roda 3.80.0 → 3.82.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0cebe935d536e1f903b212075108ba9cbcade4aa2e8d2abf1c5e0d6e6f539ce8
-  data.tar.gz: 9b0c576aaa36c5a05596c1bc1bec23d3ab0f37c56dc72342bfa962b10442928f
+  metadata.gz: bdf5797c96af1d28dc4d13f0c95ac0468d60eb30b6a128b2cee2c26a08eb0a7f
+  data.tar.gz: d687b3cd03657bdcfda6f87a7a7a2a3b55e9a0c4f856cabd3d080865cc7d9ad2
 SHA512:
-  metadata.gz: 0e83d0fe8e1f70bb196ea5f285f7a00590ab1669e4b1d686f859d1e5c65a8e760d1320b345306740d00c7d063f0f6bada1af88433b3b04c6b429f439bb7e2521
-  data.tar.gz: e9b0ffd5b5fb7e976a971f11fbed4f0beb35868dcb7aa70c41c005046a9053cb6c62caf29f669c02cd53e67cd5db51a28076f058824c90a1c1b917a9b7f0f4fb
+  metadata.gz: e518b9638e98713ed54fd4c609069edf81a81987adf53ce2b7a09fa7110244f67b109cbe91c9c03d713f824900649d1c4b2ad435823852dcdfd01094f506afae
+  data.tar.gz: '00877a1338b70a5b96dab7fb946e21c7c916c776666286f80251b362e29ca6e040ffeb9b7a7258cf3af4c9246de5a6c35c5332385bd3cb926505776102c9112c'

data/CHANGELOG

@@ -1,3 +1,19 @@
+= 3.82.0 (2024-07-12)
+
+* Add :encodings option to public plugin to support configurable encoding order (jeremyevans)
+
+* Add :zstd option to public plugin to supplement it to serve zstd-compressed files with .zst extension (jeremyevans)
+
+* Make capture_erb plugin call integrate better with erubi/capture_block (jeremyevans)
+
+= 3.81.0 (2024-06-12)
+
+* Make assets plugin :early_hints option follow Rack 3 SPEC if using Rack 3 (jeremyevans)
+
+* Correctly parse Ruby 3.4 backtraces in exception_page plugin (jeremyevans)
+
+* Support :until and :seconds option in hmac_paths plugin, for paths valid only until a specific time (jeremyevans)
+
 = 3.80.0 (2024-05-10)
 
 * Support :namespace option in hmac_paths plugin, allowing for easy per-user/per-group HMAC paths (jeremyevans)

data/doc/release_notes/3.81.0.txt

@@ -0,0 +1,24 @@
+= New Features
+
+* The hmac_paths plugin now supports :until and :seconds options for
+  hmac_path, to create a path that is only valid for a specific amount of
+  time.  :until sets a specific time that the path will be valid until,
+  and :seconds makes the path only valid for the given number of seconds.
+
+    hmac_path('/widget/1', until: Time.utc(2100))
+    # =>  "/dc8b6e56e4cbe7815df7880d42f0e02956b2e4c49881b6060ceb0e49745a540d/t/4102444800/widget/1"
+
+  Requests for the path after the given time will not be matched by
+  r.hmac_path.
+
+= Other Improvements
+
+* The early_hints plugin now correctly follows the Rack 3 SPEC when
+  using Rack 3.  This was not caught previously because Rack only
+  added official support for early_hints in the last month.
+
+* Ruby 3.4 backtraces are now parsed correctly in the exception_page
+  plugin.
+
+* Some plugins that accept a block no longer issue an unused block
+  warning on Ruby 3.4.

data/doc/release_notes/3.82.0.txt

@@ -0,0 +1,43 @@
+= New Features
+
+* A :zstd option has been added to the public and multi_public
+  plugins to support serving zstd-compressed files with a .zst
+  extension. This option is similar to the existing :gzip and
+  :brotli plugin options.  Chrome started supporting zstd encoding
+  in March.
+
+* An :encodings option has been added to the public and multi_public
+  plugins, for more control over how encodings are handled.  This
+  allows for changing the order in which encodings are attempted, the
+  use of custom encodings, and the use of different file extensions
+  for encodings.  Example:
+
+    plugin :public, encodings: {'zstd'=>'.zst', 'deflate'=>'.deflate'}
+
+  If the :encodings option is not provided, the :zstd, :brotli, and
+  :gzip options are used to build an equivalent :encodings option.
+
+= Other Improvements
+
+* The capture_erb plugin now integrates better when using
+  erubi/capture_block for <%= method do %> support in ERB templates,
+  using the native capture method provided by the buffer object.
+
+* Encoding handling has been more optimized in the public plugin.
+  Regexps for the encodings are precomputed, avoiding a regexp
+  allocation per request per encoding attempted. On Ruby 2.4+
+  Regexp#match? is used for better performance.  If the
+  Accept-Encoding header is not present, no encoding matching
+  is attemped.
+
+= Backwards Compatibility
+
+* The private public_serve_compressed request method in the public
+  plugin now assumes it is called after the encoding is already
+  valid. If you are calling this method in your own code, you now
+  need to perform checks to make sure the client can accept the
+  encoding before calling this method.
+
+* The :public_gzip and :public_brotli application options are no
+  longer set by the public plugin.  The :public_encodings option
+  is now set.

data/lib/roda/plugins/assets.rb

@@ -736,7 +736,9 @@ class Roda
           paths = assets_paths(type)
           if o[:early_hints]
             early_hint_as = ltype == :js ? 'script' : 'style'
-            send_early_hints('Link'=>paths.map{|p| "<#{p}>; rel=preload; as=#{early_hint_as}"}.join("\n"))
+            early_hints = paths.map{|p| "<#{p}>; rel=preload; as=#{early_hint_as}"}
+            early_hints = early_hints.join("\n") if Rack.release < '3'
+            send_early_hints(RodaResponseHeaders::LINK=>early_hints)
           end
           paths.map{|p| "#{tag_start}#{h(p)}#{tag_end}"}.join("\n")
         end

data/lib/roda/plugins/capture_erb.rb

@@ -15,6 +15,11 @@ class Roda
     # inside templates.  It can be combined with the inject_erb plugin
     # to wrap template blocks with arbitrary output and then inject the
     # wrapped output into the template.
+    #
+    # If the output buffer object responds to +capture+ (e.g. when
+    # +erubi/capture_block+ is being used as the template engine),
+    # this will call +capture+ on the output buffer object, instead
+    # of setting the output buffer object temporarily to a new object.
     module CaptureERB
       def self.load_dependencies(app)
         app.plugin :render
@@ -25,13 +30,20 @@ class Roda
         # with an empty string, and then yield to the block.
         # Return the value of the block, converted to a string.
         # Restore the previous ERB output buffer before returning.
-        def capture_erb
+        def capture_erb(&block)
           outvar = render_opts[:template_opts][:outvar]
           buf_was = instance_variable_get(outvar)
-          instance_variable_set(outvar, String.new)
-          yield.to_s
-        ensure
-          instance_variable_set(outvar, buf_was) if outvar && buf_was
+
+          if buf_was.respond_to?(:capture)
+            buf_was.capture(&block)
+          else
+            begin
+              instance_variable_set(outvar, String.new)
+              yield.to_s
+            ensure
+              instance_variable_set(outvar, buf_was) if outvar && buf_was
+            end
+          end
         end
       end
     end

data/lib/roda/plugins/exception_page.rb

@@ -245,7 +245,7 @@ END
 
             frames = exception.backtrace.map.with_index do |line, i|
               frame = {:id=>i}
-              if line =~ /\A(.*?):(\d+)(?::in `(.*)')?\Z/
+              if line =~ /\A(.*?):(\d+)(?::in [`'](.*)')?\Z/
                 filename = frame[:filename] = $1
                 lineno = frame[:lineno] = $2.to_i
                 frame[:function] = $3

data/lib/roda/plugins/filter_common_logger.rb

@@ -21,7 +21,7 @@ class Roda
     #     !request.path.start_with?('/admin/')
     #   end
     module FilterCommonLogger
-      def self.load_dependencies(app)
+      def self.load_dependencies(app, &_)
         app.plugin :common_logger
       end
 

