kotovalexarian-likes-github/rails--rails
1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Code Releases Activity

Update security guide for signed cookie rotations

Browse source 
The example was slightly incorrect. This commit also adds a test case
for this example to cookies middleware unit tests.
This commit is contained in:
Michael Coyne 2017-10-09 21:08:38 -04:00
parent ac1ee519fa
commit 04a7b7165a
No known key found for this signature in database
GPG key ID: 0C6C5D257131F86F
2 changed files with 22 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
actionpack/test/dispatch/cookies_test.rb
View file

@ -917,6 +917,25 @@ class CookiesTest < ActionController::TestCase
assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
end
def test_rotating_signed_cookies_digest
@request.env["action_dispatch.signed_cookie_digest"] = "SHA256"
@request.env["action_dispatch.cookies_rotations"].rotate :signed, digest: "SHA1"
key_generator = @request.env["action_dispatch.key_generator"]
old_secret = key_generator.generate_key(@request.env["action_dispatch.signed_cookie_salt"])
old_value = ActiveSupport::MessageVerifier.new(old_secret).generate(45)
@request.headers["Cookie"] = "user_id=#{old_value}"
get :get_signed_cookie
assert_equal 45, @controller.send(:cookies).signed[:user_id]
secret = key_generator.generate_key(@request.env["action_dispatch.signed_cookie_salt"])
verifier = ActiveSupport::MessageVerifier.new(secret, digest: "SHA256")
assert_equal 45, verifier.verify(@response.cookies["user_id"])
end
def test_legacy_hmac_aes_cbc_encrypted_marshal_cookie_is_upgraded_to_authenticated_encrypted_cookie
key_generator = @request.env["action_dispatch.key_generator"]
encrypted_cookie_salt = @request.env["action_dispatch.encrypted_cookie_salt"]

5
guides/source/security.md
View file

@ -169,11 +169,12 @@ you would first assign the new configuration value:
Rails.application.config.action_dispatch.signed_cookie_digest = "SHA256"
```
Then you'd set up a rotation with the old configuration to keep it alive.
Now add a rotation for the old SHA1 digest so existing cookies are
seamlessly upgraded to the new SHA256 digest.
```ruby
Rails.application.config.action_dispatch.cookies_rotations.tap do |cookies|
cookies.rotate :signed, digest: "SHA256"
cookies.rotate :signed, digest: "SHA1"
end
```