hubssolib 3.0.0 → 3.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f418c1a21497375e396be12fd95387b6a436ed42c8145dc681ee041eded447a3
-  data.tar.gz: 06d7868acf059c7c9df758d960b508e6e063fb0f1b012ff520a549772079a486
+  metadata.gz: 856e89d2f8189bee83fdc33ec1cfea64c19a14e79d16703c434fd88f8502e933
+  data.tar.gz: 13d52a8023ec552a6756f4dd9f1e89533cd7d5c30b8898028c15b827d4bb5826
 SHA512:
-  metadata.gz: fa015b2a0853402ee85b23c788bfd52a15cbda02c000ad0c6f6eba882e664393fe7927119f2b53c2f396d9b8f6d9337b85bdfa5fe50866e07a9fe7942b8700cf
-  data.tar.gz: 006b768e21fe802806c946062b0e74be65cad124833f861455f09f684887c09104f281450b08295bf9c17f472e1839c291b6f6422212cbf9717d03d8925ba3c6
+  metadata.gz: a1c68c61d8a3522cf78299a2163d17fbd1627d19bdcc687de54f764bea4ae5b9e295ffeb6d1bceb3a0605d53234121dfa89bf62216710f47aa89bc30b66fb2e8
+  data.tar.gz: 6bc61f08b7b633d8ba4c11e794a46f69475fad73fa5e94f9ae2a25c7169fb8c778540b717da807c22c1f2063a3f059573e280874f98ca43968945f8c1a9be71d

data/CHANGELOG.md

@@ -1,22 +1,59 @@
-## 3.0.0, 28-Jan-2025
+## 3.0.2, 04-Feb 2025
 
-* The Hub "login indication" URL approach is now dropped, so layout templates **must be updated.**
+Fixes a bug that could cause cookie deletions for login state indication to sometimes fail to work as expected.
+
+## 3.0.0, 28-Jan-2025 and 3.0.1, 03-Feb-2025
+
+* The Hub "login indication" URL approach is now dropped, so layout templates **should be updated.**
 
 In Hub v1 and v2, login indication was done via an image that was served by the Hub application itself, wrapped in a link that visited a "conditional login" endpoint which stored the return-to URL, ensured HTTPS was in use and visited either the log in, or log out page as required. In client applications it looked a bit like this:
 
 ```html
-  <a class="img" href="<%= ENV['HUB_PATH_PREFIX'] %>/account/login_conditional">
-    <img src="<%= ENV['HUB_PATH_PREFIX'] %>/account/login_indication" alt="Account" height="22" width="90" />
-  </a>
+<a class="img" href="<%= ENV['HUB_PATH_PREFIX'] %>/account/login_conditional">
+  <img src="<%= ENV['HUB_PATH_PREFIX'] %>/account/login_indication" alt="Account" height="22" width="90" />
+</a>
 ```
 
-This dates back to a time when CSS support was not that widespread and RISC OS Open needed the web site to work well on web browsers available at the time. Things have improved enormously since then, so now a cleaner, pure CSS solution is used. This has the enormous advantage of requiring no image fetch request-response into the Hub application. Just use:
+This dates back to a time when CSS support was not that widespread and RISC OS Open needed the web site to work well on web browsers available at the time. Things have improved considerably since then, so now a cleaner, pure CSS solution is used. This requires no image fetch via the Hub application. Just use:
 
 ```ruby
 <%= hubssolib_account_link() %>
 ```
 
-...in place of the markup above.
+...in place of the markup above. You probably want to add some supporting CSS too; for example:
+
+```css
+#hubssolib_login_indication a#hubssolib_logged_in_link,
+#hubssolib_login_indication a#hubssolib_logged_out_link {
+  display:         block;
+  text-align:      center;
+  text-decoration: none;
+  font:            sans-serif;
+  font-size:       10pt;
+  line-height:     20px;
+  height:          20px;
+  width:           88px;
+  border:          1px solid #ccc;
+}
+
+#hubssolib_login_indication a#hubssolib_logged_in_link {
+  color:        #050;
+  border-color: #050;
+  background:   #efe;
+}
+
+#hubssolib_login_indication a#hubssolib_logged_out_link {
+  color:        #500;
+  border-color: #500;
+  background:   #fee;
+}
+
+#hubssolib_login_indication a#hubssolib_login_noscript {
+  text-decoration: none;
+}
+```
+
+Version 3.0.1 patches the system to make sure that the correct current login state is shown even if a browser has a page cached. To achieve this, JavaScript is used to check cookie state and update the indication on-the-fly. There is a `noscript` fallback that uses the old, inefficient `login_indication` image mechanism - just in case. The CSS styles above are designed to match those images, though of course, they certainly don't have to!
 
