rack-cors-csrf_prevention 0.1.0 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/Gemfile.lock +16 -1
- data/README.md +8 -11
- data/lib/rack/cors/csrf_prevention/version.rb +1 -1
- data/lib/rack/cors/csrf_prevention.rb +5 -4
- data/rack-cors-csrf_prevention.gemspec +1 -1
- metadata +21 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: bf73e75d0b552d217b4a9cb9aabf5f08eb16db81b864a452a61388bd39d41f5c
|
4
|
+
data.tar.gz: 6daf069995fda9f4b8af289a3b6cf3a009a839ba95d6267d0167b9e98484ba81
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7ab5b4cb92c9db15d97d60ab49725f7feae8aede713f678531bbd0292575e23fa9834ffb8feadbf86217d1ee19cdad9252d1f7d75bb6461ab83f1b837bf2fef2
|
7
|
+
data.tar.gz: 30a0e42021a6ba4eed3cf1a6d684310937dc0ee6a888e7b81ccc8a02db889afbf3fcb0fbc532ef453951cc51696845c6d2d34fd74d21a4a96ffe886b14a4e1c0
|
data/Gemfile.lock
CHANGED
@@ -1,15 +1,28 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
rack-cors-csrf_prevention (0.
|
4
|
+
rack-cors-csrf_prevention (0.2.0)
|
5
5
|
rack (>= 1)
|
6
6
|
|
7
7
|
GEM
|
8
8
|
remote: https://rubygems.org/
|
9
9
|
specs:
|
10
|
+
debug (1.9.1)
|
11
|
+
irb (~> 1.10)
|
12
|
+
reline (>= 0.3.8)
|
10
13
|
diff-lcs (1.5.0)
|
14
|
+
io-console (0.7.2)
|
15
|
+
irb (1.11.2)
|
16
|
+
rdoc
|
17
|
+
reline (>= 0.4.2)
|
18
|
+
psych (5.1.2)
|
19
|
+
stringio
|
11
20
|
rack (2.2.7)
|
12
21
|
rake (13.0.6)
|
22
|
+
rdoc (6.6.2)
|
23
|
+
psych (>= 4.0.0)
|
24
|
+
reline (0.4.2)
|
25
|
+
io-console (~> 0.5)
|
13
26
|
rspec (3.12.0)
|
14
27
|
rspec-core (~> 3.12.0)
|
15
28
|
rspec-expectations (~> 3.12.0)
|
@@ -23,12 +36,14 @@ GEM
|
|
23
36
|
diff-lcs (>= 1.2.0, < 2.0)
|
24
37
|
rspec-support (~> 3.12.0)
|
25
38
|
rspec-support (3.12.0)
|
39
|
+
stringio (3.1.0)
|
26
40
|
|
27
41
|
PLATFORMS
|
28
42
|
arm64-darwin-22
|
29
43
|
x86_64-linux
|
30
44
|
|
31
45
|
DEPENDENCIES
|
46
|
+
debug (~> 1.9, >= 1.9.1)
|
32
47
|
rack-cors-csrf_prevention!
|
33
48
|
rake (~> 13.0)
|
34
49
|
rspec (~> 3.0)
|
data/README.md
CHANGED
@@ -20,29 +20,26 @@ gem install rack-cors-csrf_prevention
|
|
20
20
|
|
21
21
|
### Rails Configuration
|
22
22
|
|
23
|
-
Specify paths for CSRF prevention:
|
24
|
-
|
25
23
|
```ruby
|
26
24
|
# config/initializers/cors.rb
|
27
25
|
|
28
|
-
Rails.application.config.middleware.use Rack::Cors::CsrfPrevention
|
29
|
-
paths: %w[/graphql]
|
26
|
+
Rails.application.config.middleware.use Rack::Cors::CsrfPrevention
|
30
27
|
```
|
31
28
|
|
32
|
-
|
29
|
+
By default, gem protects path `/graphql` and allows only `X-Apollo-Operation-Name` or `Apollo-Require-Preflight` header for non-preflighted content types.
|
30
|
+
|
31
|
+
You can customize path and headers for CSRF prevention:
|
33
32
|
|
34
33
|
```ruby
|
35
34
|
# config/initializers/cors.rb
|
36
35
|
|
37
36
|
Rails.application.config.middleware.use Rack::Cors::CsrfPrevention,
|
38
|
-
|
39
|
-
required_headers: %w[
|
40
|
-
X-APOLLO-OPERATION-NAME
|
41
|
-
APOLLO-REQUIRE-PREFLIGHT
|
42
|
-
SOME-SPECIAL-HEADER
|
43
|
-
]
|
37
|
+
path: "/gql",
|
38
|
+
required_headers: %w[SOME-SPECIAL-HEADER]
|
44
39
|
```
|
45
40
|
|
41
|
+
Also, you can configure multiple paths via `paths` argument.
|
42
|
+
|
46
43
|
## Development
|
47
44
|
|
48
45
|
After checking out the repo, run `bin/setup` to install dependencies. Then, run
|
@@ -28,12 +28,13 @@ module Rack
|
|
28
28
|
|
29
29
|
def initialize(
|
30
30
|
app,
|
31
|
-
|
32
|
-
|
31
|
+
path: nil,
|
32
|
+
paths: [],
|
33
|
+
required_headers: []
|
33
34
|
)
|
34
35
|
@app = app
|
35
|
-
@paths = paths
|
36
|
-
@required_headers = required_headers
|
36
|
+
@paths = path.nil? && paths.empty? ? ["/graphql"] : [path].compact + paths
|
37
|
+
@required_headers = APOLLO_CUSTOM_PREFLIGHT_HEADERS + required_headers
|
37
38
|
end
|
38
39
|
|
39
40
|
def call(env)
|
@@ -51,6 +51,6 @@ Gem::Specification.new do |spec|
|
|
51
51
|
spec.add_dependency "rack", ">= 1"
|
52
52
|
|
53
53
|
spec.add_development_dependency "rake", "~> 13.0"
|
54
|
-
# spec.add_development_dependency "minitest", "~> 5.0"
|
55
54
|
spec.add_development_dependency "rspec", "~> 3.0"
|
55
|
+
spec.add_development_dependency "debug", "~> 1.9", ">= 1.9.1"
|
56
56
|
end
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: rack-cors-csrf_prevention
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.2.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Digital Classifieds LLC
|
@@ -52,6 +52,26 @@ dependencies:
|
|
52
52
|
- - "~>"
|
53
53
|
- !ruby/object:Gem::Version
|
54
54
|
version: '3.0'
|
55
|
+
- !ruby/object:Gem::Dependency
|
56
|
+
name: debug
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
58
|
+
requirements:
|
59
|
+
- - "~>"
|
60
|
+
- !ruby/object:Gem::Version
|
61
|
+
version: '1.9'
|
62
|
+
- - ">="
|
63
|
+
- !ruby/object:Gem::Version
|
64
|
+
version: 1.9.1
|
65
|
+
type: :development
|
66
|
+
prerelease: false
|
67
|
+
version_requirements: !ruby/object:Gem::Requirement
|
68
|
+
requirements:
|
69
|
+
- - "~>"
|
70
|
+
- !ruby/object:Gem::Version
|
71
|
+
version: '1.9'
|
72
|
+
- - ">="
|
73
|
+
- !ruby/object:Gem::Version
|
74
|
+
version: 1.9.1
|
55
75
|
description: |
|
56
76
|
The middleware makes sure any request to specified paths would have been
|
57
77
|
preflighted if it was sent by a browser.
|