merb-core 0.9.5 → 0.9.6

data/lib/merb-core/dispatch/cookies.rb

@@ -1,62 +1,48 @@
 module Merb
 
-  # Cookies are read and written through Merb::Controller#cookies. The cookies
-  # you read are those received in request along with those that have been set
-  # during the current request. The cookies you write will be sent out with the
-  # response. Cookies are read by value (so you won't get the cookie object
-  # itself back -- just the value it holds).
-  class Cookies
-
-    # ==== Parameters
-    # request_cookies<Hash>:: Initial cookie store.
-    # headers<Hash>:: The response headers.
-    def initialize(request_cookies, headers)
-      @_cookies = request_cookies
-      @_headers = headers
+  class Cookies < Mash
+  
+    def initialize(constructor = {}, cookie_defaults = {})
+      @_options_lookup = Mash.new
+      @_cookie_defaults = cookie_defaults
+      super constructor
     end
-
+    
+    # Implicit assignment of cookie key and value.
+    #
     # ==== Parameters
     # name<~to_s>:: Name of the cookie.
+    # value<~to_s>:: Value of the cookie.
     #
-    # ==== Returns
-    # String:: Value of the cookie.
-    def [](name)
-      @_cookies[name]
+    # ==== Notes
+    # By using this method, a cookie key is marked for being
+    # included in the Set-Cookie response header.
+    def []=(key, value)
+      @_options_lookup[key] ||= {}
+      super
     end
-
+    
+    # Explicit assignment of cookie key, value and options
+    #
     # ==== Parameters
     # name<~to_s>:: Name of the cookie.
-    # options<Hash, ~to_s>:: Options for the cookie being set (see below).
+    # value<~to_s>:: Value of the cookie.
+    # options<Hash>:: Additional options for the cookie (see below).
     #
     # ==== Options (options)
-    # :value<~to_s>:: Value of the cookie
     # :path<String>:: The path for which this cookie applies. Defaults to "/".
     # :expires<Time>:: Cookie expiry date.
     # :domain<String>:: The domain for which this cookie applies.
     # :secure<Boolean>:: Security flag.
     #
-    # ==== Alternatives
-    # If options is not a hash, it will be used as the cookie value directly.
-    #
-    # ==== Examples
-    #   cookies[:user] = "dave" # => Sets a simple session cookie
-    #   cookies[:token] = { :value => user.token, :expires => Time.now + 2.weeks }
-    #     # => Will set a cookie that expires in 2 weeks
-    def []=(name, options)
-      value = ''
-      if options.is_a?(Hash)
-        options = Mash.new(options)
-        value = options.delete(:value)
-      else
-        value = options
-        options = Mash.new
-      end
-      @_cookies[name] = value
-      set_cookie(name, Merb::Request.escape(value), options)
-      Merb.logger.info("Cookie set: #{name} => #{value} -- #{options.inspect}")
-      options
+    # ==== Notes
+    # By using this method, a cookie key is marked for being
+    # included in the Set-Cookie response header.
+    def set_cookie(name, value, options = {})
+      @_options_lookup[name] = options
+      self[name] = value
     end
-
+    
     # Removes the cookie on the client machine by setting the value to an empty
     # string and setting its expiration date into the past.
     #
@@ -64,50 +50,80 @@ module Merb
     # name<~to_s>:: Name of the cookie to delete.
     # options<Hash>:: Additional options to pass to +set_cookie+.
     def delete(name, options = {})
-      cookie = @_cookies.delete(name)
-      options = Mash.new(options)
-      options[:expires] = Time.at(0)
-
-      if domain = options[:domain] || Merb::Controller._session_cookie_domain
-        options[:domain] = domain
-      end
-
-      set_cookie(name, "", options)
-      Merb.logger.info("Cookie deleted: #{name} => #{cookie.inspect}")
-      cookie
+      set_cookie(name, "", options.merge(:expires => Time.at(0)))
     end
     
-    # ==== Parameters
-    # name<~to_s>:: Name of the cookie.
-    # value<~to_s>:: Value of the cookie.
-    # options<Hash>:: Additional options for the cookie (see below).
+    # Generate any necessary headers.
     #
-    # ==== Options (options)
-    # :path<String>:: The path for which this cookie applies. Defaults to "/".
-    # :expires<Time>:: Cookie expiry date.
-    # :domain<String>:: The domain for which this cookie applies.
-    # :secure<Boolean>:: Security flag.
-    def set_cookie(name, value, options)
-      options[:path] = '/' unless options[:path]
-      if expiry = options[:expires]
-        options[:expires] = expiry.gmtime.strftime(Merb::Const::COOKIE_EXPIRATION_FORMAT)
+    # ==== Returns
+    # Hash:: The headers to set, or an empty array if no cookies are set.
+    def extract_headers(controller_defaults = {})
+      defaults = @_cookie_defaults.merge(controller_defaults)
+      cookies = []
+      self.each do |name, value|
+        # Only set cookies that marked for inclusion in the response header. 
+        next unless @_options_lookup[name]
+        options = defaults.merge(@_options_lookup[name])
+        if (expiry = options[:expires]).respond_to?(:gmtime)
+          options[:expires] = expiry.gmtime.strftime(Merb::Const::COOKIE_EXPIRATION_FORMAT)
+        end
+        secure  = options.delete(:secure)
+        kookie  = "#{name}=#{Merb::Request.escape(value)}; "
+        options.each { |k, v| kookie << "#{k}=#{v}; " }
+        kookie  << 'secure' if secure
+        cookies << kookie.rstrip
       end
+      cookies.empty? ? {} : { 'Set-Cookie' => cookies }
+    end
+    
+  end
+  
+  module CookiesMixin
+    
+    def self.included(base)
+      # Allow per-controller default cookie domains (see callback below)
+      base.class_inheritable_accessor :_default_cookie_domain
+      base._default_cookie_domain = Merb::Config[:default_cookie_domain]
       
-      if domain = options[:domain] || Merb::Controller._session_cookie_domain
-        options[:domain] = domain
+      # Add a callback to enable Set-Cookie headers
+      base._after_dispatch_callbacks << lambda do |c|
+        headers = c.request.cookies.extract_headers(:domain => c._default_cookie_domain)
+        c.headers.update(headers)
       end
-
-      secure = options.delete(:secure)
-      
-      @_headers['Set-Cookie'] ||=[]
-      
-      kookie = "#{name}=#{value}; "
-      # options are sorted for testing purposes:
-      # Hash is unsorted so string is spec is random every run
-      kookie <<  options.map{|k, v| "#{k}=#{v};"}.join(' ')
-      kookie << ' secure' if secure
-      
-      @_headers['Set-Cookie'] << kookie
     end
+    
+    # ==== Returns
+    # Merb::Cookies::
+    #   A new Merb::Cookies instance representing the cookies that came in
+    #   from the request object
+    #
+    # ==== Notes
+    # Headers are passed into the cookie object so that you can do:
+    #   cookies[:foo] = "bar"
+    def cookies
+      request.cookies
+    end
+    
+    module RequestMixin
+            
+      # ==== Returns
+      # Hash:: The cookies for this request.
+      #
+      # ==== Notes
+      # If a method #default_cookies is defined it will be called. This can
+      # be used for session fixation purposes for example. The method returns
+      # a Hash of key => value pairs.
+      def cookies
+        @cookies ||= begin
+          values  = self.class.query_parse(@env[Merb::Const::HTTP_COOKIE], ';,')
+          cookies = Merb::Cookies.new(values, :domain => Merb::Controller._default_cookie_domain, :path => '/')
+          cookies.update(default_cookies) if respond_to?(:default_cookies)
+          cookies
+        end
+      end
+      
+    end   
+    
   end
+  
 end

data/lib/merb-core/dispatch/default_exception/views/index.html.erb

@@ -28,8 +28,10 @@
       <h3>Parameters</h3>
       <%= listing("Parameter", "Value", request.params) %>
 
+      <% if request.session? %>
       <h3>Session</h3>
       <%= listing("Key", "Value", request.session) %>
+      <% end %>
 
       <h3>Cookies</h3>
       <%= listing("Cookie", "Value", request.cookies) %>

data/lib/merb-core/dispatch/request.rb

@@ -3,8 +3,8 @@ require 'tempfile'
 module Merb
   
   class Request
-    # def env def session def route_params
-    attr_accessor :env, :session, :exceptions, :route
+    # def env def exceptions def route_params
+    attr_accessor :env, :exceptions, :route
     attr_reader :route_params
     
