activesupport 5.1.7 → 6.1.7

data/lib/active_support/locale/en.yml

@@ -44,10 +44,12 @@ en:
       delimiter: ","
       # Number of decimals, behind the separator (the number 1 with a precision of 2 gives: 1.00)
       precision: 3
+      # Determine how rounding is performed (see BigDecimal::mode)
+      round_mode: default
       # If set to true, precision will mean the number of significant digits instead
       # of the number of decimal digits (1234 with precision 2 becomes 1200, 1.23543 becomes 1.2)
       significant: false
-      # If set, the zeros after the decimal separator will always be stripped (eg.: 1.200 will be 1.2)
+      # If set, the zeros after the decimal separator will always be stripped (e.g.: 1.200 will be 1.2)
       strip_insignificant_zeros: false
 
     # Used in NumberHelper.number_to_currency()
@@ -56,10 +58,11 @@ en:
         # Where is the currency sign? %u is the currency unit, %n the number (default: $5.00)
         format: "%u%n"
         unit: "$"
-        # These five are to override number.format and are optional
+        # These six are to override number.format and are optional
         separator: "."
         delimiter: ","
         precision: 2
+        # round_mode:
         significant: false
         strip_insignificant_zeros: false
 
@@ -87,10 +90,11 @@ en:
     # Used in NumberHelper.number_to_human_size() and NumberHelper.number_to_human()
     human:
       format:
-        # These five are to override number.format and are optional
+        # These six are to override number.format and are optional
         # separator:
         delimiter: ""
         precision: 3
+        # round_mode:
         significant: true
         strip_insignificant_zeros: true
       # Used in number_to_human_size()

data/lib/active_support/log_subscriber/test_helper.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "active_support/log_subscriber"
 require "active_support/logger"
 require "active_support/notifications"

data/lib/active_support/log_subscriber.rb

@@ -1,10 +1,12 @@
+# frozen_string_literal: true
+
 require "active_support/core_ext/module/attribute_accessors"
 require "active_support/core_ext/class/attribute"
 require "active_support/subscriber"
 
 module ActiveSupport
-  # ActiveSupport::LogSubscriber is an object set to consume
-  # ActiveSupport::Notifications with the sole purpose of logging them.
+  # <tt>ActiveSupport::LogSubscriber</tt> is an object set to consume
+  # <tt>ActiveSupport::Notifications</tt> with the sole purpose of logging them.
   # The log subscriber dispatches notifications to a registered object based
   # on its given namespace.
   #
@@ -14,7 +16,7 @@ module ActiveSupport
   #   module ActiveRecord
   #     class LogSubscriber < ActiveSupport::LogSubscriber
   #       def sql(event)
-  #         "#{event.payload[:name]} (#{event.duration}) #{event.payload[:sql]}"
+  #         info "#{event.payload[:name]} (#{event.duration}) #{event.payload[:sql]}"
   #       end
   #     end
   #   end
@@ -27,13 +29,39 @@ module ActiveSupport
   # subscriber, the line above should be called after your
   # <tt>ActiveRecord::LogSubscriber</tt> definition.
   #
-  # After configured, whenever a "sql.active_record" notification is published,
-  # it will properly dispatch the event (ActiveSupport::Notifications::Event) to
-  # the sql method.
+  # A logger also needs to be set with <tt>ActiveRecord::LogSubscriber.logger=</tt>.
+  # This is assigned automatically in a Rails environment.
+  #
+  # After configured, whenever a <tt>"sql.active_record"</tt> notification is published,
+  # it will properly dispatch the event
+  # (<tt>ActiveSupport::Notifications::Event</tt>) to the sql method.
+  #
+  # Being an <tt>ActiveSupport::Notifications</tt> consumer,
+  # <tt>ActiveSupport::LogSubscriber</tt> exposes a simple interface to check if
+  # instrumented code raises an exception. It is common to log a different
+  # message in case of an error, and this can be achieved by extending
+  # the previous example:
+  #
+  #   module ActiveRecord
+  #     class LogSubscriber < ActiveSupport::LogSubscriber
+  #       def sql(event)
+  #         exception = event.payload[:exception]
+  #
+  #         if exception
+  #           exception_object = event.payload[:exception_object]
+  #
+  #           error "[ERROR] #{event.payload[:name]}: #{exception.join(', ')} " \
+  #                 "(#{exception_object.backtrace.first})"
+  #         else
+  #           # standard logger code
+  #         end
+  #       end
+  #     end
+  #   end
   #
   # Log subscriber also has some helpers to deal with logging and automatically
-  # flushes all logs when the request finishes (via action_dispatch.callback
-  # notification) in a Rails environment.
+  # flushes all logs when the request finishes
+  # (via <tt>action_dispatch.callback</tt> notification) in a Rails environment.
   class LogSubscriber < Subscriber
     # Embed in a String to clear all previous ANSI sequences.
     CLEAR   = "\e[0m"
@@ -49,8 +77,7 @@ module ActiveSupport
     CYAN    = "\e[36m"
     WHITE   = "\e[37m"
 
