Merge pull request #8112 from rails/encrypted_cookies

Encrypted cookies

4 files changed, 62 insertions, 7 deletions

diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
index c4c1100f19..b9d18f4582 100644
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -225,21 +225,24 @@ module ApplicationTests
       assert_equal Pathname.new(app_path).join("somewhere"), Rails.public_path
     end
 
-    test "config.secret_token is sent in env" do
+    test "Use key_generator when secret_key_base is set" do
       make_basic_app do |app|
-        app.config.secret_token = 'b3c631c314c0bbca50c1b2843150fe33'
+        app.config.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
         app.config.session_store :disabled
       end
 
       class ::OmgController < ActionController::Base
         def index
           cookies.signed[:some_key] = "some_value"
-          render text: env["action_dispatch.secret_token"]
+          render text: cookies[:some_key]
         end
       end
 
       get "/"
-      assert_equal 'b3c631c314c0bbca50c1b2843150fe33', last_response.body
+
+      secret = app.key_generator.generate_key('signed cookie')
+      verifier = ActiveSupport::MessageVerifier.new(secret)
+      assert_equal 'some_value', verifier.verify(last_response.body)
     end
 
     test "protect from forgery is the default in a new app" do
@@ -568,7 +571,6 @@ module ApplicationTests
 
       assert_respond_to app, :env_config
       assert_equal      app.env_config['action_dispatch.parameter_filter'],  app.config.filter_parameters
-      assert_equal      app.env_config['action_dispatch.secret_token'],      app.config.secret_token
       assert_equal      app.env_config['action_dispatch.show_exceptions'],   app.config.action_dispatch.show_exceptions
       assert_equal      app.env_config['action_dispatch.logger'],            Rails.logger
       assert_equal      app.env_config['action_dispatch.backtrace_cleaner'], Rails.backtrace_cleaner
diff --git a/railties/test/application/middleware/remote_ip_test.rb b/railties/test/application/middleware/remote_ip_test.rb
index 9d97bae9ae..fde13eeb94 100644
--- a/railties/test/application/middleware/remote_ip_test.rb
+++ b/railties/test/application/middleware/remote_ip_test.rb
@@ -1,4 +1,6 @@
 require 'isolation/abstract_unit'
+# FIXME remove DummyKeyGenerator and this require in 4.1
+require 'active_support/key_generator'
 
 module ApplicationTests
   class RemoteIpTest < ActiveSupport::TestCase
@@ -8,7 +10,7 @@ module ApplicationTests
       remote_ip = nil
       env = Rack::MockRequest.env_for("/").merge(env).merge!(
         'action_dispatch.show_exceptions' => false,
-        'action_dispatch.secret_token' => 'b3c631c314c0bbca50c1b2843150fe33'
+        'action_dispatch.key_generator'   => ActiveSupport::DummyKeyGenerator.new('b3c631c314c0bbca50c1b2843150fe33')
       )
 
       endpoint = Proc.new do |e|
diff --git a/railties/test/application/middleware/session_test.rb b/railties/test/application/middleware/session_test.rb
index 5ce41caf61..b1a19d590c 100644
--- a/railties/test/application/middleware/session_test.rb
+++ b/railties/test/application/middleware/session_test.rb
@@ -128,5 +128,56 @@ module ApplicationTests
       get '/foo/read_cookie'   # Cookie shouldn't be changed
       assert_equal '"1"', last_response.body
     end
+
+    test "session using encrypted cookie store" do
+      app_file 'config/routes.rb', <<-RUBY
+        AppTemplate::Application.routes.draw do
+          get ':controller(/:action)'
+        end
+      RUBY
+
+      controller :foo, <<-RUBY
+        class FooController < ActionController::Base
+          def write_session
+            session[:foo] = 1
+            render nothing: true
+          end
+
+          def read_session
+            render text: session[:foo]
+          end
+
+          def read_encrypted_cookie
+            render text: cookies.encrypted[:_myapp_session]['foo']
+          end
+
+          def read_raw_cookie
+            render text: cookies[:_myapp_session]
+          end
+        end
+      RUBY
+
+      add_to_config <<-RUBY
+        config.session_store :encrypted_cookie_store, key: '_myapp_session'
+        config.action_dispatch.derive_signed_cookie_key = true
+      RUBY
+
+      require "#{app_path}/config/environment"
+
+      get '/foo/write_session'
+      get '/foo/write_session'
+      get '/foo/read_session'
+      assert_equal '1', last_response.body
+
+      get '/foo/read_encrypted_cookie'
+      assert_equal '1', last_response.body
+
+      secret = app.key_generator.generate_key('encrypted cookie')
+      sign_secret = app.key_generator.generate_key('signed encrypted cookie')
+      encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret)
+
+      get '/foo/read_raw_cookie'
+      assert_equal 1, encryptor.decrypt_and_verify(last_response.body)['foo']
+    end
   end
 end
diff --git a/railties/test/application/url_generation_test.rb b/railties/test/application/url_generation_test.rb
index 2a48adae5c..0905757442 100644
--- a/railties/test/application/url_generation_test.rb
+++ b/railties/test/application/url_generation_test.rb
@@ -14,7 +14,7 @@ module ApplicationTests
       require "action_controller/railtie"
 
       class MyApp < Rails::Application
-        config.secret_token = "3b7cd727ee24e8444053437c36cc66c4"
+        config.secret_key_base = "3b7cd727ee24e8444053437c36cc66c4"
         config.session_store :cookie_store, key: "_myapp_session"
         config.active_support.deprecation = :log
         config.eager_load = false