| Main Branch | Dev Branch |
|---|---|
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
 |
|
 |
|
 |
 |
- Description
- Requirements
- Installation
- ChangeLog
- Setup
- Encoding
- Decoding
- Walkthrough Example
- Contributing
- Security Policy
- Code of Conduct
- License
Encoded Token is a more secure and efficient replacement for secure tokens. Used in features such as:
- password reset links:
/password_resets/xxx_encoded_token_xxx - email confirmation links:
/email_confirmations/xxx_encoded_token_xxx - invitation links:
/invitations/xxx_encoded_token_xxx - file sharing links:
/file_shares/xxx_encoded_token_xxx - password rollback links:
/password_rollbacks/xxx_encoded_token_xxx
EncodedToken works by encoding a record's ID, or UUID, into a token string that can be used within a URL.
When the application receives an incoming request, it decodes the token and loads the record from the database using the decoded ID. No searching or indexing needed!
EncodedToken is more secure: removing the need to directly search the database with an insecure parameter, completely elliminates a potential SQL Injection attack vector.
EncodedToken is more efficient: reducing the number of database queries. Imagine being able to filter out all random requests, and only hit the database when the token actually contains an integer ID or string UUID.
EncodedToken promotes best practice: because there is an inherent reluctance to include a user's ID in a public URL, creating new models to manage the token requests helps to keep everything RESTful and efficient. (See the Walkthrough Example)
With only 2 methods, it really couldn't be any simpler to use!
>>> EncodedToken is pure Ruby and is framework agnostic. <<<
- Ruby 2.5+
Add this line to your Gemfile:
gem 'encoded_token'
All changes can be found in the ChangeLog file.
Before use, EncodedToken needs to be configured with an integer seed, of at least five characters in length, which it uses to generate the encryption ciphers.
The seed may only be set once, either with an environment variable:
ENV['ENCODED_TOKEN_SEED']="12345"... or directly with:
EncodedToken.seed = 12345>>> Changing the seed will invalidate any tokens generated from a previous seed! <<<
Tokens are produced by encoding an ID. The ID can be:
- a String UUID, such as "4ef2091f-023b-4af6-9e9f-f46465f897ba"
- an Integer ID, such as 12345
- a String integer, such as "12345"
EncodedToken.encode(12345)
#=> "b4ex6AEB62jlBGpVAGNou8iRmD7pnHGHafQlAHB7w0J"
EncodedToken.encode("12345")
#=> "oTyhEKYsv7rueZt87wPTgJqlnATC7cittp0ncawkupTF1amtV"
EncodedToken.encode("4ef2091f-023b-4af6-9e9f-f46465f897ba")
#=> "c0WKM0w75r7cfMIrqfIMn374f1rcrff7171UfjrB34JsJd4zBB"- with
:encode- an invalid ID will raise anArgumentError - with
:encode!- an invalid ID will raise the originalRuntimeErrorexception.
EncodedToken.encode(:test)
# => ArgumentError,
# :id must be an Integer or String. UUID format must be '8-4-4-4-12'.
EncodedToken.encode!(:test)
#=> Non-numeric or UUID argument. (RuntimeError)Encoded tokens are decoded to return a String of the original ID
EncodedToken.decode("b4ex6AEB62jlBGpVAGNou8iRmD7pnHGHafQlAHB7w0J")
#=> "12345"
EncodedToken.decode("oTyhEKYsv7rueZt87wPTgJqlnATC7cittp0ncawkupTF1amtV")
#=> "12345"
EncodedToken.decode("c0WKM0w75r7cfMIrqfIMn374f1rcrff7171UfjrB34JsJd4zBB")
#=> "4ef2091f-023b-4af6-9e9f-f46465f897ba"- with
:decode- an invalid ID will returnnil - with
:decode!- an invalid ID will raise the originalRuntimeErrorexception.
EncodedToken.decode(:test)
#=> nil
EncodedToken.decode!(:test)
#=> Token is not a string. (RuntimeError)A complete walkthrough, showing the best way to use EncodedToken can be found in the Password Rollback Example file.
In all cases please respect our Contributor Code of Conduct.
If you have found a security related issue, please follow our Security Policy.
Please try to answer the following questions in your bug report:
- What did you do?
- What did you expect to happen?
- What happened instead?
Make sure to include as much relevant information as possible, including:
- Ruby version.
- EncodedToken version.
- OS version.
- The steps needed to replicate the issue.
- Any stack traces you have are very valuable.
We encourage contributions via GitHub pull requests.
Our Developer Guide details how to fork the project; get it running locally; run the tests; check the documentation; check your style; and submit a pull request.
We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
Read the full details in our Contributor Code of Conduct.
The MIT License (MIT)
Copyright (c) 2020 CodeMeister
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.