RubyGems - padrino-csrf - Versions diffs - 0.1.0 → 0.1.1 - Mend

padrino-csrf 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

data/.rspec ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ --format documentation
2	+ --color

data/Rakefile CHANGED Viewed

@@ -1,7 +1,30 @@
+$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+require 'padrino-csrf/version'
 require 'rake'
-require 'rake/testtask'
+require 'yard'
+require 'rspec'
+require 'rspec/core/rake_task'
+RSpec::Core::RakeTask.new do |task|
+  task.pattern = 'spec/**/*_spec.rb'
+end
+YARD::Rake::YardocTask.new
+task :build do
+  `gem build padrino-csrf.gemspec`
+end
+task :install => :build do
+  `gem install padrino-csrf-#{Padrino::CSRF::VERSION}.gem`
+end
+desc 'Releases the current version into the wild'
+task :release => :build do
+  `git tag -a v#{Padrino::CSRF::VERSION} -m "Version #{Padrino::CSRF::VERSION}"`
+  `gem push padrino-csrf-#{Padrino::CSRF::VERSION}.gem`
+  `git push --tags`
+end
-Rake::TestTask.new do |test|
-  test.test_files = FileList['test/**/test_*.rb']
-  test.verbose = true
-end
+task :default => :spec

data/lib/padrino-csrf.rb CHANGED Viewed

@@ -8,8 +8,7 @@ module Padrino
   module CSRF
     REQUEST_BLACKLIST = %w(POST PUT DELETE)
-    class InvalidToken < RuntimeError
-      # @private
+    class InvalidToken < RuntimeError
       def http_status
         403
       end

data/lib/padrino-csrf/routing.rb CHANGED Viewed

@@ -46,9 +46,11 @@ module Padrino
       # @private
       def route(verb, path, options = {}, &block)
         if REQUEST_BLACKLIST.include?(verb)
-          options[:protect] = settings.prevent_request_forgery if options[:protect] == nil
+          if options[:protect].nil?
+             options[:protect] = settings.prevent_request_forgery if settings.prevent_request_forgery?
+          end
         else
-          options.delete(:protect)
+          options.delete :protect
         end
         super(verb, path, options, &block)

data/lib/padrino-csrf/version.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 # encoding: utf-8
 module Padrino
   module CSRF
-    VERSION = '0.1.0'
+    VERSION = '0.1.1'
   end
 end

data/padrino-csrf.gemspec CHANGED Viewed

@@ -19,6 +19,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'padrino-core'
   s.add_dependency 'padrino-helpers'
-  s.add_development_dependency 'minitest'
-  s.add_development_dependency 'webrat'
+  s.add_development_dependency 'rspec', '>= 2.0.0'
+  s.add_development_dependency 'rspec-html-matchers'
+  s.add_development_dependency 'rack-test'
 end

data/spec/csrf_spec.rb ADDED Viewed

@@ -0,0 +1,86 @@
+require_relative 'spec'
+describe Padrino::CSRF do
+  let :random_string do
+    SecureRandom.hex(32)
+  end
+  it 'should validate CSRF tokens for POST requests' do
+    app.post :test do
+      # ...
+    end
+    post '/test', { _csrf_token: random_string }, 'rack.session' => { _csrf_token: random_string }
+    last_response.should be_ok
+    expect do
+      post '/test', { _csrf_token: 'haaaax' }, 'rack.session' => { _csrf_token: random_string }
+    end.to raise_error(Padrino::CSRF::InvalidToken)
+  end
+  it 'should validate CSRF tokens for PUT requests' do
+    app.put :test do
+      # ...
+    end
+    put '/test', { _csrf_token: random_string }, 'rack.session' => { _csrf_token: random_string }
+    last_response.should be_ok
+    expect do
+      put '/test', { _csrf_token: 'haaaax' }, 'rack.session' => { _csrf_token: random_string }
+    end.to raise_error(Padrino::CSRF::InvalidToken)
+  end
+  it 'should validate CSRF tokens for DELETE requests' do
+    app.delete :test do
+      # ...
+    end
+    delete '/test', { _csrf_token: random_string }, 'rack.session' => { _csrf_token: random_string }
+    last_response.should be_ok
+    expect do
+      delete '/test', { _csrf_token: 'haaaax' }, 'rack.session' => { _csrf_token: random_string }
+    end.to raise_error(Padrino::CSRF::InvalidToken)
+  end
+  it 'should not validate CSRF tokens for GET requests' do
+    app.get :test do
+      # ...
+    end
+    get '/test', {}, 'rack.session' => { _csrf_token: random_string }
+    last_response.should be_ok
+  end
+  it 'can disable validation on a request by request basis when enabled globally' do
+    app.enable :prevent_request_forgery
+    app.post :test, protect: false do
+      # ...
+    end
+    post '/test', {}, 'rack.session' => { _csrf_token: random_string }
+    last_response.should be_ok
+  end
+  it 'can enable validation on a request by request basis when disabled globally' do
+    app.disable :prevent_request_forgery
+    app.post :test do
+      # ...
+    end
+    post '/test', {}, 'rack.session' => { _csrf_token: random_string }
+    last_response.should be_ok
+    app.post :another_test, protect: true do
+      # ...
+    end
+    post '/another_test', { _csrf_token: random_string }, 'rack.session' => { _csrf_token: random_string }
+    last_response.should be_ok
+    expect do
+      post '/another_test', { _csrf_token: 'haaaax' }, 'rack.session' => { _csrf_token: random_string }
+    end.to raise_error(Padrino::CSRF::InvalidToken)
+  end
+end

data/spec/helpers_spec.rb ADDED Viewed

@@ -0,0 +1,82 @@
+require_relative 'spec'
+describe Padrino::CSRF::Helpers do
+  include Padrino::Helpers::AssetTagHelpers
+  include Padrino::Helpers::OutputHelpers
+  include Padrino::Helpers::FormHelpers
+  include Padrino::Helpers::TagHelpers
+  include Padrino::CSRF::FormHelpers
+  include Padrino::CSRF::Helpers
+  let :params do
+    {}
+  end
+  let :session do
+    { _csrf_token: SecureRandom.hex(32) }
+  end
+  let :request do
+    Sinatra::Request.new('HTTP_X_CSRF_TOKEN' => nil)
+  end
+  context '#csrf_valid?' do
+    it 'should return false when the CSRF param is invalid' do
+      params[csrf_param] = csrf_token[0..-2]
+      csrf_valid?.should be_false
+    end
+    it 'should return true when the CSRF param is valid' do
+      params[csrf_param] = csrf_token
+      csrf_valid?.should be_true
+    end
+    it 'should return false when the CSRF header is invalid' do
+      request.stub(:env).and_return('HTTP_X_CSRF_TOKEN' => csrf_token[0..-2])
+      csrf_valid?.should be_false
+    end
+    it 'should return true when the CSRF header is valid' do
+      request.stub(:env).and_return('HTTP_X_CSRF_TOKEN' => csrf_token)
+      csrf_valid?.should be_true
+    end
+  end
+  context '#csrf_meta_tags' do
+    it 'should return meta tags with the current token and parameter' do
+      meta_tags = csrf_meta_tags
+      meta_tags.should have_tag(:meta, count: 1, with: { name: 'csrf-param', content: csrf_param })
+      meta_tags.should have_tag(:meta, count: 1, with: { name: 'csrf-token', content: csrf_token })
+    end
+  end
+  context '#csrf_token' do
+    it 'should return the current sessions CSRF token' do
+      csrf_token.should == session[csrf_param]
+    end
+    it 'should set the sessions CSRF token when one is not present' do
+      session.clear
+      session[csrf_param].should be_nil
+      csrf_token.should_not be_nil
+      session[csrf_param].should_not be_nil
+    end
+  end
+  context '#form_tag' do
+    it 'should prepend the CSRF authenticity token to the form' do
+      form = form_tag('/register') { text_field_tag :user_name, value: 'test' }
+      form.should have_tag(:form, count: 1, with: { method: 'post',  action: '/register' }) do
+        with_tag(:input, count: 1, with: { type: 'hidden', name: csrf_param, value: csrf_token })
+        with_tag(:input, count: 1, with: { type: 'text', name: 'user_name', value: 'test' })
+      end
+    end
+  end
+  context '#token_field_tag' do
+    it 'should return a hidden input with the current CSRF token' do
+      input = token_field_tag
+      input.should have_tag(:input, count: 1, with: { type: 'hidden', name: csrf_param, value: csrf_token })
+    end
+  end
+end

data/spec/spec.rb ADDED Viewed

@@ -0,0 +1,21 @@
+PADRINO_ENV = 'test'
+require 'rspec'
+require 'rspec-html-matchers'
+require 'rack/test'
+require 'padrino-csrf'
+module TestHelpers
+  def app
+    @app ||= Sinatra.new(Padrino::Application) do
+      register Padrino::CSRF
+      set :prevent_request_forgery, true
+      set :logging, false
+    end
+  end
+end
+RSpec.configure do |configuration|
+  configuration.include TestHelpers
+  configuration.include Rack::Test::Methods
+end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: padrino-csrf
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
   prerelease:
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2012-02-01 00:00:00.000000000 Z
+date: 2012-02-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: padrino-core
-  requirement: &18997080 !ruby/object:Gem::Requirement
+  requirement: &15518448 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *18997080
+  version_requirements: *15518448
 - !ruby/object:Gem::Dependency
   name: padrino-helpers
-  requirement: &18961296 !ruby/object:Gem::Requirement
+  requirement: &15517608 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,10 +32,21 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *18961296
+  version_requirements: *15517608
 - !ruby/object:Gem::Dependency
-  name: minitest
-  requirement: &18729264 !ruby/object:Gem::Requirement
+  name: rspec
+  requirement: &15517176 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :development
+  prerelease: false
+  version_requirements: *15517176
+- !ruby/object:Gem::Dependency
+  name: rspec-html-matchers
+  requirement: &15516288 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,10 +54,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *18729264
+  version_requirements: *15516288
 - !ruby/object:Gem::Dependency
-  name: webrat
-  requirement: &15937272 !ruby/object:Gem::Requirement
+  name: rack-test
+  requirement: &15515712 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -54,7 +65,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *15937272
+  version_requirements: *15515712
 description: A plugin for the Padrino web framework which adds CSRF protection
 email:
 - cirex@gamesol.org
@@ -63,6 +74,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
+- .rspec
 - .yardopts
 - Gemfile
 - LICENSE
@@ -74,6 +86,9 @@ files:
 - lib/padrino-csrf/routing.rb
 - lib/padrino-csrf/version.rb
 - padrino-csrf.gemspec
+- spec/csrf_spec.rb
+- spec/helpers_spec.rb
+- spec/spec.rb
 - vendor/assets/jquery.unobtrusive.js
 homepage: https://github.com/Cirex/padrino-csrf
 licenses: []