rage-rb 1.3.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cef03d55f96279c7e6d451dc7ce0abce04024a7ca30d07e9c48c0d054c530bb6
-  data.tar.gz: c399b5b3d060aee5367c2e3064435649bbb8eba7dcb2bf2bd215730a698f69d8
+  metadata.gz: 43393d351828980659e1a5e574887b818727744bf679bca2c1e0e0a164848496
+  data.tar.gz: d732652d4966c9cdcdd1825ec692b6c88286e467c229a2e4acdb7658e2b0a455
 SHA512:
-  metadata.gz: cc5578e1e51d557a8f30729b0eff9a41d4a651e62c837af53aff3b3f50caee2b827be47a239aeadd47f2e9ff15ff8263f35a032634c1fdb738cb2b2c71787780
-  data.tar.gz: 28a70f5c33752ea33dd1474bc4e481ba7b56fd76541544f838226c9b5ace3758b80d9a93b5947c1ea8cbf9374cbae204e9c0e6c5ff40f2adcbc40be3208f5597
+  metadata.gz: e23ca7a0309a24e665850c6c7798a3a4d7cb5dd5d8f239346907bc2be0ae3c6446530e5299e2f5a6b08f773281a8e3c570dc19b9ebe1f6cbe1b0712b643ed688
+  data.tar.gz: 9578c4f912c7ce713639acd0c043de9f4b757ff816e60dd5ae9637434699190d8c84af29a0a42fd7c0f0f32ae6724b710429cde6fab20011c23fd79bade36d13

data/CHANGELOG.md

@@ -1,5 +1,15 @@
 ## [Unreleased]
 
+## [1.4.0] - 2024-05-01
+
+### Added
+
+- Support cookies and sessions (#69).
+
+### Fixed
+
+- Improve compatibility with ActiveRecord 7.1 (#80).
+
 ## [1.3.0] - 2024-04-17
 
 ### Added

data/Gemfile

@@ -14,3 +14,6 @@ gem "yard"
 gem "pg"
 gem "mysql2"
 gem "connection_pool", "~> 2.0"
+
+gem "rbnacl"
+gem "domain_name"

data/lib/rage/configuration.rb

@@ -15,6 +15,14 @@
 #
 # > Defines the verbosity of the Rage logger. This option defaults to `:debug` for all environments except production, where it defaults to `:info`. The available log levels are: `:debug`, `:info`, `:warn`, `:error`, `:fatal`, and `:unknown`.
 #
+# • _config.secret_key_base_
+#
+# > The `secret_key_base` is used as the input secret to the application's key generator, which is used to encrypt cookies. Rage will fall back to the `SECRET_KEY_BASE` environment variable if this is not set.
+#
+# • _config.fallback_secret_key_base_
+#
+# > Defines one or several old secrets that need to be rotated. Can accept a single key or an array of keys. Rage will fall back to the `FALLBACK_SECRET_KEY_BASE` environment variable if this is not set.
+#
 # # Middleware Configuration
 #
 # • _config.middleware.use_
@@ -100,6 +108,7 @@
 class Rage::Configuration
   attr_accessor :logger
   attr_reader :log_formatter, :log_level
+  attr_writer :secret_key_base, :fallback_secret_key_base
 
   # used in DSL
   def config = self
@@ -113,6 +122,14 @@ class Rage::Configuration
     @log_level = level.is_a?(Symbol) ? Logger.const_get(level.to_s.upcase) : level
   end
 
+  def secret_key_base
+    @secret_key_base || ENV["SECRET_KEY_BASE"]
+  end
+
+  def fallback_secret_key_base
+    Array(@fallback_secret_key_base || ENV["FALLBACK_SECRET_KEY_BASE"])
+  end
+
   def server
     @server ||= Server.new
   end

data/lib/rage/controller/api.rb

@@ -324,6 +324,18 @@ class RageController::API
     @response ||= Rage::Response.new(@__headers, @__body)
   end
 
