@assain
Last active August 12, 2018 15:29
GSoC 2017 Final Report

Google Summer of Code 2017

Refactor Rails' Cookie Implementation and Improve Signing with Expiry and Purpose

Project: Refactor Rails' Cookie Implementation and Improve Signing with Expiry and Purpose
Organization: Ruby on Rails
Repositories: https://github.com/rails/rails
GSoC link: https://summerofcode.withgoogle.com/projects/#6118848381059072
Mentor: Kasper Timm Hansen
Student: Assain K C

Project Goal

The main goal of this project is to add expiry and purpose to cookies so that cookies won't last forever and trying to use a cookie for something it wasn't meant for will fail. The project also focuses on backwards compatibility.

Road Map

We started off by adding expiry and purpose metadata support to ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor because:

  • Auto-expiring signed/encrypted messages that can be used only for a particular purpose have their own class of applications, e.g. in Active Storage.
  • The signed and encrypted cookie jars use ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor to sign and encrypt cookies, so anything added there carries over to cookies.

On balance, we decided to start from ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor and work backwards.

The Story So Far

Here's the breakdown of our major milestones:

  • #29263 Default Message Encryptor Cipher to AES-256-GCM from AES-256-CBC
  • #29599 Add Purpose and Expiry to Messages Encrypted using Message Encryptor
  • #29854 Add Expiry & Purpose to Message Verifier
  • #29906 Add Additional Tests to Message Verifier
  • #29892 Document Expiry & Purpose Metadata Added to Message Encryptor & Message Verifier
  • #30121 Add Expiry Metadata to Cookies and Freshen :expires Option to Support Duration
  • #30407 Document Expiry Metadata Added to Cookies
  • Add Purpose Metadata to Cookies

*** The checked milestones link to the corresponding merged pull requests, which contain further information. The last item, the purpose feature for cookies, is still in progress.

In short, we've refreshed and bolstered Rails with:

  • Auto expiring signed and encrypted messages that can be given a purpose.
  • Auto expiring signed and encrypted cookies.

Now, you don't have to worry about forever cookies and rogue browsers sending in expired cookies.
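To make the expiry and purpose mechanism from the road map and the milestones above concrete, here is an added, stand-alone Ruby illustration; it is not Rails' code and not part of this report. It assumes a constructed payload layout (a JSON object with "message", "exp" and "pur" keys, Base64-encoded and HMAC-signed, with the metadata inside the signed bytes) and a constructed secret; Rails' real ActiveSupport::MessageVerifier wraps the value differently, but the checks it performs are the ones shown: the signature is verified first, then the expiry is compared against the current time, then the purpose must match exactly (a message generated with no purpose is not accepted for any purpose, and vice versa).

```ruby
require "openssl"
require "json"
require "base64"
require "time"

# Constructed illustration of signing with expiry and purpose metadata.
# Not Rails' implementation; the payload layout is an assumption of this example.
class ExpiringVerifier
  InvalidSignature = Class.new(StandardError)

  def initialize(secret, digest: "SHA256")
    @secret = secret
    @digest = digest
  end

  # Wrap +value+ with optional expiry and purpose metadata, then sign the wrapper.
  # Because the metadata sits inside the signed bytes, it cannot be altered
  # without invalidating the signature.
  def generate(value, purpose: nil, expires_in: nil, expires_at: nil, now: Time.now)
    expires_at ||= now + expires_in if expires_in
    payload = { "message" => value }
    payload["exp"] = expires_at.utc.iso8601 if expires_at
    payload["pur"] = purpose.to_s if purpose
    data = Base64.strict_encode64(JSON.generate(payload))
    "#{data}--#{sign(data)}"
  end

  # Return the original value only if the signature is valid, the message has
  # not expired, and the purpose matches; otherwise return nil.
  def verified(signed, purpose: nil, now: Time.now)
    data, sig = signed.to_s.split("--", 2)
    return nil unless data && sig && secure_compare(sign(data), sig)

    payload = JSON.parse(Base64.strict_decode64(data))
    return nil if payload["exp"] && Time.iso8601(payload["exp"]) <= now
    # "" == "" when neither side has a purpose; any other mismatch fails.
    return nil unless payload["pur"].to_s == purpose.to_s

    payload["message"]
  rescue ArgumentError, JSON::ParserError
    nil
  end

  # Raising variant, mirroring the verified/verify pair of API styles.
  def verify(signed, **opts)
    verified(signed, **opts) or raise InvalidSignature
  end

  private

  def sign(data)
    OpenSSL::HMAC.hexdigest(@digest, @secret, data)
  end

  # Constant-time comparison so signature checking does not leak by timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Exercise the four outcomes a cookie jar cares about with a fixed clock.
def demo
  verifier = ExpiringVerifier.new("constructed-secret-not-for-real-use")
  t0 = Time.utc(2018, 8, 12, 15, 29)
  token = verifier.generate("user-42", purpose: :login, expires_in: 3600, now: t0)
  forged = token.sub(/--\h+\z/, "--" + "0" * 64) # constructed bad signature

  {
    ok: verifier.verified(token, purpose: :login, now: t0 + 60),
    wrong_purpose: verifier.verified(token, purpose: :reset_password, now: t0 + 60),
    expired: verifier.verified(token, purpose: :login, now: t0 + 3601),
    tampered: verifier.verified(forged, purpose: :login, now: t0 + 60)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The ordering inside verified is the point: the signature check runs on the raw bytes before anything is decoded, so a forged or expired-but-edited token never reaches the JSON parser, and the expiry and purpose checks then operate only on metadata that was signed at generation time.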

Future Work

The next big leap in our mission to improve Rails is to add the purpose feature to cookies once Key Rotation is in place. This way, we can make Rails' cookies system even more robust by preventing cookies from being repurposed!

Acknowledgements

First and foremost, I'd like to thank my wonderful mentor Kasper Timm Hansen for the constant support and guidance throughout the project. Thanks a billion, Kasper, for enlightening me with your prudent wisdom and teaching me to stand on my own feet.

Special thanks to Michael Coyne, Matthew Draper, Marko Bogdanović and all the awesome people in the Rails Team for giving us your precious time and enlightening us with your expertise.

Last but not least, I'd like to thank Google for blessing us with this fantastic learning opportunity through The Google Summer of Code program, which has helped me open the doors and explore the amazing world of open source software with Ruby on Rails.
