castle-rb 3.6.2 → 4.3.0

data/lib/castle/context/default.rb

@@ -4,36 +4,54 @@ module Castle
   module Context
     class Default
       def initialize(request, cookies = nil)
-        @client_id = Extractors::ClientId.new(request, cookies || request.cookies).call
-        @headers = Extractors::Headers.new(request).call
-        @request_ip = Extractors::IP.new(request).call
+        @pre_headers = HeadersFilter.new(request).call
+        @cookies = cookies || request.cookies
+        @request = request
       end
 
       def call
-        defaults.merge!(additional_defaults)
-      end
-
-      private
-
-      def defaults
         {
-          client_id: @client_id,
+          client_id: client_id,
           active: true,
           origin: 'web',
-          headers: @headers,
-          ip: @request_ip,
+          headers: headers,
+          ip: ip,
           library: {
             name: 'castle-rb',
             version: Castle::VERSION
           }
-        }
+        }.tap do |result|
+          result[:locale] = locale if locale
+          result[:user_agent] = user_agent if user_agent
+        end
       end
 
-      def additional_defaults
-        {}.tap do |result|
-          result[:locale] = @headers['Accept-Language'] if @headers['Accept-Language']
-          result[:user_agent] = @headers['User-Agent'] if @headers['User-Agent']
-        end
+      private
+
+      # @return [String]
+      def locale
+        @pre_headers['Accept-Language']
+      end
+
+      # @return [String]
+      def user_agent
+        @pre_headers['User-Agent']
+      end
+
+      # @return [String]
+      def ip
+        Extractors::IP.new(@pre_headers).call
+      end
+
+      # @return [String]
+      def client_id
+        Extractors::ClientId.new(@pre_headers, @cookies).call
+      end
+
+      # formatted and filtered headers
+      # @return [Hash]
+      def headers
+        Extractors::Headers.new(@pre_headers).call
       end
     end
   end

data/lib/castle/context/sanitizer.rb

@@ -15,6 +15,7 @@ module Castle
           return unless context
           return context unless context.key?(:active)
           return context if [true, false].include?(context[:active])
+
           context.reject { |key| key == :active }
         end
       end

data/lib/castle/events.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Castle
+  # list of events based on https://docs.castle.io/api_reference/#list-of-recognized-events
+  module Events
+    # Record when a user succesfully logs in.
+    LOGIN_SUCCEEDED = '$login.succeeded'
+    # Record when a user failed to log in.
+    LOGIN_FAILED = '$login.failed'
+    # Record when a user logs out.
+    LOGOUT_SUCCEEDED = '$logout.succeeded'
+    # Record when a user updated their profile (including password, email, phone, etc).
+    PROFILE_UPDATE_SUCCEEDED = '$profile_update.succeeded'
+    # Record errors when updating profile.
+    PROFILE_UPDATE_FAILED = '$profile_update.failed'
+    # Capture account creation, both when a user signs up as well as when created manually
+    # by an administrator.
+    REGISTRATION_SUCCEEDED = '$registration.succeeded'
+    # Record when an account failed to be created.
+    REGISTRATION_FAILED = '$registration.failed'
+    # The user completed all of the steps in the password reset process and the password was
+    # successfully reset.Password resets do not required knowledge of the current password.
+    PASSWORD_RESET_SUCCEEDED = '$password_reset.succeeded'
+    # Use to record when a user failed to reset their password.
+    PASSWORD_RESET_FAILED = '$password_reset.failed'
+    # The user successfully requested a password reset.
+    PASSWORD_RESET_REQUEST_SUCCCEEDED = '$password_reset_request.succeeded'
+    # The user failed to request a password reset.
+    PASSWORD_RESET_REQUEST_FAILED = '$password_reset_request.failed'
+    # User account has been reset.
+    INCIDENT_MITIGATED = '$incident.mitigated'
+    # User confirmed malicious activity.
+    REVIEW_ESCALATED = '$review.escalated'
+    # User confirmed safe activity.
+    REVIEW_RESOLVED = '$review.resolved'
+    # Record when a user is prompted with additional verification, such as two-factor
+    # authentication or a captcha.
+    CHALLENGE_REQUESTED = '$challenge.requested'
+    # Record when additional verification was successful.
+    CHALLENGE_SUCCEEDED = '$challenge.succeeded'
+    # Record when additional verification failed.
+    CHALLENGE_FAILED = '$challenge.failed'
+    # Record when a user attempts an in-app transaction, such as a purchase or withdrawal.
+    TRANSACTION_ATTEMPTED = '$transaction.attempted'
+    # Record when a user session is extended, or use any time you want
+    # to re-authenticate a user mid-session.
+    SESSION_EXTENDED = '$session.extended'
+  end
+end

data/lib/castle/extractors/client_id.rb

@@ -4,13 +4,17 @@ module Castle
   module Extractors
     # used for extraction of cookies and headers from the request
     class ClientId
-      def initialize(request, cookies)
-        @request = request
+      # @param headers [Hash]
+      # @param cookies [NilClass|Hash]
+      def initialize(headers, cookies)
+        @headers = headers
         @cookies = cookies || {}
       end
 
