RubyGems - roda - Versions diffs - 3.18.0 → 3.19.0 - Mend

roda 3.18.0 → 3.19.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

checksums.yaml +4 -4
data/CHANGELOG +24 -0
data/README.rdoc +7 -9
data/doc/conventions.rdoc +10 -10
data/doc/release_notes/3.19.0.txt +229 -0
data/lib/roda.rb +88 -45
data/lib/roda/plugins/assets.rb +11 -4
data/lib/roda/plugins/delay_build.rb +3 -30
data/lib/roda/plugins/empty_root.rb +1 -1
data/lib/roda/plugins/hash_routes.rb +455 -0
data/lib/roda/plugins/match_hook.rb +69 -0
data/lib/roda/plugins/multi_route.rb +4 -0
data/lib/roda/plugins/multi_view.rb +4 -0
data/lib/roda/plugins/optimized_string_matchers.rb +1 -1
data/lib/roda/plugins/sessions.rb +63 -16
data/lib/roda/plugins/static_routing.rb +7 -40
data/lib/roda/version.rb +1 -1
data/spec/define_roda_method_spec.rb +3 -0
data/spec/freeze_spec.rb +10 -1
data/spec/integration_spec.rb +1 -1
data/spec/plugin/assets_spec.rb +16 -0
data/spec/plugin/delay_build_spec.rb +2 -3
data/spec/plugin/hash_routes_spec.rb +535 -0
data/spec/plugin/match_hook_spec.rb +79 -0
data/spec/plugin/middleware_spec.rb +1 -0
data/spec/plugin/sessions_spec.rb +363 -320
metadata +8 -2

data/spec/plugin/match_hook_spec.rb ADDED Viewed

@@ -0,0 +1,79 @@
+require_relative "../spec_helper"
+describe "match hook plugin" do
+  it "matches verbs" do
+    matches = []
+    app(:bare) do
+      plugin :match_hook
+      match_hook do
+        matches << [request.matched_path, request.remaining_path]
+      end
+      route do |r|
+        r.on "foo" do
+          r.on "bar" do
+            r.get "baz" do
+              "fbb"
+            end
+            "fb"
+          end
+          "f"
+        end
+        r.get "bar" do
+          "b"
+        end
+        r.root do
+          "r"
+        end
+        "n"
+      end
+    end
+    body("/foo").must_equal 'f'
+    matches.must_equal [["/foo", ""]]
+    matches.clear
+    body("/foo/bar").must_equal 'fb'
+    matches.must_equal [["/foo", "/bar"], ["/foo/bar", ""]]
+    matches.clear
+    body("/foo/bar/baz").must_equal 'fbb'
+    matches.must_equal [["/foo", "/bar/baz"], ["/foo/bar", "/baz"], ["/foo/bar/baz", ""]]
+    matches.clear
+    body("/bar").must_equal 'b'
+    matches.must_equal [["/bar", ""]]
+    matches.clear
+    body.must_equal 'r'
+    matches.must_equal [["", "/"]]
+    matches.clear
+    body('/x').must_equal 'n'
+    matches.must_be_empty
+    matches.clear
+    body("/foo/baz").must_equal 'f'
+    matches.must_equal [["/foo", "/baz"]]
+    matches.clear
+    body("/foo/bar/bar").must_equal 'fb'
+    matches.must_equal [["/foo", "/bar/bar"], ["/foo/bar", "/bar"]]
+    app.match_hook{matches << :x }
+    matches.clear
+    body("/foo/bar/baz").must_equal 'fbb'
+    matches.must_equal [["/foo", "/bar/baz"], :x, ["/foo/bar", "/baz"], :x, ["/foo/bar/baz", ""], :x]
+    app.freeze
+    matches.clear
+    body("/foo/bar/baz").must_equal 'fbb'
+    matches.must_equal [["/foo", "/bar/baz"], :x, ["/foo/bar", "/baz"], :x, ["/foo/bar/baz", ""], :x]
+    app.opts[:match_hooks].must_be :frozen?
