Skip to content

Case insensitive tokens #249

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

Case insensitive tokens #249

wants to merge 11 commits into from

Conversation

StevenClontz
Copy link
Contributor

closes #248

@StevenClontz StevenClontz mentioned this pull request Feb 24, 2025
Open
@StevenClontz StevenClontz marked this pull request as ready for review February 24, 2025 16:29
bluefantail
bluefantail reviewed Mar 2, 2025
View reviewed changes
StevenClontz
StevenClontz commented Mar 2, 2025
View reviewed changes
mikker
mikker reviewed Mar 3, 2025
View reviewed changes
app/models/passwordless/session.rb Outdated
Comment on lines 35 to 38
def token=(token)
Passwordless.config.case_insensitive_tokens ? modified_token = token.upcase : modified_token = token
self.token_digest = Passwordless.digest(modified_token)
@token = (modified_token)
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should do anything at write time. Rather, let's just upcase in SQL when searching for tokens

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
def token=(token)
Passwordless.config.case_insensitive_tokens ? modified_token = token.upcase : modified_token = token
self.token_digest = Passwordless.digest(modified_token)
@token = (modified_token)
def token=(plaintext)
self.token_digest = Passwordless.digest(plaintext)
@token = (plaintext)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we have to do this at write time - we're persisting the token digest, not the token, so I believe we cannot upcase the token digest when searching for tokens.

mikker
mikker reviewed Mar 10, 2025
View reviewed changes
@StevenClontz StevenClontz requested a review from mikker March 10, 2025 16:11
mikker
mikker requested changes Apr 3, 2025
View reviewed changes
app/models/passwordless/session.rb
Comment on lines +36 to +42
token = token.upcase if Passwordless.config.case_insensitive_tokens
self.token_digest = Passwordless.digest(token)
@token = token
end

def authenticate(token)
token = token.upcase if Passwordless.config.case_insensitive_tokens
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is only case-insensitive so long as you're using a key generator that only outputs UPPER CASE keys. I think the option is a bit misleading then. We should do the upcasing as part of the db lookup instead, so we're case-insensitive no matter the generator output.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure I follow. I believe this should work for a key generator that uses lower case keys (or mixed case, though that'd be silly). I'll add tests to confirm this when I have a chance.

Note that since the generator output is hashed before it is persisted to the database, we cannot store a mixed case token and hope to look it up with a case insensitive token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bluefantail bluefantail bluefantail left review comments

@mikker mikker mikker requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support case-insensitive tokens?
3 participants
@StevenClontz @mikker @bluefantail