Added Signed Cookie and optionally used it in Session - Other Speedups (

#148) * ran a bunch of tests, fixed some issues and cleaned up the code. added signed cookie made session take advantage of signed or encrypted cookies. only save code on changed? conditional added comment with store options * added test to prove that cookies with no signature return empty values * the deep magic before the dawn of time. * cleaned up store initialization at @drujensen's request * added delete and mark as changed when it delete
amberframework · Jul 28, 2017 · 1ba4f81 · 1ba4f81
1 parent 2af5b7a
commit 1ba4f81
Show file tree

Hide file tree

Showing 14 changed files with 467 additions and 184 deletions.
diff --git a/spec/amber/router/cookies_spec.cr b/spec/amber/router/cookies_spec.cr
@@ -96,43 +96,96 @@ module Amber::Router
       cookie_header(cookies).should eq "user_name=david; path=/; expires=#{HTTP.rfc1123_date(Time.new(2017, 6, 7, 9))},login=XJ-122; path=/"
     end
 
-    it "sets an encrypted cookie" do
-      cookies = new_cookie_store
+    context "encrypted cookies" do
+      it "sets an encrypted cookie" do
+        cookies = new_cookie_store
 
-      cookies.encrypted.set "user_name", "david"
+        cookies.encrypted.set "user_name", "david"
 
-      cookies.encrypted["user_name"].should eq "david"
-      cookie_header(cookies).should_not eq "user_name=david; path=/"
-    end
+        cookies.encrypted["user_name"].should eq "david"
+        cookie_header(cookies).should_not eq "user_name=david; path=/"
+      end
 
-    it "gets an encrypted cookie" do
-      cookies = new_cookie_store
-      cookie = HTTP::Cookie::Parser.parse_cookies("user_name=V2dOdEU0dzhQSWJ3V0RsOHVJOFdaSnJER2VEa1hxMTJtQ09LOFZkTm9xMD0tLU1hUDQ4dWpSWXhndEU1RU5yNDRXRlE9PQ==--4b887ed5ce9e000fa21b00bf9a474e17b8e662dc195f3db83fc424cd3d8b891d; path=/").first
+      it "gets an encrypted cookie" do
+        cookies = new_cookie_store
+        cookie = HTTP::Cookie::Parser.parse_cookies("user_name=LByguEoiSsJqc1iG%2FPrIujkr5ha0yUi%2Fng2fT4XSX3I%3D--qRpa7wr%2FuVEx5xfyfDrCHzrXjnJv44q1xhqG1XdgaAQ%3D; path=/").first
 
-      cookies[cookie.name] = cookie
+        cookies[cookie.name] = cookie
 
-      cookies.encrypted["user_name"].should eq "david"
-    end
+        cookies.encrypted["user_name"].should eq "david"
+      end
 
-    it "ignores tampered cookie signature" do
-      cookies = new_cookie_store
-      cookie = HTTP::Cookie::Parser.parse_cookies("user_name=YVpKaXlJN29vZUlwUnNuR3JzOVFPdEFwazFGWWNrYlpIUzhqU21YWWJDbz0tLVAvUldZaFZCQklLOW44ZGJLMDAramc9PQ%3D%3D--tampered; path=/").first
+      it "ignores tampered cookie signature" do
+        cookies = new_cookie_store
+        cookie = HTTP::Cookie::Parser.parse_cookies("user_name=LByguEoiSsJqc1iG%2FPrIujkr5ha0yUi%2Fng2fT4XSX3I%3D--tampered; path=/").first
 
-      cookies[cookie.name] = cookie
+        cookies[cookie.name] = cookie
 
-      cookies.encrypted["user_name"].should eq ""
-    end
+        cookies.encrypted["user_name"].should eq ""
+      end
 
-    it "ignores tampered cookie value" do
-      cookies = new_cookie_store(HTTP::Headers{"Cookie" => "user_name=tampered%3D%3D--cead74d6b7a64512a499fef31483fd21d9e89b85378a3eaa440c7ac7f9cd6b94;"})
+      it "ignores tampered cookie value" do
+        cookies = new_cookie_store(HTTP::Headers{"Cookie" => "user_name=tampered%3D%3D--cead74d6b7a64512a499fef31483fd21d9e89b85378a3eaa440c7ac7f9cd6b94;"})
 
-      cookies.encrypted["user_name"].should eq ""
+        cookies.encrypted["user_name"].should eq ""
+      end
+
+      it "ignores unset encrypted cookies" do
+        cookies = new_cookie_store
+
+        cookies.encrypted["invalid"].should eq nil
+      end
     end
 
-    it "ignores unset encrypted cookies" do
-      cookies = new_cookie_store
+    context "signed cookies" do
+      it "sets a cookie" do
+        cookies = new_cookie_store
+
+        cookies.signed.set "user_name", "david"
+
+        cookies.signed["user_name"].should eq "david"
+        cookie_header(cookies).should_not eq "user_name=david; path=/"
+      end
+
+      it "gets a cookie" do
+        cookies = new_cookie_store
+        cookie = HTTP::Cookie::Parser.parse_cookies("user_name=ZGF2aWQ%3D--84T1hBkFFZNrUKwheNP5KXTTdJk%3D; path=/").first
 
-      cookies.encrypted["invalid"].should eq nil
+        cookies[cookie.name] = cookie
+
+        cookies.signed["user_name"].should eq "david"
+      end
+
+      it "ignores tampered cookie signature" do
+        cookies = new_cookie_store
+        cookie = HTTP::Cookie::Parser.parse_cookies("user_name=ZGF2aWQ%3D--tampered; path=/").first
+
+        cookies[cookie.name] = cookie
+
+        cookies.signed["user_name"].should eq ""
+      end
+
+      it "ignores tampered cookie value" do
+        cookies = new_cookie_store(HTTP::Headers{"Cookie" => "user_name=tampered%3D%3D--cead74d6b7a64512a499fef31483fd21d9e89b85378a3eaa440c7ac7f9cd6b94;"})
+
+        cookies.signed["user_name"].should eq ""
+      end
+
+      it "ignores cookie without signature" do
+        cookies = new_cookie_store
+        cookie = HTTP::Cookie::Parser.parse_cookies("user_name=ZGF2aWQ%3D; path=/").first
+
+        cookies[cookie.name] = cookie
+
+        cookies.signed["user_name"].should eq ""
+      end
+
+
+      it "ignores unset encrypted cookies" do
+        cookies = new_cookie_store
+
+        cookies.signed["invalid"].should eq nil
+      end
     end
 
     it "raises cookie overflow error" do

diff --git a/spec/amber/router/pipe/session_spec.cr b/spec/amber/router/pipe/session_spec.cr
@@ -6,7 +6,7 @@ module Amber
       it "sets a cookie" do
         request = HTTP::Request.new("GET", "/")
         context = create_context(request)
-
+        context.session[:listening] = "linkin park"
         Session.new.call(context)
 
         context.response.headers.has_key?("Set-Cookie").should be_true
@@ -35,7 +35,7 @@ module Amber
               :store     => :redis,
               :expires   => 120,
               :secret    => "secret",
-              :redis_url => ENV["REDIS_URL"] || "redis://127.0.0.1:6379",
+              :redis_url => ENV["REDIS_URL"]? || "redis://127.0.0.1:6379",
             }
 
             request1 = HTTP::Request.new("GET", "/")