data/lib/roda/plugins/hmac_paths.rb

@@ -112,6 +112,16 @@ class Roda
     # this for POST requests (or other HTTP verbs that can have request bodies), use +r.GET+
     # instead of +r.params+ to specifically check query string parameters.
     #
+    # The generated paths can be timestamped, so that they are only valid until a given time
+    # or for a given number of seconds after they are generated, using the :until or :seconds
+    # options:
+    #
+    #   hmac_path('/widget/1', until: Time.utc(2100))
+    #   # =>  "/dc8b6e56e4cbe7815df7880d42f0e02956b2e4c49881b6060ceb0e49745a540d/t/4102444800/widget/1"
+    #
+    #   hmac_path('/widget/1', seconds: Time.utc(2100).to_i - Time.now.to_i)
+    #   # =>  "/dc8b6e56e4cbe7815df7880d42f0e02956b2e4c49881b6060ceb0e49745a540d/t/4102444800/widget/1"
+    #
     # The :namespace option, if provided, should be a string, and it modifies the generated HMACs
     # to only match those in the same namespace.  This can be used to provide different paths to
     # different users or groups of users.
@@ -190,6 +200,11 @@ class Roda
     #  r.hmac_path('/1', params: {k: 2})
     #  HMAC_hex(HMAC_hex(secret, ''), '/p/1?k=2')
     #
+    # The +:until+ and +:seconds+ option include the timestamp in the HMAC:
+    #
+    #  r.hmac_path('/1', until: Time.utc(2100))
+    #  HMAC_hex(HMAC_hex(secret, ''), '/t/4102444800/1')
+    #
     # If a +:namespace+ option is provided, the original secret used before the +:root+ option is
     # an HMAC of the +:secret+ plugin option and the given namespace.
     # 
@@ -232,6 +247,8 @@ class Roda
         #          the already matched path of the routing tree using r.hmac_path. Defaults
         #          to the empty string, which will returns paths valid for r.hmac_path at
         #          the top level of the routing tree.
+        # :seconds :: Make the given path valid for the given integer number of seconds.
+        # :until :: Make the given path valid until the given Time.
         def hmac_path(path, opts=OPTS)
           unless path.is_a?(String) && path.getbyte(0) == 47
             raise RodaError, "path must be a string starting with /"
@@ -242,6 +259,12 @@ class Roda
             raise RodaError, "root must be empty string or string starting with /"
           end
 
+          if valid_until = opts[:until]
+            valid_until = valid_until.to_i
+          elsif seconds = opts[:seconds]
+            valid_until = Time.now.to_i + seconds
+          end
+
           flags = String.new
           path = path.dup
 
@@ -258,6 +281,11 @@ class Roda
             flags << 'n'
           end
 
+          if valid_until
+            flags << 't'
+            path = "/#{valid_until}#{path}"
+          end
+
           flags << '0' if flags.empty?
           
           hmac_path = if method
@@ -335,7 +363,19 @@ class Roda
                   end
 
                   if hmac_path_valid?(mpath, rpath, submitted_hmac, opts)
-                    always(&block)
+                    if flags.include?('t')
+                      on Integer do |int|
+                        if int >= Time.now.to_i
+                          always(&block)
+                        else
+                          # Return from method without matching
+                          @remaining_path = orig_path
+                          return
+                        end
+                      end
+                    else
+                      always(&block)
+                    end
                   end
                 end
 

data/lib/roda/plugins/indifferent_params.rb

@@ -53,13 +53,10 @@ class Roda
           
           class Params < Rack::QueryParser::Params
             if Rack.release >= '3'
-              # rack main branch compatibility
-              # :nocov:
               if Params < Hash
                 def initialize
                   super(&INDIFFERENT_PROC)
                 end
-              # :nocov:
               else
                 def initialize
                   @size   = 0

data/lib/roda/plugins/not_found.rb

@@ -31,7 +31,7 @@ class Roda
     # still exists mainly for backward compatibility.
     module NotFound
       # Require the status_handler plugin
-      def self.load_dependencies(app)
+      def self.load_dependencies(app, &_)
         app.plugin :status_handler
       end
 

