Signing... with an expiration date

Question

Signing... with an expiration date

jeremy opened this issue 10 years ago · comments

Once we can sign with purpose, we'll also want to be explicit about how long the signed Global ID is valid. It needs an expiration date!

See the work in progress on expiration @ rails/rails#16462 - they can use some help on this as well ❤️

We'll want to be able to pass :expires_in or :expires_at when we create signed Global IDs. When we parse a sgid, we'll rely on the MessageVerifier to raise when it's past the expiration date. We'll have to rescue that error and return nil.

Furthermore, we'll want expiration by default, so we'll never inadvertently send out forever-valid signed Global IDs. So, SignedGlobalID.expires_in = 1.month for example, and expose config.global_id.expires_in = ... to the Railtie. Allow passing expires_in: nil to override and use no expiry.

Tony Han commented 10 years ago

cool!!

Tony Han · Answer 1 · Thu Aug 21 2014 08:50:07 GMT+0800 (China Standard Time)

It seems we should wait for the merging of rails/rails#16462 although we can implement this like http://api.rubyonrails.org/classes/ActiveSupport/MessageVerifier.html , right?

Jeremy Daer · Answer 2 · Thu Aug 21 2014 13:13:40 GMT+0800 (China Standard Time)

That PR needs more work, so it may take some time. We could implement it here, much like we're handling purpose, and port it to use MessageVerifier support when it's available.

Tony Han · Answer 3 · Thu Aug 21 2014 13:19:57 GMT+0800 (China Standard Time)

@jeremy Good idea.I'd like to work on this cause if my purpose PR can be merged :)

Tony Han · Answer 4 · Thu Aug 21 2014 21:05:18 GMT+0800 (China Standard Time)

Besides expires_in, should we implement expires_at too?

Jeremy Daer · Answer 5 · Thu Aug 21 2014 21:17:13 GMT+0800 (China Standard Time)

👍 to expires_at, yes. But only expires_in for the global defaults 😁

Tony Han · Answer 6 · Thu Aug 21 2014 23:11:23 GMT+0800 (China Standard Time)

@jeremy But I have a question: If we accepts both expires_at and expires_in, which one should we use?

Jeremy Daer · Answer 7 · Fri Aug 22 2014 07:41:15 GMT+0800 (China Standard Time)

@tony612 Passing both... shouldn't happen. Suppose an explicit :expires_at should take precedence.

Tony Han · Answer 8 · Fri Aug 22 2014 08:29:31 GMT+0800 (China Standard Time)

@jeremy Glad to see @kaspth has done much work 👍 . I'll stop my work though I just wrote the tests yesterday.

Jeremy Daer · Answer 9 · Fri Aug 22 2014 13:15:00 GMT+0800 (China Standard Time)

@tony612 Thank you! Your review and feedback are welcome on #29 👍

Kasper Timm Hansen · Answer 10 · Fri Aug 22 2014 16:47:40 GMT+0800 (China Standard Time)

If you want, you can push those tests to a branch which I can rebase off of.
We're gonna need @jeremy to create a branch on the main repo, which you can PR against.

Kasper

Den 22/08/2014 kl. 02.29 skrev Tony Han notifications@github.com:

@jeremy Glad to see @kaspth has done much work . I'll stop my work though I just wrote the tests yesterday.

—
Reply to this email directly or view it on GitHub.

Tony Han · Answer 11 · Fri Aug 22 2014 18:45:08 GMT+0800 (China Standard Time)

@kaspth It doesn't matter, I'll review your code and give some feedback if I find something 😃

Kasper Timm Hansen · Answer 12 · Fri Aug 22 2014 18:46:11 GMT+0800 (China Standard Time)

@tony612 Sweet! ❤️

Jeremy Daer · Answer 13 · Mon Aug 25 2014 21:59:16 GMT+0800 (China Standard Time)

Implemented by @kaspth ❤️

Kasper Timm Hansen · Answer 14 · Mon Aug 25 2014 23:00:29 GMT+0800 (China Standard Time)

Sweet! Thanks, @jeremy ❤️
I'll follow the rails issue and keep giving feedback there.