 
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    hubssolib (3.0.0)
+    hubssolib (3.0.2)
       base64 (~> 0.2)
       drb (~> 2.2)
 

data/README.md

@@ -48,7 +48,7 @@ Finally you can install the Hub application using whatever mechanism you prefer
 
 Some configuration is needed using externally set environment variables. These are actually picked up by the Hub gem but you won't know what values to set until the application, DRb server and gem are all installed.
 
-*   `HUB_CONNECTION_URI` — as already discussed, this must hold a DRb URI giving the connection socket on which the server listens and to which clients connect.
+*   `HUB_CONNECTION_URI` — as already discussed, this holds a DRb URI giving the connection socket on which the server listens and to which clients connect; it defaults to `~/.hub_drb`.
 *   `HUB_PATH_PREFIX` — sometimes the Hub Gem redirects to various locations within the Hub application. If you have installed the application away from document root, specify the prefix to put onto redirection paths here (otherwise, provide an empty string). For example, when redirecting to the `account` controller's `login` method, the path used is `HUB_PATH_PREFIX + '/account/login'`.
 *   `HUB_BYPASS_SSL` - normally Hub sets cookies as secure-only in Production mode, requiring `https` fetches. This isn't enforced in e.g. development mode. If you want to allow insecure transport in Production, set `HUB_BYPASS_SSL` to `true`.
 
@@ -69,11 +69,22 @@ bundle exec rails s -b 127.0.0.1 --port 3000
 ...and then launch integrating applications with:
 
 ```
-HUB_PATH_PREFIX="http://127.0.0.1:3000" be rails s -b 127.0.0.1 --port <other-port>
+HUB_BYPASS_SSL="true" HUB_PATH_PREFIX="http://127.0.0.1:3000" be rails s -b 127.0.0.1 --port <other-port>
 ```
 
 ...and fetch `http://127.0.0.1:<other-port>` in your web browser.
 
+## Your application's session cookies
+
+It is often a good idea to clear application cookies when Hub users log in or out, so that there is no stale session data hanging around. **The Hub application auto-clears *all* cookies *ending with* the name `app_session`** for this purpose. Therefore, your application might include a `config/initializers/session_store.rb` file that says something like this:
+
+```ruby
+# Be sure to restart your server when you modify this file.
+Rails.application.config.session_store :cookie_store, key: 'yourappname_app_session'
+```
+
+This of course only applies if you're using cookies for your session data.
+
 ## Testing the installation
 
 Visit your application in a Web browser and follow the links to sign up for a new account. To sign up, provide a name that will be displayed to users and a valid e-mail address. A confirmation message is sent to the address, containing a link that must be followed to activate the account. One created, users can log in and out of their accounts (with the possibility of sending a password reset request to their e-mail address in case they forget how to log in) and change their screen names. Users cannot change their recorded e-mail address — instead, they must create a new account under the new address.

data/hubssolib.gemspec

@@ -4,7 +4,7 @@ spec = Gem::Specification.new do |s|
   s.platform = Gem::Platform::RUBY
   s.name     = 'hubssolib'
 
-  s.version  = '3.0.0'
+  s.version  = '3.0.2'
   s.author   = 'Andrew Hodgkinson and others'
   s.email    = 'ahodgkin@rowing.org.uk'
   s.homepage = 'http://pond.org.uk/'

data/lib/hub_sso_lib.rb

@@ -42,7 +42,11 @@ module HubSsoLib
   HUB_IDLE_TIME_LIMIT = 4 * 60 * 60
 
   # Shared cookie name.
-  HUB_COOKIE_NAME = 'hubapp_shared_id'
+  HUB_COOKIE_NAME = :hubapp_shared_id
+
+  # Principally for #hubssolib_account_link.
+  HUB_LOGIN_INDICATOR_COOKIE       = :hubapp_shared_id_alive
+  HUB_LOGIN_INDICATOR_COOKIE_VALUE = 'Y'
 
   # Bypass SSL, for testing purposes? Rails 'production' mode will
   # insist on SSL otherwise. Development & test environments do not,
@@ -523,20 +527,60 @@ module HubSsoLib
     # used in page templates to avoid needing any additional images or other
     # such resources and using pure HTML + CSS for the login indication.
     #
+    # JavaScript is used so that e.g. "back" button fully-cached displays by a
+    # browser will get updated with the correct login state, where needed (so
+    # long as the 'pageshow' event is supported). NOSCRIPT browsers use the old
+    # no-cache image fallback, which is much less efficient, but works.
+    #
     def hubssolib_account_link
-      logged_in = self.hubssolib_logged_in?()
+      logged_in        = self.hubssolib_logged_in?()
 
-      text, klass, style = if logged_in
-        ['Account', 'hubssolib_logged_in',  'border: 1px solid #050; color: #050; background: #efe;']
-      else
-        ['Log in',  'hubssolib_logged_out', 'border: 1px solid #500; color: #500; background: #fee;']
-      end
+      ui_href          = "#{HUB_PATH_PREFIX}/account/login_conditional"
+      noscript_img_src = "#{HUB_PATH_PREFIX}/account/login_indication.png"
+      noscript_img_tag = helpers.image_tag(noscript_img_src, size: '90x22', border: '0', alt: 'Log in or out')
 
