Add remember me cookie assertions#97

Closed
mdchaney wants to merge 4 commits into stevepolitodesign:main from mdchaney:add-remember-me-cookie-assertions

Conversation

@mdchaney

Just adds the assertions mentioned in #87.

mdchaney added 2 commits June 11, 2024 21:04
Asserts cookie is http_only, secure, and same-site is "strict".
Closes stevepolitodesign#87.

def store_location
session[:user_return_to] = request.original_url if request.get? && request.local?
session[:user_return_to] = request.original_url if request.get?
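Review bot: the `store_location` change is unrelated to the remember-me cookie assertions this PR is about and, as the thread below notes, belongs with #96; the two versions differ only in the `request.local?` guard, which in Rails is true only for requests arriving from a loopback address, so whichever direction the change goes it alters when `user_return_to` is recorded for every non-local request. Suggest dropping this hunk from this PR so the cookie change can be reviewed on its own.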
Owner

Was this meant to be part of #96?

Author

Yes. Ignore this mess for now.

Comment on lines +48 to +52
remember_me_cookie = cookies.get_cookie("remember_token")

assert remember_me_cookie.http_only?
assert remember_me_cookie.secure?
assert_equal "Strict", remember_me_cookie.to_h["SameSite"]
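Review bot: these three assertions can only hold if `remember` actually emits the cookie with `httponly`, `secure` and `same_site: :strict`, and the `remember` implementation quoted further down assigns `cookies.permanent.encrypted[:remember_token]` a bare value with no options, so this test should be expected to fail until the implementation changes (as the thread later confirms). One more point to settle now rather than later: `assert remember_me_cookie.secure?` runs in the test environment, so a `secure` flag that is only set in production (as the later commit message describes) will not satisfy it; either set `secure` unconditionally or make the assertion match the environment the cookie is actually secured in.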
Owner

I'm surprised this passed, since it doesn't look like the implementation changed?

def remember(active_session)
cookies.permanent.encrypted[:remember_token] = active_session.remember_token
end
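Review bot: this assigns only a value, so the cookie is written with no HttpOnly and no Secure attribute and only whatever app-wide SameSite default the app configures, which is why the new assertions cannot pass against it. The change the commit list describes (HttpOnly, SameSite=Strict, Secure in production) needs the options form, e.g. `cookies.permanent.encrypted[:remember_token] = { value: active_session.remember_token, httponly: true, same_site: :strict, secure: Rails.env.production? }`; note that gating `secure` on production leaves the test's `secure?` assertion failing in the test environment, so decide whether the flag is unconditional or the test accounts for the environment.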

Owner
@stevepolitodesign Jun 14, 2024

Ah, it did not pass.

@mdchaney would you be able to make the implementation change too, as outlined in #53?

Author


Didn't pass. I tested this in the wrong directory (long story). I'm going to fix this.

mdchaney added 2 commits June 14, 2024 11:49
1. Set to "secure" in production
2. Set to HttpOnly
3. SameSite set to strict.

Closes stevepolitodesign#87.
@mdchaney
Author

Making a new pull request.

@mdchaney mdchaney closed this Jun 14, 2024