actionpack 7.2.3 → 8.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e774a50c3ffb6c9c4f387e2bf3632992f1979e8b050cdd481e0ff41fc289f4d4
-  data.tar.gz: b433f1b952b2cca2850d40a668bbf4196a72dd1981ede7714348607cb79fadb1
+  metadata.gz: 1fea6ba071295e83d6e5781df7582dfe27d5f3757183dfac91bf650b090e445e
+  data.tar.gz: ffcc0f47bbc76b7491946fbd0cf039d3d61201e9e389417dba5d6b2fd5b66a77
 SHA512:
-  metadata.gz: 7c48de1742782bbad870035834911eb2bac273330d2d34317c2d670f02d762d9998f024491fe37e17b8628f4255844d66fec7522bb47e10668e0a775e160e6c4
-  data.tar.gz: d72cf3db810cc51bfca8ff37af293e22a4089838ec00fb8cc44dce15d77255937a7221a90b6fdd2dc38f01803abd42757641b5fb665d6c121111bf3e548022f4
+  metadata.gz: 787632a979e611d3c63181e8cde8c4da8b1c7aabdcff0e8bed08bc675f0140cd0de24f8c867130e8db78512a2db2f6ad529c1fc28d5df76106c14b382e1c306a
+  data.tar.gz: 3171d0030c6cff57a0797a88d6b3250c9c074f150d2ca44b577e020d913158eaaa80fd860dd8e42982bc36b32e9aa7c7630f760ac451615358d1f6be478fd53d

data/CHANGELOG.md

@@ -1,9 +1,28 @@
-## Rails 7.2.3 (October 28, 2025) ##
+## Rails 8.0.4 (October 28, 2025) ##
 
 *   Submit test requests using `as: :html` with `Content-Type: x-www-form-urlencoded`
 
     *Sean Doyle*
 
+
+## Rails 8.0.3 (September 22, 2025) ##
+
+*   URL helpers for engines mounted at the application root handle `SCRIPT_NAME` correctly.
+
+    Fixed an issue where `SCRIPT_NAME` is not applied to paths generated for routes in an engine
+    mounted at "/".
+
+    *Mike Dalessio*
+
+*   Fix `Rails.application.reload_routes!` from clearing almost all routes.
+
+    When calling `Rails.application.reload_routes!` inside a middleware of
+    a Rake task, it was possible under certain conditions that all routes would be cleared.
+    If ran inside a middleware, this would result in getting a 404 on most page you visit.
+    This issue was only happening in development.
+
+    *Edouard Chin*
+
 *   Address `rack 3.2` deprecations warnings.
 
     ```
@@ -11,10 +30,14 @@
     Please use :unprocessable_content instead.
     ```
 
-    Rails API will transparently convert one into the other for the forseable future.
+    Rails API will transparently convert one into the other for the foreseeable future.
 
     *Earlopain*, *Jean Boussier*
 
+*   Support hash-source in Content Security Policy.
+
+    *madogiwa*
+
 *   Always return empty body for HEAD requests in `PublicExceptions` and
     `DebugExceptions`.
 
@@ -22,218 +45,248 @@
 
     *Hartley McGuire*
 
-*   Fix `url_for` to handle `:path_params` gracefully when it's not a `Hash`.
 
-    Prevents various security scanners from causing exceptions.
+## Rails 8.0.2.1 (August 13, 2025) ##
 
-    *Martin Emde*
-
-*   Fix `ActionDispatch::Executor` to unwrap exceptions like other error reporting middlewares.
+*   No changes.
 
-    *Jean Boussier*
+## Rails 8.0.2 (March 12, 2025) ##
 
-*   Fix NoMethodError when a non-string CSRF token is passed through headers.
+*   Improve `with_routing` test helper to not rebuild the middleware stack.
 
-    *Ryan Heneise*
+    Otherwise some middleware configuration could be lost.
 
-*   Fix invalid response when rescuing `ActionController::Redirecting::UnsafeRedirectError` in a controller.
+    *Édouard Chin*
 
-    *Alex Ghiculescu*
+*   Add resource name to the `ArgumentError` that's raised when invalid `:only` or `:except` options are given to `#resource` or `#resources`
 
+    This makes it easier to locate the source of the problem, especially for routes drawn by gems.
 
-## Rails 7.2.2.2 (August 13, 2025) ##
+    Before:
+    ```
+    :only and :except must include only [:index, :create, :new, :show, :update, :destroy, :edit], but also included [:foo, :bar]
+    ```
 
-*   No changes.
+    After:
+    ```
+    Route `resources :products` - :only and :except must include only [:index, :create, :new, :show, :update, :destroy, :edit], but also included [:foo, :bar]
+    ```
 
+    *Jeremy Green*
 
-## Rails 7.2.2.1 (December 10, 2024) ##
+*   Fix `url_for` to handle `:path_params` gracefully when it's not a `Hash`.
 
-*   Add validation to content security policies to disallow spaces and semicolons.
-    Developers should use multiple arguments, and different directive methods instead.
+    Prevents various security scanners from causing exceptions.
 
-    [CVE-2024-54133]
+    *Martin Emde*
 
-    *Gannon McGibbon*
+*   Fix `ActionDispatch::Executor` to unwrap exceptions like other error reporting middlewares.
 
+    *Jean Boussier*
 
-## Rails 7.2.2 (October 30, 2024) ##
 
-*   Fix non-GET requests not updating cookies in `ActionController::TestCase`.
+## Rails 8.0.1 (December 13, 2024) ##
 
-    *Jon Moss*, *Hartley McGuire*
+*   Add `ActionDispatch::Request::Session#store` method to conform Rack spec.
 
+    *Yaroslav*
 
-## Rails 7.2.1.2 (October 23, 2024) ##
 
-*   No changes.
+## Rails 8.0.0.1 (December 10, 2024) ##
 
+*   Add validation to content security policies to disallow spaces and semicolons.
+    Developers should use multiple arguments, and different directive methods instead.
 
-## Rails 7.2.1.1 (October 15, 2024) ##
+    [CVE-2024-54133]
 
-*   Avoid regex backtracking in HTTP Token authentication
+    *Gannon McGibbon*
 
-    [CVE-2024-47887]
 
-    *John Hawthorn*
+## Rails 8.0.0 (November 07, 2024) ##
 
-*   Avoid regex backtracking in query parameter filtering
+*   No changes.
 
-    [CVE-2024-41128]
 
-    *John Hawthorn*
+## Rails 8.0.0.rc2 (October 30, 2024) ##
 
+*   Fix routes with `::` in the path.
 
-## Rails 7.2.1 (August 22, 2024) ##
+    *Rafael Mendonça França*
 
-*   Fix `Request#raw_post` raising `NoMethodError` when `rack.input` is `nil`.
+*   Maintain Rack 2 parameter parsing behaviour.
 
-    *Hartley McGuire*
+    *Matthew Draper*
 
 
-## Rails 7.2.0 (August 09, 2024) ##
+## Rails 8.0.0.rc1 (October 19, 2024) ##
 
-*   Allow bots to ignore `allow_browser`.
+*   Remove `Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality`.
 
-    *Matthew Nguyen*
+    *Rafael Mendonça França*
 
-*   Include the HTTP Permissions-Policy on non-HTML Content-Types
-    [CVE-2024-28103]
+*   Improve `ActionController::TestCase` to expose a binary encoded `request.body`.
 
-    *Aaron Patterson*, *Zack Deveau*
+    The rack spec clearly states:
 
-*   Fix `Mime::Type.parse` handling type parameters for HTTP Accept headers.
+    > The input stream is an IO-like object which contains the raw HTTP POST data.
+    > When applicable, its external encoding must be “ASCII-8BIT” and it must be opened in binary mode.
 
-    *Taylor Chaparro*
+    Until now its encoding was generally UTF-8, which doesn't accurately reflect production
+    behavior.
 
-*   Fix the error page that is displayed when a view template is missing to account for nested controller paths in the
-    suggested correct location for the missing template.
+    *Jean Boussier*
 
-    *Joshua Young*
+*   Update `ActionController::AllowBrowser` to support passing method names to `:block`
 
-*   Add `save_and_open_page` helper to `IntegrationTest`.
+    ```ruby
+    class ApplicationController < ActionController::Base
+      allow_browser versions: :modern, block: :handle_outdated_browser
 
-    `save_and_open_page` is a helpful helper to keep a short feedback loop when working on system tests.
-    A similar helper with matching signature has been added to integration tests.
+      private
+        def handle_outdated_browser
+          render file: Rails.root.join("public/custom-error.html"), status: :not_acceptable
+        end
+    end
+    ```
 
-    *Joé Dupuis*
+    *Sean Doyle*
 
-*   Fix a regression in 7.1.3 passing a `to:` option without a controller when the controller is already defined by a scope.
+*   Raise an `ArgumentError` when invalid `:only` or `:except` options are passed into `#resource` and `#resources`.
 
-    ```ruby
-    Rails.application.routes.draw do
-      controller :home do
-        get "recent", to: "recent_posts"
-      end
-    end
-    ```
+    *Joshua Young*
 
-    *Étienne Barrié*
+## Rails 8.0.0.beta1 (September 26, 2024) ##
 
-*   Request Forgery takes relative paths into account.
+*   Fix non-GET requests not updating cookies in `ActionController::TestCase`.
 
-    *Stefan Wienert*
+    *Jon Moss*, *Hartley McGuire*
 
-*   Add ".test" as a default allowed host in development to ensure smooth golden-path setup with puma.dev.
+*   Update `ActionController::Live` to use a thread-pool to reuse threads across requests.
 
-    *DHH*
+    *Adam Renberg Tamm*
 
-*   Add `allow_browser` to set minimum browser versions for the application.
+*   Introduce safer, more explicit params handling method with `params#expect` such that
+    `params.expect(table: [ :attr ])` replaces `params.require(:table).permit(:attr)`
 
-    A browser that's blocked will by default be served the file in `public/406-unsupported-browser.html` with a HTTP status code of "406 Not Acceptable".
+    Ensures params are filtered with consideration for the expected
+    types of values, improving handling of params and avoiding ignorable
+    errors caused by params tampering.
 
     ```ruby
-    class ApplicationController < ActionController::Base
-      # Allow only browsers natively supporting webp images, web push, badges, import maps, CSS nesting + :has
-      allow_browser versions: :modern
-    end
+    # If the url is altered to ?person=hacked
+    # Before
+    params.require(:person).permit(:name, :age, pets: [:name])
+    # raises NoMethodError, causing a 500 and potential error reporting
+
+    # After
+    params.expect(person: [ :name, :age, pets: [[:name]] ])
+    # raises ActionController::ParameterMissing, correctly returning a 400 error
+    ```
 
-    class ApplicationController < ActionController::Base
-      # All versions of Chrome and Opera will be allowed, but no versions of "internet explorer" (ie). Safari needs to be 16.4+ and Firefox 121+.
-      allow_browser versions: { safari: 16.4, firefox: 121, ie: false }
-    end
+    You may also notice the new double array `[[:name]]`. In order to
+    declare when a param is expected to be an array of parameter hashes,
+    this new double array syntax is used to explicitly declare an array.
+    `expect` requires you to declare expected arrays in this way, and will
+    ignore arrays that are passed when, for example, `pet: [:name]` is used.
 
-    class MessagesController < ApplicationController
-      # In addition to the browsers blocked by ApplicationController, also block Opera below 104 and Chrome below 119 for the show action.
-      allow_browser versions: { opera: 104, chrome: 119 }, only: :show
-    end
-    ```
+    In order to preserve compatibility, `permit` does not adopt the new
+    double array syntax and is therefore more permissive about unexpected
+    types. Using `expect` everywhere is recommended.
 
-    *DHH*
+    We suggest replacing `params.require(:person).permit(:name, :age)`
+    with the direct replacement `params.expect(person: [:name, :age])`
+    to prevent external users from manipulating params to trigger 500
+    errors. A 400 error will be returned instead, using public/400.html
 
-*   Add rate limiting API.
+    Usage of `params.require(:id)` should likewise be replaced with
+    `params.expect(:id)` which is designed to ensure that `params[:id]`
+    is a scalar and not an array or hash, also requiring the param.
 
     ```ruby
-    class SessionsController < ApplicationController
-      rate_limit to: 10, within: 3.minutes, only: :create
-    end
+    # Before
+    User.find(params.require(:id)) # allows an array, altering behavior
 
-    class SignupsController < ApplicationController
-      rate_limit to: 1000, within: 10.seconds,
-        by: -> { request.domain }, with: -> { redirect_to busy_controller_url, alert: "Too many signups!" }, only: :new
-    end
+    # After
+    User.find(params.expect(:id)) # expect only returns non-blank permitted scalars (excludes Hash, Array, nil, "", etc)
     ```
 
-    *DHH*, *Jean Boussier*
+    *Martin Emde*
 
-*   Add `image/svg+xml` to the compressible content types of `ActionDispatch::Static`.
+*   System Testing: Disable Chrome's search engine choice by default in system tests.
 
-    *Georg Ledermann*
+    *glaszig*
 
-*   Add instrumentation for `ActionController::Live#send_stream`.
+*   Fix `Request#raw_post` raising `NoMethodError` when `rack.input` is `nil`.
+
+    *Hartley McGuire*
 
-    Allows subscribing to `send_stream` events. The event payload contains the filename, disposition, and type.
+*   Remove `racc` dependency by manually writing `ActionDispatch::Journey::Scanner`.
 
-    *Hannah Ramadan*
+    *Gannon McGibbon*
 
-*   Add support for `with_routing` test helper in `ActionDispatch::IntegrationTest`.
+*   Speed up `ActionDispatch::Routing::Mapper::Scope#[]` by merging frame hashes.
 
     *Gannon McGibbon*
 
-*   Remove deprecated support to set `Rails.application.config.action_dispatch.show_exceptions` to `true` and `false`.
+*   Allow bots to ignore `allow_browser`.
 
-    *Rafael Mendonça França*
+    *Matthew Nguyen*
 
-*   Remove deprecated `speaker`, `vibrate`, and `vr` permissions policy directives.
+*   Deprecate drawing routes with multiple paths to make routing faster.
+    You may use `with_options` or a loop to make drawing multiple paths easier.
 
-    *Rafael Mendonça França*
+    ```ruby
+    # Before
+    get "/users", "/other_path", to: "users#index"
 
-*   Remove deprecated `Rails.application.config.action_dispatch.return_only_request_media_type_on_content_type`.
+    # After
+    get "/users", to: "users#index"
+    get "/other_path", to: "users#index"
+    ```
 
-    *Rafael Mendonça França*
+    *Gannon McGibbon*
 
-*   Deprecate `Rails.application.config.action_controller.allow_deprecated_parameters_hash_equality`.
+*   Make `http_cache_forever` use `immutable: true`
 
-    *Rafael Mendonça França*
+    *Nate Matykiewicz*
 
-*   Remove deprecated comparison between `ActionController::Parameters` and `Hash`.
+*   Add `config.action_dispatch.strict_freshness`.
 
-    *Rafael Mendonça França*
+    When set to `true`, the `ETag` header takes precedence over the `Last-Modified` header when both are present,
+    as specified by RFC 7232, Section 6.
 
-*   Remove deprecated constant `AbstractController::Helpers::MissingHelperError`.
+    Defaults to `false` to maintain compatibility with previous versions of Rails, but is enabled as part of
+    Rails 8.0 defaults.
 
-    *Rafael Mendonça França*
+    *heka1024*
 
-*   Fix a race condition that could cause a `Text file busy - chromedriver`
-    error with parallel system tests.
+*   Support `immutable` directive in Cache-Control
 
-    *Matt Brictson*
+    ```ruby
+    expires_in 1.minute, public: true, immutable: true
+    # Cache-Control: public, max-age=60, immutable
+    ```
 
-*   Add `racc` as a dependency since it will become a bundled gem in Ruby 3.4.0
+    *heka1024*
 
-    *Hartley McGuire*
-*   Remove deprecated constant `ActionDispatch::IllegalStateError`.
+*   Add `:wasm_unsafe_eval` mapping for `content_security_policy`
 
-    *Rafael Mendonça França*
+    ```ruby
+    # Before
+    policy.script_src "'wasm-unsafe-eval'"
+
+    # After
+    policy.script_src :wasm_unsafe_eval
+    ```
 
-*   Add parameter filter capability for redirect locations.
+    *Joe Haig*
 
-    It uses the `config.filter_parameters` to match what needs to be filtered.
-    The result would be like this:
+*   Add `display_capture` and `keyboard_map` in `permissions_policy`
 
-        Redirected to http://secret.foo.bar?username=roque&password=[FILTERED]
+    *Cyril Blaecke*
 
-    Fixes #14055.
+*   Add `connect` route helper.
 
-    *Roque Pinel*, *Trevor Turk*, *tonytonyjan*
+    *Samuel Williams*
 
-Please check [7-1-stable](https://github.com/rails/rails/blob/7-1-stable/actionpack/CHANGELOG.md) for previous changes.
+Please check [7-2-stable](https://github.com/rails/rails/blob/7-2-stable/actionpack/CHANGELOG.md) for previous changes.

data/lib/abstract_controller/rendering.rb

@@ -5,7 +5,6 @@
 require "abstract_controller/error"
 require "action_view"
 require "action_view/view_paths"
-require "set"
 
 module AbstractController
   class DoubleRenderError < Error

data/lib/action_controller/base.rb

@@ -266,7 +266,7 @@ module ActionController
       ParamsWrapper
     ]
 
-    # Note: Documenting these severely degrates the performance of rdoc
+    # Note: Documenting these severely degrades the performance of rdoc
     # :stopdoc:
     include AbstractController::Rendering
     include AbstractController::Translation

data/lib/action_controller/form_builder.rb

@@ -22,10 +22,10 @@ module ActionController
   #       default_form_builder AdminFormBuilder
   #     end
   #
-  # Then in the view any form using `form_for` will be an instance of the
-  # specified form builder:
+  # Then in the view any form using `form_with` or `form_for` will be an
+  # instance of the specified form builder:
   #
-  #     <%= form_for(@instance) do |builder| %>
+  #     <%= form_with(model: @instance) do |builder| %>
   #       <%= builder.special_field(:name) %>
   #     <% end %>
   module FormBuilder

data/lib/action_controller/metal/allow_browser.rb

@@ -36,6 +36,16 @@ module ActionController # :nodoc:
       #     end
       #
       #     class ApplicationController < ActionController::Base
+      #       # Allow only browsers natively supporting webp images, web push, badges, import maps, CSS nesting, and CSS :has
+      #       allow_browser versions: :modern, block: :handle_outdated_browser
+      #
+      #       private
+      #         def handle_outdated_browser
+      #           render file: Rails.root.join("public/custom-error.html"), status: :not_acceptable
+      #         end
+      #     end
+      #
+      #     class ApplicationController < ActionController::Base
       #       # All versions of Chrome and Opera will be allowed, but no versions of "internet explorer" (ie). Safari needs to be 16.4+ and Firefox 121+.
       #       allow_browser versions: { safari: 16.4, firefox: 121, ie: false }
       #     end
@@ -55,7 +65,7 @@ module ActionController # :nodoc:
 
         if BrowserBlocker.new(request, versions: versions).blocked?
           ActiveSupport::Notifications.instrument("browser_block.action_controller", request: request, versions: versions) do
-            instance_exec(&block)
+            block.is_a?(Symbol) ? send(block) : instance_exec(&block)
           end
         end
       end

data/lib/action_controller/metal/conditional_get.rb

@@ -259,6 +259,9 @@ module ActionController
     # `:stale_if_error`
     # :   Sets the value of the `stale-if-error` directive.
     #
+    # `:immutable`
+    # :   If true, adds the `immutable` directive.
+    #
     #
     # Any additional key-value pairs are concatenated as directives. For a list of
     # supported `Cache-Control` directives, see the [article on
@@ -292,6 +295,7 @@ module ActionController
         must_revalidate: options.delete(:must_revalidate),
         stale_while_revalidate: options.delete(:stale_while_revalidate),
         stale_if_error: options.delete(:stale_if_error),
+        immutable: options.delete(:immutable),
       )
       options.delete(:private)
 
@@ -315,7 +319,7 @@ module ActionController
     #     user's web browser. To allow proxies to cache the response, set `true` to
     #     indicate that they can serve the cached response to all users.
     def http_cache_forever(public: false)
-      expires_in 100.years, public: public
+      expires_in 100.years, public: public, immutable: true
 
       yield if stale?(etag: request.fullpath,
                       last_modified: Time.new(2011, 1, 1).utc,

data/lib/action_controller/metal/data_streaming.rb

@@ -28,7 +28,8 @@ module ActionController # :nodoc:
       # `send_file(params[:path])` allows a malicious user to download any file on
       # your server.
       #
-      # Options:
+      # #### Options:
+      #
       # *   `:filename` - suggests a filename for the browser to use. Defaults to
       #     `File.basename(path)`.
       # *   `:type` - specifies an HTTP content type. You can specify either a string
@@ -90,7 +91,8 @@ module ActionController # :nodoc:
       # inline data. You may also set the content type, the file name, and other
       # things.
       #
-      # Options:
+      # #### Options:
+      #
       # *   `:filename` - suggests a filename for the browser to use.
       # *   `:type` - specifies an HTTP content type. Defaults to
       #     `application/octet-stream`. You can specify either a string or a symbol

data/lib/action_controller/metal/instrumentation.rb

@@ -2,7 +2,6 @@
 
 # :markup: markdown
 
-require "benchmark"
 require "abstract_controller/logger"
 
 module ActionController
@@ -29,7 +28,7 @@ module ActionController
     def render(*)
       render_output = nil
       self.view_runtime = cleanup_view_runtime do
-        Benchmark.ms { render_output = super }
+        ActiveSupport::Benchmark.realtime(:float_millisecond) { render_output = super }
       end
       render_output
     end

data/lib/action_controller/metal/live.rb

@@ -171,12 +171,6 @@ module ActionController
         @ignore_disconnect = false
       end
 
