| Project | Refactor Rails' Cookie Implementation and Improve Signing with Expiry and Purpose |
| --- | --- |
| Organization | Ruby on Rails |
| Repositories | https://github.com/rails/rails |
| GSoC link | https://summerofcode.withgoogle.com/projects/#6118848381059072 |
| Mentor | Kasper Timm Hansen |
| Student | Assain K C |
The main goal of this project is to add expiry and purpose to cookies so that cookies won't last forever and trying to use a cookie for something it wasn't meant for will fail. The project also focuses on backwards compatibility.
We started off by adding expiry and purpose metadata support to ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor because:
- Auto-expiring signed or encrypted messages that can be used only for a particular purpose have their own class of applications, e.g. in Active Storage.
- The signed and encrypted cookie jars use ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor for signing and encrypting cookies.
On balance, we decided to start from ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor and work backwards.
Here's the breakdown of our major milestones:
- [x] #29263 Default Message Encryptor Cipher to AES-256-GCM from AES-256-CBC.
- [x] #29599 Add Purpose and Expiry to Messages Encrypted using Message Encryptor.
- [x] #29854 Add Expiry & Purpose to Message Verifier.
- [x] #29906 Add Additional Tests to Message Verifier.
- [x] #29892 Document Expiry & Purpose Metadata Added to Message Encryptor & Message Verifier.
- [x] #30121 Add Expiry Metadata to Cookies and Freshen `:expires` Option to Support Duration.
- [x] #30407 Document Expiry Metadata Added to Cookies.
- [ ] Add Purpose Metadata to Cookies.
*** The checked milestones link to the corresponding merged Pull Requests, which contain further information. However, the purpose feature for cookies is still in progress!
In short, we've refreshed and bolstered Rails with:
- Auto expiring signed and encrypted messages that can be given a purpose.
- Auto expiring signed and encrypted cookies.
Now, you don't have to worry about forever cookies and rogue browsers sending in expired cookies.
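To make the expiry-and-purpose idea concrete, here is an added, self-contained illustration of the check these pull requests introduced: an HMAC-signed message that carries its own expiry and purpose metadata, so that an expired message, or one presented for a purpose it was not generated for, fails verification. This is example code written for this page, not code from Rails or from the project: the class name `ExpiringVerifier`, the `_meta` wrapper, and the wire format are assumptions chosen for clarity, while the `expires_in`, `expires_at` and `purpose` keyword names mirror the ones Rails 5.2's MessageVerifier accepts. Only the Ruby standard library is used. The same check is what makes auto-expiring signed cookies safe to treat as stale once their embedded expiry has passed, whatever the browser sends.

```ruby
require "openssl"
require "json"
require "time"

# Illustrative signed-message verifier modelled on the expiry-and-purpose
# metadata the project added to ActiveSupport::MessageVerifier.
# Added example, not Rails' code: class name, "_meta" wrapper and wire
# format are assumptions made for this illustration.
class ExpiringVerifier
  class InvalidSignature < StandardError; end

  def initialize(secret, digest: "SHA256")
    @secret = secret
    @digest = digest
  end

  # Wrap the data with its expiry ("exp") and purpose ("pur"), serialize,
  # base64-encode, and append an HMAC computed over the encoded payload.
  # `now` is injectable so the behaviour can be exercised deterministically.
  def generate(data, expires_in: nil, expires_at: nil, purpose: nil, now: Time.now)
    exp = expires_at || (expires_in && now + expires_in)
    payload = { "_meta" => { "data" => data,
                             "exp" => exp&.getutc&.iso8601,
                             "pur" => purpose&.to_s } }
    encoded = [JSON.generate(payload)].pack("m0") # strict base64, no newlines
    "#{encoded}--#{hmac(encoded)}"
  end

  # Returns the original data, or nil when the signature is wrong, the message
  # has expired, or it was generated for a different purpose. "No purpose" is
  # itself a purpose: a message signed for :login does not verify as a
  # purpose-less message, and a purpose-less message does not verify as :login.
  def verified(message, purpose: nil, now: Time.now)
    encoded, sig = message.to_s.split("--", 2)
    return nil unless encoded && sig && secure_compare(hmac(encoded), sig)

    parsed = JSON.parse(encoded.unpack1("m0"))
    meta = parsed["_meta"] if parsed.is_a?(Hash)
    return nil unless meta.is_a?(Hash)
    return nil if meta["pur"] != purpose&.to_s
    return nil if meta["exp"] && Time.iso8601(meta["exp"]) <= now

    meta["data"]
  rescue JSON::ParserError, ArgumentError
    nil
  end

  # Raising variant for call sites that prefer an exception over nil.
  def verify(message, **opts)
    verified(message, **opts) || raise(InvalidSignature, "mismatched digest, expiry or purpose")
  end

  private

  def hmac(encoded)
    OpenSSL::HMAC.hexdigest(@digest, @secret, encoded)
  end

  # Constant-time comparison so the signature check does not leak timing information.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a login token valid for one hour from a fixed clock.
  v = ExpiringVerifier.new("constructed-example-secret")
  t0 = Time.utc(2017, 8, 1, 12, 0, 0)
  token = v.generate({ "user_id" => 42 }, expires_in: 3600, purpose: :login, now: t0)
  p v.verified(token, purpose: :login, now: t0 + 60)          # {"user_id"=>42}
  p v.verified(token, purpose: :login, now: t0 + 3601)        # nil (expired)
  p v.verified(token, purpose: :password_reset, now: t0 + 60) # nil (wrong purpose)
end
```

Note the order of the checks: the HMAC is verified before the payload is decoded, so expiry and purpose are only ever read from data that is known to be authentic; the metadata is inside the signed payload, so a client cannot strip or alter the expiry without invalidating the signature.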
The next big leap in our mission to improve Rails is to add the purpose feature to cookies once Key Rotation is in place. This way, we can make Rails' cookies system even more robust by preventing cookies from being repurposed!
First and foremost, I'd like to thank my wonderful mentor Kasper Timm Hansen for the constant support and guidance throughout the project. Thanks a billion, Kasper, for enlightening me with your prudent wisdom and teaching me to stand on my own feet.
Special thanks to Michael Coyne, Matthew Draper, Marko Bogdanović and all the awesome people in the Rails Team for giving us your precious time and enlightening us with your expertise.
Last but not least, I'd like to thank Google for blessing us with this fantastic learning opportunity through The Google Summer of Code program, which has helped me open the doors and explore the amazing world of open source software with Ruby on Rails.