roda 3.72.0 → 3.74.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d5c28e38d35f59176f159798f68d82bbd30df62a5907ace3a3750b1daf7b4fe6
-  data.tar.gz: cb5fd8d5a9d665bc820c55ccbf1fd6a068873ae3e265a1f877bbdf82b51c4d6e
+  metadata.gz: ae3f95331c6c3d69453feb96a7dbd3629a6d5f52bd9d1862edecab893d95a36f
+  data.tar.gz: c5457f54b2ca5a9971f93a23db10abe3b6fd16a743e2651749ec14c480c248a3
 SHA512:
-  metadata.gz: d8710537511b8f332c443fd41bd279c99de53c0bc9618cd92f763ab7d354f70c4496ba9eafa076438087b5ab52f36e69f649aa00d2fb6f07d5315b7d61aef4a1
-  data.tar.gz: e0af216b465facc81e81ab8a495d472685c26aa6b2c1d56c0e48631586555f78f4d5922ac5ee92c6118a08b8162ee35866dc5708155bdbed70d5851b2ff8339b
+  metadata.gz: f314713b33ec4400e5ef8849c6a3e30f1b5956b428dea55a5bf45855fef4a965f9b417063182cc4412effa592a7d311715cf4541826781675ca26bd20f202ca3
+  data.tar.gz: 735cb4cf3e5480be4462d88ccb0090001e7eca27bfe7338a923f5f190730095037ff0c77e1cbe3c875b137175bc7022b8d0611ccbf8b82426cbbaec5b7802149

data/CHANGELOG

@@ -1,3 +1,13 @@
+= 3.74.0 (2023-11-13)
+
+* Add redirect_http_to_https plugin, helping to ensure future requests from the browser are submitted via HTTPS (jeremyevans)
+
+= 3.73.0 (2023-10-13)
+
+* Support :next_if_not_found option for middleware plugin (jeremyevans) (#334)
+
+* Remove dependency on base64 library from sessions and route_csrf plugin, as it will not be part of the standard library in Ruby 3.4+ (jeremyevans)
+
 = 3.72.0 (2023-09-12)
 
 * Add invalid_request_body plugin for custom handling of invalid request bodies (jeremyevans)

data/README.rdoc

@@ -723,7 +723,7 @@ Note that when subclassing, Roda only does a shallow clone of the settings.
 
 If you store nested structures and plan to mutate them in subclasses,
 it is your responsibility to dup the nested structures inside +Roda.inherited+
-(making sure to call +super+).  This should be is done so that that modifications
+(making sure to call +super+).  This should be is done so that modifications
 to the parent class made after subclassing do _not_ affect the subclass, and
 vice-versa.
 
@@ -851,9 +851,8 @@ should use an appropriate external middleware.
 It is possible to use other session cookie middleware such as
 <tt>Rack::Session::Cookie</tt>, but other middleware may not have the same security
 features that Roda's session support does.  For example, the session cookies used by
-the <tt>Rack::Session::Cookie</tt> middleware are not encrypted, just signed to
-prevent tampering.  This means you should not store any secret data in the session
-when using <tt>Rack::Session::Cookie</tt>.
+the <tt>Rack::Session::Cookie</tt> middleware provided by Rack before Rack 3 are not
+encrypted, just signed to prevent tampering.
 
 For any cookie-based sessions, make sure that the necessary secrets (+:secret+ option)
 are not disclosed to an attacker.  Knowledge of the
@@ -960,17 +959,17 @@ application level using using the +default_headers+ plugin:
 Strict-Transport-Security :: Enforces SSL/TLS Connections to the application.
 X-Content-Type-Options :: Forces some browsers to respect a declared Content-Type header.
 X-Frame-Options :: Provides click-jacking protection by not allowing usage inside a frame.
-X-XSS-Protection :: Enables an XSS mitigation filter in some browsers.
+                   Only include this if you want to support and protect old browsers that
+                   do not support Content-Security-Policy.
 
 Example:
 
   class App < Roda
     plugin :default_headers,
       'Content-Type'=>'text/html',
-      'Strict-Transport-Security'=>'max-age=16070400;',
+      'Strict-Transport-Security'=>'max-age=63072000; includeSubDomains',
       'X-Content-Type-Options'=>'nosniff',
-      'X-Frame-Options'=>'deny',
-      'X-XSS-Protection'=>'1; mode=block'
+      'X-Frame-Options'=>'deny'
   end
 
 === Rendering Templates Derived From User Input
@@ -1007,25 +1006,16 @@ constants and removing them when any of the reloadable loaded files changes. It
 +require+ and +require_relative+ when activated (usually in the development environment). No
 configurations other than +reloadable_paths+ are required.
 
-Both {rerun}[https://github.com/alexch/rerun] and
-{shotgun}[https://github.com/rtomayko/shotgun] use a fork/exec approach for loading new
-versions of your app.  rerun is faster as it only reloads the app on changes, whereas
-shotgun reloads the app on every request.  Both work without any changes to application
+{rerun}[https://github.com/alexch/rerun] uses a fork/exec approach for loading new
+versions of your app.  It work without any changes to application
 code, but may be slower as they have to reload the entire application on every change.
-However, for small apps that load quickly, either may be a good approach.
-
-{Rack::Reloader}[https://github.com/rack/rack/blob/master/lib/rack/reloader.rb] ships
-with rack and just reloads monitored files when they change, without unloading constants.
-It's fast but may cause issues in cases where you remove classes, constants, or methods,
-or when you are not clearing out cached data manually when files are reloaded.
+However, for small apps that load quickly, it may be a good approach.
 
 There is no one reloading solution that is the best for all applications and development
 approaches.  Consider your needs and the tradeoffs of each of the reloading approaches,
-and pick the one you think will work best.
-
-If you are unsure where to start, it may be best to start with rerun or shotgun
-(unless you're running on JRuby or Windows), and only consider other options if rerun or
-shotgun are not fast enough.
+and pick the one you think will work best.  If you are unsure where to start,
+it may be best to start with Zeitwerk, and only consider other options if it does not
+work well for you.
 
 == Plugins
 
@@ -1144,4 +1134,3 @@ MIT
 == Maintainer
 
 Jeremy Evans <code@jeremyevans.net>
-

data/doc/conventions.rdoc

@@ -55,7 +55,7 @@ via <tt>irb -r ./models</tt>, without loading the Roda application.
 migrations.
 
 +spec/+ (or +test/+ should contain your specifications/tests.  For a small application, it's recommended
-to a have a single file for your model tests, and a single file for your web/integration tests.
+to have a single file for your model tests, and a single file for your web/integration tests.
 
 +Rakefile+ should contain the rake tasks for the application.  The convention is that the
 default rake task will run all specs/tests related to the application.  If you are using

data/doc/release_notes/3.73.0.txt

@@ -0,0 +1,33 @@
+= New Features
+
+* The middleware plugin now accepts a :next_if_not_found option.
+  This allows the middleware plugin to pass the request to the next
+  application if the current application handles the request but
+  ends up calling the not_found handler.  With the following
+  middleware:
+
+    class Mid < Roda
+      plugin :middleware
+
+      route do |r|
+        r.on "foo" do
+          r.get "bar" do
+            'bar'
+          end
+        end
+      end
+    end
+
+  Requests for /x would be forwarded to the next application, since
+  the application doesn't handle the request, but requests for /foo/x
+  would not be, because the middleware is partially handling the
+  request in the r.on "foo" block.  With the :next_if_not_found
+  option, only requests for /foo/bar would be handled by the
+  middleware, and all other requests would be forwarded to the next
+  application.
+
+= Other Improvements
+
+* The sessions and route_csrf plugins no longer depend on the base64
+  library. base64 will be removed from Ruby's standard library
+  starting in Ruby 3.4.

data/doc/release_notes/3.74.0.txt

@@ -0,0 +1,28 @@
+= New Features
+
+* A redirect_http_to_https plugin has been added, redirecting HTTP
+  requests to the same path on an HTTPS site.  Using the routing tree,
+  you can control where to do the redirection, which allows you to
+  easily have part of your site accessible via HTTP, with sensitive
+  sections requiring HTTPS:
+
+    plugin :redirect_http_to_https
+
+    route do |r|
+      # routes available via both HTTP and HTTPS
+      r.redirect_http_to_https
+      # routes available only via HTTPS
+    end
+
+  If you want to redirect to HTTPS for all routes in the routing tree, you
+  can have r.redirect_http_to_https as the very first method call in the
+  routing tree.  Note that in Roda it is possible to handle routing before
+  the normal routing tree using before hooks.  The static_routing and
+  heartbeat plugins use this feature. If you would like to handle routes
+  before the normal routing tree, you can setup a before hook:
+
+    plugin :hooks
+
+    before do
+      request.redirect_http_to_https
+    end

data/lib/roda/plugins/_base64.rb

@@ -0,0 +1,34 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    module Base64_
+      class << self
+        if RUBY_VERSION >= '2.4'
+          def decode64(str)
+            str.unpack1("m0")
+          end
+        # :nocov:
+        else
+          def decode64(str)
+            str.unpack("m0")[0]
+          end
+        # :nocov:
+        end
+
+        def urlsafe_encode64(bin)
+          str = [bin].pack("m0")
+          str.tr!("+/", "-_")
+          str
+        end
+
+        def urlsafe_decode64(str)
+          decode64(str.tr("-_", "+/"))
+        end
+      end
+    end
+
+    register_plugin(:_base64, Base64_)
+  end
+end

data/lib/roda/plugins/exception_page.rb

@@ -411,7 +411,7 @@ END
 
         private
 
-        if RUBY_VERSION >= '3.2'
+        if Exception.method_defined?(:detailed_message)
           def exception_page_exception_message(exception)
             exception.detailed_message(highlight: false).to_s
           end

data/lib/roda/plugins/middleware.rb

@@ -33,6 +33,43 @@ class Roda
     #
     #   run App
     #
+    # By default, when the app is used as middleware and handles the request at
+    # all, it does not forward the request to the next middleware.  For the
+    # following setup:
+    #
+    #   class Mid < Roda
+    #     plugin :middleware
+    #
+    #     route do |r|
+    #       r.on "foo" do
+    #         r.is "mid" do
+    #           "Mid"
+    #         end
+    #       end
+    #     end
+    #   end
+    #
+    #   class App < Roda
+    #     use Mid
+    #
+    #     route do |r|
+    #       r.on "foo" do
+    #         r.is "app" do
+    #           "App"
+    #         end
+    #       end
+    #     end
+    #   end
+    #
+    #   run App
+    #
+    # Requests for +/foo/mid will+ return +Mid+, but requests for +/foo/app+
+    # will return an empty 404 response, because the middleware handles the
+    # +/foo/app+ request in the <tt>r.on "foo" do</tt> block, but does not
+    # have the block return a result, which Roda treats as an empty 404 response.
+    # If you would like the middleware to forward +/foo/app+ request to the
+    # application, you should use the +:next_if_not_found+ plugin option.
+    #
     # It is possible to use the Roda app as a regular app even when using
     # the middleware plugin.  Using an app as middleware automatically creates
     # a subclass of the app for the middleware.  Because a subclass is automatically
@@ -64,6 +101,9 @@ class Roda
     #   # Request to App for /mid returns
     #   # "foo bar baz"
     module Middleware
+      NEXT_PROC = lambda{throw :next, true}
+      private_constant :NEXT_PROC
+
       # Configure the middleware plugin.  Options:
       # :env_var :: Set the environment variable to use to indicate to the roda
       #             application that the current request is a middleware request.
@@ -77,12 +117,15 @@ class Roda
       #                              the middleware's route block should be applied to the
       #                              final response when the request is forwarded to the app.
       #                              Defaults to false.
+      # :next_if_not_found :: If the middleware handles the request but returns a not found
+      #                       result (404 with no body), forward the result to the next middleware.
       def self.configure(app, opts={}, &block)
         app.opts[:middleware_env_var] = opts[:env_var] if opts.has_key?(:env_var)
         app.opts[:middleware_env_var] ||= 'roda.forward_next'
         app.opts[:middleware_configure] = block if block
         app.opts[:middleware_handle_result] = opts[:handle_result]
         app.opts[:middleware_forward_response_headers] = opts[:forward_response_headers]
+        app.opts[:middleware_next_if_not_found] = opts[:next_if_not_found]
       end
 
       # Forwarder instances are what is actually used as middleware.
@@ -91,6 +134,9 @@ class Roda
         # and store +app+ as the next middleware to call.
         def initialize(mid, app, *args, &block)
           @mid = Class.new(mid)
+          if @mid.opts[:middleware_next_if_not_found]
+            @mid.plugin(:not_found, &NEXT_PROC)
+          end
           if configure = @mid.opts[:middleware_configure]
             configure.call(@mid, *args, &block)
           elsif block || !args.empty?

data/lib/roda/plugins/redirect_http_to_https.rb

@@ -0,0 +1,99 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The redirect_http_to_https plugin exposes a +redirect_http_to_https+
+    # request method that redirects HTTP requests to HTTPS, helping to ensure
+    # that future requests by the same browser will be submitted securely.
+    #
+    # You should use this plugin if you have an application that can receive
+    # requests using both HTTP and HTTPS, and you want to make sure that all
+    # or a subset of routes are only handled for HTTPS requests.
+    #
+    # The reason this exposes a request method is so that you can choose where
+    # in your routing tree to do the redirection:
+    #
+    #   route do |r|
+    #     # routes available via both HTTP and HTTPS
+    #     r.redirect_http_to_https
+    #     # routes available only via HTTPS
+    #   end
+    #
+    # If you want to redirect to HTTPS for all routes in the routing tree, you
+    # can have this as the very first method call in the routing tree.  Note that
+    # in Roda it is possible to handle routing before the normal routing tree
+    # using before hooks.  The static_routing and heartbeat plugins use this
+    # feature. If you would like to handle routes before the normal routing tree,
+    # you can setup a before hook:
+    #
+    #   plugin :hooks
+    #
+    #   before do
+    #     request.redirect_http_to_https
+    #   end
+    module RedirectHttpToHttps
+      status_map = Hash.new(307)
+      status_map['GET'] = status_map['HEAD'] = 301
+      status_map.freeze
+      DEFAULTS = {:status_map => status_map}.freeze
+      private_constant :DEFAULTS
+
+      # Configures redirection from HTTP to HTTPS.  Available options:
+      #
+      # :body :: The body used in the redirect.  If not set, uses an empty body.
+      # :headers :: Any additional headers used in the redirect response. By default,
+      #             no additional headers are set, the only header used is the Location header.
+      # :host :: The host to redirect to.  If not set, redirects to the same host as the HTTP
+      #          requested to.  It is highly recommended that you set this if requests with
+      #          arbitrary Host headers can be submitted to the application.
+      # :port :: The port to use in the redirect.  By default, will not set an explicit port,
+      #          so that it will implicitly use the HTTPS default port of 443.
+      # :status_map :: A hash mapping request methods to response status codes.  By default,
+      #                uses a hash that redirects GET and HEAD requests with a 301 status,
+      #                and other request methods with a 307 status.
+      def self.configure(app, opts=OPTS)
+        previous = app.opts[:redirect_http_to_https] || DEFAULTS
+        opts = app.opts[:redirect_http_to_https] = previous.merge(opts)
+        opts[:port_string] = opts[:port] ? ":#{opts[:port]}".freeze : "".freeze
+        opts[:prefix] = opts[:host] ? "https://#{opts[:host]}#{opts[:port_string]}".freeze : nil
+        opts.freeze
+      end
+
+      module RequestMethods
+        # Redirect HTTP requests to HTTPS. While this doesn't secure the
+        # current request, it makes it more likely that the browser will submit
+        # future requests securely via HTTPS.
+        def redirect_http_to_https
+          return if ssl?
+
+          opts = roda_class.opts[:redirect_http_to_https]
+
+          res = response
+
+          if body = opts[:body]
+            res.write(body)
+          end
+
+          if headers = opts[:headers]
+            res.headers.merge!(headers)
+          end
+
+          path = if prefix = opts[:prefix]
+            prefix + fullpath
+          else
+            "https://#{host}#{opts[:port_string]}#{fullpath}"
+          end
+
+          unless status = opts[:status_map][@env['REQUEST_METHOD']]
+            raise RodaError, "redirect_http_to_https :status_map provided does not support #{@env['REQUEST_METHOD']}"
+          end
+
+          redirect(path, status)
+        end
+      end
+    end
+
+    register_plugin(:redirect_http_to_https, RedirectHttpToHttps)
+  end
+end

data/lib/roda/plugins/route_csrf.rb

@@ -1,6 +1,5 @@
 # frozen-string-literal: true
 
-require 'base64'
 require 'openssl'
 require 'securerandom'
 require 'uri'
@@ -23,9 +22,11 @@ class Roda
     # and request path even if they have access to a token that is not
     # specific to request method and request path.  To get this security
     # benefit, you must ensure an attacker does not have access to the
-    # session.  Rack::Session::Cookie uses signed sessions, not encrypted
+    # session.  Rack::Session::Cookie versions shipped with Rack before
+    # Rack 3 use signed sessions, not encrypted
     # sessions, so if the attacker has the ability to read cookie data
-    # and you are using Rack::Session::Cookie, it will still be possible
+    # and you are using one of those Rack::Session::Cookie versions,
+    # it will still be possible
     # for an attacker to generate valid CSRF tokens specific to arbitrary
     # request method and request path.  Roda's session plugin uses
     # encrypted sessions and therefore is safe even if the attacker can
@@ -163,6 +164,10 @@ class Roda
       # a valid CSRF token was not provided.
       class InvalidToken < RodaError; end
 
+      def self.load_dependencies(app, opts=OPTS)
+        app.plugin :_base64
+      end
+
       def self.configure(app, opts=OPTS, &block)
         options = app.opts[:route_csrf] = (app.opts[:route_csrf] || DEFAULTS).merge(opts)
         if block || opts[:csrf_failure].is_a?(Proc)
@@ -260,7 +265,7 @@ class Roda
         def csrf_token(path=nil, method=('POST' if path))
           token = SecureRandom.random_bytes(31)
           token << csrf_hmac(token, method, path)
-          Base64.strict_encode64(token)
+          [token].pack("m0")
         end
 
         # Whether request-specific CSRF tokens should be used by default.
@@ -314,7 +319,7 @@ class Roda
           end
 
           begin
-            submitted_hmac = Base64.strict_decode64(encoded_token)
+            submitted_hmac = Base64_.decode64(encoded_token)
           rescue ArgumentError
             return "encoded token is not valid base64"
           end
@@ -354,7 +359,7 @@ class Roda
         # JSON is used for session serialization).
         def csrf_secret
           key = session[csrf_options[:key]] ||= SecureRandom.base64(32)
-          Base64.strict_decode64(key)
+          Base64_.decode64(key)
         end
       end
     end

data/lib/roda/plugins/sessions.rb

@@ -10,7 +10,6 @@ rescue OpenSSL::Cipher::CipherError
   # :nocov:
 end
 
-require 'base64'
 require 'json'
 require 'securerandom'
 require 'zlib'
@@ -41,7 +40,8 @@ class Roda
     #
     # Session secrets can be rotated.  See options below.
     #
-    # The sessions plugin can transparently upgrade sessions from Rack::Session::Cookie
+    # The sessions plugin can transparently upgrade sessions from versions of Rack::Session::Cookie
+    # shipped with Rack before Rack 3,
     # if the default Rack::Session::Cookie coder and HMAC are used, see options below.
     # It is recommended to only enable transparent upgrades for a brief transition period,
     # and remove support for them once old sessions have converted or timed out.
@@ -171,6 +171,10 @@ class Roda
         [cipher_secret.freeze, hmac_secret.freeze]
       end
 
+      def self.load_dependencies(app, opts=OPTS)
+        app.plugin :_base64
+      end
+
       # Configure the plugin, see Sessions for details on options.
       def self.configure(app, opts=OPTS)
         opts = (app.opts[:sessions] || DEFAULT_OPTIONS).merge(opts)
@@ -344,7 +348,7 @@ class Roda
           opts = roda_class.opts[:sessions]
 
           begin
-            data = Base64.urlsafe_decode64(data)
+            data = Base64_.urlsafe_decode64(data)
           rescue ArgumentError
             return _session_serialization_error("Unable to decode session: invalid base64")
           end
@@ -493,7 +497,7 @@ class Roda
           data << encrypted_data
           data << OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, opts[:hmac_secret], data+opts[:key])
 
-          data = Base64.urlsafe_encode64(data)
+          data = Base64_.urlsafe_encode64(data)
 
           if data.bytesize >= 4096
             raise CookieTooLarge, "attempted to create cookie larger than 4096 bytes"

data/lib/roda/response.rb

@@ -10,19 +10,15 @@ class Roda
   # headers used internally by Roda can be lower case on Rack 3, so that it is
   # possible to use a plain hash of response headers instead of using Rack::Headers.
   module RodaResponseHeaders
-    headers = %w'Allow Cache-Control Content-Disposition Content-Encoding Content-Length
-       Content-Security-Policy Content-Security-Policy-Report-Only Content-Type
-       ETag Expires Last-Modified Link Location Set-Cookie Transfer-Encoding Vary'.freeze.each(&:freeze)
+    downcase = defined?(Rack::Headers) && Rack::Headers.is_a?(Class)
 
-    if defined?(Rack::Headers) && Rack::Headers.is_a?(Class)
-      headers.each do |mixed_case|
-        const_set(mixed_case.gsub('-', '_').upcase!.to_sym, mixed_case.downcase.freeze)
-      end
-    else
-      headers.each do |mixed_case|
-        const_set(mixed_case.gsub('-', '_').upcase!.to_sym, mixed_case.freeze)
+    %w'Allow Cache-Control Content-Disposition Content-Encoding Content-Length
+       Content-Security-Policy Content-Security-Policy-Report-Only Content-Type
+       ETag Expires Last-Modified Link Location Set-Cookie Transfer-Encoding Vary'.
+      each do |value|
+        value = value.downcase if downcase
+        const_set(value.gsub('-', '_').upcase!.to_sym, value.freeze)
       end
-    end
   end
 
   # Base class used for Roda responses.  The instance methods for this

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 72
+  RodaMinorVersion = 74
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.72.0
+  version: 3.74.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-09-12 00:00:00.000000000 Z
+date: 2023-11-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -246,6 +246,8 @@ extra_rdoc_files:
 - doc/release_notes/3.70.0.txt
 - doc/release_notes/3.71.0.txt
 - doc/release_notes/3.72.0.txt
+- doc/release_notes/3.73.0.txt
+- doc/release_notes/3.74.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 files:
@@ -325,6 +327,8 @@ files:
 - doc/release_notes/3.70.0.txt
 - doc/release_notes/3.71.0.txt
 - doc/release_notes/3.72.0.txt
+- doc/release_notes/3.73.0.txt
+- doc/release_notes/3.74.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 - lib/roda.rb
@@ -332,6 +336,7 @@ files:
 - lib/roda/plugins.rb
 - lib/roda/plugins/Integer_matcher_max.rb
 - lib/roda/plugins/_after_hook.rb
+- lib/roda/plugins/_base64.rb
 - lib/roda/plugins/_before_hook.rb
 - lib/roda/plugins/_optimized_matching.rb
 - lib/roda/plugins/_symbol_regexp_matchers.rb
@@ -425,6 +430,7 @@ files:
 - lib/roda/plugins/public.rb
 - lib/roda/plugins/r.rb
 - lib/roda/plugins/recheck_precompiled_assets.rb
+- lib/roda/plugins/redirect_http_to_https.rb
 - lib/roda/plugins/relative_path.rb
 - lib/roda/plugins/render.rb
 - lib/roda/plugins/render_coverage.rb