rack-cors-csrf_prevention 0.1.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 875f008ae969331b4266a00a131b2edf9399d24ea347c2622d9cd79eaa6fcd71
-  data.tar.gz: 7de16bb4d69a5783829281c312290c94ec5b544963c45bc03ae38942968eb795
+  metadata.gz: 391b427a869958db6d02bfb9ce4eb9a9b933419474a45f3cf864307ff376645c
+  data.tar.gz: 15481e6053666edbfd884be6107fcfb96fea8cf1d317d831e363cb624f6307ff
 SHA512:
-  metadata.gz: fb20827ff14fa2a57ac931ab263adedc4f87e0422d8ddb1c021abb4878a8023638ded968c05616ab163ce218e14e09ce2026b85101569b8afd25070f31c08635
-  data.tar.gz: f8bcbb4e2b5330e27285e3e296d9d2c6db64e6350843e2bb16d0fcef844728120237a81eed4f00f0e426d0fab98c81af349b196288df1d4550298c67a4c1a74c
+  metadata.gz: 969463a394cfdb672e665af4c4b7410c9c8519bd3a6459ca2300a6b27fe081304bdd5a6491a672e6fc67d9232eff60d402036ebda7979f9bb2be1c789a3e94b7
+  data.tar.gz: fc4f13efe119e22cf942173c4395541e3d93c09aa7d0ede08f5e166326be01a1b42948060dd3d2d19d10c72d62f9f2535b70e63a4d7d272d1a8f6b2ef9c1e467

data/Gemfile.lock

@@ -1,15 +1,28 @@
 PATH
   remote: .
   specs:
-    rack-cors-csrf_prevention (0.1.0)
+    rack-cors-csrf_prevention (0.2.1)
       rack (>= 1)
 
 GEM
   remote: https://rubygems.org/
   specs:
+    debug (1.9.1)
+      irb (~> 1.10)
+      reline (>= 0.3.8)
     diff-lcs (1.5.0)
+    io-console (0.7.2)
+    irb (1.11.2)
+      rdoc
+      reline (>= 0.4.2)
+    psych (5.1.2)
+      stringio
     rack (2.2.7)
     rake (13.0.6)
+    rdoc (6.6.2)
+      psych (>= 4.0.0)
+    reline (0.4.2)
+      io-console (~> 0.5)
     rspec (3.12.0)
       rspec-core (~> 3.12.0)
       rspec-expectations (~> 3.12.0)
@@ -23,12 +36,14 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
     rspec-support (3.12.0)
+    stringio (3.1.0)
 
 PLATFORMS
   arm64-darwin-22
   x86_64-linux
 
 DEPENDENCIES
+  debug (~> 1.9, >= 1.9.1)
   rack-cors-csrf_prevention!
   rake (~> 13.0)
   rspec (~> 3.0)

data/README.md

@@ -20,38 +20,35 @@ gem install rack-cors-csrf_prevention
 
 ### Rails Configuration
 
-Specify paths for CSRF prevention:
-
 ```ruby
 # config/initializers/cors.rb
 
-Rails.application.config.middleware.use Rack::Cors::CsrfPrevention,
-                                        paths: %w[/graphql]
+Rails.application.config.middleware.use Rack::Cors::CsrfPrevention
 ```
 
-You can also specify custom headers that allow execution. By default, it's `X-Apollo-Operation-Name` or `Apollo-Require-Preflight` headers, but you can configure to allow a `Some-Special-Header` header:
+By default, gem protects path `/graphql` and allows only `X-Apollo-Operation-Name` or `Apollo-Require-Preflight` header for non-preflighted content types.
+
+You can customize path and headers for CSRF prevention:
 
 ```ruby
 # config/initializers/cors.rb
 
 Rails.application.config.middleware.use Rack::Cors::CsrfPrevention,
-                                        paths: %w[/graphql],
-                                        required_headers: %w[
-                                          X-APOLLO-OPERATION-NAME
-                                          APOLLO-REQUIRE-PREFLIGHT
-                                          SOME-SPECIAL-HEADER
-                                        ]
+                                        path: "/gql",
+                                        required_headers: %w[SOME-SPECIAL-HEADER]
 ```
 
+Also, you can configure multiple paths via `paths` argument.
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run
-`bundle exec rake spec` to run the tests. You can also run `bin/console` for an
+`bin/rake spec` to run the tests. You can also run `bin/console` for an
 interactive prompt that will allow you to experiment.
 
-To install this gem onto your local machine, run `bundle exec rake install`.
+To install this gem onto your local machine, run `bin/rake rake install`.
 To release a new version, update the version number in `version.rb`, and then
-run `bundle exec rake release`, which will create a git tag for the version,
+run `bin/rake release`, which will create a git tag for the version,
 push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
 ## Contributing

data/lib/rack/cors/csrf_prevention/version.rb

@@ -3,7 +3,7 @@
 module Rack
   class Cors
     class CsrfPrevention
-      VERSION = "0.1.0"
+      VERSION = "0.2.1"
     end
   end
 end

data/lib/rack/cors/csrf_prevention.rb

@@ -10,8 +10,8 @@ module Rack
       include Rack::Cors::CsrfPrevention::Logger
 
       APOLLO_CUSTOM_PREFLIGHT_HEADERS = %w[
-        X-APOLLO-OPERATION-NAME
-        APOLLO-REQUIRE-PREFLIGHT
+        X_APOLLO_OPERATION_NAME
+        APOLLO_REQUIRE_PREFLIGHT
       ].freeze
 
       NON_PREFLIGHTED_CONTENT_TYPES = %w[
@@ -23,17 +23,18 @@ module Rack
       ERROR_MESSAGE = <<~HEREDOC
         This operation has been blocked as a potential Cross-Site Request Forgery (CSRF).
 
-        Please either specify a "Content-Type" header (with a mime-type that is not one of #{NON_PREFLIGHTED_CONTENT_TYPES.join(', ')}) or provide one of the following headers: #{APOLLO_CUSTOM_PREFLIGHT_HEADERS.join(', ')}.
+        Please either specify a "Content-Type" header (with a mime-type that is not one of #{NON_PREFLIGHTED_CONTENT_TYPES.join(', ')}) or provide one of the following headers: #{APOLLO_CUSTOM_PREFLIGHT_HEADERS.join(', ').tr('_', '-')}.
       HEREDOC
 
       def initialize(
         app,
-        paths:,
-        required_headers: APOLLO_CUSTOM_PREFLIGHT_HEADERS
+        path: nil,
+        paths: [],
+        required_headers: []
       )
         @app = app
-        @paths = paths
-        @required_headers = required_headers
+        @paths = path.nil? && paths.empty? ? ["/graphql"] : [path].compact + paths
+        @required_headers = APOLLO_CUSTOM_PREFLIGHT_HEADERS + required_headers
       end
 
       def call(env)

data/rack-cors-csrf_prevention.gemspec

@@ -51,6 +51,6 @@ Gem::Specification.new do |spec|
   spec.add_dependency "rack", ">= 1"
 
   spec.add_development_dependency "rake", "~> 13.0"
-  # spec.add_development_dependency "minitest", "~> 5.0"
   spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "debug", "~> 1.9", ">= 1.9.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-cors-csrf_prevention
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Digital Classifieds LLC
@@ -52,6 +52,26 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: debug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.9.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.9.1
 description: |
   The middleware makes sure any request to specified paths would have been
   preflighted if it was sent by a browser.