roda 3.75.0 → 3.77.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4ebdbc5b5707ba21044b5f4c83445ff8fca6a3925488c72a5176cc662c2ad15b
-  data.tar.gz: ac528e50bfe1e778b5b4d32d16d12e117e87dc55b2f7cad1170b682e2f979586
+  metadata.gz: 8afa46b8055c19e63e1efeebf444b422cd810701c759936d476797515630245d
+  data.tar.gz: 4e857447435707de1d586857126795e2a1191f685ca8893e99cd1c78aeb50c02
 SHA512:
-  metadata.gz: b7d13975d6c7705f1d7b184f27430320e1dfd5fea96e532f119f86b4c09fdb5c7e460107033d8d099c6ef8da354a514289981163d74cdb293b89074299a57eda
-  data.tar.gz: d16c1b3a2edd401a73b104bf9458fcb865e441f4de649dcfcb8144eb3102abcd6abee741ecbbbf1cad3b13d8efca7260d7785b7e5a2505f29541ad001de9b1e4
+  metadata.gz: 2ecfeb211d574d46bdc31995c3551afb97af50acf8567cce83b46808e87ff797a5ef7c769e42c0477ed6a6d9271040b818da72e77c91e4f91f9760201d2cd5ca
+  data.tar.gz: 45e67fbd1da64839c6dc5a8dc0975a0dca5f67a77c83ae79a62ab22e7d9cf0002cb8b8f6a22661bdaf97ad973b6bc6ff928af2e416a96c35b12150e9fe0eaf4d

data/CHANGELOG

@@ -1,3 +1,15 @@
+= 3.77.0 (2024-02-12)
+
+* Support formaction/formmethod attributes in forms in route_csrf plugin (jeremyevans)
+
+= 3.76.0 (2024-01-12)
+
+* Support :filter plugin option in error_mail and error_email for filtering parameters, environment variables, and session values (jeremyevans) (#346)
+
+* Set temporary name on Ruby 3.3 in middleware plugin for middleware class created (janko) (#344)
+
+* Add break plugin, for using break inside a routing block to return from the block and keep routing (jeremyevans)
+
 = 3.75.0 (2023-12-14)
 
 * Add cookie_flags plugin, for overriding, warning, or raising for incorrect cookie flags (jeremyevans)

data/doc/release_notes/3.76.0.txt

@@ -0,0 +1,18 @@
+= New Features
+
+* A break plugin has been added, allowing you to use break from
+  inside a routing block and continue routing after the block.  This
+  offers the same feature as the pass plugin, but using the standard
+  break keyword instead of the r.pass method.
+
+* The error_mail and error_email features now both accept a :filter
+  plugin option.  The value should respond to call with two arguments.
+  The first arguments is the key, and the second is the value, and
+  should return a truthy value if the value should be filtered.  This
+  will be used for filtering parameter values, ENV values, and session
+  values in the generated emails.
+
+= Other Improvements
+
+* On Ruby 3.3+, the middleware plugin sets a temporary class name for
+  the created middleware, based on the class name of the Roda app.

data/doc/release_notes/3.77.0.txt

@@ -0,0 +1,8 @@
+= New Features
+
+* The route_csrf plugin now supports formaction/formmethod attributes
+  in forms. A csrf_formaction_tag method has been added for creating
+  a hidden input for a particular path and method.  When a form is
+  submitted, the check_csrf! method will fix check for a path-specific
+  csrf token (set by the hidden tag added by the csrf_formaction_tag
+  method), before checking for the default csrf token.

data/lib/roda/plugins/break.rb

@@ -0,0 +1,43 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The break plugin supports calling break inside a match block, to
+    # return from the block and continue in the routing tree, restoring
+    # the remaining path so that future matchers operating on the path
+    # operate as expected.
+    #
+    #   plugin :break
+    #
+    #   route do |r|
+    #     r.on "foo", :bar do |bar|
+    #       break if bar == 'baz'
+    #       "/foo/#{bar} (not baz)"
+    #     end
+    #
+    #     r.on "foo/baz" do
+    #       "/foo/baz"
+    #     end
+    #   end
+    #
+    # This provides the same basic feature as the pass plugin, but
+    # uses Ruby's standard control flow primative instead of a
+    # separate method.
+    module Break
+      module RequestMethods
+        private
+
+        # Handle break inside match blocks, restoring remaining path.
+        def if_match(_)
+          rp = @remaining_path
+          super
+        ensure
+          @remaining_path = rp
+        end
+      end
+    end
+
+    register_plugin(:break, Break)
+  end
+end

