mta_json 0.0.1 → 0.0.2

data/README.md

@@ -3,6 +3,8 @@
 Wraps MTA:SA's JSON format to support named parameters and different HTTP
 methods with callRemote.
 
+See [Multi Theft Auto: San Andreas](http://mtasa.com/).
+
 ## Installation
 
 Add this line to your application's Gemfile:
@@ -17,11 +19,21 @@ Or install it yourself as:
 
     $ gem install mta_json
 
----
+## Configuration
+
+### Whitelist for POST, PUT and DELETE
+
+GET-requests are always processed.
+
+POST-, PUT- and DELETE-requests are handled via an ip whitelist. The only
+entry for this list is `127.0.0.1` per default.
+It can be **overwritten** with the following code in your `application.rb`:
 
-You'll need to add the following line to your `config/application.rb`:
+    config.mta_json.whitelist = %w(1.2.3.4 1.2.3.5)
 
-    config.middleware.insert_before Rack::MethodOverride, MtaJson::Wrapper
+Or, to still allow requests from your local machine:
+
+    config.mta_json.whitelist = %w(1.2.3.4 1.2.3.5 127.0.0.1)
 
 ## Usage
 
@@ -122,9 +134,5 @@ A more complete example can be found in `examples/crud`.
 
 ## TODOs
 
-* Special care should be taken with the default POST method, there currently is
-  no way to set a CSRF-Token. This can be worked around by using:
-
-  <pre>skip_before_filter :verify_authenticity_token, :only => :your_method</pre>
-
-* The code doesn't insert itself as middleware automatically, see Installation section.
+* running rails behind a proxy/load balancer and IP resolution together with
+  the whitelist?

data/examples/crud/README.md

@@ -3,23 +3,8 @@
 
 Tests whether you can create, read, update and delete posts from MTA
 
-## Running the example
-
-Start the rails server:
-
-    $ cd rails
-    $ rails s
-
-Start the MTA Server and type the following commands:
-
-    $ aclrequest crud allow all
-    $ start crud
-
-After that, the following commands are available within MTA (console, in-game)
-
-* **/posts** - lists all posts
 
-## How this was built - in rails
+## Building a simple CRUD-based controller
 
 Creating the project:
 
@@ -38,3 +23,15 @@ Generating a model Post along with a matching Controller:
 Migrates the database to include the new posts table:
 
     $ rake db:migrate
+
+## Running the example
+
+Start the rails server:
+
+    $ cd rails
+    $ rails s
+
+Start the MTA Server and type the following commands:
+
+    $ aclrequest crud allow all
+    $ start crud

data/examples/crud/meta.xml

@@ -1,14 +0,0 @@
-<!--
-mta_json crud example to interact with rails.
-
-See https://github.com/mabako/mta_json
--->
-<meta>
-  <!-- Script source file -->
-  <script src="crud.lua"/>
-
-  <!-- This wouldn't make sense without callRemote, would it? -->
-  <aclrequest>
-    <right name="function.callRemote" access="true" />
-  </aclrequest>
-</meta>

data/lib/mta_json.rb

@@ -1,6 +1,7 @@
-require "mta_json/version"
-require "mta_json/wrapper"
-
-module MtaJson
-
-end
+require "mta_json/version"
+require "mta_json/wrapper"
+require "mta_json/railtie" if defined? ::Rails::Railtie
+
+module MtaJson
+
+end

data/lib/mta_json/railtie.rb

@@ -0,0 +1,12 @@
+module MtaJson
+  class Railtie < Rails::Railtie
+    config.mta_json = ActiveSupport::OrderedOptions.new
+
+    # default whitelist includes only the local ip.
+    config.mta_json.whitelist = %w(127.0.0.1)
+
+    initializer "mta_json.configure" do |app|
+      app.middleware.use MtaJson::Wrapper
+    end
+  end
+end

data/lib/mta_json/version.rb

@@ -1,3 +1,3 @@
 module MtaJson
-  VERSION = "0.0.1"
+  VERSION = "0.0.2"
 end

data/lib/mta_json/wrapper.rb

@@ -12,15 +12,19 @@ module MtaJson
     BODY = 'rack.input'.freeze
     FORM_INPUT = 'rack.request.form_input'.freeze
     FORM_HASH = 'rack.request.form_hash'.freeze
+    SESSION = 'rack.session'.freeze
     METHOD = 'REQUEST_METHOD'.freeze
     POST = 'POST'.freeze
     PATH_INFO = 'PATH_INFO'.freeze
+    IP = 'REMOTE_ADDR'.freeze
+    CSRF_TOKEN = 'X-CSRF-Token'.freeze
 