+      # extracts client id
+      # @return [String]
       def call
-        @request.env['HTTP_X_CASTLE_CLIENT_ID'] || @cookies['__cid'] || ''
+        @headers['X-Castle-Client-Id'] || @cookies['__cid'] || ''
       end
     end
   end

data/lib/castle/extractors/headers.rb

@@ -5,47 +5,41 @@ module Castle
     # used for extraction of cookies and headers from the request
     class Headers
       # Headers that we will never scrub, even if they land on the configuration blacklist.
-      ALWAYS_INCLUDED_HEADERS = %w[User-Agent].freeze
+      ALWAYS_WHITELISTED = %w[User-Agent].freeze
 
       # Headers that will always be scrubbed, even if whitelisted.
-      ALWAYS_SCRUBBED_HEADERS = %w[Cookie Authorization].freeze
+      ALWAYS_BLACKLISTED = %w[Cookie Authorization].freeze
 
-      # Rack does not add the HTTP_ prefix to Content-Length for some reason
-      CONTENT_LENGTH = 'CONTENT_LENGTH'
+      private_constant :ALWAYS_WHITELISTED, :ALWAYS_BLACKLISTED
 
-      # Prefix that Rack adds for HTTP headers
-      HTTP_HEADER_PREFIX = 'HTTP_'
-
-      private_constant :ALWAYS_INCLUDED_HEADERS, :ALWAYS_SCRUBBED_HEADERS,
-                       :CONTENT_LENGTH, :HTTP_HEADER_PREFIX
-
-      # @param request [Rack::Request]
-      def initialize(request)
-        @request_env = request.env
-        @formatter = HeaderFormatter.new
+      # @param headers [Hash]
+      def initialize(headers)
+        @headers = headers
+        @no_whitelist = Castle.config.whitelisted.empty?
       end
 
       # Serialize HTTP headers
       # @return [Hash]
       def call
-        @request_env.keys.each_with_object({}) do |env_header, acc|
-          next unless env_header.to_s.start_with?(HTTP_HEADER_PREFIX) || env_header == CONTENT_LENGTH
-
-          header = @formatter.call(env_header)
-
-          if ALWAYS_SCRUBBED_HEADERS.include?(header)
-            acc[header] = true
-          elsif ALWAYS_INCLUDED_HEADERS.include?(header)
-            acc[header] = @request_env[env_header]
-          elsif Castle.config.blacklisted.include?(header)
-            acc[header] = true
-          elsif Castle.config.whitelisted.empty? || Castle.config.whitelisted.include?(header)
-            acc[header] = @request_env[env_header]
-          else
-            acc[header] = true
-          end
+        @headers.each_with_object({}) do |(name, value), acc|
+          acc[name] = header_value(name, value)
         end
       end
+
+      private
+
+      # scrub header value
+      # @param name [String]
+      # @param value [String]
+      # @return [TrueClass | FalseClass | String]
+      def header_value(name, value)
+        return true if ALWAYS_BLACKLISTED.include?(name)
+        return value if ALWAYS_WHITELISTED.include?(name)
+        return true if Castle.config.blacklisted.include?(name)
+        return value if @no_whitelist || Castle.config.whitelisted.include?(name)
+
+        true
+      end
     end
   end
 end

data/lib/castle/extractors/ip.rb

@@ -4,14 +4,78 @@ module Castle
   module Extractors
     # used for extraction of ip from the request
     class IP
-      def initialize(request)
-        @request = request
+      # ordered list of ip headers for ip extraction
+      DEFAULT = %w[X-Forwarded-For Remote-Addr].freeze
+      # list of header which are used with proxy depth setting
+      DEPTH_RELATED = %w[X-Forwarded-For].freeze
+
+      private_constant :DEFAULT
+
+      # @param headers [Hash]
+      def initialize(headers)
+        @headers = headers
+        @ip_headers = Castle.config.ip_headers.empty? ? DEFAULT : Castle.config.ip_headers
+        @proxies = Castle.config.trusted_proxies + Castle::Configuration::TRUSTED_PROXIES
+        @trust_proxy_chain = Castle.config.trust_proxy_chain
+        @trusted_proxy_depth = Castle.config.trusted_proxy_depth
       end
 
+      # Order of headers:
+      #   .... list of headers defined by ip_headers
+      #   X-Forwarded-For
+      #   Remote-Addr
+      # @return [String]
       def call
-        return @request.env['HTTP_CF_CONNECTING_IP'] if @request.env['HTTP_CF_CONNECTING_IP']
-        return @request.remote_ip if @request.respond_to?(:remote_ip)
-        @request.ip
+        all_ips = []
+
+        @ip_headers.each do |ip_header|
+          ips = ips_from(ip_header)
+          ip_value = remove_proxies(ips)
+
+          return ip_value if ip_value
+
+          all_ips.push(*ips)
+        end
+
+        # fallback to first listed ip
+        all_ips.first
+      end
+
+      private
+
+      # @param ips [Array<String>]
+      # @return [Array<String>]
+      def remove_proxies(ips)
+        return ips.first if @trust_proxy_chain
+
+        ips.reject { |ip| proxy?(ip) }.last
+      end
+
+      # @param ip [String]
+      # @return [Boolean]
+      def proxy?(ip)
+        @proxies.any? { |proxy| proxy.match(ip) }
+      end
+
+      # @param header [String]
+      # @return [Array<String>]
+      def ips_from(header)
+        value = @headers[header]
+
+        return [] unless value
+
+        ips = value.strip.split(/[,\s]+/)
+
+        limit_proxy_depth(ips, header)
+      end
+
+      # @param ips [Array<String>]
+      # @param ip_header [String]
+      # @return [Array<String>]
+      def limit_proxy_depth(ips, ip_header)
+        ips.pop(@trusted_proxy_depth) if DEPTH_RELATED.include?(ip_header)
+
+        ips
       end
     end
   end

data/lib/castle/headers_filter.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Castle
+  # used for preparing valuable headers list
+  class HeadersFilter
+    # headers filter
+    # HTTP_ - this is how Rack prefixes incoming HTTP headers
+    # CONTENT_LENGTH - for responses without Content-Length or Transfer-Encoding header
+    # REMOTE_ADDR - ip address header returned by web server
+    VALUABLE_HEADERS = /^
+      HTTP(?:_|-).*|
+      CONTENT(?:_|-)LENGTH|
+      REMOTE(?:_|-)ADDR
+    $/xi.freeze
+
+    private_constant :VALUABLE_HEADERS
+
+    # @param request [Rack::Request]
+    def initialize(request)
+      @request_env = request.env
+      @formatter = HeadersFormatter
+    end
+
+    # Serialize HTTP headers
+    # @return [Hash]
+    def call
+      @request_env.keys.each_with_object({}) do |header_name, acc|
+        next unless header_name.match(VALUABLE_HEADERS)
+
+        formatted_name = @formatter.call(header_name)
+        acc[formatted_name] = @request_env[header_name]
+      end
+    end
+  end
+end

data/lib/castle/headers_formatter.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Castle
+  # formats header name
+  class HeadersFormatter
+    class << self
+      # @param header [String]
+      # @return [String]
+      def call(header)
+        format(header.to_s.gsub(/^HTTP(?:_|-)/i, ''))
+      end
+
+      private
+
+      # @param header [String]
+      # @return [String]
+      def format(header)
+        header.split(/_|-/).map(&:capitalize).join('-')
+      end
+    end
+  end
+end

data/lib/castle/validators/not_supported.rb

@@ -7,6 +7,7 @@ module Castle
         def call(options, keys)
           keys.each do |key|
             next unless options.key?(key)
+
             raise Castle::InvalidParametersError, "#{key} is/are not supported"
           end
         end

data/lib/castle/validators/present.rb

@@ -7,6 +7,7 @@ module Castle
         def call(options, keys)
           keys.each do |key|
             next unless options[key].to_s.empty?
+
             raise Castle::InvalidParametersError, "#{key} is missing or empty"
           end
         end

data/lib/castle/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Castle
-  VERSION = '3.6.2'
+  VERSION = '4.3.0'
 end

data/spec/integration/rails/rails_spec.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_relative 'support/all'
+
+RSpec.describe HomeController, type: :request do
+  describe '#index' do
+    let(:request) do
+      {
+        'event' => '$login.succeeded',
+        'user_id' => '123',
+        'properties' => { 'key' => 'value' },
+        'user_traits' => { 'key' => 'value' },
+        'timestamp' => now.utc.iso8601(3),
+        'sent_at' => now.utc.iso8601(3),
+        'context' => {
+          'client_id' => '',
+          'active' => true,
+          'origin' => 'web',
+          'headers' => {
+            'Accept' => 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
+            'Authorization' => true,
+            'Content-Length' => '0',
+            'Cookie' => true,
+            'Host' => 'www.example.com',
+            'X-Forwarded-For' => '5.5.5.5, 1.2.3.4',
+            'Remote-Addr' => '127.0.0.1'
+          },
+          'ip' => '1.2.3.4',
+          'library' => {
+            'name' => 'castle-rb',
+            'version' => Castle::VERSION
+          }
+        }
+      }
+    end
+    let(:now) { Time.now }
+    let(:headers) do
+      {
+        'HTTP_AUTHORIZATION' => 'Basic 123',
+        'HTTP_X_FORWARDED_FOR' => '5.5.5.5, 1.2.3.4'
+      }
+    end
+
+    before do
+      Timecop.freeze(now)
+      stub_request(:post, 'https://api.castle.io/v1/track')
+      get '/', headers: headers
+    end
+
+    after { Timecop.return }
+
+    it do
+      assert_requested :post, 'https://api.castle.io/v1/track', times: 1 do |req|
+        JSON.parse(req.body) == request
+      end
+    end
+
+    it { expect(response).to be_successful }
+  end
+end