rack-cors-csrf_prevention 0.1.0 → 0.2.1

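--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 875f008ae969331b4266a00a131b2edf9399d24ea347c2622d9cd79eaa6fcd71
-data.tar.gz: 7de16bb4d69a5783829281c312290c94ec5b544963c45bc03ae38942968eb795
+metadata.gz: 391b427a869958db6d02bfb9ce4eb9a9b933419474a45f3cf864307ff376645c
+data.tar.gz: 15481e6053666edbfd884be6107fcfb96fea8cf1d317d831e363cb624f6307ff
 SHA512:
-metadata.gz: fb20827ff14fa2a57ac931ab263adedc4f87e0422d8ddb1c021abb4878a8023638ded968c05616ab163ce218e14e09ce2026b85101569b8afd25070f31c08635
-data.tar.gz: f8bcbb4e2b5330e27285e3e296d9d2c6db64e6350843e2bb16d0fcef844728120237a81eed4f00f0e426d0fab98c81af349b196288df1d4550298c67a4c1a74c
+metadata.gz: 969463a394cfdb672e665af4c4b7410c9c8519bd3a6459ca2300a6b27fe081304bdd5a6491a672e6fc67d9232eff60d402036ebda7979f9bb2be1c789a3e94b7
+data.tar.gz: fc4f13efe119e22cf942173c4395541e3d93c09aa7d0ede08f5e166326be01a1b42948060dd3d2d19d10c72d62f9f2535b70e63a4d7d272d1a8f6b2ef9c1e467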
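--- a/data/Gemfile.lock
+++ b/data/Gemfile.lock
@@ -1,15 +1,28 @@
 PATH
 remote: .
 specs:
-rack-cors-csrf_prevention (0.1.0)
+rack-cors-csrf_prevention (0.2.1)
 rack (>= 1)
 
 GEM
 remote: https://rubygems.org/
 specs:
+debug (1.9.1)
+irb (~> 1.10)
+reline (>= 0.3.8)
 diff-lcs (1.5.0)
+io-console (0.7.2)
+irb (1.11.2)
+rdoc
+reline (>= 0.4.2)
+psych (5.1.2)
+stringio
 rack (2.2.7)
 rake (13.0.6)
+rdoc (6.6.2)
+psych (>= 4.0.0)
+reline (0.4.2)
+io-console (~> 0.5)
 rspec (3.12.0)
 rspec-core (~> 3.12.0)
 rspec-expectations (~> 3.12.0)
@@ -23,12 +36,14 @@ GEM
 diff-lcs (>= 1.2.0, < 2.0)
 rspec-support (~> 3.12.0)
 rspec-support (3.12.0)
+stringio (3.1.0)
 
 PLATFORMS
 arm64-darwin-22
 x86_64-linux
 
 DEPENDENCIES
+debug (~> 1.9, >= 1.9.1)
 rack-cors-csrf_prevention!
 rake (~> 13.0)
 rspec (~> 3.0)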
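--- a/data/README.md
+++ b/data/README.md
@@ -20,38 +20,35 @@ gem install rack-cors-csrf_prevention
 
 ### Rails Configuration
 
-Specify paths for CSRF prevention:
-
 ```ruby
 # config/initializers/cors.rb
 
-Rails.application.config.middleware.use Rack::Cors::CsrfPrevention,
-paths: %w[/graphql]
+Rails.application.config.middleware.use Rack::Cors::CsrfPrevention
 ```
 
-You can also specify custom headers that allow execution. By default, it's `X-Apollo-Operation-Name` or `Apollo-Require-Preflight` headers, but you can configure to allow a `Some-Special-Header` header:
+By default, gem protects path `/graphql` and allows only `X-Apollo-Operation-Name` or `Apollo-Require-Preflight` header for non-preflighted content types.
+
+You can customize path and headers for CSRF prevention:
 
 ```ruby
 # config/initializers/cors.rb
 
 Rails.application.config.middleware.use Rack::Cors::CsrfPrevention,
-paths: %w[/graphql],
-required_headers: %w[
-X-APOLLO-OPERATION-NAME
-APOLLO-REQUIRE-PREFLIGHT
-SOME-SPECIAL-HEADER
-]
+path: "/gql",
+required_headers: %w[SOME-SPECIAL-HEADER]
 ```
 
+Also, you can configure multiple paths via `paths` argument.
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run
-`bundle exec rake spec` to run the tests. You can also run `bin/console` for an
+`bin/rake spec` to run the tests. You can also run `bin/console` for an
 interactive prompt that will allow you to experiment.
 
-To install this gem onto your local machine, run `bundle exec rake install`.
+To install this gem onto your local machine, run `bin/rake rake install`.
 To release a new version, update the version number in `version.rb`, and then
-run `bundle exec rake release`, which will create a git tag for the version,
+run `bin/rake release`, which will create a git tag for the version,
 push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
 
 ## Contributing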
@@ -3,7 +3,7 @@
3
3
  module Rack
4
4
  class Cors
5
5
  class CsrfPrevention
6
- VERSION = "0.1.0"
6
+ VERSION = "0.2.1"
7
7
  end
8
8
  end
9
9
  end
@@ -10,8 +10,8 @@ module Rack
10
10
  include Rack::Cors::CsrfPrevention::Logger
11
11
 
12
12
  APOLLO_CUSTOM_PREFLIGHT_HEADERS = %w[
13
- X-APOLLO-OPERATION-NAME
14
- APOLLO-REQUIRE-PREFLIGHT
13
+ X_APOLLO_OPERATION_NAME
14
+ APOLLO_REQUIRE_PREFLIGHT
15
15
  ].freeze
16
16
 
17
17
  NON_PREFLIGHTED_CONTENT_TYPES = %w[
@@ -23,17 +23,18 @@ module Rack
23
23
  ERROR_MESSAGE = <<~HEREDOC
24
24
  This operation has been blocked as a potential Cross-Site Request Forgery (CSRF).
25
25
 
26
- Please either specify a "Content-Type" header (with a mime-type that is not one of #{NON_PREFLIGHTED_CONTENT_TYPES.join(', ')}) or provide one of the following headers: #{APOLLO_CUSTOM_PREFLIGHT_HEADERS.join(', ')}.
26
+ Please either specify a "Content-Type" header (with a mime-type that is not one of #{NON_PREFLIGHTED_CONTENT_TYPES.join(', ')}) or provide one of the following headers: #{APOLLO_CUSTOM_PREFLIGHT_HEADERS.join(', ').tr('_', '-')}.
27
27
  HEREDOC
28
28
 
29
29
  def initialize(
30
30
  app,
31
- paths:,
32
- required_headers: APOLLO_CUSTOM_PREFLIGHT_HEADERS
31
+ path: nil,
32
+ paths: [],
33
+ required_headers: []
33
34
  )
34
35
  @app = app
35
- @paths = paths
36
- @required_headers = required_headers
36
+ @paths = path.nil? && paths.empty? ? ["/graphql"] : [path].compact + paths
37
+ @required_headers = APOLLO_CUSTOM_PREFLIGHT_HEADERS + required_headers
37
38
  end
38
39
 
39
40
  def call(env)
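Review bot: `@required_headers = APOLLO_CUSTOM_PREFLIGHT_HEADERS + required_headers` appends caller-supplied names verbatim, while the constant in the previous hunk was switched from `X-APOLLO-OPERATION-NAME` to `X_APOLLO_OPERATION_NAME`, and the README shipped in this same release still passes `required_headers: %w[SOME-SPECIAL-HEADER]` in hyphenated form. If `call` (which starts on the last line of this hunk and continues outside it) compares these names against Rack env keys, as the underscore rename suggests, a hyphenated custom header would never match, so requests that rely on it are rejected and the documented option silently has no effect. Normalizing once at construction removes that drift: `@required_headers = APOLLO_CUSTOM_PREFLIGHT_HEADERS + required_headers.map { |h| h.to_s.upcase.tr("-", "_") }`. Because `required_headers` no longer replaces the Apollo defaults (the 0.1.0 default was the constant itself), a comment on the initializer such as `# The Apollo headers are always accepted; required_headers only adds to them.` would make the change explicit for callers upgrading.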
@@ -51,6 +51,6 @@ Gem::Specification.new do |spec|
51
51
  spec.add_dependency "rack", ">= 1"
52
52
 
53
53
  spec.add_development_dependency "rake", "~> 13.0"
54
- # spec.add_development_dependency "minitest", "~> 5.0"
55
54
  spec.add_development_dependency "rspec", "~> 3.0"
55
+ spec.add_development_dependency "debug", "~> 1.9", ">= 1.9.1"
56
56
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: rack-cors-csrf_prevention
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.0
4
+ version: 0.2.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Digital Classifieds LLC
@@ -52,6 +52,26 @@ dependencies:
52
52
  - - "~>"
53
53
  - !ruby/object:Gem::Version
54
54
  version: '3.0'
55
+ - !ruby/object:Gem::Dependency
56
+ name: debug
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - "~>"
60
+ - !ruby/object:Gem::Version
61
+ version: '1.9'
62
+ - - ">="
63
+ - !ruby/object:Gem::Version
64
+ version: 1.9.1
65
+ type: :development
66
+ prerelease: false
67
+ version_requirements: !ruby/object:Gem::Requirement
68
+ requirements:
69
+ - - "~>"
70
+ - !ruby/object:Gem::Version
71
+ version: '1.9'
72
+ - - ">="
73
+ - !ruby/object:Gem::Version
74
+ version: 1.9.1
55
75
  description: |
56
76
  The middleware makes sure any request to specified paths would have been
57
77
  preflighted if it was sent by a browser.