Devise pitfalls and way to tighten security — Rafał Rothenberger at wroclove.rb 2022

Rafał Rothenberger's wroclove.rb 2022 talk examines security pitfalls in Devise: bcrypt's 72-byte password limit leaking peppers, how to fix it with Argon2id or HMAC preprocessing, using devise_token_auth with refresh tokens in HttpOnly cookies for APIs, and preventing enumeration and timing attacks via async jobs and rate limiting. Q&A covered external auth providers like Auth0 and whether the speaker had filed upstream issues.

Model: claude-opus-4-7
Ingestion: da5b91b8
Input tokens: 499,306 (fresh 351,550; cached 141,291; cache write 6,465)
Output tokens: 15,554
Duration: 248.6s
Roundtrips: 14
Tool calls: 28
Cost: $0.00
Nodes/edges extracted: 26 / 47
Read set (nodes/edges): 108 / 2

Nodes (26)

update Rafał Rothenberger person
attrs (empty) {"role" => "software developer"}
description Conference speaker. Conference speaker. Software developer at Monterail who describes himself as 'a bit of a security freak'. Delivered '...
short_description Conference speaker. Software developer and security-minded Ruby engineer at Monterail.
create Monterail company
kind (empty) company
name (empty) Monterail
slug (empty) monterail
attrs (empty) {"industry" => "software consultancy"}
description (empty) Software company where Rafał Rothenberger works as a software developer (transcribed as 'Montreal' in the automated t...
short_description (empty) Polish software house employing Rafał Rothenberger.
update Devise pitfalls and way to tighten security talk
description Talk at wroclove.rb 2022. Rafał Rothenberger's wroclove.rb 2022 talk about security edge cases in Devise. Covers: (1) bcrypt background — salt ...
short_description Talk at wroclove.rb 2022. wroclove.rb 2022 talk on Devise security pitfalls, pepper leaks, tokens and enumeration attacks.
update Devise tool
description Popular Rails authentication gem. Has a love-hate reputation: per Ivan Nemytchenko's wroclove.rb 2018 audience survey... Popular Rails authentication gem for password resets, sessions, registration and user management. Has a love-hate rep...
create bcrypt tool
kind (empty) tool
name (empty) bcrypt
slug (empty) bcrypt
attrs (empty) {"category" => "library"}
description (empty) Password-hashing function (not a general hashing function). Takes fixed-size input and produces fixed-size output; mo...
short_description (empty) Password-hashing function with a fixed 72-byte input limit.
create Argon2 tool
kind (empty) tool
name (empty) Argon2
slug (empty) argon2
attrs (empty) {"category" => "library"}
description (empty) Password-hashing function, winner of the 2015 Password Hashing Competition. Argon2id variant recommended by Rafał Rot...
short_description (empty) Modern password-hashing function, winner of the 2015 PHC.
create devise_token_auth tool
kind (empty) tool
name (empty) devise_token_auth
slug (empty) devise_token_auth
attrs (empty) {"category" => "library"}
description (empty) Ruby gem providing opaque-token-based authentication for APIs, built to work alongside Devise so an application can k...
short_description (empty) Token-based authentication gem complementing Devise for Ruby APIs.
create OWASP resource
kind (empty) resource
name (empty) OWASP
slug (empty) owasp
attrs (empty) {"type" => "documentation"}
description (empty) Open Web Application Security Project. Maintains cheat-sheet series and guidance on everything web-application-securi...
short_description (empty) Open Web Application Security Project — web security resources and cheat sheets.
create Auth0 company
kind (empty) company
name (empty) Auth0
slug (empty) auth0
attrs (empty) {"industry" => "identity and access management"}
description (empty) Cloud identity-as-a-service provider mentioned in Q&A as an alternative to Devise. Rafał noted that offloading passwo...
short_description (empty) Identity-as-a-service provider for authentication and user management.
create Salt concept
kind (empty) concept
name (empty) Salt
slug (empty) salt
attrs (empty) {"category" => "practice"}
description (empty) Random string/bytes added to a password before hashing so that two users with the same password produce different has...
short_description (empty) Random per-password value stored with the hash to prevent rainbow-table attacks.
