roda 3.71.0 → 3.73.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d5460d6cecb4f9b9acfedd05f5b14793bb9aefa2df2a8c29c559da319df87ee4
-  data.tar.gz: 75c3c8803abef4e27cac592a88597e8f9cd098be39bf1d0c1b1192175fd1f8e2
+  metadata.gz: 7a47f703af806a15f523b99b38d084520bada92f23196374d6d9781d5953faa8
+  data.tar.gz: 4612153820b89e6dbcfa2370c04269666c49277d8f11256869f6c1f0bb0b571a
 SHA512:
-  metadata.gz: 6efc49bb205012a7ce50bc3c300d924a149de33416a35870f11efed492251c331804b970c967e47a481b0ddb0a83507c5926c1dc32069941b4edd2bd56df09e5
-  data.tar.gz: 698b7e7daae4cd0712a20a1e3e274f7ba3cdb9068eefdeb3bb5f043f2d437cdd5dda961ce91d88794e22a8ca3ef5825e3f8bd3f92ff933eab772c352dd17c2ee
+  metadata.gz: bdc42cdc9540750195327dac290e3f0bb08c3ed0100b610441b644c85849e7e9f9f974013cea041cdf640f590e2027996d68b62eea9c31d41bd42a57df6530bb
+  data.tar.gz: 3ab05db704cf45803ad706e78b558ea7798d8d9782a06c7dec79814a4d862582249e5554946c59fff88e1f1d2d360e242268c593a8c9c95fe87b5489e4a4a44c

data/CHANGELOG

@@ -1,3 +1,17 @@
+= 3.73.0 (2023-10-13)
+
+* Support :next_if_not_found option for middleware plugin (jeremyevans) (#334)
+
+* Remove dependency on base64 library from sessions and route_csrf plugin, as it will not be part of the standard library in Ruby 3.4+ (jeremyevans)
+
+= 3.72.0 (2023-09-12)
+
+* Add invalid_request_body plugin for custom handling of invalid request bodies (jeremyevans)
+
+* Warn when defining method that expects 1 argument when block requires multiple arguments when :check_arity option is set to :warn (jeremyevans)
+
+* Implement the match_hooks plugin using the match_hook_args plugin (jeremyevans)
+
 = 3.71.0 (2023-08-14)
 
 * Add match_hook_args plugin, similar to match_hooks but support matchers and block args as hook arguments (jeremyevans)

data/doc/release_notes/3.72.0.txt

@@ -0,0 +1,48 @@
+= New Features
+
+* An invalid_request_body plugin has been added for allowing custom
+  handling of invalid request bodies.  Roda uses Rack's request body
+  parsing, and by default invalid request bodies can result in
+  different exceptions based on how the body is invalid and which
+  version of Rack is in use.
+
+  If you want to treat an invalid request body as the submission of
+  no parameters, you can use the :empty_hash argument when loading
+  the plugin:
+
+    plugin :invalid_request_body, :empty_hash
+
+  If you want to return a empty 400 (Bad Request) response if an
+  invalid request body is submitted, you can use the :empty_400
+  argument when loading the plugin:
+
+    plugin :invalid_request_body, :empty_400
+
+  If you want to raise a Roda::RodaPlugins::InvalidRequestBody::Error
+  exception if an invalid request body is submitted (which makes it
+  easier to handle these exceptions when using the error_handler
+  plugin), you can use the :raise argument when loading the plugin:
+
+    plugin :invalid_request_body, :raise
+
+  For custom behavior, you can pass a block when loading the plugin
+  The block is called with the exception Rack raised when parsing the
+  body. The block will be used to define a method in the application's
+  RodaRequest class.  It can either return a hash of parameters, or
+  you can raise a different exception, or you can halt processing and
+  return a response:
+
+    plugin :invalid_request_body do |exception|
+      # To treat the exception raised as a submitted parameter
+      {body_error: exception}
+    end
+
+= Other Improvements
+
+* When using the check_arity: :warn Roda option, Roda now correctly
+  warns when defining a method that expects a single argument when
+  the provided block requires multiple arguments.
+
+* The match_hooks plugin is now implemented using the match_hook_args
+  plugin, simplifying the implementation.  This change should be
+  transparent unless you were reaching into the internals.

data/doc/release_notes/3.73.0.txt

@@ -0,0 +1,33 @@
+= New Features
+
+* The middleware plugin now accepts a :next_if_not_found option.
+  This allows the middleware plugin to pass the request to the next
+  application if the current application handles the request but
+  ends up calling the not_found handler.  With the following
+  middleware:
+
+    class Mid < Roda
+      plugin :middleware
+
+      route do |r|
+        r.on "foo" do
+          r.get "bar" do
+            'bar'
+          end
+        end
+      end
+    end
+
+  Requests for /x would be forwarded to the next application, since
+  the application doesn't handle the request, but requests for /foo/x
+  would not be, because the middleware is partially handling the
+  request in the r.on "foo" block.  With the :next_if_not_found
+  option, only requests for /foo/bar would be handled by the
+  middleware, and all other requests would be forwarded to the next
+  application.
+
+= Other Improvements
+
+* The sessions and route_csrf plugins no longer depend on the base64
+  library. base64 will be removed from Ruby's standard library
+  starting in Ruby 3.4.

data/lib/roda/plugins/_base64.rb

@@ -0,0 +1,34 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    module Base64_
+      class << self
+        if RUBY_VERSION >= '2.4'
+          def decode64(str)
+            str.unpack1("m0")
+          end
+        # :nocov:
+        else
+          def decode64(str)
+            str.unpack("m0")[0]
+          end
+        # :nocov:
+        end
+
+        def urlsafe_encode64(bin)
+          str = [bin].pack("m0")
+          str.tr!("+/", "-_")
+          str
+        end
+
+        def urlsafe_decode64(str)
+          decode64(str.tr("-_", "+/"))
+        end
+      end
+    end
+
+    register_plugin(:_base64, Base64_)
+  end
+end

data/lib/roda/plugins/exception_page.rb

@@ -411,7 +411,7 @@ END
 
         private
 
-        if RUBY_VERSION >= '3.2'
+        if Exception.method_defined?(:detailed_message)
           def exception_page_exception_message(exception)
             exception.detailed_message(highlight: false).to_s
           end

data/lib/roda/plugins/invalid_request_body.rb

@@ -0,0 +1,107 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The invalid_request_body plugin allows for custom handling of invalid request
+    # bodies.  Roda uses Rack for parsing request bodies, so by default, any
+    # invalid request bodies would result in Rack raising an exception, and the
+    # exception could change for different reasons the request body is invalid.
+    # This plugin overrides RodaRequest#POST (which parses parameters from request
+    # bodies), and if parsing raises an exception, it allows for custom behavior.
+    # 
+    # If you want to treat an invalid request body as the submission of no parameters,
+    # you can use the :empty_hash argument when loading the plugin:
+    #
+    #   plugin :invalid_request_body, :empty_hash
+    #
+    # If you want to return a empty 400 (Bad Request) response if an invalid request
+    # body is submitted, you can use the :empty_400 argument when loading the plugin:
+    #
+    #   plugin :invalid_request_body, :empty_400
+    #
+    # If you want to raise a Roda::RodaPlugins::InvalidRequestBody::Error exception
+    # if an invalid request body is submitted (which makes it easier to handle these
+    # exceptions when using the error_handler plugin), you can use the :raise argument
+    # when loading the plugin:
+    #
+    #   plugin :invalid_request_body, :raise
+    #
+    # For custom behavior, you can pass a block when loading the plugin.  The block
+    # is called with the exception Rack raised when parsing the body. The block will
+    # be used to define a method in the application's RodaRequest class.  It can either
+    # return a hash of parameters, or you can raise a different exception, or you
+    # can halt processing and return a response:
+    #
+    #   plugin :invalid_request_body do |exception|
+    #     # To treat the exception raised as a submitted parameter
+    #     {body_error: exception}
+    #   end
+    module InvalidRequestBody
+      # Exception class raised for invalid request bodies.
+      Error = Class.new(RodaError)
+
+      # Set the action to use (:empty_400, :empty_hash, :raise) for invalid request bodies,
+      # or use a block for custom behavior.
+      def self.configure(app, action=nil, &block)
+        if action
+          if block
+            raise RodaError, "cannot provide both block and action when loading invalid_request_body plugin"
+          end
+
+          method = :"handle_invalid_request_body_#{action}"
+          unless RequestMethods.private_method_defined?(method)
+            raise RodaError, "invalid invalid_request_body action provided: #{action}"
+          end
+
+          app::RodaRequest.send(:alias_method, :handle_invalid_request_body, method)
+        elsif block
+          app::RodaRequest.class_eval do
+            define_method(:handle_invalid_request_body, &block)
+            alias handle_invalid_request_body handle_invalid_request_body
+          end
+        else
+          raise RodaError, "must provide block or action when loading invalid_request_body plugin"
+        end
+
+        app::RodaRequest.send(:private, :handle_invalid_request_body)
+      end
+
+      module RequestMethods
+        # Handle invalid request bodies as configured if the default behavior
+        # raises an exception.
+        def POST
+          super
+        rescue => e 
+          handle_invalid_request_body(e)
+        end
+
+        private
+
+        # Return an empty 400 HTTP response for invalid request bodies.
+        def handle_invalid_request_body_empty_400(e)
+          response.status = 400
+          headers = response.headers
+          headers.clear
+          headers[RodaResponseHeaders::CONTENT_TYPE] = 'text/html'
+          headers[RodaResponseHeaders::CONTENT_LENGTH] ='0'
+          throw :halt, response.finish_with_body([])
+        end
+
+        # Treat invalid request bodies by using an empty hash as the
+        # POST params.
+        def handle_invalid_request_body_empty_hash(e)
+          {}
+        end
+
+        # Raise a specific error for all invalid request bodies,
+        # to allow for easy rescuing using the error_handler plugin.
+        def handle_invalid_request_body_raise(e)
+          raise Error, e.message
+        end
+      end
+    end
+
+    register_plugin(:invalid_request_body, InvalidRequestBody)
+  end
+end

