roda 3.85.0 → 3.87.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a862ed0414bf90081e744ed7c50ac19806f141ebeae8c699d5f96b9a4e718e10
-  data.tar.gz: b1fcd622255d24044ba7f26c2c3f35e5fc8ea7f30b2ba577bec5fe306ca75c76
+  metadata.gz: bee7ae126ad0e6e8081bba94be0ad60e2a5f7523c483b2441571549b1bd29274
+  data.tar.gz: f5441e96617877d1347f4a5b6e54e5d48713ffc91a8ad3b9282781c0c26ca108
 SHA512:
-  metadata.gz: '086d21f564d66b14fafabbb99c6d670559c12fed91105c1acb9e5e9147623bf15de0730d35f2b5bd098a6e26aba0d6a73497a914ee23d97d8cb58dbbf0f6dd5b'
-  data.tar.gz: 713dee3419ce7bf52742d7da6be4243c393b393aeb5762dcd0dc61a58d691e586226636b5df687e56e0dd280a89930a18b1e32f3c9b499516afc461cf92fcf4c
+  metadata.gz: 141408b4d85e7467c0b753c05180201b1a63a3096f713241b94d379bad8d65224d96f1d60978ac336a7d8b9fb3093f35c1d2887d422276cf255cd1c64c557719
+  data.tar.gz: a64207e6d0a46d22c59bc0acc9d56ed43f4dbc75a9d22737908097564a2e4e801f3c19fd3bf95a28722dbf4a828d9930146dd088e421847709948d3a8f2cf24b

data/lib/roda/plugins/autoload_hash_branches.rb

@@ -68,7 +68,7 @@ class Roda
 
         # Eagerly load all hash branches when freezing the application.
         def freeze
-          opts.delete(:autoload_hash_branch_files).each{|file| require file}
+          opts.delete(:autoload_hash_branch_files).each{|file| require file} unless opts.frozen?
           super
         end
       end

data/lib/roda/plugins/autoload_named_routes.rb

@@ -54,7 +54,7 @@ class Roda
 
         # Eagerly load all autoloaded named routes when freezing the application.
         def freeze
-          opts.delete(:autoload_named_route_files).each{|file| require file}
+          opts.delete(:autoload_named_route_files).each{|file| require file} unless opts.frozen?
           super
         end
       end

data/lib/roda/plugins/conditional_sessions.rb

@@ -0,0 +1,67 @@
+# frozen-string-literal: true
+
+class Roda
+  module RodaPlugins
+    # The conditional_sessions plugin loads the sessions plugin.  However,
+    # it only allows sessions if the block passed to the plugin returns
+    # truthy.  The block is evaluated in request context. This is designed for
+    # use in applications that want to use sessions for some requests,
+    # and want to be sure that sessions are not used for other requests.
+    # For example, if you want to make sure that sessions are not used for
+    # requests with paths starting with /static, you could do:
+    #
+    #   plugin :conditional_sessions, secret: ENV["SECRET"] do
+    #     !path_info.start_with?('/static')
+    #   end
+    #
+    # The the request session, session_created_at, and session_updated_at methods
+    # raise a RodaError exception when sessions are not allowed.  The request
+    # persist_session and route scope clear_session methods do nothing when
+    # sessions are not allowed.
+    module ConditionalSessions
+      # Pass all options to the sessions block, and use the block to define
+      # a request method for whether sessions are allowed.
+      def self.load_dependencies(app, opts=OPTS, &block)
+        app.plugin :sessions, opts
+        app::RodaRequest.class_eval do
+          define_method(:use_sessions?, &block)
+          alias use_sessions? use_sessions?
+        end
+      end
+
+      module InstanceMethods
+        # Do nothing if not using sessions.
+        def clear_session
+          super if @_request.use_sessions?
+        end
+      end
+
+      module RequestMethods
+        # Raise RodaError if not using sessions.
+        def session
+          raise RodaError, "session called on request not using sessions" unless use_sessions?
+          super
+        end
+
+        # Raise RodaError if not using sessions.
+        def session_created_at
+          raise RodaError, "session_created_at called on request not using sessions" unless use_sessions?
+          super
+        end
+
+        # Raise RodaError if not using sessions.
+        def session_updated_at
+          raise RodaError, "session_updated_at called on request not using sessions" unless use_sessions?
+          super
+        end
+
+        # Do nothing if not using sessions.
+        def persist_session(headers, session)
+          super if use_sessions?
+        end
+      end
+    end
+
+    register_plugin(:conditional_sessions, ConditionalSessions)
+  end
+end

