fixes session cookie

Ride-Builder/RideAppClassHelper.class.st

@@ -53,7 +53,16 @@ RideAppClassHelper class >> newSessionWith_UrlMethodFor: aSymbol [
 	
 	"Answer a new {1}App session with the given sessionId and url."
 
-	^ {1}Session newWith: sessionId url: anUrl
+	^ self sessionClass newWith: sessionId url: anUrl
+' format: { aSymbol }
+]
+
+{ #category : #accessing }
+RideAppClassHelper class >> sessionClassMethodFor: aSymbol [
+
+	^ 'sessionClass
+	
+	^ {1}Session
 ' format: { aSymbol }
 ]
 
@@ -90,11 +99,18 @@ RideAppClassHelper >> addInstallMethodTo: aClass for: aSymbol [
 
 { #category : #actions }
 RideAppClassHelper >> addNewSessionWith_UrlMethodTo: aClass for: aSymbol [
-
+	self deprecated: 'not used'.
 	aClass class compile: (self class newSessionWith_UrlMethodFor: aSymbol).
 	aClass class organization classify: #'newSessionWith:url:' under: 'actions'
 ]
 
+{ #category : #actions }
+RideAppClassHelper >> addSessionClassMethodTo: aClass for: aSymbol [
+
+	aClass class compile: (self class sessionClassMethodFor: aSymbol).
+	aClass class organization classify: #sessionClass under: 'accessing'
+]
+
 { #category : #accessing }
 RideAppClassHelper >> classNameFor: aSymbol [
 
@@ -114,7 +130,8 @@ RideAppClassHelper >> for: aSymbol [
 	| appClass |
 	appClass := super for: aSymbol.
 
-	self addNewSessionWith_UrlMethodTo: appClass for: aSymbol.
+	self addSessionClassMethodTo: appClass for: aSymbol.
+	"self addNewSessionWith_UrlMethodTo: appClass for: aSymbol."
 	self addInstallMethodTo: appClass for: aSymbol.
 	self addApplicationResourceClassMethodTo: appClass for: aSymbol.
 	self addInitializeServerMethodTo: appClass for: aSymbol.

Ride/RidePresenter.class.st

@@ -235,6 +235,15 @@ RidePresenter >> currentSession [
 	^ RideCurrentSession value
 ]
 
+{ #category : #actions }
+RidePresenter >> ensureSessionCookie [
+
+	| response sessionCookie |
+	response := RideCurrentResponse value.
+	sessionCookie := self currentSession sessionCookie.
+	response headers at: 'Set-Cookie' put: sessionCookie fullString
+]
+
 { #category : #actions }
 RidePresenter >> formAction [
 	"Makes the receiver perform the action corresponding to a RESTful convention
@@ -397,7 +406,7 @@ RidePresenter >> newAuthToken [
 { #category : #actions }
 RidePresenter >> onAboutToRespond [
 
-	"no-op is the default"
+	self ensureSessionCookie
 ]
 
 { #category : #actions }
@@ -521,7 +530,7 @@ RidePresenter >> renderUsing: aSelector [
 { #category : #actions }
 RidePresenter >> resetSession [
 
-	Ride service invalidateSession: self currentSession
+	Ride service invalidateSessionId: self currentSession
 ]
 
 { #category : #accessing }
@@ -577,6 +586,13 @@ RidePresenter >> templateContext [
 			  template ]
 ]
 
+{ #category : #accessing }
+RidePresenter >> unauthorizedHandler [
+	"Answers a handler to react when the auth token is missing or was not found."
+
+	^ [ RideUnauthorizedError signal: 'Authorization not found' ]
+]
+
 { #category : #actions }
 RidePresenter >> updateModelFromRequest: aRequest [
 	"Updates the model data following the convention of expecting for all its data keys,

Ride/RideService.class.st

@@ -29,12 +29,12 @@ RideService class >> applicationResourceClass [
 { #category : #accessing }
 RideService class >> getSessionGetter [
 
-	^ [ :request | 
+	^ [ :request |
 	  | sessionId |
 	  sessionId := self sessionIdFromCookieOrNewFrom: request.
 	  Ride service sessions
 		  at: sessionId
-		  ifAbsentPut: [ self newSessionWith: sessionId url: request url ] ]
+		  ifAbsentPut: [ self newSessionWith: sessionId request: request ] ]
 ]
 
 { #category : #accessing }
@@ -61,9 +61,11 @@ RideService class >> log: aString level: aSymbol [
 RideService class >> newResetSessionCookie [
 
 	| expires cookieString domain |
+	self deprecated: 'using this from the session'.
 	domain := Ride service server router domain.
 	expires := ZnUtils httpDate: DateAndTime now - 10 years.
-	cookieString := 'id={1}; expires={2}; path=/; domain={3}' format: { 
+	cookieString := '{1}={2}; expires={3}; path=/; domain={4}' format: {
+			                Ride service sessionClass cookieName.
 			                String new.
 			                expires.
 			                domain }.
@@ -76,9 +78,15 @@ RideService class >> newSessionId [
 	^ UUID new asString36
 ]
 
+{ #category : #actions }
+RideService class >> newSessionWith: sessionId request: aRequest [
+
+	^ self sessionClass newWith: sessionId request: aRequest
+]
+
 { #category : #accessing }
 RideService class >> newSessionWith: sessionId url: anUrl [
-
+	self deprecated: 'not used'.
 	self subclassResponsibility
 ]
 
@@ -98,13 +106,21 @@ RideService class >> restart [
 ]
 
 { #category : #accessing }
-RideService class >> sessionIdFromCookieOrNewFrom: aRequest [
+RideService class >> sessionClass [
+
+	^ self subclassResponsibility
+]
 
+{ #category : #accessing }
+RideService class >> sessionIdFromCookieOrNewFrom: aRequest [
 	"Answers the session ID taken from the cookie of the given aRequest.
 	Answers a new one if the cookie is absent "
 
+	| cookieName |
+	cookieName := Ride service sessionClass cookieName.
+
 	^ (aRequest cookies
-		   detect: [ :each | each name = 'id' ]
+		   detect: [ :each | each name = cookieName ]
 		   ifNone: [ ^ self newSessionId ]) value
 ]
 
@@ -240,6 +256,13 @@ RideService >> invalidateSession: aRideSession [
 		put: Ride service class newResetSessionCookie fullString
 ]
 
+{ #category : #actions }
+RideService >> invalidateSessionId: aRideSessionId [
+	"Remove the given session from the cache"
+
+	sessions removeKey: aRideSessionId ifAbsent: [  ]
+]
+
 { #category : #accessing }
 RideService >> locator [
 	self deprecated: 'use Ride resource instead'.
@@ -371,6 +394,12 @@ RideService >> server: anObject [
 	server := anObject
 ]
 
+{ #category : #accessing }
+RideService >> sessionClass [
+
+	^ self class sessionClass
+]
+
 { #category : #accessing }
 RideService >> sessionGetter [
 

Ride/RideSession.class.st

@@ -9,23 +9,88 @@ Class {
 		'id',
 		'webSocket',
 		'cache',
-		'values'
+		'values',
+		'authenticityTokens',
+		'cookie'
+	],
+	#classInstVars : [
+		'authenticityTokenGenerator'
 	],
 	#category : #'Ride-Core'
 }
 
+{ #category : #accessing }
+RideSession class >> authenticityTokenGenerator [
+
+	^ authenticityTokenGenerator := UUIDGenerator new
+]
+
+{ #category : #actions }
+RideSession class >> cookieName [
+	"Answers the session cookie name."
+
+	^ self name asString
+]
+
+{ #category : #actions }
+RideSession class >> newSessionCookieId: anId expiring: aDateAndTime [
+
+	| domain expires cookieString |
+	domain := Ride service server router domain.
+	expires := ZnUtils httpDate: aDateAndTime.
+	cookieString := '{1}={2}; expires={3}; path=/; domain={4}' format: {
+			                Ride service sessionClass cookieName.
+			                anId.
+			                expires.
+			                domain }.
+
+	^ ZnCookie fromString: cookieString for: ('http://' , domain) asZnUrl
+]
+
 { #category : #'instance creation' }
-RideSession class >> newWith: anId url: anUrl [
+RideSession class >> newWith: anId request: aRequest [
+
+	^ self new initializeWith: anId request: aRequest
+]
 
+{ #category : #'instance creation' }
+RideSession class >> newWith: anId url: anUrl [
+	self deprecated: 'not used'.
 	^ self new initializeWith: anId url: anUrl
 ]
 
 { #category : #actions }
-RideSession >> add: routeKey presenter: aRidePresenter [
+RideSession class >> nextAuthenticityTokenValue [
+
+	^ self authenticityTokenGenerator next asString36
+]
+
+{ #category : #actions }
+RideSession class >> reset [
 
+	authenticityTokenGenerator := nil
+]
+
+{ #category : #accessing }
+RideSession class >> sessionDuration [
+
+	^ (Smalltalk os environment
+		   at: #SESSION_DURATION
+		   ifAbsent: [ 20 years asSeconds ]) asInteger seconds
+]
+
+{ #category : #actions }
+RideSession >> add: routeKey presenter: aRidePresenter [
+self deprecated: ' not used'.
 	^ self presenters at: routeKey put: aRidePresenter
 ]
 
+{ #category : #accessing }
+RideSession >> authenticityTokens [
+
+	^ authenticityTokens ifNil: [ self initializeAuthenticityTokens ]
+]
+
 { #category : #accessing }
 RideSession >> cache [
 
@@ -83,36 +148,79 @@ RideSession >> initialUrl: anUrl [
 		self values at: #initialUrl put: anUrl ]
 ]
 
+{ #category : #initialization }
+RideSession >> initializeAuthenticityTokens [
+
+	^ authenticityTokens := TTLCache new
+]
+
 { #category : #initialization }
 RideSession >> initializeCache [
 
 	^ cache := TTLCache new
 ]
 
+{ #category : #initialization }
+RideSession >> initializeCookieUsing: aRequest [
+
+	| newCookie |
+
+	newCookie := [
+	             self class
+		             newSessionCookieId:
+		             self class nextAuthenticityTokenValue
+		             expiring: DateAndTime now + self class sessionDuration ].
+
+	^ cookie := aRequest cookies
+		            detect: [ :e | e name = self class cookieName ]
+		            ifNone: [ newCookie value ]
+]
+
 { #category : #initialization }
 RideSession >> initializeValues [
 
 	^ values := SmallDictionary new
 ]
 
 { #category : #initialization }
-RideSession >> initializeWith: anId url: anUrl [
+RideSession >> initializeWith: anId request: aRequest [
 
 	super initialize.
 
 	id := anId.
+	self initializeCookieUsing: aRequest.
 	self initializeCache.
+	self initializeAuthenticityTokens.
+	self initialUrl: aRequest url
+]
+
+{ #category : #initialization }
+RideSession >> initializeWith: anId url: anUrl [
+	self deprecated: 'not in use'.
+	super initialize.
+
+	id := anId.
+	self initializeCookie.
+	self initializeCache.
+	self initializeAuthenticityTokens.
 	self initialUrl: anUrl
 ]
 
 { #category : #actions }
 RideSession >> invalidateAndRedirectTo: url [
 
 	| response |
-	Ride service invalidateSession: self.
+	Ride service invalidateSessionId: self id.
 	response := RideCurrentResponse value.
 
-	"Redirect"
+	"Reset the session cookie"
+	response headers
+		at: 'Set-Cookie'
+		put:
+			(self class newSessionCookieExpiring: DateAndTime now - 10 years)
+				fullString.
+
+	"and redirect"
 	response
 		code: 302;
 		location: url.
@@ -121,9 +229,14 @@ RideSession >> invalidateAndRedirectTo: url [
 
 { #category : #actions }
 RideSession >> newAuthToken [
-	"Adds a new auth token"
-
-	^ cache at: #authenticity_token put: self newUUIDAsString36
+	"Adds a new auth token.
+	The authenticity tokens are stored by value with its own TTL
+	so request can be considered unauthorized when a request doesn't
+	include an existing one for this session."
+
+	| value |
+	value := self class nextAuthenticityTokenValue.
+	^ authenticityTokens at: value ifAbsentPut: [ value ]
 ]
 
 { #category : #actions }
@@ -144,6 +257,12 @@ RideSession >> remove: routeKey [
 	^ self presenters removeKey: routeKey ifAbsent: [ nil ]
 ]
 
+{ #category : #accessing }
+RideSession >> sessionCookie [
+
+	^ cookie 
+]
+
 { #category : #accessing }
 RideSession >> values [