RubyGems - mbuzz - Versions diffs - 0.7.2 → 0.7.3 - Mend

mbuzz 0.7.2 → 0.7.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +20 -0
data/lib/mbuzz/middleware/tracking.rb +33 -36
data/lib/mbuzz/version.rb +1 -1
data/lib/mbuzz.rb +0 -3
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0d8514076473bbc4fa543510e84789f8cb91ccc99e916b3cef4f4928aaf6baf5
-  data.tar.gz: 159074f0dbac29eb6b721bab4288ce976e4e4361ba503caffc36f37e79cf315e
+  metadata.gz: 717fff0f77150fb5f0a2ddcd60e59aaccaacdddbe41acd88ec7b953b568ec448
+  data.tar.gz: caedfee3a6e6ced3dcfadcfcce5b80a9f13679b73710f0933b6c2d8573c2accb
 SHA512:
-  metadata.gz: 3d515f639e577a68d9daa8afe13de92dec0a5556cfad2e335ea482f7db0240ff996dd1fb6bbf3388e7f632cb8300e439028091cf1c551627c9be1c22e73ca666
-  data.tar.gz: 9fbe4999f2ce0855d83847d61b4684f30217c01c9074df4cced51e4083167cf3ca24e0e5223f2e57fd859aab6d88f60a68a0adc3074bd0a7f4356c0f9d3e5116
+  metadata.gz: ce5da1805916ac523dc3d9a40e8b3126ee8f7b1d95cc3fe042d6e800e796e38227f117edd9acb72e1ec4e357cd83d378fe87b3f87eb063c2857f267ae2508c56
+  data.tar.gz: 190f2ddbf15dbc17cde637ee4f8ed4d00a8b06d47f0d16fce9b54e96e67e7e8191359f57cc3a5e218c9028ccac072e14e0035a1c1cc0f5c9a4e95b3c14b73c41

data/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,26 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [0.7.3] - 2026-02-02
+### Breaking Changes
+- **Session cookie removed** — `_mbuzz_sid` cookie is no longer set or read. Sessions are fully server-side.
+- **`SESSION_COOKIE_NAME` and `SESSION_COOKIE_MAX_AGE` constants removed** from `Mbuzz` module.
+### Added
+- **Navigation-aware session creation** — middleware now gates `POST /sessions` on real page navigations using browser-enforced `Sec-Fetch-*` headers (whitelist), with a framework-specific blacklist fallback for older browsers and bots.
+  - Turbo Frame, htmx, Unpoly, and XHR sub-requests no longer create spurious sessions.
+  - Prefetches and iframe loads are correctly filtered out.
+- New public methods on `Mbuzz::Middleware::Tracking`: `should_create_session?`, `sec_fetch_headers?`, `page_navigation?`, `framework_sub_request?`
+### Migration Guide
+1. Remove any code that reads or depends on the `_mbuzz_sid` cookie.
+2. Remove references to `Mbuzz::SESSION_COOKIE_NAME` or `Mbuzz::SESSION_COOKIE_MAX_AGE`.
+3. Visitor cookie (`_mbuzz_vid`) is unaffected — still set on every request.
 ## [0.7.0] - 2026-01-09
 ### Breaking Changes

