activestorage 6.0.4 → 6.1.0.rc1

data/app/controllers/active_storage/base_controller.rb

@@ -5,4 +5,15 @@ class ActiveStorage::BaseController < ActionController::Base
   include ActiveStorage::SetCurrent
 
   protect_from_forgery with: :exception
+
+  self.etag_with_template_digest = false
+
+  private
+    def stream(blob)
+      blob.download do |chunk|
+        response.stream.write chunk
+      end
+    ensure
+      response.stream.close
+    end
 end

data/app/controllers/active_storage/blobs/proxy_controller.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+# Proxy files through application. This avoids having a redirect and makes files easier to cache.
+class ActiveStorage::Blobs::ProxyController < ActiveStorage::BaseController
+  include ActiveStorage::SetBlob
+  include ActiveStorage::SetHeaders
+
+  def show
+    http_cache_forever public: true do
+      set_content_headers_from @blob
+      stream @blob
+    end
+  end
+end

data/app/controllers/active_storage/{blobs_controller.rb → blobs/redirect_controller.rb}

@@ -4,11 +4,11 @@
 # Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
 # security-through-obscurity factor of the signed blob references, you'll need to implement your own
 # authenticated redirection controller.
-class ActiveStorage::BlobsController < ActiveStorage::BaseController
+class ActiveStorage::Blobs::RedirectController < ActiveStorage::BaseController
   include ActiveStorage::SetBlob
 
   def show
     expires_in ActiveStorage.service_urls_expire_in
-    redirect_to @blob.service_url(disposition: params[:disposition])
+    redirect_to @blob.url(disposition: params[:disposition])
   end
 end

data/app/controllers/active_storage/disk_controller.rb

@@ -5,11 +5,13 @@
 # Always go through the BlobsController, or your own authenticated controller, rather than directly
 # to the service URL.
 class ActiveStorage::DiskController < ActiveStorage::BaseController
+  include ActiveStorage::FileServer
+
   skip_forgery_protection
 
   def show
     if key = decode_verified_key
-      serve_file disk_service.path_for(key[:key]), content_type: key[:content_type], disposition: key[:disposition]
+      serve_file named_disk_service(key[:service_name]).path_for(key[:key]), content_type: key[:content_type], disposition: key[:disposition]
     else
       head :not_found
     end
@@ -20,7 +22,7 @@ class ActiveStorage::DiskController < ActiveStorage::BaseController
   def update
     if token = decode_verified_token
       if acceptable_content?(token)
-        disk_service.upload token[:key], request.body, checksum: token[:checksum]
+        named_disk_service(token[:service_name]).upload token[:key], request.body, checksum: token[:checksum]
       else
         head :unprocessable_entity
       end
@@ -32,30 +34,16 @@ class ActiveStorage::DiskController < ActiveStorage::BaseController
   end
 
   private
-    def disk_service
-      ActiveStorage::Blob.service
+    def named_disk_service(name)
+      ActiveStorage::Blob.services.fetch(name) do
+        ActiveStorage::Blob.service
+      end
     end
 
-
     def decode_verified_key
       ActiveStorage.verifier.verified(params[:encoded_key], purpose: :blob_key)
     end
 
-    def serve_file(path, content_type:, disposition:)
-      Rack::File.new(nil).serving(request, path).tap do |(status, headers, body)|
-        self.status = status
-        self.response_body = body
-
-        headers.each do |name, value|
-          response.headers[name] = value
-        end
-
-        response.headers["Content-Type"] = content_type || DEFAULT_SEND_FILE_TYPE
-        response.headers["Content-Disposition"] = disposition || DEFAULT_SEND_FILE_DISPOSITION
-      end
-    end
-
-
     def decode_verified_token
       ActiveStorage.verifier.verified(params[:encoded_token], purpose: :blob_token)
     end

data/app/controllers/active_storage/representations/proxy_controller.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# Proxy files through application. This avoids having a redirect and makes files easier to cache.
+class ActiveStorage::Representations::ProxyController < ActiveStorage::BaseController
+  include ActiveStorage::SetBlob
+  include ActiveStorage::SetHeaders
+
+  def show
+    http_cache_forever public: true do
+      set_content_headers_from representation.image
+      stream representation
+    end
+  end
+
+  private
+    def representation
+      @representation ||= @blob.representation(params[:variation_key]).processed
+    end
+end

data/app/controllers/active_storage/{representations_controller.rb → representations/redirect_controller.rb}

