Add Application#message_verifier method to return a message verifier #12995

Merged
merged 12 commits into from Dec 5, 2013

rafaelfranca (Member) commented Nov 22, 2013

This verifier can be used to generate and verify signed messages in the application.

message = Rails.application.message_verifier.generate('my sensible data')
Rails.application.message_verifier.verify(message)
# => 'my sensible data'

It is recommended not to use the same verifier for different things, so you can get different verifiers by passing the name argument.

message = Rails.application.message_verifier('cookies').generate('my sensible cookie data')

By default all the verifiers will share the same salt, so messages generated by one can be verified by another one.

We recommend using different salts for different verifiers, and you can configure them using config.message_verifier_salts.

Rails.application.config.message_verifier_salts = { 'cookies' => 'cookies salt' }

See the ActiveSupport::MessageVerifier documentation for more information.

laurocaetano (Contributor) commented Nov 22, 2013

❤️ 💚 💛 :shipit:

NZKoz (Member) commented Nov 22, 2013

yes, the name is sufficient, no need to second-handle the salt configuration anywhere else. Their sole purpose is to get different deterministic bytes out of the KeyGenerator
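
The effect described in the pull request description and in the comment above (a salt only serves to get different deterministic bytes out of the key generator), as an added Ruby example that is not part of this pull request or of Rails. It is a simplified standard-library stand-in: `SECRET`, `derive_key`, `ToyVerifier`, `verifier_for` and `accepted?` are hypothetical names, and the PBKDF2 and HMAC parameters are assumptions chosen for the illustration.

```ruby
require 'openssl'
require 'json'

# Simplified stand-in, not Rails code. SECRET is a constructed sample value.
SECRET = 'constructed-secret-for-illustration-only'
class InvalidSignature < StandardError; end

# Same secret + different salt => different deterministic key bytes.
def derive_key(secret, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(secret, salt, 1000, 32, OpenSSL::Digest.new('SHA256'))
end

class ToyVerifier
  def initialize(key); @key = key; end

  # Produces "<base64 payload>--<hex HMAC-SHA256>".
  def generate(value)
    data = [JSON.generate([value])].pack('m0')
    "#{data}--#{mac(data)}"
  end

  # Checks the MAC before decoding anything; raises on mismatch.
  def verify(message)
    data, tag = message.to_s.split('--', 2)
    raise InvalidSignature unless data && tag && same?(tag, mac(data))
    JSON.parse(data.unpack1('m0')).first
  end

  private
  def mac(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), @key, data)
  end
  # Constant-time comparison of two equal-length strings.
  def same?(a, b)
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The verifier name doubles as the salt, as suggested in the thread.
def verifier_for(name)
  ToyVerifier.new(derive_key(SECRET, name))
end

def accepted?(verifier, message)
  verifier.verify(message)
  true
rescue InvalidSignature
  false
end
```

A message generated by `verifier_for('cookies')` is accepted by any verifier built with the same name and rejected by `verifier_for('text')`, which is the separation that a shared default salt does not give.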

#
# This verify can be used to generate and verify signed messages in the application.
#
# It is recommended to not use the same verifier to different things, so you can get different

carlosantoniodasilva (Member) commented Nov 22, 2013

not to? And for different things maybe.

# verifiers passing the +verifier_name+ argument.
#
# By default all the verifiers will share the same salt, so messages generated by one can be
# verifier by another one.
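
Review bot: The default described in the last two comment lines, every verifier sharing one salt, means a message signed under one verifier name is accepted under any other name, which works against the recommendation just above it to use separate verifiers for separate purposes. Consider using +verifier_name+ itself as the salt when nothing is configured, and correct "verifier by another one" to "verified by another one".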

# verifier by another one.
#
# It is recommended to use different salts to different verifiers and you can configure using
# `config.message_verifier_salts`.

carlosantoniodasilva (Member) commented Nov 22, 2013

Worth showing how this can be configured here?

salts = {}
end

if config.respond_to?(:default_message_verifier_salt)

carlosantoniodasilva (Member) commented Nov 22, 2013

Should we have these configs already set so we don't need to check for respond_to?

assert_equal 'some_value', verifier.verify(message)
end

test "application verifier use the configured salt" do

assert_not_equal Rails.application.message_verifier.object_id, Rails.application.message_verifier('text').object_id
end

test "application verifier use the configured salt for different verifiers" do
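
Review bot: The assert_not_equal on object_id in the first line only proves that two distinct objects are returned; it would still pass if both verifiers signed with the same key. For the configured-salt case that follows, assert the behaviour that matters: a message generated by message_verifier('text') should raise ActiveSupport::MessageVerifier::InvalidSignature when passed to another verifier's verify.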

carlosantoniodasilva (Member) commented Nov 22, 2013

Great bro 👍

NZKoz (Member) commented Nov 24, 2013

I think you can just remove the whole notion of 'configured salts'. Whatever the user passes in can be the salt, e.g.

Rails::Application.message_verifier("yo bro")

rafaelfranca (Member, Author) commented Dec 2, 2013

Updated

Rails.application.message_verifier.verify(message)
# => 'my sensible data'

It is recommended not not use the same verifier for different things, so you can get different
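
Review bot: The example in the first line calls message_verifier without a name, while the sentence in the last line recommends a separate verifier per purpose; showing a named verifier in the example would keep the documentation consistent with its own advice. The last line also has a doubled word: "not not use" should read "not to use".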

@@ -158,6 +160,31 @@ def key_generator
end
end

# Return a message verifier object.

@@ -158,6 +160,31 @@ def key_generator
end
end

# Return a message verifier object.
#
# This verify can be used to generate and verify signed messages in the application.

carlosantoniodasilva (Member) commented Dec 2, 2013

This verifier.

carlosantoniodasilva (Member) commented Dec 3, 2013

Seems great 👍

dhh (Member) commented Dec 4, 2013

@NZKoz, can you do a final review and merge if we're kosher?

NZKoz (Member) commented Dec 4, 2013

My only comment would be to switch the documentation to always be passing a salt/name for the verifier, but that's nitpicking.

Merge at will, @rafaelfranca!

rafaelfranca (Member, Author) commented Dec 4, 2013

@NZKoz that makes sense. I'll do it since I'll have to fix the conflicts.

rafaelfranca added a commit that referenced this pull request Dec 5, 2013
Add Application#message_verifier method to return a message verifier
rafaelfranca merged commit 4f330b0 into master Dec 5, 2013
rafaelfranca deleted the application-verifier branch Dec 5, 2013

lukaszx0 (Member) commented Dec 5, 2013

👍

AquaGeek commented Jan 3, 2014

This is awesome — nice work! Would a similar thing for MessageEncryptor be helpful as well?

rafaelfranca (Member, Author) commented Jan 3, 2014

@AquaGeek maybe. I'll take a look at this.
