vodka 0.0.1 → 0.1.0

data/README.md

@@ -3,14 +3,16 @@ Vodka makes communication easier. Always.
 
 Vodka uses [Her](https://github.com/remiprev/her) as a REST client.
 
-It currently supports ORM's on server:
+It currently supports these ORMs on server:
 - [ActiveRecord](https://github.com/rails/rails/tree/master/activerecord)
 - [MongoMapper](https://github.com/jnunemaker/mongomapper)
 
-Plugins:
+And the following plugins:
 - [WillPaginate](https://github.com/mislav/will_paginate)
 
-It is strongly recommended *NOT* to use this gem in production (yet).
+Vodka supports I18n. If you change locale on client you may expect getting response from server in this locale.
+
+Vodka signs all requests and responses so you can relax and hope nothing goes wrong. Or your sensitive data will be stolen by some Russian gangsters. Or there will be some man-in-the-middle that will attack you. Anyway, as long as you're not using SSL for all your requests you're screwed.
 
 ## Installation
 Add this gem to both server and client application Gemfiles:
@@ -27,7 +29,8 @@ Add initializer `vodka_setup.rb` to `config/initializers`:
 
 ```ruby
 Vodka::Server.configure do |c|
-  c.secret = 'whatever'
+  c.request_secret = '8089c2189321798bf60df6b8c01bb661fb585080'
+  c.response_secret = '3ecb42ac23cd58994a6518971e7e31d2f4545e3c'
 end
 ```
 
@@ -53,7 +56,7 @@ class ArticlesController < VodkaController
 end
 
 # comments_controller.rb
-class CommentsController < Vodka::Server::VodkaController
+class CommentsController < VodkaController
   def approve
     vodka_response.success = resource.approve
     respond_with_resource
@@ -98,9 +101,20 @@ Add initializer `vodka_setup.rb` to `config/initializers`:
 ```ruby
 Vodka::Client.configure do |c|
   c.api_url = 'https://api.myproject.org/vodka'
-  c.secret = 'whatever' # Same as server's
+  c.request_secret = '8089c2189321798bf60df6b8c01bb661fb585080'  # Same as server's
+  c.response_secret = '3ecb42ac23cd58994a6518971e7e31d2f4545e3c' # Same as server's
 end
 Vodka::Client.configure_her!
+
+# Instead of calling Vodka::Client.configure_her! you may configure her yourself
+# Her::API.setup(url: Vodka::Client.config.api_url) do |c|
+#   c.use Vodka::Client::Middleware::ErrorAware
+#   c.use Vodka::Client::Middleware::SignedRequest
+#   c.use Faraday::Request::UrlEncoded
+#   c.use Vodka::Client::Middleware::SignedResponse
+#   c.use Her::Middleware::SecondLevelParseJSON
+#   c.use Faraday::Adapter::NetHttp
+# end
 ```
 
 ## Usage
@@ -108,12 +122,17 @@ After all the configuration is done, you can use your Her-applied models with al
 
 Vodka adds some convinient methods to client and supports them on server:
 - `.create!` (throws exception on error)
-- `.paginate` (same as `.all`, for WillPaginate compatibility)
+- `.paginate` (returns WillPaginate-compatible collection)
 - `.where` (supports chaining the way you expect)
+- `.first`
+- `.last`
 - `#update_attribute`
 - `#update_attribute!` (throws exception on error)
 - `#update_attributes`
 - `#update_attributes!` (throws exception on error)
 - `#destroy!` (throws exception on error)
-- `#delete` (acts as `#destroy`)
-- `#delete!` (acts as `#destroy!`)
+- `#delete` (acts like `#destroy`)
+- `#delete!` (acts like `#destroy!`)
+
+## Is it secure? Should I use it in production?
+Hell no. At least not yet.

data/lib/party.rb

@@ -4,6 +4,7 @@ require './spec/client/article'
 
 Vodka::Client.configure do |c|
   c.api_url = 'http://0.0.0.0:3000/vodka'
-  c.secret = 'whatever'
+  c.request_secret = '8089c2189321798bf60df6b8c01bb661fb585080'
+  c.response_secret = '3ecb42ac23cd58994a6518971e7e31d2f4545e3c'
 end
 Vodka::Client.configure_her!

data/lib/vodka/client/exceptions/security_exception.rb

@@ -0,0 +1,6 @@
+module Vodka
+  module Client
+    class SecurityException < ::Exception
+    end
+  end
+end

data/lib/vodka/client/middleware/signed_request.rb

@@ -23,10 +23,7 @@ module Vodka
         end
 
         def request_signature
-          Digest::SHA512.hexdigest([
-            env[:url].scheme, env[:url].host, env[:url].port, env[:url].path,
-            request_id, Vodka::Client.config.secret
-          ].join)
+          Digest::SHA512.hexdigest([request_id, Vodka::Client.config.request_secret].join)
         end
       end
     end

data/lib/vodka/client/middleware/signed_response.rb

@@ -0,0 +1,39 @@
+module Vodka
+  module Client
+    module Middleware
+      class SignedResponse < Faraday::Response::Middleware
+        attr_reader :env
+
+        def on_complete(env)
+          @env = env
+          raise SecurityException.new('Response ID mismatch') unless ids_match?
+          raise SecurityException.new('Invalid response signature') unless signature_valid?
+        end
+
+        def ids_match?
+          request_id == response_id
+        end
+
+        def signature_valid?
+          response_signature == expected_response_signature
+        end
+
+        def request_id
+          env[:request_headers]['X-Request-Id']
+        end
+
+        def response_id
+          env[:response_headers]['x-response-id']
+        end
+
+        def response_signature
+          env[:response_headers]['x-response-signature']
+        end
+
+        def expected_response_signature
+          Digest::SHA512.hexdigest([request_id, Vodka::Client.config.response_secret].join)
+        end
+      end
+    end
+  end
+end

data/lib/vodka/client.rb

@@ -4,7 +4,9 @@ require 'vodka/client/exceptions/failed_action_exception'
 require 'vodka/client/exceptions/forbidden_exception'
 require 'vodka/client/exceptions/not_found_exception'
 require 'vodka/client/exceptions/resource_exception'
+require 'vodka/client/exceptions/security_exception'
 require 'vodka/client/middleware/signed_request'
+require 'vodka/client/middleware/signed_response'
 require 'vodka/client/middleware/error_aware'
 require 'vodka/her/extensions/extended_orm'
 require 'vodka/her/extensions/will_paginate'

data/lib/vodka/configuration.rb

@@ -1,6 +1,6 @@
 module Vodka
   class Configuration
-    attr_accessor :secret, :api_url
+    attr_accessor :request_secret, :response_secret, :api_url
   end
 
   module Configurable
@@ -17,6 +17,7 @@ module Vodka
         c.use Vodka::Client::Middleware::ErrorAware
         c.use Vodka::Client::Middleware::SignedRequest
         c.use Faraday::Request::UrlEncoded
+        c.use Vodka::Client::Middleware::SignedResponse
         c.use ::Her::Middleware::SecondLevelParseJSON
         c.use Faraday::Adapter::NetHttp
       end

data/lib/vodka/server/controllers/vodka_controller.rb

@@ -7,7 +7,7 @@ module Vodka
       include Handlers::Resource
       include Handlers::Response
 
-      before_filter :fix_params_names, :set_locale
+      before_filter :set_response_id, :fix_params_names, :set_locale
       before_filter :handle_not_found, only: [:show, :update, :destroy]
 
     private
@@ -25,6 +25,10 @@ module Vodka
       def handle_not_found
         not_found if resource.nil? && vodka_response.success == false
       end
+
+      def set_response_id
+        vodka_response.id = request.headers['X-Request-Id']
+      end
     end
   end
 end

data/lib/vodka/server/handlers/response.rb

@@ -20,6 +20,8 @@ module Vodka
         end
 
         def respond!
+          response.headers['X-Response-Id'] = vodka_response.id
+          response.headers['X-Response-Signature'] = vodka_response.signature
           return render text: vodka_response.json, status: vodka_response.code, content_type: 'application/json'
         end
 

data/lib/vodka/server/middleware/signed_request.rb

@@ -16,22 +16,39 @@ module Vodka
         end
 
         def request_signature_valid?
-          env['HTTP_X_REQUEST_SIGNATURE'] == request_signature
+          request_signature == expected_request_signature
+        end
+
+        def request_id
+          env['HTTP_X_REQUEST_ID']
         end
 
         def request_signature
-          Digest::SHA512.hexdigest([
-            request.scheme, request.host, request.port, request.path,
-            env['HTTP_X_REQUEST_ID'], Vodka::Server.config.secret
-          ].join)
+          env['HTTP_X_REQUEST_SIGNATURE']
+        end
+
+        def expected_request_signature
+          Digest::SHA512.hexdigest([request_id, Vodka::Server.config.request_secret].join)
+        end
+
+        def response_signature
+          Digest::SHA512.hexdigest([request_id, Vodka::Server.config.response_secret].join)
         end
 
         def forbidden
-          [
-            403,
-            { 'Content-Type' => 'application/json; charset=utf-8' },
-            ['{"data":null,"errors":{"vodka_error":"403 Forbidden"},"metadata":{}}']
-          ]
+          headers = {
+            'Content-Type'         => 'application/json; charset=utf-8',
+            'X-Response-Id'        => request_id,
+            'X-Response-Signature' => response_signature
+          }
+          data = {
+            data: nil,
+            errors: {
+              vodka_error: '403 Forbidden'
+            },
+            metadata: {}
+          }
+          [403, headers, [MultiJson.dump(data)]]
         end
       end
     end

data/lib/vodka/server/response.rb

@@ -1,7 +1,7 @@
 module Vodka
   module Server
     class Response
-      attr_accessor :code, :success, :data, :metadata, :errors
+      attr_accessor :id, :code, :success, :data, :metadata, :errors
 
       def initialize
         @code = 200
@@ -29,6 +29,10 @@ module Vodka
           errors: errors_to_return
         )
       end
+
+      def signature
+        Digest::SHA512.hexdigest([id, Vodka::Server.config.response_secret].join)
+      end
     end
   end
 end

data/lib/vodka/version.rb

@@ -1,3 +1,3 @@
 module Vodka
-  VERSION = '0.0.1'
+  VERSION = '0.1.0'
 end

data/spec/dummy/config/initializers/vodka_setup.rb

@@ -1,3 +1,4 @@
 Vodka::Server.configure do |c|
-  c.secret = 'whatever'
+  c.request_secret = '8089c2189321798bf60df6b8c01bb661fb585080'
+  c.response_secret = '3ecb42ac23cd58994a6518971e7e31d2f4545e3c'
 end

data/spec/middleware/error_aware_spec.rb

@@ -2,13 +2,14 @@ require 'spec_helper'
 
 describe Vodka::Client::Middleware::ErrorAware do
   it 'should throw exception for a forbidden response' do
-    Vodka::Client.config.secret = 'invalid'
+    @old_secret = Vodka::Client.config.request_secret.dup
+    Vodka::Client.config.request_secret = 'invalid'
 
     expect{
       Article.first
     }.to raise_exception(Vodka::Client::ForbiddenException, Vodka::Client::ForbiddenException::MESSAGE)
 
-    Vodka::Client.config.secret = 'whatever'
+    Vodka::Client.config.request_secret = @old_secret
   end
 
   it 'should throw exception for when response was not found' do

data/spec/middleware/signed_response_spec.rb

@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+describe Vodka::Client::Middleware::SignedResponse do
+  it 'raise exception if request id and response id dont match' do
+    Vodka::Client::Middleware::SignedResponse.any_instance.stub(:response_id).and_return('bullshit')
+
+    expect {
+      Article.first
+    }.to raise_exception(Vodka::Client::SecurityException, 'Response ID mismatch')
+  end
+
+  it 'raise exception if response signature is invalid' do
+    Vodka::Client::Middleware::SignedResponse.any_instance.stub(:response_signature).and_return('bullshit')
+
+    expect {
+      Article.first
+    }.to raise_exception(Vodka::Client::SecurityException, 'Invalid response signature')
+  end
+end

data/spec/spec_helper.rb

@@ -8,7 +8,8 @@ require 'client/article'
 
 Vodka::Client.configure do |c|
   c.api_url = 'http://0.0.0.0:3000/vodka'
-  c.secret = 'whatever'
+  c.request_secret = '8089c2189321798bf60df6b8c01bb661fb585080'
+  c.response_secret = '3ecb42ac23cd58994a6518971e7e31d2f4545e3c'
 end
 Vodka::Client.configure_her!
 

metadata

@@ -2,7 +2,7 @@
 name: vodka
 version: !ruby/object:Gem::Version
   prerelease: 
-  version: 0.0.1
+  version: 0.1.0
 platform: ruby
 authors:
 - Gregory Eremin
@@ -95,8 +95,10 @@ files:
 - lib/vodka/client/exceptions/forbidden_exception.rb
 - lib/vodka/client/exceptions/not_found_exception.rb
 - lib/vodka/client/exceptions/resource_exception.rb
+- lib/vodka/client/exceptions/security_exception.rb
 - lib/vodka/client/middleware/error_aware.rb
 - lib/vodka/client/middleware/signed_request.rb
+- lib/vodka/client/middleware/signed_response.rb
 - lib/vodka/configuration.rb
 - lib/vodka/her/extensions/extended_orm.rb
 - lib/vodka/her/extensions/will_paginate.rb
@@ -160,6 +162,7 @@ files:
 - spec/middleware/error_aware_spec.rb
 - spec/middleware/response_locale_spec.rb
 - spec/middleware/signed_request_spec.rb
+- spec/middleware/signed_response_spec.rb
 - spec/spec_helper.rb
 - vodka.gemspec
 homepage: https://github.com/magnolia-fan/vodka