TokenAuthenticatable provides comparison method

Avoids attempting save on comparison, as that could potentially reveal that a resource exists. Uses secure comparison incase this is reused somewhere sensitive.

TokenAuthenticatable provides comparison method
1ad34167 · James Edwards-Jones · 36979875 · 1ad34167
Commit 1ad34167 authored 6 years ago by James Edwards-Jones
--- a/app/models/concerns/token_authenticatable.rb
+++ b/app/models/concerns/token_authenticatable.rb
@@ -59,6 +59,11 @@ module TokenAuthenticatable
        write_new_token(token_field, unique: unique)
        save! if Gitlab::Database.read_write?
      end
+
+      define_method("#{token_field}_matches?") do |other_token|
+        token = read_attribute(token_field)
+        token.present? && ActiveSupport::SecurityUtils.variable_size_secure_compare(other_token, token)
+      end
    end
  end
 end