s/check/validate/

[catagits/Web-Session.git] / lib / Plack / Session / State.pm

diff --git a/lib/Plack/Session/State.pm b/lib/Plack/Session/State.pm
index 9b8314f..8e196f0 100644 (file)
--- a/lib/Plack/Session/State.pm
+++ b/lib/Plack/Session/State.pm
@@ -2,9 +2,12 @@ package Plack::Session::State;
 use strict;
 use warnings;
 
+use Digest::SHA1 ();
+
 use Plack::Util::Accessor qw[
     session_key
     sid_generator
+    sid_validator
 ];
 
 sub new {
@@ -13,9 +16,9 @@ sub new {
     $params{'_expired'}      ||= +{};
     $params{'session_key'}   ||= 'plack_session';
     $params{'sid_generator'} ||= sub {
-        require Digest::SHA1;
         Digest::SHA1::sha1_hex(rand() . $$ . {} . time)
     };
+    $params{'sid_validator'} ||= qr/\A[0-9a-f]{40}\Z/;
 
     bless { %params } => $class;
 }
@@ -36,16 +39,36 @@ sub check_expired {
     return $id;
 }
 
+sub validate_request_session_id {
+    my ($self, $request) = @_;
+
+    my $reqest_session_id = $self->get_request_session_id($request);
+    my $sid_validator = $self->sid_validator;
+
+    defined $reqest_session_id && $reqest_session_id =~ m{$sid_validator};
+}
+
 sub get_session_id {
     my ($self, $request) = @_;
-    $self->extract( $request )
+    (
+        $self->validate_request_session_id($request)
+        &&
+        $self->extract( $request )
+    )
         ||
     $self->generate( $request )
 }
 
+sub get_request_session_id {
+    my ($self, $request ) = @_;
+
+    $request->param( $self->session_key );
+}
+
 sub extract {
     my ($self, $request) = @_;
-    $self->check_expired( $request->param( $self->session_key ) );
+
+    $self->check_expired( $self->get_request_session_id($request) );
 }
 
 sub generate {
@@ -69,21 +92,56 @@ __END__
 
 Plack::Session::State - Basic parameter-based session state
 
+=head1 SYNOPSIS
+
+  use Plack::Builder;
+  use Plack::Middleware::Session;
+  use Plack::Session::State;
+
+  my $app = sub {
+      return [ 200, [ 'Content-Type' => 'text/plain' ], [ 'Hello Foo' ] ];
+  };
+
+  builder {
+      enable 'Session',
+          state => Plack::Session::State->new;
+      $app;
+  };
+
 =head1 DESCRIPTION
 
+This will maintain session state by passing the session through
+the request params. It does not do this automatically though,
+you are responsible for passing the session param.
+
+This should be considered the state "base" class (although
+subclassing is not a requirement) and defines the spec for
+all B<Plack::Session::State::*> modules. You will only
+need to override a couple methods if you do subclass. See
+L<Plack::Session::State::Cookie> for an example of this.
+
 =head1 METHODS
 
 =over 4
 
 =item B<new ( %params )>
 
+The C<%params> can include I<session_key>, I<sid_generator> and I<sid_checker>
+however in both cases a default will be provided for you.
+
 =item B<session_key>
 
 This is the name of the session key, it default to 'plack_session'.
 
 =item B<sid_generator>
 
-This is a CODE ref used to generate unique session ids.
+This is a CODE ref used to generate unique session ids, by default
+it will generate a SHA1 using fairly sufficient entropy. If you are
+concerned or interested, just read the source.
+
+=item B<sid_validator>
+
+This is a regex used to validate requested session id,
 
 =back
 
@@ -98,6 +156,8 @@ if the is expired or does not exist, it will then generate a new
 session. The C<$request> is expected to be a L<Plack::Request> instance
 or an object with an equivalent interface.
 
+=item B<get_request_session_id ( $request )>
+
 =item B<extract ( $request )>
 
 This will attempt to extract the session from a C<$request> by looking