rack_csrf 2.2.0 → 2.3.0

data/Changelog.md

@@ -1,3 +1,15 @@
+# v2.3.0 (2011-10-23)
+
+* Updated examples' Gemfiles.
+* Moved to use the RDoc gem.
+* new option :check_only (courtesy of [ghermeto](https://github.com/ghermeto))
+* Cuba example.
+* Changed request checking to look at GET+POST data.
+* Added support for custom HTTP methods.
+* Promoted public methods' shorter aliases to main API.
+
+
+
 # v2.2.0 (2011-04-12)
 
 * Simplified specs and some Cucumber's steps.

data/README.rdoc

@@ -34,6 +34,20 @@ The following options allow you to tweak Rack::Csrf.
 
   Default value: false.
 
+[<tt>:check_only</tt>]
+  By default, Rack::Csrf checks every POST, PUT, DELETE and PATCH request;
+  passing an array of HTTP method/URL (regular expressions allowed) to this
+  option you can change this behavior to *only* check the items on this list.
+
+    use Rack::Csrf, :check_only => ['POST:/checking', 'PUT:/me_too',
+      'DELETE:/cars/.*\.xml', 'PATCH:/this/.*/too']
+
+  Please, note that the regular expressions are not escaped and it is your
+  duty to write them correctly. Empty PATH_INFO (see Rack's spec for details)
+  is treated as '/' for this check.
+
+  Default value: empty.
+
 [<tt>:skip</tt>]
   By default, Rack::Csrf checks every POST, PUT, DELETE and PATCH request;
   passing an array of HTTP method/URL (regular expressions allowed) to this
@@ -64,6 +78,15 @@ The following options allow you to tweak Rack::Csrf.
 
   Default value: csrf.token
 
+[<tt>:check_also</tt>]
+  By passing an array of uppercase strings to this option you can add them to
+  the list of HTTP methods which "mark" requests that must be searched for the
+  anti-forging token.
+
+    use Rack::Csrf, :check_also => %w(WHATEVER YOU WANT EVEN GET)
+
+  Default value: empty
+
 The <tt>:browser_only</tt> option has been removed; you do not need to edit
 any rackup file because Rack::Csrf simply ignores unknown options. Changes
 introduced in Rack version 1.1.0 tightened the parsing of POST params, so
@@ -80,19 +103,19 @@ The ill devised <tt>:browser_only</tt> option could have been used to
 The following class methods try to ease the insertion of the anti-forging
 token.
 
-[<tt>Rack::Csrf.csrf_key</tt> (also <tt>Rack::Csrf.key</tt>)]
+[<tt>Rack::Csrf.key</tt> (also <tt>Rack::Csrf.csrf_key</tt>)]
   Returns the name of the key used to store/retrieve the token from the Rack
   session.
 
-[<tt>Rack::Csrf.csrf_field</tt> (also <tt>Rack::Csrf.field</tt>)]
+[<tt>Rack::Csrf.field</tt> (also <tt>Rack::Csrf.csrf_field</tt>)]
   Returns the name of the field that must be present in the request.
 
-[<tt>Rack::Csrf.csrf_token(env)</tt> (also <tt>Rack::Csrf.token(env)</tt>)]
+[<tt>Rack::Csrf.token(env)</tt> (also <tt>Rack::Csrf.csrf_token(env)</tt>)]
   Given the request's environment, it generates a random token, stuffs it in
   the session and returns it to the caller or simply retrieves the already
   stored one.
 
-[<tt>Rack::Csrf.csrf_tag(env)</tt> (also <tt>Rack::Csrf.tag(env)</tt>)]
+[<tt>Rack::Csrf.tag(env)</tt> (also <tt>Rack::Csrf.csrf_tag(env)</tt>)]
   Given the request's environment, it generates a small HTML fragment to
   insert the token in a standard form like an hidden input field with the
   right value already entered for you.
@@ -107,7 +130,7 @@ framework; see the various README files for other details.
 
 If you want to help:
 
-* fork the project[http://github.com/baldowl/rack_csrf] on GitHub;
+* fork the project[https://github.com/baldowl/rack_csrf] on GitHub;
 * work in a topic branch;
 * add features/specs for your additions or bug fixes;
 * write your additions/bug fixes;
@@ -115,7 +138,7 @@ If you want to help:
 * send me a pull request for the topic branch.
 
 If you have any issue, please post them on the {project's issue
-list}[http://github.com/baldowl/rack_csrf] on GitHub.
+list}[https://github.com/baldowl/rack_csrf] on GitHub.
 
 == Warning! Warning! Warning!
 

data/Rakefile

@@ -1,7 +1,7 @@
 require 'rake/clean'
 require 'cucumber/rake/task'
 require 'rspec/core/rake_task'
-require 'rake/rdoctask'
+require 'rdoc/task'
 require 'jeweler'
 
 Cucumber::Rake::Task.new :features
@@ -14,9 +14,10 @@ task :default => :spec
 
 version = File.exists?('VERSION') ? File.read('VERSION').strip : ''
 
