rack-cors-csrf_prevention 0.2.1 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 391b427a869958db6d02bfb9ce4eb9a9b933419474a45f3cf864307ff376645c
-  data.tar.gz: 15481e6053666edbfd884be6107fcfb96fea8cf1d317d831e363cb624f6307ff
+  metadata.gz: f58e017a9570b557ee1c4028c57d65790e63033ac89e8fd60e9b040286397c7b
+  data.tar.gz: e8e76479edd2eb9eaad26cf64e64ae538241483595910b4411bf0193c9f6f956
 SHA512:
-  metadata.gz: 969463a394cfdb672e665af4c4b7410c9c8519bd3a6459ca2300a6b27fe081304bdd5a6491a672e6fc67d9232eff60d402036ebda7979f9bb2be1c789a3e94b7
-  data.tar.gz: fc4f13efe119e22cf942173c4395541e3d93c09aa7d0ede08f5e166326be01a1b42948060dd3d2d19d10c72d62f9f2535b70e63a4d7d272d1a8f6b2ef9c1e467
+  metadata.gz: 9c5d439ce879f6e557015e064b5ee2467ec65eef82a742834b013f342390fd34b38d2c5dbe3a7d9b49a1eab0862de1360589b7fab3910b91c3ccabce2e8af2c8
+  data.tar.gz: 6d5b5076c5c65cb4e8c853a30b2d2ac18d5ebc2c68b3e3872912e85612ba7db3c26c9320350be30fcbfd1001aeb8b0fb50ec2be7bca4a45324b8e403546d23c0

data/.rubocop.yml

@@ -1,12 +1,19 @@
 AllCops:
   NewCops: enable
+  Exclude:
+    - "bin/bundle"
+
+Gemspec/DevelopmentDependencies:
+  EnforcedStyle: gemspec
 
 Metrics/BlockLength:
-  Exclude:
-    - *.gemspec
+  Enabled: false
 
 Metrics/ParameterLists:
   CountKeywordArgs: false
 
+Style/Documentation:
+  Enabled: false
+
 Style/StringLiterals:
   EnforcedStyle: double_quotes

data/Gemfile.lock

@@ -1,12 +1,13 @@
 PATH
   remote: .
   specs:
-    rack-cors-csrf_prevention (0.2.1)
+    rack-cors-csrf_prevention (0.3.0)
       rack (>= 1)
 
 GEM
   remote: https://rubygems.org/
   specs:
+    ast (2.4.3)
     debug (1.9.1)
       irb (~> 1.10)
       reline (>= 0.3.8)
@@ -15,12 +16,23 @@ GEM
     irb (1.11.2)
       rdoc
       reline (>= 0.4.2)
+    json (2.16.0)
+    language_server-protocol (3.17.0.5)
+    lint_roller (1.1.0)
+    parallel (1.27.0)
+    parser (3.3.10.0)
+      ast (~> 2.4.1)
+      racc
+    prism (1.6.0)
     psych (5.1.2)
       stringio
+    racc (1.8.1)
     rack (2.2.7)
+    rainbow (3.1.1)
     rake (13.0.6)
     rdoc (6.6.2)
       psych (>= 4.0.0)
+    regexp_parser (2.11.3)
     reline (0.4.2)
       io-console (~> 0.5)
     rspec (3.12.0)
@@ -36,7 +48,25 @@ GEM
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
     rspec-support (3.12.0)
+    rubocop (1.81.7)
+      json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
+      parallel (~> 1.10)
+      parser (>= 3.3.0.2)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.47.1, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.48.0)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
+    ruby-progressbar (1.13.0)
     stringio (3.1.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.1.0)
 
 PLATFORMS
   arm64-darwin-22
@@ -47,6 +77,7 @@ DEPENDENCIES
   rack-cors-csrf_prevention!
   rake (~> 13.0)
   rspec (~> 3.0)
+  rubocop (~> 1.81, >= 1.81.1)
 
 BUNDLED WITH
    2.4.4

data/README.md

@@ -26,27 +26,46 @@ gem install rack-cors-csrf_prevention
 Rails.application.config.middleware.use Rack::Cors::CsrfPrevention
 ```
 
-By default, gem protects path `/graphql` and allows only `X-Apollo-Operation-Name` or `Apollo-Require-Preflight` header for non-preflighted content types.
+#### Paths
 
-You can customize path and headers for CSRF prevention:
+By default, the gem protects only `/graphql` path.
 
-```ruby
-# config/initializers/cors.rb
+You can set your path using `path` argument:
 
-Rails.application.config.middleware.use Rack::Cors::CsrfPrevention,
-                                        path: "/gql",
-                                        required_headers: %w[SOME-SPECIAL-HEADER]
+```ruby
+config.middleware.use Rack::Cors::CsrfPrevention, path: "/gql"
 ```
 
 Also, you can configure multiple paths via `paths` argument.
 
+#### Headers
+
+By default, gem allows only `X-Apollo-Operation-Name` or `Apollo-Require-Preflight` header for non-preflighted content types.
+
+You can add additional headers for CSRF prevention:
+
+```ruby
+config.middleware.use Rack::Cors::CsrfPrevention,
+                      required_headers: %w[SOME-SPECIAL-HEADER]
+```
+
+#### Error message
+
+By default, gem returns detailed error message that can help API clients in development.
+
+You can hide detailed error message in a production environment:
+
+```ruby
+config.middleware.use Rack::Cors::CsrfPrevention, detailed_error: !Rails.env.production?
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run
 `bin/rake spec` to run the tests. You can also run `bin/console` for an
 interactive prompt that will allow you to experiment.
 
-To install this gem onto your local machine, run `bin/rake rake install`.
+To install this gem onto your local machine, run `bin/rake install`.
 To release a new version, update the version number in `version.rb`, and then
 run `bin/rake release`, which will create a git tag for the version,
 push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).

data/lib/rack/cors/csrf_prevention/version.rb

@@ -3,7 +3,7 @@
 module Rack
   class Cors
     class CsrfPrevention
-      VERSION = "0.2.1"
+      VERSION = "0.3.0"
     end
   end
 end

data/lib/rack/cors/csrf_prevention.rb

@@ -30,11 +30,13 @@ module Rack
         app,
         path: nil,
         paths: [],
-        required_headers: []
+        required_headers: [],
+        detailed_error: true
       )
         @app = app
         @paths = path.nil? && paths.empty? ? ["/graphql"] : [path].compact + paths
         @required_headers = APOLLO_CUSTOM_PREFLIGHT_HEADERS + required_headers
+        @detailed_error = detailed_error
       end
 
       def call(env)
@@ -49,7 +51,7 @@ module Rack
         else
           logger(env).debug { "Request isn't preflighted" }
 
-          Rack::Response[400, { "Content-Type" => "text/plain" }, ERROR_MESSAGE].to_a
+          Rack::Response[400, { "Content-Type" => "text/plain" }, response_body].to_a
         end
       end
 
@@ -72,6 +74,10 @@ module Rack
       def recommended_header_provided?(request)
         @required_headers.any? { |header| request.has_header?("HTTP_#{header}") }
       end
+
+      def response_body
+        @detailed_error ? ERROR_MESSAGE : "Bad Request"
+      end
     end
   end
 end

data/rack-cors-csrf_prevention.gemspec

@@ -37,6 +37,7 @@ Gem::Specification.new do |spec|
   spec.required_ruby_version = ">= 2.6.0"
 
   spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["rubygems_mfa_required"] = "true"
   spec.metadata["source_code_uri"] = spec.homepage
 
   # Specify which files should be added to the gem when it is released.
@@ -50,7 +51,8 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency "rack", ">= 1"
 
+  spec.add_development_dependency "debug", "~> 1.9", ">= 1.9.1"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.0"
-  spec.add_development_dependency "debug", "~> 1.9", ">= 1.9.1"
+  spec.add_development_dependency "rubocop", "~> 1.81", ">= 1.81.1"
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rack-cors-csrf_prevention
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.0
 platform: ruby
 authors:
 - Digital Classifieds LLC
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-02-15 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -24,6 +23,26 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '1'
+- !ruby/object:Gem::Dependency
+  name: debug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.9.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.9'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.9.1
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -53,25 +72,25 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3.0'
 - !ruby/object:Gem::Dependency
-  name: debug
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.9'
+        version: '1.81'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.9.1
+        version: 1.81.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.9'
+        version: '1.81'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 1.9.1
+        version: 1.81.1
 description: |
   The middleware makes sure any request to specified paths would have been
   preflighted if it was sent by a browser.
@@ -95,7 +114,6 @@ description: |
   headers to be set. By ensuring that every operation either has a custom
   content-type or sets one of these headers, we know we won't execute
   operations at the request of origins who our CORS policy will block.
-email:
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -115,8 +133,8 @@ licenses:
 - MIT
 metadata:
   homepage_uri: https://github.com/digitaz/rack-cors-csrf_prevention
+  rubygems_mfa_required: 'true'
   source_code_uri: https://github.com/digitaz/rack-cors-csrf_prevention
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -131,8 +149,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.26
-signing_key:
+rubygems_version: 3.6.7
 specification_version: 4
 summary: Ruby implementation of CSRF prevention from the Apollo Router.
 test_files: []