path: root/actionpack/lib/action_dispatch/middleware/session
Commit message (Author, Date; Files changed, Lines -/+)
* Enable `Layout/EmptyLinesAroundAccessModifier` cop (Ryuta Kamizono, 2019-06-13; 2 files, -3/+0)

  We sometimes say "✂️ newline after `private`" in a code review (e.g. https://github.com/rails/rails/pull/18546#discussion_r23188776, https://github.com/rails/rails/pull/34832#discussion_r244847195). Now the `Layout/EmptyLinesAroundAccessModifier` cop has a new enforced style `EnforcedStyle: only_before` (https://github.com/rubocop-hq/rubocop/pull/7059). That cop and enforced style will reduce our code review cost.
* Fix possible dev mode RCE (Aaron Patterson, 2019-03-10; 1 file, -3/+4)

  If the secret_key_base is nil in dev or test, generate a key from random bytes and store it in a tmp file. This prevents the app developers from having to share / checkin the secret key for dev / test but also maintains a key between app restarts in dev/test.

  [CVE-2019-5420]

  Co-Authored-By: eileencodes <eileencodes@gmail.com>
  Co-Authored-By: John Hawthorn <john@hawthorn.email>
* Remove secret_token rack env and cookie upgrade code (Rafael Mendonça França, 2019-01-17; 1 file, -5/+0)

  Now that secret_token was removed, all this code is dead.
* Remove reference to session_store.rb initializer (Justin Searls, 2018-06-12; 1 file, -1/+1)

  Rails no longer generates this file, but Google is still packed with results suggesting it should exist, so that the doc still pointed me to it threw me off (had I deleted it or something?). It would probably be better to be vague and prompt the user to stick it in a config file they own. #33124
* [Action Pack] require => require_relative (Akira Matsuda, 2017-10-21; 4 files, -5/+5)

  This basically reverts e9fca7668b9eba82bcc832cb0061459703368397, d08da958b9ae17d4bbe4c9d7db497ece2450db5f, d1fe1dcf8ab1c0210a37c2a78c1ee52cf199a66d, and 68eaf7b4d5f2bb56d939f71c5ece2d61cf6680a3
* [ci skip] Prefer credentials to secrets in docs. (Kasper Timm Hansen, 2017-09-13; 1 file, -19/+5)

  Removes most mentions of secrets.secret_key_base and explains credentials instead. Also removes some very stale upgrade notices about Rails 3/4.
* Add credentials using a generic EncryptedConfiguration class (#30067) (David Heinemeier Hansson, 2017-09-11; 1 file, -5/+5)

  * WIP: Add credentials using a generic EncryptedConfiguration class

    This is sketch code so far.
  * Flesh out EncryptedConfiguration and test it
  * Better name
  * Add command and generator for credentials
  * Use the Pathnames
  * Extract EncryptedFile from EncryptedConfiguration and add serializers
  * Test EncryptedFile
  * Extract serializer validation
  * Stress the point about losing comments
  * Allow encrypted configuration to be read without parsing for display
  * Use credentials by default and base them on the master key
  * Derive secret_key_base in test/dev, source it from credentials in other envs

    And document the usage.
  * Document the new credentials setup
  * Stop generating the secrets.yml file now that we have credentials
  * Document what we should have instead

    Still need to make it happen, tho.
  * [ci skip] Keep wording to `key base`; prefer defaults.

    Usually we say we change defaults, not "spec" out a release. Can't use backticks in our sdoc generated documentation either.
  * Abstract away OpenSSL; prefer MessageEncryptor.
  * Spare needless new when raising.
  * Encrypted file test shouldn't depend on subclass.
  * [ci skip] Some wordings.
  * Ditch serializer future coding.
  * I said flip it. Flip it good.
  * [ci skip] Move require_master_key to the real production.rb.
  * Add require_master_key to abort the boot process.

    In case the master key is required in a certain environment we should inspect that the key is there and abort if it isn't.
  * Print missing key message and exit immediately.

    Spares us a lengthy backtrace and prevents further execution.

    I've verified the behavior in a test app, but couldn't figure the test out as loading the app just exits immediately with:

    ```
    /Users/kasperhansen/Documents/code/rails/activesupport/lib/active_support/testing/isolation.rb:23:in `load': marshal data too short (ArgumentError)
    from /Users/kasperhansen/Documents/code/rails/activesupport/lib/active_support/testing/isolation.rb:23:in `run'
    from /Users/kasperhansen/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/minitest-5.10.2/lib/minitest.rb:830:in `run_one_method'
    from /Users/kasperhansen/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/minitest-5.10.2/lib/minitest/parallel.rb:32:in `block (2 levels) in start'
    ```

    It's likely we need to capture and prevent the exit somehow. Kernel.stub(:exit) didn't work. Leaving it for tomorrow.
  * Fix require_master_key config test.

