rack_csrf 2.3.0 → 2.4.0

data/features/skip_if_block_passes.feature

@@ -0,0 +1,40 @@
+Feature: Skipping the check if a block passes
+
+  Scenario Outline: Skipping check for requests with specific header
+    Given a rack with the anti-CSRF middleware and the :skip_if option
+      | name        | value   |
+      | token       | skip    |
+      | User-Agent  | MSIE    |
+    When it receives a request with headers <name> = <value> without the CSRF token or header
+    Then it lets it pass untouched
+
+    Examples:
+      | name        | value   |
+      | token       | skip    |
+      | User-Agent  | MSIE    |
+
+  Scenario Outline: Not skipping check for requests without specific header
+    Given a rack with the anti-CSRF middleware and the :skip_if option
+      | name        | value   |
+      | token       | skip    |
+      | User-Agent  | MSIE    |
+    When it receives a request with headers <name> = <value> without the CSRF token or header
+    Then it responds with 403
+
+    Examples:
+      | name        | value   |
+      | token       | forward |
+      | User-Agent  | WebKit  |
+      | User-Agent  | Mozilla |
+
+  Scenario Outline: Skipping check for requests with :skip and :skip_if options
+    Given a rack with the anti-CSRF middleware and both the :skip and :skip_if options
+      | name        | value   | path    |
+      | token       | skip    | POST:/  |
+    When it receives a request with headers <name> = <value>, <method>, and without the CSRF token or header
+    Then it lets it pass untouched
+
+    Examples:
+      | name        | value   | method  |
+      | token       | skip    | POST    |
+      | token       | pass    | POST    |

data/features/skip_some_routes.feature

@@ -8,7 +8,7 @@ Feature: Skipping the check for some specific routes
       | POST:/not_.*\.json   |
       | DELETE:/cars/.*\.xml |
       | PATCH:/this/one/too  |
-    When it receives a <method> request for <path> without the CSRF token
+    When it receives a <method> request for <path> without the CSRF token or header
     Then it lets it pass untouched
 
     Examples:
@@ -28,7 +28,7 @@ Feature: Skipping the check for some specific routes
       | POST:/not_.*\.json   |
       | DELETE:/cars/.*\.xml |
       | PATCH:/this/one/too  |
-    When it receives a <method> request for <path> without the CSRF token
+    When it receives a <method> request for <path> without the CSRF token or header
     Then it responds with 403
     And the response body is empty
 
@@ -63,7 +63,7 @@ Feature: Skipping the check for some specific routes
       | PUT:/    |
       | DELETE:/ |
       | PATCH:/  |
-    When it receives a <method> request with neither PATH_INFO nor CSRF token
+    When it receives a <method> request with neither PATH_INFO nor CSRF token or header
     Then it lets it pass untouched
 
     Examples:

data/features/step_definitions/request_steps.rb

@@ -1,7 +1,7 @@
 # Yes, they're not as DRY as possible, but I think they're more readable than
 # a single step definition with a few captures and more complex checkings.
 
-When /^it receives a (.*) request without the CSRF token$/ do |http_method|
+When /^it receives a (.*) request without the CSRF (?:token|header)$/ do |http_method|
   begin
     @browser.request '/', :method => http_method
   rescue Exception => e
@@ -9,7 +9,7 @@ When /^it receives a (.*) request without the CSRF token$/ do |http_method|
   end
 end
 
-When /^it receives a (.*) request for (.+) without the CSRF token$/ do |http_method, path|
+When /^it receives a (.*) request for (.+) without the CSRF (?:token|header|token or header)$/ do |http_method, path|
   begin
     @browser.request path, :method => http_method
   rescue Exception => e
@@ -18,24 +18,56 @@ When /^it receives a (.*) request for (.+) without the CSRF token$/ do |http_met
 end
 
 When /^it receives a (.*) request with the right CSRF token$/ do |http_method|
-  @browser.request '/', :method => http_method,
-    'rack.session' => {Rack::Csrf.key => 'right_token'},
-    :params => {Rack::Csrf.field => 'right_token'}
+  @browser.request '/', :method        => http_method,
+                        'rack.session' => {Rack::Csrf.key   => 'right_token'},
+                        :params        => {Rack::Csrf.field => 'right_token'}
+end
+
+When /^it receives a (.*) request with the right CSRF header$/ do |http_method|
+  @browser.request '/', :method                     => http_method,
+                        'rack.session'              => {Rack::Csrf.key => 'right_token'},
+                        Rack::Csrf.rackified_header => 'right_token'
 end
 
 When /^it receives a (.*) request with the wrong CSRF token$/ do |http_method|
+  begin
+    @browser.request '/', :method        => http_method,
+                          'rack.session' => {Rack::Csrf.key   => 'right_token'},
+                          :params        => {Rack::Csrf.field => 'wrong_token'}
+  rescue Exception => e
+    @exception = e
+  end
+end
+
+When /^it receives a (.*) request with the wrong CSRF header/ do |http_method|
   begin
     @browser.request '/', :method => http_method,
-      :params => {Rack::Csrf.field => 'whatever'}
+                          Rack::Csrf.rackified_header => 'right_token'
   rescue Exception => e
     @exception = e
   end
 end
 
-When /^it receives a (.*) request with neither PATH_INFO nor CSRF token$/ do |http_method|
+When /^it receives a (.*) request with neither PATH_INFO nor CSRF token or header$/ do |http_method|
   begin
     @browser.request '/doesntmatter', :method => http_method, 'PATH_INFO' => ''
   rescue Exception => e
     @exception = e
   end
 end
+
+When /^it receives a request with headers (.+) = ([^ ]+) without the CSRF token or header$/ do |name, value|
+  begin
+    @browser.request '/', Hash[:method, 'POST', name, value]
+  rescue Exception => e
+    @exception = e
+  end
+end
+
+When /^it receives a request with headers (.+) = ([^,]+), (.+), and without the CSRF token or header$/ do |name, value, method|
+  begin
+    @browser.request '/', Hash[:method, method, name, value]
+  rescue Exception => e
+    @exception = e
+  end
+end

data/features/step_definitions/setup_steps.rb

@@ -8,38 +8,53 @@ end
 # a single step definition with a few captures and more complex checkings.
 
 Given /^a rack with the anti\-CSRF middleware$/ do
-  Given 'a rack with the session middleware'
-  When 'I insert the anti-CSRF middleware'
+  step 'a rack with the session middleware'
+  step 'I insert the anti-CSRF middleware'
 end
 
 Given /^a rack with the anti\-CSRF middleware and the :raise option$/ do
-  Given 'a rack with the session middleware'
-  When 'I insert the anti-CSRF middleware with the :raise option'
+  step 'a rack with the session middleware'
+  step 'I insert the anti-CSRF middleware with the :raise option'
 end
 
 Given /^a rack with the anti\-CSRF middleware and the :skip option$/ do |table|
-  Given 'a rack with the session middleware'
-  When 'I insert the anti-CSRF middleware with the :skip option', table
+  step 'a rack with the session middleware'
+  step 'I insert the anti-CSRF middleware with the :skip option', table
+end
+
+Given /^a rack with the anti\-CSRF middleware and the :skip_if option$/ do |table|
+  step 'a rack with the session middleware'
+  step 'I insert the anti-CSRF middleware with the :skip_if option', table
+end
+
+Given /^a rack with the anti\-CSRF middleware and both the :skip and :skip_if options$/ do |table|
+  step 'a rack with the session middleware'
+  step 'I insert the anti-CSRF middleware with the :skip and :skip_if options', table
 end
 
 Given /^a rack with the anti\-CSRF middleware and the :field option$/ do
-  Given 'a rack with the session middleware'
-  When 'I insert the anti-CSRF middleware with the :field option'
+  step 'a rack with the session middleware'
+  step 'I insert the anti-CSRF middleware with the :field option'
 end
 
