From 1551eaab01da2b20e3f61fd4d513e7f2f9d74cc3 Mon Sep 17 00:00:00 2001
From: David Taylor
Date: Wed, 20 Apr 2022 19:15:40 +0100
Subject: [PATCH] FIX: Do not error when json-serialized cookies are used (#16522)

We intend to switch to the `:json` serializer, which will stringify all keys. However, we need a clean revert path. This commit ensures that our `_t` cookie handling works with both marshal (the current default) and json (the new default) serialization.
---
 lib/auth/default_current_user_provider.rb | 2 +-
 .../auth/default_current_user_provider_spec.rb | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/lib/auth/default_current_user_provider.rb b/lib/auth/default_current_user_provider.rb
index 31a68790eaf..8f10226254a 100644
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@@ -90,7 +90,7 @@ class Auth::DefaultCurrentUserProvider
 request = ActionDispatch::Request.new(env)
 # don't even initialize a cookie jar if we don't have a cookie at all
 if request.cookies[TOKEN_COOKIE].present?
- request.cookie_jar.encrypted[TOKEN_COOKIE]
+ request.cookie_jar.encrypted[TOKEN_COOKIE]&.with_indifferent_access
 end
 end
 end
diff --git a/spec/lib/auth/default_current_user_provider_spec.rb b/spec/lib/auth/default_current_user_provider_spec.rb
index 7fd7d4a3ca9..ef5fe47dc02 100644
--- a/spec/lib/auth/default_current_user_provider_spec.rb
+++ b/spec/lib/auth/default_current_user_provider_spec.rb
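Review bot: On the changed line in lib/auth/default_current_user_provider.rb, `&.` covers only a nil result, so a decrypted `_t` value that is not a Hash would raise NoMethodError from `with_indifferent_access` on the authentication path instead of being treated as an absent cookie. Whether a non-Hash value can reach this point is not visible here, but a type guard keeps a malformed or differently shaped cookie from turning into a server error: `cookie = request.cookie_jar.encrypted[TOKEN_COOKIE]` followed by `cookie.with_indifferent_access if cookie.is_a?(Hash)`. A short comment such as `# :json stringifies keys, :marshal keeps symbols; normalise so callers can use either` would also record why the conversion is there. The enclosing method starts above the hunk, so how callers index the result cannot be checked from here.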
@@ -738,4 +738,22 @@ describe Auth::DefaultCurrentUserProvider do
 env = { "HTTP_COOKIE" => "_t=#{cookie}", "REMOTE_ADDR" => ip }
 expect(provider('/', env).current_user).to eq(nil)
 end
+
+ it "copes with json-serialized auth cookies" do
+ # We're switching to :json during the Rails 7 upgrade, but we want a clean revert path
+ # back to Rails 6 if needed
+
+ @provider = provider('/', { # The upcoming default
+ ActionDispatch::Cookies::COOKIES_SERIALIZER => :json,
+ method: "GET",
+ })
+ @provider.log_on_user(user, {}, @provider.cookie_jar)
+ cookie = @provider.cookie_jar["_t"]
+
+ ip = "10.0.0.1"
+ env = { "HTTP_COOKIE" => "_t=#{cookie}", "REMOTE_ADDR" => ip }
+ provider2 = provider('/', env)
+ expect(provider2.current_user).to eq(user)
+ expect(provider2.cookie_jar.encrypted["_t"].keys).to include("user_id", "token") # (strings)
+ end
 end
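Review bot: The last expectation reads `provider2.cookie_jar.encrypted["_t"]` straight from the jar, so it pins the serializer's string keys but does not pass through the provider method that now calls `with_indifferent_access`; only the `current_user` expectation exercises the fix. `provider2` is also built without `ActionDispatch::Cookies::COOKIES_SERIALIZER`, which presumably makes it the revert-path reader using the current default, but that depends on the `provider` helper defined outside this hunk. A comment above `provider2 = provider('/', env)` such as `# no serializer set: the json-written cookie is read with the app default (revert path)` would make the intent explicit. A companion example asserting that `current_user` is `nil` for a json-serialized cookie whose token does not match would cover the rejection side under the new serializer as well.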