User.find_by(token: token) is vulnerable to Timing attacks

[yuki24]

user = User.find_by(token: token)

This is in fact insecure and shouldn't be encouraged.

• https://en.wikipedia.org/wiki/Timing_attack
• Is devise's token_authenticatable secure?
• A short story on Timing-Attack

[vasilakisfil]

I thought that was possible only on LAN networks but probably you are right we should make it more secure. 2 ways I am thinking:

• requiring the client to send the email as well so that we can first find the user based on the email and then do the secure compare on the token
• returning a JWT to the client that is encrypts both the token and the email and do the same as above but client has only 1 thing to send.

I think I like the second option better so I will rewrite the section tomorrow.

[vasilakisfil]

fixed by #19
Eventually went for regular token/email authentication that I also had in the previous tutorial (first find user by email, then check the token using ActiveSupport::SecurityUtils.secure_compare). Feels like JWT tokens are for more special use cases.

Thank you!