-Rake::RDocTask.new :doc do |rdoc|
+RDoc::Task.new :doc do |rdoc|
   rdoc.rdoc_dir = 'doc'
   rdoc.title = "Rack::Csrf #{version}"
+  rdoc.main = 'README.rdoc'
   rdoc.rdoc_files.include('README.rdoc', 'LICENSE.rdoc')
   rdoc.rdoc_files.include('lib/**/*.rb')
 end
@@ -28,12 +29,13 @@ Jeweler::Tasks.new do |gem|
   gem.license = 'MIT'
   gem.authors = 'Emanuele Vicentini'
   gem.email = 'emanuele.vicentini@gmail.com'
-  gem.homepage = 'http://github.com/baldowl/rack_csrf'
+  gem.homepage = 'https://github.com/baldowl/rack_csrf'
   gem.rubyforge_project = 'rackcsrf'
   gem.add_dependency 'rack', '>= 0.9'
   gem.add_development_dependency 'cucumber', '>= 0.1.13'
   gem.add_development_dependency 'rack-test'
   gem.add_development_dependency 'rspec', '>= 2.0.0'
+  gem.add_development_dependency 'rdoc', '>= 2.4.2'
   gem.rdoc_options << '--line-numbers' << '--inline-source' << '--title' <<
     "Rack::Csrf #{version}" << '--main' << 'README.rdoc'
   gem.test_files.clear

data/VERSION

@@ -1 +1 @@
-2.2.0
+2.3.0

data/examples/camping/Gemfile

@@ -1,4 +1,4 @@
 source 'http://rubygems.org'
 
-gem 'camping', '2.1'
-gem 'markaby', '0.7.1'
+gem 'camping', '>= 2.1', '<= 2.1.467'
+gem 'markaby', '>= 0.7.1', '<= 0.7.2'

data/examples/camping/app.rb

@@ -37,7 +37,7 @@ module LittleApp
       form :action => URL(Response), :method => :post do
         h1 'Spit your utterance!'
         input :name => :utterance, :type => :text
-        text Rack::Csrf.csrf_tag(@env)
+        text Rack::Csrf.tag(@env)
         p {
           input :type => :submit, :value => :Send!
         }

data/examples/cuba/Gemfile

@@ -0,0 +1,3 @@
+source 'http://rubygems.org'
+
+gem 'cuba', '2.1.0'

data/examples/cuba/README.rdoc

@@ -0,0 +1,11 @@
+= How to use Rack::Csrf with Cuba
+
+This is a mini Cuba application with two slightly different rackup files.
+Beside Rack you only need Cuba to try them, so, assuming you have Bundler
+installed, run:
+
+    $ bundle install
+    $ bundle exec rackup -p 3000 config.ru
+    $ bundle exec rackup -p 3000 config-with-raise.ru
+
+Tested with Cuba versions listed in the Gemfile.

data/examples/cuba/app.rb

@@ -0,0 +1,17 @@
+Cuba.define do
+  on get do
+    on '' do
+      res.write render('views/form.erb')
+    end
+
+    on 'notworking' do
+      res.write render('views/form_not_working.erb')
+    end
+  end
+
+  on post do
+    on 'response', param(:utterance), param(Rack::Csrf.field) do |utterance, csrf|
+      res.write render('views/response.erb', :utterance => utterance, :csrf => csrf)
+    end
+  end
+end

data/examples/cuba/config-with-raise.ru

@@ -0,0 +1,11 @@
+require 'cuba'
+$: << File.join(File.dirname(__FILE__), '../../lib')
+require 'rack/csrf'
+
+Cuba.use Rack::ShowExceptions
+Cuba.use Rack::Session::Cookie
+Cuba.use Rack::Csrf, :raise => true
+
+require 'app'
+
+run Cuba

data/examples/cuba/config.ru

@@ -0,0 +1,10 @@
+require 'cuba'
+$: << File.join(File.dirname(__FILE__), '../../lib')
+require 'rack/csrf'
+
+Cuba.use Rack::Session::Cookie
+Cuba.use Rack::Csrf
+
+require 'app'
+
+run Cuba

data/examples/cuba/views/form.erb

@@ -0,0 +1,8 @@
+<form action="/response" method="post">
+  <h1>Spit your utterance!</h1>
+  <input type="text" name="utterance">
+  <%= Rack::Csrf.tag(env) %>
+  <p><input type="submit" value="Send!"></p>
+</form>
+
+<p>Try also the <a href="/notworking">not working</a> form!</p>

data/examples/cuba/views/form_not_working.erb

@@ -0,0 +1,7 @@
+<form action="/response" method="post">
+  <h1>Spit your utterance!</h1>
+  <input type="text" name="utterance">
+  <p><input type="submit" value="Send!"></p>
+</form>
+
+<p>Try also the <a href="/">working</a> form!</p>

data/examples/cuba/views/response.erb

@@ -0,0 +1,5 @@
+<p>It seems you've just said: <em><%= utterance %></em></p>
+
+<p>Here's the anti-CSRF token stuffed in the session: <strong><%= csrf %></strong></p>
+
+<p><a href='/'>Back</a></p>

data/examples/innate/Gemfile

@@ -1,3 +1,3 @@
 source 'http://rubygems.org'
 
-gem 'innate', '>= 2009.07', '<= 2011.01'
+gem 'innate', '>= 2009.07', '<= 2011.04'

data/examples/innate/app.rb

@@ -5,6 +5,6 @@ class LittleApp
 
   def response
     redirect_referer unless request.post?
-    @utterance, @csrf = request[:utterance, Rack::Csrf.csrf_field]
+    @utterance, @csrf = request[:utterance, Rack::Csrf.field]
   end
 end

data/examples/innate/view/index.erb

@@ -1,7 +1,7 @@
 <form action="/response" method="post">
   <h1>Spit your utterance!</h1>
   <input type="text" name="utterance">
-  <%= Rack::Csrf.csrf_tag(request.env) %>
+  <%= Rack::Csrf.tag(request.env) %>
   <p><input type="submit" value="Send!"></p>
 </form>
 

data/examples/rack/Gemfile

@@ -1,3 +1,3 @@
 source 'http://rubygems.org'
 
