rails/activerecord/test/schema
Jonathan Hefner 9becc41df9 Add authenticate_by when using has_secure_password
This method is intended to replace code like the following, which
returns early when a user with a matching email is not found:

```ruby
User.find_by(email: "...")&.authenticate("...")
```

Such code is vulnerable to timing-based enumeration attacks, wherein an
attacker can determine if a user account with a given email exists.
After confirming that an account exists, the attacker can try passwords
associated with that email address from other leaked databases, in case
the user re-used a password across multiple sites (a common practice).
Additionally, knowing an account email address allows the attacker to
attempt a targeted phishing ("spear phishing") attack.

`authenticate_by` addresses the vulnerability by taking the same amount
of time regardless of whether a user with a matching email is found.
2021-12-03 10:06:43 -06:00
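The difference the commit message describes, modelled as an added stand-alone Ruby example (not Rails's code and not part of the commit): `UserStore`, the use of PBKDF2 as the password hash, and the `kdf_cost` helper are assumptions made for the illustration. It counts key-derivation runs instead of measuring wall-clock time, so the gap between an unknown and a known email shows up deterministically.

```ruby
require "openssl"
require "securerandom"

# Constructed in-memory user store standing in for a database table (hypothetical).
class UserStore
  ITERATIONS = 50_000
  attr_reader :kdf_calls

  def initialize
    @users = {}
    @kdf_calls = 0
  end

  def add(email, password)
    salt = SecureRandom.bytes(16)
    @users[email] = { salt: salt, digest: derive(password, salt) }
  end

  # Early-return pattern: an unknown email skips the KDF, so it answers faster.
  def authenticate_naive(email, password)
    user = @users[email]
    user && verify(user, password) ? email : nil
  end

  # Equalized pattern: an unknown email still pays for one KDF run, then fails.
  def authenticate_equalized(email, password)
    user = @users[email]
    return (verify(user, password) ? email : nil) if user
    derive(password, SecureRandom.bytes(16)) # dummy salt; result discarded on purpose
    nil
  end

  private
  def derive(password, salt)
    @kdf_calls += 1
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS, length: 32, hash: "sha256")
  end

  def verify(user, password)
    OpenSSL.fixed_length_secure_compare(user[:digest], derive(password, user[:salt]))
  end
end

# Number of KDF runs the given block triggers; a proxy for response time.
def kdf_cost(store)
  before = store.kdf_calls
  yield
  store.kdf_calls - before
end
```

With the early-return version an unknown email costs zero KDF runs and a known one costs one; the equalized version costs one in both cases.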
..
mysql2_specific_schema.rb Fix "Specified key was too long; max key length is 1000 bytes (Mysql2::Error)" 2021-10-14 15:43:52 +09:00
oracle_specific_schema.rb Use squiggly heredoc to strip odd indentation in the executed SQL 2018-11-22 19:43:53 +09:00
postgresql_specific_schema.rb PostgreSQL: handle timestamp with time zone columns correctly in schema.rb 2021-02-10 10:59:31 -07:00
schema.rb Add authenticate_by when using has_secure_password 2021-12-03 10:06:43 -06:00
sqlite_specific_schema.rb add mysql and sqlite3 default test 2018-09-01 22:09:01 -04:00