rack-deadline 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1c5ee4aaaecaccbcf6c5cd7f391fc7f6a943f2a1
+  data.tar.gz: b2257b76530e894c966bd76de67f56c87d85f454
+SHA512:
+  metadata.gz: 45cf023d81d9ac86a1b7ee2064d6658f0235c513ba57237160ada5b131248ca616b915870f6f63474b8a2dd8182d41901a06c0c7d49490014376919da7cc3ef5
+  data.tar.gz: f546df89e134a9c43ca3b4c40384b3cdd558710f38227364e24a1b68a298ac16aa2234d7728bb06baabeacd8002278cf2bf748d0b42f222179755b474433cc2b

data/CHANGELOG

@@ -0,0 +1,3 @@
+=== 1.0.0 (2014-01-28)
+
+* Initial Public Release

data/MIT-LICENSE

@@ -0,0 +1,18 @@
+Copyright (c) 2014 Jeremy Evans
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+  
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+   
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,71 @@
+= rack-deadline
+
+rack-deadline is a simple rack middleware that automatically
+clears sessions that have been open too long (by default,
+1 day).
+
+This is designed for use with cookie stores to mitigate the
+risk of session fixation, since it is impossible to invalidate
+older sessions with a pure cookie-based approach.
+
+It is impossible to enforce a deadline with the standard rack
+cookie session API. The expire_after setting is not part of the
+session itself (it's part of the cookie, and not cryptographically
+signed), and an attacker who has access to a previous cookie can
+just omit it when making a request.
+
+This stores a deadline inside the crytographically signed session,
+and once the deadline is passed, the session will no longer be valid.
+
+= Installation
+
+  sudo gem install rack-deadline
+
+= Source Code
+
+Source code is available on GitHub at https://github.com/jeremyevans/rack-deadline
+
+= Usage
+
+First, require the library:
+
+  require 'rack-deadline'
+
+Then load the middleware, after you have loaded the middleware
+that sets up the session:
+
+  use Rack::Session::Deadline
+
+You can also provide options:
+
+  use Rack::Session::Deadline, :deadline=>3600, :key=>'_my_deadline'
+
+Options:
+
+:deadline :: The number of seconds from the start of the session until
+             the session is no longer valid.  By default this is 86400,
+             or 1 day.
+:key :: The hash key used inside the session to store the deadline. The
+        deadline is stored as an integer number of seconds from the unix
+        epoch.
+
+This has been tested on both Rails and Sinatra, but should work with any
+software that uses the Rack::Session::Abstract::ID API.
+
+= Tested On 
+
+* Ruby 1.8.7
+* Ruby 1.9.3
+* Ruby 2.0.0
+* Ruby 2.1.0
+* Rubinius 2.2.3
+* Rack 1.4.5
+* Rack 1.5.2
+
+= License
+
+MIT
+
+= Author
+
+Jeremy Evans <code@jeremyevans.net>

data/Rakefile

@@ -0,0 +1,50 @@
+require "rake"
+require "rake/clean"
+require 'rake/testtask'
+
+
+CLEAN.include ["rack-deadline-*.gem", "rdoc", "coverage"]
+
+desc "Build rack-deadline gem"
+task :package=>[:clean] do |p|
+  sh %{#{FileUtils::RUBY} -S gem build rack-deadline.gemspec}
+end
+
+### Tests
+
+desc "Run tests"
+Rake::TestTask.new do |t|
+  t.libs.push "lib"
+  t.test_files = FileList['test/*_test.rb']
+  t.verbose = true
+end
+
+task :default=>:test
+
+### RDoc
+
+RDOC_DEFAULT_OPTS = ["--quiet", "--line-numbers", "--inline-source", '--title', 'Rack::Session::Deadline: Automatically clears sessions open too long']
+
+begin
+  gem 'rdoc', '= 3.12.2'
+  gem 'hanna-nouveau'
+  RDOC_DEFAULT_OPTS.concat(['-f', 'hanna'])
+rescue Gem::LoadError
+end
+
+rdoc_task_class = begin
+  require "rdoc/task"
+  RDoc::Task
+rescue LoadError
+  require "rake/rdoctask"
+  Rake::RDocTask
+end
+
+RDOC_OPTS = RDOC_DEFAULT_OPTS + ['--main', 'README.rdoc']
+
+rdoc_task_class.new do |rdoc|
+  rdoc.rdoc_dir = "rdoc"
+  rdoc.options += RDOC_OPTS
+  rdoc.rdoc_files.add %w"README.rdoc CHANGELOG MIT-LICENSE lib/**/*.rb"
+end
+

