RubyGems - rack-session - Versions diffs - 0.3.0 → 1.0.0 - Mend

rack-session 0.3.0 → 1.0.0

Files changed (13) hide show

checksums.yaml +4 -4
data/lib/rack/session/version.rb +4 -1
data/license.md +24 -0
data/readme.md +47 -0
data/security.md +3 -0
metadata +25 -26
data/LICENSE.md +0 -23
data/lib/rack/session/abstract/id.rb +0 -532
data/lib/rack/session/constants.rb +0 -9
data/lib/rack/session/cookie.rb +0 -308
data/lib/rack/session/encryptor.rb +0 -188
data/lib/rack/session/pool.rb +0 -78
data/lib/rack/session.rb +0 -9

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 50f1782c9cc160cdbcee7ac400f1d3643c5b2140e6024c5a1e9829df9d535441
-  data.tar.gz: cacc044559ef38fef31477da4e17173de8533e5970739e7bfc90678d38bf08e3
+  metadata.gz: 197fa5e7a11e2cf9998fb2e456b2d2ae84d3eb21e4208d38741b17dc8356375f
+  data.tar.gz: f0f51a370a60eb8abf007d37e8f7763514a374c937b85529e1a0bf7e9c61eb8f
 SHA512:
-  metadata.gz: 0b196f3055fdb3ccda5e0aff1a0aa3b852e1fb3676de3ed0508f2d92f2771e63c8b79ac8b3b7dc4c346467eadd178786e31b92501fb900418be6c7d0afe985de
-  data.tar.gz: 9d200ef0353f8efdf0a92f072db2765fd2be3cd391db47a603c31be9f0a29b16dfb421e20693e889c38204171680fc5f859046d823fe4aaf0a6a6f26300b25b4
+  metadata.gz: f70b021ddb700f519752fc64c0ceed6ffe04c2d28ae2f7c15b32368c503e721fd804c2fce7e0f3052ae4b5d3c0c362918361b377bd068d7abce761ca2e916030
+  data.tar.gz: 179dba7f3f3f2610bd23f9a36c2d8cef776e8cf4cf9cba8f85c44a7a8e1b6ca473fdf08eabd22ac6a4b88b59ebc016c270c212ad67f979961e7ba6b16c07612f

data/lib/rack/session/version.rb CHANGED Viewed

@@ -1,7 +1,10 @@
 # frozen_string_literal: true
+# Released under the MIT License.
+# Copyright, 2022-2023, by Samuel Williams.
 module Rack
   module Session
-    VERSION = "0.3.0"
+    VERSION = "1.0.0"
   end
 end

data/license.md ADDED Viewed

@@ -0,0 +1,24 @@
+# MIT License
+Copyright, 2022-2023, by Samuel Williams.
+Copyright, 2022, by Jeremy Evans.
+Copyright, 2022, by Philip Arndt.
+Copyright, 2022, by Jon Dufresne.
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/readme.md ADDED Viewed

@@ -0,0 +1,47 @@
+# Rack::Session
+Session management implementation for Rack.
+[![Development Status](https://github.com/rack/rack-session/workflows/Test/badge.svg)](https://github.com/rack/rack-session/actions?workflow=Test)
+## Usage
+In your `config.ru`:
+``` ruby
+# config.ru
+require 'rack/session'
+use Rack::Session::Cookie,
+  :domain => 'mywebsite.com',
+  :path => '/',
+  :expire_after => 3600*24,
+  :secret => '**unique secret key**'
+```
+Usage follows the standard outlined by `rack.session`, i.e.:
+``` ruby
+class MyApp
+  def call(env)
+    session = env['rack.session']
+    # Set some state:
+    session[:key] = "value"
+  end
+end
+```
+### Compatibility
+`rack-session` code used to be part of Rack, but it was extracted in Rack v3 to this gem. The v1 release of this gem is compatible with Rack v2, and the v2 release of this gem is compatible with Rack v3+. That means you can add `gem "rack-session"` to your application and it will be compatible with all versions of Rack.
+## Contributing
+We welcome contributions to this project.
+1.  Fork it.
+2.  Create your feature branch (`git checkout -b my-new-feature`).
+3.  Commit your changes (`git commit -am 'Add some feature'`).
+4.  Push to the branch (`git push origin my-new-feature`).
+5.  Create new Pull Request.

data/security.md ADDED Viewed

@@ -0,0 +1,3 @@
+# Security Policy
+Please see our main security policy: https://github.com/rack/rack/security/policy

metadata CHANGED Viewed

@@ -1,57 +1,60 @@
 --- !ruby/object:Gem::Specification
 name: rack-session
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 1.0.0
 platform: ruby
 authors:
-- Rack Contributors
+- Samuel Williams
+- Jeremy Evans
+- Jon Dufresne
+- Philip Arndt
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-09-24 00:00:00.000000000 Z
+date: 2023-01-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<="
       - !ruby/object:Gem::Version
-        version: 3.0.0.beta1
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<="
       - !ruby/object:Gem::Version
-        version: 3.0.0.beta1
+        version: '3'
 - !ruby/object:Gem::Dependency
-  name: minitest
+  name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: minitest-sprint
+  name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '5.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '5.0'
 - !ruby/object:Gem::Dependency
   name: minitest-global_expectations
   requirement: !ruby/object:Gem::Requirement
@@ -67,7 +70,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: minitest-sprint
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -100,14 +103,10 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- LICENSE.md
-- lib/rack/session.rb
-- lib/rack/session/abstract/id.rb
-- lib/rack/session/constants.rb
-- lib/rack/session/cookie.rb
-- lib/rack/session/encryptor.rb
-- lib/rack/session/pool.rb
 - lib/rack/session/version.rb
+- license.md
+- readme.md
+- security.md
 homepage: https://github.com/rack/rack-session
 licenses:
 - MIT
@@ -127,7 +126,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.0.dev
+rubygems_version: 3.4.1
 signing_key:
 specification_version: 4
 summary: A session implementation for Rack.

data/LICENSE.md DELETED Viewed

@@ -1,23 +0,0 @@
-The MIT License (MIT)
-Copyright, 2007-2021, by [Leah Neukirchen](https://leahneukirchen.org).
-Copyright, 2008, by Scytrin dai Kinthra.
-Copyright, 2020, by [Michael Coyne](https://michaeljcoyne.me).
-Copyright, 2021, by [Samuel G. D. Williams](https://www.codeotaku.com).
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to
-deal in the Software without restriction, including without limitation the
-rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-sell copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
-THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
-IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
-CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/lib/rack/session/abstract/id.rb DELETED Viewed

