Update security guide for signed cookie rotations

The example was slightly incorrect. This commit also adds a test case for this example to cookies middleware unit tests.

Update security guide for signed cookie rotations
The example was slightly incorrect. This commit also adds a test case for this example to cookies middleware unit tests.
04a7b716 · Michael Coyne · ac1ee519 · 04a7b716 · 04a7b716
隐藏空白更改
内联并排

Showing with 22 addition and 2 deletion

actionpack/test/dispatch/cookies_test.rb actionpack/test/dispatch/cookies_test.rb +19 -0

guides/source/security.md guides/source/security.md +3 -2

未找到文件。
--- a/actionpack/test/dispatch/cookies_test.rb
+++ b/actionpack/test/dispatch/cookies_test.rb
@@ -917,6 +917,25 @@ def test_use_authenticated_cookie_encryption_uses_legacy_hmac_aes_cbc_encryption
    assert_equal "bar", encryptor.decrypt_and_verify(@response.cookies["foo"])
  end

+  def test_rotating_signed_cookies_digest
+    @request.env["action_dispatch.signed_cookie_digest"] = "SHA256"
+    @request.env["action_dispatch.cookies_rotations"].rotate :signed, digest: "SHA1"
+
+    key_generator = @request.env["action_dispatch.key_generator"]
+
+    old_secret = key_generator.generate_key(@request.env["action_dispatch.signed_cookie_salt"])
+    old_value = ActiveSupport::MessageVerifier.new(old_secret).generate(45)
+
+    @request.headers["Cookie"] = "user_id=#{old_value}"
+    get :get_signed_cookie
+
+    assert_equal 45, @controller.send(:cookies).signed[:user_id]
+
+    secret = key_generator.generate_key(@request.env["action_dispatch.signed_cookie_salt"])
+    verifier = ActiveSupport::MessageVerifier.new(secret, digest: "SHA256")
+    assert_equal 45, verifier.verify(@response.cookies["user_id"])
+  end
+
  def test_legacy_hmac_aes_cbc_encrypted_marshal_cookie_is_upgraded_to_authenticated_encrypted_cookie
    key_generator = @request.env["action_dispatch.key_generator"]
    encrypted_cookie_salt = @request.env["action_dispatch.encrypted_cookie_salt"]

--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -169,11 +169,12 @@ you would first assign the new configuration value:
 Rails.application.config.action_dispatch.signed_cookie_digest = "SHA256"
 ```

-Then you'd set up a rotation with the old configuration to keep it alive.
+Now add a rotation for the old SHA1 digest so existing cookies are
+seamlessly upgraded to the new SHA256 digest.

 ```ruby
 Rails.application.config.action_dispatch.cookies_rotations.tap do |cookies|
-  cookies.rotate :signed, digest: "SHA256"
+  cookies.rotate :signed, digest: "SHA1"
 end
 ```