In this exponentially growing digital world, everybody is worried about one thing.
Yes, it is SECURITY.
The need for security is undeniable in today’s cyber ecosystem of phishing and breaches.
The fundamental mechanism used by most websites to achieve security is authentication. In simple terms, the user/customer needs to log in using a username/email and password to access various contents of the website.
Let’s say we have a customer model with an email and a password. We can create this customer record as follows:
Note: We are using the following code snippet to authenticate the customer. It returns early when no customer with a matching email is present.
Now, the above code snippet is vulnerable to a timing-based enumeration attack, wherein an attacker can determine whether a customer with the given email exists: because of the early return, a request for an unknown email skips the password digest and finishes measurably faster than a request for a known email with a wrong password.
It is a common practice to reuse the same password across websites instead of using password manager applications.
After confirming that an account exists in the database, the attacker can try the passwords associated with that same email address in databases leaked elsewhere on the web. Once an account’s email address is known, the attacker can also attempt a targeted brute-force or phishing (“spear-phishing”) attack against it.
Rails introduces a new class method, authenticate_by.

authenticate_by cryptographically digests the given password attributes even when no matching record is found, so a lookup for an unknown email costs about as much time as a failed password check; this helps mitigate timing-based enumeration attacks. The method finds a record using the non-password attributes and then authenticates that record using the password attributes.
It returns the record if authentication succeeds; otherwise, it returns nil. This method raises an ArgumentError if the set of attributes doesn’t contain at least one password attribute and one non-password attribute.
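To make the timing difference concrete, here is an added, self-contained Ruby example (not the post’s own snippet and not Rails’ implementation). It stands in for a Rails model with an in-memory table and PBKDF2 from Ruby’s OpenSSL stdlib in place of bcrypt, and contrasts the early-return lookup from the note above with a lookup shaped like authenticate_by, which always pays the digest cost.

```ruby
require "openssl"
require "securerandom"

# Constructed stand-in for a Rails model with has_secure_password: an in-memory
# table and a slow digest (PBKDF2 from Ruby's OpenSSL stdlib in place of bcrypt).
class Customer
  ITERATIONS = 100_000
  TABLE = {}                                  # email => Customer
  DUMMY_SALT = SecureRandom.random_bytes(16)  # digested when no record matches
  attr_reader :email, :salt, :password_digest
  def self.digest(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: "sha256")
  end
  # Vulnerable: returns before any digest work when the email is unknown, so a
  # "no such account" attempt finishes far faster than a wrong-password attempt.
  def self.authenticate_early_return(email:, password:)
    customer = TABLE[email]
    return nil unless customer
    customer.authenticate(password)
  end
  # Mitigated, the shape of authenticate_by: always pay the digest cost (against
  # a dummy salt when nothing matches) so both failure cases take about as long.
  def self.authenticate_by(email:, password:)
    customer = TABLE[email]
    return customer.authenticate(password) if customer
    digest(password, DUMMY_SALT)
    nil
  end
  def initialize(email, password)
    @email = email
    @salt = SecureRandom.random_bytes(16)
    @password_digest = self.class.digest(password, @salt)
  end
  # Constant-time comparison of the candidate digest with the stored one;
  # returns the record on success and nil on failure.
  def authenticate(password)
    candidate = self.class.digest(password, salt)
    diff = candidate.bytes.zip(password_digest.bytes).reduce(0) { |d, (a, b)| d | (a ^ b) }
    diff.zero? ? self : nil
  end
end

# Wall-clock seconds for one attempt; use it to compare the two failure cases.
def attempt_seconds(method, email:, password:)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  Customer.public_send(method, email: email, password: password)
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
end
```

Timing an unknown email against a wrong password with `attempt_seconds` shows the early-return version finishing orders of magnitude faster, while the authenticate_by-shaped version takes roughly the same time in both cases.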
Check out the PR (including #43779, #43958, and #43997) that made this happen!