@@ -1,532 +0,0 @@
-# frozen_string_literal: true
-# AUTHOR: blink <blinketje@gmail.com>; blink#ruby-lang@irc.freenode.net
-# bugrep: Andreas Zehnder
-require 'time'
-require 'securerandom'
-require 'digest/sha2'
-require 'rack/constants'
-require 'rack/request'
-require 'rack/response'
-require_relative '../constants'
-module Rack
-  module Session
-    class SessionId
-      ID_VERSION = 2
-      attr_reader :public_id
-      def initialize(public_id)
-        @public_id = public_id
-      end
-      def private_id
-        "#{ID_VERSION}::#{hash_sid(public_id)}"
-      end
-      alias :cookie_value :public_id
-      alias :to_s :public_id
-      def empty?; false; end
-      def inspect; public_id.inspect; end
-      private
-      def hash_sid(sid)
-        Digest::SHA256.hexdigest(sid)
-      end
-    end
-    module Abstract
-      # SessionHash is responsible to lazily load the session from store.
-      class SessionHash
-        include Enumerable
-        attr_writer :id
-        Unspecified = Object.new
-        def self.find(req)
-          req.get_header RACK_SESSION
-        end
-        def self.set(req, session)
-          req.set_header RACK_SESSION, session
-        end
-        def self.set_options(req, options)
-          req.set_header RACK_SESSION_OPTIONS, options.dup
-        end
-        def initialize(store, req)
-          @store = store
-          @req = req
-          @loaded = false
-        end
-        def id
-          return @id if @loaded or instance_variable_defined?(:@id)
-          @id = @store.send(:extract_session_id, @req)
-        end
-        def options
-          @req.session_options
-        end
-        def each(&block)
-          load_for_read!
-          @data.each(&block)
-        end
-        def [](key)
-          load_for_read!
-          @data[key.to_s]
-        end
-        def dig(key, *keys)
-          load_for_read!
-          @data.dig(key.to_s, *keys)
-        end
-        def fetch(key, default = Unspecified, &block)
-          load_for_read!
-          if default == Unspecified
-            @data.fetch(key.to_s, &block)
-          else
-            @data.fetch(key.to_s, default, &block)
-          end
-        end
-        def has_key?(key)
-          load_for_read!
-          @data.has_key?(key.to_s)
-        end
-        alias :key? :has_key?
-        alias :include? :has_key?
-        def []=(key, value)
-          load_for_write!
-          @data[key.to_s] = value
-        end
-        alias :store :[]=
-        def clear
-          load_for_write!
-          @data.clear
-        end
-        def destroy
-          clear
-          @id = @store.send(:delete_session, @req, id, options)
-        end
-        def to_hash
-          load_for_read!
-          @data.dup
-        end
-        def update(hash)
-          load_for_write!
-          @data.update(stringify_keys(hash))
-        end
-        alias :merge! :update
-        def replace(hash)
-          load_for_write!
-          @data.replace(stringify_keys(hash))
-        end
-        def delete(key)
-          load_for_write!
-          @data.delete(key.to_s)
-        end
-        def inspect
-          if loaded?
-            @data.inspect
-          else
-            "#<#{self.class}:0x#{self.object_id.to_s(16)} not yet loaded>"
-          end
-        end
-        def exists?
-          return @exists if instance_variable_defined?(:@exists)
-          @data = {}
-          @exists = @store.send(:session_exists?, @req)
-        end
-        def loaded?
-          @loaded
-        end
-        def empty?
-          load_for_read!
-          @data.empty?
-        end
-        def keys
-          load_for_read!
-          @data.keys
-        end
-        def values
-          load_for_read!
-          @data.values
-        end
-      private
-        def load_for_read!
-          load! if !loaded? && exists?
-        end
-        def load_for_write!
-          load! unless loaded?
-        end
-        def load!
-          @id, session = @store.send(:load_session, @req)
-          @data = stringify_keys(session)
-          @loaded = true
-        end
-        def stringify_keys(other)
-          # Use transform_keys after dropping Ruby 2.4 support
-          hash = {}
-          other.to_hash.each do |key, value|
-            hash[key.to_s] = value
-          end
-          hash
-        end
-      end
-      # ID sets up a basic framework for implementing an id based sessioning
-      # service. Cookies sent to the client for maintaining sessions will only
-      # contain an id reference. Only #find_session, #write_session and
-      # #delete_session are required to be overwritten.
-      #
-      # All parameters are optional.
-      # * :key determines the name of the cookie, by default it is
-      #   'rack.session'
-      # * :path, :domain, :expire_after, :secure, :httponly, and :same_site set
-      #   the related cookie options as by Rack::Response#set_cookie
-      # * :skip will not a set a cookie in the response nor update the session state
-      # * :defer will not set a cookie in the response but still update the session
-      #   state if it is used with a backend
-      # * :renew (implementation dependent) will prompt the generation of a new
-      #   session id, and migration of data to be referenced at the new id. If
-      #   :defer is set, it will be overridden and the cookie will be set.
-      # * :sidbits sets the number of bits in length that a generated session
-      #   id will be.
-      #
-      # These options can be set on a per request basis, at the location of
-      # <tt>env['rack.session.options']</tt>. Additionally the id of the
-      # session can be found within the options hash at the key :id. It is
-      # highly not recommended to change its value.
-      #
-      # Is Rack::Utils::Context compatible.
-      #
-      # Not included by default; you must require 'rack/session/abstract/id'
-      # to use.
-      class Persisted
-        DEFAULT_OPTIONS = {
-          key: RACK_SESSION,
-          path: '/',
-          domain: nil,
-          expire_after: nil,
-          secure: false,
-          httponly: true,
-          defer: false,
-          renew: false,
-          sidbits: 128,
-          cookie_only: true,
-          secure_random: ::SecureRandom
-        }.freeze
-        attr_reader :key, :default_options, :sid_secure, :same_site
-        def initialize(app, options = {})
-          @app = app
-          @default_options = self.class::DEFAULT_OPTIONS.merge(options)
-          @key = @default_options.delete(:key)
-          @cookie_only = @default_options.delete(:cookie_only)
-          @same_site = @default_options.delete(:same_site)
-          initialize_sid
-        end
-        def call(env)
-          context(env)
-        end
-        def context(env, app = @app)
-          req = make_request env
-          prepare_session(req)
-          status, headers, body = app.call(req.env)
-          res = Rack::Response::Raw.new status, headers
-          commit_session(req, res)
-          [status, headers, body]
-        end
-        private
-        def make_request(env)
-          Rack::Request.new env
-        end
-        def initialize_sid
-          @sidbits = @default_options[:sidbits]
-          @sid_secure = @default_options[:secure_random]
-          @sid_length = @sidbits / 4
-        end
-        # Generate a new session id using Ruby #rand.  The size of the
-        # session id is controlled by the :sidbits option.
-        # Monkey patch this to use custom methods for session id generation.
-        def generate_sid(secure = @sid_secure)
-          if secure
-            secure.hex(@sid_length)
-          else
-            "%0#{@sid_length}x" % Kernel.rand(2**@sidbits - 1)
-          end
-        rescue NotImplementedError
