fivo_cookie_consent 0.2.0

data/README.md

@@ -0,0 +1,524 @@
+# fivo_cookie_consent
+
+GDPR cookie-banner for Rails 7 (esbuild/jsbundling).
+
+A minimal, opinionated GDPR cookie consent banner for Rails 7 projects using esbuild + jsbundling-rails + sass. Designed specifically for German-only audiences without I18n complexity.
+
+## Features
+
+- 🚀 **Rails Engine** - Auto-mounted routes, views, and helpers
+- 📱 **Responsive Design** - Mobile-first with desktop optimization
+- 🎨 **Modern UI** - Clean design with WCAG-AA contrast compliance  
+- 🛠 **Configurable** - Customize labels, URLs, and cookie lifespan
+- 📦 **localStorage** - Persistent consent storage with expiration
+- 🎯 **Event-driven** - Custom events for analytics integration
+- ♿ **Accessible** - Full keyboard navigation and screen reader support
+- 🧪 **Well-tested** - Comprehensive RSpec + Capybara test suite
+- 🔍 **Auto-Detection** - Automatically detects and categorizes cookies (client-side)
+- 🛡️ **Server-Side Cookies** - Detects HttpOnly Rails session/CSRF cookies on the server and merges them client-side so users always see *all* cookies
+- 📋 **Expandable Lists** - Collapsible cookie details with name, duration, and description
+- 🚫 **Empty State Handling** - Graceful handling of categories with no cookies
+- ⚙️ **Script Loaders** - Consent-gated loading for GTM, GA4, reCAPTCHA, Hotjar, and Facebook Pixel
+- 🧩 **Extensible API** - Ruby API and JS facade for registering and loading custom third-party scripts
+
+## Installation
+
+### From RubyGems (when published)
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'fivo_cookie_consent'
+```
+
+And then execute:
+
+```bash
+bundle add fivo_cookie_consent
+```
+
+### From GitLab Repository (current)
+
+To use the latest version directly from GitLab, add this to your Gemfile:
+
+```ruby
+# GDPR Cookie Consent
+gem 'fivo_cookie_consent', git: 'https://gitlab.com/fivo/fivo_cookie_consent.git'
+```
+
+Or specify a branch/tag:
+
+```ruby
+# Use main branch (recommended)
+gem 'fivo_cookie_consent', git: 'https://gitlab.com/fivo/fivo_cookie_consent.git', branch: 'main'
+
+# Or use a specific tag
+gem 'fivo_cookie_consent', git: 'https://gitlab.com/fivo/fivo_cookie_consent.git', tag: 'v0.1.0'
+```
+
+Then execute:
+
+```bash
+bundle install
+```
+
+Run the generator to install required files:
+
+```bash
+rails generate fivo_cookie_consent:install
+```
+
+### Manual Setup
+
+After running the generator, add the imports to your bundler files:
+
+**app/javascript/application.js**
+```javascript
+import "./fivo_cookie_consent"
+```
+
+**app/assets/stylesheets/application.scss**
+```scss
+@use "fivo_cookie_consent";
+```
+
+## Usage
+
+Add the cookie banner to your layout before the closing `</body>` tag:
+
+```erb
+<!-- app/views/layouts/application.html.erb -->
+<%= gdpr_cookie_banner %>
+```
+
+The helper injects a `data-server-cookies` attribute containing a JSON string of HttpOnly cookies detected on the server (Rails session, CSRF token, etc.).
+
+**Important:** Do **not** mark this JSON as `html_safe`. The gem’s helper already escapes it correctly—see `server_cookies_json`—so the string remains valid markup and can be parsed on the client with `JSON.parse()`.
+
+The banner will automatically appear for new visitors and hide once consent is given.
+
+### Step 1: Add the banner and assets
+
+1. Ensure you have imported the JS and SCSS as shown in the "Manual Setup" section.
+2. Add `<%= gdpr_cookie_banner %>` once in your main layout, typically `app/views/layouts/application.html.erb`, just before `</body>`.
+
+### Step 2: Choose how to load analytics/marketing scripts
+
+You have two primary integration modes:
+
+1. **Strict lazy-load** – third-party scripts are not loaded at all until the user has given consent for the relevant category.
+2. **Google Consent Mode pre-load** – GTM/GA4 are loaded immediately but with storage denied by default; consent updates are forwarded to Consent Mode.