    Loading the app would trigger the `exit 1` per require_master_key's semantics, which then aborted the test. Fork and wait for the child process to finish, then inspect the exit status. Also check we aborted because of a missing master key, so something else didn't just abort the boot. Much <3 to @tenderlove for the tip.
  * Support reading/writing configs via methods.
  * Skip needless deep symbolizing.
  * Remove save; test config reader elsewhere.
  * Move secret_key_base check to when we're reading it.

    Otherwise we'll abort too soon since we don't assign the secret_key_base to secrets anymore.
  * Add missing string literal comments; require unneeded yaml require.
  * ya ya ya, rubocop.
  * Add master_key/credentials after bundle.

    Then we can reuse the existing message on `rails new bc4`. It'll look like:

    ```
    Using web-console 3.5.1 from https://github.com/rails/web-console.git (at master@ce985eb)
    Using rails 5.2.0.alpha from source at `/Users/kasperhansen/Documents/code/rails`
    Using sass-rails 5.0.6
    Bundle complete! 16 Gemfile dependencies, 72 gems now installed.
    Use `bundle info [gemname]` to see where a bundled gem is installed.

    Adding config/master.key to store the master encryption key: 97070158c44b4675b876373a6bc9d5a0

    Save this in a password manager your team can access.

    If you lose the key, no one, including you, can access anything encrypted with it.

          create  config/master.key
    ```

    And that'll be executed even if `--skip-bundle` was passed.
  * Ensure test app has secret_key_base.
  * Assign secret_key_base to app or omit.
  * Merge noise
  * Split options for dynamic delegation into its own method and use deep symbols to make it work
  * Update error to point to credentials instead
  * Appease Rubocop
  * Validate secret_key_base when reading it.

    Instead of relying on the validation in key_generator move that into secret_key_base itself.
  * Fix generator and secrets test.

    Manually add config.read_encrypted_secrets since it's not there by default anymore. Move mentions of config/secrets.yml to config/credentials.yml.enc.
  * Remove files I have no idea how they got here.
  * [ci skip] swap secrets for credentials.
  * [ci skip] And now, changelogs are coming.
* Use tt in doc for ActionPack [ci skip] (Yoshiyuki Hirano, 2017-08-26; 1 file, -3/+3)
* Use frozen string literal in actionpack/ (Kir Shatrov, 2017-07-29; 4 files, -0/+8)
* [Action Dispatch] require => require_relative (Akira Matsuda, 2017-07-01; 4 files, -5/+5)
* [docs] fix ActionDispatch documentation (Hrvoje Šimić, 2017-03-13; 1 file, -1/+1)
* Reduce string objects by using \ instead of + or << for concatenating strings (Akira Matsuda, 2017-01-12; 1 file, -2/+2)

  (I personally prefer writing one string in one line no matter how long it is, though)
* Privatize unneededly protected methods in Action Pack (Akira Matsuda, 2016-12-24; 1 file, -6/+5)
* Add more rubocop rules about whitespaces (Rafael Mendonça França, 2016-10-29; 1 file, -2/+2)
* Remove deprecated code in ActionDispatch::Session::SessionRestoreError (Rafael Mendonça França, 2016-10-10; 1 file, -11/+1)
* fixes remaining RuboCop issues [Vipul A M, Xavier Noria] (Xavier Noria, 2016-09-01; 1 file, -1/+1)
* applies remaining conventions across the project (Xavier Noria, 2016-08-06; 1 file, -1/+0)
* normalizes indentation and whitespace across the project (Xavier Noria, 2016-08-06; 2 files, -36/+36)
* modernizes hash syntax in actionpack (Xavier Noria, 2016-08-06; 1 file, -1/+1)
* applies new string literal convention in actionpack/lib (Xavier Noria, 2016-08-06; 4 files, -12/+12)

  The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* Add a test case for verifying `cookie_only` is set even if user tries to set it false (Prathamesh Sonpatki, 2016-07-07; 1 file, -1/+1)
* Corrected secret_key_base (vs4vijay, 2016-02-15; 1 file, -1/+1)
* Refer to rails command instead of rake in a bunch of places (David Heinemeier Hansson, 2015-12-18; 1 file, -1/+1)

  Still more to do. Please assist!
* Deprecate exception#original_exception in favor of exception#cause (Yuki Nishijima, 2015-11-03; 1 file, -6/+14)
* inherit from our AbstractStore (Aaron Patterson, 2015-09-25; 1 file, -5/+1)
* Update documentation to reflect Rack::Session::Abstract changes (eileencodes, 2015-09-09; 1 file, -1/+1)

