Added cookies.permanent, cookies.signed, and cookies.permanent.signed accessor for common cookie actions [DHH]
This commit is contained in:
parent
2419fae092
commit
c06aff0a7e
@ -50,56 +50,148 @@ module Cookies
|
||||
|
||||
included do
|
||||
helper_method :cookies
|
||||
cattr_accessor :cookie_verifier_secret
|
||||
end
|
||||
|
||||
protected
|
||||
# Returns the cookie container, which operates as described above.
|
||||
def cookies
|
||||
@cookies ||= CookieJar.build(request, response)
|
||||
end
|
||||
end
|
||||
|
||||
class CookieJar < Hash #:nodoc:
|
||||
def self.build(request, response)
|
||||
new.tap do |hash|
|
||||
hash.update(request.cookies)
|
||||
hash.response = response
|
||||
protected
|
||||
# Returns the cookie container, which operates as described above.
|
||||
def cookies
|
||||
@cookies ||= CookieJar.build(request, response)
|
||||
end
|
||||
end
|
||||
|
||||
attr_accessor :response
|
||||
|
||||
# Returns the value of the cookie by +name+, or +nil+ if no such cookie exists.
|
||||
def [](name)
|
||||
super(name.to_s)
|
||||
end
|
||||
|
||||
# Sets the cookie named +name+. The second argument may be the very cookie
|
||||
# value, or a hash of options as documented above.
|
||||
def []=(key, options)
|
||||
if options.is_a?(Hash)
|
||||
options.symbolize_keys!
|
||||
value = options[:value]
|
||||
else
|
||||
value = options
|
||||
options = { :value => value }
|
||||
class CookieJar < Hash #:nodoc:
|
||||
def self.build(request, response)
|
||||
new.tap do |hash|
|
||||
hash.update(request.cookies)
|
||||
hash.response = response
|
||||
end
|
||||
end
|
||||
|
||||
super(key.to_s, value)
|
||||
attr_accessor :response
|
||||
|
||||
# Returns the value of the cookie by +name+, or +nil+ if no such cookie exists.
|
||||
def [](name)
|
||||
super(name.to_s)
|
||||
end
|
||||
|
||||
# Sets the cookie named +name+. The second argument may be the very cookie
|
||||
# value, or a hash of options as documented above.
|
||||
def []=(key, options)
|
||||
if options.is_a?(Hash)
|
||||
options.symbolize_keys!
|
||||
value = options[:value]
|
||||
else
|
||||
value = options
|
||||
options = { :value => value }
|
||||
end
|
||||
|
||||
super(key.to_s, value)
|
||||
|
||||
options[:path] ||= "/"
|
||||
response.set_cookie(key, options)
|
||||
end
|
||||
options[:path] ||= "/"
|
||||
response.set_cookie(key, options)
|
||||
end
|
||||
|
||||
# Removes the cookie on the client machine by setting the value to an empty string
|
||||
# and setting its expiration date into the past. Like <tt>[]=</tt>, you can pass in
|
||||
# an options hash to delete cookies with extra data such as a <tt>:path</tt>.
|
||||
def delete(key, options = {})
|
||||
options.symbolize_keys!
|
||||
options[:path] ||= "/"
|
||||
value = super(key.to_s)
|
||||
response.delete_cookie(key, options)
|
||||
value
|
||||
# Removes the cookie on the client machine by setting the value to an empty string
|
||||
# and setting its expiration date into the past. Like <tt>[]=</tt>, you can pass in
|
||||
# an options hash to delete cookies with extra data such as a <tt>:path</tt>.
|
||||
def delete(key, options = {})
|
||||
options.symbolize_keys!