@@ -4,11 +4,11 @@
 # Note: These URLs are publicly accessible. If you need to enforce access protection beyond the
 # security-through-obscurity factor of the signed blob and variation reference, you'll need to implement your own
 # authenticated redirection controller.
-class ActiveStorage::RepresentationsController < ActiveStorage::BaseController
+class ActiveStorage::Representations::RedirectController < ActiveStorage::BaseController
   include ActiveStorage::SetBlob
 
   def show
     expires_in ActiveStorage.service_urls_expire_in
-    redirect_to @blob.representation(params[:variation_key]).processed.service_url(disposition: params[:disposition])
+    redirect_to @blob.representation(params[:variation_key]).processed.url(disposition: params[:disposition])
   end
 end

data/app/controllers/concerns/active_storage/file_server.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module ActiveStorage::FileServer # :nodoc:
+  private
+    def serve_file(path, content_type:, disposition:)
+      Rack::File.new(nil).serving(request, path).tap do |(status, headers, body)|
+        self.status = status
+        self.response_body = body
+
+        headers.each do |name, value|
+          response.headers[name] = value
+        end
+
+        response.headers["Content-Type"] = content_type || DEFAULT_SEND_FILE_TYPE
+        response.headers["Content-Disposition"] = disposition || DEFAULT_SEND_FILE_DISPOSITION
+      end
+    end
+end

data/app/controllers/concerns/active_storage/set_blob.rb

@@ -9,7 +9,7 @@ module ActiveStorage::SetBlob #:nodoc:
 
   private
     def set_blob
-      @blob = ActiveStorage::Blob.find_signed(params[:signed_blob_id] || params[:signed_id])
+      @blob = ActiveStorage::Blob.find_signed!(params[:signed_blob_id] || params[:signed_id])
     rescue ActiveSupport::MessageVerifier::InvalidSignature
       head :not_found
     end

data/app/controllers/concerns/active_storage/set_current.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 # Sets the <tt>ActiveStorage::Current.host</tt> attribute, which the disk service uses to generate URLs.
-# Include this concern in custom controllers that call ActiveStorage::Blob#service_url,
-# ActiveStorage::Variant#service_url, or ActiveStorage::Preview#service_url so the disk service can
+# Include this concern in custom controllers that call ActiveStorage::Blob#url,
+# ActiveStorage::Variant#url, or ActiveStorage::Preview#url so the disk service can
 # generate URLs using the same host, protocol, and base path as the current request.
 module ActiveStorage::SetCurrent
   extend ActiveSupport::Concern

data/app/controllers/concerns/active_storage/set_headers.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module ActiveStorage::SetHeaders #:nodoc:
+  extend ActiveSupport::Concern
+
+  private
+    def set_content_headers_from(blob)
+      response.headers["Content-Type"] = blob.content_type_for_serving
+      response.headers["Content-Disposition"] = ActionDispatch::Http::ContentDisposition.format \
+        disposition: blob.forced_disposition_for_serving || params[:disposition] || "inline", filename: blob.filename.sanitized
+    end
+end

data/app/jobs/active_storage/mirror_job.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require "active_support/core_ext/object/try"
+
+# Provides asynchronous mirroring of directly-uploaded blobs.
+class ActiveStorage::MirrorJob < ActiveStorage::BaseJob
+  queue_as { ActiveStorage.queues[:mirror] }
+
+  discard_on ActiveStorage::FileNotFoundError
+  retry_on ActiveStorage::IntegrityError, attempts: 10, wait: :exponentially_longer
+
+  def perform(key, checksum:)
+    ActiveStorage::Blob.service.try(:mirror, key, checksum: checksum)
+  end
+end

