devise-token-auth

Security

This gem takes the following steps to ensure security.

This gem uses auth tokens that are:

  • changed after every request (can be turned off),

  • of cryptographic strength,

  • hashed using BCrypt (not stored in plain-text),

  • securely compared (to protect against timing attacks),

  • invalidated after 2 weeks (thus requiring users to log in again)

These measures were inspired by this Stack Overflow post.

This gem further mitigates timing attacks by using this technique.

But the most important step is to use HTTPS. You are on the hook for that.
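The following is an added example, not code from devise-token-auth itself, that puts the measures listed above into one small token store: a random token of cryptographic strength, stored only as a hash, compared in constant time, rotated after every successful request (with rotation optional), and rejected once it is older than 2 weeks. It assumes a single client per user for brevity. The gem hashes with BCrypt; this example swaps in PBKDF2 from Ruby's standard OpenSSL library so it runs without the bcrypt gem, and the `TokenStore` class, its methods and the injectable clock are all hypothetical names chosen for the illustration.

```ruby
require 'securerandom'
require 'openssl'

# Added example (not devise-token-auth's own code). Mirrors the listed
# measures: strong random token, hash-only storage, constant-time
# comparison, per-request rotation and a 2-week lifetime.
# Assumption: the gem uses BCrypt; PBKDF2-HMAC-SHA256 from stdlib OpenSSL
# is used here instead so the example has no extra dependencies.
class TokenStore
  TOKEN_LIFESPAN = 2 * 7 * 24 * 60 * 60 # 2 weeks, in seconds
  ITERATIONS = 10_000                   # PBKDF2 work factor (illustrative)

  # `now` is injectable so expiry can be exercised without waiting.
  def initialize(now: -> { Time.now })
    @records = {} # client_id => { digest:, salt:, expires_at: }
    @now = now
  end

  # Issue a fresh token for a client. Only the salted digest is retained
  # server-side; the plain token goes back to the client exactly once.
  def issue(client_id)
    token = SecureRandom.urlsafe_base64(32) # 256 bits from the CSPRNG
    salt = SecureRandom.bytes(16)
    @records[client_id] = {
      digest: digest_token(token, salt),
      salt: salt,
      expires_at: @now.call + TOKEN_LIFESPAN
    }
    token
  end

  # Verify a presented token. Returns the token the client should use for
  # its next request (a new one when rotating) or nil when rejected.
  # Unknown client, expired record and wrong token all fail the same way.
  def authenticate(client_id, presented, rotate: true)
    record = @records[client_id]
    return nil if record.nil?
    return nil if record[:expires_at] < @now.call # 2-week invalidation
    return nil unless secure_compare(digest_token(presented, record[:salt]),
                                     record[:digest])
    return presented unless rotate # rotation "can be turned off"
    issue(client_id)               # old digest is overwritten, old token dies
  end

  private

  # Salted, iterated hash of the token (stand-in for BCrypt).
  def digest_token(token, salt)
    OpenSSL::KDF.pbkdf2_hmac(token, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: 'sha256')
  end

  # Constant-time comparison: the loop touches every byte regardless of
  # where the first difference is, so timing leaks nothing about position.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

Calling `authenticate` with the default `rotate: true` hands back a new token and silently retires the old one, which is the behaviour the first bullet describes; passing `rotate: false` keeps a long-lived token, at the cost of a replayed token staying valid until the 2-week expiry.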
