tynn 2.0.0.alpha → 2.0.0.beta1

data/lib/tynn/secure_headers.rb

@@ -9,10 +9,7 @@ class Tynn
   #
   # [X-Frame-Options]
   #   Provides {Clickjacking}[https://www.owasp.org/index.php/Clickjacking]
-  #   protection. Defaults to <tt>"SAMEORIGIN"</tt>.
-  #
-  # [X-Permitted-Cross-Domain-Policies]
-  #   Restricts Adobe Flash Player's access to data. Defaults to <tt>"none"</tt>.
+  #   protection. Defaults to <tt>"deny"</tt>.
   #
   # [X-XSS-Protection]
   #   Enables the XSS protection filter built into IE, Chrome and Safari.
@@ -29,8 +26,7 @@ class Tynn
   module SecureHeaders
     HEADERS = {
       "X-Content-Type-Options" => "nosniff",
-      "X-Frame-Options" => "SAMEORIGIN",
-      "X-Permitted-Cross-Domain-Policies" => "none",
+      "X-Frame-Options" => "deny",
       "X-XSS-Protection" => "1; mode=block"
     }.freeze # :nodoc:
 

data/lib/tynn/session.rb

@@ -10,8 +10,8 @@ class Tynn
   #   Tynn.plugin(Tynn::Session, secret: "__change_me_not_secure__")
   #
   #   Tynn.define do
-  #     on("login") do
-  #       post do
+  #     on "login" do
+  #       on post do
   #         # ...
   #
   #         session[:user_id] = user.id
@@ -46,6 +46,14 @@ class Tynn
   #   If <tt>true</tt>, sets the <tt>Secure</tt> flag. This tells the browser
   #   to only transmit the cookie over HTTPS. Defaults to <tt>false</tt>.
   #
+  # [same_site]
+  #   Disables third-party usage for cookies. There are two possible values
+  #   <tt>:Lax</tt> and <tt>:Strict</tt>. In <tt>Strict</tt> mode, the cookie
+  #   is restrain to any cross-site usage; in <tt>Lax</tt> mode, some cross-site
+  #   usage is allowed. Defaults to <tt>:Lax</tt>. If <tt>nil</tt> is passed,
+  #   the flag is not included. Check this article[http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/]
+  #   for more information.
+  #
   # [expire_after]
   #   The lifespan of the cookie. If <tt>nil</tt>, the session cookie is temporary
   #   and is no retained after the browser is closed. Defaults to <tt>nil</tt>.
@@ -58,7 +66,8 @@ class Tynn
   #     secret: ENV["SESSION_SECRET"],
   #     expire_after: 36_000, # seconds
   #     httponly: true,
-  #     secure: true
+  #     secure: true,
+  #     same_site: :Strict
   #   )
   #
   module Session
@@ -68,7 +77,7 @@ class Tynn
       secret = options[:secret]
 
       if secret.nil?
-        raise <<~MSG
+        raise Tynn::Error, <<~MSG
           No secret option provided to Tynn::Session.
 
           Tynn::Session uses a secret token to sign the cookie data, thus
@@ -86,7 +95,7 @@ class Tynn
       end
 
       if secret.length < SECRET_MIN_LENGTH
-        raise <<~MSG
+        raise Tynn::Error, <<~MSG
           The secret provided is shorter than the minimum length.
 
