RubyGems - file-rack - Versions diffs - 1.0.0 - Mend

file-rack 1.0.0

Files changed (3) hide show

checksums.yaml ADDED

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 9248733450c739c3a357513ae258df3041656687
+  data.tar.gz: e4a605b6a64f1e141015ab74a9e86e520682a6f5
+SHA512:
+  metadata.gz: a7d3d5db06550f5b1236c4b1baf524e92667602582fe9aaf69bf4c80d9eb9ff5529315fb0e3a08c0c110cd3b39d561689c94fe6b819d9397aeae78b7edaa115b
+  data.tar.gz: '00296450b26275e88bcd05621721c1f8fd90d31956d1b24d56798d1fca3635dab6724e82cdbf74b38e2384e281f561b0d48f08d19d23a367952207ea0c2c904d'

data/lib/rack/session/file.rb ADDED

@@ -0,0 +1,188 @@
+require 'pstore'
+require 'tmpdir'
+require 'openssl'
+require 'rack/request'
+require 'rack/response'
+require 'rack/session/abstract/id'
+module Rack
+  module Session
+    # Rack::Session::File provides simple filed based session management.
+    # By default, the session is stored in /tmp while cookie holds only
+    # session id.
+    #
+    # When the :secret key is set (recommended), cookie data is checked
+    # for data integrity. The :old_secret key is also accepted allowing
+    # smooth secret rotation.
+    #
+    # Garbage collection is controlled via :gc_probability and :gc_maxlife.
+    # Every call to write_session, garbage collector is called with probability
+    # of :gc_probability. It scans :dir for sessions files and deletes ones
+    # with mtime older than :gc_maxlife.
+    #
+    # Supported options for constructor are:
+    #
+    #   :dir            directory into which save sessions
+    #   :prefix         session file prefix
+    #   :key            under what cookie save the session_id
+    #   :domain         domain should the session_id cookie is valid for
+    #   :path           path the session_id cookie is valid for
+    #   :expire_after   session_id cookie expires after this seconds
+    #   :secret         secret to use for integrity check
+    #   :old_secret     secret previously used, allowing smooth secret rotation
+    #
+    #   :gc_probability probability of gc to run, in interval [0; 1]
+    #   :gc_maxlife     how old (in seconds) session files should be cleaned up
+    #
+    # Default values:
+    #
+    #   :dir            File.join(Dir.tmpdir(), 'file-rack')
+    #   :prefix         'file-rack-session-'
+    #   :key            rack.session
+    #   :domain         nil
+    #   :path           nil
+    #   :expire_after   nil
+    #   :secret         nil
+    #   :old_secret     nil
+    #   :gc_probability 0.01
+    #   :gc_maxlife     1200
+    #
+    # Example:
+    #
+    #   use Rack::Session::File, dir: '/tmp',
+    #                            prefix: 'session-',
+    #
+    #   All parameters are optional.
+    class File < Abstract::Persisted
+      SESSION_ID = 'session_id'.freeze
+      def initialize(app, options = {})
+        @secrets = options.values_at(:secret, :old_secret).compact
+        @hmac = options.fetch(:hmac, OpenSSL::Digest::SHA1)
+        @dir = options[:dir] || ::File.join(Dir.tmpdir(), 'file-rack')
+        @prefix = options[:prefix] || 'file-rack-session-'
+        FileUtils.mkdir_p @dir
+        @gc_probability = options[:gc_probability] || 0.01
+        @gc_maxlife = options[:gc_maxlife] || 1200
+        warn <<~MSG unless secure?(options)
+          SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
+          This poses a security threat. It is strongly recommended that you
+          provide a secret to prevent exploits that may be possible from crafted
+          cookies. This will not be supported in future versions of Rack, and
+          future versions will even invalidate your existing user cookies.
+          Called from: #{caller[0]}.
+        MSG
+        super(app, options.merge!(cookie_only: false))
+      end
+      private
+      def find_session(req, sid)
+        data = load_data(req)
+        data = persistent_session_id(data)
+        [data[SESSION_ID], data]
+      end
+      def write_session(req, session_id, session, options)
+        if options[:renew]
+          session[SESSION_ID] = generate_sid
+        end
+        store = PStore.new(path_for_sid(session_id))
+        store.transaction { store[:session] = session }
+        try_gc_run!
+        if @secrets.first
+          "#{session_id}--#{generate_hmac(session_id, @secrets.first)}"
+        else
+          session_id
+        end
+      end
+      def delete_session(req, session_id, options)
+        begin
+          File.delete(path_for_sid(session_id))
+        rescue => e
+          warn "Cannot delete session #{session_id}: #{e}"
+        end
+        unless options[:drop]
+          generate_sid
+        else
+          nil
+        end
+      end
+      def load_data(req)
+        sid = req.cookies[@key]
+        if @secrets.size > 0 and sid
+          sid, digest = sid.split('--', 2)
+          sid = nil unless digest_match?(sid, digest)
+        end
+        if sid
+          store = PStore.new(path_for_sid(sid), read_only: true)
+          store.transaction { store[:session] }
+        else
+          {}
+        end
+      end
+      def persistent_session_id(data, sid = nil)
+        data ||= {}
+        data[SESSION_ID] ||= sid
+        unless data[SESSION_ID]
+          begin
+            data[SESSION_ID] = generate_sid
+          end while ::File.exist? path_for_sid(data[SESSION_ID])
+        end
+        data
+      end
+      def path_for_sid(sid)
+        ::File.join @dir, "#{@prefix}#{sid}"
+      end
+      def digest_match?(data, digest)
+        return unless data && digest
+        @secrets.any? do |secret|
+          Rack::Utils.secure_compare(digest, generate_hmac(data, secret))
+        end
+      end
+      def generate_hmac(data, secret)
+        OpenSSL::HMAC.hexdigest(@hmac.new, secret, data)
+      end
+      def secure?(options)
+        @secrets.size >= 1
+      end
+      def try_gc_run!
+        return unless Random.rand < @gc_probability
+        threshold = Time.now - @gc_maxlife
+        Dir.chdir(@dir) do
+          Dir.entries(@dir).each do |entry|
+            next unless entry[/#{@prefix}/]
+            begin
+              ::File.delete(entry) if ::File.mtime(entry) < threshold
+            rescue => e
+              warn "Cannot delete session file #{entry}: #{e}"
+            end
+          end
+        end
+      end
+    end
+  end
+end

metadata ADDED

@@ -0,0 +1,60 @@
+--- !ruby/object:Gem::Specification
+name: file-rack
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Gray Wolf
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2017-10-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: 'File-based rack session mechanism keeping only session_id in the cookie.
+'
+email: file-rack@wolfsden.cz
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/rack/session/file.rb
+homepage: https://rubygems.org/gems/file-rack
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.13
+signing_key:
+specification_version: 4
+summary: File-based rack session mechanism
+test_files: []