RubyGems - redis-session-store - Versions diffs - 0.11.5 → 0.11.6 - Mend

redis-session-store 0.11.5 → 0.11.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

checksums.yaml +4 -4
data/.rubocop.yml +4 -1
data/AUTHORS.md +1 -0
data/CHANGELOG.md +4 -0
data/lib/redis-session-store.rb +28 -7
data/redis-session-store.gemspec +1 -1
data/spec/redis_session_store_spec.rb +93 -24
data/spec/support.rb +24 -2
metadata +7 -7

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 90331bd500f283f691772c63fe0fd9800433c50aca9a380ff5bde853bf70fd19
-  data.tar.gz: 6d5b6f2f7017261c21f6265de114ac78d7febcfacfa50e308a56dcb15a4ae216
+  metadata.gz: d18e9f3e69775d747faf496a6dcd718aaae738759306fc85fb158e0670de9588
+  data.tar.gz: bd5457371142d59eb6b2009b6b3add32efcc57bb886ec6e05b415298031ad9d8
 SHA512:
-  metadata.gz: a7bb1ac24ac0cbc84f7d923047c8d05fdab9936c53bb1faa6b571617fc0b59706ca386527094aa5d2533cb9867dc00990404836b578077c4121805ee9eb4fce6
-  data.tar.gz: 50fa31bdfe84b874f97ee55e86eb8a575ad49eccd60f22b8315e23e1cf87e01940470b46ddf089ee9d5fc720112abf8010e1ae6983c85993baa20237c3380946
+  metadata.gz: 69db8ffaf3ba8bfa9002f2355474b213ab9e7091338eeb63e3049ea31e575a461ed770e6024be89a925dccbaf8a1b4f62b261e5b927b30b1ef041f3e92d9f275
+  data.tar.gz: 3f4af5b4cd6b806c44407d2ad8fd536873c03fc72db4e20a386afaffc3a681a98ab7c7755b478c56d656c71439d1a44b651413d92ec01d3c6a60b4824d971c61

data/.rubocop.yml CHANGED Viewed

@@ -24,7 +24,10 @@ Layout/LineLength:
   Max: 100
 Metrics/ClassLength:
-  Max: 120
+  Max: 140
+RSpec/MultipleExpectations:
+  Max: 3
 Security/MarshalLoad:
   Enabled: false

data/AUTHORS.md CHANGED Viewed

@@ -2,6 +2,7 @@ Redis Session Store authors
 ===========================
 - Ben Marini
+- Bill Ruddock
 - Dan Buch
 - Donald Plummer
 - Edwin Cruz

data/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,10 @@
 ## [Unreleased]
+# [0.11.6] - 2024-11-12
+- Fix secure session using private_id
+- Support Rails 8
 # [0.11.5] - 2022-11-27
 ### Changed