-    mattr_accessor :colorize_logging
-    self.colorize_logging = true
+    mattr_accessor :colorize_logging, default: true
 
     class << self
       def logger
@@ -69,6 +96,11 @@ module ActiveSupport
       def flush_all!
         logger.flush if logger.respond_to?(:flush)
       end
+
+      private
+        def fetch_public_methods(subscriber, inherit_all)
+          subscriber.public_methods(inherit_all) - LogSubscriber.public_instance_methods(true)
+        end
     end
 
     def logger
@@ -88,7 +120,6 @@ module ActiveSupport
     end
 
   private
-
     %w(info debug warn error fatal unknown).each do |level|
       class_eval <<-METHOD, __FILE__, __LINE__ + 1
         def #{level}(progname = nil, &block)

data/lib/active_support/logger.rb

@@ -1,10 +1,11 @@
+# frozen_string_literal: true
+
 require "active_support/logger_silence"
 require "active_support/logger_thread_safe_level"
 require "logger"
 
 module ActiveSupport
   class Logger < ::Logger
-    include ActiveSupport::LoggerThreadSafeLevel
     include LoggerSilence
 
     # Returns true if the logger destination matches one of the sources
@@ -13,7 +14,7 @@ module ActiveSupport
     #   ActiveSupport::Logger.logger_outputs_to?(logger, STDOUT)
     #   # => true
     def self.logger_outputs_to?(logger, *sources)
-      logdev = logger.instance_variable_get("@logdev")
+      logdev = logger.instance_variable_get(:@logdev)
       logger_source = logdev.dev if logdev.respond_to?(:dev)
       sources.any? { |source| source == logger_source }
     end
@@ -76,23 +77,9 @@ module ActiveSupport
       end
     end
 
-    def initialize(*args)
+    def initialize(*args, **kwargs)
       super
       @formatter = SimpleFormatter.new
-      after_initialize if respond_to? :after_initialize
-    end
-
-    def add(severity, message = nil, progname = nil, &block)
-      return true if @logdev.nil? || (severity || UNKNOWN) < level
-      super
-    end
-
-    Logger::Severity.constants.each do |severity|
-      class_eval(<<-EOT, __FILE__, __LINE__ + 1)
-        def #{severity.downcase}?                # def debug?
-          Logger::#{severity} >= level           #   DEBUG >= level
-        end                                      # end
-      EOT
     end
 
     # Simple formatter which only displays the message.

data/lib/active_support/logger_silence.rb

@@ -1,28 +1,21 @@
+# frozen_string_literal: true
+
 require "active_support/concern"
 require "active_support/core_ext/module/attribute_accessors"
-require "concurrent"
-
-module LoggerSilence
-  extend ActiveSupport::Concern
+require "active_support/logger_thread_safe_level"
 
-  included do
-    cattr_accessor :silencer
-    self.silencer = true
-  end
+module ActiveSupport
+  module LoggerSilence
+    extend ActiveSupport::Concern
 
-  # Silences the logger for the duration of the block.
-  def silence(temporary_level = Logger::ERROR)
-    if silencer
-      begin
-        old_local_level            = local_level
-        self.local_level           = temporary_level
+    included do
+      cattr_accessor :silencer, default: true
+      include ActiveSupport::LoggerThreadSafeLevel
+    end
 
