aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/dispatch/cookies_test.rb
Commit message (Collapse)AuthorAgeFilesLines
* Fix typo in the value of ENCRYPTED_SIGNED_COOKIE_SALT constant (#35619)Emil Shakirov2019-04-011-2/+2
| | | | | | | | * Fix typo in the value of ENCRYPTED_SIGNED_COOKIE_SALT constant * Fix value of cookie in with authenticated encryption flag off in tests [Emil Shakirov + Ryuta Kamizono]
* Don't override @set_cookies on CookieJar#update_cookies_from_jar'André Luis Leal Cardoso Junior2019-03-171-0/+13
| | | | | | When building the cookie_jar for the current test request. It was possible for this method to override keys currently being set on the test itself. In situations such as when making two requests mixing creating the cookie on the test and the controller.
* Cookie doesn't expire anymore unless a flag is set:Edouard CHIN2019-02-041-9/+2
| | | | | | | | | | | | | | | | | | | | | | | | | - There is a regression in 6.0 introduced by #32937 where cookie doesn't expire anymore unless the new `use_cookies_with_metadata` configuration is set to `true`. This causes issue for app migration from 5.2 to 6.0 because the `use_cookies_with_metadata` flag can't be set to true until all servers are running on 6.0. Here is a small reproduction script that you can run in the console ```ruby ActionDispatch::Cookies request = ActionDispatch::Request.empty request.env["action_dispatch.key_generator"] = ActiveSupport::KeyGenerator.new('1234567890') request.env["action_dispatch.signed_cookie_salt"] = 'signed cookie' request.env["action_dispatch.cookies_rotations"] = ActiveSupport::Messages::RotationConfiguration.new request.env["action_dispatch.use_authenticated_cookie_encryption"] = true signed_cookie = request.cookie_jar.signed signed_cookie[:foobar] = { value: '123', expires: 1.day.ago } p signed_cookie[:foobar] ```
* Remove secret_token rack env and cookie upgrade codeRafael Mendonça França2019-01-171-185/+0
| | | | Now that secret_token was removed all this code is now dead.
* Changelog for the new purpose metadata and improved testsAssain2018-08-131-8/+4
|
* Purpose Metadata For Signed And Encrypted CookiesAssain2018-08-121-0/+166
| | | | | | | | | | | | | | | | Purpose metadata prevents cookie values from being copy-pasted and ensures that the cookie is used only for its originally intended purpose. The Purpose and Expiry metadata are embedded inside signed/encrypted cookies and will not be readable on previous versions of Rails. We can switch off purpose and expiry metadata embedded in signed and encrypted cookies using config.action_dispatch.use_cookies_with_metadata = false if you want your cookies to be readable on older versions of Rails.
* Replace `assert !` with `assert_not`Daniel Colson2018-04-191-2/+2
| | | | | This autocorrects the violations after adding a custom cop in 3305c78dcd.
* Consistent behavior for session and cookies with to_h and to_hash methodIgor Kasyanchuk2018-01-311-0/+6
|
* Use assert_empty and assert_not_emptyDaniel Colson2018-01-251-2/+2
|
* Update security guide for signed cookie rotationsMichael Coyne2017-10-091-0/+19
| | | | | The example was slightly incorrect. This commit also adds a test case for this example to cookies middleware unit tests.
* Test for nil, people not likely to assign it false.Kasper Timm Hansen2017-09-281-2/+2
|
* Fixes for use_authenticated_cookie_encryptionMichael Coyne2017-09-271-0/+18
| | | | Use CBC encryption is this configuration value is set to false
* Use new rotation signature in cookies.Kasper Timm Hansen2017-09-241-57/+8
| | | | [ Michael Coyne & Kasper Timm Hansen ]
* Add key rotation cookies middlewareMichael Coyne2017-09-241-125/+164
| | | | | | Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions.
* freshen :expires option with duration support and add expiry metadata to cookiesAssain2017-08-201-0/+32
|
* Use frozen string literal in actionpack/Kir Shatrov2017-07-291-0/+2
|
* Revert "Merge pull request #29540 from kirs/rubocop-frozen-string"Matthew Draper2017-07-021-1/+0
| | | | | This reverts commit 3420a14590c0e6915d8b6c242887f74adb4120f9, reversing changes made to afb66a5a598ce4ac74ad84b125a5abf046dcf5aa.
* Enforce frozen string in RubocopKir Shatrov2017-07-011-0/+1
|
* AEAD encrypted cookies and sessionsMichael Coyne2017-05-221-86/+120
| | | | | | | | | | | | | | | | This commit changes encrypted cookies from AES in CBC HMAC mode to Authenticated Encryption using AES-GCM. It also provides a cookie jar to transparently upgrade encrypted cookies to this new scheme. Some other notable changes include: - There is a new application configuration value: +use_authenticated_cookie_encryption+. When enabled, AEAD encrypted cookies will be used. - +cookies.signed+ does not raise a +TypeError+ now if the name of an encrypted cookie is used. Encrypted cookies using the same key as signed cookies would be verified and serialization would then fail due the message still be encrypted.
