roda 3.39.0 → 3.43.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4f01105e24f4eae80a69f5734f93d3dfe54b5f6be2489521f1d886053c569102
-  data.tar.gz: 2aebf30460c7d5352ee15baf3f884e59dac972e0aadd63aa7ab81445a8a29f65
+  metadata.gz: 95c0306a50aefb2cfa3bd700403ff2d8441acb78438dcca36bdb0341708208fe
+  data.tar.gz: df524e11cab19b33d6f4e2a139f2813b89dc0832863aa2e0ac70c69cc4f98e68
 SHA512:
-  metadata.gz: d3fd374b3d700106ca814fff8f2dd0c66a3295955f27a453ef5d9fb2ba7fdea583d76ce82f91efb8e2ebcbb97a07e664f3f008689d51eb67ae39aebdd86a5d0e
-  data.tar.gz: 59c34c88ab1e5a5bc5017d46707a530c7cd002f4262c30751ba6429983b32477b813d83ada45a19873be711d1d2bd0abd95fe2a5c44c01038ad4a32dbb8f276d
+  metadata.gz: dc0c531cdc7d9ae5d122cae6394b49ebd9014811c6dfba64ef70bc2b4ffe03d66efe2a10dd11f180a1c68db15a7bf3e048f8fdd8550fa72584d2190d8b3d59ea
+  data.tar.gz: 3f42b2dd764cae91a0b81f43933c230b5795f29f33aebf18a7cbfd800071dfdb9ce29f80b471747105e6caa524571877f207cffde621fdaf3d04b89d5c295f8e

data/CHANGELOG

@@ -1,3 +1,39 @@
+= 3.43.1 (2021-04-13)
+
+* [SECURITY] Fix issue where loading content_security_policy plugin after default_headers plugin had no effect (jeremyevans)
+
+= 3.43.0 (2021-04-12)
+
+* Add host_authorization plugin, for checking that requests are submitted using an approved host (jeremyevans)
+
+= 3.42.0 (2021-03-12)
+
+* Make Roda.plugin support plugins using keyword arguments in Ruby 3 (jeremyevans)
+
+* Make Roda.use support middleware using keyword arguments in Ruby 3 (pat) (#207)
+
+* Support common_logger plugin :method option for specifying the method to call on the logger (fnordfish, jeremyevans) (#206)
+
+* Add recheck_precompiled_assets plugin for checking for updates to the precompiled asset metadata file (jeremyevans)
+
+* Make compile_assets class method in assets plugin use an atomic approach to writing precompiled metadata file (jeremyevans)
+
+= 3.41.0 (2021-02-17)
+
+* Improve view performance with :content option up to 3x by calling compiled template methods directly (jeremyevans)
+
+= 3.40.0 (2021-01-14)
+
+* Add freeze_template_caches! to the precompile_templates plugin, which ensures all templates are precompiled, and speeds up template access (jeremyevans)
+
+* Add precompile_views to the precompile_templates plugin, which precompiles the optimized render methods (jeremyevans)
+
+* Have RodaCache#freeze return the frozen internal hash (which no longer needs a mutex for thread-safety) (jeremyevans)
+
+* Speed up the view method in the render plugin even more when freezing the application (jeremyevans)
+
+* Speed up the view method in the render plugin when called with a single argument (jeremyevans)
+
 = 3.39.0 (2020-12-15)
 
 * Speed up relative_path plugin if relative_path or relative_prefix is called more than once (jeremyevans)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2014-2020 Jeremy Evans
+Copyright (c) 2014-2021 Jeremy Evans
 Copyright (c) 2010-2014 Michel Martens, Damian Janowski and Cyril David
 Copyright (c) 2008-2009 Christian Neukirchen
 

data/doc/release_notes/3.40.0.txt

@@ -0,0 +1,24 @@
+= New Features
+
+* A precompile_views method has been added to the
+  precompile_templates plugin.  This method works with Roda's
+  optimized compiled view methods, allowing additional memory
+  sharing between parent and child processes.
+
+* A freeze_template_caches! method has been added to the
+  precompile_templates plugin.  This freezes the template caches,
+  preventing the compilation of additional templates, useful for
+  enforcing that only precompiled templates are used.  Additionally,
+  this speeds up access to the template caches.
+
+* RodaCache#freeze now returns the frozen internal hash, which can
+  then be accessed without a mutex. Previously, freeze only froze
+  the receiver and not the internal hash, so it didn't have the
+  expected effect.
+
+= Other Improvements
+
+* The view method in the render plugin is now faster in most cases
+  when a single argument is used.  When freezing the application,
+  an additional optimization is performed to increase the
+  performance of the view method even further.

data/doc/release_notes/3.41.0.txt

@@ -0,0 +1,9 @@
+= Improvements
+
+* The performance of the render plugin's view method when passed the
+  :content option and no other options or arguments has been improved
+  by about 3x, by calling compiled template methods directly.
+
+* The compiled template method for the layout is cleared when the
+  render plugin is loaded again, which can fix issues when it is
+  loaded with different options that affect the layout.