data/app/models/active_storage/attachment.rb

@@ -5,43 +5,51 @@ require "active_support/core_ext/module/delegation"
 # Attachments associate records with blobs. Usually that's a one record-many blobs relationship,
 # but it is possible to associate many different records with the same blob. A foreign-key constraint
 # on the attachments table prevents blobs from being purged if they’re still attached to any records.
-class ActiveStorage::Attachment < ActiveRecord::Base
+#
+# Attachments also have access to all methods from {ActiveStorage::Blob}[rdoc-ref:ActiveStorage::Blob].
+class ActiveStorage::Attachment < ActiveStorage::Record
   self.table_name = "active_storage_attachments"
 
   belongs_to :record, polymorphic: true, touch: true
-  belongs_to :blob, class_name: "ActiveStorage::Blob"
+  belongs_to :blob, class_name: "ActiveStorage::Blob", autosave: true
 
   delegate_missing_to :blob
+  delegate :signed_id, to: :blob
 
-  after_create_commit :analyze_blob_later, :identify_blob
+  after_create_commit :mirror_blob_later, :analyze_blob_later
   after_destroy_commit :purge_dependent_blob_later
 
   # Synchronously deletes the attachment and {purges the blob}[rdoc-ref:ActiveStorage::Blob#purge].
   def purge
-    delete
+    transaction do
+      delete
+      record&.touch
+    end
     blob&.purge
   end
 
   # Deletes the attachment and {enqueues a background job}[rdoc-ref:ActiveStorage::Blob#purge_later] to purge the blob.
   def purge_later
-    delete
+    transaction do
+      delete
+      record&.touch
+    end
     blob&.purge_later
   end
 
   private
-    def identify_blob
-      blob.identify
-    end
-
     def analyze_blob_later
       blob.analyze_later unless blob.analyzed?
     end
 
+    def mirror_blob_later
+      blob.mirror_later
+    end
+
     def purge_dependent_blob_later
       blob&.purge_later if dependent == :purge_later
     end
 
-
     def dependent
       record.attachment_reflections[name]&.options[:dependent]
     end

data/app/models/active_storage/blob.rb

@@ -14,80 +14,109 @@
 # Blobs are intended to be immutable in as-so-far as their reference to a specific file goes. You're allowed to
 # update a blob's metadata on a subsequent pass, but you should not update the key or change the uploaded file.
 # If you need to create a derivative or otherwise change the blob, simply create a new blob and purge the old one.
-class ActiveStorage::Blob < ActiveRecord::Base
-  unless Rails.autoloaders.zeitwerk_enabled?
-    require_dependency "active_storage/blob/analyzable"
-    require_dependency "active_storage/blob/identifiable"
-    require_dependency "active_storage/blob/representable"
-  end
-
-  include Analyzable
-  include Identifiable
-  include Representable
+class ActiveStorage::Blob < ActiveStorage::Record
+  # We use constant paths in the following include calls to avoid a gotcha of
+  # classic mode: If the parent application defines a top-level Analyzable, for
+  # example, and ActiveStorage::Blob::Analyzable is not yet loaded, a bare
+  #
+  #   include Analyzable
+  #
+  # would resolve to the top-level one, const_missing would not be triggered,
+  # and therefore ActiveStorage::Blob::Analyzable would not be autoloaded.
+  #
+  # By using qualified names, we ensure const_missing is invoked if needed.
+  # Please, note that Ruby 2.5 or newer is required, so Object is not checked
+  # when looking up the ancestors of ActiveStorage::Blob.
+  #
+  # Zeitwerk mode does not have this gotcha. If we ever drop classic mode, this
+  # can be simplified, bare constant names would just work.
+  include ActiveStorage::Blob::Analyzable
+  include ActiveStorage::Blob::Identifiable
+  include ActiveStorage::Blob::Representable
 
   self.table_name = "active_storage_blobs"
 
-  has_secure_token :key
+  MINIMUM_TOKEN_LENGTH = 28
+
+  has_secure_token :key, length: MINIMUM_TOKEN_LENGTH
   store :metadata, accessors: [ :analyzed, :identified ], coder: ActiveRecord::Coders::JSON
 
