omniauth-onetime 1.0.4 → 1.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 40834fd3d8b50476dadb4e1fb04acab0ff4a384e
-  data.tar.gz: 21f91f93bbb1c40cf8bdc38dea8450f236d71772
+  metadata.gz: 0e85bdc6ee5c9c9ab310e1413f99edf649bbdd81
+  data.tar.gz: 6704b9a92227d5289fba78c2237d00039f13a921
 SHA512:
-  metadata.gz: a5d4809b47eee98df3b95322445d847bc3abb7b00901a710c8987e5414b6d66fc690dd4edc83c8bb1a8a0067f31faeab0666a7138d452b97c14d8d5cac1044df
-  data.tar.gz: d5f3e9eeadfa45f7b921f12017da747bccdaa2cf9f02826cf2046e2cddb04068e51228c419b1eca4e07bb717bdf8bc0649ef166adc4b1e086e4e942adbd1961d
+  metadata.gz: 7b71cf561ebcc9bee91dd0dc1a4afd34d034416c0651bb0aefa2974655602627a85bb29200498cb772c78995f29376658297358c2777905b7e93ff16b66b6d38
+  data.tar.gz: ef1ddba2ff02665ebf465a2a2fc9db343e6451f839cb74da05611a6cd12ef2eb3a7361b436436469486f7c66378af04323e312fa3ff35a70d46a2ae025249900

data/README.md

@@ -59,7 +59,7 @@ end
 `config/routes.rb` file something like this:
 
 ```ruby
-post '/auth/:provider/callback', to: 'sessions#create'
+match '/auth/:provider/callback', to: 'sessions#create', via: [:get, :post]
 ```
 
 `app/controllers/sessions_controller.rb` file something like this:
@@ -200,7 +200,8 @@ system using this gem. Using the default settings of an 8 letter password:
 26^8 = 208,827,064,576 permutations
 
 In order to compromise a password in 5 minutes an adversary will have to
-hash nearly 700 million passwords per second.
+hash nearly 700 million passwords per second to ensure the password is cracked
+within the time the password is valid.
 
 26^8 permutations / 300 seconds = 696,090,216 hashes per second
 
@@ -217,6 +218,14 @@ A Zynq 7045 FPGA device was able to achieve
 [226 hashes per second](http://www.openwall.com/presentations/Passwords14-Energy-Efficient-Cracking/slide-50.html "Energy-efficient bcrypt cracking, slide 50")
 at bcrypt cost 12.
 
+The above scenario also assumes that the attack is either not through the web
+app itself (ie there has already been a security breach) or that the web app is
+not a limiting factor on the number of attempts. If a web app also employed a
+solution like  [Rack::Attack](https://github.com/kickstarter/rack-attack) to
+limit sign-in attempts to 1 per second per ip then the chance
+of cracking a random 8 letter password is 300 (approximate attempts) in 26^8
+(permutations) or 1 in 696,090,216.
+
 It's probably wise to keep this in mind:
 
 [![xlcd: Security](http://imgs.xkcd.com/comics/security.png)](https://xkcd.com/538/)

data/lib/omniauth/omniauth-onetime/version.rb

@@ -19,6 +19,6 @@
 #
 module OmniAuth
   module Onetime
-    VERSION = '1.0.4'.freeze
+    VERSION = '1.0.5'.freeze
   end
 end

data/lib/omniauth/strategies/onetime.rb

@@ -142,7 +142,9 @@ module OmniAuth
       def send_password(email, plaintext)
         # break the password into groups of 4 letters for readability and
         # usability
-        body = plaintext.scan(/.{4}/).join(' ')
+        pw = plaintext.scan(/.{4}/).join(' ')
+        link = "#{callback_url}?email=#{email}&password=#{plaintext}"
+        body = "Enter this code: #{pw}\nOr click this link:\n#{link}"
         ActionMailer::Base
           .mail(options[:email_options].merge(to: email, body: body))
           .deliver_now

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-onetime
 version: !ruby/object:Gem::Version
-  version: 1.0.4
+  version: 1.0.5
 platform: ruby
 authors:
 - thoughtafter