safe_cookies 0.1.6 → 0.1.7

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    M2M1NGJkNGIyYmRhNmQ5OWZmYjU2MTVmMTEwZTc3NzRjNzRlNzE5Zg==
+    Njc0YjdlMzZlMTRmNjk3NGQ1NWQ5NDU0YjU0ZGQwMTA0OGYyM2Y1MQ==
   data.tar.gz: !binary |-
-    MTNiNGMwMjcyMzBkMmQzYzhmODVkNWIzYzg0N2FiNGZmNWE0ZTFkNQ==
+    YzQ4OWE2ODk3NWU4M2U0OTQ3MjRlZDdiYzIzM2MyNjFjNmE0YzRmOQ==
 SHA512:
   metadata.gz: !binary |-
-    YjAyZWNhNTExNWFmZjk3MzAzYmVmYmY1NDAwZDQ4YzA1YWJkOTk0NTAzMDc0
-    OWE3YTM5YmZiMTYzMDg0ZmRiZjFhZGNiMTE5OWU3MWNjZTQ4MGRkNTNlYWNk
-    ZDhlYmM1Y2RjNWE1ZmRlYTY5OGJlYmIxZjJmMTUzODc5NzE1OTI=
+    NmJjNjgzM2VjZTdmY2E4ZmM3OTQwOTEwNzgwNTQ1YTMxOTZlOWY4NDA3Nzgy
+    YTJlZmRkOTQyMjQwNTE1NWUxN2I2M2VmNTNjMjMyZTk5NGQ0MTlmY2M0MWMz
+    NmQwM2EwZmE4M2I4MjJlNmVjZDlmZmJmNWY0NDYxN2Q3ZWI2YmE=
   data.tar.gz: !binary |-
-    NThmZjk3M2M5ZGY5YmZiMmI5ZjRkMzA3MWUyOTRlZWMzMmEwY2VjZTRkMWFj
-    OWZjZDk5OGJlMDM0MGE2MDQ0NmM4NTgyMDA4Y2VjYzY5NzEyNjJjZjMzOTE3
-    YWEzYjlmNzkwZjQyZmRhZWI5YzhmNzcyZjlmMmE3NTIxZTRjODE=
+    YjU4NDU0NjUwNjgzZGNhYzNjNTBiM2JjOTQyMGZlZDY3YThjYjRiYTUzZDE5
+    ZDU5NjVhOTNlYjM1NWE2NDUwMjI1YzZmZmU5OGZhZmI3M2I2ZjM5YzMyNzNl
+    YWZjYWFjMGIwMWU5YTg2NThlMzJkNjExMDdjODgyMzhkY2ExYmY=

data/README.md

@@ -1,6 +1,6 @@
 # SafeCookies
 
-This Gem brings a middleware that will make all cookies secure. In detail, it will:
+This Gem has a middleware that will make all cookies secure. In detail, it will:
 
 * set all new application cookies 'HttpOnly', unless specified otherwise
 * set all new application cookies 'secure', if the request came via HTTPS and not specified otherwise
@@ -13,14 +13,14 @@ Add this line to your application's Gemfile:
 
     gem 'safe_cookies'
 
-Then run `bundle`.
+Then run `bundle install`.
 
-Though this gem is aimed at Rails applications, you may even use it without Rails. Install it then with
-`gem install safe_cookies`.
+Though this gem is aimed at Rails applications, you may even use it without
+Rails. In that case, install it with `gem install safe_cookies`.
 
 
 ### Step 2
-**Rails 3**: add the following line in config/application.rb:
+**Rails 3 and 4**: add the following line in config/application.rb:
 
     class Application < Rails::Application
       # ...
@@ -36,8 +36,8 @@ Though this gem is aimed at Rails applications, you may even use it without Rail
     end
 
 ### Step 3
-Register cookies, either just after the lines you added in step 1 or in in an initializer
-(e.g. in `config/initializers/safe_cookies.rb):
+Register cookies, either just after the lines you added above or in in an initializer
+(e.g. in `config/initializers/safe_cookies.rb`):
 