     # HTTP-Response-Headers
     CONTENT_LENGTH = 'Content-Length'.freeze
 
     # Allowed Methods to be set by MTA
-    ALLOWED_METHODS = %w(POST GET PUT DELETE)
+    ALLOWED_METHODS = %w(GET)
+    ALLOWED_METHODS_PRIVATE = %w(POST PUT DELETE)
 
     def initialize app
       @app = app
@@ -65,9 +69,14 @@ module MtaJson
         # optional options!
         update_options env, json[1].with_indifferent_access if json.size >= 2
 
+        verify_request_method env
+
         # any parameters given? otherwise we don't really care for any params
         update_params env, json[0] if json.size >= 1 and json[0] != 0 # 0 is nil in terms of callRemote. JSON has 'null' though!
 
+        # add some CSRF info... maybe.
+        add_csrf_info env
+
         # call the other middlewares
         status, headers, response = @app.call(env)
 
@@ -91,30 +100,48 @@ module MtaJson
       end
     end
 
-    # update all of the parameter-related values in the current request's environment
-    def update_params env, json
-      env[FORM_HASH] = json
-      env[BODY] = StringIO.new(Rack::Utils.build_query(json))
-      env[FORM_INPUT] = env[BODY]
-    end
+    private
+      # update all of the parameter-related values in the current request's environment
+      def update_params env, json
+        env[FORM_HASH] = json
+        env[BODY] = env[FORM_INPUT] = StringIO.new(Rack::Utils.build_query(json))
+      end
 
-    # updates the options
-    def update_options env, options
-      # switch between POST and GET?
-      if ALLOWED_METHODS.include?(options[:method])
-        # (possibly) TODO - pass parameters for GET instead of POST in update_params then?
-        # see https://github.com/rack/rack/blob/master/lib/rack/request.rb -> def GET
-        env[METHOD] = options[:method]
+      # make sure the request came from a whitelisted ip, or uses a publically accessible request method
+      def verify_request_method env
+        allowed = ALLOWED_METHODS
+        allowed |= ALLOWED_METHODS_PRIVATE if whitelisted?(env)
+        if !allowed.include?(env[METHOD])
+          raise "Request method #{env[METHOD]} not allowed"
+        end
+      end
+
+      # updates the options
+      def update_options env, options
+        if options[:method] and (ALLOWED_METHODS | ALLOWED_METHODS_PRIVATE).include?(options[:method])
+          # (possibly) TODO - pass parameters for GET instead of POST in update_params then?
+          # see https://github.com/rack/rack/blob/master/lib/rack/request.rb -> def GET
+          env[METHOD] = options[:method]
+        end
+      end
+
+      # adds csrf info to non-GET requests of whitelisted IPs
+      def add_csrf_info env
+        env[CSRF_TOKEN] = env[SESSION][:_csrf_token] = SecureRandom.base64(32).to_s if env[METHOD] != 'GET' and whitelisted?(env)
       end
-    end
 
