aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_dispatch/middleware/cookies.rb
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #30709 from ↵Kasper Timm Hansen2017-09-281-3/+10
|\ | | | | | | | | mikeycgto/actiondispatch-use-aead-encrypted-cookies-patch Fixes for use_authenticated_cookie_encryption
| * Fixes for use_authenticated_cookie_encryptionMichael Coyne2017-09-271-3/+10
| | | | | | | | Use CBC encryption is this configuration value is set to false
* | Fix cookies/session tests broken after merging key rotation.Kasper Timm Hansen2017-09-251-2/+3
|/ | | | | | | | | | | | Based on, yet closes https://github.com/rails/rails/pull/30708 Fix the session test by properly truncating the legacy encryption key for cbc encryption. Borrowed straight from 👆. Fix the cookies test a little differently than the PR. Basically keep every config within the config block. [ Michael Coyne & Kasper Timm Hansen ]
* Fix "warning: `*' interpreted as argument prefix"Ryuta Kamizono2017-09-251-2/+2
|
* Use new rotation signature in cookies.Kasper Timm Hansen2017-09-241-11/+12
| | | | [ Michael Coyne & Kasper Timm Hansen ]
* Add key rotation cookies middlewareMichael Coyne2017-09-241-100/+82
| | | | | | Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions.
* [ci skip] Prefer credentials to secrets in docs.Kasper Timm Hansen2017-09-131-9/+7
| | | | | | | Removes most mentions of secrets.secret_key_base and explains credentials instead. Also removes some very stale upgrade notices about Rails 3/4.
* This commit adds:Assain2017-09-041-4/+7
| | | | | | | | * Documentation for Duration support added to signed/encrypted cookies * Changelog entries for the duration support and expiry metadata added to cookies [ci skip]
* freshen :expires option with duration support and add expiry metadata to cookiesAssain2017-08-201-3/+15
|
* Use frozen string literal in actionpack/Kir Shatrov2017-07-291-0/+2
|
* Revert "Merge pull request #29540 from kirs/rubocop-frozen-string"Matthew Draper2017-07-021-1/+0
| | | | | This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
* Enforce frozen string in RubocopKir Shatrov2017-07-011-0/+1
|
* set message_encryptor default cipher to aes-256-gcmAssain2017-06-121-1/+1
| | | | - Introduce a method to select default cipher, and maintain backward compatibility
* Use mattr_accessor default: option throughout the projectGenadi Samokovarov2017-06-031-2/+1
|
* AEAD encrypted cookies and sessionsMichael Coyne2017-05-221-3/+48
| | | | | | | | | | | | | | | | This commit changes encrypted cookies from AES in CBC HMAC mode to Authenticated Encryption using AES-GCM. It also provides a cookie jar to transparently upgrade encrypted cookies to this new scheme. Some other notable changes include: - There is a new application configuration value: +use_authenticated_cookie_encryption+. When enabled, AEAD encrypted cookies will be used. - +cookies.signed+ does not raise a +TypeError+ now if the name of an encrypted cookie is used. Encrypted cookies using the same key as signed cookies would be verified and serialization would then fail due the message still be encrypted.
* [docs] fix ActionDispatch documentationHrvoje Šimić2017-03-131-5/+5
|
* Reduce string objects by using \ instead of + or << for concatenating stringsAkira Matsuda2017-01-121-1/+1
| | | | (I personally prefer writing one string in one line no matter how long it is, though)
* Merge pull request #26905 from bogdanvlviv/docsAndrew White2016-11-131-2/+2
|\ | | | | Add missing `+` around a some literals.
| * Add missing `+` around a some literals.bogdanvlviv2016-10-271-2/+2
| | | | | | | | | | | | Mainly around `nil` [ci skip]
* | Add more rubocop rules about whitespacesRafael Mendonça França2016-10-291-2/+2
|/
* Start passing cipher from EncryptedCookieJar since we use it to determine ↵Vipul A M2016-09-011-7/+5
| | | | key length
* Follow up of #25602Vipul A M2016-09-011-4/+6
| | | | | | | | | Since keys are truncated, ruby 2.4 doesn't accept keys greater than their lenghts. keys of same value but different lenght and greater than key size of cipher, produce the same results as reproduced at https://gist.github.com/rhenium/b81355fe816dcfae459cc5eadfc4f6f9 Since our default cipher is 'aes-256-cbc', key length for which is 32 bytes, limit the length of key being passed to Encryptor to 32 bytes. This continues to support backwards compat with any existing signed data, already encrupted and signed with 32+ byte keys. Also fixes the passing of this value in multiple tests.
* Add three new rubocop rulesRafael Mendonça França2016-08-161-2/+2
| | | | | | | | Style/SpaceBeforeBlockBraces Style/SpaceInsideBlockBraces Style/SpaceInsideHashLiteralBraces Fix all violations in the repository.