|
||||
options[:path] ||= "/"
|
||||
value = super(key.to_s)
|
||||
response.delete_cookie(key, options)
|
||||
value
|
||||
end
|
||||
|
||||
# Returns a jar that'll automatically set the assigned cookies to have an expiration date 20 years from now. Example:
|
||||
#
|
||||
# cookies.permanent[:prefers_open_id] = true
|
||||
# # => Set-Cookie: prefers_open_id=true; path=/; expires=Sun, 16-Dec-2029 03:24:16 GMT
|
||||
#
|
||||
# This jar is only meant for writing. You'll read permanent cookies through the regular accessor.
|
||||
#
|
||||
# This jar allows chaining with the signed jar as well, so you can set permanent, signed cookies. Examples:
|
||||
#
|
||||
# cookies.permanent.signed[:remember_me] = current_user.id
|
||||
# # => Set-Cookie: discount=BAhU--848956038e692d7046deab32b7131856ab20e14e; path=/; expires=Sun, 16-Dec-2029 03:24:16 GMT
|
||||
def permanent
|
||||
@permanent ||= PermanentCookieJar.new(self)
|
||||
end
|
||||
|
||||
# Returns a jar that'll automatically generate a signed representation of cookie value and verify it when reading from
|
||||
# the cookie again. This is useful for creating cookies with values that the user is not supposed to change. If a signed
|
||||
# cookie was tampered with by the user (or a 3rd party), an ActiveSupport::MessageVerifier::InvalidSignature exception will
|
||||
# be raised.
|
||||
#
|
||||
# This jar requires that you set a suitable secret for the verification on ActionController::Base.cookie_verifier_secret.
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# cookies.signed[:discount] = 45
|
||||
# # => Set-Cookie: discount=BAhpMg==--2c1c6906c90a3bc4fd54a51ffb41dffa4bf6b5f7; path=/
|
||||
#
|
||||
# cookies.signed[:discount] # => 45
|
||||
def signed
|
||||
@signed ||= SignedCookieJar.new(self)
|
||||
end
|
||||
end
|
||||
|
||||
class PermanentCookieJar < CookieJar #:nodoc:
|
||||
def initialize(parent_jar)
|
||||
@parent_jar = parent_jar
|
||||
end
|
||||
|
||||
def []=(key, options)
|
||||
if options.is_a?(Hash)
|
||||
options.symbolize_keys!
|
||||
else
|
||||
options = { :value => options }
|
||||
end
|
||||
|
||||
options[:expires] = 20.years.from_now
|
||||
@parent_jar[key] = options
|
||||
end
|
||||
|
||||
def signed
|
||||
@signed ||= SignedCookieJar.new(self)
|
||||
end
|
||||
|
||||
def controller
|
||||
@parent_jar.controller
|
||||
end
|
||||
|
||||
def method_missing(method, *arguments, &block)
|
||||
@parent_jar.send(method, *arguments, &block)
|
||||
end
|
||||
end
|
||||
|
||||
class SignedCookieJar < CookieJar #:nodoc:
|
||||
def initialize(parent_jar)
|
||||
unless ActionController::Base.cookie_verifier_secret
|
||||
raise "You must set ActionController::Base.cookie_verifier_secret to use signed cookies"
|
||||
end
|
||||
|
||||
@parent_jar = parent_jar
|
||||
@verifier = ActiveSupport::MessageVerifier.new(ActionController::Base.cookie_verifier_secret)
|
||||
end
|
||||
|
||||
def [](name)
|
||||
@verifier.verify(@parent_jar[name])
|
||||
end
|
||||
|
||||
def []=(key, options)
|
||||
if options.is_a?(Hash)
|
||||
options.symbolize_keys!
