refactor Devise.secure_compare

lib/devise.rb

@@ -472,11 +472,11 @@ def self.friendly_token
   # constant-time comparison algorithm to prevent timing attacks
   def self.secure_compare(a, b)
     return false if a.blank? || b.blank? || a.bytesize != b.bytesize
-    l = a.unpack "C#{a.bytesize}"
+    l = a.each_byte
 
-    res = 0
-    b.each_byte { |byte| res |= byte ^ l.shift }
-    res == 0
+    b.each_byte.inject(0) do |res, byte|
+      res | byte ^ l.next
+    end.zero?
   end
 end
 

test/devise_test.rb

@@ -91,6 +91,7 @@ class DeviseTest < ActiveSupport::TestCase
       assert_not Devise.secure_compare(empty, empty)
     end
     assert_not Devise.secure_compare("size_1", "size_four")
+    assert Devise.secure_compare("size_four", "size_four")
   end
 
   test 'Devise.email_regexp should match valid email addresses' do