create Pepper concept
kind (empty) concept
name (empty) Pepper
slug (empty) pepper
attrs (empty) {"category" => "practice"}
description (empty) Random element added to the password during hashing that is kept as a secret outside the database (e.g. in applicatio...
short_description (empty) Secret site-wide value added to passwords and stored outside the database.
create HMAC concept
kind (empty) concept
name (empty) HMAC
slug (empty) hmac
attrs (empty) {"category" => "pattern"}
description (empty) Keyed hash construction (e.g. HMAC-SHA256) useful as a preprocessing step for passwords when stuck with bcrypt but wa...
short_description (empty) Keyed hash construction usable to preprocess passwords with a secret pepper.
create Password Shucking concept
kind (empty) concept
name (empty) Password Shucking
slug (empty) password-shucking
attrs (empty) {"category" => "pattern"}
description (empty) Attack on schemes that wrap a plain hash (e.g. SHA-256) inside bcrypt. Attackers use large databases of broken SHA-25...
short_description (empty) Attack combining plain-hash pre-images with a bcrypt layer to break wrapped hashes.
create Enumeration Attack concept
kind (empty) concept
name (empty) Enumeration Attack
slug (empty) enumeration-attack
attrs (empty) {"category" => "pattern"}
description (empty) Attack that lets a third party discover which email addresses or usernames have accounts on a service. Happens on reg...
short_description (empty) Attack that discovers which accounts exist by observing form responses or timing.
create Timing-Based Enumeration concept
kind (empty) concept
name (empty) Timing-Based Enumeration
slug (empty) timing-based-enumeration
attrs (empty) {"category" => "pattern"}
description (empty) Enumeration variant where the attacker measures response-time distributions for known-absent vs. candidate emails. Sy...
short_description (empty) Using response-time differences to determine whether accounts exist.
create Using external auth providers instead of Devise question
kind (empty) question
name (empty) Using external auth providers instead of Devise
slug (empty) using-external-auth-providers-instead-of-devise
attrs (empty) {"answer_summary" => "External providers are great — less passwords is always better — but the token/refresh part of ...
description (empty) Audience question asking about using third-party auth services like Auth0 to handle users and authentication instead ...
short_description (empty) Q&A: what about services like Auth0 instead of Devise?
create Refresh Tokens in HttpOnly Cookies concept
kind (empty) concept
name (empty) Refresh Tokens in HttpOnly Cookies
slug (empty) refresh-tokens-in-httponly-cookies
attrs (empty) {"category" => "pattern"}
description (empty) Pattern for API token auth: store long-lived refresh tokens in cookies rather than localStorage/sessionStorage. Cooki...
short_description (empty) Storing long-lived refresh tokens in HttpOnly, Secure, SameSite cookies rather than JS storage.
create AES tool
kind (empty) tool
name (empty) AES
slug (empty) aes
attrs (empty) {"category" => "library"}
description (empty) Symmetric encryption cipher. Mentioned by Rafał Rothenberger as an alternative to hashing when using a pepper: encryp...
short_description (empty) Symmetric encryption cipher usable to encrypt passwords with a rotatable pepper.
create Use Argon2id when you need pepper takeaway
kind (empty) takeaway
name (empty) Use Argon2id when you need pepper
slug (empty) use-argon2id-when-you-need-pepper
attrs (empty) {"type" => "recommendation"}
description (empty) If pepper is needed or unbounded-length passwords are desired, use Argon2id. It is the 2015 PHC winner, supports salt...
short_description (empty) For new apps, replace bcrypt with Argon2id to get native salt+pepper support.
create Limit Devise password length to 72 bytes takeaway
kind (empty) takeaway
name (empty) Limit Devise password length to 72 bytes
slug (empty) limit-devise-password-length-to-72-bytes
attrs (empty) {"type" => "recommendation"}
description (empty) If you stick with bcrypt in Devise, set the password length limit to 72 bytes (bytes, not characters) so that users d...
short_description (empty) Align Devise password length with bcrypt's real limit to prevent silent truncation.
create Never store tokens in plain text takeaway
kind (empty) takeaway
name (empty) Never store tokens in plain text
slug (empty) never-store-tokens-in-plain-text
attrs (empty) {"type" => "recommendation"}
description (empty) Tokens are passwords: possession of one lets you act as the user. Never store them in plain text; hash them in the da...
