gloo 3.6.2 → 3.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5821f97e00507549b9270307c7965649e57f9b2db2ddca0c443fa5705fe4e50
-  data.tar.gz: 31fc695bb6f0e367cc8a034a35c6548eb958db3946f874b80bde1748c9691c6f
+  metadata.gz: 0c8d357cda5602195adcfddc50c58705d34670b6ac01848eb8a1d66243571356
+  data.tar.gz: 86687c8e18f4843dc9bca97111e140c26750479fce8619341a902284dde5a573
 SHA512:
-  metadata.gz: 6ca5dcd7554a5f640a8ec16512de56bfe76638de1a87f7267fafd57b727cb3a3044d77ad0f099cb4d390c90ec8b0dd6e30b3ce7eb3875731c2082fb6ba626f43
-  data.tar.gz: 99acc770c29d36ed41e117f5b0ca4ceb20dcefa6bb6115d16116f890502dcdf8cae49f92cbb1ce4724261939be602edab8e516519a3dfddc9c6a5e3aa5f48c99
+  metadata.gz: baa186fd096e79a6152b7c287e23048a4b2fa67af5aa5db1c4e860918f42477b75e52fabbae8309506adfa32a77f5616bc2c4f4b22b6972142cb3977c9c965c9
+  data.tar.gz: 8467cf3db96cd931cad4dc06910a4933c65284b25675a3f884e17d5639cb8b3d9b50ff8bd1c171d329f318317390e715a9a5af62dceed681509fe336d28c3439

data/lib/VERSION

@@ -1 +1 @@
-3.6.2
+3.8.0

data/lib/VERSION_NOTES

@@ -1,3 +1,16 @@
+3.8.0 - 2025.01.23
+- Fixes issue with sessions
+- Adds authenticity token tag and supporting session id and validation
+
+
+
+3.7.0 - 2025.01.09
+ - Adds File message to get SHA256 hash
+ - Asset Fingerprinting
+ - Adds message to web app to show assets (in the terminal)
+ - Adds asset helper tags
+
+
 3.6.2 - 2024.12.19
  - Bug fix for URI open
 

data/lib/gloo/app/platform.rb

@@ -12,6 +12,7 @@ module Gloo
     class Platform
 
       DEFAULT_TMP_FILE = 'tmp.txt'.freeze
+      RETURN = "\n".freeze
 
       attr_reader :prompt, :table
 

data/lib/gloo/objs/security/csrf_token.rb

@@ -0,0 +1,72 @@
+# Author::    Eric Crane  (mailto:eric.crane@mac.com)
+# Copyright:: Copyright (c) 2025 Eric Crane.  All rights reserved.
+#
+# Helper class to generate and verify a csrf token.
+#
+require 'securerandom'
+require 'base64'
+require 'active_support/security_utils'
+
+module Gloo
+  module Objs
+    class CsrfToken
+
+      TOKEN_LENGTH = 32
+      AUTHENTICITY_TOKEN = 'authenticity_token'.freeze
+
+      # 
+      # Generate a random token
+      #
+      def self.generate_csrf_token
+        SecureRandom.base64( TOKEN_LENGTH ) 
+      end
+
+      # 
+      # Generate a masked token.
+      #
+      def self.mask_token( base_token )
+        one_time_pad = SecureRandom.random_bytes( base_token.bytesize )
+        masked_token = one_time_pad.bytes.zip( base_token.bytes ).map { |a, b| a ^ b }.pack('C*')
+        return Base64.urlsafe_encode64( one_time_pad + masked_token ) # Encode the result
+      end
+
+      # 
+      # Unmask a masked token.
+      #
+      def self.unmask_token( masked_token )
+        decoded = Base64.urlsafe_decode64( masked_token )
+        one_time_pad, masked_token = decoded[0...decoded.length / 2], decoded[decoded.length / 2..]
+        return one_time_pad.bytes.zip( masked_token.bytes ).map { |a, b| (a ^ b).chr }.join
+      end
+
+      # 
+      # Compare two tokens.
+      # Use ActiveSupport::SecurityUtils.secure_compare to avoid timing attacks.
+      #
+      def self.compare_tokens( token1, token2 )
+        return ActiveSupport::SecurityUtils.secure_compare( token1, token2 )
+      end
+
+      # 
+      # Return a hidden field with the masked csrf token.
+      #
+      def self.get_csrf_token_hidden_field( base_token )
+        form_token = mask_token( base_token )
+   
+        return "<input type='hidden' name='#{AUTHENTICITY_TOKEN}' value='#{form_token}' />"
+      end
+
+      # 
+      # Validate a masked csrf token that came from a form submit.
+      #
+      def self.valid_csrf_token?( base_token, masked_token )
+        return false unless base_token && masked_token
+
+        unmasked_token = unmask_token( masked_token )
+
+        return compare_tokens( base_token, unmasked_token )
+      end
+
+    end
+  end
+end

