RubyGems - phlex-reactive - Versions diffs - 0.2.2 → 0.2.3 - Mend

phlex-reactive 0.2.2 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +15 -0
data/lib/phlex/reactive/component.rb +45 -16
data/lib/phlex/reactive/version.rb +1 -1
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 11c82575cc72017be4f81341c0c2f999d626fe88ed8b81a20cfde246a412fe12
-  data.tar.gz: '0996ececdc33cd2220a7a6517d49d1a59c5c583af891b937f1df32f433189a65'
+  metadata.gz: 5644272b11bc8ff62496e05c81f01a92b1925ffe2b471ab123c05df573ee1343
+  data.tar.gz: 56d13ad853e1b6da4e40e8e239838514171b9e908a59ad6db60f6f4a4b199b0e
 SHA512:
-  metadata.gz: 24b3704443cd08380e30bb2bd4340d266a75a39beb80247a4ba26327a4c6f6429b0017fc94618b4063dc4f00a7a86f49ab88074c008d9be1c2ead0b266b5c8cd
-  data.tar.gz: 4f858ded4f109ce0350603140572b4d9c694acd981785ac1913c0cf4c48630e6927d223073cd89fbb1f6a72e16bf7cea0603079661fff7b80740a4389ccbe732
+  metadata.gz: a489e7a7cdce253735c59c4b5196c52d2051e83f7fb783e7c892cbbd8b9be98934141392d7a84b58b938e80bfd5aba6e4bfe1995888b2b322d232a3fdc207a4a
+  data.tar.gz: b9126364a92d1be370e6db639969803c25936e61910967fe05cac00ce908216dd5fa6f6f2f42f16d3c3c23c813d4e2e1c54614babb96f162f77bd71b6e3a5f6b

data/CHANGELOG.md CHANGED Viewed

@@ -8,6 +8,21 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ### Fixed
+- **Record-backed components silently lost `reactive_state` every action.** When
+  a component declared BOTH `reactive_record` and `reactive_state`, the state
+  branch was dead: `reactive_token` signed only the record GID and
+  `from_identity` rebuilt with only the record — so the listed instance vars
+  (e.g. `attribute`, `editing`) reset to their `initialize` defaults on every
+  action. This broke the documented `inline_edit` example (clicking "edit"
+  couldn't stay in edit mode; `save` wrote the wrong/blank column) and quietly
+  voided the docs' promise that `@attribute` is signed/tamper-proof.
+  `reactive_token` now signs the record GID AND the declared state into one
+  `MessageVerifier` payload, and `from_identity` restores both — record + state
+  are composable, and the state stays tamper-proof. Record-only (`{c, gid}`) and
+  state-only (`{c, s}`) token shapes are unchanged; a signed `false` survives the
+  round trip (only a genuinely absent value falls back to the `initialize`
+  default). No API changes. Closes #6.
 - **Record-backed component built with a different init keyword by the action
   endpoint vs the broadcast path.** The click path (`Component.from_identity`)
   builds with `reactive_record_key` (the `reactive_record :name`), but the

data/lib/phlex/reactive/component.rb CHANGED Viewed

@@ -20,8 +20,12 @@ module Phlex
     #     can neither forge the component class nor swap the record. State =
     #     the database.
     #   * State-backed (record-less, e.g. a counter): reactive_state :count
-    #     signs the listed instance variables. Use only when there is genuinely
-    #     no record to re-find.
+    #     signs the listed instance variables. Use when there is genuinely no
+    #     record to re-find.
+    #   * Both (the inline_edit pattern): reactive_record :record plus
+    #     reactive_state :attribute, :editing signs the record's GlobalID AND
+    #     the transient mode in one token, so "which field / what mode" survives
+    #     every action round trip and stays tamper-proof.
     #
     # Actions are DEFAULT-DENY: only methods declared with `action :name` may be
     # invoked. The signature proves the token is ours, NOT that this user may
@@ -102,17 +106,35 @@ module Phlex
         # Rebuild a component instance from a verified identity payload. Called
         # by the action endpoint after the token signature is verified.
+        #
+        # A component may carry a record (re-found via GlobalID), signed state
+        # (instance vars listed in reactive_state), or BOTH (the inline_edit
+        # pattern: a record plus "which field / what mode"). We assemble the
+        # init kwargs from whichever identity pieces are declared.
         def from_identity(payload)
+          kwargs = {}
           if reactive_record_key
             record = GlobalID::Locator.locate(payload.fetch("gid"))
             raise(ActiveRecord::RecordNotFound, "reactive record missing") unless record
-            new(reactive_record_key => record)
-          else
+            kwargs[reactive_record_key] = record
+          end
+          if reactive_state_keys.any?
             state = payload.fetch("s", {})
-            kwargs = reactive_state_keys.to_h { |k| [k, state[k.to_s]] }.compact
-            new(**kwargs)
+            reactive_state_keys.each do |key|
+              # Use key presence, not the value: a signed `nil` (nullable state)
+              # must round-trip distinctly. Only a genuinely absent key falls
+              # back to the component's initialize default; `false` and `nil`
+              # both survive.
+              next unless state.key?(key.to_s)
+              kwargs[key] = state[key.to_s]
+            end
           end
+          new(**kwargs)
         end
       end
@@ -164,18 +186,25 @@ module Phlex
       private
-      # Signed { c, gid } (record-backed) or { c, s } (state-backed).
+      # Signed identity payload: the class name plus whichever identity pieces
+      # the component declares — a record GlobalID (`gid`), signed state (`s`),
+      # or both. Keeping them in ONE MessageVerifier payload makes the state
+      # (e.g. which column an inline_edit may write) tamper-proof alongside the
+      # record. Record-only ({c, gid}) and state-only ({c, s}) shapes are
+      # unchanged.
       def reactive_token
-        payload =
-          if self.class.reactive_record_key
-            record = instance_variable_get(:"@#{self.class.reactive_record_key}")
-            {"c" => self.class.name, "gid" => record.to_gid.to_s}
-          else
-            state = self.class.reactive_state_keys.to_h do |k|
-              [k.to_s, instance_variable_get(:"@#{k}").as_json]
-            end
-            {"c" => self.class.name, "s" => state}
+        payload = {"c" => self.class.name}
+        if self.class.reactive_record_key
+          record = instance_variable_get(:"@#{self.class.reactive_record_key}")
+          payload["gid"] = record.to_gid.to_s
+        end
+        if self.class.reactive_state_keys.any?
+          payload["s"] = self.class.reactive_state_keys.to_h do |k|
+            [k.to_s, instance_variable_get(:"@#{k}").as_json]
           end
+        end
         Phlex::Reactive.sign(payload)
       end

data/lib/phlex/reactive/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Phlex
   module Reactive
-    VERSION = "0.2.2"
+    VERSION = "0.2.3"
   end
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: phlex-reactive
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.2.3
 platform: ruby
 authors:
 - Mikael Henriksson