redis-session-store 0.11.5 → 0.11.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 90331bd500f283f691772c63fe0fd9800433c50aca9a380ff5bde853bf70fd19
-  data.tar.gz: 6d5b6f2f7017261c21f6265de114ac78d7febcfacfa50e308a56dcb15a4ae216
+  metadata.gz: d18e9f3e69775d747faf496a6dcd718aaae738759306fc85fb158e0670de9588
+  data.tar.gz: bd5457371142d59eb6b2009b6b3add32efcc57bb886ec6e05b415298031ad9d8
 SHA512:
-  metadata.gz: a7bb1ac24ac0cbc84f7d923047c8d05fdab9936c53bb1faa6b571617fc0b59706ca386527094aa5d2533cb9867dc00990404836b578077c4121805ee9eb4fce6
-  data.tar.gz: 50fa31bdfe84b874f97ee55e86eb8a575ad49eccd60f22b8315e23e1cf87e01940470b46ddf089ee9d5fc720112abf8010e1ae6983c85993baa20237c3380946
+  metadata.gz: 69db8ffaf3ba8bfa9002f2355474b213ab9e7091338eeb63e3049ea31e575a461ed770e6024be89a925dccbaf8a1b4f62b261e5b927b30b1ef041f3e92d9f275
+  data.tar.gz: 3f4af5b4cd6b806c44407d2ad8fd536873c03fc72db4e20a386afaffc3a681a98ab7c7755b478c56d656c71439d1a44b651413d92ec01d3c6a60b4824d971c61

data/.rubocop.yml

@@ -24,7 +24,10 @@ Layout/LineLength:
   Max: 100
 
 Metrics/ClassLength:
-  Max: 120
+  Max: 140
+
+RSpec/MultipleExpectations:
+  Max: 3
 
 Security/MarshalLoad:
   Enabled: false

data/AUTHORS.md

@@ -2,6 +2,7 @@ Redis Session Store authors
 ===========================
 
 - Ben Marini
+- Bill Ruddock
 - Dan Buch
 - Donald Plummer
 - Edwin Cruz

data/CHANGELOG.md

@@ -4,6 +4,10 @@
 
 ## [Unreleased]
 
+# [0.11.6] - 2024-11-12
+- Fix secure session using private_id
+- Support Rails 8
+
 # [0.11.5] - 2022-11-27
 
 ### Changed

data/lib/redis-session-store.rb

@@ -3,7 +3,7 @@ require 'redis'
 # Redis session storage for Rails, and for Rails only. Derived from
 # the MemCacheStore code, simply dropping in Redis instead.
 class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
-  VERSION = '0.11.5'.freeze
+  VERSION = '0.11.6'.freeze
   # Rails 3.1 and beyond defines the constant elsewhere
   unless defined?(ENV_SESSION_OPTIONS_KEY)
     ENV_SESSION_OPTIONS_KEY = if Rack.release.split('.').first.to_i > 1
@@ -65,7 +65,7 @@ class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
 
     !!(
       value && !value.empty? &&
-      key_exists?(value)
+      key_exists_with_fallback?(value)
     )
   rescue Errno::ECONNREFUSED, Redis::CannotConnectError => e
     on_redis_down.call(e, env, value) if on_redis_down
@@ -73,6 +73,12 @@ class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
     true
   end
 
+  def key_exists_with_fallback?(value)
+    return false if private_session_id?(value.public_id)
+
+    key_exists?(value.private_id) || key_exists?(value.public_id)
+  end
+
   def key_exists?(value)
     if redis.respond_to?(:exists?)
       # added in redis gem v4.2
@@ -83,6 +89,10 @@ class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
     end
   end
 
+  def private_session_id?(value)
+    value.match?(/\A\d+::/)
+  end
+
   def verify_handlers!
     %w(on_redis_down on_session_load_error).each do |h|
       next unless (handler = public_send(h)) && !handler.respond_to?(:call)
@@ -100,13 +110,21 @@ class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
   end
 
   def get_session(env, sid)
-    sid && (session = load_session_from_redis(sid)) ? [sid, session] : session_default_values
+    sid && (session = load_session_with_fallback(sid)) ? [sid, session] : session_default_values
   rescue Errno::ECONNREFUSED, Redis::CannotConnectError => e
     on_redis_down.call(e, env, sid) if on_redis_down
     session_default_values
   end
   alias find_session get_session
 