     SafeCookies.configure do |config|
       config.register_cookie :remember_token, :expire_after => 1.year
@@ -46,28 +46,33 @@ Register cookies, either just after the lines you added in step 1 or in in an in
       config.register_cookie :javascript_data, :expire_after => 1.day, :http_only => false
     end
 
-This will have the `default_language` cookie not made secure, the `javascript_data` cookie
-not made http-only. It will rewrite the `remember_token` with an expiry of one year and the
-`last_action` cookie with an expiry of 30 days, making both of them secure and http-only.
+If a request has any of those four cookies, the middleware will set them anew. The `remember_token` and
+`last_action` cookies will be made `secure` and `HttpOnly`.
+Since we want to access the default language even if the user comes via HTTP,  the `default_language`
+cookie is not made secure. Analogous, the `javascript_data` cookie will be used by a script and hence is
+not made `HttpOnly`.
+
 Available options are: `:expire_after (required), :path, :secure, :http_only`.
 
-### Step 4 (only for Rails 2)
-Override `SafeCookies::Middleware#handle_unknown_cookies(cookies)` (see "Dealing with unregistered
-cookies" below).
+### Step 4 (important for Rails 2 only)
+Override `SafeCookies::Middleware#handle_unknown_cookies(cookies)` to notify you
+e.g. by email (see "Dealing with unregistered cookies" below).
 
 
 ## Dealing with unregistered cookies
 
-The middleware is not able to secure cookies without knowing their attributes (most important: their
-expiry). Unfortunately, [the client won't ever tell us](http://tools.ietf.org/html/rfc6265#section-4.2.2)
-if it stores the cookie with flags such as "secure" or which expiry date it currently has.
-Therefore, it is important to register all cookies that users may come with, specifying their properties.
-Unregistered cookies cannot be secured.
-
-If a request brings a cookie that is not registered, the middleware will raise a
-`SafeCookies::UnknownCookieError`. Rails 3+ should handle the exception as any other in your application,
-but by default, **you will not be notified from Rails 2 applications** and the user will see a standard
-500 Server Error. Override `SafeCookies::Middleware#handle_unknown_cookies(cookies)` in the config
+The middleware is not able to secure cookies without knowing their attributes
+(most importantly: their expiry). Unfortunately, [the client won't ever tell us](http://tools.ietf.org/html/rfc6265#section-4.2.2)
+if it stores the cookie with flags such as "secure" or which expiry date it
+currently has. Therefore, it is important to register all cookies that may be
+sent by the client, specifying their properties. Unregistered cookies cannot be
+secured.
+
+If a request contains a cookie that is not registered, the middleware will raise
+a `SafeCookies::UnknownCookieError`. Rails 3+ should handle the exception as any
+other in your application, but by default, **you will not be notified from Rails
+2 applications** and the user will see a standard 500 Server Error. Override
+`SafeCookies::Middleware#handle_unknown_cookies(cookies)` in the config
 initializer for customized exception handling (like, notifying you per email).
 
 You should register any cookie that your application has to do with. However, there are cookies that you
@@ -87,3 +92,15 @@ The configuration option `config.fix_paths` turns on fixing this error. It requi
 point of time from which cookies will be secured with the correct path. The middleware will fix the cookie
 paths by rewriting all cookies that it has already secured, but only if the were secured before the time
 you specified.
+
+
+## Development
+
+- Tests live in `spec`.
+- You can run specs from the project root by saying `bundle exec rake`.
+
+If you would like to contribute:
+
+- Fork the repository.
+- Push your changes **with passing specs**.
+- Send us a pull request.

data/lib/safe_cookies/cookie_path_fix.rb

@@ -6,15 +6,14 @@ module SafeCookies
     # (see below), leading to multiple cookies per domain.
     #
     # If the cookies were secured before the configured datetime, this method
-    # instructs the client to delete all cookies it sent with the request + the
-    # SECURED_COOKIE_NAME helper cookie.
+    # instructs the client to delete all cookies it sent with the request and
+    # that we are able to rewrite, plus the SECURED_COOKIE_NAME helper cookie.
+    #
     # The middleware still sees the request cookies and will rewrite them as
     # if it hadn't seen them before, setting them on the correct path (root,
-    # per default).
+    # by default).
     def delete_cookies_on_bad_path
-      registered_cookies_in_request.keys.each do |registered_cookie|
-        delete_cookie_for_current_directory(registered_cookie)
-      end
+      rewritable_request_cookies.keys.each &method(:delete_cookie_for_current_directory)
       delete_cookie_for_current_directory(SafeCookies::SECURED_COOKIE_NAME)
     
