Rotate SHA1 encrypted cookies to SHA256

alphagov · Jul 19, 2022 · f52a24e · f52a24e
1 parent 758e7fb
commit f52a24e
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/config/application.rb b/config/application.rb
@@ -131,5 +131,22 @@ class Application < Rails::Application
 
     # Do not swallow errors in after_commit/after_rollback callbacks.
     # config.active_record.raise_in_transactional_callbacks = true
+
+    # Rotate SHA1 cookies to SHA256 (the new Rails 7 default)
+    # TODO: Remove this after existing user sessions have been rotated
+    # https://guides.rubyonrails.org/v7.0/upgrading_ruby_on_rails.html#key-generator-digest-class-changing-to-use-sha256
+    Rails.application.config.action_dispatch.cookies_rotations.tap do |cookies|
+      salt = Rails.application.config.action_dispatch.authenticated_encrypted_cookie_salt
+      secret_key_base = Rails.application.secrets.secret_key_base
+      next if secret_key_base.blank?
+
+      key_generator = ActiveSupport::KeyGenerator.new(
+        secret_key_base, iterations: 1000, hash_digest_class: OpenSSL::Digest::SHA1
+      )
+      key_len = ActiveSupport::MessageEncryptor.key_len
+      secret = key_generator.generate_key(salt, key_len)
+
+      cookies.rotate :encrypted, secret
+    end
   end
 end