Module: Otto::ResponseHelpers

Defined in:
lib/otto/helpers/response.rb

Instance Attribute Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#requestObject

Returns the value of attribute request.



5
6
7
 
# File 'lib/otto/helpers/response.rb', line 5

def request
  @request
end

Instance Method Details



89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
 
# File 'lib/otto/helpers/response.rb', line 89

def cookie_security_headers
  # Add security headers that complement cookie security
  headers = {}

  # Prevent MIME type sniffing
  headers['x-content-type-options'] = 'nosniff'

  # Add referrer policy
  headers['referrer-policy'] = 'strict-origin-when-cross-origin'

  # Add frame options
  headers['x-frame-options'] = 'DENY'

  # Add XSS protection
  headers['x-xss-protection'] = '1; mode=block'

  headers
end

#delete_cookie(name, opts = {}) ⇒ Object 



55
56
57
58
59
60
61
62
63
64
65
66
 
# File 'lib/otto/helpers/response.rb', line 55

def delete_cookie(name, opts = {})
  # Ensure we use the same path and domain when deleting
  delete_opts = {
    path: opts[:path] || '/',
    domain: opts[:domain],
    secure: opts[:secure],
    httponly: opts[:httponly],
    samesite: opts[:samesite]
  }.compact

  send_cookie name, '', -1, delete_opts
end

#send_cookie(name, value, ttl, opts = {}) ⇒ Object 



11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
 
# File 'lib/otto/helpers/response.rb', line 11

def send_cookie(name, value, ttl, opts = {})
  # Default security options
  defaults = {
    secure: true,
    httponly: true,
    samesite: :lax,
    path: '/'
  }

  # Merge with provided options
  cookie_opts = defaults.merge(opts)

  # Adjust secure flag for local development
  if request.local?
    cookie_opts[:secure] = false
  end

  # Set expiration using max-age (preferred) and expires (fallback)
  if ttl && ttl > 0
    cookie_opts[:max_age] = ttl
    cookie_opts[:expires] = (Time.now.utc + ttl + 10)
  elsif ttl && ttl < 0
    # For deletion, set both to past date
    cookie_opts[:max_age] = 0
    cookie_opts[:expires] = Time.now.utc - 86400
  end

  # Set the cookie value
  cookie_opts[:value] = value

  # Validate SameSite attribute
  valid_samesite = [:strict, :lax, :none, 'Strict', 'Lax', 'None']
  unless valid_samesite.include?(cookie_opts[:samesite])
    cookie_opts[:samesite] = :lax
  end

  # If SameSite=None, Secure must be true
  if cookie_opts[:samesite].to_s.downcase == 'none'
    cookie_opts[:secure] = true
  end

  set_cookie name, cookie_opts
end

#send_secure_cookie(name, value, ttl, opts = {}) ⇒ Object 



7
8
9
 
# File 'lib/otto/helpers/response.rb', line 7

def send_secure_cookie(name, value, ttl, opts = {})
  send_cookie name, value, ttl, opts.merge(secure: true)
end

#send_session_cookie(name, value, opts = {}) ⇒ Object 



68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
 
# File 'lib/otto/helpers/response.rb', line 68

def send_session_cookie(name, value, opts = {})
  # Session cookies don't have expiration
  session_opts = opts.merge(
    secure: true,
    httponly: true,
    samesite: :lax
  )

  # Remove expiration-related options for session cookies
  session_opts.delete(:max_age)
  session_opts.delete(:expires)

  # Adjust secure flag for local development
  if request.local?
    session_opts[:secure] = false
  end

  session_opts[:value] = value
  set_cookie name, session_opts
end