bump version to v0.3.2

Changes.md

@@ -1,3 +1,13 @@
+### v0.3.2 2017.06.10
+
+- 关于内置session插件的更改
+    - 修复session过期时间bug
+    - 移除lua-resty-session依赖
+    - 内置session插件替换为基于cookie的简单实现
+    - 接口仍然保持与之前版本兼容
+    - 关于session处理，仍然建议根据具体业务需求和安全考量自行实现
+- 支持URI中含有字符'-'
+
 ### v0.3.1 2017.04.16
 
 - 支持路由中包含`~`字符（from [@XadillaX](https://github.com/XadillaX))

bin/scaffold/generator.lua

@@ -259,6 +259,7 @@ local mw_cookie = require("lor.lib.middleware.cookie")
 local mw_session = require("lor.lib.middleware.session")
 app:use(mw_cookie())
 app:use(mw_session({
+    secret = "session aes secret which you should set",
     timeout = 3600 -- default session timeout is 3600 seconds
 }))
 
@@ -291,10 +292,10 @@ app:erroruse(function(err, req, res, next)
         if string_find(req.headers["Accept"], "application/json") then
             res:status(500):json({
                 success = false,
-                msg = "500! unknown error."
+                msg = "500! internal error, please check the log."
             })
         else
-            res:status(500):send("unknown error")
+            res:status(500):send("internal error, please check the log.")
         end
     end
 end)

dist.ini

@@ -1,10 +1,10 @@
 name = lor
 abstract = A fast and minimalist web framework based on OpenResty.
-version = 0.3.1
+version = 0.3.2
 author = Sumory Wu (@sumory)
 is_original = yes
 license = mit
 repo_link = https://github.com/sumory/lor
 main_module = lib/lor/index.lua
 exclude_files = .travis, docker, docs, .travis.yml
-requires = bungle/lua-resty-session >= 2.13, bungle/lua-resty-template >= 1.9, p0pr0ck5/lua-resty-cookie >= 0.01
+requires = bungle/lua-resty-template >= 1.9, p0pr0ck5/lua-resty-cookie >= 0.01

lib/lor/lib/middleware/init.lua

@@ -2,19 +2,8 @@ local init_middleware = function(req, res, next)
     req.res = res
     req.next = next
     res.req = req
-
-    --        if app and app:getconf("x-powered-by") then
-    --            if app.version then
-    --                res:setHeader('X-Powered-By', 'Lor Framework ' .. app.version)
-    --            else
-    --
-    --            end
-    --        end
-
     -- res:set_header('X-Powered-By', 'Lor Framework')
     res.locals = res.locals or {}
-    -- setmetatable(req, {__index = app.request})
-    -- setmetatable(res, {__index = app.response})
     next()
 end
 

lib/lor/lib/middleware/session.lua

@@ -1,111 +1,172 @@
-local xpcall = xpcall
+local type, xpcall = type, xpcall
 local traceback = debug.traceback
+local http_time = ngx.http_time
 local ngx_time = ngx.time
-local Session = require("resty.session")
-
--- Mind:
--- base on 'lua-resty-session'
--- this is the default `session` middleware which uses storage `cookie`
--- you're recommended to define your own `session` middleware.
--- you're strongly recommended to set your own session.secret
-
--- usage example:
---    app:get("/session/set", function(req, res, next)
---        local k = req.query.k
---        local v = req.query.v
---        if k then
---            req.session.set(k,v)
---            res:send("session saved: " .. k .. "->" .. v)
---        else
---            res:send("null session key")
---        end
---    end)
---
---    app:get("/session/get/:key", function(req, res, next)
---        local k = req.params.key
---        if not k then
---            res:send("please input session key")
---        else
---            res:send("session data: " .. req.session.get(k))
---        end
---    end)
---
---    app:get("/session/destroy", function(req, res, next)
---        req.session.destroy()
---    end)
+local ck = require("resty.cookie")
+local utils = require("lor.lib.utils.utils")
+local aes = require("lor.lib.utils.aes")
+local base64 = require("lor.lib.utils.base64")
+
+
+local function decode_data(field, aes_key, ase_secret)
+    if not field or field == "" then return {} end
+    local payload = base64.decode(field)
+    local data = {}
+    local cipher = aes.new()
+    local decrypt_str = cipher:decrypt(payload, aes_key, ase_secret)
+    local decode_obj = utils.json_decode(decrypt_str)
+    return decode_obj or data
+end
+
+local function encode_data(obj, aes_key, ase_secret)
+    local default = "{}"
+    local str = utils.json_encode(obj) or default
+    local cipher = aes.new()
+    local encrypt_str = cipher:encrypt(str, aes_key, ase_secret)
+    local encode_encrypt_str = base64.encode(encrypt_str)
+    return encode_encrypt_str
+end
+
+local function parse_session(field, aes_key, ase_secret)
+    if not field then return end
+    return decode_data(field, aes_key, ase_secret)
+end
+
+--- no much secure & performance consideration
+--- TODO: optimization & security issues
 local session_middleware = function(config)
     config = config or {}
+    config.session_key = config.session_key or "_app_"
     if config.refresh_cookie ~= false then
         config.refresh_cookie = true
     end
-
     if not config.timeout or type(config.timeout) ~= "number" then
         config.timeout = 3600 -- default session timeout is 3600 seconds
     end
+
+    -- backward compatibility for lor < v0.3.2
+    config.session_aes_key = config.session_aes_key or "custom_session_aes_key" 
+    config.session_aes_secret = config.session_aes_secret or config.secret
 
