utopia 2.30.2 → 2.31.0

data/lib/utopia/session/middleware.rb

@@ -0,0 +1,218 @@
+# frozen_string_literal: true
+
+# Released under the MIT License.
+# Copyright, 2014-2025, by Samuel Williams.
+# Copyright, 2019, by Huba Nagy.
+
+require "openssl"
+require "digest/sha2"
+require "console"
+require "json"
+
+require_relative "lazy_hash"
+require_relative "serialization"
+
+module Utopia
+	module Session
+		# A middleware which provides a secure client-side session storage using a private symmetric encrpytion key.
+		class Middleware
+			class PayloadError < StandardError
+			end
+			
+			MAXIMUM_SIZE = 1024*32
+			
+			SECRET_KEY = "UTOPIA_SESSION_SECRET".freeze
+			
+			RACK_SESSION = "rack.session".freeze
+			CIPHER_ALGORITHM = "aes-256-cbc"
+			
+			# The session will expire if no requests were made within 24 hours:
+			DEFAULT_EXPIRES_AFTER = 3600*24
+			
+			# At least, the session will be updated every 1 hour:
+			DEFAULT_UPDATE_TIMEOUT = 3600
+			
+			# @param session_name [String] The name of the session cookie.
+			# @param secret [Array] The secret text used to generate a symetric encryption key for the coookie data.
+			# @param same_site [Symbol, String] Controls how the cookie is provided to the site.
+			# @param expires_after [String] The cache-control header to set for static content.
+			# @param options [Hash<Symbol,Object>] Additional defaults used for generating the cookie by `Rack::Utils.set_cookie_header!`.
+			def initialize(app, session_name: RACK_SESSION, secret: nil, expires_after: DEFAULT_EXPIRES_AFTER, update_timeout: DEFAULT_UPDATE_TIMEOUT, secure: false, same_site: :lax, maximum_size: MAXIMUM_SIZE, **options)
+				@app = app
+				
+				@session_name = session_name
+				@cookie_name = @session_name + ".encrypted"
+				
+				if secret.nil? or secret.empty?
+					raise ArgumentError, "invalid session secret: #{secret.inspect}"
+				end
+				
+				# This generates a 32-byte key suitable for aes.
+				@key = Digest::SHA2.digest(secret)
+				
+				@expires_after = expires_after
+				@update_timeout = update_timeout
+				
+				@cookie_defaults = {
+					domain: nil,
+					path: "/",
+					
+					# The SameSite attribute controls when the cookie is sent to the server, from 3rd parties (None), from requests with external referrers (Lax) or from within the site itself (Strict).
+					same_site: same_site,
+					
+					# The Secure attribute is meant to keep cookie communication limited to encrypted transmission, directing browsers to use cookies only via secure/encrypted connections. However, if a web server sets a cookie with a secure attribute from a non-secure connection, the cookie can still be intercepted when it is sent to the user by man-in-the-middle attacks. Therefore, for maximum security, cookies with the Secure attribute should only be set over a secure connection.
+					secure: secure,
+					
+					# The HttpOnly attribute directs browsers not to expose cookies through channels other than HTTP (and HTTPS) requests. This means that the cookie cannot be accessed via client-side scripting languages (notably JavaScript), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique).
+					http_only: true,
+				}.merge(options)
+				
+				@serialization = Serialization.new
+				@maximum_size = maximum_size
+			end
+			
+			attr :cookie_name
+			attr :key
+			
+			attr :expires_after
+			attr :update_timeout
+			
+			attr :cookie_defaults
+			
+			def freeze
+				return self if frozen?
+				
+				@cookie_name.freeze
+				@key.freeze
+				@expires_after.freeze
+				@update_timeout.freeze
+				@cookie_defaults.freeze
+				
+				super
+			end
+			
+			def call(env)
+				session_hash = prepare_session(env)
+				
+				status, headers, body = @app.call(env)
+				
+				update_session(env, session_hash, headers)
+				
+				return [status, headers, body]
+			end
+			
+			protected
+			
+			def prepare_session(env)
+				env[RACK_SESSION] = LazyHash.new do
+					self.load_session_values(env)
+				end
+			end
+			
+			def update_session(env, session_hash, headers)
+				if session_hash.needs_update?(@update_timeout)
+					values = session_hash.values
+					
+					values[:updated_at] = Time.now.utc
+					
+					data = encrypt(session_hash.values)
+					
+					commit(data, values[:updated_at], headers)
+				end
+			end
+			
+			# Constructs a valid session for the given request. These fields must match as per the checks performed in `valid_session?`:
+			def build_initial_session(request)
+				{
+					user_agent: request.user_agent,
+					created_at: Time.now.utc,
+					updated_at: Time.now.utc,
+				}
+			end
+			
+			# Load session from user supplied cookie. If the data is invalid or otherwise fails validation, `build_iniital_session` is invoked.
+			# @return hash of values.
+			def load_session_values(env)
+				request = Rack::Request.new(env)
+				
+				# Decrypt the data from the user if possible:
+				if data = request.cookies[@cookie_name]
+					begin
+						if values = decrypt(data)
+							validate_session!(request, values)
+							
+							return values
+						end
+					rescue => error
+						Console.error(self, error)
+					end
+				end
+				
+				# If we couldn't create a session
+				return build_initial_session(request)
+			end
+			
+			def validate_session!(request, values)
+				if values[:user_agent] != request.user_agent
+					raise PayloadError, "Invalid session because supplied user agent #{request.user_agent.inspect} does not match session user agent #{values[:user_agent].inspect}!"
+				end
+				
+				if expires_at = expires(values[:updated_at])
+					if expires_at < Time.now.utc
+						raise PayloadError, "Expired session cookie, user agent submitted a cookie that should have expired at #{expires_at}."
+					end
+				end
+				
+				return true
+			end
+			
+			def expires(updated_at=Time.now.utc)
+				if @expires_after
+					return updated_at + @expires_after
+				end
+			end
+			
+			def commit(value, updated_at, headers)
+				cookie = {
+					value: value,
+					expires: expires(updated_at)
+				}.merge(@cookie_defaults)
+				
+				Rack::Utils.set_cookie_header!(headers, @cookie_name, cookie)
+			end
+			
+			def encrypt(hash)
+				c = OpenSSL::Cipher.new(CIPHER_ALGORITHM)
+				c.encrypt
+				
+				# your pass is what is used to encrypt/decrypt
+				c.key = @key
+				c.iv = iv = c.random_iv
+				
+				e = c.update(@serialization.dump(hash))
+				e << c.final
+				
+				return [iv, e].pack("m16m*")
+			end
+			
+			def decrypt(data)
+				if @maximum_size and data.bytesize > @maximum_size
+					raise PayloadError, "Session payload size #{data.bytesize}bytes exceeds maximum allowed size #{@maximum_size}bytes!"
+				end
+				
+				iv, e = data.unpack("m16m*")
+				
+				c = OpenSSL::Cipher.new(CIPHER_ALGORITHM)
+				c.decrypt
+				
+				c.key = @key
+				c.iv = iv
+				
+				d = c.update(e)
+				d << c.final
+				
+				return @serialization.load(d)
+			end
+		end
+	end
+end

