frikandel 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 5d21550e8f406f5cfadd7246e3a5b511e6719b2d
+  data.tar.gz: c205899f482cc2e2e6fc64f69070c7b5f4cdda59
+SHA512:
+  metadata.gz: 40977fc969914d45e38951d1bcd37577bb8376f8e8c9e13dbf56d2076194973409de535136ee6af30e3c31b5ab34f52b1350e630cc6723c179b0c131f8288b0b
+  data.tar.gz: 62eb2c7883e57b57c297db621bc5eccf42ab4f653a93ff7e7867fa7bc57d386c7765fd11914cdb5f954085c1aea8842d1a27dc33346598b30ebdd7b79334630c

data/.gitignore

@@ -0,0 +1,22 @@
+*.gem
+*.rbc
+.bundle
+.config
+.ruby-*
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+spec/dummy/log/
+.ruby-gemset
+.ruby-version

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format progress

data/.travis.yml

@@ -0,0 +1,7 @@
+language: ruby
+rvm:
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0
+  - jruby-19mode
+

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in frikandel.gemspec
+gemspec

data/Guardfile

@@ -0,0 +1,10 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+guard :rspec do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/lib/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+
+end
+

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Taktsoft
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,82 @@
+# Frikandel
+
+This Gem adds a TTL (Time To Live) Date to every cookie that your application sets. When the cookie has expired, the users session gets reset. This should help protect from Session-Fixation-Attacks.
+
+
+## Requirements
+
+Rails 3.2 and 4.x are currently supported.
+
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'frikandel'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+
+    $ gem install frikandel
+
+
+## Usage
+
+To activate frikandel's Session-Fixation-Protection for your application, you only need to include a module in your `ApplicationController`:
+
+```ruby
+class ApplicationController < ActionController::Base
+  include Frikandel::LimitSessionLifetime
+
+  # ...
+end
+```
+
+## Configuration
+
+To configure frikandel's TTL-values, you can add an initializer in `config/initializers` namend `frikandel.rb` and insert the following lines:
+
+```ruby
+Frikandel::Configuration.max_ttl = 2.days
+Frikandel::Configuration.ttl = 4.hours
+```
+
+The value at `Frikandel::Configuration.max_ttl` is the absolute value in seconds that a cookie is valid. In this example, all cookies will be invalidated after two days in all cases. This timestamp doesn't get refreshed.
+
+The second value `Frikandel::Configuration.ttl` states how long (in seconds) a session/cookie is valid, when the cookie timestamp gets not refreshed. The timestamp gets refrehed everytime a user visits the site.
+
+The default values are `24.hours` for `max_ttl` and `2.hours` for `ttl`. If you are okay with this settings, you don't need to create an initializer for frikandel.
+
+
+### Customize on_expired_session behavior
+
+You can also overwrite what should happen when a cookie times out on the controller-level. The default behaviour is to do a `reset_session` and `redirect_to root_path`. For example, if you want to overwrite the default behavior when a user is on the `PublicController`, you want to overwrite the `on_expired_session`-method in your controller:
+
+```ruby
+class PublicController < ApplicationController
+  def on_expired_session
+    raise "Your Session Has Expired! Oh No!"
+  end
+end
+```
+
+If you want to revert the original behavior in a sub-class of your `PublicController`, you simply re-alias the method to `original_on_expired_session` like this:
+
+```ruby
+class AdminController < PublicController
+  alias on_expired_session original_on_expired_session
+end
+```
+
+## Contributing
+1. Fork it
+2. Create your feature branch (git checkout -b my-new-feature)
+3. Commit your changes (git commit -am 'Add some feature')
+4. Push to the branch (git push origin my-new-feature)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,7 @@
+require "bundler/gem_tasks"
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new('spec')
+
+# If you want to make this the default task
+task :default => :spec

data/frikandel.gemspec

@@ -0,0 +1,31 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'frikandel/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "frikandel"
+  spec.version       = Frikandel::VERSION
+  spec.authors       = ["Taktsoft"]
+  spec.email         = ["developers@taktsoft.com"]
+  spec.summary       = %q{This gem adds a ttl to the session cookie of your application.}
+  spec.description   = spec.summary
+  spec.homepage      = "https://github.com/taktsoft/frikandel"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = Dir["spec/**/*"]
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.5"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "sqlite3" unless RUBY_PLATFORM == 'java'
+  spec.add_development_dependency "jdbc-sqlite3" if RUBY_PLATFORM == 'java'
+  spec.add_development_dependency "activerecord-jdbcsqlite3-adapter" if RUBY_PLATFORM == 'java'
+  spec.add_development_dependency "rspec-rails"
+  spec.add_development_dependency "guard-rspec"
+  spec.add_development_dependency "pry"
+
+  spec.add_dependency "rails", ['>= 3.2.0', '< 5.0']
+end

data/lib/frikandel.rb

@@ -0,0 +1,32 @@
+require "frikandel/version"
+require "frikandel/configuration"
+
+module Frikandel
+  module LimitSessionLifetime
+    extend ActiveSupport::Concern
+
+    included do
+      append_before_filter :validate_session_timestamp
+      append_after_filter :persist_session_timestamp
+    end
+
+  private
+
+    def validate_session_timestamp
+      if session.key?(:ttl) && session.key?(:max_ttl) && (session[:ttl] < Frikandel::Configuration.ttl.ago || session[:max_ttl] < Time.now)
+        on_expired_session
+      end
+    end
+
+    def persist_session_timestamp
+      session[:ttl] = Time.now
+      session[:max_ttl] ||= Frikandel::Configuration.max_ttl.from_now
+    end
+
+    def on_expired_session
+      reset_session
+      redirect_to root_path
+    end
+    alias original_on_expired_session on_expired_session
+  end
+end

data/lib/frikandel/configuration.rb

@@ -0,0 +1,19 @@
+module Frikandel
+  class Configuration
+    include Singleton
+    extend SingleForwardable
+
+    attr_accessor :ttl, :max_ttl
+
+    def_delegators :instance, :defaults!, :ttl, :ttl=, :max_ttl, :max_ttl=
+
+    def initialize
+      defaults!
+    end
+
+    def defaults!
+      self.ttl = 2.hours
+      self.max_ttl = 24.hours
+    end
+  end
+end

data/lib/frikandel/version.rb

@@ -0,0 +1,3 @@
+module Frikandel
+  VERSION = "1.0.0"
+end

data/spec/controllers/application_controller_spec.rb

@@ -0,0 +1,57 @@
+require "spec_helper"
+require "support/application_controller"
+
+describe ApplicationController do
+
+  it "holds the session for at least .1 seconds" do
+    get :home
+    session[:user_id] = 1337
+    sleep 0.1
+    get :home
+
+    session[:user_id].should be_present
+    session[:user_id].should eq 1337
+  end
+
+  it "destroys the session after SESSION_TTL" do
+    get :home
+    session[:user_id] = 2337
+    request.session[:ttl] = (Frikandel::Configuration.ttl + 1.minute).seconds.ago
+    get :home
+
+    session[:user_id].should be_blank
+  end
+
+  it "destroys the session after SESSION_MAX_TTL" do
+    get :home
+    session[:user_id] = 3337
+
+    request.session[:max_ttl] = 1.minute.ago
+    get :home
+
+    session[:user_id].should be_blank
+  end
+
+  it "works when there was no session in the request" do
+    get :home
+    session[:user_id] = 4337
+    request.session = nil
+    get :home
+
+    session[:user_id].should be_blank
+  end
+
+  it "is configurable" do
+    old_value = Frikandel::Configuration.ttl
+    Frikandel::Configuration.ttl = 1.minute
+    get :home
+    session[:ttl] = 30.minutes.ago
+    session[:user_id] = 5337
+
+    get :home
+    session[:user_id].should be_blank
+
+    Frikandel::Configuration.ttl = old_value
+  end
+
+end

data/spec/controllers/customized_on_expired_cookie_controller_spec.rb

@@ -0,0 +1,39 @@
+require "spec_helper"
+require "support/application_controller"
+
+class SessionExpiredError < StandardError; end
+
+class CustomizedOnExpiredSessionController < ApplicationController
+  def on_expired_session
+    raise SessionExpiredError.new("Your Session is DEAD!")
+  end
+  alias my_on_expired_session on_expired_session
+end
+
+describe CustomizedOnExpiredSessionController do
+
+  it "uses the overwritten on_expired_cookie function" do
+    get :home
+    request.session[:max_ttl] = 1.minute.ago
+
+    expect { get :home }.to raise_error SessionExpiredError
+  end
+
+  it "can revert the on_expired_cookie function back to the original" do
+    # NOTE: Don't confuse original_on_expired_session with my_on_expired_session!
+    class CustomizedOnExpiredSessionController < ApplicationController
+      alias on_expired_session original_on_expired_session # Setting it to the Gems original
+    end
+
+    get :home
+    request.session[:max_ttl] = 1.minute.ago
+
+    begin
+      expect { get :home }.to_not raise_error
+    ensure
+      class CustomizedOnExpiredSessionController < ApplicationController
+        alias on_expired_session my_on_expired_session # Reverting it back to the Customized function thats defined in this test
+      end
+    end
+  end
+end

data/spec/dummy/README.rdoc

@@ -0,0 +1,28 @@
+== README
+
+This README would normally document whatever steps are necessary to get the
+application up and running.
+
+Things you may want to cover:
+
+* Ruby version
+
+* System dependencies
+
+* Configuration
+
+* Database creation
+
+* Database initialization
+
+* How to run the test suite
+
+* Services (job queues, cache servers, search engines, etc.)
+
+* Deployment instructions
+
+* ...
+
+
+Please feel free to use a different markup language if you do not plan to run
+<tt>rake doc:app</tt>.

data/spec/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Dummy::Application.load_tasks

data/spec/dummy/app/assets/javascripts/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/sstephenson/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/spec/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1,13 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the top of the
+ * compiled file, but it's generally better to create a new file per style scope.
+ *
+ *= require_self
+ *= require_tree .
+ */

data/spec/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,5 @@
+class ApplicationController < ActionController::Base
+  # Prevent CSRF attacks by raising an exception.
+  # For APIs, you may want to use :null_session instead.
+  protect_from_forgery with: :exception
+end