From c4e6e7bc119585d3699ccf0f6d076e1eca4518a0 Mon Sep 17 00:00:00 2001
From: Michael Chaney
Date: Tue, 11 Jun 2024 21:04:25 -0500
Subject: [PATCH 1/4] Remove extraneous check for request.local?

Closes #88.
---
 app/controllers/concerns/authentication.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
index 751f0c2..85633da 100644
--- a/app/controllers/concerns/authentication.rb
+++ b/app/controllers/concerns/authentication.rb
@@ -53,6 +53,6 @@ def user_signed_in?
   end
 
   def store_location
-    session[:user_return_to] = request.original_url if request.get? && request.local?
+    session[:user_return_to] = request.original_url if request.get?
   end
 end

From 2e6e5b0757cedd4d2c530ea047f689f1fd7015cf Mon Sep 17 00:00:00 2001
From: Michael Chaney
Date: Tue, 11 Jun 2024 21:11:02 -0500
Subject: [PATCH 2/4] Adds assertions for remember_me cookie.

Asserts cookie is http_only, secure, and same-site is "strict".

Closes #87.
---
 test/controllers/sessions_controller_test.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
index 928d560..09ceea5 100644
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -44,6 +44,12 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
 
     assert_not_nil current_user
     assert_not_nil cookies[:remember_token]
+
+    remember_me_cookie = cookies.get_cookie("remember_token")
+
+    assert remember_me_cookie.http_only?
+    assert remember_me_cookie.secure?
+    assert_equal "Strict", remember_me_cookie.to_h["SameSite"]
   end
 
   test "should forget user when logging out" do

From ba5244614f859786648493d74c8878a723ec895b Mon Sep 17 00:00:00 2001
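Review bot: The value stored on the new `store_location` line, `request.original_url`, is an absolute URL assembled from the incoming Host header, so the post-login redirect target carries whatever host the request arrived with unless host authorization is configured; storing the path alone keeps the redirect on the application's own host regardless, `session[:user_return_to] = request.fullpath if request.get?`. Separately, `request.local?`, which this hunk removes and the PATCH 4/4 hunk restores, tests whether the client address is loopback and says nothing about the URL, so with it back in place `store_location` only ever runs for clients on the server host itself; if the revert in 4/4 was meant to guard the redirect target it does not do that, and the series should settle on one behaviour rather than flipping the line twice. The method is shown in full; the module it belongs to starts before the hunk.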
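Review bot: The three added assertions check cookie attributes that the `remember` method does not set at this point in the series: the option hash only lands in PATCH 3/4, whose removed line shows the cookie still being assigned a bare value here, so unless application-wide cookie defaults already supply HttpOnly and SameSite=Strict this test is red on this commit and only turns green one patch later. Reorder or squash so each commit passes on its own, otherwise bisecting the series stops on a known-failing commit. The `secure?` assertion in particular needs a decision about what the test environment sets before it can hold, which PATCH 3/4 then resolves by deleting it. The enclosing test block starts before the hunk.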
From: Michael Chaney
Date: Fri, 14 Jun 2024 11:49:30 -0500
Subject: [PATCH 3/4] Adds security features to remember_token cookie.

1. Set to "secure" in production
2. Set to HttpOnly
3. SameSite set to strict.

Closes #87.
---
 app/controllers/concerns/authentication.rb | 7 ++++++-
 test/controllers/sessions_controller_test.rb | 1 -
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
index 85633da..3fc0004 100644
--- a/app/controllers/concerns/authentication.rb
+++ b/app/controllers/concerns/authentication.rb
@@ -35,7 +35,12 @@ def redirect_if_authenticated
   end
 
   def remember(active_session)
-    cookies.permanent.encrypted[:remember_token] = active_session.remember_token
+    cookies.permanent.encrypted[:remember_token] = {
+      value: active_session.remember_token,
+      secure: Rails.env.production?,
+      httponly: true,
+      same_site: :strict
+    }
   end
 
   private
diff --git a/test/controllers/sessions_controller_test.rb b/test/controllers/sessions_controller_test.rb
index 09ceea5..ada661b 100644
--- a/test/controllers/sessions_controller_test.rb
+++ b/test/controllers/sessions_controller_test.rb
@@ -48,7 +48,6 @@ class SessionsControllerTest < ActionDispatch::IntegrationTest
     remember_me_cookie = cookies.get_cookie("remember_token")
 
     assert remember_me_cookie.http_only?
-    assert remember_me_cookie.secure?
     assert_equal "Strict", remember_me_cookie.to_h["SameSite"]
   end
 

From 515871f985d42414061c3128744bc3f4f68c5be6 Mon Sep 17 00:00:00 2001
From: Michael Chaney
Date: Fri, 14 Jun 2024 11:51:53 -0500
Subject: [PATCH 4/4] Undoing prior accidental commit.

---
 app/controllers/concerns/authentication.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
index 3fc0004..7873303 100644
--- a/app/controllers/concerns/authentication.rb
+++ b/app/controllers/concerns/authentication.rb
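Review bot: `secure: Rails.env.production?` in the new `remember` body ties the Secure attribute to the environment name rather than to the transport, so a staging or review environment served over TLS gets a remember-token cookie the browser will also send over plain http, while a production instance reached over http sets a cookie the browser discards. Deriving it from the request keeps today's production behaviour and covers the other cases: `secure: Rails.env.production? || request.ssl?`. `same_site: :strict` is a deliberate trade-off that deserves a comment, because a Strict cookie is not sent on cross-site top-level navigations (a link from an email or another site), so a returning user whose session cookie has already expired lands unauthenticated until they navigate again within the site; a line above the hash such as `# Strict: not sent on cross-site navigations, so an external link lands unauthenticated once the session cookie has expired.` records that this is intended. The method is shown in full; the enclosing module starts before the hunk.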
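Review bot: Removing `assert remember_me_cookie.secure?` in the sessions_controller_test hunk leaves the Secure attribute that this same commit introduces unverified in every environment, since the test environment never satisfies `Rails.env.production?`. One way to keep coverage is to run the sign-in request of this test (it starts before the hunk) with the production check stubbed, e.g. `Rails.env.stub(:production?, true) { ... }` where minitest/mock is loaded, and then assert on the raw `Set-Cookie` response header rather than on the cookie jar, because as far as I recall rack-test's jar only exposes Secure cookies for https URIs and `get_cookie` would return nil for the flagged cookie. If that is more than this test should carry, at least leave a comment in place of the deleted line saying why `secure?` is not asserted, so the gap is visible rather than silent.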
@@ -58,6 +58,6 @@ def user_signed_in?
   end
 
   def store_location
-    session[:user_return_to] = request.original_url if request.get?
+    session[:user_return_to] = request.original_url if request.get? && request.local?
   end
 end