Problem:

When using Devise together with the Devise security gem to ensure that passwords are always strong enough.

If a user logs in via OAuth without a password, we have to generate a random password for that user in order to satisfy the `NOT NULL` constraint on `encrypted_password` in the `users` table by default:

```ruby
password = SecureRandom.urlsafe_base64
```

or

```ruby
password = Devise.friendly_token[0, 20]
```

Sometimes the result of `urlsafe_base64` is a string without a single number, and that makes the password insecure according to the security extension `devise_security_extension`.

You can check this by comparing the generated value of `urlsafe_base64` against the strong password pattern in the security gem config.

Devise provides a method for this, but it still uses the same `urlsafe_base64` call, so this case can still happen:

```ruby
# Generate a friendly string randomly to be used as token.
# By default, the length is 20 characters.
def self.friendly_token(length = 20)
  # To calculate real characters, we must perform this operation.
  # See SecureRandom.urlsafe_base64
  rlength = (length * 3) / 4
  SecureRandom.urlsafe_base64(rlength).tr('lIO0', 'sxyz')
end
```

Solution:

Override the default Devise password generator.

Lesson:

Dig into the gem source to see how the data is generated.

Why does `urlsafe_base64` sometimes return a string without a number?

Reference:

https://stackoverflow.com/questions/3681827/how-to-auto-generate-passwords-in-rails-devise
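As an added example (not from the issue author, Devise or devise-security), here is a replacement generator that reproduces the observation above and fixes it by rejection sampling against the complexity policy; `STRONG_PASSWORD_PATTERN` is an assumed policy, not the gem's own config, so adjust it to your `password_complexity` settings:

```ruby
require 'securerandom'

# Assumed policy (not the gem's own default): at least one lower-case letter,
# one upper-case letter and one digit. Align this with your
# devise_security_extension / devise-security password_complexity config.
STRONG_PASSWORD_PATTERN = /\A(?=.*[a-z])(?=.*[A-Z])(?=.*\d).+\z/

# Same arithmetic as Devise.friendly_token: `length` base64url characters
# need (length * 3) / 4 random bytes (20 chars -> 15 bytes).
def random_urlsafe_token(length = 20)
  SecureRandom.urlsafe_base64((length * 3) / 4)
end

# Reproduces the problem: counts how many plain urlsafe_base64 tokens fail
# the policy. The base64url alphabet has 10 digits out of 64 symbols, so a
# 20-character token has no digit with probability (54/64)^20, roughly 3%.
def count_weak_tokens(samples = 1000, length = 20)
  samples.times.count { random_urlsafe_token(length) !~ STRONG_PASSWORD_PATTERN }
end

# Replacement generator for OAuth-only users: keep drawing from the CSPRNG
# until the candidate satisfies the policy. Rejection sampling keeps the
# result uniform over the accepted strings, unlike forcing a digit into a
# fixed position, and the attempt cap turns a broken policy into a loud error.
def strong_random_password(length = 20, max_attempts = 100)
  max_attempts.times do
    candidate = random_urlsafe_token(length)
    return candidate if candidate.match?(STRONG_PASSWORD_PATTERN)
  end
  raise "no policy-compliant password after #{max_attempts} attempts"
end
```

In the `User` model, call `strong_random_password` when building the OAuth user instead of `Devise.friendly_token`, so the value assigned to `password` always passes the validation that devise-security adds.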