           Make sure the secret is long and all random. You can generate a

data/lib/tynn/ssl.rb

@@ -13,21 +13,24 @@ class Tynn
   # 3. Setting the <tt>secure</tt> flag on cookies. This tells the browser to
   #    only transmit them over HTTPS.
   #
-  # You can configure HSTS passing a <tt>:hsts</tt> option. The following options
-  # are supported:
-  #
-  # - *:expires* - The time, in seconds, that the browser access the site only
-  #   by HTTPS. Defaults to 180 days.
-  #
-  # - *:subdomains* - If this is <tt>true</tt>, the rule applies to all the
-  #   site's subdomains as well. Defaults to <tt>true</tt>.
-  #
-  # - *:preload* - A limitation of HSTS is that the initial request remains
-  #   unprotected if it uses HTTP. The same applies to the first request after
-  #   the activity period specified by <tt>max-age</tt>. Modern browsers implements
-  #   a "HSTS preload list", which contains known sites supporting HSTS. If you
-  #   would like to include your website into the list, set this option to
-  #   <tt>true</tt> and submit your domain to this form[https://hstspreload.appspot.com/].
+  # You can configure HSTS passing through the <tt>:hsts</tt> option.
+  # The following options are supported:
+  #
+  # [expires]
+  #   The time, in seconds, that the browser access the site only by HTTPS.
+  #   Defaults to 180 days.
+  #
+  # [subdomains]
+  #   If this is <tt>true</tt>, the rule applies to all the site's subdomains as
+  #   well. Defaults to <tt>true</tt>.
+  #
+  # [preload]
+  #   A limitation of HSTS is that the initial request remains unprotected if it
+  #   uses HTTP. The same applies to the first request after the activity period
+  #   specified by <tt>max-age</tt>. Modern browsers implements a "HSTS preload
+  #   list", which contains known sites supporting HSTS. If you would like to
+  #   include your website into the list, set this option to <tt>true</tt> and
+  #   submit your domain to this form[https://hstspreload.appspot.com/].
   #   Supported by Chrome, Firefox, IE11+ and IE Edge.
   #
   # To disable HSTS, you will need to tell the browser to expire it immediately.
@@ -74,7 +77,7 @@ class Tynn
       end
 
       def call(env)
-        request = Rack::Request.new(env)
+        request = Tynn::Request.new(env)
 
         return redirect_to_https(request) unless request.ssl?
 

data/lib/tynn/test.rb

@@ -7,16 +7,16 @@ class Tynn
   #   require "tynn/test"
   #
   #   Tynn.define do
-  #     root do
+  #     on get do
   #       res.write("Hei!")
   #     end
   #   end
   #
-  #   app = Tynn::Test.new
-  #   app.get("/")
+  #   ts = Tynn::Test.new
+  #   ts.get("/")
   #
-  #   app.res.status # => 200
-  #   app.res.body   # => "Hei!"
+  #   ts.res.status    # => 200
+  #   ts.res.body.join # => "Hei!"
   #
   class Test
     attr_reader :app # :nodoc:
@@ -26,8 +26,8 @@ class Tynn
     #   class API < Tynn
     #   end
     #
-    #   app = Tynn::Test.new(API)
-    #   app.get("/user.json")
+    #   ts = Tynn::Test.new(API)
+    #   ts.get("/user.json")
     #
     def initialize(app = Tynn)
       @app = app
@@ -52,40 +52,38 @@ class Tynn
     #   end
     #
     module Methods
-      # If a request has been issued, returns an instance of
-      # Rack::Request[http://www.rubydoc.info/gems/rack/Rack/Request].
+      # If a request has been issued, returns an instance of Tynn::Request.
       # Otherwise, returns <tt>nil</tt>.
       #
-      #   app = Tynn::Test.new
-      #   app.get("/", { foo: "foo" }, { "HTTP_USER_AGENT" => "Tynn::Test" })
+      #   ts = Tynn::Test.new
+      #   ts.get("/", { foo: "foo" }, { "HTTP_USER_AGENT" => "Tynn::Test" })
       #
-      #   app.req.get?
+      #   ts.req.get?
       #   # => true
       #
-      #   app.req.params["foo"]
+      #   ts.req.params["foo"]
       #   # => "foo"
       #
-      #   app.req.env["HTTP_USER_AGENT"]
+      #   ts.req.env["HTTP_USER_AGENT"]
       #   # => "Tynn::Test"
       #
       def req
         @__req
       end
 
-      # If a request has been issued, returns an instance of
-      # Rack::MockResponse[http://www.rubydoc.info/gems/rack/Rack/MockResponse].
+      # If a request has been issued, returns an instance of Tynn::Response
       # Otherwise, returns <tt>nil</tt>.
       #
-      #   app = Tynn::Test.new
-      #   app.get("/", name: "Jane")
+      #   ts = Tynn::Test.new
+      #   ts.get("/", name: "Jane")
       #
-      #   app.res.status
+      #   ts.res.status
       #   # => 200
       #
-      #   app.res.body
+      #   ts.res.body.join
       #   # => "Hello Jane!"
       #
-      #   app.res["Content-Type"]
+      #   ts.res.headers["Content-Type"]
       #   # => "text/html"
       #
       def res
@@ -99,9 +97,9 @@ class Tynn
       #          or <tt>nil</tt>.
       # [env]    A Hash of Rack environment values.
       #
-      #   app = Tynn::Test.new
-      #   app.get("/search", name: "jane")
-      #   app.get("/cart", {}, { "HTTPS" => "on" })
+      #   ts = Tynn::Test.new
+      #   ts.get("/search", name: "jane")
+      #   ts.get("/cart", {}, { "HTTPS" => "on" })
       #
       def get(path, params = {}, env = {})
         request(path, env.merge(method: "GET", params: params))
@@ -109,8 +107,8 @@ class Tynn
 