       # Delete this cookie here, so the middleware believes it hasn't secured
@@ -25,17 +24,15 @@ module SafeCookies
     private
   
     def fix_cookie_paths?
-      @configuration.fix_cookie_paths or return false
-    
-      cookies_need_path_fix = (secured_old_cookies_timestamp < @configuration.correct_cookie_paths_timestamp)
-
-      cookies_have_been_rewritten_before? and cookies_need_path_fix
+      @config.fix_cookie_paths &&
+      cookies_have_been_rewritten_before? &&
+      (secured_old_cookies_timestamp < @config.correct_cookie_paths_timestamp)
     end
 
     # Delete cookies by giving them an expiry in the past,
     # cf. https://tools.ietf.org/html/rfc6265#section-4.1.2.
     #
-    # Most important, as specified in
+    # Most importantly, as specified in
     # https://tools.ietf.org/html/rfc6265#section-4.1.2.4 and in section 5.1.4,
     # cookies set without a path will be set for the current "directory", that is:
     #
@@ -57,12 +54,18 @@ module SafeCookies
     end
   
     def secured_old_cookies_timestamp
-      Time.rfc2822(request_cookies[SafeCookies::SECURED_COOKIE_NAME])
+      @request.cookies.has_key?(SafeCookies::SECURED_COOKIE_NAME) or return nil
+
+      Time.rfc2822(@request.cookies[SafeCookies::SECURED_COOKIE_NAME])
     rescue ArgumentError
       # If we cannot parse the secured_old_cookies time,
       # assume it was before we noticed the bug to ensure
       # broken cookie paths will be fixed.
-      Time.parse "2013-08-25 0:00"
+      #
+      # One reason to get here is that Rack::Utils.rfc2822 produces an invalid
+      # datetime string in Rack v1.1, writing the date with dashes
+      # (e.g. '04-Nov-2013').
+      Time.parse "2013-08-25 00:00"
     end
 
   end

data/lib/safe_cookies/helpers.rb

@@ -3,6 +3,9 @@ module SafeCookies
   
     KNOWN_COOKIES_DIVIDER = '|'
   
+    # Since we have to operate on and modify the actual @headers hash that the
+    # application returns, cache the @headers['Set-Cookie'] string so that
+    # later on, we still know what the application did set.
     def cache_application_cookies_string
       cookies = @headers['Set-Cookie']
       # Rack 1.1 returns an Array
@@ -41,31 +44,31 @@ module SafeCookies
       options[:secure] = should_be_secure?(name)
       options[:httponly] = should_be_http_only?(name)
 
+      # Rack magic
       Rack::Utils.set_cookie_header!(@headers, name, options)
     end
   
   
     # getters
+    
+    # returns the request cookies minus ignored cookies
+    def request_cookies
+      Util.except!(@request.cookies.dup, *@config.ignored_cookies)
+    end
 
     def stored_application_cookie_names
       store_cookie = @request.cookies[STORE_COOKIE_NAME] || ""
       store_cookie.split(KNOWN_COOKIES_DIVIDER)
     end
 
-    # returns those of the registered cookies that appear in the request
-    def registered_cookies_in_request
-      Util.slice(@configuration.registered_cookies, *request_cookies.keys)
+    def rewritable_request_cookies
+      Util.slice(request_cookies, *@config.registered_cookies.keys)
     end
 
     def known_cookie_names
       known = [STORE_COOKIE_NAME, SECURED_COOKIE_NAME]
       known += stored_application_cookie_names
-      known += @configuration.registered_cookies.keys
-    end
-    
-    # returns the request cookies minus ignored cookies
-    def request_cookies
-      Util.except!(@request.cookies.dup, *@configuration.ignored_cookies)
+      known += @config.registered_cookies.keys
     end
 