data/lib/redis-session-store.rb CHANGED Viewed

@@ -3,7 +3,7 @@ require 'redis'
 # Redis session storage for Rails, and for Rails only. Derived from
 # the MemCacheStore code, simply dropping in Redis instead.
 class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
-  VERSION = '0.11.5'.freeze
+  VERSION = '0.11.6'.freeze
   # Rails 3.1 and beyond defines the constant elsewhere
   unless defined?(ENV_SESSION_OPTIONS_KEY)
     ENV_SESSION_OPTIONS_KEY = if Rack.release.split('.').first.to_i > 1
@@ -65,7 +65,7 @@ class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
     !!(
       value && !value.empty? &&
-      key_exists?(value)
+      key_exists_with_fallback?(value)
     )
   rescue Errno::ECONNREFUSED, Redis::CannotConnectError => e
     on_redis_down.call(e, env, value) if on_redis_down
@@ -73,6 +73,12 @@ class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
     true
   end
+  def key_exists_with_fallback?(value)
+    return false if private_session_id?(value.public_id)
+    key_exists?(value.private_id) || key_exists?(value.public_id)
+  end
   def key_exists?(value)
     if redis.respond_to?(:exists?)
       # added in redis gem v4.2
@@ -83,6 +89,10 @@ class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
     end
   end
+  def private_session_id?(value)
+    value.match?(/\A\d+::/)
+  end
   def verify_handlers!
     %w(on_redis_down on_session_load_error).each do |h|
       next unless (handler = public_send(h)) && !handler.respond_to?(:call)
@@ -100,13 +110,21 @@ class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
   end
   def get_session(env, sid)
-    sid && (session = load_session_from_redis(sid)) ? [sid, session] : session_default_values
+    sid && (session = load_session_with_fallback(sid)) ? [sid, session] : session_default_values
   rescue Errno::ECONNREFUSED, Redis::CannotConnectError => e
     on_redis_down.call(e, env, sid) if on_redis_down
     session_default_values
   end
   alias find_session get_session
+  def load_session_with_fallback(sid)
+    return nil if private_session_id?(sid.public_id)
+    load_session_from_redis(
+      key_exists?(sid.private_id) ? sid.private_id : sid.public_id
+    )
+  end
   def load_session_from_redis(sid)
     data = redis.get(prefixed(sid))
     begin
@@ -126,9 +144,9 @@ class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
   def set_session(env, sid, session_data, options = nil)
     expiry = get_expiry(env, options)
     if expiry
-      redis.setex(prefixed(sid), expiry, encode(session_data))
+      redis.setex(prefixed(sid.private_id), expiry, encode(session_data))
     else
-      redis.set(prefixed(sid), encode(session_data))
+      redis.set(prefixed(sid.private_id), encode(session_data))
     end
     sid
   rescue Errno::ECONNREFUSED, Redis::CannotConnectError => e
@@ -147,14 +165,17 @@ class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
   end
   def destroy_session(env, sid, options)
-    destroy_session_from_sid(sid, (options || {}).to_hash.merge(env: env))
+    destroy_session_from_sid(sid.public_id, (options || {}).to_hash.merge(env: env, drop: true))
+    destroy_session_from_sid(sid.private_id, (options || {}).to_hash.merge(env: env))
   end
   alias delete_session destroy_session
   def destroy(env)
     if env['rack.request.cookie_hash'] &&
        (sid = env['rack.request.cookie_hash'][key])
-      destroy_session_from_sid(sid, drop: true, env: env)
+      sid = Rack::Session::SessionId.new(sid)
+      destroy_session_from_sid(sid.private_id, drop: true, env: env)
+      destroy_session_from_sid(sid.public_id, drop: true, env: env)
     end
     false
   end

data/redis-session-store.gemspec CHANGED Viewed

@@ -15,7 +15,7 @@ Gem::Specification.new do |gem|
   gem.version = File.read('lib/redis-session-store.rb')
                     .match(/^  VERSION = '(.*)'/)[1]
-  gem.add_runtime_dependency 'actionpack', '>= 6', '< 8'
+  gem.add_runtime_dependency 'actionpack', '>= 5.2.4.1', '< 9'
   gem.add_runtime_dependency 'redis', '>= 3', '< 6'
   gem.add_development_dependency 'fakeredis', '~> 0.8'