       # Issues a <tt>POST</tt> request. See #get for more information.
       #
-      #   app = Tynn::Test.new
-      #   app.post("/signup", username: "janedoe", password: "secret")
+      #   ts = Tynn::Test.new
+      #   ts.post("/signup", username: "janedoe", password: "secret")
       #
       def post(path, params = {}, env = {})
         request(path, env.merge(method: "POST", params: params))
@@ -118,8 +116,8 @@ class Tynn
 
       # Issues a <tt>PUT</tt> request. See #get for more information.
       #
-      #   app = Tynn::Test.new
-      #   app.put("/users/1", username: "johndoe", name: "John")
+      #   ts = Tynn::Test.new
+      #   ts.put("/users/1", username: "johndoe", name: "John")
       #
       def put(path, params = {}, env = {})
         request(path, env.merge(method: "PUT", params: params))
@@ -127,8 +125,8 @@ class Tynn
 
       # Issues a <tt>PATCH</tt> request. See #get for more information.
       #
-      #   app = Tynn::Test.new
-      #   app.patch("/users/1", username: "janedoe")
+      #   ts = Tynn::Test.new
+      #   ts.patch("/users/1", username: "janedoe")
       #
       def patch(path, params = {}, env = {})
         request(path, env.merge(method: "PATCH", params: params))
@@ -136,8 +134,8 @@ class Tynn
 
       # Issues a <tt>DELETE</tt> request. See #get for more information.
       #
-      #   app = Tynn::Test.new
-      #   app.delete("/users/1")
+      #   ts = Tynn::Test.new
+      #   ts.delete("/users/1")
       #
       def delete(path, params = {}, env = {})
         request(path, env.merge(method: "DELETE", params: params))
@@ -145,8 +143,8 @@ class Tynn
 
       # Issues a <tt>HEAD</tt> request. See #get for more information.
       #
-      #   app = Tynn::Test.new
-      #   app.head("/users/1")
+      #   ts = Tynn::Test.new
+      #   ts.head("/users/1")
       #
       def head(path, params = {}, env = {})
         request(path, env.merge(method: Rack::HEAD, params: params))
@@ -154,8 +152,8 @@ class Tynn
 
       # Issues a <tt>OPTIONS</tt> request. See #get for more information.
       #
-      #   app = Tynn::Test.new
-      #   app.options("/users")
+      #   ts = Tynn::Test.new
+      #   ts.options("/users")
       #
       def options(path, params = {}, env = {})
         request(path, env.merge(method: "OPTIONS", params: params))
@@ -164,8 +162,17 @@ class Tynn
       private
 
       def request(path, opts = {})
-        @__req = Rack::Request.new(Rack::MockRequest.env_for(path, opts))
-        @__res = Rack::MockResponse.new(*app.call(@__req.env))
+        @__req = Tynn::Request.new(Rack::MockRequest.env_for(path, opts))
+        @__res = make_response(*app.call(@__req.env))
+      end
+
+      def make_response(status, headers, body)
+        res = Tynn::Response.new(headers)
+        res.status = status
+
+        body.each { |b| res.write(b) }
+
+        res
       end
     end
 

data/lib/tynn/utils.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class Tynn
+  module Utils # :nodoc:
+    module_function
+
+    def deepclone_hash(hash)
+      default_proc, hash.default_proc = hash.default_proc, nil
+
+      Marshal.load(Marshal.dump(hash))
+    ensure
+      hash.default_proc = default_proc
+    end
+  end
+end

data/lib/tynn/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 class Tynn
-  VERSION = "2.0.0.alpha" # :nodoc:
+  VERSION = "2.0.0.beta1" # :nodoc:
 end

data/test/default_headers_test.rb

@@ -4,7 +4,7 @@ require_relative "helper"
 
 class DefaultHeadersTest < Minitest::Test
   def setup
-    @app = Class.new(Tynn)
+    @app = new_app
   end
 
   def test_set_and_get_headers

data/test/environment_test.rb

@@ -5,7 +5,7 @@ require_relative "../lib/tynn/environment"
 
 class EnvironmentTest < Minitest::Test
   def setup
-    @app = Class.new(Tynn)
+    @app = new_app
   end
 
   def test_without_rack_env

data/test/helper.rb

@@ -5,3 +5,12 @@ require "minitest/autorun"
 require "minitest/pride"
 require_relative "../lib/tynn"
 require_relative "../lib/tynn/test"
+
+class Minitest::Test
+  def new_app(parent: Tynn, lint: true)
+    app = Class.new(parent)
+    app.use(Rack::Lint) if lint
+
+    app
+  end
+end

data/test/json_test.rb

@@ -5,14 +5,14 @@ require_relative "../lib/tynn/json"
 
 class JSONTest < Minitest::Test
   def setup
-    @app = Class.new(Tynn)
+    @app = new_app
   end
 
   def test_respond_json_object
     @app.plugin(Tynn::JSON)
 
     @app.define do
-      get do
+      on get do
         json(foo: "foo")
       end
     end
@@ -20,7 +20,7 @@ class JSONTest < Minitest::Test
     ts = Tynn::Test.new(@app)
     ts.get("/")
 
-    object = JSON.parse(ts.res.body)
+    object = JSON.parse(ts.res.body.join)
 
     assert_equal "foo", object["foo"]
   end
@@ -29,7 +29,7 @@ class JSONTest < Minitest::Test
     @app.plugin(Tynn::JSON)
 
     @app.define do
-      get do
+      on get do
         json(%w(foo bar baz))
       end
     end
@@ -37,14 +37,14 @@ class JSONTest < Minitest::Test
     ts = Tynn::Test.new(@app)
     ts.get("/")
 
-    assert_equal %w(foo bar baz), JSON.parse(ts.res.body)
+    assert_equal %w(foo bar baz), JSON.parse(ts.res.body.join)
   end
 
   def test_content_type
     @app.plugin(Tynn::JSON)
 
     @app.define do
-      get do
+      on get do
         json(ok: true)
       end
     end
@@ -54,4 +54,19 @@ class JSONTest < Minitest::Test
 
     assert_equal "application/json", ts.res.content_type
   end
+
+  def test_custom_content_type
+    @app.plugin(Tynn::JSON, content_type: "application/js")
+
+    @app.define do
+      on get do
+        json(ok: true)
+      end
+    end
+
+    ts = Tynn::Test.new(@app)
+    ts.get("/")
+
+    assert_equal "application/js", ts.res.content_type
+  end
 end

data/test/middleware_test.rb

@@ -16,12 +16,12 @@ class MiddlewareTest < Minitest::Test
   end
 
   def test_middleware_works
-    app = Class.new(Tynn)
+    app = new_app
 
     app.use(Shrimp)
 
     app.define do
-      get do
+      on get do
         res.write("1")
         res.write("2")
       end
@@ -31,23 +31,23 @@ class MiddlewareTest < Minitest::Test
     ts.get("/")
 
     assert_equal 200, ts.res.status
-    assert_equal "21", ts.res.body
+    assert_equal "21", ts.res.body.join
   end
 
   def test_middleware_with_composition
-    app = Class.new(Tynn)
-    api = Class.new(Tynn)
+    app = new_app
+    api = new_app(lint: false)
 
     app.use(Shrimp)
 
     app.define do
-      on("api") do
+      on "api" do
         run(api)
       end
     end
 
     api.define do
-      get do
+      on get do
         res.write("1")
         res.write("2")
       end
@@ -57,23 +57,23 @@ class MiddlewareTest < Minitest::Test
     ts.get("/api")
 
     assert_equal 200, ts.res.status
-    assert_equal "21", ts.res.body
+    assert_equal "21", ts.res.body.join
   end
 
   def test_middleware_for_sub_application
-    app = Class.new(Tynn)
-    api = Class.new(Tynn)
+    app = new_app
+    api = new_app
 
     api.use(Shrimp)
 
     app.define do
-      on("api") do
+      on "api" do
         run(api)
       end
     end
 
     api.define do
-      get do
+      on get do
         res.write("1")
         res.write("2")
       end
@@ -83,6 +83,16 @@ class MiddlewareTest < Minitest::Test
     ts.get("/api")
 
     assert_equal 200, ts.res.status
-    assert_equal "21", ts.res.body
+    assert_equal "21", ts.res.body.join
+  end
+
+  def test_raise_if_frozen
+    app = new_app
+
+    app.define {}
+
+    assert_raises(Tynn::Error) do
+      app.use(Shrimp, name: "foo", bar: 1)
+    end
   end
 end