mongoid_session_store 0.0.1

data/example/public/javascripts/rails.js

@@ -0,0 +1,175 @@
+(function() {
+  // Technique from Juriy Zaytsev
+  // http://thinkweb2.com/projects/prototype/detecting-event-support-without-browser-sniffing/
+  function isEventSupported(eventName) {
+    var el = document.createElement('div');
+    eventName = 'on' + eventName;
+    var isSupported = (eventName in el);
+    if (!isSupported) {
+      el.setAttribute(eventName, 'return;');
+      isSupported = typeof el[eventName] == 'function';
+    }
+    el = null;
+    return isSupported;
+  }
+
+  function isForm(element) {
+    return Object.isElement(element) && element.nodeName.toUpperCase() == 'FORM'
+  }
+
+  function isInput(element) {
+    if (Object.isElement(element)) {
+      var name = element.nodeName.toUpperCase()
+      return name == 'INPUT' || name == 'SELECT' || name == 'TEXTAREA'
+    }
+    else return false
+  }
+
+  var submitBubbles = isEventSupported('submit'),
+      changeBubbles = isEventSupported('change')
+
+  if (!submitBubbles || !changeBubbles) {
+    // augment the Event.Handler class to observe custom events when needed
+    Event.Handler.prototype.initialize = Event.Handler.prototype.initialize.wrap(
+      function(init, element, eventName, selector, callback) {
+        init(element, eventName, selector, callback)
+        // is the handler being attached to an element that doesn't support this event?
+        if ( (!submitBubbles && this.eventName == 'submit' && !isForm(this.element)) ||
+             (!changeBubbles && this.eventName == 'change' && !isInput(this.element)) ) {
+          // "submit" => "emulated:submit"
+          this.eventName = 'emulated:' + this.eventName
+        }
+      }
+    )
+  }
+
+  if (!submitBubbles) {
+    // discover forms on the page by observing focus events which always bubble
+    document.on('focusin', 'form', function(focusEvent, form) {
+      // special handler for the real "submit" event (one-time operation)
+      if (!form.retrieve('emulated:submit')) {
+        form.on('submit', function(submitEvent) {
+          var emulated = form.fire('emulated:submit', submitEvent, true)
+          // if custom event received preventDefault, cancel the real one too
+          if (emulated.returnValue === false) submitEvent.preventDefault()
+        })
+        form.store('emulated:submit', true)
+      }
+    })
+  }
+
+  if (!changeBubbles) {
+    // discover form inputs on the page
+    document.on('focusin', 'input, select, texarea', function(focusEvent, input) {
+      // special handler for real "change" events
+      if (!input.retrieve('emulated:change')) {
+        input.on('change', function(changeEvent) {
+          input.fire('emulated:change', changeEvent, true)
+        })
+        input.store('emulated:change', true)
+      }
+    })
+  }
+
+  function handleRemote(element) {
+    var method, url, params;
+
+    var event = element.fire("ajax:before");
+    if (event.stopped) return false;
+
+    if (element.tagName.toLowerCase() === 'form') {
+      method = element.readAttribute('method') || 'post';
+      url    = element.readAttribute('action');
+      params = element.serialize();
+    } else {
+      method = element.readAttribute('data-method') || 'get';
+      url    = element.readAttribute('href');
+      params = {};
+    }
+
+    new Ajax.Request(url, {
+      method: method,
+      parameters: params,
+      evalScripts: true,
+
+      onComplete:    function(request) { element.fire("ajax:complete", request); },
+      onSuccess:     function(request) { element.fire("ajax:success",  request); },
+      onFailure:     function(request) { element.fire("ajax:failure",  request); }
+    });
+
+    element.fire("ajax:after");
+  }
+
+  function handleMethod(element) {
+    var method = element.readAttribute('data-method'),
+        url = element.readAttribute('href'),
+        csrf_param = $$('meta[name=csrf-param]')[0],
+        csrf_token = $$('meta[name=csrf-token]')[0];
+
+    var form = new Element('form', { method: "POST", action: url, style: "display: none;" });
+    element.parentNode.insert(form);
+
+    if (method !== 'post') {
+      var field = new Element('input', { type: 'hidden', name: '_method', value: method });
+      form.insert(field);
+    }
+
+    if (csrf_param) {
+      var param = csrf_param.readAttribute('content'),
+          token = csrf_token.readAttribute('content'),
+          field = new Element('input', { type: 'hidden', name: param, value: token });
+      form.insert(field);
+    }
+
+    form.submit();
+  }
+
+
+  document.on("click", "*[data-confirm]", function(event, element) {
+    var message = element.readAttribute('data-confirm');
+    if (!confirm(message)) event.stop();
+  });
+
+  document.on("click", "a[data-remote]", function(event, element) {
+    if (event.stopped) return;
+    handleRemote(element);
+    event.stop();
+  });
+
+  document.on("click", "a[data-method]", function(event, element) {
+    if (event.stopped) return;
+    handleMethod(element);
+    event.stop();
+  });
+
+  document.on("submit", function(event) {
+    var element = event.findElement(),
+        message = element.readAttribute('data-confirm');
+    if (message && !confirm(message)) {
+      event.stop();
+      return false;
+    }
+
+    var inputs = element.select("input[type=submit][data-disable-with]");
+    inputs.each(function(input) {
+      input.disabled = true;
+      input.writeAttribute('data-original-value', input.value);
+      input.value = input.readAttribute('data-disable-with');
+    });
+
+    var element = event.findElement("form[data-remote]");
+    if (element) {
+      handleRemote(element);
+      event.stop();
+    }
+  });
+
+  document.on("ajax:after", "form", function(event, element) {
+    var inputs = element.select("input[type=submit][disabled=true][data-disable-with]");
+    inputs.each(function(input) {
+      input.value = input.readAttribute('data-original-value');
+      input.removeAttribute('data-original-value');
+      input.disabled = false;
+    });
+  });
+})();