data/doc/release_notes/3.42.0.txt

@@ -0,0 +1,21 @@
+= New Features
+
+* A recheck_precompiled_assets plugin has been added, which allows
+  for checking for updates to the precompiled asset metadata file,
+  and automatically using the updated data.
+
+* The common_logger plugin now supports a :method plugin option to
+  specify the method to call on the logger.
+
+= Other Improvements
+
+* Plugins and middleware that use keyword arguments are now supported
+  in Ruby 3.
+
+* The compile_assets class method in the assets plugin now uses an
+  atomic approach to writing the precompiled asset metadata file.
+
+* Minor method visibility issues have been fixed.  The custom_matchers
+  plugin no longer makes the unsupported_matcher request method
+  public, and the render plugin no longer makes the _layout_method
+  public when the application is frozen.

data/doc/release_notes/3.43.0.txt

@@ -0,0 +1,34 @@
+= New Features
+
+* A host_authorization plugin has been added to verify the requested
+  Host header is authorized.  Using it can prevent DNS rebinding
+  attacks in cases where the application can receive requests for
+  arbitrary hosts.
+
+  To check for authorized hosts in your routing tree, you call the
+  check_host_authorization! method.  For example, if you want to
+  check for authorized hosts after serving requests for public
+  files, you could do:
+
+    plugin :public
+    plugin :host_authorization, 'my-domain-name.example.com'
+
+    route do |r|
+      r.public
+      check_host_authorized!
+
+      # ... rest of routing tree
+    end
+
+  In addition to handling single domain names via a string, you can
+  provide an array of domain names, a regexp to match again, or a
+  proc.
+  
+  By default, requests using unauthorized hosts receive an empty 403
+  response.  If you would like to customize the response, you can
+  pass a block when loading the plugin:
+
+    plugin :host_authorization, 'my-domain-name.example.com' do |r|
+      response.status = 403
+      "Response Body Here"
+    end

data/lib/roda.rb

@@ -292,6 +292,9 @@ class Roda
           plugin.configure(self, *args, &block) if plugin.respond_to?(:configure)
           @app = nil
         end
+        # :nocov:
+        ruby2_keywords(:plugin) if respond_to?(:ruby2_keywords, true)
+        # :nocov:
 
         # Setup routing tree for the current Roda application, and build the
         # underlying rack application using the stored middleware. Requires
@@ -327,6 +330,9 @@ class Roda
           @middleware << [args, block].freeze
           @app = nil
         end
+        # :nocov:
+        ruby2_keywords(:use) if respond_to?(:ruby2_keywords, true)
+        # :nocov:
 
         private
 

data/lib/roda/cache.rb

@@ -22,6 +22,13 @@ class Roda
       @mutex.synchronize{@hash[key] = value}
     end
 
+    # Return the frozen internal hash.  The internal hash can then
+    # be accessed directly since it is frozen and there are no
+    # thread safety issues.
+    def freeze
+      @hash.freeze
+    end
+
     private
 
     # Create a copy of the cache with a separate mutex.

data/lib/roda/plugins/assets.rb

@@ -376,7 +376,7 @@ class Roda
 
         if opts[:precompiled] && !opts[:compiled] && ::File.exist?(opts[:precompiled])
           require 'json'
-          opts[:compiled] = (app.opts[:json_parser] || ::JSON.method(:parse)).call(::File.read(opts[:precompiled]))
+          opts[:compiled] = app.send(:_precompiled_asset_metadata, opts[:precompiled])
         end
 
         if opts[:early_hints]
@@ -455,7 +455,7 @@ class Roda
           require 'fileutils'
 
           unless assets_opts[:compiled]
-            opts[:assets] = assets_opts.merge(:compiled => {})
+            opts[:assets] = assets_opts.merge(:compiled => _compiled_assets_initial_hash).freeze
           end
 
           if type == nil
@@ -465,10 +465,12 @@ class Roda
             _compile_assets(type)
           end
 
-          if assets_opts[:precompiled]
+          if precompile_file = assets_opts[:precompiled]
             require 'json'
-            ::FileUtils.mkdir_p(File.dirname(assets_opts[:precompiled]))
-            ::File.open(assets_opts[:precompiled], 'wb'){|f| f.write((opts[:json_serializer] || :to_json.to_proc).call(assets_opts[:compiled]))}
+            ::FileUtils.mkdir_p(File.dirname(precompile_file))
+            tmp_file = "#{precompile_file}.tmp"
+            ::File.open(tmp_file, 'wb'){|f| f.write((opts[:json_serializer] || :to_json.to_proc).call(assets_opts[:compiled]))}
+            ::File.rename(tmp_file, precompile_file)
           end
 
           assets_opts[:compiled]
@@ -476,6 +478,11 @@ class Roda
 
         private
 
+        # The initial hash to use to store compiled asset metadata.
+        def _compiled_assets_initial_hash
+          {}
+        end
+
         # Internals of compile_assets, handling recursive calls for loading
         # all asset groups under the given type.
         def _compile_assets(type)
@@ -493,6 +500,11 @@ class Roda
           end
         end
 
