lynndylanhurley / devise_token_auth

Token based authentication for Rails JSON APIs. Designed to work with jToker and ng-token-auth.
Do What The F*ck You Want To Public License

[Suggestion] Performance issue #656

Open yury-dymov opened 8 years ago

yury-dymov commented 8 years ago

Hello! First of all thank you for the great library!

I faced a performance issue recently and after profiling figured out that it is mostly related to BCrypt.

Please refer to the 'Cost Factors' section of https://github.com/codahale/bcrypt-ruby. Tuning the default cost value from 10 to 6 improved performance for creating token_hash from 0.08s to 0.04s per request on my environment. I went further and set it to 1 and now it is better than 0.01s, but I am not sure that security-wise it will work well for everybody. Anyway, the default value for token authorization is a huge overhead.

Kind regards, Yuri.

dks17 commented 6 years ago

Good suggestion. I think the encryption level should be the same for both passwords and tokens because they are both stored in one database, close to each other. They should have the same cryptographic strength.

But @yury-dymov you are right. A high cost value reduces performance and it is redundant. I think the best way is for the cost value to depend on the token life span. The shorter the life span, the lower the cost value. For example, a password is stored for a long time (years), but a token expires 2 weeks after it is issued.

I noticed that devise raised the default cost value up to 11.

I would like the bcrypt token generator cost value to depend on the token_lifespan period (figures are approximate):

token_lifespan             cost
< 2 weeks                  4
2 weeks to 1 month         8
> 1 month                  11

This would increase performance in production without serious security consequences. Or should we allow users to set a configuration parameter like token_cost independently?

lynndylanhurley commented 6 years ago

@dks17 - just to clarify, by changing the initializer setting that you linked to, does that update the value used for this gem? Or is this something we would need to build support for?

dks17 commented 6 years ago

@lynndylanhurley - it is used like the default devise config, and I think that it should be overridden. But this relates only to the user password. I will create a PR for this.