authormo khan <mo@mokhan.ca>2014-11-15 08:50:53 -0700
committermo khan <mo@mokhan.ca>2014-11-15 08:50:53 -0700
commitbff28ab6769f9d060511ff0e5c5c54e2a3df764b (patch)
tree38221760846a7b11da368cb220da2f09784ff47e
parentd1aa4c6c0f292d5961d2a13cb20b63151c28be0d (diff)
introduce secure auth cookie.
-rw-r--r--app/controllers/sessions_controller.rb1
-rw-r--r--app/models/session.rb9
-rw-r--r--spec/controllers/sessions_controller_spec.rb4
3 files changed, 14 insertions, 0 deletions
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index b78e660..a6e9a12 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -13,6 +13,7 @@ class SessionsController < ApplicationController
def create
if @session = @login_command.run(self)
session[:user_session_id] = @session.id
+ cookies.signed[:raphael] = @session.access(request)
redirect_to root_path(anchor: '')
else
flash[:error] = I18n.translate(:invalid_credentials)
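Review bot: The added line stores the session record id in a signed cookie, which is tamper-evident but not confidential — the client can read the id (and, being a database id, infer how many sessions exist) by decoding the cookie value; if the app is on Rails 4.1 or later, `cookies.encrypted[:raphael] = @session.access(request)` gives the same tamper protection plus confidentiality. The cookie name `:raphael` is a bare literal that the spec repeats; a constant on the model (for example `COOKIE_NAME = :raphael` on Session, then `cookies.signed[Session::COOKIE_NAME] = ...`) keeps the controller and spec in step. This hunk sets a two-week persistent cookie on login but nothing visible deletes it on logout; presumably `destroy` should `cookies.delete(:raphael)` alongside resetting the session — not visible here, so confirm. `create` starts and ends outside the hunk.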
diff --git a/app/models/session.rb b/app/models/session.rb
index c66afec..253cfa0 100644
--- a/app/models/session.rb
+++ b/app/models/session.rb
@@ -1,3 +1,12 @@
class Session < ActiveRecord::Base
belongs_to :user
+
+ def access(request)
+ {
+ value: id,
+ httponly: true,
+ secure: Rails.env.production? || Rails.env.staging?,
+ expires: 2.weeks.from_now
+ }
+ end
end
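Review bot: `access(request)` never uses its `request` argument — the returned hash depends only on `id` and `Rails.env` — so either drop it from both the signature and the call in sessions_controller.rb, or mark it as intentionally unused with `def access(_request)` until it is consumed. The method deserves a one-line doc stating that it returns a cookie-options hash for the signed session cookie (value is the record id, `httponly`, `secure` only in production/staging, two-week expiry) rather than an access check as the name suggests; a name like `cookie_options` would say that more plainly. The `2.weeks` lifetime is a magic value that any server-side session expiry must agree with (not visible in this commit), so hoisting it to a frozen constant such as `COOKIE_LIFETIME = 2.weeks` makes that coupling explicit.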
diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index 2eb2f95..9100777 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -48,6 +48,10 @@ describe SessionsController do
expect(session[:user_session_id]).to eql(last_session.id)
expect(last_session.ip_address).to eql("0.0.0.0")
end
+
+ it 'assigns a session key to a secure cookie' do
+ expect(cookies.signed[:raphael]).to eql(Session.last.id)
+ end
end
end
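Review bot: The new example is titled "assigns a session key to a secure cookie" but asserts only the cookie's value, not the `httponly`, `secure` or `expires` attributes the commit introduces, so a regression that drops those flags would still pass; if the controller test response exposes them (e.g. via `response.headers['Set-Cookie']` — confirm for this Rails version), assert them here or rename the example to what it checks. The line above in the same file uses `last_session.id` while the new example uses `Session.last.id`; if `last_session` is a `let` defined earlier (outside the hunk), `expect(cookies.signed[:raphael]).to eql(last_session.id)` keeps the two consistent. The enclosing describe block starts outside the hunk.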