actionpack 5.1.7 → 5.2.4.3

data/lib/action_dispatch/http/url.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/module/attribute_accessors"
 
 module ActionDispatch
@@ -7,8 +9,7 @@ module ActionDispatch
       HOST_REGEXP     = /(^[^:]+:\/\/)?(\[[^\]]+\]|[^:]+)(?::(\d+$))?/
       PROTOCOL_REGEXP = /^([^:]+)(:)?(\/\/)?$/
 
-      mattr_accessor :tld_length
-      self.tld_length = 1
+      mattr_accessor :tld_length, default: 1
 
       class << self
         # Returns the domain part of a host given the domain level.
@@ -101,10 +102,8 @@ module ActionDispatch
         end
 
         def add_trailing_slash(path)
-          # includes querysting
           if path.include?("?")
             path.sub!(/\?/, '/\&')
-          # does not have a .format
           elsif !path.include?(".")
             path.sub!(/[^\/]\z|\A\z/, '\&/')
           end
@@ -158,7 +157,7 @@ module ActionDispatch
           subdomain  = options.fetch :subdomain, true
           domain     = options[:domain]
 
-          host = ""
+          host = "".dup
           if subdomain == true
             return _host if domain.nil?
 
@@ -275,7 +274,7 @@ module ActionDispatch
       def standard_port
         case protocol
         when "https://" then 443
-          else 80
+        else 80
         end
       end
 

data/lib/action_dispatch/journey.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "action_dispatch/journey/router"
 require "action_dispatch/journey/gtg/builder"
 require "action_dispatch/journey/gtg/simulator"

data/lib/action_dispatch/journey/formatter.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "action_controller/metal/exceptions"
 
 module ActionDispatch
@@ -15,7 +17,7 @@ module ActionDispatch
 
       def generate(name, options, path_parameters, parameterize = nil)
         constraints = path_parameters.merge(options)
-        missing_keys = nil # need for variable scope
+        missing_keys = nil
 
         match_route(name, constraints) do |route|
           parameterized_parts = extract_parameterized_parts(route, options, path_parameters, parameterize)
@@ -48,7 +50,7 @@ module ActionDispatch
         unmatched_keys = (missing_keys || []) & constraints.keys
         missing_keys = (missing_keys || []) - unmatched_keys
 
-        message = "No route matches #{Hash[constraints.sort_by { |k, v| k.to_s }].inspect}"
+        message = "No route matches #{Hash[constraints.sort_by { |k, v| k.to_s }].inspect}".dup
         message << ", missing required keys: #{missing_keys.sort.inspect}" if missing_keys && !missing_keys.empty?
         message << ", possible unmatched constraints: #{unmatched_keys.sort.inspect}" if unmatched_keys && !unmatched_keys.empty?
 

data/lib/action_dispatch/journey/gtg/builder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "action_dispatch/journey/gtg/transition_table"
 
 module ActionDispatch

data/lib/action_dispatch/journey/gtg/simulator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "strscan"
 
 module ActionDispatch
@@ -18,14 +20,6 @@ module ActionDispatch
           @tt = transition_table
         end
 
-        def simulate(string)
-          ms = memos(string) { return }
-          MatchData.new(ms)
-        end
-
-        alias :=~    :simulate
-        alias :match :simulate
-
         def memos(string)
           input = StringScanner.new(string)
           state = [0]

data/lib/action_dispatch/journey/gtg/transition_table.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "action_dispatch/journey/nfa/dot"
 
 module ActionDispatch
@@ -82,7 +84,7 @@ module ActionDispatch
         end
 
         def visualizer(paths, title = "FSM")
-          viz_dir   = File.join File.dirname(__FILE__), "..", "visualizer"
+          viz_dir   = File.join __dir__, "..", "visualizer"
           fsm_js    = File.read File.join(viz_dir, "fsm.js")
           fsm_css   = File.read File.join(viz_dir, "fsm.css")
           erb       = File.read File.join(viz_dir, "index.html.erb")
@@ -109,7 +111,6 @@ module ActionDispatch
           svg         = to_svg
           javascripts = [states, fsm_js]
 
