clearance 2.2.0 → 2.2.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of clearance might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/NEWS.md +10 -0
- data/lib/clearance/user.rb +9 -0
- data/lib/clearance/version.rb +1 -1
- data/spec/models/user_spec.rb +29 -0
- metadata +3 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 54c7e8cc7022fa2b109ce9834c1b27752a4b84b4acbe2f65728ecc66119ad8a1
|
|
4
|
+
data.tar.gz: d7ee7f5c36b5feeb71799e791c283ca9644984cd5eb0cdcbefdd3882f9c726ba
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 754bdef335e4cfdc4239cf96f923847ee4330053eae153a69e19be7fa91d96641e1b8465d223d2c88858758c14eab9485147a95dbe792bed23a690b54e07cbd1
|
|
7
|
+
data.tar.gz: eb2c85479b87c42ee2f5e1824a07b55b8a72104fd690d01262182257bedfec12d33ade009acd9b01320a9ca1d26a1a8b5a511585a5e45f607a695cac23d5fd9f
|
data/Gemfile.lock
CHANGED
data/NEWS.md
CHANGED
|
@@ -3,6 +3,16 @@
|
|
|
3
3
|
The noteworthy changes for each Clearance version are included here. For a
|
|
4
4
|
complete changelog, see the git history for each version via the version links.
|
|
5
5
|
|
|
6
|
+
## [2.2.1] - August 7, 2020
|
|
7
|
+
|
|
8
|
+
### Fixed
|
|
9
|
+
|
|
10
|
+
- Prevent user enumeration by timing attacks. Trying to log in with an
|
|
11
|
+
unrecognized email address will now take the same amount of time as for a user
|
|
12
|
+
that does exist in the system.
|
|
13
|
+
|
|
14
|
+
[2.2.1]: https://github.com/thoughtbot/clearance/compare/v2.2.0...v2.2.1
|
|
15
|
+
|
|
6
16
|
## [2.2.0] - July 9, 2020
|
|
7
17
|
|
|
8
18
|
### Added
|
data/lib/clearance/user.rb
CHANGED
|
@@ -117,6 +117,8 @@ module Clearance
|
|
|
117
117
|
if password.present? && user.authenticated?(password)
|
|
118
118
|
user
|
|
119
119
|
end
|
|
120
|
+
else
|
|
121
|
+
prevent_timing_attack
|
|
120
122
|
end
|
|
121
123
|
end
|
|
122
124
|
|
|
@@ -130,6 +132,13 @@ module Clearance
|
|
|
130
132
|
|
|
131
133
|
private
|
|
132
134
|
|
|
135
|
+
DUMMY_PASSWORD = "*"
|
|
136
|
+
|
|
137
|
+
def prevent_timing_attack
|
|
138
|
+
new(password: DUMMY_PASSWORD)
|
|
139
|
+
nil
|
|
140
|
+
end
|
|
141
|
+
|
|
133
142
|
def password_strategy
|
|
134
143
|
Clearance.configuration.password_strategy || PasswordStrategies::BCrypt
|
|
135
144
|
end
|
data/lib/clearance/version.rb
CHANGED
data/spec/models/user_spec.rb
CHANGED
|
@@ -47,6 +47,35 @@ describe User do
|
|
|
47
47
|
expect(User.authenticate(user.email, "bad_password")).to be_nil
|
|
48
48
|
end
|
|
49
49
|
|
|
50
|
+
it "takes the same amount of time to authenticate regardless of whether user exists" do
|
|
51
|
+
user = create(:user)
|
|
52
|
+
password = user.password
|
|
53
|
+
|
|
54
|
+
user_exists_time = Benchmark.realtime do
|
|
55
|
+
User.authenticate(user.email, password)
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
user_does_not_exist_time = Benchmark.realtime do
|
|
59
|
+
User.authenticate("bad_email@example.com", password)
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
expect(user_does_not_exist_time). to be_within(0.001).of(user_exists_time)
|
|
63
|
+
end
|
|
64
|
+
|
|
65
|
+
it "takes the same amount of time to fail authentication regardless of whether user exists" do
|
|
66
|
+
user = create(:user)
|
|
67
|
+
|
|
68
|
+
user_exists_time = Benchmark.realtime do
|
|
69
|
+
User.authenticate(user.email, "bad_password")
|
|
70
|
+
end
|
|
71
|
+
|
|
72
|
+
user_does_not_exist_time = Benchmark.realtime do
|
|
73
|
+
User.authenticate("bad_email@example.com", "bad_password")
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
expect(user_does_not_exist_time). to be_within(0.001).of(user_exists_time)
|
|
77
|
+
end
|
|
78
|
+
|
|
50
79
|
it "is retrieved via a case-insensitive search" do
|
|
51
80
|
user = create(:user)
|
|
52
81
|
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: clearance
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.2.
|
|
4
|
+
version: 2.2.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dan Croak
|
|
@@ -25,7 +25,7 @@ authors:
|
|
|
25
25
|
autorequire:
|
|
26
26
|
bindir: bin
|
|
27
27
|
cert_chain: []
|
|
28
|
-
date: 2020-07
|
|
28
|
+
date: 2020-08-07 00:00:00.000000000 Z
|
|
29
29
|
dependencies:
|
|
30
30
|
- !ruby/object:Gem::Dependency
|
|
31
31
|
name: bcrypt
|
|
@@ -308,7 +308,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
308
308
|
- !ruby/object:Gem::Version
|
|
309
309
|
version: '0'
|
|
310
310
|
requirements: []
|
|
311
|
-
rubygems_version: 3.
|
|
311
|
+
rubygems_version: 3.0.3
|
|
312
312
|
signing_key:
|
|
313
313
|
specification_version: 4
|
|
314
314
|
summary: Rails authentication & authorization with email & password.
|