Use urlsafe_base64 for url sensitive chars #19
Conversation
| @@ -12,7 +12,7 @@ def self.included(base) | |||
|
|
|||
| # Random code, used for salt and temporary tokens. | |||
| def self.generate_random_token | |||
| SecureRandom.base64(15).tr('+/=lIO0', 'pqrsxyz') | |||
| SecureRandom.urlsafe_base64(15).tr('lIO0', 'sxyz') | |||
There was a problem hiding this comment.
Using urlsafe here is definitely preferable, although I wonder if we can deprecate this model entirely by using rails built in has_secure_token?
|
The behavior is the almost same around this change. |
|
Unless I'm mistaken, this changes behavior that could affect how someone handles the tokens (if it's not URL safe to begin with, someone might be running a strip method before using it in URLs). It likely won't affect most users, but I would err on the side of caution. Edit: Ah, my bad. I should have read up on what tr does first. Looks like this is basically identical functionality. I'll go ahead and merge, seeing as it doesn't affect how users should handle the method it shouldn't need a changelog either. |
We can use the urlsafe one.