-          # Annoying hack warnings
           fun_routes  = fun_routes
           stylesheets = stylesheets
           svg         = svg

data/lib/action_dispatch/journey/nfa/builder.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "action_dispatch/journey/nfa/transition_table"
 require "action_dispatch/journey/gtg/transition_table"
 

data/lib/action_dispatch/journey/nfa/dot.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionDispatch
   module Journey # :nodoc:
     module NFA # :nodoc:
@@ -7,16 +9,16 @@ module ActionDispatch
             "  #{from} -> #{to} [label=\"#{sym || 'ε'}\"];"
           }
 
-          #memo_nodes = memos.values.flatten.map { |n|
-          #  label = n
-          #  if Journey::Route === n
-          #    label = "#{n.verb.source} #{n.path.spec}"
-          #  end
-          #  "  #{n.object_id} [label=\"#{label}\", shape=box];"
-          #}
-          #memo_edges = memos.flat_map { |k, memos|
-          #  (memos || []).map { |v| "  #{k} -> #{v.object_id};" }
-          #}.uniq
+          # memo_nodes = memos.values.flatten.map { |n|
+          #   label = n
+          #   if Journey::Route === n
+          #     label = "#{n.verb.source} #{n.path.spec}"
+          #   end
+          #   "  #{n.object_id} [label=\"#{label}\", shape=box];"
+          # }
+          # memo_edges = memos.flat_map { |k, memos|
+          #   (memos || []).map { |v| "  #{k} -> #{v.object_id};" }
+          # }.uniq
 
           <<-eodot
 digraph nfa {

data/lib/action_dispatch/journey/nfa/simulator.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "strscan"
 
 module ActionDispatch

data/lib/action_dispatch/journey/nfa/transition_table.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "action_dispatch/journey/nfa/dot"
 
 module ActionDispatch

data/lib/action_dispatch/journey/nodes/node.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "action_dispatch/journey/visitors"
 
 module ActionDispatch

data/lib/action_dispatch/journey/parser_extras.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "action_dispatch/journey/scanner"
 require "action_dispatch/journey/nodes/node"
 

data/lib/action_dispatch/journey/path/pattern.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionDispatch
   module Journey # :nodoc:
     module Path # :nodoc:
@@ -117,7 +119,8 @@ module ActionDispatch
 
         class UnanchoredRegexp < AnchoredRegexp # :nodoc:
           def accept(node)
-            %r{\A#{visit node}}
+            path = visit node
+            path == "/" ? %r{\A/} : %r{\A#{path}(?:\b|\Z|/)}
           end
         end
 

data/lib/action_dispatch/journey/route.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionDispatch
   # :stopdoc:
   module Journey
@@ -10,11 +12,11 @@ module ActionDispatch
       module VerbMatchers
         VERBS = %w{ DELETE GET HEAD OPTIONS LINK PATCH POST PUT TRACE UNLINK }
         VERBS.each do |v|
-          class_eval <<-eoc
-          class #{v}
-            def self.verb; name.split("::").last; end
-            def self.call(req); req.#{v.downcase}?; end
-          end
+          class_eval <<-eoc, __FILE__, __LINE__ + 1
+            class #{v}
+              def self.verb; name.split("::").last; end
+              def self.call(req); req.#{v.downcase}?; end
+            end
           eoc
         end
 
@@ -89,8 +91,15 @@ module ActionDispatch
         end
       end
 
+      # Needed for `rails routes`. Picks up succinctly defined requirements
+      # for a route, for example route
+      #
+      #   get 'photo/:id', :controller => 'photos', :action => 'show',
+      #     :id => /[A-Z]\d{5}/
+      #
+      # will have {:controller=>"photos", :action=>"show", :id=>/[A-Z]\d{5}/}
+      # as requirements.
       def requirements
-        # needed for rails `rails routes`
         @defaults.merge(path.requirements).delete_if { |_, v|
           /.+?/ == v
         }

data/lib/action_dispatch/journey/router.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "action_dispatch/journey/router/utils"
 require "action_dispatch/journey/routes"
 require "action_dispatch/journey/formatter"
@@ -59,7 +61,7 @@ module ActionDispatch
           return [status, headers, body]
         end
 
