actionpack 3.0.0.beta3 → 3.0.0.beta4

data/lib/action_dispatch/http/response.rb

@@ -1,6 +1,7 @@
 require 'digest/md5'
 require 'active_support/core_ext/module/delegation'
 require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/class/attribute_accessors'
 
 module ActionDispatch # :nodoc:
   # Represents an HTTP response generated by a controller action. One can use
@@ -139,7 +140,7 @@ module ActionDispatch # :nodoc:
     def to_a
       assign_default_content_type_and_charset!
       handle_conditional_get!
-      self["Set-Cookie"] = @cookie.join("\n") unless @cookie.blank?
+      self["Set-Cookie"] = self["Set-Cookie"].join("\n") if self["Set-Cookie"].respond_to?(:join)
       self["ETag"]       = @_etag if @_etag
       super
     end
@@ -169,7 +170,7 @@ module ActionDispatch # :nodoc:
     #   assert_equal 'AuthorOfNewPage', r.cookies['author']
     def cookies
       cookies = {}
-      if header = @cookie
+      if header = self["Set-Cookie"]
         header = header.split("\n") if header.respond_to?(:to_str)
         header.each do |cookie|
           if pair = cookie.split(';').first
@@ -181,37 +182,6 @@ module ActionDispatch # :nodoc:
       cookies
     end
 
-    def set_cookie(key, value)
-      case value
-      when Hash
-        domain  = "; domain="  + value[:domain]    if value[:domain]
-        path    = "; path="    + value[:path]      if value[:path]
-        # According to RFC 2109, we need dashes here.
-        # N.B.: cgi.rb uses spaces...
-        expires = "; expires=" + value[:expires].clone.gmtime.
-          strftime("%a, %d-%b-%Y %H:%M:%S GMT")    if value[:expires]
-        secure = "; secure"  if value[:secure]
-        httponly = "; HttpOnly" if value[:httponly]
-        value = value[:value]
-      end
-      value = [value]  unless Array === value
-      cookie = Rack::Utils.escape(key) + "=" +
-        value.map { |v| Rack::Utils.escape v }.join("&") +
-        "#{domain}#{path}#{expires}#{secure}#{httponly}"
-
-      @cookie << cookie
-    end
-
-    def delete_cookie(key, value={})
-      @cookie.reject! { |cookie|
-        cookie =~ /\A#{Rack::Utils.escape(key)}=/
-      }
-
-      set_cookie(key,
-                 {:value => '', :path => nil, :domain => nil,
-                   :expires => Time.at(0) }.merge(value))
-    end
-
     private
       def assign_default_content_type_and_charset!
         return if headers[CONTENT_TYPE].present?

data/lib/action_dispatch/middleware/cookies.rb

@@ -52,9 +52,15 @@ module ActionDispatch
   # * <tt>:httponly</tt> - Whether this cookie is accessible via scripting or
   #   only HTTP. Defaults to +false+.
   class Cookies
+    HTTP_HEADER = "Set-Cookie".freeze
+    TOKEN_KEY   = "action_dispatch.secret_token".freeze
+
+    # Raised when storing more than 4K of session data.
+    class CookieOverflow < StandardError; end
+
     class CookieJar < Hash #:nodoc:
       def self.build(request)
-        secret = request.env["action_dispatch.secret_token"]
+        secret = request.env[TOKEN_KEY]
         new(secret).tap do |hash|
           hash.update(request.cookies)
         end
@@ -134,9 +140,9 @@ module ActionDispatch
         @signed ||= SignedCookieJar.new(self, @secret)
       end
 
-      def write(response)
-        @set_cookies.each { |k, v| response.set_cookie(k, v) }
-        @delete_cookies.each { |k, v| response.delete_cookie(k, v) }
+      def write(headers)
+        @set_cookies.each { |k, v| ::Rack::Utils.set_cookie_header!(headers, k, v) }
+        @delete_cookies.each { |k, v| ::Rack::Utils.delete_cookie_header!(headers, k, v) }
       end
     end
 
@@ -166,8 +172,11 @@ module ActionDispatch
     end
 
     class SignedCookieJar < CookieJar #:nodoc:
+      MAX_COOKIE_SIZE = 4096 # Cookies can typically store 4096 bytes.
+      SECRET_MIN_LENGTH = 30 # Characters
+
       def initialize(parent_jar, secret)
-        raise "You must set config.secret_token in your app's config" if secret.blank?
+        ensure_secret_secure(secret)
         @parent_jar = parent_jar
         @verifier   = ActiveSupport::MessageVerifier.new(secret)
       end
@@ -176,6 +185,8 @@ module ActionDispatch
         if signed_message = @parent_jar[name]
           @verifier.verify(signed_message)
         end
+      rescue ActiveSupport::MessageVerifier::InvalidSignature
+        nil
       end
 
       def []=(key, options)
@@ -186,12 +197,34 @@ module ActionDispatch
           options = { :value => @verifier.generate(options) }
         end
 
+        raise CookieOverflow if options[:value].size > MAX_COOKIE_SIZE
         @parent_jar[key] = options
       end
 
       def method_missing(method, *arguments, &block)
         @parent_jar.send(method, *arguments, &block)
       end
+
+    protected
+
+      # To prevent users from using something insecure like "Password" we make sure that the
+      # secret they've provided is at least 30 characters in length.
+      def ensure_secret_secure(secret)
+        if secret.blank?
+          raise ArgumentError, "A secret is required to generate an " +
+            "integrity hash for cookie session data. Use " +
+            "config.secret_token = \"some secret phrase of at " +
+            "least #{SECRET_MIN_LENGTH} characters\"" +
+            "in config/application.rb"
+        end
+
+        if secret.length < SECRET_MIN_LENGTH
+          raise ArgumentError, "Secret should be something secure, " +
+            "like \"#{ActiveSupport::SecureRandom.hex(16)}\".  The value you " +
+            "provided, \"#{secret}\", is shorter than the minimum length " +
+            "of #{SECRET_MIN_LENGTH} characters"
+        end
+      end
     end
 
     def initialize(app)
@@ -202,12 +235,13 @@ module ActionDispatch
       status, headers, body = @app.call(env)
 
       if cookie_jar = env['action_dispatch.cookies']
-        response = Rack::Response.new(body, status, headers)
-        cookie_jar.write(response)
-        response.to_a
-      else
-        [status, headers, body]
+        cookie_jar.write(headers)
+        if headers[HTTP_HEADER].respond_to?(:join)
+          headers[HTTP_HEADER] = headers[HTTP_HEADER].join("\n")
+        end
       end
+
+      [status, headers, body]
     end
   end
 end

data/lib/action_dispatch/middleware/flash.rb

@@ -49,6 +49,16 @@ module ActionDispatch
       def [](k)
         @flash[k]
       end
+
+      # Convenience accessor for flash.now[:alert]=
+      def alert=(message)
+        self[:alert] = message
+      end
+
+      # Convenience accessor for flash.now[:notice]=
+      def notice=(message)
+        self[:notice] = message
+      end
     end
 
     class FlashHash < Hash
@@ -166,7 +176,7 @@ module ActionDispatch
 
       @app.call(env)
     ensure
-      if (session = env['rack.session']) && (flash = session['flash']) && flash.empty?
+      if (session = env['rack.session']) && session.key?('flash') && session['flash'].empty?
         session.delete('flash')
       end
     end

data/lib/action_dispatch/middleware/params_parser.rb

@@ -1,4 +1,6 @@
+require 'active_support/core_ext/hash/conversions'
 require 'action_dispatch/http/request'
+require 'active_support/core_ext/hash/indifferent_access'
 
 module ActionDispatch
   class ParamsParser
@@ -36,7 +38,7 @@ module ActionDispatch
         when Proc
           strategy.call(request.raw_post)
         when :xml_simple, :xml_node
-          data = Hash.from_xml(request.body) || {}
+          data = Hash.from_xml(request.body.read) || {}
           request.body.rewind if request.body.respond_to?(:rewind)
           data.with_indifferent_access
         when :yaml

data/lib/action_dispatch/middleware/session/abstract_store.rb

@@ -1,5 +1,6 @@
 require 'rack/utils'
 require 'rack/request'
+require 'action_dispatch/middleware/cookies'
 require 'active_support/core_ext/object/blank'
 
 module ActionDispatch
@@ -11,9 +12,6 @@ module ActionDispatch
       ENV_SESSION_KEY = 'rack.session'.freeze
       ENV_SESSION_OPTIONS_KEY = 'rack.session.options'.freeze
 
-      HTTP_COOKIE = 'HTTP_COOKIE'.freeze
-      SET_COOKIE = 'Set-Cookie'.freeze
-
       class SessionHash < Hash
         def initialize(by, env)
           super()
@@ -22,13 +20,6 @@ module ActionDispatch
           @loaded = false
         end
 
-        def session_id
-          ActiveSupport::Deprecation.warn(
-            "ActionDispatch::Session::AbstractStore::SessionHash#session_id " +
-            "has been deprecated. Please use request.session_options[:id] instead.", caller)
-          @env[ENV_SESSION_OPTIONS_KEY][:id]
-        end
-
         def [](key)
           load! unless @loaded
           super(key.to_s)
@@ -45,35 +36,14 @@ module ActionDispatch
           h
         end
 
-        def update(hash = nil)
-          if hash.nil?
-            ActiveSupport::Deprecation.warn('use replace instead', caller)
-            replace({})
-          else
-            load! unless @loaded
-            super(hash.stringify_keys)
-          end
-        end
-
-        def delete(key = nil)
-          if key.nil?
-            ActiveSupport::Deprecation.warn('use clear instead', caller)
-            clear
-          else
-            load! unless @loaded
-            super(key.to_s)
-          end
-        end
-
-        def data
-         ActiveSupport::Deprecation.warn(
-           "ActionDispatch::Session::AbstractStore::SessionHash#data " +
-           "has been deprecated. Please use #to_hash instead.", caller)
-          to_hash
+        def update(hash)
+          load! unless @loaded
+          super(hash.stringify_keys)
         end
 
-        def close
-          ActiveSupport::Deprecation.warn('sessions should no longer be closed', caller)
+        def delete(key)
+          load! unless @loaded
+          super(key.to_s)
         end
 
         def inspect
@@ -81,11 +51,11 @@ module ActionDispatch
           super
         end
 
-        private
-          def loaded?
-            @loaded
-          end
+        def loaded?
+          @loaded
+        end
 
+        private
           def load!
             stale_session_check! do
               id, session = @by.send(:load_session, @env)
@@ -124,30 +94,15 @@ module ActionDispatch
       }
 
       def initialize(app, options = {})
-        # Process legacy CGI options
-        options = options.symbolize_keys
-        if options.has_key?(:session_path)
-          options[:path] = options.delete(:session_path)
-        end
-        if options.has_key?(:session_key)
-          options[:key] = options.delete(:session_key)
-        end
-        if options.has_key?(:session_http_only)
-          options[:httponly] = options.delete(:session_http_only)
-        end
-
         @app = app
         @default_options = DEFAULT_OPTIONS.merge(options)
-        @key = @default_options[:key]
-        @cookie_only = @default_options[:cookie_only]
+        @key = @default_options.delete(:key).freeze
+        @cookie_only = @default_options.delete(:cookie_only)
+        ensure_session_key!
       end
 
       def call(env)
-        session = SessionHash.new(self, env)
-
-        env[ENV_SESSION_KEY] = session
-        env[ENV_SESSION_OPTIONS_KEY] = @default_options.dup
-
+        prepare!(env)
         response = @app.call(env)
 
         session_data = env[ENV_SESSION_KEY]
@@ -157,53 +112,62 @@ module ActionDispatch
           session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.send(:loaded?)
 
           sid = options[:id] || generate_sid
+          session_data = session_data.to_hash
 
-          unless set_session(env, sid, session_data.to_hash)
-            return response
-          end
+          value = set_session(env, sid, session_data)
+          return response unless value
 
-          cookie = Rack::Utils.escape(@key) + '=' + Rack::Utils.escape(sid)
-          cookie << "; domain=#{options[:domain]}" if options[:domain]
-          cookie << "; path=#{options[:path]}" if options[:path]
-          if options[:expire_after]
-            expiry = Time.now + options[:expire_after]
-            cookie << "; expires=#{expiry.httpdate}"
-          end
-          cookie << "; Secure" if options[:secure]
-          cookie << "; HttpOnly" if options[:httponly]
-
-          headers = response[1]
-          unless headers[SET_COOKIE].blank?
-            headers[SET_COOKIE] << "\n#{cookie}"
-          else
-            headers[SET_COOKIE] = cookie
+          cookie = { :value => value }
+          unless options[:expire_after].nil?
+            cookie[:expires] = Time.now + options.delete(:expire_after)
           end
+
+          request = ActionDispatch::Request.new(env)
+          set_cookie(request, cookie.merge!(options))
         end
 
         response
       end
 
       private
+
+        def prepare!(env)
+          env[ENV_SESSION_KEY] = SessionHash.new(self, env)
+          env[ENV_SESSION_OPTIONS_KEY] = @default_options.dup
+        end
+
         def generate_sid
           ActiveSupport::SecureRandom.hex(16)
         end
 
+        def set_cookie(request, options)
+          request.cookie_jar[@key] = options
+        end
+
         def load_session(env)
           request = Rack::Request.new(env)
-          sid = request.cookies[@key]
-          unless @cookie_only
-            sid ||= request.params[@key]
-          end
+          sid   = request.cookies[@key]
+          sid ||= request.params[@key] unless @cookie_only
           sid, session = get_session(env, sid)
           [sid, session]
         end
 
+        def ensure_session_key!
+          if @key.blank?
+            raise ArgumentError, 'A key is required to write a ' +
+              'cookie containing the session data. Use ' +
+              'config.session_store SESSION_STORE, { :key => ' +
+              '"_myapp_session" } in config/application.rb'
+          end
+        end
+
         def get_session(env, sid)
           raise '#get_session needs to be implemented.'
         end
 
         def set_session(env, sid, session_data)
-          raise '#set_session needs to be implemented.'
+          raise '#set_session needs to be implemented and should return ' <<
+            'the value to be stored in the cookie (usually the sid)'
         end
     end
   end

data/lib/action_dispatch/middleware/session/cookie_store.rb

@@ -38,23 +38,11 @@ module ActionDispatch
     # "rake secret" and set the key in config/environment.rb.
     #
     # Note that changing digest or secret invalidates all existing sessions!
-    class CookieStore
-      # Cookies can typically store 4096 bytes.
-      MAX = 4096
-      SECRET_MIN_LENGTH = 30 # characters
-
-      DEFAULT_OPTIONS = {
-        :key          => '_session_id',
-        :domain       => nil,
-        :path         => "/",
-        :expire_after => nil,
-        :httponly     => true
-      }.freeze
-
+    class CookieStore < AbstractStore
       class OptionsHash < Hash
         def initialize(by, env, default_options)
-          @session_data = env[CookieStore::ENV_SESSION_KEY]
-          default_options.each { |key, value| self[key] = value }
+          @session_data = env[AbstractStore::ENV_SESSION_KEY]
+          merge!(default_options)
         end
 
         def [](key)
@@ -62,172 +50,38 @@ module ActionDispatch
         end
       end
 
-      ENV_SESSION_KEY = "rack.session".freeze
-      ENV_SESSION_OPTIONS_KEY = "rack.session.options".freeze
-      HTTP_SET_COOKIE = "Set-Cookie".freeze
-
-      # Raised when storing more than 4K of session data.
-      class CookieOverflow < StandardError; end
-
       def initialize(app, options = {})
-        # Process legacy CGI options
-        options = options.symbolize_keys
-        if options.has_key?(:session_path)
-          options[:path] = options.delete(:session_path)
-        end
-        if options.has_key?(:session_key)
-          options[:key] = options.delete(:session_key)
-        end
-        if options.has_key?(:session_http_only)
-          options[:httponly] = options.delete(:session_http_only)
-        end
-
-        @app = app
-
-        # The session_key option is required.
-        ensure_session_key(options[:key])
-        @key = options.delete(:key).freeze
-
-        # The secret option is required.
-        ensure_secret_secure(options[:secret])
-        @secret = options.delete(:secret).freeze
-
-        @digest = options.delete(:digest) || 'SHA1'
-        @verifier = verifier_for(@secret, @digest)
-
-        @default_options = DEFAULT_OPTIONS.merge(options).freeze
-
+        super(app, options.merge!(:cookie_only => true))
         freeze
       end
 
-      def call(env)
-        env[ENV_SESSION_KEY] = AbstractStore::SessionHash.new(self, env)
-        env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)
-
-        status, headers, body = @app.call(env)
-
-        session_data = env[ENV_SESSION_KEY]
-        options = env[ENV_SESSION_OPTIONS_KEY]
-
-        if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?) || options[:expire_after]
-          session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.send(:loaded?)
-          session_data = marshal(session_data.to_hash)
-
-          raise CookieOverflow if session_data.size > MAX
-
-          cookie = Hash.new
-          cookie[:value] = session_data
-          unless options[:expire_after].nil?
-            cookie[:expires] = Time.now + options[:expire_after]
-          end
-
-          cookie = build_cookie(@key, cookie.merge(options))
-          unless headers[HTTP_SET_COOKIE].blank?
-            headers[HTTP_SET_COOKIE] << "\n#{cookie}"
-          else
-            headers[HTTP_SET_COOKIE] = cookie
-          end
-        end
-
-        [status, headers, body]
-      end
-
       private
-        # Should be in Rack::Utils soon
-        def build_cookie(key, value)
-          case value
-          when Hash
-            domain  = "; domain="  + value[:domain] if value[:domain]
-            path    = "; path="    + value[:path]   if value[:path]
-            # According to RFC 2109, we need dashes here.
-            # N.B.: cgi.rb uses spaces...
-            expires = "; expires=" + value[:expires].clone.gmtime.
-              strftime("%a, %d-%b-%Y %H:%M:%S GMT") if value[:expires]
-            secure = "; secure" if value[:secure]
-            httponly = "; HttpOnly" if value[:httponly]
-            value = value[:value]
-          end
-          value = [value] unless Array === value
-          cookie = Rack::Utils.escape(key) + "=" +
-            value.map { |v| Rack::Utils.escape(v) }.join("&") +
-            "#{domain}#{path}#{expires}#{secure}#{httponly}"
+
+        def prepare!(env)
+          env[ENV_SESSION_KEY] = SessionHash.new(self, env)
+          env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)
         end
 
         def load_session(env)
-          request = Rack::Request.new(env)
-          session_data = request.cookies[@key]
-          data = unmarshal(session_data) || persistent_session_id!({})
+          request = ActionDispatch::Request.new(env)
+          data = request.cookie_jar.signed[@key]
+          data = persistent_session_id!(data)
           data.stringify_keys!
           [data["session_id"], data]
         end
 
-        # Marshal a session hash into safe cookie data. Include an integrity hash.
-        def marshal(session)
-          @verifier.generate(persistent_session_id!(session))
-        end
-
-        # Unmarshal cookie data to a hash and verify its integrity.
-        def unmarshal(cookie)
-          persistent_session_id!(@verifier.verify(cookie)) if cookie
-        rescue ActiveSupport::MessageVerifier::InvalidSignature
-          nil
-        end
-
-        def ensure_session_key(key)
-          if key.blank?
-            raise ArgumentError, 'A key is required to write a ' +
-              'cookie containing the session data. Use ' +
-              'config.action_controller.session_store :cookie_store, { :key => ' +
-              '"_myapp_session" } in config/application.rb'
-          end
-        end
-
-        # To prevent users from using something insecure like "Password" we make sure that the
-        # secret they've provided is at least 30 characters in length.
-        def ensure_secret_secure(secret)
-          # There's no way we can do this check if they've provided a proc for the
-          # secret.
-          return true if secret.is_a?(Proc)
-
-          if secret.blank?
-            raise ArgumentError, "A secret is required to generate an " +
-              "integrity hash for cookie session data. Use " +
-              "config.secret_token = \"some secret phrase of at " +
-              "least #{SECRET_MIN_LENGTH} characters\"" +
-              "in config/application.rb"
-          end
-
-          if secret.length < SECRET_MIN_LENGTH
-            raise ArgumentError, "Secret should be something secure, " +
-              "like \"#{ActiveSupport::SecureRandom.hex(16)}\".  The value you " +
-              "provided, \"#{secret}\", is shorter than the minimum length " +
-              "of #{SECRET_MIN_LENGTH} characters"
-          end
-        end
-
-        def verifier_for(secret, digest)
-          key = secret.respond_to?(:call) ? secret.call : secret
-          ActiveSupport::MessageVerifier.new(key, digest)
-        end
-
-        def generate_sid
-          ActiveSupport::SecureRandom.hex(16)
-        end
-
-        def persistent_session_id!(data)
-          (data ||= {}).merge!(inject_persistent_session_id(data))
+        def set_cookie(request, options)
+          request.cookie_jar.signed[@key] = options
         end
 
-        def inject_persistent_session_id(data)
-          requires_session_id?(data) ? { "session_id" => generate_sid } : {}
+        def set_session(env, sid, session_data)
+          persistent_session_id!(session_data, sid)
         end
 
-        def requires_session_id?(data)
-          if data
-            data.respond_to?(:key?) && !data.key?("session_id")
-          else
-            true
-          end
+        def persistent_session_id!(data, sid=nil)
+          data ||= {}
+          data["session_id"] ||= sid || generate_sid
+          data
         end
     end
   end