DEV Community: Patrick Gramatowski

[SECURITY IN RAILS] Preventing enumeration attacks, data leaks, and timing based attacks 🔐🛤️

Patrick Gramatowski — Tue, 03 Jun 2025 19:49:49 +0000

Enumeration attacks 🕵️‍♂️

Enumeration attacks are a class of security vulnerabilities where attackers exploit differences in system responses to infer valid user information. In authentication systems, this often occurs when the application provides distinct error messages - such as “Invalid username” versus “Invalid password”. Such discrepancies enable attackers to identify valid usernames, paving the way for brute-force or dictionary attacks on passwords.

Beyond the technical risk, this also represents a privacy issue. User identifiers like email addresses are often structured (e.g., name.surname@domain.com), which can reveal personal information. In certain applications, especially those handling sensitive user data - exposing whether an email exists can be a significant breach of user privacy.

source: upguard.com

OWASP on Authentication and Error Messages: 'Incorrectly implemented error messages in the case of authentication functionality can be used for the purposes of user ID and password enumeration. An application should respond (both HTTP and HTML) in a generic manner.'

Prevent enumeration attacks and data leaks by changing error messages to generic:

For the registration form, validations checking for the uniqueness of personal data against current database records must be omitted. If a user attempts to create an account with an email address that already exists in the database, the system should display a success message and, on the backend, simply refrain from creating a new account.

source: stackexchange.com

For the login form:

If the account is confirmed and both email and password are correct, return success.
If the account is not confirmed and both email and password are correct, return success (display unconfirmed email message).
Otherwise, return a generic message like invalid credentials.

[IMPORTANT] When a user tries to log in with an unconfirmed email but enters an incorrect password, devise_token_auth gem currently bypasses password validation and directly informs the user that the email is not confirmed. To address this issue, we will enable paranoid mode in Devise. This will ensure that the system only renders the email not confirmed message if the password is valid. If the password is incorrect, the system will respond with a generic invalid credentials message.

Ref: devise_token_auth/sessions_controller.rb

# config/initializers/devise.rb

# It will change confirmation, password recovery and other workflows
# to behave the same regardless if the e-mail provided was right or wrong.
# Does not affect registerable.
config.paranoid = true

source: techtarget.com

For the reset password form, similar to the registration form, we should not validate the email against current database records to check if it exists. Instead, whenever a user enters an email in a valid format, we should always return a success message. Then, on the backend, we can decide whether to send the email or not. Enabling paranoid mode in Devise also handles this by ensuring that success messages are returned regardless of the email's presence in the database.

source: discourse.org

To prevent enumeration attacks, it is crucial to standardize error messages so that no information about the validity of usernames or passwords is revealed. By returning generic error messages regardless of which credentials are incorrect, we reduce the risk of attackers identifying valid usernames and improve the overall security of the authentication system. This approach also prevents potential data leaks, safeguarding sensitive user information from being exposed.

Timing based attacks ⏱️

The Medium article "Introduction to Timing Attacks!" explains that 'A timing attack is a security exploit that enables an attacker to spot vulnerabilities in a local or a remote system to extract potentially sensitive or secret information by observing the concerned system's response time to various inputs.'

source: propelauth.com

Prevent timing based enumeration attacks for login forms with the Rack-Attack gem:

To enhance the security of your application and protect against timing based enumeration attacks for login forms, consider implementing throttling constraints for each vulnerable form using the Rack-Attack gem. Rack-Attack is a middleware for Ruby applications that provides a simple way to throttle and block abusive requests.

This code essentially limits login attempts for a given ip parameter to X (limit) requests per Y (period) seconds:

# config/initializers/rack_attack.rb

class Rack::Attack
  throttle("logins/ip", limit: 5, period: 20.seconds) do |req|
    req.ip if req.path.starts_with?("/admin/sign_in", "/api/v1/auth/sign_in") && req.post?
  end
end

there is also a throttling option for emails, but it is important to note that this can lead to DDos attacks, as someone can block other users by spamming the login form with their emails. To learn more see here Rack-Attack Throttling documentation.

