From 6690d662920f0db854f7303cd2a5a36c72299199 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Valim?=
Date: Mon, 5 Apr 2010 10:52:47 +0200
Subject: Rename config.cookie_secret to config.secret_token and pass it as configuration in request.env. This is another step forward removing global configuration.

---
 actionpack/lib/action_controller/metal/cookies.rb | 3 +--
 .../lib/action_controller/metal/http_authentication.rb | 17 ++++++++++++-----
 2 files changed, 13 insertions(+), 7 deletions(-)

(limited to 'actionpack/lib/action_controller/metal')

diff --git a/actionpack/lib/action_controller/metal/cookies.rb b/actionpack/lib/action_controller/metal/cookies.rb
index 4aaa705203..d787f014cd 100644
--- a/actionpack/lib/action_controller/metal/cookies.rb
+++ b/actionpack/lib/action_controller/metal/cookies.rb
@@ -10,8 +10,7 @@ module ActionController #:nodoc:
 
     private
       def cookies
-        raise "You must set config.cookie_secret in your app's config" if config.secret.blank?
-        request.cookie_jar(:signing_secret => config.secret)
+        request.cookie_jar
       end
   end
 end
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 424828f7e8..6bd6c15990 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -159,7 +159,7 @@ module ActionController
 
         # Authenticate with HTTP Digest, returns true or false
         def authenticate_with_http_digest(realm = "Application", &password_procedure)
-          HttpAuthentication::Digest.authenticate(config.secret, request, realm, &password_procedure)
+          HttpAuthentication::Digest.authenticate(request, realm, &password_procedure)
         end
 
         # Render output including the HTTP Digest authentication header
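Review bot: The fail-fast guard against a blank signing secret is dropped from `cookies` and no replacement is visible in this hunk, so whether `request.cookie_jar` refuses to sign or verify with a missing `action_dispatch.secret_token` now depends on code outside this diff. If the jar silently signs with an empty key, signed cookies become forgeable, which is strictly worse than the 500 the old `raise` produced. Either keep a one-line guard here, `raise "You must set config.secret_token in your app's config" if request.env["action_dispatch.secret_token"].blank?`, or document where the check now lives with a comment such as `# Signing secret is read from request.env["action_dispatch.secret_token"]; the jar is expected to reject a blank secret`.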
@@ -169,14 +169,15 @@ module ActionController
       end
 
       # Returns false on a valid response, true otherwise
-      def authenticate(secret_key, request, realm, &password_procedure)
-        request.authorization && validate_digest_response(secret_key, request, realm, &password_procedure)
+      def authenticate(request, realm, &password_procedure)
+        request.authorization && validate_digest_response(request, realm, &password_procedure)
       end
 
       # Returns false unless the request credentials response value matches the expected value.
       # First try the password as a ha1 digest password. If this fails, then try it as a plain
       # text password.
-      def validate_digest_response(secret_key, request, realm, &password_procedure)
+      def validate_digest_response(request, realm, &password_procedure)
+        secret_key = secret_token(request)
         credentials = decode_credentials_header(request)
 
         valid_nonce = validate_nonce(secret_key, request, credentials[:nonce])
@@ -225,7 +226,7 @@ module ActionController
       end
 
       def authentication_header(controller, realm)
-        secret_key = controller.config.secret
+        secret_key = secret_token(controller.request)
         nonce = self.nonce(secret_key)
         opaque = opaque(secret_key)
         controller.headers["WWW-Authenticate"] = %(Digest realm="#{realm}", qop="auth", algorithm=MD5, nonce="#{nonce}", opaque="#{opaque}")
@@ -238,6 +239,12 @@ module ActionController
         controller.status = 401
       end
 
+      def secret_token(request)
+        secret = request.env["action_dispatch.secret_token"]
+        raise "You must set config.secret_token in your app's config" if secret.blank?
+        secret
+      end
+
       # Uses an MD5 digest based on time to generate a value to be used only once.
       #
       # A server-specified data string which should be uniquely generated each time a 401 response is made.
-- 
cgit v1.2.3
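Review bot: `validate_digest_response` now keys nonce validation on `request.env["action_dispatch.secret_token"]` via the new `secret_token(request)` line, so the security of the nonce check depends on the middleware stack having populated that env key before the controller runs, and nothing in this hunk documents that dependency. A reader of the method cannot tell from here that the key is supplied by the application's middleware rather than by anything in the request, so a short comment on the new line would help: `# secret comes from request.env, populated by the app's middleware stack, never from the client`. The body of validate_digest_response continues past the end of the hunk.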
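Review bot: `secret_token` only rejects a blank secret, and it does so per request, so an application that never sets `config.secret_token` boots cleanly and then fails with a bare `RuntimeError` (a 500) on the first Digest challenge or response rather than at startup; validating at boot, where the env key is populated, would surface the misconfiguration earlier and leave this helper as a defensive check. The helper is also undocumented; a header such as `# Per-request secret used to key nonce/opaque generation, read from request.env so the application, not global config, supplies it` would state the contract. A blank check also says nothing about secret strength: the comment below says the nonce is an MD5 digest based on time, presumably combined with this key, so a short or guessable secret would make nonces predictable.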