-    if not config.secret then
-        config.secret = "7su3k78hjqw90fvj480fsdi934j7ery3n59ljf295d"
+    local err_tip = "session_aes_key and session_aes_secret should be set for session middleware"
+    if not config.session_aes_key or config.session_aes_key == "" 
+        or not config.session_aes_secret or config.session_aes_secret == "" then
+        ngx.log(ngx.ERR, err_tip)
     end
 
+    local session_key = config.session_key
+    local session_aes_key = config.session_aes_key
+    local session_aes_secret = config.session_aes_secret
+    local refresh_cookie = config.refresh_cookie
+    local timeout = config.timeout
+    ngx.log(ngx.INFO, "session middleware initialized")
+
     return function(req, res, next)
-        -- local config = config or {}
-        -- config.storage = config.storage or "cookie" -- default is “cookie”
-        -- local session = Session.new(config)
+        if not session_aes_key or not session_aes_secret then
+            return next(err_tip)
+        end
+
+        local cookie, err = ck:new()
+        if not cookie then
+            ngx.log(ngx.ERR, "cookie is nil:", err)
+        end
+
+        local current_session
+        local session_data, err = cookie:get(session_key)
+        if err then
+            ngx.log(ngx.ERR, "cannot get session_data:", err)
+        else
+            if session_data then
+                current_session = parse_session(session_data, session_aes_key, session_aes_secret)
+            end
+        end
+        current_session = current_session or {}
+
         req.session = {
-            set = function(key, value)
-                local s = Session:open({
-                    secret = config.secret
+            set = function(...)
+                local p = ...
+                if type(p) == "table" then
+                    for i, v in pairs(p) do
+                        current_session[i] = v
+                    end
+                else
+                    local params = { ... }
+                    if type(params[2]) == "table" then -- set("k", {1, 2, 3})
+                        current_session[params[1]] = params[2]
+                    else -- set("k", "123")
+                        current_session[params[1]] = params[2] or ""
+                    end
+                end
+
+                local value = encode_data(current_session, session_aes_key, session_aes_secret)
+                local expires = http_time(ngx_time() + timeout)
+                local max_age = timeout
+                local ok, err = cookie:set({
+                    key = session_key,
+                    value = value or "",
+                    expires = expires,
+                    max_age = max_age,
+                    path = "/"
                 })
 
-                s.data[key] = value
+                ngx.log(ngx.INFO, "session.set: ", value)
 
-                s.cookie.persistent = true
-                s.cookie.lifetime = config.timeout
-                s.expires = ngx_time() + config.timeout
-                s:save()
+                if err or not ok then
+                    return ngx.log(ngx.ERR, "session.set error:", err)
+                end
             end,
 
-            update = function() 
-                local s = Session:start({ 
-                    secret = config.secret
-                })
-
-                s.cookie.persistent = true
-                s.expires = ngx_time() + config.timeout
-                s.cookie.lifetime = config.timeout
-                s:save() 
+            refresh = function() 
+                if session_data and session_data ~= "" then
+                    local expires = http_time(ngx_time() + timeout)
+                    local max_age = timeout
+                    local ok, err = cookie:set({
+                        key = session_key,
+                        value = session_data or "",
+                        expires = expires,
+                        max_age = max_age,
+                        path = "/"
+                    })
+                    if err or not ok then
+                        return ngx.log(ngx.ERR, "session.refresh error:", err)
+                    end
+                end
             end,
 
             get = function(key)
-                local s = Session:open({
-                    secret = config.secret
-                })
-
-                s.cookie.persistent = true
-                s.cookie.lifetime = config.timeout
-                s.expires = ngx_time() + config.timeout
-                return s.data[key]
+                return current_session[key]
             end,
 
             destroy = function()
-                local s = Session.start({
-                    secret = config.secret
+                local expires = "Thu, 01 Jan 1970 00:00:01 GMT"
+                local max_age = 0
+                local ok, err = cookie:set({
+                    key = session_key,
+                    value = "",
+                    expires = expires,
+                    max_age = max_age,
+                    path = "/"
                 })
-                s:destroy()
+                if err or not ok then
+                    ngx.log(ngx.ERR, "session.destroy error:", err)
+                    return false
+                end
+
+                return true
             end
         }
 
-        local e, ok
-        ok = xpcall(function() 
-            if config and config.refresh_cookie == true then
-                req.session.update()
-            end
-        end, function()
-            e = traceback()
-        end)
+        if refresh_cookie then
+            local e, ok
+            ok = xpcall(function() 
+                req.session.refresh()
+            end, function()
+                e = traceback()
+            end)
 
-        if not ok then
-            ngx.log(ngx.ERR, "[session middleware]refresh cookie error, ", e)
+            if not ok then
+                ngx.log(ngx.ERR, "refresh cookie error:", e)
+            end
         end
 
         next()

lib/lor/lib/response.lua

@@ -9,7 +9,6 @@ local Response = {}
 
 function Response:new()
     --ngx.status = 200
-
     local instance = {
         http_status = nil,
         headers = {},

resty/session/ciphers/aes.lua → lib/lor/lib/utils/aes.lua

@@ -1,3 +1,4 @@
+-- from lua-resty-session
 local setmetatable = setmetatable
 local tonumber     = tonumber
 local aes          = require "resty.aes"
@@ -33,7 +34,7 @@ local cipher = {}
 cipher.__index = cipher
 
 function cipher.new(config)
-    local a = config.aes or defaults
+    local a = config and config.aes or defaults
     return setmetatable({
         size   = CIPHER_SIZES[a.size or defaults.size]   or 256,
         mode   = CIPHER_MODES[a.mode or defaults.mode]   or "cbc",
@@ -50,4 +51,4 @@ function cipher:decrypt(d, k, s)
     return aes:new(k, s, cip(self.size, self.mode), self.hash, self.rounds):decrypt(d)
 end
 
-return cipher
+return cipher

resty/session/encoders/base64.lua → lib/lor/lib/utils/base64.lua

@@ -24,4 +24,4 @@ function base64.decode(value)
     return base64dec((value:gsub("[-_.]", DECODE_CHARS)))
 end
 
-return base64
+return base64

lib/lor/lib/utils/utils.lua

@@ -68,7 +68,8 @@ end
 function _M.json_encode(data, empty_table_as_object)
     local json_value
     if json.encode_empty_table_as_object then
-        json.encode_empty_table_as_object(empty_table_as_object or false) -- empty table encoded as array default
+        -- empty table encoded as array default
+        json.encode_empty_table_as_object(empty_table_as_object or false) 
     end
     if require("ffi").os ~= "Windows" then
         json.encode_sparse_array(true)

lib/lor/lib/view.lua

@@ -51,5 +51,4 @@ function View:render(view_file, data)
     end
 end
 
-
-return View
+return View

lib/lor/lib/wrap.lua

@@ -19,7 +19,7 @@ function _M:new(create_app, Router, Group, Request, Response)
     return instance
 end
 
--- Generally, this shouled only be used by `lor` framework itself.
+-- Generally, this should only be used by `lor` framework itself.
 function _M:create_app(options)
     self.app = self.fn(options)
     return self.app

lib/lor/version.lua

@@ -1 +1 @@
-return "0.3.1"
+return "0.3.2"