hanami-action 3.0.0.rc1

data/lib/hanami/action/cookie_jar.rb

@@ -0,0 +1,214 @@
+# frozen_string_literal: true
+
+require "rack/utils"
+require "hanami/utils/hash"
+
+module Hanami
+  class Action
+    # A set of HTTP Cookies
+    #
+    # It acts as an Hash
+    #
+    # @since 0.1.0
+    #
+    # @see Hanami::Action::Cookies#cookies
+    class CookieJar
+      # @since 0.4.5
+      # @api private
+      COOKIE_SEPARATOR = ";,"
+
+      # Initialize the CookieJar
+      #
+      # @param env [Hash] a raw Rack env
+      # @param headers [Hash] the response headers
+      #
+      # @return [CookieJar]
+      #
+      # @since 0.1.0
+      def initialize(env, headers, default_options)
+        @_headers        = headers
+        @cookies         = Utils::Hash.deep_symbolize(extract(env))
+        @default_options = default_options
+      end
+
+      # Finalize itself, by setting the proper headers to add and remove
+      # cookies, before the response is returned to the webserver.
+      #
+      # @return [void]
+      #
+      # @since 0.1.0
+      #
+      # @see Hanami::Action::Cookies#finish
+      def finish
+        @cookies.delete(Action::RACK_SESSION)
+        if changed?
+          @cookies.each do |k, v|
+            next unless changed?(k)
+
+            v.nil? ? delete_cookie(k) : set_cookie(k, _merge_default_values(v))
+          end
+        end
+      end
+
+      # Returns the object associated with the given key
+      #
+      # @param key [Symbol] the key
+      #
+      # @return [Object,nil] return the associated object, if found
+      #
+      # @since 0.2.0
+      def [](key)
+        @cookies[key]
+      end
+
+      # Associate the given value with the given key and store them
+      #
+      # @param key [Symbol] the key
+      # @param value [#to_s,Hash] value that can be serialized as a string or
+      #   expressed as a Hash
+      # @option value [String] :value - Value of the cookie
+      # @option value [String] :domain - The domain
+      # @option value [String] :path - The path
+      # @option value [Integer] :max_age - Duration expressed in seconds
+      # @option value [Time] :expires - Expiration time
+      # @option value [TrueClass,FalseClass] :secure - Restrict cookie to secure
+      #   connections
+      # @option value [TrueClass,FalseClass] :httponly - Restrict JavaScript
+      #   access
+      #
+      # @return [void]
+      #
+      # @since 0.2.0
+      #
+      # @see http://en.wikipedia.org/wiki/HTTP_cookie
+      def []=(key, value)
+        changes << key
+        @cookies[key] = value
+      end
+
+      # Iterates cookies
+      #
+      # @param blk [Proc] the block to be yielded
+      # @yield [key, value] the key/value pair for each cookie
+      #
+      # @return [void]
+      #
+      # @since 1.1.0
+      #
+      # @example
+      #   require "hanami/action"
+      #   class MyAction < Hanami::Action
+      #     include Hanami::Action::Cookies
+      #
+      #     def handle(req, res)
+      #       # read cookies
+      #       req.cookies.each do |key, value|
+      #         # ...
+      #       end
+      #     end
+      #   end
+      def each(&blk)
+        @cookies.each(&blk)
+      end
+
+      private
+
+      # Keep track of changed keys
+      #
+      # @since 0.7.0
+      # @api private
+      def changes
+        @changes ||= Set.new
+      end
+
+      # Check if the entire set of cookies has changed within the current request.
+      # If <tt>key</tt> is given, it checks the associated cookie has changed.
+      #
+      # @since 0.7.0
+      # @api private
+      def changed?(key = nil)
+        if key.nil?
+          changes.any?
