rack-cors-csrf_prevention 0.1.0 → 0.2.1
- checksums.yaml +4 -4
- data/Gemfile.lock +16 -1
- data/README.md +11 -14
- data/lib/rack/cors/csrf_prevention/version.rb +1 -1
- data/lib/rack/cors/csrf_prevention.rb +8 -7
- data/rack-cors-csrf_prevention.gemspec +1 -1
- metadata +21 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 391b427a869958db6d02bfb9ce4eb9a9b933419474a45f3cf864307ff376645c
|
4
|
+
data.tar.gz: 15481e6053666edbfd884be6107fcfb96fea8cf1d317d831e363cb624f6307ff
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 969463a394cfdb672e665af4c4b7410c9c8519bd3a6459ca2300a6b27fe081304bdd5a6491a672e6fc67d9232eff60d402036ebda7979f9bb2be1c789a3e94b7
|
7
|
+
data.tar.gz: fc4f13efe119e22cf942173c4395541e3d93c09aa7d0ede08f5e166326be01a1b42948060dd3d2d19d10c72d62f9f2535b70e63a4d7d272d1a8f6b2ef9c1e467
|
data/Gemfile.lock
CHANGED
@@ -1,15 +1,28 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
rack-cors-csrf_prevention (0.1
|
4
|
+
rack-cors-csrf_prevention (0.2.1)
|
5
5
|
rack (>= 1)
|
6
6
|
|
7
7
|
GEM
|
8
8
|
remote: https://rubygems.org/
|
9
9
|
specs:
|
10
|
+
debug (1.9.1)
|
11
|
+
irb (~> 1.10)
|
12
|
+
reline (>= 0.3.8)
|
10
13
|
diff-lcs (1.5.0)
|
14
|
+
io-console (0.7.2)
|
15
|
+
irb (1.11.2)
|
16
|
+
rdoc
|
17
|
+
reline (>= 0.4.2)
|
18
|
+
psych (5.1.2)
|
19
|
+
stringio
|
11
20
|
rack (2.2.7)
|
12
21
|
rake (13.0.6)
|
22
|
+
rdoc (6.6.2)
|
23
|
+
psych (>= 4.0.0)
|
24
|
+
reline (0.4.2)
|
25
|
+
io-console (~> 0.5)
|
13
26
|
rspec (3.12.0)
|
14
27
|
rspec-core (~> 3.12.0)
|
15
28
|
rspec-expectations (~> 3.12.0)
|
@@ -23,12 +36,14 @@ GEM
|
|
23
36
|
diff-lcs (>= 1.2.0, < 2.0)
|
24
37
|
rspec-support (~> 3.12.0)
|
25
38
|
rspec-support (3.12.0)
|
39
|
+
stringio (3.1.0)
|
26
40
|
|
27
41
|
PLATFORMS
|
28
42
|
arm64-darwin-22
|
29
43
|
x86_64-linux
|
30
44
|
|
31
45
|
DEPENDENCIES
|
46
|
+
debug (~> 1.9, >= 1.9.1)
|
32
47
|
rack-cors-csrf_prevention!
|
33
48
|
rake (~> 13.0)
|
34
49
|
rspec (~> 3.0)
|
data/README.md
CHANGED
@@ -20,38 +20,35 @@ gem install rack-cors-csrf_prevention
|
|
20
20
|
|
21
21
|
### Rails Configuration
|
22
22
|
|
23
|
-
Specify paths for CSRF prevention:
|
24
|
-
|
25
23
|
```ruby
|
26
24
|
# config/initializers/cors.rb
|
27
25
|
|
28
|
-
Rails.application.config.middleware.use Rack::Cors::CsrfPrevention
|
29
|
-
paths: %w[/graphql]
|
26
|
+
Rails.application.config.middleware.use Rack::Cors::CsrfPrevention
|
30
27
|
```
|
31
28
|
|
32
|
-
|
29
|
+
By default, gem protects path `/graphql` and allows only `X-Apollo-Operation-Name` or `Apollo-Require-Preflight` header for non-preflighted content types.
|
30
|
+
|
31
|
+
You can customize path and headers for CSRF prevention:
|
33
32
|
|
34
33
|
```ruby
|
35
34
|
# config/initializers/cors.rb
|
36
35
|
|
37
36
|
Rails.application.config.middleware.use Rack::Cors::CsrfPrevention,
|
38
|
-
|
39
|
-
required_headers: %w[
|
40
|
-
X-APOLLO-OPERATION-NAME
|
41
|
-
APOLLO-REQUIRE-PREFLIGHT
|
42
|
-
SOME-SPECIAL-HEADER
|
43
|
-
]
|
37
|
+
path: "/gql",
|
38
|
+
required_headers: %w[SOME-SPECIAL-HEADER]
|
44
39
|
```
|
45
40
|
|
41
|
+
Also, you can configure multiple paths via `paths` argument.
|
42
|
+
|
46
43
|
## Development
|
47
44
|
|
48
45
|
After checking out the repo, run `bin/setup` to install dependencies. Then, run
|
49
|
-
`
|
46
|
+
`bin/rake spec` to run the tests. You can also run `bin/console` for an
|
50
47
|
interactive prompt that will allow you to experiment.
|
51
48
|
|
52
|
-
To install this gem onto your local machine, run `
|
49
|
+
To install this gem onto your local machine, run `bin/rake rake install`.
|
53
50
|
To release a new version, update the version number in `version.rb`, and then
|
54
|
-
run `
|
51
|
+
run `bin/rake release`, which will create a git tag for the version,
|
55
52
|
push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
|
56
53
|
|
57
54
|
## Contributing
|
@@ -10,8 +10,8 @@ module Rack
|
|
10
10
|
include Rack::Cors::CsrfPrevention::Logger
|
11
11
|
|
12
12
|
APOLLO_CUSTOM_PREFLIGHT_HEADERS = %w[
|
13
|
-
|
14
|
-
|
13
|
+
X_APOLLO_OPERATION_NAME
|
14
|
+
APOLLO_REQUIRE_PREFLIGHT
|
15
15
|
].freeze
|
16
16
|
|
17
17
|
NON_PREFLIGHTED_CONTENT_TYPES = %w[
|
@@ -23,17 +23,18 @@ module Rack
|
|
23
23
|
ERROR_MESSAGE = <<~HEREDOC
|
24
24
|
This operation has been blocked as a potential Cross-Site Request Forgery (CSRF).
|
25
25
|
|
26
|
-
Please either specify a "Content-Type" header (with a mime-type that is not one of #{NON_PREFLIGHTED_CONTENT_TYPES.join(', ')}) or provide one of the following headers: #{APOLLO_CUSTOM_PREFLIGHT_HEADERS.join(', ')}.
|
26
|
+
Please either specify a "Content-Type" header (with a mime-type that is not one of #{NON_PREFLIGHTED_CONTENT_TYPES.join(', ')}) or provide one of the following headers: #{APOLLO_CUSTOM_PREFLIGHT_HEADERS.join(', ').tr('_', '-')}.
|
27
27
|
HEREDOC
|
28
28
|
|
29
29
|
def initialize(
|
30
30
|
app,
|
31
|
-
|
32
|
-
|
31
|
+
path: nil,
|
32
|
+
paths: [],
|
33
|
+
required_headers: []
|
33
34
|
)
|
34
35
|
@app = app
|
35
|
-
@paths = paths
|
36
|
-
@required_headers = required_headers
|
36
|
+
@paths = path.nil? && paths.empty? ? ["/graphql"] : [path].compact + paths
|
37
|
+
@required_headers = APOLLO_CUSTOM_PREFLIGHT_HEADERS + required_headers
|
37
38
|
end
|
38
39
|
|
39
40
|
def call(env)
|
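Review bot: `@required_headers = APOLLO_CUSTOM_PREFLIGHT_HEADERS + required_headers` appends caller-supplied names unchanged, yet the built-in constants in this section are now spelled in Rack-env form (`X_APOLLO_OPERATION_NAME`) while the README in the same release passes custom names in wire form (`SOME-SPECIAL-HEADER`). If `call` (which continues past the hunk, so the lookup itself is not visible here) derives the `HTTP_*` env key from these names without normalising, a hyphenated entry can never match, so the custom header never unlocks a request — fail-closed, but the documented option silently does nothing. Normalising once at construction removes the ambiguity: `@required_headers = (APOLLO_CUSTOM_PREFLIGHT_HEADERS + required_headers.map { |h| h.to_s.upcase.tr('-', '_') }).uniq.freeze`. That line also deserves a comment such as `# Apollo's preflight-forcing headers are always accepted; required_headers only extends the list` since 0.1.0 let callers replace it outright.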
@@ -51,6 +51,6 @@ Gem::Specification.new do |spec|
|
|
51
51
|
spec.add_dependency "rack", ">= 1"
|
52
52
|
|
53
53
|
spec.add_development_dependency "rake", "~> 13.0"
|
54
|
-
# spec.add_development_dependency "minitest", "~> 5.0"
|
55
54
|
spec.add_development_dependency "rspec", "~> 3.0"
|
55
|
+
spec.add_development_dependency "debug", "~> 1.9", ">= 1.9.1"
|
56
56
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-cors-csrf_prevention
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.1
|
4
|
+
version: 0.2.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Digital Classifieds LLC
|
@@ -52,6 +52,26 @@ dependencies:
|
|
52
52
|
- - "~>"
|
53
53
|
- !ruby/object:Gem::Version
|
54
54
|
version: '3.0'
|
55
|
+
- !ruby/object:Gem::Dependency
|
56
|
+
name: debug
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
58
|
+
requirements:
|
59
|
+
- - "~>"
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
version: '1.9'
|
62
|
+
- - ">="
|
63
|
+
- !ruby/object:Gem::Version
|
64
|
+
version: 1.9.1
|
65
|
+
type: :development
|
66
|
+
prerelease: false
|
67
|
+
version_requirements: !ruby/object:Gem::Requirement
|
68
|
+
requirements:
|
69
|
+
- - "~>"
|
70
|
+
- !ruby/object:Gem::Version
|
71
|
+
version: '1.9'
|
72
|
+
- - ">="
|
73
|
+
- !ruby/object:Gem::Version
|
74
|
+
version: 1.9.1
|
55
75
|
description: |
|
56
76
|
The middleware makes sure any request to specified paths would have been
|
57
77
|
preflighted if it was sent by a browser.
|