aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib
diff options
context:
space:
mode:
authorRafael Mendonça França <rafaelmfranca@gmail.com>2019-01-16 20:12:40 -0500
committerRafael Mendonça França <rafaelmfranca@gmail.com>2019-01-17 16:08:34 -0500
commit1a6a3e06ed7242d9a4ed66e9c3d77035bf1362a1 (patch)
tree040abfe7591fd0290655d85e6ddd503cb0744688 /actionpack/lib
parent46ac5fe69a20d4539a15929fe48293e1809a26b0 (diff)
downloadrails-1a6a3e06ed7242d9a4ed66e9c3d77035bf1362a1.tar.gz
rails-1a6a3e06ed7242d9a4ed66e9c3d77035bf1362a1.tar.bz2
rails-1a6a3e06ed7242d9a4ed66e9c3d77035bf1362a1.zip
Remove secret_token rack env and cookie upgrade code
Now that secret_token was removed all this code is now dead.
Diffstat (limited to 'actionpack/lib')
-rw-r--r--actionpack/lib/action_dispatch/middleware/cookies.rb35
-rw-r--r--actionpack/lib/action_dispatch/middleware/session/cookie_store.rb5
2 files changed, 1 insertions, 39 deletions
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 26d3fd936f..cb28baa229 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -61,10 +61,6 @@ module ActionDispatch
get_header Cookies::SIGNED_COOKIE_DIGEST
end
- def secret_token
- get_header Cookies::SECRET_TOKEN
- end
-
def secret_key_base
get_header Cookies::SECRET_KEY_BASE
end
@@ -181,7 +177,6 @@ module ActionDispatch
USE_AUTHENTICATED_COOKIE_ENCRYPTION = "action_dispatch.use_authenticated_cookie_encryption"
ENCRYPTED_COOKIE_CIPHER = "action_dispatch.encrypted_cookie_cipher"
SIGNED_COOKIE_DIGEST = "action_dispatch.signed_cookie_digest"
- SECRET_TOKEN = "action_dispatch.secret_token"
SECRET_KEY_BASE = "action_dispatch.secret_key_base"
COOKIES_SERIALIZER = "action_dispatch.cookies_serializer"
COOKIES_DIGEST = "action_dispatch.cookies_digest"
@@ -215,9 +210,6 @@ module ActionDispatch
# the cookie again. This is useful for creating cookies with values that the user is not supposed to change. If a signed
# cookie was tampered with by the user (or a 3rd party), +nil+ will be returned.
#
- # If +secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
- # legacy cookies signed with the old key generator will be transparently upgraded.
- #
# This jar requires that you set a suitable secret for the verification on your app's +secret_key_base+.
#
# Example:
@@ -233,9 +225,6 @@ module ActionDispatch
# Returns a jar that'll automatically encrypt cookie values before sending them to the client and will decrypt them for read.
# If the cookie was tampered with by the user (or a 3rd party), +nil+ will be returned.
#
- # If +secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
- # legacy cookies signed with the old key generator will be transparently upgraded.
- #
# If +config.action_dispatch.encrypted_cookie_salt+ and +config.action_dispatch.encrypted_signed_cookie_salt+
# are both set, legacy cookies encrypted with HMAC AES-256-CBC will be transparently upgraded.
#
@@ -264,10 +253,6 @@ module ActionDispatch
private
- def upgrade_legacy_signed_cookies?
- request.secret_token.present? && request.secret_key_base.present?
- end
-
def upgrade_legacy_hmac_aes_cbc_cookies?
request.secret_key_base.present? &&
request.encrypted_signed_cookie_salt.present? &&
@@ -592,10 +577,6 @@ module ActionDispatch
request.cookies_rotations.signed.each do |*secrets, **options|
@verifier.rotate(*secrets, serializer: SERIALIZER, **options)
end
-
- if upgrade_legacy_signed_cookies?
- @verifier.rotate request.secret_token, serializer: SERIALIZER
- end
end
private
@@ -640,10 +621,6 @@ module ActionDispatch
@encryptor.rotate(secret, sign_secret, cipher: legacy_cipher, digest: digest, serializer: SERIALIZER)
end
-
- if upgrade_legacy_signed_cookies?
- @legacy_verifier = ActiveSupport::MessageVerifier.new(request.secret_token, digest: digest, serializer: SERIALIZER)
- end
end
private
@@ -652,7 +629,7 @@ module ActionDispatch
@encryptor.decrypt_and_verify(encrypted_message, on_rotation: rotate, purpose: purpose)
end
rescue ActiveSupport::MessageEncryptor::InvalidMessage, ActiveSupport::MessageVerifier::InvalidSignature
- parse_legacy_signed_message(name, encrypted_message)
+ nil
end
def commit(name, options)
@@ -660,16 +637,6 @@ module ActionDispatch
raise CookieOverflow if options[:value].bytesize > MAX_COOKIE_SIZE
end
-
- def parse_legacy_signed_message(name, legacy_signed_message)
- if defined?(@legacy_verifier)
- deserialize(name) do |rotate|
- rotate.call
-
- @legacy_verifier.verified(legacy_signed_message)
- end
- end
- end
end
def initialize(app)
diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
index df680c1c5f..02ccfbc81a 100644
--- a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
@@ -16,11 +16,6 @@ module ActionDispatch
# The cookie jar used for storage is automatically configured to be the
# best possible option given your application's configuration.
#
- # If you only have secret_token set, your cookies will be signed, but
- # not encrypted. This means a user cannot alter their +user_id+ without
- # knowing your app's secret key, but can easily read their +user_id+. This
- # was the default for Rails 3 apps.
- #
# Your cookies will be encrypted using your apps secret_key_base. This
# goes a step further than signed cookies in that encrypted cookies cannot
# be altered or read by users. This is the default starting in Rails 4.