safe_cookies 0.1.7 → 0.2.0

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    Njc0YjdlMzZlMTRmNjk3NGQ1NWQ5NDU0YjU0ZGQwMTA0OGYyM2Y1MQ==
+    YjY2ZmQ0ZDEzMWVhMDRmNWE0MmM2ODRjYTU5MzEyZmQxN2JkMGQzMg==
   data.tar.gz: !binary |-
-    YzQ4OWE2ODk3NWU4M2U0OTQ3MjRlZDdiYzIzM2MyNjFjNmE0YzRmOQ==
+    N2E2Yzg5OGQzMzkyYWI3N2E1MWJlZWJmZjI1NGM0ZjY2MjkzNDVkZQ==
 SHA512:
   metadata.gz: !binary |-
-    NmJjNjgzM2VjZTdmY2E4ZmM3OTQwOTEwNzgwNTQ1YTMxOTZlOWY4NDA3Nzgy
-    YTJlZmRkOTQyMjQwNTE1NWUxN2I2M2VmNTNjMjMyZTk5NGQ0MTlmY2M0MWMz
-    NmQwM2EwZmE4M2I4MjJlNmVjZDlmZmJmNWY0NDYxN2Q3ZWI2YmE=
+    MzU1ZTQyYjQzNmNhNzljNzA2Y2U2NWIyMDU5MTkyMTU5MDZjYmQ0ZDY4MjNl
+    M2MxMWJhYmQwMzJkZDdlYzJlZTkwYWFkNWJkNzE4ZTc5MTUxOWI0YjMwNmVk
+    NGM0YzUyZWU3MjJjMGZlMzgzYjk2OTg4OWU1MzY5ZGQzYjE0NzE=
   data.tar.gz: !binary |-
-    YjU4NDU0NjUwNjgzZGNhYzNjNTBiM2JjOTQyMGZlZDY3YThjYjRiYTUzZDE5
-    ZDU5NjVhOTNlYjM1NWE2NDUwMjI1YzZmZmU5OGZhZmI3M2I2ZjM5YzMyNzNl
-    YWZjYWFjMGIwMWU5YTg2NThlMzJkNjExMDdjODgyMzhkY2ExYmY=
+    OTMzYTYzN2JkMzk3OGU5NzE4MzAwMWUxYWVmMmI1ZThmYTExNmQyNzgyYWU4
+    YjFiYzIyOTg4YTk0Njg3YTk0NzRiMjAyMzc1NmM0OWVhYjRhNWI3NDdlZjZm
+    NTMxYTkwNmJlYTJlMjBkY2NhMGYzM2MwYzRkYzcwMTViMTlmMzc=

data/README.md

@@ -66,19 +66,22 @@ The middleware is not able to secure cookies without knowing their attributes
 if it stores the cookie with flags such as "secure" or which expiry date it
 currently has. Therefore, it is important to register all cookies that may be
 sent by the client, specifying their properties. Unregistered cookies cannot be
-secured.
-
-If a request contains a cookie that is not registered, the middleware will raise
-a `SafeCookies::UnknownCookieError`. Rails 3+ should handle the exception as any
-other in your application, but by default, **you will not be notified from Rails
-2 applications** and the user will see a standard 500 Server Error. Override
-`SafeCookies::Middleware#handle_unknown_cookies(cookies)` in the config
-initializer for customized exception handling (like, notifying you per email).
-
-You should register any cookie that your application has to do with. However, there are cookies that you
-do not control, like Google's `__utma` & co. You can tell the middleware to ignore those with the
-`config.ignore_cookie` directive, which takes either a String or a Regex parameter. Be careful when using
-regular expressions!
+secured by the middleware.
+
+Unknown cookies are written to the Rails log. When you start implementing the
+middleware, you should closely watch it to find cookies you forgot to register.
+You may overwrite `SafeCookies::Middleware#handle_unknown_cookies(cookies)` in
+the config initializer for customized behaviour (like, notifying you per email).
+
+You should register any cookie that your application is using.
+
+
+## Ignoring cookies
+
+Currently, ignoring cookies only prevents the middleware from writing them to the logs.
+
+You can tell the middleware to ignore cookies with the `config.ignore_cookie`
+directive, which takes either a String or a Regex parameter. Be careful when using regular expressions!
 
