Increase the size of the friendly token.

The chance of someone to successfully guess a random token in the website is: (number_of_users / 2388636399360109977557402041718133080829429159844757507642063199359529632522467783435119230976)
2022-11-09 12:18:31 -05:00 · 2010-09-25 11:51:54 +02:00 · 2010-09-25 11:51:54 +02:00 · 2aa1d2f3b7
commit 2aa1d2f3b7
parent c12d75eecf
5 changed files with 6 additions and 4 deletions
--- a/CHANGELOG.rdoc
+++ b/CHANGELOG.rdoc
@ -7,6 +7,8 @@
  * sign_out_via is available in the router to configure the method used for sign out (by github.com/martinrehfeld)
  * Improved Ajax requests handling in failure app (by github.com/spastorino)
  * Add request_keys to easily use request specific values (like subdomain) in authentication
+  * Increased the size of friendly_token to 60 characters (reduces the chances of a successful brute attack)
+  * Ensure the friendly token does not include "_" or "-" since some e-mails may not autolink it properly (by github.com/rymai)

 * bugfix
  * after_sign_in_path_for always receives a resource
--- a/lib/devise.rb
+++ b/lib/devise.rb
@ -347,7 +347,7 @@ module Devise

  # Generate a friendly string randomically to be used as token.
  def self.friendly_token
-    ActiveSupport::SecureRandom.base64(15).tr('+/=', '-_ ').strip.delete("\n")
+    ActiveSupport::SecureRandom.base64(44).tr('+/=', 'xyz')
  end
 end

--- a/lib/devise/encryptors/base.rb
+++ b/lib/devise/encryptors/base.rb
@ -13,7 +13,7 @@ module Devise
      end

      def self.salt(stretches)
-        Devise.friendly_token
+        Devise.friendly_token[0,20]
      end
    end
  end
--- a/test/models/database_authenticatable_test.rb
+++ b/test/models/database_authenticatable_test.rb
@ -41,7 +41,7 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase

  test 'should generate a base64 hash using SecureRandom for password salt' do
    swap_with_encryptor User, :sha1 do
-      ActiveSupport::SecureRandom.expects(:base64).with(15).returns('friendly_token')
+      ActiveSupport::SecureRandom.expects(:base64).with(44).returns('friendly_token')
      assert_equal 'friendly_token', new_user.password_salt
    end
  end
--- a/test/rails_app/lib/shared_user.rb
+++ b/test/rails_app/lib/shared_user.rb
@ -39,7 +39,7 @@ module SharedUser
    self.facebook_token = access_token.token

    unless encrypted_password.present?
-      self.password = Devise.friendly_token
+      self.password = Devise.friendly_token[0, 10]
      self.password_confirmation = nil
    end