+  end
+end

data/spec/plugin/middleware_spec.rb CHANGED Viewed

@@ -91,6 +91,7 @@ describe "middleware plugin" do
       use a
       route{}
     end
+    body.must_equal 'a'
     a.opts[:a] = 'b'
     body.must_equal 'a'
   end

data/spec/plugin/sessions_spec.rb CHANGED Viewed

@@ -1,396 +1,439 @@
 require_relative "../spec_helper"
 if RUBY_VERSION >= '2'
-describe "sessions plugin" do
-  include CookieJar
+[true, false].each do |per_cookie_cipher_secret|
+  describe "sessions plugin with per_cookie_cipher_secret: #{per_cookie_cipher_secret}" do
+    include CookieJar
-  def req(path, opts={})
-    @errors ||= (errors = []; def errors.puts(s) self << s; end; errors)
-    super(path, opts.merge('rack.errors'=>@errors))
-  end
+    def req(path, opts={})
+      @errors ||= (errors = []; def errors.puts(s) self << s; end; errors)
+      super(path, opts.merge('rack.errors'=>@errors))
+    end
-  def errors
-    e = @errors.dup
-    @errors.clear
-    e
-  end
+    def errors
+      e = @errors.dup
+      @errors.clear
+      e
+    end
-  before do
-    app(:bare) do
-      plugin :sessions, :secret=>'1'*64
-      route do |r|
-        if r.GET['sut']
-          session
-          env['roda.session.updated_at'] -= r.GET['sut'].to_i if r.GET['sut']
+    before do
+      app(:bare) do
+        plugin :sessions, :secret=>'1'*64, :per_cookie_cipher_secret=>per_cookie_cipher_secret
+        route do |r|
+          if r.GET['sut']
+            session
+            env['roda.session.updated_at'] -= r.GET['sut'].to_i if r.GET['sut']
+          end
+          r.get('s', String, String){|k, v| session[k] = v}
+          r.get('g',  String){|k| session[k].to_s}
+          r.get('sct'){|i| session; env['roda.session.created_at'].to_s}
+          r.get('ssct', Integer){|i| session; (env['roda.session.created_at'] -= i).to_s}
+          r.get('sc'){session.clear; 'c'}
+          r.get('cs', String, String){|k, v| clear_session; session[k] = v}
+          ''
         end
-        r.get('s', String, String){|k, v| session[k] = v}
-        r.get('g',  String){|k| session[k].to_s}
-        r.get('sct'){|i| session; env['roda.session.created_at'].to_s}
-        r.get('ssct', Integer){|i| session; (env['roda.session.created_at'] -= i).to_s}
-        r.get('sc'){session.clear; 'c'}
-        r.get('cs', String, String){|k, v| clear_session; session[k] = v}
-        ''
       end
     end
-  end
-  it "requires appropriate :secret option" do
-    proc{app(:bare){plugin :sessions}}.must_raise Roda::RodaError
-    proc{app(:bare){plugin :sessions, :secret=>Object.new}}.must_raise Roda::RodaError
-    proc{app(:bare){plugin :sessions, :secret=>'1'*63}}.must_raise Roda::RodaError
-  end
+    it "requires appropriate :secret option" do
+      proc{app(:bare){plugin :sessions}}.must_raise Roda::RodaError
+      proc{app(:bare){plugin :sessions, :secret=>Object.new}}.must_raise Roda::RodaError
+      proc{app(:bare){plugin :sessions, :secret=>'1'*63}}.must_raise Roda::RodaError
+    end
-  it "has session store data between requests" do
-    req('/').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"0"}, [""]]
-    body('/s/foo/bar').must_equal 'bar'
-    body('/g/foo').must_equal 'bar'
+    it "has session store data between requests" do
+      req('/').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"0"}, [""]]
+      body('/s/foo/bar').must_equal 'bar'
+      body('/g/foo').must_equal 'bar'
-    body('/s/foo/baz').must_equal 'baz'
-    body('/g/foo').must_equal 'baz'
+      body('/s/foo/baz').must_equal 'baz'
+      body('/g/foo').must_equal 'baz'
-    body("/s/foo/\u1234").must_equal "\u1234"
-    body("/g/foo").must_equal "\u1234"
+      body("/s/foo/\u1234").must_equal "\u1234"
+      body("/g/foo").must_equal "\u1234"
-    errors.must_equal []
-  end
+      errors.must_equal []
+    end
-  it "does not add Set-Cookie header if session does not change, unless outside :skip_within seconds" do
-    req('/').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"0"}, [""]]
-    _, h, b = req('/s/foo/bar')
-    h['Set-Cookie'].must_match(/\Aroda.session/)
-    b.must_equal ["bar"]
-    req('/g/foo').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"3"}, ["bar"]]
-    req('/s/foo/bar').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"3"}, ["bar"]]
-    _, h, b = req('/s/foo/baz')
-    h['Set-Cookie'].must_match(/\Aroda.session/)
-    b.must_equal ["baz"]
-    req('/g/foo').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"3"}, ["baz"]]
-    req('/g/foo', 'QUERY_STRING'=>'sut=3500').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"3"}, ["baz"]]
-    _, h, b = req('/g/foo', 'QUERY_STRING'=>'sut=3700')
-    h['Set-Cookie'].must_match(/\Aroda.session/)
-    b.must_equal ["baz"]
-    @app.plugin(:sessions, :skip_within=>3800)
-    req('/g/foo', 'QUERY_STRING'=>'sut=3700').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"3"}, ["baz"]]
-    _, h, b = req('/g/foo', 'QUERY_STRING'=>'sut=3900')
-    h['Set-Cookie'].must_match(/\Aroda.session/)
-    b.must_equal ["baz"]
-    errors.must_equal []
-  end
+    it "supports loading sessions created when per_cookie_cipher_secret: #{!per_cookie_cipher_secret} " do
+      req('/').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"0"}, [""]]
+      body('/s/foo/bar').must_equal 'bar'
+      body('/g/foo').must_equal 'bar'
-  it "removes session cookie when session is submitted but empty after request" do
-    body('/s/foo/bar').must_equal 'bar'
-    sct = body('/sct').to_i
-    body('/g/foo').must_equal 'bar'
+      app.plugin :sessions, :per_cookie_cipher_secret=>!per_cookie_cipher_secret
-    _, h, b = req('/sc')
+      body('/s/foo/baz').must_equal 'baz'
+      body('/g/foo').must_equal 'baz'
-    # Parameters can come in any order, and only the final parameter may omit the ;
-    ['roda.session=', 'max-age=0', 'path=/'].each do |param|
-      h['Set-Cookie'].must_match /#{Regexp.escape(param)}(;|\z)/
+      errors.must_equal []
     end
-    h['Set-Cookie'].must_match /expires=Thu, 01 Jan 1970 00:00:00 (-0000|GMT)(;|\z)/
-    b.must_equal ['c']
+    it "does not add Set-Cookie header if session does not change, unless outside :skip_within seconds" do
+      req('/').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"0"}, [""]]
+      _, h, b = req('/s/foo/bar')
+      h['Set-Cookie'].must_match(/\Aroda.session/)
+      b.must_equal ["bar"]
+      req('/g/foo').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"3"}, ["bar"]]
+      req('/s/foo/bar').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"3"}, ["bar"]]
+      _, h, b = req('/s/foo/baz')
+      h['Set-Cookie'].must_match(/\Aroda.session/)
+      b.must_equal ["baz"]
+      req('/g/foo').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"3"}, ["baz"]]
+      req('/g/foo', 'QUERY_STRING'=>'sut=3500').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"3"}, ["baz"]]
+      _, h, b = req('/g/foo', 'QUERY_STRING'=>'sut=3700')
+      h['Set-Cookie'].must_match(/\Aroda.session/)
+      b.must_equal ["baz"]
+      @app.plugin(:sessions, :skip_within=>3800)
+      req('/g/foo', 'QUERY_STRING'=>'sut=3700').must_equal [200, {"Content-Type"=>"text/html", "Content-Length"=>"3"}, ["baz"]]
+      _, h, b = req('/g/foo', 'QUERY_STRING'=>'sut=3900')
+      h['Set-Cookie'].must_match(/\Aroda.session/)
+      b.must_equal ["baz"]
+      errors.must_equal []
+    end
-    errors.must_equal []
-  end
+    it "removes session cookie when session is submitted but empty after request" do
+      body('/s/foo/bar').must_equal 'bar'
+      sct = body('/sct').to_i
+      body('/g/foo').must_equal 'bar'
-  it "removes session cookie even when max-age and expires are in cookie options" do
-    app.plugin :sessions, :cookie_options=>{:max_age=>'1000', :expires=>Time.now+1000}
-    body('/s/foo/bar').must_equal 'bar'
-    sct = body('/sct').to_i
-    body('/g/foo').must_equal 'bar'
+      _, h, b = req('/sc')
-    _, h, b = req('/sc')
+      # Parameters can come in any order, and only the final parameter may omit the ;
+      ['roda.session=', 'max-age=0', 'path=/'].each do |param|
+        h['Set-Cookie'].must_match /#{Regexp.escape(param)}(;|\z)/
+      end
+      h['Set-Cookie'].must_match /expires=Thu, 01 Jan 1970 00:00:00 (-0000|GMT)(;|\z)/
+      b.must_equal ['c']
-    # Parameters can come in any order, and only the final parameter may omit the ;
-    ['roda.session=', 'max-age=0', 'path=/'].each do |param|
-      h['Set-Cookie'].must_match /#{Regexp.escape(param)}(;|\z)/
+      errors.must_equal []
     end
-    h['Set-Cookie'].must_match /expires=Thu, 01 Jan 1970 00:00:00 (-0000|GMT)(;|\z)/
-    b.must_equal ['c']
+    it "removes session cookie even when max-age and expires are in cookie options" do
+      app.plugin :sessions, :cookie_options=>{:max_age=>'1000', :expires=>Time.now+1000}
+      body('/s/foo/bar').must_equal 'bar'
+      sct = body('/sct').to_i
+      body('/g/foo').must_equal 'bar'
-    errors.must_equal []
-  end
