roda 3.82.0 → 3.84.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/roda/plugins/assume_ssl.rb +28 -0
- data/lib/roda/plugins/hsts.rb +35 -0
- data/lib/roda/plugins/multi_public.rb +3 -3
- data/lib/roda/plugins/public.rb +1 -1
- data/lib/roda/plugins/timestamp_public.rb +1 -1
- data/lib/roda/plugins/typecast_params.rb +1 -1
- data/lib/roda/response.rb +1 -1
- data/lib/roda/version.rb +1 -1
- metadata +5 -177
- data/CHANGELOG +0 -687
- data/README.rdoc +0 -1136
- data/doc/conventions.rdoc +0 -177
- data/doc/release_notes/3.0.0.txt +0 -84
- data/doc/release_notes/3.1.0.txt +0 -24
- data/doc/release_notes/3.10.0.txt +0 -132
- data/doc/release_notes/3.11.0.txt +0 -54
- data/doc/release_notes/3.12.0.txt +0 -19
- data/doc/release_notes/3.13.0.txt +0 -38
- data/doc/release_notes/3.14.0.txt +0 -36
- data/doc/release_notes/3.14.1.txt +0 -43
- data/doc/release_notes/3.15.0.txt +0 -21
- data/doc/release_notes/3.16.0.txt +0 -52
- data/doc/release_notes/3.17.0.txt +0 -62
- data/doc/release_notes/3.18.0.txt +0 -170
- data/doc/release_notes/3.19.0.txt +0 -229
- data/doc/release_notes/3.2.0.txt +0 -22
- data/doc/release_notes/3.20.0.txt +0 -7
- data/doc/release_notes/3.21.0.txt +0 -5
- data/doc/release_notes/3.22.0.txt +0 -24
- data/doc/release_notes/3.23.0.txt +0 -28
- data/doc/release_notes/3.24.0.txt +0 -14
- data/doc/release_notes/3.25.0.txt +0 -12
- data/doc/release_notes/3.26.0.txt +0 -15
- data/doc/release_notes/3.27.0.txt +0 -15
- data/doc/release_notes/3.28.0.txt +0 -13
- data/doc/release_notes/3.29.0.txt +0 -15
- data/doc/release_notes/3.3.0.txt +0 -291
- data/doc/release_notes/3.30.0.txt +0 -14
- data/doc/release_notes/3.31.0.txt +0 -11
- data/doc/release_notes/3.32.0.txt +0 -42
- data/doc/release_notes/3.33.0.txt +0 -8
- data/doc/release_notes/3.34.0.txt +0 -17
- data/doc/release_notes/3.35.0.txt +0 -12
- data/doc/release_notes/3.36.0.txt +0 -17
- data/doc/release_notes/3.37.0.txt +0 -42
- data/doc/release_notes/3.38.0.txt +0 -5
- data/doc/release_notes/3.39.0.txt +0 -16
- data/doc/release_notes/3.4.0.txt +0 -24
- data/doc/release_notes/3.40.0.txt +0 -24
- data/doc/release_notes/3.41.0.txt +0 -9
- data/doc/release_notes/3.42.0.txt +0 -21
- data/doc/release_notes/3.43.0.txt +0 -34
- data/doc/release_notes/3.44.0.txt +0 -23
- data/doc/release_notes/3.45.0.txt +0 -22
- data/doc/release_notes/3.46.0.txt +0 -19
- data/doc/release_notes/3.47.0.txt +0 -13
- data/doc/release_notes/3.48.0.txt +0 -10
- data/doc/release_notes/3.49.0.txt +0 -18
- data/doc/release_notes/3.5.0.txt +0 -31
- data/doc/release_notes/3.50.0.txt +0 -21
- data/doc/release_notes/3.51.0.txt +0 -20
- data/doc/release_notes/3.52.0.txt +0 -20
- data/doc/release_notes/3.53.0.txt +0 -14
- data/doc/release_notes/3.54.0.txt +0 -48
- data/doc/release_notes/3.55.0.txt +0 -12
- data/doc/release_notes/3.56.0.txt +0 -33
- data/doc/release_notes/3.57.0.txt +0 -34
- data/doc/release_notes/3.58.0.txt +0 -16
- data/doc/release_notes/3.59.0.txt +0 -17
- data/doc/release_notes/3.6.0.txt +0 -21
- data/doc/release_notes/3.60.0.txt +0 -56
- data/doc/release_notes/3.61.0.txt +0 -24
- data/doc/release_notes/3.62.0.txt +0 -41
- data/doc/release_notes/3.63.0.txt +0 -36
- data/doc/release_notes/3.64.0.txt +0 -26
- data/doc/release_notes/3.65.0.txt +0 -12
- data/doc/release_notes/3.66.0.txt +0 -23
- data/doc/release_notes/3.67.0.txt +0 -25
- data/doc/release_notes/3.68.0.txt +0 -21