-    # returns the response body: old response body + headers as a JSON array
-    def to_response response, headers
-      body = ""
-      response.each do |s|
-        body << s.to_s
+      # TODO might need to revise this behing proxies
+      def whitelisted? env
+        Railtie.config.mta_json.whitelist.include?(env[IP])
+      end
+
+      # returns the response body: old response body + headers as a JSON array
+      def to_response response, headers
+        body = ""
+        response.each do |s|
+          body << s.to_s
+        end
+        ["[#{body},#{headers.to_json.to_s}]"]
       end
-      ["[#{body},#{headers.to_json.to_s}]"]
     end
-  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mta_json
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
   prerelease: 
 platform: ruby
 authors:
@@ -59,73 +59,8 @@ files:
 - examples/crud/README.md
 - examples/crud/crud.lua
 - examples/crud/meta.xml
-- examples/crud/mta/crud/crud.lua
-- examples/crud/mta/crud/meta.xml
-- examples/crud/rails/.gitignore
-- examples/crud/rails/Gemfile
-- examples/crud/rails/Rakefile
-- examples/crud/rails/app/assets/images/rails.png
-- examples/crud/rails/app/assets/javascripts/application.js
-- examples/crud/rails/app/assets/javascripts/posts.js.coffee
-- examples/crud/rails/app/assets/stylesheets/application.css
-- examples/crud/rails/app/assets/stylesheets/posts.css.scss
-- examples/crud/rails/app/assets/stylesheets/scaffolds.css.scss
-- examples/crud/rails/app/controllers/application_controller.rb
-- examples/crud/rails/app/controllers/posts_controller.rb
-- examples/crud/rails/app/helpers/application_helper.rb
-- examples/crud/rails/app/helpers/posts_helper.rb
-- examples/crud/rails/app/mailers/.gitkeep
-- examples/crud/rails/app/models/.gitkeep
-- examples/crud/rails/app/models/post.rb
-- examples/crud/rails/app/views/layouts/application.html.erb
-- examples/crud/rails/app/views/posts/_form.html.erb
-- examples/crud/rails/app/views/posts/edit.html.erb
-- examples/crud/rails/app/views/posts/index.html.erb
-- examples/crud/rails/app/views/posts/new.html.erb
-- examples/crud/rails/app/views/posts/show.html.erb
-- examples/crud/rails/config.ru
-- examples/crud/rails/config/application.rb
-- examples/crud/rails/config/boot.rb
-- examples/crud/rails/config/database.yml
-- examples/crud/rails/config/environment.rb
-- examples/crud/rails/config/environments/development.rb
-- examples/crud/rails/config/environments/production.rb
-- examples/crud/rails/config/environments/test.rb
-- examples/crud/rails/config/initializers/backtrace_silencers.rb
-- examples/crud/rails/config/initializers/inflections.rb
-- examples/crud/rails/config/initializers/mime_types.rb
-- examples/crud/rails/config/initializers/secret_token.rb
-- examples/crud/rails/config/initializers/session_store.rb
-- examples/crud/rails/config/initializers/wrap_parameters.rb
-- examples/crud/rails/config/locales/en.yml
-- examples/crud/rails/config/routes.rb
-- examples/crud/rails/db/migrate/20130320115007_create_posts.rb
-- examples/crud/rails/db/schema.rb
-- examples/crud/rails/db/seeds.rb
-- examples/crud/rails/lib/assets/.gitkeep
-- examples/crud/rails/lib/tasks/.gitkeep
-- examples/crud/rails/log/.gitkeep
-- examples/crud/rails/public/404.html
-- examples/crud/rails/public/422.html
-- examples/crud/rails/public/500.html
-- examples/crud/rails/public/favicon.ico
-- examples/crud/rails/public/index.html
-- examples/crud/rails/public/robots.txt
-- examples/crud/rails/script/rails
-- examples/crud/rails/test/fixtures/.gitkeep
-- examples/crud/rails/test/fixtures/posts.yml
-- examples/crud/rails/test/functional/.gitkeep
-- examples/crud/rails/test/functional/posts_controller_test.rb
-- examples/crud/rails/test/integration/.gitkeep
-- examples/crud/rails/test/performance/browsing_test.rb
-- examples/crud/rails/test/test_helper.rb
-- examples/crud/rails/test/unit/.gitkeep
-- examples/crud/rails/test/unit/helpers/posts_helper_test.rb
-- examples/crud/rails/test/unit/post_test.rb
-- examples/crud/rails/vendor/assets/javascripts/.gitkeep
-- examples/crud/rails/vendor/assets/stylesheets/.gitkeep
-- examples/crud/rails/vendor/plugins/.gitkeep
 - lib/mta_json.rb
+- lib/mta_json/railtie.rb
 - lib/mta_json/version.rb
 - lib/mta_json/wrapper.rb
 - mta_json.gemspec
@@ -158,69 +93,3 @@ test_files:
 - examples/crud/README.md
 - examples/crud/crud.lua
 - examples/crud/meta.xml
-- examples/crud/mta/crud/crud.lua
-- examples/crud/mta/crud/meta.xml
-- examples/crud/rails/.gitignore
-- examples/crud/rails/Gemfile
-- examples/crud/rails/Rakefile
-- examples/crud/rails/app/assets/images/rails.png
-- examples/crud/rails/app/assets/javascripts/application.js
-- examples/crud/rails/app/assets/javascripts/posts.js.coffee
-- examples/crud/rails/app/assets/stylesheets/application.css
-- examples/crud/rails/app/assets/stylesheets/posts.css.scss
-- examples/crud/rails/app/assets/stylesheets/scaffolds.css.scss
-- examples/crud/rails/app/controllers/application_controller.rb
-- examples/crud/rails/app/controllers/posts_controller.rb
-- examples/crud/rails/app/helpers/application_helper.rb
-- examples/crud/rails/app/helpers/posts_helper.rb
-- examples/crud/rails/app/mailers/.gitkeep
-- examples/crud/rails/app/models/.gitkeep
-- examples/crud/rails/app/models/post.rb
-- examples/crud/rails/app/views/layouts/application.html.erb
-- examples/crud/rails/app/views/posts/_form.html.erb
-- examples/crud/rails/app/views/posts/edit.html.erb
-- examples/crud/rails/app/views/posts/index.html.erb
-- examples/crud/rails/app/views/posts/new.html.erb
-- examples/crud/rails/app/views/posts/show.html.erb
-- examples/crud/rails/config.ru
-- examples/crud/rails/config/application.rb
-- examples/crud/rails/config/boot.rb
-- examples/crud/rails/config/database.yml
-- examples/crud/rails/config/environment.rb
-- examples/crud/rails/config/environments/development.rb
-- examples/crud/rails/config/environments/production.rb
-- examples/crud/rails/config/environments/test.rb
-- examples/crud/rails/config/initializers/backtrace_silencers.rb
-- examples/crud/rails/config/initializers/inflections.rb
-- examples/crud/rails/config/initializers/mime_types.rb
-- examples/crud/rails/config/initializers/secret_token.rb
-- examples/crud/rails/config/initializers/session_store.rb
-- examples/crud/rails/config/initializers/wrap_parameters.rb
-- examples/crud/rails/config/locales/en.yml
-- examples/crud/rails/config/routes.rb
-- examples/crud/rails/db/migrate/20130320115007_create_posts.rb
-- examples/crud/rails/db/schema.rb
-- examples/crud/rails/db/seeds.rb
-- examples/crud/rails/lib/assets/.gitkeep
-- examples/crud/rails/lib/tasks/.gitkeep
-- examples/crud/rails/log/.gitkeep
-- examples/crud/rails/public/404.html
-- examples/crud/rails/public/422.html
-- examples/crud/rails/public/500.html
-- examples/crud/rails/public/favicon.ico
-- examples/crud/rails/public/index.html
-- examples/crud/rails/public/robots.txt
-- examples/crud/rails/script/rails
-- examples/crud/rails/test/fixtures/.gitkeep
-- examples/crud/rails/test/fixtures/posts.yml
-- examples/crud/rails/test/functional/.gitkeep
-- examples/crud/rails/test/functional/posts_controller_test.rb
-- examples/crud/rails/test/integration/.gitkeep
-- examples/crud/rails/test/performance/browsing_test.rb
-- examples/crud/rails/test/test_helper.rb
-- examples/crud/rails/test/unit/.gitkeep
-- examples/crud/rails/test/unit/helpers/posts_helper_test.rb
-- examples/crud/rails/test/unit/post_test.rb
-- examples/crud/rails/vendor/assets/javascripts/.gitkeep
-- examples/crud/rails/vendor/assets/stylesheets/.gitkeep
-- examples/crud/rails/vendor/plugins/.gitkeep