-      style << ' display: block; width: 88px; height; 20px;'
-      style << ' text-align: center; line-height: 20px;'
-      style << ' font: sans-serif; font-size: 10pt'
+      logged_in_link   = helpers.link_to('Account',        ui_href, id: 'hubssolib_logged_in_link')
+      logged_out_link  = helpers.link_to('Log in',         ui_href, id: 'hubssolib_logged_out_link')
+      noscript_link    = helpers.link_to(noscript_img_tag, ui_href, id: 'hubssolib_login_noscript')
 
-      "<a href=\"#{HUB_PATH_PREFIX}/account/login_conditional\" class=\"#{klass}\" style=\"#{style}\">#{text}</a>".html_safe()
+      # Yes, it's ugly, but yes, it works and it's a lot better for the server
+      # to avoid the repeated image fetches. It probably works out as overall
+      # more efficient for clients too - despite all the JS etc. work, there's
+      # no network fetch overhead or image rendering. On mobile in particular,
+      # the JS solution is likely to use less battery power.
+      #
+      safe_markup = <<~HTML
+        <div id="hubssolib_login_indication">
+          <noscript>
+            #{noscript_link}
+          </noscript>
+        </div>
+        <script type="text/javascript">
+          const logged_in_html  = "#{helpers.j(logged_in_link)}";
+          const logged_out_html = "#{helpers.j(logged_out_link)}";
+          const container       = document.getElementById('hubssolib_login_indication')
+
+          function hubSsoLibLoginStateWriteLink() {
+            const regexp = '#{helpers.j(HUB_LOGIN_INDICATOR_COOKIE)}\\s*=\\s*([^;]+)';
+            const flag   = document.cookie.match(regexp)?.pop() || '';
+
+            if (flag === '#{HUB_LOGIN_INDICATOR_COOKIE_VALUE}') {
+              container.innerHTML = logged_in_html;
+            } else {
+              container.innerHTML = logged_out_html;
+            }
+          }
+          #{
+            # Immediate update, plus on-load update - including fully cached
+            # loads in the browser when the "Back" button is used. No stale
+            # login indications should thus arise from cached data.
+          }
+          hubSsoLibLoginStateWriteLink();
+          window.addEventListener('pageshow', hubSsoLibLoginStateWriteLink);
+        </script>
+      HTML
+
+      return safe_markup.html_safe()
     end
 
     # Check if the user is authorized to perform the current action. If calling
@@ -665,7 +709,7 @@ module HubSsoLib
     def hubssolib_beforehand
 
       # Does this action require a logged in user?
-
+      #
       if (self.class.respond_to? :hubssolib_permissions)
         login_is_required = !self.class.hubssolib_permissions.permitted?('', action_name)
       else
@@ -673,19 +717,31 @@ module HubSsoLib
       end
 
       # If we require login but we're logged out, redirect to Hub login.
-
+      # NOTE EARLY EXIT
+      #
       logged_in = hubssolib_logged_in?
 
-      if (login_is_required and logged_in == false)
-        hubssolib_store_location
-        return hubssolib_must_login
-      end
+      if logged_in == false
+        cookies.delete(HUB_LOGIN_INDICATOR_COOKIE, domain: :all, path: '/')
 
-      # If we reach here the user is either logged, or the method does
-      # not require them to be. In the latter case, if we're not logged
-      # in there is no more work to do - exit early.
+        if login_is_required
+          hubssolib_store_location
+          return hubssolib_must_login
+        else
+          return true
+        end
+      end
 
-      return true unless logged_in # true -> let action processing continue
+      # Definitely logged in.
+      #
+      cookies[HUB_LOGIN_INDICATOR_COOKIE] = {
+        value:    HUB_LOGIN_INDICATOR_COOKIE_VALUE,
+        path:     '/',
+        domain:   :all,
+        expires:  1.year, # I.e. *not* session-scope
+        secure:   ! hub_bypass_ssl?,
+        httponly: false
+      }
 
       # So we reach here knowing we're logged in, but the action may or
       # may not require authorisation.
@@ -983,11 +1039,11 @@ module HubSsoLib
       key         = hub_session.session_key_rotation unless hub_session.nil?
 
       cookies[HUB_COOKIE_NAME] = {
-        :value    => key,
-        :domain   => :all,
-        :path     => '/',
-        :secure   => ! hub_bypass_ssl?,
-        :httponly => true
+        value:    key,
+        path:     '/',
+        domain:   :all,
+        secure:   ! hub_bypass_ssl?,
+        httponly: true
       }
 
       return hub_session

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: hubssolib
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.0.2
 platform: ruby
 authors:
 - Andrew Hodgkinson and others
 bindir: bin
 cert_chain: []
-date: 2025-01-28 00:00:00.000000000 Z
+date: 2025-02-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: drb