aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/dispatch/cookies_test.rb
diff options
context:
space:
mode:
authorMichael Coyne <mikeycgto@gmail.com>2017-10-09 21:08:38 -0400
committerMichael Coyne <mikeycgto@gmail.com>2017-10-09 21:15:02 -0400
commit04a7b7165ad204014c5850f62c921f7291d6ba5d (patch)
tree36ddc8789347674dc4adf940583862b654723d4e /actionpack/test/dispatch/cookies_test.rb
parentac1ee519fa513f1c2188180e8830938c71edb48c (diff)
downloadrails-04a7b7165ad204014c5850f62c921f7291d6ba5d.tar.gz
rails-04a7b7165ad204014c5850f62c921f7291d6ba5d.tar.bz2
rails-04a7b7165ad204014c5850f62c921f7291d6ba5d.zip
Update security guide for signed cookie rotations
The example was slightly incorrect. This commit also adds a test case for this example to cookies middleware unit tests.
Diffstat (limited to 'actionpack/test/dispatch/cookies_test.rb')
-rw-r--r--actionpack/test/dispatch/cookies_test.rb19
1 files changed, 19 insertions, 0 deletions
diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index 2051f7546f..40cbad3b0d 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -917,6 +917,25 @@ class CookiesTest < ActionController::TestCase
assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
end
+ def test_rotating_signed_cookies_digest
+ @request.env["action_dispatch.signed_cookie_digest"] = "SHA256"
+ @request.env["action_dispatch.cookies_rotations"].rotate :signed, digest: "SHA1"
+
+ key_generator = @request.env["action_dispatch.key_generator"]
+
+ old_secret = key_generator.generate_key(@request.env["action_dispatch.signed_cookie_salt"])
+ old_value = ActiveSupport::MessageVerifier.new(old_secret).generate(45)
+
+ @request.headers["Cookie"] = "user_id=#{old_value}"
+ get :get_signed_cookie
+
+ assert_equal 45, @controller.send(:cookies).signed[:user_id]
+
+ secret = key_generator.generate_key(@request.env["action_dispatch.signed_cookie_salt"])
+ verifier = ActiveSupport::MessageVerifier.new(secret, digest: "SHA256")
+ assert_equal 45, verifier.verify(@response.cookies["user_id"])
+ end
+
def test_legacy_hmac_aes_cbc_encrypted_marshal_cookie_is_upgraded_to_authenticated_encrypted_cookie
key_generator = @request.env["action_dispatch.key_generator"]
encrypted_cookie_salt = @request.env["action_dispatch.encrypted_cookie_salt"]