-        yield self
-      ensure
-        self.local_level = old_local_level
-      end
-    else
-      yield self
+    # Silences the logger for the duration of the block.
+    def silence(severity = Logger::ERROR)
+      silencer ? log_at(severity) { yield self } : yield(self)
     end
   end
 end

data/lib/active_support/logger_thread_safe_level.rb

@@ -1,31 +1,78 @@
+# frozen_string_literal: true
+
 require "active_support/concern"
+require "active_support/core_ext/module/attribute_accessors"
+require "concurrent"
+require "fiber"
 
 module ActiveSupport
   module LoggerThreadSafeLevel # :nodoc:
     extend ActiveSupport::Concern
 
-    def after_initialize
-      @local_levels = Concurrent::Map.new(initial_capacity: 2)
+    included do
+      cattr_accessor :local_levels, default: Concurrent::Map.new(initial_capacity: 2), instance_accessor: false
+    end
+
+    Logger::Severity.constants.each do |severity|
+      class_eval(<<-EOT, __FILE__, __LINE__ + 1)
+        def #{severity.downcase}?                # def debug?
+          Logger::#{severity} >= level           #   DEBUG >= level
+        end                                      # end
+      EOT
     end
 
     def local_log_id
-      Thread.current.__id__
+      Fiber.current.__id__
     end
 
     def local_level
-      @local_levels[local_log_id]
+      self.class.local_levels[local_log_id]
     end
 
     def local_level=(level)
-      if level
-        @local_levels[local_log_id] = level
+      case level
+      when Integer
+        self.class.local_levels[local_log_id] = level
+      when Symbol
+        self.class.local_levels[local_log_id] = Logger::Severity.const_get(level.to_s.upcase)
+      when nil
+        self.class.local_levels.delete(local_log_id)
       else
-        @local_levels.delete(local_log_id)
+        raise ArgumentError, "Invalid log level: #{level.inspect}"
       end
     end
 
     def level
       local_level || super
     end
+
+    # Change the thread-local level for the duration of the given block.
+    def log_at(level)
+      old_local_level, self.local_level = local_level, level
+      yield
+    ensure
+      self.local_level = old_local_level
+    end
+
+    # Redefined to check severity against #level, and thus the thread-local level, rather than +@level+.
+    # FIXME: Remove when the minimum Ruby version supports overriding Logger#level.
+    def add(severity, message = nil, progname = nil, &block) #:nodoc:
+      severity ||= UNKNOWN
+      progname ||= @progname
+
+      return true if @logdev.nil? || severity < level
+
+      if message.nil?
+        if block_given?
+          message  = yield
+        else
+          message  = progname
+          progname = @progname
+        end
+      end
+
+      @logdev.write \
+        format_message(format_severity(severity), Time.now, progname, message)
+    end
   end
 end

data/lib/active_support/message_encryptor.rb

@@ -1,7 +1,10 @@
+# frozen_string_literal: true
+
 require "openssl"
 require "base64"
-require "active_support/core_ext/array/extract_options"
+require "active_support/core_ext/module/attribute_accessors"
 require "active_support/message_verifier"
+require "active_support/messages/metadata"
 
