tzispa 0.6.0 → 0.6.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 0d1e2f805b398259308d37b08aaf4b1afe9d2537
4
- data.tar.gz: 751ff37e20bdb8f0c0fc27a12aa7250523b80c99
3
+ metadata.gz: 1e7d9bdf85429d1bbe0fd303daff3853049aa4f6
4
+ data.tar.gz: 61aecb036fb1501b56572e8f5504ed9911e51242
5
5
  SHA512:
6
- metadata.gz: c98965cffb98d15718affc2fa467a9cd6fce46c9033bfcdbdaf1fc55849679708e75fa6db836e735be380d3af9cb8e2f71a753c1dbc92d47ffef0cfb8af43069
7
- data.tar.gz: a38443bda7a70802a8baf6d946a5c5293576dcdf8742f5afaf04f658154017454a06c34c71add5324796ab3f5fc9b6b6850ba9a6aff22c39035d2ff29fa4932a
6
+ metadata.gz: 79493c3072124348bc1e9458615da7a75665c4a9ee6f29ef138ede3df6bdae48648402c7ecfb3058fc93357905717ed034f6e17b4f0929d18993603927981560
7
+ data.tar.gz: f38fabe97d6d006bfde4e0e2d9f2349d96a428c68f7fa818e38e33cb836b8f8a04257b7cd4137d06f69206e48c03f1d20610eba913411a61f2d45edf6081a435
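--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -2,6 +2,10 @@ Tzispa
 
 General purpose web framework
 
+## v0.6.1
+- sessions security improvements
+- added "x-frame-option: sameorigin" header to security improvement
+
 ## v0.6.0
 - code refactoring & templates namespace simplification
 - added auth_layout controller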
@@ -12,7 +12,7 @@ module Tzispa
12
12
  include Tzispa::Helpers::Response
13
13
 
14
14
  def render!
15
- if (layout_name == login_layout) || context.login
15
+ if (layout_name == login_layout) || context.logged?
16
16
  rig = Tzispa::Rig::Engine.layout name: layout_name, domain: application.domain, content_type: context.router_params[:format] || config.default_format
17
17
  response.body << rig.render(context)
18
18
  content_type rig.content_type
@@ -17,9 +17,10 @@ module Tzispa
17
17
  include Tzispa::Helpers::Security
18
18
 
19
19
  attr_reader :request, :response
20
- def_delegators :@request, :session, :browser
20
+ def_delegators :@request, :session
21
21
 
22
22
  SESSION_LAST_ACCESS = :__last_access
23
+ SESSION_ID = :__session_id
23
24
  SESSION_AUTH_USER = :__auth__user
24
25
  GLOBAL_MESSAGE_FLASH = :__global_message_flash
25
26
 
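Review bot: Dropping `:browser` from `def_delegators :@request, :session, :browser` removes a public method of the context class that the v0.6.1 CHANGELOG entry does not mention, so any caller still using `context.browser` will now raise NoMethodError. If the removal is intended, record it in the changelog; otherwise keep the delegator. The new `SESSION_ID = :__session_id` key follows the naming of the neighbouring session constants and needs no change.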
@@ -28,7 +29,7 @@ module Tzispa
28
29
  super(app, environment)
29
30
  @request = Tzispa::Http::Request.new(environment)
30
31
  @response = Tzispa::Http::Response.new
31
- session[:id] ||= SecureRandom.uuid if app&.config&.sessions&.enabled
32
+ generate_session_id unless session[SESSION_ID]
32
33
  end
33
34
 
34
35
  def router_params
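Review bot: The new `generate_session_id unless session[SESSION_ID]` drops the `if app&.config&.sessions&.enabled` guard the removed line had, so it now runs on every request even when sessions are disabled, and generate_session_id (added later in this commit) assigns `session.id =`, which presumably is not available on whatever `session` returns when sessions are off. Keeping the guard would be `generate_session_id if app&.config&.sessions&.enabled && !session[SESSION_ID]`. Separately, when SESSION_ID is present but no longer equals `session.id`, nothing resets or regenerates it, so `session?` and therefore `logged?` stay false for the rest of that session's life; decide explicitly what a mismatch means (for example clear the session and regenerate) rather than leaving it stuck. The enclosing initialize starts before this hunk.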
@@ -48,15 +49,19 @@ module Tzispa
48
49
  end
49
50
 
50
51
  def flash
51
- SessionFlashBag.new(session, GLOBAL_MESSAGE_FLASH)
52
+ @flash ||= SessionFlashBag.new(session, GLOBAL_MESSAGE_FLASH)
53
+ end
54
+
55
+ def session?
56
+ (not session[SESSION_ID].nil?) and (session[SESSION_ID] == session.id)
52
57
  end
53
58
 
54
59
  def logged?
55
- not session[SESSION_AUTH_USER].nil?
60
+ session? and (not session[SESSION_AUTH_USER].nil?)
56
61
  end
57
62
 
58
63
  def login=(user)
59
- session[SESSION_AUTH_USER] = user if not user.nil?
64
+ session[SESSION_AUTH_USER] = user unless user.nil?
60
65
  end
61
66
 
62
67
  def login
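Review bot: `session?` is written as `(not session[SESSION_ID].nil?) and (session[SESSION_ID] == session.id)`, and `logged?` as `session? and (not ...)`; `not`/`and` have control-flow precedence in Ruby and the parentheses are the only thing making these correct, so the idiomatic forms are `!session[SESSION_ID].nil? && session[SESSION_ID] == session.id` and `session? && !session[SESSION_AUTH_USER].nil?`. Because this check is what now gates authentication, it deserves a one-line comment stating the intent, e.g. `# A session is trusted only when the id stored inside it matches the id it was served under.` The `@flash ||=` memoization is fine given that a context is built per request in initialize.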
@@ -131,6 +136,13 @@ module Tzispa
131
136
 
132
137
  private
133
138
 
139
+ def generate_session_id
140
+ SecureRandom.uuid.tap { |uuid|
141
+ session.id = uuid
142
+ session[SESSION_ID] = uuid
143
+ }
144
+ end
145
+
134
146
  def normalize_format(params)
135
147
  params.tap { |pmm|
136
148
  pmm[:format] = config.default_format unless pmm[:format]
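Review bot: generate_session_id assigns `session.id = uuid`, so it relies on the object returned by the `session` delegator exposing an `id` writer and on the session store honouring a caller-supplied id; neither is visible in this commit, so a comment such as `# Requires a session object with an id writer; binds the store-side id to the id kept in the session so session? can detect a swapped cookie` would save the next reader a trip into Rack. The uuid returned through `tap` is not used by the only caller visible here (initialize), which is worth knowing before anyone relies on the return value. The hunk also touches normalize_format, whose body continues outside it.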
@@ -41,7 +41,8 @@ module Tzispa
41
41
  # currently, this would be the static file-handler
42
42
  headers["Content-Length"] = body.inject(0) { |l, p| l + p.bytesize }.to_s
43
43
  end
44
- headers['X-Powered-By'] = "#{Tzispa::FRAMEWORK_NAME}"
44
+ headers['X-Frame-Options'] = 'SAMEORIGIN'
45
+ headers['X-Powered-By'] = "#{Tzispa::FRAMEWORK_NAME} #{Tzispa::VERSION}"
45
46
  [status.to_i, headers, result]
46
47
  end
47
48
 
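Review bot: `headers['X-Powered-By'] = "#{Tzispa::FRAMEWORK_NAME} #{Tzispa::VERSION}"` now advertises the exact framework version on every response, which makes fingerprinting against known-vulnerable releases trivial and partly undoes the hardening this same hunk adds; drop the version (`headers['X-Powered-By'] = Tzispa::FRAMEWORK_NAME`) or make the header configurable. The `X-Frame-Options` assignment also unconditionally overwrites any value a handler set earlier (for example `DENY` on a sensitive page), so `headers['X-Frame-Options'] ||= 'SAMEORIGIN'` would apply the default without clobbering a stricter choice. The enclosing method starts outside the hunk.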
@@ -20,7 +20,7 @@ module Tzispa
20
20
  load!
21
21
  end
22
22
 
23
- def << (value)
23
+ def <<(value)
24
24
  if not value.nil?
25
25
  @bag << value
26
26
  store
@@ -1,7 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module Tzispa
4
- VERSION = '0.6.0'
4
+ VERSION = '0.6.1'
5
5
  FRAMEWORK_NAME = 'Tzispa'
6
6
  GEM_NAME = 'tzispa'
7
7
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: tzispa
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.6.0
4
+ version: 0.6.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Juan Antonio Piñero
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-02-13 00:00:00.000000000 Z
11
+ date: 2017-02-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rack