data/spec/redis_session_store_spec.rb CHANGED Viewed

@@ -157,7 +157,7 @@ describe RedisSessionStore do
     # https://github.com/rack/rack/blob/1.4.5/lib/rack/session/abstract/id.rb
     let(:env)          { double('env') }
-    let(:session_id)   { 12_345 }
+    let(:session_id)   { Rack::Session::SessionId.new('12 345') }
     let(:session_data) { double('session_data') }
     let(:options)      { { expire_after: 123 } }
@@ -217,7 +217,8 @@ describe RedisSessionStore do
   end
   describe 'checking for session existence' do
-    let(:session_id) { 'foo' }
+    let(:public_id) { 'foo' }
+    let(:session_id) { Rack::Session::SessionId.new(public_id) }
     before do
       allow(store).to receive(:current_session_id)
@@ -234,10 +235,9 @@ describe RedisSessionStore do
       end
       context 'when session id is empty string' do
-        let(:session_id) { '' }
+        let(:public_id) { '' }
         it 'returns false' do
-          allow(store).to receive(:current_session_id).with(:env).and_return('')
           expect(store.send(:session_exists?, :env)).to eq(false)
         end
       end
@@ -250,20 +250,46 @@ describe RedisSessionStore do
         end
       end
-      context 'when session id does not exist in redis' do
-        it 'returns false' do
-          expect(redis).to receive(:exists).with('foo').and_return(false)
-          expect(store.send(:session_exists?, :env)).to eq(false)
+      context 'when session private id does not exist in redis' do
+        context 'when session public id does not exist in redis' do
+          it 'returns false' do
+            expect(redis).to receive(:exists)
+              .with(session_id.private_id)
+              .and_return(false)
+            expect(redis).to receive(:exists).with('foo').and_return(false)
+            expect(store.send(:session_exists?, :env)).to eq(false)
+          end
+        end
+        context 'when session public id exists in redis' do
+          it 'returns true' do
+            expect(redis).to receive(:exists)
+              .with(session_id.private_id)
+              .and_return(false)
+            expect(redis).to receive(:exists).with('foo').and_return(true)
+            expect(store.send(:session_exists?, :env)).to eq(true)
+          end
         end
       end
-      context 'when session id exists in redis' do
+      context 'when session private id exists in redis' do
         it 'returns true' do
-          expect(redis).to receive(:exists).with('foo').and_return(true)
+          expect(redis).to receive(:exists)
+            .with(session_id.private_id)
+            .and_return(true)
           expect(store.send(:session_exists?, :env)).to eq(true)
         end
       end
+      context 'when session public id is formatted like a private id' do
+        let(:public_id) { Rack::Session::SessionId.new('foo').private_id }
+        it 'returns false' do
+          expect(redis).not_to receive(:exists)
+          expect(store.send(:session_exists?, :env)).to eq(false)
+        end
+      end
       context 'when redis is down' do
         it 'returns true (fallback to old behavior)' do
           allow(store).to receive(:redis).and_raise(Redis::CannotConnectError)
@@ -281,6 +307,7 @@ describe RedisSessionStore do
     end
     let(:fake_key) { 'thisisarediskey' }
+    let(:session_id) { Rack::Session::SessionId.new(fake_key) }
     describe 'generate_sid' do
       it 'generates a secure ID' do
@@ -289,13 +316,50 @@ describe RedisSessionStore do
       end
     end
-    it 'retrieves the prefixed key from redis' do
-      redis = double('redis')
-      allow(store).to receive(:redis).and_return(redis)
-      allow(store).to receive(:generate_sid).and_return(fake_key)
-      expect(redis).to receive(:get).with("#{options[:key_prefix]}#{fake_key}")
+    context 'when redis is up' do
+      let(:redis) { double('redis') }
+      let(:private_exists) { true }
+      before do
+        allow(store).to receive(:redis).and_return(redis)
+        allow(redis).to receive(:exists)
+          .with("#{options[:key_prefix]}#{session_id.private_id}")
+          .and_return(private_exists)
+      end
-      store.send(:get_session, double('env'), fake_key)
+      context 'when session private id exists in redis' do
+        it 'retrieves the prefixed private id from redis' do
+          expect(redis).to receive(:get).with("#{options[:key_prefix]}#{session_id.private_id}")
+          store.send(:get_session, double('env'), session_id)
+        end
+      end
+      context 'when session private id not found in redis' do
+        let(:private_exists) { false }
+        it 'retrieves the prefixed public id from redis' do
+          expect(redis).to receive(:get).with("#{options[:key_prefix]}#{fake_key}")
+          store.send(:get_session, double('env'), session_id)
+        end
+      end
+      context 'when session id is formatted like a private id' do
+        let(:fake_key) { Rack::Session::SessionId.new('anykey').private_id }
+        let(:new_sid) { Rack::Session::SessionId.new('newid') }
+        before do
+          allow(store).to receive(:generate_sid).and_return(new_sid)
+        end
+        it 'returns a default new session' do
+          expect(redis).not_to receive(:exists)
+          expect(redis).not_to receive(:get)
+          expect(store.send(:get_session, double('env'), session_id))
+            .to eq([new_sid, {}])
+        end
+      end
     end
     context 'when redis is down' do
@@ -305,12 +369,12 @@ describe RedisSessionStore do
       end
       it 'returns an empty session hash' do
-        expect(store.send(:get_session, double('env'), fake_key).last)
+        expect(store.send(:get_session, double('env'), session_id).last)
           .to eq({})
       end
       it 'returns a newly generated sid' do
-        expect(store.send(:get_session, double('env'), fake_key).first)
+        expect(store.send(:get_session, double('env'), session_id).first)
           .to eq('foop')
       end
@@ -319,7 +383,7 @@ describe RedisSessionStore do
         it 'explodes' do
           expect do
-            store.send(:get_session, double('env'), fake_key)
+            store.send(:get_session, double('env'), session_id)
           end.to raise_error(Redis::CannotConnectError)
         end
       end
@@ -331,6 +395,7 @@ describe RedisSessionStore do
       let(:env) { { 'rack.request.cookie_hash' => cookie_hash } }
       let(:cookie_hash) { double('cookie hash') }
       let(:fake_key) { 'thisisarediskey' }
+      let(:session_id) { Rack::Session::SessionId.new(fake_key) }
       before do
         allow(cookie_hash).to receive(:[]).and_return(fake_key)
@@ -341,6 +406,8 @@ describe RedisSessionStore do
         allow(store).to receive(:redis).and_return(redis)
         expect(redis).to receive(:del)
           .with("#{options[:key_prefix]}#{fake_key}")
+        expect(redis).to receive(:del)
+          .with("#{options[:key_prefix]}#{session_id.private_id}")
         store.send(:destroy, env)
       end
@@ -371,7 +438,8 @@ describe RedisSessionStore do
         redis = double('redis', setnx: true)
         allow(store).to receive(:redis).and_return(redis)
         sid = store.send(:generate_sid)
-        expect(redis).to receive(:del).with("#{options[:key_prefix]}#{sid}")
+        expect(redis).to receive(:del).with("#{options[:key_prefix]}#{sid.public_id}")
+        expect(redis).to receive(:del).with("#{options[:key_prefix]}#{sid.private_id}")
         store.send(:destroy_session, {}, sid, nil)
       end
@@ -380,7 +448,7 @@ describe RedisSessionStore do
   describe 'session encoding' do
     let(:env)          { double('env') }
-    let(:session_id)   { 12_345 }
+    let(:session_id)   { Rack::Session::SessionId.new('12 345') }
     let(:session_data) { { 'some' => 'data' } }
     let(:options)      { {} }
     let(:encoded_data) { Marshal.dump(session_data) }
@@ -393,11 +461,12 @@ describe RedisSessionStore do
     shared_examples_for 'serializer' do
       it 'encodes correctly' do
-        expect(redis).to receive(:set).with('12345', expected_encoding)
+        expect(redis).to receive(:set).with(session_id.private_id, expected_encoding)
         store.send(:set_session, env, session_id, session_data, options)
       end
       it 'decodes correctly' do
+        allow(redis).to receive(:exists).with(session_id.private_id).and_return(true)
         expect(store.send(:get_session, env, session_id))
           .to eq([session_id, session_data])
       end
@@ -548,7 +617,7 @@ describe RedisSessionStore do
   describe 'setting the session' do
     it 'allows changing the session' do
       env = { 'rack.session.options' => {} }
-      sid = 1234
+      sid = Rack::Session::SessionId.new('1234')
       allow(store).to receive(:redis).and_return(Redis.new)
       data1 = { 'foo' => 'bar' }
       store.send(:set_session, env, sid, data1)
@@ -560,7 +629,7 @@ describe RedisSessionStore do
     it 'allows changing the session when the session has an expiry' do
       env = { 'rack.session.options' => { expire_after: 60 } }
-      sid = 1234
+      sid = Rack::Session::SessionId.new('1234')
       allow(store).to receive(:redis).and_return(Redis.new)
       data1 = { 'foo' => 'bar' }
       store.send(:set_session, env, sid, data1)

data/spec/support.rb CHANGED Viewed

@@ -11,10 +11,32 @@ unless defined?(Rack::Session::SessionId)
   module Rack
     module Session
       class SessionId
+        ID_VERSION = 2
         attr_reader :public_id
-        def initialize(_public_id)
-          @public_id
+        def initialize(public_id)
+          @public_id = public_id
+        end
+        alias to_s public_id
+        def empty?
+          false
+        end
+        def inspect
+          public_id.inspect
+        end
+        def private_id
+          "#{ID_VERSION}::#{hash_sid(public_id)}"
+        end
+        private
+        def hash_sid(value)
+          "test_hash_from:#{value}"
         end
       end
     end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: redis-session-store
 version: !ruby/object:Gem::Version
-  version: 0.11.5
+  version: 0.11.6
 platform: ruby
 authors:
 - Mathias Meyer
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-11-27 00:00:00.000000000 Z
+date: 2024-11-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -16,20 +16,20 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '6'
+        version: 5.2.4.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8'
+        version: '9'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '6'
+        version: 5.2.4.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8'
+        version: '9'
 - !ruby/object:Gem::Dependency
   name: redis
   requirement: !ruby/object:Gem::Requirement
@@ -197,7 +197,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.5.23
 signing_key:
 specification_version: 4
 summary: A drop-in replacement for e.g. MemCacheStore to store Rails sessions (and