-        return [404, { "X-Cascade" => "pass" }, ["Not Found"]]
+        [404, { "X-Cascade" => "pass" }, ["Not Found"]]
       end
 
       def recognize(rails_req)

data/lib/action_dispatch/journey/router/utils.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionDispatch
   module Journey # :nodoc:
     class Router # :nodoc:
@@ -5,7 +7,7 @@ module ActionDispatch
         # Normalizes URI path.
         #
         # Strips off trailing slash and ensures there is a leading slash.
-        # Also converts downcase url encoded string to uppercase.
+        # Also converts downcase URL encoded string to uppercase.
         #
         #   normalize_path("/foo")  # => "/foo"
         #   normalize_path("/foo/") # => "/foo"
@@ -13,23 +15,24 @@ module ActionDispatch
         #   normalize_path("")      # => "/"
         #   normalize_path("/%ab")  # => "/%AB"
         def self.normalize_path(path)
+          path ||= ""
           encoding = path.encoding
-          path = "/#{path}"
+          path = "/#{path}".dup
           path.squeeze!("/".freeze)
           path.sub!(%r{/+\Z}, "".freeze)
           path.gsub!(/(%[a-f0-9]{2})/) { $1.upcase }
-          path = "/" if path == "".freeze
+          path = "/".dup if path == "".freeze
           path.force_encoding(encoding)
           path
         end
 
         # URI path and fragment escaping
-        # http://tools.ietf.org/html/rfc3986
+        # https://tools.ietf.org/html/rfc3986
         class UriEncoder # :nodoc:
           ENCODE   = "%%%02X".freeze
           US_ASCII = Encoding::US_ASCII
           UTF_8    = Encoding::UTF_8
-          EMPTY    = "".force_encoding(US_ASCII).freeze
+          EMPTY    = "".dup.force_encoding(US_ASCII).freeze
           DEC2HEX  = (0..255).to_a.map { |i| ENCODE % i }.map { |s| s.force_encoding(US_ASCII) }
 
           ALPHA = "a-zA-Z".freeze
@@ -61,11 +64,11 @@ module ActionDispatch
           end
 
           private
-            def escape(component, pattern) # :doc:
+            def escape(component, pattern)
               component.gsub(pattern) { |unsafe| percent_encode(unsafe) }.force_encoding(US_ASCII)
             end
 
-            def percent_encode(unsafe) # :doc:
+            def percent_encode(unsafe)
               safe = EMPTY.dup
               unsafe.each_byte { |b| safe << DEC2HEX[b] }
               safe
@@ -86,6 +89,10 @@ module ActionDispatch
           ENCODER.escape_fragment(fragment.to_s)
         end
 
+        # Replaces any escaped sequences with their unescaped representations.
+        #
+        #   uri = "/topics?title=Ruby%20on%20Rails"
+        #   unescape_uri(uri)  #=> "/topics?title=Ruby on Rails"
         def self.unescape_uri(uri)
           ENCODER.unescape_uri(uri)
         end

data/lib/action_dispatch/journey/routes.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionDispatch
   module Journey # :nodoc:
     # The Routing table. Contains all routes for a system. Routes can be
@@ -49,7 +51,7 @@ module ActionDispatch
       def ast
         @ast ||= begin
           asts = anchored_routes.map(&:ast)
-          Nodes::Or.new(asts) unless asts.empty?
+          Nodes::Or.new(asts)
         end
       end
 

data/lib/action_dispatch/journey/scanner.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+
 require "strscan"
 
 module ActionDispatch

data/lib/action_dispatch/journey/visitors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionDispatch
   # :stopdoc:
   module Journey
@@ -154,7 +156,7 @@ module ActionDispatch
         end
       end
 
-      # Loop through the requirements AST
+      # Loop through the requirements AST.
       class Each < FunctionalVisitor # :nodoc:
         def visit(node, block)
           block.call(node)
@@ -175,7 +177,7 @@ module ActionDispatch
             last_child = node.children.last
             node.children.inject(seed) { |s, c|
               string = visit(c, s)
-              string << "|".freeze unless last_child == c
+              string << "|" unless last_child == c
               string
             }
           end
@@ -185,7 +187,7 @@ module ActionDispatch
           end
 
           def visit_GROUP(node, seed)
-            visit(node.left, seed << "(".freeze) << ")".freeze
+            visit(node.left, seed.dup << "(") << ")"
           end
 
           INSTANCE = new

data/lib/action_dispatch/middleware/callbacks.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ActionDispatch
   # Provides callbacks to be executed before and after dispatching the request.
   class Callbacks

data/lib/action_dispatch/middleware/cookies.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/hash/keys"
 require "active_support/key_generator"
 require "active_support/message_verifier"
@@ -43,6 +45,22 @@ module ActionDispatch
       get_header Cookies::ENCRYPTED_SIGNED_COOKIE_SALT
     end
 
+    def authenticated_encrypted_cookie_salt
+      get_header Cookies::AUTHENTICATED_ENCRYPTED_COOKIE_SALT
+    end
+
+    def use_authenticated_cookie_encryption
+      get_header Cookies::USE_AUTHENTICATED_COOKIE_ENCRYPTION
+    end
+
+    def encrypted_cookie_cipher
+      get_header Cookies::ENCRYPTED_COOKIE_CIPHER
+    end
+
+    def signed_cookie_digest
+      get_header Cookies::SIGNED_COOKIE_DIGEST
+    end
+
     def secret_token
       get_header Cookies::SECRET_TOKEN
     end
@@ -58,6 +76,11 @@ module ActionDispatch
     def cookies_digest
       get_header Cookies::COOKIES_DIGEST
     end
+
+    def cookies_rotations
+      get_header Cookies::COOKIES_ROTATIONS
+    end
+
     # :startdoc:
   end
 
@@ -77,16 +100,17 @@ module ActionDispatch
   #   cookies[:lat_lon] = JSON.generate([47.68, -122.37])
   #
   #   # Sets a cookie that expires in 1 hour.
-  #   cookies[:login] = { value: "XJ-122", expires: 1.hour.from_now }
+  #   cookies[:login] = { value: "XJ-122", expires: 1.hour }
+  #
+  #   # Sets a cookie that expires at a specific time.
+  #   cookies[:login] = { value: "XJ-122", expires: Time.utc(2020, 10, 15, 5) }
   #
   #   # Sets a signed cookie, which prevents users from tampering with its value.
-  #   # The cookie is signed by your app's `secrets.secret_key_base` value.
   #   # It can be read using the signed method `cookies.signed[:name]`
   #   cookies.signed[:user_id] = current_user.id
   #
   #   # Sets an encrypted cookie value before sending it to the client which
   #   # prevent users from reading and tampering with its value.
-  #   # The cookie is signed by your app's `secrets.secret_key_base` value.
   #   # It can be read using the encrypted method `cookies.encrypted[:name]`
   #   cookies.encrypted[:discount] = 45
   #
@@ -94,7 +118,7 @@ module ActionDispatch
   #   cookies.permanent[:login] = "XJ-122"
   #
   #   # You can also chain these methods:
-  #   cookies.permanent.signed[:login] = "XJ-122"
+  #   cookies.signed.permanent[:login] = "XJ-122"
   #
   # Examples of reading:
   #
@@ -112,7 +136,7 @@ module ActionDispatch
   #
   #  cookies[:name] = {
   #    value: 'a yummy cookie',
-  #    expires: 1.year.from_now,
+  #    expires: 1.year,
   #    domain: 'domain.com'
   #  }
   #
@@ -137,8 +161,8 @@ module ActionDispatch
   #
   # * <tt>:tld_length</tt> - When using <tt>:domain => :all</tt>, this option can be used to explicitly
   #   set the TLD length when using a short (<= 3 character) domain that is being interpreted as part of a TLD.
-  #   For example, to share cookies between user1.lvh.me and user2.lvh.me, set <tt>:tld_length</tt> to 1.
-  # * <tt>:expires</tt> - The time at which this cookie expires, as a \Time object.
+  #   For example, to share cookies between user1.lvh.me and user2.lvh.me, set <tt>:tld_length</tt> to 2.
+  # * <tt>:expires</tt> - The time at which this cookie expires, as a \Time or ActiveSupport::Duration object.
   # * <tt>:secure</tt> - Whether this cookie is only transmitted to HTTPS servers.
   #   Default is +false+.
   # * <tt>:httponly</tt> - Whether this cookie is accessible via scripting or
@@ -149,10 +173,15 @@ module ActionDispatch
     SIGNED_COOKIE_SALT = "action_dispatch.signed_cookie_salt".freeze
     ENCRYPTED_COOKIE_SALT = "action_dispatch.encrypted_cookie_salt".freeze
     ENCRYPTED_SIGNED_COOKIE_SALT = "action_dispatch.encrypted_signed_cookie_salt".freeze
+    AUTHENTICATED_ENCRYPTED_COOKIE_SALT = "action_dispatch.authenticated_encrypted_cookie_salt".freeze
+    USE_AUTHENTICATED_COOKIE_ENCRYPTION = "action_dispatch.use_authenticated_cookie_encryption".freeze
+    ENCRYPTED_COOKIE_CIPHER = "action_dispatch.encrypted_cookie_cipher".freeze
+    SIGNED_COOKIE_DIGEST = "action_dispatch.signed_cookie_digest".freeze
     SECRET_TOKEN = "action_dispatch.secret_token".freeze
     SECRET_KEY_BASE = "action_dispatch.secret_key_base".freeze
     COOKIES_SERIALIZER = "action_dispatch.cookies_serializer".freeze
     COOKIES_DIGEST = "action_dispatch.cookies_digest".freeze
+    COOKIES_ROTATIONS = "action_dispatch.cookies_rotations".freeze
 