 
 ## Fix cookie paths

data/lib/safe_cookies/version.rb

@@ -1,3 +1,3 @@
 module SafeCookies
-  VERSION = '0.1.7'
+  VERSION = '0.2.0'
 end

data/lib/safe_cookies.rb

@@ -18,6 +18,7 @@ module SafeCookies
   STORE_COOKIE_NAME = '_safe_cookies__known_cookies'
   SECURED_COOKIE_NAME = 'secured_old_cookies'
   HELPER_COOKIES_LIFETIME = 10 * 365 * 24 * 60 * 60 # 10 years
+  
 
   class Middleware
     
@@ -57,9 +58,7 @@ module SafeCookies
     def reset_instance_variables
       @request, @headers, @application_cookies_string = nil
     end
-    
-    # Do something if a request has an unregistered cookie, because we do not
-    # want any cookie to not be secured. By default, we raise an error.
+
     def check_if_request_has_unknown_cookies
       request_cookie_names = request_cookies.keys.map(&:to_s)
       unknown_cookie_names = request_cookie_names - known_cookie_names
@@ -129,7 +128,14 @@ module SafeCookies
     
     # API method
     def handle_unknown_cookies(cookie_names)
-      raise SafeCookies::UnknownCookieError.new("Request for '#{@request.url}' had unknown cookies: #{cookie_names.join(', ')}")
+      log_error("Request for '#{@request.url}' had unknown cookies: #{cookie_names.join(', ')}")
+    end
+    
+    def log_error(error_message)
+      message = '** [SafeCookies error] '
+      message << error_message
+      
+      Rails.logger.error(message) if defined?(Rails)
     end
 
   end

data/spec/safe_cookies_spec.rb

@@ -207,16 +207,22 @@ describe SafeCookies::Middleware do
     end
     
   end
-
+  
+  
+  # The unknown cookies mechanism was more important when we were sending
+  # notifications on encountering unknown cookies. Perhaps, it will regain
+  # importance in the future.
   context 'when a request has unknown cookies,' do
     
-    it 'raises an error if there is an unknown cookie' do
+    it 'logs an error message' do
+      stub_app_call(app)
       set_request_cookies(env, 'foo=bar')
-    
-      expect{ subject.call(env) }.to raise_error(SafeCookies::UnknownCookieError)
+      
+      subject.should_receive(:log_error).with(/unknown cookies: foo/)
+      subject.call(env)
     end
     
-    it 'does not raise an error if the (unregistered) cookie was initially set by the application' do
+    it 'does not log an error if the (unregistered) cookie was initially set by the application' do
       # application sets cookie
       stub_app_call(app, :application_cookies => 'foo=bar; path=/some/path; secure')
       
@@ -233,10 +239,11 @@ describe SafeCookies::Middleware do
       stub_app_call(other_app)
       set_request_cookies(env, *received_cookies)
 
+      other_subject.should_not_receive(:log_error)
       other_subject.call(env)
     end
     
-    it 'does not raise an error if the cookie is listed in the cookie configuration' do
+    it 'does not log an error if the cookie is listed in the cookie configuration' do
       SafeCookies.configure do |config|
         config.register_cookie('foo', :expire_after => 3600)
       end
@@ -244,10 +251,11 @@ describe SafeCookies::Middleware do
       stub_app_call(app)
       set_request_cookies(env, 'foo=bar')
       
+      subject.should_not_receive(:log_error)
       subject.call(env)
     end
     
-    it 'does not raise an error if the cookie is ignored' do
+    it 'does not log an error if the cookie is ignored' do
       SafeCookies.configure do |config|
         config.ignore_cookie '__utma'
       end
@@ -255,10 +263,11 @@ describe SafeCookies::Middleware do
       stub_app_call(app)
       set_request_cookies(env, '__utma=tracking')
       
+      subject.should_not_receive(:log_error)
       subject.call(env)
     end
     
-    it 'allows overwriting the error mechanism' do
+    it 'allows overwriting the handling mechanism' do
       stub_app_call(app)
       set_request_cookies(env, 'foo=bar')
       

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: safe_cookies
 version: !ruby/object:Gem::Version
-  version: 0.1.7
+  version: 0.2.0
 platform: ruby
 authors:
 - Dominik Schöler
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-11-04 00:00:00.000000000 Z
+date: 2013-11-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -109,7 +109,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.1.2
+rubygems_version: 2.1.3
 signing_key: 
 specification_version: 4
 summary: Make all cookies `secure` and `HttpOnly`.