quilt_rails 1.10.0 → 1.11.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +31 -31
- data/lib/quilt_rails/header_csrf_strategy.rb +34 -0
- data/lib/quilt_rails/version.rb +1 -1
- data/lib/quilt_rails.rb +1 -0
- metadata +5 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 0375ff704f3b5de3a726c3483e1aee2808871d0979a6e4a35f03d490ad5f9c47
|
|
4
|
+
data.tar.gz: 6ccb28ab1d0ac38f149922668ef43acfa5c43811a2b4c683772d28243614d6e9
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 6999712f3a0bab58d7e824f2d9caf3570385e613cf77dc7adcc24eda499464a923bcfdbe9fb5caa64c2647448e1d49c89e4e932a6e49d2479cbbc7a6ff42ab0a
|
|
7
|
+
data.tar.gz: 60013d5daf244057e5edf7c21f1fdadc8eefb5ff966fba8754077ae07af0a228f6aa5ea70f962f0af80044e20729af5d2a6ed8e41ec70039520c80d44716e245
|
data/README.md
CHANGED
|
@@ -91,6 +91,9 @@ An application can also be setup manually using the following steps.
|
|
|
91
91
|
#### Install dependencies
|
|
92
92
|
|
|
93
93
|
```sh
|
|
94
|
+
# Add ruby dependencies
|
|
95
|
+
bundle add sewing_kit quilt_rails
|
|
96
|
+
|
|
94
97
|
# Add core Node dependencies
|
|
95
98
|
yarn add @shopify/sewing-kit @shopify/react-server
|
|
96
99
|
|
|
@@ -387,55 +390,50 @@ With SSR enabled React apps, state must be serialized on the server and deserial
|
|
|
387
390
|
|
|
388
391
|
#### Customizing the node server
|
|
389
392
|
|
|
390
|
-
By default, sewing-kit bundles in `@shopify/react-server-webpack-plugin` for `quilt_rails` applications to get apps up and running fast without needing to manually write any node server code.
|
|
393
|
+
By default, sewing-kit bundles in [`@shopify/react-server-webpack-plugin`](../../packages/react-server-webpack-plugin/README.md) for `quilt_rails` applications to get apps up and running fast without needing to manually write any node server code.
|
|
394
|
+
|
|
395
|
+
If what it provides is not sufficient, a completely custom server can be defined by adding a `server.js` or `server.ts` file to the `app/ui` folder. The simplest way to customize the server is to export the object created by [`@shopify/react-server`](../../packages/react-server/README.md#node-usage)'s `createServer` call in `server.ts` file.
|
|
391
396
|
|
|
392
397
|
```
|
|
393
|
-
└──
|
|
398
|
+
└── appeon
|
|
394
399
|
└── ui
|
|
395
400
|
└─- app.{js|ts}x
|
|
396
401
|
└─- index.{js|ts}
|
|
397
402
|
└─- server.{js|ts}x
|
|
398
403
|
```
|
|
399
404
|
|
|
400
|
-
|
|
401
|
-
// app/ui/server.tsx
|
|
402
|
-
import '@shopify/polyfills/fetch';
|
|
403
|
-
import {createServer} from '@shopify/react-server';
|
|
404
|
-
import {Context} from 'koa';
|
|
405
|
-
import React from 'react';
|
|
405
|
+
#### Fixing rejected CSRF tokens for new user sessions
|
|
406
406
|
|
|
407
|
-
|
|
408
|
-
|
|
409
|
-
// The simplest way to build a custom server that will work with this library is to use the APIs provided by @shopify/react-server.
|
|
410
|
-
// https://github.com/Shopify/quilt/blob/master/packages/react-server/README.md#L8
|
|
411
|
-
const app = createServer({
|
|
412
|
-
port: process.env.PORT ? parseInt(process.env.PORT, 10) : 8081,
|
|
413
|
-
ip: process.env.IP,
|
|
414
|
-
assetPrefix: process.env.CDN_URL || 'localhost:8080/assets/webpack',
|
|
415
|
-
render: (ctx, {locale}) => {
|
|
416
|
-
const whatever = /* do something special with the koa context */;
|
|
417
|
-
// any special data we add to the incoming request in our rails controller we can access here to pass into our component
|
|
418
|
-
return <App server someCustomProp={whatever} location={ctx.request.url} locale={locale} />;
|
|
419
|
-
},
|
|
420
|
-
});
|
|
407
|
+
When a React component sends HTTP requests back to a Rails endpoint (e.g., `/graphql`), Rails may throw a `Can't verify CSRF token authenticity` exception. This stems from the Rails CSRF tokens not persisting until after the first `UiController` call ends.
|
|
421
408
|
|
|
422
|
-
|
|
423
|
-
```
|
|
409
|
+
If your API **does not** require session data, the easiest way to deal with this is to use `protect_from_forgery with: :null_session`. This will work for APIs that either have no authentication requirements, or use header based authentication.
|
|
424
410
|
|
|
425
|
-
|
|
411
|
+
##### Example
|
|
412
|
+
|
|
413
|
+
```rb
|
|
414
|
+
class GraphqlController < ApplicationController
|
|
415
|
+
protect_from_forgery with: :null_session
|
|
426
416
|
|
|
427
|
-
|
|
417
|
+
def execute
|
|
418
|
+
# Get GraphQL query, etc
|
|
428
419
|
|
|
429
|
-
|
|
420
|
+
result = MySchema.execute(query, operation_name: operation_name, variables: variables, context: context)
|
|
430
421
|
|
|
431
|
-
|
|
432
|
-
|
|
422
|
+
render(json: result)
|
|
423
|
+
end
|
|
424
|
+
end
|
|
425
|
+
```
|
|
426
|
+
|
|
427
|
+
If your API **does** require session data, you may can use follow the following steps:
|
|
433
428
|
|
|
434
|
-
|
|
429
|
+
- Add an `x-shopify-react-xhr` header to all GraphQL requests with a value of 1 (this is done automatically if you are using `@shopify/react-graphql-universal-provider`)
|
|
430
|
+
- Add a `protect_from_forgery with: Quilt::HeaderCsrfStrategy` override to your controllers
|
|
431
|
+
|
|
432
|
+
##### Example
|
|
435
433
|
|
|
436
434
|
```rb
|
|
437
435
|
class GraphqlController < ApplicationController
|
|
438
|
-
protect_from_forgery with: Quilt::
|
|
436
|
+
protect_from_forgery with: Quilt::HeaderCsrfStrategy
|
|
439
437
|
|
|
440
438
|
def execute
|
|
441
439
|
# Get GraphQL query, etc
|
|
@@ -447,6 +445,8 @@ class GraphqlController < ApplicationController
|
|
|
447
445
|
end
|
|
448
446
|
```
|
|
449
447
|
|
|
448
|
+
-
|
|
449
|
+
|
|
450
450
|
## Performance tracking a React app
|
|
451
451
|
|
|
452
452
|
Using [`Quilt::Performance::Reportable`](#performanceReportable) and [@shopify/react-performance](https://www.npmjs.com/package/@shopify/react-performance) it's easy to add performance tracking to apps using[`sewing_kit`](https://github.com/Shopify/sewing-kit/tree/master/gems/sewing_kit#sewing_kit-) for client-side-rendering or `quilt_rails` for server-side-rendering.
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
module Quilt
|
|
4
|
+
class HeaderCsrfStrategy
|
|
5
|
+
HEADER = "x-shopify-react-xhr"
|
|
6
|
+
HEADER_VALUE = "1"
|
|
7
|
+
|
|
8
|
+
def initialize(controller)
|
|
9
|
+
@controller = controller
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def handle_unverified_request
|
|
13
|
+
raise NoSameSiteHeaderError unless same_site?
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
private
|
|
17
|
+
|
|
18
|
+
def same_site?
|
|
19
|
+
@controller.request.headers[HEADER] == HEADER_VALUE
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def fallback_handler
|
|
23
|
+
ActionController::RequestForgeryProtection::ProtectionMethods::Exception.new(@controller)
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
class NoSameSiteHeaderError < StandardError
|
|
27
|
+
def initialize
|
|
28
|
+
# rubocop:disable LineLength
|
|
29
|
+
super "CSRF verification failed. This request is missing the `x-shopify-react-xhr` header, or it does not have the expected value."
|
|
30
|
+
# rubocop:enable LineLength
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
data/lib/quilt_rails/version.rb
CHANGED
data/lib/quilt_rails.rb
CHANGED
|
@@ -9,4 +9,5 @@ require "quilt_rails/configuration"
|
|
|
9
9
|
require "quilt_rails/react_renderable"
|
|
10
10
|
require "quilt_rails/performance"
|
|
11
11
|
require "quilt_rails/trusted_ui_server_csrf_strategy"
|
|
12
|
+
require "quilt_rails/header_csrf_strategy"
|
|
12
13
|
require "quilt_rails/monkey_patches/active_support_reloader" if Rails.env.development?
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: quilt_rails
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.11.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Mathew Allen
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-
|
|
11
|
+
date: 2020-03-24 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: railties
|
|
@@ -104,6 +104,7 @@ files:
|
|
|
104
104
|
- lib/quilt_rails.rb
|
|
105
105
|
- lib/quilt_rails/configuration.rb
|
|
106
106
|
- lib/quilt_rails/engine.rb
|
|
107
|
+
- lib/quilt_rails/header_csrf_strategy.rb
|
|
107
108
|
- lib/quilt_rails/logger.rb
|
|
108
109
|
- lib/quilt_rails/monkey_patches/active_support_reloader.rb
|
|
109
110
|
- lib/quilt_rails/performance.rb
|
|
@@ -121,7 +122,8 @@ files:
|
|
|
121
122
|
homepage: https://github.com/Shopify/quilt/tree/master/gems/quilt_rails
|
|
122
123
|
licenses:
|
|
123
124
|
- MIT
|
|
124
|
-
metadata:
|
|
125
|
+
metadata:
|
|
126
|
+
allowed_push_host: https://rubygems.org
|
|
125
127
|
post_install_message:
|
|
126
128
|
rdoc_options: []
|
|
127
129
|
require_paths:
|