authboss v2.0.0-rc3 Release Notes

Release Date: 2018-05-25
  • 🔄 Changed

    • Recover and Confirm now use split tokens

      The reason for this change is that a timing attack is possible because databases use memcmp() to check whether a token exists. By using a separate piece of the token as a selector, memcmp() is used in only one place (the lookup by selector), while the other piece is checked with a cryptographic constant-time compare. That second value cannot be leaked through timing, and since both pieces are needed to recover or confirm as the user, this attack should now be mitigated.

      This requires users to implement additional fields on the user and rename the Storer methods.
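      As an added illustration of the selector/verifier split described above (not authboss's own code), a minimal Go sketch: the selector is looked up by ordinary equality, the verifier is stored only as a hash and compared in constant time. The store type, token sizes and function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
)

// Constructed sizes: the first selectorLen bytes of a raw token are the
// selector, the remaining bytes are the verifier.
const tokenLen, selectorLen = 32, 16

// Storer is a constructed in-memory stand-in for the user store. It maps the
// selector (found by ordinary equality, the one timing-leaky comparison) to a
// hash of the verifier; the verifier itself is never stored.
type Storer map[string][32]byte

func split(raw []byte) (selector string, verifierHash [32]byte) {
	selector = base64.RawURLEncoding.EncodeToString(raw[:selectorLen])
	verifierHash = sha512.Sum512_256(raw[selectorLen:])
	return selector, verifierHash
}

// Issue mints a token, records selector -> hash(verifier) in the store, and
// returns the full token that goes to the user (e.g. in a recovery e-mail).
func Issue(s Storer) (string, error) {
	raw := make([]byte, tokenLen)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	sel, vh := split(raw)
	s[sel] = vh
	return base64.RawURLEncoding.EncodeToString(raw), nil
}

// Verify checks a presented token. The selector lookup reveals at most whether
// that selector exists; the verifier is compared in constant time, so it cannot
// be recovered byte by byte, and both halves are needed to succeed.
func Verify(s Storer, token string) bool {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) != tokenLen {
		return false
	}
	sel, vh := split(raw)
	stored, ok := s[sel]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(stored[:], vh[:]) == 1
}
```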