Add Application#message_verifier method to return a message verifier

[rafaelfranca]

This verifier can be used to generate and verify signed messages in the application.

message = Rails.application.message_verifier.generate('my sensible data')
Rails.application.message_verifier.verify(message)
# => 'my sensible data'

It is recommended to not use the same verifier to different things, so you can get different verifiers passing the name argument.

message = Rails.application.message_verifier('cookies').generate('my sensible cookie data')

By default all the verifiers will share the same salt, so messages generated by one can be verifier by another one.

We recommend to use different salts to different verifiers and you can configure using config.message_verifier_salts.

Rails.application.config.message_verifier_salts = { 'cookies' => 'cookies salt' }

See the ActiveSupport::MessageVerifier documentation for more information.

[laurocaetano]

❤️ 💚 💛

[NZKoz]

yes, the name is sufficient, no need to second-handle the salt configuration anywhere else. Their sole purpose is to get different deterministic bytes out of the KeyGenerator

[carlosantoniodasilva]

not to? And for different things maybe.

[carlosantoniodasilva]

Great bro 👍

[NZKoz]

I think you can just remove the whole notion of 'configured salts'. Whatever the user passes in can be the salt, e.g.

Rails::Application.message_verifier("yo bro")

[rafaelfranca]

Updated

[carlosantoniodasilva]

not to

[carlosantoniodasilva]

Seems great 👍

[dhh]

@NZKoz, can you do a final review and merge if we're kosher?

[NZKoz]

My only comment would be to switch the documentation to always be passing a salt/name for the verifier, but that's nit picking.

merge at will @rafaelfranca !

[rafaelfranca]

@NZKoz that make sense. I'll do it since I'll have to fix the conflics

[lukaszx0]

👍

[AquaGeek]

This is awesome — nice work! Would a similar thing for MessageEncryptor be helpful as well?

[rafaelfranca]

@AquaGeek maybe. I'll take a look on this