Add remember me cookie assertions #97

Closed
Changes from 2 commits
2 changes: 1 addition & 1 deletion app/controllers/concerns/authentication.rb
Expand Up @@ -53,6 +53,6 @@ def user_signed_in?
end

def store_location
session[:user_return_to] = request.original_url if request.get? && request.local?
session[:user_return_to] = request.original_url if request.get?


Was this meant to be part of #96?

Author


Yes. Ignore this mess for now.

end
end
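
Review bot: the `store_location` edit, where the two versions of the line differ only by the `request.local?` condition, is unrelated to the remember-me cookie assertions this PR is titled for and has no test in this change set. Move it to its own change (the thread points to #96) together with a test that asserts what `session[:user_return_to]` holds after a GET request, so the intended guard is pinned down.
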
6 changes: 6 additions & 0 deletions test/controllers/sessions_controller_test.rb
Expand Up @@ -44,6 +44,12 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest

assert_not_nil current_user
assert_not_nil cookies[:remember_token]

remember_me_cookie = cookies.get_cookie("remember_token")

assert remember_me_cookie.http_only?
assert remember_me_cookie.secure?
assert_equal "Strict", remember_me_cookie.to_h["SameSite"]


I'm surprised this passed, since it doesn't look like the implementation changed?

def remember(active_session)
cookies.permanent.encrypted[:remember_token] = active_session.remember_token
end

Owner

@stevepolitodesign stevepolitodesign Jun 14, 2024


Ah, it did not pass.

@mdchaney would you be able to make the implementation change too, as outlined in #53?

Author


Didn't pass. I tested this in the wrong directory (long story). I'm going to fix this.

end

test "should forget user when logging out" do
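
Review bot: the three new assertions after `assert_not_nil cookies[:remember_token]` require `HttpOnly`, `Secure` and `SameSite=Strict`, but the `remember` method quoted in the thread writes the cookie with none of those options, so the change that sets them needs to land in the same PR as these assertions. Also add `assert_not_nil remember_me_cookie` before the `http_only?` call, so a missing cookie fails as an assertion rather than a `NoMethodError`, and consider comparing the `SameSite` value case-insensitively instead of matching the exact key and value from `to_h`.
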