data/examples/crud/mta/crud/meta.xml

@@ -1,3 +0,0 @@
-<meta>
-  <script src="crud.lua"/>
-</meta>

data/examples/crud/rails/.gitignore

@@ -1,15 +0,0 @@
-# See http://help.github.com/ignore-files/ for more about ignoring files.
-#
-# If you find yourself ignoring temporary files generated by your text editor
-# or operating system, you probably want to add a global ignore instead:
-#   git config --global core.excludesfile ~/.gitignore_global
-
-# Ignore bundler config
-/.bundle
-
-# Ignore the default SQLite database.
-/db/*.sqlite3
-
-# Ignore all logfiles and tempfiles.
-/log/*.log
-/tmp

data/examples/crud/rails/Gemfile

@@ -1,40 +0,0 @@
-source 'https://rubygems.org'
-
-gem 'rails', '3.2.12'
-
-# Bundle edge Rails instead:
-# gem 'rails', :git => 'git://github.com/rails/rails.git'
-
-gem 'sqlite3'
-
-
-# Gems used only for assets and not required
-# in production environments by default.
-group :assets do
-  gem 'sass-rails',   '~> 3.2.3'
-  gem 'coffee-rails', '~> 3.2.1'
-
-  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
-  # gem 'therubyracer', :platforms => :ruby
-
-  gem 'uglifier', '>= 1.0.3'
-end
-
-gem 'jquery-rails'
-
-# To use ActiveModel has_secure_password
-# gem 'bcrypt-ruby', '~> 3.0.0'
-
-# To use Jbuilder templates for JSON
-# gem 'jbuilder'
-
-# Use unicorn as the app server
-# gem 'unicorn'
-
-# Deploy with Capistrano
-# gem 'capistrano'
-
-# To use debugger
-# gem 'debugger'
-
-gem 'mta_json'