+
+#### Option A: Strict lazy-load for GTM/GA4
+
+Add consent-gated placeholders to your `<head>` using `gdpr_lazy_load_tag`:
+
+```erb
+<!-- app/views/layouts/application.html.erb -->
+<head>
+  <title>My App</title>
+
+  <%# Strict lazy-load: scripts are only loaded after consent %>
+  <%= gdpr_lazy_load_tag(:gtm, id: 'GTM-XXXX') %>
+  <%= gdpr_lazy_load_tag(:ga4, id: 'G-XXXXXXX') %>
+
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+</head>
+```
+
+What this does:
+
+- Renders `<script type="text/plain" data-gdpr-category="analytics" ...>` placeholders.
+- The gem’s JavaScript turns these placeholders into real `<script>` tags **only if** the user has granted consent for the `analytics` category.
+- Works with both "Accept all" and granular settings in the modal.
+
+#### Option B: Google Consent Mode pre-load for GTM/GA4
+
+If you want to use Google Consent Mode, call `gdpr_consent_mode_defaults` **before** your GTM/GA scripts, then still lazy-load the actual script tags so that they only execute when appropriate:
+
+```erb
+<!-- app/views/layouts/application.html.erb -->
+<head>
+  <title>My App</title>
+
+  <%# 1) Set Consent Mode defaults and wire gdpr:accept/decline events %>
+  <%= gdpr_consent_mode_defaults(functionality: true, security: true) %>
+
+  <%# 2) Load GA4 + GTM via consent-gated placeholders %>
+  <%= gdpr_lazy_load_tag(:ga4, id: 'G-XXXXXXX') %>
+  <%= gdpr_lazy_load_tag(:gtm, id: 'GTM-XXXX') %>
+
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+</head>
+```
+
+What this does:
+
+- Defines `window.dataLayer` and a `gtag` helper.
+- Sets initial Consent Mode defaults (analytics/marketing denied until consent).
+- Listens to `gdpr:accept` and `gdpr:decline` events and forwards category choices to Google Consent Mode.
+- Uses the same lazy-load placeholders under the hood so GTM/GA only start working when consent is present.
+
+### Step 3: Register custom scripts
+
+You can register additional scripts (e.g., Hotjar, reCAPTCHA, custom trackers) in your initializer and then load them with `gdpr_lazy_load_tag`:
+
+```ruby
+# config/initializers/fivo_cookie_consent.rb
+RailsCookiesGdpr.configure do |config|
+  # existing options ...
+end
+
+# Register custom scripts (using the FivoCookieConsent API)
+RailsCookiesGdpr.register_script(:hotjar, category: :analytics)
+RailsCookiesGdpr.register_script(:recaptcha, category: :functional)
+RailsCookiesGdpr.register_script(
+  :adroll,
+  category: :marketing,
+  src: 'https://example-cdn.com/adroll.js',
+  async: true
+)
+```
+
+Then, in your layout or views:
+
+```erb
+<%= gdpr_lazy_load_tag(:hotjar, src: 'https://static.hotjar.com/c/hotjar-XXXX.js') %>
+
+<%= gdpr_lazy_load_tag(:recaptcha, src: 'https://www.google.com/recaptcha/api.js', async: true, defer: true) %>
+
+<%= gdpr_lazy_load_tag(:adroll) %>
+```
+
+The gem ensures these scripts are only executed once the corresponding category (`analytics`, `functional`, `marketing`, etc.) has been granted.
+
+## Configuration
+
+Edit the generated initializer to customize labels and settings:
+
+```ruby
+# config/initializers/fivo_cookie_consent.rb
+RailsCookiesGdpr.configure do |config|
+  config.analytics_label   = 'Analyse-Cookies'
+  config.marketing_label   = 'Marketing-Cookies'  
+  config.functional_label  = 'Präferenz-Cookies'
+  config.privacy_url       = '/datenschutz'
+  config.cookie_lifespan   = 365 # days
+  
+  # Optional: Customize cookie patterns for auto-detection
+  config.cookie_patterns = {
+    necessary: [/^_session_/, /^csrf_token/, /^authenticity_token/],
+    analytics: [/^_ga/, /^_gid/, /^_gat/, /^_gtag/],
+    marketing: [/^_fbp/, /^_fbc/, /^fr$/],
+    functional: [/^_locale/, /^language/, /^theme/]
+  }
+end
+```
+
+### Configuration Options
+
+All configuration settings are optional and have sensible defaults. The generator creates an initializer with all available options:
+
+| Option | Default | Description |
+|--------|---------|-------------|
