Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Data securely stored in urls.

tag: v0.3.2

Fetching latest commit…

Octocat-spinner-32-eaf2f5

Cannot retrieve the latest commit at this time

Octocat-spinner-32 lib
Octocat-spinner-32 spec
Octocat-spinner-32 Gemfile
Octocat-spinner-32 Gemfile.lock
Octocat-spinner-32 Rakefile
Octocat-spinner-32 Readme.md
Octocat-spinner-32 VERSION
Octocat-spinner-32 url_store.gemspec
Readme.md

Data securely stored in urls.

  • url-save output
  • short codes through GZip
  • serializing through :marshal :yaml
  • hashing through DSS DSS1 MD2 MD4 MD5 MDC2 RIPEMD160 SHA SHA1 SHA224 SHA256 SHA384 SHA512

Great for:

  • password reset links
  • email unsubscribe links
  • click tracking
  • access control
  • ...

Install

When using Rails 3, include it in your Gemfile:

gem 'url_store'

When using Rails 2 or no rails at all:

sudo gem install url_store

Or as Rails plugin:

rails plugin install git://github.com/grosser/url_store.git

Usage

When on Rails, create config/initializers/url_store.rb using generator. A random secret will be generated for you:

rails generate url_store:initializer

Or configure it by hand (e.g in environment.rb):

UrlStore.defaults = {:secret => 'adadasd2adsdasd4ads4eas4dea4dsea4sd'}

In Rails views:

<%= link_to 'paid', :controller =>:payments, :action=>:paid, :data=>UrlStore.encode(:id=>1, :status=>'paid') %>

In controllers:

if data = UrlStore.decode(params[:data])
  Payment.find(data[:id]).update_attribute(:status, data[:status])
else
  raise 'FRAUD!'
end

Defaults

UrlStore.defaults = {:secret => 'something random'} # ALWAYS use your own secret
UrlStore.defaults = {... , :hasher => 'MD5'} # default: 'SHA1'
UrlStore.defaults = {... , :serializer => :yaml} # default: :marshal

Tips

  • If you need multiple UrlStores, just use UrlStore.new(:secret => 'sadasd', ...)
  • As long as you stay under 2k chars there should be no problems. max url lengths per browser/server
  • Data is not (yet) encrypted, users could read(but not change) the encoded data
  • Replay attacks are possible <-> add a timestamp to check the freshness of the encoded data

Authors

Contributors

Michael Grosser
michael@grosser.it
Hereby placed under public domain, do what you want, just do not hold anyone accountable...

Something went wrong with that request. Please try again.