Create unique digests for email verification tokens
What does this MR do and why?
This fixes the `ActiveRecord::RecordNotUnique` errors that were thrown when saving email verification tokens.
Before this fix, when a random 6-digit code for email verification was generated, it was hashed and stored in the `users.unlock_token` or `users.confirmation_token` columns. Since those columns have unique indexes, an error is thrown when already existing values are inserted.
The key for hashing was always identical: a hash generated by `ActiveSupport::KeyGenerator#generate_key`, salted with the `Devise.secret_key`. The input was `'Devise unlock_token'` or `'Devise confirmation_token'`, resulting in identical digests when 2 identical tokens for the same column are generated.
Given there are only 10^6 possible 6-digit tokens and given the birthday problem, there is a 50% chance of an identical token out of every 1178 generated tokens.
This fixes that issue by replacing the generic key with the user's email, thereby creating a unique digest for identical codes.
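To illustrate the collision and the effect of a per-user key, here is an added, self-contained sketch (not the MR's or Devise's code): it mirrors Devise's token digest (a key stretched from a secret and a salt, then HMAC-SHA256 over the code) with a constant salt versus a salt taken from the user's email, checks the birthday bound quoted above, and stands in for the unique index with a hash. The secret, iteration count and emails are constructed placeholders.

```ruby
require 'openssl'

# Constructed placeholder for the application secret (Devise.secret_key in production).
SECRET_KEY = 'constructed-example-secret'
ITERATIONS = 1_000 # illustrative; ActiveSupport::KeyGenerator uses far more

# Stretches the secret with a salt, in the manner of ActiveSupport::KeyGenerator#generate_key.
def derive_key(salt)
  OpenSSL::PKCS5.pbkdf2_hmac(SECRET_KEY, salt, ITERATIONS, 64, 'sha256')
end

# Before the fix: the salt is the constant "Devise <column>", so every user's
# tokens for that column are HMACed under one shared key.
def digest_with_shared_key(column, code)
  OpenSSL::HMAC.hexdigest('SHA256', derive_key("Devise #{column}"), code)
end

# After the fix: the salt is the user's email, so the same code yields a
# different digest for each user.
def digest_with_user_key(email, code)
  OpenSSL::HMAC.hexdigest('SHA256', derive_key(email), code)
end

# Birthday bound: draws needed for a 50% chance of a repeat among n values.
def draws_for_half_collision(n)
  Math.sqrt(2 * n * Math.log(2)).ceil # 1178 for n = 10**6
end

# Stand-in for a column with a unique index: insert returns false where the
# database would raise ActiveRecord::RecordNotUnique.
class UniqueTokenColumn
  def initialize
    @rows = {}
  end

  def insert(digest)
    return false if @rows.key?(digest)

    @rows[digest] = true
    true
  end
end

# Two different users are issued the same 6-digit code (constructed scenario).
def demo(code = '123456')
  shared = UniqueTokenColumn.new
  before = 2.times.map { shared.insert(digest_with_shared_key('unlock_token', code)) }
  per_user = UniqueTokenColumn.new
  after = %w[alice@example.com bob@example.com].map { |e| per_user.insert(digest_with_user_key(e, code)) }
  { before: before, after: after }
end
```

With the shared key the second insert is rejected (the real column raises `RecordNotUnique`); with the email-salted key both rows are accepted.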
Issue: #408124 (closed)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.