data/lib/mbuzz/middleware/tracking.rb CHANGED Viewed

@@ -23,12 +23,11 @@ module Mbuzz
         store_in_current_attributes(context, request)
-        create_session_async(context, request) if context[:new_session]
+        create_session_async(context, request) if should_create_session?(env)
         RequestContext.with_context(request: request) do
           status, headers, body = @app.call(env)
           set_visitor_cookie(headers, context, request)
-          set_session_cookie(headers, context, request)
           [status, headers, body]
         ensure
           reset_current_attributes
@@ -51,25 +50,46 @@ module Mbuzz
         Mbuzz.config.all_skip_extensions.any? { |ext| path.end_with?(ext) }
       end
+      # Navigation detection — only create sessions for real page navigations.
+      # Sec-Fetch-* headers (browser-enforced, unforgeable) are the primary signal;
+      # framework-specific blacklist covers old browsers and bots.
+      def should_create_session?(env)
+        return page_navigation?(env) if sec_fetch_headers?(env)
+        !framework_sub_request?(env)
+      end
+      def sec_fetch_headers?(env)
+        !env["HTTP_SEC_FETCH_MODE"].nil?
+      end
+      def page_navigation?(env)
+        env["HTTP_SEC_FETCH_MODE"] == "navigate" &&
+          env["HTTP_SEC_FETCH_DEST"] == "document" &&
+          env["HTTP_SEC_PURPOSE"].nil?
+      end
+      def framework_sub_request?(env)
+        !env["HTTP_TURBO_FRAME"].nil? ||
+          !env["HTTP_HX_REQUEST"].nil? ||
+          !env["HTTP_X_UP_VERSION"].nil? ||
+          env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest"
+      end
       private
-      # Build all request-specific context as a frozen hash
-      # This ensures thread-safety by using local variables only
-      # IMPORTANT: All values needed by async session creation must be captured here,
-      # NOT accessed from the request object in the background thread (see #create_session)
+      # Build all request-specific context as a frozen hash.
+      # Thread-safety: all values needed by async session creation are captured here,
+      # NOT accessed from the request object in the background thread.
       def build_request_context(request)
-        existing_session_id = session_id_from_cookie(request)
-        new_session = existing_session_id.nil?
         ip = extract_ip(request)
         user_agent = request.user_agent.to_s
         {
           visitor_id: resolve_visitor_id(request),
-          session_id: existing_session_id || generate_session_id,
+          session_id: SecureRandom.uuid,
           user_id: user_id_from_session(request),
-          new_session: new_session,
-          # Session creation data - captured here for thread-safety
-          # Background thread must NOT read from request object
           url: request.url,
           referrer: request.referer,
           ip: ip,
@@ -86,14 +106,6 @@ module Mbuzz
         request.cookies[VISITOR_COOKIE_NAME]
       end
-      def session_id_from_cookie(request)
-        request.cookies[SESSION_COOKIE_NAME]
-      end
-      def generate_session_id
-        SecureRandom.uuid
-      end
       def user_id_from_session(request)
         request.session[SESSION_USER_ID_KEY] if request.session
       end
@@ -126,7 +138,7 @@ module Mbuzz
         Rails.logger.error("[Mbuzz] #{message}")
       end
-      # Cookie setting - visitor and session cookies
+      # Cookie setting - visitor identity only (sessions are server-side)
       def set_visitor_cookie(headers, context, request)
         Rack::Utils.set_cookie_header!(
@@ -136,14 +148,6 @@ module Mbuzz
         )
       end
-      def set_session_cookie(headers, context, request)
-        Rack::Utils.set_cookie_header!(
-          headers,
-          SESSION_COOKIE_NAME,
-          session_cookie_options(context, request)
-        )
-      end
       def visitor_cookie_options(context, request)
         base_cookie_options(request).merge(
           value: context[:visitor_id],
@@ -151,13 +155,6 @@ module Mbuzz
         )
       end
-      def session_cookie_options(context, request)
-        base_cookie_options(request).merge(
-          value: context[:session_id],
-          max_age: SESSION_COOKIE_MAX_AGE
-        )
-      end
       def base_cookie_options(request)
         options = {
           path: VISITOR_COOKIE_PATH,

data/lib/mbuzz/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Mbuzz
-  VERSION = "0.7.2"
+  VERSION = "0.7.3"
 end

data/lib/mbuzz.rb CHANGED Viewed

@@ -27,9 +27,6 @@ module Mbuzz
   VISITOR_COOKIE_PATH = "/"
   VISITOR_COOKIE_SAME_SITE = "Lax"
-  SESSION_COOKIE_NAME = "_mbuzz_sid"
-  SESSION_COOKIE_MAX_AGE = 30 * 60 # 30 minutes
   SESSION_USER_ID_KEY = "user_id"
   ENV_USER_ID_KEY = "mbuzz.user_id"
   ENV_VISITOR_ID_KEY = "mbuzz.visitor_id"

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mbuzz
 version: !ruby/object:Gem::Version
-  version: 0.7.2
+  version: 0.7.3
 platform: ruby
 authors:
 - mbuzz team