Merge pull request rails#43997 from jonathanhefner/authenticate_by-do…

…c-query-caveat Refine `authenticate_by` security guarantee [ci-skip]
willtcarey · Dec 26, 2021 · 94c28ac · 94c28ac
2 parents fc9b3c0 + 9637b29
commit 94c28ac
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/activerecord/lib/active_record/secure_password.rb b/activerecord/lib/active_record/secure_password.rb
@@ -12,10 +12,11 @@ module ClassMethods
       # attributes. Returns the record if authentication succeeds; otherwise,
       # returns +nil+.
       #
-      # Regardless of whether a record is found or authentication succeeds,
-      # +authenticate_by+ will take the same amount of time. This prevents
-      # timing-based enumeration attacks, wherein an attacker can determine if a
-      # passworded record exists even without knowing the password.
+      # Regardless of whether a record is found, +authenticate_by+ will
+      # cryptographically digest the given password attributes. This behavior
+      # helps mitigate timing-based enumeration attacks, wherein an attacker can
+      # determine if a passworded record exists even without knowing the
+      # password.
       #
       # Raises an ArgumentError if the set of attributes doesn't contain at
       # least one password and one non-password attribute.