From bf9913f8f43a2436c644ad893d3d7034f7d7e256 Mon Sep 17 00:00:00 2001
From: Carlhuda <carlhuda@engineyard.com>
Date: Tue, 2 Mar 2010 16:22:53 -0800
Subject: Move session_store and session_options to the AC configuration object

---
 .../lib/action_controller/metal/compatibility.rb   |  3 --
 .../action_controller/metal/http_authentication.rb | 28 ++++++++---------
 .../action_controller/metal/session_management.rb  | 35 +++++++++++++++-------
 3 files changed, 37 insertions(+), 29 deletions(-)

(limited to 'actionpack/lib/action_controller/metal')

diff --git a/actionpack/lib/action_controller/metal/compatibility.rb b/actionpack/lib/action_controller/metal/compatibility.rb
index 2b1ada1426..d1c86b296d 100644
--- a/actionpack/lib/action_controller/metal/compatibility.rb
+++ b/actionpack/lib/action_controller/metal/compatibility.rb
@@ -12,9 +12,6 @@ module ActionController
       ::ActionController::UnknownAction = ::AbstractController::ActionNotFound
       ::ActionController::DoubleRenderError = ::AbstractController::DoubleRenderError
 
-      cattr_accessor :session_options
-      self.session_options = {}
-
       cattr_accessor :relative_url_root
       self.relative_url_root = ENV['RAILS_RELATIVE_URL_ROOT']
 
diff --git a/actionpack/lib/action_controller/metal/http_authentication.rb b/actionpack/lib/action_controller/metal/http_authentication.rb
index 0f35a7c040..5c6641c948 100644
--- a/actionpack/lib/action_controller/metal/http_authentication.rb
+++ b/actionpack/lib/action_controller/metal/http_authentication.rb
@@ -165,7 +165,7 @@ module ActionController
 
         # Authenticate with HTTP Digest, returns true or false
         def authenticate_with_http_digest(realm = "Application", &password_procedure)
-          HttpAuthentication::Digest.authenticate(request, realm, &password_procedure)
+          HttpAuthentication::Digest.authenticate(config.session_options[:secret], request, realm, &password_procedure)
         end
 
         # Render output including the HTTP Digest authentication header
@@ -175,8 +175,8 @@ module ActionController
       end
 
       # Returns false on a valid response, true otherwise
-      def authenticate(request, realm, &password_procedure)
-        authorization(request) && validate_digest_response(request, realm, &password_procedure)
+      def authenticate(secret_key, request, realm, &password_procedure)
+        authorization(request) && validate_digest_response(secret_key, request, realm, &password_procedure)
       end
 
       def authorization(request)
@@ -189,11 +189,11 @@ module ActionController
       # Returns false unless the request credentials response value matches the expected value.
       # First try the password as a ha1 digest password. If this fails, then try it as a plain
       # text password.
-      def validate_digest_response(request, realm, &password_procedure)
+      def validate_digest_response(secret_key, request, realm, &password_procedure)
         credentials = decode_credentials_header(request)
-        valid_nonce = validate_nonce(request, credentials[:nonce])
+        valid_nonce = validate_nonce(secret_key, request, credentials[:nonce])
 
-        if valid_nonce && realm == credentials[:realm] && opaque == credentials[:opaque]
+        if valid_nonce && realm == credentials[:realm] && opaque(secret_key) == credentials[:opaque]
           password = password_procedure.call(credentials[:username])
           return false unless password
 
@@ -238,6 +238,9 @@ module ActionController
       end
 
       def authentication_header(controller, realm)
+        secret_key = controller.config.session_options[:secret]
+        nonce = self.nonce(secret_key)
+        opaque = opaque(secret_key)
         controller.headers["WWW-Authenticate"] = %(Digest realm="#{realm}", qop="auth", algorithm=MD5, nonce="#{nonce}", opaque="#{opaque}")
       end
 
@@ -280,7 +283,7 @@ module ActionController
       # The nonce is opaque to the client. Composed of Time, and hash of Time with secret
       # key from the Rails session secret generated upon creation of project. Ensures
       # the time cannot be modified by client.
-      def nonce(time = Time.now)
+      def nonce(secret_key, time = Time.now)
         t = time.to_i
         hashed = [t, secret_key]
         digest = ::Digest::MD5.hexdigest(hashed.join(":"))
@@ -292,21 +295,16 @@ module ActionController
       # Can be much shorter if the Stale directive is implemented. This would
       # allow a user to use new nonce without prompting user again for their
       # username and password.
-      def validate_nonce(request, value, seconds_to_timeout=5*60)
+      def validate_nonce(secret_key, request, value, seconds_to_timeout=5*60)
         t = ActiveSupport::Base64.decode64(value).split(":").first.to_i
-        nonce(t) == value && (t - Time.now.to_i).abs <= seconds_to_timeout
+        nonce(secret_key, t) == value && (t - Time.now.to_i).abs <= seconds_to_timeout
       end
 
       # Opaque based on random generation - but changing each request?
-      def opaque()
+      def opaque(secret_key)
         ::Digest::MD5.hexdigest(secret_key)
       end
 
-      # Set in /initializers/session_store.rb, and loaded even if sessions are not in use.
-      def secret_key
-        ActionController::Base.session_options[:secret]
-      end
-
     end
   end
 end
diff --git a/actionpack/lib/action_controller/metal/session_management.rb b/actionpack/lib/action_controller/metal/session_management.rb
index 6997257844..264250db1a 100644
--- a/actionpack/lib/action_controller/metal/session_management.rb
+++ b/actionpack/lib/action_controller/metal/session_management.rb
@@ -2,27 +2,40 @@ module ActionController #:nodoc:
   module SessionManagement #:nodoc:
     extend ActiveSupport::Concern
 
+    included do
+      self.config.session_store   ||= :cookie_store
+      self.config.session_options ||= {}
+    end
+
     module ClassMethods
       # Set the session store to be used for keeping the session data between requests.
       # By default, sessions are stored in browser cookies (<tt>:cookie_store</tt>),
       # but you can also specify one of the other included stores (<tt>:active_record_store</tt>,
       # <tt>:mem_cache_store</tt>, or your own custom class.
       def session_store=(store)
-        if store == :active_record_store
-          self.session_store = ActiveRecord::SessionStore
-        else
-          @@session_store = store.is_a?(Symbol) ?
-            ActionDispatch::Session.const_get(store.to_s.camelize) :
-            store
-        end
+        ActiveSupport::Deprecation.warn "Setting session_store directly on ActionController::Base is deprecated. " \
+                                        "Please set it on config.action_controller.session_store"
+        config.session_store = store
+      end
+
+      def session_options=(opts)
+        ActiveSupport::Deprecation.warn "Setting seession_options directly on ActionController::Base is deprecated. " \
+                                        "Please set it on config.action_controller.session_options"
+        config.session_store = opts
+      end
+
+      def session_options
+        config.session_options
       end
 
-      # Returns the session store class currently used.
       def session_store
-        if defined? @@session_store
-          @@session_store
+        case store = config.session_store
+        when :active_record_store
+          ActiveRecord::SessionStore
+        when Symbol
+          ActionDispatch::Session.const_get(store.to_s.camelize)
         else
-          ActionDispatch::Session::CookieStore
+          store
         end
       end
 
-- 
cgit v1.2.3