rack_csrf 2.5.0 → 2.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 347ff3179f58ae9f50ba7ea21ced84f4e79ce39a
-  data.tar.gz: ae43acbd043e920ae4aa0f19bf9607f4c8775fb2
+  metadata.gz: 7481a1058bae8d7a4fef4806a5fb72599cc3b724
+  data.tar.gz: 0af8b6cec94f2ca0703cb72478199e30aa60fc17
 SHA512:
-  metadata.gz: f57f414196810efbb0fde60593cb889e2e4c9897e714afb10c8d44e232b522fa068820f9c9fbb461dd19eefaf56553063fdd1c195363ad41a6eef686d77bb14c
-  data.tar.gz: ffe85c09c9da3ffec3d39d1e30f88ddeb46558505f8f2d87fb56a6a1b31eb1c2706ca4a9b59a262ac2af87665d4871ac39d521ccfd3e8d5bf84acb8ded360a78
+  metadata.gz: d5c1d649719acfc69b42e0a9760f9021e313cab550efff436d988ad4886646312ece6ae6ecd672546011848382924e402364d9454cbc844e5ea2bc2f6cb842c6
+  data.tar.gz: 25d4bec6bb2489c6999d0db1f9bd4969ebde37b9533b496c4ccde981c55949ee8922984feda32a56ec342d22de428c33a4be18204b8641d468b27594913d1a7c

data/.gitignore

@@ -1,2 +1,5 @@
-Gemfile.lock
+.bundle
 .rvmrc
+Gemfile.lock
+doc
+pkg

data/.travis.yml

@@ -1,15 +1,25 @@
+sudo: false
+
 language: ruby
 
 rvm:
-  - 1.8.7
-  - 1.9.2
-  - 1.9.3
-  - 2.0.0
-  - 2.1.0
+  - 2.0.0-p648
+  - 2.1.10
+  - 2.2.6
+  - 2.3.3
+  - 2.4.0
 
 env:
-  - TEST_WITH_RACK=1.1.0
-  - TEST_WITH_RACK=1.2.0
-  - TEST_WITH_RACK=1.3.0
   - TEST_WITH_RACK=1.4.0
   - TEST_WITH_RACK=1.5.0
+  - TEST_WITH_RACK=1.6.0
+  - TEST_WITH_RACK=2.0.0
+
+matrix:
+  exclude:
+    - rvm: 2.0.0-p648
+      env: TEST_WITH_RACK=2.0.0
+    - rvm: 2.1.10
+      env: TEST_WITH_RACK=2.0.0
+
+script: bundle exec rake spec features

data/Changelog.md

@@ -1,3 +1,14 @@
+# v2.6.0 (2016-12-31)
+
+Many little, internal, changes; the important ones are:
+
+* switched to use SecureRandom.urlsafe_base64 to make the token URL-friendly
+  (courtesy of [steved](https://github.com/steved));
+* code is tested against Rack 1.4, 1.5, 1.6 and 2.0;
+* code is tested only on Ruby 2.0.0 and later.
+
+
+
 # v2.5.0 (2014-06-15)
 
 * Fixed/improved the examples.

data/LICENSE.rdoc

@@ -2,7 +2,7 @@
 
 (The MIT License)
 
-Copyright (c) 2009, 2010, 2011, 2012, 2014 Emanuele Vicentini
+Copyright (c) 2009, 2010, 2011, 2012, 2014, 2016 Emanuele Vicentini
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the 'Software'), to deal

data/README.rdoc

@@ -190,6 +190,13 @@ In the +examples+ directory there are some small, working web applications
 written with different Rack-based frameworks. They are named after the used
 framework; see the various README files for other details.
 
+== Supported Rubies and Racks
+
+The gemspec shows the minimum Ruby and Rack versions, but Rack::Csrf is
+tested only with the Rubies and Racks you can see in +.travis.yml+. It could
+work also with older versions, but I decided not to test it against
+unsupported Rubies and Racks.
+
 == Contributing
 
 If you want to help:
@@ -212,5 +219,5 @@ forgo responsibilities for keeping your application as safe as possible.
 
