author | Michael Coyne <mikeycgto@gmail.com> | 2017-10-09 21:08:38 -0400 |
---|---|---|
committer | Michael Coyne <mikeycgto@gmail.com> | 2017-10-09 21:15:02 -0400 |
commit | 04a7b7165ad204014c5850f62c921f7291d6ba5d (patch) | |
tree | 36ddc8789347674dc4adf940583862b654723d4e /actionpack/test/dispatch/cookies_test.rb | |
parent | ac1ee519fa513f1c2188180e8830938c71edb48c (diff) | |
Update security guide for signed cookie rotations
The example was slightly incorrect. This commit also adds a test case
for this example to cookies middleware unit tests.
Diffstat (limited to 'actionpack/test/dispatch/cookies_test.rb')
-rw-r--r-- | actionpack/test/dispatch/cookies_test.rb | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/actionpack/test/dispatch/cookies_test.rb b/actionpack/test/dispatch/cookies_test.rb
index 2051f7546f..40cbad3b0d 100644
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -917,6 +917,25 @@ class CookiesTest < ActionController::TestCase
 assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
 end
 
+ def test_rotating_signed_cookies_digest
+ @request.env["action_dispatch.signed_cookie_digest"] = "SHA256"
+ @request.env["action_dispatch.cookies_rotations"].rotate :signed, digest: "SHA1"
+
+ key_generator = @request.env["action_dispatch.key_generator"]
+
+ old_secret = key_generator.generate_key(@request.env["action_dispatch.signed_cookie_salt"])
+ old_value = ActiveSupport::MessageVerifier.new(old_secret).generate(45)
+
+ @request.headers["Cookie"] = "user_id=#{old_value}"
+ get :get_signed_cookie
+
+ assert_equal 45, @controller.send(:cookies).signed[:user_id]
+
+ secret = key_generator.generate_key(@request.env["action_dispatch.signed_cookie_salt"])
+ verifier = ActiveSupport::MessageVerifier.new(secret, digest: "SHA256")
+ assert_equal 45, verifier.verify(@response.cookies["user_id"])
+ end
+
 def test_legacy_hmac_aes_cbc_encrypted_marshal_cookie_is_upgraded_to_authenticated_encrypted_cookie
 key_generator = @request.env["action_dispatch.key_generator"]
 encrypted_cookie_salt = @request.env["action_dispatch.encrypted_cookie_salt"] |
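Review bot: The "old" cookie in test_rotating_signed_cookies_digest is generated by `ActiveSupport::MessageVerifier.new(old_secret)` with no `digest:` argument, so the test only exercises the SHA1 rotation because MessageVerifier's default digest happens to be SHA1; if that default ever changes the test would stop covering the rotation it is named for, so pin it: `old_value = ActiveSupport::MessageVerifier.new(old_secret, digest: "SHA1").generate(45)`. The two `generate_key(...)` calls for `old_secret` and `secret` derive the same key from the same salt, which is correct here (only the digest rotates) but reads as if the secret were also rotating; a one-line comment such as `# same secret, only the digest differs between the rotated and the current verifier` would make the intent explicit. The surrounding CookiesTest class begins and continues outside this hunk.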