RSpec
Ruby on Rails
Ruby
- 1.0.0
- 1.1.6
- 1.2.6
- 2.0.3
- 2.1.0
- 2.2.1
- 2.3.8 (0)
- 3.0.0 (0)
- 3.0.9 (0)
- 3.1.0 (0)
- 3.2.1 (3)
- 3.2.8 (0)
- 3.2.13 (0)
- 4.0.2 (0)
- 4.1.8 (0)
- 4.2.1 (0)
- 4.2.7 (0)
- 4.2.9 (0)
- 5.0.0.1 (4)
- 5.1.7 (0)
- 5.2.3 (38)
- 6.0.0 (0)
- 6.1.3.1 (0)
- 6.1.7.7 (0)
- 7.0.0 (0)
- 7.1.3.2 (-1)
- 7.1.3.4 (0)
- What's this?
-
new
-
create_message
(>= v7.1.3.2)
-
decode
-
digest_length_in_hex
(>= v7.0.0)
-
digest_matches_data?
(>= v7.0.0)
-
encode
-
extract_encoded
(>= v7.1.3.2)
-
generate
-
generate_digest
-
get_data_and_digest_from
(>= v7.0.0)
-
inspect
(>= v7.1.3.2)
-
read_message
(>= v7.1.3.2)
-
secure_compare
(<= v4.1.8)
-
separator_at?
(>= v7.1.3.2)
-
separator_index_for
(>= v7.0.0)
-
sign_encoded
(>= v7.1.3.2)
-
valid_message?
-
verified
-
verify
-
InvalidSignature
= private
= protected
MessageVerifier makes it easy to generate and verify messages which are signed to prevent tampering.
This is useful for cases like remember-me tokens and auto-unsubscribe links where the session store isn’t suitable or available.
Remember Me:
cookies[:remember_me] = @verifier.generate([@user.id, 2.weeks.from_now])
In the authentication filter:
id, time = @verifier.verify(cookies[:remember_me]) if Time.now < time self.current_user = User.find(id) end
By default it uses Marshal to serialize the message. If you want to use another serialization method, you can set the serializer in the options hash upon initialization:
@verifier = ActiveSupport::MessageVerifier.new('s3Krit', serializer: YAML)
MessageVerifier creates HMAC signatures using SHA1 hash algorithm by default. If you want to use a different hash algorithm, you can change it by providing `:digest` key as an option while initializing the verifier:
@verifier = ActiveSupport::MessageVerifier.new('s3Krit', digest: 'SHA256')
szeryf -
March 29, 2010
Wrong example
In the authentication filter example above, the time condition should be reversed: we only want to find the user if time is still in the future (because it’s the valid-until time).
So the example should look like this:
id, time = @verifier.verify(cookies[:remember_me]) if time > Time.now self.current_user = User.find(id) end
aamer -
August 14, 2011
Security issue
One thing to note about the code above is that it could have a security issue. If the user changes his/her password, the authentication token should expire. Hence, in a production scenario you should put in the password salt or something to allow the token to become invalidated.
ksylvest -
May 4, 2014
Security
In regards to @aamer’s comment on including the password salt this is a bad idea. `ActiveSupport::MessageVerifier` is NOT encrypted so:
verifier = ActiveSupport::MessageVerifier.new('secret') id = 'id' salt = 'salt' verifier.generate("#{id}-#{salt}") # "BAhJIgxpZC1zYWx0BjoGRVQ=--c880254708d18ce4a686bcd96a25cf0d2117e1e0" Base64.decode64(token.split("--").first) # "...id-salt..."
Note how the salt and id are both exposed! Instead a different token (reset_passowrd_token) should be used.
