codeword 0.2.0.beta2 → 0.2.0.beta4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 58628581dfc6ebc297114f5d05ca82b625d1f777eb28fb66cb83caf818b5337b
-  data.tar.gz: a554b130eb17b6fe35e60ecb7bd6d318b1c43e61665ed8438e1b6476c4e4b985
+  metadata.gz: cb390e385a9ce1fe7f4e8f987be5e02d1542795d209d74d282887f93cbc03c33
+  data.tar.gz: 9f53cfbc92b062d4c531d025535f93213ac7bebed588233aa37b7c7036501764
 SHA512:
-  metadata.gz: f76067c4a6e801c693e970c60ea94179fb35d8e4d03f1c52cd6fcfdf2735a87004357d4490d296d3ebcd380b859e89ce894165098a74a49aec39806b6e04caed
-  data.tar.gz: a3c85b0d037a52c7df10bbad807e2f05e6a71fd4e030f4dff514c93ddb5f7c6d20303235aed514064310d828878219d04385ec37ec84818e74add0a42a2b3a3a
+  metadata.gz: 966df1e8a10079976ff0efe940935c67a634ae0de335d702e6c74a8af314d88c18d1beb97edf7dbdeb93e09e1c5e305ed355ae898a1799879d33c701b019cc5b
+  data.tar.gz: a62f1f572a373e268f661bfedfab93049f85ec034d07547735a7b5049d8920defd71a82aad11dba4137ae905278c3de4500eb94c4225ddefe2ce2b35aa0a3f97

data/CHANGELOG.md

@@ -1,7 +1,15 @@
 ## [Unreleased]
 
+- BREAKING: Only support namespaced Rails credentials under `codeword` (e.g. `codeword.codeword`, `codeword.hint`, `codeword.cookie_lifetime_in_weeks`)
+- BREAKING: Drop support for Rails < 7.2
+- BREAKING: Rename `check_for_codeword` to `require_codeword!`
 - BREAKING: Deprecate Rails secrets in favor of Rails credentials
-- BREAKING: Drop support for Rails < 6.0
+- BREAKING: Remove lowercase ENV variable support (only uppercase ENV variables are now supported)
+
+- Prevent open redirects by using `allow_other_host: false`
+- Harden cookie with `httponly: true`, `same_site: :lax`, and `secure: request.ssl?`
+- `codeword_cookie_lifetime` now returns an `ActiveSupport::Duration`; cookie expiry uses `from_now`
+- Updated crawler detection regex (removed duplicate `spider` and generic `click` token)
 
 ## [0.1.1] - 2021-12-17
 

data/LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2021 Dan Kim
+Copyright (c) 2025 Dan Kim
 Copyright (c) 2013 gb Studio, llc
 
 Permission is hereby granted, free of charge, to any person obtaining a copy

data/README.md

@@ -17,9 +17,29 @@ gem 'codeword'
 3. Mount the engine in your application’s routes file (usually first, for best results):
 
 ```ruby
+# config/routes.rb
 mount Codeword::Engine, at: '/codeword'
 ```
 
+4. Include the `Codeword::Authentication` module in your application_controller.rb file and check for codeword:
+
+```ruby
+# app/controllers/application_controller.rb
+class ApplicationController < ActionController::Base
+  include Codeword::Authentication
+
+  before_action :require_codeword!
+end
+```
+
+5. Skip the check for codeword in the controller(s) you would like to allow:
+
+```ruby
+class APIController < ApplicationController
+  skip_before_action :require_codeword!
+end
+```
+
 ## Usage
 
 To set a codeword, define CODEWORD in your environments/your_environment.rb file like so:
@@ -36,17 +56,11 @@ ENV['CODEWORD_HINT'] = 'Something that you do not tell everyone.'
 
 You can add your codeword via Rails credentials in your `credentials.yml.enc` file (`$ bin/rails credentials:edit`):
 
-```yml
-codeword: 'love'
-codeword_hint: 'Pepé Le Pew'
-```
-
-Alternately, credentials in Rails >= 5.2 may be organized under the `codeword` namespace:
-
 ```yml
 codeword:
-  codeword: 'love'
-  hint: 'Pepé Le Pew'
+  codeword: "love"
+  hint: "Pepé Le Pew"
+  cookie_lifetime_in_weeks: 4
 ```
 
 **Codewords are not case-sensitive, by design. Keep it simple.**
@@ -60,13 +74,13 @@ codeword:
 2. In your application_controller.rb file, add:
 
 ```ruby
-skip_before_action :check_for_codeword, raise: false
+skip_before_action :require_codeword!, raise: false
 ```
 
 4. In the controller(s) you would like to restrict:
 
 ```ruby
-before_action :check_for_codeword
+before_action :require_codeword!
 ```
 
