Revert "Merge pull request rails#42843 from buckley-w-david/message-verifier-default-serializer"

This reverts commit a40d781, reversing
changes made to ad2529b.

Author: tenderlove

activestorage/app/controllers/active_storage/disk_controller.rb

@@ -42,13 +42,11 @@ def named_disk_service(name)
     end
 
     def decode_verified_key
-      key = ActiveStorage.verifier.verified(params[:encoded_key], purpose: :blob_key)
-      key&.deep_symbolize_keys
+      ActiveStorage.verifier.verified(params[:encoded_key], purpose: :blob_key)
     end
 
     def decode_verified_token
-      token = ActiveStorage.verifier.verified(params[:encoded_token], purpose: :blob_token)
-      token&.deep_symbolize_keys
+      ActiveStorage.verifier.verified(params[:encoded_token], purpose: :blob_token)
     end
 
     def acceptable_content?(token)

activesupport/lib/active_support/message_verifier.rb

@@ -72,7 +72,7 @@ module ActiveSupport
   #
   # === Alternative serializers
   #
-  # By default MessageVerifier uses JSON to serialize the message. If you want to use
+  # By default MessageVerifier uses Marshal to serialize the message. If you want to use
   # another serialization method, you can set the serializer in the options
   # hash upon initialization:
   #
@@ -115,20 +115,11 @@ class InvalidSignature < StandardError; end
     SEPARATOR = "--" # :nodoc:
     SEPARATOR_LENGTH = SEPARATOR.length # :nodoc:
 
-    cattr_accessor :default_message_verifier_serializer, instance_accessor: false, default: :marshal
-
     def initialize(secret, digest: nil, serializer: nil)
       raise ArgumentError, "Secret should not be nil." unless secret
       @secret = secret
       @digest = digest&.to_s || "SHA1"
-      @serializer = serializer ||
-        if @@default_message_verifier_serializer.equal?(:marshal)
-          Marshal
-        elsif @@default_message_verifier_serializer.equal?(:hybrid)
-          JsonWithMarshalFallback
-        elsif @@default_message_verifier_serializer.equal?(:json)
-          JSON
-        end
+      @serializer = serializer || Marshal
     end
 
     # Checks if a signed message could have been generated by signing an object

activesupport/lib/active_support/railtie.rb

@@ -167,15 +167,6 @@ class Railtie < Rails::Railtie # :nodoc:
       end
     end
 
-    initializer "active_support.set_default_message_verifier_serializer" do |app|
-      config.after_initialize do
-        unless app.config.active_support.default_message_verifier_serializer.nil?
-          ActiveSupport::MessageVerifier.default_message_verifier_serializer =
-            app.config.active_support.default_message_verifier_serializer
-        end
-      end
-    end
-
     initializer "active_support.set_marshal_serialization" do |app|
       config.after_initialize do
         unless app.config.active_support.use_marshal_serialization.nil?

activesupport/test/message_verifier_test.rb

@@ -19,7 +19,7 @@ def load(value)
 
   def setup
     @verifier = ActiveSupport::MessageVerifier.new("Hey, I'm a secret!")
-    @data = { "some" => "data", "now" => Time.utc(2010) }
+    @data = { some: "data", now: Time.utc(2010) }
     @secret = SecureRandom.random_bytes(32)
   end
 
@@ -70,13 +70,38 @@ def test_verify_with_parse_json_times
     ActiveSupport.parse_json_times, Time.zone = previous
   end
 
+  def test_raise_error_when_argument_class_is_not_loaded
+    # To generate the valid message below:
+    #
+    #   AutoloadClass = Struct.new(:foo)
+    #   valid_message = @verifier.generate(foo: AutoloadClass.new('foo'))
+    #
+    valid_message = "BAh7BjoIZm9vbzonTWVzc2FnZVZlcmlmaWVyVGVzdDo6QXV0b2xvYWRDbGFzcwY6CUBmb29JIghmb28GOgZFVA==--f3ef39a5241c365083770566dc7a9eb5d6ace914"
+    exception = assert_raise(ArgumentError, NameError) do
+      @verifier.verified(valid_message)
+    end
+    assert_includes ["uninitialized constant MessageVerifierTest::AutoloadClass",
+                    "undefined class/module MessageVerifierTest::AutoloadClass"], exception.message
+    exception = assert_raise(ArgumentError, NameError) do
+      @verifier.verify(valid_message)
+    end
+    assert_includes ["uninitialized constant MessageVerifierTest::AutoloadClass",
+                    "undefined class/module MessageVerifierTest::AutoloadClass"], exception.message
+  end
+
   def test_raise_error_when_secret_is_nil
     exception = assert_raise(ArgumentError) do
       ActiveSupport::MessageVerifier.new(nil)
     end
     assert_equal "Secret should not be nil.", exception.message
   end
 