data/lib/roda/plugins/error_email.rb

@@ -21,6 +21,9 @@ class Roda
     #
     # Options:
     #
+    # :filter :: Callable called with the key and value for each parameter, environment
+    #            variable, and session value.  If it returns true, the value of the
+    #            parameter is filtered in the email.
     # :from :: The From address to use in the email (required)
     # :headers :: A hash of additional headers to use in the email (default: empty hash)
     # :host :: The SMTP server to use to send the email (default: localhost)
@@ -38,6 +41,7 @@ class Roda
     # use an error reporting service instead of this plugin.
     module ErrorEmail
       DEFAULTS = {
+        :filter=>lambda{|k,v| false},
         :headers=>OPTS,
         :host=>'localhost',
         # :nocov:
@@ -52,7 +56,12 @@ class Roda
           {'From'=>h[:from], 'To'=>h[:to], 'Subject'=>"#{h[:prefix]}#{subject}"}
         end,
         :body=>lambda do |s, e|
-          format = lambda{|h| h.map{|k, v| "#{k.inspect} => #{v.inspect}"}.sort.join("\n")}
+          filter = s.opts[:error_email][:filter]
+          format = lambda do |h|
+            h = h.map{|k, v| "#{k.inspect} => #{filter.call(k, v) ? 'FILTERED' : v.inspect}"}
+            h.sort!
+            h.join("\n")
+          end 
 
           begin
             params = s.request.params

data/lib/roda/plugins/error_mail.rb

@@ -21,6 +21,9 @@ class Roda
     #
     # Options:
     #
+    # :filter :: Callable called with the key and value for each parameter, environment
+    #            variable, and session value.  If it returns true, the value of the
+    #            parameter is filtered in the email.
     # :from :: The From address to use in the email (required)
     # :headers :: A hash of additional headers to use in the email (default: empty hash)
     # :prefix :: A prefix to use in the email's subject line (default: no prefix)
@@ -36,9 +39,12 @@ class Roda
     # for low traffic web applications.  For high traffic web applications,
     # use an error reporting service instead of this plugin.
     module ErrorMail
+      DEFAULT_FILTER = lambda{|k,v| false}
+      private_constant :DEFAULT_FILTER
+
       # Set default opts for plugin.  See ErrorEmail module RDoc for options.
       def self.configure(app, opts=OPTS)
-        app.opts[:error_mail] = email_opts = (app.opts[:error_mail] || OPTS).merge(opts).freeze
+        app.opts[:error_mail] = email_opts = (app.opts[:error_mail] || {:filter=>DEFAULT_FILTER}).merge(opts).freeze
         unless email_opts[:to] && email_opts[:from]
           raise RodaError, "must provide :to and :from options to error_mail plugin"
         end
@@ -68,8 +74,13 @@ class Roda
             e.to_s
           end
           subject = "#{email_opts[:prefix]}#{subject}"
+          filter = email_opts[:filter]
 
-          format = lambda{|h| h.map{|k, v| "#{k.inspect} => #{v.inspect}"}.sort.join("\n")}
+          format = lambda do |h|
+            h = h.map{|k, v| "#{k.inspect} => #{filter.call(k, v) ? 'FILTERED' : v.inspect}"}
+            h.sort!
+            h.join("\n")
+          end 
 
           begin
             params = request.params

data/lib/roda/plugins/middleware.rb

@@ -134,6 +134,9 @@ class Roda
         # and store +app+ as the next middleware to call.
         def initialize(mid, app, *args, &block)
           @mid = Class.new(mid)
+          # :nocov:
+          @mid.set_temporary_name("#{mid.name}(middleware)") if mid.name && RUBY_VERSION >= "3.3"
+          # :nocov:
           if @mid.opts[:middleware_next_if_not_found]
             @mid.plugin(:not_found, &NEXT_PROC)
           end

data/lib/roda/plugins/route_csrf.rb

@@ -42,6 +42,9 @@ class Roda
     # This plugin supports the following options:
     #
     # :field :: Form input parameter name for CSRF token (default: '_csrf')
+    # :formaction_field :: Form input parameter name for path-specific CSRF tokens (used by the
+    #                      +csrf_formaction_tag+ method).  If present, this parameter should be
+    #                      submitted as a hash, keyed by path, with CSRF token values.
     # :header :: HTTP header name for CSRF token (default: 'X-CSRF-Token')
     # :key :: Session key for CSRF secret (default: '_roda_csrf_secret')
     # :require_request_specific_tokens :: Whether request-specific tokens are required (default: true).
@@ -86,6 +89,10 @@ class Roda
     #                         override any of the plugin options for this specific call.
     #                         The :token option can be used to specify the provided CSRF token
     #                         (instead of looking for the token in the submitted parameters).
+    # csrf_formaction_tag(path, method='POST') :: An HTML hidden input tag string containing the CSRF token, suitable
+    #                                             for placing in an HTML form that has inputs that use formaction
+    #                                             attributes to change the endpoint to which the form is submitted.
+    #                                             Takes the same arguments as csrf_token.
     # csrf_field :: The field name to use for the hidden tag containing the CSRF token.
     # csrf_path(action) :: This takes an argument that would be the value of the HTML form's
     #                      action attribute, and returns a path you can pass to csrf_token
@@ -152,6 +159,7 @@ class Roda
       # Default CSRF option values
       DEFAULTS = {
         :field => '_csrf'.freeze,
+        :formaction_field => '_csrfs'.freeze,
         :header => 'X-CSRF-Token'.freeze,
         :key => '_roda_csrf_secret'.freeze,
         :require_request_specific_tokens => true,
@@ -252,6 +260,14 @@ class Roda
           end
         end
 
+        # An HTML hidden input tag string containing the CSRF token, used for inputs
+        # with formaction, so the same form can be used to submit to multiple endpoints
+        # depending on which button was clicked.  See csrf_token for arguments, but the
+        # path argument is required.
+        def csrf_formaction_tag(path, *args)
+          "<input type=\"hidden\" name=\"#{csrf_options[:formaction_field]}[#{Rack::Utils.escape_html(path)}]\" value=\"#{csrf_token(path, *args)}\" \/>"
+        end
+
         # An HTML hidden input tag string containing the CSRF token.  See csrf_token for
         # arguments.
         def csrf_tag(*args)
@@ -291,6 +307,8 @@ class Roda
             return
           end
 
+          path = @_request.path
+
           unless encoded_token = opts[:token]
             encoded_token = case opts[:check_header]
             when :only
@@ -298,7 +316,8 @@ class Roda
             when true
               return (csrf_invalid_message(opts.merge(:check_header=>false)) && csrf_invalid_message(opts.merge(:check_header=>:only)))
             else
-              @_request.params[opts[:field]]
+              params = @_request.params
+              ((formactions = params[opts[:formaction_field]]).is_a?(Hash) && (formactions[path])) || params[opts[:field]]
             end
           end
 
@@ -326,7 +345,7 @@ class Roda
 
           random_data = submitted_hmac.slice!(0...31)
 
-          if csrf_compare(csrf_hmac(random_data, method, @_request.path), submitted_hmac)
+          if csrf_compare(csrf_hmac(random_data, method, path), submitted_hmac)
             return
           end
 

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 75
+  RodaMinorVersion = 77
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.75.0
+  version: 3.77.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-12-14 00:00:00.000000000 Z
+date: 2024-02-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -249,6 +249,8 @@ extra_rdoc_files:
 - doc/release_notes/3.73.0.txt
 - doc/release_notes/3.74.0.txt
 - doc/release_notes/3.75.0.txt
+- doc/release_notes/3.76.0.txt
+- doc/release_notes/3.77.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 files:
@@ -331,6 +333,8 @@ files:
 - doc/release_notes/3.73.0.txt
 - doc/release_notes/3.74.0.txt
 - doc/release_notes/3.75.0.txt
+- doc/release_notes/3.76.0.txt
+- doc/release_notes/3.77.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 - lib/roda.rb
@@ -351,6 +355,7 @@ files:
 - lib/roda/plugins/autoload_named_routes.rb
 - lib/roda/plugins/backtracking_array.rb
 - lib/roda/plugins/branch_locals.rb
+- lib/roda/plugins/break.rb
 - lib/roda/plugins/caching.rb
 - lib/roda/plugins/capture_erb.rb
 - lib/roda/plugins/chunked.rb
@@ -494,7 +499,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.5.3
 signing_key:
 specification_version: 4
 summary: Routing tree web toolkit