From 3e6641c07e549b7b74fb70d1d1c0a210c59449ff Mon Sep 17 00:00:00 2001
From: tms
Date: Sat, 23 Feb 2013 13:40:21 -0500
Subject: [PATCH] Unsign auth token cookies per discussion on #215

---
 app/controllers/application_controller.rb   | 2 +-
 lib/current_user.rb                         | 3 ++-
 spec/controllers/session_controller_spec.rb | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index f23bf4b3c38..00415285f6c 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -117,7 +117,7 @@ class ApplicationController < ActionController::Base
       user.auth_token = SecureRandom.hex(16)
       user.save!
     end
-    cookies.permanent.signed[:_t] = { :value => user.auth_token, :httponly => true }
+    cookies.permanent[:_t] = { :value => user.auth_token, :httponly => true }
   end
 
   # This is odd, but it seems that in Rails `render json: obj` is about
diff --git a/lib/current_user.rb b/lib/current_user.rb
index f16eed3fbd8..a5bf653fff1 100644
--- a/lib/current_user.rb
+++ b/lib/current_user.rb
@@ -2,6 +2,7 @@ module CurrentUser
 
   def self.lookup_from_env(env)
     request = Rack::Request.new(env)
+    puts request.inspect
     auth_token = request.cookies[:_t]
     user = nil
     if auth_token && auth_token.length == 32
@@ -16,7 +17,7 @@ module CurrentUser
 
     if session[:current_user_id].blank?
       # maybe we have a cookie?
-      auth_token = cookies.signed[:_t]
+      auth_token = cookies[:_t]
       if auth_token && auth_token.length == 32
         @current_user = User.where(auth_token: auth_token).first
         session[:current_user_id] = @current_user.id if @current_user
diff --git a/spec/controllers/session_controller_spec.rb b/spec/controllers/session_controller_spec.rb
index 3ed3717356e..59be7306925 100644
--- a/spec/controllers/session_controller_spec.rb
+++ b/spec/controllers/session_controller_spec.rb
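Review bot: Dropping `signed` on the added line makes the permanent `_t` cookie carry the raw `user.auth_token` with no integrity protection, so the token is now a bearer secret and anything holding that cookie value authenticates as the user for as long as the token stays unchanged in the database. The option hash keeps only `:httponly => true`; if the app is served over TLS, `:secure => true` belongs next to it so the clear-text token is never sent over plain HTTP (whether TLS is enforced elsewhere cannot be told from this hunk). The decision to leave the cookie unsigned deserves a comment at the assignment, e.g. `# Deliberately unsigned (see #215): the 16-byte random token is the credential itself.` The enclosing method starts outside the hunk.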
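Review bot: The added `puts request.inspect` dumps the whole Rack::Request, including the `_t` auth-token cookie and every other request header, to stdout on each call to `lookup_from_env`, which leaks the now-unsigned bearer token into process logs; it reads as leftover debugging and should be removed before merge. Separately, the context line `auth_token = request.cookies[:_t]` looks up a symbol key, but `Rack::Request#cookies` is keyed by string, so this lookup appears to always return nil; `auth_token = request.cookies['_t']` would match the cookie name the controller writes (worth confirming against the Rack version in use). The rest of `lookup_from_env` continues outside the hunk.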
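Review bot: After this change `cookies[:_t]` is user-supplied text with no signature, and the only check before it reaches `User.where(auth_token: ...)` is `auth_token.length == 32`; since the stored token is produced by `SecureRandom.hex(16)`, the value should be validated as exactly 32 hex characters before the query, e.g. `if auth_token && auth_token =~ /\A\h{32}\z/`. The same length-only check appears on the context line in `lookup_from_env` in the previous hunk, so one shared predicate for "looks like an auth token" would keep the two paths consistent. The enclosing method starts and ends outside the hunk.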
@@ -38,7 +38,7 @@ describe SessionController do
       end
 
       it 'sets a cookie with the auth token' do
-        cookies.signed[:_t].should == user.auth_token
+        cookies[:_t].should == user.auth_token
       end
     end
 