quilt_rails 1.10.0 → 1.11.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +31 -31
- data/lib/quilt_rails/header_csrf_strategy.rb +34 -0
- data/lib/quilt_rails/version.rb +1 -1
- data/lib/quilt_rails.rb +1 -0
- metadata +5 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0375ff704f3b5de3a726c3483e1aee2808871d0979a6e4a35f03d490ad5f9c47
|
|
4
|
+
data.tar.gz: 6ccb28ab1d0ac38f149922668ef43acfa5c43811a2b4c683772d28243614d6e9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 6999712f3a0bab58d7e824f2d9caf3570385e613cf77dc7adcc24eda499464a923bcfdbe9fb5caa64c2647448e1d49c89e4e932a6e49d2479cbbc7a6ff42ab0a
|
|
7
|
+
data.tar.gz: 60013d5daf244057e5edf7c21f1fdadc8eefb5ff966fba8754077ae07af0a228f6aa5ea70f962f0af80044e20729af5d2a6ed8e41ec70039520c80d44716e245
|
data/README.md
CHANGED
|
@@ -91,6 +91,9 @@ An application can also be setup manually using the following steps.
|
|
|
91
91
|
#### Install dependencies
|
|
92
92
|
|
|
93
93
|
```sh
|
|
94
|
+
# Add ruby dependencies
|
|
95
|
+
bundle add sewing_kit quilt_rails
|
|
96
|
+
|
|
94
97
|
# Add core Node dependencies
|
|
95
98
|
yarn add @shopify/sewing-kit @shopify/react-server
|
|
96
99
|
|
|
@@ -387,55 +390,50 @@ With SSR enabled React apps, state must be serialized on the server and deserial
|
|
|
387
390
|
|
|
388
391
|
#### Customizing the node server
|
|
389
392
|
|
|
390
|
-
By default, sewing-kit bundles in `@shopify/react-server-webpack-plugin` for `quilt_rails` applications to get apps up and running fast without needing to manually write any node server code.
|
|
393
|
+
By default, sewing-kit bundles in [`@shopify/react-server-webpack-plugin`](../../packages/react-server-webpack-plugin/README.md) for `quilt_rails` applications to get apps up and running fast without needing to manually write any node server code.
|
|
394
|
+
|
|
395
|
+
If what it provides is not sufficient, a completely custom server can be defined by adding a `server.js` or `server.ts` file to the `app/ui` folder. The simplest way to customize the server is to export the object created by [`@shopify/react-server`](../../packages/react-server/README.md#node-usage)'s `createServer` call in `server.ts` file.
|
|
391
396
|
|
|
392
397
|
```
|
|
393
|
-
└──
|
|
398
|
+
└── appeon
|
|
394
399
|
└── ui
|
|
395
400
|
└─- app.{js|ts}x
|
|
396
401
|
└─- index.{js|ts}
|
|
397
402
|
└─- server.{js|ts}x
|
|
398
403
|
```
|
|
399
404
|
|
|
400
|
-
|
|
401
|
-
// app/ui/server.tsx
|
|
402
|
-
import '@shopify/polyfills/fetch';
|
|
403
|
-
import {createServer} from '@shopify/react-server';
|
|
404
|
-
import {Context} from 'koa';
|
|
405
|
-
import React from 'react';
|
|
405
|
+
#### Fixing rejected CSRF tokens for new user sessions
|
|
406
406
|
|
|
407
|
-
|
|
408
|
-
|
|
409
|
-
// The simplest way to build a custom server that will work with this library is to use the APIs provided by @shopify/react-server.
|
|
410
|
-
// https://github.com/Shopify/quilt/blob/master/packages/react-server/README.md#L8
|
|
411
|
-
const app = createServer({
|
|
412
|
-
port: process.env.PORT ? parseInt(process.env.PORT, 10) : 8081,
|
|
413
|
-
ip: process.env.IP,
|
|
414
|
-
assetPrefix: process.env.CDN_URL || 'localhost:8080/assets/webpack',
|
|
415
|
-
render: (ctx, {locale}) => {
|
|
416
|
-
const whatever = /* do something special with the koa context */;
|
|
417
|
-
// any special data we add to the incoming request in our rails controller we can access here to pass into our component
|
|
418
|
-
return <App server someCustomProp={whatever} location={ctx.request.url} locale={locale} />;
|
|
419
|
-
},
|
|
420
|
-
});
|
|
407
|
+
When a React component sends HTTP requests back to a Rails endpoint (e.g., `/graphql`), Rails may throw a `Can't verify CSRF token authenticity` exception. This stems from the Rails CSRF tokens not persisting until after the first `UiController` call ends.
|
|
421
408
|
|
|
422
|
-
|
|
423
|
-
```
|
|
409
|
+
If your API **does not** require session data, the easiest way to deal with this is to use `protect_from_forgery with: :null_session`. This will work for APIs that either have no authentication requirements, or use header based authentication.
|
|
424
410
|
|
|
425
|
-
|
|
411
|
+
##### Example
|
|
412
|
+
|
|
413
|
+
```rb
|
|
414
|
+
class GraphqlController < ApplicationController
|
|
415
|
+
protect_from_forgery with: :null_session
|
|
426
416
|
|
|
427
|
-
|
|
417
|
+
def execute
|
|
418
|
+
# Get GraphQL query, etc
|
|
428
419
|
|
|
429
|
-
|
|
420
|
+
result = MySchema.execute(query, operation_name: operation_name, variables: variables, context: context)
|
|
430
421
|
|
|
431
|
-
|
|
432
|
-
|
|
422
|
+
render(json: result)
|
|
423
|
+
end
|
|
424
|
+
end
|
|
425
|
+
```
|
|
426
|
+
|
|
427
|
+
If your API **does** require session data, you may can use follow the following steps:
|
|
433
428
|
|
|
434
|
-
|
|
429
|
+
- Add an `x-shopify-react-xhr` header to all GraphQL requests with a value of 1 (this is done automatically if you are using `@shopify/react-graphql-universal-provider`)
|
|
430
|
+
- Add a `protect_from_forgery with: Quilt::HeaderCsrfStrategy` override to your controllers
|
|
431
|
+
|
|
432
|
+
##### Example
|
|
435
433
|
|
|
436
434
|
```rb
|
|
437
435
|
class GraphqlController < ApplicationController
|
|
438
|
-
protect_from_forgery with: Quilt::
|
|
436
|
+
protect_from_forgery with: Quilt::HeaderCsrfStrategy
|
|
439
437
|
|
|
440
438
|
def execute
|
|
441
439
|
# Get GraphQL query, etc
|
|
@@ -447,6 +445,8 @@ class GraphqlController < ApplicationController
|
|
|
447
445
|
end
|
|
448
446
|
```
|
|
449
447
|
|
|
448
|
+
-
|
|
449
|
+
|
|
450
450
|
## Performance tracking a React app
|
|
451
451
|
|
|
452
452
|
Using [`Quilt::Performance::Reportable`](#performanceReportable) and [@shopify/react-performance](https://www.npmjs.com/package/@shopify/react-performance) it's easy to add performance tracking to apps using[`sewing_kit`](https://github.com/Shopify/sewing-kit/tree/master/gems/sewing_kit#sewing_kit-) for client-side-rendering or `quilt_rails` for server-side-rendering.
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Quilt
|
|
4
|
+
class HeaderCsrfStrategy
|
|
5
|
+
HEADER = "x-shopify-react-xhr"
|
|
6
|
+
HEADER_VALUE = "1"
|
|
7
|
+
|
|
8
|
+
def initialize(controller)
|
|
9
|
+
@controller = controller
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def handle_unverified_request
|
|
13
|
+
raise NoSameSiteHeaderError unless same_site?
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
private
|
|
17
|
+
|
|
18
|
+
def same_site?
|
|
19
|
+
@controller.request.headers[HEADER] == HEADER_VALUE
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def fallback_handler
|
|
23
|
+
ActionController::RequestForgeryProtection::ProtectionMethods::Exception.new(@controller)
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
class NoSameSiteHeaderError < StandardError
|
|
27
|
+
def initialize
|
|
28
|
+
# rubocop:disable LineLength
|
|
29
|
+
super "CSRF verification failed. This request is missing the `x-shopify-react-xhr` header, or it does not have the expected value."
|
|
30
|
+
# rubocop:enable LineLength
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
data/lib/quilt_rails/version.rb
CHANGED
data/lib/quilt_rails.rb
CHANGED
|
@@ -9,4 +9,5 @@ require "quilt_rails/configuration"
|
|
|
9
9
|
require "quilt_rails/react_renderable"
|
|
10
10
|
require "quilt_rails/performance"
|
|
11
11
|
require "quilt_rails/trusted_ui_server_csrf_strategy"
|
|
12
|
+
require "quilt_rails/header_csrf_strategy"
|
|
12
13
|
require "quilt_rails/monkey_patches/active_support_reloader" if Rails.env.development?
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: quilt_rails
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.11.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Mathew Allen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-03-24 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: railties
|
|
@@ -104,6 +104,7 @@ files:
|
|
|
104
104
|
- lib/quilt_rails.rb
|
|
105
105
|
- lib/quilt_rails/configuration.rb
|
|
106
106
|
- lib/quilt_rails/engine.rb
|
|
107
|
+
- lib/quilt_rails/header_csrf_strategy.rb
|
|
107
108
|
- lib/quilt_rails/logger.rb
|
|
108
109
|
- lib/quilt_rails/monkey_patches/active_support_reloader.rb
|
|
109
110
|
- lib/quilt_rails/performance.rb
|
|
@@ -121,7 +122,8 @@ files:
|
|
|
121
122
|
homepage: https://github.com/Shopify/quilt/tree/master/gems/quilt_rails
|
|
122
123
|
licenses:
|
|
123
124
|
- MIT
|
|
124
|
-
metadata:
|
|
125
|
+
metadata:
|
|
126
|
+
allowed_push_host: https://rubygems.org
|
|
125
127
|
post_install_message:
|
|
126
128
|
rdoc_options: []
|
|
127
129
|
require_paths:
|