heroku-bouncer 0.2.1 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 0404185bf3da1eecc4a7e9009a715c2adb5a220e
-  data.tar.gz: dc7d6fb8e45947c9d58419d7b0d7d446bd1cdc6c
+  metadata.gz: 6758e63ada289a67c98dfdd75ac078539adf76b1
+  data.tar.gz: 42bd2f4be9cda6bbb7adf8079fe5d256c9be5e7c
 SHA512:
-  metadata.gz: 9f464a678eebff16cd70e25991fd75bab614f3985e1bbf4ce82adef7524f6a7c16c33ab71495935eb22982a08f25c0f5b7563af4fc628807a40263a28669df4c
-  data.tar.gz: 2f2e046e1259375465c2048466f7a2bd0c5f6e6ce4069b13e43cb476da6db00d33ce6fd36e62354376556342e48fcb20508c55357145a010365c37160e24494b
+  metadata.gz: eea8f556d0c0b6fa6fe9894a0d7e75ff7a24a2ad468a6612a8b3a704aae32f32f89f23074bbfa2b4fbfdb45e40a80d8f58532d3df0ef18f09c451ec82df859af
+  data.tar.gz: 6c67c0eeac7851fb9702e04f6565c0e08d02341820768470f580392cc811c38329ed33ca64b4776e3b04aa5eaf9e16bb471dd1d80206c1a85ab5bde5482f6e61

data/Gemfile.lock

@@ -2,6 +2,7 @@ PATH
   remote: .
   specs:
     heroku-bouncer (0.2.1)
+      encrypted_cookie (~> 0.0.4)
       faraday (~> 0.8)
       multi_json (~> 1.0)
       omniauth-heroku (>= 0.1.0)
@@ -10,6 +11,7 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
+    encrypted_cookie (0.0.4)
     faraday (0.8.7)
       multipart-post (~> 1.1)
     hashie (2.0.5)

data/README.md

@@ -13,7 +13,10 @@ requires Heroku OAuth on all requests.
     ```
 
 2. Set `HEROKU_OAUTH_ID` and `HEROKU_OAUTH_SECRET` in your environment.
-3. Use the middleware:
+3. Optionally, set the `COOKIE_SECRET` environment variable to a long
+   random string. Otherwise, the OAuth ID and secret are concatenated
+   for use as a secret.
+4. Use the middleware:
 
     ```ruby
     require 'heroku/bouncer'
@@ -85,7 +88,5 @@ you like](https://gist.github.com/wuputah/5534428).
 
 ## There be dragons
 
-* This middleware uses a session stored in a cookie. The cookie secret
-  is `HEROKU_ID + HEROKU_SECRET`. So keep these secret.
 * There's no tests yet. You may encounter bugs. Please report them (or
   fix them in a pull request).

data/lib/heroku/bouncer.rb

@@ -2,6 +2,7 @@ require 'sinatra/base'
 require 'omniauth-heroku'
 require 'faraday'
 require 'multi_json'
+require 'encrypted_cookie'
 
 Heroku ||= Module.new
 
@@ -13,8 +14,13 @@ class Heroku::Bouncer < Sinatra::Base
   ID = (ENV['HEROKU_OAUTH_ID'] || ENV['HEROKU_ID']).to_s
   SECRET = (ENV['HEROKU_OAUTH_SECRET'] ||  ENV['HEROKU_SECRET']).to_s
 
-  enable :sessions
-  set :session_secret, ID + SECRET
+  enable :raise_errors
+  disable :show_exceptions
+
+  use Rack::Session::EncryptedCookie,
+    :secret => (ENV['COOKIE_SECRET'] || (ID + SECRET)).to_s,
+    :expire_after => 8 * 60 * 60,
+    :key => (ENV['COOKIE_NAME'] || '_bouncer_session').to_s
 
   # sets up the /auth/heroku endpoint
   unless ID.empty? || SECRET.empty?

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: heroku-bouncer
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.0
 platform: ruby
 authors:
 - Jonathan Dance
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-06-17 00:00:00.000000000 Z
+date: 2013-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-heroku
@@ -66,6 +66,20 @@ dependencies:
     - - ~>
       - !ruby/object:Gem::Version
         version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: encrypted_cookie
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.4
 description: ID please.
 email:
 - jd@heroku.com