data/lib/roda/plugins/match_hook.rb

@@ -6,7 +6,8 @@ class Roda
     # The match_hook plugin adds hooks that are called upon a successful match
     # by any of the matchers.  The hooks do not take any arguments.  If you would
     # like hooks that pass the arguments/matchers and values yielded to the route block,
-    # use the match_hook_args plugin.
+    # use the match_hook_args plugin. This uses the match_hook_args plugin internally,
+    # but doesn't pass the matchers and values yielded.
     #
     #   plugin :match_hook
     #
@@ -14,56 +15,18 @@ class Roda
     #     logger.debug("#{request.matched_path} matched. #{request.remaining_path} remaining.")
     #   end
     module MatchHook
-      def self.configure(app)
-        app.opts[:match_hooks] ||= []
+      def self.load_dependencies(app)
+        app.plugin :match_hook_args
       end
 
       module ClassMethods
-        # Freeze the array of hook methods when freezing the app
-        def freeze
-          opts[:match_hooks].freeze
-          super
-        end
-
         # Add a match hook.
         def match_hook(&block)
-          opts[:match_hooks] << define_roda_method("match_hook", 0, &block)
-
-          if opts[:match_hooks].length == 1
-            class_eval("alias _match_hook #{opts[:match_hooks].first}", __FILE__, __LINE__)
-          else
-            class_eval("def _match_hook; #{opts[:match_hooks].join(';')} end", __FILE__, __LINE__)
-          end
-
-          public :_match_hook
-
+          meth = define_roda_method("match_hook", 0, &block)
+          add_match_hook{|_,_| send(meth)}
           nil
         end
       end
-
-      module InstanceMethods
-        # Default empty method if no match hooks are defined.
-        def _match_hook
-        end
-      end
-
-      module RequestMethods
-        private
-
-        # Call the match hook if yielding to the block before yielding to the block.
-        def if_match(_)
-          super do |*a|
-            scope._match_hook
-            yield(*a)
-          end
-        end
-
-        # Call the match hook before yielding to the block
-        def always
-          scope._match_hook
-          super
-        end
-      end
     end
 
