faraday_csrf 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 9e3c3f8f9e0e8bce5cf6e116ec115c2741ee1e44
+  data.tar.gz: fd5624762051970efca4212b3e6022b3332af389
+SHA512:
+  metadata.gz: 9aa73632ba3154af1acb07d4788de366b69df48af51894d494ce9cf35015daaa84244b85833e740b8e1980c34e702ff4d52a5819c6958ecb14386829ebd1f681
+  data.tar.gz: 04ab1e08705cf52287375721f8a9207a27d05fcfc467f9f890f7dea5658822c8c4088668965eb748263fc769f0a10bea7e40643c8007c460f09dcddc9db50b31

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/vcr_cassettes

data/.rspec

@@ -0,0 +1,3 @@
+--color
+--require spec_helper
+--order rand

data/.rubocop.yml

@@ -0,0 +1,17 @@
+Style/MethodDefParentheses:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/SignalException:
+  Enabled: false
+
+Style/MultilineOperationIndentation:
+  Enabled: false
+
+Style/RaiseArgs:
+  EnforcedStyle: compact
+
+Style/IfUnlessModifier:
+  Enabled: false

data/.ruby-version

@@ -0,0 +1 @@
+ruby-2.2.2

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.2.2
+before_install: gem install bundler -v 1.10.5

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in faraday_csrf.gemspec
+gemspec

data/README.md

@@ -0,0 +1,43 @@
+[![Build Status](https://travis-ci.org/unmanbearpig/faraday_csrf.svg?branch=master)](https://travis-ci.org/unmanbearpig/faraday_csrf)
+[![Code Climate](https://codeclimate.com/github/unmanbearpig/faraday_csrf/badges/gpa.svg)](https://codeclimate.com/github/unmanbearpig/faraday_csrf)
+
+# Faraday CSRF middleware
+
+Transparently handles Rails (and maybe not only Rails) CSRF protection, in case you need to send requests to an app that doesn't provide an API.
+It tries to extract a CSRF token from each request and later inserts it into (POST, PUT, DELETE, etc.) requests that probably require it.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'faraday_csrf'
+```
+You need to add it to your stack, you would also need a cookie_jar
+(gem 'faraday-cookie_jar').
+
+
+## Usage
+
+Create a Faraday connection like this:
+
+```ruby
+conn = Faraday.new url: 'https://a-rails-app.example.com/' do |conn|
+  conn.use :csrf
+  conn.request :url_encoded
+  conn.use :cookie_jar
+  conn.adapter Faraday.default_adapter
+end
+```
+
+When you would make a get request, the CSRF thingy would try to
+parse the page and extract the token from it.
+When you make a POST request after that, it would add the token to it.
+
+You have to use faraday-cookie_jar gem for handling cookies, and use :url_encoded middleware or something of that nature to allow this middleware to insert tokens.
+
+You can get the token it extracted by accessing response_env[:csrf_token].
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/unmanbearpig/faraday_csrf.

data/Rakefile

@@ -0,0 +1,9 @@
+require "bundler/gem_tasks"
+
+begin
+  require 'rspec/core/rake_task'
+  RSpec::Core::RakeTask.new(:spec)
+
+  task :default => :spec
+rescue LoadError
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "faraday_csrf"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/faraday_csrf.gemspec

@@ -0,0 +1,32 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'faraday_csrf/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "faraday_csrf"
+  spec.version       = FaradayCsrf::VERSION
+  spec.authors       = ["unmanbearpig"]
+  spec.email         = ["unmanbearpig@gmail.com"]
+
+  spec.summary       = %q{Faraday middleware that automatically adds CSRF tokens to requests}
+  spec.homepage      = 'https://github.com/unmanbearpig/faraday_csrf'
+
+  spec.description   = "Transparently handles Rails (and maybe not only Rails) CSRF protection, in case you need to send requests to an app that doesn't provide an API"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+  spec.add_dependency "faraday"
+  spec.add_dependency "nokogiri"
+
+
+  spec.add_development_dependency "bundler", "> 1.9"
+  spec.add_development_dependency "rake", "~> 10.4.2"
+  spec.add_development_dependency "rspec", "~> 3.3"
+  spec.add_development_dependency "rspec-expectations", "~> 3.3"
+  spec.add_development_dependency "webmock", "~> 1.21"
+  spec.add_development_dependency "vcr", "~> 2.9"
+  spec.add_development_dependency "faraday-cookie_jar", "~> 0.0.6"
+end

