Module: PaygatePk::Util::Security
- Defined in:
- lib/paygate_pk/util/security.rb
Overview
Constant-time string compare without Rack/ActiveSupport
Class Method Summary
- .secure_compare(expected_hash, incoming_hash) ⇒ Object
  Constant-time string compare without Rack/ActiveSupport.
Class Method Details
.secure_compare(expected_hash, incoming_hash) ⇒ Object
Constant-time string compare without Rack/ActiveSupport
```ruby
# File 'lib/paygate_pk/util/security.rb', line 13
require "openssl"

def secure_compare(expected_hash, incoming_hash)
  # Fail closed on anything that is not a String (nil, Symbol, Integer, ...).
  return false unless expected_hash.is_a?(String) && incoming_hash.is_a?(String)
  # Length is not secret for fixed-size digests, so a mismatch may return early.
  return false unless expected_hash.bytesize == incoming_hash.bytesize

  OpenSSL.fixed_length_secure_compare(expected_hash, incoming_hash)
rescue NoMethodError
  # Fallback if Ruby/OpenSSL is too old (very rare on modern Ruby):
  # XOR-based constant-time compare that touches every byte, regardless of
  # where the strings first differ.
  diff = 0
  expected_hash.bytes.zip(incoming_hash.bytes) { |x, y| diff |= (x ^ y) }
  diff.zero?
end
```
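As an added example (not part of the gem or of this page), the method used for the job it is typically needed for in a payment SDK: verifying a webhook signature before trusting the payload. The HMAC-SHA256-over-raw-body scheme, the `verify_webhook_signature` helper and the sample secret and body are assumptions constructed for this example, not PaygatePk's documented format; the module is re-created locally so the file runs without the gem installed.

```ruby
require "openssl"

# Local re-creation of the documented module so this file runs without the gem
# installed; the method body matches the page's secure_compare.
module PaygatePk
  module Util
    module Security
      module_function

      def secure_compare(expected_hash, incoming_hash)
        return false unless expected_hash.is_a?(String) && incoming_hash.is_a?(String)
        return false unless expected_hash.bytesize == incoming_hash.bytesize
        OpenSSL.fixed_length_secure_compare(expected_hash, incoming_hash)
      rescue NoMethodError
        diff = 0
        expected_hash.bytes.zip(incoming_hash.bytes) { |x, y| diff |= (x ^ y) }
        diff.zero?
      end
    end
  end
end

# Hypothetical verifier (an assumption, not PaygatePk's documented scheme):
# the gateway signs the raw request body with HMAC-SHA256 under a shared
# secret and sends the hex digest in a header.
def verify_webhook_signature(secret, raw_body, header_signature)
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, raw_body)
  # Normalise only the untrusted header (whitespace, hex case) and fail closed
  # when it is missing; the compare itself stays constant-time.
  incoming = header_signature.is_a?(String) ? header_signature.strip.downcase : nil
  PaygatePk::Util::Security.secure_compare(expected, incoming)
end

# Constructed sample input for the example.
SAMPLE_SECRET = "constructed-shared-secret"
SAMPLE_BODY   = '{"order_id":"ORD-1","amount":"1500.00","status":"PAID"}'
SAMPLE_SIG    = OpenSSL::HMAC.hexdigest("SHA256", SAMPLE_SECRET, SAMPLE_BODY)

if __FILE__ == $PROGRAM_NAME
  p verify_webhook_signature(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_SIG)        # true
  p verify_webhook_signature(SAMPLE_SECRET, SAMPLE_BODY + " ", SAMPLE_SIG)  # false, body altered
  p verify_webhook_signature(SAMPLE_SECRET, SAMPLE_BODY, nil)               # false, header missing
end
```

Always verify against the raw request body as received, since re-serialising parsed JSON can change byte order or whitespace and invalidate a correct signature.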