lib/global_session/rack.rb in global_session-3.2.1 vs lib/global_session/rack.rb in global_session-3.2.2
@@ -17,10 +17,11 @@
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
require File.expand_path(File.join(File.dirname(__FILE__), "..", "global_session"))
# Make sure the namespace exists, to satisfy Rails auto-loading
module GlobalSession
module Rack
@@ -103,13 +104,23 @@
@cookie_retrieval = block
@cookie_name = @configuration['cookie']['name']
end
- # Rack request chain. Sets up the global session ticket from
- # the environment and passes it up the chain.
+ # Rack request chain. Parses a global session from the request if present;
+ # makes a new session if absent; populates env['global_session'] with the
+ # session object and calls through to the next middleware.
#
+ # On return, auto-renews the session if appropriate and writes a new
+ # session cookie if anything in the session has changed.
+ #
+ # When reading session cookies or authorization headers, this middleware
+ # URL-decodes cookie/token values before passing them into the gem's
+ # other logic. Some user agents and proxies "helpfully" URL-encode cookies
+ # which we need to undo in order to prevent subtle signature failures due
+ # to Base64 decoding issues resulting from "=" being URL-encoded.
+ #
# @return [Array] valid Rack response tuple e.g. [200, 'hello world']
# @param [Hash] env Rack request environment
def call(env)
env['rack.cookies'] = {} unless env['rack.cookies']
@@ -161,11 +172,11 @@
end
if header_data && header_data.size == 2 && header_data.first.downcase == 'bearer'
env['global_session.req.renew'] = false
env['global_session.req.update'] = false
- env['global_session'] = @directory.load_session(header_data.last)
+ env['global_session'] = @directory.load_session(CGI.unescape(header_data.last))
true
else
false
end
end
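Review bot: `CGI.unescape` on the new line `env['global_session'] = @directory.load_session(CGI.unescape(header_data.last))` performs form decoding, so a literal `+` in the bearer token becomes a space before `load_session` sees it; if tickets use the standard Base64 alphabet (which contains `+`), a token that was never URL-encoded would now fail signature verification, which is exactly the failure the change sets out to avoid. The same applies to both `CGI.unescape` calls in read_cookie in the next hunk. Decoding only `%XX` escapes, e.g. `env['global_session'] = @directory.load_session(URI::DEFAULT_PARSER.unescape(header_data.last))`, leaves `+` intact while still undoing an encoded `=`; whether the ticket alphabet actually contains `+` is not visible here and should be checked against the ticket encoder. The enclosing method begins before this hunk.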
@@ -174,13 +185,14 @@
#
# @return [Boolean] true if the environment was populated, false otherwise
# @param [Hash] env Rack request environment
def read_cookie(env)
if @cookie_retrieval && (cookie = @cookie_retrieval.call(env))
- env['global_session'] = @directory.load_session(cookie)
+ env['global_session'] = @directory.load_session(CGI.unescape(cookie))
true
elsif env['rack.cookies'].has_key?(@cookie_name)
- env['global_session'] = @directory.load_session(env['rack.cookies'][@cookie_name])
+ cookie = env['rack.cookies'][@cookie_name]
+ env['global_session'] = @directory.load_session(CGI.unescape(cookie))
true
else
false
end
end
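Review bot: `CGI.unescape` is now called in both branches of read_cookie (and in read_authorization_header), but no `require 'cgi'` appears anywhere in this diff; the first hunk only adds a blank line after the license header. Unless the gem or Rack already loads cgi before this file is used (not visible here), the first request that reaches read_cookie raises NameError for `CGI`. Adding `require 'cgi'` next to the existing `require File.expand_path(...)` line at the top of the file makes the dependency explicit either way.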