Allow for custom env settings to be set and simple csrf support

Gemfile

@@ -1,4 +1,4 @@
-source :rubygems
+source 'https://rubygems.org'
 
 gem 'rspec'
 gem "rack"

Gemfile.lock

@@ -1,24 +1,24 @@
 GEM
-  remote: http://rubygems.org/
+  remote: https://rubygems.org/
   specs:
-    diff-lcs (1.1.3)
-    rack (1.4.0)
-    rack-protection (1.2.0)
+    diff-lcs (1.2.3)
+    rack (1.5.2)
+    rack-protection (1.5.0)
       rack
-    rake (0.9.2)
-    rspec (2.8.0)
-      rspec-core (~> 2.8.0)
-      rspec-expectations (~> 2.8.0)
-      rspec-mocks (~> 2.8.0)
-    rspec-core (2.8.0)
-    rspec-expectations (2.8.0)
-      diff-lcs (~> 1.1.2)
-    rspec-mocks (2.8.0)
-    sinatra (1.3.2)
-      rack (~> 1.3, >= 1.3.6)
-      rack-protection (~> 1.2)
-      tilt (~> 1.3, >= 1.3.3)
-    tilt (1.3.3)
+    rake (10.0.4)
+    rspec (2.13.0)
+      rspec-core (~> 2.13.0)
+      rspec-expectations (~> 2.13.0)
+      rspec-mocks (~> 2.13.0)
+    rspec-core (2.13.1)
+    rspec-expectations (2.13.0)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.13.1)
+    sinatra (1.4.2)
+      rack (~> 1.5, >= 1.5.2)
+      rack-protection (~> 1.4)
+      tilt (~> 1.3, >= 1.3.4)
+    tilt (1.3.7)
 
 PLATFORMS
   java

lib/rack/test.rb

@@ -35,6 +35,7 @@ class Session
       # (See README.rdoc for an example)
       def initialize(mock_session)
         @headers = {}
+        @env = {}
 
         if mock_session.is_a?(MockSession)
           @rack_mock_session = mock_session
@@ -139,6 +140,19 @@ def header(name, value)
         end
       end
 
+      # Set an env var to be included on all subsequent requests through the
+      # session. Use a value of nil to remove a previously configured env.
+      #
+      # Example:
+      #   env "rack.session", {:csrf => 'token'}
+      def env(name, value)
+        if value.nil?
+          @env.delete(name)
+        else
+          @env[name] = value
+        end
+      end
+
       # Set the username and password for HTTP Basic authorization, to be
       # included in subsequent requests in the HTTP_AUTHORIZATION header.
       #
@@ -271,7 +285,7 @@ def digest_auth_configured?
       end
 
       def default_env
-        { "rack.test" => true, "REMOTE_ADDR" => "127.0.0.1" }.merge(headers_for_env)
+        { "rack.test" => true, "REMOTE_ADDR" => "127.0.0.1" }.merge(@env).merge(headers_for_env)
       end
 
       def headers_for_env

lib/rack/test/methods.rb

@@ -67,6 +67,7 @@ def _current_session_names # :nodoc:
         :head,
         :follow_redirect!,
         :header,
+        :env,
         :set_cookie,
         :clear_cookies,
         :authorize,

spec/rack/test_spec.rb

@@ -289,6 +289,46 @@ def close
     end
   end
 
+  describe "#env" do
+    it "sets the env to be sent with requests" do
+      env "rack.session", {:csrf => 'token'}
+      request "/"
+
+      last_request.env["rack.session"].should == {:csrf => 'token'}
+    end
+
+    it "persists across multiple requests" do
+      env "rack.session", {:csrf => 'token'}
+      request "/"
+      request "/"
+
+      last_request.env["rack.session"].should == {:csrf => 'token'}
+    end
+
+    it "overwrites previously set envs" do
+      env "rack.session", {:csrf => 'token'}
+      env "rack.session", {:some => :thing}
+      request "/"
+
+      last_request.env["rack.session"].should == {:some => :thing}
+    end
+
+    it "can be used to clear a env" do
+      env "rack.session", {:csrf => 'token'}
+      env "rack.session", nil
+      request "/"
+
+      last_request.env.should_not have_key("X_CSRF_TOKEN")
+    end
+
+    it "is overridden by envs sent during the request" do
+      env "rack.session", {:csrf => 'token'}
+      request "/", "rack.session" => {:some => :thing}
+
+      last_request.env["rack.session"].should == {:some => :thing}
+    end
+  end
+
   describe "#authorize" do
     it "sets the HTTP_AUTHORIZATION header" do
       authorize "bryan", "secret"