data/lib/gloo/objs/system/file_handle.rb

@@ -11,6 +11,10 @@ module Gloo
       KEYWORD = 'file'.freeze
       KEYWORD_SHORT = 'dir'.freeze
 
+      FILE_NAME_ERR = 'file and path name expected'.freeze
+      FILE_MISSING_ERR = 'file not found'.freeze
+
+
       #
       # The name of the object type.
       #
@@ -33,7 +37,7 @@ module Gloo
       # Get a list of message names that this object receives.
       #
       def self.messages
-        basic = %w[read write get_name get_ext get_parent]
+        basic = %w[read write get_name get_ext get_parent get_sha256]
         checks = %w[exists? is_file? is_dir?]
         search = %w[find_match]
         show = %w[show page open]
@@ -73,7 +77,7 @@ module Gloo
       # Read the contents of the file into the object.
       #
       def msg_read
-        return unless value && File.file?( value )
+        return unless check_file_exists?
 
         data = File.read( value )
         if @params&.token_count&.positive?
@@ -165,6 +169,44 @@ module Gloo
         end
       end
 
+      #
+      # Get the SHA256 hash of the file contents.
+      #
+      def msg_get_sha256
+        return unless check_file_exists?
+
+        file_hash = FileHandle.hash_for_file( value )
+        @engine.heap.it.set_to file_hash
+      end
+
+      # 
+      # Get the SHA256 hash of the file contents.
+      #
+      def self.hash_for_file( file_path )
+        require 'digest'
+        file_data = File.read( file_path )
+        file_hash = Digest::SHA256.hexdigest( file_data )
+        return file_hash
+      end
+
+      #
+      # Check to see if the file exists.
+      # Show error if not.
+      #
+      def check_file_exists?
+        if value.blank?
+          @engine.log.error FILE_NAME_ERR
+          return false
+        end
+
+        unless File.exist?( value )
+          @engine.log.error FILE_MISSING_ERR
+          return false
+        end
+
+        return true
+      end
+
     end
   end
 end

data/lib/gloo/objs/web/uri.rb

@@ -154,8 +154,6 @@ module Gloo
         cmd_with_param = "#{cmd} \"#{url}\""
 
         if OS.mac?
-          engine.log.warn 'Opening URL.' if engine
-
           `#{cmd_with_param}`
         else
           # This does not work in Linux or in WSL on Windows:

data/lib/gloo/objs/web_svr/svr.rb

@@ -51,7 +51,8 @@ module Gloo
       ELAPSED = 'elapsed'.freeze
       DB = 'db'.freeze
       PAGE = 'page'.freeze
-
+      CURRENT_PAGE = 'current_page'.freeze
+      
       # Container with pages in the web app.
       PAGES = 'pages'.freeze
 
@@ -303,7 +304,7 @@ module Gloo
       # Important to do this after the response is sent
       # to avoid holding on to data that is no longer needed.
       # 
-      def clear_session_data
+      def reset_session_data
         session_container.children.each do |session_var|
           session_var.value = ''
         end
@@ -405,7 +406,10 @@ module Gloo
       # Get a list of message names that this object receives.
       #
       def self.messages
-        return super + [ 'start', 'stop', 'routes' ]
+        return super + [ 'start', 'stop', 
+          'list_routes', 'list_assets', 
+          'add_session_to_response', 'clear_session_data',
+          'list_asset_img', 'list_asset_css', 'list_asset_js' ]
       end
 