- data/doc/release_notes/3.69.0.txt +0 -33
- data/doc/release_notes/3.7.0.txt +0 -123
- data/doc/release_notes/3.70.0.txt +0 -19
- data/doc/release_notes/3.71.0.txt +0 -33
- data/doc/release_notes/3.72.0.txt +0 -48
- data/doc/release_notes/3.73.0.txt +0 -33
- data/doc/release_notes/3.74.0.txt +0 -28
- data/doc/release_notes/3.75.0.txt +0 -19
- data/doc/release_notes/3.76.0.txt +0 -18
- data/doc/release_notes/3.77.0.txt +0 -8
- data/doc/release_notes/3.78.0.txt +0 -99
- data/doc/release_notes/3.79.0.txt +0 -148
- data/doc/release_notes/3.8.0.txt +0 -27
- data/doc/release_notes/3.80.0.txt +0 -31
- data/doc/release_notes/3.81.0.txt +0 -24
- data/doc/release_notes/3.82.0.txt +0 -43
- data/doc/release_notes/3.9.0.txt +0 -67
@@ -1,24 +0,0 @@
|
|
1
|
-
= New Features
|
2
|
-
|
3
|
-
* The hmac_paths plugin now supports :until and :seconds options for
|
4
|
-
hmac_path, to create a path that is only valid for a specific amount of
|
5
|
-
time. :until sets a specific time that the path will be valid until,
|
6
|
-
and :seconds makes the path only valid for the given number of seconds.
|
7
|
-
|
8
|
-
hmac_path('/widget/1', until: Time.utc(2100))
|
9
|
-
# => "/dc8b6e56e4cbe7815df7880d42f0e02956b2e4c49881b6060ceb0e49745a540d/t/4102444800/widget/1"
|
10
|
-
|
11
|
-
Requests for the path after the given time will not be matched by
|
12
|
-
r.hmac_path.
|
13
|
-
|
14
|
-
= Other Improvements
|
15
|
-
|
16
|
-
* The early_hints plugin now correctly follows the Rack 3 SPEC when
|
17
|
-
using Rack 3. This was not caught previously because Rack only
|
18
|
-
added official support for early_hints in the last month.
|
19
|
-
|
20
|
-
* Ruby 3.4 backtraces are now parsed correctly in the exception_page
|
21
|
-
plugin.
|
22
|
-
|
23
|
-
* Some plugins that accept a block no longer issue an unused block
|
24
|
-
warning on Ruby 3.4.
|
@@ -1,43 +0,0 @@
|
|
1
|
-
= New Features
|
2
|
-
|
3
|
-
* A :zstd option has been added to the public and multi_public
|
4
|
-
plugins to support serving zstd-compressed files with a .zst
|
5
|
-
extension. This option is similar to the existing :gzip and
|
6
|
-
:brotli plugin options. Chrome started supporting zstd encoding
|
7
|
-
in March.
|
8
|
-
|
9
|
-
* An :encodings option has been added to the public and multi_public
|
10
|
-
plugins, for more control over how encodings are handled. This
|
11
|
-
allows for changing the order in which encodings are attempted, the
|
12
|
-
use of custom encodings, and the use of different file extensions
|
13
|
-
for encodings. Example:
|
14
|
-
|
15
|
-
plugin :public, encodings: {'zstd'=>'.zst', 'deflate'=>'.deflate'}
|
16
|
-
|
17
|
-
If the :encodings option is not provided, the :zstd, :brotli, and
|
18
|
-
:gzip options are used to build an equivalent :encodings option.
|
19
|
-
|
20
|
-
= Other Improvements
|
21
|
-
|
22
|
-
* The capture_erb plugin now integrates better when using
|
23
|
-
erubi/capture_block for <%= method do %> support in ERB templates,
|
24
|
-
using the native capture method provided by the buffer object.
|
25
|
-
|
26
|
-
* Encoding handling has been more optimized in the public plugin.
|
27
|
-
Regexps for the encodings are precomputed, avoiding a regexp
|
28
|
-
allocation per request per encoding attempted. On Ruby 2.4+
|
29
|
-
Regexp#match? is used for better performance. If the
|
30
|
-
Accept-Encoding header is not present, no encoding matching
|
31
|
-
is attemped.
