From 233001749cd00e147f93c17c17e49e5f6094721e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Mendon=C3=A7a=20Fran=C3=A7a?=
Date: Tue, 19 Nov 2013 22:26:52 -0200
Subject: Add application verifier

It is an application global verifier that can be used to generate and verify signed messages. See the documentation of ActiveSupport::MessageVerifier for more information.
---
 railties/lib/rails/application.rb | 12 ++++++++
 railties/test/application/configuration_test.rb | 41 +++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
(limited to 'railties')
diff --git a/railties/lib/rails/application.rb b/railties/lib/rails/application.rb
index d1e88cfafd..ccd97af655 100644
--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -158,6 +158,18 @@ module Rails
 end
 end
+ def verifier
+ @verifier ||= begin
+ if config.respond_to?(:message_verifier_salt)
+ salt = config.message_verifier_salt
+ end
+
+ salt = salt || 'application verifier'
+ secret = key_generator.generate_key(salt)
+ ActiveSupport::MessageVerifier.new(secret)
+ end
+ end
+
 # Stores some of the Rails initial environment parameters which
 # will be used by middlewares and engines to configure themselves.
 def env_config
diff --git a/railties/test/application/configuration_test.rb b/railties/test/application/configuration_test.rb
index 03a735b1c1..e532190252 100644
--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
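Review bot: `verifier` derives a single key per application from one salt (`'application verifier'` or `config.message_verifier_salt`), so a message signed for one feature will verify wherever else this verifier is used; nothing binds a message to its purpose. The method is also undocumented, unlike `env_config` below it; a comment such as `# Returns an application-wide ActiveSupport::MessageVerifier. Messages are signed, not encrypted, and share one key, so callers must put the intended use in the payload and check it after verify.` would state the contract. Consider accepting a name argument and passing it to `key_generator.generate_key` so each use gets its own derived key. Because the result is memoized in `@verifier`, a salt configured after the first call is silently ignored, which the comment should mention as well.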
@@ -268,6 +268,47 @@ module ApplicationTests
 assert_equal 'some_value', verifier.verify(last_response.body)
 end
+ test "application verifier can be used in the entire application" do
+ make_basic_app do |app|
+ app.config.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
+ app.config.session_store :disabled
+ end
+
+ class ::OmgController < ActionController::Base
+ def index
+ render text: Rails.application.verifier.generate("some_value")
+ end
+ end
+
+ get "/"
+
+ assert_equal 'some_value', Rails.application.verifier.verify(last_response.body)
+
+ secret = app.key_generator.generate_key('application verifier')
+ verifier = ActiveSupport::MessageVerifier.new(secret)
+ assert_equal 'some_value', verifier.verify(last_response.body)
+ end
+
+ test "application verifier use the configure salt" do
+ make_basic_app do |app|
+ app.config.secret_key_base = 'b3c631c314c0bbca50c1b2843150fe33'
+ app.config.session_store :disabled
+ app.config.message_verifier_salt = 'another salt'
+ end
+
+ class ::OmgController < ActionController::Base
+ def index
+ render text: Rails.application.verifier.generate("some_value")
+ end
+ end
+
+ get "/"
+
+ secret = app.key_generator.generate_key('another salt')
+ verifier = ActiveSupport::MessageVerifier.new(secret)
+ assert_equal 'some_value', verifier.verify(last_response.body)
+ end
+
 test "protect from forgery is the default in a new app" do
 make_basic_app
-- 
cgit v1.2.3
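Review bot: The two added tests repeat the same `class ::OmgController` definition, which reopens one global constant in each test, and the second title reads "application verifier use the configure salt"; rename it to `test "application verifier uses the configured salt" do`. The second test would also state what the salt changes more directly if it asserted that a verifier keyed with the default salt rejects the response: `assert_raises(ActiveSupport::MessageVerifier::InvalidSignature) { default_verifier.verify(last_response.body) }`, with `default_verifier` built from `app.key_generator.generate_key('application verifier')`. The hunk ends inside the following test, so only the two added tests are covered here.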