+  # Get the cookie object. See {Rage::Cookies}.
+  # @return [Rage::Cookies]
+  def cookies
+    @cookies ||= Rage::Cookies.new(@__env, self)
+  end
+
+  # Get the session object. See {Rage::Session}.
+  # @return [Rage::Session]
+  def session
+    @session ||= Rage::Session.new(self)
+  end
+
   # Send a response to the client.
   #
   # @param json [String, Object] send a json response to the client; objects like arrays will be serialized automatically
@@ -477,4 +489,9 @@ class RageController::API
   #     def append_info_to_payload(payload)
   #       payload[:response] = response.body
   #     end
+
+  # Reset the entire session. See {Rage::Session}.
+  def reset_session
+    session.clear
+  end
 end

data/lib/rage/cookies.rb

@@ -0,0 +1,241 @@
+# frozen_string_literal: true
+
+require "base64"
+require "time"
+
+if !defined?(DomainName)
+  fail <<~ERR
+
+    rage-rb depends on domain_name to specify the domain name for cookies. Add the following line to your Gemfile:
+    gem "domain_name"
+
+  ERR
+end
+
+class Rage::Cookies
+  # @private
+  def initialize(env, controller)
+    @env = env
+    @headers = controller.headers
+    @request_cookies = {}
+    @parsed = false
+
+    @jar = SimpleJar
+  end
+
+  # Read a cookie.
+  #
+  # @param key [Symbol]
+  # @return [String]
+  def [](key)
+    value = request_cookies[key]
+    @jar.load(value) if value
+  end
+
+  # Get the number of cookies.
+  #
+  # @return [Integer]
+  def size
+    request_cookies.count { |_, v| !v.nil? }
+  end
+
+  # Delete a cookie.
+  #
+  # @param key [Symbol]
+  # @param path [String]
+  # @param domain [String]
+  def delete(key, path: "/", domain: nil)
+    @headers.compare_by_identity
+
+    @request_cookies[key] = nil
+    @headers[set_cookie_key(key)] = Rack::Utils.add_cookie_to_header(nil, key, {
+      value: "", expires: Time.at(0), path: path, domain: domain
+    })
+  end
+
+  # Returns a jar that'll automatically encrypt cookie values before sending them to the client and will decrypt them
+  # for read. If the cookie was tampered with by the user (or a 3rd party), `nil` will be returned.
+  #
+  # This jar requires that you set a suitable secret for the verification on your app's `secret_key_base`.
+  #
+  # @example
+  #   cookies.encrypted[:user_id] = current_user.id
+  def encrypted
+    dup.tap { |c| c.jar = EncryptedJar }
+  end
+
+  # Returns a jar that'll automatically set the assigned cookies to have an expiration date 20 years from now.
+  #
+  # @example
+  #   cookies.permanent[:user_id] = current_user.id
+  def permanent
+    dup.tap { |c| c.expires = Time.now + 20 * 365 * 24 * 60 * 60 }
+  end
+
+  # Set a cookie.
+  #
+  # @param key [Symbol]
+  # @param value [String, Hash]
+  # @option value [String] :path
+  # @option value [Boolean] :secure
+  # @option value [Boolean] :httponly
+  # @option value [nil, :none, :lax, :strict] :same_site
+  # @option value [Time] :expires
+  # @option value [String, Array<String>, :all] :domain
+  # @option value [String] :value
+  # @example
+  #   cookie[:user_id] = current_user.id
+  # @example
+  #   cookie[:user_id] = { value: current_user.id, httponly: true, secure: true }
+  def []=(key, value)
+    @headers.compare_by_identity
+
+    unless value.is_a?(Hash)
+      serialized_value = @jar.dump(value)
+      @request_cookies[key] = serialized_value
+      @headers[set_cookie_key(key)] = Rack::Utils.add_cookie_to_header(nil, key, { value: serialized_value, expires: @expires })
+      return
+    end
+
+    if domain = value[:domain]
+      host = @env["HTTP_HOST"]
+
+      _domain = if domain.is_a?(String)
+        domain
+      elsif domain == :all
+        DomainName(host).domain
+      elsif domain.is_a?(Array)
+        host if domain.include?(host)
+      end
