double_trouble 0.1.0

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2010 Jakub Kuźma
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,11 @@
+= Double Trouble
+
+Adds nonces to your Rails' forms.
+
+== Installation
+
+  gem install form_nonce
+
+== Copyright
+
+Copyright (c) 2010 Jakub Kuźma. See LICENSE[http://github.com/qoobaa/form_nonce/raw/master/LICENSE] for details.

data/lib/double_trouble/cached_nonce.rb

@@ -0,0 +1,36 @@
+module DoubleTrouble
+  class CachedNonce
+    cattr_accessor :expires_in
+    self.expires_in = 1.hour
+
+    attr_accessor :nonce
+
+    def self.valid?(nonce)
+      new(nonce).valid?
+    end
+
+    def self.store!(nonce)
+      new(nonce).save!
+    end
+
+    def initialize(nonce)
+      self.nonce = nonce
+    end
+
+    def save
+      valid? && ::Rails.cache.write(cache_key, true, :expires_in => self.class.expires_in)
+    end
+
+    def save!
+      save || raise(InvalidNonce)
+    end
+
+    def valid?
+      nonce.present? && !::Rails.cache.exist?(cache_key, :expires_in => self.class.expires_in)
+    end
+
+    def cache_key
+      "double_trouble_cached_nonce.#{nonce}"
+    end
+  end
+end

data/lib/double_trouble/errors.rb

@@ -0,0 +1,3 @@
+module DoubleTrouble
+  class InvalidNonce < StandardError; end
+end

data/lib/double_trouble/form_tag_helper_hack.rb

@@ -0,0 +1,20 @@
+# HAX: monkey patching is required to make it work
+
+module ActionView::Helpers::FormTagHelper
+  private
+
+  def form_tag_html_with_double_trouble(html_options)
+    extra_tags = double_trouble_extra_tags_for_form
+    (form_tag_html_without_double_trouble(html_options) + extra_tags).html_safe
+  end
+
+  alias_method_chain :form_tag_html, :double_trouble
+
+  def double_trouble_extra_tags_for_form
+    (protect_against_double_trouble?) ? content_tag(:div, double_trouble_nonce_tag, :style => "margin:0;padding:0;display:inline") : ""
+  end
+
+  def double_trouble_nonce_tag
+    tag(:input, :type => "hidden", :name => double_trouble_nonce_param.to_s, :value => double_trouble_form_nonce)
+  end
+end

data/lib/double_trouble/protection.rb

@@ -0,0 +1,54 @@
+module DoubleTrouble
+  module Protection
+    def self.included(base)
+      base.class_eval do
+        class_inheritable_accessor :allow_double_trouble_protection
+        class_inheritable_accessor :double_trouble_resource_name
+        cattr_accessor             :double_trouble_nonce_store
+        cattr_accessor             :double_trouble_nonce_param
+        helper_method              :protect_against_double_trouble?, :double_trouble_nonce_param, :double_trouble_form_nonce
+
+        self.allow_double_trouble_protection = true
+        extend(ClassMethods)
+      end
+    end
+
+    module ClassMethods
+      def protect_from_double_trouble(resource_name, options = {})
+        self.double_trouble_resource_name   = resource_name
+        self.double_trouble_nonce_param   ||= :form_nonce
+        self.double_trouble_nonce_store   ||= CachedNonce
+
+        around_filter :double_trouble_protection, options.slice(:only, :except)
+      end
+    end
+
+    protected
+
+    def double_trouble_protection
+      if protect_against_double_trouble?
+        nonce    = params[double_trouble_nonce_param]
+        store    = double_trouble_nonce_store
+
+        store.valid?(nonce) || raise(InvalidNonce)
+        yield
+        instance_variable_get("@#{double_trouble_resource_name}").tap do |resource|
+          resource.present? && !resource.new_record? && store.store!(nonce)
+        end
+      else
+        yield
+      end
+    end
+
+    def double_trouble_form_nonce
+      ActiveSupport::SecureRandom.base64(32)
+    end
+
+    def protect_against_double_trouble?
+      allow_double_trouble_protection &&
+        double_trouble_resource_name &&
+        double_trouble_nonce_store &&
+        double_trouble_nonce_param
+    end
+  end
+end

data/lib/double_trouble/version.rb

@@ -0,0 +1,3 @@
+module DoubleTrouble
+  VERSION = "0.1.0"
+end

data/lib/double_trouble.rb

@@ -0,0 +1,15 @@
+require "active_support"
+require "action_pack"
+require "action_controller"
+require "action_controller/base"
+require "action_view"
+require "action_view/helpers/form_tag_helper"
+require "active_support/cache"
+
+require "double_trouble/errors"
+require "double_trouble/cached_nonce"
+require "double_trouble/form_tag_helper_hack"
+require "double_trouble/protection"
+require "double_trouble/version"
+
+ActionController::Base.send(:include, DoubleTrouble::Protection)

metadata

@@ -0,0 +1,120 @@
+--- !ruby/object:Gem::Specification 
+name: double_trouble
+version: !ruby/object:Gem::Version 
+  hash: 27
+  prerelease: false
+  segments: 
+  - 0
+  - 1
+  - 0
+  version: 0.1.0
+platform: ruby
+authors: 
+- "Jakub Ku\xC5\xBAma"
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-07-09 00:00:00 +02:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rails
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - "="
+      - !ruby/object:Gem::Version 
+        hash: 19
+        segments: 
+        - 2
+        - 3
+        - 8
+        version: 2.3.8
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: test-unit
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 2
+        - 0
+        version: "2.0"
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: mocha
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id003
+description: Adds nonces to your Rails' forms
+email: qoobaa@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- lib/double_trouble/errors.rb
+- lib/double_trouble/cached_nonce.rb
+- lib/double_trouble/form_tag_helper_hack.rb
+- lib/double_trouble/version.rb
+- lib/double_trouble/protection.rb
+- lib/double_trouble.rb
+- LICENSE
+- README.rdoc
+has_rdoc: true
+homepage: http://github.com/qoobaa/double_trouble
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 21
+      segments: 
+      - 1
+      - 3
+      - 7
+      version: 1.3.7
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: Adds nonces to your Rails' forms
+test_files: []
+