+        # The precompiled asset metadata stored in the given file
+        def _precompiled_asset_metadata(file)
+          (opts[:json_parser] || ::JSON.method(:parse)).call(::File.read(file))
+        end
+
         # Compile each array of files for the given type into a single
         # file.  Dirs should be an array of asset group names, if these
         # are files in an asset group.
@@ -794,23 +806,32 @@ class Roda
         # handled.
         def assets_matchers
           @assets_matchers ||= [:css, :js].map do |t|
-            [t, assets_regexp(t)].freeze if roda_class.assets_opts[t]
+            if regexp = assets_regexp(t)
+              [t, regexp].freeze
+            end
           end.compact.freeze
         end
 
         private
 
+        # A string for the asset filename for the asset type, key, and digest.
+        def _asset_regexp(type, key, digest)
+          "#{key.sub(/\A#{type}/, '')}.#{digest}.#{type}"
+        end
+
         # The regexp matcher to use for the given type.  This handles any asset groups
         # for the asset types.
         def assets_regexp(type)
           o = roda_class.assets_opts
           if compiled = o[:compiled]
-            assets = compiled.select{|k,_| k =~ /\A#{type}/}.map do |k, md|
-              "#{k.sub(/\A#{type}/, '')}.#{md}.#{type}"
-            end
+            assets = compiled.
+              select{|k,_| k =~ /\A#{type}/}.
+              map{|k, md| _asset_regexp(type, k, md)}
+            return if assets.empty?
             /#{o[:"compiled_#{type}_prefix"]}(#{Regexp.union(assets)})/
           else
-            assets = unnest_assets_hash(o[type])
+            return unless assets = o[type]
+            assets = unnest_assets_hash(assets)
             ts = o[:timestamp_paths]
             /#{o[:"#{type}_prefix"]}#{"\\d+#{ts}" if ts}(#{Regexp.union(assets.uniq)})#{o[:"#{type}_suffix"]}/
           end

data/lib/roda/plugins/common_logger.rb

@@ -18,10 +18,11 @@ class Roda
     #   plugin :common_logger
     #   plugin :common_logger, $stdout
     #   plugin :common_logger, Logger.new('filename')
+    #   plugin :common_logger, Logger.new('filename'), method: :debug
     module CommonLogger
-      def self.configure(app, logger=nil)
+      def self.configure(app, logger=nil, opts=OPTS)
         app.opts[:common_logger] = logger || app.opts[:common_logger] || $stderr
-        app.opts[:common_logger_meth] = app.opts[:common_logger].method(logger.respond_to?(:write) ? :write : :<<)
+        app.opts[:common_logger_meth] = app.opts[:common_logger].method(opts.fetch(:method){logger.respond_to?(:write) ? :write : :<<})
       end
 
       if RUBY_VERSION >= '2.1'

data/lib/roda/plugins/custom_matchers.rb

@@ -68,6 +68,8 @@ class Roda
       end
 
       module RequestMethods
+        private
+
         # Try custom matchers before calling super
         def unsupported_matcher(matcher)
           roda_class.opts[:custom_matchers].each do |match_class, meth|

data/lib/roda/plugins/default_headers.rb

@@ -23,30 +23,31 @@ class Roda
     module DefaultHeaders
       # Merge the given headers into the existing default headers, if any.
       def self.configure(app, headers={})
-        headers = app.opts[:default_headers] = (app.default_headers || app::RodaResponse::DEFAULT_HEADERS).merge(headers).freeze
+        app.opts[:default_headers] = (app.default_headers || app::RodaResponse::DEFAULT_HEADERS).merge(headers).freeze
+      end 
+
+      module ClassMethods
+        # The default response headers to use for the current class.
+        def default_headers
+          opts[:default_headers]
+        end
 
-        if headers.all?{|k, v| k.is_a?(String) && v.is_a?(String)}
-          response_class = app::RodaResponse
-          owner = response_class.instance_method(:set_default_headers).owner
-          if owner == Base::ResponseMethods || (owner == response_class && app.opts[:set_default_headers_overridder] == response_class)
-            app.opts[:set_default_headers_overridder] = response_class
-            response_class.class_eval(<<-END, __FILE__, __LINE__+1)
+        # Optimize the response class set_default_headers method if it hasn't been
+        # overridden and all default headers are strings.
+        def freeze
+          if (headers = opts[:default_headers]).all?{|k, v| k.is_a?(String) && v.is_a?(String)} &&
+             (self::RodaResponse.instance_method(:set_default_headers).owner == Base::ResponseMethods)
+            self::RodaResponse.class_eval(<<-END, __FILE__, __LINE__+1)
               private
 
-              alias set_default_headers set_default_headers
               def set_default_headers
                 h = @headers
                 #{headers.map{|k,v| "h[#{k.inspect}] ||= #{v.inspect}"}.join('; ')}
               end
             END
           end
-        end
-      end 
 
-      module ClassMethods
-        # The default response headers to use for the current class.
-        def default_headers
-          opts[:default_headers]
+          super
         end
       end
 

data/lib/roda/plugins/host_authorization.rb

@@ -0,0 +1,156 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The host_authorization plugin allows configuring an authorized host or
+    # an array of authorized hosts.  Then in the routing tree, you can check
+    # whether the request uses an authorized host via the +check_host_authorized!+
+    # method.
+    # 
+    # If the request doesn't match one of the authorized hosts, the
+    # request processing stops at that point. Using this plugin can prevent
+    # DNS rebinding attacks if the application can receive requests for
+    # arbitrary hosts.
+    #
+    # By default, an empty response using status 403 will be returned for requests
+    # with unauthorized hosts.
+    #
+    # Because +check_host_authorized!+ is an instance method, you can easily choose
+    # to only check for authorization in certain routes, or to check it after
+    # other processing.  For example, you could check for authorized hosts after
+    # serving static files, since the serving of static files should not be
+    # vulnerable to DNS rebinding attacks.
+    #
+    # = Usage
+    #
+    # In your routing tree, call the +check_host_authorized!+ method at the point you
+    # want to check for authorized hosts:
+    #
+    #   plugin :host_authorization, 'www.example.com'
+    #   plugin :public
+    #
+    #   route do |r|
+    #    r.public
+    #    check_host_authorized!
+    #
+    #    # ...
+    #   end
+    #
+    # = Specifying authorized hosts
+    #
+    # For applications hosted on a single domain name, you can use a single string:
+    #
+    #   plugin :host_authorization, 'www.example.com'
+    #
+    # For applications hosted on multiple domain names, you can use an array of strings:
+    #
+    #   plugin :host_authorization, %w'www.example.com www.example2.com'
+    #
+    # For applications supporting arbitrary subdomains, you can use a regexp. If using
+    # a regexp, make sure you use <tt>\A<tt> and <tt>\z</tt> in your regexp, and restrict
+    # the allowed characters to the minimum required, otherwise you can potentionally
+    # introduce a security issue:
+    #
+    #   plugin :host_authorization, /\A[-0-9a-f]+\.example\.com\z/
+    #
+    # For applications with more complex requirements, you can use a proc.  Similarly
+    # to the regexp case, the proc should be aware the host contains user-submitted
+    # values, and not assume it is in any particular format:
+    #
+    #   plugin :host_authorization, proc{|host| ExternalService.allowed_host?(host)}
+    #
+    # If an array of values is passed as the host argument, the host is authorized if
+    # it matches any value in the array.  All host authorization checks use the
+    # <tt>===</tt> method, which is why it works for strings, regexps, and procs.
+    # It can also work with arbitrary objects that support <tt>===</tt>.
+    #
+    # For security reasons, only the +Host+ header is checked by default.  If you are
+    # sure that your application is being run behind a forwarding proxy that sets the
+    # <tt>X-Forwarded-Host</tt> header, you should enable support for checking that
+    # header using the +:check_forwarded+ option:
+    # 
+    #   plugin :host_authorization, 'www.example.com', check_forwarded: true
+    #
+    # In this case, the trailing host in the <tt>X-Forwarded-Host</tt> header is checked,
+    # which should be the host set by the forwarding proxy closest to the application.
+    # In cases where multiple forwarding proxies are used that append to the
+    # <tt>X-Forwarded-Host</tt> header, you should not use this plugin.
+    #
+    # = Customizing behavior
+    #
+    # By default, an unauthorized host will receive an empty 403 response.  You can
+    # customize this by passing a block when loading the plugin. For example, for
+    # sites using the render plugin, you could return a page that uses your default
+    # layout:
+    #
+    #   plugin :render
+    #   plugin :host_authorization, 'www.example.com' do |r|
+    #     response.status = 403
+    #     view(:content=>"<h1>Forbidden</h1>")
+    #   end
+    #
+    # The block passed to this plugin is treated as a match block.
+    module HostAuthorization
+      def self.configure(app, host, opts=OPTS, &block)
+        app.opts[:host_authorization_host] = host
+        app.opts[:host_authorization_check_forwarded] = opts[:check_forwarded] if opts.key?(:check_forwarded)
+
+        if block
+          app.define_roda_method(:host_authorization_unauthorized, 1, &block)
+        end
+      end
+
+      module InstanceMethods
+        # Check whether the host is authorized.  If not authorized, return a response
+        # immediately based on the plugin block.
+        def check_host_authorization!
+          r = @_request
+          return if host_authorized?(_convert_host_for_authorization(r.env["HTTP_HOST"].to_s.dup))
+
+          if opts[:host_authorization_check_forwarded] && (host = r.env["HTTP_X_FORWARDED_HOST"])
+            if i = host.rindex(',')
+              host = host[i+1, 10000000].to_s
+            end
+            host = _convert_host_for_authorization(host.strip)
+
+            if !host.empty? && host_authorized?(host)
+              return
+            end
+          end
+
+          r.on do
+            host_authorization_unauthorized(r)
+          end
+        end
+
+        private
+
+        # Remove the port information from the passed string (mutates the passed argument).
+        def _convert_host_for_authorization(host)
+          host.sub!(/:\d+\z/, "")
+          host
+        end
+
+        # Whether the host given is one of the authorized hosts for this application.
+        def host_authorized?(host, authorized_host = opts[:host_authorization_host])
+          case authorized_host
+          when Array
+            authorized_host.any?{|auth_host| host_authorized?(host, auth_host)}
+          else
+            authorized_host === host
+          end
+        end
+
+        # Action to take for unauthorized hosts. Sets a 403 status by default.
+        def host_authorization_unauthorized(_)
+          @_response.status = 403
+          nil
+        end
+      end
+    end
+
+    register_plugin(:host_authorization, HostAuthorization)
+  end
+end
+

data/lib/roda/plugins/precompile_templates.rb

@@ -13,32 +13,33 @@ class Roda
     # all of the child processes can use the same precompiled templates, which
     # saves memory.
     #
-    # After loading the plugin, you can call +precompile_templates+ with
-    # the pattern of templates you would like to precompile:
+    # Another advantage of the precompile_templates plugin is that after
+    # template precompilation, access to the template file in the file system is
+    # no longer needed, so this can be used with security features that do not
+    # allow access to the template files at runtime.
+    #
+    # After loading the plugin, you should call precompile_views with an array
+    # of views to compile, using the same argument you are passing to view or
+    # render:
     #
     #   plugin :precompile_templates
-    #   precompile_templates "views/\*\*/*.erb"
+    #   precompile_views %w'view1 view2'
+    #   
+    # If the view requires local variables, you should call precompile_views with a second
+    # argument for the local variables:
     #
-    # That will precompile all erb template files in the views directory or
-    # any subdirectory.
+    #   plugin :precompile_templates
+    #   precompile_views :view3, [:local_var1, :local_var2]
     #
-    # If the templates use local variables, you need to specify which local
-    # variables to precompile, which should be an array of symbols:
+    # After all templates are precompiled, you can optionally use freeze_template_caches!,
+    # which will freeze the template caches so that any template compilation at runtime
+    # will result in an error.  This also speeds up template cache access, since the
+    # template caches no longer need a mutex.
     #
-    #   precompile_templates 'views/users/_*.erb', locals: [:user]
+    #   freeze_template_caches!
     #
     # Note that you should use Tilt 2.0.1+ if you are using this plugin, so
     # that locals are handled in the same order.
-    #
-    # You can specify other render options when calling +precompile_templates+,
-    # including +:cache_key+, +:template_class+, and +:template_opts+.  If you
-    # are passing any of those options to render/view for the template, you
-    # should pass the same options when precompiling the template.
-    #
-    # To compile inline templates, just pass a single hash containing an :inline
-    # to +precompile_templates+:
-    #
-    #   precompile_templates inline: some_template_string
     module PrecompileTemplates
       # Load the render plugin as precompile_templates depends on it.
       def self.load_dependencies(app, opts=OPTS)
@@ -46,8 +47,49 @@ class Roda
       end
 
       module ClassMethods
-        # Precompile the templates using the given options.  See PrecompileTemplates
-        # for details.
+        # Freeze the template caches.  Should be called after precompiling all templates during
+        # application startup, if you don't want to allow templates to be cached at runtime.
+        # In addition to ensuring that no templates are compiled at runtime, this also speeds
+        # up rendering by freezing the template caches, so that a mutex is not needed to access
+        # them.
+        def freeze_template_caches!
+          _freeze_layout_method
+
+          opts[:render] = render_opts.merge(
+            :cache=>render_opts[:cache].freeze,
+            :template_method_cache=>render_opts[:template_method_cache].freeze,
+          ).freeze
+          self::RodaCompiledTemplates.freeze
+
+          nil
+        end
+
+        # Precompile the templates using the given options.  Note that this doesn't
+        # handle optimized template methods supported in newer versions of Roda, but
+        # there are still cases where makes sense to use it.
+        #
+        # You can call +precompile_templates+ with the pattern of templates you would
+        # like to precompile:
+        #
+        #   precompile_templates "views/**/*.erb"
+        #
+        # That will precompile all erb template files in the views directory or
+        # any subdirectory.
+        #
+        # If the templates use local variables, you need to specify which local
+        # variables to precompile, which should be an array of symbols:
+        #
+        #   precompile_templates 'views/users/_*.erb', locals: [:user]
+        #
+        # You can specify other render options when calling +precompile_templates+,
+        # including +:cache_key+, +:template_class+, and +:template_opts+.  If you
+        # are passing any of those options to render/view for the template, you
+        # should pass the same options when precompiling the template.
+        #
+        # To compile inline templates, just pass a single hash containing an :inline
+        # to +precompile_templates+:
+        #
+        #   precompile_templates inline: some_template_string
         def precompile_templates(pattern, opts=OPTS)
           if pattern.is_a?(Hash)
             opts = pattern.merge(opts)
@@ -68,7 +110,40 @@ class Roda
           instance = allocate
           compile_opts.each do |compile_opt|
             template = instance.send(:retrieve_template, compile_opt)
-            Render.tilt_template_compiled_method(template, locals, self)
+            begin
+              Render.tilt_template_compiled_method(template, locals, self)
+            rescue NotImplementedError
+              # When freezing template caches, you may want to precompile a template for a
+              # template type that doesn't support template precompilation, just to populate
+              # the cache.  Tilt rescues NotImplementedError in this case, which we can ignore.
+              nil
+            end
+          end
+
+          nil
+        end
+
+        # Precompile the given views with the given locals, handling optimized template methods.
+        def precompile_views(views, locals=EMPTY_ARRAY)
+          instance = allocate
+          views = Array(views)
+
+          if locals.empty?
+            opts = OPTS
+          else
+            locals_hash = {}
+            locals.each{|k| locals_hash[k] = nil}
+            opts = {:locals=>locals_hash}
+          end
+
+          views.each do |view|
+            instance.send(:retrieve_template, instance.send(:render_template_opts, view, opts))
+          end
+
+          if locals_hash
+            views.each do |view|
+              instance.send(:_optimized_render_method_for_locals, view, locals_hash)
+            end
           end
 
           nil

data/lib/roda/plugins/recheck_precompiled_assets.rb

@@ -0,0 +1,107 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The recheck_precompiled_assets plugin enables checking for the precompiled asset metadata file.
+    # You need to have already loaded the assets plugin with the +:precompiled+ option and the file
+    # specified by the +:precompiled+ option must already exist in order to use the
+    # recheck_precompiled_assets plugin.
+    #
+    # Any time you want to check whether the precompiled asset metadata file has changed and should be
+    # reloaded, you can call the +recheck_precompiled_assets+ class method.  This method will check
+    # whether the file has changed, and reload it if it has.  If you want to check for modifications on
+    # every request, you can use +self.class.recheck_precompiled_assets+ inside your route block.
+    module RecheckPrecompiledAssets
+      # Thread safe wrapper for the compiled asset metadata hash.  Does not wrap all
+      # hash methods, only a few that are used.
+      class CompiledAssetsHash
+        include Enumerable
+
+        def initialize
+          @hash = {}
+          @mutex = Mutex.new
+        end
+
+        def [](key)
+          @mutex.synchronize{@hash[key]}
+        end
+
+        def []=(key, value)
+          @mutex.synchronize{@hash[key] = value}
+        end
+
+        def replace(hash)
+          hash = hash.instance_variable_get(:@hash) if (CompiledAssetsHash === hash)
+          @mutex.synchronize{@hash.replace(hash)}
+          self
+        end
+
+        def each(&block)
+          @mutex.synchronize{@hash.dup}.each(&block)
+          self
+        end
+
+        def to_json(*args)
+          @mutex.synchronize{@hash.dup}.to_json(*args)
+        end
+      end
+
+      def self.load_dependencies(app)
+        unless app.respond_to?(:assets_opts) && app.assets_opts[:precompiled]
+          raise RodaError, "must load assets plugin with precompiled option before loading recheck_precompiled_assets plugin"
+        end
+      end
+
+      def self.configure(app)
+        precompiled_file = app.assets_opts[:precompiled]
+        prev_mtime = ::File.mtime(precompiled_file)
+        app.instance_exec do
+          opts[:assets] = opts[:assets].merge(:compiled=>_compiled_assets_initial_hash.replace(assets_opts[:compiled])).freeze
+
+          define_singleton_method(:recheck_precompiled_assets) do
+            new_mtime = ::File.mtime(precompiled_file)
+            if new_mtime != prev_mtime
+              prev_mtime = new_mtime
+              assets_opts[:compiled].replace(_precompiled_asset_metadata(precompiled_file))
+
+              # Unset the cached asset matchers, so new ones will be generated.
+              # This is needed in case the new precompiled metadata uses
+              # different files.
+              app::RodaRequest.instance_variable_set(:@assets_matchers, nil)
+            end
+          end
+          singleton_class.send(:alias_method, :recheck_precompiled_assets, :recheck_precompiled_assets)
+        end
+      end
+
+      module ClassMethods
+        private
+
+        # Wrap the precompiled asset metadata in a thread-safe hash.
+        def _precompiled_asset_metadata(file)
+          CompiledAssetsHash.new.replace(super)
+        end
+
+        # Use a thread-safe wrapper of a hash for the :compiled assets option, since
+        # the recheck_precompiled_asset_metadata can modify it at runtime.
+        def _compiled_assets_initial_hash
+          CompiledAssetsHash.new
+        end
+      end
+
+      module RequestClassMethods
+        private
+
+        # Use a regexp that matches any digest.  When the precompiled asset metadata
+        # file is updated, this allows requests for a previous precompiled asset to
+        # still work.
+        def _asset_regexp(type, key, _)
+          /#{Regexp.escape(key.sub(/\A#{type}/, ''))}\.[0-9a-fA-F]+\.#{type}/
+        end
+      end
+    end
+
+    register_plugin(:recheck_precompiled_assets, RecheckPrecompiledAssets)
+  end
+end

data/lib/roda/plugins/render.rb

@@ -183,6 +183,7 @@ class Roda
           app.const_set(:RodaCompiledTemplates, compiled_templates_module)
         end
         opts[:template_method_cache] = orig_method_cache || (opts[:cache_class] || RodaCache).new
+        opts[:template_method_cache][:_roda_layout] = nil if opts[:template_method_cache][:_roda_layout]
         opts[:cache] = orig_cache || (opts[:cache_class] || RodaCache).new
 
         opts[:layout_opts] = (opts[:layout_opts] || {}).dup
@@ -333,6 +334,25 @@ class Roda
       end
 
       module ClassMethods
+        # :nocov:
+        if COMPILED_METHOD_SUPPORT
+        # :nocov:
+          # If using compiled methods and there is an optimized layout, speed up
+          # access to the layout method to improve the performance of view.
+          def freeze
+            begin
+              _freeze_layout_method
+            rescue
+              # This is only for optimization, if any errors occur, they can be ignored.
+              # One possibility for error is the app doesn't use a layout, but doesn't
+              # specifically set the :layout=>false plugin option.
+              nil
+            end
+
+            super
+          end
+        end
+
         # Copy the rendering options into the subclass, duping
         # them as necessary to prevent changes in the subclass
         # affecting the parent class.
@@ -352,6 +372,29 @@ class Roda
         def render_opts
           opts[:render]
         end
+
+        private
+
+        # Precompile the layout method, to reduce method calls to look it up at runtime.
+        def _freeze_layout_method
+          if render_opts[:layout]
+            instance = allocate
+            instance.send(:retrieve_template, instance.send(:view_layout_opts, OPTS))
+
+            # :nocov:
+            if COMPILED_METHOD_SUPPORT
+            # :nocov:
+              if (layout_template = render_opts[:optimize_layout]) && !opts[:render][:optimized_layout_method_created]
+                instance.send(:retrieve_template, :template=>layout_template, :cache_key=>nil, :template_method_cache_key => :_roda_layout)
+                layout_method = opts[:render][:template_method_cache][:_roda_layout]
+                define_method(:_layout_method){layout_method}
+                private :_layout_method
+                alias_method(:_layout_method, :_layout_method)
+                opts[:render] = opts[:render].merge(:optimized_layout_method_created=>true)
+              end
+            end
+          end
+        end
       end
 
       module InstanceMethods
@@ -375,19 +418,21 @@ class Roda
         # Render the given template.  If there is a default layout
         # for the class, take the result of the template rendering
         # and render it inside the layout.  See Render for details.
-        def view(template, opts = (optimized_template = _cached_template_method(template); OPTS))
-          if optimized_template
-            content = send(optimized_template, OPTS)
-
-            render_opts = self.class.opts[:render]
-            if layout_template = render_opts[:optimize_layout]
-              method_cache = render_opts[:template_method_cache]
-              unless layout_method = method_cache[:_roda_layout]
-                retrieve_template(:template=>layout_template, :cache_key=>nil, :template_method_cache_key => :_roda_layout)
-                layout_method = method_cache[:_roda_layout]
-              end
+        def view(template, opts = (content = _optimized_view_content(template); OPTS))
+          if content
+            # First, check if the optimized layout method has already been created,
+            # and use it if so.  This way avoids the extra conditional and local variable
+            # assignments in the next section.
+            if layout_method = _layout_method
+              return send(layout_method, OPTS){content}
+            end
 
-              if layout_method
+            # If we have an optimized template method but no optimized layout method, create the
+            # optimized layout method if possible and use it.  If you can't create the optimized
+            # layout method, fall through to the slower approach.
+            if layout_template = self.class.opts[:render][:optimize_layout]
+              retrieve_template(:template=>layout_template, :cache_key=>nil, :template_method_cache_key => :_roda_layout)
+              if layout_method = _layout_method
                 return send(layout_method, OPTS){content}
               end
             end
@@ -428,6 +473,11 @@ class Roda
             method_cache[template]
           end
 
+          # Return a symbol containing the optimized layout method
+          def _layout_method
+            self.class.opts[:render][:template_method_cache][:_roda_layout]
+          end
+
           # Use an optimized render path for templates with a hash of locals.  Returns the result
           # of the template render if the optimized path is used, or nil if the optimized
           # path is not used and the long method needs to be used.
@@ -469,19 +519,37 @@ class Roda
               end
             end
           end
+
+          # Get the content for #view, or return nil to use the unoptimized approach. Only called if
+          # a single argument is passed to view.
+          def _optimized_view_content(template)
+            if optimized_template = _cached_template_method(template)
+              send(optimized_template, OPTS)
+            elsif template.is_a?(Hash) && template.length == 1
+              template[:content]
+            end
+          end
         else
           # :nocov:
-          def _cached_template_method(template)
+          def _cached_template_method(_)
             nil
           end
 
-          def _cached_template_method_key(template)
+          def _cached_template_method_key(_)
+            nil
+          end
+
+          def _layout_method
             nil
           end
 
           def _optimized_render_method_for_locals(_, _)
             nil
           end
+
+          def _optimized_view_content(template)
+            nil
+          end
           # :nocov:
         end
 

data/lib/roda/plugins/render_locals.rb

@@ -51,6 +51,10 @@ class Roda
           def _cached_template_method(template)
             nil
           end
+
+          def _optimized_view_content(template)
+            nil
+          end
         end
 
         def render_locals

data/lib/roda/version.rb

@@ -4,11 +4,11 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 39
+  RodaMinorVersion = 43
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.
-  RodaPatchVersion = 0
+  RodaPatchVersion = 1
 
   # The full version of Roda as a string.
   RodaVersion = "#{RodaMajorVersion}.#{RodaMinorVersion}.#{RodaPatchVersion}".freeze

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.39.0
+  version: 3.43.1
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-12-15 00:00:00.000000000 Z
+date: 2021-04-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -174,16 +174,8 @@ extra_rdoc_files:
 - MIT-LICENSE
 - CHANGELOG
 - doc/conventions.rdoc
-- doc/release_notes/3.7.0.txt
 - doc/release_notes/3.0.0.txt
 - doc/release_notes/3.1.0.txt
-- doc/release_notes/3.2.0.txt
-- doc/release_notes/3.3.0.txt
-- doc/release_notes/3.4.0.txt
-- doc/release_notes/3.5.0.txt
-- doc/release_notes/3.6.0.txt
-- doc/release_notes/3.8.0.txt
-- doc/release_notes/3.9.0.txt
 - doc/release_notes/3.10.0.txt
 - doc/release_notes/3.11.0.txt
 - doc/release_notes/3.12.0.txt
@@ -195,6 +187,7 @@ extra_rdoc_files:
 - doc/release_notes/3.17.0.txt
 - doc/release_notes/3.18.0.txt
 - doc/release_notes/3.19.0.txt
+- doc/release_notes/3.2.0.txt
 - doc/release_notes/3.20.0.txt
 - doc/release_notes/3.21.0.txt
 - doc/release_notes/3.22.0.txt
@@ -205,6 +198,7 @@ extra_rdoc_files:
 - doc/release_notes/3.27.0.txt
 - doc/release_notes/3.28.0.txt
 - doc/release_notes/3.29.0.txt
+- doc/release_notes/3.3.0.txt
 - doc/release_notes/3.30.0.txt
 - doc/release_notes/3.31.0.txt
 - doc/release_notes/3.32.0.txt
@@ -215,6 +209,16 @@ extra_rdoc_files:
 - doc/release_notes/3.37.0.txt
 - doc/release_notes/3.38.0.txt
 - doc/release_notes/3.39.0.txt
+- doc/release_notes/3.4.0.txt
+- doc/release_notes/3.40.0.txt
+- doc/release_notes/3.41.0.txt
+- doc/release_notes/3.42.0.txt
+- doc/release_notes/3.43.0.txt
+- doc/release_notes/3.5.0.txt
+- doc/release_notes/3.6.0.txt
+- doc/release_notes/3.7.0.txt
+- doc/release_notes/3.8.0.txt
+- doc/release_notes/3.9.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -256,6 +260,10 @@ files:
 - doc/release_notes/3.38.0.txt
 - doc/release_notes/3.39.0.txt
 - doc/release_notes/3.4.0.txt
+- doc/release_notes/3.40.0.txt
+- doc/release_notes/3.41.0.txt
+- doc/release_notes/3.42.0.txt
+- doc/release_notes/3.43.0.txt
 - doc/release_notes/3.5.0.txt
 - doc/release_notes/3.6.0.txt
 - doc/release_notes/3.7.0.txt
@@ -306,6 +314,7 @@ files:
 - lib/roda/plugins/header_matchers.rb
 - lib/roda/plugins/heartbeat.rb
 - lib/roda/plugins/hooks.rb
+- lib/roda/plugins/host_authorization.rb
 - lib/roda/plugins/indifferent_params.rb
 - lib/roda/plugins/json.rb
 - lib/roda/plugins/json_parser.rb
@@ -337,6 +346,7 @@ files:
 - lib/roda/plugins/precompile_templates.rb
 - lib/roda/plugins/public.rb
 - lib/roda/plugins/r.rb
+- lib/roda/plugins/recheck_precompiled_assets.rb
 - lib/roda/plugins/relative_path.rb
 - lib/roda/plugins/render.rb
 - lib/roda/plugins/render_each.rb
@@ -394,7 +404,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
+rubygems_version: 3.2.15
 signing_key: 
 specification_version: 4
 summary: Routing tree web toolkit