rack_csrf 1.1.1 → 2.0.0

data/Changelog.md

@@ -0,0 +1,57 @@
+# v2.0.0 (2010-01-11)
+
+* Added a changelog and a Rake task to help.
+* Removed Jeweler's support for Rubyforge.
+* Fixed a couple of typos.
+* Removed the :browser_only option.
+* Tweaked the copyright notice.
+* Cleaned up a bit some step definitions.
+* Switched to use Rack::Test in the Cucumber's scenarios.
+* Removed redundant require in Cucumber's support files.
+
+
+
+# v1.1.1 (2009-10-15)
+
+* Tweaked the default HTTP response code.
+* Moving to Jeweler.
+* Innate example.
+* Little tweak to the plain Rack example.
+* Plain Rack example.
+* Extended the main README.rdoc.
+* Fixed loading Rack::Csrf in the Sinatra example. New README.
+* Moved the Sinatra example in its own directory.
+* Fixed RSpec support file.
+* Tweaked Cucumber's task definition.
+* Fixed grammar; added some fragments of code.
+* Tweaked a bit the Cucumber and RSpec support files.
+* Reworded and fixed the spec. It should be clearer.
+
+
+
+# 1.1.0 (2009-05-22)
+
+* Tweaks to the examples to run smoothly with future Sinatra release.
+* Moved some code into #initialize.
+* More generic step checking response code.
+* Added the :browser_only option.
+* Tweaked Cucumber's profile to follow new Cucumber release.
+* Shortened steps' names.
+* Tweak to spec to ensure use of csrf_field in csrf_tag.
+* Clarification on options' default values.
+* :skip now accept an array of regexps.
+
+
+
+# 1.0.1 (2009-05-02)
+
+* Changed env key to satisfy Rack specification.
+* Auto-fill session with token upon receiving first request.
+* Added missing scenarios for :field option.
+* Fixed a typo.
+
+
+
+# 1.0.0 (2009-04-22 17:14:45 +0200)
+
+* First release

data/LICENSE.rdoc

@@ -2,7 +2,7 @@
 
 (The MIT License)
 
-Copyright (c) 2009 Emanuele Vicentini
+Copyright (c) 2009, 2010 Emanuele Vicentini
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the 'Software'), to deal

data/README.rdoc

@@ -55,14 +55,16 @@ The following options allow you to tweak Rack::Csrf.
 
   Default value: _csrf
 
-[<tt>:browser_only</tt>]
-  Set it to true to inspect only requests with Content-Type typically produced
-  only by web browsers. This means that curl, Active Resource, etc. can send
-  any request without worring about the token.
+The <tt>:browser_only</tt> option has been removed; you do not need to edit
+any rackup file because Rack::Csrf simply ignores unknown options. Changes
+introduced in Rack version 1.1.0 tightened the parsing of POST params, so
+requests need to have the right Content-Type (or none at all); these
+Content-Types are exactly those used also by browsers and so there is no use
+for <tt>:browser_only</tt> anymore.
 
-    use Rack::Csrf, :browser_only => true
-
-  Default value: false.
+The ill devised <tt>:browser_only</tt> option could have been used to
+"protect" an API, but I think it might be better to use a combination of
+<tt>:skip</tt> and formatted URLs.
 
 == Helpers
 
@@ -107,3 +109,7 @@ list}[http://github.com/baldowl/rack_csrf] on GitHub.
 I cannot stress enough that this middleware is not a bulletproof vest or a
 panacea for the CSRF plague; it is just an *aid* and by using it you cannot
 forgo responsibilities for keeping your application as safe as possible.
+
+== Copyright
+
+Copyright (c) 2009, 2010 Emanuele Vicentini. See LICENSE.rdoc for details.

data/Rakefile

@@ -37,11 +37,26 @@ Jeweler::Tasks.new do |gem|
   gem.rubyforge_project = 'rackcsrf'
   gem.add_dependency 'rack', '>= 0.9'
   gem.add_development_dependency 'cucumber', '>= 0.1.13'
+  gem.add_development_dependency 'rack-test'
   gem.add_development_dependency 'rspec'
   gem.rdoc_options << '--line-numbers' << '--inline-source' << '--title' <<
     "Rack::Csrf #{version}" << '--main' << 'README.rdoc'
   gem.test_files.clear
 end
 