+    end
+
+    serialized_value = @jar.dump(value[:value])
+    cookie = Rack::Utils.add_cookie_to_header(nil, key, {
+      path: value[:path],
+      secure: value[:secure],
+      expires: value[:expires] || @expires,
+      httponly: value[:httponly],
+      same_site: value[:same_site],
+      value: serialized_value,
+      domain: _domain
+    })
+
+    @request_cookies[key] = serialized_value
+    @headers[set_cookie_key(key)] = cookie
+  end
+
+  def inspect
+    cookies = request_cookies.transform_values do |v|
+      decoded = Base64.urlsafe_decode64(v) rescue nil
+      is_encrypted = decoded&.start_with?(EncryptedJar::PADDING)
+
+      is_encrypted ? "<encrypted>" : v
+    end
+
+    "#<#{self.class.name} @request_cookies=#{cookies.inspect}"
+  end
+
+  private
+
+  def request_cookies
+    return @request_cookies if @parsed
+
+    @parsed = true
+    if cookie_header = @env["HTTP_COOKIE"]
+      cookie_header.split(/; */n).each do |cookie|
+        next if cookie.empty?
+        key, value = cookie.split("=", 2).yield_self { |k, _| [k.to_sym, _] }
+        unless @request_cookies.has_key?(key)
+          @request_cookies[key] = (Rack::Utils.unescape(value, Encoding::UTF_8) rescue value)
+        end
+      end
+    end
+
+    @request_cookies
+  end
+
+  def set_cookie_key(key)
+    @set_cookie_keys ||= Hash.new { |hash, key| hash[key] = "Set-Cookie".dup }
+    @set_cookie_keys[key]
+  end
+
+  protected
+
+  attr_writer :jar, :expires
+
+  ####################
+  #
+  # Cookie Jars
+  #
+  ####################
+
+  class SimpleJar
+    def self.load(_)
+      _
+    end
+
+    def self.dump(value)
+      value.to_s
+    end
+  end
+
+  class EncryptedJar
+    SALT = "encrypted cookie"
+    PADDING = "00"
+
+    class << self
+      def load(value)
+        box = primary_box
+
+        begin
+          box.decrypt(Base64.urlsafe_decode64(value).byteslice(2..))
+        rescue ArgumentError
+          nil
+        rescue RbNaCl::CryptoError
+          i ||= 0
+          if box = fallback_boxes[i]
+            i += 1
+            retry
+          end
+        end
+      end
+
+      def dump(value)
+        # add two bytes to hold meta information, e.g. in case we
+        # need to change the encryption algorithm in the future
+        Base64.urlsafe_encode64(PADDING + primary_box.encrypt(value.to_s))
+      end
+
+      private
+
+      def primary_box
+        @primary_box ||= begin
+          if !defined?(RbNaCl) || !(Gem::Version.create(RbNaCl::VERSION) >= Gem::Version.create("3.3.0") && Gem::Version.create(RbNaCl::VERSION) < Gem::Version.create("8.0.0"))
+            fail <<~ERR
+
+              rage-rb depends on rbnacl [>= 3.3, < 8.0] to encrypt cookies. Add the following line to your Gemfile:
+              gem "rbnacl"
+
+            ERR
+          end
+
+          unless Rage.config.secret_key_base
+            raise "Rage.config.secret_key_base should be set to use encrypted cookies"
+          end
+
+          RbNaCl::SimpleBox.from_secret_key(
+            RbNaCl::Hash.blake2b(Rage.config.secret_key_base, digest_size: 32, salt: SALT)
+          )
+        end
+      end
+
+      def fallback_boxes
+        @fallback_boxes ||= begin
+          Rage.config.fallback_secret_key_base.map do |key|
+            RbNaCl::SimpleBox.from_secret_key(RbNaCl::Hash.blake2b(key, digest_size: 32, salt: SALT))
+          end
+        end
+      end
+    end # class << self
+  end
+end

data/lib/rage/ext/setup.rb

@@ -4,7 +4,7 @@ if defined?(ActiveSupport::IsolatedExecutionState)
 end
 
 # release ActiveRecord connections on yield
-if defined?(ActiveRecord)
+if defined?(ActiveRecord) && ActiveRecord.version < Gem::Version.create("7.1.0")
   class Fiber
     def self.defer
       res = Fiber.yield

