quilt_rails 1.10.0 → 1.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: f4580b1b1870a7fb2afa9bc64bab975e8ec3c7041f775de16356d31151ab4768
4
- data.tar.gz: 8914278b57d9bb8bad32c33c2e9697289073fe80576248b08bfe60f0b6f2536d
3
+ metadata.gz: 0375ff704f3b5de3a726c3483e1aee2808871d0979a6e4a35f03d490ad5f9c47
4
+ data.tar.gz: 6ccb28ab1d0ac38f149922668ef43acfa5c43811a2b4c683772d28243614d6e9
5
5
  SHA512:
6
- metadata.gz: e908b7d01e781f43ccf9c3a21d595aef8fffb612fe5da76d29f1cbef9a635ef5cbd8b8b29e6e9cbd8a9bdf170ac7fbabe7a4e0c8880a3bd81a90fde2d2da5a03
7
- data.tar.gz: 66fe45a859a30dde3a31e76563cb6d5ef5c0d6621f9127cb1a41c270dde190b47227a5d31bcca81bdb26098e172a67e811d7c58c551a74fa8b7d6d8e0d1968bb
6
+ metadata.gz: 6999712f3a0bab58d7e824f2d9caf3570385e613cf77dc7adcc24eda499464a923bcfdbe9fb5caa64c2647448e1d49c89e4e932a6e49d2479cbbc7a6ff42ab0a
7
+ data.tar.gz: 60013d5daf244057e5edf7c21f1fdadc8eefb5ff966fba8754077ae07af0a228f6aa5ea70f962f0af80044e20729af5d2a6ed8e41ec70039520c80d44716e245
data/README.md CHANGED
@@ -91,6 +91,9 @@ An application can also be setup manually using the following steps.
91
91
  #### Install dependencies
92
92
 
93
93
  ```sh
94
+ # Add ruby dependencies
95
+ bundle add sewing_kit quilt_rails
96
+
94
97
  # Add core Node dependencies
95
98
  yarn add @shopify/sewing-kit @shopify/react-server
96
99
 
@@ -387,55 +390,50 @@ With SSR enabled React apps, state must be serialized on the server and deserial
387
390
 
388
391
  #### Customizing the node server
389
392
 
390
- By default, sewing-kit bundles in `@shopify/react-server-webpack-plugin` for `quilt_rails` applications to get apps up and running fast without needing to manually write any node server code. If what it provides is not sufficient, a custom server can be defined by adding a `server.js` or `server.ts` file to the app folder.
393
+ By default, sewing-kit bundles in [`@shopify/react-server-webpack-plugin`](../../packages/react-server-webpack-plugin/README.md) for `quilt_rails` applications to get apps up and running fast without needing to manually write any node server code.
394
+
395
+ If what it provides is not sufficient, a completely custom server can be defined by adding a `server.js` or `server.ts` file to the `app/ui` folder. The simplest way to customize the server is to export the object created by [`@shopify/react-server`](../../packages/react-server/README.md#node-usage)'s `createServer` call in `server.ts` file.
391
396
 
392
397
  ```
393
- └── app
398
+ └── appeon
394
399
  └── ui
395
400
  └─- app.{js|ts}x
396
401
  └─- index.{js|ts}
397
402
  └─- server.{js|ts}x
398
403
  ```
399
404
 
400
- ```tsx
401
- // app/ui/server.tsx
402
- import '@shopify/polyfills/fetch';
403
- import {createServer} from '@shopify/react-server';
404
- import {Context} from 'koa';
405
- import React from 'react';
405
+ #### Fixing rejected CSRF tokens for new user sessions
406
406
 
407
- import App from './app';
408
-
409
- // The simplest way to build a custom server that will work with this library is to use the APIs provided by @shopify/react-server.
410
- // https://github.com/Shopify/quilt/blob/master/packages/react-server/README.md#L8
411
- const app = createServer({
412
- port: process.env.PORT ? parseInt(process.env.PORT, 10) : 8081,
413
- ip: process.env.IP,
414
- assetPrefix: process.env.CDN_URL || 'localhost:8080/assets/webpack',
415
- render: (ctx, {locale}) => {
416
- const whatever = /* do something special with the koa context */;
417
- // any special data we add to the incoming request in our rails controller we can access here to pass into our component
418
- return <App server someCustomProp={whatever} location={ctx.request.url} locale={locale} />;
419
- },
420
- });
407
+ When a React component sends HTTP requests back to a Rails endpoint (e.g., `/graphql`), Rails may throw a `Can't verify CSRF token authenticity` exception. This stems from the Rails CSRF tokens not persisting until after the first `UiController` call ends.
421
408
 
422
- export default app;
423
- ```
409
+ If your API **does not** require session data, the easiest way to deal with this is to use `protect_from_forgery with: :null_session`. This will work for APIs that either have no authentication requirements, or use header based authentication.
424
410
 
425
- #### Fixing rejected CSRF tokens for new user sessions
411
+ ##### Example
412
+
413
+ ```rb
414
+ class GraphqlController < ApplicationController
415
+ protect_from_forgery with: :null_session
426
416
 
427
- If a React component calls back to a Rails endpoint (e.g., `/graphql`), Rails may throw a `Can't verify CSRF token authenticity` exception. This stems from the Rails CSRF tokens not persisting until after the first `UiController` call ends.
417
+ def execute
418
+ # Get GraphQL query, etc
428
419
 
429
- To fix this:
420
+ result = MySchema.execute(query, operation_name: operation_name, variables: variables, context: context)
430
421
 
431
- - Add an `X-Shopify-Server-Side-Rendered: 1` header to all server-side GraphQL requests
432
- - Add a `protect_from_forgery with: Quilt::TrustedUiServerCsrfStrategy` override to Node-accessed controllers
422
+ render(json: result)
423
+ end
424
+ end
425
+ ```
426
+
427
+ If your API **does** require session data, you may can use follow the following steps:
433
428
 
434
- e.g.:
429
+ - Add an `x-shopify-react-xhr` header to all GraphQL requests with a value of 1 (this is done automatically if you are using `@shopify/react-graphql-universal-provider`)
430
+ - Add a `protect_from_forgery with: Quilt::HeaderCsrfStrategy` override to your controllers
431
+
432
+ ##### Example
435
433
 
436
434
  ```rb
437
435
  class GraphqlController < ApplicationController
438
- protect_from_forgery with: Quilt::TrustedUiServerCsrfStrategy
436
+ protect_from_forgery with: Quilt::HeaderCsrfStrategy
439
437
 
440
438
  def execute
441
439
  # Get GraphQL query, etc
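Review bot: the new `Quilt::HeaderCsrfStrategy` guidance is missing its precondition: swapping token verification for a check that `x-shopify-react-xhr` equals `1` is only safe while cross-origin pages cannot send that header, so the README should state that the application must never list it in a CORS `Access-Control-Allow-Headers` response for an untrusted origin (a custom request header forces a browser preflight, and the refusal of that preflight is what makes the header prove a same-origin script sent the request). Two smaller points in the same hunk: the directory tree now reads `└── appeon` where the removed line read `└── app`, which looks like an accidental edit, and `If your API **does** require session data, you may can use follow the following steps:` should read `... you can follow these steps:`. The prose also says to add `server.js` or `server.ts` while the tree shows `server.{js|ts}x`; pick one so the two agree.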
@@ -447,6 +445,8 @@ class GraphqlController < ApplicationController
447
445
  end
448
446
  ```
449
447
 
448
+ -
449
+
450
450
  ## Performance tracking a React app
451
451
 
452
452
  Using [`Quilt::Performance::Reportable`](#performanceReportable) and [@shopify/react-performance](https://www.npmjs.com/package/@shopify/react-performance) it's easy to add performance tracking to apps using[`sewing_kit`](https://github.com/Shopify/sewing-kit/tree/master/gems/sewing_kit#sewing_kit-) for client-side-rendering or `quilt_rails` for server-side-rendering.
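Review bot: the added `-` line and the blank line after it leave an empty bullet item in the README immediately before `## Performance tracking a React app`; drop both lines or fill the item in.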
@@ -0,0 +1,34 @@
1
+ # frozen_string_literal: true
2
+
3
+ module Quilt
4
+ class HeaderCsrfStrategy
5
+ HEADER = "x-shopify-react-xhr"
6
+ HEADER_VALUE = "1"
7
+
8
+ def initialize(controller)
9
+ @controller = controller
10
+ end
11
+
12
+ def handle_unverified_request
13
+ raise NoSameSiteHeaderError unless same_site?
14
+ end
15
+
16
+ private
17
+
18
+ def same_site?
19
+ @controller.request.headers[HEADER] == HEADER_VALUE
20
+ end
21
+
22
+ def fallback_handler
23
+ ActionController::RequestForgeryProtection::ProtectionMethods::Exception.new(@controller)
24
+ end
25
+
26
+ class NoSameSiteHeaderError < StandardError
27
+ def initialize
28
+ # rubocop:disable LineLength
29
+ super "CSRF verification failed. This request is missing the `x-shopify-react-xhr` header, or it does not have the expected value."
30
+ # rubocop:enable LineLength
31
+ end
32
+ end
33
+ end
34
+ end
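Review bot: `fallback_handler` is defined but never called, so the `ActionController::RequestForgeryProtection::ProtectionMethods::Exception` instance it builds is dead code; either remove it or have `handle_unverified_request` delegate to `fallback_handler.handle_unverified_request` when the header is absent, so a missing header produces the same `ActionController::InvalidAuthenticityToken` behaviour as Rails' standard `:exception` strategy instead of a bespoke `NoSameSiteHeaderError`. `same_site?` is also a misleading name: the check establishes that a script supplied a custom header, not that the request is same-site, so a name such as `react_xhr_header?` would describe what it tests. Since the header check is the only thing standing between this strategy and an unverified state-changing request, the class should carry a comment stating the assumption that `x-shopify-react-xhr` is never exposed through CORS to untrusted origins.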
@@ -1,4 +1,4 @@
1
1
  # frozen_string_literal: true
2
2
  module Quilt
3
- VERSION = "1.10.0"
3
+ VERSION = "1.11.1"
4
4
  end
data/lib/quilt_rails.rb CHANGED
@@ -9,4 +9,5 @@ require "quilt_rails/configuration"
9
9
  require "quilt_rails/react_renderable"
10
10
  require "quilt_rails/performance"
11
11
  require "quilt_rails/trusted_ui_server_csrf_strategy"
12
+ require "quilt_rails/header_csrf_strategy"
12
13
  require "quilt_rails/monkey_patches/active_support_reloader" if Rails.env.development?
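Review bot: `quilt_rails/trusted_ui_server_csrf_strategy` is still required here next to the new `quilt_rails/header_csrf_strategy`, while the README hunk above removed every mention of `Quilt::TrustedUiServerCsrfStrategy` and the `X-Shopify-Server-Side-Rendered: 1` header; if the old strategy is kept for compatibility, say so in the README with a deprecation note, otherwise drop the require and the file so that only one documented strategy remains.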
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: quilt_rails
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.10.0
4
+ version: 1.11.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mathew Allen
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2020-01-30 00:00:00.000000000 Z
11
+ date: 2020-03-24 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: railties
@@ -104,6 +104,7 @@ files:
104
104
  - lib/quilt_rails.rb
105
105
  - lib/quilt_rails/configuration.rb
106
106
  - lib/quilt_rails/engine.rb
107
+ - lib/quilt_rails/header_csrf_strategy.rb
107
108
  - lib/quilt_rails/logger.rb
108
109
  - lib/quilt_rails/monkey_patches/active_support_reloader.rb
109
110
  - lib/quilt_rails/performance.rb
@@ -121,7 +122,8 @@ files:
121
122
  homepage: https://github.com/Shopify/quilt/tree/master/gems/quilt_rails
122
123
  licenses:
123
124
  - MIT
124
- metadata: {}
125
+ metadata:
126
+ allowed_push_host: https://rubygems.org
125
127
  post_install_message:
126
128
  rdoc_options: []
127
129
  require_paths: