module Roda::RodaPlugins::HmacPaths::InstanceMethods

  1. lib/roda/plugins/hmac_paths.rb

Public Instance methods

hmac_path(path, opts=OPTS)

Return a path with an HMAC. Designed to be used with r.hmac_path, to make sure users can only request paths that they have been provided by the application (directly or indirectly). This can prevent users of a site from enumerating valid paths. The given path should be a string starting with /. Options:

:method

Limits the returned path to only be valid for the given request method.

:namespace

Make the HMAC value depend on the given namespace. If this is not provided, the default namespace is used. To explicitly not use a namespace when there is a default namespace, pass a nil value.

:params

Includes parameters in the query string of the returned path, and limits the returned path to only be valid for that exact query string.

:root

Should be an empty string or a string starting with /. This is the already matched path of the routing tree at the point where r.hmac_path is used. Defaults to the empty string, which returns paths valid for r.hmac_path at the top level of the routing tree.

    # File lib/roda/plugins/hmac_paths.rb
    def hmac_path(path, opts=OPTS)
      unless path.is_a?(String) && path.getbyte(0) == 47
        raise RodaError, "path must be a string starting with /"
      end

      # root must be the empty string or start with "/" (byte 47)
      root = opts[:root] || ''
      unless root.is_a?(String) && ((root_byte = root.getbyte(0)) == 47 || root_byte == nil)
        raise RodaError, "root must be empty string or string starting with /"
      end

      # flags record which options the HMAC is bound to:
      # m = request method, p = query string, n = namespace, 0 = none of these
      flags = String.new
      path = path.dup

      if method = opts[:method]
        flags << 'm'
      end

      if params = opts[:params]
        flags << 'p'
        path << '?' << Rack::Utils.build_query(params)
      end

      if hmac_path_namespace(opts)
        flags << 'n'
      end

      flags << '0' if flags.empty?

      # the HMAC covers the flags and path, prefixed by the method when :method is given
      hmac_path = if method
        "#{method.to_s.upcase}:/#{flags}#{path}"
      else
        "/#{flags}#{path}"
      end

      "#{root}/#{hmac_path_hmac(root, hmac_path, opts)}/#{flags}#{path}"
    end

hmac_path_hmac(root, path, opts=OPTS)

The HMAC to use in hmac_path, for the given root, path, and options.

    # File lib/roda/plugins/hmac_paths.rb
    def hmac_path_hmac(root, path, opts=OPTS)
      OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA256.new, hmac_path_hmac_secret(root, opts), path)
    end

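As an added example (not code from Roda itself), the following stand-alone Ruby mirrors the path layout and HMAC input shown in hmac_path and hmac_path_hmac for the :method and :params options, and adds the verification step a routing side performs on "/<hmac>/<flags><path>". It assumes a constructed SECRET instead of the plugin's per-root hmac_path_hmac_secret, uses URI.encode_www_form as a stand-in for Rack::Utils.build_query, and leaves :namespace out.

```ruby
require 'openssl'
require 'uri'
# Constructed secret for this example only; the plugin derives its secret per
# root via hmac_path_hmac_secret, which is not reproduced here.
SECRET = 'constructed-example-secret-do-not-reuse'

# The string the HMAC covers, mirroring hmac_path above:
# "METHOD:/flags/path" when :method is given, otherwise "/flags/path".
def signed_string(flags, path, meth)
  meth ? "#{meth.to_s.upcase}:/#{flags}#{path}" : "/#{flags}#{path}"
end

def hmac_hex(secret, data)
  OpenSSL::HMAC.hexdigest('SHA256', secret, data)
end

# Build "root/<hmac>/<flags><path>" for the :method and :params options
# (:namespace is left out of this example).
def example_hmac_path(path, root: '', method: nil, params: nil, secret: SECRET)
  raise ArgumentError, 'path must start with /' unless path.start_with?('/')
  flags = String.new
  path = path.dup
  flags << 'm' if method
  if params
    flags << 'p'
    path << '?' << URI.encode_www_form(params) # stand-in for Rack::Utils.build_query
  end
  flags << '0' if flags.empty?
  "#{root}/#{hmac_hex(secret, signed_string(flags, path, method))}/#{flags}#{path}"
end

# Constant-time comparison so a mismatch does not leak which byte differed.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Check "/<hmac>/<flags><path>" (the part after the matched root) against the request
# method and raw query string; returns the authenticated path or nil on HMAC mismatch.
def verify_example_hmac_path(remaining, request_method:, query_string: '', secret: SECRET)
  m = %r{\A/(\h{64})/([mp0]+)(/.*)\z}.match(remaining) or return nil
  hmac, flags, path = m.captures
  path = "#{path}?#{query_string}" if flags.include?('p')
  meth = flags.include?('m') ? request_method : nil
  expected = hmac_hex(secret, signed_string(flags, path, meth))
  constant_time_equal?(expected, hmac) ? path : nil
end
```

Because the method and query string are folded into the signed string only when the m and p flags are present, a path generated without :params stays valid for any query string, while one generated with :params is rejected for any other query string.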
hmac_path_namespace(opts=OPTS)

The namespace to use for the HMAC path. If a :namespace option is not provided, and a :namespace_session_key option was provided, this uses the value of the related session key, if present.

    # File lib/roda/plugins/hmac_paths.rb
    def hmac_path_namespace(opts=OPTS)
      opts.fetch(:namespace){hmac_path_default_namespace}
    end