 
@@ -77,7 +80,7 @@ module SafeCookies
 
     def should_be_secure?(cookie)
       cookie_name = cookie.split('=').first.strip
-      ssl? and not @configuration.insecure_cookie?(cookie_name)
+      ssl? and not @config.insecure_cookie?(cookie_name)
     end
 
     def ssl?
@@ -91,7 +94,7 @@ module SafeCookies
 
     def should_be_http_only?(cookie)
       cookie_name = cookie.split('=').first.strip
-      not @configuration.scriptable_cookie?(cookie_name)
+      not @config.scriptable_cookie?(cookie_name)
     end  
 
   end

data/lib/safe_cookies/version.rb

@@ -1,3 +1,3 @@
 module SafeCookies
-  VERSION = '0.1.6'
+  VERSION = '0.1.7'
 end

data/lib/safe_cookies.rb

@@ -5,6 +5,7 @@ require "safe_cookies/helpers"
 require "safe_cookies/util"
 require "safe_cookies/version"
 require "rack"
+require "time" # add Time#rfc2822
 
 # Naming:
 # - application_cookies: cookies received from the application. The 'Set-Cookie' header is a string
@@ -28,16 +29,16 @@ module SafeCookies
 
     def initialize(app)
       @app = app
-      @configuration = SafeCookies.configuration or raise "Don't know what to do without configuration"
+      @config = SafeCookies.configuration or raise "Don't know what to do without configuration"
     end
 
     def call(env)
       reset_instance_variables
       
       @request = Rack::Request.new(env)
-      ensure_no_unknown_cookies_in_request!
+      check_if_request_has_unknown_cookies
 
-      # calling the next middleware
+      # call the next middleware up the stack
       status, @headers, body = @app.call(env)
       cache_application_cookies_string
       
@@ -52,13 +53,14 @@ module SafeCookies
 
     private
     
+    # Instance variables survive requests because the middleware is a singleton.
     def reset_instance_variables
       @request, @headers, @application_cookies_string = nil
     end
     
-    # Make sure we get notified if a client comes with an unregistered cookie,
-    # because we do not want any cookie not to be secured.
-    def ensure_no_unknown_cookies_in_request!
+    # Do something if a request has an unregistered cookie, because we do not
+    # want any cookie to not be secured. By default, we raise an error.
+    def check_if_request_has_unknown_cookies
       request_cookie_names = request_cookies.keys.map(&:to_s)
       unknown_cookie_names = request_cookie_names - known_cookie_names
       
@@ -67,7 +69,7 @@ module SafeCookies
       end
     end
     
-    # Overwrites @header['Set-Cookie']
+    # Overwrites @header['Set-Cookie']!
     def enhance_application_cookies!
       if @application_cookies_string
         cookies = @application_cookies_string.split("\n")
@@ -90,8 +92,8 @@ module SafeCookies
       end
     end
     
-    # Store the names of cookies that are set by the application. We are already
-    # securing those and therefore do not need to rewrite them.
+    # Store the names of cookies that are set by the application.
+    # (We are already securing those and will not need to rewrite them.)
     def store_application_cookie_names
       if @application_cookies_string
         application_cookie_names = stored_application_cookie_names + @application_cookies_string.scan(COOKIE_NAME_REGEX)
@@ -107,23 +109,21 @@ module SafeCookies
     # With the SECURED_COOKIE_NAME cookie we remember the exact time that we
     # rewrote the cookies.
     def rewrite_request_cookies
-      cookies_to_rewrite = request_cookies || []
+      rewritable_cookies = rewritable_request_cookies
       
       # don't rewrite request cookies that the application is setting in the response
       if @application_cookies_string
-        application_cookie_names = @application_cookies_string.scan(COOKIE_NAME_REGEX)
-        Util.except!(cookies_to_rewrite, *application_cookie_names)
+        app_cookie_names = @application_cookies_string.scan(COOKIE_NAME_REGEX)
+        Util.except!(rewritable_cookies, *app_cookie_names)
       end
       
-      if cookies_to_rewrite.any?
-        registered_cookies_in_request.each do |cookie_name, options|
-          value = request_cookies[cookie_name]
-
+      if rewritable_cookies.any?
+        rewritable_cookies.each do |cookie_name, value|
+          options = @config.registered_cookies[cookie_name]
           set_cookie!(cookie_name, value, options)
         end
       
-        formatted_now = Rack::Utils.rfc2822(Time.now.gmtime)
-        set_cookie!(SECURED_COOKIE_NAME, formatted_now, :expire_after => HELPER_COOKIES_LIFETIME)
+        set_cookie!(SECURED_COOKIE_NAME, Time.now.gmtime.rfc2822, :expire_after => HELPER_COOKIES_LIFETIME)
       end
     end
     

data/spec/cookie_path_fix_spec.rb

@@ -3,7 +3,7 @@ require 'cgi'
 
 describe SafeCookies::Middleware do
   
-  describe 'cookie path fix' do
+  describe 'cookie path fix,' do
     
     subject { described_class.new(app) }
     let(:app) { stub 'application' }
@@ -15,12 +15,11 @@ describe SafeCookies::Middleware do
     end
     
     def set_default_request_cookies(secured_at = Time.parse('2040-01-01 00:00'))
-      secured_old_cookies_time = Rack::Utils.rfc2822(secured_at.gmtime)
-      set_request_cookies(env, 'cookie_to_update=some_data', "secured_old_cookies=#{CGI::escape(secured_old_cookies_time)}")
+      set_request_cookies(env, 'cookie_to_update=some_data', "secured_old_cookies=#{CGI::escape(secured_at.gmtime.rfc2822)}")
     end
 
 
-    context 'rewriting previously secured cookies' do
+    context 'rewriting previously secured cookies,' do
       
       before do
         SafeCookies.configure do |config|
@@ -109,11 +108,21 @@ describe SafeCookies::Middleware do
         headers['Set-Cookie'].should =~ %r(secured_old_cookies=\w+.*path=/;)
       end
       
-      it 'rewrites cookies even if it cannot parse the secured_old_cookies timestamp' do
-        set_request_cookies(env, 'cookie_to_update=some_data', 'secured_old_cookies=rubbish')
-  
-        code, headers, response = subject.call(env)
-        headers['Set-Cookie'].should =~ /cookie_to_update=some_data;.*path=\/;/
+      context 'unparseable secured_old_cookies timestamp,' do
+        
+        before do
+          set_request_cookies(env, 'cookie_to_update=some_data', 'secured_old_cookies=rubbish')
+          code, @headers, response = subject.call(env)
+        end
+        
+        it 'rewrites cookies anyway' do
+          @headers['Set-Cookie'].should include('cookie_to_update=some_data;')
+        end
+        
+        it 'sets a new, parseable secured_old_cookies timestamp' do
+          @headers['Set-Cookie'].should include("secured_old_cookies=#{CGI::escape @now.gmtime.rfc2822}")
+        end
+
       end
 
     end

data/spec/safe_cookies_spec.rb

@@ -96,7 +96,7 @@ describe SafeCookies::Middleware do
       env['PATH_INFO'] = '/special/path/subfolder'
   
       code, headers, response = subject.call(env)
-      expected_expiry = Rack::Utils.rfc2822((Time.now + 3600).gmtime) # a special date format needed here
+      expected_expiry = (Time.now + 3600).gmtime.rfc2822 # a special date format needed here
       headers['Set-Cookie'].should =~ %r(foo=bar; path=/special/path; expires=#{expected_expiry}; secure; HttpOnly)
     end
     
@@ -208,7 +208,7 @@ describe SafeCookies::Middleware do
     
   end
 
-  context 'unknown request cookies' do
+  context 'when a request has unknown cookies,' do
     
     it 'raises an error if there is an unknown cookie' do
       set_request_cookies(env, 'foo=bar')

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: safe_cookies
 version: !ruby/object:Gem::Version
-  version: 0.1.6
+  version: 0.1.7
 platform: ruby
 authors:
 - Dominik Schöler
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-10-21 00:00:00.000000000 Z
+date: 2013-11-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack