padrino-csrf 0.1.0 → 0.1.1

data/.rspec

@@ -0,0 +1,2 @@
+--format documentation
+--color

data/Rakefile

@@ -1,7 +1,30 @@
+$LOAD_PATH.unshift File.expand_path('../lib', __FILE__)
+require 'padrino-csrf/version'
+
 require 'rake'
-require 'rake/testtask'
+require 'yard'
+require 'rspec'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new do |task|
+  task.pattern = 'spec/**/*_spec.rb'
+end
+
+YARD::Rake::YardocTask.new
+
+task :build do
+  `gem build padrino-csrf.gemspec`
+end
+
+task :install => :build do
+  `gem install padrino-csrf-#{Padrino::CSRF::VERSION}.gem`
+end
+
+desc 'Releases the current version into the wild'
+task :release => :build do
+  `git tag -a v#{Padrino::CSRF::VERSION} -m "Version #{Padrino::CSRF::VERSION}"`
+  `gem push padrino-csrf-#{Padrino::CSRF::VERSION}.gem`
+  `git push --tags`
+end
 
-Rake::TestTask.new do |test|
-  test.test_files = FileList['test/**/test_*.rb']
-  test.verbose = true
-end
+task :default => :spec

data/lib/padrino-csrf.rb

@@ -8,8 +8,7 @@ module Padrino
   module CSRF
     REQUEST_BLACKLIST = %w(POST PUT DELETE)
 
-    class InvalidToken < RuntimeError 
-      # @private
+    class InvalidToken < RuntimeError
       def http_status
         403
       end

data/lib/padrino-csrf/routing.rb

@@ -46,9 +46,11 @@ module Padrino
       # @private
       def route(verb, path, options = {}, &block)
         if REQUEST_BLACKLIST.include?(verb)
-          options[:protect] = settings.prevent_request_forgery if options[:protect] == nil
+          if options[:protect].nil?
+             options[:protect] = settings.prevent_request_forgery if settings.prevent_request_forgery?
+          end
         else
-          options.delete(:protect)
+          options.delete :protect
         end
 
         super(verb, path, options, &block)

data/lib/padrino-csrf/version.rb

@@ -1,6 +1,6 @@
 # encoding: utf-8
 module Padrino
   module CSRF
-    VERSION = '0.1.0'
+    VERSION = '0.1.1'
   end
 end

data/padrino-csrf.gemspec

@@ -19,6 +19,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'padrino-core'
   s.add_dependency 'padrino-helpers'
 
-  s.add_development_dependency 'minitest'
-  s.add_development_dependency 'webrat'
+  s.add_development_dependency 'rspec', '>= 2.0.0'
+  s.add_development_dependency 'rspec-html-matchers'
+  s.add_development_dependency 'rack-test'
 end

data/spec/csrf_spec.rb

@@ -0,0 +1,86 @@
+require_relative 'spec'
+
+describe Padrino::CSRF do
+  let :random_string do
+    SecureRandom.hex(32)
+  end
+
+  it 'should validate CSRF tokens for POST requests' do
+    app.post :test do
+      # ...
+    end
+
+    post '/test', { _csrf_token: random_string }, 'rack.session' => { _csrf_token: random_string }
+    last_response.should be_ok
+
+    expect do
+      post '/test', { _csrf_token: 'haaaax' }, 'rack.session' => { _csrf_token: random_string }
+    end.to raise_error(Padrino::CSRF::InvalidToken)
+  end
+
+  it 'should validate CSRF tokens for PUT requests' do
+    app.put :test do
+      # ...
+    end
+
+    put '/test', { _csrf_token: random_string }, 'rack.session' => { _csrf_token: random_string }
+    last_response.should be_ok
+
+    expect do
+      put '/test', { _csrf_token: 'haaaax' }, 'rack.session' => { _csrf_token: random_string }
+    end.to raise_error(Padrino::CSRF::InvalidToken)
+  end
+
+  it 'should validate CSRF tokens for DELETE requests' do
+    app.delete :test do
+      # ...
+    end
+
+    delete '/test', { _csrf_token: random_string }, 'rack.session' => { _csrf_token: random_string }
+    last_response.should be_ok
+
+    expect do
+      delete '/test', { _csrf_token: 'haaaax' }, 'rack.session' => { _csrf_token: random_string }
+    end.to raise_error(Padrino::CSRF::InvalidToken)
+  end
+
+  it 'should not validate CSRF tokens for GET requests' do
+    app.get :test do
+      # ...
+    end
+
+    get '/test', {}, 'rack.session' => { _csrf_token: random_string }
+    last_response.should be_ok
+  end
+
+  it 'can disable validation on a request by request basis when enabled globally' do
+    app.enable :prevent_request_forgery
+    app.post :test, protect: false do
+      # ...
+    end
+
+    post '/test', {}, 'rack.session' => { _csrf_token: random_string }
+    last_response.should be_ok
+  end
+
+  it 'can enable validation on a request by request basis when disabled globally' do
+    app.disable :prevent_request_forgery
+    app.post :test do
+      # ...
+    end
+
+    post '/test', {}, 'rack.session' => { _csrf_token: random_string }
+    last_response.should be_ok
+
+    app.post :another_test, protect: true do
+      # ...
+    end
+
+    post '/another_test', { _csrf_token: random_string }, 'rack.session' => { _csrf_token: random_string }
+    last_response.should be_ok
+
+    expect do
+      post '/another_test', { _csrf_token: 'haaaax' }, 'rack.session' => { _csrf_token: random_string }
+    end.to raise_error(Padrino::CSRF::InvalidToken)
+  end
+end

data/spec/helpers_spec.rb

@@ -0,0 +1,82 @@
+require_relative 'spec'
+
+describe Padrino::CSRF::Helpers do
+  include Padrino::Helpers::AssetTagHelpers
+  include Padrino::Helpers::OutputHelpers
+  include Padrino::Helpers::FormHelpers
+  include Padrino::Helpers::TagHelpers
+  include Padrino::CSRF::FormHelpers
+  include Padrino::CSRF::Helpers
+
+  let :params do
+    {}
+  end
+
+  let :session do
+    { _csrf_token: SecureRandom.hex(32) }
+  end
+
+  let :request do
+    Sinatra::Request.new('HTTP_X_CSRF_TOKEN' => nil)
+  end
+
+  context '#csrf_valid?' do
+    it 'should return false when the CSRF param is invalid' do
+      params[csrf_param] = csrf_token[0..-2]
+      csrf_valid?.should be_false
+    end
+
+    it 'should return true when the CSRF param is valid' do
+      params[csrf_param] = csrf_token
+      csrf_valid?.should be_true
+    end
+
+    it 'should return false when the CSRF header is invalid' do
+      request.stub(:env).and_return('HTTP_X_CSRF_TOKEN' => csrf_token[0..-2])
+      csrf_valid?.should be_false
+    end
+
+    it 'should return true when the CSRF header is valid' do
+      request.stub(:env).and_return('HTTP_X_CSRF_TOKEN' => csrf_token)
+      csrf_valid?.should be_true
+    end
+  end
+
+  context '#csrf_meta_tags' do
+    it 'should return meta tags with the current token and parameter' do
+      meta_tags = csrf_meta_tags
+      meta_tags.should have_tag(:meta, count: 1, with: { name: 'csrf-param', content: csrf_param })
+      meta_tags.should have_tag(:meta, count: 1, with: { name: 'csrf-token', content: csrf_token })
+    end
+  end
+
+  context '#csrf_token' do
+    it 'should return the current sessions CSRF token' do
+      csrf_token.should == session[csrf_param]
+    end
+
+    it 'should set the sessions CSRF token when one is not present' do
+      session.clear
+      session[csrf_param].should be_nil
+      csrf_token.should_not be_nil
+      session[csrf_param].should_not be_nil
+    end
+  end
+
+  context '#form_tag' do
+    it 'should prepend the CSRF authenticity token to the form' do
+      form = form_tag('/register') { text_field_tag :user_name, value: 'test' }
+      form.should have_tag(:form, count: 1, with: { method: 'post',  action: '/register' }) do
+        with_tag(:input, count: 1, with: { type: 'hidden', name: csrf_param, value: csrf_token })
+        with_tag(:input, count: 1, with: { type: 'text', name: 'user_name', value: 'test' })
+      end
+    end
+  end
+
+  context '#token_field_tag' do
+    it 'should return a hidden input with the current CSRF token' do
+      input = token_field_tag
+      input.should have_tag(:input, count: 1, with: { type: 'hidden', name: csrf_param, value: csrf_token })
+    end
+  end
+end

data/spec/spec.rb

@@ -0,0 +1,21 @@
+PADRINO_ENV = 'test'
+
+require 'rspec'
+require 'rspec-html-matchers'
+require 'rack/test'
+require 'padrino-csrf'
+
+module TestHelpers
+  def app
+    @app ||= Sinatra.new(Padrino::Application) do
+      register Padrino::CSRF
+      set :prevent_request_forgery, true
+      set :logging, false
+    end
+  end
+end
+
+RSpec.configure do |configuration|
+  configuration.include TestHelpers
+  configuration.include Rack::Test::Methods
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: padrino-csrf
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-02-01 00:00:00.000000000 Z
+date: 2012-02-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: padrino-core
-  requirement: &18997080 !ruby/object:Gem::Requirement
+  requirement: &15518448 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,10 +21,10 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *18997080
+  version_requirements: *15518448
 - !ruby/object:Gem::Dependency
   name: padrino-helpers
-  requirement: &18961296 !ruby/object:Gem::Requirement
+  requirement: &15517608 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -32,10 +32,21 @@ dependencies:
         version: '0'
   type: :runtime
   prerelease: false
-  version_requirements: *18961296
+  version_requirements: *15517608
 - !ruby/object:Gem::Dependency
-  name: minitest
-  requirement: &18729264 !ruby/object:Gem::Requirement
+  name: rspec
+  requirement: &15517176 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :development
+  prerelease: false
+  version_requirements: *15517176
+- !ruby/object:Gem::Dependency
+  name: rspec-html-matchers
+  requirement: &15516288 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -43,10 +54,10 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *18729264
+  version_requirements: *15516288
 - !ruby/object:Gem::Dependency
-  name: webrat
-  requirement: &15937272 !ruby/object:Gem::Requirement
+  name: rack-test
+  requirement: &15515712 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -54,7 +65,7 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *15937272
+  version_requirements: *15515712
 description: A plugin for the Padrino web framework which adds CSRF protection
 email:
 - cirex@gamesol.org
@@ -63,6 +74,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - .gitignore
+- .rspec
 - .yardopts
 - Gemfile
 - LICENSE
@@ -74,6 +86,9 @@ files:
 - lib/padrino-csrf/routing.rb
 - lib/padrino-csrf/version.rb
 - padrino-csrf.gemspec
+- spec/csrf_spec.rb
+- spec/helpers_spec.rb
+- spec/spec.rb
 - vendor/assets/jquery.unobtrusive.js
 homepage: https://github.com/Cirex/padrino-csrf
 licenses: []