roda 3.102.0 → 3.103.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f36503d930c18c02148a0da9c30d8f7166790402e04a4220e5a792dc2502779a
-  data.tar.gz: 533b40ec81263d73cbcf60d3a9807434ba0ca1a0d92ee1ca3fc59226edc80c96
+  metadata.gz: d9809241399d00f1fc975608188f61e99c76c5818d7775a4fe8f0b7eeb9715e3
+  data.tar.gz: e04d8e54e041a4f96e998ebdd0431aada5e6d201fb1b6acc4b8c2a3fab50ea79
 SHA512:
-  metadata.gz: 0afa286317e707bd64e903fe6d5225d17a499606fdc71253769795818505793a0a12d42f8999c5eb8e678481da09d82aacb495b7a228ab47a6437b721807f57b
-  data.tar.gz: 14e94a735b1f88e45ff4c2c21b4c3acb7d96cf75f3435695b0c13a0f22471f6c619d3b0915b2794dff745ea88a333c0fd5e629c9566326f5e15d8b4cedd2be32
+  metadata.gz: 19235fd38195015a2b7392ebbf97d34d2f7bda2977c6d45c42fd3b2fd86b1cdee5eff2b65bccf485157955ad474994567ae1b99e93c9459a3a9601df65800f6c
+  data.tar.gz: 628a775ff0bbb503e18d3cc1989ddfb8dcafec407b890b96adf30684674f5ca749cc6ae6fdc9c4ff9ec59e7779f878f55ae37e76c0e52c26da4e8127a5a0f0f9

data/lib/roda/plugins/hash_public.rb

@@ -0,0 +1,105 @@
+# frozen-string-literal: true
+
+require 'digest/sha2'
+
+class Roda
+  module RodaPlugins
+    # The hash_public plugin adds a +hash_path+ method for constructing
+    # content-hash-based paths, and a +r.hash_public+ routing method to serve
+    # static files from a directory (using the public plugin).  This plugin is
+    # useful when you want to modify the path to static files when the content
+    # of the file changes, ensuring that requests for the static file will not
+    # be cached.
+    #
+    # Unlike the timestamp_public plugin, which uses file modification times,
+    # hash_public uses a SHA256 digest of the file content.  This makes paths
+    # stable across different build environments (e.g. Docker images built in
+    # CI/CD pipelines), where file modification times may vary even when the
+    # file content has not changed.
+    #
+    # Note that while this plugin will not serve files outside of the public
+    # directory, for performance reasons it does not check the path of the file
+    # is inside the public directory when computing the content hash.  If the
+    # +hash_path+ method is called with untrusted input, it is possible for an
+    # attacker to read the content hash of any file on the file system.
+    #
+    # This plugin caches the digest of file content on first read. That means
+    # if you change the file after that, it will continue to show the old hash.
+    # This can cause problems in development mode if you are modifying the
+    # content of files served by the plugin.
+    #
+    # Examples:
+    #
+    #   # Use public folder as location of files, and static as the path prefix
+    #   plugin :hash_public
+    #
+    #   # Use /path/to/app/static as location of files, and public as the path prefix
+    #   opts[:root] = '/path/to/app'
+    #   plugin :hash_public, root: 'static', prefix: 'public'
+    #
+    #   # Assuming public is the location of files, and static as the path prefix
+    #   route do
+    #     # Make GET /static/any-string/images/foo.png look for public/images/foo.png
+    #     r.hash_public
+    #
+    #     r.get "example" do
+    #       # "/static/sha256-url-safe-base64-encoded-file-digest-/images/foo.png"
+    #       hash_path("images/foo.png")
+    #     end
+    #   end
+    module HashPublic
+      # Use options given to setup content-hash-based file serving.  The
+      # following options are recognized by the plugin:
+      #
+      # :prefix :: The prefix for paths, before the hash segment
+      # :length :: The number of characters of the digest to use in paths
+      #            (default: full 43-character SHA256 URL safe base64 digest)
+      #
+      # The options given are also passed to the public plugin.
+      def self.configure(app, opts = {})
+        app.plugin :public, opts
+        app.opts[:hash_public_prefix] = (opts[:prefix] || app.opts[:hash_public_prefix] || 'static').dup.freeze
+        app.opts[:hash_public_length] = opts[:length] || app.opts[:hash_public_length]
+        app.opts[:hash_public_mutex] ||= Mutex.new
+        app.opts[:hash_public_cache] ||= {}
+      end
+
+      module InstanceMethods
+        # Return a path to the static file that could be served by r.hash_public.
+        # This does not check the file is inside the directory for performance
+        # reasons, so this should not be called with untrusted input.
+        def hash_path(file)
+          opts = self.opts
+          cache = opts[:hash_public_cache]
+          mutex = opts[:hash_public_mutex]
+          unless digest = mutex.synchronize{cache[file]}
+            digest = ::Digest::SHA256.file(File.join(opts[:public_root], file)).base64digest
+            digest.chomp!("=")
+            digest.tr!("+/", "-_")
+            if length = opts[:hash_public_length]
+              digest = digest[0, length]
+            end
+            digest.freeze
+            mutex.synchronize{cache[file] = digest}
+          end
+          "/#{opts[:hash_public_prefix]}/#{digest}/#{file}"
+        end
+      end
+
+      module RequestMethods
+        # Serve files from the public directory if the file exists,
+        # it includes the hash_public prefix segment followed by
+        # a string segment for the content hash, and this is a GET request.
+        def hash_public
+          if is_get?
+            on roda_class.opts[:hash_public_prefix], String do |_|
+              public
+            end
+          end
+        end
+      end
+    end
+
+    register_plugin(:hash_public, HashPublic)
+  end
+end