-  class_attribute :service
+  class_attribute :services, default: {}
+  class_attribute :service, instance_accessor: false
 
   has_many :attachments
 
-  scope :unattached, -> { left_joins(:attachments).where(ActiveStorage::Attachment.table_name => { blob_id: nil }) }
+  scope :unattached, -> { where.missing(:attachments) }
+
+  after_initialize do
+    self.service_name ||= self.class.service.name
+  end
+
+  after_update_commit :update_service_metadata, if: :content_type_previously_changed?
 
   before_destroy(prepend: true) do
     raise ActiveRecord::InvalidForeignKey if attachments.exists?
   end
 
+  validates :service_name, presence: true
+
+  validate do
+    if service_name_changed? && service_name.present?
+      services.fetch(service_name) do
+        errors.add(:service_name, :invalid)
+      end
+    end
+  end
+
   class << self
     # You can use the signed ID of a blob to refer to it on the client side without fear of tampering.
     # This is particularly helpful for direct uploads where the client-side needs to refer to the blob
     # that was created ahead of the upload itself on form submission.
     #
     # The signed ID is also used to create stable URLs for the blob through the BlobsController.
-    def find_signed(id)
-      find ActiveStorage.verifier.verify(id, purpose: :blob_id)
+    def find_signed!(id, record: nil)
+      super(id, purpose: :blob_id)
     end
 
-    # Returns a new, unsaved blob instance after the +io+ has been uploaded to the service.
-    # When providing a content type, pass <tt>identify: false</tt> to bypass automatic content type inference.
-    def build_after_upload(io:, filename:, content_type: nil, metadata: nil, identify: true)
-      new(filename: filename, content_type: content_type, metadata: metadata).tap do |blob|
+    def build_after_upload(io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil) #:nodoc:
+      new(filename: filename, content_type: content_type, metadata: metadata, service_name: service_name).tap do |blob|
         blob.upload(io, identify: identify)
       end
     end
 
-    def build_after_unfurling(io:, filename:, content_type: nil, metadata: nil, identify: true) #:nodoc:
-      new(filename: filename, content_type: content_type, metadata: metadata).tap do |blob|
+    deprecate :build_after_upload
+
+    def build_after_unfurling(key: nil, io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil) #:nodoc:
+      new(key: key, filename: filename, content_type: content_type, metadata: metadata, service_name: service_name).tap do |blob|
         blob.unfurl(io, identify: identify)
       end
     end
 
-    def create_after_unfurling!(io:, filename:, content_type: nil, metadata: nil, identify: true, record: nil) #:nodoc:
-      build_after_unfurling(io: io, filename: filename, content_type: content_type, metadata: metadata, identify: identify).tap(&:save!)
+    def create_after_unfurling!(key: nil, io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil) #:nodoc:
+      build_after_unfurling(key: key, io: io, filename: filename, content_type: content_type, metadata: metadata, service_name: service_name, identify: identify).tap(&:save!)
     end
 
-    # Creates a new blob instance and then uploads the contents of the given <tt>io</tt> to the
-    # service. The blob instance is saved before the upload begins to avoid clobbering another due
-    # to key collisions.
-    #
-    # When providing a content type, pass <tt>identify: false</tt> to bypass automatic content type inference.
-    def create_and_upload!(io:, filename:, content_type: nil, metadata: nil, identify: true, record: nil)
-      create_after_unfurling!(io: io, filename: filename, content_type: content_type, metadata: metadata, identify: identify).tap do |blob|
+    # Creates a new blob instance and then uploads the contents of
+    # the given <tt>io</tt> to the service. The blob instance is going to
+    # be saved before the upload begins to prevent the upload clobbering another due to key collisions.
+    # When providing a content type, pass <tt>identify: false</tt> to bypass
+    # automatic content type inference.
+    def create_and_upload!(key: nil, io:, filename:, content_type: nil, metadata: nil, service_name: nil, identify: true, record: nil)
+      create_after_unfurling!(key: key, io: io, filename: filename, content_type: content_type, metadata: metadata, service_name: service_name, identify: identify).tap do |blob|
         blob.upload_without_unfurling(io)
       end
     end
 
     alias_method :create_after_upload!, :create_and_upload!
+    deprecate create_after_upload!: :create_and_upload!
 
