roda 3.8.0 → 3.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f1f45dc2c17fe99add9644d7ee24bcc83e85f0c4ca5927b7d88b31ddac7c4d35
-  data.tar.gz: 654f4aaa9987343d9ff989bc4fc730d2c07d885b4ee57465be845c0876636340
+  metadata.gz: 39ce926351959abb8a72a7b1c9db596dff7e0e84c26c296db4d2b3c124486356
+  data.tar.gz: 904ab94da8c67bfd2d4acb5246fa0a3049c89778e2fbc9e1701f6f342f39329a
 SHA512:
-  metadata.gz: 9766752c2e4204821986db58bc086080f406770672670179a65bfe91766227f2637c195250d66d0f1b8ad021e6a3593b901a649cd51ab5484e7249cda057498c
-  data.tar.gz: e9ad5ba69df715e11e3ee9b258c2e4233631104cbdf972c2c8e0c6ace1bbf1fa5b6bca5cb88d2891e63fb64885ba17623a35760e6b60f49c4e56cebf43a17c1a
+  metadata.gz: 590cc6b72c9fbb3fc01e389a6c12a5d09cd0db1cf56fe0d821b79e0e3aaf1d91ca7598d25fbdbdc50b25171f79501087599bd334ce079ad435ee51be31988588
+  data.tar.gz: 8bcde66bd4ab812a963ace04db8b026df5d5b5c9d79432de4b5780da80f9548f1dc92681e2fe0bdd1330d20f526cab4cea27b4bd0d54dddedbc8b5a9ec864c77

data/CHANGELOG

@@ -1,3 +1,7 @@
+= 3.9.0 (2018-06-11)
+
+* Add route_csrf plugin for CSRF protection, offering more control, better security, and request-specific tokens compared to rack_csrf (jeremyevans)
+
 = 3.8.0 (2018-05-17)
 
 * Accept convert_each! :keys option that is Proc or Method in typecast_params plugin (jeremyevans)

data/README.rdoc

@@ -788,12 +788,24 @@ This means you should not store any secret data in the session.
 
 === Cross Site Request Forgery (CSRF)
 
-CSRF can be prevented by using the +csrf+ plugin that ships with Roda,
-which uses the {rack_csrf}[https://github.com/baldowl/rack_csrf] library.
-Just make sure that you include the CSRF token tags in your HTML, as appropriate.
+CSRF can be prevented by using the +route_csrf+ plugin that ships with Roda.
+The +route_csrf+ plugin uses modern security practices to create CSRF tokens,
+requires request-specific tokens by default, and offers control to the user
+over where in the routing tree that CSRF tokens are checked. For example, if
+you are using the +public+ plugin to serve static files and the +assets+
+plugin to serve assets, you wouldn't need to check for CSRF tokens for either
+of those, so you could put the CSRF check after those in the routing tree,
+but before handling other requests:
+
+  route do |r|
+    r.public
+    r.assets
+
+    check_csrf! # Must call this to check for valid CSRF tokens
+
+    # ...
+  end
 
-It's also possible to use the <tt>Rack::Csrf</tt> middleware directly;
-you don't have to use the +csrf+ plugin.
 
 === Cross Site Scripting (XSS)
 

data/doc/release_notes/3.9.0.txt

@@ -0,0 +1,67 @@
+= New Features
+
+* A route_csrf plugin has been added.  This plugin allows for more
+  control over CSRF protection, since the user can choose where in
+  the routing tree to enforce the protection.  Additionally, the
+  route_csrf plugin offers better security than the CSRF protection
+  used by the csrf plugin (which uses the rack_csrf library).
+
+  The route_csrf plugin defaults to allowing only CSRF tokens
+  specific to a given request method and request path, and not
+  allowing generic CSRF tokens (though it does offer optional support
+  for such tokens).  Both request-specific and generic CSRF tokens
+  are designed to never leak the CSRF secret key, making it more
+  difficult to forge valid CSRF tokens.  Additionally, the plugin
+  offers optional support for accepting rack_csrf tokens, which
+  should only be enabled during a short transition period.
+
+  Some differences between the route_csrf plugin and the older
+  csrf plugin:
+
+  * route_csrf supports and by default only allows CSRF tokens
+    specific to request method and request path, as mentioned
+    above.  You can use the require_request_specific_tokens: false
+    option to allow generic CSRF tokens.
+
+  * route_csrf does not check the HTTP header by default, it
+    only checks the header if the :check_header option is set.
+    The :check_header option can be set to true to check both
+    the parameter and the header, or set to :only to only check
+    the header.
+
+  * route_csrf raises by default for invalid CSRF tokens.  rack_csrf
+    returns an empty 403 response in that case.  You can use the
+    error_handler plugin to handle the
+    Roda::RodaPlugins::RouteCsrf::InvalidToken exceptions, or you
+    can use the csrf_failure: :empty_403 option if you would like
+    the csrf plugin default behavior.  The plugin also accepts a
+    block for configurable failure behavior.
+
+  * route_csrf does not use a middleware, as it is designed to give
+    more control. In order to enforce the CSRF protection, you need
+    to call check_csrf! in your routing tree at the appropriate
+    place.  If you are not sure where to add it, add it to the top
+    of the routing tree, after the public or assets routes if you
+    are using those plugins:
+
+      route do
+        r.public
+        r.assets
+        check_csrf!
+
+        # ...
+      end
+
+    The check_csrf! method accepts an options hash, which can be used
+    to override the plugin options on a per-call basis.
+
+  * The csrf_token/csrf_tag methods take an optional path and method
+    arguments.  If a path is given, the method defaults to POST, and
+    the resulting CSRF token can only be used to submit forms for the
+    path and method.  If a path is not given, the resulting CSRF token
+    will be generic, but it will only work if the plugin has been
+    configured to allow generic CSRF tokens.
+
+  * A csrf_path method is available for easily taking a form action
+    string and returning an appropriate path to pass to the csrf_token
+    or csrf_tag methods.

data/lib/roda/plugins/csrf.rb

@@ -4,6 +4,10 @@ require 'rack/csrf'
 
 class Roda
   module RodaPlugins
+    # This plugin is no longer recommended for use, it exists only for
+    # backwards compatibility.  Consider using the route_csrf plugin
+    # instead, as that provides stronger CSRF protection.
+    #
     # The csrf plugin adds CSRF protection using rack_csrf, along with
     # some csrf helper methods to use in your views.  To use it, load
     # the plugin, with the options hash passed to Rack::Csrf:

data/lib/roda/plugins/route_csrf.rb

@@ -0,0 +1,351 @@
+# frozen-string-literal: true
+
+require 'base64'
+require 'openssl'
+require 'securerandom'
+require 'uri'
+
+class Roda
+  module RodaPlugins
+    # The route_csrf plugin is the recommended plugin to use to support
+    # CSRF protection in Roda applications. This plugin allows you set
+    # where in the routing tree to enforce CSRF protection.  Additionally,
+    # the route_csrf plugin uses modern security practices.
+    #
+    # By default, the plugin requires tokens be specific to the request
+    # method and request path, so a CSRF token generated for one form will
+    # not be usable to submit a different form.
+    #
+    # This plugin also takes care to not expose the underlying CSRF key
+    # (except in the session), so that it is not possible for an attacker
+    # to generate valid CSRF tokens specific to an arbitrary request method
+    # and request path even if they have access to a token that is not
+    # specific to request method and request path.  To get this security
+    # benefit, you must ensure an attacker does not have access to the
+    # session.  Rack::Session::Cookie uses signed sessions, not encrypted
+    # sessions, so if the attacker has the ability to read cookie data
+    # and you are using Rack::Session::Cookie, it will still be possible
+    # for an attacker to generate valid CSRF tokens specific to arbitrary
+    # request method and request path.
+    #
+    # # Usage
+    #
+    # It is recommended to use the plugin defaults, loading the
+    # plugin with no options:
+    #
+    #   plugin :route_csrf
+    #
+    # This plugin supports the following options:
+    #
+    #   :field :: Form input parameter name for CSRF token (default: '_csrf')
+    #   :header :: HTTP header name for CSRF token (default: 'X-CSRF-Token')
+    #   :key :: Session key for CSRF secret (default: '_roda_csrf_secret')
+    #   :require_request_specific_tokens :: Whether request-specific tokens are required (default: true).
+    #                                       A false value will allow tokens that are not request-specific
+    #                                       to also work.  You should only set this to false if it is
+    #                                       impossible to use request-specific tokens.  If you must
+    #                                       use non-request-specific tokens in certain cases, it is best
+    #                                       to leave this option true by default, and override it on a
+    #                                       per call basis in those specific cases.
+    #   :csrf_failure :: The action to taken if a request fails the CSRF check (default: :raise).  Options:
+    #                    :raise :: raise a Roda::RodaPlugins::RouteCsrf::InvalidToken exception
+    #                    :empty_403 :: return a blank 403 page (rack_csrf's default behavior)
+    #                    :clear_session :: Clear the current session
+    #                    Proc :: Treated as a routing block, called with request object
+    #   :check_header :: Whether the HTTP header should be checked for the token value (default: false).
+    #                    If true, checks the HTTP header after checking for the form input parameter.
+    #                    If :only, only checks the HTTP header and doesn't check the form input parameter.
+    #   :check_request_methods :: Which request methods require CSRF protection
+    #                             (default: <tt>['POST', 'DELETE', 'PATCH', 'PUT']</tt>)
+    #   :upgrade_from_rack_csrf_key :: If provided, the session key that should be checked for the
+    #                                  rack_csrf raw token.  If the session key is present, the value
+    #                                  will be checked against the submitted token, and if it matches,
+    #                                  the CSRF check will be passed.  Should only be set temporarily
+    #                                  if upgrading from using rack_csrf to the route_csrf plugin, and
+    #                                  should be removed as soon as you are OK with CSRF forms generated
+    #                                  before the upgrade not longer being usable. The default rack_csrf
+    #                                  key is <tt>'csrf.token'</tt>.
+    #
+    # The plugin also supports a block, in which case the block will be used
+    # as the value of the :csrf_failure option.
+    #
+    # # Methods
+    #
+    # This adds the following instance methods:
+    #
+    # check_csrf!(opts={}) :: Used for checking if the submitted CSRF token is valid.
+    #                         If a block is provided, it is treated as a routing block if the
+    #                         CSRF token is not valid.  Otherwise, by default, raises a
+    #                         Roda::RodaPlugins::RouteCsrf::InvalidToken exception if a CSRF
+    #                         token is necessary for the request and there is no token provided
+    #                         or the provided token is not valid. Options can be provided to
+    #                         override any of the plugin options for this specific call.
+    #                         The :token option can be used to specify the provided CSRF token
+    #                         (instead of looking for the token in the submitted parameters).
+    # csrf_field :: The field name to use for the hidden tag containing the CSRF token.
+    # csrf_path(action) :: This takes an argument that would be the value of the HTML form's
+    #                      action attribute, and returns a path you can pass to csrf_token
+    #                      that should be valid for the form submission.  The argument should
+    #                      either be nil or a string representing a relative path, absolute
+    #                      path, or full URL.
+    # csrf_tag(path=nil, method='POST') :: An HTML hidden input tag string containing the CSRF token, suitable
+    #                                      for placing in an HTML form.  Takes the same arguments as csrf_token.
+    # csrf_token(path=nil, method='POST') :: The value of the csrf token, in case it needs to be accessed
+    #                                        directly.  It is recommended to call this method with a
+    #                                        path, which will create a request-specific token.  Calling
+    #                                        this method without an argument will create a token that is
+    #                                        not specific to the request, but such a token will only
+    #                                        work if you set the :require_request_specific_tokens option
+    #                                        to false, which is a bad idea from a security standpoint.
+    # use_request_specific_csrf_tokens? :: Whether the plugin is configured to only support
+    #                                      request-specific tokens, true by default.
+    # valid_csrf?(opts={}) :: Returns whether the submitted CSRF token is valid (also true if
+    #                         the request does not require a CSRF token).  Takes same option hash
+    #                         as check_csrf!.
+    #
+    # This plugin also adds the following instance methods for compatibility with the
+    # older csrf plugin, but it is not recommended to use these methods in new code:
+    #
+    # csrf_header :: The header name to use for submitting the CSRF token via an HTTP header
+    #                (useful for javascript). Note that this plugin will not look in
+    #                the HTTP header by default, it will only do so if the :check_header
+    #                option is used.
+    # csrf_metatag :: An HTML meta tag string containing the CSRF token, suitable
+    #                 for placing in the page header.  It is not recommended to use
+    #                 this method, as the token generated is not request-specific and
+    #                 will not work unless you set the :require_request_specific_tokens option to
+    #                 false, which is a bad idea from a security standpoint.
+    #
+    # # Token Cryptography
+    #
+    # route_csrf uses HMAC-SHA-256 to generate all CSRF tokens.  It generates a random 32-byte secret,
+    # which is stored base64 encoded in the session.  For each CSRF token, it generates 31 bytes
+    # of random data.
+    #