       #
@@ -434,8 +438,9 @@ module Gloo
 
       # 
       # Helper message to show all routes in the running server.
+      # A Debugging tool.
       # 
-      def msg_routes
+      def msg_list_routes
         if @router
           @router.show_routes
         else
@@ -443,6 +448,70 @@ module Gloo
         end
       end
 
+      # 
+      # Helper message to show all assets in the running server.
+      # A Debugging tool.
+      # 
+      def msg_list_assets
+        if @router
+          Gloo::WebSvr::AssetInfo.list_all( @engine )
+        else
+          @engine.err SERVER_NOT_RUNNING
+        end
+      end
+
+      # 
+      # List all asset images in the running server.
+      # A Debugging tool.
+      # 
+      def msg_list_asset_img
+        if @router
+          @asset.list_image_assets
+        else
+          @engine.err SERVER_NOT_RUNNING
+        end
+      end
+
+      # 
+      # List all asset css in the running server.
+      # A Debugging tool.
+      # 
+      def msg_list_asset_css
+        if @router
+          @asset.list_css_assets
+        else
+          @engine.err SERVER_NOT_RUNNING
+        end
+      end
+
+      # 
+      # List all asset javascript in the running server.
+      # A Debugging tool.
+      # 
+      def msg_list_asset_js
+        if @router
+          @asset.list_js_assets
+        else
+          @engine.err SERVER_NOT_RUNNING
+        end
+      end
+
+      # 
+      # Add the session data to the response.
+      # This will be done for the current (next) request only.
+      # 
+      def msg_add_session_to_response
+        @session.add_session_to_response if @session
+      end
+
+      # 
+      # Clear out the session data, and remove it from the response.
+      # 
+      def msg_clear_session_data
+        reset_session_data
+        @session.clear_session_data if @session
+      end
+
 
       # ---------------------------------------------------------------------
       #    Start and Stop Events
@@ -482,7 +551,7 @@ module Gloo
         @engine.log.info "Stopping web server…"
 
         # Last chance to clear out session data.
-        clear_session_data
+        reset_session_data
 
         @web_server.stop
         @web_server = nil
@@ -519,13 +588,18 @@ module Gloo
 
       #
       # Run the on request script if there is one.
+      # Set thee current page object so the app knows
+      # which page is being requested.
       #
-      def run_on_request
+      def run_on_request current_page
+        for_page = find_child CURRENT_PAGE
+        alias_value = current_page.pn
+        for_page.set_value( alias_value ) if for_page
         o = find_child ON_REQUEST
         return unless o
         o = Gloo::Objs::Alias.resolve_alias( @engine, o )
 
-        Gloo::Exec::Dispatch.message( @engine, 'run', o )
+        Gloo::Exec::Dispatch.message( @engine, 'run', o, CURRENT_PAGE => current_page )
       end
 
       #
@@ -544,6 +618,10 @@ module Gloo
       # This is done before the on_request event is fired.
       # 
       def set_request_data( request )
+        # Clear out the redirect if there is one since this is the start of
+        # a new request.
+        @redirect = nil
+
         data = find_child RESQUEST_DATA
         return unless data
         data = Gloo::Objs::Alias.resolve_alias( @engine, data )

data/lib/gloo/web_svr/asset.rb

@@ -116,6 +116,38 @@ module Gloo
         return Gloo::WebSvr::Response.new( @engine, code, type, data )
       end
 
