class ActionDispatch::Cookies::EncryptedKeyRotatingCookieJar
:nodoc:
def commit(name, options)
def commit(name, options) options[:value] = @encryptor.encrypt_and_sign(serialize(options[:value]), **cookie_metadata(name, options)) raise CookieOverflow if options[:value].bytesize > MAX_COOKIE_SIZE end
def initialize(parent_jar)
def initialize(parent_jar) super if request.use_authenticated_cookie_encryption key_len = ActiveSupport::MessageEncryptor.key_len(encrypted_cookie_cipher) secret = request.key_generator.generate_key(request.authenticated_encrypted_cookie_salt, key_len) @encryptor = ActiveSupport::MessageEncryptor.new(secret, cipher: encrypted_cookie_cipher, serializer: SERIALIZER) else key_len = ActiveSupport::MessageEncryptor.key_len("aes-256-cbc") secret = request.key_generator.generate_key(request.encrypted_cookie_salt, key_len) sign_secret = request.key_generator.generate_key(request.encrypted_signed_cookie_salt) @encryptor = ActiveSupport::MessageEncryptor.new(secret, sign_secret, cipher: "aes-256-cbc", serializer: SERIALIZER) end request.cookies_rotations.encrypted.each do |(*secrets)| options = secrets.extract_options! @encryptor.rotate(*secrets, serializer: SERIALIZER, **options) end if upgrade_legacy_hmac_aes_cbc_cookies? legacy_cipher = "aes-256-cbc" secret = request.key_generator.generate_key(request.encrypted_cookie_salt, ActiveSupport::MessageEncryptor.key_len(legacy_cipher)) sign_secret = request.key_generator.generate_key(request.encrypted_signed_cookie_salt) @encryptor.rotate(secret, sign_secret, cipher: legacy_cipher, digest: digest, serializer: SERIALIZER) elsif prepare_upgrade_legacy_hmac_aes_cbc_cookies? future_cipher = encrypted_cookie_cipher secret = request.key_generator.generate_key(request.authenticated_encrypted_cookie_salt, ActiveSupport::MessageEncryptor.key_len(future_cipher)) @encryptor.rotate(secret, nil, cipher: future_cipher, serializer: SERIALIZER) end end
def parse(name, encrypted_message, purpose: nil)
def parse(name, encrypted_message, purpose: nil) deserialize(name) do |rotate| @encryptor.decrypt_and_verify(encrypted_message, on_rotation: rotate, purpose: purpose) end rescue ActiveSupport::MessageEncryptor::InvalidMessage, ActiveSupport::MessageVerifier::InvalidSignature, JSON::ParserError nil end