
Use derived keys everywhere, http_authentication was missing it

1 parent fb0cea2 commit 5d23925f84f0241e28b3fbce740150136ba08254 @spastorino spastorino committed Nov 2, 2012
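--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -249,9 +249,8 @@ def authentication_request(controller, realm, message = nil)
 end
 def secret_token(request)
- secret = request.env["action_dispatch.secret_token"]
- raise "You must set config.secret_token in your app's config" if secret.blank?
- secret
+ key_generator = request.env["action_dispatch.key_generator"]
+ key_generator.generate_key('http authentication')
 end
 # Uses an MD5 digest based on time to generate a value to be used only once.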
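Review bot: `secret_token(request)` no longer fails with an actionable message when the key generator is missing from the Rack env: calling `generate_key` on a nil `request.env["action_dispatch.key_generator"]` raises a bare NoMethodError, whereas the removed lines raised a clear "You must set config.secret_token…" error. Anyone driving the digest authenticator outside a full Rails app, or in a test that does not seed the env (as the updated tests now must), will hit the opaque failure instead. Keep the guard, e.g. `raise "You must set config.secret_token_key in your app's config" unless key_generator` before the `generate_key` call. The salt `'http authentication'` also deserves a one-line comment that it must stay stable across releases, since nonces issued under a different salt would presumably stop validating. Callers of this method sit outside the hunk.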
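--- a/actionpack/test/controller/http_digest_authentication_test.rb
+++ b/actionpack/test/controller/http_digest_authentication_test.rb
@@ -1,4 +1,6 @@
 require 'abstract_unit'
+# FIXME remove DummyKeyGenerator and this require in 4.1
+require 'active_support/key_generator'
 class HttpDigestAuthenticationTest < ActionController::TestCase
 class DummyDigestController < ActionController::Base
@@ -41,7 +43,7 @@ def authenticate_with_request
 setup do
 # Used as secret in generating nonce to prevent tampering of timestamp
 @secret = "session_options_secret"
- @request.env["action_dispatch.secret_token"] = @secret
+ @request.env["action_dispatch.key_generator"] = ActiveSupport::DummyKeyGenerator.new(@secret)
 end
 teardown do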
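--- a/railties/lib/rails/application.rb
+++ b/railties/lib/rails/application.rb
@@ -120,7 +120,6 @@ def key_generator
 # Currently stores:
 #
 # * "action_dispatch.parameter_filter" => config.filter_parameters,
- # * "action_dispatch.secret_token" => config.secret_token,
 # * "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions,
 # * "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local,
 # * "action_dispatch.logger" => Rails.logger,
@@ -135,11 +134,13 @@ def env_config
 ActiveSupport::Deprecation.warn "You didn't set config.secret_token_key. " +
 "This should be used instead of the old deprecated config.secret_token. " +
 "Set config.secret_token_key instead of config.secret_token in config/initializers/secret_token.rb"
+ if config.secret_token.blank?
+ raise "You must set config.secret_token_key in your app's config"
+ end
 end
 super.merge({
 "action_dispatch.parameter_filter" => config.filter_parameters,
- "action_dispatch.secret_token" => config.secret_token,
 "action_dispatch.show_exceptions" => config.action_dispatch.show_exceptions,
 "action_dispatch.show_detailed_exceptions" => config.consider_all_requests_local,
 "action_dispatch.logger" => Rails.logger,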
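Review bot: The new blank check in `env_config` is reached only through the deprecated path: it tests `config.secret_token` inside the branch that, per the deprecation text just above it, runs when `secret_token_key` was not given (the enclosing `if` opens outside the hunk, so this is inferred). An app that sets `config.secret_token_key = ""` passes straight through and every key derived from it is worthless, which is worse than refusing to boot. Consider one unconditional guard after the deprecation block instead, e.g. `raise "You must set config.secret_token_key in your app's config" if config.secret_token_key.blank? && config.secret_token.blank?`, with a short why-comment that signed cookies and the HTTP-auth nonce key (see http_authentication.rb in this commit) are all derived from this value. The message on the raise is right as written; only its placement is the issue.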
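--- a/railties/lib/rails/application/configuration.rb
+++ b/railties/lib/rails/application/configuration.rb
@@ -10,12 +10,12 @@ class Configuration < ::Rails::Engine::Configuration
 :cache_classes, :cache_store, :consider_all_requests_local, :console,
 :eager_load, :exceptions_app, :file_watcher, :filter_parameters,
 :force_ssl, :helpers_paths, :logger, :log_formatter, :log_tags,
- :railties_order, :relative_url_root, :secret_token_key,
+ :railties_order, :relative_url_root, :secret_token, :secret_token_key,
 :serve_static_assets, :ssl_options, :static_cache_control, :session_options,
 :time_zone, :reload_classes_only_on_change,
 :queue, :queue_consumer, :beginning_of_week
- attr_writer :secret_token, :log_level
+ attr_writer :log_level
 attr_reader :encoding
 def initialize(*)
@@ -146,10 +146,6 @@ def session_store(*args)
 def whiny_nils=(*)
 ActiveSupport::Deprecation.warn "config.whiny_nils option is deprecated and no longer works"
 end
-
- def secret_token
- @secret_token_key || @secret_token
- end
 end
 end
 end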
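Review bot: Dropping the `secret_token` reader that fell back to `@secret_token_key` silently changes what third-party code observes: any middleware or gem that still reads `config.secret_token` (the value this commit also stops exporting as `action_dispatch.secret_token`) now gets nil when an app sets only `secret_token_key`, where it previously received the key. Whether anything outside Rails relies on that fallback cannot be told from here, but the deprecation warning in application.rb does not mention the change. Either keep a reader that warns once and returns the fallback, or add a comment above the accessor list, e.g. `# secret_token is kept only for the deprecated config; it no longer mirrors secret_token_key.` The `Configuration` class body continues outside the hunk.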
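--- a/railties/test/abstract_unit.rb
+++ b/railties/test/abstract_unit.rb
@@ -14,5 +14,6 @@
 module TestApp
 class Application < Rails::Application
 config.root = File.dirname(__FILE__)
+ config.secret_token_key = 'b3c631c314c0bbca50c1b2843150fe33'
 end
 end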
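--- a/railties/test/application/configuration_test.rb
+++ b/railties/test/application/configuration_test.rb
@@ -225,23 +225,6 @@ def assert_utf8
 assert_equal Pathname.new(app_path).join("somewhere"), Rails.public_path
 end
- test "config.secret_token_key is sent in env" do
- make_basic_app do |app|
- app.config.secret_token_key = 'b3c631c314c0bbca50c1b2843150fe33'
- app.config.session_store :disabled
- end
-
- class ::OmgController < ActionController::Base
- def index
- cookies.signed[:some_key] = "some_value"
- render text: env["action_dispatch.secret_token"]
- end
- end
-
- get "/"
- assert_equal 'b3c631c314c0bbca50c1b2843150fe33', last_response.body
- end
-
 test "Use key_generator when secret_token_key is set" do
 make_basic_app do |app|
 app.config.secret_token_key = 'b3c631c314c0bbca50c1b2843150fe33'
@@ -588,7 +571,6 @@ def index
 assert_respond_to app, :env_config
 assert_equal app.env_config['action_dispatch.parameter_filter'], app.config.filter_parameters
- assert_equal app.env_config['action_dispatch.secret_token'], app.config.secret_token
 assert_equal app.env_config['action_dispatch.show_exceptions'], app.config.action_dispatch.show_exceptions
 assert_equal app.env_config['action_dispatch.logger'], Rails.logger
 assert_equal app.env_config['action_dispatch.backtrace_cleaner'], Rails.backtrace_cleaner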
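Review bot: The deleted test was the only one asserting what `env_config` exposes for the secret, and nothing replaces it, so a regression that puts the raw secret back into the Rack env, or that forgets to publish the key generator the digest authenticator now reads, would pass this suite. In the `env_config` test add `assert_nil app.env_config['action_dispatch.secret_token']` next to the remaining assertions, and, if `env_config` is what carries the generator (not visible here), `assert_equal app.env_config['action_dispatch.key_generator'], app.key_generator`. That test method starts outside the hunk.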
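--- a/railties/test/application/middleware/remote_ip_test.rb
+++ b/railties/test/application/middleware/remote_ip_test.rb
@@ -1,4 +1,6 @@
 require 'isolation/abstract_unit'
+# FIXME remove DummyKeyGenerator and this require in 4.1
+require 'active_support/key_generator'
 module ApplicationTests
 class RemoteIpTest < ActiveSupport::TestCase
@@ -8,7 +10,7 @@ def remote_ip(env = {})
 remote_ip = nil
 env = Rack::MockRequest.env_for("/").merge(env).merge!(
 'action_dispatch.show_exceptions' => false,
- 'action_dispatch.secret_token' => 'b3c631c314c0bbca50c1b2843150fe33'
+ 'action_dispatch.key_generator' => ActiveSupport::DummyKeyGenerator.new('b3c631c314c0bbca50c1b2843150fe33')
 )
 endpoint = Proc.new do |e|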

