Add support for legacy format session ids

Author: ryokdy

README.md

@@ -23,7 +23,7 @@ Run the session store as a Rack middleware in the following way:
     use Aws::SessionStore::DynamoDB::RackMiddleware.new(options)
     run SomeRackApp
 
-Note that `:secret_key` is a mandatory configuration option that must be set.
+Note that `:secret_key` is a configuration option that is used for the older version.
 
 ## Detailed Usage
 

lib/aws-sessionstore-dynamodb.rb

@@ -6,6 +6,7 @@ module DynamoDB; end
 
 require 'aws/session_store/dynamo_db/configuration'
 require 'aws/session_store/dynamo_db/invalid_id_error'
+require 'aws/session_store/dynamo_db/missing_secret_key_error'
 require 'aws/session_store/dynamo_db/errors/base_handler'
 require 'aws/session_store/dynamo_db/errors/default_handler'
 require 'aws/session_store/dynamo_db/garbage_collection'

lib/aws/session_store/dynamo_db/configuration.rb

@@ -40,7 +40,8 @@ class Configuration
       :write_capacity => 5,
       :raise_errors => false,
       # :max_age => 7*3600*24,
-      # :max_stale => 3600*5
+      # :max_stale => 3600*5,
+      :secret_key => nil
     }
 
     ### Feature options
@@ -81,6 +82,9 @@ class Configuration
     #   before the current time that the session was last accessed.
     attr_reader :max_stale
 
+    # @return [String] The secret key for HMAC encryption of legacy sid.
+    attr_reader :secret_key
+
     # @return [String,Pathname]
     attr_reader :config_file
 
@@ -126,6 +130,8 @@ class Configuration
     #   from the current time that a session was created.
     # @option options [Integer] :max_stale (nil) Maximum number of seconds
     #   before current time that session was last accessed.
+    # @option options [String] :secret_key (SecureRandom.hex(64))
+    #   Secret key for HMAC encription.
     def initialize(options = {})
       @options = default_options.merge(
         env_options.merge(

lib/aws/session_store/dynamo_db/errors/default_handler.rb

@@ -4,7 +4,8 @@ class DefaultHandler < Aws::SessionStore::DynamoDB::Errors::BaseHandler
     # Array of errors that will always be passed up the Rack stack.
     HARD_ERRORS = [
       Aws::DynamoDB::Errors::ResourceNotFoundException,
-      Aws::DynamoDB::Errors::ConditionalCheckFailedException
+      Aws::DynamoDB::Errors::ConditionalCheckFailedException,
+      Aws::SessionStore::DynamoDB::MissingSecretKeyError
     ]
 
     # Determines behavior of DefaultErrorHandler

lib/aws/session_store/dynamo_db/missing_secret_key_error.rb

@@ -0,0 +1,7 @@
+module Aws::SessionStore::DynamoDB
+  class MissingSecretKeyError < RuntimeError
+    def initialize(msg = "No secret key provided!")
+      super
+    end
+  end
+end

lib/aws/session_store/dynamo_db/rack_middleware.rb

@@ -23,14 +23,32 @@ def find_session(req, sid)
       if req.session.options[:skip]
         [generate_sid, {}]
       else
-        unless sid and session = @lock.get_session_data(req.env, sid.private_id)
+        session = find_session_data(req, sid)
+        unless session
           session = {}
           sid = generate_unique_sid(req.env, session)
         end
         [sid, session]
       end
     end
 
+    # Generate HMAC hash based on MD5
+    def generate_hmac(sid, secret)
+      OpenSSL::HMAC.hexdigest(OpenSSL::Digest::MD5.new, secret, sid).strip()
+    end
+
+    # Get session data from DynamoDB.
+    def find_session_data(req, sid)
+      return nil unless sid
+      digest, ver_sid  = sid.public_id.split("--")
+      if ver_sid && @config.secret_key && digest == generate_hmac(ver_sid, @config.secret_key)
+        # Legacy session id format
+        @lock.get_session_data(req.env, sid.public_id)
+      else
+        @lock.get_session_data(req.env, sid.private_id)
+      end
+    end
+
     def generate_unique_sid(env, session)
       env['dynamo_db.new_session'] = 'true'
       generate_sid

spec/aws/session_store/dynamo_db/rack_middleware_spec.rb

@@ -35,10 +35,12 @@ def ensure_data_updated(mutated_data)
 
         before do
           @options = {
-            dynamo_db_client: dynamo_db_client
+            dynamo_db_client: dynamo_db_client,
+            secret_key: secret_key
           }
         end
 
+        let(:secret_key) { 'watermelon_cherries' }
         let(:app) { RoutedRackApp.build(@options) }
         let(:sample_packed_data) do
           [Marshal.dump('multiplier' => 1)].pack('m*')
@@ -140,6 +142,30 @@ def ensure_data_updated(mutated_data)
             get '/', { 'HTTP_Cookie' => session_cookie }
           end
         end
+
+        describe 'Legacy session id format' do
+          let(:legacy_session_id) do
+            sid = SecureRandom.hex(16)
+            sid.encode!(Encoding::UTF_8)
+            "#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('MD5'), secret_key, sid).strip}--" + sid
+          end
+
+          it 'loads/manipulates a session based on legacy session id' do
+            expect(dynamo_db_client).to receive(:get_item).with(
+              {
+                :attributes_to_get => ["data"],
+                :consistent_read => true,
+                :key => {
+                  "session_id" => legacy_session_id
+                },
+                :table_name=>"sessions"
+              }
+            )
+            set_cookie("_session_id=#{legacy_session_id}; path=/; httponly")
+            get '/'
+            expect(last_request.session.to_hash).to eq('multiplier' => 2)
+          end
+        end
       end
     end
   end