rack_csrf 2.4.0 → 2.5.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 347ff3179f58ae9f50ba7ea21ced84f4e79ce39a
+  data.tar.gz: ae43acbd043e920ae4aa0f19bf9607f4c8775fb2
+SHA512:
+  metadata.gz: f57f414196810efbb0fde60593cb889e2e4c9897e714afb10c8d44e232b522fa068820f9c9fbb461dd19eefaf56553063fdd1c195363ad41a6eef686d77bb14c
+  data.tar.gz: ffe85c09c9da3ffec3d39d1e30f88ddeb46558505f8f2d87fb56a6a1b31eb1c2706ca4a9b59a262ac2af87665d4871ac39d521ccfd3e8d5bf84acb8ded360a78

data/.gitignore

@@ -0,0 +1,2 @@
+Gemfile.lock
+.rvmrc

data/.travis.yml

@@ -0,0 +1,15 @@
+language: ruby
+
+rvm:
+  - 1.8.7
+  - 1.9.2
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0
+
+env:
+  - TEST_WITH_RACK=1.1.0
+  - TEST_WITH_RACK=1.2.0
+  - TEST_WITH_RACK=1.3.0
+  - TEST_WITH_RACK=1.4.0
+  - TEST_WITH_RACK=1.5.0

data/Changelog.md

@@ -1,3 +1,15 @@
+# v2.5.0 (2014-06-15)
+
+* Fixed/improved the examples.
+* Added basic Travis setup.
+* Dropped support for Rack versions older than 1.1.0.
+* Lazy generation of the CSRF token.
+* Left Jeweler; totally embraced Bundler.
+* Dropped support for Ruby 1.8.6.
+* Fixed Cucumber's step for Ruby 1.8.*.
+
+
+
 # v2.4.0 (2012-02-28)
 
 * Updated examples' Gemfiles.

data/Gemfile

@@ -1,12 +1,2 @@
-source 'http://rubygems.org'
-
-gem 'rack', '>= 0.9'
-
-group :development do
-  gem 'bundler', '>= 1.0.0'
-  gem 'cucumber', '>= 1.1.1'
-  gem 'rack-test'
-  gem 'rspec', '>= 2.0.0'
-  gem 'rdoc', '>= 2.4.2'
-  gem 'jeweler'
-end
+source 'https://rubygems.org'
+gemspec

data/LICENSE.rdoc

@@ -2,7 +2,7 @@
 
 (The MIT License)
 
-Copyright (c) 2009, 2010, 2011, 2012 Emanuele Vicentini
+Copyright (c) 2009, 2010, 2011, 2012, 2014 Emanuele Vicentini
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the 'Software'), to deal

data/README.rdoc

@@ -1,4 +1,4 @@
-= Rack::Csrf
+= Rack::Csrf {<img src="https://travis-ci.org/baldowl/rack_csrf.png?branch=master" alt="Build Status" />}[https://travis-ci.org/baldowl/rack_csrf] {<img src="https://badge.fury.io/rb/rack_csrf.png" alt="Gem Version" />}[http://badge.fury.io/rb/rack_csrf]
 
 This is just a small Rack middleware whose only goal is to lessen the hazards
 posed by CSRF attacks by trying to ensure that all requests of particular
@@ -20,9 +20,6 @@ immediately replies with an empty response.
 
 The anti-forging token can be passed as a request parameter or a header.
 
-I have not tested Rack::Csrf with Rack 0.4.0 or earlier versions, but it could
-possibly work.
-
 == Options
 
 The following options allow you to tweak Rack::Csrf.
@@ -79,6 +76,9 @@ The following options allow you to tweak Rack::Csrf.
   This option is useful if a guarded resource can be accessed by clients who
   support CSRF token (e.g. browsers) and by ones who don't (e.g. API clients).
 
+  Don't try to check the CSRF token: it could exist or not at this stage and
+  you should always let it alone.
+
   Default value: empty.
 
 [<tt>:field</tt>]
@@ -154,6 +154,10 @@ token.
   Returns the name of the key used to store/retrieve the token from the Rack
   session.
 
+  Despite this class method, you should never try to retrieve the token with
+  code like <tt>env['rack.session'][Rack::Csrf.key]</tt>. See the `token`
+  method below.
+
 [<tt>Rack::Csrf.field</tt> (also <tt>Rack::Csrf.csrf_field</tt>)]
   Returns the name of the field that must be present in the request.
 
