Posts by José Valim

Thank you, Carlos Antonio!

Carlos Antônio, our first employee, is moving forward after 5 years at Plataformatec. In this blog post, we share a bit about our story, our open source projects, and the legacy Carlos is leaving with us.

Comparing protocols and extensions in Swift and Elixir

Swift has been recently announced by Apple and I have been reading the docs and playing with the language out of curiosity. I was pleasantly surprised with many features in the language, like the handling of optional values (and types) and with immutability being promoted throughout the language. The language also feels extensible. For extensibility, … »

Tips for keeping your Open Source Software issues tracker tidy

Charlie Somerville recently tweeted he wished there was a good guide about maintaining open source software: I wish there was a good guide on maintaining OSS projects. I'm a maintainer of a reasonably popular project and I have NFI what I'm doing. — Charlie Somerville (@charliesome) April 26, 2014 In between consultancy jobs and building … »

E-mail enumeration in Devise in paranoid mode

It has been reported that malicious users can perform e-mail enumeration on sign in via timing attacks despite paranoid mode being enabled. Whenever you try to reset your password or confirm your account, Devise gives you precise information on how to proceed: whether the e-mail given is valid, whether the token has not expired and … »

Devise 3.1: Now with more secure defaults

We are glad to announce that Devise 3.1.0.rc is out. On this version, we have focused on some security enhancements regarding our defaults and the deprecation of TokenAuthenticatable. This blog post explains the rationale behind those changes and how to upgrade. Devise 3.1.0.rc runs on both Rails 3.2 and Rails 4.0. There is a TL;DR … »

CSRF token fixation attacks in Devise

Devise has been reported to be vulnerable to CSRF token fixation attacks. The attack can only be exploited if the attacker can set the target session, either by subdomain cookies (similar to what is described here) or by fixation over the same Wi-Fi network. If the attacker knows the CSRF token, cross-site request forgery attacks can be made. … »