+      #
+      # Check if the given name is an asset.
+      # 
+      def is_asset? name
+        return name == ASSET_FOLDER
+      end
+
+
+      # ---------------------------------------------------------------------
+      #    Asset with Fingerprints
+      # ---------------------------------------------------------------------
+
+      # 
+      # Register an asset with the web server.
+      # Adds fingerprint to the file names for later access.
+      # 
+      # full_path is the FILE from which we build the SHA256 hash
+      # pn is the path and name within the assets directory
+      # name is the simple file name (icon.png)
+      # 
+      def register_asset name, pn, full_path
+        asset_pn = "/asset/#{pn}"
+        return AssetInfo.new( @engine, full_path, name, asset_pn ).register
+      end
+
+      # 
+      # Get the published name for the given asset name.
+      #
+      def published_name asset_name
+        return AssetInfo.find_published_name_for( asset_name )
+      end
+
 
       # ---------------------------------------------------------------------
       #    Dynamic Add Assets
@@ -170,7 +202,8 @@ module Gloo
 
             add_files_in_folder( full_path, child, pn )
           else
-            add_file_obj( container, name, pn )
+            info = register_asset( name, pn, full_path )
+            add_file_obj( container, name, pn, info )
           end
         end
       end
@@ -227,7 +260,7 @@ module Gloo
       # 
       # Add a file object (page route) to the given container.
       # 
-      def add_file_obj( can, name, pn )
+      def add_file_obj( can, name, pn, info )
         name = name.gsub( '.', '_' )
         @log.debug "Adding route for file: #{name}"
 
@@ -236,6 +269,66 @@ module Gloo
         return if child
 
         @factory.create_file( name, pn, can )
+        # @factory.create_file( info.published_name, pn, can )
+      end
+
+
+      # ---------------------------------------------------------------------
+      #    List Asset Helpers
+      # ---------------------------------------------------------------------
+
+      # 
+      # List all image assets.
+      # This looks in the image container and lists the images found earlier.
+      # A Debugging tool.
+      # 
+      def list_image_assets
+        data = []
+        @images.children.each do |o|
+          data << [ o.name, o.pn, o.value ]
+        end
+        headers = [ "Name", "PN", "Value" ]
+
+        puts Gloo::App::Platform::RETURN
+        title = "Image Assets with Routes"
+        @engine.platform.table.show headers, data, title
+        puts Gloo::App::Platform::RETURN
+      end
+
+      # 
+      # List all js assets.
+      # This looks in the js container and lists the js files found earlier.
+      # A Debugging tool.
+      # 
+      def list_js_assets
+        data = []
+        @javascript.children.each do |o|
+          data << [ o.name, o.pn, o.value ]
+        end
+        headers = [ "Name", "PN", "Value" ]
+
+        puts Gloo::App::Platform::RETURN
+        title = "JavaScript Assets with Routes"
+        @engine.platform.table.show headers, data, title
+        puts Gloo::App::Platform::RETURN
+      end
+
+      # 
+      # List all css assets.
+      # This looks in the css container and lists the css files found earlier.
+      # A Debugging tool.
+      #
+      def list_css_assets
+        data = []
+        @stylesheets.children.each do |o|
+          data << [ o.name, o.pn, o.value ]
+        end
+        headers = [ "Name", "PN", "Value" ]
+
+        puts Gloo::App::Platform::RETURN
+        title = "Stylesheet Assets with Routes"
+        @engine.platform.table.show headers, data, title        
+        puts Gloo::App::Platform::RETURN
       end
 
