Ensure basic token requirements

Andrew Kane committed Aug 12, 2016

commit 5527b4eb7a517dd56d35651f362209298c0a8862

Showing 2 changed files with 17 additions and 6 deletions

CHANGELOG.md +1 -0

@@	@@ -1,6 +1,7 @@
	## 1.4.3 [unreleased]

	- Fixed visit recreation on cookie expiration
+	- Ensure basic token requirements

	## 1.4.2

ahoy/tracker.rb b/lib/ahoy/tracker.rb +16 -6

@@	@@ -60,11 +60,11 @@ module Ahoy
	end

	def visit_id
-	@visit_id \|\|= ensure_uuid(existing_visit_id \|\| visit_token)
+	@visit_id \|\|= ensure_uuid(existing_visit_id \|\| visit_token_helper)
	end

	def visitor_id
-	@visitor_id \|\|= ensure_uuid(existing_visitor_id \|\| visitor_token)
+	@visitor_id \|\|= ensure_uuid(existing_visitor_id \|\| visitor_token_helper)
	end

	def new_visit?
@@	@@ -90,18 +90,24 @@ module Ahoy
	@visit_properties \|\|= Ahoy::VisitProperties.new(request, @options.slice(:api))
	end

-	# for ActiveRecordTokenStore only - do not use
	def visit_token
-	@visit_token \|\|= existing_visit_id \|\| (@options[:api] && request.params["visit_token"]) \|\| generate_id
+	@visit_token \|\|= ensure_token(visit_token_helper)
	end

-	# for ActiveRecordTokenStore only - do not use
	def visitor_token
-	@visitor_token \|\|= existing_visitor_id \|\| (@options[:api] && request.params["visitor_token"]) \|\| generate_id
+	@visitor_token \|\|= ensure_token(visitor_token_helper)
	end

	protected

+	def visit_token_helper
+	@visit_token_helper \|\|= existing_visit_id \|\| (@options[:api] && request.params["visit_token"]) \|\| generate_id
+	end
+
+	def visitor_token_helper
+	@visitor_token_helper \|\|= existing_visitor_id \|\| (@options[:api] && request.params["visitor_token"]) \|\| generate_id
+	end
+
	def set_cookie(name, value, duration = nil)
	cookie = {
	value: value
@@	@@ -151,6 +157,10 @@ module Ahoy
	Ahoy.ensure_uuid(id)
	end

+	def ensure_token(token)
+	token.to_s.gsub(/[^a-z0-9\-]/i, "").first(64)
+	end
+
	def debug(message)
	Rails.logger.debug { "[ahoy] #{message}" }
	end