| Commit message | Author | Age | Files | Lines |
This commit changes encrypted cookies from AES in CBC HMAC mode to
Authenticated Encryption using AES-GCM. It also provides a cookie jar
to transparently upgrade encrypted cookies to this new scheme. Some
other notable changes include:
- There is a new application configuration value:
+use_authenticated_cookie_encryption+. When enabled, AEAD encrypted
cookies will be used.
- +cookies.signed+ does not raise a +TypeError+ now if the name of an
encrypted cookie is used. Encrypted cookies using the same key as
signed cookies would be verified and serialization would then fail
due to the message still being encrypted.
|
Currently, `read_encrypted_secrets` is set with an initializer.
Therefore, if `secrets` is referred to in config, `read_encrypted_secrets` is false,
so the value of `secrets.yml.enc` cannot be obtained.
In order to be able to refer to secrets in config, this is modified to refer to
`config.read_encrypted_secrets` when calling `secrets`.
Fixes #28618.
|
(I personally prefer writing one string in one line no matter how long it is, though)
|
[ci skip]
|
inherits from Rails::Application
Until Rails 4.1, `before_configuration` ran as soon as the application constant
inherited from `Rails::Application`.
However, in d25fe31c40928712b5e08fe0afb567c3bc88eddf, it was modified to
run during the instantiation process.
This modifies `before_configuration` so that it runs at the same timing as in Rails 4.1.
Fixes #19880
|
The current code base is not uniform. After some discussion,
we have chosen to go with double quotes by default.
|
environments
|
Idiomatically trailing hashes in method calls do not use
explicit curlies.
|
With the exception of what is loaded in active_support/rails,
each file is responsible for its own dependencies. You cannot
rely on runtime order of execution.
|
Adding period in the end.
|
These should allow external code to run blocks of user code to do
"work", at a similar unit size to a web request, without needing to get
intimate with ActionDispatch.
|
s/config\/production/config\/environments\/production/
[ci skip]
|
That would make it possible to use it with action cable configuration.
|
If `SECRET_KEY_BASE` or another `secret` gets passed as something other than a string,
we need to raise `ArgumentError` to know that it's a wrong argument.
Closes #22072
|
We shouldn't merge the app middleware into the config middleware for
engines.
|
Stems from https://github.com/rails/rails/pull/20105#issuecomment-100900939
where @senny said:
> From my point of view, all the docs (guides, API) are version bound.
> They should describe that version and continue to be available when newer versions are released.
> The cross referencing can be done by the interested user.
|
Removing `#build_original_fullpath` because it is no longer
used by the Rails' source code or called in the `#call` method because
the previous commit now uses `fullpath` from Rack.
The method was nodoc'ed so it's safe to remove.
NOTE: I did this as a separate commit so if this does cause a problem
with engines etc. reverting is easy.
|
In Rack, `#fullpath` checks if there is a query string and builds the
query correctly:
```
def path
  script_name + path_info
end

def fullpath
  query_string.empty? ? path : "#{path}?#{query_string}"
end
```
We can utilize this instead of manually building the fullpath because
they are the same result. This also reduces allocations in `#call`
because we don't need `build_original_fullpath` to create the paths and
query strings. We don't need to build `fullpath` twice.
|
* Fix a few typos
* Wrap some lines around 80 chars
* Rephrase some statements
|
A special `if` statement to support `Psych` for Ruby < 2.0 can be
dropped now that Rails requires Ruby >= 2.0.
|
Just prefer secrets over config
|
Allow fallback to LegacyKeyGenerator when secret_key_base is not set but secrets.secret_token is
|
- `secrets.secret_token` is now used in all places `config.secret_token` was
- `secrets.secret_token`, when not present in `config/secrets.yml`,
  now falls back to the value of `config.secret_token`
- when `secrets.secret_token` is set, it over-writes
  `config.secret_token` so they are the same (for backwards-compatibility)
- Update docs to reference app.secrets in all places
- Remove references to `config.secret_token`, `config.secret_key_base`
- Warn that missing secret_key_base is deprecated
- Add tests for secret_token, key_generator, and message_verifier
- the legacy key generator is used with the message verifier when
  secrets.secret_key_base is blank and secret_token is set
- app.key_generator raises when neither secrets.secret_key_base nor
  secret_token are set
- app.env_config raises when neither secrets.secret_key_base nor
  secret_token are set
- Add changelog

Run focused tests via

    ruby -w -Itest test/application/configuration_test.rb -n '/secret_|key_/'
|
This seems to be the style settled on in most of the templates.
|
When copying migrations, some engines might depend on schema from another
engine, so we can't blindly reverse the whole railties collection as that would
affect the order they were originally loaded. This patch helps to only
apply the order from engines specified in `railties_order`
|
You can now configure a custom digest for cookies in the same way as `serializer`:

    config.action_dispatch.cookies_digest = 'SHA256'
|
this means we can meaningfully override methods in the subclass
|
This is a convenience for loading configuration for the current Rails
environment.
|
This PR fixes #8930 and some stuff from #8985
|
Like rake tasks and runner blocks, these blocks should also be shared
between applications since they are stored at the classes.
Fixes #14748
|
Fixes #14620
|