Sha256: 8df256c3ad12aab5b883037cec31af6168b24793ab4c9585d4a2564ea07d8095
Contents?: true
Size: 1.4 KB
Versions: 5
Compression:
Stored size: 1.4 KB
Contents
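# frozen_string_literal: true

module MinimalistAuthentication
  # Adds a time-limited, single-purpose verification token to the including
  # class. The includer must provide the +verification_token+ and
  # +verification_token_generated_at+ attributes, the +update+, +update!+ and
  # +errors+ instance methods, and a +generate_unique_secure_token+ class
  # method.
  #
  # NOTE(review): the token is persisted as given and only hashed at comparison
  # time, so the stored value presumably is the usable token itself. Storing a
  # digest instead would limit exposure if the backing store is disclosed;
  # confirm against the includer's schema before changing.
  module VerifiableToken
    extend ActiveSupport::Concern

    # Lifetime of a verification token, in hours, counted from the time it
    # was generated.
    TOKEN_EXPIRATION_HOURS = 6

    # Generates a new secure verification token and records the generation
    # time. Raises if persistence fails, because update_token uses +update!+.
    #
    # @return [Boolean] the result of +update!+
    def regenerate_verification_token
      update_token
    end

    # Applies +attributes+ only when +token+ matches the stored, unexpired
    # verification token, then clears the token so it cannot be reused.
    #
    # NOTE(review): the attribute update and the token reset are two separate
    # writes. If the reset raises, the attributes are already saved and the
    # token stays valid until it expires. If the includer is an ActiveRecord
    # model, wrapping both writes in a transaction would close that gap.
    # Callers are also expected to pass only permitted attributes.
    #
    # @param token [String] the token presented by the caller
    # @param attributes [Hash] attributes forwarded unchanged to +update+
    # @return [Boolean] true when the token matched and both writes succeeded
    def secure_update(token, attributes)
      if matches_verification_token?(token)
        update(attributes) && clear_token
      else
        errors.add(:base, "Verification token check failed")
        false
      end
    end

    # Checks the presented token against the stored one.
    #
    # A token that is not a String (for example an Array or Hash produced by
    # request parameter parsing) is rejected up front. Without the type check
    # such a value passes +present?+ and makes Digest::SHA256.hexdigest raise
    # TypeError, turning a failed verification into an unhandled exception.
    #
    # @param token [String] the token presented by the caller
    # @return [Boolean] true only for a present String that matches an
    #   unexpired stored token
    def matches_verification_token?(token)
      token.is_a?(String) && token.present? && verification_token_valid? && secure_match?(token)
    end

    # Reports whether a stored token exists and is still inside its lifetime.
    #
    # @return [Boolean] false when the token or its timestamp is blank, or
    #   when the token is older than TOKEN_EXPIRATION_HOURS
    def verification_token_valid?
      return false if verification_token.blank? || verification_token_generated_at.blank?

      verification_token_generated_at > TOKEN_EXPIRATION_HOURS.hours.ago
    end

    private

    # Removes the stored token and its timestamp, invalidating the token.
    def clear_token
      update_token(token: nil, time: nil)
    end

    # Persists the token and its generation time together. +update!+ is used
    # so that a failed write raises instead of passing silently.
    #
    # @param token [String, nil] new token; defaults to a freshly generated one
    # @param time [Time, nil] generation time; defaults to the current UTC time
    def update_token(token: self.class.generate_unique_secure_token, time: Time.now.utc)
      update!(
        verification_token: token,
        verification_token_generated_at: time
      )
    end

    # Compare the tokens in a time-constant manner, to mitigate timing attacks.
    # Both sides are hashed first, so the values handed to secure_compare are
    # always the same length whatever the length of the presented token.
    # Callers must ensure +token+ is a String and +verification_token+ is
    # present; matches_verification_token? checks both before calling this.
    def secure_match?(token)
      ActiveSupport::SecurityUtils.secure_compare(
        ::Digest::SHA256.hexdigest(token),
        ::Digest::SHA256.hexdigest(verification_token)
      )
    end
  end
end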
Version data entries
5 entries across 5 versions & 1 rubygems