rack-session-encryptedcookie 0.2.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 856832c8f3652b96214a5bd20c2247ab9eef5e11
+  data.tar.gz: cec97853bb6a2d761fcc0b4622d6d56f441f36ef
+SHA512:
+  metadata.gz: f738b4841d55c5527f6b33b4518664452d86affee34bc7af6f802544e3fec4f633778a67faa39ef529ec3c5c51698d99d82ee041c62de8d1f91745e74b214659
+  data.tar.gz: ab2bc73c700c5aa333844709c57c11cefd915339830eb95cee80769f0c3a5e80391cfe39821aad901a524facb416641984413893419926215c6ffd12025dc833

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2012, Tim Hentenaar
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met: 
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer. 
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution. 
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

data/README.md

@@ -0,0 +1,102 @@
+rack-session-encryptedcookie
+============================
+
+[![Travis CI Status](https://secure.travis-ci.org/thentenaar/rack-session-encryptedcookie.svg?branch=master)](https://travis-ci.org/thentenaar/rack-session-encryptedcookie)
+
+Rack session handling middleware that serializes the session data into
+an encrypted cookie; that's also async-aware.
+
+This is probably not the **most** secure solution, but it's better than storing your session
+data in a cookie as clear text. That being said, it's _much_ more secure to use a
+pre-generated key with this module than a password-derived key, but the latter is
+provided as a convenience option.
+
+If you have strict security requirements, you really shouldn't be storing sensitive data in
+the session.
+
+Licensing
+=========
+
+This software is licensed under the [Simplified BSD License](http://en.wikipedia.org/wiki/BSD_licenses#2-clause_license_.28.22Simplified_BSD_License.22_or_.22FreeBSD_License.22.29) as described in the LICENSE file.
+
+Requirements
+============
+
+* rack
+
+Installation
+============
+
+    gem install rack-session-encryptedcookie
+
+Usage
+=====
+
+Just add something like this to your _config.ru_:
+
+```ruby
+require 'rack/session/encryptedcookie'
+
+use Rack::Session::EncryptedCookie domain: 'domain.name', salt: 'salthere', key: 'my_secret'
+```
+
+... and you can access the session hash via ``env['rack.session']`` per
+usual.
+
+The full list of options is:
+| ``cookie_name`` | Cookie name (default: 'rack.session')            |
+| ``domain``      | Domain for the cookie (mandatory)                |
+| ``http_only``   | HttpOnly for the cookie                          |
+| ``expires``     | Cookie expiry (in seconds, optional)             |
+| ``cipher``      | OpenSSL cipher to use (default: aes-256-cbc)     |
+| ``salt``        | Salt for the IV (password-derrived key)          |
+| ``rounds``      | Number of salting rounds (password-derrived key) |
+| ``key``         | Encryption key / password for the cookie         |
+| ``tag_len``     | Tag length (for GCM/CCM ciphers, optional)       |
+
+Generating your own Key
+=======================
+
+You can generate a key using something like:
+```ruby
+SecureRandom.random_bytes(key_size_in_bytes)
+```
+or anything else, as long as the key is the proper size for the cipher.
+
+Using a pre-generated Key
+=========================
+
+To use a pre-generated key, you must specify the following options:
+```ruby
+cipher: 'aes-256-cbc', # The cipher algorithm to use (defaults to aes-256-cbc)
+key:    your_key_here, # Your pre-generated key
+```
+
+Examples:
+```ruby
+# Using the default cipher
+use Rack::Session::EncryptedCookie, key: your_key
+
+# Using the specified cipher
+use Rack::Session::EncryptedCookie, cipher: your_cipher, key: your_key
+```
+
+Using a password-derived key
+=============================
+
+You can derive a key by specifying the following options:
+```ruby
+cipher  'aes-256-cbc', # The cipher algorithm to use (default aes-256-cbc)
+salt    'salthere',    # Salt to use for key generation
+rounds: 2000,          # Number of cipher rounds for key generation (default: 2000)
+key:    'yoursecret',  # A password from which to generate the key
+```
+
+``crypto_key`` and ``salt`` must be specified in order to enable encryption.
+All other options have defaults available.
+
+Example:
+```ruby
+use Rack::Session::EncryptedCookie, salt: 'salthere', crypto_key: 'my_secret'
+```
+

