Return hash with_indifferent_access on Session::JsonSerializer

[huoxito]

We need to be able to access data, flash messages example, as both
flash[:success] and flash["success"].

Hey guys I've been trying to write a regression test for this to prove my point but couldn't so far. I'm doing something like this in dispatch/cookies_test.rb

  def test_flash_message_using_json_serializer
    @request.env["action_dispatch.session_serializer"] = :json
    get :set_flash_message
    assert_equal 'beer!', flash[:success]
    assert_equal 'beer!', flash["success"]
  end

I've been running spree build on rails edge and realized a bunch of tests failing were related to missing flash message content on the view. It took me a while to see that rails generate a session_store with serializer: :json and successfully reproduce that on a spree app itself.

This is related to b23ffd0 and fd48786. Let me know if doesn't make any sense. I can't access flash[:success] on views unless I add that call in JsonSerializer.

// @lukesarnacki @guilleiguaran was this working properly for you guys?

[chancancode]

What's the reason for changing to JSON.load? We can't use that for security reasons. If you encountered any problems with JSON.parse here, we find out what those are and fix those problems.

[huoxito]

@chancancode sorry I was doing some testing and forgot to use parse instead of load in the end. Realized that before your comment and push forced already.

[chancancode]

@huoxito 👍 I have another comment here about nested hash that got lost after the force-push. Since you mentioned problems with flash I thought that might be why.

[huoxito]

oops replied to that one here #13910 (comment)

[guilleiguaran]

@huoxito a test-case for this in the test suite would be nice :)

[lukesarnacki]

I am testing this case and actually getting same results with both Marshal and JSON. Not sure if I am missing something because I've just got up, or problem lays somewhere else.

[lukesarnacki]

@huoxito you won't be able to test flash that way. What you are doing is just assigning flash and then getting it in your view without even touching session so JsonSerializer is not used at all. I haven't looked into flash and session tests, but probably these are better places to try it (this is guess only though). I will let you know if I find anything.

[huoxito]

yeah @lukesarnacki thanks I was trying to modify this test here https://github.com/rails/rails/blob/9b2a017aa82f95911280ed597e4bf3193c9399e9/actionpack/test/dispatch/cookies_test.rb#L398-407 to create a new MessageEncryptor instance and verify the result of the decrypt_and_verify but no luck yet. Also tried to set something like request.flash. Will give it another try again later tonight.

[huoxito]

@guilleiguaran just added a test case \o/ please let me know if that doesn't make sense

🍻

[lukesarnacki]

Thanks for your work on this @huoxito :). I am wondering about design of this solution though.

Main difference between Marshal and JSON is that generating latter doesn't persist data types. So consider such code:

h  = { hodor: "HODOR"}.with_indifferent_access

JSON.parse(JSON.generate(h, quirks_mode: true), quirks_mode: true).class
# => Hash

Marshal.load(Marshal.dump(h)).class
# => ActiveSupport::HashWithIndifferentAccess

Marshal (or ActionDispatch::Session::MarshalSerializer) itself can't make flash HWIA, what it does is keeping information if flash was passed as HWIA. Since JsonSerializer can't do the same, you suggested adding HWIA on top of load method. So in that case simple JsonSerializer unit test would be enough imho. Testing FlashHash etc. would be needed if we wanted to solve this on higher level and i.e. making FlashHash with indifferent access. And for me this is actually good question - where do we want to handle this?

Since session should be simple, maybe json as default is not a problem (if at least HWIA behaviour would be there), but maybe it would be good to rethink this a little bit.

@chancancode @guilleiguaran

EDIT: Same test using Marshal also wouldn't pass, which is my concern as well (cause it seems like focusing on wrong thing). @huoxito but maybe wait for more experienced guys opinions as I am kind of rails code newbie ;).

[huoxito]

interesting @lukesarnacki thanks for pointing that out I hadn't realized it. Either way I suppose this is just a matter of where should we call with_indifferent_access? Or are we talking about drop JsonSerializer as default? First time I touched that cookie / sessions code so I'm all ears here too.

[guilleiguaran]

I would like to hear more opinions about this before of take a decision.

/cc @chancancode @rafaelfranca

[chancancode]

Update: there are some additional work to be done for the serialization, we are tacking those in #13945, this will probably be fixed as part of that work