 ### Link it with no typing:

data/app/controllers/codeword/codeword_controller.rb

@@ -1,8 +1,8 @@
 module Codeword
   class CodewordController < Codeword::ApplicationController
-    CRAWLER_REGEX = /crawl|googlebot|slurp|spider|bingbot|tracker|click|parser|spider/
+    CRAWLER_REGEX = /crawl|googlebot|slurp|spider|bingbot|tracker|parser/
 
-    skip_before_action :check_for_codeword
+    skip_before_action :require_codeword!, raise: false
 
     def unlock
       user_agent = request.env['HTTP_USER_AGENT'].presence
@@ -14,7 +14,7 @@ module Codeword
       if params[:codeword].present?
         @codeword = params[:codeword].to_s.downcase
         @return_to = params[:return_to]
-        if @codeword == codeword_code.to_s.downcase
+        if @codeword == Codeword::Configuration.codeword_code.to_s.downcase
           set_cookie
           run_redirect
         else
@@ -28,15 +28,23 @@ module Codeword
     private
 
     def set_cookie
-      cookies[:codeword] = { value: @codeword.to_s.downcase, expires: (Time.now + codeword_cookie_lifetime) }
+      cookies[:codeword] = {
+        value: @codeword.to_s.downcase,
+        expires: Codeword::Configuration.codeword_cookie_lifetime.from_now,
+        httponly: true,
+        secure: request.ssl?,
+        same_site: :lax
+      }
     end
 
     def run_redirect
       if @return_to.present?
-        redirect_to @return_to.to_s
+        redirect_to @return_to.to_s, allow_other_host: false
       else
         redirect_to '/'
       end
+    rescue ActionController::Redirecting::UnsafeRedirectError
+      redirect_to '/'
     end
   end
 end

data/app/helpers/codeword/codeword_helper.rb

@@ -3,7 +3,7 @@
 module Codeword
   module CodewordHelper
     def codeword_hint
-      @codeword_hint ||= ENV['CODEWORD_HINT'] || ENV['codeword_hint'] || ::Codeword.from_config(:hint)
+      @codeword_hint ||= ENV['CODEWORD_HINT'] || Codeword::Configuration.from_credentials(:hint)
     end
   end
 end

data/codeword.gemspec

@@ -6,9 +6,9 @@ Gem::Specification.new do |spec|
   spec.name        = 'codeword'
   spec.version     = Codeword::VERSION
   spec.authors     = ['Dan Kim', 'gb Studio']
-  spec.email       = ['itsdanya@gmail.com']
+  spec.email       = ['git@dan.kim']
 
-  spec.summary     = 'Lock staging servers from search engines and prying eyespec.'
+  spec.summary     = 'Lock staging servers from search engines and prying eyes.'
   spec.description = 'A simple gem to more elegantly place a staging server or other in-progress application behind a basic codeword. It’s easy to implement, share with clients/collaborators, and more beautiful than the typical password-protection sheet.'
   spec.homepage    = 'https://github.com/dankimio/codeword'
   spec.license     = 'MIT'
@@ -21,10 +21,10 @@ Gem::Specification.new do |spec|
     `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   end
 
-  spec.add_dependency 'rails', '>= 6.1'
+  spec.add_dependency 'rails', '>= 7.2'
 
-  spec.add_development_dependency 'capybara', '~> 2.9'
+  spec.add_development_dependency 'capybara'
   spec.add_development_dependency 'debug'
   spec.add_development_dependency 'launchy', '~> 2.4'
-  spec.add_development_dependency 'rspec-rails', '~> 6.0'
+  spec.add_development_dependency 'rspec-rails', '~> 7.0'
 end

data/lib/codeword/authentication.rb

@@ -0,0 +1,17 @@
+module Codeword
+  module Authentication
+    extend ActiveSupport::Concern
+
+    def require_codeword!
+      return unless respond_to?(:codeword) && Codeword::Configuration.codeword_code
+      return if cookies[:codeword].present? && cookies[:codeword] == Codeword::Configuration.codeword_code.to_s.downcase
+
+      redirect_to codeword.unlock_path(
+        return_to: request.fullpath.split('?codeword')[0],
+        codeword: params[:codeword]
+      )
+    end
+
+    alias_method :check_for_codeword, :require_codeword!
+  end
+end

