rack-potentially-secure-cookies 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/MIT-LICENSE +20 -0
- data/README.md +44 -0
- data/Rakefile +13 -0
- data/lib/rack/potentially_secure_cookies.rb +33 -0
- metadata +63 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA1:
|
|
3
|
+
metadata.gz: 097d2b73a2a3f4918b9c72fa010efc2eb931a25f
|
|
4
|
+
data.tar.gz: 4c1a16a283d75cfd097252b1c623aeec4a1da1a3
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 63d7f71c2f025c7c30bc1a5b39b7541c633192d12b10e99cf2fe85433877ea83736057eca7288965a936137cc050d721293d21a6c569f1a2dc6f8920d59185db
|
|
7
|
+
data.tar.gz: 38310b5cbe94927af0286ceb9aea34de8d00229dd0fa0fe68aa5fcb2c427d64d141b8cdd8736d3cd23e5a8e399143d30154cfa1c14939fd3b1bc9dc7088e9a28
|
data/MIT-LICENSE
ADDED
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
Copyright 2015 YOURNAME
|
|
2
|
+
|
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
|
4
|
+
a copy of this software and associated documentation files (the
|
|
5
|
+
"Software"), to deal in the Software without restriction, including
|
|
6
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
|
7
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
|
8
|
+
permit persons to whom the Software is furnished to do so, subject to
|
|
9
|
+
the following conditions:
|
|
10
|
+
|
|
11
|
+
The above copyright notice and this permission notice shall be
|
|
12
|
+
included in all copies or substantial portions of the Software.
|
|
13
|
+
|
|
14
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
15
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|
16
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
17
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
|
18
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
|
19
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
|
20
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.md
ADDED
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
# Rack::PotentiallySecureCookie
|
|
2
|
+
|
|
3
|
+
This is a Rack middleware for one very specific purpose;
|
|
4
|
+
|
|
5
|
+
You have a site running on a server that can be accessed through both HTTP and
|
|
6
|
+
HTTPS. Whichever method the user accesses the site she'll never change. So if
|
|
7
|
+
you access the site the first time through HTTPS you will continue to do so.
|
|
8
|
+
|
|
9
|
+
Because security we needed a way to ensure that the cookie flag `Secure` was
|
|
10
|
+
being set whenever our users accesses the site through HTTPS, and to ensure it
|
|
11
|
+
was *not* set when accessing through HTTP as the users couldn't login then.
|
|
12
|
+
|
|
13
|
+
An example of this is:
|
|
14
|
+
|
|
15
|
+
* The site is running on a secured server deep in the middle of a datacenter
|
|
16
|
+
* This site serves the public internet and because of this there's SSL
|
|
17
|
+
termination in front of the site
|
|
18
|
+
* The same site is also being used internally at the company, under a split-view
|
|
19
|
+
setup and these users are not able to go through the SSL termination
|
|
20
|
+
* Since it would be wasteful to run the server with multiple instances of the
|
|
21
|
+
app only to configure the secure cookie setting something to dynamically set
|
|
22
|
+
this needed to be done
|
|
23
|
+
|
|
24
|
+
## Installation and configuration
|
|
25
|
+
|
|
26
|
+
This is available as a gem so just add to your `Gemfile`:
|
|
27
|
+
|
|
28
|
+
```ruby
|
|
29
|
+
gem 'rack-potentially-secure-cookies', require: 'rack/potentially_secure_cookies'
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
In your `environment.rb` (or maybe `environments/production.rb`) add the middleware:
|
|
33
|
+
|
|
34
|
+
```ruby
|
|
35
|
+
config.middleware.insert_before(ActionDispatch::Cookies,
|
|
36
|
+
Rack::PotentiallySecureCookies,
|
|
37
|
+
['_session_id'])
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
The last argument is an array of cookies to force this configuration on.