data/lib/utopia/session/serialization.rb

@@ -9,7 +9,7 @@ require "time"
 require "date"
 
 module Utopia
-	class Session
+	module Session
 		class Serialization
 			def initialize
 				@factory = MessagePack::Factory.new

data/lib/utopia/session.rb

@@ -4,213 +4,12 @@
 # Copyright, 2014-2025, by Samuel Williams.
 # Copyright, 2019, by Huba Nagy.
 
-require "openssl"
-require "digest/sha2"
-require "console"
-require "json"
-
-require_relative "session/lazy_hash"
-require_relative "session/serialization"
+require_relative "session/middleware"
 
 module Utopia
-	# A middleware which provides a secure client-side session storage using a private symmetric encrpytion key.
-	class Session
-		class PayloadError < StandardError
-		end
-		
-		MAXIMUM_SIZE = 1024*32
-		
-		SECRET_KEY = "UTOPIA_SESSION_SECRET".freeze
-		
-		RACK_SESSION = "rack.session".freeze
-		CIPHER_ALGORITHM = "aes-256-cbc"
-		
-		# The session will expire if no requests were made within 24 hours:
-		DEFAULT_EXPIRES_AFTER = 3600*24
-		
-		# At least, the session will be updated every 1 hour:
-		DEFAULT_UPDATE_TIMEOUT = 3600
-		
-		# @param session_name [String] The name of the session cookie.
-		# @param secret [Array] The secret text used to generate a symetric encryption key for the coookie data.
-		# @param same_site [Symbol, String] Controls how the cookie is provided to the site.
-		# @param expires_after [String] The cache-control header to set for static content.
-		# @param options [Hash<Symbol,Object>] Additional defaults used for generating the cookie by `Rack::Utils.set_cookie_header!`.
-		def initialize(app, session_name: RACK_SESSION, secret: nil, expires_after: DEFAULT_EXPIRES_AFTER, update_timeout: DEFAULT_UPDATE_TIMEOUT, secure: false, same_site: :lax, maximum_size: MAXIMUM_SIZE, **options)
-			@app = app
-			
-			@session_name = session_name
-			@cookie_name = @session_name + ".encrypted"
-			
-			if secret.nil? or secret.empty?
-				raise ArgumentError, "invalid session secret: #{secret.inspect}"
-			end
-			
-			# This generates a 32-byte key suitable for aes.
-			@key = Digest::SHA2.digest(secret)
-			
-			@expires_after = expires_after
-			@update_timeout = update_timeout
-			
-			@cookie_defaults = {
-				domain: nil,
-				path: "/",
-				
-				# The SameSite attribute controls when the cookie is sent to the server, from 3rd parties (None), from requests with external referrers (Lax) or from within the site itself (Strict).
-				same_site: same_site,
-				
-				# The Secure attribute is meant to keep cookie communication limited to encrypted transmission, directing browsers to use cookies only via secure/encrypted connections. However, if a web server sets a cookie with a secure attribute from a non-secure connection, the cookie can still be intercepted when it is sent to the user by man-in-the-middle attacks. Therefore, for maximum security, cookies with the Secure attribute should only be set over a secure connection.
-				secure: secure,
-				
-				# The HttpOnly attribute directs browsers not to expose cookies through channels other than HTTP (and HTTPS) requests. This means that the cookie cannot be accessed via client-side scripting languages (notably JavaScript), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique).
-				http_only: true,
-			}.merge(options)
-			
-			@serialization = Serialization.new
-			@maximum_size = maximum_size
-		end
-		
-		attr :cookie_name
-		attr :key
-		
-		attr :expires_after