     # Returns a saved blob _without_ uploading a file to the service. This blob will point to a key where there is
     # no file yet. It's intended to be used together with a client-side upload, which will first create the blob
     # in order to produce the signed URL for uploading. This signed URL points to the key generated by the blob.
     # Once the form using the direct upload is submitted, the blob can be associated with the right record using
     # the signed ID.
-    def create_before_direct_upload!(filename:, byte_size:, checksum:, content_type: nil, metadata: nil)
-      create! filename: filename, byte_size: byte_size, checksum: checksum, content_type: content_type, metadata: metadata
+    def create_before_direct_upload!(key: nil, filename:, byte_size:, checksum:, content_type: nil, metadata: nil, service_name: nil, record: nil)
+      create! key: key, filename: filename, byte_size: byte_size, checksum: checksum, content_type: content_type, metadata: metadata, service_name: service_name
     end
 
     # To prevent problems with case-insensitive filesystems, especially in combination
@@ -95,15 +124,27 @@ class ActiveStorage::Blob < ActiveRecord::Base
     # to only contain the base-36 character alphabet and will therefore be lowercase. To maintain
     # the same or higher amount of entropy as in the base-58 encoding used by `has_secure_token`
     # the number of bytes used is increased to 28 from the standard 24
-    def generate_unique_secure_token
-      SecureRandom.base36(28)
+    def generate_unique_secure_token(length: MINIMUM_TOKEN_LENGTH)
+      SecureRandom.base36(length)
+    end
+
+    # Customize signed ID purposes for backwards compatibility.
+    def combine_signed_id_purposes(purpose) #:nodoc:
+      purpose.to_s
+    end
+
+    # Customize the default signed ID verifier for backwards compatibility.
+    #
+    # We override the reader (.signed_id_verifier) instead of just calling the writer (.signed_id_verifier=)
+    # to guard against the case where ActiveStorage.verifier isn't yet initialized at load time.
+    def signed_id_verifier #:nodoc:
+      @signed_id_verifier ||= ActiveStorage.verifier
     end
   end
 
   # Returns a signed ID for this blob that's suitable for reference on the client-side without fear of tampering.
-  # It uses the framework-wide verifier on <tt>ActiveStorage.verifier</tt>, but with a dedicated purpose.
   def signed_id
-    ActiveStorage.verifier.generate(id, purpose: :blob_id)
+    super(purpose: :blob_id)
   end
 
   # Returns the key pointing to the file on the service that's associated with this blob. The key is the
@@ -112,7 +153,7 @@ class ActiveStorage::Blob < ActiveRecord::Base
   # Always refer to blobs using the signed_id or a verified form of the key.
   def key
     # We can't wait until the record is first saved to have a key for it
-    self[:key] ||= self.class.generate_unique_secure_token
+    self[:key] ||= self.class.generate_unique_secure_token(length: MINIMUM_TOKEN_LENGTH)
   end
 
   # Returns an ActiveStorage::Filename instance of the filename that can be
@@ -142,18 +183,18 @@ class ActiveStorage::Blob < ActiveRecord::Base
     content_type.start_with?("text")
   end
 
-
-  # Returns the URL of the blob on the service. This URL is intended to be short-lived for security and not used directly
-  # with users. Instead, the +service_url+ should only be exposed as a redirect from a stable, possibly authenticated URL.
-  # Hiding the +service_url+ behind a redirect also gives you the power to change services without updating all URLs. And
-  # it allows permanent URLs that redirect to the +service_url+ to be cached in the view.
-  def service_url(expires_in: ActiveStorage.service_urls_expire_in, disposition: :inline, filename: nil, **options)
-    filename = ActiveStorage::Filename.wrap(filename || self.filename)
-
-    service.url key, expires_in: expires_in, filename: filename, content_type: content_type_for_service_url,
-      disposition: forced_disposition_for_service_url || disposition, **options
+  # Returns the URL of the blob on the service. This returns a permanent URL for public files, and returns a
+  # short-lived URL for private files. Private files are signed, and not for public use. Instead,
+  # the URL should only be exposed as a redirect from a stable, possibly authenticated URL. Hiding the
+  # URL behind a redirect also allows you to change services without updating all URLs.
+  def url(expires_in: ActiveStorage.service_urls_expire_in, disposition: :inline, filename: nil, **options)
+    service.url key, expires_in: expires_in, filename: ActiveStorage::Filename.wrap(filename || self.filename),
+      content_type: content_type_for_serving, disposition: forced_disposition_for_serving || disposition, **options
   end
 