-          generate_sid(false)
-        end
-        # Sets the lazy session at 'rack.session' and places options and session
-        # metadata into 'rack.session.options'.
-        def prepare_session(req)
-          session_was               = req.get_header RACK_SESSION
-          session                   = session_class.new(self, req)
-          req.set_header RACK_SESSION, session
-          req.set_header RACK_SESSION_OPTIONS, @default_options.dup
-          session.merge! session_was if session_was
-        end
-        # Extracts the session id from provided cookies and passes it and the
-        # environment to #find_session.
-        def load_session(req)
-          sid = current_session_id(req)
-          sid, session = find_session(req, sid)
-          [sid, session || {}]
-        end
-        # Extract session id from request object.
-        def extract_session_id(request)
-          sid = request.cookies[@key]
-          sid ||= request.params[@key] unless @cookie_only
-          sid
-        end
-        # Returns the current session id from the SessionHash.
-        def current_session_id(req)
-          req.get_header(RACK_SESSION).id
-        end
-        # Check if the session exists or not.
-        def session_exists?(req)
-          value = current_session_id(req)
-          value && !value.empty?
-        end
-        # Session should be committed if it was loaded, any of specific options like :renew, :drop
-        # or :expire_after was given and the security permissions match. Skips if skip is given.
-        def commit_session?(req, session, options)
-          if options[:skip]
-            false
-          else
-            has_session = loaded_session?(session) || forced_session_update?(session, options)
-            has_session && security_matches?(req, options)
-          end
-        end
-        def loaded_session?(session)
-          !session.is_a?(session_class) || session.loaded?
-        end
-        def forced_session_update?(session, options)
-          force_options?(options) && session && !session.empty?
-        end
-        def force_options?(options)
-          options.values_at(:max_age, :renew, :drop, :defer, :expire_after).any?
-        end
-        def security_matches?(request, options)
-          return true unless options[:secure]
-          request.ssl?
-        end
-        # Acquires the session from the environment and the session id from
-        # the session options and passes them to #write_session. If successful
-        # and the :defer option is not true, a cookie will be added to the
-        # response with the session's id.
-        def commit_session(req, res)
-          session = req.get_header RACK_SESSION
-          options = session.options
-          if options[:drop] || options[:renew]
-            session_id = delete_session(req, session.id || generate_sid, options)
-            return unless session_id
-          end
-          return unless commit_session?(req, session, options)
-          session.send(:load!) unless loaded_session?(session)
-          session_id ||= session.id
-          session_data = session.to_hash.delete_if { |k, v| v.nil? }
-          if not data = write_session(req, session_id, session_data, options)
-            req.get_header(RACK_ERRORS).puts("Warning! #{self.class.name} failed to save session. Content dropped.")
-          elsif options[:defer] and not options[:renew]
-            req.get_header(RACK_ERRORS).puts("Deferring cookie for #{session_id}") if $VERBOSE
-          else
-            cookie = Hash.new
-            cookie[:value] = cookie_value(data)
-            cookie[:expires] = Time.now + options[:expire_after] if options[:expire_after]
-            cookie[:expires] = Time.now + options[:max_age] if options[:max_age]
-            if @same_site.respond_to? :call
-              cookie[:same_site] = @same_site.call(req, res)
-            else
-              cookie[:same_site] = @same_site
-            end
-            set_cookie(req, res, cookie.merge!(options))
-          end
-        end
-        public :commit_session
-        def cookie_value(data)
-          data
-        end
-        # Sets the cookie back to the client with session id. We skip the cookie
-        # setting if the value didn't change (sid is the same) or expires was given.
-        def set_cookie(request, response, cookie)
-          if request.cookies[@key] != cookie[:value] || cookie[:expires]
-            response.set_cookie(@key, cookie)
-          end
-        end
-        # Allow subclasses to prepare_session for different Session classes
-        def session_class
-          SessionHash
-        end
-        # All thread safety and session retrieval procedures should occur here.
-        # Should return [session_id, session].
-        # If nil is provided as the session id, generation of a new valid id
-        # should occur within.
-        def find_session(env, sid)
-          raise '#find_session not implemented.'
-        end
-        # All thread safety and session storage procedures should occur here.
-        # Must return the session id if the session was saved successfully, or
-        # false if the session could not be saved.
-        def write_session(req, sid, session, options)
-          raise '#write_session not implemented.'
-        end
-        # All thread safety and session destroy procedures should occur here.
-        # Should return a new session id or nil if options[:drop]
-        def delete_session(req, sid, options)
-          raise '#delete_session not implemented'
-        end
-      end
-      class PersistedSecure < Persisted
-        class SecureSessionHash < SessionHash
-          def [](key)
-            if key == "session_id"
-              load_for_read!
-              case id
-              when SessionId
-                id.public_id
-              else
-                id
-              end
-            else
-              super
-            end
-          end
-        end
-        def generate_sid(*)
-          public_id = super
-          SessionId.new(public_id)
-        end
-        def extract_session_id(*)
-          public_id = super
-          public_id && SessionId.new(public_id)
-        end
-        private
-        def session_class
-          SecureSessionHash
-        end
-        def cookie_value(data)
-          data.cookie_value
-        end
-      end
-      class ID < Persisted
-        def self.inherited(klass)
-          k = klass.ancestors.find { |kl| kl.respond_to?(:superclass) && kl.superclass == ID }
-          unless k.instance_variable_defined?(:"@_rack_warned")
-            warn "#{klass} is inheriting from #{ID}.  Inheriting from #{ID} is deprecated, please inherit from #{Persisted} instead" if $VERBOSE
-            k.instance_variable_set(:"@_rack_warned", true)
-          end
-          super
-        end
-        # All thread safety and session retrieval procedures should occur here.
-        # Should return [session_id, session].
-        # If nil is provided as the session id, generation of a new valid id
-        # should occur within.
-        def find_session(req, sid)
-          get_session req.env, sid
-        end
-        # All thread safety and session storage procedures should occur here.
-        # Must return the session id if the session was saved successfully, or
-        # false if the session could not be saved.
-        def write_session(req, sid, session, options)
-          set_session req.env, sid, session, options
-        end
-        # All thread safety and session destroy procedures should occur here.
-        # Should return a new session id or nil if options[:drop]
-        def delete_session(req, sid, options)
-          destroy_session req.env, sid, options
-        end
-      end
-    end
-  end
-end