     # Cookies can typically store 4096 bytes.
     MAX_COOKIE_SIZE = 4096
@@ -160,7 +189,7 @@ module ActionDispatch
     # Raised when storing more than 4K of session data.
     CookieOverflow = Class.new StandardError
 
-    # Include in a cookie jar to allow chaining, e.g. cookies.permanent.signed
+    # Include in a cookie jar to allow chaining, e.g. cookies.permanent.signed.
     module ChainedCookieJars
       # Returns a jar that'll automatically set the assigned cookies to have an expiration date 20 years from now. Example:
       #
@@ -181,10 +210,10 @@ module ActionDispatch
       # the cookie again. This is useful for creating cookies with values that the user is not supposed to change. If a signed
       # cookie was tampered with by the user (or a 3rd party), +nil+ will be returned.
       #
-      # If +secrets.secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
+      # If +secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
       # legacy cookies signed with the old key generator will be transparently upgraded.
       #
-      # This jar requires that you set a suitable secret for the verification on your app's +secrets.secret_key_base+.
+      # This jar requires that you set a suitable secret for the verification on your app's +secret_key_base+.
       #
       # Example:
       #
@@ -193,35 +222,28 @@ module ActionDispatch
       #
       #   cookies.signed[:discount] # => 45
       def signed
-        @signed ||=
-          if upgrade_legacy_signed_cookies?
-            UpgradeLegacySignedCookieJar.new(self)
-          else
-            SignedCookieJar.new(self)
-          end
+        @signed ||= SignedKeyRotatingCookieJar.new(self)
       end
 
       # Returns a jar that'll automatically encrypt cookie values before sending them to the client and will decrypt them for read.
       # If the cookie was tampered with by the user (or a 3rd party), +nil+ will be returned.
       #
-      # If +secrets.secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
+      # If +secret_key_base+ and +secrets.secret_token+ (deprecated) are both set,
       # legacy cookies signed with the old key generator will be transparently upgraded.
       #
-      # This jar requires that you set a suitable secret for the verification on your app's +secrets.secret_key_base+.
+      # If +config.action_dispatch.encrypted_cookie_salt+ and +config.action_dispatch.encrypted_signed_cookie_salt+
+      # are both set, legacy cookies encrypted with HMAC AES-256-CBC will be transparently upgraded.
+      #
+      # This jar requires that you set a suitable secret for the verification on your app's +secret_key_base+.
       #
       # Example:
       #
       #   cookies.encrypted[:discount] = 45
-      #   # => Set-Cookie: discount=ZS9ZZ1R4cG1pcUJ1bm80anhQang3dz09LS1mbDZDSU5scGdOT3ltQ2dTdlhSdWpRPT0%3D--ab54663c9f4e3bc340c790d6d2b71e92f5b60315; path=/
+      #   # => Set-Cookie: discount=DIQ7fw==--K3n//8vvnSbGq9dA--7Xh91HfLpwzbj1czhBiwOg==; path=/
       #
       #   cookies.encrypted[:discount] # => 45
       def encrypted
-        @encrypted ||=
-          if upgrade_legacy_signed_cookies?
-            UpgradeLegacyEncryptedCookieJar.new(self)
-          else
-            EncryptedCookieJar.new(self)
-          end
+        @encrypted ||= EncryptedKeyRotatingCookieJar.new(self)
       end
 
