twilio / authy-devise

Authy Devise plugin to add Two-Factor Authentication
MIT License

devise-authy modifies strings unsafely #85

Closed kevinelliott closed 2 years ago

kevinelliott commented 6 years ago

In preparation for using frozen string literals, the devise-authy gem needs to be updated to handle them properly.

❯❯❯ RUBYOPT="--enable-frozen-string-literal" bundle exec rails server
/Users/kevin/.rvm/gems/ruby-2.4.3@workfit/gems/bundler-1.16.1/lib/bundler/runtime.rb:84:in `rescue in block (2 levels) in require': There was an error while trying to load the gem 'devise-authy'. (Bundler::GemRequireError)
Gem Load Error is: can't modify frozen String

The value for users is that frozen literals reduce memory consumption (in some cases up to 30% depending on how heavy string usage is) and performance gain potential is there too.

The resolution in this case might be in the dependency gem httpclient and addressable, but also every file in the gem should make use of the frozen string literal comment.

When strings need to be mutated, there are ways to accomplish this through the use of +"" and "".dup.
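The two idioms mentioned above (+"" and "".dup), as an added example that is not part of the original issue or of the gem's code; the method names and sample strings are constructed for illustration. It also shows where the two differ: unary plus returns the receiver itself when it is not frozen, so later appends reach the caller's object, while dup always copies.

```ruby
# frozen_string_literal: true
# With the magic comment above on the first line of a file, every string
# literal in that file is frozen. The helpers below are hypothetical.

# Pattern that breaks under frozen literals: appends in place to its argument.
def append_in_place(prefix, value)
  prefix << value
end

# True when mutating +str+ raises. FrozenError (Ruby >= 2.5) is a subclass of
# RuntimeError, which is what Ruby 2.4 raises, so this rescue covers both.
def raises_when_mutated?(str)
  append_in_place(str, "x")
  false
rescue RuntimeError
  true
end

# Unary plus: returns an unfrozen copy if the receiver is frozen,
# otherwise returns the receiver itself (no copy is made).
def build_with_plus(prefix, value)
  buf = +prefix
  buf << value
end

# dup: always returns a new unfrozen copy, so the caller's string is untouched.
def build_with_dup(prefix, value)
  prefix.dup << value
end

if __FILE__ == $PROGRAM_NAME
  frozen = "code=".freeze            # constructed sample input
  puts raises_when_mutated?(frozen)  # in-place append on a frozen string
  puts build_with_plus(frozen, "123456")
  puts build_with_dup(frozen, "123456")

  shared = String.new("code=")       # explicitly unfrozen
  build_with_plus(shared, "123456")
  puts shared                        # the caller's string was changed by +@
end
```
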

philnash commented 6 years ago

Hey @kevinelliott,

Thanks for this report. I've just taken over maintaining the gem and I will make sure we are frozen string literal safe as soon as I can.

philnash commented 6 years ago

From investigation the files that appear to violate frozen string literals are part of the Rails 4 test application that is embedded in the spec directory. This shouldn't be affecting loading the gem within an application though.

I will continue to investigate what can be done here.

philnash commented 5 years ago

OK, after further investigation, I believe that this is caused by httpclient. I will look to add the frozen string literal comment to the library to signify that authy-devise is ready.

philnash commented 2 years ago

This library is no longer actively maintained. The Authy API has been replaced with the Twilio Verify API. Twilio will support the Authy API through November 1, 2022 for SMS/Voice. After this date, we’ll start to deprecate the service for SMS/Voice. Any requests sent to the API after May 1, 2023, will automatically receive an error. Push and TOTP will continue to be supported through July 2023.

Learn more about migrating from Authy to Verify.

Please visit the Twilio Docs for:

Please direct any questions to Twilio Support. Thank you!