aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_dispatch/middleware/session/abstract_store.rb
blob: ea49b30630014df6f06e13476b403cc52f2ede11 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
require 'rack/utils'
require 'rack/request'
require 'action_dispatch/middleware/cookies'
require 'active_support/core_ext/object/blank'

module ActionDispatch
  module Session
    class SessionRestoreError < StandardError #:nodoc:
    end

    class AbstractStore
      ENV_SESSION_KEY = 'rack.session'.freeze
      ENV_SESSION_OPTIONS_KEY = 'rack.session.options'.freeze

      # thin wrapper around Hash that allows us to lazily
      # load session id into session_options
      class OptionsHash < Hash
        def initialize(by, env, default_options)
          @by = by
          @env = env
          @session_id_loaded = false
          merge!(default_options)
        end

        def [](key)
          if key == :id
            load_session_id! unless key?(:id) || has_session_id?
          end
          super
        end

      private

        def has_session_id?
          @session_id_loaded
        end

        def load_session_id!
          self[:id] = @by.send(:extract_session_id, @env)
          @session_id_loaded = true
        end
      end

      class SessionHash < Hash
        def initialize(by, env)
          super()
          @by = by
          @env = env
          @loaded = false
        end

        def [](key)
          load_for_read!
          super(key.to_s)
        end

        def has_key?(key)
          load_for_read!
          super(key.to_s)
        end

        def []=(key, value)
          load_for_write!
          super(key.to_s, value)
        end

        def clear
          load_for_write!
          super
        end

        def to_hash
          load_for_read!
          h = {}.replace(self)
          h.delete_if { |k,v| v.nil? }
          h
        end

        def update(hash)
          load_for_write!
          super(hash.stringify_keys)
        end

        def delete(key)
          load_for_write!
          super(key.to_s)
        end

        def inspect
          load_for_read!
          super
        end

        def exists?
          return @exists if instance_variable_defined?(:@exists)
          @exists = @by.send(:exists?, @env)
        end

        def loaded?
          @loaded
        end

        def destroy
          clear
          @by.send(:destroy, @env) if defined?(@by) && @by
          @env[ENV_SESSION_OPTIONS_KEY][:id] = nil if defined?(@env) && @env && @env[ENV_SESSION_OPTIONS_KEY]
          @loaded = false
        end

        private

          def load_for_read!
            load! if !loaded? && exists?
          end

          def load_for_write!
            load! unless loaded?
          end

          def load!
            id, session = @by.send(:load_session, @env)
            @env[ENV_SESSION_OPTIONS_KEY][:id] = id
            replace(session.stringify_keys)
            @loaded = true
          end

      end

      DEFAULT_OPTIONS = {
        :key =>           '_session_id',
        :path =>          '/',
        :domain =>        nil,
        :expire_after =>  nil,
        :secure =>        false,
        :httponly =>      true,
        :cookie_only =>   true
      }

      def initialize(app, options = {})
        @app = app
        @default_options = DEFAULT_OPTIONS.merge(options)
        @key = @default_options.delete(:key).freeze
        @cookie_only = @default_options.delete(:cookie_only)
        ensure_session_key!
      end

      def call(env)
        prepare!(env)
        response = @app.call(env)

        session_data = env[ENV_SESSION_KEY]
        options = env[ENV_SESSION_OPTIONS_KEY]

        if !session_data.is_a?(AbstractStore::SessionHash) || session_data.loaded? || options[:expire_after]
          request = ActionDispatch::Request.new(env)

          return response if (options[:secure] && !request.ssl?)

          session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.loaded?

          sid = options[:id] || generate_sid
          session_data = session_data.to_hash

          value = set_session(env, sid, session_data)
          return response unless value

          cookie = { :value => value }
          unless options[:expire_after].nil?
            cookie[:expires] = Time.now + options.delete(:expire_after)
          end

          set_cookie(request, cookie.merge!(options))
        end

        response
      end

      private

        def prepare!(env)
          env[ENV_SESSION_KEY] = SessionHash.new(self, env)
          env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)
        end

        def generate_sid
          ActiveSupport::SecureRandom.hex(16)
        end

        def set_cookie(request, options)
          if request.cookie_jar[@key] != options[:value] || !options[:expires].nil?
            request.cookie_jar[@key] = options
          end
        end

        def load_session(env)
          stale_session_check! do
            sid = current_session_id(env)
            sid, session = get_session(env, sid)
            [sid, session]
          end
        end

        def extract_session_id(env)
          stale_session_check! do
            request = ActionDispatch::Request.new(env)
            sid = request.cookies[@key]
            sid ||= request.params[@key] unless @cookie_only
            sid
          end
        end

        def current_session_id(env)
          env[ENV_SESSION_OPTIONS_KEY][:id]
        end

        def ensure_session_key!
          if @key.blank?
            raise ArgumentError, 'A key is required to write a ' +
              'cookie containing the session data. Use ' +
              'config.session_store SESSION_STORE, { :key => ' +
              '"_myapp_session" } in config/application.rb'
          end
        end

        def stale_session_check!
          yield
        rescue ArgumentError => argument_error
          if argument_error.message =~ %r{undefined class/module ([\w:]*\w)}
            begin
              # Note that the regexp does not allow $1 to end with a ':'
              $1.constantize
            rescue LoadError, NameError => const_error
              raise ActionDispatch::Session::SessionRestoreError, "Session contains objects whose class definition isn't available.\nRemember to require the classes for all objects kept in the session.\n(Original exception: #{const_error.message} [#{const_error.class}])\n"
            end
            retry
          else
            raise
          end
        end

        def exists?(env)
          current_session_id(env).present?
        end

        def get_session(env, sid)
          raise '#get_session needs to be implemented.'
        end

        def set_session(env, sid, session_data)
          raise '#set_session needs to be implemented and should return ' <<
            'the value to be stored in the cookie (usually the sid)'
        end

        def destroy(env)
          raise '#destroy needs to be implemented.'
        end
    end
  end
end