rack_csrf 2.0.0 → 2.1.0

data/.rspec

@@ -0,0 +1,2 @@
+--colour
+--format documentation

data/Changelog.md

@@ -1,3 +1,14 @@
+# v2.1.0 (2010-10-11)
+
+* Tiny improvements to Rakefile.
+* Added the :key option.
+* Moved to RSpec 2.
+* Tweaked Camping application's load path.
+* Camping example, courtesy of David Susco.
+* Summer spec cleanings.
+
+
+
 # v2.0.0 (2010-01-11)
 
 * Added a changelog and a Rake task to help.

data/README.rdoc

@@ -55,6 +55,14 @@ The following options allow you to tweak Rack::Csrf.
 
   Default value: _csrf
 
+[<tt>:key</tt>]
+  The key used to store/retrieve the token from the Rack session; you can
+  adapt it to specific needs.
+
+    use Rack::Csrf, :key => 'my.own_session.key'
+
+  Default value: csrf.token
+
 The <tt>:browser_only</tt> option has been removed; you do not need to edit
 any rackup file because Rack::Csrf simply ignores unknown options. Changes
 introduced in Rack version 1.1.0 tightened the parsing of POST params, so
@@ -71,6 +79,10 @@ The ill devised <tt>:browser_only</tt> option could have been used to
 The following class methods try to ease the insertion of the anti-forging
 token.
 
+[<tt>Rack::Csrf.csrf_key</tt>]
+  Returns the name of the key used to store/retrieve the token from the Rack
+  session.
+
 [<tt>Rack::Csrf.csrf_field</tt>]
   Returns the name of the field that must be present in the request.
 

data/Rakefile

@@ -1,20 +1,14 @@
 require 'rake/clean'
 require 'cucumber/rake/task'
-require 'spec/rake/spectask'
+require 'rspec/core/rake_task'
 require 'rake/rdoctask'
 require 'jeweler'
 
-Cucumber::Rake::Task.new :features do |c|
-  c.cucumber_opts = '--profile default'
-end
-
+Cucumber::Rake::Task.new :features
 task :features => :check_dependencies
 task :default => :features
 
-Spec::Rake::SpecTask.new do |t|
-  t.spec_opts = %w(-O spec/spec.opts)
-end
-
+RSpec::Core::RakeTask.new :spec
 task :spec => :check_dependencies
 task :default => :spec
 
@@ -38,7 +32,7 @@ Jeweler::Tasks.new do |gem|
   gem.add_dependency 'rack', '>= 0.9'
   gem.add_development_dependency 'cucumber', '>= 0.1.13'
   gem.add_development_dependency 'rack-test'
-  gem.add_development_dependency 'rspec'
+  gem.add_development_dependency 'rspec', '>= 2.0.0'
   gem.rdoc_options << '--line-numbers' << '--inline-source' << '--title' <<
     "Rack::Csrf #{version}" << '--main' << 'README.rdoc'
   gem.test_files.clear

data/VERSION

@@ -1 +1 @@
-2.0.0
+2.1.0

data/examples/camping/README.rdoc

@@ -0,0 +1,16 @@
+= How to use Rack::Csrf with Camping
+
+This Camping application has been provided by David Susco. All you need is
+Camping itself and Markaby.
+
+    $ sudo gem install camping markaby
+    $ camping -p 3000 app.rb
+
+The <tt>config.ru</tt> can be used to run the application with any
+Rack-compliant web server.
+
+Please, note the way Rack::Csrf has been inserted into the stack and the
+position relative to Camping::Session (see Camping's internals for the
+reason).
+
+Tested with Camping 2.1 and Markaby 0.7.1.

data/examples/camping/app.rb

@@ -0,0 +1,81 @@
+require 'camping'
+require 'camping/session'
+
+$: << File.join(File.dirname(__FILE__), '../../lib')
+require 'rack/csrf'
+
+Camping.goes :LittleApp
+
+module LittleApp
+  use Rack::Csrf # This has to come BEFORE 'include Camping::Session',
+                 # otherwise you get the 'Rack::Csrf depends on session 
+                 # middleware' exception. Weird...
+  include Camping::Session
+
+  module Controllers
+    class Working < R '/'
+      def get
+        render :working
+      end
+    end
+
+    class NotWorking < R '/notworking'
+      def get
+        render :notworking
+      end
+    end
+
+    class Response < R '/response'
+      def post
+        render :response
+      end
+    end
+  end
+
+  module Views
+    def working
+      form :action => URL(Response), :method => :post do
+        h1 'Spit your utterance!'
+        input :name => :utterance, :type => :text
+        text Rack::Csrf.csrf_tag(@env)
+        p {
+          input :type => :submit, :value => :Send!
+        }
+      end
+      p {
+        text 'Try also the '
+        a 'not working', :href => URL(NotWorking)
+        text ' form!'
+      }
+    end
+
+    def notworking
+      form :action => URL(Response), :method => :post do
+        h1 'Spit your utterance!'
+        input :name => :utterance, :type => :text
+        p {
+          input :type => :submit, :value => :Send!
+        }
+      end
+      p {
+        text 'Try also the '
+        a 'working', :href => URL(Working)
+        text ' form!'
+      }
+    end
+
+    def response
+      p {
+        text "It seems you've just said: "
+        em @input.utterance
+      }
+      p {
+        text "Here's the anti-CSRF token stuffed in the session: "
+        strong @input._csrf
+      }
+      p {
+        a 'Back', :href => URL(Working)
+      }
+    end
+  end
+end

data/examples/camping/config.ru

@@ -0,0 +1,4 @@
+require 'rack'
+require 'app'
+
+run LittleApp

data/features/setup.feature

@@ -27,3 +27,8 @@ Feature: Setup of the middleware
     Given a rack with the session middleware
     When I insert the anti-CSRF middleware with the :field option
     Then I get a fully functional rack
+
+  Scenario: Setup with the :key option
+    Given a rack with the session middleware
+    When I insert the anti-CSRF middleware with the :key option
+    Then I get a fully functional rack

data/features/step_definitions/request_steps.rb

@@ -24,7 +24,7 @@ end
 
 When /^it receives a (POST|PUT|DELETE) request with the right CSRF token$/ do |http_method|
   @browser.request '/', :method => http_method,
-    'rack.session' => {'csrf.token' => 'right_token'},
+    'rack.session' => {Rack::Csrf.csrf_key => 'right_token'},
     :params => {Rack::Csrf.csrf_field => 'right_token'}
 end
 

data/features/step_definitions/setup_steps.rb

@@ -27,6 +27,11 @@ Given /^a rack with the anti\-CSRF middleware and the :field option$/ do
   When 'I insert the anti-CSRF middleware with the :field option'
 end
 
+Given /^a rack with the anti\-CSRF middleware and the :key option$/ do
+  Given 'a rack with the session middleware'
+  When 'I insert the anti-CSRF middleware with the :key option'
+end
+
 # Yes, they're not as DRY as possible, but I think they're more readable than
 # a single step definition with a few captures and more complex checkings.
 
@@ -55,6 +60,12 @@ When /^I insert the anti\-CSRF middleware with the :field option$/ do
   @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
 end
 
+When /^I insert the anti\-CSRF middleware with the :key option$/ do
+  @rack_builder.use Rack::Csrf, :key => 'fantasy_name'
+  toy_app
+  @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
+end
+
 Then /^I get a fully functional rack$/ do
   lambda {Rack::MockRequest.new(@app).get('/')}.should_not raise_error
 end

data/features/support/env.rb

@@ -1,7 +1,5 @@
 require 'rubygems'
-require 'spec/expectations'
+require 'rspec'
 require 'rack/test'
 
-$: << File.join(File.dirname(__FILE__), '../../lib')
-
 require 'rack/csrf'

data/features/variation_on_key_name.feature

@@ -0,0 +1,29 @@
+Feature: Customization of the key name
+
+  Scenario: GET request with CSRF token stored in custom key
+    Given a rack with the anti-CSRF middleware and the :key option
+    When it receives a GET request with the CSRF token
+    Then it lets it pass untouched
+
+  Scenario Outline: Handling request with the right CSRF token stored in custom key
+    Given a rack with the anti-CSRF middleware and the :key option
+    When it receives a <method> request with the right CSRF token
+    Then it lets it pass untouched
+
+    Examples:
+      | method |
+      | POST   |
+      | PUT    |
+      | DELETE |
+
+  Scenario Outline: Handling request with the wrong CSRF token stored in custom key
+    Given a rack with the anti-CSRF middleware and the :key option
+    When it receives a <method> request with the wrong CSRF token
+    Then it responds with 403
+    And the response body is empty
+
+    Examples:
+      | method |
+      | POST   |
+      | PUT    |
+      | DELETE |

data/lib/rack/csrf.rb

@@ -11,6 +11,7 @@ module Rack
     class InvalidCsrfToken < StandardError; end
 
     @@field = '_csrf'
+    @@key = 'csrf.token'
 
     def initialize(app, opts = {})
       @app = app
@@ -18,6 +19,7 @@ module Rack
       @raisable = opts[:raise] || false
       @skippable = (opts[:skip] || []).map {|r| /\A#{r}\Z/i}
       @@field = opts[:field] if opts[:field]
+      @@key = opts[:key] if opts[:key]
 
       @http_verbs = %w(POST PUT DELETE)
     end
@@ -29,7 +31,7 @@ module Rack
       self.class.csrf_token(env)
       req = Rack::Request.new(env)
       untouchable = !@http_verbs.include?(req.request_method) ||
-        req.POST[self.class.csrf_field] == env['rack.session']['csrf.token'] ||
+        req.POST[self.class.csrf_field] == env['rack.session'][self.class.csrf_key] ||
         skip_checking(req)
       if untouchable
         @app.call(env)
@@ -39,12 +41,16 @@ module Rack
       end
     end
 
+    def self.csrf_key
+      @@key
+    end
+
     def self.csrf_field
       @@field
     end
 
     def self.csrf_token(env)
-      env['rack.session']['csrf.token'] ||= SecureRandom.base64(32)
+      env['rack.session'][csrf_key] ||= SecureRandom.base64(32)
     end
 
     def self.csrf_tag(env)

data/rack_csrf.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{rack_csrf}
-  s.version = "2.0.0"
+  s.version = "2.1.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Emanuele Vicentini"]
-  s.date = %q{2010-01-11}
+  s.date = %q{2010-10-11}
   s.description = %q{Anti-CSRF Rack middleware}
   s.email = %q{emanuele.vicentini@gmail.com}
   s.extra_rdoc_files = [
@@ -17,12 +17,16 @@ Gem::Specification.new do |s|
      "README.rdoc"
   ]
   s.files = [
-    "Changelog.md",
+    ".rspec",
+     "Changelog.md",
      "LICENSE.rdoc",
      "README.rdoc",
      "Rakefile",
      "VERSION",
      "cucumber.yml",
+     "examples/camping/README.rdoc",
+     "examples/camping/app.rb",
+     "examples/camping/config.ru",
      "examples/innate/README.rdoc",
      "examples/innate/app.rb",
      "examples/innate/start-with-raise.rb",
@@ -51,40 +55,40 @@ Gem::Specification.new do |s|
      "features/support/env.rb",
      "features/support/fake_session.rb",
      "features/variation_on_field_name.feature",
+     "features/variation_on_key_name.feature",
      "lib/rack/csrf.rb",
      "lib/rack/vendor/securerandom.rb",
      "rack_csrf.gemspec",
      "spec/csrf_spec.rb",
-     "spec/spec.opts",
      "spec/spec_helper.rb"
   ]
   s.homepage = %q{http://github.com/baldowl/rack_csrf}
-  s.rdoc_options = ["--charset=UTF-8", "--line-numbers", "--inline-source", "--title", "Rack::Csrf 2.0.0", "--main", "README.rdoc"]
+  s.rdoc_options = ["--charset=UTF-8", "--line-numbers", "--inline-source", "--title", "Rack::Csrf 2.1.0", "--main", "README.rdoc"]
   s.require_paths = ["lib"]
   s.rubyforge_project = %q{rackcsrf}
-  s.rubygems_version = %q{1.3.5}
+  s.rubygems_version = %q{1.3.7}
   s.summary = %q{Anti-CSRF Rack middleware}
 
   if s.respond_to? :specification_version then
     current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
     s.specification_version = 3
 