 Given /^a rack with the anti\-CSRF middleware and the :key option$/ do
-  Given 'a rack with the session middleware'
-  When 'I insert the anti-CSRF middleware with the :key option'
+  step 'a rack with the session middleware'
+  step 'I insert the anti-CSRF middleware with the :key option'
+end
+
+Given /^a rack with the anti\-CSRF middleware and the :header option$/ do
+  step 'a rack with the session middleware'
+  step 'I insert the anti-CSRF middleware with the :header option'
 end
 
 Given /^a rack with the anti\-CSRF middleware and the :check_also option$/ do |table|
-  Given 'a rack with the session middleware'
-  When 'I insert the anti-CSRF middleware with the :check_also option', table
+  step 'a rack with the session middleware'
+  step 'I insert the anti-CSRF middleware with the :check_also option', table
 end
 
 Given /^a rack with the anti\-CSRF middleware and the :check_only option$/ do |table|
-  Given 'a rack with the session middleware'
-  When 'I insert the anti-CSRF middleware with the :check_only option', table
+  step 'a rack with the session middleware'
+  step 'I insert the anti-CSRF middleware with the :check_only option', table
 end
 
 # Yes, they're not as DRY as possible, but I think they're more readable than
@@ -64,6 +79,27 @@ When /^I insert the anti\-CSRF middleware with the :skip option$/ do |table|
   @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
 end
 
+When /^I insert the anti\-CSRF middleware with the :skip_if option$/ do |table|
+  skippable = table.hashes.collect {|t| t.values}
+  @rack_builder.use Rack:: Csrf, :skip_if => Proc.new { |request|
+    skippable.any? { |name, value| request.env[name] == value }
+  }
+  @app = toy_app
+  @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
+end
+
+When /^I insert the anti\-CSRF middleware with the :skip and :skip_if options$/ do |table|
+  data = table.hashes.collect {|t| t.values}[0]
+  headers = data[0..1]
+  skippable = data[2]
+
+  @rack_builder.use Rack:: Csrf, :skip => [skippable], :skip_if => Proc.new { |request|
+    skippable.any? { |name, value| request.env[name] == value }
+  }
+  @app = toy_app
+  @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
+end
+
 When /^I insert the anti\-CSRF middleware with the :field option$/ do
   @rack_builder.use Rack::Csrf, :field => 'fantasy_name'
   @app = toy_app
@@ -76,6 +112,12 @@ When /^I insert the anti\-CSRF middleware with the :key option$/ do
   @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
 end
 
+When /^I insert the anti\-CSRF middleware with the :header option$/ do
+  @rack_builder.use Rack::Csrf, :header => 'fantasy_name'
+  @app = toy_app
+  @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
+end
+
 When /^I insert the anti\-CSRF middleware with the :check_also option$/ do |table|
   check_also = table.hashes.collect {|t| t.values}.flatten
   @rack_builder.use Rack::Csrf, :check_also => check_also

data/features/variation_on_header_name.feature

@@ -0,0 +1,35 @@
+Feature: Customization of the header name
+
+  Background:
+    Given a rack with the anti-CSRF middleware and the :header option
+
+  Scenario: GET request with the right CSRF header in custom field
+    When it receives a GET request with the right CSRF header
+    Then it lets it pass untouched
+
+  Scenario: GET request with the wrong CSRF header in custom field
+    When it receives a GET request with the wrong CSRF header
+    Then it lets it pass untouched
+
+  Scenario Outline: Handling request with the right CSRF header in custom field
+    When it receives a <method> request with the right CSRF header
+    Then it lets it pass untouched
+
+    Examples:
+      | method |
+      | POST   |
+      | PUT    |
+      | DELETE |
+      | PATCH  |
+
+  Scenario Outline: Handling request with the wrong CSRF header in custom field
+    When it receives a <method> request with the wrong CSRF header
+    Then it responds with 403
+    And the response body is empty
+
+    Examples:
+      | method |
+      | POST   |
+      | PUT    |
+      | DELETE |
+      | PATCH  |

data/lib/rack/csrf.rb

@@ -10,20 +10,23 @@ module Rack
     class SessionUnavailable < StandardError; end
     class InvalidCsrfToken < StandardError; end
 