data/lib/rack/session/encryptedcookie.rb

@@ -0,0 +1,192 @@
+#
+# Rack::Session::EncryptedCookie - Encrypted session middleware for Rack
+#
+# Copyright (C) 2013 - 2017 Tim Hentenaar. All Rights Reserved.
+#
+# Licensed under the Simplified BSD License.
+# See the LICENSE file for details.
+#
+
+require 'rack/request'
+require 'rack/utils'
+require 'openssl'
+
+module Rack
+module Session
+  class EncryptedCookie
+    NOT_FOUND = [ 404, {}, [ 'Not found' ]].freeze
+
+    # @param [Hash] opts Session options
+    # @option opts [String]  :cookie_name Cookie name
+    # @option opts [String]  :domain      Domain for the cookie
+    # @option opts [Boolean] :http_only   HttpOnly for the cookie
+    # @option opts [Integer] :expires     Cookie expiry (in seconds)
+    # @option opts [String]  :cipher      OpenSSL cipher to use
+    # @option opts [String]  :salt        Salt for the IV
+    # @optons opts [Integer] :rounds      Number of salting rounds
+    # @option opts [String]  :key         Encryption key for the data
+    # @option opts [Integer] :tag_len     Tag length (for GCM/CCM ciphers)
+    def initialize(app, opts={})
+      @app  = app
+      @hash = {}
+      @opts = {
+        cookie_name: 'rack.session',
+        domain:      nil,
+        http_only:   false,
+        expires:     (15 * 60),
+        cipher:      'aes-256-cbc',
+        salt:        '3@bG>B@J5vy-FeXJ',
+        rounds:      2000,
+        key:         'r`*BqnG:c^;AL{k97=KYN!#',
+        tag_len:     16
+      }.merge(opts)
+    end
+
+    def call(env)
+      dup.call!(env)
+    end
+
+    def call!(env)
+      @cb = env['async.callback']
+      env['async.callback'] = method(:save_session) if @cb
+      env['rack.session']   = self
+      load_session(env)
+
+      if @app
+        @cb ? @app.call(env) : save_session(@app.call(env))
+      else
+        @cb ? @cb.call(NOT_FOUND) : NOT_FOUND
+      end
+    end
+
+    def method_missing(method, *args, &block)
+      if @hash.respond_to?(method)
+        @hash.send(method, *args, &block)
+      else
+        raise ArgumentError.new("Method `#{method}` doesn't exist.")
+      end
+    end
+
+    private
+
+    # Load the sesssion data from the cookie
+    # @return [Hash, nil] Session data
+    def load_session(env)
+      r = Rack::Request.new(env)
+      cookie = r.cookies[@opts[:cookie_name]]
+      return if cookie.nil?
+      @hash = Marshal.load(cipher(:decrypt, cookie)) rescue {}
+    end
+
+    # Add our cookie to the response
+    #
+    # @param [Array] r Upstream Rack response
+    # @return [Array] Rack response + our cookie
+    def save_session(r)
+      return r if !r.is_a?(Array) || (r.is_a?(Array) && r[0] == -1)
+
+      unless @hash.empty? || @opts[:domain].nil?
+        data = cipher(:encrypt, Marshal.dump(@hash)) rescue nil
+        c = {
+          value:  data,
+          domain: @opts[:domain],
+          path:   '/',
+        }
+
+        c[:httponly] = @opts[:http_only] === true
+        if @opts.has_key?(:expires)
+          c[:expires] = Time.at(Time.now + @opts[:expires])
+        end
+
+        r[1]['Set-Cookie'] = Rack::Utils.add_cookie_to_header(
+          r[1]['Set-Cookie'], @opts[:cookie_name], c
+        ) unless data.nil?
+      end
+
+      @cb.call(r) if @cb
+      r
+    end
+
+    # Warn the user that en/de-cryption failed
+    # @param [String] e Exception message
+    # @return nil
+    def cipher_failed(e='<no message>')
+        warn (<<-XXX.gsub(/^\s*/, ''))
+        SECURITY WARNING: Session cipher failed: #{e}
+        XXX
+        return nil
+    end
+
+    # Handle en/de-cryption
+    # @param [Symbol] :mode :encrypt or :decrypt
+    # @param [String] :str  Data to en/de-crypt
+    # @return [String, nil] Encrypted data
+    def cipher(mode, str)
+      return nil if @opts[:key].nil? || str.nil?
+      begin
+        cipher = OpenSSL::Cipher::Cipher.new(@opts[:cipher])
+        cipher.send(mode)
+      rescue
+        return cipher_failed($!.message)
+      end
+
+      # Set the key and IV
+      if @opts[:salt].nil?
+        cipher.key = @opts[:key]
+      else
+        cipher.key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(
+          @opts[:key], @opts[:salt],
+          @opts[:rounds], cipher.key_len
+        )
+      end
+
+      # Setup the auth data for GCM/CCM
+      if cipher.name.match(%r{/[CG]CM$/i})
+        cipher.auth_data = ''
+        cipher.tag_len   = @opts[:tag_len]
+      end
+
+      iv   = cipher.random_iv
+      xstr = str
+
+      if mode == :decrypt
+        str = str.unpack('m').first
+
+        # Set the tag for GCM/CCM
+        if cipher.name.match(%r{/[CG]CM$/i})
+          cipher.auth_tag = str.slice!(0, cipher.tag_len).unpack('C*')
+        end
+
+        # Extract the iv
+        iv_len   = iv.length
+        str_b,iv = Array[str[0 ... iv_len << 1].unpack('C*')].transpose.
+                   partition.with_index { |x,i| (i&1).zero? }
+        iv.flatten! ; str_b.flatten!
+
+        # Set the IV and buffer
+        iv   = iv.pack('C*')
+        xstr = str_b.pack('C*') + str[iv_len << 1 ... str.length]
+      end
+
+      # Call the cipher
+      r         = nil
+      cipher.iv = iv
+      begin
+        r = cipher.update(xstr) + cipher.final
+        if mode == :encrypt
+          d = r.bytes.zip(iv.bytes).flatten.compact
+          if cipher.name.match(%r{/[CG]CM$/i})
+            d = cipher.tag.bytes + d.bytes
+          end
+          r = [d.pack('C*')].pack('m').chomp
+        end
+      rescue OpenSSL::Cipher::CipherError
+        return cipher_failed($!.message)
+      end
+      r
+    end
+  end
+end
+end
+
+# vi:set ts=2 sw=2 et sta:

metadata

@@ -0,0 +1,89 @@
+--- !ruby/object:Gem::Specification
+name: rack-session-encryptedcookie
+version: !ruby/object:Gem::Version
+  version: 0.2.1
+platform: ruby
+authors:
+- Tim Hentenaar
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-12-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '12.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '12.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.5'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: |2
+    Rack middleware that persists session data in an encrypted cookie
+email: tim.hentenaar@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/rack/session/encryptedcookie.rb
+homepage: https://github.com/thentenaar/rack-session-encryptedcookie
+licenses:
+- BSD-2-Clause
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.14
+signing_key: 
+specification_version: 4
+summary: Encrypted session middleware for Rack
+test_files: []