lib/tynn/session.rb in tynn-2.0.0.alpha vs lib/tynn/session.rb in tynn-2.0.0.beta1
- old
+ new
@@ -8,12 +8,12 @@
# require "tynn/session"
#
# Tynn.plugin(Tynn::Session, secret: "__change_me_not_secure__")
#
# Tynn.define do
- # on("login") do
- # post do
+ # on "login" do
+ # on post do
# # ...
#
# session[:user_id] = user.id
#
# res.redirect("/admin")
@@ -44,10 +44,18 @@
#
# [secure]
# If <tt>true</tt>, sets the <tt>Secure</tt> flag. This tells the browser
# to only transmit the cookie over HTTPS. Defaults to <tt>false</tt>.
#
+ # [same_site]
+ # Disables third-party usage for cookies. There are two possible values
+ # <tt>:Lax</tt> and <tt>:Strict</tt>. In <tt>Strict</tt> mode, the cookie
+ # is restrain to any cross-site usage; in <tt>Lax</tt> mode, some cross-site
+ # usage is allowed. Defaults to <tt>:Lax</tt>. If <tt>nil</tt> is passed,
+ # the flag is not included. Check this article[http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/]
+ # for more information.
+ #
# [expire_after]
# The lifespan of the cookie. If <tt>nil</tt>, the session cookie is temporary
# and is no retained after the browser is closed. Defaults to <tt>nil</tt>.
#
# <tt></tt>
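Review bot: The new `[same_site]` paragraph never states what the two values actually permit, and `is restrain to any cross-site usage` is garbled, so a reader cannot choose between them from this doc alone. I would replace those two sentences with `In Strict mode the cookie is never sent on cross-site requests; in Lax mode it is still sent on top-level navigations (such as following a link) but not on cross-site subrequests or cross-site form submissions.` The sentence `If nil is passed, the flag is not included` should add that the browser's own default policy then applies, since omitting the attribute is not the same as disabling the protection. Nothing in this hunk shows whether a value other than `:Lax`/`:Strict` is rejected at setup time; if it is not, that is worth documenting here as well.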
@@ -56,21 +64,22 @@
# Tynn::Session,
# key: "app",
# secret: ENV["SESSION_SECRET"],
# expire_after: 36_000, # seconds
# httponly: true,
- # secure: true
+ # secure: true,
+ # same_site: :Strict
# )
#
module Session
SECRET_MIN_LENGTH = 30 # :nodoc:
def self.setup(app, options = {}) # :nodoc:
secret = options[:secret]
if secret.nil?
- raise <<~MSG
+ raise Tynn::Error, <<~MSG
No secret option provided to Tynn::Session.
Tynn::Session uses a secret token to sign the cookie data, thus
unauthorized means can't alter it. Please, add the secret option
to your code:
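Review bot: `SECRET_MIN_LENGTH = 30` on the line after `module Session` is the only strength check applied to the secret and carries no comment explaining the bound; a length test cannot tell a random token from a repeated character, so the constant deserves a note such as `# Floor on secret length, not an entropy check; the error text below asks for a random value.` The guard before `secret.length` only rejects `nil`, so a non-String secret read from a config loader would presumably surface as NoMethodError rather than the new Tynn::Error; the change to `raise Tynn::Error, <<~MSG` is otherwise consistent across both raise sites. setup's body continues past this hunk into the next one.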
@@ -84,10 +93,10 @@
#{ app }.plugin(Tynn::Session, secret: ENV.fetch("SESSION_SECRET"), ...)
MSG
end
if secret.length < SECRET_MIN_LENGTH
- raise <<~MSG
+ raise Tynn::Error, <<~MSG
The secret provided is shorter than the minimum length.
Make sure the secret is long and all random. You can generate a
secure secret key with: