Skip to content

Add Application#message_verifier method to return a message verifier #12995

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Dec 5, 2013
Merged

Add Application#message_verifier method to return a message verifier #12995

merged 12 commits into from
Dec 5, 2013

Conversation

rafaelfranca
Copy link
Member

This verifier can be used to generate and verify signed messages in the application.

message = Rails.application.message_verifier.generate('my sensible data')
Rails.application.message_verifier.verify(message)
# => 'my sensible data'

It is recommended to not use the same verifier to different things, so you can get different verifiers passing the name argument.

message = Rails.application.message_verifier('cookies').generate('my sensible cookie data')

By default all the verifiers will share the same salt, so messages generated by one can be verifier by another one.

We recommend to use different salts to different verifiers and you can configure using config.message_verifier_salts.

Rails.application.config.message_verifier_salts = { 'cookies' => 'cookies salt' }

See the ActiveSupport::MessageVerifier documentation for more information.

@laurocaetano
Copy link
Contributor

❤️ 💚 💛 :shipit:

@NZKoz
Copy link
Member

NZKoz commented Nov 22, 2013

yes, the name is sufficient, no need to second-handle the salt configuration anywhere else. Their sole purpose is to get different deterministic bytes out of the KeyGenerator

carlosantoniodasilva
carlosantoniodasilva reviewed Nov 22, 2013
View reviewed changes
railties/lib/rails/application.rb
#
# This verify can be used to generate and verify signed messages in the application.
#
# It is recommended to not use the same verifier to different things, so you can get different
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not to? And for different things maybe.

@carlosantoniodasilva
Copy link
Member

Great bro 👍

@NZKoz
Copy link
Member

NZKoz commented Nov 24, 2013

I think you can just remove the whole notion of 'configured salts'. Whatever the user passes in can be the salt, e.g.

Rails::Application.message_verifier("yo bro")

@rafaelfranca
Copy link
Member Author

Updated

carlosantoniodasilva
carlosantoniodasilva reviewed Dec 2, 2013
View reviewed changes
railties/CHANGELOG.md
Rails.application.message_verifier.verify(message)
# => 'my sensible data'

It is recommended not not use the same verifier for different things, so you can get different
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not to

@carlosantoniodasilva
Copy link
Member

Seems great 👍

@dhh
Copy link
Member

dhh commented Dec 4, 2013

@NZKoz, can you do a final review and merge if we're kosher?

@NZKoz
Copy link
Member

NZKoz commented Dec 4, 2013

My only comment would be to switch the documentation to always be passing a salt/name for the verifier, but that's nit picking.

merge at will @rafaelfranca !

@rafaelfranca
Copy link
Member Author

@NZKoz that make sense. I'll do it since I'll have to fix the conflics

rafaelfranca added a commit that referenced this pull request Dec 5, 2013
@rafaelfranca
Merge pull request #12995 from rails/application-verifier
4f330b0 
Add Application#message_verifier method to return a message verifier
@rafaelfranca rafaelfranca merged commit 4f330b0 into master Dec 5, 2013
@rafaelfranca rafaelfranca deleted the application-verifier branch December 5, 2013 01:17
@lukaszx0
Copy link
Member

lukaszx0 commented Dec 5, 2013

👍

@AquaGeek
Copy link

AquaGeek commented Jan 3, 2014

This is awesome — nice work! Would a similar thing for MessageEncryptor be helpful as well?

@rafaelfranca
Copy link
Member Author

@AquaGeek maybe. I'll take a look on this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
4.1.0
Development

Successfully merging this pull request may close these issues.
7 participants
@rafaelfranca @laurocaetano @NZKoz @carlosantoniodasilva @dhh @lukaszx0 @AquaGeek