data/example/public/robots.txt

@@ -0,0 +1,5 @@
+# See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file
+#
+# To ban all spiders from the entire site uncomment the next two lines:
+# User-Agent: *
+# Disallow: /

data/example/script/rails

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require File.expand_path('../../config/boot',  __FILE__)
+require 'rails/commands'

data/example/test/functional/sessions_controller_test.rb

@@ -0,0 +1,8 @@
+require 'test_helper'
+
+class SessionsControllerTest < ActionController::TestCase
+  # Replace this with your real tests.
+  test "the truth" do
+    assert true
+  end
+end

data/example/test/integration/sessions_test.rb

@@ -0,0 +1,152 @@
+require 'test_helper'
+
+class SessionsTest < ActionDispatch::IntegrationTest
+  fixtures :all
+  
+  def setup
+    # Mongoid.master.collections.select {|c| c.name !~ /system/ }.each(&:drop)
+    ActionDispatch::Session::MongoidStore::Session.delete_all
+  end
+  
+  test "set session value" do
+    get '/set_session_value'
+    assert_response :success
+    assert cookies['_session_id']
+    session_id = cookies['_session_id']
+  end
+  
+  test "setting and getting session value with" do
+    get '/set_session_value'
+    assert_response :success
+    assert cookies['_session_id']
+
+    get '/get_session_value'
+    assert_response :success
+    assert_equal 'foo: "bar"', response.body
+
+    get '/set_session_value', :foo => "baz"
+    assert_response :success
+    assert cookies['_session_id']
+
+    get '/get_session_value'
+    assert_response :success
+    assert_equal 'foo: "baz"', response.body
+
+    get '/call_reset_session'
+    assert_response :success
+    assert_not_equal [], headers['Set-Cookie']
+  end
+  
+  test "getting nil session value" do
+    get '/get_session_value'
+    assert_response :success
+    assert_equal 'foo: nil', response.body
+  end
+
+  test "setting session value after session reset" do
+    get '/set_session_value'
+    assert_response :success
+    assert cookies['_session_id']
+    session_id = cookies['_session_id']
+
+    get '/call_reset_session'
+    assert_response :success
+    assert_not_equal [], headers['Set-Cookie']
+
+    get '/get_session_value'
+    assert_response :success
+    assert_equal 'foo: "baz"', response.body
+
+    get '/get_session_id'
+    assert_response :success
+    assert_not_equal session_id, response.body
+  end
+
+  test "getting session value after session reset" do
+    get '/set_session_value'
+    assert_response :success
+    assert cookies['_session_id']
+    session_cookie = cookies.send(:hash_for)['_session_id']
+
+    get '/call_reset_session'
+    assert_response :success
+    assert_not_equal [], headers['Set-Cookie']
+
+    cookies << session_cookie # replace our new session_id with our old, pre-reset session_id
+
+    get '/get_session_value'
+    assert_response :success
+    assert_equal 'foo: nil', response.body, "data for this session should have been obliterated from the database"
+  end
+
+  test "getting from nonexistent session" do
+    get '/get_session_value'
+    assert_response :success
+    assert_equal 'foo: nil', response.body
+    assert_nil cookies['_session_id'], "should only create session on write, not read"
+  end
+
+  test "getting session id" do
+    get '/set_session_value'
+    assert_response :success
+    assert cookies['_session_id']
+    session_id = cookies['_session_id']
+
+    get '/get_session_id'
+    assert_response :success
+    assert_equal session_id, response.body, "should be able to read session id without accessing the session hash"
+  end
+
+  test "doesnt write session cookie if session id is already exists" do
+    get '/set_session_value'
+    assert_response :success
+    assert cookies['_session_id']
+
+    get '/get_session_value'
+    assert_response :success
+    assert_equal nil, headers['Set-Cookie'], "should not resend the cookie again if session_id cookie is already exists"
+  end
+
+  test "prevents_session_fixation" do
+    get '/set_session_value'
+    assert_response :success
+    assert cookies['_session_id']
+
+    get '/get_session_value'
+    assert_response :success
+    assert_equal 'foo: "bar"', response.body
+    session_id = cookies['_session_id']
+    assert session_id
+
+    reset!
+
+    get '/get_session_value', :_session_id => session_id
+    assert_response :success
+    assert_equal 'foo: nil', response.body
+    assert_not_equal session_id, cookies['_session_id']
+  end
+
+  test "test allows session fixation" do
+    get '/set_session_value'
+    assert_response :success
+    assert cookies['_session_id']
+
+    get '/get_session_value'
+    assert_response :success
+    assert_equal 'foo: "bar"', response.body
+    session_id = cookies['_session_id']
+    assert session_id
+
+    reset!
+
+    get '/set_session_value', :_session_id => session_id, :foo => "baz"
+    assert_response :success
+    assert_equal session_id, cookies['_session_id']
+
+    get '/get_session_value', :_session_id => session_id
+    assert_response :success
+    assert_equal 'foo: "baz"', response.body
+    assert_equal session_id, cookies['_session_id']
+  end
+    
+end