-gem 'rack', '>= 1.0.0', '<= 1.2.2'
+gem 'rack', '>= 1.0.0', '<= 1.3.5'

data/examples/rack/app.rb

@@ -3,7 +3,7 @@ class LittleApp
     <form action="/response" method="post">
       <h1>Spit your utterance!</h1>
       <input type="text" name="utterance">
-      <%= Rack::Csrf.csrf_tag(env) %>
+      <%= Rack::Csrf.tag(env) %>
       <p><input type="submit" value="Send!"></p>
     </form>
 
@@ -38,7 +38,7 @@ class LittleApp
       end
     elsif req.post?
       utterance = req['utterance']
-      csrf = req[Rack::Csrf.csrf_field]
+      csrf = req[Rack::Csrf.field]
       Rack::Response.new(@response.result(binding)).finish
     end
   end

data/examples/sinatra/Gemfile

@@ -1,3 +1,3 @@
 source 'http://rubygems.org'
 
-gem 'sinatra', '>= 0.9.4', '<= 1.2.1'
+gem 'sinatra', '>= 0.9.4', '<= 1.3.1'

data/examples/sinatra/app.rb

@@ -8,5 +8,5 @@ end
 
 post '/response' do
   erb :response, :locals => {:utterance => params[:utterance],
-    :csrf => params[Rack::Csrf.csrf_field]}
+    :csrf => params[Rack::Csrf.field]}
 end

data/examples/sinatra/views/form.erb

@@ -1,7 +1,7 @@
 <form action="/response" method="post">
   <h1>Spit your utterance!</h1>
   <input type="text" name="utterance">
-  <%= Rack::Csrf.csrf_tag(env) %>
+  <%= Rack::Csrf.tag(env) %>
   <p><input type="submit" value="Send!"></p>
 </form>
 

data/features/check_only_some_specific_requests.feature

@@ -0,0 +1,28 @@
+Feature: Check only some specific requests
+
+  Background:
+    Given a rack with the anti-CSRF middleware and the :check_only option
+      | pair             |
+      | POST:/check/this |
+
+  Scenario: Blocking that specific request
+    When it receives a POST request for /check/this without the CSRF token
+    Then it responds with 403
+
+  Scenario Outline: Not blocking other requests
+    When it receives a <method> request for <path> without the CSRF token
+    Then it lets it pass untouched
+
+    Examples:
+      | method | path         |
+      | GET    | /check/this  |
+      | PUT    | /check/this  |
+      | PATCH  | /check/this  |
+      | DELETE | /check/this  |
+      | CUSTOM | /check/this  |
+      | GET    | /another/one |
+      | POST   | /another/one |
+      | PUT    | /another/one |
+      | PATCH  | /another/one |
+      | DELETE | /another/one |
+      | CUSTOM | /another/one |

data/features/custom_http_methods.feature

@@ -0,0 +1,62 @@
+Feature: Handling custom HTTP methods
+
+  Background:
+    Given a rack with the anti-CSRF middleware and the :check_also option
+      | method |
+      | ME     |
+      | YOU    |
+
+  Scenario Outline: Blocking "standard" requests without the token
+    When it receives a <method> request without the CSRF token
+    Then it responds with 403
+    And the response body is empty
+
+    Examples:
+      | method |
+      | POST   |
+      | PUT    |
+      | DELETE |
+      | PATCH  |
+
+  Scenario Outline: Blocking "standard" requests with the wrong token
+    When it receives a <method> request with the wrong CSRF token
+    Then it responds with 403
+    And the response body is empty
+
+    Examples:
+      | method |
+      | POST   |
+      | PUT    |
+      | DELETE |
+      | PATCH  |
+
+  Scenario Outline: Blocking requests without the token
+    When it receives a <method> request without the CSRF token
+    Then it responds with 403
+    And the response body is empty
+
+    Examples:
+      | method |
+      | ME     |
+      | YOU    |
+
+  Scenario Outline: Blocking requests with the wrong token
+    When it receives a <method> request with the wrong CSRF token
+    Then it responds with 403
+    And the response body is empty
+
+    Examples:
+      | method |
+      | ME     |
+      | YOU    |
+
+  Scenario Outline: Letting pass "unknown" and safe requests without the token
+    When it receives a <method> request without the CSRF token
+    Then it lets it pass untouched
+
+    Examples:
+      | method  |
+      | HIM     |
+      | HER     |
+      | GET     |
+      | OPTIONS |

data/features/empty_responses.feature

@@ -1,17 +1,21 @@
 Feature: Handling of the HTTP requests returning an empty response
 
-  Scenario: GET request with CSRF token
+  Background:
     Given a rack with the anti-CSRF middleware
-    When it receives a GET request with the CSRF token
+
+  Scenario: GET request with the right CSRF token
+    When it receives a GET request with the right CSRF token
+    Then it lets it pass untouched
+
+  Scenario: GET request with the wrong CSRF token
+    When it receives a GET request with the wrong CSRF token
     Then it lets it pass untouched
 
   Scenario: GET request without CSRF token
-    Given a rack with the anti-CSRF middleware
     When it receives a GET request without the CSRF token
     Then it lets it pass untouched
 
   Scenario Outline: Handling request without CSRF token
-    Given a rack with the anti-CSRF middleware
     When it receives a <method> request without the CSRF token
     Then it responds with 403
     And the response body is empty
@@ -24,7 +28,6 @@ Feature: Handling of the HTTP requests returning an empty response
       | PATCH  |
 
   Scenario Outline: Handling request with the right CSRF token
-    Given a rack with the anti-CSRF middleware
     When it receives a <method> request with the right CSRF token
     Then it lets it pass untouched
 
@@ -36,7 +39,6 @@ Feature: Handling of the HTTP requests returning an empty response
       | PATCH  |
 
   Scenario Outline: Handling request with the wrong CSRF token
-    Given a rack with the anti-CSRF middleware
     When it receives a <method> request with the wrong CSRF token
     Then it responds with 403
     And the response body is empty

data/features/inspecting_also_get_requests.feature

@@ -0,0 +1,20 @@
+Feature: Inspecting also GET requests
+
+  Background:
+    Given a rack with the anti-CSRF middleware and the :check_also option
+      | method |
+      | GET    |
+
+  Scenario: GET request with the right CSRF token
+    When it receives a GET request with the right CSRF token
+    Then it lets it pass untouched
+
+  Scenario: GET request with the wrong CSRF token
+    When it receives a GET request with the wrong CSRF token
+    Then it responds with 403
+    And the response body is empty
+
+  Scenario: GET request without the CSRF token
+    When it receives a GET request without the CSRF token
+    Then it responds with 403
+    And the response body is empty

data/features/raising_exception.feature

@@ -1,12 +1,13 @@
 Feature: Handling of the HTTP requests raising an exception
 
-  Scenario: GET request without CSRF token
+  Background:
     Given a rack with the anti-CSRF middleware and the :raise option
+
+  Scenario: GET request without CSRF token
     When it receives a GET request without the CSRF token
     Then it lets it pass untouched
 
   Scenario Outline: Handling request without CSRF token
-    Given a rack with the anti-CSRF middleware and the :raise option
     When it receives a <method> request without the CSRF token
     Then there is no response
     And an exception is climbing up the stack
@@ -19,7 +20,6 @@ Feature: Handling of the HTTP requests raising an exception
       | PATCH  |
 
   Scenario Outline: Handling request with the right CSRF token
-    Given a rack with the anti-CSRF middleware and the :raise option
     When it receives a <method> request with the right CSRF token
     Then it lets it pass untouched
 
@@ -31,7 +31,6 @@ Feature: Handling of the HTTP requests raising an exception
       | PATCH  |
 
   Scenario Outline: Handling request with the wrong CSRF token
-    Given a rack with the anti-CSRF middleware and the :raise option
     When it receives a <method> request with the wrong CSRF token
     Then there is no response
     And an exception is climbing up the stack

data/features/setup.feature

@@ -32,3 +32,19 @@ Feature: Setup of the middleware
     Given a rack with the session middleware
     When I insert the anti-CSRF middleware with the :key option
     Then I get a fully functional rack
+
+  Scenario: Setup with the :check_also option
+    Given a rack with the session middleware
+    When I insert the anti-CSRF middleware with the :check_also option
+      | method |
+      | ME     |
+      | YOU    |
+    Then I get a fully functional rack
+
+  Scenario: Setup with the :check_only option
+    Given a rack with the session middleware
+    When I insert the anti-CSRF middleware with the :check_only option
+      | route               |
+      | POST:/check/me      |
+      | PUT:/check/this/too |
+    Then I get a fully functional rack

data/features/step_definitions/request_steps.rb

@@ -1,12 +1,7 @@
-When /^it receives a GET request (with|without) the CSRF token$/ do |prep|
-  params = prep == 'with' ? {Rack::Csrf.csrf_field => 'whatever'} : {}
-  @browser.get '/', :params => params
-end
-
 # Yes, they're not as DRY as possible, but I think they're more readable than
 # a single step definition with a few captures and more complex checkings.
 
-When /^it receives a (POST|PUT|DELETE|PATCH) request without the CSRF token$/ do |http_method|
+When /^it receives a (.*) request without the CSRF token$/ do |http_method|
   begin
     @browser.request '/', :method => http_method
   rescue Exception => e
@@ -14,7 +9,7 @@ When /^it receives a (POST|PUT|DELETE|PATCH) request without the CSRF token$/ do
   end
 end
 
-When /^it receives a (POST|PUT|DELETE|PATCH) request for (.+) without the CSRF token$/ do |http_method, path|
+When /^it receives a (.*) request for (.+) without the CSRF token$/ do |http_method, path|
   begin
     @browser.request path, :method => http_method
   rescue Exception => e
@@ -22,22 +17,22 @@ When /^it receives a (POST|PUT|DELETE|PATCH) request for (.+) without the CSRF t
   end
 end
 
-When /^it receives a (POST|PUT|DELETE|PATCH) request with the right CSRF token$/ do |http_method|
+When /^it receives a (.*) request with the right CSRF token$/ do |http_method|
   @browser.request '/', :method => http_method,
-    'rack.session' => {Rack::Csrf.csrf_key => 'right_token'},
-    :params => {Rack::Csrf.csrf_field => 'right_token'}
+    'rack.session' => {Rack::Csrf.key => 'right_token'},
+    :params => {Rack::Csrf.field => 'right_token'}
 end
 
-When /^it receives a (POST|PUT|DELETE|PATCH) request with the wrong CSRF token$/ do |http_method|
+When /^it receives a (.*) request with the wrong CSRF token$/ do |http_method|
   begin
     @browser.request '/', :method => http_method,
-      :params => {Rack::Csrf.csrf_field => 'whatever'}
+      :params => {Rack::Csrf.field => 'whatever'}
   rescue Exception => e
     @exception = e
   end
 end
 
-When /^it receives a (POST|PUT|DELETE|PATCH) request with neither PATH_INFO nor CSRF token$/ do |http_method|
+When /^it receives a (.*) request with neither PATH_INFO nor CSRF token$/ do |http_method|
   begin
     @browser.request '/doesntmatter', :method => http_method, 'PATH_INFO' => ''
   rescue Exception => e

data/features/step_definitions/setup_steps.rb

@@ -32,6 +32,16 @@ Given /^a rack with the anti\-CSRF middleware and the :key option$/ do
   When 'I insert the anti-CSRF middleware with the :key option'
 end
 
+Given /^a rack with the anti\-CSRF middleware and the :check_also option$/ do |table|
+  Given 'a rack with the session middleware'
+  When 'I insert the anti-CSRF middleware with the :check_also option', table
+end
+
+Given /^a rack with the anti\-CSRF middleware and the :check_only option$/ do |table|
+  Given 'a rack with the session middleware'
+  When 'I insert the anti-CSRF middleware with the :check_only option', table
+end
+
 # Yes, they're not as DRY as possible, but I think they're more readable than
 # a single step definition with a few captures and more complex checkings.
 
@@ -66,6 +76,20 @@ When /^I insert the anti\-CSRF middleware with the :key option$/ do
   @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
 end
 
+When /^I insert the anti\-CSRF middleware with the :check_also option$/ do |table|
+  check_also = table.hashes.collect {|t| t.values}.flatten
+  @rack_builder.use Rack::Csrf, :check_also => check_also
+  @app = toy_app
+  @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
+end
+
+When /^I insert the anti\-CSRF middleware with the :check_only option$/ do |table|
+  must_be_checked = table.hashes.collect {|t| t.values}.flatten
+  @rack_builder.use Rack::Csrf, :check_only => must_be_checked
+  @app = toy_app
+  @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
+end
+
 Then /^I get a fully functional rack$/ do
   expect {Rack::MockRequest.new(@app).get('/')}.to_not raise_exception
 end

data/features/variation_on_field_name.feature

@@ -1,12 +1,17 @@
 Feature: Customization of the field name
 
-  Scenario: GET request with CSRF token in custom field
+  Background:
     Given a rack with the anti-CSRF middleware and the :field option
-    When it receives a GET request with the CSRF token
+
+  Scenario: GET request with the right CSRF token in custom field
+    When it receives a GET request with the right CSRF token
+    Then it lets it pass untouched
+
+  Scenario: GET request with the wrong CSRF token in custom field
+    When it receives a GET request with the wrong CSRF token
     Then it lets it pass untouched
 
   Scenario Outline: Handling request with the right CSRF token in custom field
-    Given a rack with the anti-CSRF middleware and the :field option
     When it receives a <method> request with the right CSRF token
     Then it lets it pass untouched
 
@@ -18,7 +23,6 @@ Feature: Customization of the field name
       | PATCH  |
 
   Scenario Outline: Handling request with the wrong CSRF token in custom field
-    Given a rack with the anti-CSRF middleware and the :field option
     When it receives a <method> request with the wrong CSRF token
     Then it responds with 403
     And the response body is empty

data/features/variation_on_key_name.feature

@@ -1,12 +1,17 @@
 Feature: Customization of the key name
 
-  Scenario: GET request with CSRF token stored in custom key
+  Background:
     Given a rack with the anti-CSRF middleware and the :key option
-    When it receives a GET request with the CSRF token
+
+  Scenario: GET request with the right CSRF token stored in custom key
+    When it receives a GET request with the right CSRF token
+    Then it lets it pass untouched
+
+  Scenario: GET request with the wrong CSRF token stored in custom key
+    When it receives a GET request with the wrong CSRF token
     Then it lets it pass untouched
 
   Scenario Outline: Handling request with the right CSRF token stored in custom key
-    Given a rack with the anti-CSRF middleware and the :key option
     When it receives a <method> request with the right CSRF token
     Then it lets it pass untouched
 
@@ -18,7 +23,6 @@ Feature: Customization of the key name
       | PATCH  |
 
   Scenario Outline: Handling request with the wrong CSRF token stored in custom key
-    Given a rack with the anti-CSRF middleware and the :key option
     When it receives a <method> request with the wrong CSRF token
     Then it responds with 403
     And the response body is empty

data/lib/rack/csrf.rb

@@ -17,22 +17,25 @@ module Rack
       @app = app
 
       @raisable = opts[:raise] || false
-      @skippable = (opts[:skip] || []).map {|r| /\A#{r}\Z/i}
+      @to_be_skipped = (opts[:skip] || []).map {|r| /\A#{r}\Z/i}
+      @to_be_checked = (opts[:check_only] || []).map {|r| /\A#{r}\Z/i}
       @@field = opts[:field] if opts[:field]
       @@key = opts[:key] if opts[:key]
 