     end

data/lib/gloo/web_svr/asset_info.rb

@@ -0,0 +1,112 @@
+# Author::    Eric Crane  (mailto:eric.crane@mac.com)
+# Copyright:: Copyright (c) 2025 Eric Crane.  All rights reserved.
+#
+# Information about a single asset.
+# 
+# Full Path is the full path to the file in the file system.
+# Name is the name of the file with extension.
+# PN is the path within assets and the name. 
+#    ie: /asset/stylesheet/stylesheet.css
+# Hash is the SHA256 hash of the file.
+# Published Name is the name of the file that is published
+#    to the web server, and includes the hash.
+# 
+
+module Gloo
+  module WebSvr
+    class AssetInfo
+
+      # Class Variables
+      @@index_by_published = {}
+      @@index_by_pn = {}
+
+      attr_reader :name, :pn, :published_name, :published_pn, :hash
+
+
+      # ---------------------------------------------------------------------
+      #    Initialization
+      # ---------------------------------------------------------------------
+
+      #
+      # Set up an asset information object.
+      #
+      def initialize( engine, full_path, name, pn )
+        @engine = engine
+        @log = @engine.log
+
+        @full_path = full_path
+        @name = name
+        @pn = pn
+      end
+
+
+      # ---------------------------------------------------------------------
+      #    Functions
+      # ---------------------------------------------------------------------
+
+      # 
+      # Register the asset with indexes, inflating all needed data elements.
+      # 
+      def register
+        @log.debug "*** REGISTERING ASSET: #{@name}"
+        @log.debug "*** #{@full_path} "
+        @log.debug "*** #PN: #{@pn} name: #{@name}"
+
+        @hash = Gloo::Objs::FileHandle.hash_for_file( @full_path )
+
+        # Build published name
+        ext = File.extname( @pn )           # Gets just the extension
+        n = @name[ 0..-ext.length - 1 ]
+        pn = @pn[ 0..-ext.length - 1 ]
+
+        @published_name = "#{n}-#{@hash}#{ext}"
+        @published_pn = "#{pn}-#{@hash}#{ext}"
+
+        @log.debug "*** Published Name: #{@published_name}"
+        @log.debug "*** Published Path: #{@published_pn}"
+
+        # Add to indexes
+        AssetInfo.index self
+      end
+
+      # 
+      # Index the the given asset info record.
+      # 
+      def self.index info
+        @@index_by_pn[ info.pn ] = info
+        @@index_by_published[ info.published_pn ] = info
+      end
+
+      #
+      # Find the asset info for the given published name.
+      #
+      def self.find_published_name_for pn
+        return @@index_by_pn[ pn ].published_pn
+      end
+
+      # 
+      # Find the asset info for the given published name.
+      # 
+      def self.find_info_for pn
+        return @@index_by_published[ pn ]
+      end
+
+      # 
+      # List All assets.
+      # 
+      def self.list_all engine
+        data = []
+        @@index_by_pn.each do |pn, info|
+          data << [ info.name, info.pn, info.published_pn ]
+        end
+        headers = [ "Name", "Asset Path", "Published" ]
+
+        puts Gloo::App::Platform::RETURN
+        title = "Assets in Running Web App"
+        engine.platform.table.show headers, data, title
+        puts Gloo::App::Platform::RETURN
+      end
+
+    end
+  end
+end

data/lib/gloo/web_svr/embedded_renderer.rb

@@ -29,6 +29,58 @@ module Gloo
       end
 
 
+      # ---------------------------------------------------------------------
+      #    Tag Helpers
+      # ---------------------------------------------------------------------
+
+      # 
+      # Render a favicon tag.
+      # By default the name is 'favicon.ico' and does not need to be provided
+      # if that is the correct file name.
+      # 
+      def favicon_tag( name = 'favicon.ico' )
+        icon_path = "/#{Asset::ASSET_FOLDER}/#{Asset::IMAGE_FOLDER}/#{name}"
+        published_name = @engine.running_app.obj.asset.published_name( icon_path )
+        return "<link rel='shortcut icon' type='image/x-icon' href='#{published_name}' />"
+      end
+
+      # 
+      # Render an image tag for the given image name.
+      # Include optional proterties as part of the tag.
+      #
+      def image_tag( img_name, properties = '' )
+        image_path = "/#{Asset::ASSET_FOLDER}/#{Asset::IMAGE_FOLDER}/#{img_name}"
+        published_name = @engine.running_app.obj.asset.published_name( image_path )
+        return "<image src='#{published_name}' #{properties} />"
+      end
+
+      # 
+      # Render a script tag for the given script name.
+      #
+      def js_tag( name )
+        js_path = "/#{Asset::ASSET_FOLDER}/#{Asset::JAVASCRIPT_FOLDER}/#{name}"
+        published_name = @engine.running_app.obj.asset.published_name( js_path )
+        return "<script src='#{published_name}'></script>"
+      end
+
+      #
+      # Render a stylesheet tag for the given stylesheet name.
+      #
+      def css_tag( name )
+        css_path = "/#{Asset::ASSET_FOLDER}/#{Asset::STYLESHEET_FOLDER}/#{name}"
+        published_name = @engine.running_app.obj.asset.published_name( css_path )
+        return "<link rel='stylesheet' media='all' href='#{published_name}' />"
+      end
+
+      # 
+      # Embed a hidden field with the autenticity token.
+      # 
+      def autenticity_token_tag
+        session_id = @engine.running_app.obj&.session&.get_session_id
+        return Gloo::Objs::CsrfToken.get_csrf_token_hidden_field( session_id )
+      end
+
+
       # ---------------------------------------------------------------------
       #    Obj Helper Functions
       # ---------------------------------------------------------------------

