hestia 0.1.0 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.travis.yml +1 -0
- data/Gemfile.rails42 +6 -0
- data/README.md +15 -3
- data/Rakefile +1 -0
- data/hestia.gemspec +1 -1
- data/lib/hestia/signed_cookie_jar_extension/action_pack_4.rb +5 -1
- data/lib/hestia/version.rb +1 -1
- metadata +6 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 10feace28dda56911b32013d3fb9b41c85e3b101
|
|
4
|
+
data.tar.gz: 4e8e5c002fe8102089b2c8f1745b96d2a235cde0
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 83cc7fd6f3d6ec36b8c14558254b9b35e2b9825e1fb12c2cbd97067139de47ab8c8722cb016232b5a61dc89e1306d0deeb9414246d548e8484a5082b5eb3a916
|
|
7
|
+
data.tar.gz: 0f252f5d0324503808dfd62da05af883b94bff63d7f4eeab79120e72dd3616fb919c326c4d24e17b479183f4f0e3a206a4ec4966790c8413bf635ef70f8ac32a
|
data/.travis.yml
CHANGED
data/Gemfile.rails42
ADDED
data/README.md
CHANGED
|
@@ -1,5 +1,9 @@
|
|
|
1
1
|
# Hestia
|
|
2
2
|
|
|
3
|
+
***
|
|
4
|
+
|
|
5
|
+
[](https://travis-ci.org/fac/hestia)
|
|
6
|
+
|
|
3
7
|
Add support for deprecating/rotating the signed cookie secret token in rails. Out of the box if you change `config.secret_token` in rails, as soon as you deploy the change all your existing signed cookies are rendered invalid with lovely side effects such as all of your users being logged out. Thing is, it would be nice to rotate the secret token occasionally, without that side effect.
|
|
4
8
|
|
|
5
9
|
Enter hestia! You can now change your `config.secret_token`, and move the old value to `config.deprecated_secret_token` to allow existing cookies to be read in as valid cookies, but all cookies being sent out of the app are signed using the new secret token value. After a while all your users that have been active since the change will have cookies signed by the new token, and you can remove the old token from `config.deprecated_secret_token`. Hey presto, you just changed your `config.secret_token` without logging anyone out or losing any existing cookies.
|
|
@@ -26,6 +30,16 @@ And then require the railtie during your application boot process somewhere:
|
|
|
26
30
|
require "hestia/railtie"
|
|
27
31
|
```
|
|
28
32
|
|
|
33
|
+
## Supported Rails Versions
|
|
34
|
+
|
|
35
|
+
We currently support (& test against):
|
|
36
|
+
|
|
37
|
+
* Rails 3.2
|
|
38
|
+
* Rails 4.1
|
|
39
|
+
* Rails 4.2
|
|
40
|
+
|
|
41
|
+
Pull requests always welcome to support other versions!
|
|
42
|
+
|
|
29
43
|
## Usage
|
|
30
44
|
|
|
31
45
|
### Rails 3.2
|
|
@@ -47,9 +61,7 @@ You should already have `Rails.application.config.secret_token` set to a value (
|
|
|
47
61
|
|
|
48
62
|
*You can also set `config.deprecated_secret_token` to an array of strings to allow incoming cookies to be valid when signed with any of the secrets.*
|
|
49
63
|
|
|
50
|
-
### Rails 4
|
|
51
|
-
|
|
52
|
-
We support Rails 4.1. Rails 4.0 & 4.2 are unsupported at this time. (Pull requests welcome!)
|
|
64
|
+
### Rails 4.1, 4.2
|
|
53
65
|
|
|
54
66
|
Following the instructions for Rails 3.2 should work, but make sure you haven't set `config.secret_key_base` to a value otherwise Rails will take over and upgrade your cookies from signed to encrypted ones.
|
|
55
67
|
|
data/Rakefile
CHANGED
data/hestia.gemspec
CHANGED
|
@@ -21,7 +21,7 @@ Gem::Specification.new do |spec|
|
|
|
21
21
|
spec.required_ruby_version = '>= 2.0'
|
|
22
22
|
|
|
23
23
|
spec.add_runtime_dependency "rack"
|
|
24
|
-
spec.add_runtime_dependency "actionpack", ">= 3.2.21", "<
|
|
24
|
+
spec.add_runtime_dependency "actionpack", ">= 3.2.21", "< 5.0.0"
|
|
25
25
|
|
|
26
26
|
spec.add_development_dependency "bundler", "~> 1.7"
|
|
27
27
|
spec.add_development_dependency "rake", "~> 10.0"
|
|
@@ -1,3 +1,5 @@
|
|
|
1
|
+
require "active_support/message_encryptor"
|
|
2
|
+
|
|
1
3
|
module Hestia
|
|
2
4
|
module SignedCookieJarExtension
|
|
3
5
|
module ActionPack4
|
|
@@ -29,8 +31,10 @@ module Hestia
|
|
|
29
31
|
ActiveSupport::LegacyKeyGenerator.new(secret).generate_key(@options[:signed_cookie_salt])
|
|
30
32
|
end
|
|
31
33
|
|
|
34
|
+
serializer = ActiveSupport::MessageEncryptor::NullSerializer
|
|
35
|
+
|
|
32
36
|
# Finally, override @verifier with our own multi verifier containing all the secrets
|
|
33
|
-
@verifier = Hestia::MessageMultiVerifier.new(current_secret: active_secret, deprecated_secrets: deprecated_secrets, options: {serializer:
|
|
37
|
+
@verifier = Hestia::MessageMultiVerifier.new(current_secret: active_secret, deprecated_secrets: deprecated_secrets, options: {serializer: serializer})
|
|
34
38
|
end
|
|
35
39
|
end
|
|
36
40
|
end
|
data/lib/hestia/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hestia
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Caius Durling
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2016-08-02 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rack
|
|
@@ -33,7 +33,7 @@ dependencies:
|
|
|
33
33
|
version: 3.2.21
|
|
34
34
|
- - "<"
|
|
35
35
|
- !ruby/object:Gem::Version
|
|
36
|
-
version:
|
|
36
|
+
version: 5.0.0
|
|
37
37
|
type: :runtime
|
|
38
38
|
prerelease: false
|
|
39
39
|
version_requirements: !ruby/object:Gem::Requirement
|
|
@@ -43,7 +43,7 @@ dependencies:
|
|
|
43
43
|
version: 3.2.21
|
|
44
44
|
- - "<"
|
|
45
45
|
- !ruby/object:Gem::Version
|
|
46
|
-
version:
|
|
46
|
+
version: 5.0.0
|
|
47
47
|
- !ruby/object:Gem::Dependency
|
|
48
48
|
name: bundler
|
|
49
49
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -99,6 +99,7 @@ files:
|
|
|
99
99
|
- ".travis.yml"
|
|
100
100
|
- Gemfile.rails3
|
|
101
101
|
- Gemfile.rails41
|
|
102
|
+
- Gemfile.rails42
|
|
102
103
|
- LICENSE.txt
|
|
103
104
|
- README.md
|
|
104
105
|
- Rakefile
|
|
@@ -137,7 +138,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
137
138
|
version: '0'
|
|
138
139
|
requirements: []
|
|
139
140
|
rubyforge_project:
|
|
140
|
-
rubygems_version: 2.
|
|
141
|
+
rubygems_version: 2.6.6
|
|
141
142
|
signing_key:
|
|
142
143
|
specification_version: 4
|
|
143
144
|
summary: Support for deprecating/rotating signed cookie secret tokens in rails
|