Testing Signed and Encrypted Cookies in Rails Application

Written by philnash | Published 2020/01/21
Tech Story Tags: ruby | ruby-on-rails | programming | cookies | mvc | cryptography | encoding | software-development | web-monetization

TLDR There are three flavours of cookies available: simple session cookies, signed cookies and encrypted cookies. Signed cookies are not sent to the browser as plain text. Encrypted cookies take this one step further and encrypt the data in the cookie, then sign it. You can't just call on cookies straight out of the jar if they have been signed or encrypted. The good news is we can bring the application’s own tests into play to test the result of a signed cookie, but I had a problem with the Ruby gem I was working on.via the TL;DR App
Recently I’ve been refactoring the tests for a gem I maintain and I needed to test that it sets the right cookies at the right time. But the cookies in use in the gem are signed cookies and that caused a slight hiccup for me. I’d never tested the value in a signed cookie before and it wasn’t immediately obvious what to do.
So I thought I would share what I found out in case it helps.

Cookies on Rails

In Rails applications there are three flavours of cookies available:
simple session cookies, signed cookies and encrypted cookies. You can
set any of these by using the 
cookies
object in a controller, like this:
class CookiesController <  ApplicationController
  def index
    cookies["simple"] = "Hello, I am easy to read."
    cookies.signed["protected"] = "Hello, I can be read, but I can't be tampered with."
    cookies.encrypted["private"] = "Hello, I can't be read or tampered with."
  end
end
Simple cookies
Simple cookies are made up of plain text. If you inspected the cookie above called “simple” in the browser you would see the text “Hello, I am easy to read.”
Simple cookies are ok for storing data that doesn’t really matter. The end user can read and change it and your application shouldn’t be affected.
Signed cookies
Signed cookies are not sent to the browser as plain text. Instead they comprise of a payload and signature separated by two dashes 
--
. Before the dashes, the payload is base 64 encoded data. To read the data you can base 64 decode it. This data isn’t secret, but it can’t be tampered with because the second part of the cookie is a signature.
The signature is created by taking an 
HMAC SHA1
digest of the application’s 
secret_key_base
and the data in the cookie. If the contents of the cookie are changed when you try to read the cookie, the signature will no longer match the contents and Rails will return 
nil
. Under the hood this is all handled by the 
ActiveSupport::MessageVerifier
. As you can see above, you don’t need to worry about that, you can treat the 
cookies.signed
object as if it were a hash.
Signed cookies are useful for data that can be read by the user, but you need to trust is the same when you get it back to the server again.
Encrypted cookies
Encrypted cookies take this one step further and encrypt the data in the cookie, then sign it. This is handled by the 
ActiveSupport::MessageEncryptor
 and means that without the 
secret_key_base
you cannot read or write to this cookie. Thankfully there’s no need to worry about the encryption yourself, using the 
cookies.encrypted
object you can set encrypted cookies as though they were a regular hash.
Encrypted cookies are useful for private data that you want to store with the user, but you don’t want them, or anyone, to read.

Testing cookies

Suppose we now want to test the controller we saw above. We want to
ensure that all of our cookies are set correctly. The test might look
something like this:
class CookiesControllerTest < ActionDispatch::IntegrationTest
  test "should set cookies when getting the index" do
    get root_url
    assert_response :success
    assert_equal "Hello, I am easy to read.", cookies["simple"]
    assert_equal "Hello, I can be read, but I can't be tampered with.", cookies["protected"]
    assert_equal "Hello, I can't be read or tampered with.", cookies["private"]
  end
end
Or with RSpec Rails:
RSpec.describe CookiesController, type: :request do
  it "should set cookies when getting the index" do
    get root_url
    expect(response).to have_http_status(:success)
    expect(cookies["simple"]).to eq("Hello, I am easy to read.")
    expect(cookies["protected"]).to eq("Hello, I can be read, but I can't be tampered with.")
    expect(cookies["private"]).to eq("Hello, I can't be read or tampered with.")
  end
end
But this would fail at the test for the signed cookie and wouldn’t pass for the encrypted cookie either. You can’t just call on those cookies straight out of the jar if they have been signed or encrypted.
You might think you should test against the 
signed
and 
encrypted
version of the cookies, like this:
    assert_equal "Hello, I can be read, but I can't be tampered with.", cookies.signed["protected"]
    assert_equal "Hello, I can't be read or tampered with.", cookies.encrypted["private"]
That doesn’t work either. At least it doesn’t work if you are using the currently recommended way of testing controllers, with 
ActionDispatch::IntegrationTest
in Minitest or 
type: :request
in RSpec.
If you have the older style 
ActionController::TestCase
or 
type: :controller
tests, then 
cookies.signed
and 
cookies.encrypted
will work. If you have an application with the older style tests, do carry on reading just in case you decide to refactor them to come in line with the current Rails way.
With the tests above, the 
cookies
object is actually an instance of 
Rack::Test::CookieJar
, which does not have knowledge of your Rails application secrets.

So how do we test these cookies?

This is where I got to with the gem I was working on. I needed to test the result of a signed cookie, but I had a 
Rack::Test::CookieJar
object. The good news is we can bring the Rails application’s own 
ActionDispatch::Cookies::CookieJar
back into play to decode your signed cookies and decrypt your encrypted cookies.
To do so, you instantiate an instance of 
ActionDispatch::Cookies::CookieJar
using the 
request
object from the test and a hash of your cookie data. You can then call 
signed
or 
encrypted
on that cookie jar.
So now the test looks like:
class CookiesControllerTest < ActionDispatch::IntegrationTest
  test "should set cookies when getting the index" do
    get root_url
    assert_response :success
    assert_equal "Hello, I am easy to read.", cookies["simple"]
    jar = ActionDispatch::Cookies::CookieJar.build(request, cookies.to_hash)
    assert_equal "Hello, I can be read, but I can't be tampered with.", jar.signed["protected"]
    assert_equal "Hello, I can't be read or tampered with.", jar.encrypted["private"]
  end
end
Or the spec would look like:
RSpec.describe CookiesController, type: :request do
  it "gets cookies from the response" do
    get root_url
    expect(response).to have_http_status(:success)
    expect(cookies["simple"]).to eq("Hello, I am easy to read.")
    jar = ActionDispatch::Cookies::CookieJar.build(request, cookies.to_hash)
    expect(jar.signed["protected"]).to eq("Hello, I can be read, but I can't be tampered with.")
    expect(jar.encrypted["private"]).to eq("Hello, I can't be read or tampered with.")
  end
end

Red, Green, Re-snack-tor

In this post we’ve seen how to test signed or encrypted cookies in Rails. Hopefully your test suite is running green and your cookies are covered now.
I’m going to get back to the refactor I was working on. There are plenty more tests to cover now that these cookies have been polished off.
Written by philnash | 🥑 Developer relations engineer at @DataStax | 🎤 speaker | 📝 writer | 🌭 sausage dog owner | he/him
Published by HackerNoon on 2020/01/21
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy