From d578308c28141370ab6ef2b2990baa6fb60c2f17 Mon Sep 17 00:00:00 2001
From: Chris Cadden
Date: Wed, 26 Apr 2023 19:33:26 -0400
Subject: [PATCH] feat: add exclude_extra_attributes_from_session option to RackCAS configuration
---
 README.md | 5 +++++
 lib/rack-cas/configuration.rb | 7 ++++---
 lib/rack/cas.rb | 6 +++++-
 spec/rack/cas_spec.rb | 8 ++++++++
 4 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index fd6f44d..1e2483a 100644
--- a/README.md
+++ b/README.md
@@ -143,6 +143,11 @@ In your `config/application.rb`:
 config.rack_cas.extra_attributes_filter = %w(some_attribute some_other_attribute)
 ```
+Depending on your CAS implementation and space considerations, you can also choose to exclude **all** extra attributes from being saved in the session store.
+```ruby
+config.rack_cas.exclude_extra_attributes_from_session = true
+```
+
 Excluding Paths
 ---------------
diff --git a/lib/rack-cas/configuration.rb b/lib/rack-cas/configuration.rb
index 0988585..f991b33 100644
--- a/lib/rack-cas/configuration.rb
+++ b/lib/rack-cas/configuration.rb
@@ -1,8 +1,9 @@
 module RackCAS
 class Configuration
- SETTINGS = [:fake, :fake_attributes, :server_url, :session_store, :exclude_path, :exclude_paths, :extra_attributes_filter,
- :verify_ssl_cert, :renew, :use_saml_validation, :ignore_intercept_validator, :exclude_request_validator, :protocol,
- :redis_options, :login_url, :service]
+ SETTINGS = [:fake, :fake_attributes, :server_url, :session_store, :exclude_path, :exclude_paths,
+ :extra_attributes_filter, :exclude_extra_attributes_from_session, :verify_ssl_cert,
+ :renew, :use_saml_validation, :ignore_intercept_validator, :exclude_request_validator,
+ :protocol, :redis_options, :login_url, :service]
 SETTINGS.each do |setting|
diff --git a/lib/rack/cas.rb b/lib/rack/cas.rb
index 052e98c..38bb5b4 100644
--- a/lib/rack/cas.rb
+++ b/lib/rack/cas.rb
@@ -98,7 +98,11 @@ def store_session(request, user, ticket, extra_attrs = {})
 extra_attrs.select! { |key, val| RackCAS.config.extra_attributes_filter.map(&:to_s).include? key.to_s }
 end
- request.session['cas'] = { 'user' => user, 'ticket' => ticket, 'extra_attributes' => extra_attrs }
+ request.session['cas'] = {
+ 'user' => user,
+ 'ticket' => ticket,
+ 'extra_attributes' => RackCAS.config.exclude_extra_attributes_from_session? ? {} : extra_attrs
+ }
 end
 def redirect_to(url, status=302)
diff --git a/spec/rack/cas_spec.rb b/spec/rack/cas_spec.rb
index d93d59c..410b434 100644
--- a/spec/rack/cas_spec.rb
+++ b/spec/rack/cas_spec.rb
@@ -35,6 +35,14 @@ def app
 it { should_not have_key 'title' }
 end
+ context 'with exclude_extra_attributes_from_session set' do
+ let(:app_options) { { exclude_extra_attributes_from_session: true } }
+
+ before { get '/private?ticket=ST-0123456789ABCDEFGHIJKLMNOPQRS' }
+ subject { last_request.session['cas']['extra_attributes'] }
+ it { should be_empty }
+ end
+
 context 'with an invalid ticket' do
 before { RackCAS::ServiceValidationResponse.any_instance.stub(:user) { raise RackCAS::ServiceValidationResponse::TicketInvalidError } }
 its(:status) { should eql 302 }
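Review bot: With the option enabled, the `extra_attrs.select!` on the hunk's first context line still runs and mutates the caller's hash only for the result to be discarded on the new `'extra_attributes'` line; resolving the option once at the top of `store_session` with `extra_attrs = {} if RackCAS.config.exclude_extra_attributes_from_session?` would skip the filter and make the intent visible where the method begins. The `def store_session` line and the opening of the block that wraps the filter lie before the hunk's first line, so that one-liner lands outside the hunk. The new predicate call assumes the `SETTINGS.each` loop in configuration.rb generates a `?` method for every listed setting; its body is not in the patch, so that is worth confirming. I would also add `# Keep only user and ticket when the app has opted extra attributes out of the session store.` above the assignment, since the reason for the empty hash is otherwise only stated in the README.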
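Review bot: The new context asserts only that `extra_attributes` is empty, so a regression that dropped `user` or `ticket` from `session['cas']` along with the attributes would still pass, and that is the login state the option must not touch. Pointing the subject at the whole hash lets the test pin both halves in the style the sibling contexts use: `subject { last_request.session['cas'] }`, `its(['extra_attributes']) { should be_empty }`, `it { should include('user', 'ticket') }`. The spec's `def app` helper and the `app_options` plumbing it reads are outside the hunk, so I am inferring that `let(:app_options)` reaches the middleware's configuration the same way the `extra_attributes_filter` context above does.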