Phil Nash

Developer evangelist for Twilio and Authy. I love writing JavaScript and Ruby. console.log('🍻');

Testing Signed and Encrypted Cookies in Rails Application

Recently I’ve been refactoring the tests for a gem I maintain and I needed to test that it sets the right cookies at the right time. But the cookies in use in the gem are signed cookies and that caused a slight hiccup for me. I’d never tested the value in a signed cookie before and it wasn’t immediately obvious what to do.
So I thought I would share what I found out in case it helps.

Cookies on Rails

In Rails applications there are three flavours of cookies available:
simple session cookies, signed cookies and encrypted cookies. You can
set any of these by using the
cookies
object in a controller, like this:
class CookiesController <  ApplicationController
  def index
    cookies["simple"] = "Hello, I am easy to read."
    cookies.signed["protected"] = "Hello, I can be read, but I can't be tampered with."
    cookies.encrypted["private"] = "Hello, I can't be read or tampered with."
  end
end
Simple cookies
Simple cookies are made up of plain text. If you inspected the cookie above called “simple” in the browser you would see the text “Hello, I am easy to read.”
Simple cookies are ok for storing data that doesn’t really matter. The end user can read and change it and your application shouldn’t be affected.
Signed cookies
Signed cookies are not sent to the browser as plain text. Instead they comprise of a payload and signature separated by two dashes
--
. Before the dashes, the payload is base 64 encoded data. To read the data you can base 64 decode it. This data isn’t secret, but it can’t be tampered with because the second part of the cookie is a signature.
The signature is created by taking an
HMAC SHA1
digest of the application’s
secret_key_base
and the data in the cookie. If the contents of the cookie are changed when you try to read the cookie, the signature will no longer match the contents and Rails will return
nil
. Under the hood this is all handled by the
ActiveSupport::MessageVerifier
. As you can see above, you don’t need to worry about that, you can treat the
cookies.signed
object as if it were a hash.
Signed cookies are useful for data that can be read by the user, but you need to trust is the same when you get it back to the server again.
Encrypted cookies
Encrypted cookies take this one step further and encrypt the data in the cookie, then sign it. This is handled by the
ActiveSupport::MessageEncryptor
and means that without the
secret_key_base
you cannot read or write to this cookie. Thankfully there’s no need to worry about the encryption yourself, using the
cookies.encrypted
object you can set encrypted cookies as though they were a regular hash.
Encrypted cookies are useful for private data that you want to store with the user, but you don’t want them, or anyone, to read.

Testing cookies

Suppose we now want to test the controller we saw above. We want to
ensure that all of our cookies are set correctly. The test might look
something like this:
class CookiesControllerTest < ActionDispatch::IntegrationTest
  test "should set cookies when getting the index" do
    get root_url
    assert_response :success
    assert_equal "Hello, I am easy to read.", cookies["simple"]
    assert_equal "Hello, I can be read, but I can't be tampered with.", cookies["protected"]
    assert_equal "Hello, I can't be read or tampered with.", cookies["private"]
  end
end
Or with RSpec Rails:
RSpec.describe CookiesController, type: :request do
  it "should set cookies when getting the index" do
    get root_url
    expect(response).to have_http_status(:success)
    expect(cookies["simple"]).to eq("Hello, I am easy to read.")
    expect(cookies["protected"]).to eq("Hello, I can be read, but I can't be tampered with.")
    expect(cookies["private"]).to eq("Hello, I can't be read or tampered with.")
  end
end
But this would fail at the test for the signed cookie and wouldn’t pass for the encrypted cookie either. You can’t just call on those cookies straight out of the jar if they have been signed or encrypted.
You might think you should test against the
signed
and
encrypted
version of the cookies, like this:
    assert_equal "Hello, I can be read, but I can't be tampered with.", cookies.signed["protected"]
    assert_equal "Hello, I can't be read or tampered with.", cookies.encrypted["private"]
That doesn’t work either. At least it doesn’t work if you are using the currently recommended way of testing controllers, with
ActionDispatch::IntegrationTest
in Minitest or
type: :request
in RSpec.
If you have the older style
ActionController::TestCase
or
type: :controller
tests, then
cookies.signed
and
cookies.encrypted 
will work. If you have an application with the older style tests, do carry on reading just in case you decide to refactor them to come in line with the current Rails way.
With the tests above, the
cookies
object is actually an instance of
Rack::Test::CookieJar
, which does not have knowledge of your Rails application secrets.

So how do we test these cookies?

This is where I got to with the gem I was working on. I needed to test the result of a signed cookie, but I had a
Rack::Test::CookieJar
object. The good news is we can bring the Rails application’s own
ActionDispatch::Cookies::CookieJar
back into play to decode your signed cookies and decrypt your encrypted cookies.
To do so, you instantiate an instance of
ActionDispatch::Cookies::CookieJar 
using the
request
object from the test and a hash of your cookie data. You can then call
signed
or
encrypted
on that cookie jar.
So now the test looks like:
class CookiesControllerTest < ActionDispatch::IntegrationTest
  test "should set cookies when getting the index" do
    get root_url
    assert_response :success
    assert_equal "Hello, I am easy to read.", cookies["simple"]
    jar = ActionDispatch::Cookies::CookieJar.build(request, cookies.to_hash)
    assert_equal "Hello, I can be read, but I can't be tampered with.", jar.signed["protected"]
    assert_equal "Hello, I can't be read or tampered with.", jar.encrypted["private"]
  end
end
Or the spec would look like:
RSpec.describe CookiesController, type: :request do
  it "gets cookies from the response" do
    get root_url
    expect(response).to have_http_status(:success)
    expect(cookies["simple"]).to eq("Hello, I am easy to read.")
    jar = ActionDispatch::Cookies::CookieJar.build(request, cookies.to_hash)
    expect(jar.signed["protected"]).to eq("Hello, I can be read, but I can't be tampered with.")
    expect(jar.encrypted["private"]).to eq("Hello, I can't be read or tampered with.")
  end
end

Red, Green, Re-snack-tor

In this post we’ve seen how to test signed or encrypted cookies in Rails. Hopefully your test suite is running green and your cookies are covered now.
I’m going to get back to the refactor I was working on. There are plenty more tests to cover now that these cookies have been polished off.

Tags

Comments

More by Phil Nash

Topics of interest