@@ -208,5 +212,5 @@ forgo responsibilities for keeping your application as safe as possible.
 
 == Copyright
 
-Copyright (c) 2009, 2010, 2011, 2012 Emanuele Vicentini. See LICENSE.rdoc for
-details.
+Copyright (c) 2009, 2010, 2011, 2012, 2014 Emanuele Vicentini. See
+LICENSE.rdoc for details.

data/Rakefile

@@ -1,52 +1,30 @@
 require 'rubygems'
-require 'bundler'
-begin
-  Bundler.setup(:default, :development)
-rescue Bundler::BundlerError => e
-  $stderr.puts e.message
-  $stderr.puts "Run `bundle install` to install missing gems"
-  exit e.status_code
-end
+require 'bundler/setup'
 
 require 'rake/clean'
-require 'cucumber/rake/task'
-require 'rspec/core/rake_task'
-require 'rdoc/task'
-require 'jeweler'
 
+require 'cucumber/rake/task'
 Cucumber::Rake::Task.new :features
 task :default => :features
 
+require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new :spec
 task :default => :spec
 
-version = File.exists?('VERSION') ? File.read('VERSION').strip : ''
+require 'rack/csrf/version'
 
+require 'rdoc/task'
 RDoc::Task.new :doc do |rdoc|
   rdoc.rdoc_dir = 'doc'
-  rdoc.title = "Rack::Csrf #{version}"
+  rdoc.title = "Rack::Csrf #{Rack::Csrf::VERSION}"
   rdoc.main = 'README.rdoc'
   rdoc.rdoc_files.include('README.rdoc', 'LICENSE.rdoc')
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
 
-Jeweler::Tasks.new do |gem|
-  gem.name = 'rack_csrf'
-  gem.summary = 'Anti-CSRF Rack middleware'
-  gem.description = 'Anti-CSRF Rack middleware'
-  gem.license = 'MIT'
-  gem.authors = 'Emanuele Vicentini'
-  gem.email = 'emanuele.vicentini@gmail.com'
-  gem.homepage = 'https://github.com/baldowl/rack_csrf'
-  gem.rubyforge_project = 'rackcsrf'
-  # dependencies defined in Gemfile
-  gem.rdoc_options << '--line-numbers' << '--inline-source' << '--title' <<
-    "Rack::Csrf #{version}" << '--main' << 'README.rdoc'
-  gem.test_files.clear
-end
-
-Jeweler::GemcutterTasks.new
+require 'bundler/gem_tasks'
 
+require 'git'
 desc <<-EOD
 Shows the changelog in Git between the given points.
 
@@ -54,9 +32,9 @@ start -- defaults to the current version tag
 end   -- defaults to HEAD
 EOD
 task :changes, [:start, :end] do |t, args|
-  args.with_defaults :start => "v#{Rake.application.jeweler.version}",
+  args.with_defaults :start => "v#{Rack::Csrf::VERSION}",
     :end => 'HEAD'
-  repo = Git.open Rake.application.jeweler.git_base_dir
+  repo = Git.open Dir.pwd
   repo.log(nil).between(args.start, args.end).each do |c|
     puts c.message.split($/).first
   end

data/examples/camping/Gemfile

@@ -1,4 +1,6 @@
 source 'http://rubygems.org'
 
+gem 'rack_csrf', :path => File.expand_path('../../..', __FILE__)
+gem 'rack', '~> 1.4.0'
 gem 'camping', '>= 2.1', '<= 2.1.467'
 gem 'markaby', '>= 0.7.1', '<= 0.7.2'

data/examples/camping/app.rb

@@ -1,7 +1,5 @@
 require 'camping'
 require 'camping/session'
-
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
 Camping.goes :LittleApp

data/examples/cuba/Gemfile

@@ -1,3 +1,4 @@
 source 'http://rubygems.org'
 
+gem 'rack_csrf', :path => File.expand_path('../../..', __FILE__)
 gem 'cuba', '>= 2.1.0', '<= 2.2.1'

data/examples/cuba/app.rb

@@ -1,5 +1,7 @@
 Cuba.define do
   on get do
+    res['Content-Type'] = 'text/html'
+
     on '' do
       res.write render('views/form.erb')
     end

data/examples/cuba/config-with-raise.ru

@@ -1,11 +1,10 @@
 require 'cuba'
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
 Cuba.use Rack::ShowExceptions
 Cuba.use Rack::Session::Cookie
 Cuba.use Rack::Csrf, :raise => true
 
