stevepolitodesign/example.md

Last active December 14, 2021 21:50

Star (0) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/stevepolitodesign/9b92b107e76aa272a6425959b8b5b289.js"></script>
Save stevepolitodesign/9b92b107e76aa272a6425959b8b5b289 to your computer and use it in GitHub Desktop.

Use authenticate_by and not authenticate

Raw

Rails 7 introduces the authenticate_by class method which prevents timing-based enumeration attacks. This is an alternative to calling authenticate on an instance of a User.

class User < ActiveRecord::Base
  has_secure_password
end

Before

user = User.create(email: '[email protected]', password: 'abc123', password_confirmation: 'abc123') 
user.authenticate('abc123')
# => #<User>

After

User.create(email: '[email protected]', password: 'abc123', password_confirmation: 'abc123')
User.authenticate_by(email: '[email protected]', password: 'abc123')
# => #<User>