-    @@field = '_csrf'
-    @@key = 'csrf.token'
+    @@field  = '_csrf'
+    @@header = 'X_CSRF_TOKEN'
+    @@key    = 'csrf.token'
 
     def initialize(app, opts = {})
       @app = app
 
-      @raisable = opts[:raise] || false
-      @to_be_skipped = (opts[:skip] || []).map {|r| /\A#{r}\Z/i}
-      @to_be_checked = (opts[:check_only] || []).map {|r| /\A#{r}\Z/i}
-      @@field = opts[:field] if opts[:field]
-      @@key = opts[:key] if opts[:key]
+      @raisable        = opts[:raise] || false
+      @skip_list       = (opts[:skip] || []).map {|r| /\A#{r}\Z/i}
+      @skip_if         = opts[:skip_if] if opts[:skip_if]
+      @check_only_list = (opts[:check_only] || []).map {|r| /\A#{r}\Z/i}
+      @@field          = opts[:field] if opts[:field]
+      @@header         = opts[:header] if opts[:header]
+      @@key            = opts[:key] if opts[:key]
 
       standard_http_methods = %w(POST PUT DELETE PATCH)
-      check_also = opts[:check_also] || []
+      check_also            = opts[:check_also] || []
       @http_methods = (standard_http_methods + check_also).flatten.uniq
     end
 
@@ -35,7 +38,8 @@ module Rack
       req = Rack::Request.new(env)
       untouchable = skip_checking(req) ||
         !@http_methods.include?(req.request_method) ||
-        req.params[self.class.field] == env['rack.session'][self.class.key]
+        req.params[self.class.field] == env['rack.session'][self.class.key] ||
+        req.env[self.class.rackified_header] == env['rack.session'][self.class.key]
       if untouchable
         @app.call(env)
       else
@@ -52,6 +56,10 @@ module Rack
       @@field
     end
 
+    def self.header
+      @@header
+    end
+
     def self.token(env)
       env['rack.session'][key] ||= SecureRandom.base64(32)
     end
@@ -60,21 +68,40 @@ module Rack
       %Q(<input type="hidden" name="#{field}" value="#{token(env)}" />)
     end
 
+    def self.metatag(env, options = {})
+      name = options.delete(:name) || '_csrf'
+      %Q(<meta name="#{name}" content="#{token(env)}" />)
+    end
+
     class << self
       alias_method :csrf_key, :key
       alias_method :csrf_field, :field
+      alias_method :csrf_header, :header
       alias_method :csrf_token, :token
       alias_method :csrf_tag, :tag
+      alias_method :csrf_metatag, :metatag
     end
 
     protected
 
+    # Returns the custom header's name adapted to current standards.
+    def self.rackified_header
+      "HTTP_#{@@header.gsub('-','_').upcase}"
+    end
+
+    # Returns +true+ if the given request appears in the <b>skip list</b> or
+    # the <b>conditional skipping code</b> return true or, when the <b>check
+    # only list</b> is not empty (i.e., we are working in the "reverse mode"
+    # triggered by the +check_only+ option), it does not appear in the
+    # <b>check only list.</b>
     def skip_checking request
-      skip = any? @to_be_skipped, request
-      allow = any? @to_be_checked, request
-      skip || (!@to_be_checked.empty? && !allow)
+      to_be_skipped = any? @skip_list, request
+      to_be_skipped ||= @skip_if && @skip_if.call(request)
+      to_be_checked = any? @check_only_list, request
+      to_be_skipped || (!@check_only_list.empty? && !to_be_checked)
     end
-    
+
+    # Returns +true+ when the given list "includes" the request.
     def any? list, request
       pi = request.path_info.empty? ? '/' : request.path_info
       list.any? do |route|