 module ActiveSupport
   # MessageEncryptor is a simple way to encrypt values which get stored
@@ -13,13 +16,82 @@ module ActiveSupport
   # This can be used in situations similar to the <tt>MessageVerifier</tt>, but
   # where you don't want users to be able to determine the value of the payload.
   #
-  #   salt  = SecureRandom.random_bytes(64)
-  #   key   = ActiveSupport::KeyGenerator.new('password').generate_key(salt, 32) # => "\x89\xE0\x156\xAC..."
-  #   crypt = ActiveSupport::MessageEncryptor.new(key)                           # => #<ActiveSupport::MessageEncryptor ...>
-  #   encrypted_data = crypt.encrypt_and_sign('my secret data')                  # => "NlFBTTMwOUV5UlA1QlNEN2xkY2d6eThYWWh..."
-  #   crypt.decrypt_and_verify(encrypted_data)                                   # => "my secret data"
+  #   len   = ActiveSupport::MessageEncryptor.key_len
+  #   salt  = SecureRandom.random_bytes(len)
+  #   key   = ActiveSupport::KeyGenerator.new('password').generate_key(salt, len) # => "\x89\xE0\x156\xAC..."
+  #   crypt = ActiveSupport::MessageEncryptor.new(key)                            # => #<ActiveSupport::MessageEncryptor ...>
+  #   encrypted_data = crypt.encrypt_and_sign('my secret data')                   # => "NlFBTTMwOUV5UlA1QlNEN2xkY2d6eThYWWh..."
+  #   crypt.decrypt_and_verify(encrypted_data)                                    # => "my secret data"
+  #
+  # === Confining messages to a specific purpose
+  #
+  # By default any message can be used throughout your app. But they can also be
+  # confined to a specific +:purpose+.
+  #
+  #   token = crypt.encrypt_and_sign("this is the chair", purpose: :login)
+  #
+  # Then that same purpose must be passed when verifying to get the data back out:
+  #
+  #   crypt.decrypt_and_verify(token, purpose: :login)    # => "this is the chair"
+  #   crypt.decrypt_and_verify(token, purpose: :shipping) # => nil
+  #   crypt.decrypt_and_verify(token)                     # => nil
+  #
+  # Likewise, if a message has no purpose it won't be returned when verifying with
+  # a specific purpose.
+  #
+  #   token = crypt.encrypt_and_sign("the conversation is lively")
+  #   crypt.decrypt_and_verify(token, purpose: :scare_tactics) # => nil
+  #   crypt.decrypt_and_verify(token)                          # => "the conversation is lively"
+  #
+  # === Making messages expire
+  #
+  # By default messages last forever and verifying one year from now will still
+  # return the original value. But messages can be set to expire at a given
+  # time with +:expires_in+ or +:expires_at+.
+  #
+  #   crypt.encrypt_and_sign(parcel, expires_in: 1.month)
+  #   crypt.encrypt_and_sign(doowad, expires_at: Time.now.end_of_year)
+  #
+  # Then the messages can be verified and returned up to the expire time.
+  # Thereafter, verifying returns +nil+.
+  #
+  # === Rotating keys
+  #
+  # MessageEncryptor also supports rotating out old configurations by falling
+  # back to a stack of encryptors. Call +rotate+ to build and add an encryptor
+  # so +decrypt_and_verify+ will also try the fallback.
+  #
+  # By default any rotated encryptors use the values of the primary
+  # encryptor unless specified otherwise.
+  #
+  # You'd give your encryptor the new defaults:
+  #
+  #   crypt = ActiveSupport::MessageEncryptor.new(@secret, cipher: "aes-256-gcm")
+  #
+  # Then gradually rotate the old values out by adding them as fallbacks. Any message
+  # generated with the old values will then work until the rotation is removed.
+  #
+  #   crypt.rotate old_secret            # Fallback to an old secret instead of @secret.
+  #   crypt.rotate cipher: "aes-256-cbc" # Fallback to an old cipher instead of aes-256-gcm.
+  #
+  # Though if both the secret and the cipher was changed at the same time,
+  # the above should be combined into:
+  #
+  #   crypt.rotate old_secret, cipher: "aes-256-cbc"
   class MessageEncryptor
-    DEFAULT_CIPHER = "aes-256-cbc"
+    prepend Messages::Rotator::Encryptor
+
+    cattr_accessor :use_authenticated_message_encryption, instance_accessor: false, default: false
+
+    class << self
+      def default_cipher #:nodoc:
+        if use_authenticated_message_encryption
+          "aes-256-gcm"
+        else
+          "aes-256-cbc"
+        end
+      end
+    end
 
     module NullSerializer #:nodoc:
       def self.load(value)
@@ -45,7 +117,7 @@ module ActiveSupport
     OpenSSLCipherError = OpenSSL::Cipher::CipherError
 
