Module: JWT::JWA::Hmac::SecurityUtils
- Defined in:
- lib/jwt/jwa/hmac.rb
Overview
Copy of github.com/rails/rails/blob/v7.0.3.1/activesupport/lib/active_support/security_utils.rb rubocop:disable Naming/MethodParameterName, Style/StringLiterals, Style/NumericPredicate
Class Method Summary collapse
-
.fixed_length_secure_compare(a, b) ⇒ Object
:nocov:.
-
.secure_compare(a, b) ⇒ Object
Secure string comparison for strings of variable length.
Class Method Details
.fixed_length_secure_compare(a, b) ⇒ Object
:nocov:
55 56 57 |
# File 'lib/jwt/jwa/hmac.rb', line 55 def fixed_length_secure_compare(a, b) OpenSSL.fixed_length_secure_compare(a, b) end |
.secure_compare(a, b) ⇒ Object
Secure string comparison for strings of variable length.
While a timing attack would not be able to discern the content of a secret compared via secure_compare, it is possible to determine the secret length. This should be considered when using secure_compare to compare weak, short secrets to user input.
74 75 76 |
# File 'lib/jwt/jwa/hmac.rb', line 74 def secure_compare(a, b) a.bytesize == b.bytesize && fixed_length_secure_compare(a, b) end |