data/lib/faraday_csrf/creates_token_handler.rb

@@ -0,0 +1,46 @@
+require 'faraday_csrf/token_handler'
+require 'faraday_csrf/token_extractors/first_successful_extractor'
+require 'faraday_csrf/token_extractors/meta_tag_regex_extractor'
+require 'faraday_csrf/token_extractors/meta_tag_nokogiri_extractor'
+
+module Faraday
+  class CSRF
+    class CreatesTokenHandler
+      def initialize(app:, fetch_token_from_url: nil)
+        @app = app
+        @fetch_token_from_url = fetch_token_from_url
+      end
+
+      def self.create *args
+        new(*args).token_handler
+      end
+
+      def token_handler
+        TokenHandler.new extractor: extractor,
+                         injector: injector,
+                         fetcher: fetcher
+      end
+
+      def extractors_to_try
+        [MetaTagRegexExtractor,
+         MetaTagNokogiriExtractor]
+      end
+
+      def extractor
+        FirstSuccessfulExtractor.new(extractors_to_try)
+      end
+
+      def injector
+        InjectsTokenIntoBody.new
+      end
+
+      def fetcher
+        if @fetch_token_from_url
+          TokenFetcher.new app: @app, url: @fetch_token_from_url
+        else
+          Proc.new {}
+        end
+      end
+    end
+  end
+end

data/lib/faraday_csrf/injects_token_into_body.rb

@@ -0,0 +1,37 @@
+require 'faraday_csrf/token'
+
+module Faraday
+  class CSRF
+    class InjectsTokenIntoBody
+      class MissingToken < Exception
+      end
+
+      DEFAULT_IGNORE_METHODS = [:get, :head]
+
+      attr_reader :ignore_methods
+
+      def initialize(ignore_methods: DEFAULT_IGNORE_METHODS)
+        @ignore_methods  = ignore_methods
+      end
+
+      def inject(token, into:)
+        return unless should_inject?(into)
+
+        raise MissingToken unless token
+
+        inject!(token, env: into)
+      end
+
+      def inject!(token, env:)
+        env.body.merge! token.to_h
+        token.expire!
+      end
+
+      def should_inject? env
+        return false if ignore_methods.include?(env.method)
+        return false unless env.body.respond_to? :merge!
+        true
+      end
+    end
+  end
+end

data/lib/faraday_csrf/token.rb

@@ -0,0 +1,55 @@
+require 'faraday'
+
+module Faraday
+  class CSRF
+    class Token
+      class NotFound < RuntimeError; end
+
+      attr_reader :name, :value
+      protected :name, :value
+
+      def initialize(name: nil, value:)
+        unless value
+          raise ArgumentError.new 'Token must have a value'
+        end
+
+        @name = name || self.class.default_name
+        @value = value
+        @expired = false
+      end
+
+      def self.default_name
+        'authenticity_token'
+      end
+
+      def expire!
+        @name = nil
+        @value = nil
+        @expired = true
+        self
+      end
+
+      def expired?
+        @expired
+      end
+
+      def ==(other)
+        name == other.name &&
+          value == other.value &&
+          expired? == other.expired?
+      end
+
+      alias_method :to_s, :value
+
+      def inspect
+        return "CSRF::Token(~expired~)" if expired?
+        "CSRF::Token('#{name}' => '#{value}')"
+      end
+
+      def to_h
+        return {} if expired?
+        { name => value }
+      end
+    end
+  end
+end

