omniauth-onetime 1.0.4 → 1.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 40834fd3d8b50476dadb4e1fb04acab0ff4a384e
4
- data.tar.gz: 21f91f93bbb1c40cf8bdc38dea8450f236d71772
3
+ metadata.gz: 0e85bdc6ee5c9c9ab310e1413f99edf649bbdd81
4
+ data.tar.gz: 6704b9a92227d5289fba78c2237d00039f13a921
5
5
  SHA512:
6
- metadata.gz: a5d4809b47eee98df3b95322445d847bc3abb7b00901a710c8987e5414b6d66fc690dd4edc83c8bb1a8a0067f31faeab0666a7138d452b97c14d8d5cac1044df
7
- data.tar.gz: d5f3e9eeadfa45f7b921f12017da747bccdaa2cf9f02826cf2046e2cddb04068e51228c419b1eca4e07bb717bdf8bc0649ef166adc4b1e086e4e942adbd1961d
6
+ metadata.gz: 7b71cf561ebcc9bee91dd0dc1a4afd34d034416c0651bb0aefa2974655602627a85bb29200498cb772c78995f29376658297358c2777905b7e93ff16b66b6d38
7
+ data.tar.gz: ef1ddba2ff02665ebf465a2a2fc9db343e6451f839cb74da05611a6cd12ef2eb3a7361b436436469486f7c66378af04323e312fa3ff35a70d46a2ae025249900
data/README.md CHANGED
@@ -59,7 +59,7 @@ end
59
59
  `config/routes.rb` file something like this:
60
60
 
61
61
  ```ruby
62
- post '/auth/:provider/callback', to: 'sessions#create'
62
+ match '/auth/:provider/callback', to: 'sessions#create', via: [:get, :post]
63
63
  ```
64
64
 
65
65
  `app/controllers/sessions_controller.rb` file something like this:
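Review bot: changing the route from `post` to `match ... via: [:get, :post]` makes session creation triggerable by a plain GET, and the README should say so next to the route rather than leaving readers to infer it: with GET the one-time password arrives in the query string (web-server and proxy access logs, browser history, Referer headers), and Rails' forgery protection, which only verifies non-GET requests, no longer covers the callback. Suggest a sentence under the snippet explaining that GET is there so the emailed link works and what that exposes, so a deployer can decide whether to keep `post` only.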
@@ -200,7 +200,8 @@ system using this gem. Using the default settings of an 8 letter password:
200
200
  26^8 = 208,827,064,576 permutations
201
201
 
202
202
  In order to compromise a password in 5 minutes an adversary will have to
203
- hash nearly 700 million passwords per second.
203
+ hash nearly 700 million passwords per second to ensure the password is cracked
204
+ within the time the password is valid.
204
205
 
205
206
  26^8 permutations / 300 seconds = 696,090,216 hashes per second
206
207
 
@@ -217,6 +218,14 @@ A Zynq 7045 FPGA device was able to achieve
217
218
  [226 hashes per second](http://www.openwall.com/presentations/Passwords14-Energy-Efficient-Cracking/slide-50.html "Energy-efficient bcrypt cracking, slide 50")
218
219
  at bcrypt cost 12.
219
220
 
221
+ The above scenario also assumes that the attack is either not through the web
222
+ app itself (ie there has already been a security breach) or that the web app is
223
+ not a limiting factor on the number of attempts. If a web app also employed a
224
+ solution like [Rack::Attack](https://github.com/kickstarter/rack-attack) to
225
+ limit sign-in attempts to 1 per second per ip then the chance
226
+ of cracking a random 8 letter password is 300 (approximate attempts) in 26^8
227
+ (permutations) or 1 in 696,090,216.
228
+
220
229
  It's probably wise to keep this in mind:
221
230
 
222
231
  [![xlcd: Security](http://imgs.xkcd.com/comics/security.png)](https://xkcd.com/538/)
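Review bot: the stated bound of roughly 300 attempts against 26^8 permutations only holds if the throttle is keyed on the account under attack, but the paragraph says `1 per second per ip`; a per-IP limit lets an attacker using many source addresses make far more than 300 guesses against one email address within the five-minute validity window. Suggest wording the limit as per email (or per email and per IP) so the probability claim matches the mitigation, and while editing, `ie` should read `i.e.` and `ip` should read `IP`.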
@@ -19,6 +19,6 @@
19
19
  #
20
20
  module OmniAuth
21
21
  module Onetime
22
- VERSION = '1.0.4'.freeze
22
+ VERSION = '1.0.5'.freeze
23
23
  end
24
24
  end
@@ -142,7 +142,9 @@ module OmniAuth
142
142
  def send_password(email, plaintext)
143
143
  # break the password into groups of 4 letters for readability and
144
144
  # usability
145
- body = plaintext.scan(/.{4}/).join(' ')
145
+ pw = plaintext.scan(/.{4}/).join(' ')
146
+ link = "#{callback_url}?email=#{email}&password=#{plaintext}"
147
+ body = "Enter this code: #{pw}\nOr click this link:\n#{link}"
146
148
  ActionMailer::Base
147
149
  .mail(options[:email_options].merge(to: email, body: body))
148
150
  .deliver_now
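Review bot: `link = "#{callback_url}?email=#{email}&password=#{plaintext}"` interpolates `email` and `plaintext` into the query string without encoding, so an address containing `+`, `&` or `%` yields a malformed or mis-parsed URL; build the query with `URI.encode_www_form(email: email, password: plaintext)` (or `Rack::Utils.build_query`) instead. Separately, carrying the one-time password in a GET URL means it is recorded wherever URLs are logged (web-server and proxy access logs, browser history, Referer headers on outbound links from the landing page), and mail security gateways that prefetch links can consume the code before the user clicks it; a code comment or README note should record that trade-off so deployers can decide whether to include the link at all.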
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: omniauth-onetime
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.4
4
+ version: 1.0.5
5
5
  platform: ruby
6
6
  authors:
7
7
  - thoughtafter