 == Copyright
 
-Copyright (c) 2009, 2010, 2011, 2012, 2014 Emanuele Vicentini. See
+Copyright (c) 2009, 2010, 2011, 2012, 2014, 2016 Emanuele Vicentini. See
 LICENSE.rdoc for details.

data/Rakefile

@@ -31,7 +31,7 @@ Shows the changelog in Git between the given points.
 start -- defaults to the current version tag
 end   -- defaults to HEAD
 EOD
-task :changes, [:start, :end] do |t, args|
+task :changes, [:start, :end] do |_, args|
   args.with_defaults :start => "v#{Rack::Csrf::VERSION}",
     :end => 'HEAD'
   repo = Git.open Dir.pwd

data/examples/camping/app.rb

@@ -6,7 +6,7 @@ Camping.goes :LittleApp
 
 module LittleApp
   use Rack::Csrf # This has to come BEFORE 'include Camping::Session',
-                 # otherwise you get the 'Rack::Csrf depends on session 
+                 # otherwise you get the 'Rack::Csrf depends on session
                  # middleware' exception. Weird...
   include Camping::Session
 

data/examples/sinatra/app.rb

@@ -7,6 +7,8 @@ get '/notworking' do
 end
 
 post '/response' do
-  erb :response, :locals => {:utterance => params[:utterance],
-    :csrf => params[Rack::Csrf.field]}
+  erb :response, :locals => {
+    :utterance => params[:utterance],
+    :csrf => params[Rack::Csrf.field]
+  }
 end

data/features/step_definitions/request_steps.rb

@@ -4,7 +4,7 @@
 When /^it receives a (.*) request without the CSRF (?:token|header)$/ do |http_method|
   begin
     @browser.request '/', :method => http_method
-  rescue Exception => e
+  rescue StandardError => e
     @exception = e
   end
 end
@@ -12,7 +12,7 @@ end
 When /^it receives a (.*) request for (.+) without the CSRF (?:token|header|token or header)$/ do |http_method, path|
   begin
     @browser.request path, :method => http_method
-  rescue Exception => e
+  rescue StandardError => e
     @exception = e
   end
 end
@@ -34,7 +34,7 @@ When /^it receives a (.*) request with the wrong CSRF token$/ do |http_method|
     @browser.request '/', :method        => http_method,
                           'rack.session' => {Rack::Csrf.key   => 'right_token'},
                           :params        => {Rack::Csrf.field => 'wrong_token'}
-  rescue Exception => e
+  rescue StandardError => e
     @exception = e
   end
 end
@@ -43,7 +43,7 @@ When /^it receives a (.*) request with the wrong CSRF header/ do |http_method|
   begin
     @browser.request '/', :method => http_method,
                           Rack::Csrf.rackified_header => 'right_token'
-  rescue Exception => e
+  rescue StandardError => e
     @exception = e
   end
 end
@@ -51,7 +51,7 @@ end
 When /^it receives a (.*) request with neither PATH_INFO nor CSRF token or header$/ do |http_method|
   begin
     @browser.request '/doesntmatter', :method => http_method, 'PATH_INFO' => ''
-  rescue Exception => e
+  rescue StandardError => e
     @exception = e
   end
 end
@@ -59,7 +59,7 @@ end
 When /^it receives a request with headers (.+) = ([^ ]+) without the CSRF token or header$/ do |name, value|
   begin
     @browser.request '/', Hash[:method, 'POST', name, value]
-  rescue Exception => e
+  rescue StandardError => e
     @exception = e
   end
 end
@@ -67,7 +67,7 @@ end
 When /^it receives a request with headers (.+) = ([^,]+), (.+), and without the CSRF token or header$/ do |name, value, method|
   begin
     @browser.request '/', Hash[:method, method, name, value]
-  rescue Exception => e
+  rescue StandardError => e
     @exception = e
   end
 end

data/features/step_definitions/response_steps.rb

@@ -1,14 +1,14 @@
 Then /^it lets it pass untouched$/ do
-  @browser.last_response.should be_ok
-  @browser.last_response.should =~ /Hello world!/
+  expect(@browser.last_response).to be_ok
+  expect(@browser.last_response).to match(/Hello world!/)
 end
 
 Then /^it responds with (\d\d\d)$/ do |code|
-  @browser.last_response.status.should == code.to_i
+  expect(@browser.last_response.status).to eq(code.to_i)
 end
 
 Then /^the response body is empty$/ do
-  @browser.last_response.body.should be_empty
+  expect(@browser.last_response.body).to be_empty
 end
 