data/lib/gloo/web_svr/handler.rb

@@ -46,6 +46,9 @@ module Gloo
         request.request_params.log_id_keys
 
         if page
+          # Run the on_request script with the found page.
+          @server_obj.run_on_request( page )
+
           if page.is_a? Gloo::Objs::FileHandle
             result = handle_file page
           else

data/lib/gloo/web_svr/request.rb

@@ -59,9 +59,15 @@ module Gloo
 
         # Run the on_request script if there is one.
         @handler.server_obj.set_request_data self
-        @handler.server_obj.run_on_request
         
-        result, page_obj = @handler.handle self
+        # Check authenticity token if it's given.
+        if @request_params.check_authenticity_token( @engine )
+          result, page_obj = @handler.handle self
+        else
+          # Render the error page.
+          result = @handler.server_error_result
+        end
+
         finish_timer
 
         # Run the on_response script if there is one.

data/lib/gloo/web_svr/request_params.rb

@@ -56,6 +56,29 @@ module Gloo
       end
 
 
+      # ---------------------------------------------------------------------
+      #    Authenticity Token checking
+      # ---------------------------------------------------------------------
+
+      # 
+      # Check the authenticity token if it is present.
+      # Returns true if it is present and valid, and
+      # also if it is not present.
+      # Returns false if it is present but not valid.
+      # 
+      def check_authenticity_token engine
+        auth_token = @query_params[ Gloo::Objs::CsrfToken::AUTHENTICITY_TOKEN ]
+        if auth_token
+          session_id = engine.running_app.obj&.session&.get_session_id
+          return false unless session_id
+
+          return Gloo::Objs::CsrfToken.valid_csrf_token?( session_id, auth_token )
+        end
+
+        return true
+      end
+
+
       # ---------------------------------------------------------------------
       #    Helper functions
       # ---------------------------------------------------------------------

data/lib/gloo/web_svr/response.rb

@@ -122,9 +122,12 @@ module Gloo
           headers[ 'Location' ] = @location
         end
 
-        session = @engine&.running_app&.obj&.session      
+        session = @engine&.running_app&.obj&.session
         headers = session.add_session_for_response( headers ) if session
   
+        # Clear out session data after the response is prepared.
+        @engine&.running_app&.obj&.reset_session_data
+
         return headers
       end
 

data/lib/gloo/web_svr/routing/router.rb

@@ -201,6 +201,13 @@ module Gloo
         # Create a list of path segments.
         # 
         def detect_segments path
+          # For Assets, substitute the published name with fingerprint
+          # for the simple asset name (if it is found).
+          asset_info = Gloo::WebSvr::AssetInfo.find_info_for( path )
+          unless asset_info.blank?
+            path = asset_info.pn
+          end
+
           # Split the path into segments.
           @route_segments = path.split SEGMENT_DIVIDER
 

data/lib/gloo/web_svr/routing/show_routes.rb

@@ -10,7 +10,6 @@ module Gloo
       class ShowRoutes
 
         SEGMENT_DIVIDER = '/'.freeze
-        RETURN = "\n".freeze
 
 
         # ---------------------------------------------------------------------
@@ -76,10 +75,10 @@ module Gloo
         # Show the Routes title.
         # 
         def show_table
-          puts RETURN
+          puts Gloo::App::Platform::RETURN
           title = "Routes in Running Web App"
           @engine.platform.table.show headers, @found_routes, title
-          puts RETURN
+          puts Gloo::App::Platform::RETURN
         end
 
