padrino-cookies 0.1.0 → 0.1.1

data/README.md

@@ -30,7 +30,6 @@ TODO
 -----
 
 * Additional documentation
-* Signed cookies
 
 Copyright
 ---------

data/lib/padrino-cookies/jar.rb

@@ -1,9 +1,4 @@
 # encoding: UTF-8
-require 'active_support/core_ext/integer/time'
-require 'active_support/core_ext/numeric/time'
-require 'active_support/core_ext/numeric/bytes'
-require 'active_support/core_ext/date/calculations'
-
 module Padrino
   module Cookies
     class Jar
@@ -15,6 +10,12 @@ module Padrino
         @request  = app.request
         @cookies  = app.request.cookies
 
+        if app.settings.respond_to?(:cookie_secret)
+          @secret = app.settings.cookie_secret
+        elsif app.settings.respond_to?(:session_secret)
+          @secret = app.settings.session_secret
+        end
+
         @options = {
               path: '/',
           httponly: true,
@@ -29,7 +30,7 @@ module Padrino
       #   Value of the cookie
       #
       # @example
-      #   cookies[:remembrance]
+      #   cookie[:remembrance]
       #   # => '71ab53190d2f863b5f3b12381d2d5986512f8e15b34d439e6b66e3daf41b5e35'
       #
       # @since 0.1.0
@@ -66,8 +67,11 @@ module Padrino
       #   @option options [String] :domain
       #     The scope in which this cookie is accessible
       #
+      # @raise [Overflow]
+      #   Raised when the value of the cookie exceeds the maximum size
+      #
       # @example
-      #   cookies[:remembrance] = '71ab53190d2f863b5f3b12381d2d5986512f8e15b34d439e6b66e3daf41b5e35'
+      #   cookie[:remembrance] = '71ab53190d2f863b5f3b12381d2d5986512f8e15b34d439e6b66e3daf41b5e35'
       #
       # @since 0.1.0
       # @api public
@@ -76,6 +80,8 @@ module Padrino
           options = { value: options }
         end
 
+        raise Overflow if options[:value].size > MAX_COOKIE_SIZE
+
         @response.set_cookie(name, @options.merge(options))
         @cookies[name.to_s] = options[:value]
       end
@@ -205,32 +211,79 @@ module Padrino
       # Sets a permanent cookie
       #
       # @example
-      #   cookies.permanent[:remembrance] = '71ab53190d2f863b5f3b12381d2d5986512f8e15b34d439e6b66e3daf41b5e35'
+      #   cookie.permanent[:remembrance] = '71ab53190d2f863b5f3b12381d2d5986512f8e15b34d439e6b66e3daf41b5e35'
       #
       # @since 0.1.0
       # @api public
       def permanent
-        @permanent ||= PermanentJar.new(self)
+        @permanent ||= PermanentJar.new(self, @secret)
+      end
+
+      ###
+      # Signs a cookie with a cryptographic hash so it cannot be tampered with
+      #
+      # @example
+      #   cookie.signed[:remembrance] = '71ab53190d2f863b5f3b12381d2d5986512f8e15b34d439e6b66e3daf41b5e35'
+      #
+      # @since 0.1.1
+      # @api public
+      def signed
+        @signed ||= SignedJar.new(self, @secret)
       end
     end # Jar
 
     class PermanentJar # @private
-      def initialize(parent_jar)
+      def initialize(parent_jar, secret)
         @parent_jar = parent_jar
+        @secret = secret
       end
 
-      def []=(key, options)
-        unless options.is_a?(Hash)
-          options = { value: options }
-        end
-
+      def []=(name, options)
+        options = { value: options } unless options.is_a?(Hash)
         options[:expires] = 1.year.from_now
-        @parent_jar[key] = options
+        @parent_jar[name] = options
+      end
+
+      def signed
+        @signed ||= SignedJar.new(self, @secret)
       end
 
       def method_missing(method, *args, &block)
         @parent_jar.send(method, *args, &block)
       end
     end # PermanentJar
+
+    class SignedJar # @private
+      def initialize(parent_jar, secret)
+        if secret.blank? || secret.size < 64
+          raise ArgumentError, 'cookie_secret must be at least 64 characters long'
+        end
+
+        @parent_jar = parent_jar
+        @message_verifier = ActiveSupport::MessageVerifier.new(secret)
+      end
+
+      def [](name)
+        if value = @parent_jar[name]
+          @message_verifier.verify(value)
+        end
+      rescue
+        nil
+      end
+
+      def []=(name, options)
+        options = { value: options } unless options.is_a?(Hash)
+        options[:value] = @message_verifier.generate(options[:value])
+        @parent_jar[name] = options
+      end
+
+      def permanent
+        @permanent ||= PermanentJar.new(self, @secret)
+      end
+
+      def method_missing(method, *args, &block)
+        @parent_jar.send(method, *args, &block)
+      end
+    end # SignedJar
   end # Cookies
 end # Padrino

data/lib/padrino-cookies/version.rb

@@ -1,6 +1,6 @@
 # encoding: UTF-8
 module Padrino
   module Cookies
-    VERSION = '0.1.0'
+    VERSION = '0.1.1'
   end
 end

data/lib/padrino-cookies.rb

@@ -1,9 +1,22 @@
 # encoding: UTF-8
+require 'active_support/core_ext/integer/time'
+require 'active_support/core_ext/numeric/time'
+require 'active_support/core_ext/date/calculations'
+require 'active_support/message_verifier'
+
 require 'padrino-core'
 FileSet.glob_require('padrino-cookies/**/*.rb', __FILE__)
 
 module Padrino
   module Cookies
+    MAX_COOKIE_SIZE = 4096
+
+    class Overflow < ArgumentError
+      def http_status
+        500
+      end
+    end
+
     class << self
       # @private
       def registered(app)

data/spec/cookies_spec.rb

@@ -5,6 +5,20 @@ describe Padrino::Cookies do
     route('foo=bar', 'bar=foo') { cookies }
   end
 