* normalizes indentation and whitespace across the projectXavier Noria2016-08-061-21/+21
|
* modernizes hash syntax in actionpackXavier Noria2016-08-061-1/+1
|
* applies new string literal convention in actionpack/libXavier Noria2016-08-061-14/+14
| | | | | The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Join values using '; ' as per RFC specAndrew White2016-02-161-1/+1
| | | | | | | Multiple cookie values should be separated by '; ' according to RFC 6265, section 5.4.4[1]. [1]: https://tools.ietf.org/html/rfc6265#section-5.4
* Add require and move escape to private methodAndrew White2016-02-161-1/+6
|
* Escape cookie's key and value in ActionController::TestCaseTakayuki Matsubara2015-12-301-1/+1
| | | | | Get an incorrect cookie value in controller action method if cookie value contains an escapable string.
* Stop violating law of demeter in response cookie_jareileencodes2015-12-061-0/+6
| | | | | | | | | | | This adds a new method to request and response so we don't need to violate the law of demeter. We are changing `Request` and `Response` so that they always have a `cookie_jar` This is a continuation on work to combine integration and controller test code bases in Rails.
* Add missing example for cookies.encrypted [ci skip]Nicolas Cavigneaux2015-11-201-0/+7
|
* Don't set a nil Set-Cookie header when there aren't any cookies. Omit the ↵Jeremy Daer2015-10-011-1/+3
| | | | header.
* build the Set-Cookie header functionallyAaron Patterson2015-09-241-5/+18
| | | | | Use the Rack utility methods for functional header manipulation. This helps to eliminate coupling on the header hash
* Push key_generator into SerializedCookieJarsKasper Timm Hansen2015-09-081-4/+4
| | | | It's only used there.
* Move the request method in to the AbstractCookieJarKasper Timm Hansen2015-09-081-4/+3
| | | | | `CookieJar` is only at the start of the chain and has its own request method, so we don't need it in the module.
* Pull up parse to the legacy upgrading moduleKasper Timm Hansen2015-09-081-10/+5
| | | | It was the same in both legacy versions of the signed and encrypted cookie jars.
* Call super to remove the decrypt_and_verify methodKasper Timm Hansen2015-09-081-8/+4
| | | | The `EncryptedCookieJar` already calls it for us, so just delegate to its `parse` implementation.
* Call super to remove the verify methodKasper Timm Hansen2015-09-081-8/+2
| | | | | `SignedCookieJar`'s parse method already attempts to verify the message, so we can just call super and try the old verifier if it fails.
* Add parse method to share deserialization logic.Kasper Timm Hansen2015-09-081-19/+12
| | | | Cuts down on the duplicated reading parts.
* Add commit in the EncryptedCookieJarKasper Timm Hansen2015-09-081-17/+7
| | | | Gets rid of the option parsing and makes what the encryptor does stand out.
* Use commit in the SignedCookieJarKasper Timm Hansen2015-09-081-15/+6
| | | | Lets us avoid worrying about parsing the options and doing just what we need.
* Add commit method to share option normalizationKasper Timm Hansen2015-09-081-4/+12
| | | | Remove the clutter to make PermanentCookieJar's one change stand out.
* Add AbstractCookieJar class.Kasper Timm Hansen2015-09-081-1/+3
| | | | Eventually this will be the superclass of all the chained jars.
* stop inheriting from Rack::RequestAaron Patterson2015-09-041-2/+2
| | | | | | Just include the modules necessary in the Request object to implement the things we need. This should make it easier to build delegate request objects because the API is smaller
* Fix bug where cookies mutated by request were not persistedeileencodes2015-09-011-0/+7
| | | | | | | | | | | | | | | With changes made in 8363b8 and ae29142 cookies that are mutated on the request like `cookies.signed = x` were not retained in subsequent tests, breaking cookie authentiation in controller tests. The test added demonstrates the issue. The reason we need to select from non-deleted cookies is because without checking the `@delete_cookies` the `cookie_jar` `@cookies` will send the wrong cookies to be updated. The code must check for `@deleted_cookies` before sending an `#update` with the requests cookie_jar cookies. This follows how the cookie_jar cookies from the request were updated before these changes.
* Remove unused requiresMarcin Olichwirowicz2015-08-251-2/+0
| | | | They are already required in `actionpack/lib/action_dispatch.rb` (L25-L26)
* Remove unused block argumentsamitkumarsuroliya2015-08-251-1/+1
|
* convert more `@env` access to get / set headerAaron Patterson2015-08-231-11/+13
|
* remove dead codeAaron Patterson2015-08-061-5/+0
| | | | | we don't recycle requests anymore, so we shouldn't need to recycle cookie jars
* ask the request for the cookie jarAaron Patterson2015-08-061-1/+8
| | | | this prevents the middleware from knowing the specific key for the jar
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-07 10:48:55 +0000