| author | mo khan <mo@mokhan.ca> | 2014-11-15 10:34:55 -0700 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2014-11-15 10:34:55 -0700 |
| commit | acb6b46a6127c1e6ce99eb7777728e98f1b02060 (patch) | |
| tree | ffd95d1f931ade12e87e22cf6f6139c6fd5f2209 | |
| parent | 2059e8bd25d0ad79aaa1099314eddda5cd8c7f4e (diff) | |
| -rw-r--r-- | app/models/session.rb | 11 | ||||
| -rw-r--r-- | db/migrate/20141115172026_add_key_to_sessions.rb | 6 | ||||
| -rw-r--r-- | db/schema.rb | 4 | ||||
| -rw-r--r-- | spec/controllers/application_controller_spec.rb | 4 | ||||
| -rw-r--r-- | spec/controllers/sessions_controller_spec.rb | 4 | ||||
| -rw-r--r-- | spec/models/session_spec.rb | 5 | ||||
| -rw-r--r-- | spec/support/authentication.rb | 2 |
7 files changed, 26 insertions, 10 deletions
diff --git a/app/models/session.rb b/app/models/session.rb
index 4e1cc0f..006e847 100644
--- a/app/models/session.rb
+++ b/app/models/session.rb
@@ -1,11 +1,12 @@
 class Session < ActiveRecord::Base
   belongs_to :user
+  before_create :create_key
 
   def access(request)
     self.ip_address = request.remote_ip
     if save
       {
-        value: self.id,
+        value: self.key,
         httponly: true,
         secure: Rails.env.production? || Rails.env.staging?,
         expires: 2.weeks.from_now
@@ -25,7 +26,13 @@ class Session < ActiveRecord::Base
     end
 
     def authenticate!(session_key)
-      active.find(session_key)
+      active.find_by!(key: session_key)
     end
   end
+
+  private
+
+  def create_key
+    self.key = SecureRandom.uuid
+  end
 end
diff --git a/db/migrate/20141115172026_add_key_to_sessions.rb b/db/migrate/20141115172026_add_key_to_sessions.rb
new file mode 100644
index 0000000..4788f1d
--- /dev/null
+++ b/db/migrate/20141115172026_add_key_to_sessions.rb
@@ -0,0 +1,6 @@
+class AddKeyToSessions < ActiveRecord::Migration
+  def change
+    add_column :sessions, :key, :string, null: false
+    add_index :sessions, :key
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 021eeba..12b3512 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20141115170606) do
+ActiveRecord::Schema.define(version: 20141115172026) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -50,8 +50,10 @@ ActiveRecord::Schema.define(version: 20141115170606) do
     t.datetime "created_at"
     t.datetime "updated_at"
     t.datetime "revoked_at"
+    t.string "key", null: false
   end
 
+  add_index "sessions", ["key"], name: "index_sessions_on_key", using: :btree
   add_index "sessions", ["revoked_at"], name: "index_sessions_on_revoked_at", using: :btree
 
   create_table "users", force: true do |t|
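Review bot: `create_key` persists the bearer session key in clear text and `authenticate!` looks it up by equality, so anything that can read the sessions table (a backup, a read replica, a query bug elsewhere) obtains live credentials that only need to be placed in the signed cookie. Storing a digest instead (e.g. `self.key_digest = Digest::SHA256.hexdigest(raw_key)` in `create_key` and `active.find_by!(key_digest: Digest::SHA256.hexdigest(session_key))` in `authenticate!`) would limit that, at the cost of `access` having to hand out the raw key once at creation rather than reading it back from the record. Note also that nothing in this hunk bounds session age on the server; the cookie's `expires:` is enforced only by the browser, and whether the `active` scope covers age is not visible here since it is defined outside the hunk. The block that encloses `authenticate!` starts before this hunk.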
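Review bot: `add_column :sessions, :key, :string, null: false` adds a NOT NULL column with no default, which fails on PostgreSQL (the schema enables `plpgsql`) as soon as the sessions table holds a row, so the migration needs either a backfill (add the column nullable, assign `SecureRandom.uuid` per existing row, then `change_column_null :sessions, :key, false`) or an explicit decision to clear existing sessions before adding the constraint. The index should also be unique, since `authenticate!` now treats the key as the session's identifier: `add_index :sessions, :key, unique: true`. With random UUIDs a collision is not a practical concern, but the constraint documents the invariant and lets the database reject a duplicate rather than `find_by!` silently picking one row.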
diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
index 6c4756a..c8e472d 100644
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -12,7 +12,7 @@ describe ApplicationController do
 
     let(:user) { create(:user, password: 'password', password_confirmation: 'password') }
     let(:user_session) { create(:session, user: user) }
-    before { cookies.signed[:raphael] = user_session.id }
+    before { cookies.signed[:raphael] = user_session.key }
     before { get :index }
 
     it "lets you continue to do whatever the heck you were trying to do" do
@@ -26,7 +26,7 @@ describe ApplicationController do
 
   context "when not signed in" do
     before :each do
-      cookies.signed[:raphael] = rand(100)
+      cookies.signed[:raphael] = SecureRandom.uuid
       get :index
     end
 
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index 9a5144c..fdfbd53 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -35,7 +35,7 @@ describe SessionsController do
       end
 
       it 'assigns a session key to a secure cookie' do
-        expect(cookies.signed[:raphael]).to eql(Session.last.id)
+        expect(cookies.signed[:raphael]).to eql(Session.last.key)
       end
     end
   end
@@ -44,7 +44,7 @@ describe SessionsController do
     let(:user_session) { create(:session) }
 
     before :each do
-      cookies.signed[:raphael] = user_session.id
+      cookies.signed[:raphael] = user_session.key
       delete :destroy, { id: 'mine' }
     end
 
diff --git a/spec/models/session_spec.rb b/spec/models/session_spec.rb
index 4195404..4da0210 100644
--- a/spec/models/session_spec.rb
+++ b/spec/models/session_spec.rb
@@ -7,6 +7,7 @@ describe Session do
       session = Session.last
       expect(session.user_id).to eql(1)
       expect(session.ip_address).to eql("127.0.0.1")
+      expect(session.key).to_not be_nil
     end
   end
 
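Review bot: `expect(session.key).to_not be_nil` passes for any non-nil value, including an empty string or a constant, so it does not pin the property this commit introduces, namely that every session gets an unguessable, distinct key. Assert the generated format and distinctness instead, e.g. `expect(session.key).to match(/\A\h{8}-\h{4}-\h{4}-\h{4}-\h{12}\z/)` plus a second created session whose key differs from the first. The `it` block this assertion sits in starts before the hunk.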
@@ -15,7 +16,7 @@ describe Session do
 
     context "when the session key is legit" do
       it 'returns the session' do
-        expect(Session.authenticate!(user_session.id)).to eql(user_session)
+        expect(Session.authenticate!(user_session.key)).to eql(user_session)
       end
     end
 
@@ -29,7 +30,7 @@ describe Session do
       let(:revoked_session) { create(:session, revoked_at: Time.now) }
 
       it 'raises an error' do
-        expect(-> { Session.authenticate(revoked_session.id) }).to raise_error
+        expect(-> { Session.authenticate(revoked_session.key) }).to raise_error
       end
     end
   end
diff --git a/spec/support/authentication.rb b/spec/support/authentication.rb
index 18c4f31..47a7dc6 100644
--- a/spec/support/authentication.rb
+++ b/spec/support/authentication.rb
@@ -1,6 +1,6 @@
 module HttpAuthentication
   def http_login(user, password = 'password')
     user_session = create(:session, user: user)
-    cookies.signed[:raphael] = user_session.id
+    cookies.signed[:raphael] = user_session.key
   end
 end
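Review bot: `Session.authenticate(revoked_session.key)` calls `authenticate` without the bang, whereas the model hunk in this commit defines `authenticate!` and no non-bang variant is visible; combined with a bare `raise_error`, a `NoMethodError` satisfies the expectation, so the test does not demonstrate that a revoked session is rejected. Tighten it to `expect { Session.authenticate!(revoked_session.key) }.to raise_error(ActiveRecord::RecordNotFound)`, which is what `find_by!` raises when the `active` scope excludes the row. The enclosing `describe` block starts before the hunk.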
