
Add option to make `remember_token` cookie secure

This matters for apps served over HTTPS: without the Secure flag the browser
also sends the auth cookie on any plain-HTTP request to the same host, where it
can be intercepted.

Read more:

* http://blog.teamtreehouse.com/how-to-create-totally-secure-cookies
* http://guides.rubyonrails.org/action_controller_overview.html

Also:

* Fix documentation of `Clearance::Backdoor` (was missing namespace).
1 parent fc1c423 commit eb18df84801f0119d5d388ba110c61bcb8420b95 @mackuba mackuba committed with croaky Mar 25, 2013
@@ -1,7 +1,7 @@
PATH
remote: .
specs:
- clearance (1.0.0.rc5)
+ clearance (1.0.0.rc6)
bcrypt-ruby
email_validator
rails (>= 3.0)
@@ -158,7 +158,7 @@ GEM
treetop (1.4.12)
polyglot
polyglot (>= 0.3.1)
- tzinfo (0.3.35)
+ tzinfo (0.3.37)
xpath (0.1.4)
nokogiri (~> 1.3)
@@ -55,6 +55,7 @@ Override any of the defaults in `config/initializers/clearance.rb`:
Clearance.configure do |config|
config.cookie_expiration = lambda { 1.year.from_now.utc }
+ config.secure_cookie = false
config.mailer_sender = 'reply@example.com'
config.password_strategy = Clearance::PasswordStrategies::BCrypt
config.user_model = User
@@ -1,7 +1,7 @@
PATH
remote: ../
specs:
- clearance (1.0.0.rc5)
+ clearance (1.0.0.rc6)
bcrypt-ruby
email_validator
rails (>= 3.0)
@@ -1,7 +1,7 @@
PATH
remote: ../
specs:
- clearance (1.0.0.rc5)
+ clearance (1.0.0.rc6)
bcrypt-ruby
email_validator
rails (>= 3.0)
@@ -1,7 +1,7 @@
PATH
remote: ../
specs:
- clearance (1.0.0.rc5)
+ clearance (1.0.0.rc6)
bcrypt-ruby
email_validator
rails (>= 3.0)
@@ -10,7 +10,7 @@ module Clearance
# # config/environments/test.rb
# MyRailsApp::Application.configure do
# # ...
- # config.middleware.use ClearanceBackDoor
+ # config.middleware.use Clearance::BackDoor
# # ...
# end
#
@@ -1,10 +1,16 @@
module Clearance
class Configuration
- attr_accessor :cookie_expiration, :mailer_sender, :password_strategy, :user_model
+ attr_accessor \
+ :cookie_expiration,
+ :mailer_sender,
+ :password_strategy,
+ :secure_cookie,
+ :user_model
def initialize
@cookie_expiration = lambda { 1.year.from_now.utc }
@mailer_sender = 'reply@example.com'
+ @secure_cookie = false
end
def user_model
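Review bot: `secure_cookie` is added to the public configuration without any documentation, and its default of `false` at `@secure_cookie = false` means an HTTPS deployment that does not explicitly opt in keeps sending the remember token over plaintext. A comment above the `attr_accessor` list would make the contract and the deployment obligation visible: `# secure_cookie: when true the remember_token cookie carries the Secure flag so browsers only send it over HTTPS; set this to true for any deployment served over TLS.` Consider also stating that the default is kept at `false` only so plain-HTTP development setups keep working. The Configuration class continues past this hunk.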
@@ -12,6 +12,7 @@ def add_cookie_to_headers(headers)
headers, REMEMBER_TOKEN_COOKIE,
:value => current_user.remember_token,
:expires => Clearance.configuration.cookie_expiration.call,
+ :secure => Clearance.configuration.secure_cookie,
:path => '/'
)
end
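Review bot: The cookie written here still has no HttpOnly attribute, so even with the new `:secure => Clearance.configuration.secure_cookie` line the remember token remains readable by any script running on the page, and the Secure flag does nothing against that exfiltration path. If this call is `Rack::Utils.set_cookie_header!` (the helper's name is above the hunk), it accepts `:httponly` alongside the options already passed, so adding `:httponly => true,` next to the `:secure` option would close the gap at no cost, since the token appears to be consumed only server-side. Note that `add_cookie_to_headers` begins outside this hunk.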
@@ -4,6 +4,10 @@
before { Timecop.freeze }
after { Timecop.return }
+ let(:headers) {{}}
+ let(:session) { Clearance::Session.new(env_without_remember_token) }
+ let(:user) { create(:user) }
+
it 'finds a user from a cookie' do
user = create(:user)
env = env_with_remember_token(user.remember_token)
@@ -58,6 +62,33 @@
end
end
+ context 'if secure_cookie is set' do
+ before do
+ Clearance.configuration.secure_cookie = true
+ session.sign_in(user)
+ end
+
+ it 'sets a secure cookie' do
+ session.add_cookie_to_headers(headers)
+
+ headers['Set-Cookie'].should =~ /remember_token=.+; secure/
+ end
+
+ after { restore_default_config }
+ end
+
+ context 'if secure_cookie is not set' do
+ before do
+ session.sign_in(user)
+ end
+
+ it 'sets a standard cookie' do
+ session.add_cookie_to_headers(headers)
+
+ headers['Set-Cookie'].should_not =~ /remember_token=.+; secure/
+ end
+ end
+
it 'does not set a remember token when signed out' do
headers = {}
session = Clearance::Session.new(env_without_remember_token)
@@ -87,11 +118,6 @@ def env_without_remember_token
env_with_cookies({})
end
- def restore_default_config
- Clearance.configuration = nil
- Clearance.configure {}
- end
-
def serialize_cookies(hash)
header = {}
@@ -1,6 +1,8 @@
require 'spec_helper'
describe Clearance::Configuration do
+ after { restore_default_config }
+
describe 'when no user_model_name is specified' do
before do
Clearance.configure do |config|
@@ -31,4 +33,27 @@
Clearance.configuration.user_model.should == ::MyUser
end
end
+
+ describe 'when secure_cookie is set to true' do
+ before do
+ Clearance.configure do |config|
+ config.secure_cookie = true
+ end
+ end
+
+ it 'returns true' do
+ Clearance.configuration.secure_cookie.should be_true
+ end
+ end
+
+ describe 'when secure_cookie is not specified' do
+ before do
+ Clearance.configure do |config|
+ end
+ end
+
+ it 'defaults to false' do
+ Clearance.configuration.secure_cookie.should be_false
+ end
+ end
end
@@ -25,3 +25,8 @@
config.mock_with :mocha
config.use_transactional_fixtures = true
end
+
+def restore_default_config
+ Clearance.configuration = nil
+ Clearance.configure {}
+end
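Review bot: Defining `restore_default_config` as a bare top-level `def` in spec_helper makes it a private method on every object in the test process, which is the usual Ruby footgun for spec helpers. Wrapping it in a module (e.g. `module ConfigurationHelpers`) and registering it with `config.include ConfigurationHelpers` inside the `RSpec.configure` block above keeps the same call sites working while limiting the method to example groups. The helper itself relies on `Clearance.configure {}` rebuilding a fresh configuration when `Clearance.configuration` is nil; a one-line comment stating that assumption would help the next reader.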