data/example/test/performance/browsing_test.rb

@@ -0,0 +1,9 @@
+require 'test_helper'
+require 'rails/performance_test_help'
+
+# Profiling results for each test method are written to tmp/performance.
+class BrowsingTest < ActionDispatch::PerformanceTest
+  def test_homepage
+    get '/'
+  end
+end

data/example/test/test_helper.rb

@@ -0,0 +1,13 @@
+ENV["RAILS_ENV"] = "test"
+require File.expand_path('../../config/environment', __FILE__)
+require 'rails/test_help'
+
+class ActiveSupport::TestCase
+  # Setup all fixtures in test/fixtures/*.(yml|csv) for all tests in alphabetical order.
+  #
+  # Note: You'll currently still have to declare fixtures explicitly in integration tests
+  # -- they do not yet inherit this setting
+  fixtures :all
+
+  # Add more helper methods to be used by all tests here...
+end

data/example/test/unit/helpers/sessions_helper_test.rb

@@ -0,0 +1,4 @@
+require 'test_helper'
+
+class SessionsHelperTest < ActionView::TestCase
+end

data/lib/mongoid_session_store/mongoid_store.rb

@@ -0,0 +1,71 @@
+module ActionDispatch
+  module Session
+    class MongoidStore < AbstractStore
+      
+      class Session
+        include Mongoid::Document
+        include Mongoid::Timestamps
+        
+        store_in :sessions
+
+        field :data, :type => String, :default => [Marshal.dump({})].pack("m*")
+        field :session_id, :type => String, :allow_nil => false
+        
+        index :updated_at
+        index :session_id
+      end
+
+      # The class used for session storage.
+      cattr_accessor :session_class
+      self.session_class = Session
+
+      SESSION_RECORD_KEY = 'rack.session.record'.freeze
+
+      private
+            
+        def get_session(env, sid)    
+          session = find_session(sid)
+          env[SESSION_RECORD_KEY] = session
+          [sid, unpack(session.data)]
+        end
+
+        def set_session(env, sid, session_data)
+          record = get_session_model(env, sid)
+          record.data = pack(session_data)
+
+          # Rack spec dictates that set_session should return true or false
+          # depending on whether or not the session was saved or not.
+          # However, ActionPack seems to want a session id instead.
+          record.save ? sid : false
+        end
+
+        def find_session(id)   
+          @@session_class.where(:session_id => id).first || @@session_class.new(:session_id => id)
+        end
+                
+        def destroy(env)
+          if sid = current_session_id(env)
+            find_session(sid).destroy
+          end
+        end
+        
+        def get_session_model(env, sid)
+          if env[ENV_SESSION_OPTIONS_KEY][:id].nil?
+            env[SESSION_RECORD_KEY] = find_session(sid)
+          else
+            env[SESSION_RECORD_KEY] ||= find_session(sid)
+          end
+        end
+
+        def pack(data)
+          [Marshal.dump(data)].pack("m*")
+        end
+
+        def unpack(packed)
+          return nil unless packed
+          Marshal.load(packed.unpack("m*").first)
+        end
+      
+    end
+  end
+end