multi_session 1.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e401b25f019731faaad3230a51406a7853c071837f9a134c7779bf2f1130841f
+  data.tar.gz: ef26f4a723075fcdb0b19406a787a8bd6fabd84e8fb4fac417c96a1be3c3d281
+SHA512:
+  metadata.gz: 19f01b7549b920e6d25e6a072fabd846c80d6cd8f4ed60bb48ce75e88a58363abfc72ee9a8d42ba40aa62b02f01572294b67aac68f0eccb0711121d4711d9ad6
+  data.tar.gz: b2f5cd824bbc7e84310f352c08ce36ecb8450711ec5605846dbccc31e4b5c450d4bac6df72873afbc367d3284c7f0282f9004c9a3fb3b008d3d0d280b40f0c21

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2018 Sean Huber
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,110 @@
+[![Gem Version](https://badge.fury.io/rb/multi_session.svg)](https://badge.fury.io/rb/multi_session)
+[![Build Status](https://travis-ci.org/seanhuber/multi_session.svg?branch=master)](https://travis-ci.org/seanhuber/multi_session)
+[![Coverage Status](https://coveralls.io/repos/github/seanhuber/multi_session/badge.svg?branch=master)](https://coveralls.io/github/seanhuber/multi_session?branch=master)
+
+multi_session
+==============
+
+`multi_session` is a Railtie that extends rails to provide the ability to have multiple sessions per user via encrypted cookies.
+
+## Motivation
+
+Rails comes with a `session` helper method for storing user session information across HTTP requests.  The default approach is to store that information in an encrypted cookie that gets passed as a header in each HTTP request/response.  That cookie is encrypted/decrypted using the `secret_key_base` defined in `config/secrets.yml` (or `config/credentials.yml.enc` as of Rails version 5.2).
+
+Rails' `session` is secure and works great but what if you'd like to share that session cookie with multiple Rails applications hosted across different subdomains? Various blogs and stackoverflow questions on the matter suggest sharing the same `secret_key_base` value amongst the multiple Rails applications.  But what if these apps only want to share part of the session information? Or what if there are security concerns because `secret_key_base` is used for more than just encrypting session cookies? This `multi_session` railtie provides a helper method (named `multi_session`) similar to `session` except that it permits you to create multiple encrypted session cookies per user, each with their own secret key, giving you the flexibility to choose which session components could be shared with other Rails (and non-Rails) web applications.
+
+## Usage
+
+`multi_session` is a helper method that gets added to your `ApplicationController` and is therefore accessible by all your controllers that subclass `ApplicationController`, as well all view templates.  To create and read new sessions, use bracket notation (`[]` and `[]=`) like you would with `Hash` or hash-like objects.
+
+For example:
+
+```ruby
+# app/controllers/some_controller.rb
+
+class SomeController < ApplicationController
+  def my_action
+    @user = User.find(params.require(:id))
+    multi_session[:global_user_session] = {
+      'user_id' => @user.id,
+      'email'   => @user.email,
+      'name'    => @user.full_name
+    }
+    multi_session[:user_preferences] = {
+      'enable_push_notifications' => true,
+      'something_else' => false
+    }
+  end
+
+  def another_action
+    @user = User.find(multi_session[:global_user_session]['user_id'])
+  end
+end
+```
+
+In the example above, multi_session would create 2 encrypted cookies, one named `"global_user_session"` and the other named `"user_preferences"`.  The key_base used to encrypt/decrypt these cookies would need to be defined in `config/secrets.yml` or `config/credentials.yml.enc` under a key named `:multi_session_keys`.  Example:
+
+```yaml
+# config/credentials.yml.enc
+secret_key_base: # generated by Rails
+
+multi_session_keys: # use `rake secret` to generate custom keys
+  global_user_session: # insert a new secret here
+  user_preferences: # insert a different secret here
+```
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'multi_session', '~> 1.1'
+```
+
+## Configuration
+
+For the current version `multi_session`, there these are the configuration values that can optionally be set:
+
+| Config option                         | Type                    | Description                                           |
+|---------------------------------------|-------------------------|-------------------------------------------------------|
+| `expires`                             | ActiveSupport::Duration | expiration  period for `multi_session` cookies/values |
+| `authenticated_encrypted_cookie_salt` | String                  | Salt used to derive key for GCM encryption            |
+
+
+To configure `multi_session`, first generate an initializer using the built-in rails generator:
+
+```
+rails g multi_session:install
+```
+
+Then open and edit `config/initializers/multi_session.rb`:
+
+```ruby
+# config/initializers/multi_session.rb
+
+MultiSession.setup do |config|
+  # Uncomment to force multi_session cookies to expire after a period of time
+  config.expires = 30.minutes
+
+  # Salt used to derive key for GCM encryption. Default value is 'multi session authenticated encrypted cookie'
+  config.authenticated_encrypted_cookie_salt = 'my multi session salt value'
+end
+```
+
+## Security
+
+`multi_session` does not introduce any novel security mechanisms. Encryptions/decryption is done using `ActiveSupport::MessageEncryptor` in the same manner that Rails encrypts the `session` cookie in Rails 5.2 (see https://github.com/rails/rails/blob/5fb4703471ffb11dab9aa3855daeef9f592f6388/actionpack/lib/action_dispatch/middleware/cookies.rb).
+
+The default cipher for encrypting messages in Rails 5.2 is `AES-256-GCM`, which is the same as what `multi_session` uses.
+
+There are many good writeups on the web (such as https://guides.rubyonrails.org/security.html, https://www.justinweiss.com/articles/how-rails-sessions-work/, and https://www.theodinproject.com/courses/ruby-on-rails/lessons/sessions-cookies-and-authentication) that go into detail of how Rails addresses session security concerns and I encourage all app developers to spend some time educating themselves on how Rails sessions work.
+
+The implementation of `multi_session` is actually quite simple because it leans heavily on existing Rails functionality. The nuts and bolts are primarily coded in `lib/multi_session/session.rb` (https://github.com/seanhuber/multi_session/blob/b0211d714d995dc01eb817e52f5dc78e52120bf0/lib/multi_session/session.rb).  It's a small file, please do your own code-audit before using this gem. :wink:
+
+## Contributing
+
+Pull requests and issue reports are welcome!
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,12 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/lib/generators/multi_session/install_generator.rb

@@ -0,0 +1,10 @@
+module MultiSession
+  class InstallGenerator < Rails::Generators::Base
+    source_root File.expand_path('../../templates', __FILE__)
+
+    desc 'creates a config/initializers/multi_session.rb file for configuring multi_session'
+    def install
+      template 'multi_session.rb', 'config/initializers/multi_session.rb'
+    end
+  end
+end

data/lib/generators/templates/multi_session.rb

@@ -0,0 +1,7 @@
+MultiSession.setup do |config|
+  # Uncomment to force multi_session cookies to expire after a period of time
+  # config.expires = 30.minutes
+
+  # Salt used to derive key for GCM encryption. Default value is 'multi session authenticated encrypted cookie'
+  # config.authenticated_encrypted_cookie_salt = 'multi session authenticated encrypted cookie'
+end

data/lib/multi_session/helper.rb

@@ -0,0 +1,21 @@
+module MultiSession
+  module Helper
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :multi_session if defined?(helper_method)
+      after_action :slide_multi_session
+    end
+
+    private
+
+    def multi_session
+      Session.new cookies
+    end
+
+    def slide_multi_session
+      return unless MultiSession.expires.present?
+      Session.new(cookies).update_expiration
+    end
+  end
+end

data/lib/multi_session/railtie.rb

@@ -0,0 +1,7 @@
+module MultiSession
+  class Railtie < ::Rails::Railtie
+    initializer 'multi_session.configure_rails_initialization' do |app|
+      ActionController::Base.send :include, MultiSession::Helper
+    end
+  end
+end

data/lib/multi_session/session.rb

@@ -0,0 +1,59 @@
+module MultiSession
+  class Session
+    def initialize cookies
+      @cookies = cookies
+    end
+
+    def [](key)
+      return nil unless @cookies[key.to_s].present?
+      session = ActiveSupport::JSON.decode encryptor(key).decrypt_and_verify(@cookies[key])
+      session['value'] # TODO: add ability to let developer retrieve the session_id
+    end
+
+    def []=(key, value)
+      previous_session = self[key]
+      session_id = if previous_session && previous_session['session_id'].present?
+        previous_session['session_id']
+      else
+        SecureRandom.hex(16).encode Encoding::UTF_8
+      end
+
+      new_session = {
+        'session_id' => session_id,
+        'value' => value
+      }
+      expiry_options = MultiSession.expires.present? ? {expires_at: Time.now + MultiSession.expires} : {}
+      encrypted_and_signed_value = encryptor(key).encrypt_and_sign ActiveSupport::JSON.encode(new_session), expiry_options
+
+      raise ActionDispatch::Cookies::CookieOverflow if encrypted_and_signed_value.bytesize > ActionDispatch::Cookies::MAX_COOKIE_SIZE
+
+      @cookies[key.to_s] = {value: encrypted_and_signed_value}.merge(MultiSession.expires.present? ? {expires: MultiSession.expires} : {})
+      nil
+    end
+
+    def clear
+      @cookies.clear
+    end
+
+    def update_expiration
+      Rails.application.credentials[:multi_session_keys].each_key do |key|
+        self[key] = self[key] # decrypt and re-encrypt to force expires_at to update
+      end
+    end
+
+    private
+
+    def encryptor key
+      secret_key_base = Rails.application.credentials[:multi_session_keys][key.to_sym]
+      raise ArgumentError.new("Rails.application.credentials[:multi_session_keys][:'#{key}'] has not been set.") unless secret_key_base.present?
+
+      encrypted_cookie_cipher = 'aes-256-gcm'
+      key_generator = ActiveSupport::CachingKeyGenerator.new ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000)
+      key_len = ActiveSupport::MessageEncryptor.key_len encrypted_cookie_cipher
+      salt = 'authenticated encrypted cookie'
+      secret = key_generator.generate_key(MultiSession.authenticated_encrypted_cookie_salt, key_len)
+
+      ActiveSupport::MessageEncryptor.new secret, cipher: encrypted_cookie_cipher, serializer: ActiveSupport::MessageEncryptor::NullSerializer
+    end
+  end
+end

data/lib/multi_session/version.rb

@@ -0,0 +1,3 @@
+module MultiSession
+  VERSION = '1.1.0'
+end

data/lib/multi_session.rb

@@ -0,0 +1,15 @@
+require 'multi_session/helper'
+require 'multi_session/railtie'
+require 'multi_session/session'
+
+module MultiSession
+  mattr_accessor :authenticated_encrypted_cookie_salt
+  @@authenticated_encrypted_cookie_salt = 'multi session authenticated encrypted cookie'
+
+  mattr_accessor :expires
+  @@expires = nil
+
+  def self.setup
+    yield self
+  end
+end

data/spec/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require_relative 'config/application'
+
+Rails.application.load_tasks

data/spec/dummy/app/assets/config/manifest.js

@@ -0,0 +1,2 @@
+//= link_tree ../images
+//= link_directory ../stylesheets .css

data/spec/dummy/app/assets/javascripts/application.js

@@ -0,0 +1,14 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or any plugin's vendor/assets/javascripts directory can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file. JavaScript code in this file should be added after the last require_* statement.
+//
+// Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require rails-ujs
+//= require_tree .

data/spec/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/spec/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::Base
+end

data/spec/dummy/app/controllers/multi_session_test_controller.rb

@@ -0,0 +1,18 @@
+class MultiSessionTestController < ApplicationController
+  def some_action
+  end
+
+  def encrypt_multi_sessions
+    params.require(:session_values).permit!.each do |session_key, value|
+      multi_session[session_key] = value
+    end
+    head :ok
+  end
+
+  def decrypt_multi_sessions
+    session_values = params.require(:session_keys).map do |key|
+      "#{key}-#{multi_session[key]}"
+    end.join(',')
+    render inline: session_values
+  end
+end

data/spec/dummy/app/helpers/application_helper.rb

@@ -0,0 +1,2 @@
+module ApplicationHelper
+end

data/spec/dummy/app/jobs/application_job.rb

@@ -0,0 +1,2 @@
+class ApplicationJob < ActiveJob::Base
+end

data/spec/dummy/app/views/layouts/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Dummy</title>
+    <%= csrf_meta_tags %>
+    <%= csp_meta_tag %>
+
+    <%= stylesheet_link_tag    'application', media: 'all' %>
+  </head>
+
+  <body>
+    <%= yield %>
+  </body>
+</html>

data/spec/dummy/app/views/multi_session_test/some_action.html.erb

@@ -0,0 +1 @@
+<h1>hello world!</h1>

data/spec/dummy/bin/bundle

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
+load Gem.bin_path('bundler', 'bundle')

data/spec/dummy/bin/rails

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path('../config/application', __dir__)
+require_relative '../config/boot'
+require 'rails/commands'

data/spec/dummy/bin/rake

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require_relative '../config/boot'
+require 'rake'
+Rake.application.run

data/spec/dummy/bin/setup

@@ -0,0 +1,25 @@
+#!/usr/bin/env ruby
+require 'fileutils'
+include FileUtils
+
+# path to your application root.
+APP_ROOT = File.expand_path('..', __dir__)
+
+def system!(*args)
+  system(*args) || abort("\n== Command #{args} failed ==")
+end
+
+chdir APP_ROOT do
+  # This script is a starting point to setup your application.
+  # Add necessary setup steps to this file.
+
+  puts '== Installing dependencies =='
+  system! 'gem install bundler --conservative'
+  system('bundle check') || system!('bundle install')
+
+  puts "\n== Removing old logs and tempfiles =="
+  system! 'bin/rails log:clear tmp:clear'
+
+  puts "\n== Restarting application server =="
+  system! 'bin/rails restart'
+end

data/spec/dummy/bin/update

@@ -0,0 +1,25 @@
+#!/usr/bin/env ruby
+require 'fileutils'
+include FileUtils
+
+# path to your application root.
+APP_ROOT = File.expand_path('..', __dir__)
+
+def system!(*args)
+  system(*args) || abort("\n== Command #{args} failed ==")
+end
+
+chdir APP_ROOT do
+  # This script is a way to update your development environment automatically.
+  # Add necessary update steps to this file.
+
+  puts '== Installing dependencies =='
+  system! 'gem install bundler --conservative'
+  system('bundle check') || system!('bundle install')
+
+  puts "\n== Removing old logs and tempfiles =="
+  system! 'bin/rails log:clear tmp:clear'
+
+  puts "\n== Restarting application server =="
+  system! 'bin/rails restart'
+end