Public Instance methods
Return a path with an HMAC. Designed to be used with r.hmac_path, to make sure users can only request paths that they have been provided by the application (directly or indirectly). This can prevent users of a site from enumerating valid paths. The given path should be a string starting with /. Options:

:method :: Limits the returned path to only be valid for the given request method.
:namespace :: Make the HMAC value depend on the given namespace. If this is not provided, the default namespace is used. To explicitly not use a namespace when there is a default namespace, pass a nil value.
:params :: Includes parameters in the query string of the returned path, and limits the returned path to only be valid for that exact query string.
:root :: Should be an empty string or string starting with
```ruby
# File lib/roda/plugins/hmac_paths.rb
def hmac_path(path, opts=OPTS)
  unless path.is_a?(String) && path.getbyte(0) == 47
    raise RodaError, "path must be a string starting with /"
  end

  root = opts[:root] || ''
  unless root.is_a?(String) && ((root_byte = root.getbyte(0)) == 47 || root_byte == nil)
    raise RodaError, "root must be empty string or string starting with /"
  end

  flags = String.new
  path = path.dup

  if method = opts[:method]
    flags << 'm'
  end

  if params = opts[:params]
    flags << 'p'
    path << '?' << Rack::Utils.build_query(params)
  end

  if hmac_path_namespace(opts)
    flags << 'n'
  end

  flags << '0' if flags.empty?

  hmac_path = if method
    "#{method.to_s.upcase}:/#{flags}#{path}"
  else
    "/#{flags}#{path}"
  end

  "#{root}/#{hmac_path_hmac(root, hmac_path, opts)}/#{flags}#{path}"
end
```
The HMAC to use in hmac_path, for the given root, path, and options.
```ruby
# File lib/roda/plugins/hmac_paths.rb
def hmac_path_hmac(root, path, opts=OPTS)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, hmac_path_hmac_secret(root, opts), path)
end
```
The namespace to use for the hmac path. If a :namespace option is not provided, and a :namespace_session_key option was provided, this will use the value of the related session key, if present.
```ruby
# File lib/roda/plugins/hmac_paths.rb
def hmac_path_namespace(opts=OPTS)
  opts.fetch(:namespace){hmac_path_default_namespace}
end
```
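To show how the flags string binds the method, query string and namespace into the signed value, and what the r.hmac_path side has to recompute to validate a request, here is a self-contained walk-through of hmac_path, hmac_path_hmac and hmac_path_namespace above. It is an added example, not the plugin's own code: the secret, the example_* names and the key derivation in example_secret are constructed for illustration (the page does not show hmac_path_hmac_secret), and URI.encode_www_form stands in for Rack::Utils.build_query so it runs without Rack.

```ruby
require 'openssl'
require 'uri'

# Constructed example secret; Roda takes the real one from the plugin's :secret option.
HMAC_PATH_SECRET = 'constructed-example-secret-0123456789abcdef'

# Stand-in for hmac_path_hmac_secret (not shown on the page): derive a per-root,
# per-namespace key so a path signed under one namespace is not valid under another.
def example_secret(root, namespace)
  return HMAC_PATH_SECRET if namespace.nil?
  OpenSSL::HMAC.hexdigest('SHA256', HMAC_PATH_SECRET, "#{root}\0#{namespace}")
end

# Mirrors hmac_path: the flags record which options the signature covers, and the
# signed string is "METHOD:/flags/path" (with :method) or "/flags/path".
def example_hmac_path(path, root: '', method: nil, params: nil, namespace: nil)
  raise ArgumentError, 'path must start with /' unless path.start_with?('/')
  flags = +''
  path = path.dup
  flags << 'm' if method
  if params
    flags << 'p'
    path << '?' << URI.encode_www_form(params)  # stand-in for Rack::Utils.build_query
  end
  flags << 'n' if namespace
  flags << '0' if flags.empty?
  signed = method ? "#{method.to_s.upcase}:/#{flags}#{path}" : "/#{flags}#{path}"
  hmac = OpenSSL::HMAC.hexdigest('SHA256', example_secret(root, namespace), signed)
  "#{root}/#{hmac}/#{flags}#{path}"
end

# Server side (what r.hmac_path has to do): parse "<root>/<hex hmac>/<flags><path>",
# rebuild the signed string from the *request's* method and namespace, recompute the
# HMAC and compare in constant time. Takes path plus query as one string (assumption).
# Returns the verified path (query included only when the 'p' flag bound it) or nil.
def example_verify_hmac_path(full_path, method:, root: '', namespace: nil)
  return nil unless full_path.start_with?(root)
  m = full_path[root.length..].match(%r{\A/(\h{64})/([mpn0]+)(/.*)\z})
  return nil unless m
  hmac, flags, rest = m.captures
  return nil if flags.include?('n') != !namespace.nil?   # namespace flag must agree
  rest = rest.split('?', 2).first unless flags.include?('p')  # query not bound: ignore it
  signed = flags.include?('m') ? "#{method.to_s.upcase}:/#{flags}#{rest}" : "/#{flags}#{rest}"
  expected = OpenSSL::HMAC.hexdigest('SHA256', example_secret(root, namespace), signed)
  ok = OpenSSL.respond_to?(:secure_compare) ? OpenSSL.secure_compare(expected, hmac) : expected == hmac
  ok ? rest : nil
end
```

Changing any covered component (the path, the bound query string, the method when 'm' is set, or the namespace when 'n' is set) changes the signed string, so the recomputed HMAC no longer matches and the request is rejected.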