+  def test_backward_compatibility_messages_signed_without_metadata
+    signed_message = "BAh7BzoJc29tZUkiCWRhdGEGOgZFVDoIbm93SXU6CVRpbWUNIIAbgAAAAAAHOgtvZmZzZXRpADoJem9uZUkiCFVUQwY7BkY=--d03c52c91dfe4ccc5159417c660461bcce005e96"
+    assert_equal @data, @verifier.verify(signed_message)
+  end
+
+
   def test_rotating_secret
     old_message = ActiveSupport::MessageVerifier.new("old", digest: "SHA1").generate("old")
 
@@ -99,35 +124,6 @@ def test_multiple_rotations
     assert_equal "older", verifier.verified(older_message)
   end
 
-  def test_rotations_with_metadata
-    old_message = ActiveSupport::MessageVerifier.new("old").generate("old", purpose: :rotation)
-
-    verifier = ActiveSupport::MessageVerifier.new(@secret)
-    verifier.rotate "old"
-
-    assert_equal "old", verifier.verified(old_message, purpose: :rotation)
-  end
-end
-
-class DefaultMarshalSerializerMessageVerifierTest < MessageVerifierTest
-  def setup
-    @default_verifier = ActiveSupport::MessageVerifier.default_message_verifier_serializer
-    ActiveSupport::MessageVerifier.default_message_verifier_serializer = :marshal
-
-    @verifier = ActiveSupport::MessageVerifier.new("Hey, I'm a secret!")
-    @data = { some: "data", now: Time.utc(2010) }
-    @secret = SecureRandom.random_bytes(32)
-  end
-
-  def teardown
-    ActiveSupport::MessageVerifier.default_message_verifier_serializer = @default_verifier
-  end
-
-  def test_backward_compatibility_messages_signed_without_metadata
-    signed_message = "BAh7BzoJc29tZUkiCWRhdGEGOgZFVDoIbm93SXU6CVRpbWUNIIAbgAAAAAAHOgtvZmZzZXRpADoJem9uZUkiCFVUQwY7BkY=--d03c52c91dfe4ccc5159417c660461bcce005e96"
-    assert_equal @data, @verifier.verify(signed_message)
-  end
-
   def test_on_rotation_is_called_and_verified_returns_message
     older_message = ActiveSupport::MessageVerifier.new("older", digest: "SHA1").generate({ encoded: "message" })
 
@@ -142,127 +138,13 @@ def test_on_rotation_is_called_and_verified_returns_message
     assert rotated
   end
 
