Class: ActiveSupport::MessageVerifier

Inherits:

Object

Object
ActiveSupport::MessageVerifier

show all

Defined in:: lib/active_support/message_verifier.rb

Overview

MessageVerifier makes it easy to generate and verify messages which are signed to prevent tampering.

This is useful for cases like remember-me tokens and auto-unsubscribe links where the session store isn’t suitable or available.

Remember Me:

cookies[:remember_me] = @verifier.generate([@user.id, 2.weeks.from_now])

In the authentication filter:

id, time = @verifier.verify(cookies[:remember_me])
if time < Time.now
  self.current_user = User.find(id)
end

By default it uses Marshal to serialize the message. If you want to use another serialization method, you can set the serializer attribute to something that responds to dump and load, e.g.:

@verifier.serializer = YAML

Defined Under Namespace

Classes: InvalidSignature

Instance Method Summary collapse

#generate(value) ⇒ Object
#initialize(secret, options = {}) ⇒ MessageVerifier constructor

A new instance of MessageVerifier.
#verify(signed_message) ⇒ Object

Constructor Details

#initialize(secret, options = {}) ⇒ `MessageVerifier`

Returns a new instance of MessageVerifier.

# File 'lib/active_support/message_verifier.rb', line 30

def initialize(secret, options = {})
  unless options.is_a?(Hash)
    ActiveSupport::Deprecation.warn "The second parameter should be an options hash. Use :digest => 'algorithm' to specify the digest algorithm."
    options = { :digest => options }
  end

  @secret = secret
  @digest = options[:digest] || 'SHA1'
  @serializer = options[:serializer] || Marshal
end

Instance Method Details

#generate(value) ⇒ `Object`

# File 'lib/active_support/message_verifier.rb', line 52

def generate(value)
  data = ::Base64.strict_encode64(@serializer.dump(value))
  "#{data}--#{generate_digest(data)}"
end

#verify(signed_message) ⇒ `Object`

Raises:

(InvalidSignature)

# File 'lib/active_support/message_verifier.rb', line 41

def verify(signed_message)
  raise InvalidSignature if signed_message.blank?

  data, digest = signed_message.split("--")
  if data.present? && digest.present? && secure_compare(digest, generate_digest(data))
    @serializer.load(::Base64.decode64(data))
  else
    raise InvalidSignature
  end
end