Skip to content

Case insensitive tokens #249

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

Case insensitive tokens #249

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
649aacd
add config and tests
StevenClontz Feb 24, 2025
6e842c1
check for nil
StevenClontz Feb 24, 2025
df4f7d4
add instructions on running tests to readme
StevenClontz Feb 24, 2025
99c0b13
fix tests
StevenClontz Feb 24, 2025
68fb37a
avoid frozen_string_literal issue
StevenClontz Feb 24, 2025
206cd6b
add test for case sensitive specifically
StevenClontz Feb 24, 2025
d0c99e1
Update README.md
StevenClontz Mar 8, 2025
eb49874
Update app/models/passwordless/session.rb
StevenClontz Mar 8, 2025
9830f08
Apply suggestions from code review
StevenClontz Mar 10, 2025
23afdac
remove invalid test
StevenClontz Mar 10, 2025
8144f94
upcase token when setting token (to get correct digest)
StevenClontz Mar 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -296,6 +296,14 @@ end

Passwordless will keep generating tokens until it finds one that hasn't been used yet. So be sure to use some kind of method where matches are unlikely.

If your app should not distinguish between lowercase and uppercase letters in tokens, `Passwordless.config.case_insensitive_tokens` may be set to `true`.

```ruby
Passwordless.configure do |config|
config.case_insensitive_tokens = true # allows `abc123` and `AbC123` to match `ABC123`
end
```

### Timeout and Expiry

The _timeout_ is the time by which the generated token and magic link is invalidated. After this the token cannot be used to sign in to your app and the user will need to request a new token.
Expand Down Expand Up @@ -346,6 +354,16 @@ class User < ApplicationRecord
end
```

## Testing

To run tests locally on a fork of this repository:

```
$ bundle
$ bin/rails db:create RAILS_ENV=test
$ bin/rails test
```

## Test helpers

To help with testing, a set of test helpers are provided.
Expand Down
9 changes: 6 additions & 3 deletions app/models/passwordless/session.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,12 +32,14 @@ class Session < ApplicationRecord
# hashed version in the database
attr_reader :token

def token=(plaintext)
self.token_digest = Passwordless.digest(plaintext)
@token = (plaintext)
def token=(token)
token = token.upcase if Passwordless.config.case_insensitive_tokens
self.token_digest = Passwordless.digest(token)
@token = token
end

def authenticate(token)
token = token.upcase if Passwordless.config.case_insensitive_tokens
Comment on lines +36 to +42
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is only case-insensitive so long as you're using a key generator that only outputs UPPER CASE keys. I think the option is a bit misleading then. We should do the upcasing as part of the db lookup instead, so we're case-insensitive no matter the generator output.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I follow. I believe this should work for a key generator that uses lower case keys (or mixed case, though that'd be silly). I'll add tests to confirm this when I have a chance.

Note that since the generator output is hashed before it is persisted to the database, we cannot store a mixed case token and hope to look it up with a case insensitive token.

token_digest == Passwordless.digest(token)
end

Expand Down Expand Up @@ -81,6 +83,7 @@ def set_defaults

self.token, self.token_digest = loop {
token = Passwordless.config.token_generator.call(self)
token = token.upcase if Passwordless.config.case_insensitive_tokens
digest = Passwordless.digest(token)
break [token, digest] if token_digest_available?(digest)
}
Expand Down
1 change: 1 addition & 0 deletions lib/passwordless/config.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@ class Configuration
option :parent_mailer, default: "ActionMailer::Base"
option :restrict_token_reuse, default: true
option :token_generator, default: ShortTokenGenerator.new
option :case_insensitive_tokens, default: false
option :combat_brute_force_attacks, default: !Rails.env.test?

option :expires_at, default: lambda { 1.year.from_now }
Expand Down
26 changes: 26 additions & 0 deletions test/models/passwordless/session_test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,24 @@ class SessionTest < ActiveSupport::TestCase
refute session.authenticate("no")
end

test("authenticate with case insensitive tokens") do
Passwordless.config.case_insensitive_tokens = true
session = create_session(token: "hi123")

assert session.authenticate("hi123")
assert session.authenticate("Hi123")
assert session.authenticate("HI123")
refute session.authenticate("no123")

Passwordless.config.case_insensitive_tokens = false
session = create_session(token: "hi123")

assert session.authenticate("hi123")
refute session.authenticate("Hi123")
refute session.authenticate("HI123")
refute session.authenticate("no123")
end

test("#expired?") do
expired_session = create_session(expires_at: 1.hour.ago)

Expand Down Expand Up @@ -68,6 +86,14 @@ def call(_session)
assert_equal "hi", session.token
assert_equal Passwordless.digest("hi"), session.token_digest
end

test("setting token manually when case insensitive") do
Passwordless.config.case_insensitive_tokens = true
session = Session.new(token: "hi")
assert_equal "hi".upcase, session.token
assert_equal Passwordless.digest("hi".upcase), session.token_digest
Passwordless.config.case_insensitive_tokens = false
end

test("with a custom expire at function") do
custom_expire_at = Time.parse("01-01-2100").utc
Expand Down