data/lib/rack/session/constants.rb DELETED Viewed

@@ -1,9 +0,0 @@
-# frozen_string_literal: true
-module Rack
-  module Session
-    RACK_SESSION                        = 'rack.session'
-    RACK_SESSION_OPTIONS                = 'rack.session.options'
-    RACK_SESSION_UNPACKED_COOKIE_DATA   = 'rack.session.unpacked_cookie_data'
-  end
-end

data/lib/rack/session/cookie.rb DELETED Viewed

@@ -1,308 +0,0 @@
-# frozen_string_literal: true
-require 'openssl'
-require 'zlib'
-require 'json'
-require 'base64'
-require 'delegate'
-require 'rack/constants'
-require 'rack/utils'
-require_relative 'abstract/id'
-require_relative 'encryptor'
-require_relative 'constants'
-module Rack
-  module Session
-    # Rack::Session::Cookie provides simple cookie based session management.
-    # By default, the session is a Ruby Hash that is serialized and encoded as
-    # a cookie set to :key (default: rack.session).
-    #
-    # This middleware accepts a :secrets option which enables encryption of
-    # session cookies. This option should be one or more random "secret keys"
-    # that are each at least 64 bytes in length. Multiple secret keys can be
-    # supplied in an Array, which is useful when rotating secrets.
-    #
-    # Several options are also accepted that are passed to Rack::Session::Encryptor.
-    # These options include:
-    # * :serialize_json
-    #     Use JSON for message serialization instead of Marshal. This can be
-    #     viewed as a security ehancement.
-    # * :gzip_over
-    #     For message data over this many bytes, compress it with the deflate
-    #     algorithm.
-    #
-    # Refer to Rack::Session::Encryptor for more details on these options.
-    #
-    # Prior to version TODO, the session hash was stored as base64 encoded
-    # marshalled data. When a :secret option was supplied, the integrity of the
-    # encoded data was protected with HMAC-SHA1. This functionality is still
-    # supported using a set of a legacy options.
-    #
-    # Lastly, a :coder option is also accepted. When used, both encryption and
-    # the legacy HMAC will be skipped. This option could create security issues
-    # in your application!
-    #
-    # Example:
-    #
-    #   use Rack::Session::Cookie, {
-    #     key: 'rack.session',
-    #     domain: 'foo.com',
-    #     path: '/',
-    #     expire_after: 2592000,
-    #     secrets: 'a randomly generated, raw binary string 64 bytes in size',
-    #   }
-    #
-    # Example using legacy HMAC options:
-    #
-    #   Rack::Session:Cookie.new(application, {
-    #     # The secret used for legacy HMAC cookies, this enables the functionality
-    #     legacy_hmac_secret: 'legacy secret',
-    #     # legacy_hmac_coder will default to Rack::Session::Cookie::Base64::Marshal
-    #     legacy_hmac_coder: Rack::Session::Cookie::Identity.new,
-    #     # legacy_hmac will default to OpenSSL::Digest::SHA1
-    #     legacy_hmac: OpenSSL::Digest::SHA256
-    #   })
-    #
-    # Example of a cookie with no encoding:
-    #
-    #   Rack::Session::Cookie.new(application, {
-    #     :coder => Rack::Session::Cookie::Identity.new
-    #   })
-    #
-    # Example of a cookie with custom encoding:
-    #
-    #   Rack::Session::Cookie.new(application, {
-    #     :coder => Class.new {
-    #       def encode(str); str.reverse; end
-    #       def decode(str); str.reverse; end
-    #     }.new
-    #   })
-    #
-    class Cookie < Abstract::PersistedSecure
-      # Encode session cookies as Base64
-      class Base64
-        def encode(str)
-          ::Base64.strict_encode64(str)
-        end
-        def decode(str)
-          ::Base64.decode64(str)
-        end
-        # Encode session cookies as Marshaled Base64 data
-        class Marshal < Base64
-          def encode(str)
-            super(::Marshal.dump(str))
-          end
-          def decode(str)
-            return unless str
-            ::Marshal.load(super(str)) rescue nil
-          end
-        end
-        # N.B. Unlike other encoding methods, the contained objects must be a
-        # valid JSON composite type, either a Hash or an Array.
-        class JSON < Base64
-          def encode(obj)
-            super(::JSON.dump(obj))
-          end
-          def decode(str)
-            return unless str
-            ::JSON.parse(super(str)) rescue nil
-          end
-        end
-        class ZipJSON < Base64
-          def encode(obj)
-            super(Zlib::Deflate.deflate(::JSON.dump(obj)))
-          end
-          def decode(str)
-            return unless str
-            ::JSON.parse(Zlib::Inflate.inflate(super(str)))
-          rescue
-            nil
-          end
-        end
-      end
-      # Use no encoding for session cookies
-      class Identity
-        def encode(str); str; end
-        def decode(str); str; end
-      end
-      class Marshal
-        def encode(str)
-          ::Marshal.dump(str)
-        end
-        def decode(str)
-          ::Marshal.load(str) if str
-        end
-      end
-      attr_reader :coder, :encryptors
-      def initialize(app, options = {})
-        # support both :secrets and :secret for backwards compatibility
-        secrets = [*(options[:secrets] || options[:secret])]
