rage-rb 1.19.0 → 1.19.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 847e3debe188b3b34ffdd6b7306edeca0a053b82c0e5106b3faa37a6e43f20bf
-  data.tar.gz: 202db65e0a17d27ae94178d93ddfca940a95237450095b06c0fa4e080a6fd09a
+  metadata.gz: 9c49338e5b69de7d3c5667af08785441a4988710da64e84946023a660cc31560
+  data.tar.gz: 841f4c508fb3d0739fd912967d370f5b40e69dbe8089727ea8cc56b123abd9ff
 SHA512:
-  metadata.gz: 74610482cca2fd1394e3ffd4bd2cf577ed78a980140e39bf359ece4050bed7497dc1845a472a3c403a6fb0cbd48c1124a1714b8e7c8352b0ed720287177418c9
-  data.tar.gz: cd7cec704b0019012d1a08aea63b97dd83e0a6ee17155228d9517575e7882482c58b4b227d6663b053cc77a2edc551e34da53d0bf9bc0463e254ca917f9e8af4
+  metadata.gz: 73c04963af90446e29b52564020c42048735a3df8a17e071dd744f139094e68a64cabf66396433b05dd1cd51fa1b91374fe06133754b2d802171641cf2f44956
+  data.tar.gz: d7561754ef307415e7d848e9ac0fc2731c03281285664eafd3c2865ebc7234bb03826c22cb803e05d48aaa3c4fce05d568a13b199f4d5ee5eb8d2613ba13c4b9

data/CHANGELOG.md

@@ -1,5 +1,17 @@
 ## [Unreleased]
 
+## [1.19.2] - 2025-01-06
+
+### Changed
+
+- Compatibility with Rack 3 (#193).
+
+## [1.19.1] - 2025-12-26
+
+### Changed
+
+- Use app-specific cookie keys for sessions (#189).
+
 ## [1.19.0] - 2025-12-03
 
 ### Added

data/lib/rage/cable/cable.rb

@@ -1,5 +1,33 @@
 # frozen_string_literal: true
 
+##
+# `Rage::Cable` provides built-in WebSocket support for Rage apps, similar to Action Cable in Rails. It lets you mount a separate WebSocket application, define channels and connections, subscribe clients to named streams, and broadcast messages in real time.
+#
+# Define a channel:
+# ```ruby
+# class ChatChannel < Rage::Cable::Channel
+#   def subscribed
+#     stream_from "chat"
+#   end
+#
+#   def receive(data)
+#     puts "Received message: #{data['message']}"
+#   end
+# end
+# ```
+#
+# Mount the Cable application:
+# ```ruby
+# Rage.routes.draw do
+#   mount Rage::Cable.application, at: "/cable"
+# end
+# ```
+#
+# Broadcast a message to a stream:
+# ```ruby
+# Rage.cable.broadcast("chat", { message: "Hello, world!" })
+# ```
+#
 module Rage::Cable
   # Create a new Cable application.
   #
@@ -19,7 +47,7 @@ module Rage::Cable
         env["rack.upgrade"] = handler
         accept_response
       else
-        [426, { "Connection" => "Upgrade", "Upgrade" => "websocket" }, []]
+        [426, { "connection" => "upgrade", "upgrade" => "websocket" }, []]
       end
     end
 

data/lib/rage/configuration.rb

@@ -203,6 +203,14 @@ class Rage::Configuration
   end
   # @!endgroup
 
+  # @!group Session Configuration
+  # Allows configuring session settings.
+  # @return [Rage::Configuration::Session]
+  def session
+    @session ||= Session.new
+  end
+  # @!endgroup
+
   # @private
   def internal
     @internal ||= Internal.new
@@ -773,6 +781,17 @@ class Rage::Configuration
     end
   end
 
+  class Session
+    # @!attribute key
+    #   Specify the name of the session cookie.
+    #   @return [String]
+    #   @example Change the session cookie name
+    #     Rage.configure do
+    #       config.session.key = "_myapp_session"
+    #     end
+    attr_accessor :key
+  end
+
   # @private
   class Internal
     attr_accessor :rails_mode

data/lib/rage/controller/api.rb

@@ -585,7 +585,7 @@ class RageController::API
 
   # Render an HTTP header requesting the client to send a Bearer token for authentication.
   def request_http_token_authentication
-    headers["Www-Authenticate"] = "Token"
+    headers["www-authenticate"] = "Token"
     render plain: "HTTP Token: Access denied.", status: 401
   end
 

