From 60609bb50d5b99d78a01a945a539cccd061cd7e7 Mon Sep 17 00:00:00 2001
From: Santiago Pastorino
Date: Wed, 31 Oct 2012 01:06:46 -0200
Subject: Sign cookies using key deriver
---
 .../lib/action_controller/metal/request_forgery_protection.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'actionpack/lib/action_controller/metal')
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index a50f0ca8c1..265ce5d6f3 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -121,11 +121,11 @@ module ActionController #:nodoc:
 class NullCookieJar < ActionDispatch::Cookies::CookieJar #:nodoc:
 def self.build(request)
- secret = request.env[ActionDispatch::Cookies::TOKEN_KEY]
- host = request.host
- secure = request.ssl?
+ key_generator = request.env[ActionDispatch::Cookies::GENERATOR_KEY]
+ host = request.host
+ secure = request.ssl?
- new(secret, host, secure)
+ new(key_generator, host, secure)
 end
 def write(*)
-- 
cgit v1.2.3
From 5d23925f84f0241e28b3fbce740150136ba08254 Mon Sep 17 00:00:00 2001
From: Santiago Pastorino
Date: Fri, 2 Nov 2012 20:26:11 -0200
Subject: Use derived keys everywhere, http_authentication was missing it
---
 actionpack/lib/action_controller/metal/http_authentication.rb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
(limited to 'actionpack/lib/action_controller/metal')
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 6d46586367..1537b8b806 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
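Review bot: The new `key_generator = request.env[ActionDispatch::Cookies::GENERATOR_KEY]` in `NullCookieJar.build` is handed to `new` without any presence check, so a request whose env lacks the generator would only fail later with a NoMethodError on nil inside the jar rather than at construction, where the cause is obvious. `key_generator = request.env.fetch(ActionDispatch::Cookies::GENERATOR_KEY)` would raise a KeyError naming the missing key at build time instead. The constructor being called is `ActionDispatch::Cookies::CookieJar#initialize`, which is outside this diff, so I am assuming its first positional argument now takes the generator rather than the raw secret. The class body continues past the end of the hunk.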
@@ -249,9 +249,8 @@ module ActionController
 end
 def secret_token(request)
- secret = request.env["action_dispatch.secret_token"]
- raise "You must set config.secret_token in your app's config" if secret.blank?
- secret
+ key_generator = request.env["action_dispatch.key_generator"]
+ key_generator.generate_key('http authentication')
 end
 # Uses an MD5 digest based on time to generate a value to be used only once.
-- 
cgit v1.2.3
From 47da5744741f0af668d2f915e09003be35dcce66 Mon Sep 17 00:00:00 2001
From: Santiago Pastorino
Date: Thu, 1 Nov 2012 20:02:09 -0200
Subject: Allow users to change the default salt if they want, shouldn't be necessary
---
 actionpack/lib/action_controller/metal/http_authentication.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'actionpack/lib/action_controller/metal')
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 1537b8b806..d3b5bafee1 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -249,8 +249,9 @@ module ActionController
 end
 def secret_token(request)
- key_generator = request.env["action_dispatch.key_generator"]
- key_generator.generate_key('http authentication')
+ key_generator = request.env["action_dispatch.key_generator"]
+ http_auth_salt = request.env["action_dispatch.http_auth_salt"]
+ key_generator.generate_key(http_auth_salt)
 end
 # Uses an MD5 digest based on time to generate a value to be used only once.
-- 
cgit v1.2.3
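Review bot: The commit drops the explicit `raise "You must set config.secret_token in your app's config" if secret.blank?` guard without a replacement, so when `request.env["action_dispatch.key_generator"]` is absent, `secret_token` now fails with a NoMethodError on nil instead of a configuration message. If the generator is guaranteed by middleware in every supported deployment this is harmless; otherwise `key_generator = request.env.fetch("action_dispatch.key_generator")` keeps a clear failure at the point of use. Separately, this hunk spells the env key as a string literal while the request_forgery_protection hunk in the same series reads it through `ActionDispatch::Cookies::GENERATOR_KEY`, which appears to name the same entry; using the constant here would keep both callers in step. The third commit's hunk rewrites these same lines and inherits both points.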
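Review bot: `http_auth_salt = request.env["action_dispatch.http_auth_salt"]` has no fallback, so an env that does not set the salt passes `nil` to `generate_key`, and what key (or error) that produces depends on the generator's handling of a nil salt, which is not visible here. Since the commit message says changing the salt "shouldn't be necessary", defaulting to the literal the previous commit used preserves the prior derivation when nothing is configured: `http_auth_salt = request.env["action_dispatch.http_auth_salt"] || 'http authentication'`. A comment on the line stating that the salt only needs to be stable, not secret, would also save the next reader from treating it as a second key.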