-        encryptor_opts = {
-          purpose: options[:key], serialize_json: options[:serialize_json]
-        }
-        # For each secret, create an Encryptor. We have iterate this Array at
-        # decryption time to achieve key rotation.
-        @encryptors = secrets.map do |secret|
-          Rack::Session::Encryptor.new secret, encryptor_opts
-        end
-        # If a legacy HMAC secret is present, initialize those features.
-        # Fallback to :secret for backwards compatibility.
-        if options.has_key?(:legacy_hmac_secret) || options.has_key?(:secret)
-          @legacy_hmac = options.fetch(:legacy_hmac, 'SHA1')
-          @legacy_hmac_secret = options[:legacy_hmac_secret] || options[:secret]
-          @legacy_hmac_coder  = options.fetch(:legacy_hmac_coder, Base64::Marshal.new)
-        else
-          @legacy_hmac = false
-        end
-        warn <<-MSG unless secure?(options)
-        SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
-        This poses a security threat. It is strongly recommended that you
-        provide a secret to prevent exploits that may be possible from crafted
-        cookies. This will not be supported in future versions of Rack, and
-        future versions will even invalidate your existing user cookies.
-        Called from: #{caller[0]}.
-        MSG
-        # Potential danger ahead! Marshal without verification and/or
-        # encryption could present a major security issue.
-        @coder = options[:coder] ||= Base64::Marshal.new
-        super(app, options.merge!(cookie_only: true))
-      end
-      private
-      def find_session(req, sid)
-        data = unpacked_cookie_data(req)
-        data = persistent_session_id!(data)
-        [data["session_id"], data]
-      end
-      def extract_session_id(request)
-        unpacked_cookie_data(request)&.[]("session_id")
-      end
-      def unpacked_cookie_data(request)
-        request.fetch_header(RACK_SESSION_UNPACKED_COOKIE_DATA) do |k|
-          if cookie_data = request.cookies[@key]
-            session_data = nil
-            # Try to decrypt the session data with our encryptors
-            encryptors.each do |encryptor|
-              begin
-                session_data = encryptor.decrypt(cookie_data)
-                break
-              rescue Rack::Session::Encryptor::Error => error
-                request.env[Rack::RACK_ERRORS].puts "Session cookie encryptor error: #{error.message}"
-                next
-              end
-            end
-            # If session decryption fails but there is @legacy_hmac_secret
-            # defined, attempt legacy HMAC verification
-            if !session_data && @legacy_hmac_secret
-              # Parse and verify legacy HMAC session cookie
-              session_data, _, digest = cookie_data.rpartition('--')
-              session_data = nil unless legacy_digest_match?(session_data, digest)
-              # Decode using legacy HMAC decoder
-              session_data = @legacy_hmac_coder.decode(session_data)
-            elsif !session_data && coder
-              # Use the coder option, which has the potential to be very unsafe
-              session_data = coder.decode(cookie_data)
-            end
-          end
-          request.set_header(k, session_data || {})
-        end
-      end
-      def persistent_session_id!(data, sid = nil)
-        data ||= {}
-        data["session_id"] ||= sid || generate_sid
-        data
-      end
-      class SessionId < DelegateClass(Session::SessionId)
-        attr_reader :cookie_value
-        def initialize(session_id, cookie_value)
-          super(session_id)
-          @cookie_value = cookie_value
-        end
-      end
-      def write_session(req, session_id, session, options)
-        session = session.merge("session_id" => session_id)
-        session_data = encode_session_data(session)
-        if session_data.size > (4096 - @key.size)
-          req.get_header(RACK_ERRORS).puts("Warning! Rack::Session::Cookie data size exceeds 4K.")
-          nil
-        else
-          SessionId.new(session_id, session_data)
-        end
-      end
-      def delete_session(req, session_id, options)
-        # Nothing to do here, data is in the client
-        generate_sid unless options[:drop]
-      end
-      def legacy_digest_match?(data, digest)
-        return false unless data && digest
-        Rack::Utils.secure_compare(digest, legacy_generate_hmac(data))
-      end
-      def legacy_generate_hmac(data)
-        OpenSSL::HMAC.hexdigest(@legacy_hmac, @legacy_hmac_secret, data)
-      end
-      def encode_session_data(session)
-        if encryptors.empty?
-          coder.encode(session)
-        else
-          encryptors.first.encrypt(session)
-        end
-      end
-      # Were consider "secure" if:
-      # * Encrypted cookies are enabled and one or more encryptor is
-      #   initialized
-      # * The legacy HMAC option is enabled
-      # * Customer :coder is used, with :let_coder_handle_secure_encoding
-      #   set to true
-      def secure?(options)
-        !@encryptors.empty? ||
-          @legacy_hmac ||
-          (options[:coder] && options[:let_coder_handle_secure_encoding])
-      end
-    end
-  end
-end

data/lib/rack/session/encryptor.rb DELETED Viewed

@@ -1,188 +0,0 @@
-# frozen_string_literal: true
-require 'base64'
-require 'openssl'
-require 'securerandom'
-require 'zlib'
-require 'rack/utils'
-module Rack
-  module Session
-    class Encryptor
-      class Error < StandardError
-      end
-      class InvalidSignature < Error
-      end
-      class InvalidMessage < Error
-      end
-      # The secret String must be at least 64 bytes in size. The first 32 bytes
-      # will be used for the encryption cipher key. The remainder will be used
-      # for an HMAC key.
-      #
-      # Options may include:
-      # * :serialize_json
-      #     Use JSON for message serialization instead of Marshal. This can be
-      #     viewed as a security enhancement.
-      # * :pad_size
-      #     Pad encrypted message data, to a multiple of this many bytes
-      #     (default: 32). This can be between 2-4096 bytes, or +nil+ to disable
-      #     padding.
-      # * :purpose
-      #     Limit messages to a specific purpose. This can be viewed as a
-      #     security enhancement to prevent message reuse from different contexts
-      #     if keys are reused.
-      #
-      # Cryptography and Output Format:
-      #
-      #   urlsafe_encode64(version + random_data + IV + encrypted data + HMAC)
-      #
-      #  Where:
-      #  * version - 1 byte and is currently always 0x01
-      #  * random_data - 32 bytes used for generating the per-message secret
-      #  * IV - 16 bytes random initialization vector
-      #  * HMAC - 32 bytes HMAC-SHA-256 of all preceding data, plus the purpose
-      #    value
-      def initialize(secret, opts = {})
-        raise ArgumentError, "secret must be a String" unless String === secret
-        raise ArgumentError, "invalid secret: #{secret.bytesize}, must be >=64" unless secret.bytesize >= 64
-        case opts[:pad_size]
-        when nil
-          # padding is disabled
-        when Integer
-          raise ArgumentError, "invalid pad_size: #{opts[:pad_size]}" unless (2..4096).include? opts[:pad_size]
-        else
-          raise ArgumentError, "invalid pad_size: #{opts[:pad_size]}; must be Integer or nil"
-        end
-        @options = {
-          serialize_json: false, pad_size: 32, purpose: nil
-        }.update(opts)
-        @hmac_secret = secret.dup.force_encoding('BINARY')
-        @cipher_secret = @hmac_secret.slice!(0, 32)
-        @hmac_secret.freeze
-        @cipher_secret.freeze
-      end
-      def decrypt(base64_data)
-        data = Base64.urlsafe_decode64(base64_data)
-        signature = data.slice!(-32..-1)
-        verify_authenticity! data, signature
-        # The version is reserved for future
-        _version = data.slice!(0, 1)
-        message_secret = data.slice!(0, 32)
-        cipher_iv = data.slice!(0, 16)
-        cipher = new_cipher
-        cipher.decrypt
-        set_cipher_key(cipher, cipher_secret_from_message_secret(message_secret))
-        cipher.iv = cipher_iv
-        data = cipher.update(data) << cipher.final
-        deserialized_message data
-      rescue ArgumentError
-        raise InvalidSignature, 'Message invalid'
-      end
-      def encrypt(message)
-        version = "\1"
-        serialized_payload = serialize_payload(message)
-        message_secret, cipher_secret = new_message_and_cipher_secret
-        cipher = new_cipher
-        cipher.encrypt
-        set_cipher_key(cipher, cipher_secret)
-        cipher_iv = cipher.random_iv
-        encrypted_data = cipher.update(serialized_payload) << cipher.final
-        data = String.new
-        data << version
-        data << message_secret
-        data << cipher_iv
-        data << encrypted_data
-        data << compute_signature(data)
-        Base64.urlsafe_encode64(data)
-      end
-      private
-      def new_cipher
-        OpenSSL::Cipher.new('aes-256-ctr')
-      end
-      def new_message_and_cipher_secret
-        message_secret = SecureRandom.random_bytes(32)
-        [message_secret, cipher_secret_from_message_secret(message_secret)]
-      end
-      def cipher_secret_from_message_secret(message_secret)
-        OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, @cipher_secret, message_secret)
-      end
-      def set_cipher_key(cipher, key)
-        cipher.key = key
-      end
-      def serializer
-        @serializer ||= @options[:serialize_json] ? JSON : Marshal
-      end
-      def compute_signature(data)
-        signing_data = data
-        signing_data += @options[:purpose] if @options[:purpose]
-        OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, @hmac_secret, signing_data)
-      end
-      def verify_authenticity!(data, signature)
-        raise InvalidMessage, 'Message is invalid' if data.nil? || signature.nil?
-        unless Rack::Utils.secure_compare(signature, compute_signature(data))
-          raise InvalidSignature, 'HMAC is invalid'
-        end
-      end
-      # Returns a serialized payload of the message. If a :pad_size is supplied,
-      # the message will be padded. The first 2 bytes of the returned string will
-      # indicating the amount of padding.
-      def serialize_payload(message)
-        serialized_data = serializer.dump(message)
-        return "#{[0].pack('v')}#{serialized_data}" if @options[:pad_size].nil?
-        padding_bytes = @options[:pad_size] - (2 + serialized_data.size) % @options[:pad_size]
-        padding_data = SecureRandom.random_bytes(padding_bytes)
-        "#{[padding_bytes].pack('v')}#{padding_data}#{serialized_data}"
-      end
-      # Return the deserialized message. The first 2 bytes will be read as the
-      # amount of padding.
-      def deserialized_message(data)
-        # Read the first 2 bytes as the padding_bytes size
-        padding_bytes, = data.unpack('v')
-        # Slice out the serialized_data and deserialize it
-        serialized_data = data.slice(2 + padding_bytes, data.bytesize)
-        serializer.load serialized_data
-      end
-    end
-  end
-end

data/lib/rack/session/pool.rb DELETED Viewed

@@ -1,78 +0,0 @@
-# frozen_string_literal: true
-# AUTHOR: blink <blinketje@gmail.com>; blink#ruby-lang@irc.freenode.net
-# THANKS:
-#   apeiros, for session id generation, expiry setup, and threadiness
-#   sergio, threadiness and bugreps
-require_relative 'abstract/id'
-module Rack
-  module Session
-    # Rack::Session::Pool provides simple cookie based session management.
-    # Session data is stored in a hash held by @pool.
-    # In the context of a multithreaded environment, sessions being
-    # committed to the pool is done in a merging manner.
-    #
-    # The :drop option is available in rack.session.options if you wish to
-    # explicitly remove the session from the session cache.
-    #
-    # Example:
-    #   myapp = MyRackApp.new
-    #   sessioned = Rack::Session::Pool.new(myapp,
-    #     :domain => 'foo.com',
-    #     :expire_after => 2592000
-    #   )
-    #   Rack::Handler::WEBrick.run sessioned
-    class Pool < Abstract::PersistedSecure
-      attr_reader :mutex, :pool
-      DEFAULT_OPTIONS = Abstract::ID::DEFAULT_OPTIONS.merge(drop: false, allow_fallback: true)
-      def initialize(app, options = {})
-        super
-        @pool = Hash.new
-        @mutex = Mutex.new
-        @allow_fallback = @default_options.delete(:allow_fallback)
-      end
-      def generate_sid(*args, use_mutex: true)
-        loop do
-          sid = super(*args)
-          break sid unless use_mutex ? @mutex.synchronize { @pool.key? sid.private_id } : @pool.key?(sid.private_id)
-        end
-      end
-      def find_session(req, sid)
-        @mutex.synchronize do
-          unless sid and session = get_session_with_fallback(sid)
-            sid, session = generate_sid(use_mutex: false), {}
-            @pool.store sid.private_id, session
-          end
-          [sid, session]
-        end
-      end
-      def write_session(req, session_id, new_session, options)
-        @mutex.synchronize do
-          @pool.store session_id.private_id, new_session
-          session_id
-        end
-      end
-      def delete_session(req, session_id, options)
-        @mutex.synchronize do
-          @pool.delete(session_id.public_id)
-          @pool.delete(session_id.private_id)
-          generate_sid(use_mutex: false) unless options[:drop]
-        end
-      end
-      private
-      def get_session_with_fallback(sid)
-        @pool[sid.private_id] || (@pool[sid.public_id] if @allow_fallback)
-      end
-    end
-  end
-end

data/lib/rack/session.rb DELETED Viewed

@@ -1,9 +0,0 @@
-# frozen_string_literal: true
-module Rack
-  module Session
-    autoload :Cookie, "rack/session/cookie"
-    autoload :Pool, "rack/session/pool"
-    autoload :Memcache, "rack/session/memcache"
-  end
-end