+  context :secret do
+    it 'should use :cookie_secret when set' do
+      app.set :cookie_secret, 'cookie_secret'
+      secret = cookies.instance_variable_get(:@secret)
+      secret.should == 'cookie_secret'
+    end
+
+    it 'should fall back to :session_secret when :cookie_secret is not set' do
+      app.set :session_secret, 'session_secret'
+      secret = cookies.instance_variable_get(:@secret)
+      secret.should == 'session_secret'
+    end
+  end
+
   context :[] do
     it 'can retrieve existing cookies' do
       cookies['foo'].should == 'bar'
@@ -33,6 +47,18 @@ describe Padrino::Cookies do
       cookies['test'].should == 'test'
     end
 
+    it 'should raise Overflow when more then 4096 bytes are used' do
+      cookies['test'] = 'C' * 4096
+      cookies['test'].should_not be_nil
+
+      expect { cookies['test'] = 'C' * 4097 }.to raise_error(Padrino::Cookies::Overflow)
+    end
+
+    it 'should accept a hash of options' do
+      cookies['test'] = { value: 'test', path: '/' }
+      cookies['test'].should == 'test'
+    end
+
     it 'should set the response headers when setting a cookie' do
       result = route do
         cookies['foo'] = 'bar'
@@ -86,7 +112,7 @@ describe Padrino::Cookies do
     end
   end
 
-  describe :clear do
+  context :clear do
     it 'can delete all cookies that are set' do
       cookies['foo'].should == 'bar'
       cookies['bar'].should == 'foo'
@@ -110,7 +136,7 @@ describe Padrino::Cookies do
     end
   end
 
-  describe :keys do
+  context :keys do
     it 'can give you a list of cookies that are set' do
       cookies.keys.should == ['bar', 'foo']
     end
@@ -161,11 +187,18 @@ describe Padrino::Cookies do
   end
 
   context :permanent do
+    before { app.set :cookie_secret, ('test' * 16) }
+
     it 'should add cookies to the parent jar' do
       cookies.permanent['baz'] = 'foo'
       cookies['baz'].should == 'foo'
     end
 
+    it 'should accept a hash of options' do
+      cookies.permanent['foo'] = { value: 'baz', path: '/' }
+      cookies['foo'].should == 'baz'
+    end
+
     it 'should set a cookie that expires in the distant future' do
       result = route do
         cookies.permanent['baz'] = 'foo'
@@ -174,5 +207,49 @@ describe Padrino::Cookies do
 
       result.should =~ /#{1.year.from_now.year}/
     end
+
+    it 'should allow you to chain signed cookies' do
+      result = route do
+        cookies.permanent.signed['foo'] = 'baz'
+        response['Set-Cookie']
+      end
+
+      result.should =~ /#{1.year.from_now.year}/
+      result.should =~ /6cbc7824dbfd7121efb019bb55f01be1e07bcf58/
+    end
+  end
+
+  context :signed do
+    before { app.set :cookie_secret, ('test' * 16) }
+
+    it 'should read signed values' do
+      cookies['foo'] = 'BAhJIghiYXoGOgZFRg==--6cbc7824dbfd7121efb019bb55f01be1e07bcf58'
+      cookies.signed['foo'].should == 'baz'
+    end
+
+    it 'should write signed values' do
+      cookies.signed['foo'] = 'baz'
+      cookies['foo'].should == 'BAhJIghiYXoGOgZFRg==--6cbc7824dbfd7121efb019bb55f01be1e07bcf58'
+    end
+
+    it 'should accept a hash of options' do
+      cookies.signed['foo'] = { value: 'baz', path: '/' }
+      cookies.signed['foo'].should == 'baz'
+    end
+
+    it 'should require a 64 character secret' do
+      app.set :cookie_secret, ('C' * 63)
+      expect { cookies.signed['foo'] = 'baz' }.to raise_error(ArgumentError)
+    end
+
+    it 'should allow you to chain permanent cookies' do
+      result = route do
+        cookies.signed.permanent['foo'] = 'baz'
+        response['Set-Cookie']
+      end
+
+      result.should =~ /#{1.year.from_now.year}/
+      result.should =~ /6cbc7824dbfd7121efb019bb55f01be1e07bcf58/
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: padrino-cookies
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-03-02 00:00:00.000000000 Z
+date: 2012-03-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: padrino-core
-  requirement: &15464784 !ruby/object:Gem::Requirement
+  requirement: &13846392 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *15464784
+  version_requirements: *13846392
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &15464232 !ruby/object:Gem::Requirement
+  requirement: &13845648 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,10 +32,10 @@ dependencies:
         version: 2.0.0
   type: :development
   prerelease: false
-  version_requirements: *15464232
+  version_requirements: *13845648
 - !ruby/object:Gem::Dependency
   name: rspec-html-matchers
-  requirement: &15463920 !ruby/object:Gem::Requirement
+  requirement: &13844784 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,10 +43,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *15463920
+  version_requirements: *13844784
 - !ruby/object:Gem::Dependency
   name: rack-test
-  requirement: &15463500 !ruby/object:Gem::Requirement
+  requirement: &13825020 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -54,7 +54,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *15463500
+  version_requirements: *13825020
 description: A plugin for the Padrino web framework which adds support for Rails like
   cookie manipulation
 email:
@@ -97,7 +97,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.15
+rubygems_version: 1.8.17
 signing_key: 
 specification_version: 3
 summary: A plugin for the Padrino web framework which adds support for Rails like