+    # For request-specific CSRF tokens, this pseudocode generates the HMAC: 
+    #
+    #   hmac = HMAC(secret, method + path + random_data)
+    #
+    # For CSRF tokens not specific to a request, this pseudocode generates the HMAC: 
+    #
+    #   hmac = HMAC(secret, random_data)
+    #
+    # This pseudocode generates the final CSRF token in both cases:
+    #
+    #   token = Base64Encode(random_data + hmac)
+    #
+    # Using this construction for generating CSRF tokens means that generating any
+    # valid CSRF token without knowledge of the secret is equivalent to a successful generic attack
+    # on HMAC-SHA-256.
+    #
+    # By using an HMAC for tokens not specific to a request, it is not possible to use a
+    # valid CSRF token that is not specific to a request to generate a valid request-specific
+    # CSRF token.  
+    #
+    # By including random data in the HMAC for all tokens, different tokens are generated
+    # each time, mitigating compression ratio attacks such as BREACH.
+    module RouteCsrf
+      # Default CSRF option values
+      DEFAULTS = {
+        :field => '_csrf'.freeze,
+        :header => 'X-CSRF-Token'.freeze,
+        :key => '_roda_csrf_secret'.freeze,
+        :require_request_specific_tokens => true,
+        :csrf_failure => :raise,
+        :check_header => false,
+        :check_request_methods => %w'POST DELETE PATCH PUT'.freeze.each(&:freeze)
+      }.freeze
+
+      # Exception class raised when :csrf_failure option is :raise and
+      # a valid CSRF token was not provided.
+      class InvalidToken < RodaError; end
+
+      def self.configure(app, opts=OPTS, &block)
+        options = app.opts[:route_csrf] = (app.opts[:route_csrf] || DEFAULTS).merge(opts)
+        if block
+          if opts[:csrf_failure]
+            raise RodaError, "Cannot specify both route_csrf plugin block and :csrf_failure option"
+          end
+          options[:csrf_failure] = block
+        end
+        options[:env_header] = "HTTP_#{options[:header].to_s.gsub('-', '_').upcase}".freeze
+        options.freeze
+      end
+
+      module InstanceMethods
+        # Check that the submitted CSRF token is valid, if the request requires a CSRF token.
+        # If the CSRF token is valid or the request does not require a CSRF token, return nil.
+        # Otherwise, if a block is given, treat it as a routing block and yield to it, and
+        # if a block is not given, use the :csrf_failure option to determine how to handle it.
+        def check_csrf!(opts=OPTS, &block)
+          if msg = csrf_invalid_message(opts)
+            if block
+              @_request.on(&block)
+            end
+            
+            case failure_action = opts.fetch(:csrf_failure, csrf_options[:csrf_failure])
+            when :raise
+              raise InvalidToken, msg
+            when :empty_403
+              throw :halt, [403, {'Content-Type'=>'text/html', 'Content-Length'=>'0'}, []]
+            when :clear_session
+              session.clear
+            when Proc
+              @_request.on{instance_exec(@_request, &failure_action)}
+            else
+              raise RodaError, "Unsupported :csrf_failure option: #{failure_action.inspect}"
+            end
+          end
+        end
+
+        # The name of the hidden input tag containing the CSRF token.  Also used as the name
+        # for the meta tag.
+        def csrf_field
+          csrf_options[:field]
+        end
+
+        # The HTTP header name to use when submitting CSRF tokens in an HTTP header, if
+        # such support is enabled (it is not by default).
+        def csrf_header
+          csrf_options[:header]
+        end
+
+        # An HTML meta tag string containing a CSRF token that is not request-specific.
+        # It is not recommended to use this, as it doesn't support request-specific tokens.
+        def csrf_metatag
+          "<meta name=\"#{csrf_field}\" content=\"#{csrf_token}\" \/>"
+        end
+
+        # Given a form action, return the appropriate path to use for the CSRF token.
+        # This makes it easier to generate request-specific tokens without having to
+        # worry about the different types of form actions (relative paths, absolute
+        # paths, URLs, empty paths).
+        def csrf_path(action)
+          case action
+          when nil, '', /\A[#?]/
+            # use current path
+            request.path
+          when /\A(?:https?:\/)?\//
+            # Either full URI or absolute path, extract just the path
+            URI.parse(action).path
+          else
+            # relative path, join to current path
+            URI.join(request.url, action).path
+          end
+        end
+
+        # An HTML hidden input tag string containing the CSRF token.  See csrf_token for
+        # arguments.
+        def csrf_tag(*args)
+          "<input type=\"hidden\" name=\"#{csrf_field}\" value=\"#{csrf_token(*args)}\" \/>"
+        end
+
+        # The value of the csrf token.  For a path specific token, provide a path
+        # argument.  By default, it a path is provided, the POST request method will
+        # be assumed.  To generate a token for a non-POST request method, pass the
+        # method as the second argument.
+        def csrf_token(path=nil, method=('POST' if path))
+          token = SecureRandom.random_bytes(31)
+          token << csrf_hmac(token, method, path)
+          Base64.strict_encode64(token)
+        end
+
+        # Whether request-specific CSRF tokens should be used by default.
+        def use_request_specific_csrf_tokens?
+          csrf_options[:require_request_specific_tokens]
+        end
+
+        # Whether the submitted CSRF token is valid for the request.  True if the
+        # request does not require a CSRF token.
+        def valid_csrf?(opts=OPTS)
+          csrf_invalid_message(opts).nil?
+        end
+
+        private
+
+        # Returns error message string if the CSRF token is not valid.
+        # Returns nil if the CSRF token is valid.
+        def csrf_invalid_message(opts)
+          opts = opts.empty? ? csrf_options : csrf_options.merge(opts)
+          method = request.request_method
+
+          unless opts[:check_request_methods].include?(method)
+            return
+          end
+
+          unless encoded_token = opts[:token]
+            encoded_token = case opts[:check_header]
+            when :only
+              env[opts[:env_header]]
+            when true
+              return (csrf_invalid_message(opts.merge(:check_header=>false)) && csrf_invalid_message(opts.merge(:check_header=>:only)))
+            else
+              @_request.params[opts[:field]]
+            end
+          end
+
+          unless encoded_token.is_a?(String)
+            return "encoded token is not a string"
+          end
+
+          if (rack_csrf_key = opts[:upgrade_from_rack_csrf_key]) && (rack_csrf_value = session[rack_csrf_key]) && csrf_compare(rack_csrf_value, encoded_token)
+            return
+          end
+
+          # 31 byte random initialization vector
+          # 32 byte HMAC
+          # 63 bytes total
+          # 84 bytes when base64 encoded
+          unless encoded_token.bytesize == 84
+            return "encoded token length is not 84"
+          end
+
+          begin
+            submitted_hmac = Base64.strict_decode64(encoded_token)
+          rescue ArgumentError
+            return "encoded token is not valid base64"
+          end
+
+          random_data = submitted_hmac.slice!(0...31)
+
+          if csrf_compare(csrf_hmac(random_data, method, @_request.path), submitted_hmac)
+            return
+          end
+
+          if opts[:require_request_specific_tokens]
+            "decoded token is not valid for request method and path"
+          else
+            unless csrf_compare(csrf_hmac(random_data, '', ''), submitted_hmac)
+              "decoded token is not valid for either request method and path or for blank method and path"
+            end
+          end
+        end
+        
+        # Helper for getting the plugin options.
+        def csrf_options
+          opts[:route_csrf]
+        end
+
+        # Perform a constant-time comparison of the two strings, returning true if they match and false otherwise.
+        def csrf_compare(s1, s2)
+          Rack::Utils.secure_compare(s1, s2)
+        end
+
+        # Return the HMAC-SHA-256 for the secret and the given arguments.
+        def csrf_hmac(random_data, method, path)
+          OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, csrf_secret, "#{method.to_s.upcase}#{path}#{random_data}")
+        end
+
+        # If a secret has not already been specified, generate a random 32-byte
+        # secret, stored base64 encoded in the session (to handle cases where
+        # JSON is used for session serialization).
+        def csrf_secret
+          key = session[csrf_options[:key]] ||= SecureRandom.base64(32)
+          Base64.strict_decode64(key)
+        end
+      end
+    end
+
+    register_plugin(:route_csrf, RouteCsrf)
+  end
+end