-  def test_raise_error_when_argument_class_is_not_loaded
-    # To generate the valid message below:
-    #
-    #   AutoloadClass = Struct.new(:foo)
-    #   valid_message = @verifier.generate(foo: AutoloadClass.new('foo'))
-    #
-    valid_message = "BAh7BjoIZm9vbzonTWVzc2FnZVZlcmlmaWVyVGVzdDo6QXV0b2xvYWRDbGFzcwY6CUBmb29JIghmb28GOgZFVA==--f3ef39a5241c365083770566dc7a9eb5d6ace914"
-    exception = assert_raise(ArgumentError, NameError) do
-      @verifier.verified(valid_message)
-    end
-    assert_includes ["uninitialized constant MessageVerifierTest::AutoloadClass",
-                    "undefined class/module MessageVerifierTest::AutoloadClass"], exception.message
-    exception = assert_raise(ArgumentError, NameError) do
-      @verifier.verify(valid_message)
-    end
-    assert_includes ["uninitialized constant MessageVerifierTest::AutoloadClass",
-                    "undefined class/module MessageVerifierTest::AutoloadClass"], exception.message
-  end
-end
-
-class MarshalSerializeAndFallbackMessageVerifierTest < DefaultMarshalSerializerMessageVerifierTest
-  def setup
-    @default_verifier = ActiveSupport::MessageVerifier.default_message_verifier_serializer
-    @default_use_marshal = ActiveSupport::JsonWithMarshalFallback.use_marshal_serialization
-    @default_fallback = ActiveSupport::JsonWithMarshalFallback.fallback_to_marshal_deserialization
-    ActiveSupport::MessageVerifier.default_message_verifier_serializer = :hybrid
-    ActiveSupport::JsonWithMarshalFallback.use_marshal_serialization = true
-    ActiveSupport::JsonWithMarshalFallback.fallback_to_marshal_deserialization = true
-
-    @verifier = ActiveSupport::MessageVerifier.new("Hey, I'm a secret!")
-    @data = { some: "data", now: Time.utc(2010) }
-    @secret = SecureRandom.random_bytes(32)
-  end
-
-  def teardown
-    ActiveSupport::MessageVerifier.default_message_verifier_serializer = @default_verifier
-    ActiveSupport::JsonWithMarshalFallback.use_marshal_serialization = @default_use_marshal
-    ActiveSupport::JsonWithMarshalFallback.fallback_to_marshal_deserialization = @default_fallback
-  end
-end
-
-class JsonSerializeMarshalFallbackMessageVerifierTest < MessageVerifierTest
-  def setup
-    @default_verifier = ActiveSupport::MessageVerifier.default_message_verifier_serializer
-    @default_use_marshal = ActiveSupport::JsonWithMarshalFallback.use_marshal_serialization
-    @default_fallback = ActiveSupport::JsonWithMarshalFallback.fallback_to_marshal_deserialization
-    ActiveSupport::MessageVerifier.default_message_verifier_serializer = :hybrid
-    ActiveSupport::JsonWithMarshalFallback.use_marshal_serialization = false
-    ActiveSupport::JsonWithMarshalFallback.fallback_to_marshal_deserialization = true
-
-    @verifier = ActiveSupport::MessageVerifier.new("Hey, I'm a secret!")
-    @data = { "some" => "data", "now" => Time.utc(2010) }
-    @secret = SecureRandom.random_bytes(32)
-  end
-
-  def teardown
-    ActiveSupport::MessageVerifier.default_message_verifier_serializer = @default_verifier
-    ActiveSupport::JsonWithMarshalFallback.use_marshal_serialization = @default_use_marshal
-    ActiveSupport::JsonWithMarshalFallback.fallback_to_marshal_deserialization = @default_fallback
-  end
-
-  def test_on_rotation_is_called_and_verified_returns_message
-    older_message = ActiveSupport::MessageVerifier.new("older", digest: "SHA1").generate({ encoded: "message" })
-
-    verifier = ActiveSupport::MessageVerifier.new(@secret, digest: "SHA512")
-    verifier.rotate "old",   digest: "SHA256"
-    verifier.rotate "older", digest: "SHA1"
-
-    rotated = false
-    message = verifier.verified(older_message, on_rotation: proc { rotated = true })
-
-    assert_equal({ "encoded" => "message" }, message)
-    assert rotated
-  end
-
-  def test_backward_compatibility_messages_signed_marshal_serialized
-    marshal_serialized_signed_message = "BAh7B0kiCXNvbWUGOgZFVEkiCWRhdGEGOwBUSSIIbm93BjsAVEl1OglUaW1lDSCAG8AAAAAABjoJem9uZUkiCFVUQwY7AEY=--ae7480422168507f4a8aec6b1d68bfdfd5c6ef48"
-    assert_equal @data, @verifier.verify(marshal_serialized_signed_message)
-  end
-end
-
-class JsonSerializeAndNoFallbackMessageVerifierTest < JsonSerializeMarshalFallbackMessageVerifierTest
-  def setup
-    @default_verifier = ActiveSupport::MessageVerifier.default_message_verifier_serializer
-    @default_use_marshal = ActiveSupport::JsonWithMarshalFallback.use_marshal_serialization
-    @default_fallback = ActiveSupport::JsonWithMarshalFallback.fallback_to_marshal_deserialization
-    ActiveSupport::MessageVerifier.default_message_verifier_serializer = :hybrid
-    ActiveSupport::JsonWithMarshalFallback.use_marshal_serialization = false
-    ActiveSupport::JsonWithMarshalFallback.fallback_to_marshal_deserialization = false
-
-    @verifier = ActiveSupport::MessageVerifier.new("Hey, I'm a secret!")
-    @data = { "some" => "data", "now" => Time.utc(2010) }
-    @secret = SecureRandom.random_bytes(32)
-  end
-
-  def teardown
-    ActiveSupport::MessageVerifier.default_message_verifier_serializer = @default_verifier
-    ActiveSupport::JsonWithMarshalFallback.use_marshal_serialization = @default_use_marshal
-    ActiveSupport::JsonWithMarshalFallback.fallback_to_marshal_deserialization = @default_fallback
-  end
-
-  def test_backward_compatibility_messages_signed_marshal_serialized
-    marshal_serialized_signed_message = "BAh7B0kiCXNvbWUGOgZFVEkiCWRhdGEGOwBUSSIIbm93BjsAVEl1OglUaW1lDSCAG8AAAAAABjoJem9uZUkiCFVUQwY7AEY=--ae7480422168507f4a8aec6b1d68bfdfd5c6ef48"
-    assert_raise(JSON::ParserError) do
-      @verifier.verify(marshal_serialized_signed_message)
-    end
-  end
-end
-
-class DefaultJsonSerializerMessageVerifierTest < JsonSerializeAndNoFallbackMessageVerifierTest
-  def setup
-    @default_verifier = ActiveSupport::MessageVerifier.default_message_verifier_serializer
-    ActiveSupport::MessageVerifier.default_message_verifier_serializer = :json
+  def test_rotations_with_metadata
+    old_message = ActiveSupport::MessageVerifier.new("old").generate("old", purpose: :rotation)
 
-    @verifier = ActiveSupport::MessageVerifier.new("Hey, I'm a secret!")
-    @data = { "some" => "data", "now" => Time.utc(2010) }
-    @secret = SecureRandom.random_bytes(32)
-  end
+    verifier = ActiveSupport::MessageVerifier.new(@secret)
+    verifier.rotate "old"
 
-  def teardown
-    ActiveSupport::MessageVerifier.default_message_verifier_serializer = @default_verifier
+    assert_equal "old", verifier.verified(old_message, purpose: :rotation)
   end
 end
 
@@ -317,22 +199,7 @@ def verifier_options
     end
 end
 
-class MessageVerifierMetadataJsonWithMarshalFallbackTest < MessageVerifierMetadataTest
-  private
-    def verifier_options
-      { serializer: ActiveSupport::JsonWithMarshalFallback }
-    end
-end
-
-class MessageVerifierMetadataJsonTest < MessageVerifierMetadataTest
-  private
-    def verifier_options
-      { serializer: JSON }
-    end
-end
-
-
-class MessageVerifierMetadataCustomJSONTest < MessageVerifierMetadataTest
+class MessageVerifierMetadataJSONTest < MessageVerifierMetadataTest
   private
     def verifier_options
       { serializer: MessageVerifierTest::JSONSerializer.new }

guides/source/configuring.md

@@ -63,7 +63,6 @@ Below are the default values associated with each target version. In cases of co
 - [`config.action_dispatch.default_headers`](#config-action-dispatch-default-headers): `{ "X-Frame-Options" => "SAMEORIGIN", "X-XSS-Protection" => "0", "X-Content-Type-Options" => "nosniff", "X-Permitted-Cross-Domain-Policies" => "none", "Referrer-Policy" => "strict-origin-when-cross-origin" }`
 - [`config.add_autoload_paths_to_load_path`](#config-add-autoload-paths-to-load-path): `false`
 - [`config.active_support.default_message_encryptor_serializer`](#config-active-support-default-message-encryptor-serializer): `:json`
-- [`config.active_support.default_message_verifier_serializer`](#config-active-support-default-message-verifier-serializer): `:json`
 
 #### Default Values for Target Version 7.0
 
@@ -1910,19 +1909,6 @@ Used to help migrate apps from `Marshal` to `JSON` as the default serializer for
 
 Defaults to `true`.
 
-#### `config.active_support.default_message_verifier_serializer`
-
-Specifies what serializer the `MessageVerifier` class will use by default.
-
-Options are `:json`, `:hybrid`, and `:marshal`. `:hybrid` uses the `JsonWithMarshalFallback` class.
-
-The default value depends on the `config.load_defaults` target version:
-
-| Starting with version | The default value is |
-| --------------------- | -------------------- |
-| (original)            | `:marshal`           |
-| 7.1                   | `:json`              |
-
 ### Configuring Active Job
 
 `config.active_job` provides the following configuration options: