global_session 3.2.1 → 3.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fe9830dded408fa5a939935b137d93c43e6b3dde
-  data.tar.gz: 50eacb0893c75b8344aa48c43cea959a33755b1b
+  metadata.gz: d83ba1f6c19528e40345cc22eec6ae2563449877
+  data.tar.gz: f27293a41104efc18b42e50419741ec805ba2d6d
 SHA512:
-  metadata.gz: d5d6e4ad5700e5b7a3ff95a23f256305f3ca09f9b7e3c664ad64f9ac6138aed97a627f07d19fd04e98040b6ca6e1cab9717aefb8ce7ed91e790f7f7efaf9ded3
-  data.tar.gz: dcc7dcb1e4ac1e2f197819ebd0e666f0219dc96abe7cfa32f440a453f95d74db63113ee6fecf82edc07ca86645f9fa9b62b28cfea73dc4763806dae030a3ad1c
+  metadata.gz: fa6d5e4bf3e3ced8c5f1377012156ab7102044f6df16d415bebc122bffefaad571318a5f3f0924545463178ae72e605e8b0870d59c2030e9ccab53b7ea1de03d
+  data.tar.gz: 84e1237cd3e053eee017d4d545630a88c801163c90451d97018ae7f74ad78877773c1bf684cf74bce81f1759ea761b68fa9a75b56c99cb128cab9ca228124aeb

data/CHANGELOG.md

@@ -1,4 +1,4 @@
-3.2.1 (pending)
+3.2.1 (2015-07-10)
 ---------------
 
 Fixed a bug with automatic cookie renewal; cookies were not being renewed unless

data/Rakefile

@@ -33,6 +33,7 @@ if require_succeeds? 'jeweler'
     gem.description = %Q{This Rack middleware allows several web apps in an authentication domain to share session state, facilitating single sign-on in a distributed web app. It only provides session sharing and does not concern itself with authentication or replication of the user database.}
     gem.email = "support@rightscale.com"
     gem.authors = ['Tony Spataro']
+    gem.required_ruby_version = '~> 2.0'
     gem.files.exclude 'Gemfile*'
     gem.files.exclude 'features/**/*'
     gem.files.exclude 'fixtures/**/*'

data/VERSION

@@ -1 +1 @@
-3.2.1
+3.2.2

data/global_session.gemspec

@@ -2,16 +2,16 @@
 # DO NOT EDIT THIS FILE DIRECTLY
 # Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
-# stub: global_session 3.2.1 ruby lib
+# stub: global_session 3.2.2 ruby lib
 
 Gem::Specification.new do |s|
   s.name = "global_session"
-  s.version = "3.2.1"
+  s.version = "3.2.2"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.require_paths = ["lib"]
   s.authors = ["Tony Spataro"]
-  s.date = "2015-07-10"
+  s.date = "2015-09-10"
   s.description = "This Rack middleware allows several web apps in an authentication domain to share session state, facilitating single sign-on in a distributed web app. It only provides session sharing and does not concern itself with authentication or replication of the user database."
   s.email = "support@rightscale.com"
   s.extra_rdoc_files = [
@@ -21,7 +21,7 @@ Gem::Specification.new do |s|
   s.files = [
     ".ruby-version",
     ".travis.yml",
-    "CHANGELOG.rdoc",
+    "CHANGELOG.md",
     "LICENSE",
     "README.rdoc",
     "Rakefile",
@@ -51,6 +51,7 @@ Gem::Specification.new do |s|
   ]
   s.homepage = "https://github.com/rightscale/global_session"
   s.licenses = ["MIT"]
+  s.required_ruby_version = Gem::Requirement.new("~> 2.0")
   s.rubygems_version = "2.2.3"
   s.summary = "Secure single-domain session sharing plugin for Rack and Rails."
 

data/lib/global_session/rack.rb

@@ -19,6 +19,7 @@
 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+
 require File.expand_path(File.join(File.dirname(__FILE__), "..", "global_session"))
 
 # Make sure the namespace exists, to satisfy Rails auto-loading
@@ -105,8 +106,18 @@ module GlobalSession
         @cookie_name      = @configuration['cookie']['name']
       end
 
-      # Rack request chain. Sets up the global session ticket from
-      # the environment and passes it up the chain.
+      # Rack request chain. Parses a global session from the request if present;
+      # makes a new session if absent; populates env['global_session'] with the
+      # session object and calls through to the next middleware.
+      #
+      # On return, auto-renews the session if appropriate and writes a new
+      # session cookie if anything in the session has changed.
+      #
+      # When reading session cookies or authorization headers, this middleware
+      # URL-decodes cookie/token values before passing them into the gem's
+      # other logic. Some user agents and proxies "helpfully" URL-encode cookies
+      # which we need to undo in order to prevent subtle signature failures due
+      # to Base64 decoding issues resulting from "=" being URL-encoded.
       #
       # @return [Array] valid Rack response tuple e.g. [200, 'hello world']
       # @param [Hash] env Rack request environment
@@ -163,7 +174,7 @@ module GlobalSession
         if header_data && header_data.size == 2 && header_data.first.downcase == 'bearer'
           env['global_session.req.renew']  = false
           env['global_session.req.update'] = false
-          env['global_session']            = @directory.load_session(header_data.last)
+          env['global_session']            = @directory.load_session(CGI.unescape(header_data.last))
           true
         else
           false
@@ -176,10 +187,11 @@ module GlobalSession
       # @param [Hash] env Rack request environment
       def read_cookie(env)
         if @cookie_retrieval && (cookie = @cookie_retrieval.call(env))
-          env['global_session'] = @directory.load_session(cookie)
+          env['global_session'] = @directory.load_session(CGI.unescape(cookie))
           true
         elsif env['rack.cookies'].has_key?(@cookie_name)
-          env['global_session'] = @directory.load_session(env['rack.cookies'][@cookie_name])
+          cookie = env['rack.cookies'][@cookie_name]
+          env['global_session'] = @directory.load_session(CGI.unescape(cookie))
           true
         else
           false

data/lib/global_session/rails/action_controller_instance_methods.rb

@@ -142,7 +142,7 @@ module GlobalSession
 
         logger.info(request_id)
 
-        parameters = respond_to?(:filter_parameters) ? filter_parameters(params) : params.dup
+        parameters = respond_to?(:filter_parameters, true) ? filter_parameters(params) : params.dup
         parameters = parameters.except!(:controller, :action, :format, :_method)
 
         logger.info "  Parameters: #{parameters.inspect}" unless parameters.empty?

data/lib/global_session/session/v1.rb

@@ -66,7 +66,7 @@ module GlobalSession::Session
               'tc' => @created_at.to_i, 'te' => @expired_at.to_i,
               'ds' => @signed}
 
-      if @signature && !@dirty_secure
+      if @signature && !dirty?
         #use cached signature unless we've changed secure state
         authority = @authority
       else
@@ -170,16 +170,6 @@ module GlobalSession::Session
       return value
     end
 
-    # Renews this global session, changing its expiry timestamp into the future.
-    # Causes a new signature will be computed when the session is next serialized.
-    #
-    # === Return
-    # true:: Always returns true
-    def renew!(expired_at=nil)
-      super(expired_at)
-      @dirty_secure = true
-    end
-
     # Return the SHA1 hash of the most recently-computed RSA signature of this session.
     # This isn't really intended for the end user; it exists so the Web framework integration
     # code can optimize request speed by caching the most recently verified signature in the

data/lib/global_session/session/v2.rb

@@ -67,7 +67,7 @@ module GlobalSession::Session
               'tc' => @created_at.to_i, 'te' => @expired_at.to_i,
               'ds' => @signed}
 
-      if @signature && !@dirty_secure
+      if @signature && !dirty?
         #use cached signature unless we've changed secure state
         authority = @authority
       else
@@ -171,16 +171,6 @@ module GlobalSession::Session
       return value
     end
 
-    # Renews this global session, changing its expiry timestamp into the future.
-    # Causes a new signature will be computed when the session is next serialized.
-    #
-    # === Return
-    # true:: Always returns true
-    def renew!(expired_at=nil)
-      super(expired_at)
-      @dirty_secure = true
-    end
-
     # Return the SHA1 hash of the most recently-computed RSA signature of this session.
     # This isn't really intended for the end user; it exists so the Web framework integration
     # code can optimize request speed by caching the most recently verified signature in the

data/lib/global_session/session/v3.rb

@@ -130,7 +130,7 @@ module GlobalSession::Session
               'tc' => @created_at.to_i, 'te' => @expired_at.to_i,
               'ds' => @signed}
 
-      if @signature && !@dirty_secure
+      if @signature && !dirty?
         #use cached signature unless we've changed secure state
         authority = @authority
       else
@@ -235,16 +235,6 @@ module GlobalSession::Session
       return value
     end
 
-    # Renews this global session, changing its expiry timestamp into the future.
-    # Causes a new signature will be computed when the session is next serialized.
-    #
-    # === Return
-    # true:: Always returns true
-    def renew!(expired_at=nil)
-      super(expired_at)
-      @dirty_secure = true
-    end
-
     # Return the SHA1 hash of the most recently-computed RSA signature of this session.
     # This isn't really intended for the end user; it exists so the Web framework integration
     # code can optimize request speed by caching the most recently verified signature in the

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: global_session
 version: !ruby/object:Gem::Version
-  version: 3.2.1
+  version: 3.2.2
 platform: ruby
 authors:
 - Tony Spataro
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-07-10 00:00:00.000000000 Z
+date: 2015-09-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json
@@ -178,9 +178,9 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - "~>"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="