data/lib/roda/plugins/typecast_params.rb

@@ -665,8 +665,8 @@ class Roda
           v = array(type, key, default)
 
           if key.is_a?(Array)
-            key.zip(v).each do |key, arr|
-              check_array!(key, arr)
+            key.zip(v).each do |k, arr|
+              check_array!(k, arr)
             end
           else
             check_array!(key, v)

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 8
+  RodaMinorVersion = 9
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

data/spec/plugin/csrf_spec.rb

@@ -6,6 +6,8 @@ rescue LoadError
   warn "rack_csrf not installed, skipping csrf plugin test"  
 else
 describe "csrf plugin" do 
+  include CookieJar
+
   it "adds csrf protection and csrf helper methods" do
     app(:bare) do
       use Rack::Session::Cookie, :secret=>'1'
@@ -33,7 +35,6 @@ describe "csrf plugin" do
     status('REQUEST_METHOD'=>'POST', 'rack.input'=>io).must_equal 403
     body('/foo', 'REQUEST_METHOD'=>'POST', 'rack.input'=>io).must_equal 'bar'
 
-    env = proc{|h| h['Set-Cookie'] ? {'HTTP_COOKIE'=>h['Set-Cookie'].sub("; path=/; HttpOnly", '')} : {}}
     s, h, b = req
     s.must_equal 200
     field = h['FIELD']
@@ -41,7 +42,7 @@ describe "csrf plugin" do
     h['TAG'].must_match(/\A<input type="hidden" name="#{field}" value="#{token}" \/>\z/)
     h['METATAG'].must_match(/\A<meta name="#{field}" content="#{token}" \/>\z/)
     b.must_equal ['g']
-    s, _, b = req('/', env[h].merge('REQUEST_METHOD'=>'POST', 'rack.input'=>io, "HTTP_#{h['HEADER']}"=>h['TOKEN']))
+    s, _, b = req('REQUEST_METHOD'=>'POST', 'rack.input'=>io, "HTTP_#{h['HEADER']}"=>h['TOKEN'])
     s.must_equal 200
     b.must_equal ['p']
 
@@ -87,7 +88,6 @@ describe "csrf plugin" do
     status('/foo', 'REQUEST_METHOD'=>'POST', 'rack.input'=>io).must_equal 403
     body('/foo/bar', 'REQUEST_METHOD'=>'POST', 'rack.input'=>io).must_equal 'foobar'
 
-    env = proc{|h| h['Set-Cookie'] ? {'HTTP_COOKIE'=>h['Set-Cookie'].sub("; path=/; HttpOnly", '')} : {}}
     s, h, b = req('/foo')
     s.must_equal 200
     field = h['FIELD']
@@ -95,7 +95,7 @@ describe "csrf plugin" do
     h['TAG'].must_match(/\A<input type="hidden" name="#{field}" value="#{token}" \/>\z/)
     h['METATAG'].must_match(/\A<meta name="#{field}" content="#{token}" \/>\z/)
     b.must_equal ['g']
-    s, _, b = req('/foo', env[h].merge('REQUEST_METHOD'=>'POST', 'rack.input'=>io, "HTTP_#{h['HEADER']}"=>h['TOKEN']))
+    s, _, b = req('/foo', 'REQUEST_METHOD'=>'POST', 'rack.input'=>io, "HTTP_#{h['HEADER']}"=>h['TOKEN'])
     s.must_equal 200
     b.must_equal ['p']
 

data/spec/plugin/flash_spec.rb

@@ -1,6 +1,8 @@
 require_relative "../spec_helper"
 
 describe "flash plugin" do 
+  include CookieJar
+
   it "flash.now[] sets flash for current page" do
     app(:bare) do
       use Rack::Session::Cookie, :secret => "1"
@@ -34,20 +36,19 @@ describe "flash plugin" do
       end
     end
 
-    env = proc{|h| h['Set-Cookie'] ? {'HTTP_COOKIE'=>h['Set-Cookie'].sub("; path=/; HttpOnly", '')} : {}}
     _, h, b = req
     b.join.must_equal ''
-    _, h, b = req(env[h])
+    _, h, b = req
     b.join.must_equal 'b'
-    _, h, b = req(env[h])
+    _, h, b = req
     b.join.must_equal 'bb'
-    _, h, b = req('/a', env[h])
+    _, h, b = req('/a')
     b.join.must_equal 'cbbb'
-    _, h, b = req(env[h])
+    _, h, b = req
     b.join.must_equal ''
-    _, h, b = req(env[h])
+    _, h, b = req
     b.join.must_equal 'b'
-    _, h, b = req(env[h])
+    _, h, b = req
     b.join.must_equal 'bb'
   end
 end

data/spec/plugin/head_spec.rb

@@ -40,7 +40,7 @@ describe "head plugin" do
         r.halt [ 200, {}, body ]
       end
     end
-    s, h, b = req('REQUEST_METHOD' => 'HEAD')
+    s, _, b = req('REQUEST_METHOD' => 'HEAD')
     s.must_equal 200
     res = String.new
     body.closed?.must_equal false

