diff --git a/CHANGELOG b/CHANGELOG
index 24da56c1..7aca989a 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,4 +1,4 @@
-= master
+= 3.80.0 (2024-05-10)
 * Support :namespace option in hmac_paths plugin, allowing for easy per-user/per-group HMAC paths (jeremyevans)
diff --git a/doc/release_notes/3.80.0.txt b/doc/release_notes/3.80.0.txt
new file mode 100644
index 00000000..5a8270d7
--- /dev/null
+++ b/doc/release_notes/3.80.0.txt
@@ -0,0 +1,31 @@
+= New Features
+
+* The hmac_paths plugin now supports a :namespace option for both hmac_path and
+ r.hmac_path. The :namespace option makes the generated HMAC values unique
+ per namespace, allowing easy use of per user/group HMAC paths. This can
+ be useful if the same path will show different information to different
+ users/groups, and you want to prevent path enumeration for each user/group
+ (not allow paths enumerated by one user/group to be valid for a different
+ user/group). Example:
+
+ hmac_path('/widget/1', namespace: '1')
+ # => "/3793ac2a72ea399c40cbd63f154d19f0fe34cdf8d347772134c506a0b756d590/n/widget/1"
+
+ hmac_path('/widget/1', namespace: '2')
+ # => "/0e1e748860d4fd17fe9b7c8259b1e26996502c38e465f802c2c9a0a13000087c/n/widget/1"
+
+ The HMAC path created with namespace: '1' will only be valid when calling
+ r.hmac_path with namespace: '1' (similar for namespace: '2').
+
+ It is expected that the most common use of the :namespace option is to
+ reference session values, so the value of each path depends on the logged in
+ user. You can use the :namespace_session_key plugin option to set the
+ default namespace for both hmac_path and r.hmac_path:
+
+ plugin :hmac_paths, secret: 'some-secret-value-with-at-least-32-bytes',
+ namespace_session_key: 'account_id'
+
+ This will use session['account_id'] (converted to a string) as the namespace
+ for both hmac_path and r.hmac_path, unless a specific :namespace option is
+ given, making it simple to implement per user/group HMAC paths across an
+ application.
diff --git a/lib/roda/version.rb b/lib/roda/version.rb
index a3949a14..66b3be34 100644
--- a/lib/roda/version.rb
+++ b/lib/roda/version.rb
@@ -4,7 +4,7 @@ class Roda
 RodaMajorVersion = 3
 # The minor version of Roda, updated for new feature releases of Roda.
- RodaMinorVersion = 79
+ RodaMinorVersion = 80
 # The patch version of Roda, updated only for bug fixes from the last
 # feature release.