data/lib/faraday_csrf/token_extractors/first_successful_extractor.rb

@@ -0,0 +1,36 @@
+require 'faraday_csrf/token'
+
+module Faraday
+  class CSRF
+    class FirstSuccessfulExtractor
+      attr_reader :extractors
+
+      def initialize(extractors_to_try)
+        @extractors = extractors_to_try
+        unless extractors.any?
+          raise ArgumentError.new "Pass at least one extractor into FirstSuccessfulExtractor"
+        end
+      end
+
+      def extract_from input_data
+        results = extractors.lazy
+                  .map { |x| call_it x, input_data }
+                  .reject(&:nil?)
+
+        if results.any?
+          results.first
+        else
+          raise Token::NotFound.new "None of the extractors #{extractors} could find a token"
+        end
+      end
+
+      private
+
+      def call_it extractor, input_data
+        extractor.extract_from(input_data)
+      rescue Token::NotFound
+        # just skip it
+      end
+    end
+  end
+end

data/lib/faraday_csrf/token_extractors/meta_tag_nokogiri_extractor.rb

@@ -0,0 +1,19 @@
+require 'faraday_csrf/token_extractors/nokogiri_extractor'
+
+module Faraday
+  class CSRF
+    class MetaTagNokogiriExtractor < NokogiriExtractor
+      protected
+
+      def name
+        find('meta[name=csrf-param]').attr('content').text
+      rescue Token::NotFound
+        nil
+      end
+
+      def value
+        find('meta[name=csrf-token]').attr('content').text
+      end
+    end
+  end
+end

data/lib/faraday_csrf/token_extractors/meta_tag_regex_extractor.rb

@@ -0,0 +1,58 @@
+require 'faraday_csrf/token'
+
+module Faraday
+  class CSRF
+    # Much faster than using Nokogiri
+    # use it in combination with Nokogiri extractor,
+    # since it might be not as robust
+    class MetaTagRegexExtractor
+      attr_reader :html
+
+      class ExtractionError < RuntimeError; end
+
+      def initialize(html)
+        @html = html
+      end
+
+      def value
+        content_from_meta_tag('csrf-token')
+      end
+
+      def name
+        content_from_meta_tag('csrf-param')
+      rescue ExtractionError
+        nil
+      end
+
+      def token
+        Token.new value: value, name: name
+      rescue RuntimeError
+        raise Token::NotFound.new 'Could not find CSRF token'
+      end
+
+      private
+
+      def content_from_meta_tag tag_name
+        content_from_tag(find_meta_tag(tag_name))
+      end
+
+      def find_meta_tag(name)
+        html.match(/<meta [^>]*name="#{name}"[^>]+>/)[0]
+      rescue NoMethodError
+        raise ExtractionError.new "Could not find meta tag with name '#{name}'"
+      end
+
+      def content_from_tag token_string
+        token_string.match(/ content="([^"]+)"/)[1]
+      rescue NoMethodError
+        raise ExtractionError.new "Could not find content inside the html tag '#{token_string}'"
+      end
+
+      class << self
+        def extract_from html
+          new(html).token
+        end
+      end
+    end
+  end
+end

data/lib/faraday_csrf/token_extractors/nokogiri_extractor.rb

@@ -0,0 +1,44 @@
+require 'nokogiri'
+
+module Faraday
+  class CSRF
+    class NokogiriExtractor
+      attr_reader :document
+      protected :document
+
+      def initialize(document)
+        @document = document
+      end
+
+      def self.extract_from html
+        new(Nokogiri::HTML(html)).token
+      end
+
+      def token
+        Token.new name: name,
+                  value: value
+      end
+
+      protected
+
+      def name
+        raise NotImplementedError
+      end
+
+      def value
+        raise NotImplementedError
+      end
+
+      def find(css)
+        search_result = document.css(css)
+
+        unless search_result.any?
+          raise Token::NotFound.new(
+                  "Could not find element with selector '#{css}'")
+        end
+
+        search_result
+      end
+    end
+  end
+end