|
|
41
|
+
|
|
42
|
+
## License
|
|
43
|
+
|
|
44
|
+
MIT License
|
data/Rakefile
ADDED
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
begin
|
|
2
|
+
require 'bundler/setup'
|
|
3
|
+
rescue LoadError
|
|
4
|
+
puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
|
|
5
|
+
end
|
|
6
|
+
require 'rspec/core/rake_task'
|
|
7
|
+
|
|
8
|
+
Bundler::GemHelper.install_tasks
|
|
9
|
+
|
|
10
|
+
RSpec::Core::RakeTask.new(:spec) do |t|
|
|
11
|
+
t.rspec_opts = '--format documentation'
|
|
12
|
+
end
|
|
13
|
+
task :default => :spec
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
module Rack
|
|
2
|
+
class PotentiallySecureCookies
|
|
3
|
+
VERSION = '1.0.1'
|
|
4
|
+
|
|
5
|
+
def initialize(app, cookies)
|
|
6
|
+
@app = app
|
|
7
|
+
|
|
8
|
+
# All in the name to make this as fast as possible anything that
|
|
9
|
+
# could be used in multiple requests have been defined here.
|
|
10
|
+
_cookies = "^((#{cookies.join(')|(')}))".freeze
|
|
11
|
+
@configured_cookies = /#{_cookies}/
|
|
12
|
+
@cookies_with_secure = /(#{_cookies}.*?)(; [Ss]ecure)(.*)$/
|
|
13
|
+
@cookies_without_secure = /(#{_cookies}(?!.*[Ss]ecure).*)/
|
|
14
|
+
@secure = /; [Ss]ecure/
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
def call(env)
|
|
18
|
+
status, headers, body = @app.call(env)
|
|
19
|
+
|
|
20
|
+
if headers['Set-Cookie'] && @configured_cookies.match(headers['Set-Cookie'])
|
|
21
|
+
request = Rack::Request.new(env)
|
|
22
|
+
|
|
23
|
+
if request.ssl?
|
|
24
|
+
headers['Set-Cookie'].gsub!(@cookies_without_secure, '\1; Secure')
|
|
25
|
+
else
|
|
26
|
+
headers['Set-Cookie'].gsub!(@cookies_with_secure, '\1\3')
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
[status, headers, body]
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: rack-potentially-secure-cookies
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 1.0.1
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Björn Andersson
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2015-12-10 00:00:00.000000000 Z
|
|
12
|
+
dependencies:
|
|
13
|
+
- !ruby/object:Gem::Dependency
|
|
14
|
+
name: rack
|
|
15
|
+
requirement: !ruby/object:Gem::Requirement
|
|
16
|
+
requirements:
|
|
17
|
+
- - ">="
|
|
18
|
+
- !ruby/object:Gem::Version
|
|
19
|
+
version: '0'
|
|
20
|
+
type: :runtime
|
|
21
|
+
prerelease: false
|
|
22
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
23
|
+
requirements:
|
|
24
|
+
- - ">="
|
|
25
|
+
- !ruby/object:Gem::Version
|
|
26
|
+
version: '0'
|
|
27
|
+
description:
|
|
28
|
+
email:
|
|
29
|
+
- ba@sanitarium.se
|
|
30
|
+
executables: []
|
|
31
|
+
extensions: []
|
|
32
|
+
extra_rdoc_files: []
|
|
33
|
+
files:
|
|
34
|
+
- MIT-LICENSE
|
|
35
|
+
- README.md
|
|
36
|
+
- Rakefile
|
|
37
|
+
- lib/rack/potentially_secure_cookies.rb
|
|
38
|
+
homepage: https://github.com/gaqzi/rack-potentially-secure-cookies
|
|
39
|
+
licenses:
|
|
40
|
+
- MIT
|
|
41
|
+
metadata: {}
|
|
42
|
+
post_install_message:
|
|
43
|
+
rdoc_options: []
|
|
44
|
+
require_paths:
|
|
45
|
+
- lib
|
|
46
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
47
|
+
requirements:
|
|
48
|
+
- - ">="
|
|
49
|
+
- !ruby/object:Gem::Version
|
|
50
|
+
version: '0'
|
|
51
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
52
|
+
requirements:
|
|
53
|
+
- - ">="
|
|
54
|
+
- !ruby/object:Gem::Version
|
|
55
|
+
version: '0'
|
|
56
|
+
requirements: []
|
|
57
|
+
rubyforge_project:
|
|
58
|
+
rubygems_version: 2.2.5
|
|
59
|
+
signing_key:
|
|
60
|
+
specification_version: 4
|
|
61
|
+
summary: Force the secure bit of a cookie depending on whether your connection is
|
|
62
|
+
secure
|
|
63
|
+
test_files: []
|