+| `analytics_label` | `'Analyse-Cookies'` | Display label for analytics cookie category in the banner |
+| `marketing_label` | `'Marketing-Cookies'` | Display label for marketing cookie category in the banner |
+| `functional_label` | `'Präferenz-Cookies'` | Display label for functional cookie category in the banner |
+| `privacy_url` | `'/datenschutz'` | URL path to your privacy policy page (linked from banner) |
+| `cookie_lifespan` | `365` | Number of days until user consent expires and banner reappears |
+| `cookie_patterns` | See below | Hash of regex patterns for automatically categorizing detected cookies |
+
+#### Setting Details
+
+**Labels (`analytics_label`, `marketing_label`, `functional_label`)**
+- Control the text displayed for each cookie category in the banner
+- Should match your site's language (currently German-focused)
+- Used in both the quick banner and detailed settings modal
+
+**Privacy URL (`privacy_url`)**
+- Must be a valid route in your Rails application
+- Banner includes a "Privacy Policy" link pointing to this URL
+- Commonly `/datenschutz`, `/privacy`, or `/impressum`
+
+**Cookie Lifespan (`cookie_lifespan`)**
+- Controls when the banner reappears for returning users
+- Stored as `savedAt` timestamp in localStorage
+- Set to `0` to show banner on every visit (not recommended)
+
+**Cookie Patterns (`cookie_patterns`)**
+- Hash with keys: `:necessary`, `:analytics`, `:marketing`, `:functional`
+- Each key contains an array of regular expressions
+- Used to automatically categorize detected cookies
+- See "Automatic Cookie Detection" section below for details
+
+## Automatic Cookie Detection
+
+The gem automatically detects cookies in your application and categorizes them based on configurable patterns. This feature:
+
+- **Scans `document.cookie`** every 2 seconds to detect new cookies
+- **Categorizes cookies** using regular expression patterns
+- **Shows cookie details** in expandable lists with name, duration, and description
+- **Handles empty categories** with appropriate messaging and disabled controls
+- **Development mode** shows an "Uncategorised" section for cookies that don't match any pattern
+
+### Default Cookie Patterns
+
+The gem includes sensible defaults for common cookie patterns:
+
+```ruby
+# Necessary cookies (always enabled)
+necessary: [
+  /^_session_/,     # Rails session cookies
+  /^csrf_token/,    # CSRF protection
+  /^authenticity_token/,
+  /^_rails_/,       # Rails framework cookies
+  /^gdpr_cookie_consent$/  # Our own consent cookie
+]
+
+# Analytics cookies
+analytics: [
+  /^_ga/,           # Google Analytics
+  /^_gid/, /^_gat/, /^_gtag/,
+  /^__utm/,         # Google Analytics UTM
+  /^_dc_gtm_/,      # Google Tag Manager
+  /^_hj/            # Hotjar
+]
+
+# Marketing cookies
+marketing: [
+  /^_fbp/, /^_fbc/, # Facebook Pixel
+  /^fr$/, /^tr$/,   # Facebook tracking
+  /^_pinterest_/,   # Pinterest
+  /^__Secure-3PAPISID/, # Google Ads
+  /^NID$/, /^IDE$/  # Google advertising
+]
+
+# Functional cookies
+functional: [
+  /^_locale/,       # Language preferences
+  /^language/,
+  /^theme/,         # UI preferences
+  /^preferences/,
+  /^_user_settings/
+]
+```
+
+### Customizing Cookie Patterns
+
+You can override or extend the cookie patterns in your initializer:
+
+```ruby
+RailsCookiesGdpr.configure do |config|
+  # Add custom patterns
+  config.cookie_patterns = {
+    necessary: config.default_cookie_patterns[:necessary] + [/^my_app_session/],
+    analytics: [/^custom_analytics_/],
+    marketing: [/^my_marketing_/],
+    functional: [/^user_pref_/]
+  }
+end
+```
+
+## Events
+
+The gem dispatches custom events that you can listen to for integrating with analytics:
+
+```javascript
+// Listen for consent acceptance
+document.addEventListener('gdpr:accept', function(event) {
+  const { categories } = event.detail;
+  // categories = ['analytics', 'marketing', 'functional']
+  
+  if (categories.includes('analytics')) {
+    // Initialize Google Analytics, etc.
+    gtag('consent', 'update', {
+      'analytics_storage': 'granted'
+    });
+  }
+});
+
+// Listen for consent decline
+document.addEventListener('gdpr:decline', function(event) {
+  const { categories } = event.detail;
+  // Handle declined categories
+});
+
+// Listen for any consent change (recommended for most integrations)
+document.addEventListener('gdpr:change', function(event) {
+  const { consent } = event.detail;
+  // consent = { necessary: true, analytics: true/false, marketing: true/false, functional: true/false, savedAt: ... }
+});
+```
+
+### Event Details
+
+- **gdpr:accept** - Fired when categories are accepted
+- **gdpr:decline** - Fired when categories are declined
+- **gdpr:change** - Fired whenever consent is updated (accept all, decline all, or custom settings)
+- `event.detail.categories` - Array of affected category names
+- `event.detail.consent` - Full consent object (for `gdpr:change`)
+
+## Cookie Storage
+
+User consent is stored in localStorage under the key `gdpr_cookie_consent`:
+
+```json
+{
+  "necessary": true,
+  "analytics": true,
+  "marketing": false,
+  "functional": true,
+  "savedAt": "2024-01-15T10:30:00.000Z"
+}
+```
+
+## Accessing Consent Status
+
+You can check consent status from JavaScript.
+
+### Recommended: via the `GDPRConsent` facade
+
+The gem exposes a small JS helper on `window.GDPRConsent` and as an ES module export:
+
+```javascript
+// Get full consent object
+const consent = GDPRConsent.getConsent();
+
+// Check specific category
+if (GDPRConsent.hasConsent('analytics')) {
+  // Load analytics scripts
+}
+
+// Subscribe to changes (fires on accept/decline/save preferences)
+GDPRConsent.on('gdpr:change', (event) => {
+  const { consent } = event.detail;
+  console.log('Updated consent:', consent);
+});
+
+// Open settings programmatically, e.g. from a footer link
+// GDPRConsent.showModal();
+```
+
+### Low-level: direct localStorage access
+
+If you prefer, you can still read the raw localStorage entry yourself:
+
+```javascript
+// Get full consent object
+const consent = JSON.parse(localStorage.getItem('gdpr_cookie_consent'));
+
+// Check specific category
+function hasConsent(category) {
+  const consent = JSON.parse(localStorage.getItem('gdpr_cookie_consent') || '{}');
+  return consent[category] === true;
+}
+
+if (hasConsent('analytics')) {
+  // Load analytics scripts
+}
+
+// Access detected cookies information
+const detectedCookies = window.RailsCookiesGdpr?.detectCookies?.() || {};
+console.log('Current cookies by category:', detectedCookies);
+```
+
+## UI Features
+
+### Expandable Category Rows
+
+Each cookie category can be expanded to show detailed information about detected cookies:
+
+- **Chevron indicators** (▶/▾) show expansion state
+- **Cookie tables** display name, duration, and description
+- **Collapsible interface** keeps the modal clean and focused
+- **No persistence** - expansion state resets on modal close
+
+### Empty State Handling
+
+When no cookies are detected in a category:
+
+- Shows **"Keine Cookies gesetzt"** message
+- **Disables the toggle** with `aria-disabled="true"`
+- **Automatically enables** when cookies are detected
+- **Maintains accessibility** with proper ARIA attributes
+
+### Development Mode
+
+In development environment:
+
+- Shows **"Uncategorised"** section for cookies that don't match any pattern
+- Helps identify new cookies that need pattern rules
+- Hidden in production to avoid user confusion
+
+## Styling
+
+The gem uses a clean, modern design with the following color scheme:
+
+- **Brand Green**: `#1E858B` - Primary buttons and links
+- **Neutral Grey**: `#626465` - Secondary elements and text
+
+### CSS Classes
+
+Key CSS classes for customization:
+
+- `.gdpr-banner` - Main banner container
+- `.gdpr-modal` - Settings modal
+- `.gdpr-banner__btn--primary` - Accept button style
+- `.gdpr-banner__btn--secondary` - Decline button style
+
+## Browser Support
+
+- Chrome 60+
+- Firefox 60+
+- Safari 12+
+- Edge 79+
+
+## Development
+
+After checking out the repo, run:
+
+```bash
+bin/setup
+```
+
+To run the test suite:
+
+```bash
+bundle exec rake spec
+```
+
+To run the dummy app for testing:
+
+```bash
+cd spec/dummy
+rails server
+```
+
+## Contributing
+
+1. Fork the project
+2. Create your feature branch (`git checkout -b feature/amazing-feature`)
+3. Commit your changes (`git commit -m 'Add amazing feature'`)
+4. Push to the branch (`git push origin feature/amazing-feature`)
+5. Open a Pull Request
+
+## Release
+
+To release a new version:
+
+1. Update the version number in `lib/fivo_cookie_consent/version.rb`
+2. Update `CHANGELOG.md` with the new changes
+3. Commit the changes
+4. Run:
+
+```bash
+bundle exec rake release
+```
+
+This will create a git tag, push commits and tags, and publish the gem to RubyGems.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+RuboCop::RakeTask.new
+
+task default: :spec