Application's @message_verifier should support different digest or serializers

rubyonrails-core
1

Taken from the code: https://github.com/rails/rails/blob/main/railties/lib/rails/application.rb#L181

# Returns a message verifier object.
#
# This verifier can be used to generate and verify signed messages in the application.
#
# It is recommended not to use the same verifier for different things, so you can get different
# verifiers passing the +verifier_name+ argument.
#
# ==== Parameters
#
# * +verifier_name+ - the name of the message verifier.
#
# ==== Examples
#
#     message = Rails.application.message_verifier('sensitive_data').generate('my sensible data')
#     Rails.application.message_verifier('sensitive_data').verify(message)
#     # => 'my sensible data'
#
# See the +ActiveSupport::MessageVerifier+ documentation for more information.
def message_verifier(verifier_name)
  @message_verifiers[verifier_name] ||= begin
    secret = key_generator.generate_key(verifier_name.to_s)
    ActiveSupport::MessageVerifier.new(secret)
  end
end

Since the documentation already states it’s a good practise to use multiple verifiers, why not extend this by allowing different digest and serializers.

By adding optional arguments, this could facilitate the creation of MessageVerifiers that use a different digest or serializer.

2

@aabelmann Good suggestion! Do you have a use-case in mind?

3

@zzak A project I’m currently working on has multiple domains using a single rails instance, each domain has a different requirement for the message verifier.

4

@aabelmann Ok, I see what you mean. It looks like you can specify the digest and serializer when calling MessageVerifier.new, but it doesn’t look like the interface you showed before for Rails.application.message_verifier exposes this contract. Unless there is another way to set the verifier (or create your own) – I think this would be a good addition. I will have to look deeper into this though. :bow: