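# frozen_string_literal: true

class Tynn
  # Adds simple cookie based session management. You can pass a secret
  # token to sign the cookie data, so unauthorized parties can't alter it.
  #
  #   require "tynn"
  #   require "tynn/session"
  #
  #   Tynn.plugin(Tynn::Session, secret: "__change_me_not_secure__")
  #
  #   Tynn.define do
  #     on "login" do
  #       on post do
  #         # ...
  #
  #         session[:user_id] = user.id
  #
  #         res.redirect("/admin")
  #       end
  #     end
  #   end
  #
  # The following command generates a cryptographically secure secret ready
  # to use:
  #
  #   $ ruby -r securerandom -e "puts SecureRandom.hex(64)"
  #
  # It's important to keep the token secret. Knowing the token allows an
  # attacker to tamper with the data. So, it's recommended to load the token
  # from the environment. Use ENV.fetch rather than ENV[]: it raises when the
  # variable is missing instead of silently handing a nil secret to the plugin.
  #
  #   Tynn.plugin(Tynn::Session, secret: ENV.fetch("SESSION_SECRET"))
  #
  # Note that the cookie is signed, not encrypted: the Base64-encoded JSON
  # payload is readable by the client, so do not store confidential data in
  # the session.
  #
  # Under the hood, Tynn::Session uses the Rack::Session::Cookie
  # middleware. Thus, it supports all the options available for this middleware:
  #
  # [key]
  #   The name of the cookie. Defaults to "rack.session".
  #
  # [httponly]
  #   If true, sets the HttpOnly flag. This mitigates the
  #   risk of client side scripting accessing the cookie. Defaults to true.
  #
  # [secure]
  #   If true, sets the Secure flag. This tells the browser
  #   to only transmit the cookie over HTTPS. Defaults to false.
  #
  # [same_site]
  #   Disables third-party usage for cookies. There are two possible values
  #   :Lax and :Strict. In Strict mode, the cookie
  #   is withheld from any cross-site usage; in Lax mode, some cross-site
  #   usage is allowed. Defaults to :Lax. If nil is passed,
  #   the flag is not included. Check this article[http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/]
  #   for more information.
  #
  # [expire_after]
  #   The lifespan of the cookie. If nil, the session cookie is temporary
  #   and is not retained after the browser is closed. Defaults to nil.
  #
  #
  #   Tynn.plugin(
  #     Tynn::Session,
  #     key: "app",
  #     secret: ENV.fetch("SESSION_SECRET"),
  #     expire_after: 36_000, # seconds
  #     httponly: true,
  #     secure: true,
  #     same_site: :Strict
  #   )
  #
  module Session
    # Secrets shorter than this many characters are rejected by +setup+.
    SECRET_MIN_LENGTH = 30 # :nodoc:

    # Plugin hook. Validates the +:secret+ option and mounts
    # Rack::Session::Cookie on +app+ with signing defaults merged
    # under the caller's +options+.
    #
    # app     - The application class receiving the plugin (responds to +use+).
    # options - Hash of Rack::Session::Cookie options; +:secret+ is required.
    #
    # Raises Tynn::Error when the secret is missing or shorter than
    # SECRET_MIN_LENGTH.
    def self.setup(app, options = {}) # :nodoc:
      secret = options[:secret]

      if secret.nil?
        raise Tynn::Error, <<~MSG
          No secret option provided to Tynn::Session.

          Tynn::Session uses a secret token to sign the cookie data, thus
          unauthorized means can't alter it. Please, add the secret option
          to your code:

              #{ app }.plugin(Tynn::Session, secret: "__a_long_random_secret__", ...)

          If you're sharing your code publicly, make sure the secret key is
          kept private. Knowing the secret allows an attacker to tamper the
          data. You can use environment variables to store the secret:

              #{ app }.plugin(Tynn::Session, secret: ENV.fetch("SESSION_SECRET"), ...)
        MSG
      end

      if secret.length < SECRET_MIN_LENGTH
        raise Tynn::Error, <<~MSG
          The secret provided is shorter than the minimum length.

          Make sure the secret is long and all random. You can generate a
          secure secret key with:

              $ ruby -r securerandom -e "puts SecureRandom.hex(64)"
        MSG
      end

      # Caller options win over the defaults, so same_site/hmac/coder can be
      # overridden explicitly (e.g. same_site: :Strict).
      defaults = {
        coder: Rack::Session::Cookie::Base64::JSON.new,
        hmac: OpenSSL::Digest::SHA256,
        same_site: :Lax
      }

      app.use(Rack::Session::Cookie, defaults.merge(options))
    end

    module InstanceMethods
      # Returns the session hash.
      #
      #   session
      #   # => {}
      #
      #   session[:foo] = "foo"
      #   session[:foo]
      #   # => "foo"
      #
      def session
        req.session
      end
    end
  end
end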