Add expiry metadata to Cookies and freshen expires option to support duration #30121

Merged
merged 1 commit into from Aug 20, 2017


assain commented Aug 7, 2017

@kaspth

This PR adds:

  • Expiry metadata to signed/encrypted cookies.
  • Duration support to :expires option, i.e. you can specify when the cookie should expire relatively.
    e.g. cookies.signed[:user_name] = { value: "bob", expires: 2.hours }
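
What signing the expiry buys, as an added example that is not code from this PR or from Rails: a simplified signed cookie (the class name, payload layout and secret are assumptions, not ActionDispatch's format) that puts the expiry under the MAC, so a replayed or re-dated cookie is rejected server-side. Its `expires:` takes either a relative number of seconds or an absolute Time, mirroring the duration support described above.

```ruby
require "openssl"
require "json"
require "time"

# Hypothetical stand-in for a signed cookie jar; not ActionDispatch code.
class SignedExpiringCookie
  def initialize(secret)
    @secret = secret
  end

  # expires: a Time (absolute) or a Numeric count of seconds (relative to now).
  def generate(value, expires:, now: Time.now)
    expires_at = expires.is_a?(Numeric) ? now + expires : expires
    json = JSON.generate("value" => value, "exp" => expires_at.getutc.iso8601)
    payload = [json].pack("m0") # strict Base64, no newlines
    "#{payload}--#{sign(payload)}"
  end

  # Returns the value, or nil when the MAC is wrong or the signed expiry passed.
  def verify(cookie, now: Time.now)
    payload, mac = cookie.to_s.split("--", 2)
    return nil unless payload && mac && secure_compare(mac, sign(payload))

    data = JSON.parse(payload.unpack1("m0"))
    Time.iso8601(data["exp"]) > now ? data["value"] : nil
  rescue ArgumentError, TypeError, JSON::ParserError
    nil
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
  end

  # Constant-time comparison so the MAC check does not leak a matching prefix.
  def secure_compare(a, b)
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample: a cookie issued at a fixed time, valid for two hours.
JAR = SignedExpiringCookie.new("constructed-demo-secret")
ISSUED = Time.utc(2017, 8, 15)
COOKIE = JAR.generate("bob", expires: 2 * 60 * 60, now: ISSUED)
```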
rails-bot Aug 7, 2017

Thanks for the pull request, and welcome! The Rails team is excited to review your changes, and you should hear from @sgrif (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

This repository is being automatically checked for code quality issues using Code Climate. You can see results for this analysis in the PR status below. Newly introduced issues should be fixed before a Pull Request is considered ready to review.

Please see the contribution instructions for more information.

@assain assain changed the title from Set Cookie Expiration Using `:expires_in` & `:expires_at` to Set Cookie Expiration Using :expires_in & :expires_at Aug 7, 2017

@assain assain changed the title from Set Cookie Expiration Using :expires_in & :expires_at to Add expires_at metadata to Cookies and freshen expires option to support duration Aug 14, 2017

@kaspth

There's a failing test that now has its signed data changed because we're verifying the integrity of the expiry.

def cookie_expires_in_two_hours
cookies[:user_name] = { value: "assain", expires: 2.hours }
head :ok

@kaspth

kaspth Aug 14, 2017

Member

Why do we need the head :ok? Don't these default to head :no_content?

@assain

assain Aug 15, 2017

Contributor

@kaspth 😄
But, deleting the line throws ActionController::UnknownFormat:
ActionController::UnknownFormat: CookiesTest::TestController#cookie_expires_in_two_hours is missing a template for this request format and variant.

def test_vanilla_cookie_with_expires_set_relatively
travel_to Time.utc(2017, 8, 15) do
get :cookie_expires_in_two_hours
assert_cookie_header "user_name=assain; path=/; expires=Tue, 15 Aug 2017 02:00:00 -0000"

@kaspth

kaspth Aug 16, 2017

Member

Won't this return a different time zone depending on where you run it?

@assain

assain Aug 16, 2017

Contributor

Should I change this? 😅

@kaspth

kaspth Aug 16, 2017

Member

Only if it needs to change, which is what I'm asking you about 😊

@assain

assain Aug 16, 2017

Contributor

I used Time.utc method, since there were other tests using it while setting the :expires option. Was that method the root of your concern? 😅

@kaspth

kaspth Aug 17, 2017

Member

Ah, read utc as new, which isn't the same. But now I'm a little curious why the time is "02:00" and not "00:00".

@assain

assain Aug 17, 2017

Contributor

In get :cookie_expires_in_two_hours the cookie is being set to expire in two hours and since:
Time.utc(2017, 8, 15) => 2017-08-15 00:00:00 UTC
Two hours from_now in rfc 2822:
Tue, 15 Aug 2017 02:00:00 -0000
Hope, I got your question right 😄

@kaspth

kaspth Aug 17, 2017

Member

Ah right, all good 👍

{ expires_at: options[:expires] }
end
end

@assain

assain Aug 17, 2017

Contributor

@kaspth 😄
Here's the suggested changes!

@assain assain changed the title from Add expires_at metadata to Cookies and freshen expires option to support duration to Add expiry metadata to Cookies and freshen expires option to support duration Aug 17, 2017

@kaspth

One final comment, otherwise I think it's there codewise.

We should update the documentation as well.

We'll also need entries in the Action Pack changelog:

  1. That :expires supports ActiveSupport::Durations
  2. That cookie expiry integrity is now enforced for signed/encrypted cookies

Write a title and short description for each.

Later we'll add something to the upgrading guide.

mikeycgto commented Aug 17, 2017

@kaspth kaspth assigned kaspth and unassigned sgrif Aug 19, 2017

@@ -299,7 +304,7 @@ def test_session_store_with_expire_after
get "/no_session_access"
assert_response :success
assert_equal "_myapp_session=#{cookie_body}; path=/; expires=#{expected_expiry}; HttpOnly",
assert_equal "_myapp_session=#{cookies[SessionKey]}; path=/; expires=#{expected_expiry}; HttpOnly",
headers["Set-Cookie"]
end
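
Review bot: In the second assert_equal, the expected cookie value is taken from cookies[SessionKey], which appears to be read back from the response to the get above, so the value part of the comparison against headers["Set-Cookie"] can hardly fail; only path, expires and HttpOnly are still pinned. Consider adding an assertion that the session cookie verifies and that its signed expiry matches expected_expiry, so the test keeps covering the signed payload now that the expiry is part of it.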

@assain

assain Aug 20, 2017

Contributor

Here's the suggested changes @kaspth 😄

@assain

assain Aug 20, 2017

Contributor

@kaspth, The checks have passed 😄

@kaspth kaspth merged commit cdcd6c0 into rails:master Aug 20, 2017

2 checks passed

codeclimate All good!
continuous-integration/travis-ci/pr The Travis CI build passed
@kaspth

kaspth Aug 20, 2017

Member

Indeed they have! 😊

@jfine

jfine Aug 28, 2017

Contributor

Great addition!