 Then /^there is no response$/ do
@@ -16,5 +16,5 @@ Then /^there is no response$/ do
 end
 
 Then /^an exception is climbing up the stack$/ do
-  @exception.should be_an_instance_of(Rack::Csrf::InvalidCsrfToken)
+  expect(@exception).to be_an_instance_of(Rack::Csrf::InvalidCsrfToken)
 end

data/features/step_definitions/setup_steps.rb

@@ -73,7 +73,7 @@ When /^I insert the anti\-CSRF middleware with the :raise option$/ do
 end
 
 When /^I insert the anti\-CSRF middleware with the :skip option$/ do |table|
-  skippable = table.hashes.collect {|t| t.values}.flatten
+  skippable = table.hashes.collect(&:values).flatten
   @rack_builder.use Rack::Csrf, :skip => skippable
   @app = toy_app
   @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
@@ -82,9 +82,10 @@ end
 When /^I insert the anti\-CSRF middleware with the :skip_if option$/ do |table|
   skippable = {}
   table.hashes.each {|row| skippable[row['name']] = row['value']}
-  @rack_builder.use Rack:: Csrf, :skip_if => Proc.new { |request|
+  skip_logic = Proc.new do |request|
     skippable.any? { |name, value| request.env[name] == value }
-  }
+  end
+  @rack_builder.use Rack:: Csrf, :skip_if => skip_logic
   @app = toy_app
   @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
 end
@@ -96,10 +97,11 @@ When /^I insert the anti\-CSRF middleware with the :skip and :skip_if options$/
     skip_option_arguments << row['path']
     skip_if_option_arguments[row['name']] = row['value']
   end
-
-  @rack_builder.use Rack:: Csrf, :skip => skip_option_arguments, :skip_if => Proc.new { |request|
+  skip_if_logic = Proc.new do |request|
     skip_if_option_arguments.any? { |name, value| request.env[name] == value }
-  }
+  end
+  @rack_builder.use Rack::Csrf, :skip => skip_option_arguments,
+    :skip_if => skip_if_logic
   @app = toy_app
   @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
 end
@@ -123,14 +125,14 @@ When /^I insert the anti\-CSRF middleware with the :header option$/ do
 end
 
 When /^I insert the anti\-CSRF middleware with the :check_also option$/ do |table|
-  check_also = table.hashes.collect {|t| t.values}.flatten
+  check_also = table.hashes.collect(&:values).flatten
   @rack_builder.use Rack::Csrf, :check_also => check_also
   @app = toy_app
   @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
 end
 
 When /^I insert the anti\-CSRF middleware with the :check_only option$/ do |table|
-  must_be_checked = table.hashes.collect {|t| t.values}.flatten
+  must_be_checked = table.hashes.collect(&:values).flatten
   @rack_builder.use Rack::Csrf, :check_only => must_be_checked
   @app = toy_app
   @browser = Rack::Test::Session.new(Rack::MockSession.new(@app))
@@ -147,6 +149,6 @@ Then /^I get an error message$/ do
 end
 
 def toy_app
-  @rack_builder.run(lambda {|env| Rack::Response.new('Hello world!').finish})
+  @rack_builder.run(lambda {|_| Rack::Response.new('Hello world!').finish})
   @rack_builder.to_app
 end

data/features/support/fake_session.rb

@@ -4,8 +4,9 @@ class FakeSession
   def initialize(app)
     @app = app
   end
+
   def call(env)
-    env['rack.session'] ||= Hash.new
+    env['rack.session'] ||= {}
     @app.call(env)
   end
 end

data/lib/rack/csrf.rb

@@ -13,32 +13,31 @@ module Rack
     def initialize(app, opts = {})
       @app = app
 