data/lib/codeword/configuration.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Codeword
+  module Configuration
+    def self.from_credentials(setting)
+      store = Rails.application.credentials
+
+      store.dig(:codeword, setting)
+    end
+
+    def self.cookie_lifetime
+      @cookie_lifetime ||=
+        ENV['COOKIE_LIFETIME_IN_WEEKS'] ||
+        from_credentials(:cookie_lifetime_in_weeks)
+    end
+
+    def self.codeword_code
+      @codeword_code ||= ENV['CODEWORD'] || from_credentials(:codeword)
+    end
+
+    def self.codeword_cookie_lifetime
+      weeks = cookie_lifetime.to_f
+      if weeks.positive?
+        weeks.weeks
+      else
+        5.years
+      end
+    end
+  end
+end

data/lib/codeword/engine.rb

@@ -1,9 +1,5 @@
 module Codeword
   class Engine < ::Rails::Engine
     isolate_namespace Codeword
-
-    initializer 'codeword.app_controller' do |_app|
-      ActiveSupport.on_load(:action_controller) { include Codeword }
-    end
   end
 end

data/lib/codeword/version.rb

@@ -1,3 +1,3 @@
 module Codeword
-  VERSION = '0.2.0.beta2'.freeze
+  VERSION = '0.2.0.beta4'.freeze
 end

data/lib/codeword.rb

@@ -1,51 +1,8 @@
 # frozen_string_literal: true
 
 require 'codeword/engine'
+require 'codeword/authentication'
+require 'codeword/configuration'
 
 module Codeword
-  extend ActiveSupport::Concern
-
-  included do
-    before_action :check_for_codeword
-  end
-
-  def self.from_config(setting)
-    store = Rails.application.credentials
-
-    store.codeword.respond_to?(:fetch) &&
-      store.codeword.fetch(setting, store.public_send("codeword_#{setting}")) ||
-      store.public_send("codeword_#{setting}") || store.public_send(setting)
-  end
-
-  private
-
-  def check_for_codeword
-    return unless respond_to?(:codeword) && codeword_code
-    return if cookies[:codeword].present? && cookies[:codeword] == codeword_code.to_s.downcase
-
-    redirect_to codeword.unlock_path(
-      return_to: request.fullpath.split('?codeword')[0],
-      codeword: params[:codeword]
-    )
-  end
-
-  def cookie_lifetime
-    @cookie_lifetime ||=
-      ENV['COOKIE_LIFETIME_IN_WEEKS'] ||
-      ENV['cookie_lifetime_in_weeks'] ||
-      Codeword.from_config(:cookie_lifetime_in_weeks)
-  end
-
-  def codeword_code
-    @codeword_code ||= ENV['CODEWORD'] || ENV['codeword'] || Codeword.from_config(:codeword)
-  end
-
-  def codeword_cookie_lifetime
-    seconds = (cookie_lifetime.to_f * 1.week).to_i
-    if seconds.positive?
-      seconds
-    else
-      5.years
-    end
-  end
 end

data/mise.toml

@@ -0,0 +1,2 @@
+[tools]
+ruby = "3.4.5"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: codeword
 version: !ruby/object:Gem::Version
-  version: 0.2.0.beta2
+  version: 0.2.0.beta4
 platform: ruby
 authors:
 - Dan Kim
 - gb Studio
 bindir: bin
 cert_chain: []
-date: 2025-02-05 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '7.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '6.1'
+        version: '7.2'
 - !ruby/object:Gem::Dependency
   name: capybara
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.9'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.9'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -72,25 +72,24 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.0'
+        version: '7.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.0'
+        version: '7.0'
 description: A simple gem to more elegantly place a staging server or other in-progress
   application behind a basic codeword. It’s easy to implement, share with clients/collaborators,
   and more beautiful than the typical password-protection sheet.
 email:
-- itsdanya@gmail.com
+- git@dan.kim
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
-- ".ruby-version"
 - CHANGELOG.md
 - Gemfile
 - LICENSE.txt
@@ -107,10 +106,12 @@ files:
 - codeword.gemspec
 - config/routes.rb
 - lib/codeword.rb
+- lib/codeword/authentication.rb
+- lib/codeword/configuration.rb
 - lib/codeword/engine.rb
 - lib/codeword/version.rb
+- mise.toml
 - screenshot.png
-- script/rails
 homepage: https://github.com/dankimio/codeword
 licenses:
 - MIT
@@ -132,7 +133,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.7.1
 specification_version: 4
-summary: Lock staging servers from search engines and prying eyespec.
+summary: Lock staging servers from search engines and prying eyes.
 test_files: []

data/.ruby-version

@@ -1 +0,0 @@
-3.4.1

data/script/rails

@@ -1,8 +0,0 @@
-#!/usr/bin/env ruby
-# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
-
-ENGINE_ROOT = File.expand_path('..', __dir__)
-ENGINE_PATH = File.expand_path('../lib/codeword/engine', __dir__)
-
-require 'rails/all'
-require 'rails/engine/commands'