|
||||
options[:value] = @verifier.generate(options[:value])
|
||||
else
|
||||
options = { :value => @verifier.generate(options) }
|
||||
end
|
||||
|
||||
@parent_jar[key] = options
|
||||
end
|
||||
|
||||
def method_missing(method, *arguments, &block)
|
||||
@parent_jar.send(method, *arguments, &block)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -1,5 +1,7 @@
|
||||
require 'abstract_unit'
|
||||
|
||||
ActionController::Base.cookie_verifier_secret = "thisISverySECRET123"
|
||||
|
||||
class CookieTest < ActionController::TestCase
|
||||
class TestController < ActionController::Base
|
||||
def authenticate
|
||||
@ -47,6 +49,21 @@ def authenticate_with_http_only
|
||||
cookies["user_name"] = { :value => "david", :httponly => true }
|
||||
head :ok
|
||||
end
|
||||
|
||||
def set_permanent_cookie
|
||||
cookies.permanent[:user_name] = "Jamie"
|
||||
head :ok
|
||||
end
|
||||
|
||||
def set_signed_cookie
|
||||
cookies.signed[:user_id] = 45
|
||||
head :ok
|
||||
end
|
||||
|
||||
def set_permanent_signed_cookie
|
||||
cookies.permanent.signed[:remember_me] = 100
|
||||
head :ok
|
||||
end
|
||||
end
|
||||
|
||||
tests TestController
|
||||
@ -134,6 +151,24 @@ def test_cookies_persist_throughout_request
|
||||
response = get :authenticate
|
||||
assert response.headers["Set-Cookie"] =~ /user_name=david/
|
||||
end
|
||||
|
||||
def test_permanent_cookie
|
||||
get :set_permanent_cookie
|
||||
assert_match /Jamie/, @response.headers["Set-Cookie"]
|
||||
assert_match %r(#{20.years.from_now.year}), @response.headers["Set-Cookie"]
|
||||
end
|
||||
|
||||
def test_signed_cookie
|
||||
get :set_signed_cookie
|
||||
assert_equal 45, @controller.send(:cookies).signed[:user_id]
|
||||
end
|
||||
|
||||
def test_permanent_signed_cookie
|
||||
get :set_permanent_signed_cookie
|
||||
assert_match %r(#{20.years.from_now.year}), @response.headers["Set-Cookie"]
|
||||
assert_equal 100, @controller.send(:cookies).signed[:remember_me]
|
||||
end
|
||||
|
||||
|
||||
private
|
||||
def assert_cookie_header(expected)
|
||||
|
@ -1,5 +1,23 @@
|
||||
*Edge*
|
||||
|
||||
* Added cookies.permanent, cookies.signed, and cookies.permanent.signed accessor for common cookie actions [DHH]. Examples:
|
||||
|
||||
cookies.permanent[:prefers_open_id] = true
|
||||
# => Set-Cookie: prefers_open_id=true; path=/; expires=Sun, 16-Dec-2029 03:24:16 GMT
|
||||
|
||||
cookies.signed[:discount] = 45
|
||||
# => Set-Cookie: discount=BAhpMg==--2c1c6906c90a3bc4fd54a51ffb41dffa4bf6b5f7; path=/
|
||||
|
||||
cookies.signed[:discount]
|
||||
# => 45 (if the cookie was changed, you'll get a InvalidSignature exception)
|
||||
|
||||
cookies.permanent.signed[:remember_me] = current_user.id
|
||||
# => Set-Cookie: discount=BAhU--848956038e692d7046deab32b7131856ab20e14e; path=/; expires=Sun, 16-Dec-2029 03:24:16 GMT
|
||||
|
||||
...to use the signed cookies, you need to set a secret to ActionController::Base.cookie_verifier_secret (automatically done in config/initializers/cookie_verification_secret.rb for new Rails applications).
|
||||
|
||||
* Added config/initializers/cookie_verification_secret.rb with an auto-generated secret for using ActionController::Base#cookies.signed [DHH]
|
||||
|
||||
* Fixed that the debugger wouldn't go into IRB mode because of left-over ARGVs [DHH]
|
||||
|
||||
* I18n support for plugins. #2325 [Antonio Tapiador, Sven Fuchs]
|
||||
|
7
railties/lib/rails/generators/rails/app/templates/config/initializers/cookie_verification_secret.rb.tt
Normal file
7
railties/lib/rails/generators/rails/app/templates/config/initializers/cookie_verification_secret.rb.tt
Normal file
@ -0,0 +1,7 @@
|
||||
# Be sure to restart your server when you modify this file.
|
||||
|
||||
# Your secret key for verifying the integrity of signed cookies.
|
||||
# If you change this key, all old signed cookies will become invalid!
|
||||
# Make sure the secret is at least 30 characters and all random,
|
||||
# no regular words or you'll be exposed to dictionary attacks.
|
||||
ActionController::Base.cookie_verification_secret = '<%= app_secret %>';
|
Loading…
Reference in New Issue
Block a user