From 3be5f0895ce479c60dcf757efb936c963fb09970 Mon Sep 17 00:00:00 2001
From: Georg Leciejewski
Date: Wed, 8 Mar 2023 11:34:23 +0100
Subject: [PATCH 1/3] update argon2 to v2.2.0 gem due to errors loading argon2_wrap library with rubygems 3.4.6
---
 Gemfile.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 2219113f..2fd5f26d 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -59,8 +59,8 @@ GEM
 bundler
 rake
 thor (>= 0.14.0)
- argon2 (2.1.1)
- ffi (~> 1.14)
+ argon2 (2.2.0)
+ ffi (~> 1.15)
 ffi-compiler (~> 1.0)
 ast (2.4.2)
 bcrypt (3.1.18)
From a51eceb0388d5d98d852014407c558a5ca3115fd Mon Sep 17 00:00:00 2001
From: Georg Leciejewski
Date: Wed, 8 Mar 2023 13:02:38 +0100
Subject: [PATCH 2/3] add encrypt_cookie option in the same way as signed_cookie. using the new option overrides signed_cookie settings. no tests so far
---
 lib/clearance/configuration.rb | 17 ++++++++
 lib/clearance/session.rb | 44 +++++++++++++++------
 spec/support/request_with_remember_token.rb | 4 +-
 3 files changed, 52 insertions(+), 13 deletions(-)
diff --git a/lib/clearance/configuration.rb b/lib/clearance/configuration.rb
index cb5bc17a..1318b7e0 100644
--- a/lib/clearance/configuration.rb
+++ b/lib/clearance/configuration.rb
@@ -96,6 +96,12 @@ class Configuration
 # @return [Boolean|:migrate]
 attr_reader :signed_cookie
+ # Controls whether cookies are encrypted.
+ # Defaults to `nil` for backwards compatibility.
+ # When not nil overrides signed_cookie settings and if true uses Rails' encrypted cookies
+ # @return [Boolean|:migrate]
+ attr_reader :encrypt_cookie
+
 # The array of sign in guards to run when signing a user in.
 # Defaults to an empty array. Sign in guards respond to `call` and are
 # initialized with a session and the current stack. Each guard can decide
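Review bot: `attr_reader :encrypt_cookie` in the configuration.rb hunk reads `@encrypt_cookie`, while the writer added further down in this file is `encrypted_cookie=` and `initialize` sets `@encrypted_cookie`, so the reader always returns nil and the session code never takes the encrypted path; the third patch in this series renames the reader to `encrypted_cookie`, which removes the mismatch, so the second patch should be squashed into it rather than kept as a separate commit. The YARD tag also disagrees with the prose: the option is documented as defaulting to nil, so it should read `# @return [Boolean|:migrate|nil]` (the same tag is in the third patch's copy of this hunk). Since any non-nil value replaces the `signed_cookie` behaviour entirely, the comment should say so for operators, e.g. `# Setting this to false turns off signing as well; leave it nil to keep the signed_cookie behaviour.`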
@@ -144,6 +150,7 @@ def initialize
 @routes = true
 @secure_cookie = false
 @signed_cookie = false
+ @encrypted_cookie = nil
 @sign_in_guards = []
 @user_parameter = nil
 @sign_in_on_password_reset = true
@@ -159,6 +166,16 @@ def signed_cookie=(value)
 end
 end
+ def encrypted_cookie=(value)
+ if [true, false, :migrate].include? value
+ @encrypted_cookie = value
+ else
+ raise "Clearance's enrcypted_cookie configuration value is invalid. " \
+ "Valid values are true, false, or :migrate. " \
+ "Set this option via Clearance.configure in an initializer"
+ end
+ end
+
 # The class representing the configured user model.
 # In the default configuration, this is the `User` class.
 # @return [Class]
diff --git a/lib/clearance/session.rb b/lib/clearance/session.rb
index 6d25698a..ab0a889b 100644
--- a/lib/clearance/session.rb
+++ b/lib/clearance/session.rb
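Review bot: The error message in `encrypted_cookie=` misspells the option as `enrcypted_cookie`, which will send an operator looking for a setting that does not exist; use `raise "Clearance's encrypted_cookie configuration value is invalid. " \`. The same message, with the same typo, is in the third patch's copy of this hunk. As a point of style, `include? value` without parentheses reads as a command call; `[true, false, :migrate].include?(value)` is the conventional form.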
@@ -108,24 +108,44 @@ def cookies
 # @api private
 def set_remember_token(token)
- case Clearance.configuration.signed_cookie
- when true, :migrate
- cookies.signed[remember_token_cookie] = cookie_options(token)
- when false
- cookies[remember_token_cookie] = cookie_options(token)
+ if !Clearance.configuration.encrypt_cookie.nil?
+ case Clearance.configuration.encrypt_cookie
+ when true, :migrate
+ cookies.encrypted[remember_token_cookie] = cookie_options(token)
+ when false
+ cookies[remember_token_cookie] = cookie_options(token)
+ end
+ else
+ case Clearance.configuration.signed_cookie
+ when true, :migrate
+ cookies.signed[remember_token_cookie] = cookie_options(token)
+ when false
+ cookies[remember_token_cookie] = cookie_options(token)
+ end
 end
 remember_token
 end
 # @api private
 def remember_token
- case Clearance.configuration.signed_cookie
- when true
- cookies.signed[remember_token_cookie]
- when :migrate
- cookies.signed[remember_token_cookie] || cookies[remember_token_cookie]
- when false
- cookies[remember_token_cookie]
+ if !Clearance.configuration.encrypt_cookie.nil?
+ case Clearance.configuration.encrypt_cookie
+ when true
+ cookies.encrypted[remember_token_cookie]
+ when :migrate
+ cookies.encrypted[remember_token_cookie] || cookies[remember_token_cookie]
+ when false
+ cookies[remember_token_cookie]
+ end
+ else
+ case Clearance.configuration.signed_cookie
+ when true
+ cookies.signed[remember_token_cookie]
+ when :migrate
+ cookies.signed[remember_token_cookie] || cookies[remember_token_cookie]
+ when false
+ cookies[remember_token_cookie]
+ end
 end
 end
diff --git a/spec/support/request_with_remember_token.rb b/spec/support/request_with_remember_token.rb
index ba3d6b0f..3cb5303b 100644
--- a/spec/support/request_with_remember_token.rb
+++ b/spec/support/request_with_remember_token.rb
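Review bot: In both `set_remember_token` and `remember_token`, an `encrypt_cookie` value of `false` selects the plain `cookies[...]` jar regardless of `signed_cookie`, so an app that had `signed_cookie = true` and sets the new option to false silently loses the integrity check on the remember token; the `when false` branches should fall through to the `signed_cookie` selection instead of hard-coding the plain jar. The `:migrate` fallback in `remember_token` has the same shape: it reads `cookies[remember_token_cookie]`, so an app moving from signed to encrypted cookies would, as far as I can tell, not recognise its existing signed cookies and would accept an unsigned value during the migration window; the fallback jar should be the signed one whenever signing was enabled. The four near-identical `case` blocks would be easier to keep correct with one jar-selecting helper, sketched below; the same structure is repeated in the third patch's session.rb hunk under the `encrypted_cookie` name.
```ruby
# @api private
# Jar the remember token is written to: encryption wins when enabled, then
# signing, then the plain jar. `false` for encrypt_cookie no longer disables signing.
def remember_token_jar
  config = Clearance.configuration
  if [true, :migrate].include?(config.encrypt_cookie)
    cookies.encrypted
  elsif [true, :migrate].include?(config.signed_cookie)
    cookies.signed
  else
    cookies
  end
end

# @api private
def set_remember_token(token)
  remember_token_jar[remember_token_cookie] = cookie_options(token)
  remember_token
end

# @api private
def remember_token
  config = Clearance.configuration
  token = remember_token_jar[remember_token_cookie]
  return token if token

  if config.encrypt_cookie == :migrate
    # Migrating to encryption: the cookie may still be in the previous jar.
    legacy_jar = [true, :migrate].include?(config.signed_cookie) ? cookies.signed : cookies
    legacy_jar[remember_token_cookie]
  elsif config.encrypt_cookie.nil? && config.signed_cookie == :migrate
    cookies[remember_token_cookie]
  end
end
```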
@@ -1,7 +1,9 @@
 module RememberTokenHelpers
 def request_with_remember_token(remember_token)
 cookies = ActionDispatch::Request.new({}).cookie_jar
- if Clearance.configuration.signed_cookie
+ if Clearance.configuration.encrypt_cookie
+ cookies.encrypted[Clearance.configuration.cookie_name] = remember_token
+ elsif Clearance.configuration.signed_cookie
 cookies.signed[Clearance.configuration.cookie_name] = remember_token
 else
 cookies[Clearance.configuration.cookie_name] = remember_token
From 36cfc31ee7049e6adbe08ee4fae53fb6191d5f06 Mon Sep 17 00:00:00 2001
From: Georg Leciejewski
Date: Wed, 8 Mar 2023 13:02:38 +0100
Subject: [PATCH 3/3] add encrypt_cookie option in the same way as signed_cookie. using the new option overrides signed_cookie settings. no tests so far
---
 lib/clearance/configuration.rb | 17 ++++++++
 lib/clearance/session.rb | 44 +++++++++++++++------
 spec/support/request_with_remember_token.rb | 4 +-
 3 files changed, 52 insertions(+), 13 deletions(-)
diff --git a/lib/clearance/configuration.rb b/lib/clearance/configuration.rb
index cb5bc17a..af0401b7 100644
--- a/lib/clearance/configuration.rb
+++ b/lib/clearance/configuration.rb
@@ -96,6 +96,12 @@ class Configuration
 # @return [Boolean|:migrate]
 attr_reader :signed_cookie
+ # Controls whether cookies are encrypted.
+ # Defaults to `nil` for backwards compatibility.
+ # When not nil overrides signed_cookie settings and if true uses Rails' encrypted cookies
+ # @return [Boolean|:migrate]
+ attr_reader :encrypted_cookie
+
 # The array of sign in guards to run when signing a user in.
 # Defaults to an empty array. Sign in guards respond to `call` and are
 # initialized with a session and the current stack. Each guard can decide
@@ -144,6 +150,7 @@ def initialize
 @routes = true
 @secure_cookie = false
 @signed_cookie = false
+ @encrypted_cookie = nil
 @sign_in_guards = []
 @user_parameter = nil
 @sign_in_on_password_reset = true
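Review bot: `if Clearance.configuration.encrypt_cookie` in the spec helper tests truthiness, so with the option set to `false` the helper falls into the `elsif signed_cookie` branch and writes a signed cookie, whereas `Session#set_remember_token` in this commit treats any non-nil value, `false` included, as a plain cookie; a spec run with `encrypt_cookie = false` would therefore exercise a path the library never takes. If the session keeps that meaning, the helper should mirror it: `elsif Clearance.configuration.encrypt_cookie.nil? && Clearance.configuration.signed_cookie`. The commit message says there are no tests yet; this helper is the only spec-side change, and a spec covering true, false and :migrate for the new option is what would have caught the reader/writer name mismatch in the configuration. The body of `request_with_remember_token` continues past the end of the hunk, and the third patch's copy of this hunk has the same truthiness check.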
@@ -159,6 +166,16 @@ def signed_cookie=(value)
 end
 end
+ def encrypted_cookie=(value)
+ if [true, false, :migrate].include? value
+ @encrypted_cookie = value
+ else
+ raise "Clearance's enrcypted_cookie configuration value is invalid. " \
+ "Valid values are true, false, or :migrate. " \
+ "Set this option via Clearance.configure in an initializer"
+ end
+ end
+
 # The class representing the configured user model.
 # In the default configuration, this is the `User` class.
 # @return [Class]
diff --git a/lib/clearance/session.rb b/lib/clearance/session.rb
index 6d25698a..85a3c7c2 100644
--- a/lib/clearance/session.rb
+++ b/lib/clearance/session.rb
@@ -108,24 +108,44 @@ def cookies
 # @api private
 def set_remember_token(token)
- case Clearance.configuration.signed_cookie
- when true, :migrate
- cookies.signed[remember_token_cookie] = cookie_options(token)
- when false
- cookies[remember_token_cookie] = cookie_options(token)
+ if !Clearance.configuration.encrypted_cookie.nil?
+ case Clearance.configuration.encrypted_cookie
+ when true, :migrate
+ cookies.encrypted[remember_token_cookie] = cookie_options(token)
+ when false
+ cookies[remember_token_cookie] = cookie_options(token)
+ end
+ else
+ case Clearance.configuration.signed_cookie
+ when true, :migrate
+ cookies.signed[remember_token_cookie] = cookie_options(token)
+ when false
+ cookies[remember_token_cookie] = cookie_options(token)
+ end
 end
 remember_token
 end
 # @api private
 def remember_token
- case Clearance.configuration.signed_cookie
- when true
- cookies.signed[remember_token_cookie]
- when :migrate
- cookies.signed[remember_token_cookie] || cookies[remember_token_cookie]
- when false
- cookies[remember_token_cookie]
+ if !Clearance.configuration.encrypted_cookie.nil?
+ case Clearance.configuration.encrypted_cookie
+ when true
+ cookies.encrypted[remember_token_cookie]
+ when :migrate
+ cookies.encrypted[remember_token_cookie] || cookies[remember_token_cookie]
+ when false
+ cookies[remember_token_cookie]
+ end
+ else
+ case Clearance.configuration.signed_cookie
+ when true
+ cookies.signed[remember_token_cookie]
+ when :migrate
+ cookies.signed[remember_token_cookie] || cookies[remember_token_cookie]
+ when false
+ cookies[remember_token_cookie]
+ end
 end
 end
diff --git a/spec/support/request_with_remember_token.rb b/spec/support/request_with_remember_token.rb
index ba3d6b0f..4f84ddbf 100644
--- a/spec/support/request_with_remember_token.rb
+++ b/spec/support/request_with_remember_token.rb
@@ -1,7 +1,9 @@
 module RememberTokenHelpers
 def request_with_remember_token(remember_token)
 cookies = ActionDispatch::Request.new({}).cookie_jar
- if Clearance.configuration.signed_cookie
+ if Clearance.configuration.encrypted_cookie
+ cookies.encrypted[Clearance.configuration.cookie_name] = remember_token
+ elsif Clearance.configuration.signed_cookie
 cookies.signed[Clearance.configuration.cookie_name] = remember_token
 else
 cookies[Clearance.configuration.cookie_name] = remember_token