gloo 3.7.0 → 3.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c1dfa24d10974fad30c699b9935d765525ceda2eef22c642be9f30fd8f717ce7
-  data.tar.gz: c631fafd6862b14c03994767ad520cc95380868ea9a1c60a68f0da67399d9fab
+  metadata.gz: 0c8d357cda5602195adcfddc50c58705d34670b6ac01848eb8a1d66243571356
+  data.tar.gz: 86687c8e18f4843dc9bca97111e140c26750479fce8619341a902284dde5a573
 SHA512:
-  metadata.gz: a020b85943d3fa84e2940dc37a4bf61d541a89e55de775b0a22fd001b7e57de84a852748d0084e92bf1490e5f561761b62cbea9c94cbfa57e422632bf77134c5
-  data.tar.gz: 04ca71cc0e8c3c483d31155799876e336d372d2bee8f1a923f429c3aee0c2902528af4ebe289d3a6e5709274205ca7d5feaaf164e1f8187c48ce6a5c4315a847
+  metadata.gz: baa186fd096e79a6152b7c287e23048a4b2fa67af5aa5db1c4e860918f42477b75e52fabbae8309506adfa32a77f5616bc2c4f4b22b6972142cb3977c9c965c9
+  data.tar.gz: 8467cf3db96cd931cad4dc06910a4933c65284b25675a3f884e17d5639cb8b3d9b50ff8bd1c171d329f318317390e715a9a5af62dceed681509fe336d28c3439

data/lib/VERSION

@@ -1 +1 @@
-3.7.0
+3.8.0

data/lib/VERSION_NOTES

@@ -1,3 +1,9 @@
+3.8.0 - 2025.01.23
+- Fixes issue with sessions
+- Adds authenticity token tag and supporting session id and validation
+
+
+
 3.7.0 - 2025.01.09
  - Adds File message to get SHA256 hash
  - Asset Fingerprinting

data/lib/gloo/objs/security/csrf_token.rb

@@ -0,0 +1,72 @@
+# Author::    Eric Crane  (mailto:eric.crane@mac.com)
+# Copyright:: Copyright (c) 2025 Eric Crane.  All rights reserved.
+#
+# Helper class to generate and verify a csrf token.
+#
+require 'securerandom'
+require 'base64'
+require 'active_support/security_utils'
+
+module Gloo
+  module Objs
+    class CsrfToken
+
+      TOKEN_LENGTH = 32
+      AUTHENTICITY_TOKEN = 'authenticity_token'.freeze
+
+      # 
+      # Generate a random token
+      #
+      def self.generate_csrf_token
+        SecureRandom.base64( TOKEN_LENGTH ) 
+      end
+
+      # 
+      # Generate a masked token.
+      #
+      def self.mask_token( base_token )
+        one_time_pad = SecureRandom.random_bytes( base_token.bytesize )
+        masked_token = one_time_pad.bytes.zip( base_token.bytes ).map { |a, b| a ^ b }.pack('C*')
+        return Base64.urlsafe_encode64( one_time_pad + masked_token ) # Encode the result
+      end
+
+      # 
+      # Unmask a masked token.
+      #
+      def self.unmask_token( masked_token )
+        decoded = Base64.urlsafe_decode64( masked_token )
+        one_time_pad, masked_token = decoded[0...decoded.length / 2], decoded[decoded.length / 2..]
+        return one_time_pad.bytes.zip( masked_token.bytes ).map { |a, b| (a ^ b).chr }.join
+      end
+
+      # 
+      # Compare two tokens.
+      # Use ActiveSupport::SecurityUtils.secure_compare to avoid timing attacks.
+      #
+      def self.compare_tokens( token1, token2 )
+        return ActiveSupport::SecurityUtils.secure_compare( token1, token2 )
+      end
+
+      # 
+      # Return a hidden field with the masked csrf token.
+      #
+      def self.get_csrf_token_hidden_field( base_token )
+        form_token = mask_token( base_token )
+   
+        return "<input type='hidden' name='#{AUTHENTICITY_TOKEN}' value='#{form_token}' />"
+      end
+
+      # 
+      # Validate a masked csrf token that came from a form submit.
+      #
+      def self.valid_csrf_token?( base_token, masked_token )
+        return false unless base_token && masked_token
+
+        unmasked_token = unmask_token( masked_token )
+
+        return compare_tokens( base_token, unmasked_token )
+      end
+
+    end
+  end
+end

data/lib/gloo/objs/web_svr/svr.rb

@@ -51,7 +51,8 @@ module Gloo
       ELAPSED = 'elapsed'.freeze
       DB = 'db'.freeze
       PAGE = 'page'.freeze
-
+      CURRENT_PAGE = 'current_page'.freeze
+      
       # Container with pages in the web app.
       PAGES = 'pages'.freeze
 
@@ -303,7 +304,7 @@ module Gloo
       # Important to do this after the response is sent
       # to avoid holding on to data that is no longer needed.
       # 
-      def clear_session_data
+      def reset_session_data
         session_container.children.each do |session_var|
           session_var.value = ''
         end
@@ -407,6 +408,7 @@ module Gloo
       def self.messages
         return super + [ 'start', 'stop', 
           'list_routes', 'list_assets', 
+          'add_session_to_response', 'clear_session_data',
           'list_asset_img', 'list_asset_css', 'list_asset_js' ]
       end
 
@@ -494,6 +496,22 @@ module Gloo
         end
       end
 
+      # 
+      # Add the session data to the response.
+      # This will be done for the current (next) request only.
+      # 
+      def msg_add_session_to_response
+        @session.add_session_to_response if @session
+      end
+
+      # 
+      # Clear out the session data, and remove it from the response.
+      # 
+      def msg_clear_session_data
+        reset_session_data
+        @session.clear_session_data if @session
+      end
+
 
       # ---------------------------------------------------------------------
       #    Start and Stop Events
@@ -533,7 +551,7 @@ module Gloo
         @engine.log.info "Stopping web server…"
 
         # Last chance to clear out session data.
-        clear_session_data
+        reset_session_data
 
         @web_server.stop
         @web_server = nil
@@ -570,13 +588,18 @@ module Gloo
 
       #
       # Run the on request script if there is one.
+      # Set thee current page object so the app knows
+      # which page is being requested.
       #
-      def run_on_request
+      def run_on_request current_page
+        for_page = find_child CURRENT_PAGE
+        alias_value = current_page.pn
+        for_page.set_value( alias_value ) if for_page
         o = find_child ON_REQUEST
         return unless o
         o = Gloo::Objs::Alias.resolve_alias( @engine, o )
 
-        Gloo::Exec::Dispatch.message( @engine, 'run', o )
+        Gloo::Exec::Dispatch.message( @engine, 'run', o, CURRENT_PAGE => current_page )
       end
 
       #
@@ -595,6 +618,10 @@ module Gloo
       # This is done before the on_request event is fired.
       # 
       def set_request_data( request )
+        # Clear out the redirect if there is one since this is the start of
+        # a new request.
+        @redirect = nil
+
         data = find_child RESQUEST_DATA
         return unless data
         data = Gloo::Objs::Alias.resolve_alias( @engine, data )

data/lib/gloo/web_svr/embedded_renderer.rb

@@ -72,6 +72,14 @@ module Gloo
         return "<link rel='stylesheet' media='all' href='#{published_name}' />"
       end
 
+      # 
+      # Embed a hidden field with the autenticity token.
+      # 
+      def autenticity_token_tag
+        session_id = @engine.running_app.obj&.session&.get_session_id
+        return Gloo::Objs::CsrfToken.get_csrf_token_hidden_field( session_id )
+      end
+
 
       # ---------------------------------------------------------------------
       #    Obj Helper Functions

data/lib/gloo/web_svr/handler.rb

@@ -46,6 +46,9 @@ module Gloo
         request.request_params.log_id_keys
 
         if page
+          # Run the on_request script with the found page.
+          @server_obj.run_on_request( page )
+
           if page.is_a? Gloo::Objs::FileHandle
             result = handle_file page
           else

data/lib/gloo/web_svr/request.rb

@@ -59,9 +59,15 @@ module Gloo
 
         # Run the on_request script if there is one.
         @handler.server_obj.set_request_data self
-        @handler.server_obj.run_on_request
         
-        result, page_obj = @handler.handle self
+        # Check authenticity token if it's given.
+        if @request_params.check_authenticity_token( @engine )
+          result, page_obj = @handler.handle self
+        else
+          # Render the error page.
+          result = @handler.server_error_result
+        end
+
         finish_timer
 
         # Run the on_response script if there is one.

data/lib/gloo/web_svr/request_params.rb

@@ -56,6 +56,29 @@ module Gloo
       end
 
 
+      # ---------------------------------------------------------------------
+      #    Authenticity Token checking
+      # ---------------------------------------------------------------------
+
+      # 
+      # Check the authenticity token if it is present.
+      # Returns true if it is present and valid, and
+      # also if it is not present.
+      # Returns false if it is present but not valid.
+      # 
+      def check_authenticity_token engine
+        auth_token = @query_params[ Gloo::Objs::CsrfToken::AUTHENTICITY_TOKEN ]
+        if auth_token
+          session_id = engine.running_app.obj&.session&.get_session_id
+          return false unless session_id
+
+          return Gloo::Objs::CsrfToken.valid_csrf_token?( session_id, auth_token )
+        end
+
+        return true
+      end
+
+
       # ---------------------------------------------------------------------
       #    Helper functions
       # ---------------------------------------------------------------------

data/lib/gloo/web_svr/response.rb

@@ -122,9 +122,12 @@ module Gloo
           headers[ 'Location' ] = @location
         end
 
-        session = @engine&.running_app&.obj&.session      
+        session = @engine&.running_app&.obj&.session
         headers = session.add_session_for_response( headers ) if session
   
+        # Clear out session data after the response is prepared.
+        @engine&.running_app&.obj&.reset_session_data
+
         return headers
       end
 

data/lib/gloo/web_svr/session.rb

@@ -15,6 +15,7 @@ module Gloo
     class Session
 
       SESSION_CONTAINER = 'session'.freeze
+      SESSION_ID_NAME = 'session_id'.freeze
 
       
       # ---------------------------------------------------------------------
@@ -29,6 +30,8 @@ module Gloo
         @log = @engine.log
 
         @server_obj = server_obj
+        @include_in_response = false
+        @clearing_session = false
       end
 
 
@@ -52,8 +55,12 @@ module Gloo
               data = decode_decrypt( data ) 
               return unless data
               
+              @session_id = data[ SESSION_ID_NAME ]
+
               data.each do |key, value|
-                @server_obj.set_session_var( key, value )
+                unless key == SESSION_ID_NAME
+                  @server_obj.set_session_var( key, value )
+                end
               end
             end
           end
@@ -64,18 +71,62 @@ module Gloo
 
 
       # ---------------------------------------------------------------------
-      #    Get Session Data for Response
+      #    Set Session Data for Response
       # ---------------------------------------------------------------------
 
+      # 
+      # Temporarily set the flag to add the session data to the response.
+      # Once this is done, the flag will be cleared and it will not
+      # be added to the next request unless specifically set.
+      # 
+      def add_session_to_response
+        @include_in_response = true
+      end
+
+      def init_session_id
+        @session_id = Gloo::Objs::CsrfToken.generate_csrf_token
+        return @session_id
+      end
+
+      # 
+      # Initialize the session id and add it to the data.
+      # Use the current session ID if it is there.
+      # 
+      def get_session_id
+        if @clearing_session
+          @clearing_session = false
+          return nil
+        end
+
+        init_session_id if @session_id.blank?
+
+        return @session_id
+      end
+
+      # 
+      # Clear out the session Id.
+      # Set the flag to add the session data to the response.
+      # 
+      def clear_session_data
+        @session_id = nil
+        @clearing_session = true
+        add_session_to_response
+      end
+
       # 
       # If there is session data, encrypt and add it to the response.
       # Once done, clear out the session data.
       # 
       def add_session_for_response( headers )
         # Are we using sessions?
-        if @server_obj.use_session?
+        if @server_obj.use_session? && @include_in_response
+          # Reset the flag because we are adding to the session data now
+          @include_in_response = false
+
           # Build and add encrypted session data
           data = @server_obj.get_session_data
+          data[ SESSION_ID_NAME ] = get_session_id
+
           unless data.empty?
             data = encrypt_encode( data )
             session_hash = { 
@@ -90,9 +141,6 @@ module Gloo
 
             Rack::Utils.set_cookie_header!( headers, session_name, session_hash )
           end
-
-          # Clear out session data
-          @server_obj.clear_session_data
         end
 
         return headers

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gloo
 version: !ruby/object:Gem::Version
-  version: 3.7.0
+  version: 3.8.0
 platform: ruby
 authors:
 - Eric Crane
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-01-09 00:00:00.000000000 Z
+date: 2025-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -462,6 +462,7 @@ files:
 - lib/gloo/objs/ror/erb.rb
 - lib/gloo/objs/ror/eval.rb
 - lib/gloo/objs/security/cipher.rb
+- lib/gloo/objs/security/csrf_token.rb
 - lib/gloo/objs/security/password.rb
 - lib/gloo/objs/system/file_handle.rb
 - lib/gloo/objs/system/ssh_exec.rb