* Revert "Merge pull request #27586 from maclover7/jm-fix-27584"Rafael Mendonça França2017-01-111-9/+0
| | | | | | | This reverts commit 5eff7a9ca7bb2ee7f16db1ab4d11cebe28757ba5, reversing changes made to 5f03172f54a58a57a48a3121562beb2cef866cbe. Reason: It caused a regression. The test case is on the PR.
* Update `cookies` helper on all HTTP requestsJon Moss2017-01-051-0/+9
| | | | | | | | | Regression introduced by ae29142142324545a328948e059e8b8118fd7a33 / 8363b879fe759f0645179f4521cc64795efbee6e. Previously, cookies were only updated on `GET` requests. Now we will update the helper for all requests, as part of `process`. Added regression tests for all available HTTP method helpers in `ActionController::TestCase`.
* "Use assert_nil if expecting nil. This will fail in minitest 6."Akira Matsuda2016-12-251-4/+4
|
* Do not clear HTTP_COOKIES header after requestJon Moss2016-12-111-0/+10
|
* Add more rubocop rules about whitespacesRafael Mendonça França2016-10-291-6/+6
|
* improve error message when include assertions failMichael Grosser2016-09-161-3/+3
| | | | | | assert [1, 3].includes?(2) fails with unhelpful "Asserting failed" message assert_includes [1, 3], 2 fails with "Expected [1, 3] to include 2" which makes it easier to debug and more obvious what went wrong
* Start passing cipher from EncryptedCookieJar since we use it to determine ↵Vipul A M2016-09-011-13/+12
| | | | key length
* Follow up of #25602Vipul A M2016-09-011-11/+25
| | | | | | | | | Since keys are truncated, ruby 2.4 doesn't accept keys greater than their lenghts. keys of same value but different lenght and greater than key size of cipher, produce the same results as reproduced at https://gist.github.com/rhenium/b81355fe816dcfae459cc5eadfc4f6f9 Since our default cipher is 'aes-256-cbc', key length for which is 32 bytes, limit the length of key being passed to Encryptor to 32 bytes. This continues to support backwards compat with any existing signed data, already encrupted and signed with 32+ byte keys. Also fixes the passing of this value in multiple tests.
* Add three new rubocop rulesRafael Mendonça França2016-08-161-16/+16
| | | | | | | | Style/SpaceBeforeBlockBraces Style/SpaceInsideBlockBraces Style/SpaceInsideHashLiteralBraces Fix all violations in the repository.
* modernizes hash syntax in actionpackXavier Noria2016-08-061-15/+15
|
* applies new string literal convention in actionpack/testXavier Noria2016-08-061-106/+106
| | | | | The current code base is not uniform. After some discussion, we have chosen to go with double quotes by default.
* existant => existentAbhishek Jain2016-06-091-2/+2
|
* Push `before_sending` to super classeileencodes2015-12-061-1/+1
| | | | | | | | | | | | We want to get rid of the `Live::Response` so we are consolidating methods from `Live::Response` and `Response` by merging them together. This adds an `#empty` method to the request so we don't need to hard-code the empty array each time we call an empty `ActionDispatch::Request`. The work here is a continuation on combining controller and integration test code bases into one.
* Don't set a nil Set-Cookie header when there aren't any cookies. Omit the ↵Jeremy Daer2015-10-011-74/+93
| | | | header.
* Fix bug where cookies mutated by request were not persistedeileencodes2015-09-011-0/+9
| | | | | | | | | | | | | | | With changes made in 8363b8 and ae29142 cookies that are mutated on the request like `cookies.signed = x` were not retained in subsequent tests, breaking cookie authentiation in controller tests. The test added demonstrates the issue. The reason we need to select from non-deleted cookies is because without checking the `@delete_cookies` the `cookie_jar` `@cookies` will send the wrong cookies to be updated. The code must check for `@deleted_cookies` before sending an `#update` with the requests cookie_jar cookies. This follows how the cookie_jar cookies from the request were updated before these changes.