         # 

data/lib/gloo/web_svr/session.rb

@@ -15,6 +15,7 @@ module Gloo
     class Session
 
       SESSION_CONTAINER = 'session'.freeze
+      SESSION_ID_NAME = 'session_id'.freeze
 
       
       # ---------------------------------------------------------------------
@@ -29,6 +30,8 @@ module Gloo
         @log = @engine.log
 
         @server_obj = server_obj
+        @include_in_response = false
+        @clearing_session = false
       end
 
 
@@ -52,8 +55,12 @@ module Gloo
               data = decode_decrypt( data ) 
               return unless data
               
+              @session_id = data[ SESSION_ID_NAME ]
+
               data.each do |key, value|
-                @server_obj.set_session_var( key, value )
+                unless key == SESSION_ID_NAME
+                  @server_obj.set_session_var( key, value )
+                end
               end
             end
           end
@@ -64,18 +71,62 @@ module Gloo
 
 
       # ---------------------------------------------------------------------
-      #    Get Session Data for Response
+      #    Set Session Data for Response
       # ---------------------------------------------------------------------
 
+      # 
+      # Temporarily set the flag to add the session data to the response.
+      # Once this is done, the flag will be cleared and it will not
+      # be added to the next request unless specifically set.
+      # 
+      def add_session_to_response
+        @include_in_response = true
+      end
+
+      def init_session_id
+        @session_id = Gloo::Objs::CsrfToken.generate_csrf_token
+        return @session_id
+      end
+
+      # 
+      # Initialize the session id and add it to the data.
+      # Use the current session ID if it is there.
+      # 
+      def get_session_id
+        if @clearing_session
+          @clearing_session = false
+          return nil
+        end
+
+        init_session_id if @session_id.blank?
+
+        return @session_id
+      end
+
+      # 
+      # Clear out the session Id.
+      # Set the flag to add the session data to the response.
+      # 
+      def clear_session_data
+        @session_id = nil
+        @clearing_session = true
+        add_session_to_response
+      end
+
       # 
       # If there is session data, encrypt and add it to the response.
       # Once done, clear out the session data.
       # 
       def add_session_for_response( headers )
         # Are we using sessions?
-        if @server_obj.use_session?
+        if @server_obj.use_session? && @include_in_response
+          # Reset the flag because we are adding to the session data now
+          @include_in_response = false
+
           # Build and add encrypted session data
           data = @server_obj.get_session_data
+          data[ SESSION_ID_NAME ] = get_session_id
+
           unless data.empty?
             data = encrypt_encode( data )
             session_hash = { 
@@ -90,9 +141,6 @@ module Gloo
 
             Rack::Utils.set_cookie_header!( headers, session_name, session_hash )
           end
-
-          # Clear out session data
-          @server_obj.clear_session_data
         end
 
         return headers

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gloo
 version: !ruby/object:Gem::Version
-  version: 3.6.2
+  version: 3.8.0
 platform: ruby
 authors:
 - Eric Crane
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-12-19 00:00:00.000000000 Z
+date: 2025-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -462,6 +462,7 @@ files:
 - lib/gloo/objs/ror/erb.rb
 - lib/gloo/objs/ror/eval.rb
 - lib/gloo/objs/security/cipher.rb
+- lib/gloo/objs/security/csrf_token.rb
 - lib/gloo/objs/security/password.rb
 - lib/gloo/objs/system/file_handle.rb
 - lib/gloo/objs/system/ssh_exec.rb
@@ -514,6 +515,7 @@ files:
 - lib/gloo/verbs/version.rb
 - lib/gloo/verbs/wait.rb
 - lib/gloo/web_svr/asset.rb
+- lib/gloo/web_svr/asset_info.rb
 - lib/gloo/web_svr/config.rb
 - lib/gloo/web_svr/embedded_renderer.rb
 - lib/gloo/web_svr/handler.rb