data/lib/rage/cookies.rb

@@ -12,6 +12,92 @@ if !defined?(DomainName)
   ERR
 end
 
+##
+# Cookies provide a convenient way to store small amounts of data on the client side that persists across requests.
+# They are commonly used for session management, personalization, and tracking user preferences.
+#
+# Rage cookies support both simple string-based cookies and encrypted cookies for sensitive data.
+#
+# To use cookies, add the `domain_name` gem to your `Gemfile`:
+#
+# ```bash
+# bundle add domain_name
+# ```
+#
+# Additionally, if you need to use encrypted cookies, see {Session} for setup steps.
+#
+# ## Usage
+#
+# ### Basic Cookies
+#
+# Read and write simple string values:
+#
+# ```ruby
+# # Set a cookie
+# cookies[:user_name] = "Alice"
+#
+# # Read a cookie
+# cookies[:user_name] # => "Alice"
+#
+# # Delete a cookie
+# cookies.delete(:user_name)
+# ```
+#
+# ### Cookie Options
+#
+# Set cookies with additional options for security and control:
+#
+# ```ruby
+# cookies[:user_id] = {
+#   value: "12345",
+#   expires: 1.year.from_now,
+#   secure: true,
+#   httponly: true,
+#   same_site: :lax
+# }
+# ```
+#
+# ### Encrypted Cookies
+#
+# Store sensitive data securely with automatic encryption:
+#
+# ```ruby
+# # Set an encrypted cookie
+# cookies.encrypted[:api_token] = "secret-token"
+#
+# # Read an encrypted cookie
+# cookies.encrypted[:api_token] # => "secret-token"
+#
+# ```
+#
+# ### Permanent Cookies
+#
+# Create cookies that expire 20 years from now:
+#
+# ```ruby
+# cookies.permanent[:remember_token] = "token-value"
+#
+# # Can be combined with encrypted
+# cookies.permanent.encrypted[:user_id] = current_user.id
+# ```
+#
+# ### Domain Configuration
+#
+# Control which domains can access your cookies:
+#
+# ```ruby
+# # Specific domain
+# cookies[:cross_domain] = { value: "data", domain: "example.com" }
+#
+# # All subdomains
+# cookies[:shared] = { value: "data", domain: :all }
+#
+# # Multiple allowed domains
+# cookies[:limited] = { value: "data", domain: ["app.example.com", "api.example.com"] }
+# ```
+#
+# @see Session
+#
 class Rage::Cookies
   # @private
   def initialize(env, headers)
@@ -45,12 +131,8 @@ class Rage::Cookies
   # @param path [String]
   # @param domain [String]
   def delete(key, path: "/", domain: nil)
-    @headers.compare_by_identity
-
     @request_cookies[key] = nil
-    @headers[set_cookie_key(key)] = Rack::Utils.add_cookie_to_header(nil, key, {
-      value: "", expires: Time.at(0), path: path, domain: domain
-    })
+    Rack::Utils.delete_cookie_header!(@headers, key, { path: path, domain: domain })
   end
 
   # Returns a jar that'll automatically encrypt cookie values before sending them to the client and will decrypt them
@@ -88,19 +170,17 @@ class Rage::Cookies
   # @example
   #   cookie[:user_id] = { value: current_user.id, httponly: true, secure: true }
   def []=(key, value)
-    @headers.compare_by_identity
-
     unless value.is_a?(Hash)
       serialized_value = @jar.dump(value)
       @request_cookies[key] = serialized_value
-      @headers[set_cookie_key(key)] = Rack::Utils.add_cookie_to_header(nil, key, { value: serialized_value, expires: @expires })
+      Rack::Utils.set_cookie_header!(@headers, key, { value: serialized_value, expires: @expires })
       return
     end
 
     if (domain = value[:domain])
       host = @env["HTTP_HOST"]
 
-      _domain = if domain.is_a?(String)
+      processed_domain = if domain.is_a?(String)
         domain
       elsif domain == :all
         DomainName(host).domain
@@ -110,18 +190,13 @@ class Rage::Cookies
     end
 
     serialized_value = @jar.dump(value[:value])
-    cookie = Rack::Utils.add_cookie_to_header(nil, key, {
-      path: value[:path],
-      secure: value[:secure],
-      expires: value[:expires] || @expires,
-      httponly: value[:httponly],
-      same_site: value[:same_site],
+    Rack::Utils.set_cookie_header!(@headers, key, {
+      **value,
       value: serialized_value,
-      domain: _domain
+      domain: processed_domain,
+      expires: value[:expires] || @expires
     })
-
     @request_cookies[key] = serialized_value
-    @headers[set_cookie_key(key)] = cookie
   end
 
   def inspect
@@ -154,11 +229,6 @@ class Rage::Cookies
     @request_cookies
   end
 
-  def set_cookie_key(key)
-    @set_cookie_keys ||= Hash.new { |hash, key| hash[key] = "Set-Cookie".dup }
-    @set_cookie_keys[key]
-  end
-
   protected
 
   attr_writer :jar, :expires
@@ -190,10 +260,13 @@ class Rage::Cookies
         begin
           box.decrypt(Base64.urlsafe_decode64(value).byteslice(2..))
         rescue ArgumentError
+          Rage.logger.debug("Failed to decode encrypted cookie")
           nil
         rescue RbNaCl::CryptoError
+          Rage.logger.debug("Failed to decrypt encrypted cookie")
           i ||= 0
           if (box = fallback_boxes[i])
+            Rage.logger.debug("Trying to decrypt with fallback key ##{i + 1}")
             i += 1
             retry
           end

data/lib/rage/logger/logger.rb

@@ -209,13 +209,7 @@ class Rage::Logger
         RUBY
       elsif @external_logger.is_a?(External::Dynamic)
         # a callable object is used as a logger
-        call_method = if @external_logger.wrapped.is_a?(Proc)
-          @external_logger.wrapped
-        else
-          @external_logger.wrapped.method(:call)
-        end
-
-        parameters = Rage::Internal.build_arguments(call_method, {
+        parameters = Rage::Internal.build_arguments(@external_logger.wrapped, {
           severity: ":#{level_name}",
           tags: "logger[:tags].freeze",
           context: "logger[:context].freeze",

data/lib/rage/middleware/cors.rb

@@ -14,20 +14,20 @@ class Rage::Cors
     end
 
     response = @app.call(env)
-    response[1]["Access-Control-Allow-Credentials"] = @allow_credentials if @allow_credentials
-    response[1]["Access-Control-Expose-Headers"] = @expose_headers if @expose_headers
+    response[1]["access-control-allow-credentials"] = @allow_credentials if @allow_credentials
+    response[1]["access-control-expose-headers"] = @expose_headers if @expose_headers
 
     response
   ensure
     if !$! && (origin = @cors_check.call(env))
       headers = response[1]
-      headers["Access-Control-Allow-Origin"] = origin
+      headers["access-control-allow-origin"] = origin
       if @origins != "*"
-        vary = headers["Vary"]
+        vary = headers["vary"]
         if vary.nil?
-          headers["Vary"] = "Origin"
+          headers["vary"] = "Origin"
         elsif vary != "Origin"
-          headers["Vary"] += ", Origin"
+          headers["vary"] += ", Origin"
         end
       end
     end
@@ -98,21 +98,21 @@ class Rage::Cors
 
   def create_headers
     headers = {
-      "Access-Control-Allow-Origin" => "",
-      "Access-Control-Allow-Methods" => @methods
+      "access-control-allow-origin" => "",
+      "access-control-allow-methods" => @methods
     }
 
     if @allow_headers
-      headers["Access-Control-Allow-Headers"] = @allow_headers
+      headers["access-control-allow-headers"] = @allow_headers
     end
     if @expose_headers
-      headers["Access-Control-Expose-Headers"] = @expose_headers
+      headers["access-control-expose-headers"] = @expose_headers
     end
     if @max_age
-      headers["Access-Control-Max-Age"] = @max_age
+      headers["access-control-max-age"] = @max_age
     end
     if @allow_credentials
-      headers["Access-Control-Allow-Credentials"] = @allow_credentials
+      headers["access-control-allow-credentials"] = @allow_credentials
     end
 
     headers

data/lib/rage/middleware/request_id.rb

@@ -24,7 +24,7 @@ class Rage::RequestId
   def call(env)
     env["rage.request_id"] = validate_external_request_id(env["HTTP_X_REQUEST_ID"])
     response = @app.call(env)
-    response[1]["X-Request-Id"] = env["rage.request_id"]
+    response[1]["x-request-id"] = env["rage.request_id"]
 
     response
   end

data/lib/rage/openapi/openapi.rb

@@ -48,13 +48,13 @@ module Rage::OpenAPI
         spec_url = "#{scheme}://#{host}#{path}/json"
         page = ERB.new(File.read("#{__dir__}/index.html.erb")).result(binding)
 
-        [200, { "Content-Type" => "text/html; charset=UTF-8" }, [page]]
+        [200, { "content-type" => "text/html; charset=UTF-8" }, [page]]
       end
     end
 
     json_app = ->(env) do
       spec = (__data_cache[[:spec, namespace]] ||= build(namespace:).to_json)
-      [200, { "Content-Type" => "application/json" }, [spec]]
+      [200, { "content-type" => "application/json" }, [spec]]
     end
 
     app = ->(env) do

data/lib/rage/response.rb

@@ -4,8 +4,8 @@ require "digest"
 require "time"
 
 class Rage::Response
-  ETAG_HEADER = "ETag"
-  LAST_MODIFIED_HEADER = "Last-Modified"
+  ETAG_HEADER = "etag"
+  LAST_MODIFIED_HEADER = "last-modified"
 
   # @private
   def initialize(headers, body)

data/lib/rage/session.rb

@@ -2,9 +2,68 @@
 
 require "json"
 
+##
+# Sessions securely store data between requests using cookies and are typically one of the most convenient and secure
+# authentication mechanisms for browser-based clients.
+#
+# Rage sessions are encrypted using a secret key. This prevents clients from reading or tampering with session data.
+#
+# ## Setup
+#
+# 1. Add the required gems to your `Gemfile`:
+#
+#     ```bash
+#     bundle add base64 domain_name rbnacl
+#     ```
+#
+# 2. Generate a secret key base (keep this value private and out of version control):
+#
+#     ```bash
+#     ruby -r securerandom -e 'puts SecureRandom.hex(64)'
+#     ```
+#
+# 3. Configure your application to use the generated key, either via configuration:
+#
+#     ```ruby
+#     Rage.configure do |config|
+#       config.secret_key_base = "my-secret-key"
+#     end
+#     ```
+#
+#     or via the `SECRET_KEY_BASE` environment variable:
+#
+#     ```bash
+#     export SECRET_KEY_BASE="my-secret-key"
+#     ```
+#
+# ## System Dependencies
+#
+# Rage sessions use libsodium (via RbNaCl) for encryption. On many Debian-based systems
+# it is installed by default; if not, install it with:
+#
+# - Ubuntu / Debian:
+#
+#     ```bash
+#     sudo apt install libsodium23
+#     ```
+#
+# - Fedora / RHEL / Amazon Linux:
+#
+#     ```bash
+#     sudo yum install libsodium
+#     ```
+#
+# - macOS (using Homebrew):
+#
+#     ```bash
+#     brew install libsodium
+#     ```
+#
 class Rage::Session
   # @private
-  KEY = Rack::RACK_SESSION.to_sym
+  def self.key
+    @key ||= Rage.config.session.key&.to_sym || :"_#{Rage.root.basename.to_s.gsub(/\W/, "_").downcase}_session"
+  end
 
   # @private
   def initialize(cookies)
@@ -92,13 +151,15 @@ class Rage::Session
       read_session.clear
     end
 
-    @cookies[KEY] = { httponly: true, same_site: :lax, value: read_session.to_json }
+    @cookies[self.class.key] = { httponly: true, same_site: :lax, value: read_session.to_json }
   end
 
   def read_session
     @session ||= begin
-      JSON.parse(@cookies[KEY] || "{}", symbolize_names: true)
+      session_value = @cookies[self.class.key] || @cookies[Rack::RACK_SESSION.to_sym] || "{}"
+      JSON.parse(session_value, symbolize_names: true)
     rescue JSON::ParserError
+      Rage.logger.debug("Failed to parse session cookie, resetting session")
       {}
     end
   end

data/lib/rage/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Rage
-  VERSION = "1.19.0"
+  VERSION = "1.19.2"
 end

data/rage.gemspec

@@ -28,7 +28,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "thor", "~> 1.0"
-  spec.add_dependency "rack", "~> 2.0"
+  spec.add_dependency "rack", "< 4"
   spec.add_dependency "rage-iodine", "~> 4.3"
   spec.add_dependency "zeitwerk", "~> 2.6"
   spec.add_dependency "rack-test", "~> 2.1"

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: rage-rb
 version: !ruby/object:Gem::Version
-  version: 1.19.0
+  version: 1.19.2
 platform: ruby
 authors:
 - Roman Samoilov
 bindir: exe
 cert_chain: []
-date: 2025-12-03 00:00:00.000000000 Z
+date: 2026-01-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -27,16 +27,16 @@ dependencies:
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '4'
 - !ruby/object:Gem::Dependency
   name: rage-iodine
   requirement: !ruby/object:Gem::Requirement