
Create unique digests for email verification tokens

What does this MR do and why?

This fixes the ActiveRecord::RecordNotUnique errors that were thrown when saving email verification tokens.

Before this fix, when a random 6-digit code for email verification was generated, it was hashed and stored in the users.unlock_token or users.confirmation_token columns. Since those columns have unique indexes, an error is thrown when already existing values are inserted.

The key for hashing was always identical: a hash generated by ActiveSupport::KeyGenerator#generate_key, salted with the Devise.secret_key. The input was 'Devise unlock_token' or 'Devise confirmation_token', resulting in identical digests when 2 identical tokens for the same column are generated.

Given there are only 10^6 possible 6-digit tokens and given the Birthday problem, there is a 50% chance of a duplicate token among every 1178 generated tokens.

This fixes that issue by replacing the generic key with the user's email, thereby creating a unique digest for identical codes.

Issue: #408124 (closed)

Edited by Alex Buijs
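To make the collision concrete, the following is an added Ruby example, not GitLab's or Devise's own code. It mimics the digest path described in the MR (a per-column key derived from a secret, then an HMAC over the 6-digit code), shows why two users drawing the same code collide on the unique index, and checks the 1178-token birthday figure exactly. Assumptions: a PBKDF2 stand-in for ActiveSupport::KeyGenerator with a reduced iteration count, a constructed secret key, constructed e-mail addresses and codes, and, for the "after" case, a key derived from the secret, the column name and the user's email; the exact way the MR mixes the email into the digest is not shown on this page.

```ruby
require 'openssl'

# Constructed stand-in for Devise.secret_key; for this example only.
SECRET_KEY = 'constructed-secret-key-for-demo-only'.freeze

# Stand-in for ActiveSupport::KeyGenerator#generate_key: PBKDF2-HMAC over the
# secret, salted with the given string. Iteration count is lowered from the
# library default for speed; it does not change the collision behaviour.
def generate_key(salt, secret: SECRET_KEY, iterations: 1_000, length: 64)
  OpenSSL::PKCS5.pbkdf2_hmac(secret, salt, iterations, length, 'sha1')
end

def hmac_hex(key, value)
  OpenSSL::HMAC.hexdigest('SHA256', key, value.to_s)
end

# BEFORE: the key depends only on the column name ("Devise confirmation_token"
# or "Devise unlock_token"), so any two users who draw the same 6-digit code
# produce the same stored digest and trip the unique index.
def digest_before(column, token)
  hmac_hex(generate_key("Devise #{column}"), token)
end

# AFTER: fold the user's email into the key derivation (assumed construction,
# not necessarily the MR's exact change) so identical codes for different
# users no longer share a digest.
def digest_after(column, email, token)
  hmac_hex(generate_key("Devise #{column} #{email}"), token)
end

# Smallest n such that P(at least one duplicate among n uniform draws from a
# space of `space` values) >= target, using the exact birthday product
#   P(no duplicate) = prod_{k=0}^{n-1} (space - k) / space.
def collision_threshold(space, target = 0.5)
  p_no_duplicate = 1.0
  n = 1
  loop do
    p_no_duplicate *= (space - (n - 1)).to_f / space
    return n if 1.0 - p_no_duplicate >= target
    n += 1
  end
end

# Two users happen to draw the same constructed 6-digit code.
def demo(code = '482913')
  before = [
    digest_before('confirmation_token', code),
    digest_before('confirmation_token', code)
  ]
  after = [
    digest_after('confirmation_token', 'alice@example.com', code),
    digest_after('confirmation_token', 'bob@example.com', code)
  ]
  { before_collides: before.uniq.size == 1, after_collides: after.uniq.size == 1 }
end

if __FILE__ == $PROGRAM_NAME
  p demo
  puts "6-digit codes needed for a 50% duplicate chance: #{collision_threshold(10**6)}"
end
```

`collision_threshold(10**6)` returns 1178, matching the figure in the MR; the classic 365-day case returns 23. Note that the fix only removes the cross-user collision: a single user who is issued the same code twice still gets the same digest, which is fine here because a fresh code overwrites the previous row value rather than inserting a second one.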
