Skip to content

Case insensitive tokens#249

Open
StevenClontz wants to merge 11 commits intomikker:masterfrom
StevenClontz:StevenClontz/case-insensitive-tokens
Open

Case insensitive tokens#249
StevenClontz wants to merge 11 commits intomikker:masterfrom
StevenClontz:StevenClontz/case-insensitive-tokens

Conversation

@StevenClontz
Copy link
Contributor

@StevenClontz StevenClontz commented Feb 24, 2025

closes #248

@StevenClontz StevenClontz mentioned this pull request Feb 24, 2025
Open
@StevenClontz StevenClontz marked this pull request as ready for review February 24, 2025 16:29
bluefantail
bluefantail reviewed Mar 2, 2025
View reviewed changes
StevenClontz
StevenClontz commented Mar 2, 2025
View reviewed changes
mikker
mikker reviewed Mar 3, 2025
View reviewed changes
app/models/passwordless/session.rb Outdated
Comment on lines 35 to 38
def token=(token)
Passwordless.config.case_insensitive_tokens ? modified_token = token.upcase : modified_token = token
self.token_digest = Passwordless.digest(modified_token)
@token = (modified_token)
Copy link
Owner

@mikker mikker Mar 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should do anything at write time. Rather, let's just upcase in SQL when searching for tokens

Copy link
Contributor Author

@StevenClontz StevenClontz Mar 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
def token=(token)
Passwordless.config.case_insensitive_tokens ? modified_token = token.upcase : modified_token = token
self.token_digest = Passwordless.digest(modified_token)
@token = (modified_token)
def token=(plaintext)
self.token_digest = Passwordless.digest(plaintext)
@token = (plaintext)

Copy link
Contributor Author

@StevenClontz StevenClontz Mar 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we have to do this at write time - we're persisting the token digest, not the token, so I believe we cannot upcase the token digest when searching for tokens.

mikker
mikker reviewed Mar 10, 2025
View reviewed changes
@StevenClontz StevenClontz requested a review from mikker March 10, 2025 16:11
mikker
mikker requested changes Apr 3, 2025
View reviewed changes
app/models/passwordless/session.rb
Comment on lines +36 to +42
token = token.upcase if Passwordless.config.case_insensitive_tokens
self.token_digest = Passwordless.digest(token)
@token = token
end

def authenticate(token)
token = token.upcase if Passwordless.config.case_insensitive_tokens
Copy link
Owner

@mikker mikker Apr 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is only case-insensitive so long as you're using a key generator that only outputs UPPER CASE keys. I think the option is a bit misleading then. We should do the upcasing as part of the db lookup instead, so we're case-insensitive no matter the generator output.

Copy link
Contributor Author

@StevenClontz StevenClontz Apr 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I follow. I believe this should work for a key generator that uses lower case keys (or mixed case, though that'd be silly). I'll add tests to confirm this when I have a chance.

Note that since the generator output is hashed before it is persisted to the database, we cannot store a mixed case token and hope to look it up with a case insensitive token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mikker mikker mikker requested changes

+1 more reviewer

@bluefantail bluefantail bluefantail left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support case-insensitive tokens?

3 participants

@StevenClontz @mikker @bluefantail