|
32
|
-
|
33
|
-
= Backwards Compatibility
|
34
|
-
|
35
|
-
* The private public_serve_compressed request method in the public
|
36
|
-
plugin now assumes it is called after the encoding is already
|
37
|
-
valid. If you are calling this method in your own code, you now
|
38
|
-
need to perform checks to make sure the client can accept the
|
39
|
-
encoding before calling this method.
|
40
|
-
|
41
|
-
* The :public_gzip and :public_brotli application options are no
|
42
|
-
longer set by the public plugin. The :public_encodings option
|
43
|
-
is now set.
|
data/doc/release_notes/3.9.0.txt
DELETED
@@ -1,67 +0,0 @@
|
|
1
|
-
= New Features
|
2
|
-
|
3
|
-
* A route_csrf plugin has been added. This plugin allows for more
|
4
|
-
control over CSRF protection, since the user can choose where in
|
5
|
-
the routing tree to enforce the protection. Additionally, the
|
6
|
-
route_csrf plugin offers better security than the CSRF protection
|
7
|
-
used by the csrf plugin (which uses the rack_csrf library).
|
8
|
-
|
9
|
-
The route_csrf plugin defaults to allowing only CSRF tokens
|
10
|
-
specific to a given request method and request path, and not
|
11
|
-
allowing generic CSRF tokens (though it does offer optional support
|
12
|
-
for such tokens). Both request-specific and generic CSRF tokens
|
13
|
-
are designed to never leak the CSRF secret key, making it more
|
14
|
-
difficult to forge valid CSRF tokens. Additionally, the plugin
|
15
|
-
offers optional support for accepting rack_csrf tokens, which
|
16
|
-
should only be enabled during a short transition period.
|
17
|
-
|
18
|
-
Some differences between the route_csrf plugin and the older
|
19
|
-
csrf plugin:
|
20
|
-
|
21
|
-
* route_csrf supports and by default only allows CSRF tokens
|
22
|
-
specific to request method and request path, as mentioned
|
23
|
-
above. You can use the require_request_specific_tokens: false
|
24
|
-
option to allow generic CSRF tokens.
|
25
|
-
|
26
|
-
* route_csrf does not check the HTTP header by default, it
|
27
|
-
only checks the header if the :check_header option is set.
|
28
|
-
The :check_header option can be set to true to check both
|
29
|
-
the parameter and the header, or set to :only to only check
|
30
|
-
the header.
|
31
|
-
|
32
|
-
* route_csrf raises by default for invalid CSRF tokens. rack_csrf
|
33
|
-
returns an empty 403 response in that case. You can use the
|
34
|
-
error_handler plugin to handle the
|
35
|
-
Roda::RodaPlugins::RouteCsrf::InvalidToken exceptions, or you
|
36
|
-
can use the csrf_failure: :empty_403 option if you would like
|
37
|
-
the csrf plugin default behavior. The plugin also accepts a
|
38
|
-
block for configurable failure behavior.
|
39
|
-
|
40
|
-
* route_csrf does not use a middleware, as it is designed to give
|
41
|
-
more control. In order to enforce the CSRF protection, you need
|
42
|
-
to call check_csrf! in your routing tree at the appropriate
|
43
|
-
place. If you are not sure where to add it, add it to the top
|
44
|
-
of the routing tree, after the public or assets routes if you
|
45
|
-
are using those plugins:
|
46
|
-
|
47
|
-
route do
|
48
|
-
r.public
|
49
|
-
r.assets
|
50
|
-
check_csrf!
|
51
|
-
|
52
|
-
# ...
|
53
|
-
end
|
54
|
-
|
55
|
-
The check_csrf! method accepts an options hash, which can be used
|
56
|
-
to override the plugin options on a per-call basis.
|
57
|
-
|
58
|
-
* The csrf_token/csrf_tag methods take an optional path and method
|
59
|
-
arguments. If a path is given, the method defaults to POST, and
|
60
|
-
the resulting CSRF token can only be used to submit forms for the
|
61
|
-
path and method. If a path is not given, the resulting CSRF token
|
62
|
-
will be generic, but it will only work if the plugin has been
|
63
|
-
configured to allow generic CSRF tokens.
|
64
|
-
|
65
|
-
* A csrf_path method is available for easily taking a form action
|
66
|
-
string and returning an appropriate path to pass to the csrf_token
|
67
|
-
or csrf_tag methods.
|