-    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
       s.add_runtime_dependency(%q<rack>, [">= 0.9"])
       s.add_development_dependency(%q<cucumber>, [">= 0.1.13"])
       s.add_development_dependency(%q<rack-test>, [">= 0"])
-      s.add_development_dependency(%q<rspec>, [">= 0"])
+      s.add_development_dependency(%q<rspec>, [">= 2.0.0"])
     else
       s.add_dependency(%q<rack>, [">= 0.9"])
       s.add_dependency(%q<cucumber>, [">= 0.1.13"])
       s.add_dependency(%q<rack-test>, [">= 0"])
-      s.add_dependency(%q<rspec>, [">= 0"])
+      s.add_dependency(%q<rspec>, [">= 2.0.0"])
     end
   else
     s.add_dependency(%q<rack>, [">= 0.9"])
     s.add_dependency(%q<cucumber>, [">= 0.1.13"])
     s.add_dependency(%q<rack-test>, [">= 0"])
-    s.add_dependency(%q<rspec>, [">= 0"])
+    s.add_dependency(%q<rspec>, [">= 2.0.0"])
   end
 end
 

data/spec/csrf_spec.rb

@@ -1,6 +1,18 @@
 require File.join(File.dirname(__FILE__), 'spec_helper.rb')
 
 describe Rack::Csrf do
+  describe '#csrf_key' do
+    it "should be 'csrf.token' by default" do
+      Rack::Csrf.csrf_key.should == 'csrf.token'
+    end
+
+    it "should be the value of the :key option" do
+      fakeapp = lambda {|env| [200, {}, []]}
+      Rack::Csrf.new fakeapp, :key => 'whatever'
+      Rack::Csrf.csrf_key.should == 'whatever'
+    end
+  end
+
   describe '#csrf_field' do
     it "should be '_csrf' by default" do
       Rack::Csrf.csrf_field.should == '_csrf'
@@ -14,58 +26,70 @@ describe Rack::Csrf do
   end
 
   describe '#csrf_token' do
-    before do
-      @env = {'rack.session' => {}}
-    end
+    let(:env) { {'rack.session' => {}} }
 
-    it 'should be at least 32 characters long' do
-      Rack::Csrf.csrf_token(@env).length.should >= 32
+    specify {Rack::Csrf.csrf_token(env).should have_at_least(32).characters}
+
+    context 'when accessing/manipulating the session' do
+      before do
+        fakeapp = lambda {|env| [200, {}, []]}
+        Rack::Csrf.new fakeapp, :key => 'whatever'
+      end
+
+      it 'should use the key provided by csrf_key' do
+        env['rack.session'].should be_empty
+        Rack::Csrf.csrf_token env
+        env['rack.session'].should_not be_empty
+        env['rack.session'][Rack::Csrf.csrf_key].should_not be_nil
+      end
     end
 
     context 'when the session does not already contain the token' do
       it 'should store the token inside the session' do
-        @env['rack.session'].should be_empty
-        csrf_token = Rack::Csrf.csrf_token(@env)
-        @env['rack.session'].should_not be_empty
-        @env['rack.session']['csrf.token'].should_not be_empty
-        csrf_token.should == @env['rack.session']['csrf.token']
+        env['rack.session'].should be_empty
+        csrf_token = Rack::Csrf.csrf_token(env)
+        env['rack.session'].should_not be_empty
+        env['rack.session'][Rack::Csrf.csrf_key].should_not be_nil
+        csrf_token.should == env['rack.session'][Rack::Csrf.csrf_key]
       end
     end
 
     context 'when the session already contains the token' do
       before do
-        Rack::Csrf.csrf_token @env
+        Rack::Csrf.csrf_token env
       end
+
       it 'should get the token from the session' do
-        @env['rack.session'].should_not be_empty
-        @env['rack.session']['csrf.token'].should == Rack::Csrf.csrf_token(@env)
+        env['rack.session'].should_not be_empty
+        env['rack.session'][Rack::Csrf.csrf_key].should == Rack::Csrf.csrf_token(env)
       end
     end
   end
 
   describe '#csrf_tag' do
-    before do
-      @env = {'rack.session' => {}}
+    let(:env) { {'rack.session' => {}} }
+
+    let :tag do
       fakeapp = lambda {|env| [200, {}, []]}
       Rack::Csrf.new fakeapp, :field => 'whatever'
-      @tag = Rack::Csrf.csrf_tag(@env)
+      Rack::Csrf.csrf_tag env
     end
 
     it 'should be an input field' do
-      @tag.should =~ /^<input/
+      tag.should =~ /^<input/
     end
 
     it 'should be an hidden input field' do
-      @tag.should =~ /type="hidden"/
+      tag.should =~ /type="hidden"/
     end
 
     it "should have the csrf_field's name" do
-      @tag.should =~ /name="#{Rack::Csrf.csrf_field}"/
+      tag.should =~ /name="#{Rack::Csrf.csrf_field}"/
     end
 
     it "should have the csrf_token's output" do
-      quoted_value = Regexp.quote %Q(value="#{Rack::Csrf.csrf_token(@env)}")
-      @tag.should =~ /#{quoted_value}/
+      quoted_value = Regexp.quote %Q(value="#{Rack::Csrf.csrf_token(env)}")
+      tag.should =~ /#{quoted_value}/
     end
   end
 end

data/spec/spec_helper.rb

@@ -1,6 +1,4 @@
 require 'rubygems'
-require 'spec'
-
-$: << File.join(File.dirname(__FILE__), '../lib')
+require 'rspec'
 
 require 'rack/csrf'

metadata

@@ -1,7 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack_csrf
 version: !ruby/object:Gem::Version 
-  version: 2.0.0
+  hash: 11
+  prerelease: false
+  segments: 
+  - 2
+  - 1
+  - 0
+  version: 2.1.0
 platform: ruby
 authors: 
 - Emanuele Vicentini
@@ -9,49 +15,70 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-01-11 00:00:00 +01:00
+date: 2010-10-11 00:00:00 +02:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: rack
-  type: :runtime
-  version_requirement: 
-  version_requirements: !ruby/object:Gem::Requirement 
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 25
+        segments: 
+        - 0
+        - 9
         version: "0.9"
-    version: 
+  type: :runtime
+  version_requirements: *id001
 - !ruby/object:Gem::Dependency 
   name: cucumber
-  type: :development
-  version_requirement: 
-  version_requirements: !ruby/object:Gem::Requirement 
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 1
+        segments: 
+        - 0
+        - 1
+        - 13
         version: 0.1.13
-    version: 
+  type: :development
+  version_requirements: *id002
 - !ruby/object:Gem::Dependency 
   name: rack-test
-  type: :development
-  version_requirement: 
-  version_requirements: !ruby/object:Gem::Requirement 
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
         version: "0"
-    version: 
+  type: :development
+  version_requirements: *id003
 - !ruby/object:Gem::Dependency 
   name: rspec
-  type: :development
-  version_requirement: 
-  version_requirements: !ruby/object:Gem::Requirement 
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        version: "0"
-    version: 
+        hash: 15
+        segments: 
+        - 2
+        - 0
+        - 0
+        version: 2.0.0
+  type: :development
+  version_requirements: *id004
 description: Anti-CSRF Rack middleware
 email: emanuele.vicentini@gmail.com
 executables: []
@@ -62,12 +89,16 @@ extra_rdoc_files:
 - LICENSE.rdoc
 - README.rdoc
 files: 
+- .rspec
 - Changelog.md
 - LICENSE.rdoc
 - README.rdoc
 - Rakefile
 - VERSION
 - cucumber.yml
+- examples/camping/README.rdoc
+- examples/camping/app.rb
+- examples/camping/config.ru
 - examples/innate/README.rdoc
 - examples/innate/app.rb
 - examples/innate/start-with-raise.rb
@@ -96,11 +127,11 @@ files:
 - features/support/env.rb
 - features/support/fake_session.rb
 - features/variation_on_field_name.feature
+- features/variation_on_key_name.feature
 - lib/rack/csrf.rb
 - lib/rack/vendor/securerandom.rb
 - rack_csrf.gemspec
 - spec/csrf_spec.rb
-- spec/spec.opts
 - spec/spec_helper.rb
 has_rdoc: true
 homepage: http://github.com/baldowl/rack_csrf
@@ -112,27 +143,33 @@ rdoc_options:
 - --line-numbers
 - --inline-source
 - --title
-- Rack::Csrf 2.0.0
+- Rack::Csrf 2.1.0
 - --main
 - README.rdoc
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
       version: "0"
-  version: 
 required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
       version: "0"
-  version: 
 requirements: []
 
 rubyforge_project: rackcsrf
-rubygems_version: 1.3.5
+rubygems_version: 1.3.7
 signing_key: 
 specification_version: 3
 summary: Anti-CSRF Rack middleware

data/spec/spec.opts

@@ -1,2 +0,0 @@
---colour
---format specdoc