Move Clearance to require signed cookie#6387
Pull request overview
This PR updates the app’s Clearance authentication configuration to stop supporting legacy unsigned remember_token cookies, enforcing signed cookies going forward.
Changes:
- Remove the Clearance signed-cookie migration mode by switching `config.signed_cookie` from `:migrate` to `true`.
| config.cookie_expiration = ->(_cookies) { 2.weeks.from_now.utc } | ||
| config.routes = false | ||
| config.signed_cookie = :migrate | ||
| config.signed_cookie = true |
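Review bot: with the `:migrate` line removed, a `remember_token` cookie that is still unsigned is rejected instead of being upgraded, so such a session ends at its next request rather than being transparently migrated. The description's rationale (2-week expiry, cookies re-issued 130+ times since April 2021) supports that, but nothing at the config site records it; consider a one-line comment above `config.signed_cookie = true` stating why strict mode is safe now, so a later reader does not reintroduce `:migrate` by reflex.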
PR title mentions requiring a "secure cookie", but this change actually enforces a signed remember_token cookie by removing the :migrate shim. Consider updating the title (or adding a clarifying note in the description) so it matches the behavior being changed.
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## master #6387 +/- ##
==========================================
- Coverage 97.08% 87.34% -9.74%
==========================================
Files 489 489
Lines 10392 10566 +174
==========================================
- Hits 10089 9229 -860
- Misses 303 1337 +1034
☔ View full report in Codecov by Sentry.
Remove the `:migrate` compatibility shim for signed cookies. After 4+ years and 130+ re-issuances on a 2-week expiry, no unsigned cookies remain.

Change `config.signed_cookie` from `:migrate` to `true`. The `:migrate` setting was added in April 2021 to transparently upgrade unsigned `remember_token` cookies to signed ones. With a 2-week cookie expiry, all active cookies have been re-issued over a hundred times since then; no unsigned cookies remain to migrate.
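The difference between the two settings is easiest to see with a small model of the lookup path. The Ruby below is an added illustration, not Clearance's or Rails' own code: the cookie format (`token--hexhmac`), the `RememberTokenCookie` class, the `lookup` helper, the `USERS` store and the secret are all constructed for this example. In `:migrate` mode a bare, unsigned token is still accepted and re-issued signed; with `true` only a cookie whose HMAC verifies is accepted, so a bare or tampered token yields no user.

```ruby
require 'openssl'
require 'securerandom'

# Constructed stand-in for a signed remember_token cookie. The real Rails
# signed-cookie format differs in detail; only the idea (value + HMAC) is kept.
class RememberTokenCookie
  SECRET = 'constructed-secret-for-demo-only'.freeze # Rails uses secret_key_base
  SEP = '--'.freeze

  # Sign a token: value, separator, hex HMAC-SHA256 over the value.
  def self.sign(token, secret = SECRET)
    "#{token}#{SEP}#{OpenSSL::HMAC.hexdigest('SHA256', secret, token)}"
  end

  # Verify a signed cookie. Returns the token, or nil when the signature is
  # absent or does not match (tampered value or wrong secret).
  def self.verify(cookie, secret = SECRET)
    return nil if cookie.nil?
    idx = cookie.rindex(SEP)
    return nil if idx.nil?
    token = cookie[0...idx]
    digest = cookie[(idx + SEP.length)..]
    expected = OpenSSL::HMAC.hexdigest('SHA256', secret, token)
    secure_equal?(expected, digest) ? token : nil
  end

  # Constant-time comparison so digest checking does not leak via timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed user store keyed by remember_token.
USERS = { 'tok_alice_123' => 'alice', 'tok_bob_456' => 'bob' }.freeze

# Models config.signed_cookie = :migrate versus config.signed_cookie = true.
# Returns [user, reissued_cookie]; reissued_cookie is set only when a legacy
# unsigned cookie was accepted and must be written back signed.
def lookup(cookie, mode:)
  token = RememberTokenCookie.verify(cookie)
  return [USERS[token], nil] if token # a valid signed cookie works in both modes

  case mode
  when :migrate
    # Legacy path: treat the raw cookie as an unsigned token, upgrade on success.
    user = USERS[cookie]
    user ? [user, RememberTokenCookie.sign(cookie)] : [nil, nil]
  when true
    [nil, nil] # strict: unsigned or tampered cookies are rejected outright
  else
    raise ArgumentError, "unknown signed_cookie mode: #{mode.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  bare = 'tok_alice_123'
  signed = RememberTokenCookie.sign(bare)
  puts "signed cookie, strict mode:   #{lookup(signed, mode: true).first.inspect}"
  puts "bare token,    migrate mode:  #{lookup(bare, mode: :migrate).first.inspect} (re-issued signed)"
  puts "bare token,    strict mode:   #{lookup(bare, mode: true).first.inspect}"
  puts "tampered,      migrate mode:  #{lookup(signed.sub('alice', 'bob'), mode: :migrate).first.inspect}"
end
```

The bare-token case is the one the PR closes: under `:migrate`, knowing a user's raw token is enough to be logged in as them, because the server accepts it and then signs it on the user's behalf; under `true` the same value is worthless without the HMAC, which only the server can produce.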