Fix signed cookies by explicitly passing config to the cookie jar

actionpack/lib/action_controller/metal/cookies.rb

@@ -10,7 +10,8 @@ module ActionController #:nodoc:
 
     private
       def cookies
-        request.cookie_jar
+        raise "You must set config.cookie_secret in your app's config" if config.secret.blank?
+        request.cookie_jar(:signing_secret => config.secret)
       end
   end
 end

actionpack/lib/action_dispatch/middleware/cookies.rb

@@ -1,7 +1,7 @@
 module ActionDispatch
   class Request
-    def cookie_jar
+    def cookie_jar(config = {})
-      env['action_dispatch.cookies'] ||= Cookies::CookieJar.build(self)
+      env['action_dispatch.cookies'] ||= Cookies::CookieJar.build(self, config)
     end
   end
 
@@ -51,17 +51,18 @@ module ActionDispatch
   #   only HTTP. Defaults to +false+.
   class Cookies
     class CookieJar < Hash #:nodoc:
-      def self.build(request)
+      def self.build(request, config = {})
-        new.tap do |hash|
+        new(config).tap do |hash|
           hash.update(request.cookies)
         end
       end
 
-      def initialize
+      def initialize(config = {})
+        @config = config
         @set_cookies = {}
         @delete_cookies = {}
 
-        super
+        super()
       end
 
       # Returns the value of the cookie by +name+, or +nil+ if no such cookie exists.
@@ -111,7 +112,7 @@ module ActionDispatch
       #   cookies.permanent.signed[:remember_me] = current_user.id
       #   # => Set-Cookie: discount=BAhU--848956038e692d7046deab32b7131856ab20e14e; path=/; expires=Sun, 16-Dec-2029 03:24:16 GMT
       def permanent
-        @permanent ||= PermanentCookieJar.new(self)
+        @permanent ||= PermanentCookieJar.new(self, @config)
       end
 
       # Returns a jar that'll automatically generate a signed representation of cookie value and verify it when reading from
@@ -119,7 +120,7 @@ module ActionDispatch
       # cookie was tampered with by the user (or a 3rd party), an ActiveSupport::MessageVerifier::InvalidSignature exception will
       # be raised.
       #
-      # This jar requires that you set a suitable secret for the verification on ActionController::Base.cookie_verifier_secret.
+      # This jar requires that you set a suitable secret for the verification on your app's config.cookie_secret.
       #
       # Example:
       #
@@ -128,7 +129,7 @@ module ActionDispatch
       #
       #   cookies.signed[:discount] # => 45
       def signed
-        @signed ||= SignedCookieJar.new(self)
+        @signed ||= SignedCookieJar.new(self, @config)
       end
 
       def write(response)
@@ -138,8 +139,9 @@ module ActionDispatch
     end
 
     class PermanentCookieJar < CookieJar #:nodoc:
-      def initialize(parent_jar)
+      def initialize(parent_jar, config = {})
         @parent_jar = parent_jar
+        @config = config
       end
 
       def []=(key, options)
@@ -154,11 +156,7 @@ module ActionDispatch
       end
 
       def signed
-        @signed ||= SignedCookieJar.new(self)
+        @signed ||= SignedCookieJar.new(self, @config)
-      end
-
-      def controller
-        @parent_jar.controller
       end
 
       def method_missing(method, *arguments, &block)
@@ -167,18 +165,16 @@ module ActionDispatch
     end
 
     class SignedCookieJar < CookieJar #:nodoc:
-      def initialize(parent_jar)
+      def initialize(parent_jar, config = {})
-        unless ActionController::Base.config.secret
+        raise 'Missing cookie signing secret' if config[:signing_secret].blank?
-          raise "You must set ActionController::Base.config.secret"
-        end
-
         @parent_jar = parent_jar
-        @verifier = ActiveSupport::MessageVerifier.new(ActionController::Base.config.secret)
+        @config = config
+        @verifier = ActiveSupport::MessageVerifier.new(config[:signing_secret])
       end
 
       def [](name)
-        if value = @parent_jar[name]
+        if signed_message = @parent_jar[name]
-          @verifier.verify(value)
+          @verifier.verify(signed_message)
         end
       end