rack-steady_etag 0.1.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 733d26f0e71001a540dcd32beb688dd0b78e72ded8d6695bcb489db227a31d35
-  data.tar.gz: 429c9a93ffad20173a5e8f603d427f54daeb964a748c955a4685d6dd8a7d2f70
+  metadata.gz: d3047cb500ace97518e12a5667bad5602d27b493f24d6a8a6c8236372fe7ca36
+  data.tar.gz: d9c3afe27e063227577e1921f6f4ce4e170f7f5627be0126096f1ed846ad7d1e
 SHA512:
-  metadata.gz: 041f32e35729ad2a7cb72d447814dea132d2a463e9c13f5d4af113ffa4f5fc568791c7c6a67cc724046628560737ec9a9401c8c5c34dde9319af251aa3f7cc7c
-  data.tar.gz: 20ecac0974ebf4dd59d55360ca872af812b5c2cf1fd4c20f81c9a0f6cb90cd89cb7980e8a8a667536bf4b79e5673c4b5220f7de3419e2e7ec8b3e448a9cee70b
+  metadata.gz: b86c5ec23d0d27170406530421acea4a54be83caf4c0513de01004136e92d2842aa771927f9ab8074bd918b83f3f10efc651b3e815dc8c5c2036769767c28077
+  data.tar.gz: b28cddf4577f20d1c0c75cdcf7c58d9ce5765f2148ab6fde4b9c0533725d09aa4c596b1624cab70c4e36a5b909e67153fd14ff95a272e9ef8fa0ee5ac81800c8

data/CHANGELOG.md

@@ -0,0 +1,25 @@
+All notable changes to this project will be documented in this file.
+
+This project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
+
+
+## Unreleased
+
+## 0.2.1 - 2022-05-12
+
+- Only strip patterns for HTML and XHTML responses.
+
+## 0.2.0 - 2022-05-12
+
+- Be more compatible with Rack 2.2.2:
+  - Always set a `Cache-Control` header, even for responses that we don't try to digest.
+- Strip patterns for responses with `Cache-Control: public`
+- Requires Rack 2.x (we want to break with Rack 3)
+
+## 0.1.1 - 2022-05-16
+
+- Activate rubygems MFA
+
+## 0.1.0 - 2021-12-01
+
+- initial release

data/Gemfile.lock

@@ -1,25 +1,24 @@
 PATH
   remote: .
   specs:
-    rack-steady_etag (0.1.0)
+    rack-steady_etag (0.2.1)
       activesupport (>= 3.2)
-      rack
+      rack (~> 2.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (6.1.4.1)
+    activesupport (7.0.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
-      zeitwerk (~> 2.3)
     byebug (11.1.3)
     concurrent-ruby (1.1.9)
     diff-lcs (1.4.4)
     i18n (1.8.11)
       concurrent-ruby (~> 1.0)
-    minitest (5.14.4)
+    minitest (5.15.0)
     rack (2.2.3)
     rake (13.0.6)
     rspec (3.10.0)
@@ -37,7 +36,6 @@ GEM
     rspec-support (3.10.3)
     tzinfo (2.0.4)
       concurrent-ruby (~> 1.0)
-    zeitwerk (2.5.1)
 
 PLATFORMS
   x86_64-linux

data/README.md

@@ -2,7 +2,7 @@
 
 `Rack::SteadyTag` is a Rack middleware that generates the same default [`ETag`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag) for responses that only differ in CSRF tokens or CSP nonces.
 
-By default Rails uses [`Rack::ETag`](https://rdoc.info/github/rack/rack/Rack/ETag) to generate `ETag` headers by hashing the response body. In theory this would [enable caching](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-None-Match) for multiple requests to the same resource. However, since most Rails application layouts insert randomly rotating CSRF tokens and CSP nonces into the HTML, two requests for the same content and user will never produce the same response bytes. This means the default ETags from Rails will [never hit a cache](https://github.com/rails/rails/issues/29889).
+By default Rails uses [`Rack::ETag`](https://rdoc.info/github/rack/rack/Rack/ETag) to generate `ETag` headers by hashing the response body. In theory this would [enable caching](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/If-None-Match) for multiple requests to the same resource. However, since most Rails application layouts insert randomly rotating CSRF tokens and CSP nonces into the HTML, two requests for the same content and user will never produce the same response bytes. This means `Rack::ETag` will never send the same ETag twice, causing responses to [never hit a cache](https://github.com/rails/rails/issues/29889).
 
 `Rack::SteadyETag` is a drop-in replacement for `Rack::ETag`. It excludes random content (like CSRF tokens) from the generated ETag, causing two requests for the same content to usually carry the same ETag.
 
@@ -20,17 +20,27 @@ By default Rails uses [`Rack::ETag`](https://rdoc.info/github/rack/rack/Rack/ETa
 You can add your own patterns:
 
 ```ruby
-Rack::SteadyETag::IGNORED_PATTERNS << /<meta name="XSRF-TOKEN" value="[^"]+">/
+Rack::SteadyETag::STRIP_PATTERNS << /<meta name="XSRF-TOKEN" value="[^"]+">/
 ```
 
 You can also push lambda for arbitrary transformations:
 
 ```ruby
-Rack::SteadyETag::IGNORED_PATTERNS << -> { |text| text.gsub(/<meta name="XSRF-TOKEN" value="[^"]+">/, '') }
+Rack::SteadyETag::STRIP_PATTERNS << -> { |text| text.gsub(/<meta name="XSRF-TOKEN" value="[^"]+">/, '') }
 ```
 
 Transformations are only applied for the `ETag` hash. The response body will not be changed.
 
+## What responses are processed
+
+This middleware will process responses that match all of the following: 
+
+- Responses with a HTTP status of 200 or 201
+- Responses with a `Content-Type` of `text/html` or `application/xhtml+xml`
+- Responses with a body. 
+
+This middleware can also add a default `Cache-Control` header for responses it *didn't* process. This is passed as an argument during middleware initialization (see *Installation* below). 
+
 ## Covered edge cases
 
 - Different `ETags` are generated when the same content is accessed with different Rack sessions.
@@ -39,7 +49,7 @@ Transformations are only applied for the `ETag` hash. The response body will not
 - No `ETag` is generated when the response already has an `Last-Modified` header.
 
 
-## Installation
+## Installation in Rails
 
 Add this line to your application's Gemfile:
 
@@ -56,9 +66,11 @@ bundle install
 In your `config/application.rb`:
 
 ```ruby
-config.middleware.swap Rack::ETag, Rack::SteadyETag
+config.middleware.swap Rack::ETag, Rack::SteadyETag, 'no-cache'
 ```
 
+The `'no-cache'` argument is the default `Cache-Control` for responses that cannot be digested. While it may feel surprising that the middleware changes the `Cache-Control` header in such a case, the [Rails default middleware stack](https://github.com/rails/rails/blob/d96609505511a76c618dc3adfa3ca4679317d008/railties/lib/rails/application/default_middleware_stack.rb#L81) configures the same behavior.
+
 
 ## Development
 

data/lib/rack/steady_etag/version.rb

@@ -2,6 +2,6 @@
 
 module Rack
   class SteadyEtag
-    VERSION = "0.1.0"
+    VERSION = "0.2.1"
   end
 end

data/lib/rack/steady_etag.rb

@@ -6,8 +6,8 @@ require_relative "steady_etag/version"
 
 module Rack
 
-  # Based on Rack::Etag
-  # https://github.com/rack/rack/blob/master/lib/rack/etag.rb
+  # Based on Rack::Etag from rack 2.2.2
+  # https://github.com/rack/rack/blob/v2.2.2/lib/rack/etag.rb
   #
   # Automatically sets the ETag header on all String bodies.
   #
@@ -15,20 +15,30 @@ module Rack
   # a sendfile body (body.responds_to :to_path) is given (since such cases
   # should be handled by apache/nginx).
   class SteadyETag
+
+    # Yes, Rack::ETag sets a default Cache-Control for responses that it can digest.
     DEFAULT_CACHE_CONTROL = "max-age=0, private, must-revalidate"
 
-    IGNORE_PATTERNS = [
+    STRIP_PATTERNS = [
       /<meta\b[^>]*\bname=(["'])csrf-token\1[^>]+>/i,
       /<meta\b[^>]*\bname=(["'])csp-nonce\1[^>]+>/i,
       /<input\b[^>]*\bname=(["'])authenticity_token\1[^>]+>/i,
       lambda { |string| string.gsub(/(<script\b[^>]*)\bnonce=(["'])[^"']+\2+/i, '\1') }
     ]
 
-    def initialize(app, no_digest_cache_control: nil, digest_cache_control: DEFAULT_CACHE_CONTROL, ignore_patterns: IGNORE_PATTERNS.dup)
+    STRIP_CONTENT_TYPES = %w[
+      text/html
+      application/xhtml+xml
+    ]
+
+    def initialize(app, no_digest_cache_control = nil, digest_cache_control = DEFAULT_CACHE_CONTROL)
       @app = app
+
       @digest_cache_control = digest_cache_control
+
+      # Rails sets a default `Cache-Control: no-cache` for responses that we cannot digest.
+      # See https://github.com/rails/rails/blob/d96609505511a76c618dc3adfa3ca4679317d008/railties/lib/rails/application/default_middleware_stack.rb#L81
       @no_digest_cache_control = no_digest_cache_control
-      @ignore_patterns = ignore_patterns
     end
 
     def call(env)
@@ -45,6 +55,18 @@ module Rack
         headers[ETAG] = %(W/"#{digest}") if digest
       end
 
+      # It would make more sense to only set a Cache-Control for responses that we process.
+      # However, the original Rack::ETag sets Cache-Control: @no_digest_cache_control
+      # for all responses, even responses that we don't otherwise modify.
+      # Hence if we move this code into the `if` above we would remove Rails' default
+      # Cache-Control headers for non-digestable responses, which would be a considerable
+      # change in behavior.
+      if digest
+        set_cache_control_with_digest(headers)
+      else
+        set_cache_control_without_digest(headers)
+      end
+
       [status, headers, body]
     end
 
@@ -63,6 +85,9 @@ module Rack
     end
 
     def etag_body?(body)
+      # Rack main branch checks for `:to_ary` here to exclude streaming responses,
+      # but that had other issues for me in testing. Maybe recheck when there is a
+      # new Rack release after 2.2.2.
       !body.respond_to?(:to_path)
     end
 
@@ -70,51 +95,45 @@ module Rack
       headers.key?(ETAG) || headers.key?('Last-Modified')
     end
 
-    def cache_control_private?(headers)
-      headers[CACHE_CONTROL] && headers[CACHE_CONTROL] =~ /\bprivate\b/
-    end
-
     def digest_body(body, headers, session)
       parts = []
       digest = nil
 
+      strippable_response = STRIP_CONTENT_TYPES.include?(headers['Content-Type'])
+
       body.each do |part|
         parts << part
 
         if part.present?
-          set_cache_control_with_digest(headers)
-
-          if cache_control_private?(headers)
-            part = strip_ignore_patterns(part)
-          end
-
-          unless digest
-            digest = Digest::SHA256.new
-
-            if session && (session_id = session['session_id'])
-              digest << session_id.to_s
-            end
-          end
-
+          digest ||= initialize_digest(session)
+          part = strip_patterns(part) if strippable_response
           digest << part
         end
       end
 
       if digest
         digest = digest.hexdigest.byteslice(0,32)
-      else
-        set_cache_control_without_digest(headers)
       end
 
       [digest, parts]
     end
 
-    def strip_ignore_patterns(html)
-      @ignore_patterns.each do |ignore_pattern|
-        if ignore_pattern.respond_to?(:call)
-          html = ignore_pattern.call(html)
+    def initialize_digest(session)
+      digest = Digest::SHA256.new
+
+      if session && (session_id = session['session_id'])
+        digest << session_id.to_s
+      end
+
+      digest
+    end
+
+    def strip_patterns(html)
+      STRIP_PATTERNS.each do |pattern|
+        if pattern.respond_to?(:call)
+          html = pattern.call(html)
         else
-          html = html.gsub(ignore_pattern, '')
+          html = html.gsub(pattern, '')
         end
       end
       html

data/rack-steady_etag.gemspec

@@ -16,6 +16,9 @@ Gem::Specification.new do |spec|
 
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = spec.homepage
+  spec.metadata["bug_tracker_uri"] = spec.homepage + "/issues"
+  spec.metadata["changelog_uri"] = spec.homepage + "/blob/master/CHANGELOG.md"
+  spec.metadata["rubygems_mfa_required"] = 'true'
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
@@ -28,10 +31,10 @@ Gem::Specification.new do |spec|
   spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  # Uncomment to register a new dependency of your gem
-  spec.add_dependency "rack"
-  spec.add_dependency 'activesupport', '>= 3.2'
+  # I expect Rack 3 to have a new ETag middleware to no longer buffer
+  # streaming responses: https://github.com/rack/rack/issues/1619
+  # Once Rack 3 is out we should release a new version of this gem.
+  spec.add_dependency "rack", '~>2.0'
 
-  # For more information and examples about making a new gem, checkout our
-  # guide at: https://bundler.io/guides/creating_gem.html
+  spec.add_dependency 'activesupport', '>= 3.2'
 end

metadata

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: rack-steady_etag
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.1
 platform: ruby
 authors:
 - Henning Koch
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-12-01 00:00:00.000000000 Z
+date: 2022-05-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
@@ -48,6 +48,7 @@ extra_rdoc_files: []
 files:
 - ".rspec"
 - ".ruby-version"
+- CHANGELOG.md
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -64,6 +65,9 @@ licenses:
 metadata:
   homepage_uri: https://github.com/makandra/rack-steady_etag
   source_code_uri: https://github.com/makandra/rack-steady_etag
+  bug_tracker_uri: https://github.com/makandra/rack-steady_etag/issues
+  changelog_uri: https://github.com/makandra/rack-steady_etag/blob/master/CHANGELOG.md
+  rubygems_mfa_required: 'true'
 post_install_message: 
 rdoc_options: []
 require_paths: