rack-cors-csrf_prevention 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/Gemfile.lock +16 -1
- data/README.md +8 -11
- data/lib/rack/cors/csrf_prevention/version.rb +1 -1
- data/lib/rack/cors/csrf_prevention.rb +5 -4
- data/rack-cors-csrf_prevention.gemspec +1 -1
- metadata +21 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: bf73e75d0b552d217b4a9cb9aabf5f08eb16db81b864a452a61388bd39d41f5c
|
|
4
|
+
data.tar.gz: 6daf069995fda9f4b8af289a3b6cf3a009a839ba95d6267d0167b9e98484ba81
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 7ab5b4cb92c9db15d97d60ab49725f7feae8aede713f678531bbd0292575e23fa9834ffb8feadbf86217d1ee19cdad9252d1f7d75bb6461ab83f1b837bf2fef2
|
|
7
|
+
data.tar.gz: 30a0e42021a6ba4eed3cf1a6d684310937dc0ee6a888e7b81ccc8a02db889afbf3fcb0fbc532ef453951cc51696845c6d2d34fd74d21a4a96ffe886b14a4e1c0
|
data/Gemfile.lock
CHANGED
|
@@ -1,15 +1,28 @@
|
|
|
1
1
|
PATH
|
|
2
2
|
remote: .
|
|
3
3
|
specs:
|
|
4
|
-
rack-cors-csrf_prevention (0.
|
|
4
|
+
rack-cors-csrf_prevention (0.2.0)
|
|
5
5
|
rack (>= 1)
|
|
6
6
|
|
|
7
7
|
GEM
|
|
8
8
|
remote: https://rubygems.org/
|
|
9
9
|
specs:
|
|
10
|
+
debug (1.9.1)
|
|
11
|
+
irb (~> 1.10)
|
|
12
|
+
reline (>= 0.3.8)
|
|
10
13
|
diff-lcs (1.5.0)
|
|
14
|
+
io-console (0.7.2)
|
|
15
|
+
irb (1.11.2)
|
|
16
|
+
rdoc
|
|
17
|
+
reline (>= 0.4.2)
|
|
18
|
+
psych (5.1.2)
|
|
19
|
+
stringio
|
|
11
20
|
rack (2.2.7)
|
|
12
21
|
rake (13.0.6)
|
|
22
|
+
rdoc (6.6.2)
|
|
23
|
+
psych (>= 4.0.0)
|
|
24
|
+
reline (0.4.2)
|
|
25
|
+
io-console (~> 0.5)
|
|
13
26
|
rspec (3.12.0)
|
|
14
27
|
rspec-core (~> 3.12.0)
|
|
15
28
|
rspec-expectations (~> 3.12.0)
|
|
@@ -23,12 +36,14 @@ GEM
|
|
|
23
36
|
diff-lcs (>= 1.2.0, < 2.0)
|
|
24
37
|
rspec-support (~> 3.12.0)
|
|
25
38
|
rspec-support (3.12.0)
|
|
39
|
+
stringio (3.1.0)
|
|
26
40
|
|
|
27
41
|
PLATFORMS
|
|
28
42
|
arm64-darwin-22
|
|
29
43
|
x86_64-linux
|
|
30
44
|
|
|
31
45
|
DEPENDENCIES
|
|
46
|
+
debug (~> 1.9, >= 1.9.1)
|
|
32
47
|
rack-cors-csrf_prevention!
|
|
33
48
|
rake (~> 13.0)
|
|
34
49
|
rspec (~> 3.0)
|
data/README.md
CHANGED
|
@@ -20,29 +20,26 @@ gem install rack-cors-csrf_prevention
|
|
|
20
20
|
|
|
21
21
|
### Rails Configuration
|
|
22
22
|
|
|
23
|
-
Specify paths for CSRF prevention:
|
|
24
|
-
|
|
25
23
|
```ruby
|
|
26
24
|
# config/initializers/cors.rb
|
|
27
25
|
|
|
28
|
-
Rails.application.config.middleware.use Rack::Cors::CsrfPrevention
|
|
29
|
-
paths: %w[/graphql]
|
|
26
|
+
Rails.application.config.middleware.use Rack::Cors::CsrfPrevention
|
|
30
27
|
```
|
|
31
28
|
|
|
32
|
-
|
|
29
|
+
By default, gem protects path `/graphql` and allows only `X-Apollo-Operation-Name` or `Apollo-Require-Preflight` header for non-preflighted content types.
|
|
30
|
+
|
|
31
|
+
You can customize path and headers for CSRF prevention:
|
|
33
32
|
|
|
34
33
|
```ruby
|
|
35
34
|
# config/initializers/cors.rb
|
|
36
35
|
|
|
37
36
|
Rails.application.config.middleware.use Rack::Cors::CsrfPrevention,
|
|
38
|
-
|
|
39
|
-
required_headers: %w[
|
|
40
|
-
X-APOLLO-OPERATION-NAME
|
|
41
|
-
APOLLO-REQUIRE-PREFLIGHT
|
|
42
|
-
SOME-SPECIAL-HEADER
|
|
43
|
-
]
|
|
37
|
+
path: "/gql",
|
|
38
|
+
required_headers: %w[SOME-SPECIAL-HEADER]
|
|
44
39
|
```
|
|
45
40
|
|
|
41
|
+
Also, you can configure multiple paths via `paths` argument.
|
|
42
|
+
|
|
46
43
|
## Development
|
|
47
44
|
|
|
48
45
|
After checking out the repo, run `bin/setup` to install dependencies. Then, run
|
|
@@ -28,12 +28,13 @@ module Rack
|
|
|
28
28
|
|
|
29
29
|
def initialize(
|
|
30
30
|
app,
|
|
31
|
-
|
|
32
|
-
|
|
31
|
+
path: nil,
|
|
32
|
+
paths: [],
|
|
33
|
+
required_headers: []
|
|
33
34
|
)
|
|
34
35
|
@app = app
|
|
35
|
-
@paths = paths
|
|
36
|
-
@required_headers = required_headers
|
|
36
|
+
@paths = path.nil? && paths.empty? ? ["/graphql"] : [path].compact + paths
|
|
37
|
+
@required_headers = APOLLO_CUSTOM_PREFLIGHT_HEADERS + required_headers
|
|
37
38
|
end
|
|
38
39
|
|
|
39
40
|
def call(env)
|
|
@@ -51,6 +51,6 @@ Gem::Specification.new do |spec|
|
|
|
51
51
|
spec.add_dependency "rack", ">= 1"
|
|
52
52
|
|
|
53
53
|
spec.add_development_dependency "rake", "~> 13.0"
|
|
54
|
-
# spec.add_development_dependency "minitest", "~> 5.0"
|
|
55
54
|
spec.add_development_dependency "rspec", "~> 3.0"
|
|
55
|
+
spec.add_development_dependency "debug", "~> 1.9", ">= 1.9.1"
|
|
56
56
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: rack-cors-csrf_prevention
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Digital Classifieds LLC
|
|
@@ -52,6 +52,26 @@ dependencies:
|
|
|
52
52
|
- - "~>"
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
54
|
version: '3.0'
|
|
55
|
+
- !ruby/object:Gem::Dependency
|
|
56
|
+
name: debug
|
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
|
58
|
+
requirements:
|
|
59
|
+
- - "~>"
|
|
60
|
+
- !ruby/object:Gem::Version
|
|
61
|
+
version: '1.9'
|
|
62
|
+
- - ">="
|
|
63
|
+
- !ruby/object:Gem::Version
|
|
64
|
+
version: 1.9.1
|
|
65
|
+
type: :development
|
|
66
|
+
prerelease: false
|
|
67
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
68
|
+
requirements:
|
|
69
|
+
- - "~>"
|
|
70
|
+
- !ruby/object:Gem::Version
|
|
71
|
+
version: '1.9'
|
|
72
|
+
- - ">="
|
|
73
|
+
- !ruby/object:Gem::Version
|
|
74
|
+
version: 1.9.1
|
|
55
75
|
description: |
|
|
56
76
|
The middleware makes sure any request to specified paths would have been
|
|
57
77
|
preflighted if it was sent by a browser.
|