     # by setting these to false, auto-parsing is disabled; this way you can
@@ -207,6 +207,7 @@ module Merb
     end
     
     public
+    
     # ==== Returns
     # Mash:: All request parameters.
     #
@@ -236,20 +237,7 @@ module Merb
     def reset_params!
       @params = nil
     end
-
-    # ==== Returns
-    # Hash:: The cookies for this request.
-    def cookies
-      @cookies ||= begin 
-        cookies = self.class.query_parse(@env[Merb::Const::HTTP_COOKIE], ';,')
-        if route && route.allow_fixation? && params.key?(Merb::Controller._session_id_key)
-          Merb.logger.info("Fixated session id: #{Merb::Controller._session_id_key}")
-          cookies[Merb::Controller._session_id_key] = params[Merb::Controller._session_id_key]
-        end
-        cookies
-      end
-    end
-
+    
     # ==== Returns
     # String:: The raw post.
     def raw_post
@@ -459,6 +447,20 @@ module Merb
     def domain(tld_length = 1)
       host.split('.').last(1 + tld_length).join('.').sub(/:\d+$/,'')
     end
+
+    # ==== Returns
+    # Value of If-None-Match request header.
+    def if_none_match
+      @env[Merb::Const::HTTP_IF_NONE_MATCH]
+    end
+
+    # ==== Returns
+    # Value of If-Modified-Since request header.
+    def if_modified_since
+      if time = @env[Merb::Const::HTTP_IF_MODIFIED_SINCE]
+        Time.rfc2822(time)
+      end
+    end
     
     class << self
       

data/lib/merb-core/dispatch/router/route.rb

@@ -258,9 +258,15 @@ module Merb
           format = fallback[:format] if format == :current
           url += ".#{format}"
         end
+        if query_params
+          fragment = query_params.delete(:fragment)
+        end
         if query_params && !query_params.empty?
           url += "?" + Merb::Request.params_to_query_string(query_params)
         end
+        if fragment
+          url += "##{fragment}"
+        end
         url
       end
 

data/lib/merb-core/dispatch/router.rb

@@ -169,7 +169,7 @@ module Merb
       # String:: The generated URL.
       def generate_for_default_route(params, fallback)
         query_params = params.reject do |k,v|
-          [:controller, :action, :id, :format].include?(k.to_sym)
+          [:controller, :action, :id, :format, :fragment].include?(k.to_sym)
         end
 
         controller = params[:controller] || fallback[:controller]
@@ -191,6 +191,9 @@ module Merb
         unless query_params.empty?
           url += "?" + Merb::Request.params_to_query_string(query_params)
         end
+        if params[:fragment]
+          url += "##{params[:fragment]}"
+        end
         url
       end
     end # self

data/lib/merb-core/dispatch/session/container.rb

@@ -0,0 +1,64 @@
+module Merb
+  class SessionContainer < Mash
+  
+    class_inheritable_accessor :session_store_type
+    cattr_accessor :subclasses 
+    self.subclasses = []
+  
+    attr_reader :session_id
+    attr_accessor :needs_new_cookie
+  
+    class << self
+  
+      # Register the subclass as an available session store type.
+      def inherited(klass)
+        self.subclasses << klass.to_s
+        super
+      end
+
+      # Generates a new session ID and creates a new session.
+      #
+      # ==== Returns
+      # SessionContainer:: The new session.
+      def generate
+      end
+    
+      # ==== Parameters
+      # request<Merb::Request>:: The Merb::Request that came in from Rack.
+      #
+      # ==== Returns
+      # SessionContainer:: a SessionContainer. If no sessions were found, 
+      # a new SessionContainer will be generated.
+      def setup(request)
+      end    
+    
+    end
+  
+    # ==== Parameters
+    # session_id<String>:: A unique identifier for this session.
+    def initialize(session_id)
+      self.session_id = session_id
+    end
+  
+    # Teardown and/or persist the current session.
+    #
+    # ==== Parameters
+    # request<Merb::Request>:: The Merb::Request that came in from Rack.
+    def finalize(request)
+    end
+    
+    # Assign a new session_id.
+    #
+    # Recreates the cookie with the default expiration time. Useful during log
+    # in for pushing back the expiration date.
+    def session_id=(sid)
+      self.needs_new_cookie = (@session_id && @session_id != sid)
+      @session_id = sid
+    end
+  
+    # Regenerate the Session ID
+    def regenerate
+    end
+  
+  end
+end

data/lib/merb-core/dispatch/session/cookie.rb

@@ -3,36 +3,6 @@ require 'openssl'       # to generate the HMAC message digest
 # Most of this code is taken from bitsweat's implementation in rails
 module Merb
 
-  module SessionMixin
-
-    # Adds a before and after dispatch hook for setting up the cookie session
-    # store.
-    #
-    # ==== Parameters
-    # base<Class>:: The class to which the SessionMixin is mixed into.
-    def setup_session
-      request.session = Merb::CookieSession.new(cookies[_session_id_key], _session_secret_key)
-      @original_session = request.session.read_cookie
-    end
-
-    # Finalizes the session by storing the session in a cookie, if the session
-    # has changed.
-    def finalize_session
-      new_session = request.session.read_cookie
-      if @original_session != new_session
-        options = {:expires => (Time.now + _session_expiry)}
-        options[:domain] = _session_cookie_domain if _session_cookie_domain
-        cookies.set_cookie(_session_id_key, new_session, options)
-      end
-    end
-
-    # ==== Returns
-    # String:: The session store type, i.e. "cookie".
-    def session_store_type
-      "cookie"
-    end
-  end
-  
   # If you have more than 4K of session data or don't want your data to be
   # visible to the user, pick another session store.
   #
@@ -41,108 +11,112 @@ module Merb
   #
   # A message digest is included with the cookie to ensure data integrity:
   # a user cannot alter session data without knowing the secret key included
-  # in the hash. 
-  # 
+  # in the hash.
+  #
   # To use Cookie Sessions, set in config/merb.yml
   #  :session_secret_key - your secret digest key
   #  :session_store: cookie
-  class CookieSession
+  class CookieSession < SessionContainer
     # TODO (maybe):
     # include request ip address
     # AES encrypt marshaled data
-    
+
     # Raised when storing more than 4K of session data.
     class CookieOverflow < StandardError; end
-    
+
     # Raised when the cookie fails its integrity check.
     class TamperedWithCookie < StandardError; end
-    
+
     # Cookies can typically store 4096 bytes.
     MAX = 4096
     DIGEST = OpenSSL::Digest::Digest.new('SHA1') # or MD5, RIPEMD160, SHA256?
-    
-    attr_reader :data
+
+    attr_accessor :_original_session_data
+
+    # The session store type
+    self.session_store_type = :cookie
+
+    class << self
+      # Generates a new session ID and creates a new session.
+      #
+      # ==== Returns
+      # SessionContainer:: The new session.
+      def generate
+        self.new(Merb::SessionMixin.rand_uuid, "", Merb::Request._session_secret_key)
+      end
+
+      # Setup a new session.
+      #
+      # ==== Parameters
+      # request<Merb::Request>:: The Merb::Request that came in from Rack.
+      #
+      # ==== Returns
+      # SessionContainer:: a SessionContainer. If no sessions were found,
+      # a new SessionContainer will be generated.
+      def setup(request)
+        session = self.new(Merb::SessionMixin.rand_uuid,
+          request.session_cookie_value, request._session_secret_key)
+        session._original_session_data = session.to_cookie
+        request.session = session
+      end
+
+    end
 
     # ==== Parameters
-    # cookie<String>:: The cookie.
+    # session_id<String>:: A unique identifier for this session.
+    # cookie<String>:: The raw cookie data.
     # secret<String>:: A session secret.
     #
     # ==== Raises
     # ArgumentError:: Nil or blank secret.
-    def initialize(cookie, secret)
-      if secret.nil? or secret.blank?
+    def initialize(session_id, cookie, secret)
+      super session_id
+      if secret.blank? || secret.length < 16
+        Merb.logger.warn("You must specify a session_secret_key in your init file, and it must be at least 16 characters")
         raise ArgumentError, 'A secret is required to generate an integrity hash for cookie session data.'
       end
       @secret = secret
-      @data = unmarshal(cookie) || Hash.new
+      self.update(unmarshal(cookie))
     end
-    
-    # ==== Returns
-    # String:: Cookie value.
+
+    # Teardown and/or persist the current session.
     #
-    # ==== Raises
-    # CookieOverflow:: Session contains too much information.
-    def read_cookie
-      unless @data.nil?
-        updated = marshal(@data)
-        raise CookieOverflow if updated.size > MAX
-        updated
-      end
-    end
-    
     # ==== Parameters
-    # k<~to_s>:: The key of the session parameter to set.
-    # v<~to_s>:: The value of the session parameter to set.
-    def []=(k, v) 
-      @data[k] = v
+    # request<Merb::Request>:: The Merb::Request that came in from Rack.
+    def finalize(request)
+      if _original_session_data != (new_session_data = self.to_cookie)
+        request.set_session_cookie_value(new_session_data)
+      end
     end
 
-    # ==== Parameters
-    # k<~to_s>:: The key of the session parameter to retrieve.
+    # Create the raw cookie string; includes an HMAC keyed message digest.
     #
     # ==== Returns
-    # String:: The value of the session parameter.
-    def [](k) 
-      @data[k] 
-    end
-
-    # Yields the session data to an each block.
+    # String:: Cookie value.
+    #
+    # ==== Raises
+    # CookieOverflow:: Session contains too much information.
     #
-    # ==== Parameter
-    # &b:: The block to pass to each.
-    def each(&b) 
-      @data.each(&b) 
+    # ==== Notes
+    # The data (self) is converted to a Hash first, since a container might
+    # choose to do a full Marshal on the data, which would make it persist
+    # attributes like 'needs_new_cookie', which it shouldn't.
+    def to_cookie
+      unless self.empty?
+        data = self.serialize
+        value = Merb::Request.escape "#{data}--#{generate_digest(data)}"
+        raise CookieOverflow if value.size > MAX
+        value
+      end
     end
 
-    # Deletes the session by emptying stored data.
-    def delete  
-      @data = {} 
-    end
-    
     private
 
-    # Attempts to redirect any messages to the data object.
-    def method_missing(name, *args, &block)
-      @data.send(name, *args, &block)
-    end
-    
     # Generate the HMAC keyed message digest. Uses SHA1.
     def generate_digest(data)
       OpenSSL::HMAC.hexdigest(DIGEST, @secret, data)
     end
-    
-    # Marshal a session hash into safe cookie data. Include an integrity hash.
-    #
-    # ==== Parameters
-    # session<Hash>:: The session to store in the cookie.
-    #
-    # ==== Returns
-    # String:: The cookie to be stored.
-    def marshal(session)
-      data = Base64.encode64(Marshal.dump(session)).chop
-      Merb::Request.escape "#{data}--#{generate_digest(data)}"
-    end
-    
+
     # Unmarshal cookie data to a hash and verify its integrity.
     #
     # ==== Parameters
@@ -154,15 +128,31 @@ module Merb
     # ==== Returns
     # Hash:: The stored session data.
     def unmarshal(cookie)
-      if cookie
-        data, digest = cookie.split('--')
-        return {} if data.blank?
+      if cookie.blank?
+        {}
+      else
+        data, digest = Merb::Request.unescape(cookie).split('--')
+        return {} if data.blank? || digest.blank?
         unless digest == generate_digest(data)
-          delete
-          raise TamperedWithCookie, "Maybe the site's session_secret_key has changed?"
+          clear
+          unless Merb::Config[:ignore_tampered_cookies]
+            raise TamperedWithCookie, "Maybe the site's session_secret_key has changed?"
+          end
         end
-        Marshal.load(Base64.decode64(data))
+        unserialize(data)
       end
     end
+
+    protected
+
+    # Serialize current session data - as a Hash
+    def serialize
+      Base64.encode64(Marshal.dump(self.to_hash)).chop
+    end
+
+    # Unserialize the raw cookie data - to a Hash
+    def unserialize(data)
+      Marshal.load(Base64.decode64(data)) rescue {}
+    end
   end
-end
+end