codeword 0.2.0.beta3 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f6ffa70037e0cddb9a44c6fc47a7bd9e8f903570f3e78a2961221d25cd465e5b
-  data.tar.gz: 500afbda48f4632781878ef18b174505b1380b1d1afa86dd85e9f56c70d4b053
+  metadata.gz: edc4c98d1d7d4aaeecc0e2d0b7afcb8a532753e057ae77998f804d4fc74203b7
+  data.tar.gz: 0abf677be13b090ab310441dd01e07b403fe7296b747f92b8729dc87cc1b21d1
 SHA512:
-  metadata.gz: dd9703d78d830e6127fe13f77160d6ce6279b16f427a17283a100fb885934f5c97ffc6a345442b09e54c8fde882fee14474fef5e9e171d70dc90ad3133c0cd57
-  data.tar.gz: ef8fef69c8596dbb4f978f969841251de17ec1f87f245c4afc65254211f5ecac9e7ef94c48813b9f82e9c6f034b41c37c8904e805056f50b639cf5ec34316271
+  metadata.gz: bd5f76a4bd9cc4560fb55d2645bbe6229c00fec7a9969b003835ef85927ede1fac0eb27dcc918fe626671643e64d5e1cd2ee448379b4f5209e42deab498e70b4
+  data.tar.gz: 24e3c1cddb91cf2a2f08582fbde8184b81abcdf96c29fb70c10fcbcba2dcadd281a53c5e931eda35f25cb66bef32e878c121da4cd9c45f5d8f402d28f5e183c9

data/CHANGELOG.md

@@ -1,9 +1,17 @@
-## [Unreleased]
+## [0.2.0] - 2025-09-25
 
+- BREAKING: Only support namespaced Rails credentials under `codeword` (e.g. `codeword.codeword`, `codeword.hint`, `codeword.cookie_lifetime_in_weeks`)
 - BREAKING: Drop support for Rails < 7.2
 - BREAKING: Rename `check_for_codeword` to `require_codeword!`
 - BREAKING: Deprecate Rails secrets in favor of Rails credentials
-- BREAKING: Drop support for Rails < 6.0
+- BREAKING: Remove lowercase ENV variable support (only uppercase ENV variables are now supported)
+
+- Prevent open redirects by using `allow_other_host: false`
+- Harden cookie with `httponly: true`, `same_site: :lax`, and `secure: request.ssl?`
+- `codeword_cookie_lifetime` now returns an `ActiveSupport::Duration`; cookie expiry uses `from_now`
+- Updated crawler detection regex (removed duplicate `spider` and generic `click` token)
+
+Migration: see [UPGRADE-0.2.md](./UPGRADE-0.2.md) for steps to upgrade from 0.1.x to 0.2.0.
 
 ## [0.1.1] - 2021-12-17
 

data/README.md

@@ -21,22 +21,22 @@ gem 'codeword'
 mount Codeword::Engine, at: '/codeword'
 ```
 
-4. Include the `Codeword` module in your application_controller.rb file and check for codeword:
+4. Include the `Codeword::Authentication` module in your application_controller.rb file and check for codeword:
 
 ```ruby
 # app/controllers/application_controller.rb
 class ApplicationController < ActionController::Base
-  include Codeword
+  include Codeword::Authentication
 
   before_action :require_codeword!
 end
 ```
 
-5. Skip the check for codeword in the controller(s) you would like to restrict:
+5. Skip the check for codeword in the controller(s) you would like to allow:
 