-      @raisable        = opts[:raise] || false
-      @skip_list       = (opts[:skip] || []).map {|r| /\A#{r}\Z/i}
-      @skip_if         = opts[:skip_if] if opts[:skip_if]
-      @check_only_list = (opts[:check_only] || []).map {|r| /\A#{r}\Z/i}
-      @@field          = opts[:field] if opts[:field]
-      @@header         = opts[:header] if opts[:header]
-      @@key            = opts[:key] if opts[:key]
+      @raise_if_invalid = opts.fetch(:raise, false)
+      @skip_list        = opts.fetch(:skip, []).map {|r| /\A#{r}\Z/i}
+      @skip_if          = opts[:skip_if]
+      @check_only_list  = opts.fetch(:check_only, []).map {|r| /\A#{r}\Z/i}
+      @@field           = opts[:field] if opts[:field]
+      @@header          = opts[:header] if opts[:header]
+      @@key             = opts[:key] if opts[:key]
 
       standard_http_methods = %w(POST PUT DELETE PATCH)
-      check_also            = opts[:check_also] || []
+      check_also            = opts.fetch(:check_also, [])
       @http_methods = (standard_http_methods + check_also).flatten.uniq
     end
 
     def call(env)
       unless env['rack.session']
-        raise SessionUnavailable.new('Rack::Csrf depends on session middleware')
+        fail SessionUnavailable, 'Rack::Csrf depends on session middleware'
       end
       req = Rack::Request.new(env)
-      untouchable = skip_checking(req) ||
+      let_it_pass = skip_checking(req) ||
         !@http_methods.include?(req.request_method) ||
-        req.params[self.class.field] == self.class.token(env) ||
-        req.env[self.class.rackified_header] == self.class.token(env)
-      if untouchable
+        found_a_valid_token?(req)
+      if let_it_pass
         @app.call(env)
       else
-        raise InvalidCsrfToken if @raisable
+        fail InvalidCsrfToken if @raise_if_invalid
         [403, {'Content-Type' => 'text/html', 'Content-Length' => '0'}, []]
       end
     end
@@ -56,7 +55,7 @@ module Rack
     end
 
     def self.token(env)
-      env['rack.session'][key] ||= SecureRandom.base64(32)
+      env['rack.session'][key] ||= SecureRandom.urlsafe_base64(32)
     end
 
     def self.tag(env)
@@ -64,7 +63,7 @@ module Rack
     end
 
     def self.metatag(env, options = {})
-      name = options.delete(:name) || '_csrf'
+      name = options.fetch(:name, '_csrf')
       %Q(<meta name="#{name}" content="#{token(env)}" />)
     end
 
@@ -81,7 +80,7 @@ module Rack
 
     # Returns the custom header's name adapted to current standards.
     def self.rackified_header
-      "HTTP_#{@@header.gsub('-','_').upcase}"
+      "HTTP_#{@@header.gsub('-', '_').upcase}"
     end
 
     # Returns +true+ if the given request appears in the <b>skip list</b> or
@@ -103,5 +102,11 @@ module Rack
         route =~ (request.request_method + ':' + pi)
       end
     end
+
+    def found_a_valid_token? request
+      token = self.class.token(request.env)
+      Rack::Utils.secure_compare(request.params[self.class.field].to_s, token) ||
+        Rack::Utils.secure_compare(request.env[self.class.rackified_header].to_s, token)
+    end
   end
 end

data/lib/rack/csrf/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class Csrf
-    VERSION = '2.5.0'
+    VERSION = '2.6.0'
   end
 end

data/rack_csrf.gemspec

@@ -13,8 +13,7 @@ Gem::Specification.new do |spec|
   spec.homepage              = 'https://github.com/baldowl/rack_csrf'
   spec.license               = 'MIT'
 
-  spec.files                 = `git ls-files`.split($/)
-  spec.executables           = spec.files.grep(%r{^bin/}) {|f| File.basename f}
+  spec.files                 = `git ls-files -z`.split("\x0")
   spec.test_files            = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths         = ['lib']
 
@@ -31,7 +30,7 @@ Gem::Specification.new do |spec|
     'README.rdoc'
   ]
 
-  spec.required_ruby_version = '>= 1.8.7'
+  spec.required_ruby_version = '>= 1.9.2'
 
   if ENV['TEST_WITH_RACK']
     spec.add_runtime_dependency 'rack', "~> #{ENV['TEST_WITH_RACK']}"
@@ -41,10 +40,9 @@ Gem::Specification.new do |spec|
 
   spec.add_development_dependency 'bundler', '>= 1.0.0'
   spec.add_development_dependency 'rake'
-  spec.add_development_dependency 'cucumber', '>= 1.1.1'
+  spec.add_development_dependency 'cucumber', '~> 2.4'
   spec.add_development_dependency 'rack-test', '>= 0'
   spec.add_development_dependency 'rspec', '~> 3.0'
-  spec.add_development_dependency 'rspec-collection_matchers'
   spec.add_development_dependency 'rdoc', '>= 2.4.2'
   spec.add_development_dependency 'git', '>= 1.2.5'
 end

data/spec/csrf_spec.rb

@@ -3,58 +3,67 @@ require 'spec_helper'
 describe Rack::Csrf do
   describe 'key' do
     it "should be 'csrf.token' by default" do
-      Rack::Csrf.key.should == 'csrf.token'
+      expect(Rack::Csrf.key).to eq('csrf.token')
     end
 