+        else
+          changes.include?(key)
+        end
+      end
+
+      # Merge default cookies options with values provided by user
+      #
+      # Cookies values provided by user are respected
+      #
+      # @since 0.4.0
+      # @api private
+      def _merge_default_values(value)
+        cookies_options = if value.is_a?(::Hash)
+                            value.merge! _add_expires_option(value)
+                          else
+                            {value: value}
+                          end
+        @default_options.merge cookies_options
+      end
+
+      # Add expires option to cookies if :max_age presents
+      #
+      # @since 0.4.3
+      # @api private
+      def _add_expires_option(value)
+        if value.key?(:max_age) && !value.key?(:expires)
+          {expires: (Time.now + value[:max_age])}
+        else
+          {}
+        end
+      end
+
+      # Extract the cookies from the raw Rack env.
+      #
+      # This implementation is borrowed from Rack::Request#cookies.
+      #
+      # @since 0.1.0
+      # @api private
+      def extract(env)
+        hash   = env[Action::COOKIE_HASH_KEY] ||= {}
+        string = env[Action::HTTP_COOKIE]
+
+        return hash if string == env[Action::COOKIE_STRING_KEY]
+
+        # TODO: Next Rack 1.7.x ?? version will have ::Rack::Utils.parse_cookies
+        # We can then replace the following lines.
+        hash.clear
+
+        # According to RFC 2109:
+        #   If multiple cookies satisfy the criteria above, they are ordered in
+        #   the Cookie header such that those with more specific Path attributes
+        #   precede those with less specific.  Ordering with respect to other
+        #   attributes (e.g., Domain) is unspecified.
+        cookies = ::Rack::Utils.parse_query(string, COOKIE_SEPARATOR) { |s|
+          begin
+            ::Rack::Utils.unescape(s)
+          rescue StandardError
+            s
+          end
+        }
+        cookies.each { |k, v| hash[k] = v.is_a?(Array) ? v.first : v }
+        env[Action::COOKIE_STRING_KEY] = string
+        hash
+      end
+
+      # Set a cookie in the headers
+      #
+      # @since 0.1.0
+      # @api private
+      def set_cookie(key, value)
+        ::Rack::Utils.set_cookie_header!(@_headers, key, value)
+      end
+
+      # Remove a cookie from the headers
+      #
+      # @since 0.1.0
+      # @api private
+      def delete_cookie(key)
+        ::Rack::Utils.delete_cookie_header!(@_headers, key, {})
+      end
+    end
+  end
+end

data/lib/hanami/action/cookies.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Hanami
+  class Action
+    # Cookies API
+    #
+    # This module isn't included by default.
+    #
+    # @since 0.1.0
+    #
+    # @see Hanami::Action::Cookies#cookies
+    module Cookies
+      private
+
+      # Finalize the response by flushing cookies into the response
+      #
+      # @since 0.1.0
+      # @api private
+      #
+      # @see Hanami::Action#finish
+      def finish(req, res, *)
+        res.cookies.finish
+        super
+      end
+    end
+  end
+end

data/lib/hanami/action/csrf_protection.rb

@@ -0,0 +1,217 @@
+# frozen_string_literal: true
+
+require "hanami/utils/blank"
+require "rack/utils"
+require "securerandom"
+require_relative "errors"
+
+module Hanami
+  # @api private
+  class Action
+    # CSRF Protection
+    #
+    # This security mechanism is enabled automatically if sessions are turned on.
+    #
+    # It stores a "challenge" token in session. For each "state changing request"
+    # (eg. <tt>POST</tt>, <tt>PATCH</tt> etc..), we should send a special param
+    # <tt>_csrf_token</tt> or header <tt>X-CSRF-Token</tt> which contain the "challenge"
+    # token.
+    #
+    # If the request token matches with the challenge token, the flow can continue.
+    # Otherwise the application detects an attack attempt, it reset the session
+    # and <tt>Hanami::Action::InvalidCSRFTokenError</tt> is raised.
+    #
+    # We can specify a custom handling strategy, by overriding <tt>#handle_invalid_csrf_token</tt>.
+    #
+    # Form helper (<tt>#form_for</tt>) automatically sets a hidden field with the
+    # correct token. A special view method (<tt>#csrf_token</tt>) is available in
+    # case the form markup is manually crafted.
+    #
+    # We can disable this check on action basis, by overriding <tt>#verify_csrf_token?</tt>.
