roda 3.83.0 → 3.84.0

data/doc/release_notes/3.81.0.txt

@@ -1,24 +0,0 @@
-= New Features
-
-* The hmac_paths plugin now supports :until and :seconds options for
-  hmac_path, to create a path that is only valid for a specific amount of
-  time.  :until sets a specific time that the path will be valid until,
-  and :seconds makes the path only valid for the given number of seconds.
-
-    hmac_path('/widget/1', until: Time.utc(2100))
-    # =>  "/dc8b6e56e4cbe7815df7880d42f0e02956b2e4c49881b6060ceb0e49745a540d/t/4102444800/widget/1"
-
-  Requests for the path after the given time will not be matched by
-  r.hmac_path.
-
-= Other Improvements
-
-* The early_hints plugin now correctly follows the Rack 3 SPEC when
-  using Rack 3.  This was not caught previously because Rack only
-  added official support for early_hints in the last month.
-
-* Ruby 3.4 backtraces are now parsed correctly in the exception_page
-  plugin.
-
-* Some plugins that accept a block no longer issue an unused block
-  warning on Ruby 3.4.

data/doc/release_notes/3.82.0.txt

@@ -1,43 +0,0 @@
-= New Features
-
-* A :zstd option has been added to the public and multi_public
-  plugins to support serving zstd-compressed files with a .zst
-  extension. This option is similar to the existing :gzip and
-  :brotli plugin options.  Chrome started supporting zstd encoding
-  in March.
-
-* An :encodings option has been added to the public and multi_public
-  plugins, for more control over how encodings are handled.  This
-  allows for changing the order in which encodings are attempted, the
-  use of custom encodings, and the use of different file extensions
-  for encodings.  Example:
-
-    plugin :public, encodings: {'zstd'=>'.zst', 'deflate'=>'.deflate'}
-
-  If the :encodings option is not provided, the :zstd, :brotli, and
-  :gzip options are used to build an equivalent :encodings option.
-
-= Other Improvements
-
-* The capture_erb plugin now integrates better when using
-  erubi/capture_block for <%= method do %> support in ERB templates,
-  using the native capture method provided by the buffer object.
-
-* Encoding handling has been more optimized in the public plugin.
-  Regexps for the encodings are precomputed, avoiding a regexp
-  allocation per request per encoding attempted. On Ruby 2.4+
-  Regexp#match? is used for better performance.  If the
-  Accept-Encoding header is not present, no encoding matching
-  is attemped.
-
-= Backwards Compatibility
-
-* The private public_serve_compressed request method in the public
-  plugin now assumes it is called after the encoding is already
-  valid. If you are calling this method in your own code, you now
-  need to perform checks to make sure the client can accept the
-  encoding before calling this method.
-
-* The :public_gzip and :public_brotli application options are no
-  longer set by the public plugin.  The :public_encodings option
-  is now set.

data/doc/release_notes/3.83.0.txt

@@ -1,6 +0,0 @@
-= New Features
-
-* An assume_ssl plugin has been added.  This plugin is designed for
-  cases where the application is being fronted by an SSL-terminating
-  reverse proxy that does not set the X-Forwarded-Proto or similar
-  header to indicate it is forwarding an SSL request.

data/doc/release_notes/3.9.0.txt

@@ -1,67 +0,0 @@
-= New Features
-
-* A route_csrf plugin has been added.  This plugin allows for more
-  control over CSRF protection, since the user can choose where in
-  the routing tree to enforce the protection.  Additionally, the
-  route_csrf plugin offers better security than the CSRF protection
-  used by the csrf plugin (which uses the rack_csrf library).
-
-  The route_csrf plugin defaults to allowing only CSRF tokens
-  specific to a given request method and request path, and not
-  allowing generic CSRF tokens (though it does offer optional support
-  for such tokens).  Both request-specific and generic CSRF tokens
-  are designed to never leak the CSRF secret key, making it more
-  difficult to forge valid CSRF tokens.  Additionally, the plugin
-  offers optional support for accepting rack_csrf tokens, which
-  should only be enabled during a short transition period.
-
-  Some differences between the route_csrf plugin and the older
-  csrf plugin:
-
-  * route_csrf supports and by default only allows CSRF tokens
-    specific to request method and request path, as mentioned
-    above.  You can use the require_request_specific_tokens: false
-    option to allow generic CSRF tokens.
-
-  * route_csrf does not check the HTTP header by default, it
-    only checks the header if the :check_header option is set.
-    The :check_header option can be set to true to check both
-    the parameter and the header, or set to :only to only check
-    the header.
-
-  * route_csrf raises by default for invalid CSRF tokens.  rack_csrf
-    returns an empty 403 response in that case.  You can use the
-    error_handler plugin to handle the
-    Roda::RodaPlugins::RouteCsrf::InvalidToken exceptions, or you
-    can use the csrf_failure: :empty_403 option if you would like
-    the csrf plugin default behavior.  The plugin also accepts a
-    block for configurable failure behavior.
-
-  * route_csrf does not use a middleware, as it is designed to give
-    more control. In order to enforce the CSRF protection, you need
-    to call check_csrf! in your routing tree at the appropriate
-    place.  If you are not sure where to add it, add it to the top
-    of the routing tree, after the public or assets routes if you
-    are using those plugins:
-
-      route do
-        r.public
-        r.assets
-        check_csrf!
-
-        # ...
-      end
-
-    The check_csrf! method accepts an options hash, which can be used
-    to override the plugin options on a per-call basis.
-
-  * The csrf_token/csrf_tag methods take an optional path and method
-    arguments.  If a path is given, the method defaults to POST, and
-    the resulting CSRF token can only be used to submit forms for the
-    path and method.  If a path is not given, the resulting CSRF token
-    will be generic, but it will only work if the plugin has been
-    configured to allow generic CSRF tokens.
-
-  * A csrf_path method is available for easily taking a form action
-    string and returning an appropriate path to pass to the csrf_token
-    or csrf_tag methods.