utopia 1.8.1 → 1.8.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 75627410dd935b6194426983f63b4f20c8510166
-  data.tar.gz: 0d1870b25983cbad435ceb10ab4cf0d0de02435b
+  metadata.gz: 2ca9a6f28fcec98323ae67b683f903e44fb68eea
+  data.tar.gz: 1b86bb5bb7a36448df329b2aeda819feb2c66fa2
 SHA512:
-  metadata.gz: 1dd33618145c3e88849b2761e9b8f33c17a78d7ea05d9a431124e16f57764cdcde9b13cb3d64a926f6f97e36393042f1c53f53d6f0e522dab3bad2b357bf478c
-  data.tar.gz: 8f02447b3531c5bef12f79e1fae54d70a909cf8dfc6111dd05f25160439e1209708dd83d549d352f246b314897c61f26b6ff7add885f27da068e3414245f4297
+  metadata.gz: 7279e0472f9c4e1760368ee5c138f1338e2426dd2c194e5014a318b5faf2e0227c04bd09f556c32bc3abeca899270bbbd92208c7aaf454cac2100d4116a2b4c8
+  data.tar.gz: 5be21037ad98e014ece09d98ceef3812256aaa9239eb7ea770f68df6aa636f245fe9a5168ef545944e0206954a11ed0d7388c0083f3ff7237e35f62a4cbb80d9

data/.travis.yml

@@ -8,9 +8,9 @@ rvm:
   - 2.2.4
   - 2.3.0
   - ruby-head
-  - rbx
+  - rbx-3.65
 env: COVERAGE=true BENCHMARK=true
 matrix:
   allow_failures:
-    - rvm: rbx
+    - rvm: rbx-3.65
     - rvm: ruby-head

data/lib/utopia/session/lazy_hash.rb

@@ -65,6 +65,23 @@ module Utopia
 			def load!
 				@values ||= @loader.call
 			end
+			
+			def loaded?
+				!@values.nil?
+			end
+			
+			def needs_update?(timeout = nil)
+				# If data has changed, we need update:
+				return true if @changed
+				
+				# We want to be careful here and not call load! which isn't cheap operation.
+				if timeout and @values and updated_at = @values[:updated_at]
+					# If the last update was too long ago, we need update:
+					return true if updated_at < (Time.now - timeout)
+				end
+				
+				return false
+			end
 		end
 	end
 end

data/lib/utopia/session.rb

@@ -28,30 +28,59 @@ module Utopia
 	class Session
 		RACK_SESSION = "rack.session".freeze
 		CIPHER_ALGORITHM = "aes-256-cbc"
-		KEY_LENGTH = 32
 		
-		def initialize(app, secret:, **options)
+		# The session will expire if no requests were made within 24 hours:
+		DEFAULT_EXPIRES_AFTER = 3600*24
+		
+		# At least, the session will be updated every 1 hour:
+		DEFAULT_UPDATE_TIMEOUT = 3600
+		
+		def initialize(app, session_name: nil, secret:, expires_after: nil, update_timeout: nil, **options)
 			@app = app
-			@cookie_name = options.delete(:cookie_name) || (RACK_SESSION + ".encrypted")
 			
-			salt = OpenSSL::Random.random_bytes(16)
-			@key = OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret, salt, 1, KEY_LENGTH)
+			@session_name = session_name || RACK_SESSION
+			@cookie_name = @session_name + ".encrypted"
+			
+			# This generates a 32-byte key suitable for aes.
+			@key = Digest::SHA2.digest(secret)
 			
-			@options = {
-				:domain => nil,
-				:path => "/",
-				:expires_after => nil
+			@expires_after = expires_after || DEFAULT_EXPIRES_AFTER
+			@update_timeout = update_timeout || DEFAULT_UPDATE_TIMEOUT
+			
+			@cookie_defaults = {
+				domain: nil,
+				path: "/",
+				# The Secure attribute is meant to keep cookie communication limited to encrypted transmission, directing browsers to use cookies only via secure/encrypted connections. However, if a web server sets a cookie with a secure attribute from a non-secure connection, the cookie can still be intercepted when it is sent to the user by man-in-the-middle attacks. Therefore, for maximum security, cookies with the Secure attribute should only be set over a secure connection.
+				secure: false,
+				# The HttpOnly attribute directs browsers not to expose cookies through channels other than HTTP (and HTTPS) requests. This means that the cookie cannot be accessed via client-side scripting languages (notably JavaScript), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique).
+				http_only: true,
 			}.merge(options)
 		end
+		
+		attr :cookie_name
+		attr :key
+		
+		attr :expires_after
+		attr :update_timeout
+		
+		attr :cookie_defaults
+		
+		def freeze
+			@cookie_name.freeze
+			@key.freeze
+			@expires_after.freeze
+			@update_timeout.freeze
+			@cookie_defaults.freeze
+			
+			super
+		end
 
 		def call(env)
 			session_hash = prepare_session(env)
 
 			status, headers, body = @app.call(env)
 
-			if session_hash.changed?
-				commit(session_hash.values, headers)
-			end
+			update_session(env, session_hash, headers)
 
 			return [status, headers, body]
 		end
@@ -64,11 +93,25 @@ module Utopia
 			end
 		end
 		
+		def update_session(env, session_hash, headers)
+			if session_hash.needs_update?(@update_timeout)
+				values = session_hash.values
+				
+				values[:updated_at] = Time.now
+				
+				data = encrypt(session_hash.values)
+				
+				commit(data, headers)
+			end
+		end
+		
 		# Constructs a valid session for the given request. These fields must match as per the checks performed in `valid_session?`:
 		def build_initial_session(request)
 			{
 				request_ip: request.ip,
 				request_user_agent: request.user_agent,
+				created_at: Time.now,
+				updated_at: Time.now,
 			}
 		end
 		
@@ -100,14 +143,19 @@ module Utopia
 			return true
 		end
 		
-		def commit(values, headers)
-			data = encrypt(values)
-			
-			cookie = {:value => data}
-			
-			cookie[:expires] = Time.now + @options[:expires_after] unless @options[:expires_after].nil?
+		def expires
+			if @expires_after
+				return Time.now + @expires_after
+			end
+		end
+		
+		def commit(value, headers)
+			cookie = {
+				value: value,
+				expires: expires
+			}.merge(@cookie_defaults)
 			
-			Rack::Utils.set_cookie_header!(headers, @cookie_name, cookie.merge(@options))
+			Rack::Utils.set_cookie_header!(headers, @cookie_name, cookie)
 		end
 		
 		def encrypt(hash)

data/lib/utopia/version.rb

@@ -19,5 +19,5 @@
 # THE SOFTWARE.
 
 module Utopia
-	VERSION = "1.8.1"
+	VERSION = "1.8.2"
 end

data/spec/utopia/session_spec.rb

@@ -46,8 +46,36 @@ module Utopia::SessionSpec
 			expect(last_response.header).to be_include 'Set-Cookie'
 			
 			get "/session-get?key=foo"
+			expect(last_request.cookies).to include('rack.session.encrypted')
 			expect(last_response.body).to be == "bar"
 		end
+		
+		it "should ignore session if cookie value is invalid" do
+			set_cookie 'rack.session.encrypted=junk'
+			
+			get "/session-get?key=foo"
+			
+			expect(last_response.body).to be == ""
+		end
+		
+		it "shouldn't update the session if there are no changes" do
+			get "/session-set?key=foo&value=bar"
+			expect(last_response.header).to be_include 'Set-Cookie'
+			
+			get "/session-set?key=foo&value=bar"
+			expect(last_response.header).to_not be_include 'Set-Cookie'
+		end
+		
+		it "should update the session if time has passed" do
+			get "/session-set?key=foo&value=bar"
+			expect(last_response.header).to be_include 'Set-Cookie'
+			
+			# Sleep more than update_timeout
+			sleep 2
+			
+			get "/session-set?key=foo&value=bar"
+			expect(last_response.header).to be_include 'Set-Cookie'
+		end
 	end
 	
 	describe Utopia::Session do
@@ -85,7 +113,7 @@ module Utopia::SessionSpec
 	end
 	
 	describe Utopia::Session::LazyHash do
-		it "should load hash when required" do
+		it "should load hash only when required" do
 			loaded = false
 			
 			hash = Utopia::Session::LazyHash.new do
@@ -100,14 +128,51 @@ module Utopia::SessionSpec
 			expect(loaded).to be true
 		end
 		
+		it "should need to be reloaded if changed" do
+			hash = Utopia::Session::LazyHash.new do
+				{a: 10}
+			end
+			
+			expect(hash.needs_update?).to be false
+			
+			hash[:a] = 10
+			
+			expect(hash.needs_update?).to be false
+			
+			hash[:a] = 20
+			
+			expect(hash.needs_update?).to be true
+		end
+		
+		it "should need to be reloaded if old" do
+			hash = Utopia::Session::LazyHash.new do
+				{updated_at: Time.now - 3700}
+			end
+			
+			expect(hash.needs_update?(3600)).to be false
+			
+			expect(hash).to include(:updated_at)
+			
+			# If the timeout is 2 hours, it shouldn't require any update:
+			expect(hash.needs_update?(3600*2)).to be false
+			
+			# However if the timeout is 1 hour ago, it WILL require an update:
+			expect(hash.needs_update?(3600)).to be true
+		end
+		
 		it "should delete the specified item" do
 			hash = Utopia::Session::LazyHash.new do
 				{a: 10, b: 20}
 			end
 			
-			expect(hash.include?(:a)).to be true
+			expect(hash).to include(:a, :b)
+			
 			expect(hash.delete(:a)).to be 10
-			expect(hash.include?(:a)).to be false
+			
+			expect(hash).to include(:b)
+			expect(hash).to_not include(:a)
+			
+			expect(hash.needs_update?).to be true
 		end
 	end
 end

data/spec/utopia/session_spec.ru

@@ -1,5 +1,8 @@
 
-use Utopia::Session, secret: "97111cabf4c1a5e85b8029cf7c61aa44424fc24a"
+use Utopia::Session,
+	secret: "97111cabf4c1a5e85b8029cf7c61aa44424fc24a",
+	expires_after: 3600 * 48,
+	update_timeout: 1
 
 run lambda { |env|
 	request = Rack::Request.new(env)
@@ -9,11 +12,11 @@ run lambda { |env|
 		
 		[200, {}, []]
 	elsif env[Rack::PATH_INFO] =~ /session-set/
-		env['rack.session'][request.params['key']] = request.params['value']
+		env['rack.session'][request.params['key'].to_sym] = request.params['value']
 		
 		[200, {}, []]
 	elsif env[Rack::PATH_INFO] =~ /session-get/
-		[200, {}, [env['rack.session'][request.params['key']]]]
+		[200, {}, [env['rack.session'][request.params['key'].to_sym]]]
 	else
 		[404, {}, []]
 	end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: utopia
 version: !ruby/object:Gem::Version
-  version: 1.8.1
+  version: 1.8.2
 platform: ruby
 authors:
 - Samuel Williams
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-10-31 00:00:00.000000000 Z
+date: 2016-11-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: trenni