       # Returns the +signed+ or +encrypted+ jar, preferring +encrypted+ if +secret_key_base+ is set.
@@ -240,29 +262,20 @@ module ActionDispatch
         def upgrade_legacy_signed_cookies?
           request.secret_token.present? && request.secret_key_base.present?
         end
-    end
 
-    # Passing the ActiveSupport::MessageEncryptor::NullSerializer downstream
-    # to the Message{Encryptor,Verifier} allows us to handle the
-    # (de)serialization step within the cookie jar, which gives us the
-    # opportunity to detect and migrate legacy cookies.
-    module VerifyAndUpgradeLegacySignedMessage # :nodoc:
-      def initialize(*args)
-        super
-        @legacy_verifier = ActiveSupport::MessageVerifier.new(request.secret_token, serializer: ActiveSupport::MessageEncryptor::NullSerializer)
-      end
+        def upgrade_legacy_hmac_aes_cbc_cookies?
+          request.secret_key_base.present? &&
+            request.encrypted_signed_cookie_salt.present? &&
+            request.encrypted_cookie_salt.present? &&
+            request.use_authenticated_cookie_encryption
+        end
 
-      def verify_and_upgrade_legacy_signed_message(name, signed_message)
-        deserialize(name, @legacy_verifier.verify(signed_message)).tap do |value|
-          self[name] = { value: value }
+        def encrypted_cookie_cipher
+          request.encrypted_cookie_cipher || "aes-256-gcm"
         end
-      rescue ActiveSupport::MessageVerifier::InvalidSignature
-        nil
-      end
 
-      private
-        def parse(name, signed_message)
-          super || verify_and_upgrade_legacy_signed_message(name, signed_message)
+        def signed_cookie_digest
+          request.signed_cookie_digest || "SHA1"
         end
     end
 
@@ -325,6 +338,9 @@ module ActionDispatch
       end
       alias :has_key? :key?
 
+      # Returns the cookies as Hash.
+      alias :to_hash :to_h
+
       def update(other_hash)
         @cookies.update other_hash.stringify_keys
         self
@@ -341,20 +357,24 @@ module ActionDispatch
         @cookies.map { |k, v| "#{escape(k)}=#{escape(v)}" }.join "; "
       end
 
-      def handle_options(options) #:nodoc:
+      def handle_options(options) # :nodoc:
+        if options[:expires].respond_to?(:from_now)
+          options[:expires] = options[:expires].from_now
+        end
+
         options[:path] ||= "/"
 
         if options[:domain] == :all || options[:domain] == "all"
-          # if there is a provided tld length then we use it otherwise default domain regexp
+          # If there is a provided tld length then we use it otherwise default domain regexp.
           domain_regexp = options[:tld_length] ? /([^.]+\.?){#{options[:tld_length]}}$/ : DOMAIN_REGEXP
 
-          # if host is not ip and matches domain regexp
+          # If host is not ip and matches domain regexp.
           # (ip confirms to domain regexp so we explicitly check for ip)
           options[:domain] = if (request.host !~ /^[\d.]+$/) && (request.host =~ domain_regexp)
             ".#{$&}"
           end
         elsif options[:domain].is_a? Array
-          # if host matches one of the supplied domains without a dot in front of it
+          # If host matches one of the supplied domains without a dot in front of it.
           options[:domain] = options[:domain].find { |domain| request.host.include? domain.sub(/^\./, "") }
         end
       end
@@ -404,7 +424,7 @@ module ActionDispatch
         @delete_cookies[name.to_s] == options
       end
 