-      @http_verbs = %w(POST PUT DELETE PATCH)
+      standard_http_methods = %w(POST PUT DELETE PATCH)
+      check_also = opts[:check_also] || []
+      @http_methods = (standard_http_methods + check_also).flatten.uniq
     end
 
     def call(env)
       unless env['rack.session']
         raise SessionUnavailable.new('Rack::Csrf depends on session middleware')
       end
-      self.class.csrf_token(env)
+      self.class.token(env)
       req = Rack::Request.new(env)
-      untouchable = !@http_verbs.include?(req.request_method) ||
-        req.POST[self.class.csrf_field] == env['rack.session'][self.class.csrf_key] ||
-        skip_checking(req)
+      untouchable = skip_checking(req) ||
+        !@http_methods.include?(req.request_method) ||
+        req.params[self.class.field] == env['rack.session'][self.class.key]
       if untouchable
         @app.call(env)
       else
@@ -41,34 +44,40 @@ module Rack
       end
     end
 
-    def self.csrf_key
+    def self.key
       @@key
     end
 
-    def self.csrf_field
+    def self.field
       @@field
     end
 
-    def self.csrf_token(env)
-      env['rack.session'][csrf_key] ||= SecureRandom.base64(32)
+    def self.token(env)
+      env['rack.session'][key] ||= SecureRandom.base64(32)
     end
 
-    def self.csrf_tag(env)
-      %Q(<input type="hidden" name="#{csrf_field}" value="#{csrf_token(env)}" />)
+    def self.tag(env)
+      %Q(<input type="hidden" name="#{field}" value="#{token(env)}" />)
     end
 
     class << self
-      alias_method :key, :csrf_key
-      alias_method :field, :csrf_field
-      alias_method :token, :csrf_token
-      alias_method :tag, :csrf_tag
+      alias_method :csrf_key, :key
+      alias_method :csrf_field, :field
+      alias_method :csrf_token, :token
+      alias_method :csrf_tag, :tag
     end
 
     protected
 
     def skip_checking request
+      skip = any? @to_be_skipped, request
+      allow = any? @to_be_checked, request
+      skip || (!@to_be_checked.empty? && !allow)
+    end
+    
+    def any? list, request
       pi = request.path_info.empty? ? '/' : request.path_info
-      @skippable.any? do |route|
+      list.any? do |route|
         route =~ (request.request_method + ':' + pi)
       end
     end

data/rack_csrf.gemspec

@@ -4,14 +4,14 @@
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
-  s.name = %q{rack_csrf}
-  s.version = "2.2.0"
+  s.name = "rack_csrf"
+  s.version = "2.3.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Emanuele Vicentini"]
-  s.date = %q{2011-04-12}
-  s.description = %q{Anti-CSRF Rack middleware}
-  s.email = %q{emanuele.vicentini@gmail.com}
+  s.date = "2011-10-23"
+  s.description = "Anti-CSRF Rack middleware"
+  s.email = "emanuele.vicentini@gmail.com"
   s.extra_rdoc_files = [
     "LICENSE.rdoc",
     "README.rdoc"
@@ -28,6 +28,14 @@ Gem::Specification.new do |s|
     "examples/camping/README.rdoc",
     "examples/camping/app.rb",
     "examples/camping/config.ru",
+    "examples/cuba/Gemfile",
+    "examples/cuba/README.rdoc",
+    "examples/cuba/app.rb",
+    "examples/cuba/config-with-raise.ru",
+    "examples/cuba/config.ru",
+    "examples/cuba/views/form.erb",
+    "examples/cuba/views/form_not_working.erb",
+    "examples/cuba/views/response.erb",
     "examples/innate/Gemfile",
     "examples/innate/README.rdoc",
     "examples/innate/app.rb",
@@ -49,7 +57,10 @@ Gem::Specification.new do |s|
     "examples/sinatra/views/form.erb",
     "examples/sinatra/views/form_not_working.erb",
     "examples/sinatra/views/response.erb",
+    "features/check_only_some_specific_requests.feature",
+    "features/custom_http_methods.feature",
     "features/empty_responses.feature",
+    "features/inspecting_also_get_requests.feature",
     "features/raising_exception.feature",
     "features/setup.feature",
     "features/skip_some_routes.feature",
@@ -66,13 +77,13 @@ Gem::Specification.new do |s|
     "spec/csrf_spec.rb",
     "spec/spec_helper.rb"
   ]
-  s.homepage = %q{http://github.com/baldowl/rack_csrf}
+  s.homepage = "https://github.com/baldowl/rack_csrf"
   s.licenses = ["MIT"]
-  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Rack::Csrf 2.2.0", "--main", "README.rdoc"]
+  s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Rack::Csrf 2.3.0", "--main", "README.rdoc"]
   s.require_paths = ["lib"]
-  s.rubyforge_project = %q{rackcsrf}
-  s.rubygems_version = %q{1.7.2}
-  s.summary = %q{Anti-CSRF Rack middleware}
+  s.rubyforge_project = "rackcsrf"
+  s.rubygems_version = "1.8.11"
+  s.summary = "Anti-CSRF Rack middleware"
 
   if s.respond_to? :specification_version then
     s.specification_version = 3
@@ -82,17 +93,20 @@ Gem::Specification.new do |s|
       s.add_development_dependency(%q<cucumber>, [">= 0.1.13"])
       s.add_development_dependency(%q<rack-test>, [">= 0"])
       s.add_development_dependency(%q<rspec>, [">= 2.0.0"])
+      s.add_development_dependency(%q<rdoc>, [">= 2.4.2"])
     else
       s.add_dependency(%q<rack>, [">= 0.9"])
       s.add_dependency(%q<cucumber>, [">= 0.1.13"])
       s.add_dependency(%q<rack-test>, [">= 0"])
       s.add_dependency(%q<rspec>, [">= 2.0.0"])
+      s.add_dependency(%q<rdoc>, [">= 2.4.2"])
     end
   else
     s.add_dependency(%q<rack>, [">= 0.9"])
     s.add_dependency(%q<cucumber>, [">= 0.1.13"])
     s.add_dependency(%q<rack-test>, [">= 0"])
     s.add_dependency(%q<rspec>, [">= 2.0.0"])
+    s.add_dependency(%q<rdoc>, [">= 2.4.2"])
   end
 end
 