 ```ruby
 class APIController < ApplicationController
-  skip_before_action :require_codeword!, raise: false
+  skip_before_action :require_codeword!
 end
 ```
 
@@ -56,17 +56,11 @@ ENV['CODEWORD_HINT'] = 'Something that you do not tell everyone.'
 
 You can add your codeword via Rails credentials in your `credentials.yml.enc` file (`$ bin/rails credentials:edit`):
 
-```yml
-codeword: "love"
-codeword_hint: "Pepé Le Pew"
-```
-
-Alternately, credentials in Rails >= 5.2 may be organized under the `codeword` namespace:
-
 ```yml
 codeword:
   codeword: "love"
   hint: "Pepé Le Pew"
+  cookie_lifetime_in_weeks: 4
 ```
 
 **Codewords are not case-sensitive, by design. Keep it simple.**

data/UPGRADE-0.2.md

@@ -0,0 +1,51 @@
+# Migrating from 0.1.x to 0.2.0
+
+This guide walks you through the changes required to upgrade from 0.1.x to 0.2.0.
+
+## TL;DR checklist
+
+- Update to Rails >= 7.2.
+- Move credentials to the namespaced structure under `codeword`.
+- Ensure controllers use `require_codeword!` (and skip it only where access is allowed).
+- Stop relying on external `return_to` redirects; they are blocked now.
+
+## 1) Credentials: namespaced only
+
+Codeword now reads credentials only from the namespaced structure:
+
+```yml
+# config/credentials.yml.enc
+codeword:
+  codeword: "love"
+  hint: "Pepé Le Pew"
+  cookie_lifetime_in_weeks: 4
+```
+
+- Non‑namespaced keys like `codeword_hint:` at the root are no longer read.
+- Environment variable fallbacks still work: `ENV['CODEWORD']`, `ENV['CODEWORD_HINT']`, `ENV['COOKIE_LIFETIME_IN_WEEKS']`.
+
+## 2) Controller hook rename and usage
+
+- Use `require_codeword!` to enforce the codeword gate.
+
+```ruby
+class ApplicationController < ActionController::Base
+  include Codeword::Authentication
+  before_action :require_codeword!
+end
+```
+
+- Skip it only for controllers/actions you want to allow without the codeword:
+
+```ruby
+class APIController < ApplicationController
+  skip_before_action :require_codeword!
+end
+```
+
+- The old `check_for_codeword` name is deprecated; switch to `require_codeword!`.
+
+## 3) Redirect hardening (open redirects)
+
+- After a successful unlock, external `return_to` URLs are no longer allowed. Redirects now use `allow_other_host: false` and will fall back to the root path if unsafe.
+- If you previously depended on redirecting to external domains, move that flow behind your own internal path and perform external navigation server‑side or client‑side after the unlock.

data/app/controllers/codeword/codeword_controller.rb

@@ -1,6 +1,6 @@
 module Codeword
   class CodewordController < Codeword::ApplicationController
-    CRAWLER_REGEX = /crawl|googlebot|slurp|spider|bingbot|tracker|click|parser|spider/
+    CRAWLER_REGEX = /crawl|googlebot|slurp|spider|bingbot|tracker|parser/
 
     skip_before_action :require_codeword!, raise: false
 
@@ -14,7 +14,7 @@ module Codeword
       if params[:codeword].present?
         @codeword = params[:codeword].to_s.downcase
         @return_to = params[:return_to]
-        if @codeword == codeword_code.to_s.downcase
+        if @codeword == Codeword::Configuration.codeword_code.to_s.downcase
           set_cookie
           run_redirect
         else
@@ -28,15 +28,23 @@ module Codeword
     private
 
     def set_cookie
-      cookies[:codeword] = { value: @codeword.to_s.downcase, expires: (Time.now + codeword_cookie_lifetime) }
+      cookies[:codeword] = {
+        value: @codeword.to_s.downcase,
+        expires: Codeword::Configuration.codeword_cookie_lifetime.from_now,
+        httponly: true,
+        secure: request.ssl?,
+        same_site: :lax
+      }
     end
 
     def run_redirect
       if @return_to.present?
-        redirect_to @return_to.to_s
+        redirect_to @return_to.to_s, allow_other_host: false
       else
         redirect_to '/'
       end
+    rescue ActionController::Redirecting::UnsafeRedirectError
+      redirect_to '/'
     end
   end
 end

data/app/helpers/codeword/codeword_helper.rb

@@ -3,7 +3,7 @@
 module Codeword
   module CodewordHelper
     def codeword_hint
-      @codeword_hint ||= ENV['CODEWORD_HINT'] || ENV['codeword_hint'] || ::Codeword.from_config(:hint)
+      @codeword_hint ||= ENV['CODEWORD_HINT'] || Codeword::Configuration.from_credentials(:hint)
     end
   end
 end

data/codeword.gemspec

@@ -8,7 +8,7 @@ Gem::Specification.new do |spec|
   spec.authors     = ['Dan Kim', 'gb Studio']
   spec.email       = ['git@dan.kim']
 
-  spec.summary     = 'Lock staging servers from search engines and prying eyespec.'
+  spec.summary     = 'Lock staging servers from search engines and prying eyes.'
   spec.description = 'A simple gem to more elegantly place a staging server or other in-progress application behind a basic codeword. It’s easy to implement, share with clients/collaborators, and more beautiful than the typical password-protection sheet.'
   spec.homepage    = 'https://github.com/dankimio/codeword'
   spec.license     = 'MIT'
@@ -23,8 +23,8 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'rails', '>= 7.2'
 
-  spec.add_development_dependency 'capybara', '~> 2.9'
+  spec.add_development_dependency 'capybara'
   spec.add_development_dependency 'debug'
   spec.add_development_dependency 'launchy', '~> 2.4'
-  spec.add_development_dependency 'rspec-rails', '~> 6.0'
+  spec.add_development_dependency 'rspec-rails', '~> 7.0'
 end

data/lib/codeword/authentication.rb

@@ -0,0 +1,17 @@
+module Codeword
+  module Authentication
+    extend ActiveSupport::Concern
+
+    def require_codeword!
+      return unless respond_to?(:codeword) && Codeword::Configuration.codeword_code
+      return if cookies[:codeword].present? && cookies[:codeword] == Codeword::Configuration.codeword_code.to_s.downcase
+
+      redirect_to codeword.unlock_path(
+        return_to: request.fullpath.split('?codeword')[0],
+        codeword: params[:codeword]
+      )
+    end
+
+    alias_method :check_for_codeword, :require_codeword!
+  end
+end

data/lib/codeword/configuration.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Codeword
+  module Configuration
+    def self.from_credentials(setting)
+      store = Rails.application.credentials
+
+      store.dig(:codeword, setting)
+    end
+
+    def self.cookie_lifetime
+      @cookie_lifetime ||=
+        ENV['COOKIE_LIFETIME_IN_WEEKS'] ||
+        from_credentials(:cookie_lifetime_in_weeks)
+    end
+
+    def self.codeword_code
+      @codeword_code ||= ENV['CODEWORD'] || from_credentials(:codeword)
+    end
+
+    def self.codeword_cookie_lifetime
+      weeks = cookie_lifetime.to_f
+      if weeks.positive?
+        weeks.weeks
+      else
+        5.years
+      end
+    end
+  end
+end

data/lib/codeword/version.rb

@@ -1,3 +1,3 @@
 module Codeword
-  VERSION = '0.2.0.beta3'.freeze
+  VERSION = '0.2.0'.freeze
 end

data/lib/codeword.rb

@@ -1,49 +1,8 @@
 # frozen_string_literal: true
 
 require 'codeword/engine'
+require 'codeword/authentication'
+require 'codeword/configuration'
 
 module Codeword
-  extend ActiveSupport::Concern
-
-  def self.from_config(setting)
-    store = Rails.application.credentials
-
-    store.codeword.respond_to?(:fetch) &&
-      store.codeword.fetch(setting, store.public_send("codeword_#{setting}")) ||
-      store.public_send("codeword_#{setting}") || store.public_send(setting)
-  end
-
-  private
-
-  def require_codeword!
-    return unless respond_to?(:codeword) && codeword_code
-    return if cookies[:codeword].present? && cookies[:codeword] == codeword_code.to_s.downcase
-
-    redirect_to codeword.unlock_path(
-      return_to: request.fullpath.split('?codeword')[0],
-      codeword: params[:codeword]
-    )
-  end
-
-  alias_method :check_for_codeword, :require_codeword!
-
-  def cookie_lifetime
-    @cookie_lifetime ||=
-      ENV['COOKIE_LIFETIME_IN_WEEKS'] ||
-      ENV['cookie_lifetime_in_weeks'] ||
-      Codeword.from_config(:cookie_lifetime_in_weeks)
-  end
-
-  def codeword_code
-    @codeword_code ||= ENV['CODEWORD'] || ENV['codeword'] || Codeword.from_config(:codeword)
-  end
-
-  def codeword_cookie_lifetime
-    seconds = (cookie_lifetime.to_f * 1.week).to_i
-    if seconds.positive?
-      seconds
-    else
-      5.years
-    end
-  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: codeword
 version: !ruby/object:Gem::Version
-  version: 0.2.0.beta3
+  version: 0.2.0
 platform: ruby
 authors:
 - Dan Kim
@@ -28,16 +28,16 @@ dependencies:
   name: capybara
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.9'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.9'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -72,14 +72,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.0'
+        version: '7.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '6.0'
+        version: '7.0'
 description: A simple gem to more elegantly place a staging server or other in-progress
   application behind a basic codeword. It’s easy to implement, share with clients/collaborators,
   and more beautiful than the typical password-protection sheet.
@@ -95,6 +95,7 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- UPGRADE-0.2.md
 - app/controllers/codeword/application_controller.rb
 - app/controllers/codeword/codeword_controller.rb
 - app/helpers/codeword/application_helper.rb
@@ -106,11 +107,12 @@ files:
 - codeword.gemspec
 - config/routes.rb
 - lib/codeword.rb
+- lib/codeword/authentication.rb
+- lib/codeword/configuration.rb
 - lib/codeword/engine.rb
 - lib/codeword/version.rb
 - mise.toml
 - screenshot.png
-- script/rails
 homepage: https://github.com/dankimio/codeword
 licenses:
 - MIT
@@ -134,5 +136,5 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 rubygems_version: 3.7.1
 specification_version: 4
-summary: Lock staging servers from search engines and prying eyespec.
+summary: Lock staging servers from search engines and prying eyes.
 test_files: []

data/script/rails

@@ -1,8 +0,0 @@
-#!/usr/bin/env ruby
-# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
-
-ENGINE_ROOT = File.expand_path('..', __dir__)
-ENGINE_PATH = File.expand_path('../lib/codeword/engine', __dir__)
-
-require 'rails/all'
-require 'rails/engine/commands'