merged changes from zimbatm

lib/slanger/api/request_validation.rb

@@ -14,9 +14,13 @@ def body
       end
 
       def parse_body!
-        JSON.parse(raw_body)
-      rescue
-        raise Signature::AuthenticationError.new("Invalid request body: #{raw_body}")
+        assert_valid_json!(raw_body)
+      end
+
+      def assert_valid_json!(string)
+        yield JSON.parse(string)
+      rescue JSON::ParserError
+        raise Slanger::InvalidRequest.new("Invalid request body: #{raw_body}")
       end
 
       def authenticate!
@@ -31,6 +35,7 @@ def auth_params
 
       def validate!
         determine_valid_socket_id
+        determine_valid_channel_id
       end
 
       def socket_id
@@ -42,14 +47,14 @@ def params
       end
 
       def data
-        @data ||= JSON.parse(raw_body.tap{ |s| s.force_encoding('utf-8')})
+        @data ||= assert_valid_json!(raw_body.tap{ |s| s.force_encoding('utf-8')})
       end
 
       private
 
       def determine_valid_socket_id
-        return validate_socket_id!(data["socket_id"]) if data["socket_id"]
-        return validate_socket_id!(params["socket_id"]) if params["socket_id"]
+        return Slanger::Validate.socket_id!(data["socket_id"])   if data["socket_id"]
+        return Slanger::Validate.socket_id!(params["socket_id"]) if params["socket_id"]
       end
 
       def validate_raw_params!
@@ -58,7 +63,7 @@ def validate_raw_params!
         invalid_keys = restricted.keys - user_params.keys
 
         if invalid_keys.any?
-          raise Signature::AuthenticationError.new "Invalid params: #{invalid_keys}"
+          raise Slanger::InvalidRequest.new "Invalid params: #{invalid_keys}"
         end
 
         restricted
@@ -67,18 +72,6 @@ def validate_raw_params!
       def user_params
         raw_params.reject{|k,_| %w(splat captures).include?(k)}
       end
-
-      def validate_socket_id!(socket_id)
-        unless valid_socket_id?(socket_id)
-          raise Signature::AuthenticationError.new("Invalid socket_id: #{socket_id}")
-        end
-
-        socket_id
-      end
-
-      def valid_socket_id?(socket_id)
-        socket_id =~ /\A[\da-fA-F]{8}\-[\da-fA-F]{4}-[\da-fA-F]{4}-[\da-fA-F]{4}-[\da-fA-F]{12}\z/
-      end
     end
   end
 end

lib/slanger/api_server.rb

@@ -17,6 +17,7 @@ class ApiServer < Sinatra::Base
 
     # Respond with HTTP 401 Unauthorized if request cannot be authenticated.
     error(Signature::AuthenticationError) { |e| halt 401, "401 UNAUTHORIZED\n#{e}" }
+    error(Slanger::InvalidRequest) { |c| halt 400, "Bad Request\n" }
 
     post '/apps/:app_id/events' do
       authenticate
@@ -60,6 +61,8 @@ def authenticate
     end
 
     def publish(channel, event, data, socket_id)
+      Slanger::Validate.channel_name(channel)
+      Slanger::Validate.socket_id(socket_id) if socket_id
       Slanger::Redis.publish(channel, payload(channel, event, data, socket_id))
     end
   end

lib/slanger/subscription.rb

@@ -4,6 +4,7 @@ class Subscription
     delegate :send_payload, :send_message, :error, :socket_id, to: :connection
 
     def initialize socket, socket_id, msg
+      Slanger::Validate.socket_id socket_id
       @connection = Connection.new socket, socket_id
       @msg        = msg
     end

lib/slanger/validate.rb

@@ -0,0 +1,23 @@
+module Slanger
+  module Validate
+    InvalidRequest = Class.new ArgumentError
+
+    def socket_id(socket_id)
+      if socket_id !~ /\A\d+\.\d+\z/
+        raise InvalidRequest, "Invalid socket_id #{socket_id.inspect}"
+      end
+
+      socket_id
+    end
+
+    def channel_id(channel_id)
+      if channel_id !~ /\A[\w@\-;]+\z/
+        raise InvalidRequest, "Invalid channel_id #{channel_id.inspect}"
+      end
+
+      channel_id
+    end
+
+    extend self
+  end
+end