data/rack_csrf.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "rack_csrf"
-  s.version = "2.3.0"
+  s.version = "2.4.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Emanuele Vicentini"]
-  s.date = "2011-10-23"
+  s.date = "2012-02-28"
   s.description = "Anti-CSRF Rack middleware"
   s.email = "emanuele.vicentini@gmail.com"
   s.extra_rdoc_files = [
@@ -19,6 +19,7 @@ Gem::Specification.new do |s|
   s.files = [
     ".rspec",
     "Changelog.md",
+    "Gemfile",
     "LICENSE.rdoc",
     "README.rdoc",
     "Rakefile",
@@ -63,6 +64,7 @@ Gem::Specification.new do |s|
     "features/inspecting_also_get_requests.feature",
     "features/raising_exception.feature",
     "features/setup.feature",
+    "features/skip_if_block_passes.feature",
     "features/skip_some_routes.feature",
     "features/step_definitions/request_steps.rb",
     "features/step_definitions/response_steps.rb",
@@ -70,6 +72,7 @@ Gem::Specification.new do |s|
     "features/support/env.rb",
     "features/support/fake_session.rb",
     "features/variation_on_field_name.feature",
+    "features/variation_on_header_name.feature",
     "features/variation_on_key_name.feature",
     "lib/rack/csrf.rb",
     "lib/rack/vendor/securerandom.rb",
@@ -79,10 +82,10 @@ Gem::Specification.new do |s|
   ]
   s.homepage = "https://github.com/baldowl/rack_csrf"
   s.licenses = ["MIT"]
-  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Rack::Csrf 2.3.0", "--main", "README.rdoc"]
+  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Rack::Csrf 2.4.0", "--main", "README.rdoc"]
   s.require_paths = ["lib"]
   s.rubyforge_project = "rackcsrf"
-  s.rubygems_version = "1.8.11"
+  s.rubygems_version = "1.8.17"
   s.summary = "Anti-CSRF Rack middleware"
 
   if s.respond_to? :specification_version then
@@ -90,23 +93,29 @@ Gem::Specification.new do |s|
 
     if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
       s.add_runtime_dependency(%q<rack>, [">= 0.9"])
-      s.add_development_dependency(%q<cucumber>, [">= 0.1.13"])
+      s.add_development_dependency(%q<bundler>, [">= 1.0.0"])
+      s.add_development_dependency(%q<cucumber>, [">= 1.1.1"])
       s.add_development_dependency(%q<rack-test>, [">= 0"])
       s.add_development_dependency(%q<rspec>, [">= 2.0.0"])
       s.add_development_dependency(%q<rdoc>, [">= 2.4.2"])
+      s.add_development_dependency(%q<jeweler>, [">= 0"])
     else
       s.add_dependency(%q<rack>, [">= 0.9"])
-      s.add_dependency(%q<cucumber>, [">= 0.1.13"])
+      s.add_dependency(%q<bundler>, [">= 1.0.0"])
+      s.add_dependency(%q<cucumber>, [">= 1.1.1"])
       s.add_dependency(%q<rack-test>, [">= 0"])
       s.add_dependency(%q<rspec>, [">= 2.0.0"])
       s.add_dependency(%q<rdoc>, [">= 2.4.2"])
+      s.add_dependency(%q<jeweler>, [">= 0"])
     end
   else
     s.add_dependency(%q<rack>, [">= 0.9"])
-    s.add_dependency(%q<cucumber>, [">= 0.1.13"])
+    s.add_dependency(%q<bundler>, [">= 1.0.0"])
+    s.add_dependency(%q<cucumber>, [">= 1.1.1"])
     s.add_dependency(%q<rack-test>, [">= 0"])
     s.add_dependency(%q<rspec>, [">= 2.0.0"])
     s.add_dependency(%q<rdoc>, [">= 2.4.2"])
+    s.add_dependency(%q<jeweler>, [">= 0"])
   end
 end