`&&` will short-circuit and is vulnerable to potential timing attacks; use `&` instead.
What I use:
```ruby
# initializers/good_job.rb
unless Rails.env.development?
  # https://github.com/bensheldon/good_job#dashboard
  GoodJob::Engine.middleware.use(Rack::Auth::Basic) do |username, password|
    env_username = Rails.application.credentials.config.dig(:good_job_web, :username)
    env_password = Rails.application.credentials.config.dig(:good_job_web, :password)

    # Fail closed when the credentials are not configured: secure_compare raises on nil,
    # and comparing against "" would let an empty username/password through.
    next false if env_username.blank? || env_password.blank?

    # Protect against timing attacks:
    # - See https://codahale.com/a-lesson-in-timing-attacks/
    # - See https://thisdata.com/blog/timing-attacks-against-string-comparison/
    # - Use & (do not use &&) so that it doesn't short circuit.
    ActiveSupport::SecurityUtils.secure_compare(username, env_username) &
      ActiveSupport::SecurityUtils.secure_compare(password, env_password)
  end
end
```
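To make the `&&` versus `&` point observable, here is an added, stand-alone example (not the poster's code and not GoodJob's). It uses a hand-written constant-time `secure_compare` as a stand-in for `ActiveSupport::SecurityUtils.secure_compare`, so it runs without Rails, and it counts how many comparisons each form actually executes for a request. The credentials, the `counted_compare` wrapper and the `attempt` helper are constructed for the demonstration only.

```ruby
require "digest"

# Constant-time equality check built the way ActiveSupport::SecurityUtils.secure_compare is:
# hash both sides to a fixed length, then OR together the XOR of every byte so the loop runs
# to the end regardless of where (or whether) the inputs differ. nil is treated as "".
def secure_compare(a, b)
  a_digest = Digest::SHA256.digest(a.to_s)
  b_digest = Digest::SHA256.digest(b.to_s)
  diff = 0
  a_digest.bytes.zip(b_digest.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Constructed sample credentials for the demonstration; not real secrets.
EXPECTED_USERNAME = "ops"
EXPECTED_PASSWORD = "correct horse battery staple"

# Wraps secure_compare so the number of comparisons that actually execute can be counted.
def counted_compare(counter, given, expected)
  counter[:compares] += 1
  secure_compare(given, expected)
end

# The risky form: && stops after the first false, so a wrong username skips the
# password comparison entirely and the response comes back measurably sooner.
def auth_short_circuit(username, password, counter)
  counted_compare(counter, username, EXPECTED_USERNAME) &&
    counted_compare(counter, password, EXPECTED_PASSWORD)
end

# The recommended form: & evaluates both operands before combining them, so every
# request performs the same two comparisons whatever the username was.
def auth_non_short_circuit(username, password, counter)
  counted_compare(counter, username, EXPECTED_USERNAME) &
    counted_compare(counter, password, EXPECTED_PASSWORD)
end

# Returns [authenticated?, number_of_comparisons_performed] for one login attempt.
def attempt(checker, username, password)
  counter = { compares: 0 }
  result = send(checker, username, password, counter)
  [result, counter[:compares]]
end

if __FILE__ == $PROGRAM_NAME
  [[:auth_short_circuit, "nobody", "guess"], [:auth_short_circuit, "ops", "guess"],
   [:auth_non_short_circuit, "nobody", "guess"], [:auth_non_short_circuit, "ops", "guess"]].each do |checker, u, p|
    ok, n = attempt(checker, u, p)
    puts format("%-23s user=%-7s authenticated=%-5s comparisons=%d", checker, u, ok, n)
  end
end
```

With `&&`, a request carrying an unknown username runs one comparison and a request carrying the right username runs two, which is the difference an attacker times to confirm a valid username before guessing passwords; with `&` both cases run two. The comparison count is the deterministic proxy for that wall-clock gap, which is why the test below asserts on it rather than on measured nanoseconds.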