     # Initialize a new MessageEncryptor. +secret+ must be at least as long as
-    # the cipher key size. For the default 'aes-256-cbc' cipher, this is 256
+    # the cipher key size. For the default 'aes-256-gcm' cipher, this is 256
     # bits. If you are using a user-entered secret, you can generate a suitable
     # key by using <tt>ActiveSupport::KeyGenerator</tt> or a similar key
     # derivation function.
@@ -57,41 +129,38 @@ module ActiveSupport
     #
     # Options:
     # * <tt>:cipher</tt>     - Cipher to use. Can be any cipher returned by
-    #   <tt>OpenSSL::Cipher.ciphers</tt>. Default is 'aes-256-cbc'.
+    #   <tt>OpenSSL::Cipher.ciphers</tt>. Default is 'aes-256-gcm'.
     # * <tt>:digest</tt> - String of digest to use for signing. Default is
     #   +SHA1+. Ignored when using an AEAD cipher like 'aes-256-gcm'.
     # * <tt>:serializer</tt> - Object serializer to use. Default is +Marshal+.
-    def initialize(secret, *signature_key_or_options)
-      options = signature_key_or_options.extract_options!
-      sign_secret = signature_key_or_options.first
+    def initialize(secret, sign_secret = nil, cipher: nil, digest: nil, serializer: nil)
       @secret = secret
       @sign_secret = sign_secret
-      @cipher = options[:cipher] || DEFAULT_CIPHER
-      @digest = options[:digest] || "SHA1" unless aead_mode?
+      @cipher = cipher || self.class.default_cipher
+      @digest = digest || "SHA1" unless aead_mode?
       @verifier = resolve_verifier
-      @serializer = options[:serializer] || Marshal
+      @serializer = serializer || Marshal
     end
 
     # Encrypt and sign a message. We need to sign the message in order to avoid
-    # padding attacks. Reference: http://www.limited-entropy.com/padding-oracle-attacks.
-    def encrypt_and_sign(value)
-      verifier.generate(_encrypt(value))
+    # padding attacks. Reference: https://www.limited-entropy.com/padding-oracle-attacks/.
+    def encrypt_and_sign(value, expires_at: nil, expires_in: nil, purpose: nil)
+      verifier.generate(_encrypt(value, expires_at: expires_at, expires_in: expires_in, purpose: purpose))
     end
 
     # Decrypt and verify a message. We need to verify the message in order to
-    # avoid padding attacks. Reference: http://www.limited-entropy.com/padding-oracle-attacks.
-    def decrypt_and_verify(value)
-      _decrypt(verifier.verify(value))
+    # avoid padding attacks. Reference: https://www.limited-entropy.com/padding-oracle-attacks/.
+    def decrypt_and_verify(data, purpose: nil, **)
+      _decrypt(verifier.verify(data), purpose)
     end
 
     # Given a cipher, returns the key length of the cipher to help generate the key of desired size
-    def self.key_len(cipher = DEFAULT_CIPHER)
+    def self.key_len(cipher = default_cipher)
       OpenSSL::Cipher.new(cipher).key_len
     end
 
     private
-
-      def _encrypt(value)
+      def _encrypt(value, **metadata_options)
         cipher = new_cipher
         cipher.encrypt
         cipher.key = @secret
@@ -100,17 +169,17 @@ module ActiveSupport
         iv = cipher.random_iv
         cipher.auth_data = "" if aead_mode?
 
-        encrypted_data = cipher.update(@serializer.dump(value))
+        encrypted_data = cipher.update(Messages::Metadata.wrap(@serializer.dump(value), **metadata_options))
         encrypted_data << cipher.final
 
         blob = "#{::Base64.strict_encode64 encrypted_data}--#{::Base64.strict_encode64 iv}"
-        blob << "--#{::Base64.strict_encode64 cipher.auth_tag}" if aead_mode?
+        blob = "#{blob}--#{::Base64.strict_encode64 cipher.auth_tag}" if aead_mode?
         blob
       end
 
-      def _decrypt(encrypted_message)
+      def _decrypt(encrypted_message, purpose)
         cipher = new_cipher
-        encrypted_data, iv, auth_tag = encrypted_message.split("--".freeze).map { |v| ::Base64.strict_decode64(v) }
+        encrypted_data, iv, auth_tag = encrypted_message.split("--").map { |v| ::Base64.strict_decode64(v) }
 
         # Currently the OpenSSL bindings do not raise an error if auth_tag is
         # truncated, which would allow an attacker to easily forge it. See
@@ -128,7 +197,8 @@ module ActiveSupport
         decrypted_data = cipher.update(encrypted_data)
         decrypted_data << cipher.final
 
-        @serializer.load(decrypted_data)
+        message = Messages::Metadata.verify(decrypted_data, purpose)
+        @serializer.load(message) if message
       rescue OpenSSLCipherError, TypeError, ArgumentError
         raise InvalidMessage
       end
@@ -137,9 +207,7 @@ module ActiveSupport
         OpenSSL::Cipher.new(@cipher)
       end
 
-      def verifier
-        @verifier
-      end
+      attr_reader :verifier
 
       def aead_mode?
         @aead_mode ||= new_cipher.authenticated?

data/lib/active_support/message_verifier.rb

@@ -1,6 +1,10 @@
+# frozen_string_literal: true
+
 require "base64"
 require "active_support/core_ext/object/blank"
 require "active_support/security_utils"
+require "active_support/messages/metadata"
+require "active_support/messages/rotator"
 
 module ActiveSupport
   # +MessageVerifier+ makes it easy to generate and verify messages which are
@@ -27,17 +31,83 @@ module ActiveSupport
   #
   # +MessageVerifier+ creates HMAC signatures using SHA1 hash algorithm by default.
   # If you want to use a different hash algorithm, you can change it by providing
-  # `:digest` key as an option while initializing the verifier:
+  # +:digest+ key as an option while initializing the verifier:
   #
   #   @verifier = ActiveSupport::MessageVerifier.new('s3Krit', digest: 'SHA256')
+  #
+  # === Confining messages to a specific purpose
+  #
+  # By default any message can be used throughout your app. But they can also be
+  # confined to a specific +:purpose+.
+  #
+  #   token = @verifier.generate("this is the chair", purpose: :login)
+  #
+  # Then that same purpose must be passed when verifying to get the data back out:
+  #
+  #   @verifier.verified(token, purpose: :login)    # => "this is the chair"
+  #   @verifier.verified(token, purpose: :shipping) # => nil
+  #   @verifier.verified(token)                     # => nil
+  #
+  #   @verifier.verify(token, purpose: :login)      # => "this is the chair"
+  #   @verifier.verify(token, purpose: :shipping)   # => ActiveSupport::MessageVerifier::InvalidSignature
+  #   @verifier.verify(token)                       # => ActiveSupport::MessageVerifier::InvalidSignature
+  #
+  # Likewise, if a message has no purpose it won't be returned when verifying with
+  # a specific purpose.
+  #
+  #   token = @verifier.generate("the conversation is lively")
+  #   @verifier.verified(token, purpose: :scare_tactics) # => nil
+  #   @verifier.verified(token)                          # => "the conversation is lively"
+  #
+  #   @verifier.verify(token, purpose: :scare_tactics)   # => ActiveSupport::MessageVerifier::InvalidSignature
+  #   @verifier.verify(token)                            # => "the conversation is lively"
+  #
+  # === Making messages expire
+  #
+  # By default messages last forever and verifying one year from now will still
+  # return the original value. But messages can be set to expire at a given
+  # time with +:expires_in+ or +:expires_at+.
+  #
+  #   @verifier.generate(parcel, expires_in: 1.month)
+  #   @verifier.generate(doowad, expires_at: Time.now.end_of_year)
+  #
+  # Then the messages can be verified and returned up to the expire time.
+  # Thereafter, the +verified+ method returns +nil+ while +verify+ raises
+  # <tt>ActiveSupport::MessageVerifier::InvalidSignature</tt>.
+  #
+  # === Rotating keys
+  #
+  # MessageVerifier also supports rotating out old configurations by falling
+  # back to a stack of verifiers. Call +rotate+ to build and add a verifier to
+  # so either +verified+ or +verify+ will also try verifying with the fallback.
+  #
+  # By default any rotated verifiers use the values of the primary
+  # verifier unless specified otherwise.
+  #
+  # You'd give your verifier the new defaults:
+  #
+  #   verifier = ActiveSupport::MessageVerifier.new(@secret, digest: "SHA512", serializer: JSON)
+  #
+  # Then gradually rotate the old values out by adding them as fallbacks. Any message
+  # generated with the old values will then work until the rotation is removed.
+  #
+  #   verifier.rotate old_secret          # Fallback to an old secret instead of @secret.
+  #   verifier.rotate digest: "SHA256"    # Fallback to an old digest instead of SHA512.
+  #   verifier.rotate serializer: Marshal # Fallback to an old serializer instead of JSON.
+  #
+  # Though the above would most likely be combined into one rotation:
+  #
+  #   verifier.rotate old_secret, digest: "SHA256", serializer: Marshal
   class MessageVerifier
+    prepend Messages::Rotator::Verifier
+
     class InvalidSignature < StandardError; end
 
