rack-authenticate 0.1.0 → 0.2.0

data/gemfiles/rack-1.1.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: /Users/myron/code/rack-authenticate
   specs:
-    rack-authenticate (0.1.0)
+    rack-authenticate (0.2.0)
       ruby-hmac (~> 0.4.0)
 
 GEM

data/gemfiles/rack-1.2.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: /Users/myron/code/rack-authenticate
   specs:
-    rack-authenticate (0.1.0)
+    rack-authenticate (0.2.0)
       ruby-hmac (~> 0.4.0)
 
 GEM

data/gemfiles/rack-1.3.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: /Users/myron/code/rack-authenticate
   specs:
-    rack-authenticate (0.1.0)
+    rack-authenticate (0.2.0)
       ruby-hmac (~> 0.4.0)
 
 GEM

data/lib/rack/authenticate/client.rb

@@ -6,13 +6,14 @@ module Rack
   module Authenticate
     class Client
       attr_reader :access_id, :secret_key
-      def initialize(access_id, secret_key)
+      def initialize(access_id, secret_key, options = {})
         @access_id, @secret_key = access_id, secret_key
+        @ajax = options[:ajax]
       end
 
       def request_signature_headers(method, url, content_type = nil, content = nil)
         {}.tap do |headers|
-          headers['Date'] = date = Time.now.httpdate
+          headers[date_header_field] = date = Time.now.httpdate
           request = [method.to_s.upcase, url, date]
 
           if content_md5 = content_md5_for(content_type, content)
@@ -27,6 +28,13 @@ module Rack
 
     private
 
+      def date_header_field
+        # Browsers do not allow javascript to set the Date header when making an AJAX request:
+        #   http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method
+        # Thus, we allow the custom X-Authorization-Date header to be used instead of Date.
+        @ajax ? 'X-Authorization-Date' : 'Date'
+      end
+
       def content_md5_for(content_type, content)
         if content_type.nil? && content.nil?
           # no-op

data/lib/rack/authenticate/middleware.rb

@@ -5,14 +5,18 @@ require 'time'
 module Rack
   module Authenticate
     class Middleware < ::Rack::Auth::Basic
+      ACCESS_CONTROL_MAX_AGE = 60 * 60 * 24 # 24 hours
+
       class Configuration
         def initialize(*args)
           self.timestamp_minute_tolerance ||= 30
           self.hmac_secret_key { |access_id| }
           self.basic_auth_validation { |u, p| false }
+          self.support_cross_origin_resource_sharing = false
         end
 
         attr_accessor :timestamp_minute_tolerance
+        attr_writer   :support_cross_origin_resource_sharing
         attr_reader   :basic_auth_validation_block
 
         def hmac_secret_key(&block)
@@ -26,6 +30,10 @@ module Rack
         def basic_auth_validation(&block)
           @basic_auth_validation_block = block
         end
+
+        def support_cross_origin_resource_sharing?
+          @support_cross_origin_resource_sharing
+        end
       end
 
       class Auth < ::Rack::Auth::AbstractRequest
@@ -56,10 +64,6 @@ module Rack
           @request ||= ::Rack::Request.new(@env)
         end unless method_defined?(:request)
 
-        def date
-          request.env['HTTP_DATE']
-        end
-
         def valid_current_date?
           timestamp = Time.httpdate(date)
         rescue ArgumentError
@@ -107,6 +111,25 @@ module Rack
           valid_current_date? &&
           calculated_digest == given_digest
         end
+
+        def supported_cors_preflight_request?
+          @configuration.support_cross_origin_resource_sharing? &&
+          request.request_method == 'OPTIONS' &&
+          %w[ HTTP_ACCESS_CONTROL_REQUEST_METHOD HTTP_ORIGIN ].all? { |k| request.env.has_key?(k) }
+        end
+
+      private
+
+        def date
+          @date ||= request.env[date_header_field]
+        end
+
+        def date_header_field
+          # Browsers do not allow javascript to set the Date header when making an AJAX request:
+          #   http://www.w3.org/TR/XMLHttpRequest/#the-setrequestheader-method
+          # Thus, we allow the custom X-Authorization-Date header to be used instead of Date.
+          @date_header_field ||= ['HTTP_X_AUTHORIZATION_DATE', 'HTTP_DATE'].find { |k| request.env.has_key?(k) } || 'HTTP_DATE'
+        end
       end
 