data/spec/plugin/route_csrf_spec.rb

@@ -0,0 +1,277 @@
+require_relative "../spec_helper"
+
+describe "route_csrf plugin" do 
+  include CookieJar
+
+  def route_csrf_app(opts={}, &block)
+    app(:bare) do
+      use Rack::Session::Cookie, :secret=>'1'
+      plugin(:route_csrf, opts, &opts[:block])
+      route do |r|
+        check_csrf! unless env['SKIP']
+        r.post('foo'){'f'}
+        r.post('bar'){'b'}
+        r.get "token", String do |s|
+          csrf_token("/#{s}")
+        end
+        instance_exec(r, &block) if block
+      end
+    end
+  end
+
+  it "allows all GET requests and allows POST requests only if they have a correct token for the path" do
+    route_csrf_app
+    token = body("/token/foo")
+    token.length.must_equal 84
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}")).must_equal 'f'
+    proc{body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+    proc{body("/foo", "REQUEST_METHOD"=>'PUT', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+
+    token = body("/token/bar")
+    token.length.must_equal 84
+    body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}")).must_equal 'b'
+    proc{body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+    proc{body("/bar", "REQUEST_METHOD"=>'DELETE', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+
+    # Additional failure cases
+
+    proc{body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new)}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+
+    proc{body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}a"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+
+    t2 = token.dup
+    t2.setbyte(1, t2.getbyte(1) ^ 1)
+    proc{body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(t2)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+
+    t2 = token.dup
+    t2.setbyte(61, t2.getbyte(61) ^ 1)
+    proc{body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(t2)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+
+    t2 = token.dup
+    t2[1] = '|'
+    proc{body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(t2)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+  end
+
+  it "supports :require_request_specific_tokens => false option to allow non-request-specific tokens" do
+    route_csrf_app(:require_request_specific_tokens=>false){csrf_token}
+    token = body("/token/foo")
+    token.length.must_equal 84
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}")).must_equal 'f'
+    proc{body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+
+    token = body
+    token.length.must_equal 84
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}")).must_equal 'f'
+    body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}")).must_equal 'b'
+  end
+
+  it "allows tokens submitted in both parameter and HTTP header if :check_header option is true" do
+    route_csrf_app(:check_header=>true)
+    token = body("/token/foo")
+    token.length.must_equal 84
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}")).must_equal 'f'
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new, 'HTTP_X_CSRF_TOKEN'=>token).must_equal 'f'
+    proc{body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+    proc{body("/foo", "REQUEST_METHOD"=>'PUT', 'rack.input'=>StringIO.new, 'HTTP_X_CSRF_TOKEN'=>token)}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+  end
+
+  it "allows tokens submitted in only HTTP header if :check_header option is :only" do
+    route_csrf_app(:check_header=>:only)
+    token = body("/token/foo")
+    token.length.must_equal 84
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new, 'HTTP_X_CSRF_TOKEN'=>token).must_equal 'f'
+    proc{body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+    proc{body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+    proc{body("/foo", "REQUEST_METHOD"=>'PUT', 'rack.input'=>StringIO.new, 'HTTP_X_CSRF_TOKEN'=>token)}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+  end
+
+  it "allows configuring CSRF failure action with :csrf_failure => :empty_403 option" do
+    route_csrf_app(:csrf_failure=>:empty_403)
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body("/token/foo"))}")).must_equal 'f'
+    req("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new).must_equal [403, {'Content-Type'=>'text/html', 'Content-Length'=>'0'}, []]
+  end
+
+  it "allows configuring CSRF failure action with :csrf_failure => :empty_403 option" do
+    route_csrf_app(:csrf_failure=>:clear_session){session.inspect}
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body("/token/foo"))}")).must_equal 'f'
+    body("/b", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('/token/a'))}")).must_equal '{}'
+  end
+
+  it "allows configuring CSRF failure action with :csrf_failure => proc option" do
+    route_csrf_app(:csrf_failure=>proc{|r| r.path + '2'})
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body("/token/foo"))}")).must_equal 'f'
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new).must_equal '/foo2'
+  end
+
+  it "allows configuring CSRF failure action via a plugin block" do
+    route_csrf_app(:block=>proc{|r| r.path + '2'})
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body("/token/foo"))}")).must_equal 'f'
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new).must_equal '/foo2'
+  end
+
+  it "raises Error if configuring plugin with invalid :csrf_failure option" do
+    route_csrf_app(:csrf_failure=>:foo)
+    proc{body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new)}.must_raise Roda::RodaError
+  end
+
+  it "raises Error if configuring plugin with block and :csrf_failure option" do
+    proc{route_csrf_app(:block=>proc{|r| r.path + '2'}, :csrf_failure=>:raise)}.must_raise Roda::RodaError
+  end
+
+  it "supports valid_csrf? method" do
+    route_csrf_app{valid_csrf?.to_s}
+    body("/a", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body("/token/a"))}")).must_equal 'true'
+    body("/a", "REQUEST_METHOD"=>'POST', 'SKIP'=>true, 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body("/token/b"))}")).must_equal 'false'
+  end
+
+  it "supports valid_csrf? method" do
+    route_csrf_app do
+      check_csrf!{'nope'}
+      'yep'
+    end
+    body("/a", "REQUEST_METHOD"=>'POST', 'SKIP'=>true, 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body("/token/a"))}")).must_equal 'yep'
+    body("/a", "REQUEST_METHOD"=>'POST', 'SKIP'=>true, 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body("/token/b"))}")).must_equal 'nope'
+  end
+
+  it "supports use_request_specific_csrf_tokens? method" do
+    route_csrf_app{use_request_specific_csrf_tokens?.to_s}
+    body.must_equal 'true'
+    route_csrf_app(:require_request_specific_tokens=>false){use_request_specific_csrf_tokens?.to_s}
+    body.must_equal 'false'
+  end
+
+  it "supports csrf_field method" do
+    route_csrf_app{csrf_field}
+    body.must_equal '_csrf'
+    route_csrf_app(:field=>'foo'){csrf_field}
+    body.must_equal 'foo'
+  end
+
+  it "supports csrf_header method" do
+    route_csrf_app{csrf_header}
+    body.must_equal 'X-CSRF-Token'
+    route_csrf_app(:header=>'Foo'){csrf_header}
+    body.must_equal 'Foo'
+  end
+
+  it "supports csrf_metatag method" do