-		attr :update_timeout
-		
-		attr :cookie_defaults
-		
-		def freeze
-			return self if frozen?
-			
-			@cookie_name.freeze
-			@key.freeze
-			@expires_after.freeze
-			@update_timeout.freeze
-			@cookie_defaults.freeze
-			
-			super
-		end
-
-		def call(env)
-			session_hash = prepare_session(env)
-
-			status, headers, body = @app.call(env)
-
-			update_session(env, session_hash, headers)
-
-			return [status, headers, body]
-		end
-		
-		protected
-		
-		def prepare_session(env)
-			env[RACK_SESSION] = LazyHash.new do
-				self.load_session_values(env)
-			end
-		end
-		
-		def update_session(env, session_hash, headers)
-			if session_hash.needs_update?(@update_timeout)
-				values = session_hash.values
-				
-				values[:updated_at] = Time.now.utc
-				
-				data = encrypt(session_hash.values)
-				
-				commit(data, values[:updated_at], headers)
-			end
-		end
-		
-		# Constructs a valid session for the given request. These fields must match as per the checks performed in `valid_session?`:
-		def build_initial_session(request)
-			{
-				user_agent: request.user_agent,
-				created_at: Time.now.utc,
-				updated_at: Time.now.utc,
-			}
-		end
-		
-		# Load session from user supplied cookie. If the data is invalid or otherwise fails validation, `build_iniital_session` is invoked.
-		# @return hash of values.
-		def load_session_values(env)
-			request = Rack::Request.new(env)
-			
-			# Decrypt the data from the user if possible:
-			if data = request.cookies[@cookie_name]
-				begin
-					if values = decrypt(data)
-						validate_session!(request, values)
-						
-						return values
-					end
-				rescue => error
-					Console.error(self, error)
-				end
-			end
-			
-			# If we couldn't create a session
-			return build_initial_session(request)
-		end
-		
-		def validate_session!(request, values)
-			if values[:user_agent] != request.user_agent
-				raise PayloadError, "Invalid session because supplied user agent #{request.user_agent.inspect} does not match session user agent #{values[:user_agent].inspect}!"
-			end
-
-			if expires_at = expires(values[:updated_at])
-				if expires_at < Time.now.utc
-					raise PayloadError, "Expired session cookie, user agent submitted a cookie that should have expired at #{expires_at}."
-				end
-			end
-			
-			return true
-		end
-		
-		def expires(updated_at=Time.now.utc)
-			if @expires_after
-				return updated_at + @expires_after
-			end
-		end
-		
-		def commit(value, updated_at, headers)
-			cookie = {
-				value: value,
-				expires: expires(updated_at)
-			}.merge(@cookie_defaults)
-			
-			Rack::Utils.set_cookie_header!(headers, @cookie_name, cookie)
-		end
-		
-		def encrypt(hash)
-			c = OpenSSL::Cipher.new(CIPHER_ALGORITHM)
-			c.encrypt
-			
-			# your pass is what is used to encrypt/decrypt
-			c.key = @key
-			c.iv = iv = c.random_iv
-			
-			e = c.update(@serialization.dump(hash))
-			e << c.final
-			
-			return [iv, e].pack("m16m*")
-		end
-		
-		def decrypt(data)
-			if @maximum_size and data.bytesize > @maximum_size
-				raise PayloadError, "Session payload size #{data.bytesize}bytes exceeds maximum allowed size #{@maximum_size}bytes!"
-			end
-			
-			iv, e = data.unpack("m16m*")
-			
-			c = OpenSSL::Cipher.new(CIPHER_ALGORITHM)
-			c.decrypt
-			
-			c.key = @key
-			c.iv = iv
-			
-			d = c.update(e)
-			d << c.final
-			
-			return @serialization.load(d)
+	module Session
+		def self.new(...)
+			Middleware.new(...)
 		end
 	end
 end

data/lib/utopia/static/local_file.rb

@@ -8,83 +8,83 @@ require "digest/sha1"
 
 module Utopia
 	# A middleware which serves static files from the specified root directory.
-	class Static
+	module Static
 		# Represents a local file on disk which can be served directly, or passed upstream to sendfile.
 		class LocalFile
 			def initialize(root, path)
 				@root = root
 				@path = path
 				@etag = Digest::SHA1.hexdigest("#{File.size(full_path)}#{mtime_date}")
-
+				
 				@range = nil
 			end
-
+			
 			attr :root
 			attr :path
 			attr :etag
 			attr :range
-
+			
 			# Fit in with Rack::Sendfile
 			def to_path
 				full_path
 			end
-
+			
 			def full_path
 				File.join(@root, @path.components)
 			end
-
+			
 			def mtime_date
 				File.mtime(full_path).httpdate
 			end
-
+			
 			def bytesize
 				File.size(full_path)
 			end
-
+			
 			# This reflects whether calling each would yield anything.
 			def empty?
 				bytesize == 0
 			end
-
+			
 			alias size bytesize
-
+			
 			def each
 				File.open(full_path, "rb") do |file|
 					file.seek(@range.begin)
 					remaining = @range.end - @range.begin+1
-
+					
 					while remaining > 0
 						break unless part = file.read([8192, remaining].min)
-
+						
 						remaining -= part.length
-
+						
 						yield part
 					end
 				end
 			end
-
+			
 			def modified?(env)
 				if modified_since = env["HTTP_IF_MODIFIED_SINCE"]
 					return false if File.mtime(full_path) <= Time.parse(modified_since)
 				end
-
+				
 				if etags = env["HTTP_IF_NONE_MATCH"]
 					etags = etags.split(/\s*,\s*/)
 					return false if etags.include?(etag) || etags.include?("*")
 				end
-
+				
 				return true
 			end
-
+			
 			CONTENT_LENGTH = Rack::CONTENT_LENGTH
 			CONTENT_RANGE = "Content-Range".freeze
 			
 			def serve(env, response_headers)
 				ranges = Rack::Utils.get_byte_ranges(env["HTTP_RANGE"], size)
 				response = [200, response_headers, self]
-
+				
 				# puts "Requesting ranges: #{ranges.inspect} (#{size})"
-
+				
 				if ranges == nil or ranges.size != 1
 					# No ranges, or multiple ranges (which we don't support).
 					# TODO: Support multiple byte-ranges, for now just send entire file:

data/lib/utopia/static/middleware.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+# Released under the MIT License.
+# Copyright, 2009-2025, by Samuel Williams.
+
+require_relative "../middleware"
+require_relative "../localization"
+
+require_relative "local_file"
+require_relative "mime_types"
+
+require "traces/provider"
+
+module Utopia
+	module Static
+		# A middleware which serves static files from the specified root directory.
+		class Middleware
+			DEFAULT_CACHE_CONTROL = "public, max-age=3600".freeze
+			
+			# @param root [String] The root directory to serve files from.
+			# @param types [Array] The mime-types (and file extensions) to recognize/serve.
+			# @param cache_control [String] The cache-control header to set for static content.
+			def initialize(app, root: Utopia::default_root, types: MIME_TYPES[:default], cache_control: DEFAULT_CACHE_CONTROL)
+				@app = app
+				@root = root
+				
+				@extensions = MimeTypeLoader.extensions_for(types)
+				
+				@cache_control = cache_control
+			end
+			
+			def freeze
+				return self if frozen?
+				
+				@root.freeze
+				@extensions.freeze
+				@cache_control.freeze
+				
+				super
+			end
+			
+			def fetch_file(path)
+				# We need file_path to be an absolute path for X-Sendfile to work correctly.
+				file_path = File.join(@root, path.components)
+				
+				if File.exist?(file_path)
+					return LocalFile.new(@root, path)
+				else
+					return nil
+				end
+			end
+			
+			attr :extensions
+			
+			LAST_MODIFIED = "Last-Modified".freeze
+			CONTENT_TYPE = HTTP::CONTENT_TYPE
+			CACHE_CONTROL = HTTP::CACHE_CONTROL
+			ETAG = "ETag".freeze
+			ACCEPT_RANGES = "Accept-Ranges".freeze
+			
+			def response_headers_for(file, content_type)
+				if @cache_control.respond_to?(:call)
+					cache_control = @cache_control.call(file)
+				else
+					cache_control = @cache_control
+				end
+				
+				{
+					LAST_MODIFIED => file.mtime_date,
+					CONTENT_TYPE => content_type,
+					CACHE_CONTROL => cache_control,
+					ETAG => file.etag,
+					ACCEPT_RANGES => "bytes"
+				}
+			end
+			
+			def respond(env, path_info, extension)
+				path = Path[path_info].simplify
+				
+				if locale = env[Localization::CURRENT_LOCALE_KEY]
+					path.last.insert(path.last.rindex(".") || -1, ".#{locale}")
+				end
+				
+				if file = fetch_file(path)
+					response_headers = self.response_headers_for(file, @extensions[extension])
+					
+					if file.modified?(env)
+						return file.serve(env, response_headers)
+					else
+						return [304, response_headers, []]
+					end
+				end
+			end
+			
+			def call(env)
+				path_info = env[Rack::PATH_INFO]
+				extension = File.extname(path_info)
+				
+				if @extensions.key?(extension.downcase)
+					if response = self.respond(env, path_info, extension)
+						return response
+					end
+				end
+				
+				# else if no file was found:
+				return @app.call(env)
+			end
+		end
+		
+		Traces::Provider(Static) do
+			def respond(env, path_info, extension)
+				attributes = {
+					path_info: path_info,
+				}
+				
+				Traces.trace("utopia.static.respond", attributes: attributes) {super}
+			end
+		end
+	end
+end

data/lib/utopia/static/mime_types.rb

@@ -7,7 +7,7 @@ require "mime/types"
 
 module Utopia
 	# A middleware which serves static files from the specified root directory.
-	class Static
+	module Static
 		# Default mime-types which are common for files served over HTTP:
 		MIME_TYPES = {
 			:xiph => {