data/lib/roda/plugins/plain_hash_response_headers.rb

@@ -3,7 +3,7 @@
 #
 class Roda
   module RodaPlugins
-    # The response_headers_plain_hash plugin will change Roda to
+    # The plain_hash_response_headers plugin will change Roda to
     # use a plain hash for response headers.  This is Roda's
     # default behavior on Rack 2, but on Rack 3+, Roda defaults
     # to using Rack::Headers for response headers for backwards

data/lib/roda/plugins/public.rb

@@ -44,15 +44,30 @@ class Roda
       SPLIT = Regexp.union(*[File::SEPARATOR, File::ALT_SEPARATOR].compact)
       PARSER = URI::DEFAULT_PARSER
       RACK_FILES = defined?(Rack::Files) ? Rack::Files : Rack::File
+      ENCODING_MAP = {:zstd=>'zstd', :brotli=>'br', :gzip=>'gzip'}.freeze
+      ENCODING_EXTENSIONS = {'br'=>'.br', 'gzip'=>'.gz', 'zstd'=>'.zst'}.freeze
+
+      # :nocov:
+      MATCH_METHOD = RUBY_VERSION >= '2.4' ? :match? : :match
+      # :nocov:
 
       # Use options given to setup a Rack::File instance for serving files. Options:
+      # :brotli :: Whether to serve already brotli-compressed files with a .br extension
+      #            for clients supporting "br" transfer encoding.
       # :default_mime :: The default mime type to use if the mime type is not recognized.
+      # :encodings :: An enumerable of pairs to handle accepted encodings.  The first
+      #               element of the pair is the accepted encoding name (e.g. 'gzip'),
+      #               and the second element of the pair is the file extension (e.g.
+      #               '.gz'). This allows configuration of the order in which encodings 
+      #               are tried, to prefer brotli to zstd for example, or to support
+      #               encodings other than zstd, brotli, and gzip. This takes
+      #               precedence over the :brotli, :gzip, and :zstd options if given.
       # :gzip :: Whether to serve already gzipped files with a .gz extension for clients
-      #          supporting gzipped transfer encoding.
-      # :brotli :: Whether to serve already brotli-compressed files with a .br extension
-      #            for clients supporting brotli transfer encoding.
+      #          supporting "gzip" transfer encoding.
       # :headers :: A hash of headers to use for statically served files
       # :root :: Use this option for the root of the public directory (default: "public")
+      # :zstd :: Whether to serve already zstd-compressed files with a .zst extension
+      #          for clients supporting "zstd" transfer encoding.
       def self.configure(app, opts={})
         if opts[:root]
           app.opts[:public_root] = app.expand_path(opts[:root])
@@ -60,8 +75,18 @@ class Roda
           app.opts[:public_root] = app.expand_path("public")
         end
         app.opts[:public_server] = RACK_FILES.new(app.opts[:public_root], opts[:headers]||{}, opts[:default_mime] || 'text/plain')
-        app.opts[:public_gzip] = opts[:gzip]
-        app.opts[:public_brotli] = opts[:brotli]
+
+        unless encodings = opts[:encodings]
+          if ENCODING_MAP.any?{|k,| opts.has_key?(k)}
+            encodings = ENCODING_MAP.map{|k, v| [v, ENCODING_EXTENSIONS[v]] if opts[k]}.compact
+          end
+        end
+        encodings = (encodings || app.opts[:public_encodings] || EMPTY_ARRAY).map(&:dup).freeze
+        encodings.each do |a|
+          a << /\b#{a[0]}\b/
+        end
+        encodings.each(&:freeze)
+        app.opts[:public_encodings] = encodings
       end
 
       module RequestMethods
@@ -102,8 +127,13 @@ class Roda
           roda_opts = roda_class.opts
           path = ::File.join(server.root, *public_path_segments(path))
 
-          public_serve_compressed(server, path, '.br', 'br') if roda_opts[:public_brotli]
-          public_serve_compressed(server, path, '.gz', 'gzip') if roda_opts[:public_gzip]
+          if accept_encoding = env['HTTP_ACCEPT_ENCODING']
+            roda_opts[:public_encodings].each do |enc, ext, regexp|
+              if regexp.send(MATCH_METHOD, accept_encoding)
+                public_serve_compressed(server, path, ext, enc)
+              end
+            end
+          end
 
           if public_file_readable?(path)
             s, h, b = public_serve(server, path)
@@ -113,22 +143,22 @@ class Roda
           end
         end
 
