MortalToken is a convenience wrapper for HMAC-based authentication. Tokens self-destruct after a specified time period; no need to store and look them up for verification. They may optionally contain a message, which is visible but tamper-proof.
require 'mortal-token'
MortalToken.secret = 'asdf092$78roasdjfjfaklmsdadASDFopijf98%2ejA#Df@sdf'
token = MortalToken.create(60 * 60) # 1 hr
give_to_client token.to_s
token_str = get_from_client
if MortalToken.valid? token_str
# it's valid
else
# it's invalid or expired
end
require 'mortal-token'
MortalToken.secret = 'asdf092$78roasdjfjfaklmsdadASDFopijf98%2ejA#Df@sdf'
token = MortalToken.create(60 * 60, 'some message')
give_to_client token.to_s
token_str = get_from_client
token, digest = MortalToken.recover(token_str)
if token == digest
# It's valid. But remember - the message could have been read by anyone with access to the token.
do_stuff_with token.message
else
# it's invalid or expired
end
You may tweak certain parameters of the library in order to make it more secure, less, faster, etc. These are the defaults:
MortalToken.digest = 'sha512' # The digest algorithm used by HMAC
MortalToken.salt_length = 8 # Number of bits in tokens' salts
rake test