fa91d96641e1b8465d223d2c88858758c14eab9485147a95dbe792bed23a690b54e07cbd1
7
+ data.tar.gz: eb2c85479b87c42ee2f5e1824a07b55b8a72104fd690d01262182257bedfec12d33ade009acd9b01320a9ca1d26a1a8b5a511585a5e45f607a695cac23d5fd9f
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- clearance (2.2.0)
4
+ clearance (2.2.1)
5
5
  actionmailer (>= 5.0)
6
6
  activemodel (>= 5.0)
7
7
  activerecord (>= 5.0)
data/NEWS.md CHANGED
@@ -3,6 +3,16 @@
3
3
  The noteworthy changes for each Clearance version are included here. For a
4
4
  complete changelog, see the git history for each version via the version links.
5
5
 
6
+ ## [2.2.1] - August 7, 2020
7
+
8
+ ### Fixed
9
+
10
+ - Prevent user enumeration by timing attacks. Trying to log in with an
11
+ unrecognized email address will now take the same amount of time as for a user
12
+ that does exist in the system.
13
+
14
+ [2.2.1]: https://github.com/thoughtbot/clearance/compare/v2.2.0...v2.2.1
15
+
6
16
  ## [2.2.0] - July 9, 2020
7
17
 
8
18
  ### Added
@@ -117,6 +117,8 @@ module Clearance
117
117
  if password.present? && user.authenticated?(password)
118
118
  user
119
119
  end
120
+ else
121
+ prevent_timing_attack
120
122
  end
121
123
  end
122
124
 
@@ -130,6 +132,13 @@ module Clearance
130
132
 
131
133
  private
132
134
 
135
+ DUMMY_PASSWORD = "*"
136
+
137
+ def prevent_timing_attack
138
+ new(password: DUMMY_PASSWORD)
139
+ nil
140
+ end
141
+
133
142
  def password_strategy
134
143
  Clearance.configuration.password_strategy || PasswordStrategies::BCrypt
135
144
  end
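Review bot: The dummy hashing added at line 113 runs whenever no user is found, but the existing-user branch at line 103 only reaches `user.authenticated?` when `password.present?`, so a request with a blank password still distinguishes the two cases: a known email returns almost immediately while an unknown email pays the full hashing cost. Changing the added branch to `elsif password.present?` followed by `prevent_timing_attack` keeps the two paths doing the same amount of work for every input. `prevent_timing_attack` appears to mimic the cost by running the password setter on a throwaway record, which presumably hashes with the currently configured strategy and cost; a stored hash created under a different cost factor would still verify in a different amount of time, so that assumption deserves a comment such as `# Hash a throwaway password with the configured strategy so a miss costs about as much as a real comparison`. Also, `DUMMY_PASSWORD` is declared below `private`, which has no effect on constants; moving it up with the other constants avoids suggesting otherwise. The enclosing method starts outside the first hunk.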
@@ -1,3 +1,3 @@
1
1
  module Clearance
2
- VERSION = "2.2.0".freeze
2
+ VERSION = "2.2.1".freeze
3
3
  end
@@ -47,6 +47,35 @@ describe User do
47
47
  expect(User.authenticate(user.email, "bad_password")).to be_nil
48
48
  end
49
49
 
50
+ it "takes the same amount of time to authenticate regardless of whether user exists" do
51
+ user = create(:user)
52
+ password = user.password
53
+
54
+ user_exists_time = Benchmark.realtime do
55
+ User.authenticate(user.email, password)
56
+ end
57
+
58
+ user_does_not_exist_time = Benchmark.realtime do
59
+ User.authenticate("bad_email@example.com", password)
60
+ end
61
+
62
+ expect(user_does_not_exist_time). to be_within(0.001).of(user_exists_time)
63
+ end
64
+
65
+ it "takes the same amount of time to fail authentication regardless of whether user exists" do
66
+ user = create(:user)
67
+
68
+ user_exists_time = Benchmark.realtime do
69
+ User.authenticate(user.email, "bad_password")
70
+ end
71
+
72
+ user_does_not_exist_time = Benchmark.realtime do
73
+ User.authenticate("bad_email@example.com", "bad_password")
74
+ end
75
+
76
+ expect(user_does_not_exist_time). to be_within(0.001).of(user_exists_time)
77
+ end
78
+
50
79
  it "is retrieved via a case-insensitive search" do
51
80
  user = create(:user)
52
81
 
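Review bot: Both new specs compare two single wall-clock measurements and require them to agree within one millisecond (lines 202 and 230), which will be flaky under load or a GC pause and does not pin the property being fixed; a constant-cost path is better asserted by checking the work performed (for example that the password strategy is invoked for an unknown email) or, if timing must be measured, by comparing medians over several runs with a relative tolerance. The chained call is written `expect(user_does_not_exist_time). to be_within(0.001)` with a space before `to`; RSpec accepts it but it reads as a typo, and `expect(user_does_not_exist_time).to be_within(0.001).of(user_exists_time)` is the conventional form. Neither spec covers a blank password, which under the new code takes the dummy path for an unknown email while a known email would skip hashing entirely; a third example passing `""` for both cases would exercise that gap. The enclosing `describe User do` block starts before the hunk.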
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: clearance
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.2.0
4
+ version: 2.2.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dan Croak
@@ -25,7 +25,7 @@ authors:
25
25
  autorequire:
26
26
  bindir: bin
27
27
  cert_chain: []
28
- date: 2020-07-09 00:00:00.000000000 Z
28
+ date: 2020-08-07 00:00:00.000000000 Z
29
29
  dependencies:
30
30
  - !ruby/object:Gem::Dependency
31
31
  name: bcrypt
@@ -308,7 +308,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
308
308
  - !ruby/object:Gem::Version
309
309
  version: '0'
310
310
  requirements: []
311
- rubygems_version: 3.1.2
311
+ rubygems_version: 3.0.3
312
312
  signing_key:
313
313
  specification_version: 4
314
314
  summary: Rails authentication & authorization with email & password.