Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add remember me cookie assertions #97

Closed
wants to merge 4 commits into from
Closed

Add remember me cookie assertions #97

wants to merge 4 commits into from

Conversation

mdchaney
Copy link

Just adds the assertions mentioned in #87.

mdchaney added 2 commits June 11, 2024 21:04
@mdchaney
Remove extraneous check for request.local?
c4e6e7b 
Closes stevepolitodesign#88.
@mdchaney
Adds assertions for remember_me cookie.
2e6e5b0 
Asserts cookie is http_only, secure, and same-site is "strict".
Closes stevepolitodesign#87.
stevepolitodesign
stevepolitodesign reviewed Jun 14, 2024
View reviewed changes
app/controllers/concerns/authentication.rb Outdated
@@ -53,6 +53,6 @@ def user_signed_in?
end

def store_location
session[:user_return_to] = request.original_url if request.get? && request.local?
session[:user_return_to] = request.original_url if request.get?
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this meant to be part of #96?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. Ignore this mess for now.

test/controllers/sessions_controller_test.rb Outdated
Comment on lines 48 to 52
remember_me_cookie = cookies.get_cookie("remember_token")

assert remember_me_cookie.http_only?
assert remember_me_cookie.secure?
assert_equal "Strict", remember_me_cookie.to_h["SameSite"]
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm surprised this passed, since it doesn't look like the implementation changed?

rails-authentication-from-scratch/app/controllers/concerns/authentication.rb

Lines 37 to 39 in b3e253f

def remember(active_session)
cookies.permanent.encrypted[:remember_token] = active_session.remember_token
end

Copy link
Owner

@stevepolitodesign stevepolitodesign Jun 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, it did not pass.

@mdchaney would you be able to make the implementation change too, as outlined in #53?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Didn't pass. I tested this in the wrong directory (long story). I'm going to fix this.

mdchaney added 2 commits June 14, 2024 11:49
@mdchaney
Adds security features to remember_token cookie.
ba52446 
1. Set to "secure" in production
2. Set to HttpOnly
3. SameSite set to strict.

Closes stevepolitodesign#87.
@mdchaney
Undoing prior accidental commit.
515871f
@mdchaney
Copy link
Author

Makeing a new pull request.

@mdchaney mdchaney closed this Jun 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stevepolitodesign stevepolitodesign stevepolitodesign left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mdchaney @stevepolitodesign