-    def initialize(secret, options = {})
+    def initialize(secret, digest: nil, serializer: nil)
       raise ArgumentError, "Secret should not be nil." unless secret
       @secret = secret
-      @digest = options[:digest] || "SHA1"
-      @serializer = options[:serializer] || Marshal
+      @digest = digest || "SHA1"
+      @serializer = serializer || Marshal
     end
 
     # Checks if a signed message could have been generated by signing an object
@@ -52,7 +122,7 @@ module ActiveSupport
     def valid_message?(signed_message)
       return if signed_message.nil? || !signed_message.valid_encoding? || signed_message.blank?
 
-      data, digest = signed_message.split("--".freeze)
+      data, digest = signed_message.split("--")
       data.present? && digest.present? && ActiveSupport::SecurityUtils.secure_compare(digest, generate_digest(data))
     end
 
@@ -77,11 +147,12 @@ module ActiveSupport
     #
     #   incompatible_message = "test--dad7b06c94abba8d46a15fafaef56c327665d5ff"
     #   verifier.verified(incompatible_message) # => TypeError: incompatible marshal file format
-    def verified(signed_message)
+    def verified(signed_message, purpose: nil, **)
       if valid_message?(signed_message)
         begin
-          data = signed_message.split("--".freeze)[0]
-          @serializer.load(decode(data))
+          data = signed_message.split("--")[0]
+          message = Messages::Metadata.verify(decode(data), purpose)
+          @serializer.load(message) if message
         rescue ArgumentError => argument_error
           return if argument_error.message.include?("invalid base64")
           raise
@@ -101,19 +172,19 @@ module ActiveSupport
     #
     #   other_verifier = ActiveSupport::MessageVerifier.new 'd1ff3r3nt-s3Krit'
     #   other_verifier.verify(signed_message) # => ActiveSupport::MessageVerifier::InvalidSignature
-    def verify(signed_message)
-      verified(signed_message) || raise(InvalidSignature)
+    def verify(*args, **options)
+      verified(*args, **options) || raise(InvalidSignature)
     end
 
     # Generates a signed message for the provided value.
     #
-    # The message is signed with the +MessageVerifier+'s secret. Without knowing
-    # the secret, the original value cannot be extracted from the message.
+    # The message is signed with the +MessageVerifier+'s secret.
+    # Returns Base64-encoded message joined with the generated signature.
     #
     #   verifier = ActiveSupport::MessageVerifier.new 's3Krit'
     #   verifier.generate 'a private message' # => "BAhJIhRwcml2YXRlLW1lc3NhZ2UGOgZFVA==--e2d724331ebdee96a10fb99b089508d1c72bd772"
-    def generate(value)
-      data = encode(@serializer.dump(value))
+    def generate(value, expires_at: nil, expires_in: nil, purpose: nil)
+      data = encode(Messages::Metadata.wrap(@serializer.dump(value), expires_at: expires_at, expires_in: expires_in, purpose: purpose))
       "#{data}--#{generate_digest(data)}"
     end