From 8eefdb6d7056dc0d4d63a5c34a4b12701ba21c88 Mon Sep 17 00:00:00 2001
From: Santiago Pastorino <santiago@wyeworks.com>
Date: Fri, 16 Nov 2012 17:17:08 -0200
Subject: Add UpgradeSignatureToEncryptionCookieStore

This allows easy upgrading from the old signed Cookie Store <= 3.2
or the deprecated one in 4.0 (the ones that doesn't use key derivation)
to the new one that signs using key derivation
---
 actionpack/lib/action_dispatch.rb                       | 11 ++++++-----
 actionpack/lib/action_dispatch/middleware/cookies.rb    | 10 ++++++++--
 .../action_dispatch/middleware/session/cookie_store.rb  | 17 +++++++++++++++++
 3 files changed, 31 insertions(+), 7 deletions(-)

(limited to 'actionpack')

diff --git a/actionpack/lib/action_dispatch.rb b/actionpack/lib/action_dispatch.rb
index ab1755acd5..1d716a3248 100644
--- a/actionpack/lib/action_dispatch.rb
+++ b/actionpack/lib/action_dispatch.rb
@@ -81,11 +81,12 @@ module ActionDispatch
   end
 
   module Session
-    autoload :AbstractStore,        'action_dispatch/middleware/session/abstract_store'
-    autoload :CookieStore,          'action_dispatch/middleware/session/cookie_store'
-    autoload :EncryptedCookieStore, 'action_dispatch/middleware/session/cookie_store'
-    autoload :MemCacheStore,        'action_dispatch/middleware/session/mem_cache_store'
-    autoload :CacheStore,           'action_dispatch/middleware/session/cache_store'
+    autoload :AbstractStore,                           'action_dispatch/middleware/session/abstract_store'
+    autoload :CookieStore,                             'action_dispatch/middleware/session/cookie_store'
+    autoload :EncryptedCookieStore,                    'action_dispatch/middleware/session/cookie_store'
+    autoload :UpgradeSignatureToEncryptionCookieStore, 'action_dispatch/middleware/session/cookie_store'
+    autoload :MemCacheStore,                           'action_dispatch/middleware/session/mem_cache_store'
+    autoload :CacheStore,                              'action_dispatch/middleware/session/cache_store'
   end
 
   mattr_accessor :test_app
diff --git a/actionpack/lib/action_dispatch/middleware/cookies.rb b/actionpack/lib/action_dispatch/middleware/cookies.rb
index 7936dcb515..2f148752cb 100644
--- a/actionpack/lib/action_dispatch/middleware/cookies.rb
+++ b/actionpack/lib/action_dispatch/middleware/cookies.rb
@@ -85,7 +85,7 @@ module ActionDispatch
     SIGNED_COOKIE_SALT = "action_dispatch.signed_cookie_salt".freeze
     ENCRYPTED_COOKIE_SALT = "action_dispatch.encrypted_cookie_salt".freeze
     ENCRYPTED_SIGNED_COOKIE_SALT = "action_dispatch.encrypted_signed_cookie_salt".freeze
-
+    TOKEN_KEY   = "action_dispatch.secret_token".freeze
 
     # Raised when storing more than 4K of session data.
     CookieOverflow = Class.new StandardError
@@ -112,7 +112,8 @@ module ActionDispatch
         key_generator = env[GENERATOR_KEY]
         options = { signed_cookie_salt: env[SIGNED_COOKIE_SALT],
                     encrypted_cookie_salt: env[ENCRYPTED_COOKIE_SALT],
-                    encrypted_signed_cookie_salt: env[ENCRYPTED_SIGNED_COOKIE_SALT] }
+                    encrypted_signed_cookie_salt: env[ENCRYPTED_SIGNED_COOKIE_SALT],
+                    token_key: env[TOKEN_KEY] }
 
         host = request.host
         secure = request.ssl?
@@ -251,6 +252,11 @@ module ActionDispatch
         @signed ||= SignedCookieJar.new(self, @key_generator, @options)
       end
 
+      # Only needed for supporting the +UpgradeSignatureToEncryptionCookieStore+, users and plugin authors should not use this
+      def signed_using_old_secret #:nodoc:
+        @signed_using_old_secret ||= SignedCookieJar.new(self, ActiveSupport::DummyKeyGenerator.new(@options[:token_key]), @options)
+      end
+
       # Returns a jar that'll automatically encrypt cookie values before sending them to the client and will decrypt them for read.
       # If the cookie was tampered with by the user (or a 3rd party), an ActiveSupport::MessageVerifier::InvalidSignature exception
       # will be raised.
diff --git a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
index 55a9314524..d7f83a1cc6 100644
--- a/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
+++ b/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
@@ -93,5 +93,22 @@ module ActionDispatch
         request.cookie_jar.encrypted
       end
     end
+
+    # This cookie store helps you upgrading apps that use +CookieStore+ to the new default +EncryptedCookieStore+
+    #
+    # To use this CookieStore set MyApp.config.session_store :upgrade_signature_to_encryption_cookie_store, key: '_myapp_session'
+    # in your config/initializers/session_store.rb
+    class UpgradeSignatureToEncryptionCookieStore < EncryptedCookieStore
+      private
+
+      def get_cookie(env)
+        signed_using_old_secret_cookie_jar(env)[@key] || cookie_jar(env)[@key]
+      end
+
+      def signed_using_old_secret_cookie_jar(env)
+        request = ActionDispatch::Request.new(env)
+        request.cookie_jar.signed_using_old_secret
+      end
+    end
   end
 end
-- 
cgit v1.2.3