+    #
+    # @since 0.4.0
+    #
+    # @see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
+    # @see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
+    #
+    # @example Custom Handling
+    #   module Web::Controllers::Books
+    #     class Create < Web::Action
+    #       def handl(*)
+    #         # ...
+    #       end
+    #
+    #       private
+    #
+    #       def handle_invalid_csrf_token
+    #         Web::Logger.warn "CSRF attack: expected #{ session[:_csrf_token] }, was #{ params[:_csrf_token] }"
+    #         # manual handling
+    #       end
+    #     end
+    #   end
+    #
+    # @example Bypass Security Check
+    #   module Web::Controllers::Books
+    #     class Create < Web::Action
+    #       def handle(*)
+    #         # ...
+    #       end
+    #
+    #       private
+    #
+    #       def verify_csrf_token?(req, res)
+    #         false
+    #       end
+    #     end
+    #   end
+    module CSRFProtection
+      # Session and params key for CSRF token.
+      #
+      # This key is shared with <tt>hanami-action</tt> and <tt>hanami-helpers</tt>
+      #
+      # @since 0.4.0
+      # @api private
+      CSRF_TOKEN = :_csrf_token
+
+      # Idempotent HTTP methods
+      #
+      # By default, the check isn't performed if the request method is included
+      # in this list.
+      #
+      # @since 0.4.0
+      # @api private
+      IDEMPOTENT_HTTP_METHODS = Hash[
+        Action::GET => true,
+        Action::HEAD => true,
+        Action::TRACE => true,
+        Action::OPTIONS => true
+      ].freeze
+
+      # @since 0.4.0
+      # @api private
+      def self.included(action)
+        unless Hanami.respond_to?(:env?) && Hanami.env?(:test)
+          action.include Hanami::Action::Session
+          action.class_eval do
+            before :set_csrf_token, :verify_csrf_token
+          end
+        end
+      end
+
+      private
+
+      # Set CSRF Token in session
+      #
+      # @since 0.4.0
+      # @api private
+      def set_csrf_token(_req, res)
+        res.session[CSRF_TOKEN] ||= generate_csrf_token
+      end
+
+      # Get CSRF Token in request.
+      #
+      # Retreives the CSRF token from the request param <tt>_csrf_token</tt> or the request header
+      # <tt>X-CSRF-Token</tt>.
+      #
+      # @api private
+      def request_csrf_token(req)
+        req.params.raw[CSRF_TOKEN.to_s] || req.get_header("HTTP_X_CSRF_TOKEN")
+      end
+
+      # Verify if CSRF token from params, matches the one stored in session.
+      # If not, it raises an error.
+      #
+      # Don't override this method.
+      #
+      # To bypass the security check, please override <tt>#verify_csrf_token?</tt>.
+      # For custom handling of an attack, please override <tt>#handle_invalid_csrf_token</tt>.
+      #
+      # @since 0.4.0
+      # @api private
+      def verify_csrf_token(req, res)
+        handle_invalid_csrf_token(req, res) if invalid_csrf_token?(req, res)
+      end
+
+      # Verify if CSRF token from params, matches the one stored in session.
+      #
+      # Don't override this method.
+      #
+      # @since 0.4.0
+      # @api private
+      def invalid_csrf_token?(req, res)
+        return false unless verify_csrf_token?(req, res)
+
+        missing_csrf_token?(req, res) ||
+          !::Rack::Utils.secure_compare(req.session[CSRF_TOKEN], request_csrf_token(req))
+      end
+
+      # Verify the CSRF token was passed in params.
+      #
+      # @api private
+      def missing_csrf_token?(req, *)
+        Hanami::Utils::Blank.blank?(request_csrf_token(req))
+      end
+
+      # Generates a random CSRF Token
+      #
+      # @since 0.4.0
+      # @api private
+      def generate_csrf_token
+        SecureRandom.hex(32)
+      end
+
+      # Decide if perform the check or not.
+      #
+      # Override and return <tt>false</tt> if you want to bypass security check.
+      #
+      # @since 0.4.0
+      #
+      # @example
+      #   module Web::Controllers::Books
+      #     class Create < Web::Action
+      #       def call(*)
+      #         # ...
+      #       end
+      #
+      #       private
+      #
+      #       def verify_csrf_token?(req, res)
+      #         false
+      #       end
+      #     end
+      #   end
+      def verify_csrf_token?(req, *)
+        !IDEMPOTENT_HTTP_METHODS[req.request_method]
+      end
+
+      # Handle CSRF attack.
+      #
+      # The default policy resets the session and raises an exception.
+      #
+      # Override this method, for custom handling.
+      #
+      # @raise [Hanami::Action::InvalidCSRFTokenError]
+      #
+      # @since 0.4.0
+      #
+      # @example
+      #   module Web::Controllers::Books
+      #     class Create < Web::Action
+      #       def call(*)
+      #         # ...
+      #       end
+      #
+      #       private
+      #
+      #       def handle_invalid_csrf_token(req, res)
+      #         # custom invalid CSRF management goes here
+      #       end
+      #     end
+      #   end
+      def handle_invalid_csrf_token(*, res)
+        res.session.clear
+        raise InvalidCSRFTokenError
+      end
+    end
+  end
+end

data/lib/hanami/action/errors.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+module Hanami
+  class Action
+    # Base class for all Action errors.
+    #
+    # @api public
+    # @since 2.0.0
+    class Error < ::StandardError
+    end
+
+    # Unknown status HTTP Status error
+    #
+    # @since 2.0.2
+    #
+    # @see Hanami::Action::Response#status=
+    # @see https://guides.hanamirb.org/v2.0/actions/status-codes/
+    class UnknownHttpStatusError < Error
+      # @since 2.0.2
+      # @api private
+      def initialize(code)
+        super("unknown HTTP status: `#{code.inspect}'")
+      end
+    end
+
+    # Unknown format error
+    #
+    # This error is raised when a action sets a format that it isn't recognized
+    # both by `Hanami::Action::Configuration` and the list of Rack mime types
+    #
+    # @since 2.0.0
+    #
+    # @see Hanami::Action::Mime#format=
+    class UnknownFormatError < Error
+      # @since 2.0.0
+      # @api private
+      def initialize(format)
+        message = <<~MSG
+          Cannot find a corresponding MIME type for format `#{format.inspect}'.
+        MSG
+
+        unless blank?(format)
+          message += <<~MSG
+
+            Configure one via: `config.actions.formats.add(:#{format}, "MIME_TYPE_HERE")' in `config/app.rb' to share between actions of a Hanami app.
+
+            Or make it available only in the current action: `config.formats.add(:#{format}, "MIME_TYPE_HERE")'.
+          MSG
+        end
+
+        super(message)
+      end
+
+      private
+
+      def blank?(format)
+        format.to_s.match(/\A[[:space:]]*\z/)
+      end
+    end
+
+    # Error raised when body parsing fails.
+    #
+    # @api public
+    # @since x.x.x
+    class BodyParsingError < Error
+    end
+
+    # Error raised when session is accessed but not enabled.
+    #
+    # This error is raised when `session` or `flash` is accessed/set on request/response objects
+    # in actions which do not include `Hanami::Action::Session`.
+    #
+    # @see Hanami::Action::Session
+    # @see Hanami::Action::Request#session
+    # @see Hanami::Action::Response#session
+    # @see Hanami::Action::Response#flash
+    #
+    # @api public
+    # @since 2.0.0
+    class MissingSessionError < Error
+      # @api private
+      # @since 2.0.0
+      def initialize(session_method)
+        super(<<~TEXT)
+          Sessions are not enabled. To use `#{session_method}`:
+
+          Configure sessions in your Hanami app, e.g.
+
+            module MyApp
+              class App < Hanami::App
+                # See Rack::Session::Cookie for options
+                config.actions.sessions = :cookie, {**cookie_session_options}
+              end
+            end
+
+          Or include session support directly in your action class:
+
+            include Hanami::Action::Session
+        TEXT
+      end
+    end
+
+    # Invalid CSRF Token
+    #
+    # @since 0.4.0
+    class InvalidCSRFTokenError < Error
+    end
+  end
+end