-require 'app'
+require './app'
 
 run Cuba

data/examples/cuba/config.ru

@@ -1,10 +1,9 @@
 require 'cuba'
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
 Cuba.use Rack::Session::Cookie
 Cuba.use Rack::Csrf
 
-require 'app'
+require './app'
 
 run Cuba

data/examples/innate/Gemfile

@@ -1,3 +1,4 @@
 source 'http://rubygems.org'
 
+gem 'rack_csrf', :path => File.expand_path('../../..', __FILE__)
 gem 'innate', '>= 2009.07', '<= 2011.12'

data/examples/innate/start-with-raise.rb

@@ -1,10 +1,8 @@
 require 'rubygems'
 require 'innate'
-
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
-require 'app'
+require './app'
 
 Innate.start do |m|
   m.use Rack::ShowExceptions

data/examples/innate/start.rb

@@ -1,10 +1,8 @@
 require 'rubygems'
 require 'innate'
-
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
-require 'app'
+require './app'
 
 Innate.start do |m|
   m.use Rack::Session::Cookie

data/examples/rack/Gemfile

@@ -1,3 +1,4 @@
 source 'http://rubygems.org'
 
-gem 'rack', '>= 1.0.0', '<= 1.4.1'
+gem 'rack_csrf', :path => File.expand_path('../../..', __FILE__)
+gem 'rack', '<= 1.5.2'

data/examples/rack/app.rb

@@ -30,16 +30,21 @@ class LittleApp
 
   def self.call env
     req = Rack::Request.new env
+    res = Rack::Response.new
+
     if req.get?
       if req.path_info == '/notworking'
-        Rack::Response.new(@form_not_working.result(binding)).finish
+        res.write @form_not_working.result(binding)
       else
-        Rack::Response.new(@form.result(binding)).finish
+        res.write @form.result(binding)
       end
     elsif req.post?
       utterance = req['utterance']
       csrf = req[Rack::Csrf.field]
-      Rack::Response.new(@response.result(binding)).finish
+      res.write @response.result(binding)
     end
+
+    res['Content-Type'] = 'text/html'
+    res.finish
   end
 end

data/examples/rack/config-with-raise.ru

@@ -1,8 +1,7 @@
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
 require 'erb'
-require 'app'
+require './app'
 
 use Rack::ShowExceptions
 use Rack::Session::Cookie

data/examples/rack/config.ru

@@ -1,8 +1,7 @@
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
 require 'erb'
-require 'app'
+require './app'
 
 use Rack::Session::Cookie
 use Rack::Csrf

data/examples/sinatra/Gemfile

@@ -1,3 +1,4 @@
 source 'http://rubygems.org'
 
-gem 'sinatra', '>= 0.9.4', '<= 1.3.2'
+gem 'rack_csrf', :path => File.expand_path('../../..', __FILE__)
+gem 'sinatra', '>= 0.9.4', '<= 1.4.4'

data/examples/sinatra/config-with-raise.ru

@@ -1,14 +1,11 @@
 require 'sinatra'
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
 require 'erb'
-require 'app'
+require './app'
 
 use Rack::ShowExceptions
 use Rack::Session::Cookie
 use Rack::Csrf, :raise => true
 
-set :app_file, 'app.rb'
-
 run Sinatra::Application

data/examples/sinatra/config.ru

@@ -1,13 +1,10 @@
 require 'sinatra'
-$: << File.join(File.dirname(__FILE__), '../../lib')
 require 'rack/csrf'
 
 require 'erb'
-require 'app'
+require './app'
 
 use Rack::Session::Cookie
 use Rack::Csrf
 
-set :app_file, 'app.rb'
-
 run Sinatra::Application

data/features/step_definitions/setup_steps.rb

@@ -80,7 +80,8 @@ When /^I insert the anti\-CSRF middleware with the :skip option$/ do |table|
 end
 
 When /^I insert the anti\-CSRF middleware with the :skip_if option$/ do |table|
-  skippable = table.hashes.collect {|t| t.values}
+  skippable = {}
+  table.hashes.each {|row| skippable[row['name']] = row['value']}
   @rack_builder.use Rack:: Csrf, :skip_if => Proc.new { |request|
     skippable.any? { |name, value| request.env[name] == value }
   }
@@ -89,12 +90,15 @@ When /^I insert the anti\-CSRF middleware with the :skip_if option$/ do |table|
 end
 