     register_plugin :match_hook, MatchHook

data/lib/roda/plugins/middleware.rb

@@ -33,6 +33,43 @@ class Roda
     #
     #   run App
     #
+    # By default, when the app is used as middleware and handles the request at
+    # all, it does not forward the request to the next middleware.  For the
+    # following setup:
+    #
+    #   class Mid < Roda
+    #     plugin :middleware
+    #
+    #     route do |r|
+    #       r.on "foo" do
+    #         r.is "mid" do
+    #           "Mid"
+    #         end
+    #       end
+    #     end
+    #   end
+    #
+    #   class App < Roda
+    #     use Mid
+    #
+    #     route do |r|
+    #       r.on "foo" do
+    #         r.is "app" do
+    #           "App"
+    #         end
+    #       end
+    #     end
+    #   end
+    #
+    #   run App
+    #
+    # Requests for +/foo/mid will+ return +Mid+, but requests for +/foo/app+
+    # will return an empty 404 response, because the middleware handles the
+    # +/foo/app+ request in the <tt>r.on "foo" do</tt> block, but does not
+    # have the block return a result, which Roda treats as an empty 404 response.
+    # If you would like the middleware to forward +/foo/app+ request to the
+    # application, you should use the +:next_if_not_found+ plugin option.
+    #
     # It is possible to use the Roda app as a regular app even when using
     # the middleware plugin.  Using an app as middleware automatically creates
     # a subclass of the app for the middleware.  Because a subclass is automatically
@@ -64,6 +101,9 @@ class Roda
     #   # Request to App for /mid returns
     #   # "foo bar baz"
     module Middleware
+      NEXT_PROC = lambda{throw :next, true}
+      private_constant :NEXT_PROC
+
       # Configure the middleware plugin.  Options:
       # :env_var :: Set the environment variable to use to indicate to the roda
       #             application that the current request is a middleware request.
@@ -77,12 +117,15 @@ class Roda
       #                              the middleware's route block should be applied to the
       #                              final response when the request is forwarded to the app.
       #                              Defaults to false.
+      # :next_if_not_found :: If the middleware handles the request but returns a not found
+      #                       result (404 with no body), forward the result to the next middleware.
       def self.configure(app, opts={}, &block)
         app.opts[:middleware_env_var] = opts[:env_var] if opts.has_key?(:env_var)
         app.opts[:middleware_env_var] ||= 'roda.forward_next'
         app.opts[:middleware_configure] = block if block
         app.opts[:middleware_handle_result] = opts[:handle_result]
         app.opts[:middleware_forward_response_headers] = opts[:forward_response_headers]
+        app.opts[:middleware_next_if_not_found] = opts[:next_if_not_found]
       end
 
       # Forwarder instances are what is actually used as middleware.
@@ -91,6 +134,9 @@ class Roda
         # and store +app+ as the next middleware to call.
         def initialize(mid, app, *args, &block)
           @mid = Class.new(mid)
+          if @mid.opts[:middleware_next_if_not_found]
+            @mid.plugin(:not_found, &NEXT_PROC)
+          end
           if configure = @mid.opts[:middleware_configure]
             configure.call(@mid, *args, &block)
           elsif block || !args.empty?

data/lib/roda/plugins/route_csrf.rb

@@ -1,6 +1,5 @@
 # frozen-string-literal: true
 
-require 'base64'
 require 'openssl'
 require 'securerandom'
 require 'uri'
@@ -163,6 +162,10 @@ class Roda
       # a valid CSRF token was not provided.
       class InvalidToken < RodaError; end
 
+      def self.load_dependencies(app, opts=OPTS)
+        app.plugin :_base64
+      end
+
       def self.configure(app, opts=OPTS, &block)
         options = app.opts[:route_csrf] = (app.opts[:route_csrf] || DEFAULTS).merge(opts)
         if block || opts[:csrf_failure].is_a?(Proc)
@@ -260,7 +263,7 @@ class Roda
         def csrf_token(path=nil, method=('POST' if path))
           token = SecureRandom.random_bytes(31)
           token << csrf_hmac(token, method, path)
-          Base64.strict_encode64(token)
+          [token].pack("m0")
         end
 
         # Whether request-specific CSRF tokens should be used by default.
@@ -314,7 +317,7 @@ class Roda
           end
 
           begin
-            submitted_hmac = Base64.strict_decode64(encoded_token)
+            submitted_hmac = Base64_.decode64(encoded_token)
           rescue ArgumentError
             return "encoded token is not valid base64"
           end
@@ -354,7 +357,7 @@ class Roda
         # JSON is used for session serialization).
         def csrf_secret
           key = session[csrf_options[:key]] ||= SecureRandom.base64(32)
-          Base64.strict_decode64(key)
+          Base64_.decode64(key)
         end
       end
     end

data/lib/roda/plugins/sessions.rb

@@ -10,7 +10,6 @@ rescue OpenSSL::Cipher::CipherError
   # :nocov:
 end
 
-require 'base64'
 require 'json'
 require 'securerandom'
 require 'zlib'
@@ -171,6 +170,10 @@ class Roda
         [cipher_secret.freeze, hmac_secret.freeze]
       end
 
+      def self.load_dependencies(app, opts=OPTS)
+        app.plugin :_base64
+      end
+
       # Configure the plugin, see Sessions for details on options.
       def self.configure(app, opts=OPTS)
         opts = (app.opts[:sessions] || DEFAULT_OPTIONS).merge(opts)
@@ -344,7 +347,7 @@ class Roda
           opts = roda_class.opts[:sessions]
 
           begin
-            data = Base64.urlsafe_decode64(data)
+            data = Base64_.urlsafe_decode64(data)
           rescue ArgumentError
             return _session_serialization_error("Unable to decode session: invalid base64")
           end
@@ -493,7 +496,7 @@ class Roda
           data << encrypted_data
           data << OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, opts[:hmac_secret], data+opts[:key])
 
-          data = Base64.urlsafe_encode64(data)
+          data = Base64_.urlsafe_encode64(data)
 
           if data.bytesize >= 4096
             raise CookieTooLarge, "attempted to create cookie larger than 4096 bytes"

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 71
+  RodaMinorVersion = 73
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

data/lib/roda.rb

@@ -88,6 +88,7 @@ class Roda
           end
           call_meth = meth
 
+          # RODA4: Switch to false # :warn in last Roda 3 version
           if (check_arity = opts.fetch(:check_arity, true)) && !block.lambda?
             required_args, optional_args, rest, keyword = _define_roda_method_arg_numbers(block)
 
@@ -117,6 +118,9 @@ class Roda
                 alias_method meth, meth
                 meth = :"#{meth}_arity"
               elsif required_args > 1
+                if check_arity == :warn
+                  RodaPlugins.warn "Arity mismatch in block passed to define_roda_method. Expected Arity 1, but multiple arguments required for #{block.inspect}"
+                end
                 b = block
                 block = lambda{|r| instance_exec(r, &b)} # Fallback
               end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.71.0
+  version: 3.73.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-08-14 00:00:00.000000000 Z
+date: 2023-10-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -245,6 +245,8 @@ extra_rdoc_files:
 - doc/release_notes/3.7.0.txt
 - doc/release_notes/3.70.0.txt
 - doc/release_notes/3.71.0.txt
+- doc/release_notes/3.72.0.txt
+- doc/release_notes/3.73.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 files:
@@ -323,6 +325,8 @@ files:
 - doc/release_notes/3.7.0.txt
 - doc/release_notes/3.70.0.txt
 - doc/release_notes/3.71.0.txt
+- doc/release_notes/3.72.0.txt
+- doc/release_notes/3.73.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 - lib/roda.rb
@@ -330,6 +334,7 @@ files:
 - lib/roda/plugins.rb
 - lib/roda/plugins/Integer_matcher_max.rb
 - lib/roda/plugins/_after_hook.rb
+- lib/roda/plugins/_base64.rb
 - lib/roda/plugins/_before_hook.rb
 - lib/roda/plugins/_optimized_matching.rb
 - lib/roda/plugins/_symbol_regexp_matchers.rb
@@ -386,6 +391,7 @@ files:
 - lib/roda/plugins/host_authorization.rb
 - lib/roda/plugins/indifferent_params.rb
 - lib/roda/plugins/inject_erb.rb
+- lib/roda/plugins/invalid_request_body.rb
 - lib/roda/plugins/json.rb
 - lib/roda/plugins/json_parser.rb
 - lib/roda/plugins/link_to.rb