GuardAPI

Fix Broken User Authentication in Hanami

Broken authentication in Hanami typically arises from naive credential verification, such as comparing plaintext passwords or using standard string comparison operators susceptible to timing attacks. To secure a Hanami application, you must implement cryptographically strong hashing and constant-time verification.

The Vulnerable Pattern

module Web::Actions::Sessions
  class Create
    include Web::Action
    def call(params)
      user = UserRepository.new.find_by_email(params[:email])
      # VULNERABLE: Plaintext comparison and susceptible to timing attacks
      if user && user.password == params[:password]
        session[:user_id] = user.id
      else
        self.status = 401
      end
    end
  end
end

The Secure Implementation

The vulnerable code uses Ruby's standard '==' operator, which returns as soon as it meets the first mismatched byte, so an attacker who can measure response times can recover the secret one byte at a time. Comparing against user.password directly also implies that the password is stored in plaintext. The secure version stores an Argon2 digest instead: Argon2 is a memory-hard hashing algorithm designed to resist GPU cracking. 'Argon2::Password.verify_password' recomputes the hash and compares it in constant time, which closes the timing side channel and makes every guess in a credential-stuffing run cost a full Argon2 computation.

require 'argon2'

module Web::Actions::Sessions
  class Create
    include Web::Action

    def call(params)
      user = UserRepository.new.find_by_email(params[:email])

      # SECURE: Use Argon2 for hashing and constant-time verification
      if user && valid_credentials?(user, params[:password])
        session[:user_id] = user.id
        redirect_to '/dashboard'
      else
        halt 401, 'Invalid credentials'
      end
    end

    private

    def valid_credentials?(user, password)
      Argon2::Password.verify_password(password, user.password_digest)
    rescue Argon2::Errors::Argon2Error
      false
    end
  end
end
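As an added example (not GuardAPI's code and not part of Hanami), the same store-and-verify flow with PBKDF2-HMAC-SHA256 from Ruby's stdlib OpenSSL swapped in for the argon2 gem, so it runs without extra gems; it also handles the case the code above leaves open: when no user matches the email it still verifies against a dummy digest, so response time does not reveal which emails exist. The digest format, USERS, DUMMY_DIGEST and authenticate are constructed for this example.

```ruby
require 'openssl'
require 'securerandom'

ITERATIONS = 100_000 # assumed PBKDF2 cost for this example; tune per deployment
KEY_LEN = 32

# Stored digest format (constructed for this example): "pbkdf2$iterations$salt_hex$key_hex"
def hash_password(password, iterations: ITERATIONS)
  salt = SecureRandom.random_bytes(16)
  key = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                 length: KEY_LEN, hash: 'sha256')
  "pbkdf2$#{iterations}$#{salt.unpack1('H*')}$#{key.unpack1('H*')}"
end

# Constant-time comparison: unlike String#==, it does not stop at the first
# mismatched byte, so the time taken reveals nothing about where the strings differ.
# (OpenSSL.fixed_length_secure_compare provides the same in recent Ruby releases.)
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Recompute the digest for the supplied password and compare it in constant time.
# Malformed digests verify as false rather than raising, mirroring the rescue on the page.
def verify_password(password, digest)
  scheme, iter, salt_hex, key_hex = digest.to_s.split('$', 4)
  return false unless scheme == 'pbkdf2' && iter.to_i.positive? && salt_hex && key_hex
  candidate = OpenSSL::KDF.pbkdf2_hmac(password, salt: [salt_hex].pack('H*'),
                                       iterations: iter.to_i, length: KEY_LEN, hash: 'sha256')
  secure_equal?(candidate, [key_hex].pack('H*'))
rescue ArgumentError, OpenSSL::KDF::KDFError
  false
end

# Digest of a throwaway random password. When no user matches the email we still
# verify against it, so the "unknown user" path takes as long as the "wrong password" path.
DUMMY_DIGEST = hash_password(SecureRandom.hex(16))

# Constructed stand-in for UserRepository#find_by_email and its password_digest column.
USERS = { 'alice@example.com' => { id: 1, password_digest: hash_password('correct horse') } }

# Returns the user id on success, nil otherwise (the caller would set session[:user_id]).
def authenticate(email, password)
  user = USERS[email]
  digest = user ? user[:password_digest] : DUMMY_DIGEST
  verified = verify_password(password, digest)
  verified && user ? user[:id] : nil
end
```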


Verified by Ghost Labs Security Team