+      _, h, b = req('/sc')
-  it "sets new session create time when clear_session is called even when session is not empty when serializing" do
-    body('/s/foo/bar').must_equal 'bar'
-    sct = body('/sct').to_i
-    body('/g/foo').must_equal 'bar'
-    body('/sct').to_i.must_equal sct
-    body('/ssct/10').to_i.must_equal(sct - 10)
+      # Parameters can come in any order, and only the final parameter may omit the ;
+      ['roda.session=', 'max-age=0', 'path=/'].each do |param|
+        h['Set-Cookie'].must_match /#{Regexp.escape(param)}(;|\z)/
+      end
+      h['Set-Cookie'].must_match /expires=Thu, 01 Jan 1970 00:00:00 (-0000|GMT)(;|\z)/
-    body('/cs/foo/baz').must_equal 'baz'
-    body('/sct').to_i.must_be :>=, sct
+      b.must_equal ['c']
-    errors.must_equal []
-  end
+      errors.must_equal []
+    end
-  it "should include HttpOnly and secure cookie options appropriately" do
-    h = header('Set-Cookie', '/s/foo/bar')
-    h.must_include('; HttpOnly')
-    h.wont_include('; secure')
+    it "sets new session create time when clear_session is called even when session is not empty when serializing" do
+      body('/s/foo/bar').must_equal 'bar'
+      sct = body('/sct').to_i
+      body('/g/foo').must_equal 'bar'
+      body('/sct').to_i.must_equal sct
+      body('/ssct/10').to_i.must_equal(sct - 10)
-    h = header('Set-Cookie', '/s/foo/baz', 'HTTPS'=>'on')
-    h.must_include('; HttpOnly')
-    h.must_include('; secure')
+      body('/cs/foo/baz').must_equal 'baz'
+      body('/sct').to_i.must_be :>=, sct
-    @app.plugin(:sessions, :cookie_options=>{})
-    h = header('Set-Cookie', '/s/foo/bar')
-    h.must_include('; HttpOnly')
-    h.wont_include('; secure')
-  end
+      errors.must_equal []
+    end
-  it "should merge :cookie_options options into the default cookie options" do
-    @app.plugin(:sessions, :cookie_options=>{:secure=>true})
-    h = header('Set-Cookie', '/s/foo/bar')
-    h.must_include('; HttpOnly')
-    h.must_include('; path=/')
-    h.must_include('; secure')
-  end
+    it "should include HttpOnly and secure cookie options appropriately" do
+      h = header('Set-Cookie', '/s/foo/bar')
+      h.must_include('; HttpOnly')
+      h.wont_include('; secure')
+      h = header('Set-Cookie', '/s/foo/baz', 'HTTPS'=>'on')
+      h.must_include('; HttpOnly')
+      h.must_include('; secure')
-  it "handles secret rotation using :old_secret option" do
-    body('/s/foo/bar').must_equal 'bar'
-    body('/g/foo').must_equal 'bar'
+      @app.plugin(:sessions, :cookie_options=>{})
+      h = header('Set-Cookie', '/s/foo/bar')
+      h.must_include('; HttpOnly')
+      h.wont_include('; secure')
+    end
+    it "should merge :cookie_options options into the default cookie options" do
+      @app.plugin(:sessions, :cookie_options=>{:secure=>true})
+      h = header('Set-Cookie', '/s/foo/bar')
+      h.must_include('; HttpOnly')
+      h.must_include('; path=/')
+      h.must_include('; secure')
+    end
-    old_cookie = @cookie
-    @app.plugin(:sessions, :secret=>'2'*64, :old_secret=>'1'*64)
-    body('/g/foo', 'QUERY_STRING'=>'sut=3700').must_equal 'bar'
+    it "handles secret rotation using :old_secret option" do
+      body('/s/foo/bar').must_equal 'bar'
+      body('/g/foo').must_equal 'bar'
-    @app.plugin(:sessions, :secret=>'2'*64, :old_secret=>nil)
-    body('/g/foo', 'QUERY_STRING'=>'sut=3700').must_equal 'bar'
+      old_cookie = @cookie
+      @app.plugin(:sessions, :secret=>'2'*64, :old_secret=>'1'*64)
+      body('/g/foo', 'QUERY_STRING'=>'sut=3700').must_equal 'bar'
-    @cookie = old_cookie
-    body('/g/foo').must_equal ''
-    errors.must_equal ["Not decoding session: HMAC invalid"]
+      @app.plugin(:sessions, :secret=>'2'*64, :old_secret=>nil)
+      body('/g/foo', 'QUERY_STRING'=>'sut=3700').must_equal 'bar'
-    proc{app(:bare){plugin :sessions, :old_secret=>'1'*63}}.must_raise Roda::RodaError
-    proc{app(:bare){plugin :sessions, :old_secret=>Object.new}}.must_raise Roda::RodaError
-  end
+      @cookie = old_cookie
+      body('/g/foo').must_equal ''
+      errors.must_equal ["Not decoding session: HMAC invalid"]
-  it "pads data by default to make it more difficult to guess session contents based on size" do
-    long = "bar"*35
-    _, h1, b = req('/s/foo/bar')
-    b.must_equal ['bar']
-    _, h2, b = req('/s/foo/bar', 'QUERY_STRING'=>'sut=3700')
-    b.must_equal ['bar']
-    _, h3, b = req('/s/foo/bar2')
-    b.must_equal ['bar2']
-    _, h4, b = req("/s/foo/#{long}")
-    b.must_equal [long]
-    h1['Set-Cookie'].length.must_equal h2['Set-Cookie'].length
-    h1['Set-Cookie'].wont_equal h2['Set-Cookie']
-    h1['Set-Cookie'].length.must_equal h3['Set-Cookie'].length
-    h1['Set-Cookie'].wont_equal h3['Set-Cookie']
-    h1['Set-Cookie'].length.wont_equal h4['Set-Cookie'].length
-    @app.plugin(:sessions, :pad_size=>256)
-    _, h1, b = req('/s/foo/bar')
-    b.must_equal ['bar']
-    _, h2, b = req('/s/foo/bar', 'QUERY_STRING'=>'sut=3700')
-    b.must_equal ['bar']
-    _, h3, b = req('/s/foo/bar2')
-    b.must_equal ['bar2']
-    _, h4, b = req("/s/foo/#{long}")
-    b.must_equal [long]
-    h1['Set-Cookie'].length.must_equal h2['Set-Cookie'].length
-    h1['Set-Cookie'].wont_equal h2['Set-Cookie']
-    h1['Set-Cookie'].length.must_equal h3['Set-Cookie'].length
-    h1['Set-Cookie'].wont_equal h3['Set-Cookie']
-    h1['Set-Cookie'].length.must_equal h4['Set-Cookie'].length
-    h1['Set-Cookie'].wont_equal h3['Set-Cookie']
-    @app.plugin(:sessions, :pad_size=>nil)
-    _, h1, b = req('/s/foo/bar')
-    b.must_equal ['bar']
-    _, h2, b = req('/s/foo/bar', 'QUERY_STRING'=>'sut=3700')
-    b.must_equal ['bar']
-    _, h3, b = req('/s/foo/bar2')
-    b.must_equal ['bar2']
-    h1['Set-Cookie'].length.must_equal h2['Set-Cookie'].length
-    h1['Set-Cookie'].wont_equal h2['Set-Cookie']
-    if !defined?(JRUBY_VERSION) || JRUBY_VERSION >= '9.2'
-      h1['Set-Cookie'].length.wont_equal h3['Set-Cookie'].length
+      proc{app(:bare){plugin :sessions, :old_secret=>'1'*63}}.must_raise Roda::RodaError
+      proc{app(:bare){plugin :sessions, :old_secret=>Object.new}}.must_raise Roda::RodaError
     end
-    proc{@app.plugin(:sessions, :pad_size=>0)}.must_raise Roda::RodaError
-    proc{@app.plugin(:sessions, :pad_size=>1)}.must_raise Roda::RodaError
-    proc{@app.plugin(:sessions, :pad_size=>Object.new)}.must_raise Roda::RodaError
+    it "handles secret rotation using :old_secret option when also changing :per_cookie_cipher_secret option" do
+      body('/s/foo/bar').must_equal 'bar'
+      body('/g/foo').must_equal 'bar'
-    errors.must_equal []
-  end
+      old_cookie = @cookie
+      @app.plugin(:sessions, :secret=>'2'*64, :old_secret=>'1'*64, :per_cookie_cipher_secret=>!per_cookie_cipher_secret)
-  it "compresses data over a certain size by default" do
-    long = 'b'*8192
-    proc{body("/s/foo/#{long}")}.must_raise Roda::RodaPlugins::Sessions::CookieTooLarge
+      body('/g/foo', 'QUERY_STRING'=>'sut=3700').must_equal 'bar'
-    @app.plugin(:sessions, :gzip_over=>8000)
-    body("/s/foo/#{long}").must_equal long
-    body("/g/foo", 'QUERY_STRING'=>'sut=3700').must_equal long
+      @app.plugin(:sessions, :secret=>'2'*64, :old_secret=>nil)
+      body('/g/foo', 'QUERY_STRING'=>'sut=3700').must_equal 'bar'
-    @app.plugin(:sessions, :gzip_over=>15000)
-    proc{body("/g/foo", 'QUERY_STRING'=>'sut=3700')}.must_raise Roda::RodaPlugins::Sessions::CookieTooLarge
+      @cookie = old_cookie
+      body('/g/foo').must_equal ''
+      errors.must_equal ["Not decoding session: HMAC invalid"]
-    errors.must_equal []
-  end
+      proc{app(:bare){plugin :sessions, :old_secret=>'1'*63}}.must_raise Roda::RodaError
+      proc{app(:bare){plugin :sessions, :old_secret=>Object.new}}.must_raise Roda::RodaError
+    end
-  it "raises CookieTooLarge if cookie is too large" do
-    proc{req('/s/foo/'+Base64.urlsafe_encode64(SecureRandom.random_bytes(8192)))}.must_raise Roda::RodaPlugins::Sessions::CookieTooLarge
-  end
+    it "pads data by default to make it more difficult to guess session contents based on size" do
+      long = "bar"*35
+      _, h1, b = req('/s/foo/bar')
+      b.must_equal ['bar']
+      _, h2, b = req('/s/foo/bar', 'QUERY_STRING'=>'sut=3700')
+      b.must_equal ['bar']
+      _, h3, b = req('/s/foo/bar2')
+      b.must_equal ['bar2']
+      _, h4, b = req("/s/foo/#{long}")
+      b.must_equal [long]
+      h1['Set-Cookie'].length.must_equal h2['Set-Cookie'].length
+      h1['Set-Cookie'].wont_equal h2['Set-Cookie']
+      h1['Set-Cookie'].length.must_equal h3['Set-Cookie'].length
+      h1['Set-Cookie'].wont_equal h3['Set-Cookie']
+      h1['Set-Cookie'].length.wont_equal h4['Set-Cookie'].length
+      @app.plugin(:sessions, :pad_size=>256)
+      _, h1, b = req('/s/foo/bar')
+      b.must_equal ['bar']
+      _, h2, b = req('/s/foo/bar', 'QUERY_STRING'=>'sut=3700')
+      b.must_equal ['bar']
+      _, h3, b = req('/s/foo/bar2')
+      b.must_equal ['bar2']
+      _, h4, b = req("/s/foo/#{long}")
+      b.must_equal [long]
+      h1['Set-Cookie'].length.must_equal h2['Set-Cookie'].length
+      h1['Set-Cookie'].wont_equal h2['Set-Cookie']
+      h1['Set-Cookie'].length.must_equal h3['Set-Cookie'].length
+      h1['Set-Cookie'].wont_equal h3['Set-Cookie']
+      h1['Set-Cookie'].length.must_equal h4['Set-Cookie'].length
+      h1['Set-Cookie'].wont_equal h3['Set-Cookie']
+      @app.plugin(:sessions, :pad_size=>nil)
+      _, h1, b = req('/s/foo/bar')
+      b.must_equal ['bar']
+      _, h2, b = req('/s/foo/bar', 'QUERY_STRING'=>'sut=3700')
+      b.must_equal ['bar']
+      _, h3, b = req('/s/foo/bar2')
+      b.must_equal ['bar2']
+      h1['Set-Cookie'].length.must_equal h2['Set-Cookie'].length
+      h1['Set-Cookie'].wont_equal h2['Set-Cookie']
+      if !defined?(JRUBY_VERSION) || JRUBY_VERSION >= '9.2'
+        h1['Set-Cookie'].length.wont_equal h3['Set-Cookie'].length
+      end
-  it "ignores session cookies if session exceeds max time since create" do
-    body("/s/foo/bar").must_equal 'bar'
-    body("/g/foo").must_equal 'bar'
+      proc{@app.plugin(:sessions, :pad_size=>0)}.must_raise Roda::RodaError
+      proc{@app.plugin(:sessions, :pad_size=>1)}.must_raise Roda::RodaError
+      proc{@app.plugin(:sessions, :pad_size=>Object.new)}.must_raise Roda::RodaError
-    @app.plugin(:sessions, :max_seconds=>-1)
-    body("/g/foo").must_equal ''
-    errors.must_equal ["Not returning session: maximum session time expired"]
+      errors.must_equal []
+    end
-    @app.plugin(:sessions, :max_seconds=>10)
-    body("/s/foo/bar").must_equal 'bar'
-    body("/g/foo").must_equal 'bar'
+    it "compresses data over a certain size by default" do
+      long = 'b'*8192
+      proc{body("/s/foo/#{long}")}.must_raise Roda::RodaPlugins::Sessions::CookieTooLarge
-    errors.must_equal []
-  end
+      @app.plugin(:sessions, :gzip_over=>8000)
+      body("/s/foo/#{long}").must_equal long
+      body("/g/foo", 'QUERY_STRING'=>'sut=3700').must_equal long
-  it "ignores session cookies if session exceeds max idle time since update" do
-    body("/s/foo/bar").must_equal 'bar'
-    body("/g/foo").must_equal 'bar'
+      @app.plugin(:sessions, :gzip_over=>15000)
+      proc{body("/g/foo", 'QUERY_STRING'=>'sut=3700')}.must_raise Roda::RodaPlugins::Sessions::CookieTooLarge
-    @app.plugin(:sessions, :max_idle_seconds=>-1)
-    body("/g/foo").must_equal ''
-    errors.must_equal ["Not returning session: maximum session idle time expired"]
+      errors.must_equal []
+    end
-    @app.plugin(:sessions, :max_idle_seconds=>10)
-    body("/s/foo/bar").must_equal 'bar'
-    body("/g/foo").must_equal 'bar'
+    it "raises CookieTooLarge if cookie is too large" do
+      proc{req('/s/foo/'+Base64.urlsafe_encode64(SecureRandom.random_bytes(8192)))}.must_raise Roda::RodaPlugins::Sessions::CookieTooLarge
+    end
-    errors.must_equal []
-  end
+    it "ignores session cookies if session exceeds max time since create" do
+      body("/s/foo/bar").must_equal 'bar'
+      body("/g/foo").must_equal 'bar'
-  it "supports :serializer and :parser options to override serializer/deserializer" do
-    body('/s/foo/bar').must_equal 'bar'
+      @app.plugin(:sessions, :max_seconds=>-1)
+      body("/g/foo").must_equal ''
+      errors.must_equal ["Not returning session: maximum session time expired"]
-    @app.plugin(:sessions, :parser=>proc{|s| JSON.parse("{#{s[1...-1].reverse}}")})
-    body('/g/rab').must_equal 'oof'
+      @app.plugin(:sessions, :max_seconds=>10)
+      body("/s/foo/bar").must_equal 'bar'
+      body("/g/foo").must_equal 'bar'
-    @app.plugin(:sessions, :serializer=>proc{|s| s.to_json.upcase})
+      errors.must_equal []
+    end
-    body('/s/foo/baz').must_equal 'baz'
-    body('/g/ZAB').must_equal 'OOF'
+    it "ignores session cookies if session exceeds max idle time since update" do
+      body("/s/foo/bar").must_equal 'bar'
+      body("/g/foo").must_equal 'bar'
-    errors.must_equal []
-  end
+      @app.plugin(:sessions, :max_idle_seconds=>-1)
+      body("/g/foo").must_equal ''
+      errors.must_equal ["Not returning session: maximum session idle time expired"]
-  it "logs session decoding errors to rack.errors" do
-    body('/s/foo/bar').must_equal 'bar'
-    c = @cookie.dup
-    k = c.split('=', 2)[0] + '='
+      @app.plugin(:sessions, :max_idle_seconds=>10)
+      body("/s/foo/bar").must_equal 'bar'
+      body("/g/foo").must_equal 'bar'
-    @cookie[20] = '!'
-    body('/g/foo').must_equal ''
-    errors.must_equal ["Unable to decode session: invalid base64"]
+      errors.must_equal []
+    end
-    @cookie = k+Base64.urlsafe_encode64('1'*60)
-    body('/g/foo').must_equal ''
-    errors.must_equal ["Unable to decode session: data too short"]
+    it "supports :serializer and :parser options to override serializer/deserializer" do
+      body('/s/foo/bar').must_equal 'bar'
-    @cookie = k+Base64.urlsafe_encode64('1'*75)
-    body('/g/foo').must_equal ''
-    errors.must_equal ["Unable to decode session: version marker unsupported"]
+      @app.plugin(:sessions, :parser=>proc{|s| JSON.parse("{#{s[1...-1].reverse}}")})
+      body('/g/rab').must_equal 'oof'
-    @cookie = k+Base64.urlsafe_encode64("\0"*75)
-    body('/g/foo').must_equal ''
-    errors.must_equal ["Not decoding session: HMAC invalid"]
-  end
-end
+      @app.plugin(:sessions, :serializer=>proc{|s| s.to_json.upcase})
-describe "sessions plugin" do
-  include CookieJar
+      body('/s/foo/baz').must_equal 'baz'
+      body('/g/ZAB').must_equal 'OOF'
-  def req(path, opts={})
-    @errors ||= (errors = []; def errors.puts(s) self << s; end; errors)
-    super(path, opts.merge('rack.errors'=>@errors))
-  end
+      errors.must_equal []
+    end
+    it "logs session decoding errors to rack.errors" do
+      body('/s/foo/bar').must_equal 'bar'
+      c = @cookie.dup
+      k = c.split('=', 2)[0] + '='
-  def errors
-    e = @errors.dup
-    @errors.clear
-    e
+      @cookie[20] = '!'
+      body('/g/foo').must_equal ''
+      errors.must_equal ["Unable to decode session: invalid base64"]
+      @cookie = k+Base64.urlsafe_encode64('')
+      body('/g/foo').must_equal ''
+      errors.must_equal ["Unable to decode session: no data"]
+      @cookie = k+Base64.urlsafe_encode64("\0" * 60)
+      body('/g/foo').must_equal ''
+      errors.must_equal ["Unable to decode session: data too short"]
+      @cookie = k+Base64.urlsafe_encode64("\1" * 92)
+      body('/g/foo').must_equal ''
+      errors.must_equal ["Unable to decode session: data too short"]
+      @cookie = k+Base64.urlsafe_encode64('1'*75)
+      body('/g/foo').must_equal ''
+      errors.must_equal ["Unable to decode session: version marker unsupported"]
+      @cookie = k+Base64.urlsafe_encode64("\0"*75)
+      body('/g/foo').must_equal ''
+      errors.must_equal ["Not decoding session: HMAC invalid"]
+    end
   end
-  it "supports transparent upgrade from Rack::Session::Cookie with default HMAC and coder" do
-    app(:bare) do
-      use Rack::Session::Cookie, :secret=>'1'
-      plugin :middleware_stack
-      route do |r|
-        r.get('s', String, String){|k, v| session[k] = {:a=>v}; v}
-        r.get('g',  String){|k| session[k].inspect}
-        ''
-      end
+  describe "sessions plugin" do
+    include CookieJar
+    def req(path, opts={})
+      @errors ||= (errors = []; def errors.puts(s) self << s; end; errors)
+      super(path, opts.merge('rack.errors'=>@errors))
+    end
+    def errors
+      e = @errors.dup
+      @errors.clear
+      e
     end
-    _, h, b = req('/s/foo/bar')
-    (h['Set-Cookie'] =~ /\A(rack\.session=.*); path=\/; HttpOnly\z/).must_equal 0
-    c = $1
-    b.must_equal ['bar']
-    _, h, b = req('/g/foo')
-    h['Set-Cookie'].must_be_nil
-    b.must_equal ['{:a=>"bar"}']
-    @app.plugin :sessions, :secret=>'1'*64,
-                :upgrade_from_rack_session_cookie_secret=>'1'
-    @app.middleware_stack.remove{|m, *| m == Rack::Session::Cookie}
-    @cookie = c.dup
-    @cookie.slice!(15)
-    body('/g/foo').must_equal 'nil'
-    errors.must_equal ["Not decoding Rack::Session::Cookie session: HMAC invalid"]
-    @cookie = c.split('--', 2)[0]
-    body('/g/foo').must_equal 'nil'
-    errors.must_equal ["Not decoding Rack::Session::Cookie session: invalid format"]
-    @cookie = c.split('--', 2)[0][13..-1]
-    @cookie = Rack::Utils.unescape(@cookie).unpack('m')[0]
-    @cookie[2] = "^"
-    @cookie = [@cookie].pack('m')
-    cookie = String.new
-    cookie << 'rack.session=' << @cookie << '--' << OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, '1', @cookie)
-    @cookie = cookie
-    body('/g/foo').must_equal 'nil'
-    errors.must_equal ["Error decoding Rack::Session::Cookie session: not base64 encoded marshal dump"]
-    @cookie = c
-    _, h, b = req('/g/foo')
-    h['Set-Cookie'].must_match(/\Aroda\.session=(.*); path=\/; HttpOnly(; SameSite=Lax)?\nrack\.session=; path=\/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00/m)
-    b.must_equal ['{"a"=>"bar"}']
-    @app.plugin :sessions, :cookie_options=>{:path=>'/foo'}, :upgrade_from_rack_session_cookie_options=>{}
-    @cookie = c
-    _, h, b = req('/g/foo')
-    h['Set-Cookie'].must_match(/\Aroda\.session=(.*); path=\/foo; HttpOnly(; SameSite=Lax)?\nrack\.session=; path=\/foo; max-age=0; expires=Thu, 01 Jan 1970 00:00:00/m)
-    b.must_equal ['{"a"=>"bar"}']
-    @app.plugin :sessions, :upgrade_from_rack_session_cookie_options=>{:path=>'/baz'}
-    @cookie = c
-    _, h, b = req('/g/foo')
-    h['Set-Cookie'].must_match(/\Aroda\.session=(.*); path=\/foo; HttpOnly(; SameSite=Lax)?\nrack\.session=; path=\/baz; max-age=0; expires=Thu, 01 Jan 1970 00:00:00/m)
-    b.must_equal ['{"a"=>"bar"}']
-    @app.plugin :sessions, :upgrade_from_rack_session_cookie_key=>'quux.session'
-    @cookie = c.sub(/\Arack/, 'quux')
-    _, h, b = req('/g/foo')
-    h['Set-Cookie'].must_match(/\Aroda\.session=(.*); path=\/foo; HttpOnly(; SameSite=Lax)?\nquux\.session=; path=\/baz; max-age=0; expires=Thu, 01 Jan 1970 00:00:00/m)
-    b.must_equal ['{"a"=>"bar"}']
+    it "supports transparent upgrade from Rack::Session::Cookie with default HMAC and coder" do
+      app(:bare) do
+        use Rack::Session::Cookie, :secret=>'1'
+        plugin :middleware_stack
+        route do |r|
+          r.get('s', String, String){|k, v| session[k] = {:a=>v}; v}
+          r.get('g',  String){|k| session[k].inspect}
+          ''
+        end
+      end
+      _, h, b = req('/s/foo/bar')
+      (h['Set-Cookie'] =~ /\A(rack\.session=.*); path=\/; HttpOnly\z/).must_equal 0
+      c = $1
+      b.must_equal ['bar']
+      _, h, b = req('/g/foo')
+      h['Set-Cookie'].must_be_nil
+      b.must_equal ['{:a=>"bar"}']
+      @app.plugin :sessions, :secret=>'1'*64,
+                  :upgrade_from_rack_session_cookie_secret=>'1'
+      @app.middleware_stack.remove{|m, *| m == Rack::Session::Cookie}
+      @cookie = c.dup
+      @cookie.slice!(15)
+      body('/g/foo').must_equal 'nil'
+      errors.must_equal ["Not decoding Rack::Session::Cookie session: HMAC invalid"]
+      @cookie = c.split('--', 2)[0]
+      body('/g/foo').must_equal 'nil'
+      errors.must_equal ["Not decoding Rack::Session::Cookie session: invalid format"]
+      @cookie = c.split('--', 2)[0][13..-1]
+      @cookie = Rack::Utils.unescape(@cookie).unpack('m')[0]
+      @cookie[2] = "^"
+      @cookie = [@cookie].pack('m')
+      cookie = String.new
+      cookie << 'rack.session=' << @cookie << '--' << OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, '1', @cookie)
+      @cookie = cookie
+      body('/g/foo').must_equal 'nil'
+      errors.must_equal ["Error decoding Rack::Session::Cookie session: not base64 encoded marshal dump"]
+      @cookie = c
+      _, h, b = req('/g/foo')
+      h['Set-Cookie'].must_match(/\Aroda\.session=(.*); path=\/; HttpOnly(; SameSite=Lax)?\nrack\.session=; path=\/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00/m)
+      b.must_equal ['{"a"=>"bar"}']
+      @app.plugin :sessions, :cookie_options=>{:path=>'/foo'}, :upgrade_from_rack_session_cookie_options=>{}
+      @cookie = c
+      _, h, b = req('/g/foo')
+      h['Set-Cookie'].must_match(/\Aroda\.session=(.*); path=\/foo; HttpOnly(; SameSite=Lax)?\nrack\.session=; path=\/foo; max-age=0; expires=Thu, 01 Jan 1970 00:00:00/m)
+      b.must_equal ['{"a"=>"bar"}']
+      @app.plugin :sessions, :upgrade_from_rack_session_cookie_options=>{:path=>'/baz'}
+      @cookie = c
+      _, h, b = req('/g/foo')
+      h['Set-Cookie'].must_match(/\Aroda\.session=(.*); path=\/foo; HttpOnly(; SameSite=Lax)?\nrack\.session=; path=\/baz; max-age=0; expires=Thu, 01 Jan 1970 00:00:00/m)
+      b.must_equal ['{"a"=>"bar"}']
+      @app.plugin :sessions, :upgrade_from_rack_session_cookie_key=>'quux.session'
+      @cookie = c.sub(/\Arack/, 'quux')
+      _, h, b = req('/g/foo')
+      h['Set-Cookie'].must_match(/\Aroda\.session=(.*); path=\/foo; HttpOnly(; SameSite=Lax)?\nquux\.session=; path=\/baz; max-age=0; expires=Thu, 01 Jan 1970 00:00:00/m)
+      b.must_equal ['{"a"=>"bar"}']
+    end
   end
 end
 end