-    it "should be the value of the :key option" do
+    it 'should be the value of the :key option' do
       Rack::Csrf.new nil, :key => 'whatever'
-      Rack::Csrf.key.should == 'whatever'
+      expect(Rack::Csrf.key).to eq('whatever')
     end
   end
 
   describe 'csrf_key' do
     it 'should be the same as method key' do
-      Rack::Csrf.method(:csrf_key).should == Rack::Csrf.method(:key)
+      expect(Rack::Csrf.method(:csrf_key)).to eq(Rack::Csrf.method(:key))
     end
   end
 
   describe 'field' do
     it "should be '_csrf' by default" do
-      Rack::Csrf.field.should == '_csrf'
+      expect(Rack::Csrf.field).to eq('_csrf')
     end
 
-    it "should be the value of :field option" do
+    it 'should be the value of :field option' do
       Rack::Csrf.new nil, :field => 'whatever'
-      Rack::Csrf.field.should == 'whatever'
+      expect(Rack::Csrf.field).to eq('whatever')
     end
   end
 
   describe 'csrf_field' do
     it 'should be the same as method field' do
-      Rack::Csrf.method(:csrf_field).should == Rack::Csrf.method(:field)
+      expect(Rack::Csrf.method(:csrf_field)).to eq(Rack::Csrf.method(:field))
     end
   end
 
   describe 'header' do
     subject { Rack::Csrf.header }
-    it      { should == 'X_CSRF_TOKEN' }
+    it      { is_expected.to be == 'X_CSRF_TOKEN' }
 
-    context "when set to something" do
+    context 'when set to something' do
       before  { Rack::Csrf.new nil, :header => 'something' }
       subject { Rack::Csrf.header }
-      it      { should == 'something' }
+      it      { is_expected.to be == 'something' }
     end
   end
 
   describe 'csrf_header' do
-    subject { Rack::Csrf.method(:csrf_header) }
-    it      { should == Rack::Csrf.method(:header) }
+    it 'should be the same as method header' do
+      expect(Rack::Csrf.method(:csrf_header)).to eq(Rack::Csrf.method(:header))
+    end
   end
 
   describe 'token(env)' do
     let(:env) { {'rack.session' => {}} }
 
-    specify {Rack::Csrf.token(env).should have_at_least(32).characters}
+    context 'should produce a token' do
+      specify 'with at least 32 characters' do
+        expect(Rack::Csrf.token(env).length).to be >= 32
+      end
+
+      specify 'without +, / or =' do
+        expect(Rack::Csrf.token(env)).not_to match(/\+|\/|=/)
+      end
+    end
 
     context 'when accessing/manipulating the session' do
       before do
@@ -62,17 +71,17 @@ describe Rack::Csrf do
       end
 
       it 'should use the key provided by method key' do
-        env['rack.session'].should be_empty
+        expect(env['rack.session']).to be_empty
         Rack::Csrf.token env
-        env['rack.session'][Rack::Csrf.key].should_not be_nil
+        expect(env['rack.session'][Rack::Csrf.key]).not_to be_nil
       end
     end
 
     context 'when the session does not already contain the token' do
       it 'should store the token inside the session' do
-        env['rack.session'].should be_empty
+        expect(env['rack.session']).to be_empty
         token = Rack::Csrf.token(env)
-        token.should == env['rack.session'][Rack::Csrf.key]
+        expect(token).to eq(env['rack.session'][Rack::Csrf.key])
       end
     end
 