data/spec/csrf_spec.rb

@@ -1,46 +1,46 @@
 require File.join(File.dirname(__FILE__), 'spec_helper.rb')
 
 describe Rack::Csrf do
-  describe 'csrf_key' do
+  describe 'key' do
     it "should be 'csrf.token' by default" do
-      Rack::Csrf.csrf_key.should == 'csrf.token'
+      Rack::Csrf.key.should == 'csrf.token'
     end
 
     it "should be the value of the :key option" do
       fakeapp = lambda {|env| [200, {}, []]}
       Rack::Csrf.new fakeapp, :key => 'whatever'
-      Rack::Csrf.csrf_key.should == 'whatever'
+      Rack::Csrf.key.should == 'whatever'
     end
   end
 
-  describe 'key' do
-    it 'should be the same as csrf_key' do
-      Rack::Csrf.method(:key).should == Rack::Csrf.method(:csrf_key)
+  describe 'csrf_key' do
+    it 'should be the same as method key' do
+      Rack::Csrf.method(:csrf_key).should == Rack::Csrf.method(:key)
     end
   end
 
-  describe 'csrf_field' do
+  describe 'field' do
     it "should be '_csrf' by default" do
-      Rack::Csrf.csrf_field.should == '_csrf'
+      Rack::Csrf.field.should == '_csrf'
     end
 
     it "should be the value of :field option" do
       fakeapp = lambda {|env| [200, {}, []]}
       Rack::Csrf.new fakeapp, :field => 'whatever'
-      Rack::Csrf.csrf_field.should == 'whatever'
+      Rack::Csrf.field.should == 'whatever'
     end
   end
 
-  describe 'field' do
-    it 'should be the same as csrf_field' do
-      Rack::Csrf.method(:field).should == Rack::Csrf.method(:csrf_field)
+  describe 'csrf_field' do
+    it 'should be the same as method field' do
+      Rack::Csrf.method(:csrf_field).should == Rack::Csrf.method(:field)
     end
   end
 
-  describe 'csrf_token(env)' do
+  describe 'token(env)' do
     let(:env) { {'rack.session' => {}} }
 
-    specify {Rack::Csrf.csrf_token(env).should have_at_least(32).characters}
+    specify {Rack::Csrf.token(env).should have_at_least(32).characters}
 
     context 'when accessing/manipulating the session' do
       before do
@@ -48,45 +48,45 @@ describe Rack::Csrf do
         Rack::Csrf.new fakeapp, :key => 'whatever'
       end
 
-      it 'should use the key provided by csrf_key' do
+      it 'should use the key provided by method key' do
         env['rack.session'].should be_empty
-        Rack::Csrf.csrf_token env
-        env['rack.session'][Rack::Csrf.csrf_key].should_not be_nil
+        Rack::Csrf.token env
+        env['rack.session'][Rack::Csrf.key].should_not be_nil
       end
     end
 
     context 'when the session does not already contain the token' do
       it 'should store the token inside the session' do
         env['rack.session'].should be_empty
-        csrf_token = Rack::Csrf.csrf_token(env)
-        csrf_token.should == env['rack.session'][Rack::Csrf.csrf_key]
+        token = Rack::Csrf.token(env)
+        token.should == env['rack.session'][Rack::Csrf.key]
       end
     end
 
     context 'when the session already contains the token' do
       before do
-        Rack::Csrf.csrf_token env
+        Rack::Csrf.token env
       end
 
       it 'should get the token from the session' do
-        env['rack.session'][Rack::Csrf.csrf_key].should == Rack::Csrf.csrf_token(env)
+        env['rack.session'][Rack::Csrf.key].should == Rack::Csrf.token(env)
       end
     end
   end
 
-  describe 'token(env)' do
-    it 'should be the same as csrf_token(env)' do
-      Rack::Csrf.method(:token).should == Rack::Csrf.method(:csrf_token)
+  describe 'csrf_token(env)' do
+    it 'should be the same as method token(env)' do
+      Rack::Csrf.method(:csrf_token).should == Rack::Csrf.method(:token)
     end
   end
 
-  describe 'csrf_tag(env)' do
+  describe 'tag(env)' do
     let(:env) { {'rack.session' => {}} }
 
     let :tag do
       fakeapp = lambda {|env| [200, {}, []]}
       Rack::Csrf.new fakeapp, :field => 'whatever'
-      Rack::Csrf.csrf_tag env
+      Rack::Csrf.tag env
     end
 
     it 'should be an input field' do
@@ -97,19 +97,96 @@ describe Rack::Csrf do
       tag.should =~ /type="hidden"/
     end
 
-    it "should have the csrf_field's name" do
-      tag.should =~ /name="#{Rack::Csrf.csrf_field}"/
+    it "should have the name provided by method field" do
+      tag.should =~ /name="#{Rack::Csrf.field}"/
     end
 
-    it "should have the csrf_token's output" do
-      quoted_value = Regexp.quote %Q(value="#{Rack::Csrf.csrf_token(env)}")
+    it "should have the value provided by method token(env)" do
+      quoted_value = Regexp.quote %Q(value="#{Rack::Csrf.token(env)}")
       tag.should =~ /#{quoted_value}/
     end
   end
 