short_description (empty) Treat tokens as passwords — hash them before writing to the database.
create Use devise_token_auth for API tokens takeaway
kind (empty) takeaway
name (empty) Use devise_token_auth for API tokens
slug (empty) use-devise_token_auth-for-api-tokens
attrs (empty) {"type" => "recommendation"}
description (empty) For API authentication, prefer devise_token_auth — a simple, popular, secure-by-default opaque-token solution that co...
short_description (empty) Prefer devise_token_auth over rolling custom token auth or JWTs.
create Keep refresh tokens in HttpOnly Secure SameSite cookies takeaway
kind (empty) takeaway
name (empty) Keep refresh tokens in HttpOnly Secure SameSite cookies
slug (empty) keep-refresh-tokens-in-httponly-secure-samesite-cookies
attrs (empty) {"type" => "recommendation"}
description (empty) Store refresh tokens in cookies with HttpOnly (inaccessible to JavaScript), Secure (HTTPS only), SameSite=Strict (sen...
short_description (empty) Put long-lived refresh tokens in server-controlled cookies, not JS-accessible storage.
create Make existence checks asynchronous to prevent enumeration takeaway
kind (empty) takeaway
name (empty) Make existence checks asynchronous to prevent enumeration
slug (empty) make-existence-checks-asynchronous-to-prevent-enumeration
attrs (empty) {"type" => "recommendation"}
description (empty) On registration, password-reset and confirmation forms, do not check account existence synchronously. Schedule a Side...
short_description (empty) Move registration/reset existence checks into background jobs so timing is constant.
create Rate-limit login forms with a skip path takeaway
kind (empty) takeaway
name (empty) Rate-limit login forms with a skip path
slug (empty) rate-limit-login-forms-with-a-skip-path
attrs (empty) {"type" => "recommendation"}
description (empty) Login forms can't easily be made async, so rate-limit them to prevent timing-based enumeration. Limiting by email can...
short_description (empty) Rate-limit login by email, but provide an easy way to fall back to IP-based limiting.
create Have you reported these issues upstream to Devise? question
kind (empty) question
name (empty) Have you reported these issues upstream to Devise?
slug (empty) have-you-reported-these-issues-upstream-to-devise
attrs (empty) {"answer_summary" => "He emailed Devise 3 months ago with no reply; plans a fix but notes breaking API changes in sec...
description (empty) Audience question about whether the speaker filed an issue with the Devise maintainers. Answer: he emailed about the ...
short_description (empty) Q&A: did you open an issue on the Devise repo?

Edges (47)

update Rafał Rothenberger authored Devise pitfalls and way to tighten security
context (empty) Delivered this talk at wroclove.rb 2022.
create Rafał Rothenberger attended wroclove.rb 2022
context (empty) Speaker at the conference.
relation (empty) attended
source_node_id (empty) 93350e8e-015f-44d6-ac36-17096d5c834a
target_node_id (empty) cfc5cfd3-25a6-46c2-8b5d-626986c71c24
create Rafał Rothenberger works_at Monterail
attrs (empty) {"role" => "software developer"}
context (empty) Introduced himself as a software developer at Monterail.
relation (empty) works_at
source_node_id (empty) 93350e8e-015f-44d6-ac36-17096d5c834a
target_node_id (empty) bb79602c-33cf-441b-a266-544ea3d8e4f4
update Devise pitfalls and way to tighten security presented_at wroclove.rb 2022
context (empty) Talk delivered at wroclove.rb 2022.
create Devise pitfalls and way to tighten security about Devise
context (empty) Entire talk documents security pitfalls in Devise.
relation (empty) about
source_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
target_node_id (empty) 9113bde3-534a-47d0-8333-e171c4b55e79
create Devise pitfalls and way to tighten security about bcrypt
context (empty) Discusses bcrypt's 72-byte input limit and how Devise misuses it.
relation (empty) about
source_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
target_node_id (empty) bd34f1fa-f7bd-432d-a3e3-5cee01abfe25
create Devise pitfalls and way to tighten security about Argon2
context (empty) Recommends Argon2id as the modern replacement for bcrypt.