-      # Removes all cookies on the client machine by calling <tt>delete</tt> for each cookie
+      # Removes all cookies on the client machine by calling <tt>delete</tt> for each cookie.
       def clear(options = {})
         @cookies.each_key { |k| delete(k, options) }
       end
@@ -415,8 +435,7 @@ module ActionDispatch
         end
       end
 
-      mattr_accessor :always_write_cookie
-      self.always_write_cookie = false
+      mattr_accessor :always_write_cookie, default: false
 
       private
 
@@ -470,6 +489,18 @@ module ActionDispatch
         def request; @parent_jar.request; end
 
       private
+        def expiry_options(options)
+          if request.use_authenticated_cookie_encryption
+            if options[:expires].respond_to?(:from_now)
+              { expires_in: options[:expires] }
+            else
+              { expires_at: options[:expires] }
+            end
+          else
+            {}
+          end
+        end
+
         def parse(name, data); data; end
         def commit(options); end
     end
@@ -493,6 +524,7 @@ module ActionDispatch
 
     module SerializedCookieJars # :nodoc:
       MARSHAL_SIGNATURE = "\x04\x08".freeze
+      SERIALIZER = ActiveSupport::MessageEncryptor::NullSerializer
 
       protected
         def needs_migration?(value)
@@ -503,12 +535,16 @@ module ActionDispatch
           serializer.dump(value)
         end
 
-        def deserialize(name, value)
+        def deserialize(name)
+          rotate = false
+          value  = yield -> { rotate = true }
+
           if value
-            if needs_migration?(value)
-              Marshal.load(value).tap do |v|
-                self[name] = { value: v }
-              end
+            case
+            when needs_migration?(value)
+              self[name] = Marshal.load(value)
+            when rotate
+              self[name] = serializer.load(value)
             else
               serializer.load(value)
             end
@@ -530,77 +566,98 @@ module ActionDispatch
         def digest
           request.cookies_digest || "SHA1"
         end
-
-        def key_generator
-          request.key_generator
-        end
     end
 
-    class SignedCookieJar < AbstractCookieJar # :nodoc:
+    class SignedKeyRotatingCookieJar < AbstractCookieJar # :nodoc:
       include SerializedCookieJars
 
       def initialize(parent_jar)
         super
-        secret = key_generator.generate_key(request.signed_cookie_salt)
-        @verifier = ActiveSupport::MessageVerifier.new(secret, digest: digest, serializer: ActiveSupport::MessageEncryptor::NullSerializer)
+
+        secret = request.key_generator.generate_key(request.signed_cookie_salt)
+        @verifier = ActiveSupport::MessageVerifier.new(secret, digest: signed_cookie_digest, serializer: SERIALIZER)
+
+        request.cookies_rotations.signed.each do |*secrets, **options|
+          @verifier.rotate(*secrets, serializer: SERIALIZER, **options)
+        end
+
+        if upgrade_legacy_signed_cookies?
+          @verifier.rotate request.secret_token, serializer: SERIALIZER
+        end
       end
 
       private
         def parse(name, signed_message)
-          deserialize name, @verifier.verified(signed_message)
+          deserialize(name) do |rotate|
+            @verifier.verified(signed_message, on_rotation: rotate)
+          end
         end
 
         def commit(options)
-          options[:value] = @verifier.generate(serialize(options[:value]))
+          options[:value] = @verifier.generate(serialize(options[:value]), expiry_options(options))
 
           raise CookieOverflow if options[:value].bytesize > MAX_COOKIE_SIZE
         end
     end
 
