angular_rails_csrf 6.0.0 → 7.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fd1f93c61de73220bcc0827bc1b460b0fd4440f5ec8597b01687aa2e0d50800e
-  data.tar.gz: 0a0133f2183e46d61798a0501ce8ebff0c43310210c8fdd245b8436289e10756
+  metadata.gz: 93c2203c523539847ce011752c0a50ba0662f1f05aef215343ad3dd8f576cf2c
+  data.tar.gz: 19031ae6c4b9c5c9f4fcfdeadeb0853c7cc4c0fcd592768b833b06447d3ffdfe
 SHA512:
-  metadata.gz: fff212dd32057d2b57b26331d859354c4e969593e8e03901d8d002ac112b11694a04d47bd8432d4bd7e90ad52d1a3b14ec150e26d297f714891fab72c42a9b6a
-  data.tar.gz: d126f472156857b4b7460514de8fffe786ee697caee3835059bf8794cfbc5344e1c8c7473312fdb53bed369cf1622950f3b08f3c6acd7d70da009483d8e9e37e
+  metadata.gz: 9a4a6a941ccb94e0cdcd18b51db96c3efccf2beecaec88a105cd88a377cf8e1700c92cfb9ba555f86cb0f24452ce80c299154cf2704356da37ab240482270e44
+  data.tar.gz: 02431a3ecc99795abcd1d827cb3c1d058e285c12ccb2d3ecb4aa6f788cca4a9cf0e4796f516792aebacdd5d49047d8b077d8900ce4c154c74d420bac6225bb69

data/CHANGELOG.md

@@ -0,0 +1,125 @@
+# Changelog
+
+## 7.0.1 (11-May-25)
+
+* Test with Ruby 3.4
+* Repo moved
+* Add deprecation message
+
+## 7.0.0 (12-Nov-24)
+
+* **Breaking change**: require Ruby 3.2+. If you need support for older Rubies, stay on version 6
+* Set Railties dependency to `< 9`
+* Test with Rails 8
+* Do not test with Ruby 3.0 and 3.1
+
+## 6.0.0 (14-Nov-23)
+
+* **Breaking change**: drop support for Ruby < 3. If you need to support older Rubies, stay on v5. If you'd like to support *even older stuff*, v4.5.0 is your choice as it plays nicely with Rails 5.1 and Ruby 2.5.
+* Test only with Rails 7
+* Fix some failing tests, minor tweaks
+
+## 5.0.0 (14-Dec-21)
+
+* Add support for Rails 7.
+* Test against Rails 6.1 and Rails 7.0.
+* Test against Ruby 3.0.
+* Rails 5.1 is not supported officially anymore (but should still work fine).
+* Ruby < 2.7 is not supported anymore (has reached end of life) but should still work.
+
+## 4.5.0 (21-Sep-20)
+
+* Added a new [`HttpOnly` option](https://github.com/jsanders/angular_rails_csrf#httponly-cookie) (thanks, [@Lubo-mir](https://github.com/Lubo-mir))
+* Introduced some code refactorings
+
+## 4.4.0 (04-Aug-20)
+
+* Make the gem play nicely with controllers that do not have `protect_against_forgery?` method defined — for example, certain Doorkeeper controllers (thanks, [@amenz](https://github.com/amenz))
+* Updated dependencies and cops
+
+## 4.3.0 (18-May-20)
+
+* Ruby version 2.4 is no longer officially supported (though it still should work) - this is also due to the fact that [v2.4 is abanoded by Ruby core team as well](https://www.ruby-lang.org/en/news/2020/04/05/support-of-ruby-2-4-has-ended/). Required Ruby version is now 2.5+ according to [version compatibility](https://github.com/jsanders/angular_rails_csrf/wiki/Version-Compatibility).
+* Dropped backwards compatibility with older versions of Rails (v4 and below). [If you require Rails 4 support, use angular_rails_csrf v3]((https://github.com/jsanders/angular_rails_csrf/wiki/Version-Compatibility)).
+* Increased test coverage up to 100%.
+
+## 4.2.0 (31-Mar-20)
+
+* Added a new [`angular_rails_csrf_same_site` option](https://github.com/jsanders/angular_rails_csrf#samesite) which defaults to `:lax` (thanks, [@timobleeker](https://github.com/timobleeker))
+  + This option is introduced to comply with the latest changes: https://www.chromium.org/updates/same-site
+* Update cops
+
+## 4.1.0 (03-Feb-20)
+
+* Added a new [`angular_rails_csrf_secure` option](https://github.com/jsanders/angular_rails_csrf#secure-cookie) (thanks, [@DougKeller](https://github.com/DougKeller))
+* Tested against Ruby 2.7
+
+## 4.0.1 (23-Dec-19)
+
+* Updated dependencies, tested against more recent Rubies and Rails
+* Updated Gemfile for Bundler 2
+* Added Rubocop and SimpleCov
+
+## 4.0.0 (20-Aug-19)
+
+Updated:
+* Added support for Rails 6.0
+* Drop support for Rails 4
+
+## 3.2.0
+
+New feature:
+* Allow cookie's name to be customized (thanks, [@timobleeker](https://github.com/timobleeker))
+
+## 3.1.0
+
+Updated:
+* Added support for Rails 5.2.0
+
+Testing:
+* Tested against more recent Ruby/Rails versions
+
+## 3.0.0
+
+New feature:
+* Allow cookie domain to be set via `Rails.application.config` (thanks, [@gingermusketeer](https://github.com/gingermusketeer))
+
+Updated:
+* Dropped support for Rails < 4
+* Dropped official support for Ruby 2.2 though it should still work
+
+Testing:
+* Test against more recent versions of Ruby and Rails
+
+## 2.1.1
+
+Updated:
+* Added support for Rails 5.1.1
+
+Testing:
+* Test against more recent versions of Ruby
+* Test against Rails 5.1.1
+
+## 2.1.0
+
+Updated:
+* Added support for Rails 5.1
+
+Testing improvements:
+* Tested against Rails 5.1
+* Tested against Ruby 2.4.0
+* We are no longer testing against Rails < 4.2
+
+## 2.0.0
+
+**Breaking changes:**
+* Revert to `after_action` again (fixes [issues with Devise](https://github.com/jsanders/angular_rails_csrf/issues/17) and similar solutions)
+* Introduced a new `exclude_xsrf_token_cookie` class method to exclude setting CSRF token for certain controllers. This is done to take care of [problems with streaming](https://github.com/jsanders/angular_rails_csrf/issues/7).
+
+Updated:
+* Added support for Rails 5
+* `rails` dependency changed to `railties`
+
+Testing improvements:
+* Tested against Rails 5
+* Tested against Ruby 2.2.5 and 2.3.0

data/LICENSE.md

@@ -0,0 +1,20 @@
+Copyright 2024 James Sanders, Ilya Krukowski
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -1,16 +1,32 @@
 ## AngularJS-style CSRF Protection for Rails
 
 ![Gem](https://img.shields.io/gem/v/angular_rails_csrf)
-![CI](https://github.com/jsanders/angular_rails_csrf/actions/workflows/ci.yml/badge.svg)
+![CI](https://github.com/bodrovis/angular_rails_csrf/actions/workflows/ci.yml/badge.svg)
 ![Downloads total](https://img.shields.io/gem/dt/angular_rails_csrf)
 
+**Deprecation notice (2025)**
+
+James and then me (@bodrovis) have been supporting this gem since 2013. It has been downloaded more than 10 million times and we're glad you guys found it useful. However, after discussing privately we've decided to put angular_rails_csrf under passive maintenance starting from June 2025.
+
+In modern frontend–backend architectures (e.g., Angular, React, Vue + Rails APIs), CSRF protection is typically handled via token-based authentication (JWT, OAuth) and not via CSRF cookies. This gem remains relevant only for Rails monoliths that:
+
+- Use cookie-based session auth
+- Serve frontend via Rails
+- Expect `XSRF-TOKEN` / `X-XSRF-TOKEN` pattern
+
+If you're actively using this gem and want to see it maintained or enhanced, please [open an issue](https://github.com/bodrovis/angular_rails_csrf/issues) describing your use case.
+
+Otherwise, this project may be archived in late 2025 or 2026. Thank you!
+
+---
+
 The AngularJS [ng.$http](http://docs.angularjs.org/api/ng.$http) service has built-in CSRF protection. By default, it looks for a cookie named `XSRF-TOKEN` and, if found, writes its value into an `X-XSRF-TOKEN` header, which the server compares with the CSRF token saved in the user's session.
 
 This project adds direct support for this scheme to your Rails application without requiring any changes to your AngularJS application. It also doesn't require the use of `csrf_meta_tags` to write a CSRF token into your page markup, so it works for pure JSON API applications.
 
 Note that there is nothing AngularJS specific here, and this will work with any other front-end that implements the same scheme.
 
-Check [version compatibility](https://github.com/jsanders/angular_rails_csrf/wiki/Version-Compatibility) to learn which Rails/Rubies are currently supported.
+Check [version compatibility](https://github.com/bodrovis/angular_rails_csrf/wiki/Version-Compatibility) to learn which Rails/Rubies are currently supported.
 
 ## Installation
 
@@ -102,7 +118,7 @@ end
 
 ### Exclusions
 
-Sometimes you will want to skip setting the XSRF token for certain controllers (for example, when using SSE or ActionCable, as discussed [here](https://github.com/jsanders/angular_rails_csrf/issues/7)):
+Sometimes you will want to skip setting the XSRF token for certain controllers (for example, when using SSE or ActionCable, as discussed [here](https://github.com/bodrovis/angular_rails_csrf/issues/7)):
 
 ```ruby
 class ExclusionsController < ApplicationController
@@ -128,4 +144,4 @@ $ rake test
 
 ## License
 
-Licensed under the [MIT License](https://github.com/jsanders/angular_rails_csrf/blob/master/LICENSE).
+Licensed under the [MIT License](https://github.com/bodrovis/angular_rails_csrf/blob/master/LICENSE.md).

data/lib/angular_rails_csrf/concern.rb

@@ -42,6 +42,8 @@ module AngularRailsCsrf
     # Fetches the given option from config
     # If the option is not set, return a default value
     def option_from(config, option, default = nil)
+      return default if config.nil?
+
       config.respond_to?(option) ? config.send(option) : default
     end
 

data/lib/angular_rails_csrf/railtie.rb

@@ -9,5 +9,16 @@ module AngularRailsCsrf
         include AngularRailsCsrf::Concern
       end
     end
+
+    initializer 'angular-rails-csrf.deprecation_notice' do |_app|
+      unless Rails.env.test? || ENV['ANGULAR_RAILS_CSRF_SILENCE']
+        AngularRailsCsrf.deprecator.warn(
+          '[angular_rails_csrf] This gem is under passive maintenance and may be sunset in the future. ' \
+          'Open an issue if you rely on it and want it to live on: ' \
+          'https://github.com/bodrovis/angular_rails_csrf/issues. ' \
+          'Set ANGULAR_RAILS_CSRF_SILENCE to silence this warning.'
+        )
+      end
+    end
   end
 end

data/lib/angular_rails_csrf/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AngularRailsCsrf
-  VERSION = '6.0.0'
+  VERSION = '7.0.1'
 end

data/lib/angular_rails_csrf.rb

@@ -1,3 +1,9 @@
 # frozen_string_literal: true
 
 require 'angular_rails_csrf/railtie'
+
+module AngularRailsCsrf
+  def self.deprecator
+    @deprecator ||= ActiveSupport::Deprecation.new('7.0', 'angular_rails_csrf')
+  end
+end

metadata

@@ -1,15 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: angular_rails_csrf
 version: !ruby/object:Gem::Version
-  version: 6.0.0
+  version: 7.0.1
 platform: ruby
 authors:
 - James Sanders
 - Ilya Krukowski
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-14 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -20,7 +19,7 @@ dependencies:
         version: '3'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8'
+        version: '9'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -30,7 +29,7 @@ dependencies:
         version: '3'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '8'
+        version: '9'
 description: AngularJS style CSRF protection for Rails
 email:
 - sanderjd@gmail.com
@@ -39,18 +38,20 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG.md
+- LICENSE.md
 - README.md
 - Rakefile
 - lib/angular_rails_csrf.rb
 - lib/angular_rails_csrf/concern.rb
 - lib/angular_rails_csrf/railtie.rb
 - lib/angular_rails_csrf/version.rb
-homepage: https://github.com/jsanders/angular_rails_csrf
+homepage: https://github.com/bodrovis/angular_rails_csrf
 licenses:
 - MIT
 metadata:
   rubygems_mfa_required: 'true'
-post_install_message:
+  deprecation_warning: Passive maintenance; may be sunset in 2025-2026. See README.
 rdoc_options: []
 require_paths:
 - lib
@@ -58,15 +59,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3.0'
+      version: '3.2'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.21
-signing_key:
+rubygems_version: 3.6.8
 specification_version: 4
 summary: Support for AngularJS $http service style CSRF protection in Rails
 test_files: []