Hi Jeremy,
Thanks a lot for your quick and very good answer.
I'm continuously impressed by the sheer flexibility and power hidden within
Sequel. I deeply regret not taking the time to find Sequel many years ago.
On Monday, 8 June 2015 23:01:48 UTC+8, Jeremy Evans wrote:
>
> On Monday, June 8, 2015 at 7:43:40 AM UTC-7, Mats Persson wrote:
>>
>> Hi,
>>
>> What's the best Sequel way to protect sensitive columns such as
>> passwords, etc from being exposed when a model is inspect'ed?? Is it even
>> possible?
>>
>>
>> # Example
>>
>> DB = Sequel.sqlite
>> Sequel::Model.plugin(:schema)
>>
>> class User < Sequel::Model
>>   set_schema do
>>     primary_key :id
>>     String :name
>>     String :password
>>     String :supersecret
>>   end
>> end
>>
>> User.create_table! unless DB.tables.include?(:users)
>>
>> u = User.create(name: 'Joe Blogs', password: 's3cr3t', supersecret:
>> 'topsecret')
>>
>> # dumping a user without the password and secret
>> puts u.inspect #=> #<User @values={ :id=>1, :name=>"Joe Blogs" }>
>>
>>
>> Thanks for your time.
>>
>
> Don't select the password/supersecret columns by default:
>
> class User < Sequel::Model(DB[:users].select(:id, :name)); end
>
> Your example is showing SQLite, so that's probably the best way to go.
>
> If you have an app where password security is important and you are using
> PostgreSQL, my recommendation is to deny the database user access to the
> password/supersecret columns, and add a database function that the database
> user is allowed to execute that can be used to check passwords/secrets.
> That makes it much more difficult for an attacker to extract passwords
> from the database in the event of a vulnerability.
>
> Thanks,
> Jeremy
>
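Jeremy's PostgreSQL recommendation, written out as an added example (this is not code from the thread or from Sequel itself): the application role is denied the secret columns and checks passwords through a SECURITY DEFINER function. The role name `app_user`, the function name `check_password`, and the use of pgcrypto's `crypt()` so the column holds a hash rather than plaintext are assumptions made here; on the Sequel side the `Model(DB[:users].select(:id, :name))` dataset from the reply then stops being optional, because a `SELECT *` would be rejected.

```sql
-- Constructed example: the application connects as app_user, which must be
-- able to list users and verify logins but never read the secret columns.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE ROLE app_user LOGIN PASSWORD 'PLACEHOLDER-change-me';

CREATE TABLE users (
  id          serial PRIMARY KEY,
  name        text NOT NULL,
  password    text NOT NULL,   -- crypt() hash, written by the owner role
  supersecret text
);

-- Column-level privileges: no table-wide SELECT, only id and name.
-- INSERT/UPDATE stay table-wide so registration and profile edits work.
REVOKE ALL ON users FROM app_user;
GRANT SELECT (id, name) ON users TO app_user;
GRANT INSERT, UPDATE ON users TO app_user;
GRANT USAGE, SELECT ON SEQUENCE users_id_seq TO app_user;

-- Runs with the privileges of its owner (SECURITY DEFINER), so app_user can
-- verify a password without ever being allowed to read the password column.
-- search_path is pinned so a definer function cannot be hijacked via pg_temp.
CREATE OR REPLACE FUNCTION check_password(p_id integer, p_password text)
RETURNS boolean
LANGUAGE sql
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
  SELECT EXISTS (
    SELECT 1
    FROM users
    WHERE id = p_id
      AND password = crypt(p_password, password)
  );
$$;

-- Nobody but app_user (and the owner) may call the check.
REVOKE ALL ON FUNCTION check_password(integer, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION check_password(integer, text) TO app_user;

-- Seed row, inserted by the table owner with a bcrypt hash of the thread's sample value.
INSERT INTO users (name, password, supersecret)
VALUES ('Joe Blogs', crypt('s3cr3t', gen_salt('bf')), 'topsecret');

-- As app_user: the first statement is covered by the column grant, the second
-- fails with a permission error, and the third is the only way to test a password.
-- SELECT id, name FROM users;
-- SELECT password FROM users;
-- SELECT check_password(1, 's3cr3t');
```

With this in place a SQL injection or leaked application credential yields names, not password hashes; the attacker is limited to one guess per `check_password` call, which is also an obvious thing to rate-limit and log on the database side.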