-Jeweler::RubyforgeTasks.new
 Jeweler::GemcutterTasks.new
+
+desc <<-EOD
+Shows the changelog in Git between the given points.
+
+start -- defaults to the current version tag
+end   -- defaults to HEAD
+EOD
+task :changes, [:start, :end] do |t, args|
+  args.with_defaults :start => "v#{Rake.application.jeweler.version}",
+    :end => 'HEAD'
+  repo = Git.open Rake.application.jeweler.git_base_dir
+  repo.log(nil).between(args.start, args.end).each do |c|
+    puts c.message.split($/).first
+  end
+end

data/VERSION

@@ -1 +1 @@
-1.1.1
+2.0.0

data/features/setup.feature

@@ -27,8 +27,3 @@ Feature: Setup of the middleware
     Given a rack with the session middleware
     When I insert the anti-CSRF middleware with the :field option
     Then I get a fully functional rack
-
-  Scenario: Setup with the :browser_only option
-    Given a rack with the session middleware
-    When I insert the anti-CSRF middleware with the :browser_only option
-    Then I get a fully functional rack

data/features/step_definitions/request_steps.rb

@@ -1,55 +1,37 @@
 When /^it receives a GET request (with|without) the CSRF token$/ do |prep|
-  if prep == 'with'
-    url = "/?#{Rack::Utils.build_query(Rack::Csrf.csrf_field => 'whatever')}"
-  else
-    url = '/'
-  end
-  @response = Rack::MockRequest.new(@app).get(url)
+  params = prep == 'with' ? {Rack::Csrf.csrf_field => 'whatever'} : {}
+  @browser.get '/', :params => params
 end
 
 # Yes, they're not as DRY as possible, but I think they're more readable than
 # a single step definition with a few captures and more complex checkings.
 
 When /^it receives a (POST|PUT|DELETE) request without the CSRF token$/ do |http_method|
-  http_method.downcase!
   begin
-    @response = Rack::MockRequest.new(@app).send http_method.to_sym, '/'
+    @browser.request '/', :method => http_method
   rescue Exception => e
     @exception = e
   end
 end
 
 When /^it receives a (POST|PUT|DELETE) request for (.+) without the CSRF token$/ do |http_method, path|
-  http_method.downcase!
-  begin
-    @response = Rack::MockRequest.new(@app).send http_method.to_sym, path
-  rescue Exception => e
-    @exception = e
-  end
-end
-
-When /^it receives a (POST|PUT|DELETE) request without the CSRF token from a browser$/ do |http_method|
-  http_method.downcase!
   begin
-    @response = Rack::MockRequest.new(@app).send http_method.to_sym, '/',
-      'CONTENT_TYPE' => 'text/html'
+    @browser.request path, :method => http_method
   rescue Exception => e
     @exception = e
   end
 end
 
 When /^it receives a (POST|PUT|DELETE) request with the right CSRF token$/ do |http_method|
-  http_method.downcase!
-  @response = Rack::MockRequest.new(@app).send http_method.to_sym, '/',
-    :input => "#{Rack::Csrf.csrf_field}=right_token",
-    'rack.session' => {'csrf.token' => 'right_token'}
+  @browser.request '/', :method => http_method,
+    'rack.session' => {'csrf.token' => 'right_token'},
+    :params => {Rack::Csrf.csrf_field => 'right_token'}
 end
 
 When /^it receives a (POST|PUT|DELETE) request with the wrong CSRF token$/ do |http_method|
-  http_method.downcase!
   begin
-    @response = Rack::MockRequest.new(@app).send http_method.to_sym, '/',
-      :input => "#{Rack::Csrf.csrf_field}=whatever"
+    @browser.request '/', :method => http_method,
+      :params => {Rack::Csrf.csrf_field => 'whatever'}
   rescue Exception => e
     @exception = e
   end

data/features/step_definitions/response_steps.rb

@@ -1,18 +1,18 @@
 Then /^it lets it pass untouched$/ do
-  @response.should be_ok
-  @response.should =~ /Hello world!/
+  @browser.last_response.should be_ok
+  @browser.last_response.should =~ /Hello world!/
 end
 
 Then /^it responds with (\d\d\d)$/ do |code|
-  @response.status.should == code.to_i
+  @browser.last_response.status.should == code.to_i
 end
 
 Then /^the response body is empty$/ do
-  @response.body.should be_empty
+  @browser.last_response.body.should be_empty
 end
 
 Then /^there is no response$/ do
-  @response.should be_nil
+  lambda {@browser.last_response}.should raise_error(Rack::Test::Error)
 end
 
 Then /^an exception is climbing up the stack$/ do

data/features/step_definitions/setup_steps.rb

@@ -1,5 +1,6 @@
 Given /^a rack (with|without) the session middleware$/ do |prep|
   @rack_builder = Rack::Builder.new
+  @rack_builder.use Rack::Lint
   @rack_builder.use FakeSession if prep == 'with'
 end
 
@@ -26,48 +27,32 @@ Given /^a rack with the anti\-CSRF middleware and the :field option$/ do
   When 'I insert the anti-CSRF middleware with the :field option'
 end
 
-Given /^a rack with the anti\-CSRF middleware and the :browser_only option$/ do
-  Given 'a rack with the session middleware'
-  When 'I insert the anti-CSRF middleware with the :browser_only option'
-end
-
 # Yes, they're not as DRY as possible, but I think they're more readable than
 # a single step definition with a few captures and more complex checkings.
 