  `Rack::Session::Abstract::ID` is now deprecated and `Rack::Session::Abstract::Persisted` should be used instead.
* implement abstract store methods (Aaron Patterson, 2015-09-04; 2 files, -5/+5)

  converts old ID methods to the new abstract store methods in Rack
* stop using deprecated Abstract::ID class (Aaron Patterson, 2015-09-04; 2 files, -2/+2)
* stop inheriting from Rack::Request (Aaron Patterson, 2015-09-04; 1 file, -1/+1)

  Just include the modules necessary in the Request object to implement the things we need. This should make it easier to build delegate request objects because the API is smaller.
* use a request object in the session middleware (Aaron Patterson, 2015-08-22; 2 files, -21/+25)

  This commit allows us to use one request object rather than allocating multiple request objects to deal with the session.
* Explained how to set session expiry through session_store config (Iain Beeston, 2015-02-27; 3 files, -3/+20)

  Most session stores offer an :expire_after option, but it's largely undocumented. Cookie store also supports a number of options via rack (these used to be documented in rails 2.3).
* Regenerate sid when sbdy tries to fixate the session (Santiago Pastorino, 2014-08-04; 1 file, -3/+3)

  Fixed broken test. Thanks Stephen Richards for reporting.
* [ci skip] /javascript/ -> JavaScript - cover whole app (Akshay Vishnoi, 2014-07-04; 1 file, -1/+1)
* Update documentation to use Rails.application instead (Marcel Morgan, 2014-04-13; 1 file, -1/+1)

  References to `AppName::Application` removed in favour of `Rails.application` as generated with a new rails 4.1 app. [ci skip]
* The digest option is no longer honoured since Rails 3.0 [ci skip] (Godfrey Chan, 2014-03-20; 1 file, -1/+1)

  Closes #8513
* Renamed session_serializer option to cookies_serializer (Godfrey Chan, 2014-02-11; 2 files, -27/+0)
* Allow session serializer key in config.session_store (Lukasz Sarnacki, 2014-01-29; 2 files, -0/+27)

  MessageEncryptor has a :serializer option, where any serializer object can be passed. This commit makes it possible to set this serializer from the configuration level. There are predefined serializers (:marshal_serializer, :json_serializer) and a custom serializer can be passed as a String, Symbol (camelized and constantized in the ActionDispatch::Session namespace) or serializer object. Default :json_serializer was also added to generators to provide a secure default.
* Update secret_key_base Docs (robertomiranda, 2013-12-15; 1 file, -2/+3)
* [ci skip] Removing some gender sensitive object pronouns (Tejas Dinkar, 2013-12-02; 1 file, -2/+2)
* Improve documentation around the cookie store auto-upgrade to encryption (Trevor Turk, 2013-04-01; 1 file, -22/+37)
* Allow transparent upgrading of legacy signed cookies to encrypted cookies; Automatically configure cookie-based sessions to use the best cookie jar given the app's config (Trevor Turk, 2013-03-28; 1 file, -36/+1)
* Use Encoding::UTF_8 constant :do_not_litter: (Akira Matsuda, 2013-01-28; 1 file, -1/+1)
* Revert cb3181e - no longer required. (Mark J. Titorenko, 2013-01-08; 1 file, -2/+0)
* Fix CookieStore middleware inheritance hierarchy s.t. it inherits from Rack::Session::Abstract::ID rather than Rack::Session::Cookie. (Mark J. Titorenko, 2013-01-08; 1 file, -3/+26)
* Avoid Rack security warning no secret provided (Santiago Pastorino, 2013-01-08; 1 file, -0/+2)

  This avoids "SECURITY WARNING: No secret option provided to Rack::Session::Cookie."
* Remove suggestion that Procs can be used as session secrets. (James Coglan, 2013-01-05; 1 file, -7/+4)
* Fix UpgradeSignatureToEncryptionCookieStore doc (Santiago Pastorino, 2012-11-19; 1 file, -9/+4)
* Improve UpgradeSignatureToEncryptionCookieStore docs (Santiago Pastorino, 2012-11-16; 1 file, -1/+14)

  I suck at English, please help me review this <3 <3 <3 [ci skip]
* Add UpgradeSignatureToEncryptionCookieStore (Santiago Pastorino, 2012-11-16; 1 file, -0/+17)

  This allows easy upgrading from the old signed Cookie Store <= 3.2 or the deprecated one in 4.0 (the ones that don't use key derivation) to the new one that signs using key derivation.
* Call get_cookie to allow the method to be overridden by subclasses (Santiago Pastorino, 2012-11-16; 1 file, -1/+1)