data/lib/rage/fiber.rb

@@ -91,7 +91,7 @@ class Fiber
 
   # @private
   # under normal circumstances, the method is a copy of `yield`, but it can be overriden to perform
-  # additional steps on yielding, e.g. releasing AR connections; see "lib/rage/rails.rb"
+  # additional steps on yielding, e.g. releasing AR connections; see "lib/rage/ext/setup.rb"
   class << self
     alias_method :defer, :yield
   end

data/lib/rage/session.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+require "json"
+
+class Rage::Session
+  # @private
+  KEY = Rack::RACK_SESSION.to_sym
+
+  # @private
+  def initialize(controller)
+    @cookies = controller.cookies.encrypted
+  end
+
+  # Writes the value to the session.
+  #
+  # @param key [Symbol]
+  # @param value [String]
+  def []=(key, value)
+    write_session(add: { key => value })
+  end
+
+  # Returns the value of the key stored in the session or `nil` if the given key is not found.
+  #
+  # @param key [Symbol]
+  def [](key)
+    read_session[key]
+  end
+
+  # Returns the value of the given key from the session, or raises `KeyError` if the given key is not found
+  # and no default value is set. Returns the default value if specified.
+  #
+  # @param key [Symbol]
+  def fetch(key, default = nil, &block)
+    if default.nil?
+      read_session.fetch(key, &block)
+    else
+      read_session.fetch(key, default, &block)
+    end
+  end
+
+  # Deletes the given key from the session.
+  #
+  # @param key [Symbol]
+  def delete(key)
+    write_session(remove: key)
+  end
+
+  # Clears the session.
+  def clear
+    write_session(clear: true)
+  end
+
+  # Returns the session as Hash.
+  def to_hash
+    read_session
+  end
+
+  alias_method :to_h, :to_hash
+
+  def empty?
+    read_session.empty?
+  end
+
+  # Returns `true` if the given key is present in the session.
+  def has_key?(key)
+    read_session.has_key?(key)
+  end
+
+  alias_method :key?, :has_key?
+  alias_method :include?, :has_key?
+
+  def each(&block)
+    read_session.each(&block)
+  end
+
+  def dig(*keys)
+    read_session.dig(*keys)
+  end
+
+  def inspect
+    "#<#{self.class.name} @session=#{to_h.inspect}"
+  end
+
+  private
+
+  def write_session(add: nil, remove: nil, clear: nil)
+    if add
+      read_session.merge!(add)
+    elsif remove && read_session.has_key?(remove)
+      read_session.reject! { |k, _| k == remove }
+    elsif clear
+      read_session.clear
+    end
+
+    @cookies[KEY] = { httponly: true, same_site: :lax, value: read_session.to_json }
+  end
+
+  def read_session
+    @session ||= begin
+      JSON.parse(@cookies[KEY] || "{}", symbolize_names: true)
+    rescue JSON::ParserError
+      {}
+    end
+  end
+end

data/lib/rage/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Rage
-  VERSION = "1.3.0"
+  VERSION = "1.4.0"
 end

data/lib/rage-rb.rb

@@ -102,6 +102,9 @@ module Rage
       autoload :ConnectionPool, "rage/ext/active_record/connection_pool"
     end
   end
+
+  autoload :Cookies, "rage/cookies"
+  autoload :Session, "rage/session"
 end
 
 module RageController

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rage-rb
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Roman Samoilov
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-04-17 00:00:00.000000000 Z
+date: 2024-05-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -105,6 +105,7 @@ files:
 - lib/rage/code_loader.rb
 - lib/rage/configuration.rb
 - lib/rage/controller/api.rb
+- lib/rage/cookies.rb
 - lib/rage/env.rb
 - lib/rage/errors.rb
 - lib/rage/ext/active_record/connection_pool.rb
@@ -130,6 +131,7 @@ files:
 - lib/rage/router/strategies/host.rb
 - lib/rage/router/util.rb
 - lib/rage/rspec.rb
+- lib/rage/session.rb
 - lib/rage/setup.rb
 - lib/rage/sidekiq_session.rb
 - lib/rage/templates/Gemfile