roda-rails 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 3665d0f667c4ff1848e1cd9165f79e8d1af48161
+  data.tar.gz: 947dcb654cef59987556f8a702b55104f4149b93
+SHA512:
+  metadata.gz: 01473a39994fdfc89246dd71c2528cda834916bd09dfbd84e698a07b00ada1214efcc51ae78f4732e10820a79c3f9cd02ab9b7909faced661ce90deeeb5bad46
+  data.tar.gz: 84f7a70f815e31a297dbf93b598662f22a2c5f83b847a3f8e635add30c379c9e8befac5688e848c3fa369f130646ea7e974a7f0dbe5c8d0e2ddb183a1f0e15d4

data/MIT-LICENSE

@@ -0,0 +1,19 @@
+Copyright (c) 2016 Jeremy Evans
+Copyright (c) 2004-2016 David Heinemeier Hansson
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to
+deal in the Software without restriction, including without limitation the
+rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+sell copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+  
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+   
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,51 @@
+= roda-rails
+
+roda-rails offers integration for Roda when used as Rack middleware in a Rails
+application.  It allows the Roda middleware to use Rails flash handling as well
+as Rails' CSRF support.  Roda by default integrates with Rails' session support,
+since that just uses the standard Rack session protocol.
+
+Currently, only support for Rails 4.2 is included.  Pull requests for other
+Rails versions will be considered, in the form of a separate plugin per Rails
+minor version.
+
+Currently, there are no automated tests.  If you decide to use this in production,
+it may be a good idea to write automated tests for it and submit a pull request.
+
+= Installation
+
+  gem install roda-rails
+
+= Source Code
+
+Source code is available on GitHub at https://github.com/jeremyevans/roda-rails
+
+= Usage
+
+roda-rails currently includes a rails42 plugin, which you can load just like
+any other Roda plugin:
+
+  plugin :rails42
+
+The following plugin options are supported:
+
+:check_csrf :: A callable object that accepts the RodaRequest instance and returns
+               whether the CSRF token should be checked.  The default is to check
+               all non-GET requests.
+:invalid_csrf :: A callable object for the action to taken on an invalid CSRF token.
+                 The default is to set a 400 response status and halt.
+:csrf_key :: A callable object for how to get the submitted CSRF token.  The default
+             is to get it from the +authenticity_token+ request parameter.
+
+Methods offered:
+
+csrf_tag :: Return a string containing a hidden input tag containing the CSRF token.
+flash :: The Rails flash object associated with the current session.
+
+= License
+
+MIT
+
+= Author
+
+Jeremy Evans <code@jeremyevans.net>

data/lib/roda/plugins/rails42.rb

@@ -0,0 +1,113 @@
+class Roda
+  module RodaPlugins
+    module Rails42
+      Flash = ActionDispatch::Flash
+      AUTHENTICITY_TOKEN_LENGTH = 32
+      DEFAULT_CHECK_CSRF = lambda{|_| !r.is_get?}
+      DEFAULT_INVALID_CSRF = lambda do |r|
+        r.response.status = 400
+        r.halt
+      end
+      DEFAULT_CSRF_TOKEN = lambda{|r| r['authenticity_token']}
+
+      def self.configure(app, opts={})
+        opts = opts.dup
+        opts[:check_csrf] ||= DEFAULT_CHECK_CSRF
+        opts[:invalid_csrf] ||= DEFAULT_INVALID_CSRF
+        opts[:csrf_token] ||= DEFAULT_CSRF_TOKEN
+        app.opts[:rails] = opts
+      end
+
+      ### Rails 4.2 integration code, most code from Rails
+      module InstanceMethods
+        def call
+          catch(:halt) do
+            rails = self.class.opts[:rails]
+            r = request
+            if instance_exec(r, &rails[:check_csrf])
+              unless valid_authenticity_token?(session, instance_exec(r, &rails[:csrf_token]))
+                instance_exec(r, &rails[:invalid_csrf])
+              end
+            end
+
+            super
+          end
+        end
+
+        def flash
+          env[Flash::KEY] ||= Flash::FlashHash.from_session_value(session["flash"])
+        end
+
+        def csrf_tag
+          "<input type='hidden' name='authenticity_token' value=\"#{masked_authenticity_token(session)}\" />".html_safe
+        end
+
+        private
+
+        # Creates a masked version of the authenticity token that varies
+        # on each request. The masking is used to mitigate SSL attacks
+        # like BREACH.
+        def masked_authenticity_token(session)
+          one_time_pad = SecureRandom.random_bytes(AUTHENTICITY_TOKEN_LENGTH)
+          encrypted_csrf_token = xor_byte_strings(one_time_pad, real_csrf_token(session))
+          masked_token = one_time_pad + encrypted_csrf_token
+          Base64.strict_encode64(masked_token)
+        end
+
+        # Checks the client's masked token to see if it matches the
+        # session token. Essentially the inverse of
+        # +masked_authenticity_token+.
+        def valid_authenticity_token?(session, encoded_masked_token)
+          if encoded_masked_token.nil? || encoded_masked_token.empty? || !encoded_masked_token.is_a?(String)
+            return false
+          end
+
+          begin
+            masked_token = Base64.strict_decode64(encoded_masked_token)
+          rescue ArgumentError # encoded_masked_token is invalid Base64
+            return false
+          end
+
+          # See if it's actually a masked token or not. In order to
+          # deploy this code, we should be able to handle any unmasked
+          # tokens that we've issued without error.
+
+          if masked_token.length == AUTHENTICITY_TOKEN_LENGTH
+            # This is actually an unmasked token. This is expected if
+            # you have just upgraded to masked tokens, but should stop
+            # happening shortly after installing this gem
+            compare_with_real_token masked_token, session
+
+          elsif masked_token.length == AUTHENTICITY_TOKEN_LENGTH * 2
+            # Split the token into the one-time pad and the encrypted
+            # value and decrypt it
+            one_time_pad = masked_token[0...AUTHENTICITY_TOKEN_LENGTH]
+            encrypted_csrf_token = masked_token[AUTHENTICITY_TOKEN_LENGTH..-1]
+            csrf_token = xor_byte_strings(one_time_pad, encrypted_csrf_token)
+
+            compare_with_real_token csrf_token, session
+
+          else
+            false # Token is malformed
+          end
+        end
+
+        def compare_with_real_token(token, session)
+          ActiveSupport::SecurityUtils.secure_compare(token, real_csrf_token(session))
+        end
+
+        def real_csrf_token(session)
+          session[:_csrf_token] ||= SecureRandom.base64(AUTHENTICITY_TOKEN_LENGTH)
+          Base64.strict_decode64(session[:_csrf_token])
+        end
+
+        def xor_byte_strings(s1, s2)
+          s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
+        end
+      end
+    end
+
+    register_plugin(:rails42, Rails42)
+  end
+end
+

metadata

@@ -0,0 +1,78 @@
+--- !ruby/object:Gem::Specification
+name: roda-rails
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Jeremy Evans
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-04-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: roda
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.2.0
+description: |
+  roda-rails offers integration for Roda when used as Rack middleware in a Rails
+  application.  It allows the Roda middleware to use Rails flash handling as well
+  as Rails' CSRF support.
+email:
+- code@jeremyevans.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.rdoc
+- lib/roda/plugins/rails42.rb
+homepage: https://github.com/jeremyevans/roda-rails
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Integration for using Roda as Rack middleware in a Rails app
+test_files: []