-      # ActionDispatch::Response delegates #to_ary to the internal
-      # ActionDispatch::Response::Buffer, defining #to_ary is an indicator that the
-      # response body can be buffered and/or cached by Rack middlewares, this is not
-      # the case for Live responses so we undefine it for this Buffer subclass.
-      undef_method :to_ary
-
       def write(string)
         unless @response.committed?
           @response.headers["Cache-Control"] ||= "no-cache"
@@ -307,6 +301,9 @@ module ActionController
               error = e
             end
           ensure
+            ActiveSupport::IsolatedExecutionState.clear
+            clean_up_thread_locals(locals, t2)
+
             @_response.commit!
           end
         end
@@ -328,7 +325,8 @@ module ActionController
     # or other running data where you don't want the entire file buffered in memory
     # first. Similar to send_data, but where the data is generated live.
     #
-    # Options:
+    # #### Options:
+    #
     # *   `:filename` - suggests a filename for the browser to use.
     # *   `:type` - specifies an HTTP content type. You can specify either a string
     #     or a symbol for a registered type with `Mime::Type.register`, for example
@@ -371,11 +369,20 @@ module ActionController
       # data from the response bodies. Nobody should call this method except in Rails
       # internals. Seriously!
       def new_controller_thread # :nodoc:
-        Thread.new {
+        ActionController::Live.live_thread_pool_executor.post do
           t2 = Thread.current
           t2.abort_on_exception = true
           yield
-        }
+        end
+      end
+
+      # Ensure we clean up any thread locals we copied so that the thread can reused.
+      def clean_up_thread_locals(locals, thread) # :nodoc:
+        locals.each { |k, _| thread[k] = nil }
+      end
+
+      def self.live_thread_pool_executor
+        @live_thread_pool_executor ||= Concurrent::CachedThreadPool.new(name: "action_controller.live")
       end
 
       def log_error(exception)

data/lib/action_controller/metal/rate_limiting.rb

@@ -29,6 +29,9 @@ module ActionController # :nodoc:
       # datastore as your general caches, you can pass a custom store in the `store`
       # parameter.
       #
+      # If you want to use multiple rate limits per controller, you need to give each of
+      # them an explicit name via the `name:` option.
+      #
       # Examples:
       #
       #     class SessionsController < ApplicationController
@@ -44,14 +47,20 @@ module ActionController # :nodoc:
       #       RATE_LIMIT_STORE = ActiveSupport::Cache::RedisCacheStore.new(url: ENV["REDIS_URL"])
       #       rate_limit to: 10, within: 3.minutes, store: RATE_LIMIT_STORE
       #     end
-      def rate_limit(to:, within:, by: -> { request.remote_ip }, with: -> { head :too_many_requests }, store: cache_store, **options)
-        before_action -> { rate_limiting(to: to, within: within, by: by, with: with, store: store) }, **options
+      #
+      #     class SessionsController < ApplicationController
+      #       rate_limit to: 3, within: 2.seconds, name: "short-term"
+      #       rate_limit to: 10, within: 5.minutes, name: "long-term"
+      #     end
+      def rate_limit(to:, within:, by: -> { request.remote_ip }, with: -> { head :too_many_requests }, store: cache_store, name: nil, **options)
+        before_action -> { rate_limiting(to: to, within: within, by: by, with: with, store: store, name: name) }, **options
       end
     end
 
     private
-      def rate_limiting(to:, within:, by:, with:, store:)
-        count = store.increment("rate-limit:#{controller_path}:#{instance_exec(&by)}", 1, expires_in: within)
+      def rate_limiting(to:, within:, by:, with:, store:, name:)
+        cache_key = ["rate-limit", controller_path, name, instance_exec(&by)].compact.join(":")
+        count = store.increment(cache_key, 1, expires_in: within)
         if count && count > to
           ActiveSupport::Notifications.instrument("rate_limit.action_controller", request: request) do
             instance_exec(&with)