data/lib/roda/plugins/ip_from_header.rb

@@ -0,0 +1,34 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The ip_from_header plugin allows for overriding +request.ip+ to return
+    # the value contained in a specific header. This is useful when the
+    # application is behind a proxy that sets a specific header, especially
+    # when the proxy does not use a fixed IP address range. Example showing 
+    # usage with Cloudflare:
+    #
+    #   plugin :ip_from_header, "CF-Connecting-IP"
+    #
+    # This plugin assumes that if the header is set, it contains a valid IP
+    # address, it does not check the format of the header value, just as
+    # <tt>Rack::Request#ip</tt> does not check the IP address it returns is
+    # actually valid.
+    module IPFromHeader
+      def self.configure(app, header)
+        app.opts[:ip_from_header_env_key] = "HTTP_#{header.upcase.tr('-', '_')}".freeze
+      end
+
+      module RequestMethods
+        # Return the IP address continained in the configured header, if present.
+        # Fallback to the default behavior if not present.
+        def ip
+          @env[roda_class.opts[:ip_from_header_env_key]] || super
+        end
+      end
+    end
+
+    register_plugin(:ip_from_header, IPFromHeader)
+  end
+end

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 102
+  RodaMinorVersion = 103
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.102.0
+  version: 3.103.0
 platform: ruby
 authors:
 - Jeremy Evans
@@ -218,6 +218,7 @@ files:
 - lib/roda/plugins/hash_branches.rb
 - lib/roda/plugins/hash_matcher.rb
 - lib/roda/plugins/hash_paths.rb
+- lib/roda/plugins/hash_public.rb
 - lib/roda/plugins/hash_routes.rb
 - lib/roda/plugins/head.rb
 - lib/roda/plugins/header_matchers.rb
@@ -230,6 +231,7 @@ files:
 - lib/roda/plugins/indifferent_params.rb
 - lib/roda/plugins/inject_erb.rb
 - lib/roda/plugins/invalid_request_body.rb
+- lib/roda/plugins/ip_from_header.rb
 - lib/roda/plugins/json.rb
 - lib/roda/plugins/json_parser.rb
 - lib/roda/plugins/link_to.rb