relation (empty) about
source_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
target_node_id (empty) 48217b19-5f30-46fa-82d8-58ddaa6e35a2
create Devise pitfalls and way to tighten security about devise_token_auth
context (empty) Recommended solution for API token authentication alongside Devise.
relation (empty) about
source_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
target_node_id (empty) de4297ca-f228-4c07-a484-ad60ced09cd4
create Devise pitfalls and way to tighten security about Salt
context (empty) Background section explains salt in password hashing.
relation (empty) about
source_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
target_node_id (empty) 3d74db32-26f9-4949-8327-d39e91b6f438
create Devise pitfalls and way to tighten security about Pepper
context (empty) Central to the Devise/bcrypt pepper-leak issue.
relation (empty) about
source_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
target_node_id (empty) 76d1ae5f-49be-4a50-91d5-df0c84f2d8b0
create Devise pitfalls and way to tighten security about HMAC
context (empty) Suggests HMAC-SHA256 as preprocessing when stuck with bcrypt plus pepper.
relation (empty) about
source_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
target_node_id (empty) b4f5dc79-4858-4ae2-9dc8-82f2edc18ad4
create Devise pitfalls and way to tighten security about Password Shucking
context (empty) Explains why HMAC, not plain SHA, must be used to preprocess passwords.
relation (empty) about
source_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
target_node_id (empty) fd2430b9-42a9-42fb-8b7d-7a24c7295b0a
create Devise pitfalls and way to tighten security about Enumeration Attack
context (empty) Dedicated section on enumeration attacks on registration/reset/login forms.
relation (empty) about
source_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
target_node_id (empty) 9f6817c3-212a-4897-a050-6ec96be162b5
create Devise pitfalls and way to tighten security about Timing-Based Enumeration
context (empty) Section on how timing leaks account existence even with neutralized messages.
relation (empty) about
source_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
target_node_id (empty) 037240de-553a-4c8a-885c-24bbe414320d
create Devise pitfalls and way to tighten security about Refresh Tokens in HttpOnly Cookies
context (empty) Section argues for refresh tokens in HttpOnly Secure SameSite cookies.
relation (empty) about
source_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
target_node_id (empty) b70269d9-8fc9-4dfc-935b-53753037f174
create Devise pitfalls and way to tighten security about AES
context (empty) Mentions encrypting passwords with AES (Dropbox-style) as pepper-rotation alternative.
relation (empty) about
source_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
target_node_id (empty) d98cffd9-2a67-4d4b-88c7-eea0bddeaebf
create Devise pitfalls and way to tighten security about OWASP
context (empty) Cites OWASP cheat sheets as a recommendation source for password hashing.
relation (empty) about
source_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
target_node_id (empty) e9952c7c-7f1d-4bbb-9d3b-8c839d1f1d19
create Devise pitfalls and way to tighten security about Sidekiq
context (empty) Recommends moving existence checks into Sidekiq jobs to prevent timing enumeration.
relation (empty) about
source_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
target_node_id (empty) 2365c22d-c83e-4553-b865-ec22d0b5b225
create Devise pitfalls and way to tighten security about Galileo Galilei
context (empty) Jokingly invokes Galileo's unit of time when introducing timing attacks.
relation (empty) about
source_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
target_node_id (empty) e175920b-8e1c-419e-8a72-d15d89f07e78
create Rafał Rothenberger recommends Argon2
context (empty) Recommends Argon2id as Devise replacement when pepper is needed.
relation (empty) recommends
source_node_id (empty) 93350e8e-015f-44d6-ac36-17096d5c834a
target_node_id (empty) 48217b19-5f30-46fa-82d8-58ddaa6e35a2
create Rafał Rothenberger recommends devise_token_auth
context (empty) Explicitly recommends it for API token authentication.
relation (empty) recommends
source_node_id (empty) 93350e8e-015f-44d6-ac36-17096d5c834a
target_node_id (empty) de4297ca-f228-4c07-a484-ad60ced09cd4
create Rafał Rothenberger recommends OWASP
context (empty) Recommends the OWASP cheat-sheet series for web application security.
relation (empty) recommends
source_node_id (empty) 93350e8e-015f-44d6-ac36-17096d5c834a
target_node_id (empty) e9952c7c-7f1d-4bbb-9d3b-8c839d1f1d19
create Rafał Rothenberger recommends Refresh Tokens in HttpOnly Cookies
context (empty) Advocates storing refresh tokens in HttpOnly Secure SameSite cookies.
relation (empty) recommends
source_node_id (empty) 93350e8e-015f-44d6-ac36-17096d5c834a
target_node_id (empty) b70269d9-8fc9-4dfc-935b-53753037f174
create Use Argon2id when you need pepper from_talk Devise pitfalls and way to tighten security
context (empty) Primary remediation recommended in the talk.
relation (empty) from_talk
source_node_id (empty) 901e5904-7d4e-43a4-93a2-84ec1eea0c01
target_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
create Use Argon2id when you need pepper about Argon2
context (empty) Recommendation is about adopting Argon2id.
relation (empty) about
source_node_id (empty) 901e5904-7d4e-43a4-93a2-84ec1eea0c01
target_node_id (empty) 48217b19-5f30-46fa-82d8-58ddaa6e35a2
create Limit Devise password length to 72 bytes from_talk Devise pitfalls and way to tighten security
context (empty) Alternative mitigation for teams staying on bcrypt.
relation (empty) from_talk
source_node_id (empty) c290efa6-8522-47e4-ab99-480b2a3f1036
target_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
create Limit Devise password length to 72 bytes about Devise
context (empty) Concrete configuration change for Devise.
relation (empty) about
source_node_id (empty) c290efa6-8522-47e4-ab99-480b2a3f1036
target_node_id (empty) 9113bde3-534a-47d0-8333-e171c4b55e79
create Never store tokens in plain text from_talk Devise pitfalls and way to tighten security
context (empty) Stated as a rule: tokens are passwords.
relation (empty) from_talk
source_node_id (empty) 0b3688aa-dcc9-4cfe-908b-46b12683d6ab
target_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
create Use devise_token_auth for API tokens from_talk Devise pitfalls and way to tighten security
context (empty) Recommendation for API authentication.
relation (empty) from_talk
source_node_id (empty) bf141786-c255-4381-af91-10c20c179f39
target_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
create Use devise_token_auth for API tokens about devise_token_auth
context (empty) Recommends this specific gem.
relation (empty) about
source_node_id (empty) bf141786-c255-4381-af91-10c20c179f39
target_node_id (empty) de4297ca-f228-4c07-a484-ad60ced09cd4
create Keep refresh tokens in HttpOnly Secure SameSite cookies from_talk Devise pitfalls and way to tighten security
context (empty) Central recommendation of the refresh-token section.
relation (empty) from_talk
source_node_id (empty) b19a2719-ad4e-410e-8d36-e90b3577331d
target_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
create Keep refresh tokens in HttpOnly Secure SameSite cookies about Refresh Tokens in HttpOnly Cookies
context (empty) Restates the HttpOnly-cookie pattern as a recommendation.
relation (empty) about
source_node_id (empty) b19a2719-ad4e-410e-8d36-e90b3577331d
target_node_id (empty) b70269d9-8fc9-4dfc-935b-53753037f174
create Make existence checks asynchronous to prevent enumeration from_talk Devise pitfalls and way to tighten security
context (empty) Core mitigation for timing-based enumeration.
relation (empty) from_talk
source_node_id (empty) e6e08fb2-58cb-4e19-acf5-8db5b8acb660
target_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
create Make existence checks asynchronous to prevent enumeration about Timing-Based Enumeration
context (empty) Prevents timing attacks by constant-time responses.
relation (empty) about
source_node_id (empty) e6e08fb2-58cb-4e19-acf5-8db5b8acb660
target_node_id (empty) 037240de-553a-4c8a-885c-24bbe414320d
create Make existence checks asynchronous to prevent enumeration about Sidekiq
context (empty) Uses Sidekiq background jobs as the mechanism.
relation (empty) about
source_node_id (empty) e6e08fb2-58cb-4e19-acf5-8db5b8acb660
target_node_id (empty) 2365c22d-c83e-4553-b865-ec22d0b5b225
create Rate-limit login forms with a skip path from_talk Devise pitfalls and way to tighten security
context (empty) Recommendation for login forms where async check isn't feasible.