data/lib/rack-deadline.rb

@@ -0,0 +1,33 @@
+require 'rack/session/abstract/id'
+
+# Rack middleware that automatically clears sessions that are open too long.
+# This is designed to mitigate session fixation attacks in pure cookie-based
+# session storage.
+class Rack::Session::Deadline
+  ENV_KEY = 'rack.session'.freeze
+  DEFAULT_KEY = '_deadline'.freeze
+  DEFAULT_DEADLINE = 86400
+
+  # Configure the middleware with the given options:
+  # :deadline :: The maximum number of seconds a session can be open.
+  # :key :: the key in the session hash in which to store the deadline.
+  def initialize(app, opts={})
+    @app = app
+    @deadline = opts[:deadline] || DEFAULT_DEADLINE
+    @key = opts[:key] || DEFAULT_KEY
+    @time_class = opts[:time_class] || Time
+  end
+
+  # Before calling the app, clears the session if it has passed the deadline.
+  # After calling the app, set the deadline in the session if it hasn't been set yet.
+  def call(env)
+    if (session = env[ENV_KEY]) && (!session.has_key?(@key) || session[@key] < @time_class.now.to_i)
+      session.clear
+    end
+    res = @app.call(env)
+    if session
+      session[@key] ||= @time_class.now.to_i + @deadline
+    end
+    res
+  end
+end

data/test/rack-deadline_test.rb

@@ -0,0 +1,75 @@
+require 'rubygems'
+require 'minitest/autorun'
+require 'minitest/spec'
+
+require 'rack/test'
+require 'rack-deadline'
+
+describe Rack::Session::Deadline do
+  include Rack::Test::Methods
+
+  attr_reader :app
+
+  def request
+    Rack::MockRequest.new(@app).get('').body
+  end
+  
+  def time_class(&block)
+    Class.new do
+      define_method(:now) do
+        Class.new do
+          define_method(:to_i, &block)
+        end.new
+      end
+    end.new
+  end
+  
+  def deadline(opts={})
+    @app = Rack::Session::Cookie.new(Rack::Session::Deadline.new(@app, opts), :secret=>'1')
+  end
+
+  before do
+    @app = lambda do |env|
+      old = env['rack.session']['foo']
+      new = env['rack.session']['foo'] = (old||0) + 1
+      [200, {'Content-Type'=>'text/html'}, ["#{old}=>#{new}"]]
+    end
+  end
+
+  it "should work correctly with no options" do
+    deadline
+    get('/').body.must_equal '=>1'
+    get('/').body.must_equal '1=>2'
+    get('/').body.must_equal '2=>3'
+  end
+
+  it "should clear session if deadline is passed" do
+    i = 0
+    deadline(:deadline=>1, :time_class=>time_class{i})
+    get('/').body.must_equal '=>1'
+    get('/').body.must_equal '1=>2'
+    i = 2
+    get('/').body.must_equal '=>1'
+    get('/').body.must_equal '1=>2'
+    i = 4
+    get('/').body.must_equal '=>1'
+    get('/').body.must_equal '1=>2'
+    get('/').body.must_equal '2=>3'
+    i = 6
+    get('/').body.must_equal '=>1'
+  end
+
+  it "should store deadline in given session key" do
+    i = 5
+    deadline(:key=>'foo', :time_class=>time_class{i})
+    get('/').body.must_equal '=>1'
+    i = 0
+    get('/').body.must_equal '1=>2'
+    get('/').body.must_equal '2=>3'
+    get('/').body.must_equal '3=>4'
+    get('/').body.must_equal '4=>5'
+    get('/').body.must_equal '5=>6'
+    i = 86407
+    get('/').body.must_equal '=>1'
+  end
+end

metadata

@@ -0,0 +1,75 @@
+--- !ruby/object:Gem::Specification
+name: rack-deadline
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Jeremy Evans
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-01-28 00:00:00.000000000 Z
+dependencies: []
+description: |
+  rack-deadline is a simple rack middleware that automatically
+  clears sessions that have been open too long (by default,
+  1 day).
+
+  This is designed for use with cookie stores to mitigate the
+  risk of session fixation, since it is impossible to invalidate
+  older sessions with a pure cookie-based approach.
+
+  It is impossible to enforce a deadline with the standard rack
+  cookie session API. The expire_after setting is not part of the
+  session itself (it's part of the cookie, and not cryptographically
+  signed), and an attacker who has access to a previous cookie can
+  just omit it when making a request.
+
+  This stores a deadline inside the crytographically signed session,
+  and once the deadline is passed, the session will no longer be valid.
+email: code@jeremyevans.net
+executables: []
+extensions: []
+extra_rdoc_files:
+- README.rdoc
+- CHANGELOG
+- MIT-LICENSE
+files:
+- CHANGELOG
+- MIT-LICENSE
+- README.rdoc
+- Rakefile
+- lib/rack-deadline.rb
+- test/rack-deadline_test.rb
+homepage: http://gihub.com/jeremyevans/rack-deadline
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options:
+- "--quiet"
+- "--line-numbers"
+- "--inline-source"
+- "--title"
+- 'Rack::Session::Deadline: Automatically clears sessions open too long'
+- "--main"
+- README.rdoc
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.0
+signing_key: 
+specification_version: 4
+summary: Automatically clears sessions open too long
+test_files: []