Method: ActiveSupport::MessageVerifier#initialize
- Defined in:
- lib/active_support/message_verifier.rb
#initialize(secret, **options) ⇒ MessageVerifier
Initialize a new MessageVerifier with a secret for the signature.
Options
:digest
-
Digest used for signing. The default is
"SHA1"
. SeeOpenSSL::Digest
for alternatives. :serializer
-
The serializer used to serialize message data. You can specify any object that responds to
dump
andload
, or you can choose from several preconfigured serializers::marshal
,:json_allow_marshal
,:json
,:message_pack_allow_marshal
,:message_pack
.The preconfigured serializers include a fallback mechanism to support multiple deserialization formats. For example, the
:marshal
serializer will serialize usingMarshal
, but can deserialize usingMarshal
, ActiveSupport::JSON, or ActiveSupport::MessagePack. This makes it easy to migrate between serializers.The
:marshal
,:json_allow_marshal
, and:message_pack_allow_marshal
serializers support deserializing usingMarshal
, but the others do not. Beware thatMarshal
is a potential vector for deserialization attacks in cases where a message signing secret has been leaked. If possible, choose a serializer that does not supportMarshal
.The
:message_pack
and:message_pack_allow_marshal
serializers use ActiveSupport::MessagePack, which can roundtrip some Ruby types that are not supported by JSON, and may provide improved performance. However, these require themsgpack
gem.When using Rails, the default depends on
config.active_support.message_serializer
. Otherwise, the default is:marshal
. :url_safe
-
By default, MessageVerifier generates RFC 4648 compliant strings which are not URL-safe. In other words, they can contain “+” and “/”. If you want to generate URL-safe strings (in compliance with “Base 64 Encoding with URL and Filename Safe Alphabet” in RFC 4648), you can pass
true
. :force_legacy_metadata_serializer
-
Whether to use the legacy metadata serializer, which serializes the message first, then wraps it in an envelope which is also serialized. This was the default in Rails 7.0 and below.
If you don’t pass a truthy value, the default is set using
config.active_support.use_message_serializer_for_metadata
.
153 154 155 156 157 158 |
# File 'lib/active_support/message_verifier.rb', line 153 def initialize(secret, **) raise ArgumentError, "Secret should not be nil." unless secret super(**) @secret = secret @digest = [:digest]&.to_s || "SHA1" end |