@@ -82,14 +91,14 @@ describe Rack::Csrf do
       end
 
       it 'should get the token from the session' do
-        env['rack.session'][Rack::Csrf.key].should == Rack::Csrf.token(env)
+        expect(env['rack.session'][Rack::Csrf.key]).to eq(Rack::Csrf.token(env))
       end
     end
   end
 
   describe 'csrf_token(env)' do
     it 'should be the same as method token(env)' do
-      Rack::Csrf.method(:csrf_token).should == Rack::Csrf.method(:token)
+      expect(Rack::Csrf.method(:csrf_token)).to eq(Rack::Csrf.method(:token))
     end
   end
 
@@ -102,26 +111,26 @@ describe Rack::Csrf do
     end
 
     it 'should be an input field' do
-      tag.should =~ /^<input/
+      expect(tag).to match(/^<input/)
     end
 
     it 'should be an hidden input field' do
-      tag.should =~ /type="hidden"/
+      expect(tag).to match(/type="hidden"/)
     end
 
-    it "should have the name provided by method field" do
-      tag.should =~ /name="#{Rack::Csrf.field}"/
+    it 'should have the name provided by method field' do
+      expect(tag).to match(/name="#{Rack::Csrf.field}"/)
     end
 
-    it "should have the value provided by method token(env)" do
+    it 'should have the value provided by method token(env)' do
       quoted_value = Regexp.quote %Q(value="#{Rack::Csrf.token(env)}")
-      tag.should =~ /#{quoted_value}/
+      expect(tag).to match(/#{quoted_value}/)
     end
   end
 
   describe 'csrf_tag(env)' do
     it 'should be the same as method tag(env)' do
-      Rack::Csrf.method(:csrf_tag).should == Rack::Csrf.method(:tag)
+      expect(Rack::Csrf.method(:csrf_tag)).to eq(Rack::Csrf.method(:tag))
     end
   end
 
@@ -135,11 +144,11 @@ describe Rack::Csrf do
       end
 
       subject { metatag }
-      it { should =~ /^<meta/ }
-      it { should =~ /name="_csrf"/ }
-      it "should have the content provided by method token(env)" do
+      it { is_expected.to match(/^<meta/) }
+      it { is_expected.to match(/name="_csrf"/) }
+      it 'should have the content provided by method token(env)' do
         quoted_value = Regexp.quote %Q(content="#{Rack::Csrf.token(env)}")
-        metatag.should =~ /#{quoted_value}/
+        expect(metatag).to match(/#{quoted_value}/)
       end
     end
 
@@ -150,18 +159,18 @@ describe Rack::Csrf do
       end
 
       subject { metatag }
-      it { should =~ /^<meta/ }
-      it { should =~ /name="custom_name"/ }
-      it "should have the content provided by method token(env)" do
+      it { is_expected.to match(/^<meta/) }
+      it { is_expected.to match(/name="custom_name"/) }
+      it 'should have the content provided by method token(env)' do
         quoted_value = Regexp.quote %Q(content="#{Rack::Csrf.token(env)}")
-        metatag.should =~ /#{quoted_value}/
+        expect(metatag).to match(/#{quoted_value}/)
       end
     end
   end
 
   describe 'csrf_metatag(env)' do
     it 'should be the same as method metatag(env)' do
-      Rack::Csrf.method(:csrf_metatag).should == Rack::Csrf.method(:metatag)
+      expect(Rack::Csrf.method(:csrf_metatag)).to eq(Rack::Csrf.method(:metatag))
     end
   end
 
@@ -170,7 +179,7 @@ describe Rack::Csrf do
   describe 'rackified_header' do
     before  { Rack::Csrf.new nil, :header => 'my-header' }
     subject { Rack::Csrf.rackified_header }
-    it      { should == 'HTTP_MY_HEADER'}
+    it      { is_expected.to be == 'HTTP_MY_HEADER'}
   end
 
   describe 'skip_checking' do
@@ -185,7 +194,7 @@ describe Rack::Csrf do
       let(:csrf) { Rack::Csrf.new nil }
 
       it 'should run the check' do
-        csrf.send(:skip_checking, request).should be false
+        expect(csrf.send(:skip_checking, request)).to be false
       end
     end
 
@@ -193,7 +202,7 @@ describe Rack::Csrf do
       let(:csrf) { Rack::Csrf.new nil, :skip => ['POST:/hello'] }
 
       it 'should not run the check' do
-        csrf.send(:skip_checking, request).should be true
+        expect(csrf.send(:skip_checking, request)).to be true
       end
     end
 
@@ -202,7 +211,7 @@ describe Rack::Csrf do
         let(:csrf) { Rack::Csrf.new nil, :skip_if => lambda { |req| req.env.key?('HTTP_X_VERY_SPECIAL_HEADER') } }
 
         it 'should not run the check' do
-          csrf.send(:skip_checking, request).should be true
+          expect(csrf.send(:skip_checking, request)).to be true
         end
       end
 
@@ -211,7 +220,7 @@ describe Rack::Csrf do
           let(:csrf) { Rack::Csrf.new nil, :check_only => [] }
 
           it 'should run the check' do
-            csrf.send(:skip_checking, request).should be false
+            expect(csrf.send(:skip_checking, request)).to be false
           end
         end
 
@@ -220,7 +229,7 @@ describe Rack::Csrf do
             let(:csrf) { Rack::Csrf.new nil, :check_only => ['POST:/hello'] }
 
             it 'should run the check' do
-              csrf.send(:skip_checking, request).should be false
+              expect(csrf.send(:skip_checking, request)).to be false
             end
           end
 
@@ -228,11 +237,49 @@ describe Rack::Csrf do
             let(:csrf) { Rack::Csrf.new nil, :check_only => ['POST:/ciao'] }
 
             it 'should not run the check' do
-              csrf.send(:skip_checking, request).should be true
+              expect(csrf.send(:skip_checking, request)).to be true
             end
           end
         end
       end
     end
   end
+
+  describe 'found_a_valid_token?' do
+    let(:env) { {'rack.session' => {}} }
+
+    let(:csrf) { Rack::Csrf.new nil }
+
+    let(:mock_request_env) do
+      Rack::MockRequest.env_for '/hello',
+        :method => 'POST',
+        :input => 'foo=bar'
+    end
+
+    before do
+      Rack::Csrf.token env
+      mock_request_env['rack.session'] = env['rack.session']
+    end
+
+    context 'should be true' do
+      specify "if a valid token can be found in the request's paramaters" do
+        mock_request_env['rack.input'] = StringIO.new("#{Rack::Csrf.field}=#{Rack::Csrf.token(env)}")
+        request = Rack::Request.new(mock_request_env)
+        expect(csrf.send(:found_a_valid_token?, request)).to be true
+      end
+
+      specify "if a valid token can be found in the request's headers" do
+        mock_request_env[Rack::Csrf.rackified_header] = Rack::Csrf.token(env)
+        request = Rack::Request.new(mock_request_env)
+        expect(csrf.send(:found_a_valid_token?, request)).to be true
+      end
+    end
+
+    context 'should be false' do
+      specify 'if no valid token can be found anywhere' do
+        request = Rack::Request.new(mock_request_env)
+        expect(csrf.send(:found_a_valid_token?, request)).to be false
+      end
+    end
+  end
 end

data/spec/spec_helper.rb

@@ -1,11 +1,4 @@
 require 'rubygems'
 require 'rspec'
-require 'rspec/collection_matchers'
 
 require 'rack/csrf'
-
-RSpec.configure do |config|
-  config.expect_with :rspec do |c|
-    c.syntax = :should
-  end
-end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rack_csrf
 version: !ruby/object:Gem::Version
-  version: 2.5.0
+  version: 2.6.0
 platform: ruby
 authors:
 - Emanuele Vicentini
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-06-15 00:00:00.000000000 Z
+date: 2016-12-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -56,16 +56,16 @@ dependencies:
   name: cucumber
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.1
+        version: '2.4'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.1.1
+        version: '2.4'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
@@ -94,20 +94,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
-- !ruby/object:Gem::Dependency
-  name: rspec-collection_matchers
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: rdoc
   requirement: !ruby/object:Gem::Requirement
@@ -217,7 +203,7 @@ rdoc_options:
 - "--line-numbers"
 - "--inline-source"
 - "--title"
-- Rack::Csrf 2.5.0
+- Rack::Csrf 2.6.0
 - "--main"
 - README.rdoc
 require_paths:
@@ -226,7 +212,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 1.8.7
+      version: 1.9.2
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -234,7 +220,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.3.0
+rubygems_version: 2.6.8
 signing_key: 
 specification_version: 4
 summary: Anti-CSRF Rack middleware