+    route_csrf_app(:require_request_specific_tokens=>false){csrf_metatag}
+    body =~ /\A<meta name="_csrf" content="([+\/0-9A-Za-z]{84})" \/>\z/
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape($1)}")).must_equal 'f'
+
+    route_csrf_app(:require_request_specific_tokens=>false, :field=>'foo'){csrf_metatag}
+    body =~ /\A<meta name="foo" content="([+\/0-9A-Za-z]{84})" \/>\z/
+    body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("foo=#{Rack::Utils.escape($1)}")).must_equal 'b'
+  end
+
+  it "supports csrf_tag method" do
+    route_csrf_app(:require_request_specific_tokens=>false){csrf_tag}
+    body =~ /\A<input type="hidden" name="_csrf" value="([+\/0-9A-Za-z]{84})" \/>\z/
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape($1)}")).must_equal 'f'
+
+    route_csrf_app(:require_request_specific_tokens=>false, :field=>'foo'){csrf_tag}
+    body =~ /\A<input type="hidden" name="foo" value="([+\/0-9A-Za-z]{84})" \/>\z/
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("foo=#{Rack::Utils.escape($1)}")).must_equal 'f'
+
+    route_csrf_app{csrf_tag('/foo')}
+    body =~ /\A<input type="hidden" name="_csrf" value="([+\/0-9A-Za-z]{84})" \/>\z/
+    token = $1
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}")).must_equal 'f'
+    proc{body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+    proc{body("/foo", "REQUEST_METHOD"=>'PUT', 'rack.input'=>StringIO.new, 'QUERY_STRING'=>"_csrf=#{Rack::Utils.escape(token)}")}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+
+    route_csrf_app do |r|
+      r.is 'foo', :method=>'PUT' do
+        'f2'
+      end
+      csrf_tag('/foo', 'PUT')
+    end
+    body =~ /\A<input type="hidden" name="_csrf" value="([+\/0-9A-Za-z]{84})" \/>\z/
+    token = $1
+    body("/foo", "REQUEST_METHOD"=>'PUT', 'rack.input'=>StringIO.new, 'QUERY_STRING'=>"_csrf=#{Rack::Utils.escape(token)}").must_equal 'f2'
+    proc{body("/bar", "REQUEST_METHOD"=>'PUT', 'rack.input'=>StringIO.new, 'QUERY_STRING'=>"_csrf=#{Rack::Utils.escape(token)}")}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+    proc{body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+  end
+
+  it "supports csrf_tag method" do
+    route_csrf_app(:require_request_specific_tokens=>false){csrf_token}
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body)}")).must_equal 'f'
+
+    route_csrf_app(:require_request_specific_tokens=>false, :field=>'foo'){csrf_token}
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("foo=#{Rack::Utils.escape(body)}")).must_equal 'f'
+
+    route_csrf_app{csrf_token('/foo')}
+    token = body
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}")).must_equal 'f'
+    proc{body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+    proc{body("/foo", "REQUEST_METHOD"=>'PUT', 'rack.input'=>StringIO.new, 'QUERY_STRING'=>"_csrf=#{Rack::Utils.escape(token)}")}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+
+    route_csrf_app do |r|
+      r.is 'foo', :method=>'PUT' do
+        'f2'
+      end
+      csrf_token('/foo', 'PUT')
+    end
+    token = body
+    body("/foo", "REQUEST_METHOD"=>'PUT', 'rack.input'=>StringIO.new, 'QUERY_STRING'=>"_csrf=#{Rack::Utils.escape(token)}").must_equal 'f2'
+    proc{body("/bar", "REQUEST_METHOD"=>'PUT', 'rack.input'=>StringIO.new, 'QUERY_STRING'=>"_csrf=#{Rack::Utils.escape(token)}")}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+    proc{body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+  end
+
+  it "supports csrf_path method" do
+    route_csrf_app do |r|
+      r.post{r.path + '2'}
+      csrf_token(csrf_path(env['CP']))
+    end
+
+    body("REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('CP'=>nil))}")).must_equal '/2'
+    body("REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('CP'=>''))}")).must_equal '/2'
+    body("REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('CP'=>'#foo'))}")).must_equal '/2'
+    body("REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('CP'=>'?foo'))}")).must_equal '/2'
+
+    body('/a', "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('/a', 'CP'=>nil))}")).must_equal '/a2'
+    body('/a', "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('/a', 'CP'=>''))}")).must_equal '/a2'
+    body('/a', "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('/a', 'CP'=>'?foo'))}")).must_equal '/a2'
+    body('/a', "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('/a', 'CP'=>'#foo'))}")).must_equal '/a2'
+
+    body("REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('CP'=>'http://foo/'))}")).must_equal '/2'
+    body('/a', "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('CP'=>'https://foo/a'))}")).must_equal '/a2'
+    body('/a/b', "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('CP'=>'http://foo/a/b'))}")).must_equal '/a/b2'
+
+    body("REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('CP'=>'/'))}")).must_equal '/2'
+    body('/a', "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('CP'=>'/a'))}")).must_equal '/a2'
+    body('/a/b', "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('CP'=>'/a/b'))}")).must_equal '/a/b2'
+
+    body('/a', "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('HTTPS'=>'on', 'HTTP_HOST'=>'foo.com', 'CP'=>'a'))}")).must_equal '/a2'
+    body('/a', "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('/b', 'HTTPS'=>'on', 'HTTP_HOST'=>'foo.com', 'CP'=>'a'))}")).must_equal '/a2'
+    body('/b/a', "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('/b/', 'HTTPS'=>'on', 'HTTP_HOST'=>'foo.com', 'CP'=>'a'))}")).must_equal '/b/a2'
+    body('/b/a', "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('/b/b', 'HTTPS'=>'on', 'HTTP_HOST'=>'foo.com', 'CP'=>'a'))}")).must_equal '/b/a2'
+    body('/a/b', "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('/b', 'HTTPS'=>'on', 'HTTP_HOST'=>'foo.com', 'CP'=>'a/b'))}")).must_equal '/a/b2'
+    body('/b/a/b', "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('/b/', 'HTTPS'=>'on', 'HTTP_HOST'=>'foo.com', 'CP'=>'a/b'))}")).must_equal '/b/a/b2'
+    body('/b/a/b', "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(body('/b/a', 'HTTPS'=>'on', 'HTTP_HOST'=>'foo.com', 'CP'=>'a/b'))}")).must_equal '/b/a/b2'
+  end
+
+begin
+  require 'rack/csrf'
+rescue LoadError
+  warn "rack_csrf not installed, skipping route_csrf plugin test for rack_csrf upgrade"  
+else
+  it "supports upgrades from existing rack_csrf token" do
+    route_csrf_app(:upgrade_from_rack_csrf_key=>'csrf.token') do |r|
+      r.get 'clear' do
+        session.clear
+        ''
+      end
+      Rack::Csrf.token(env)
+    end
+    app.use Rack::Csrf, :skip=>['POST:/foo', 'POST:/bar'], :raise=>true
+    token = body
+    token.length.wont_equal 84
+    body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}")).must_equal 'f'
+    body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}")).must_equal 'b'
+    body('/clear').must_equal ''
+    proc{body("/foo", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+    proc{body("/bar", "REQUEST_METHOD"=>'POST', 'rack.input'=>StringIO.new("_csrf=#{Rack::Utils.escape(token)}"))}.must_raise Roda::RodaPlugins::RouteCsrf::InvalidToken
+  end
+end
+end

