MessageVerifier makes it easy to generate and verify messages which are signed to prevent tampering.
This is useful for cases like remember-me tokens and auto-unsubscribe links where the session store isn’t suitable or available.
Remember Me:
cookies[:remember_me] = @verifier.generate([@user.id, 2.weeks.from_now])
In the authentication filter:
id, time = @verifier.verify(cookies[:remember_me])
if time < Time.now
self.current_user = User.find(id)
end
Methods
Public Class methods
[ show source ]
# File activesupport/lib/active_support/message_verifier.rb, line 24
24: def initialize(secret, digest = 'SHA1')
25: @secret = secret
26: @digest = digest
27: end
Public Instance methods
[ show source ]
# File activesupport/lib/active_support/message_verifier.rb, line 40
40: def generate(value)
41: data = ActiveSupport::Base64.encode64s(Marshal.dump(value))
42: "#{data}--#{generate_digest(data)}"
43: end
[ show source ]
# File activesupport/lib/active_support/message_verifier.rb, line 29
29: def verify(signed_message)
30: raise InvalidSignature if signed_message.blank?
31:
32: data, digest = signed_message.split("--")
33: if data.present? && digest.present? && secure_compare(digest, generate_digest(data))
34: Marshal.load(ActiveSupport::Base64.decode64(data))
35: else
36: raise InvalidSignature
37: end
38: end
Private Instance methods
[ show source ]
# File activesupport/lib/active_support/message_verifier.rb, line 57
57: def generate_digest(data)
58: require 'openssl' unless defined?(OpenSSL)
59: OpenSSL::HMAC.hexdigest(OpenSSL::Digest.const_get(@digest).new, @secret, data)
60: end
constant-time comparison algorithm to prevent timing attacks
[ show source ]
# File activesupport/lib/active_support/message_verifier.rb, line 47
47: def secure_compare(a, b)
48: return false unless a.bytesize == b.bytesize
49:
50: l = a.unpack "C#{a.bytesize}"
51:
52: res = 0
53: b.each_byte { |byte| res |= byte ^ l.shift }
54: res == 0
55: end