+  alias_method :service_url, :url
+  deprecate service_url: :url
+
   # Returns a URL that can be used to directly upload a file for this blob on the service. This URL is intended to be
   # short-lived for security and only generated on-demand by the client-side JavaScript responsible for doing the uploading.
   def service_url_for_direct_upload(expires_in: ActiveStorage.service_urls_expire_in)
@@ -165,6 +206,16 @@ class ActiveStorage::Blob < ActiveRecord::Base
     service.headers_for_direct_upload key, filename: filename, content_type: content_type, content_length: byte_size, checksum: checksum
   end
 
+  def content_type_for_serving #:nodoc:
+    forcibly_serve_as_binary? ? ActiveStorage.binary_content_type : content_type
+  end
+
+  def forced_disposition_for_serving #:nodoc:
+    if forcibly_serve_as_binary? || !allowed_inline?
+      :attachment
+    end
+  end
+
 
   # Uploads the +io+ to the service on the +key+ for this blob. Blobs are intended to be immutable, so you shouldn't be
   # using this method after a file has already been uploaded to fit with a blob. If you want to create a derivative blob,
@@ -218,6 +269,9 @@ class ActiveStorage::Blob < ActiveRecord::Base
       name: [ "ActiveStorage-#{id}-", filename.extension_with_delimiter ], tmpdir: tmpdir, &block
   end
 
+  def mirror_later #:nodoc:
+    ActiveStorage::MirrorJob.perform_later(key, checksum: checksum) if service.respond_to?(:mirror)
+  end
 
   # Deletes the files on the service associated with the blob. This should only be done if the blob is going to be
   # deleted as well or you will essentially have a dead reference. It's recommended to use #purge and #purge_later
@@ -227,8 +281,8 @@ class ActiveStorage::Blob < ActiveRecord::Base
     service.delete_prefixed("variants/#{key}/") if image?
   end
 
-  # Deletes the file on the service and then destroys the blob record. This is the recommended way to dispose of unwanted
-  # blobs. Note, though, that deleting the file off the service will initiate a HTTP connection to the service, which may
+  # Destroys the blob record and then deletes the file on the service. This is the recommended way to dispose of unwanted
+  # blobs. Note, though, that deleting the file off the service will initiate an HTTP connection to the service, which may
   # be slow or prevented, so you should not use this method inside a transaction or in callbacks. Use #purge_later instead.
   def purge
     destroy
@@ -242,6 +296,11 @@ class ActiveStorage::Blob < ActiveRecord::Base
     ActiveStorage::PurgeJob.perform_later(self)
   end
 
+  # Returns an instance of service, which can be configured globally or per attachment
+  def service
+    services.fetch(service_name)
+  end
+
   private
     def compute_checksum_in_chunks(io)
       Digest::MD5.new.tap do |checksum|
@@ -265,14 +324,8 @@ class ActiveStorage::Blob < ActiveRecord::Base
       ActiveStorage.content_types_allowed_inline.include?(content_type)
     end
 
-    def content_type_for_service_url
-      forcibly_serve_as_binary? ? ActiveStorage.binary_content_type : content_type
-    end
-
-    def forced_disposition_for_service_url
-      if forcibly_serve_as_binary? || !allowed_inline?
-        :attachment
-      end
+    def web_image?
+      ActiveStorage.web_image_content_types.include?(content_type)
     end
 
     def service_metadata
@@ -284,6 +337,10 @@ class ActiveStorage::Blob < ActiveRecord::Base
         { content_type: content_type }
       end
     end
+
+    def update_service_metadata
+      service.update_metadata key, **service_metadata if service_metadata.any?
+    end
 end
 
 ActiveSupport.run_load_hooks :active_storage_blob, ActiveStorage::Blob