data/spec/plugin/typecast_params_spec.rb

@@ -187,7 +187,7 @@ describe "typecast_params plugin" do
   end
 
   it "#int should convert to integer" do
-    tp('a=-1').int('a').must_equal -1
+    tp('a=-1').int('a').must_equal(-1)
     tp('a=0').int('a').must_equal 0
     tp('a=a').int('a').must_equal 0
     tp.int('a').must_equal 1
@@ -248,7 +248,7 @@ describe "typecast_params plugin" do
   end
 
   it "#Integer should convert to integer strictly" do
-    tp('a=-1').Integer('a').must_equal -1
+    tp('a=-1').Integer('a').must_equal(-1)
     tp('a=0').Integer('a').must_equal 0
     lambda{tp('a=a').Integer('a')}.must_raise @tp_error
     tp.Integer('a').must_equal 1
@@ -277,7 +277,7 @@ describe "typecast_params plugin" do
   end
 
   it "#float should convert to float" do
-    tp('a=-1').float('a').must_equal -1
+    tp('a=-1').float('a').must_equal(-1)
     tp('a=0').float('a').must_equal 0
     tp('a=a').float('a').must_equal 0
     tp.float('a').must_equal 1
@@ -306,7 +306,7 @@ describe "typecast_params plugin" do
   end
 
   it "#Float should convert to float strictly" do
-    tp('a=-1').Float('a').must_equal -1
+    tp('a=-1').Float('a').must_equal(-1)
     tp('a=0').Float('a').must_equal 0
     lambda{tp('a=a').Float('a')}.must_raise @tp_error
     tp.Float('a').must_equal 1
@@ -1108,8 +1108,8 @@ describe "typecast_params plugin with customized params" do
   end
 
   it "should respect custom typecasting methods" do
-    tp.opp_int('a').must_equal -1
-    tp.opp_int!('a').must_equal -1
+    tp.opp_int('a').must_equal(-1)
+    tp.opp_int!('a').must_equal(-1)
     tp.opp_int('d').must_be_nil
     lambda{tp.opp_int!('d')}.must_raise @tp_error
 
@@ -1133,8 +1133,8 @@ describe "typecast_params plugin with customized params" do
       end
     end
 
-    tp.opp_int('a').must_equal -1
-    tp.opp_int!('a').must_equal -1
+    tp.opp_int('a').must_equal(-1)
+    tp.opp_int!('a').must_equal(-1)
     tp.opp_int('d').must_be_nil
     lambda{tp.opp_int!('d')}.must_raise @tp_error
 

data/spec/session_spec.rb

@@ -1,6 +1,8 @@
 require_relative "spec_helper"
 
 describe "session handling" do
+  include CookieJar
+
   it "should give a warning if session variable is not available" do
     app do |r|
       begin
@@ -27,9 +29,9 @@ describe "session handling" do
 
     _, h, b = req
     b.join.must_equal 'ab'
-    _, h, b = req('HTTP_COOKIE'=>h['Set-Cookie'].sub("; path=/; HttpOnly", ''))
+    _, h, b = req
     b.join.must_equal 'abb'
-    _, h, b = req('HTTP_COOKIE'=>h['Set-Cookie'].sub("; path=/; HttpOnly", ''))
+    _, h, b = req
     b.join.must_equal 'abbb'
   end
 end

data/spec/spec_helper.rb

@@ -24,6 +24,8 @@ end
 
 require_relative "../lib/roda"
 require "stringio"
+
+ENV['MT_NO_PLUGINS'] = '1' # Work around stupid autoloading of plugins
 gem 'minitest'
 require "minitest/autorun"
 
@@ -34,6 +36,23 @@ def (Roda::RodaPlugins).warn(s)
   puts caller.grep(/_spec\.rb:\d+:/)
 end
 
+module CookieJar
+  def req(path='/', env={})
+    if path.is_a?(Hash)
+      env = path
+    else
+      env['PATH_INFO'] = path.dup
+    end
+    env['HTTP_COOKIE'] = @cookie if @cookie
+
+    a = super(env)
+    if set = a[1]['Set-Cookie']
+      @cookie = set.sub("; path=/; HttpOnly", '')
+    end
+    a
+  end
+end
+
 class Minitest::Spec
   def self.deprecated(a, &block)
     it("#{a} (deprecated)") do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.8.0
+  version: 3.9.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-17 00:00:00.000000000 Z
+date: 2018-06-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -204,6 +204,7 @@ extra_rdoc_files:
 - doc/release_notes/3.5.0.txt
 - doc/release_notes/3.6.0.txt
 - doc/release_notes/3.8.0.txt
+- doc/release_notes/3.9.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -254,6 +255,7 @@ files:
 - doc/release_notes/3.6.0.txt
 - doc/release_notes/3.7.0.txt
 - doc/release_notes/3.8.0.txt
+- doc/release_notes/3.9.0.txt
 - lib/roda.rb
 - lib/roda/plugins/_symbol_regexp_matchers.rb
 - lib/roda/plugins/all_verbs.rb
@@ -322,6 +324,7 @@ files:
 - lib/roda/plugins/request_aref.rb
 - lib/roda/plugins/request_headers.rb
 - lib/roda/plugins/response_request.rb
+- lib/roda/plugins/route_csrf.rb
 - lib/roda/plugins/run_append_slash.rb
 - lib/roda/plugins/run_handler.rb
 - lib/roda/plugins/shared_vars.rb
@@ -419,6 +422,7 @@ files:
 - spec/plugin/request_aref_spec.rb
 - spec/plugin/request_headers_spec.rb
 - spec/plugin/response_request_spec.rb
+- spec/plugin/route_csrf_spec.rb
 - spec/plugin/run_append_slash_spec.rb
 - spec/plugin/run_handler_spec.rb
 - spec/plugin/shared_vars_spec.rb
@@ -484,7 +488,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.0.0.beta1
 signing_key: 
 specification_version: 4
 summary: Routing tree web toolkit