-  describe 'tag(env)' do
-    it 'should be the same as csrf_tag(env)' do
-      Rack::Csrf.method(:tag).should == Rack::Csrf.method(:csrf_tag)
+  describe 'csrf_tag(env)' do
+    it 'should be the same as method tag(env)' do
+      Rack::Csrf.method(:csrf_tag).should == Rack::Csrf.method(:tag)
+    end
+  end
+
+  describe 'skip_checking' do
+    class MockReq
+      attr_accessor :path_info, :request_method
+    end
+
+    before :each do
+      @request = MockReq.new
+      @request.path_info = '/hello'
+      @request.request_method = 'POST'
+    end
+
+    context 'with empty :skip and :check_only lists' do
+      let(:csrf) { Rack::Csrf.new nil }
+
+      it 'should run the check, irrespective of the request' do
+        csrf.send(:skip_checking, @request).should be_false
+      end
+    end
+
+    context 'with routes in the :skip list and nothing in the :check_only list' do
+      let(:csrf) { Rack::Csrf.new nil, :skip => ['POST:/hello'] }
+
+      it 'should skip the check when the request is included in the :skip list' do
+        csrf.send(:skip_checking, @request).should be_true
+      end
+
+      it 'should run the check when the request is not in the :skip list' do
+        @request.path_info = '/byebye'
+        csrf.send(:skip_checking, @request).should be_false
+      end
+    end
+
+    context 'with routes in the :check_only list and nothing in the :skip list' do
+      let(:csrf) { Rack::Csrf.new nil, :check_only => ['POST:/hello'] }
+
+      it 'should run the check when the request is included in the :check_only list' do
+        csrf.send(:skip_checking, @request).should be_false
+      end
+
+      it 'should skip the check when the request is not in the :check_only list' do
+        @request.path_info = '/byebye'
+        csrf.send(:skip_checking, @request).should be_true
+      end
+    end
+
+    context 'with different routes in the :skip and :check_only lists' do
+      let :csrf do
+        Rack::Csrf.new nil,
+          :skip => ['POST:/hello'],
+          :check_only => ['POST:/byebye']
+      end
+
+      it 'should skip the check when the request is included in the :skip list' do
+        csrf.send(:skip_checking, @request).should be_true
+      end
+
+      it 'should run the check when the request is included in the :check_only list' do
+        @request.path_info = '/byebye'
+        csrf.send(:skip_checking, @request).should be_false
+      end
+    end
+
+    context 'with the same routes in the :check_only and :skip lists' do
+      let :csrf do
+        Rack::Csrf.new nil,
+          :skip => ['POST:/hello'],
+          :check_only => ['POST:/hello']
+      end
+
+      context 'when the request is included in one of the list' do
+        it 'should ignore the :check_only list and skip the check' do
+          csrf.send(:skip_checking, @request).should be_true
+        end
+      end
     end
   end
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack_csrf
 version: !ruby/object:Gem::Version 
-  hash: 7
+  hash: 3
   prerelease: 
   segments: 
   - 2
-  - 2
+  - 3
   - 0
-  version: 2.2.0
+  version: 2.3.0
 platform: ruby
 authors: 
 - Emanuele Vicentini
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-04-12 00:00:00 Z
+date: 2011-10-23 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: rack
@@ -78,6 +78,22 @@ dependencies:
         version: 2.0.0
   type: :development
   version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: rdoc
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 27
+        segments: 
+        - 2
+        - 4
+        - 2
+        version: 2.4.2
+  type: :development
+  version_requirements: *id005
 description: Anti-CSRF Rack middleware
 email: emanuele.vicentini@gmail.com
 executables: []
@@ -99,6 +115,14 @@ files:
 - examples/camping/README.rdoc
 - examples/camping/app.rb
 - examples/camping/config.ru
+- examples/cuba/Gemfile
+- examples/cuba/README.rdoc
+- examples/cuba/app.rb
+- examples/cuba/config-with-raise.ru
+- examples/cuba/config.ru
+- examples/cuba/views/form.erb
+- examples/cuba/views/form_not_working.erb
+- examples/cuba/views/response.erb
 - examples/innate/Gemfile
 - examples/innate/README.rdoc
 - examples/innate/app.rb
@@ -120,7 +144,10 @@ files:
 - examples/sinatra/views/form.erb
 - examples/sinatra/views/form_not_working.erb
 - examples/sinatra/views/response.erb
+- features/check_only_some_specific_requests.feature
+- features/custom_http_methods.feature
 - features/empty_responses.feature
+- features/inspecting_also_get_requests.feature
 - features/raising_exception.feature
 - features/setup.feature
 - features/skip_some_routes.feature
@@ -136,7 +163,7 @@ files:
 - rack_csrf.gemspec
 - spec/csrf_spec.rb
 - spec/spec_helper.rb
-homepage: http://github.com/baldowl/rack_csrf
+homepage: https://github.com/baldowl/rack_csrf
 licenses: 
 - MIT
 post_install_message: 
@@ -144,7 +171,7 @@ rdoc_options:
 - --line-numbers
 - --inline-source
 - --title
-- Rack::Csrf 2.2.0
+- Rack::Csrf 2.3.0
 - --main
 - README.rdoc
 require_paths: 
@@ -170,7 +197,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: rackcsrf
-rubygems_version: 1.7.2
+rubygems_version: 1.8.11
 signing_key: 
 specification_version: 3
 summary: Anti-CSRF Rack middleware