data/lib/faraday_csrf/token_fetcher.rb

@@ -0,0 +1,20 @@
+module Faraday
+  class CSRF
+    class TokenFetcher
+      def initialize(app:, url:)
+        @app = app
+        @url = url
+      end
+
+      def call request_env
+        new_env = request_env.dup
+        new_env.url = request_env.url.dup
+        new_env.url.path = @url
+
+        new_env.method = :get
+
+        @app.call(new_env)
+      end
+    end
+  end
+end

data/lib/faraday_csrf/token_handler.rb

@@ -0,0 +1,29 @@
+require "faraday_csrf/token_fetcher"
+require "faraday_csrf/injects_token_into_body"
+
+module Faraday
+  class CSRF
+    class TokenHandler
+      attr_accessor :token
+
+      def initialize(extractor:, injector:, fetcher:)
+        @extractor = extractor
+        @injector = injector
+        @fetcher = fetcher
+      end
+
+      def handle_request request_env
+        @injector.inject(@token, into: request_env)
+      rescue InjectsTokenIntoBody::MissingToken
+        @fetcher.call request_env
+        retry
+      end
+
+      def handle_response response_env
+        @token = @extractor.extract_from(response_env.body)
+      rescue Token::NotFound
+        nil
+      end
+    end
+  end
+end

data/lib/faraday_csrf/version.rb

@@ -0,0 +1,3 @@
+module FaradayCsrf
+  VERSION = "0.1.0"
+end

data/lib/faraday_csrf.rb

@@ -0,0 +1,27 @@
+require "faraday_csrf/version"
+require 'faraday_csrf/creates_token_handler'
+
+module Faraday
+  class CSRF
+    attr_reader :app
+
+    def initialize(app, options = {})
+      @app = app
+      @handler = options.fetch(:token_handler) do
+        CreatesTokenHandler.create(options.merge(app: self))
+      end
+    end
+
+    def call request_env
+      @handler.handle_request request_env
+
+      app.call(request_env).on_complete do |response_env|
+        @handler.handle_response response_env
+      end
+    end
+  end
+end
+
+if Faraday::Middleware.respond_to? :register_middleware
+  Faraday::Middleware.register_middleware :csrf => Faraday::CSRF
+end

metadata

@@ -0,0 +1,193 @@
+--- !ruby/object:Gem::Specification
+name: faraday_csrf
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- unmanbearpig
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2015-10-28 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: nokogiri
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 10.4.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 10.4.2
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+- !ruby/object:Gem::Dependency
+  name: rspec-expectations
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.21'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.21'
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.9'
+- !ruby/object:Gem::Dependency
+  name: faraday-cookie_jar
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.6
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.0.6
+description: Transparently handles Rails (and maybe not only Rails) CSRF protection,
+  in case you need to send requests to an app that doesn't provide an API
+email:
+- unmanbearpig@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".ruby-version"
+- ".travis.yml"
+- Gemfile
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- faraday_csrf.gemspec
+- lib/faraday_csrf.rb
+- lib/faraday_csrf/creates_token_handler.rb
+- lib/faraday_csrf/injects_token_into_body.rb
+- lib/faraday_csrf/token.rb
+- lib/faraday_csrf/token_extractors/first_successful_extractor.rb
+- lib/faraday_csrf/token_extractors/meta_tag_nokogiri_extractor.rb
+- lib/faraday_csrf/token_extractors/meta_tag_regex_extractor.rb
+- lib/faraday_csrf/token_extractors/nokogiri_extractor.rb
+- lib/faraday_csrf/token_fetcher.rb
+- lib/faraday_csrf/token_handler.rb
+- lib/faraday_csrf/version.rb
+homepage: https://github.com/unmanbearpig/faraday_csrf
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: Faraday middleware that automatically adds CSRF tokens to requests
+test_files: []
+has_rdoc: