Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix auth_tag retrieval on JRuby #32

Merged
merged 2 commits into from
Jan 22, 2024
Merged

Fix auth_tag retrieval on JRuby #32

merged 2 commits into from
Jan 22, 2024

Conversation

jcmfernandes
Copy link
Contributor

Address the issue reported in #23 (comment).

This was referenced Jan 17, 2024
Merged
Closed
Merged
@ioquatix ioquatix merged commit d6a7228 into rack:main Jan 22, 2024
20 checks passed
@mhenrixon
Copy link

@ioquatix @jcmfernandes, how can I fix the following message after an upgrade?

invalid secret: 9, must be >=64

I use it in a test for sidekiq-unique-jobs:

RSpec.describe SidekiqUniqueJobs::Web do
  include Rack::Test::Methods
  include RSpecHtmlMatchers

  def app
    @app ||= Rack::Builder.new do
      use Rack::Session::Cookie,
          key: "rack.session",
          domain: "foo.com",
          path: "/",
          expire_after: 2_592_000,
          secret: "change_me",
          old_secret: "also_change_me"

      run Sidekiq::Web
    end
  end

  before do
    flush_redis
  end
end

I am a little stumped by this, but I figured that rack-session was upgraded as part of upgrading Sinatra when updating Sidekiq 🤦‍♂️🙈

@mhenrixon
Copy link

I am a little stumped by this, but I figured that rack-session was upgraded as part of upgrading Sinatra when updating Sidekiq 🤦‍♂️🙈

Alright, I just needed to make the secrets long enough, and it worked.

@jcmfernandes
Copy link
Contributor Author

I'm glad you sorted it out @mhenrixon. The error has nothing to do with this PR though. Unlike the cookie-based session management that shipped with rack v2, rack-session (rightfully) requires longer secrets.

@tungleduyxyz tungleduyxyz mentioned this pull request Jan 30, 2024
Merged
@kyledrake
Copy link

kyledrake commented Oct 28, 2024
edited
Loading

I'm glad you sorted it out @mhenrixon. The error has nothing to do with this PR though. Unlike the cookie-based session management that shipped with rack v2, rack-session (rightfully) requires longer secrets.

@jcmfernandes If this is the case, it might make sense for rack-session to provide documentation or a rotation mechanism for old keys to migrate to newer ones. If a rack 2 production app switched to this, it would throw exceptions for all requests that used the old secret, until a new one was used, which would then break all existing sessions.

There hasn't been a lot of issues filed about this, so it's possible this isn't an issue a lot of people are having, but it could make for a very bad day for someone out there in production that's not running on a fresh code base.

ioquatix pushed a commit that referenced this pull request Jan 4, 2025
@jcmfernandes @ioquatix
Fix auth_tag retrieval on JRuby (#32)
625a83a
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@headius headius headius left review comments

@ioquatix ioquatix ioquatix approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jcmfernandes @mhenrixon @kyledrake @headius @ioquatix