+        # Serve the compressed file if it exists.  This should only
+        # be called if the client will accept the related encoding.
         def public_serve_compressed(server, path, suffix, encoding)
-          if env['HTTP_ACCEPT_ENCODING'] =~ /\b#{encoding}\b/
-            compressed_path = path + suffix
+          compressed_path = path + suffix
 
-            if public_file_readable?(compressed_path)
-              s, h, b = public_serve(server, compressed_path)
-              headers = response.headers
-              headers.replace(h)
-
-              unless s == 304
-                headers[RodaResponseHeaders::CONTENT_TYPE] = ::Rack::Mime.mime_type(::File.extname(path), 'text/plain')
-                headers[RodaResponseHeaders::CONTENT_ENCODING] = encoding
-              end
+          if public_file_readable?(compressed_path)
+            s, h, b = public_serve(server, compressed_path)
+            headers = response.headers
+            headers.replace(h)
 
-              halt [s, headers, b]
+            unless s == 304
+              headers[RodaResponseHeaders::CONTENT_TYPE] = ::Rack::Mime.mime_type(::File.extname(path), 'text/plain')
+              headers[RodaResponseHeaders::CONTENT_ENCODING] = encoding
             end
+
+            halt [s, headers, b]
           end
         end
 

data/lib/roda/plugins/render.rb

@@ -148,6 +148,19 @@ class Roda
     # inject the content into the output. To get similar behavior with Roda, you have
     # a few different options you can use.
     #
+    # == Use Erubi::CaptureBlockEngine
+    #
+    # Roda defaults to using Erubi for erb template rendering.  Erubi 1.13.0+ includes
+    # support for an erb variant that supports blocks in <tt><%=</tt> and <tt><%==</tt>
+    # tags.  To use it:
+    #
+    #   require 'erubi/capture_block'
+    #   plugin :render, template_opts: {engine_class: Erubi::CaptureBlockEngine}
+    #
+    # See the Erubi documentation for how to capture data inside the block.  Make sure
+    # the method call (+some_method+ in the example) returns the output you want added
+    # to the rendered body.
+    #
     # == Directly Inject Template Output
     #
     # You can switch from a <tt><%=</tt> tag to using a <tt><%</tt> tag:

data/lib/roda/plugins/route_csrf.rb

@@ -172,7 +172,7 @@ class Roda
       # a valid CSRF token was not provided.
       class InvalidToken < RodaError; end
 
-      def self.load_dependencies(app, opts=OPTS)
+      def self.load_dependencies(app, opts=OPTS, &_)
         app.plugin :_base64
       end
 

data/lib/roda/plugins/sessions.rb

@@ -476,7 +476,7 @@ class Roda
           serialized_data << json_data
 
           cipher_secret = opts[:cipher_secret]
-          if per_cookie_secret = opts[:per_cookie_cipher_secret]
+          if opts[:per_cookie_cipher_secret]
             version = "\1"
             per_cookie_secret_base = SecureRandom.random_bytes(32)
             cipher_secret = OpenSSL::HMAC.digest(OpenSSL::Digest::SHA256.new, cipher_secret, per_cookie_secret_base)

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 80
+  RodaMinorVersion = 82
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.80.0
+  version: 3.82.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-05-10 00:00:00.000000000 Z
+date: 2024-07-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -122,20 +122,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: sassc
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: json
   requirement: !ruby/object:Gem::Requirement
@@ -255,6 +241,8 @@ extra_rdoc_files:
 - doc/release_notes/3.79.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.80.0.txt
+- doc/release_notes/3.81.0.txt
+- doc/release_notes/3.82.0.txt
 - doc/release_notes/3.9.0.txt
 files:
 - CHANGELOG
@@ -342,6 +330,8 @@ files:
 - doc/release_notes/3.79.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.80.0.txt
+- doc/release_notes/3.81.0.txt
+- doc/release_notes/3.82.0.txt
 - doc/release_notes/3.9.0.txt
 - lib/roda.rb
 - lib/roda/cache.rb
@@ -507,7 +497,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.9
+rubygems_version: 3.5.11
 signing_key:
 specification_version: 4
 summary: Routing tree web toolkit