simple_session 0.2.3 → 0.3.3

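--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: bc7cc686a18d938b53ac97732ed364f8748dbe8b
-data.tar.gz: f1f99526496a442f389eed962e1369c774cf88da
+metadata.gz: 83dc3c7b1992f0d05a7166de51c41c350e908dad
+data.tar.gz: 9c562864c93af1b1a23d09de26b469708d017b57
 SHA512:
-metadata.gz: 2f35593ee666a5218c572e7fc2608902934db616642e2e7255f9247dc738fdeb18e8a40add85af1b8bf7a9d70c759cad837c45d64137cc4e6e67a8065256b1fe
-data.tar.gz: 1cecd565c55012dd2e7e7a456feeff3b42eb24681a45abb90ef32321cd3b374a36881ee76c2f7e34260ad450ad98b6fa2edd3642133b7b12e78eadd6241cc5b8
+metadata.gz: 7ba09f3c14291e46e361a215e30e6b213a2389d55143491ea98f40106ccc618b15ddaf97f38ea5dc30700feca9b5612bec4b19af431ac22a0c0736a91cf94655
+data.tar.gz: b20f02781c54a948ffedaddea97ce0994444626cae4dc8b4c126021af67ac4129c834da49eb0f7d436f1fbc9c209c247f483bd320907fe281c2e0c029aa2a87f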
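--- a/data/Gemfile
+++ b/data/Gemfile
@@ -2,3 +2,4 @@ source 'https://rubygems.org'
 
 # Specify your gem's dependencies in simple_session.gemspec
 gemspec
+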
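--- a/data/README.md
+++ b/data/README.md
@@ -1,9 +1,12 @@
 # SimpleSession
 ![build-status](https://travis-ci.org/hayduke19us/simple_session.svg?branch=master)
 
+![Gem Version](https://badge.fury.io/rb/simple_session.svg)
+
 This is a drop in replacement for rack session. By default
-the session cookie is encrypted in AES-256-CBC and requires a secret
-which is recommended to be kept in an .env file or something similar.
+the session cookie is encrypted in AES-256-CBC and requires a secret which is
+recommended to be kept in an .env file or something similar. The session is also
+signed with an HMAC signature in a double ended fashion that prevents tampering.
 
 <a href='#install-sect'><h4>Installation</h4></a>
 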
@@ -36,10 +36,6 @@ module SimpleSession
36
36
  request.cookies[@key] if request
37
37
  end
38
38
 
39
- def req_options
40
- session[:options] if session
41
- end
42
-
43
39
  def new_session_hash
44
40
  { session_id: SecureRandom.hex(32) }
45
41
  end
@@ -64,20 +60,18 @@ module SimpleSession
64
60
  [status, headers, body]
65
61
  end
66
62
 
67
- private
68
63
  def extract_session env
69
64
  begin
70
65
  @request = Rack::Request.new env
71
66
  @session = req_session ? decrypt(req_session) : new_session_hash
67
+ session.merge!(options_hash)
68
+ raise ArgumentError, "Unable to decrypt session" unless session
72
69
 
73
- raise ArgumentError, "Unable to decrypt session" unless @session
74
-
75
- rescue => e
76
- @session = new_session_hash
77
- puts e.message
70
+ rescue Exception => e
71
+ @session = new_session_hash.merge!(options_hash)
72
+ print e.message
78
73
  end
79
74
 
80
- @options = options_hash
81
75
  end
82
76
 
83
77
  def options_hash
@@ -87,13 +81,13 @@ module SimpleSession
87
81
 
88
82
  def load_environment env
89
83
  env[@key] = session.dup
90
- env[@options_key] = @options[:options].dup
84
+ env[@options_key] = session[:options].dup
91
85
  end
92
86
 
93
87
  def add_session headers
94
88
  cookie = Hash.new
95
- cookie[:value] = encrypt session.merge(@options)
96
- cookie.merge!(@options[:options])
89
+ cookie.merge!(session.fetch(:options, @default_opts))
90
+ cookie[:value] = encrypt session
97
91
 
98
92
  set_cookie_header headers, @key, cookie
99
93
  end
@@ -103,21 +97,25 @@ module SimpleSession
103
97
  end
104
98
 
105
99
  def update_options
106
- @options = {options: OptionHash.new(request.session_options).opts}
100
+ session[:options] = {options: OptionHash.new(request.session_options).opts}
107
101
  end
108
102
 
109
103
  def options_changed?
110
- request.session_options != @options[:options]
104
+ request.session_options != session[:options]
111
105
  end
112
106
 
113
107
  def session_changed?
114
- request.session != @session
108
+ request.session != session
115
109
  end
116
110
 
117
111
  def update_session
118
112
  @session = request.session
119
113
  end
120
114
 
115
+ def signature
116
+ hmac(cipher_key)
117
+ end
118
+
121
119
  def encrypt data
122
120
  # Serialize
123
121
  m = Marshal.dump data
@@ -125,19 +123,29 @@ module SimpleSession
125
123
  # Cipher
126
124
  c = load_cipher m
127
125
 
126
+ # Sign
127
+ h = signature + c + signature
128
+
128
129
  # Encode Base64
129
- [c].pack('m')
130
+ [h].pack('m0')
130
131
  end
131
132
 
132
133
  def decrypt data
133
134
  # Decode Base64
134
- b = data.unpack('m').first
135
-
136
- # Decipher
137
- c = unload_cipher b
138
-
139
- # Deserialize
140
- Marshal.load c
135
+ b = data.unpack('m0').first
136
+
137
+ # Parse Signature
138
+ h1 = b[0, 32]
139
+ data = b[32..-1]
140
+ h2 = data.reverse[0, 32].reverse
141
+ data = data.reverse[32..-1].reverse
142
+
143
+ if h1 == signature.to_s && h2 == signature.to_s
144
+ # Decipher
145
+ Marshal.load unload_cipher data
146
+ else
147
+ raise SecurityError
148
+ end
141
149
  end
142
150
 
143
151
  def digest
@@ -171,7 +179,7 @@ module SimpleSession
171
179
  end
172
180
 
173
181
  def cipher_key
174
- hmac("A red, red fox has had three socks but all have holes")
182
+ hmac("A red, red fox has had three socks but all have holes" + @secret)
175
183
  end
176
184
 
177
185
  class OptionHash
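Review bot: `signature` is defined as `hmac(cipher_key)`, a value that depends only on the secret-derived key and never on the message, so `h = signature + c + signature` in encrypt frames every cookie with the same fixed token and decrypt's `h1 == signature.to_s && h2 == signature.to_s` cannot detect a changed ciphertext — the `Marshal.load` that follows then deserializes data whose integrity was never verified. The tag has to be computed over the ciphertext and checked with a constant-time comparison before anything is deciphered or unmarshalled; the sketch below does that with a single leading tag (the trailing copy adds nothing once the tag covers the data), assumes `hmac` is keyed by the configured secret and returns a 32-byte raw digest (`hmac` and `digest` are outside these hunks — confirm), and uses `Rack::Utils.secure_compare`. Separately, in extract_session `rescue Exception => e` now also swallows SignalException and SystemExit, where `rescue StandardError => e` keeps the previous scope, and `print e.message` should go to a logger or `env['rack.errors']` so a rejected cookie shows up in the application log rather than on stdout. decrypt's existing `b[32..-1]` slicing on a payload shorter than 64 bytes also ends in a NoMethodError on nil instead of a SecurityError, which the length guard below replaces.
```ruby
def signature(data)
  # MAC over the ciphertext; assumes hmac is keyed by the configured secret
  hmac(data)
end

def encrypt data
  # … unchanged: Marshal.dump / load_cipher …
  # Sign: the tag is computed over the ciphertext, not a fixed value
  h = signature(c) + c
  # Encode Base64
  [h].pack('m0')
end

def decrypt data
  # Decode Base64
  b = data.unpack('m0').first
  # Refuse anything too short to hold a 32-byte tag plus ciphertext
  raise SecurityError if b.nil? || b.bytesize <= 32

  tag = b[0, 32]
  data = b[32..-1]
  # Constant-time comparison against the tag recomputed over the received ciphertext
  raise SecurityError unless Rack::Utils.secure_compare(tag, signature(data))

  # Decipher, then deserialize only verified data
  Marshal.load unload_cipher data
end
```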
@@ -1,3 +1,3 @@
1
1
  module SimpleSession
2
- VERSION = "0.2.3"
2
+ VERSION = "0.3.3"
3
3
  end
@@ -9,9 +9,12 @@ Gem::Specification.new do |spec|
9
9
  spec.authors = ["hayduke19us"]
10
10
  spec.email = ["hayduke19us@gmail.com"]
11
11
 
12
- spec.summary = %q{A simple middleware providing rack with a session cookie.}
13
- spec.description = %q{Provides an AES-256-CBC encrypted session cookie
14
- with the option to set max-age. Honors rack's
12
+ spec.summary = %q{A simple middleware providing rack with an
13
+ encrypted session cookie.}
14
+ spec.description = %q{Provides an AES-256-CBC encrypted session cookie signed
15
+ with and HMAC digest in a double ended manor.
16
+ Cookie options include max-age, path, domain, http-only,
17
+ and secure. Honors Rack's
15
18
  methods like session and request.session_options}
16
19
  spec.homepage = "https://github.com/hayduke19us/simple_session"
17
20
  spec.license = "MIT"
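Review bot: The new description reads `with and HMAC digest in a double ended manor` — two typos that ship in the published gem metadata; `with an HMAC digest in a double-ended manner` is the intended wording. The summary is also now split across two source lines inside `%q{}`, so the literal carries an embedded newline and leading spaces unless RubyGems normalizes it; keeping `spec.summary = %q{A simple middleware providing rack with an encrypted session cookie.}` on one line avoids that.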
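--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: simple_session
 version: !ruby/object:Gem::Version
-version: 0.2.3
+version: 0.3.3
 platform: ruby
 authors:
 - hayduke19us
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2015-11-12 00:00:00.000000000 Z
+date: 2015-11-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -122,10 +122,10 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
-description: |-
-Provides an AES-256-CBC encrypted session cookie
-with the option to set max-age. Honors rack's
-methods like session and request.session_options
+description: "Provides an AES-256-CBC encrypted session cookie signed\n with
+and HMAC digest in a double ended manor. \n Cookie options
+include max-age, path, domain, http-only,\n and secure.
+Honors Rack's\n methods like session and request.session_options"
 email:
 - hayduke19us@gmail.com
 executables: []
@@ -168,5 +168,5 @@ rubyforge_project:
 rubygems_version: 2.4.5
 signing_key:
 specification_version: 4
-summary: A simple middleware providing rack with a session cookie.
+summary: A simple middleware providing rack with an encrypted session cookie.
 test_files: []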