aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller/metal/http_authentication.rb
Commit message (Collapse)AuthorAgeFilesLines
* Add `Style/RedundantFreeze` to remove redudant `.freeze`Yasuo Honda2018-09-291-2/+2
| | | | | | | | | | | | | | | | | | | | | Since Rails 6.0 will support Ruby 2.4.1 or higher `# frozen_string_literal: true` magic comment is enough to make string object frozen. This magic comment is enabled by `Style/FrozenStringLiteralComment` cop. * Exclude these files not to auto correct false positive `Regexp#freeze` - 'actionpack/lib/action_dispatch/journey/router/utils.rb' - 'activerecord/lib/active_record/connection_adapters/sqlite3_adapter.rb' It has been fixed by https://github.com/rubocop-hq/rubocop/pull/6333 Once the newer version of RuboCop released and available at Code Climate these exclude entries should be removed. * Replace `String#freeze` with `String#-@` manually if explicit frozen string objects are required - 'actionpack/test/controller/test_case_test.rb' - 'activemodel/test/cases/type/string_test.rb' - 'activesupport/lib/active_support/core_ext/string/strip.rb' - 'activesupport/test/core_ext/string_ext_test.rb' - 'railties/test/generators/actions_test.rb'
* Enable `Performance/UnfreezeString` copyuuji.yaginuma2018-09-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In Ruby 2.3 or later, `String#+@` is available and `+@` is faster than `dup`. ```ruby # frozen_string_literal: true require "bundler/inline" gemfile(true) do source "https://rubygems.org" gem "benchmark-ips" end Benchmark.ips do |x| x.report('+@') { +"" } x.report('dup') { "".dup } x.compare! end ``` ``` $ ruby -v benchmark.rb ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux] Warming up -------------------------------------- +@ 282.289k i/100ms dup 187.638k i/100ms Calculating ------------------------------------- +@ 6.775M (± 3.6%) i/s - 33.875M in 5.006253s dup 3.320M (± 2.2%) i/s - 16.700M in 5.032125s Comparison: +@: 6775299.3 i/s dup: 3320400.7 i/s - 2.04x slower ```
* Clarify example of the test `ActionController::HttpAuthentication::Token` ↵bogdanvlviv2018-07-211-4/+3
| | | | | | [ci skip] Follow up #33401, 5491f8115711d8b34d52f8ba5e52ba39a49b08fe.
* [ci skip] Fix syntax error + make example easier to follow.Kasper Timm Hansen2018-07-201-2/+3
| | | | Follow up to 9f152a606
* Fix basic auth problem in ActionController::HttpAuthentication::Basic doc黄松2018-07-201-2/+2
|
* Merge pull request #24510 from ↵Rafael Mendonça França2017-11-251-7/+4
|\ | | | | | | | | | | vipulnsward/make-variable_size_secure_compare-public Make variable_size_secure_compare public
| * Changed default behaviour of `ActiveSupport::SecurityUtils.secure_compare`,Vipul A M2017-06-071-7/+4
| | | | | | | | | | | | | | to make it not leak length information even for variable length string. Renamed old `ActiveSupport::SecurityUtils.secure_compare` to `fixed_length_secure_compare`, and started raising `ArgumentError` in case of length mismatch of passed strings.
* | Bump RuboCop to 0.51.0Koichi ITO2017-11-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ## Summary RuboCop 0.51.0 was released. https://github.com/bbatsov/rubocop/releases/tag/v0.51.0 And rubocop-0-51 channel is available in Code Climate. https://github.com/codeclimate/codeclimate-rubocop/issues/109 This PR will bump RuboCop to 0.51.0 and fixes the following new offenses. ```console % bundle exec rubocop Inspecting 2358 files (snip) Offenses: actionpack/lib/action_controller/metal/http_authentication.rb:251:59: C: Prefer double-quoted strings unless you need single quotes to avoid extra backslashes for escaping. [key.strip, value.to_s.gsub(/^"|"$/, "").delete('\'')] ^^^^ activesupport/test/core_ext/load_error_test.rb:8:39: C: Prefer double-quoted strings unless you need single quotes to avoid extra backslashes for escaping. assert_raise(LoadError) { require 'no_this_file_don\'t_exist' } ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 2358 files inspected, 2 offenses detected ```
* | Make actionpack frozen string friendlyKir Shatrov2017-07-241-1/+3
| |
* | Revert "Merge pull request #29540 from kirs/rubocop-frozen-string"Matthew Draper2017-07-021-1/+0
| | | | | | | | | | This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
* | Enforce frozen string in RubocopKir Shatrov2017-07-011-0/+1
|/
* [docs] fix ActionController documentationHrvoje Šimić2017-03-121-1/+1
| | | | [ci skip]
* Privatize unneededly protected methods in Action PackAkira Matsuda2016-12-241-2/+2
|
* Add more rubocop rules about whitespacesRafael Mendonça França2016-10-291-3/+3
|
* Add three new rubocop rulesRafael Mendonça França2016-08-161-1/+1
| | | | | | | | Style/SpaceBeforeBlockBraces Style/SpaceInsideBlockBraces Style/SpaceInsideHashLiteralBraces Fix all violations in the repository.
* applies remaining conventions across the projectXavier Noria2016-08-061-1/+0
|
* applies new string literal convention in actionpack/libXavier Noria2016-08-061-18/+18
| | | | | The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Actionpack documentation typos [ci skip]Tom Kadwill2016-04-231-2/+2
|
* [ci skip] This modifies the HTTP Token authentication example's ↵Nick Malcolm2016-04-121-1/+6
| | | | `authenticate` method, to use the `secure_compare` method with two constant-length strings. This defends against timing attacks, and is best practice. Using `==` for sensitive actions is not recommended, and this was the source of a CVE fixed in October 2015: https://github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbda
* use secure string comparisons for basic auth username / passwordAaron Patterson2016-01-221-1/+6
| | | | | | this will avoid timing attacks against applications that use basic auth. CVE-2015-7576
* Merge pull request #14212 from tylerhunt/fix-token-regexSean Griffin2015-12-151-1/+1
|\ | | | | | | Handle tab in token authentication header.
| * Handle tab in token authentication header.Tyler Hunt2014-02-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | The HTTP spec allows for LWS to precede the header content, which could include multiple SP and HT characters. Update the regex used to match the Token authorization header to account for this, instead of matching on a single SP. See http://www.w3.org/Protocols/rfc2616/rfc2616-sec2.html and http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html for the relevant parts of the specification.
* | Use `Mime[:foo]` instead of `Mime::Type[:FOO]` for back compatJeremy Daer2015-10-061-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rails 4.x and earlier didn't support `Mime::Type[:FOO]`, so libraries that support multiple Rails versions would've had to feature-detect whether to use `Mime::Type[:FOO]` or `Mime::FOO`. `Mime[:foo]` has been around for ages to look up registered MIME types by symbol / extension, though, so libraries and plugins can safely switch to that without breaking backward- or forward-compatibility. Note: `Mime::ALL` isn't a real MIME type and isn't registered for lookup by type or extension, so it's not available as `Mime[:all]`. We use it internally as a wildcard for `respond_to` negotiation. If you use this internal constant, continue to reference it with `Mime::ALL`. Ref. efc6dd550ee49e7e443f9d72785caa0f240def53
* | Document Bearer prefix for Authorization header [ci skip]Eliot Sykes2015-09-231-5/+7
| |
* | Updated Mime Negotiations docs [ci skip]amitkumarsuroliya2015-09-231-2/+2
| | | | | | As we all know that Accessing mime types via constants is deprecated. Now, we are using `Mime::Type[:JSON]` instead of `Mime::JSON`
* | add a method for getting the http auth saltAaron Patterson2015-08-291-2/+2
| |
* | env to get_header conversionAaron Patterson2015-08-291-1/+1
| |
* | Authorization scheme should be case insensitive. Fixes #21199Dennis Suratna2015-08-111-1/+1
| |
* | Stop using deprecated `render :text` in testPrem Sichanugrist2015-07-171-1/+1
| | | | | | | | | | | | | | | | | | This will silence deprecation warnings. Most of the test can be changed from `render :text` to render `:plain` or `render :body` right away. However, there are some tests that needed to be fixed by hand as they actually assert the default Content-Type returned from `render :body`.
* | Add missing "header" word in documentation of Token#authentication_request ↵Prathamesh Sonpatki2015-06-141-1/+1
| | | | | | | | [ci skip]
* | allow `Bearer` as well as `Token`phoet2015-06-011-1/+1
| |
* | Give authentication methods the ability to customize response message.Keenan Brock2015-05-031-14/+16
| | | | | | | | Digest allowed the messages. Add the same feature to basic and token
* | Tiny optimization of http auth Realm unquotingStrech (Sergey Fedorov)2015-04-141-2/+2
| |
* | Freeze static arguments for gsubbrainopia2015-04-021-2/+2
| |
* | Prefer string patterns for gsubbrainopia2015-04-021-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://github.com/ruby/ruby/pull/579 - there is a new optimization since ruby 2.2 Previously regexp patterns were faster (since a string was converted to regexp underneath anyway). But now string patterns are faster and better reflect the purpose. Benchmark.ips do |bm| bm.report('regexp') { 'this is ::a random string'.gsub(/::/, '/') } bm.report('string') { 'this is ::a random string'.gsub('::', '/') } bm.compare! end # string: 753724.4 i/s # regexp: 501443.1 i/s - 1.50x slower
* | Doc fix [ci skip]Sushruth Sivaramakrishnan2015-03-051-1/+1
| |
* | Fixed undefined method error when doing authentication.Zhang Kai Yu2015-01-241-2/+2
| |
* | Minor documentation edits [ci skip]Robin Dupret2014-12-281-1/+1
| |
* | Update example test documentationBen Prew2014-12-281-4/+2
| | | | | | Example does not work with session headers, should use request headers. [ci skip]
* | Merge pull request #17186 from tgxworld/header_authentication_tokenMatthew Draper2014-11-271-2/+9
|\ \ | | | | | | | | | Allow authentication header to not have to specify 'token=' key.
| * | Allow authentication header to not have to specify 'token=' key.Guo Xiang Tan2014-10-101-2/+9
| | | | | | | | | | | | Fixes: https://github.com/rails/rails/issues/17108.
* | | Wrap code snippets in +, not backticks, in sdocclaudiob2014-11-201-3/+3
|/ / | | | | | | | | | | | | | | I grepped the source code for code snippets wrapped in backticks in the comments and replaced the backticks with plus signs so they are correctly displayed in the Rails documentation. [ci skip]
* | Improve token_and_options regex and testXinjiang Lu2014-07-011-1/+1
| | | | | | | | add a test case to test the regex for the helper method raw_params
* | Fix parsed token value with header `Authorization token=`.Larry Lv2014-06-131-2/+2
| |
* | Set the status before of setting the response bodyGuillermo Iguaran2014-06-131-2/+2
| | | | | | | | | | | | | | The 401 status should be set first because setting the response body in a live controller also closes the response to further changes. Fixes #14229.
* | Merge pull request #11346 from tomykaira/fix_10257Rafael Mendonça França2014-05-201-2/+14
|\ \ | | | | | | Check authentication scheme in Basic auth
| * | Run login_procedure only when the auth_scheme is validtomykaira2013-07-081-7/+14
| | |
| * | Check authentication scheme in Basic authtomykaira2013-07-071-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `authenticate_with_http_basic` and its families should check the authentication schema is "Basic". Different schema, such as OAuth2 Bearer should be rejected by basic auth, but it was passing as the test shows. This fixes #10257.
* | | Replace trivial regexp with string or index, twice as fastKelley Reynolds2014-03-281-1/+1
| |/ |/|
* | Update Docs in favor to use render plain instead of text optionrobertomiranda2014-02-181-6/+6
|/ | | | ref #14062