relation (empty) from_talk
source_node_id (empty) 1a5f75ed-3aee-4783-a235-c21c873a7da8
target_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
create Rate-limit login forms with a skip path about Enumeration Attack
context (empty) Prevents enumeration on login forms via rate limiting.
relation (empty) about
source_node_id (empty) 1a5f75ed-3aee-4783-a235-c21c873a7da8
target_node_id (empty) 9f6817c3-212a-4897-a050-6ec96be162b5
create Using external auth providers instead of Devise asked_at Devise pitfalls and way to tighten security
context (empty) Asked during Q&A after the talk.
relation (empty) asked_at
source_node_id (empty) f0af6e23-2462-487f-acbc-3e34b44919f7
target_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
create Using external auth providers instead of Devise about Auth0
context (empty) Specifically asked about Auth0.
relation (empty) about
source_node_id (empty) f0af6e23-2462-487f-acbc-3e34b44919f7
target_node_id (empty) 64154eec-fcd9-43eb-8d6d-7276f55dbb2c
create Using external auth providers instead of Devise about Devise
context (empty) Comparing external providers with Devise.
relation (empty) about
source_node_id (empty) f0af6e23-2462-487f-acbc-3e34b44919f7
target_node_id (empty) 9113bde3-534a-47d0-8333-e171c4b55e79
create Have you reported these issues upstream to Devise? asked_at Devise pitfalls and way to tighten security
context (empty) Asked during Q&A.
relation (empty) asked_at
source_node_id (empty) 856a9372-07d1-4d16-89de-d741ebcc8baa
target_node_id (empty) e6de36cb-0179-45f5-a1c3-164fe0066ca4
create Have you reported these issues upstream to Devise? about Devise
context (empty) About the Devise maintainers' response to security reports.
relation (empty) about
source_node_id (empty) 856a9372-07d1-4d16-89de-d741ebcc8baa
target_node_id (empty) 9113bde3-534a-47d0-8333-e171c4b55e79
create Devise uses bcrypt
context (empty) Devise uses bcrypt for password hashing by default.
relation (empty) uses
source_node_id (empty) 9113bde3-534a-47d0-8333-e171c4b55e79
target_node_id (empty) bd34f1fa-f7bd-432d-a3e3-5cee01abfe25
create Devise uses Pepper
context (empty) Devise supports an application-level pepper, appended to the password before bcrypt.
relation (empty) uses
source_node_id (empty) 9113bde3-534a-47d0-8333-e171c4b55e79
target_node_id (empty) 76d1ae5f-49be-4a50-91d5-df0c84f2d8b0
create devise_token_auth related_to Devise
context (empty) Built to complement Devise for token-based API authentication.
relation (empty) related_to
source_node_id (empty) de4297ca-f228-4c07-a484-ad60ced09cd4
target_node_id (empty) 9113bde3-534a-47d0-8333-e171c4b55e79
create Argon2 uses Salt
context (empty) Argon2 takes salt as an explicit argument rather than appending it.
relation (empty) uses
source_node_id (empty) 48217b19-5f30-46fa-82d8-58ddaa6e35a2
target_node_id (empty) 3d74db32-26f9-4949-8327-d39e91b6f438
create Argon2 uses Pepper
context (empty) Argon2 supports pepper as an explicit argument.
