
Encrypt and sign cookies in the CookieJar.#2026

Merged
jwoertink merged 2 commits into main from cookie_jar_bugs
Apr 5, 2026

Conversation

@jwoertink
Member

Purpose

Fixes #2025

Description

Warning

This is a breaking change because any cookies out there that were encrypted before this change won't decrypt properly.

I've seen this flaky spec pop up a few times in the past, but it's pretty rare... In fact, it's a 1/256 chance rare lol. This appears to be an oversight that's just never been caught. We've been missing the whole verification part of the encryption.

I'd like to get your opinion on this, @akadusei if you get some time

Checklist

- An issue already exists detailing the issue/or feature request that this PR fixes
- All specs are formatted with crystal tool format spec src
- Inline documentation has been added and/or updated
- Lucky builds on docker with ./script/setup
- All builds and specs pass on docker with ./script/test

@jwoertink jwoertink added the BREAKING CHANGE This will cause a breaking change label Apr 3, 2026

Copilot AI left a comment


Pull request overview

This pull request updates Lucky’s cookie encryption to include signature verification during decryption, addressing the rare (≈1/256) flaky failure caused by unauthenticated CBC decryption accepting random valid padding (Issue #2025).

Changes:

  • Switch Lucky::CookieJar to encrypt cookies via MessageEncryptor#encrypt_and_sign and decrypt via #verify_and_decrypt.
  • Add a legacy fallback path intended to support pre-signature (unsigned) cookies.
  • Update padding-oracle reference links in MessageEncryptor documentation.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File                                    Description
src/lucky/support/message_encryptor.cr  Documentation reference update for padding oracle attacks.
src/lucky/cookies/cookie_jar.cr         Moves cookie encryption to "encrypt + HMAC sign" format, and attempts to support legacy unsigned cookies during decryption.
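The ≈1/256 figure in the review overview follows directly from PKCS#7 padding: when CBC decryption runs a blob that was not produced under the current key (a stale cookie, a garbage value), the plaintext it produces is effectively uniform random bytes, and the padding check alone accepts a random final block whenever its last byte happens to be 0x01 (plus smaller terms for 0x02 0x02, and so on). The example below is added here to make that concrete; it is not Lucky's code and not the MessageEncryptor API. It is standard-library Python rather than Crystal, models the CBC-decrypt output as random bytes instead of running a real block cipher, and uses constructed names (`pkcs7_unpad`, `sign`, `verify`, the fraction helpers) and a constructed demo key. The second half shows the fix the PR adopts: verify an HMAC tag over the ciphertext before any decryption or unpadding happens, so the padding check is never reached for a blob the server did not produce.

```python
import hashlib
import hmac
import random

BLOCK = 16      # AES block size in bytes
TAG_LEN = 32    # HMAC-SHA256 tag length in bytes


def pkcs7_unpad(data: bytes):
    """Strict PKCS#7 unpadding. Returns the plaintext, or None when the padding is malformed."""
    if not data or len(data) % BLOCK != 0:
        return None
    n = data[-1]
    if n < 1 or n > BLOCK:
        return None
    if data[-n:] != bytes([n]) * n:
        return None
    return data[:-n]


def fraction_accepted_without_mac(trials: int, seed: int = 1) -> float:
    """Model of unauthenticated CBC decryption: decrypting a blob made under a different
    key yields bytes indistinguishable from random, so only the padding check decides
    whether 'decryption' succeeds. The last byte is 0x01 with probability 1/256, so the
    acceptance rate lands near 0.0039 (1/256 plus the 0x02 0x02, 0x03 0x03 0x03, ... terms)."""
    rng = random.Random(seed)  # seeded so the simulation is repeatable
    accepted = sum(1 for _ in range(trials) if pkcs7_unpad(rng.randbytes(BLOCK)) is not None)
    return accepted / trials


def sign(key: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: append an HMAC-SHA256 tag computed over the ciphertext."""
    return ciphertext + hmac.new(key, ciphertext, hashlib.sha256).digest()


def verify(key: bytes, blob: bytes):
    """Check the tag before anything is decrypted or unpadded.
    Returns the ciphertext, or None if the tag is missing or does not match."""
    if len(blob) < TAG_LEN:
        return None
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return ciphertext


def fraction_accepted_with_mac(key: bytes, trials: int, seed: int = 1) -> float:
    """Same experiment with verify-then-decrypt: a random blob must carry a matching
    32-byte tag before the padding check is ever reached, which happens with
    probability 2**-256, i.e. never in practice."""
    rng = random.Random(seed)
    accepted = sum(
        1 for _ in range(trials) if verify(key, rng.randbytes(BLOCK + TAG_LEN)) is not None
    )
    return accepted / trials


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"  # constructed sample key
    print("unauthenticated CBC accepts random blobs:", fraction_accepted_without_mac(100_000))
    print("verify-then-decrypt accepts random blobs:", fraction_accepted_with_mac(key, 100_000))
    blob = sign(key, b"opaque-ciphertext-bytes")  # constructed stand-in for real ciphertext
    print("intact blob verifies:", verify(key, blob) is not None)
    tampered = bytes([blob[0] ^ 1]) + blob[1:]
    print("bit-flipped blob verifies:", verify(key, tampered) is not None)
```

Run it and the first line prints a value near 0.0039, which is exactly the "1/256 chance" flakiness described in the PR: a spec that feeds the jar a cookie encrypted under another key gets a clean decrypt about once in every 256 runs. The second line prints 0.0, because the tag check rejects everything the server did not sign; note that `verify` is also what closes the padding-oracle window the MessageEncryptor docs reference, since an attacker-modified ciphertext never reaches the padding check at all.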


…ce the previous version was technically a vulnerability. Applying some suggestions
@jwoertink jwoertink merged commit 1399ce0 into main Apr 5, 2026
8 of 9 checks passed
@jwoertink jwoertink deleted the cookie_jar_bugs branch April 5, 2026 21:07

Development

Successfully merging this pull request may close these issues.

CookieJar spec randomly fails