Add caution re Argon2id::Password equality

The downside of the convenience of using `Argon2id::Password#==` for verification means it might break expectations of how equality works for those objects.
mudge · Nov 6, 2024 · ff99dbe · ff99dbe
1 parent 64e5e32
commit ff99dbe
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -149,6 +149,18 @@ password.is_password?("opensesame")    #=> true
 password.is_password?("notopensesame") #=> false
 ```
 
+> [!CAUTION]
+> `Argon2id::Password#==` only works if the plain text password is on the right, e.g. the following behaviour may be surprising:
+>
+> ```ruby
+> password = Argon2id::Password.create("password")
+> password == "password" #=> true
+> "password" == password #=> false
+> password == password   #=> false
+> ```
+>
+> If you want to avoid this ambiguity, prefer the `Argon2id::Password#is_password?` alias instead.
+
 The various parts of the encoded hash can be retrieved:
 
 ```ruby