+  def load_session_with_fallback(sid)
+    return nil if private_session_id?(sid.public_id)
+
+    load_session_from_redis(
+      key_exists?(sid.private_id) ? sid.private_id : sid.public_id
+    )
+  end
+
   def load_session_from_redis(sid)
     data = redis.get(prefixed(sid))
     begin
@@ -126,9 +144,9 @@ class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
   def set_session(env, sid, session_data, options = nil)
     expiry = get_expiry(env, options)
     if expiry
-      redis.setex(prefixed(sid), expiry, encode(session_data))
+      redis.setex(prefixed(sid.private_id), expiry, encode(session_data))
     else
-      redis.set(prefixed(sid), encode(session_data))
+      redis.set(prefixed(sid.private_id), encode(session_data))
     end
     sid
   rescue Errno::ECONNREFUSED, Redis::CannotConnectError => e
@@ -147,14 +165,17 @@ class RedisSessionStore < ActionDispatch::Session::AbstractSecureStore
   end
 
   def destroy_session(env, sid, options)
-    destroy_session_from_sid(sid, (options || {}).to_hash.merge(env: env))
+    destroy_session_from_sid(sid.public_id, (options || {}).to_hash.merge(env: env, drop: true))
+    destroy_session_from_sid(sid.private_id, (options || {}).to_hash.merge(env: env))
   end
   alias delete_session destroy_session
 
   def destroy(env)
     if env['rack.request.cookie_hash'] &&
        (sid = env['rack.request.cookie_hash'][key])
-      destroy_session_from_sid(sid, drop: true, env: env)
+      sid = Rack::Session::SessionId.new(sid)
+      destroy_session_from_sid(sid.private_id, drop: true, env: env)
+      destroy_session_from_sid(sid.public_id, drop: true, env: env)
     end
     false
   end

data/redis-session-store.gemspec

@@ -15,7 +15,7 @@ Gem::Specification.new do |gem|
   gem.version = File.read('lib/redis-session-store.rb')
                     .match(/^  VERSION = '(.*)'/)[1]
 
-  gem.add_runtime_dependency 'actionpack', '>= 6', '< 8'
+  gem.add_runtime_dependency 'actionpack', '>= 5.2.4.1', '< 9'
   gem.add_runtime_dependency 'redis', '>= 3', '< 6'
 
   gem.add_development_dependency 'fakeredis', '~> 0.8'

data/spec/redis_session_store_spec.rb

@@ -157,7 +157,7 @@ describe RedisSessionStore do
     # https://github.com/rack/rack/blob/1.4.5/lib/rack/session/abstract/id.rb
 
     let(:env)          { double('env') }
-    let(:session_id)   { 12_345 }
+    let(:session_id)   { Rack::Session::SessionId.new('12 345') }
     let(:session_data) { double('session_data') }
     let(:options)      { { expire_after: 123 } }
 
@@ -217,7 +217,8 @@ describe RedisSessionStore do
   end
 
   describe 'checking for session existence' do
-    let(:session_id) { 'foo' }
+    let(:public_id) { 'foo' }
+    let(:session_id) { Rack::Session::SessionId.new(public_id) }
 
     before do
       allow(store).to receive(:current_session_id)
@@ -234,10 +235,9 @@ describe RedisSessionStore do
       end
 
       context 'when session id is empty string' do
-        let(:session_id) { '' }
+        let(:public_id) { '' }
 
         it 'returns false' do
-          allow(store).to receive(:current_session_id).with(:env).and_return('')
           expect(store.send(:session_exists?, :env)).to eq(false)
         end
       end
@@ -250,20 +250,46 @@ describe RedisSessionStore do
         end
       end
 
-      context 'when session id does not exist in redis' do
-        it 'returns false' do
-          expect(redis).to receive(:exists).with('foo').and_return(false)
-          expect(store.send(:session_exists?, :env)).to eq(false)
+      context 'when session private id does not exist in redis' do
+        context 'when session public id does not exist in redis' do
+          it 'returns false' do
+            expect(redis).to receive(:exists)
+              .with(session_id.private_id)
+              .and_return(false)
+            expect(redis).to receive(:exists).with('foo').and_return(false)
+            expect(store.send(:session_exists?, :env)).to eq(false)
+          end
+        end
+
+        context 'when session public id exists in redis' do
+          it 'returns true' do
+            expect(redis).to receive(:exists)
+              .with(session_id.private_id)
+              .and_return(false)
+            expect(redis).to receive(:exists).with('foo').and_return(true)
+            expect(store.send(:session_exists?, :env)).to eq(true)
+          end
         end
       end
 
-      context 'when session id exists in redis' do
+      context 'when session private id exists in redis' do
         it 'returns true' do
-          expect(redis).to receive(:exists).with('foo').and_return(true)
+          expect(redis).to receive(:exists)
+            .with(session_id.private_id)
+            .and_return(true)
           expect(store.send(:session_exists?, :env)).to eq(true)
         end
       end
 
+      context 'when session public id is formatted like a private id' do
+        let(:public_id) { Rack::Session::SessionId.new('foo').private_id }
+
+        it 'returns false' do
+          expect(redis).not_to receive(:exists)
+          expect(store.send(:session_exists?, :env)).to eq(false)
+        end
+      end
+
       context 'when redis is down' do
         it 'returns true (fallback to old behavior)' do
           allow(store).to receive(:redis).and_raise(Redis::CannotConnectError)
@@ -281,6 +307,7 @@ describe RedisSessionStore do
     end
 
     let(:fake_key) { 'thisisarediskey' }
+    let(:session_id) { Rack::Session::SessionId.new(fake_key) }
 
     describe 'generate_sid' do
       it 'generates a secure ID' do
@@ -289,13 +316,50 @@ describe RedisSessionStore do
       end
     end
 
-    it 'retrieves the prefixed key from redis' do
-      redis = double('redis')
-      allow(store).to receive(:redis).and_return(redis)
-      allow(store).to receive(:generate_sid).and_return(fake_key)
-      expect(redis).to receive(:get).with("#{options[:key_prefix]}#{fake_key}")
+    context 'when redis is up' do
+      let(:redis) { double('redis') }
+      let(:private_exists) { true }
+
+      before do
+        allow(store).to receive(:redis).and_return(redis)
+        allow(redis).to receive(:exists)
+          .with("#{options[:key_prefix]}#{session_id.private_id}")
+          .and_return(private_exists)
+      end
 
-      store.send(:get_session, double('env'), fake_key)
+      context 'when session private id exists in redis' do
+        it 'retrieves the prefixed private id from redis' do
+          expect(redis).to receive(:get).with("#{options[:key_prefix]}#{session_id.private_id}")
+
+          store.send(:get_session, double('env'), session_id)
+        end
+      end
+
+      context 'when session private id not found in redis' do
+        let(:private_exists) { false }
+
+        it 'retrieves the prefixed public id from redis' do
+          expect(redis).to receive(:get).with("#{options[:key_prefix]}#{fake_key}")
+
+          store.send(:get_session, double('env'), session_id)
+        end
+      end
+
+      context 'when session id is formatted like a private id' do
+        let(:fake_key) { Rack::Session::SessionId.new('anykey').private_id }
+        let(:new_sid) { Rack::Session::SessionId.new('newid') }
+
+        before do
+          allow(store).to receive(:generate_sid).and_return(new_sid)
+        end
+
+        it 'returns a default new session' do
+          expect(redis).not_to receive(:exists)
+          expect(redis).not_to receive(:get)
+          expect(store.send(:get_session, double('env'), session_id))
+            .to eq([new_sid, {}])
+        end
+      end
     end
 
     context 'when redis is down' do
@@ -305,12 +369,12 @@ describe RedisSessionStore do
       end
 
       it 'returns an empty session hash' do
-        expect(store.send(:get_session, double('env'), fake_key).last)
+        expect(store.send(:get_session, double('env'), session_id).last)
           .to eq({})
       end
 
       it 'returns a newly generated sid' do
-        expect(store.send(:get_session, double('env'), fake_key).first)
+        expect(store.send(:get_session, double('env'), session_id).first)
           .to eq('foop')
       end
 
@@ -319,7 +383,7 @@ describe RedisSessionStore do
 
         it 'explodes' do
           expect do
-            store.send(:get_session, double('env'), fake_key)
+            store.send(:get_session, double('env'), session_id)
           end.to raise_error(Redis::CannotConnectError)
         end
       end
@@ -331,6 +395,7 @@ describe RedisSessionStore do
       let(:env) { { 'rack.request.cookie_hash' => cookie_hash } }
       let(:cookie_hash) { double('cookie hash') }
       let(:fake_key) { 'thisisarediskey' }
+      let(:session_id) { Rack::Session::SessionId.new(fake_key) }
 
       before do
         allow(cookie_hash).to receive(:[]).and_return(fake_key)
@@ -341,6 +406,8 @@ describe RedisSessionStore do
         allow(store).to receive(:redis).and_return(redis)
         expect(redis).to receive(:del)
           .with("#{options[:key_prefix]}#{fake_key}")
+        expect(redis).to receive(:del)
+          .with("#{options[:key_prefix]}#{session_id.private_id}")
 
         store.send(:destroy, env)
       end
@@ -371,7 +438,8 @@ describe RedisSessionStore do
         redis = double('redis', setnx: true)
         allow(store).to receive(:redis).and_return(redis)
         sid = store.send(:generate_sid)
-        expect(redis).to receive(:del).with("#{options[:key_prefix]}#{sid}")
+        expect(redis).to receive(:del).with("#{options[:key_prefix]}#{sid.public_id}")
+        expect(redis).to receive(:del).with("#{options[:key_prefix]}#{sid.private_id}")
 
         store.send(:destroy_session, {}, sid, nil)
       end
@@ -380,7 +448,7 @@ describe RedisSessionStore do
 
   describe 'session encoding' do
     let(:env)          { double('env') }
-    let(:session_id)   { 12_345 }
+    let(:session_id)   { Rack::Session::SessionId.new('12 345') }
     let(:session_data) { { 'some' => 'data' } }
     let(:options)      { {} }
     let(:encoded_data) { Marshal.dump(session_data) }
@@ -393,11 +461,12 @@ describe RedisSessionStore do
 
     shared_examples_for 'serializer' do
       it 'encodes correctly' do
-        expect(redis).to receive(:set).with('12345', expected_encoding)
+        expect(redis).to receive(:set).with(session_id.private_id, expected_encoding)
         store.send(:set_session, env, session_id, session_data, options)
       end
 
       it 'decodes correctly' do
+        allow(redis).to receive(:exists).with(session_id.private_id).and_return(true)
         expect(store.send(:get_session, env, session_id))
           .to eq([session_id, session_data])
       end
@@ -548,7 +617,7 @@ describe RedisSessionStore do
   describe 'setting the session' do
     it 'allows changing the session' do
       env = { 'rack.session.options' => {} }
-      sid = 1234
+      sid = Rack::Session::SessionId.new('1234')
       allow(store).to receive(:redis).and_return(Redis.new)
       data1 = { 'foo' => 'bar' }
       store.send(:set_session, env, sid, data1)
@@ -560,7 +629,7 @@ describe RedisSessionStore do
 
     it 'allows changing the session when the session has an expiry' do
       env = { 'rack.session.options' => { expire_after: 60 } }
-      sid = 1234
+      sid = Rack::Session::SessionId.new('1234')
       allow(store).to receive(:redis).and_return(Redis.new)
       data1 = { 'foo' => 'bar' }
       store.send(:set_session, env, sid, data1)

data/spec/support.rb

@@ -11,10 +11,32 @@ unless defined?(Rack::Session::SessionId)
   module Rack
     module Session
       class SessionId
+        ID_VERSION = 2
+
         attr_reader :public_id
 
-        def initialize(_public_id)
-          @public_id
+        def initialize(public_id)
+          @public_id = public_id
+        end
+
+        alias to_s public_id
+
+        def empty?
+          false
+        end
+
+        def inspect
+          public_id.inspect
+        end
+
+        def private_id
+          "#{ID_VERSION}::#{hash_sid(public_id)}"
+        end
+
+        private
+
+        def hash_sid(value)
+          "test_hash_from:#{value}"
         end
       end
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: redis-session-store
 version: !ruby/object:Gem::Version
-  version: 0.11.5
+  version: 0.11.6
 platform: ruby
 authors:
 - Mathias Meyer
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-11-27 00:00:00.000000000 Z
+date: 2024-11-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -16,20 +16,20 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '6'
+        version: 5.2.4.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8'
+        version: '9'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '6'
+        version: 5.2.4.1
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8'
+        version: '9'
 - !ruby/object:Gem::Dependency
   name: redis
   requirement: !ruby/object:Gem::Requirement
@@ -197,7 +197,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.5.23
 signing_key:
 specification_version: 4
 summary: A drop-in replacement for e.g. MemCacheStore to store Rails sessions (and