* Get rid of mocha tests - part 1Marcin Olichwirowicz2015-08-241-1/+3
|
* Improve error messages in cookies_testeileencodes2015-06-271-3/+3
| | | | | | | | | | | | | | | Using `assert_predicate` and `assert_match` instead of just `assert` is preferrable because better error messages are output. In the case of `assert response.cookies.empty?` the error message was `Failed assertion, no message given.` but now with `assert_predicate` it will be `Expected {"user_name"=>"david"} to be empty?.` For `assert_match(/user_name=david/, response.headers["Set-Cookie"])` as well, the message returned was unhelpful - `Failed assertion, no message given.` but now will tell what was expected and what was returned with `Expected /user_name=david/ to match "user_name=nope; path=/".`
* Merge pull request #10380 from JonRowe/test_all_domain_2_letter_tldRafael Mendonça França2015-01-021-0/+7
|\ | | | | | | Assert that 2 letter tlds with 3 letter domain names work when option specified.
| * add test asserting that 2 letter tlds with 3 letter domain names work when ↵Jon Rowe2013-04-301-0/+7
| | | | | | | | option specified
* | Merge pull request #17792 from rockrep/masterRafael Mendonça França2014-12-041-0/+10
|\ \ | | | | | | | | | allow 'all' for :domain option in addition to :all
| * | allow 'all' for :domain option in addition to :allrockrep2014-11-261-0/+10
| | |
* | | Remove "rescue" clause around "require 'openssl'"claudiob2014-12-031-10/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some `require 'openssl'` statements were surrounded by `rescue` blocks to deal with Ruby versions that did not support `OpenSSL::Digest::SHA1` or `OpenSSL::PKCS5`. [As @jeremy explains](https://github.com/rails/rails/commit/a6a0904fcb12b876469c48b1c885aadafe9188cf#commitcomment-8826666) in the original commit: > If jruby didn't have jruby-openssl gem, the require wouldn't work. Not sure whether either of these are still relevant today. According to the [release notes for JRuby 1.7.13](http://www.jruby.org/2014/06/24/jruby-1-7-13.html): > jruby-openssl 0.9.5 bundled which means the above `rescue` block is not needed anymore. All the Ruby versions supported by the current version of Rails provide those OpenSSL libraries, so Travis CI should also be happy by removing the `rescue` blocks. --- Just to confirm, with JRuby: $ ruby --version #=> jruby 1.7.16.1 (1.9.3p392) 2014-10-28 4e93f31 on Java HotSpot(TM) 64-Bit Server VM 1.8.0_20-b26 +jit [darwin-x86_64] $ irb irb(main):001:0> require 'openssl' #=> true irb(main):002:0> OpenSSL::Digest::SHA1 #=> OpenSSL::Digest::SHA1 irb(main):003:0> OpenSSL::PKCS5 # => OpenSSL::PKCS5 And with Ruby 2.1: $ ruby --version #=> ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0] $ irb irb(main):001:0> require 'openssl' #=> true irb(main):002:0> OpenSSL::Digest::SHA1 #=> OpenSSL::Digest::SHA1 irb(main):003:0> OpenSSL::PKCS5 #=> OpenSSL::PKCS5
* | | Fix "nonexistent" typo in testsMelissa Xie2014-12-021-2/+2
| | |
* | | Use less iterations for KeyGenerator in testsPeter Suschlik2014-08-271-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit improves performance of cookie tests: Ruby | After | Before ----- | --------:| --------: MRI | 5.03s | 9.28s JRuby | 25.45s | 1648.23s Please note the improvement for JRuby.
* | | Expectations firstAkira Matsuda2014-08-181-1/+1
| | |
* | | Use AS::JSON for (de)serializing cookiesGodfrey Chan2014-08-171-0/+39
| | | | | | | | | | | | | | | | | | | | | | | | Use the Active Support JSON encoder for cookie jars using the `:json` or `:hybrid` serializer. This allows you to serialize custom Ruby objects into cookies by defining the `#as_json` hook on such objects. Fixes #16520.
* | | Fixed broken reference caused by 14965baGodfrey Chan2014-08-171-2/+2
| | |
* | | Add config option for cookies digestŁukasz Strzałkowski2014-08-121-0/+50
| | | | | | | | | | | | | | | | | | You can now configure custom digest for cookies in the same way as `serializer`: config.action_dispatch.cookies_digest = 'SHA256'
* | | Fixed an issue with migrating legacy json cookies.Godfrey Chan2014-04-231-0/+117
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, the `VerifyAndUpgradeLegacySignedMessage` assumes all incoming cookies are marshal-encoded. This is not the case when `secret_token` is used in conjunction with the `:json` or `:hybrid` serializer. In those case, when upgrading to use `secret_key_base`, this would cause a `TypeError: incompatible marshal file format` and a 500 error for the user. Fixes #14774. *Godfrey Chan*
* | | Re-write legacy (marshal) cookies on readGodfrey Chan2014-02-111-15/+17
| | |
* | | Changed the tests to ensure HybridSerializer actually migrates the cookies ↵Godfrey Chan2014-02-111-10/+18
| | | | | | | | | | | | (currently failing)