Prevent timing based enumeration attacks for other forms (registration, password reset, etc.):

Instead of directly calling the desired use_case, we can call an indirect use_case to schedule the requested action.

# app/controllers/api/v1/auth/user_registrations_controller.rb

def create
  ::Auth::UseCases::ScheduleUserRegistration.new.call(params: create_params)
  # ...
end

We now validate incoming parameters and create a temporary record to store them. This temporary storage layer was introduced to address two key concerns:

Avoiding PII storage in Redis
Rather than storing personally identifiable information (PII) - such as registration or password reset form inputs in volatile systems like Redis, we use a dedicated database table designed specifically for temporary records.

Ensuring end-to-end encryption
All sensitive data stored in these temporary records is encrypted, maintaining strong security and privacy guarantees throughout the entire lifecycle of the process.

# app/concepts/auth/use_cases/schedule_user_registration.rb

module Auth
  module UseCases
    class ScheduleUserRegistration < BaseUseCase
      def call(params:)
        # validate params
        reference_record = RegistrationRequest.create!(params)
        RegisterUserJob.perform_async(reference_record.id)
      end

      # ...
    end
  end
end

By referencing these encrypted temporary records in subsequent steps (e.g., background jobs or finalization use case handlers), we minimize exposure of sensitive user data and maintain better control over its lifecycle and security posture.

  # db/migrate/...

  def change
    create_table :registration_requests, id: :uuid do |t|
      t.string :email
      ## Database authenticatable
      t.string :encrypted_password, null: false, default: ""

      t.string :first_name
      t.string :last_name

      t.timestamps
    end
  end

# app/models/registration_request.rb

class RegistrationRequest < ApplicationRecord
  devise :database_authenticatable

  encrypts :email, deterministic: true, downcase: true
  encrypts :first_name
  # https://guides.rubyonrails.org/active_record_encryption.html
end

In the next step, we retrieve the corresponding temporary record and use it to trigger the logic required to process the requested action - such as completing a registration or resetting a password. Once the action is successfully handled, the temporary record is securely deleted, ensuring that no sensitive data lingers beyond its necessary lifespan.

# app/sidekiq/register_user_job.rb

class RegisterUserJob
  include Sidekiq::Job

  def perform(id)
    registration_request = RegistrationRequest.find(id)
    user = User.find_by(email: registration_request.email)
    return registration_request.destroy! if user.present?

    user = Auth::UseCases::RegisterUser.new.call(params: registration_request_params)
    Auth::UseCases::SendConfirmationEmail.new.call(user)
    registration_request.destroy!
  end

  # ...
end

Now the logic responsible for handling the requested action is as follows:

# app/concepts/auth/use_cases/register_user.rb

module Auth
  module UseCases
    class RegisterUser < BaseUseCase
      def call(params:)
        user = nil
        ActiveRecord::Base.transaction do
          user = User.build(params)
          user.skip_password_validation = true
          user.save!
          user.skip_password_validation = false
        end

        user
      end
    end
  end
end

As shown in the example, we introduce a slight deviation from standard behavior by leveraging the skip_password_validation mechanism. This is necessary when transferring the password from a temporary reference record (e.g., RegistrationRequest) to a persistent user record (User).

Because we cannot decrypt the password value (for security reasons), we instead copy the encrypted password directly, assigning:

user.encrypted_password = registration_request.encrypted_password

However, when creating a new User record, Devise (used in Rails) expects a plain-text password to be provided and validated by default. To bypass this requirement without compromising security, we override the password_required? method to return false when using encrypted password values directly:

# app/models/user.rb

class User < ApplicationRecord
  attr_accessor :skip_password_validation  # virtual attribute to skip password validation while saving

  # ...

  protected

  def password_required?
    super && !skip_password_validation
  end

This approach allows the user creation process to proceed securely, using the encrypted password from the temporary record, without triggering unnecessary validation errors.

To protect against timing based attacks, it is necessary to implement security measures for various forms in the application. Use the Rack-Attack gem to lower the vulnerability to these attacks on login forms.

For other forms, such as registration or password reset, move the processing logic to background tasks instead of executing them directly. This approach helps hide response times and prevents attackers from recognizing patterns based on time changes, thus increasing the overall security and resilience of the application.

source: propelauth.com

Refs:

Devise pitfalls and way to tighten security

OWASP - Authentication and Error Messages

^{Cover image source: DeepAI}

Must-Know Ruby on Rails Gems for Improved Productivity

Patrick Gramatowski — Wed, 18 Dec 2024 17:24:39 +0000

A Ruby on Rails gem is a reusable package of Ruby code that enhances application functionality. Gems provide pre-built solutions for tasks like database integration or handling web requests, saving development time and effort. They streamline projects and enable faster delivery, especially in Ruby on Rails development.

There are several categories of Ruby on Rails gems:

Performance Optimization
Security Enhancement
Productivity and Developer Tools
Testing and Quality Assurance
Frontend and UI

With so many gems available, choosing the right one can feel overwhelming. Which one should you pick, and why? In the following sections, I'll walk you through the must-know gems.

🤔 What are Must-have Ruby on Rails Gems?

Ruby on Rails gems extend the functionality of a Rails application and make development faster, easier, and more efficient.

Bundler

The Bundler gem is one of the most popular, with over 2,000,000,000 downloads. It provides a consistent environment for Ruby projects by tracking and installing the exact gems and versions needed. Based on your Gemfile, a single call to Bundler with $ bundle install will automatically download and install all the required gems.

RuboCop

RuboCop is a Ruby code style checking and code formatting tool. It aims to enforce the community-driven Ruby Style Guide. In addition to identifying issues in your code, RuboCop can automatically correct many for you. This gem is used widely across Ruby on Rails development services to ensure code quality and maintainability.

Bullet

The Bullet Gem helps boost your application's performance by minimizing the number of queries it executes.
It monitors your queries during development and alerts you when to add eager loading to address N+1 queries, when existing eager loading is unnecessary, and when to use counter cache.

📝 Summary

Gems significantly speed up the development process, improve code quality, automate repetitive tasks, and enhance application security and performance. The world of gems is tremendous; there are more than 183,000 gems in the latest official Ruby gems base. Whatever gem you choose, you make one step closer to fostering your application development process.

🙋 Want to Dive Deeper?

Explore this topic in greater detail in my blog post published on @monterail blog, where I've covered more Ruby on Rails Gems that help build more performant, secure, and maintainable applications. It is a perfect read for developers looking to enhance their Ruby on Rails applications.

^{Cover image source: Lokalise}

How not to let your Tech Lead drown? 🛟

Patrick Gramatowski — Sun, 01 Dec 2024 11:27:39 +0000

I want to start by clarifying that have no doubt our tech leads are excellent swimmers, but when I was a kid, my mother used to remind me that “you can drown in six inches of water”. With that in mind, I’d like to share how I strive not to be one of those six inches for the tech leads I work with.

^{Image source: ‘Baywatch’ Remake In The Works At Fremantle As Buyers Circle by Peter White}

Communication flow 🤝

When you join a new project, it's time for “onboarding”. This is the point at which you get to know the team members and begin to get familiar with the technical and business logic of the project. After the initial familiarization with the project, the time comes for the first tasks. As you work on your first tasks, you are likely to have questions for the rest of the team, these first interactions lead to the formation of what I call “communication flow”, which I understand as habits in the way you communicate with other team members. As it happens with people, each of us has some habits, and on this point I wanted to encourage you to start paying attention to your communication habits and consciously control them.

💬 Real-Life Example:

While working on one of my previous projects, during one of our retrospective sessions, the project's tech lead pointed out that it makes his job much easier when I leave a reaction emoji under each message, so he can always be sure that the message has been read by me.

^{Image source: How the Evolution of Emojis Changed the Way We Communicate by Aoife Markey}

As you can see, even something as trivial and simple as an emoji can make a difference. 👀

📚 Explore More:

Asynchronous communication: Best practices and tips

The team 👩‍💻👨‍💻

In addition to the tech lead, many other team members are there to support you, including Product Managers (PM), Quality Assurance (QA) specialists, Product Owners (PO), Business Analysts (BAs), and Designers. Each of these roles plays a vital part in the team's collaborative effort.

^{Image source: Communications Strategies Are Like Ogres, Like Onions by Kim Ronkin Casey}

Think of these roles as layers of an onion 🧅 — each one represents a team or subgroup that contributes to the overall project. Being mindful of these layers and ensuring effective communication between them is essential for maintaining alignment and avoiding gaps that could lead to delays or misunderstandings.

📚 Explore More:

How to improve team communication: 6 strategies and tips
Best Communication Practices We Use To Keep Our Clients In The Loop

Knowledge sharing (documentation, updates, notes) 📄

Documentation is a crucial part of a programmer's work, serving as a key source of knowledge about the project. It goes beyond code-related details and should also be designed to support non-technical team members, such as product owners, project managers, and quality assurance specialists. To ensure that everyone stays on the same page as the project evolves, every team member should keep an eye on the documentation to keep it updated and clearly communicate any changes that may impact others' work.

💬 Real-Life Example:

I made it a habit with every task I work on to include clear instructions on how to test the specific changes, pointing out where technical support might be needed, and specifying where to find the latest changes (e.g. staging). This has become my standard approach, helping reduce confusion and ensuring smoother collaboration throughout the testing and review process.

I believe that clear communication and well-organized documentation are the cornerstones of effective and seamless team collaboration.

💡 Tip:

Visuals like diagrams can greatly enhance clarity and improve organization. For more on this, be sure to check out my article - Visualize to organize: How diagrams improve project documentation.

^{Image source: reddit.com/r/ProgrammerHumor}

📚 Explore More:

Diátaxis - A systematic approach to technical documentation authoring.
Creating technical documentation for non-technical people: tips from our team

Learn how NOT to make decisions 🚦

As a programmer, you will often be faced with situations where you will have to make decisions that can affect an important part of a functionality, the behavior of a specific component, or even the entire project. It is important not to make these decisions in a hurry, without consulting your team.

^{Image source: The Innovation & Transformation case story of Maersk Line by Henrik von Scheel & Mads Clausager}

When making important decisions, it's essential to think through all the details before acting. Involving your team in the process can uncover valuable insights, and help spot potential problems or overlooked risks. This avoids costly mistakes during product development, such as bugs leading to delays, which in turn can lead to lost sales which directly affects the client's business.

🚨 Warning:

It’s crucial to understand the client's business needs in order to be able to estimate the so-called "Cost of Delay", since it can significantly affect the client’s outcomes.

^{Image source: The Innovation & Transformation case story of Maersk Line by Henrik von Scheel & Mads Clausager}

📚 Explore More:

Software Engineer: The Art of Decision-Making Delay
Cost of Delay – Decision Making Framework
Project Managers: Your New Weekly Client Call Agenda

Grow 🌱

The best way not to drown your tech lead is to become one. Learn, gain experience, actively participate in the life of the project and the company, contribute in the way you feel most comfortable. The more experience and knowledge you have, the more responsibility you can take on.

🚀 Ideas:

Volunteer for complex or unfamiliar tasks, which will allow you to learn by doing.

Spend time with more experienced engineers, observing how they solve problems and make decisions.

Write blog posts or internal documentation about the challenges you faced and how you solved them, following the principle - "if you can't teach/explain it well, you don't understand it well enough".

^{Image source: The Failure of Power & Responsibility by Ed Berliner}

True development comes from exposing yourself to new experiences, and as you gain knowledge and skills, you naturally take on more and more responsibility.

Conclusions 🎯

The purpose of my post was to raise awareness of how important each team member is, and how you, as an individual, can contribute to the effectiveness of the entire team.

By understanding that you can bring the greatest value to the team, not through your technical skills, but through your communication skills, because before you write the first line of code, you need to know what, how and when it should work. Because we don't write code for code's sake, but to solve problems, and to solve any problem long-term, we have to start by understanding the nature of the problem.

^{Cover image source: DeepAI}