messagesodium 0.2.0 → 0.3.0
- checksums.yaml +4 -4
- data/README.md +4 -3
- data/lib/messagesodium/version.rb +1 -1
- data/lib/messagesodium.rb +7 -2
- data/messagesodium.gemspec +2 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: ab737303b92992980e7aa7189686b57603c40cea
|
4
|
+
data.tar.gz: 3d3216c1bfbc8174f4ed8d4a1808a44c7b3d515a
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 6f267c8fc47f1741adfb8b239cf7e71f9b5e44d9ff2f1735f72c44f6916d2d0db74db9cd3d0d6bfcab4e37a10e98da80de7fa4a8e17060ae4fc4b6224fe5a7d5
|
7
|
+
data.tar.gz: 4024beeed614f60c3831940d0295f9baf14ef7cae9d627c1832d70ae46be2803e877579f8567459960fd192f005bb61689071adb169caee7b230f8db53f88ecb
|
data/README.md
CHANGED
@@ -1,12 +1,13 @@
|
|
1
1
|
# Messagesodium
|
2
2
|
|
3
|
-
Project status:
|
3
|
+
Project status: 1.0 Release candidate
|
4
4
|
|
5
5
|
Patches Cookiestore to use libsodium for encryption and verification.
|
6
|
+
[![Build Status](https://travis-ci.org/technion/messagesodium.svg?branch=master)](https://travis-ci.org/technion/messagesodium)
|
6
7
|
|
7
8
|
# Cookistore
|
8
9
|
|
9
|
-
Rails [Cookiestore](https://www.justinweiss.com/articles/how-rails-sessions-work/) is a heavily underrated feature. It bought commonsense to session management at a time when [saving every user session in its own tmpfile on a server](http://php.net/manual/en/function.session-start.php) was slow and unreasonable to scale
|
10
|
+
Rails [Cookiestore](https://www.justinweiss.com/articles/how-rails-sessions-work/) is a heavily underrated feature. It bought commonsense to session management at a time when [saving every user session in its own tmpfile on a server](http://php.net/manual/en/function.session-start.php) was slow and unreasonable to scale. And finally it avoided by default the horrible security issues we've seen with directly storing session variables in a cookie.
|
10
11
|
|
11
12
|
This gem brings an alternative backend to CookieStore.
|
12
13
|
|
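Review bot: The rewritten Cookiestore paragraph (new line 10) still carries "It bought commonsense", which should read "brought common sense", and the heading just above it is spelled "# Cookistore"; both are worth correcting while this line is being touched. The appended sentence beginning "And finally it avoided by default" makes a security claim without saying which issues it means; a link or a short phrase naming them (client-readable or client-modifiable session data, for example, if that is what is intended) would make the README more useful to someone evaluating the gem.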
@@ -65,7 +66,7 @@ What you'll find in this gem is a much smaller, more easily audited codebase wit
|
|
65
66
|
|
66
67
|
# Approach
|
67
68
|
|
68
|
-
This gem is designed largely as a drop-in replacement for MessageEncryptor, which in turn is used by CookieStore. In a
|
69
|
+
This gem is designed largely as a drop-in replacement for MessageEncryptor, which in turn is used by CookieStore. In a default environment, Rails astracts away everything I say below.
|
69
70
|
|
70
71
|
MessageEncryptor takes a "secret", and a "signing secret", using them as two different secrets. Libsodium only needs a 256-bit secret.
|
71
72
|
|
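Review bot: "astracts" in the completed Approach sentence (new line 69) is a typo for "abstracts". The phrase "everything I say below" is also vague for a reader trying to work out whether they must supply the secret themselves; since the next paragraph is about the "secret" and "signing secret", consider saying directly that Rails passes these in for you in a default environment.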
data/lib/messagesodium.rb
CHANGED
@@ -25,13 +25,18 @@ module ActiveSupport
|
|
25
25
|
# Encrypt and authenticate using libsodium XSalsa20/Poly1305
|
26
26
|
# Serialise with JSON.dump
|
27
27
|
# Returns base64(random nonce + cipher + auth tag)
|
28
|
+
# URLSafe encoding means it doesn't have to be mangled further to
|
29
|
+
# become a cookie
|
28
30
|
def encrypt_and_sign(value)
|
29
|
-
Base64.
|
31
|
+
Base64.urlsafe_encode64(@box.encrypt(::JSON.dump(value)))
|
30
32
|
end
|
31
33
|
|
32
34
|
# Decrypt the message, and check the auth tag in the process.
|
33
35
|
def decrypt_and_verify(value)
|
34
|
-
::JSON.parse(
|
36
|
+
::JSON.parse(
|
37
|
+
@box.decrypt(
|
38
|
+
Base64.urlsafe_decode64(value)),
|
39
|
+
symbolize_names: true)
|
35
40
|
rescue RbNaCl::CryptoError
|
36
41
|
raise InvalidMessage
|
37
42
|
end
|
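Review bot: decrypt_and_verify now runs Base64.urlsafe_decode64 on the incoming value, but the rescue clause below it still lists only RbNaCl::CryptoError. urlsafe_decode64 raises ArgumentError when the input is not valid Base64, and this value arrives in a cookie, so a malformed cookie would escape as an ArgumentError instead of InvalidMessage. Suggest widening the clause to `rescue RbNaCl::CryptoError, ArgumentError, ::JSON::ParserError` so every decode failure is reported the same way, and adding a test that passes a non-Base64 string. The new comment on encrypt_and_sign explains the URL-safe choice well; a matching one-line comment on decrypt_and_verify noting that keys come back as symbols (symbolize_names: true) would help callers.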
data/messagesodium.gemspec
CHANGED
@@ -10,7 +10,8 @@ Gem::Specification.new do |spec|
|
|
10
10
|
spec.email = ["technion@lolware.net"]
|
11
11
|
|
12
12
|
spec.summary = %q{Patches MessageEncryptor/Cookiestore to use Libsodium .}
|
13
|
-
spec.description =
|
13
|
+
spec.description = 'Introduces modern crypto, higher performance,' \
|
14
|
+
' smaller cookies to your sessions.'
|
14
15
|
spec.homepage = "https://github.com/technion/messagesodium"
|
15
16
|
spec.license = "MIT"
|
16
17
|
|
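Review bot: The new spec.description concatenates to "Introduces modern crypto, higher performance, smaller cookies to your sessions.", which is missing an "and" before "smaller cookies". While editing this block, the spec.summary line just above has a stray space before the full stop ("Libsodium ."), and the file now mixes %q{}, single-quoted and double-quoted strings; picking one style would keep the gemspec tidy.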
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: messagesodium
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Technion
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-09-
|
11
|
+
date: 2017-09-07 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rbnacl-libsodium
|