 When /^I insert the anti\-CSRF middleware with the :skip and :skip_if options$/ do |table|
-  data = table.hashes.collect {|t| t.values}[0]
-  headers = data[0..1]
-  skippable = data[2]
-
-  @rack_builder.use Rack:: Csrf, :skip => [skippable], :skip_if => Proc.new { |request|
-    skippable.any? { |name, value| request.env[name] == value }
+  skip_option_arguments = []
+  skip_if_option_arguments = {}
+  table.hashes.each do |row|
+    skip_option_arguments << row['path']
+    skip_if_option_arguments[row['name']] = row['value']
+  end
+
+  @rack_builder.use Rack:: Csrf, :skip => skip_option_arguments, :skip_if => Proc.new { |request|
+    skip_if_option_arguments.any? { |name, value| request.env[name] == value }
   }
   @app = toy_app
   @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))

data/lib/rack/csrf.rb

@@ -1,9 +1,5 @@
 require 'rack'
-begin
-  require 'securerandom'
-rescue LoadError
-  require File.dirname(__FILE__) + '/vendor/securerandom'
-end
+require 'securerandom'
 
 module Rack
   class Csrf
@@ -34,12 +30,11 @@ module Rack
       unless env['rack.session']
         raise SessionUnavailable.new('Rack::Csrf depends on session middleware')
       end
-      self.class.token(env)
       req = Rack::Request.new(env)
       untouchable = skip_checking(req) ||
         !@http_methods.include?(req.request_method) ||
-        req.params[self.class.field] == env['rack.session'][self.class.key] ||
-        req.env[self.class.rackified_header] == env['rack.session'][self.class.key]
+        req.params[self.class.field] == self.class.token(env) ||
+        req.env[self.class.rackified_header] == self.class.token(env)
       if untouchable
         @app.call(env)
       else

data/lib/rack/csrf/version.rb

@@ -0,0 +1,5 @@
+module Rack
+  class Csrf
+    VERSION = '2.5.0'
+  end
+end

data/rack_csrf.gemspec

@@ -1,121 +1,50 @@
-# Generated by jeweler
-# DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
-# -*- encoding: utf-8 -*-
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'rack/csrf/version'
 
-Gem::Specification.new do |s|
-  s.name = "rack_csrf"
-  s.version = "2.4.0"
+Gem::Specification.new do |spec|
+  spec.name                  = 'rack_csrf'
+  spec.version               = Rack::Csrf::VERSION
+  spec.authors               = ['Emanuele Vicentini']
+  spec.email                 = ['emanuele.vicentini@gmail.com']
+  spec.description           = 'Anti-CSRF Rack middleware'
+  spec.summary               = 'Anti-CSRF Rack middleware'
+  spec.homepage              = 'https://github.com/baldowl/rack_csrf'
+  spec.license               = 'MIT'
 