-    # UpgradeLegacySignedCookieJar is used instead of SignedCookieJar if
-    # secrets.secret_token and secrets.secret_key_base are both set. It reads
-    # legacy cookies signed with the old dummy key generator and signs and
-    # re-saves them using the new key generator to provide a smooth upgrade path.
-    class UpgradeLegacySignedCookieJar < SignedCookieJar #:nodoc:
-      include VerifyAndUpgradeLegacySignedMessage
-    end
-
-    class EncryptedCookieJar < AbstractCookieJar # :nodoc:
+    class EncryptedKeyRotatingCookieJar < AbstractCookieJar # :nodoc:
       include SerializedCookieJars
 
       def initialize(parent_jar)
         super
 
-        if ActiveSupport::LegacyKeyGenerator === key_generator
-          raise "You didn't set secrets.secret_key_base, which is required for this cookie jar. " \
-            "Read the upgrade documentation to learn more about this new config option."
+        if request.use_authenticated_cookie_encryption
+          key_len = ActiveSupport::MessageEncryptor.key_len(encrypted_cookie_cipher)
+          secret = request.key_generator.generate_key(request.authenticated_encrypted_cookie_salt, key_len)
+          @encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: encrypted_cookie_cipher, serializer: SERIALIZER)
+        else
+          key_len = ActiveSupport::MessageEncryptor.key_len("aes-256-cbc")
+          secret = request.key_generator.generate_key(request.encrypted_cookie_salt, key_len)
+          sign_secret = request.key_generator.generate_key(request.encrypted_signed_cookie_salt)
+          @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, cipher: "aes-256-cbc", serializer: SERIALIZER)
+        end
+
+        request.cookies_rotations.encrypted.each do |*secrets, **options|
+          @encryptor.rotate(*secrets, serializer: SERIALIZER, **options)
+        end
+
+        if upgrade_legacy_hmac_aes_cbc_cookies?
+          legacy_cipher = "aes-256-cbc"
+          secret = request.key_generator.generate_key(request.encrypted_cookie_salt, ActiveSupport::MessageEncryptor.key_len(legacy_cipher))
+          sign_secret = request.key_generator.generate_key(request.encrypted_signed_cookie_salt)
+
+          @encryptor.rotate(secret, sign_secret, cipher: legacy_cipher, digest: digest, serializer: SERIALIZER)
         end
 
-        secret = key_generator.generate_key(request.encrypted_cookie_salt || "")[0, ActiveSupport::MessageEncryptor.key_len]
-        sign_secret = key_generator.generate_key(request.encrypted_signed_cookie_salt || "")
-        @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, digest: digest, serializer: ActiveSupport::MessageEncryptor::NullSerializer)
+        if upgrade_legacy_signed_cookies?
+          @legacy_verifier = ActiveSupport::MessageVerifier.new(request.secret_token, digest: digest, serializer: SERIALIZER)
+        end
       end
 
       private
         def parse(name, encrypted_message)
-          deserialize name, @encryptor.decrypt_and_verify(encrypted_message)
-        rescue ActiveSupport::MessageVerifier::InvalidSignature, ActiveSupport::MessageEncryptor::InvalidMessage
-          nil
+          deserialize(name) do |rotate|
+            @encryptor.decrypt_and_verify(encrypted_message, on_rotation: rotate)
+          end
+        rescue ActiveSupport::MessageEncryptor::InvalidMessage, ActiveSupport::MessageVerifier::InvalidSignature
+          parse_legacy_signed_message(name, encrypted_message)
         end
 
         def commit(options)
-          options[:value] = @encryptor.encrypt_and_sign(serialize(options[:value]))
+          options[:value] = @encryptor.encrypt_and_sign(serialize(options[:value]), expiry_options(options))
 
           raise CookieOverflow if options[:value].bytesize > MAX_COOKIE_SIZE
         end
-    end
 
-    # UpgradeLegacyEncryptedCookieJar is used by ActionDispatch::Session::CookieStore
-    # instead of EncryptedCookieJar if secrets.secret_token and secrets.secret_key_base
-    # are both set. It reads legacy cookies signed with the old dummy key generator and
-    # encrypts and re-saves them using the new key generator to provide a smooth upgrade path.
-    class UpgradeLegacyEncryptedCookieJar < EncryptedCookieJar #:nodoc:
-      include VerifyAndUpgradeLegacySignedMessage
+        def parse_legacy_signed_message(name, legacy_signed_message)
+          if defined?(@legacy_verifier)
+            deserialize(name) do |rotate|
+              rotate.call
+
+              @legacy_verifier.verified(legacy_signed_message)
+            end
+          end
+        end
     end
 
     def initialize(app)