 When /^I insert the anti\-CSRF middleware$/ do
-  @rack_builder.use Rack::Lint
   @rack_builder.use Rack::Csrf
-  @rack_builder.run(lambda {|env| Rack::Response.new('Hello world!').finish})
-  @app = @rack_builder.to_app
+  toy_app
+  @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
 end
 
 When /^I insert the anti\-CSRF middleware with the :raise option$/ do
-  @rack_builder.use Rack::Lint
   @rack_builder.use Rack::Csrf, :raise => true
-  @rack_builder.run(lambda {|env| Rack::Response.new('Hello world!').finish})
-  @app = @rack_builder.to_app
+  toy_app
+  @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
 end
 
 When /^I insert the anti\-CSRF middleware with the :skip option$/ do |table|
   skippable = table.hashes.collect {|t| t.values}.flatten
-  @rack_builder.use Rack::Lint
   @rack_builder.use Rack::Csrf, :skip => skippable
-  @rack_builder.run(lambda {|env| Rack::Response.new('Hello world!').finish})
-  @app = @rack_builder.to_app
+  toy_app
+  @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
 end
 
 When /^I insert the anti\-CSRF middleware with the :field option$/ do
-  @rack_builder.use Rack::Lint
   @rack_builder.use Rack::Csrf, :field => 'fantasy_name'
-  @rack_builder.run(lambda {|env| Rack::Response.new('Hello world!').finish})
-  @app = @rack_builder.to_app
-end
-
-When /^I insert the anti\-CSRF middleware with the :browser_only option$/ do
-  @rack_builder.use Rack::Lint
-  @rack_builder.use Rack::Csrf, :browser_only => true
-  @rack_builder.run(lambda {|env| Rack::Response.new('Hello world!').finish})
-  @app = @rack_builder.to_app
+  toy_app
+  @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
 end
 
 Then /^I get a fully functional rack$/ do
@@ -77,3 +62,8 @@ end
 Then /^I get an error message$/ do
   lambda {Rack::MockRequest.new(@app).get('/')}.should raise_error(Rack::Csrf::SessionUnavailable, 'Rack::Csrf depends on session middleware')
 end
+
+def toy_app
+  @rack_builder.run(lambda {|env| Rack::Response.new('Hello world!').finish})
+  @app = @rack_builder.to_app
+end

data/features/support/env.rb

@@ -1,9 +1,7 @@
 require 'rubygems'
 require 'spec/expectations'
+require 'rack/test'
 
 $: << File.join(File.dirname(__FILE__), '../../lib')
-$: << File.join(File.dirname(__FILE__))
 
 require 'rack/csrf'
-
-require 'fake_session'

data/lib/rack/csrf.rb

@@ -18,13 +18,8 @@ module Rack
       @raisable = opts[:raise] || false
       @skippable = (opts[:skip] || []).map {|r| /\A#{r}\Z/i}
       @@field = opts[:field] if opts[:field]
-      @browser_only = opts[:browser_only] || false
 
       @http_verbs = %w(POST PUT DELETE)
-      @browser_content_types = ['text/html', 'application/xhtml+xml', 'xhtml',
-        'application/x-www-form-urlencoded',
-        'multipart/form-data',
-        'text/plain', 'txt']
     end
 
     def call(env)
@@ -35,7 +30,7 @@ module Rack
       req = Rack::Request.new(env)
       untouchable = !@http_verbs.include?(req.request_method) ||
         req.POST[self.class.csrf_field] == env['rack.session']['csrf.token'] ||
-        skip_checking(req) || (@browser_only && !from_a_browser(req))
+        skip_checking(req)
       if untouchable
         @app.call(env)
       else
@@ -63,9 +58,5 @@ module Rack
         route =~ (request.request_method + ':' + request.path_info)
       end
     end
-
-    def from_a_browser request
-      @browser_content_types.include?(request.media_type)
-    end
   end
 end

data/rack_csrf.gemspec

@@ -1,15 +1,15 @@
 # Generated by jeweler
-# DO NOT EDIT THIS FILE
-# Instead, edit Jeweler::Tasks in Rakefile, and run `rake gemspec`
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
   s.name = %q{rack_csrf}
-  s.version = "1.1.1"
+  s.version = "2.0.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Emanuele Vicentini"]
-  s.date = %q{2009-10-15}
+  s.date = %q{2010-01-11}
   s.description = %q{Anti-CSRF Rack middleware}
   s.email = %q{emanuele.vicentini@gmail.com}
   s.extra_rdoc_files = [
@@ -17,7 +17,8 @@ Gem::Specification.new do |s|
      "README.rdoc"
   ]
   s.files = [
-    "LICENSE.rdoc",
+    "Changelog.md",
+     "LICENSE.rdoc",
      "README.rdoc",
      "Rakefile",
      "VERSION",
@@ -40,7 +41,6 @@ Gem::Specification.new do |s|
      "examples/sinatra/views/form.erb",
      "examples/sinatra/views/form_not_working.erb",
      "examples/sinatra/views/response.erb",
-     "features/browser_only.feature",
      "features/empty_responses.feature",
      "features/raising_exception.feature",
      "features/setup.feature",
@@ -59,7 +59,7 @@ Gem::Specification.new do |s|
      "spec/spec_helper.rb"
   ]
   s.homepage = %q{http://github.com/baldowl/rack_csrf}
-  s.rdoc_options = ["--charset=UTF-8", "--line-numbers", "--inline-source", "--title", "Rack::Csrf 1.1.1", "--main", "README.rdoc"]
+  s.rdoc_options = ["--charset=UTF-8", "--line-numbers", "--inline-source", "--title", "Rack::Csrf 2.0.0", "--main", "README.rdoc"]
   s.require_paths = ["lib"]
   s.rubyforge_project = %q{rackcsrf}
   s.rubygems_version = %q{1.3.5}
@@ -72,15 +72,19 @@ Gem::Specification.new do |s|
     if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
       s.add_runtime_dependency(%q<rack>, [">= 0.9"])
       s.add_development_dependency(%q<cucumber>, [">= 0.1.13"])
+      s.add_development_dependency(%q<rack-test>, [">= 0"])
       s.add_development_dependency(%q<rspec>, [">= 0"])
     else
       s.add_dependency(%q<rack>, [">= 0.9"])
       s.add_dependency(%q<cucumber>, [">= 0.1.13"])
+      s.add_dependency(%q<rack-test>, [">= 0"])
       s.add_dependency(%q<rspec>, [">= 0"])
     end
   else
     s.add_dependency(%q<rack>, [">= 0.9"])
     s.add_dependency(%q<cucumber>, [">= 0.1.13"])
+    s.add_dependency(%q<rack-test>, [">= 0"])
     s.add_dependency(%q<rspec>, [">= 0"])
   end
 end
+

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: rack_csrf
 version: !ruby/object:Gem::Version 
-  version: 1.1.1
+  version: 2.0.0
 platform: ruby
 authors: 
 - Emanuele Vicentini
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-10-15 00:00:00 +02:00
+date: 2010-01-11 00:00:00 +01:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -32,6 +32,16 @@ dependencies:
       - !ruby/object:Gem::Version 
         version: 0.1.13
     version: 
+- !ruby/object:Gem::Dependency 
+  name: rack-test
+  type: :development
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "0"
+    version: 
 - !ruby/object:Gem::Dependency 
   name: rspec
   type: :development
@@ -52,6 +62,7 @@ extra_rdoc_files:
 - LICENSE.rdoc
 - README.rdoc
 files: 
+- Changelog.md
 - LICENSE.rdoc
 - README.rdoc
 - Rakefile
@@ -75,7 +86,6 @@ files:
 - examples/sinatra/views/form.erb
 - examples/sinatra/views/form_not_working.erb
 - examples/sinatra/views/response.erb
-- features/browser_only.feature
 - features/empty_responses.feature
 - features/raising_exception.feature
 - features/setup.feature
@@ -102,7 +112,7 @@ rdoc_options:
 - --line-numbers
 - --inline-source
 - --title
-- Rack::Csrf 1.1.1
+- Rack::Csrf 2.0.0
 - --main
 - README.rdoc
 require_paths: 

data/features/browser_only.feature

@@ -1,24 +0,0 @@
-Feature: Filtering only browser generated requests
-
-  Scenario Outline: Handling request without CSRF token
-    Given a rack with the anti-CSRF middleware and the :browser_only option
-    When it receives a <method> request without the CSRF token
-    Then it lets it pass untouched
-
-    Examples:
-      | method |
-      | POST   |
-      | PUT    |
-      | DELETE |
-
-  Scenario Outline: Handling request without CSRF token
-    Given a rack with the anti-CSRF middleware and the :browser_only option
-    When it receives a <method> request without the CSRF token from a browser
-    Then it responds with 403
-    And the response body is empty
-
-    Examples:
-      | method |
-      | POST   |
-      | PUT    |
-      | DELETE |