relation (empty) uses
source_node_id (empty) 48217b19-5f30-46fa-82d8-58ddaa6e35a2
target_node_id (empty) 76d1ae5f-49be-4a50-91d5-df0c84f2d8b0

Read set

108 nodes

tool Devise search_nodes tool Tyrant search_nodes tool Active Admin search_nodes concept Strong Parameters search_nodes tool activerecord-multi-tenant search_nodes talk Securing Rails applications search_nodes tool acts_as_tenant search_nodes tool JSON API Resources search_nodes talk Devise pitfalls and way to tighten security search_nodes+get_node_edges talk Multi-region data governance in Rails application search_nodes tool Brotli search_nodes takeaway Signed On-the-fly URLs search_nodes concept Unique Per-Site Email Leak Detection search_nodes event wroclove.rb 2022 search_nodes event wroclove.rb 2023 search_nodes event wroclove.rb 2024 search_nodes event wroclove.rb 2019 search_nodes event wroclove.rb 2018 search_nodes event wroclove.rb 2026 search_nodes event wroclove.rb 2025 search_nodes talk Building LLM powered applications in Ruby search_nodes talk Data Management With Ruby search_nodes talk Fix Production Bugs 20x Faster search_nodes takeaway Switch on HTTP/2 search_nodes takeaway Contribute to Arkency aggregates repository search_nodes tool acts_as_api search_nodes tool Pundit search_nodes resource awesome-ddd search_nodes tool Codecov search_nodes question Protecting against ffmpeg vulnerabilities search_nodes tool webpagetest.org search_nodes concept Breadth-First Search for Code Removal search_nodes takeaway Be kind and build useful things search_nodes question DDoS risk of on-the-fly processing search_nodes person Rafał Rothenberger get_node_edges company SpaceX search_nodes project monolith framework search_nodes takeaway Name Things To Find Their Properties search_nodes project Ruby Romania search_nodes tool RealtimeBoard search_nodes company Transloadit search_nodes tool Tailwind CSS search_nodes tool Sync Space VR search_nodes tool MobX search_nodes takeaway Trailblazer tracing saves thousands of debugging hours search_nodes talk Is the monolith a problem search_nodes company Visuality search_nodes talk International cooperation in IT teams 
search_nodes talk Enterprise Rails Panel search_nodes tool BME280 search_nodes talk Events events events search_nodes project Petri Nets Performance Prediction Gem search_nodes concept Logux Proxy search_nodes tool GraphQL search_nodes resource Rocket Real-Time Benchmark search_nodes concept Service Autonomy search_nodes concept Function as a Service search_nodes talk Building a Production-Ready AI App: MCP & OAuth on Rails search_nodes concept Direct Upload to Cloud search_nodes concept Waterfall Analysis search_nodes takeaway Timeline Diagrams Reveal Possible Race Conditions search_nodes concept Timeline Visualization search_nodes takeaway Replay-Based Debugging search_nodes concept Stalling For Time search_nodes concept Page Load Time Budget search_nodes tool Sidekiq search_nodes takeaway Prefer Small Sidekiq Jobs search_nodes concept Sidekiq Batches search_nodes takeaway Keep Sidekiq Job Parameters Simple search_nodes question Scaling Sidekiq Elastically search_nodes question Application-Level Back Pressure For Sidekiq search_nodes talk Under The Hood And On The Surface Of Sidekiq search_nodes question Wrapper Job vs Logic In Job search_nodes talk Sidekiq Batches Lightning Talk search_nodes question Sidekiq Retry Race Condition Fixed In 7 search_nodes question Isn't asking password confirmation business logic? search_nodes takeaway Use Unique Per-Site Emails To Catch Leaks search_nodes question How does GDPR deletion work if encrypted events are in backups? search_nodes concept tus protocol search_nodes tool DBM / SDBM / GDBM search_nodes concept Cynefin Framework search_nodes concept HTTP Method Idempotence search_nodes concept JSON API search_nodes takeaway Don't follow JSON API religiously search_nodes question JSON API or GraphQL — what do you recommend? 
search_nodes concept Aspect-Oriented Programming search_nodes talk Ever shorter feedback loop search_nodes talk Lightning Talk on Email Leaks and Senior Developer Titles search_nodes talk One machine please, make it Turing search_nodes concept HTTP/2 Server Push search_nodes concept HTTP Caching with ETag and Last-Modified search_nodes tool Uppy search_nodes concept Preloading and Prefetching search_nodes talk Counterintuitive Rails pt. 1 search_nodes talk Nightmare neighbours caveats of Rails based mutlitenancy search_nodes question What is an enterprise Rails application? search_nodes resource Rails Architect Master Class search_nodes talk Toolbelt of a Seasoned Bug Hunter search_nodes talk Better WebPerformance with Rails search_nodes tool Ruby on Rails search_nodes tool Ember.js search_nodes tool Rack search_nodes tool Discourse search_nodes tool Ruby search_nodes tool Heroku search_nodes talk Towards the post framework future search_nodes person Galileo Galilei search_nodes talk Functional Programming as Naming Lightning Talk search_nodes

2 edges