Merge pull request rails#54310 from byroot/message-verifier-fallback

byroot · web-flow · commit 241e12547933 · 2025-01-21T14:18:53.000+01:00
AS::MessageVerifier#verify always accept both safe and unsafe encoding
diff --git a/activesupport/lib/active_support/message_verifier.rb b/activesupport/lib/active_support/message_verifier.rb
@@ -154,6 +154,8 @@ class InvalidSignature < StandardError; end
     #   not URL-safe. In other words, they can contain "+" and "/". If you want to
     #   generate URL-safe strings (in compliance with "Base 64 Encoding with URL
     #   and Filename Safe Alphabet" in RFC 4648), you can pass +true+.
+    #   Note that MessageVerifier will always accept both URL-safe and URL-unsafe
+    #   encoded messages, to allow a smooth transition between the two settings.
     #
     # [+:force_legacy_metadata_serializer+]
     #   Whether to use the legacy metadata serializer, which serializes the
@@ -318,6 +320,13 @@ def inspect # :nodoc:
     end
 
     private
+      def decode(encoded, url_safe: @url_safe)
+        catch :invalid_message_format do
+          return super
+        end
+        super(encoded, url_safe: !url_safe)
+      end
+
       def sign_encoded(encoded)
         digest = generate_digest(encoded)
         encoded << SEPARATOR << digest
diff --git a/activesupport/test/message_verifier_test.rb b/activesupport/test/message_verifier_test.rb
@@ -4,6 +4,7 @@
 require "openssl"
 require "active_support/time"
 require "active_support/json"
+require "active_support/core_ext/securerandom"
 require_relative "messages/message_codec_tests"
 
 class MessageVerifierTest < ActiveSupport::TestCase
@@ -81,6 +82,25 @@ def test_verify_exception_on_invalid_message
       "Unable to assert that the message payload is unpadded, because it does not require padding"
   end
 
+  test "URL-safe and URL-unsafe can decode each other messages" do
+    safe_verifier = ActiveSupport::MessageVerifier.new(@secret, url_safe: true, serializer: JSON)
+    unsafe_verifier = ActiveSupport::MessageVerifier.new(@secret, url_safe: false, serializer: JSON)
+
+    data = "??"
+
+    assert_equal safe_verifier.generate(data), safe_verifier.generate(data)
+    assert_not_equal safe_verifier.generate(data), unsafe_verifier.generate(data)
+
+    assert_equal data, unsafe_verifier.verify(safe_verifier.generate(data))
+    assert_equal data, safe_verifier.verify(unsafe_verifier.generate(data))
+
+    50.times do
+      data = SecureRandom.base58(Random.rand(10..50))
+      assert_equal data, unsafe_verifier.verify(safe_verifier.generate(data))
+      assert_equal data, safe_verifier.verify(unsafe_verifier.generate(data))
+    end
+  end
+
   def test_alternative_serialization_method
     prev = ActiveSupport.use_standard_json_time_format
     ActiveSupport.use_standard_json_time_format = true