       def initialize(app)
@@ -117,13 +140,42 @@ module Rack
 
       def call(env)
         auth = Auth.new(env, @configuration)
+        return cors_allowances(env) if auth.supported_cors_preflight_request?
+
+        _call(env, auth) { super }.tap do |(status, headers, body)|
+          if @configuration.support_cross_origin_resource_sharing? && env.has_key?('HTTP_ORIGIN')
+            headers['Access-Control-Allow-Origin'] = env['HTTP_ORIGIN']
+          end
+        end
+      end
+
+    private
+
+      def _call(env, auth)
         return unauthorized unless auth.provided?
-        return super        if     auth.basic?
+        return yield            if auth.basic?
         return bad_request  unless auth.hmac?
         return bad_request  unless auth.has_all_required_parts?
         return unauthorized unless auth.valid?
+
         @app.call(env)
       end
+
+      def cors_allowances(env)
+        headers = {
+          'Access-Control-Allow-Origin'      => env['HTTP_ORIGIN'],
+          'Access-Control-Allow-Methods'     => env['HTTP_ACCESS_CONTROL_REQUEST_METHOD'],
+          'Access-Control-Allow-Credentials' => 'true',
+          'Access-Control-Max-Age'           => ACCESS_CONTROL_MAX_AGE.to_s,
+          'Content-Type'                     => 'text/plain'
+        }
+
+        if env.has_key?('HTTP_ACCESS_CONTROL_REQUEST_HEADERS')
+          headers['Access-Control-Allow-Headers'] = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']
+        end
+
+        [200, headers, []]
+      end
     end
   end
 end

data/lib/rack/authenticate/version.rb

@@ -1,5 +1,5 @@
 module Rack
   module Authenticate
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
   end
 end

data/spec/rack/authenticate/client_spec.rb

@@ -16,7 +16,8 @@ module Rack
 
       let(:access_id)  { 'my-access-id' }
       let(:secret_key) { 'the-s3cr3t' }
-      subject { Client.new(access_id, secret_key) }
+      let(:options)    { {} }
+      subject { Client.new(access_id, secret_key, options) }
 
       describe "#request_signature_headers" do
         it 'raises an Argument error if given a content type but not content' do
@@ -78,6 +79,13 @@ module Rack
           headers.should include('Date' => http_date)
         end
 
+        it 'returns the http date as the X-Authorization-Date in the headers hash for an ajax client' do
+          options[:ajax] = true
+          headers = subject.request_signature_headers("get", "http://foo.com/bar?q=buzz")
+          headers.keys.should_not include('Date')
+          headers.should include('X-Authorization-Date' => http_date)
+        end
+
         context 'when there is no content' do
           it 'does not use anything beyond the method, url and date for the digest' do
             HMAC::SHA1.should_receive(:hexdigest) do |key, request|

data/spec/rack/authenticate/middleware_spec.rb

@@ -119,6 +119,21 @@ module Rack
               auth.should_not be_valid_current_date
             end
           end
+
+          it 'uses the X-Authorization-Date header if given in order to support browser AJAX requests' do
+            basic_env['HTTP_DATE'] = (Time.now - 40.minutes).httpdate
+            basic_env['HTTP_X_AUTHORIZATION_DATE'] = Time.now.httpdate
+            auth = Auth.new(basic_env, stub(:timestamp_minute_tolerance => 10))
+            auth.should be_valid_current_date
+
+            Timecop.freeze(base_time - 11.minutes) do
+              auth.should_not be_valid_current_date
+            end
+
+            Timecop.freeze(base_time + 11.minutes) do
+              auth.should_not be_valid_current_date
+            end
+          end
         end
 
         describe "#has_all_required_parts?" do
@@ -252,9 +267,14 @@ module Rack
           ["#{username}:#{password}"].pack("m*")
         end
 
+        def configure(&block)
+          @configuration_block = block
+        end
+
         let(:app) do
           hmac_creds = hmac_auth_creds
           basic_creds = basic_auth_creds
+          config_block = @configuration_block || Proc.new { }
 
           Rack::Builder.new do
             use Rack::ContentLength
@@ -262,6 +282,7 @@ module Rack
               config.hmac_secret_key { |access_id| hmac_creds[access_id] }
               config.basic_auth_validation { |u, p| basic_creds[u] == p }
               config.timestamp_minute_tolerance = 30
+              config_block.call(config)
             end
 
             run lambda { |env| [200, {}, ['OK']] }
@@ -307,6 +328,13 @@ module Rack
           last_response.status.should eq(200)
         end
 
+        it 'allows an HMAC-authorized request to use the custom X-Authorization-Date header to handle browers that cannot override a Date header on an AJAX request' do
+          header 'Authorization', 'HMAC abc:34a70d9901bd447a02157f9fc598e43d6bf5b484'
+          header 'X-Authorization-Date', http_date
+          get '/'
+          last_response.status.should eq(200)
+        end
+
         it 'lets the request through when there is a valid Basic authorization header' do
           header 'Authorization', "BASIC #{basis_auth_value('abc', 'foo')}"
           get '/'
@@ -329,6 +357,83 @@ module Rack
           post '/foo', "some content"
           last_response.status.should eq(200)
         end
+
+        it 'generates the same signature as an AJAX client', :no_timecop do
+          client = Client.new('abc', hmac_auth_creds['abc'], :ajax => true)
+          client.request_signature_headers('post', 'http://example.org/foo', 'text/plain', "some content").each do |key, value|
+            header key, value
+          end
+
+          header 'Content-Type', 'text/plain'
+          post '/foo', "some content"
+          last_response.status.should eq(200)
+        end
+
+        context 'when cross origin resource sharing is supported' do
+          before { configure { |c| c.support_cross_origin_resource_sharing = true } }
+          let(:headers) { 'X-Authorization-Date, Content-MD5, Authorization, Content-Type' }
+          let(:origin)  { 'http://foo.example.com' }
+
+          let(:expected_response_headers) do {
+            'Content-Type'                     => 'text/plain',
+            'Access-Control-Allow-Origin'      => origin,
+            'Access-Control-Allow-Methods'     => 'PUT',
+            'Access-Control-Allow-Credentials' => 'true',
+            'Access-Control-Max-Age'           => ACCESS_CONTROL_MAX_AGE.to_s
+          } end
+
+          it 'responds to a CORS OPTIONS request with all of the correct headers' do
+            header 'Origin', origin
+            header 'Access-Control-Request-Method', 'PUT'
+            options '/'
+
+            last_response.status.should eq(200)
+            last_response.headers.should include(expected_response_headers)
+            last_response.headers.should_not have_key('Access-Control-Allow-Headers')
+          end
+
+          it 'includes Access-Control-Allow-Headers when they the request asks about them' do
+            header 'Origin', origin
+            header 'Access-Control-Request-Method', 'PUT'
+            header 'Access-Control-Request-Headers', headers
+            options '/'
+
+            last_response.status.should eq(200)
+            last_response.headers.should include(expected_response_headers.merge(
+              'Access-Control-Allow-Headers' => headers
+            ))
+          end
+
+          it 'appends the Access-Control-Allow-Origin header to every response to a request with an Origin header' do
+            header 'Origin', origin
+            get '/'
+            last_response.headers.should include('Access-Control-Allow-Origin' => origin)
+          end
+
+          it 'does not append a Access-Control-Allow-Origin header to a request without an Origin header' do
+            get '/'
+            last_response.headers.keys.should_not include('Access-Control-Allow-Origin')
+          end
+        end
+
+        context 'when cross origin resource sharing is not supported' do
+          before { configure { |c| c.support_cross_origin_resource_sharing = false } }
+
+          it 'does not respond to a CORS OPTIONS request' do
+            header 'Origin', 'http://foo.example.com'
+            header 'Access-Control-Request-Method', 'PUT'
+            options '/'
+
+            last_response.status.should eq(401)
+            last_response.headers.keys.select { |k| k.include?('Access-Control') }.should eq([])
+          end
+
+          it 'does not append the Access-Control-Allow-Origin header to every response' do
+            header 'Origin', 'http://foo.example.com'
+            get '/'
+            last_response.headers.keys.should_not include('Access-Control-Allow-Origin')
+          end
+        end
       end
     end
   end

data/spec/rack/authenticate_spec.rb

@@ -10,7 +10,7 @@ module Rack
   describe Authenticate do
     describe "#new_secret_key" do
       it "generates a long random string" do
-        Rack::Authenticate.new_secret_key.should match(/[A-Za-z0-9\\\/]{60,}/)
+        Rack::Authenticate.new_secret_key.should match(/[A-Za-z0-9\\\/\+]{60,}/)
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-authenticate
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-12-14 00:00:00.000000000Z
+date: 2011-12-16 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ruby-hmac
-  requirement: &2165123900 !ruby/object:Gem::Requirement
+  requirement: &2164691280 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +21,10 @@ dependencies:
         version: 0.4.0
   type: :runtime
   prerelease: false
-  version_requirements: *2165123900
+  version_requirements: *2164691280
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &2165122980 !ruby/object:Gem::Requirement
+  requirement: &2164690620 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +32,10 @@ dependencies:
         version: 2.8.0.rc1
   type: :development
   prerelease: false
-  version_requirements: *2165122980
+  version_requirements: *2164690620
 - !ruby/object:Gem::Dependency
   name: rack-test
-  requirement: &2165121800 !ruby/object:Gem::Requirement
+  requirement: &2164689740 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,10 +43,10 @@ dependencies:
         version: 0.6.1
   type: :development
   prerelease: false
-  version_requirements: *2165121800
+  version_requirements: *2164689740
 - !ruby/object:Gem::Dependency
   name: timecop
-  requirement: &2165119880 !ruby/object:Gem::Requirement
+  requirement: &2164689140 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -54,10 +54,10 @@ dependencies:
         version: 0.3.5
   type: :development
   prerelease: false
-  version_requirements: *2165119880
+  version_requirements: *2164689140
 - !ruby/object:Gem::Dependency
   name: rake
-  requirement: &2165118740 !ruby/object:Gem::Requirement
+  requirement: &2164688520 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -65,7 +65,7 @@ dependencies:
         version: 0.9.2.2
   type: :development
   prerelease: false
-  version_requirements: *2165118740
+  version_requirements: *2164688520
 description: A rack middleware that authenticates requests either using basic auth
   or via signed HMAC.
 email:
@@ -108,18 +108,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: 3915972377908680387
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
-      segments:
-      - 0
-      hash: 3915972377908680387
 requirements: []
 rubyforge_project: rack-authenticate
 rubygems_version: 1.8.6