From f52a24ecc2e97908b7d8e8c73835fc273de83c36 Mon Sep 17 00:00:00 2001
From: Aga Dufrat
Date: Mon, 18 Jul 2022 16:59:39 +0100
Subject: [PATCH] Rotate SHA1 encrypted cookies to SHA256
---
 config/application.rb | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/config/application.rb b/config/application.rb
index 45c2dcaf4..53832619e 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -131,5 +131,22 @@ class Application < Rails::Application
 # Do not swallow errors in after_commit/after_rollback callbacks.
 # config.active_record.raise_in_transactional_callbacks = true
+
+ # Rotate SHA1 cookies to SHA256 (the new Rails 7 default)
+ # TODO: Remove this after existing user sessions have been rotated
+ # https://guides.rubyonrails.org/v7.0/upgrading_ruby_on_rails.html#key-generator-digest-class-changing-to-use-sha256
+ Rails.application.config.action_dispatch.cookies_rotations.tap do |cookies|
+ salt = Rails.application.config.action_dispatch.authenticated_encrypted_cookie_salt
+ secret_key_base = Rails.application.secrets.secret_key_base
+ next if secret_key_base.blank?
+
+ key_generator = ActiveSupport::KeyGenerator.new(
+ secret_key_base, iterations: 1000, hash_digest_class: OpenSSL::Digest::SHA1
+ )
+ key_len = ActiveSupport::MessageEncryptor.key_len
+ secret = key_generator.generate_key(salt, key_len)
+
+ cookies.rotate :encrypted, secret
+ end
 end
 end
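Review bot: The `next if secret_key_base.blank?` guard silently disables the rotation whenever `Rails.application.secrets.secret_key_base` is empty, which as I read Rails 7 is the case when the key is supplied through `SECRET_KEY_BASE` or `credentials` rather than `secrets.yml`; the upgrade would then invalidate every existing session with no log line or error, the exact outcome this patch exists to prevent. The guide linked in the comment reads `Rails.application.secret_key_base` (which resolves ENV, credentials and secrets in that order and raises when none is set) and registers the rotation inside `after_initialize`, so the salt and key are final when read; evaluating them at class-body time in `config/application.rb`, as the hunk does, runs before `config/environments/*` and the initializers and memoizes `secrets` early. If the app also issues signed cookies (remember-me tokens and the like), they need a matching `cookies.rotate :signed, …` derived from `signed_cookie_salt`, since only `:encrypted` is rotated here. The `class Application` body that encloses this block starts outside the hunk.

```ruby
    # Rotate SHA1 cookies to SHA256 (the new Rails 7 default)
    # … unchanged: TODO and guide link …
    config.after_initialize do
      Rails.application.config.action_dispatch.cookies_rotations.tap do |cookies|
        encrypted_salt = Rails.application.config.action_dispatch.authenticated_encrypted_cookie_salt
        signed_salt = Rails.application.config.action_dispatch.signed_cookie_salt
        # Unlike Rails.application.secrets.secret_key_base this also resolves
        # ENV["SECRET_KEY_BASE"] and credentials, so the rotation is never skipped.
        secret_key_base = Rails.application.secret_key_base

        # … unchanged: KeyGenerator with SHA1 / iterations: 1000, and key_len …

        cookies.rotate :encrypted, key_generator.generate_key(encrypted_salt, key_len)
        cookies.rotate :signed, key_generator.generate_key(signed_salt)
      end
    end
```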