-  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.authors = ["Emanuele Vicentini"]
-  s.date = "2012-02-28"
-  s.description = "Anti-CSRF Rack middleware"
-  s.email = "emanuele.vicentini@gmail.com"
-  s.extra_rdoc_files = [
-    "LICENSE.rdoc",
-    "README.rdoc"
+  spec.files                 = `git ls-files`.split($/)
+  spec.executables           = spec.files.grep(%r{^bin/}) {|f| File.basename f}
+  spec.test_files            = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths         = ['lib']
+
+  spec.rdoc_options          = [
+    '--line-numbers',
+    '--inline-source',
+    '--title',
+    "Rack::Csrf #{Rack::Csrf::VERSION}",
+    '--main',
+    'README.rdoc'
   ]
-  s.files = [
-    ".rspec",
-    "Changelog.md",
-    "Gemfile",
-    "LICENSE.rdoc",
-    "README.rdoc",
-    "Rakefile",
-    "VERSION",
-    "cucumber.yml",
-    "examples/camping/Gemfile",
-    "examples/camping/README.rdoc",
-    "examples/camping/app.rb",
-    "examples/camping/config.ru",
-    "examples/cuba/Gemfile",
-    "examples/cuba/README.rdoc",
-    "examples/cuba/app.rb",
-    "examples/cuba/config-with-raise.ru",
-    "examples/cuba/config.ru",
-    "examples/cuba/views/form.erb",
-    "examples/cuba/views/form_not_working.erb",
-    "examples/cuba/views/response.erb",
-    "examples/innate/Gemfile",
-    "examples/innate/README.rdoc",
-    "examples/innate/app.rb",
-    "examples/innate/start-with-raise.rb",
-    "examples/innate/start.rb",
-    "examples/innate/view/index.erb",
-    "examples/innate/view/notworking.erb",
-    "examples/innate/view/response.erb",
-    "examples/rack/Gemfile",
-    "examples/rack/README.rdoc",
-    "examples/rack/app.rb",
-    "examples/rack/config-with-raise.ru",
-    "examples/rack/config.ru",
-    "examples/sinatra/Gemfile",
-    "examples/sinatra/README.rdoc",
-    "examples/sinatra/app.rb",
-    "examples/sinatra/config-with-raise.ru",
-    "examples/sinatra/config.ru",
-    "examples/sinatra/views/form.erb",
-    "examples/sinatra/views/form_not_working.erb",
-    "examples/sinatra/views/response.erb",
-    "features/check_only_some_specific_requests.feature",
-    "features/custom_http_methods.feature",
-    "features/empty_responses.feature",
-    "features/inspecting_also_get_requests.feature",
-    "features/raising_exception.feature",
-    "features/setup.feature",
-    "features/skip_if_block_passes.feature",
-    "features/skip_some_routes.feature",
-    "features/step_definitions/request_steps.rb",
-    "features/step_definitions/response_steps.rb",
-    "features/step_definitions/setup_steps.rb",
-    "features/support/env.rb",
-    "features/support/fake_session.rb",
-    "features/variation_on_field_name.feature",
-    "features/variation_on_header_name.feature",
-    "features/variation_on_key_name.feature",
-    "lib/rack/csrf.rb",
-    "lib/rack/vendor/securerandom.rb",
-    "rack_csrf.gemspec",
-    "spec/csrf_spec.rb",
-    "spec/spec_helper.rb"
+  spec.extra_rdoc_files      = [
+    'LICENSE.rdoc',
+    'README.rdoc'
   ]
-  s.homepage = "https://github.com/baldowl/rack_csrf"
-  s.licenses = ["MIT"]
-  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Rack::Csrf 2.4.0", "--main", "README.rdoc"]
-  s.require_paths = ["lib"]
-  s.rubyforge_project = "rackcsrf"
-  s.rubygems_version = "1.8.17"
-  s.summary = "Anti-CSRF Rack middleware"
 
-  if s.respond_to? :specification_version then
-    s.specification_version = 3
+  spec.required_ruby_version = '>= 1.8.7'
 
-    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<rack>, [">= 0.9"])
-      s.add_development_dependency(%q<bundler>, [">= 1.0.0"])
-      s.add_development_dependency(%q<cucumber>, [">= 1.1.1"])
-      s.add_development_dependency(%q<rack-test>, [">= 0"])
-      s.add_development_dependency(%q<rspec>, [">= 2.0.0"])
-      s.add_development_dependency(%q<rdoc>, [">= 2.4.2"])
-      s.add_development_dependency(%q<jeweler>, [">= 0"])
-    else
-      s.add_dependency(%q<rack>, [">= 0.9"])
-      s.add_dependency(%q<bundler>, [">= 1.0.0"])
-      s.add_dependency(%q<cucumber>, [">= 1.1.1"])
-      s.add_dependency(%q<rack-test>, [">= 0"])
-      s.add_dependency(%q<rspec>, [">= 2.0.0"])
-      s.add_dependency(%q<rdoc>, [">= 2.4.2"])
-      s.add_dependency(%q<jeweler>, [">= 0"])
-    end
+  if ENV['TEST_WITH_RACK']
+    spec.add_runtime_dependency 'rack', "~> #{ENV['TEST_WITH_RACK']}"
   else
-    s.add_dependency(%q<rack>, [">= 0.9"])
-    s.add_dependency(%q<bundler>, [">= 1.0.0"])
-    s.add_dependency(%q<cucumber>, [">= 1.1.1"])
-    s.add_dependency(%q<rack-test>, [">= 0"])
-    s.add_dependency(%q<rspec>, [">= 2.0.0"])
-    s.add_dependency(%q<rdoc>, [">= 2.4.2"])
-    s.add_dependency(%q<jeweler>, [">= 0"])
+    spec.add_runtime_dependency 'rack', '>= 1.1.0'
   end
-end
 
+  spec.add_development_dependency 'bundler', '>= 1.0.0'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'cucumber', '>= 1.1.1'
+  spec.add_development_dependency 'rack-test', '>= 0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rspec-collection_matchers'
+  spec.add_development_dependency 'rdoc', '>= 2.4.2'
+  spec.add_development_dependency 'git', '>= 1.2.5'
+end