data/lib/roda/plugins/content_security_policy.rb

@@ -92,7 +92,10 @@ class Roda
     #   content_security_policy.get_script_src
     #   # => [:self, :unsafe_eval, 'example.com', [:nonce, 'foobarbaz']]
     #
-    # The clear method can be used to remove all settings from the policy.
+    # The clear method can be used to remove all settings from the policy. Empty policies
+    # do not set any headers. You can use +response.skip_content_security_policy!+ to skip
+    # setting a policy.  This is faster than calling +content_security_policy.clear+, since
+    # it does not duplicate the default policy.
     #
     # The following methods to set boolean settings are also defined:
     #
@@ -304,12 +307,19 @@ class Roda
           @content_security_policy ||= roda_class.opts[:content_security_policy].dup
         end
 
+        # Do not set a content security policy header for this response.
+        def skip_content_security_policy!
+          @skip_content_security_policy = true
+        end
+
         private
 
         # Set the appropriate content security policy header.
         def set_default_headers
           super
-          (@content_security_policy || roda_class.opts[:content_security_policy]).set_header(headers)
+          unless @skip_content_security_policy
+            (@content_security_policy || roda_class.opts[:content_security_policy]).set_header(headers)
+          end
         end
       end
     end

data/lib/roda/plugins/custom_block_results.rb

@@ -28,7 +28,16 @@ class Roda
     #
     # Note that custom block result handling only occurs if the types
     # are not handled by Roda itself.  You cannot use this to modify
-    # the handling of nil, false, or string results.
+    # the handling of nil, false, or string results.  Additionally,
+    # if the response body has already been written to before the the
+    # route block exits, then the result of the block is ignored,
+    # and the related +handle_block_result+ block will not be called
+    # (this is standard Roda behavior).
+    # 
+    # The return value of the +handle_block_result+ block is written
+    # to the body if the block return value is a String, similar to
+    # standard Roda handling of block results.  Non-String return
+    # values are ignored.
     module CustomBlockResults
       def self.configure(app)
         app.opts[:custom_block_results] ||= {}
@@ -55,7 +64,15 @@ class Roda
         # to get the block result.
         def unsupported_block_result(result)
           roda_class.opts[:custom_block_results].each do |klass, meth|
-            return scope.send(meth, result) if klass === result
+            if klass === result
+              result = scope.send(meth, result)
+
+              if String === result
+                return result
+              else
+                return
+              end
+            end
           end
 
           super

data/lib/roda/plugins/early_hints.rb

@@ -4,8 +4,7 @@
 class Roda
   module RodaPlugins
     # The early_hints plugin allows sending 103 Early Hints responses
-    # using the rack.early_hints environment variable.  Currently, this
-    # is only supported by puma 3.11+, and on other servers this is a no-op.
+    # using the rack.early_hints environment variable.
     # Early hints allow clients to preload necessary files before receiving
     # the response.
     module EarlyHints

data/lib/roda/plugins/header_matchers.rb

@@ -51,7 +51,8 @@ class Roda
 
         # Match if the given uppercase key is present inside the environment.
         def match_header(key)
-          key = key.upcase.tr("-","_")
+          key = key.upcase
+          key.tr!("-","_")
           unless key == "CONTENT_TYPE" || key == "CONTENT_LENGTH"
             key = "HTTP_#{key}"
           end
@@ -75,8 +76,8 @@ class Roda
         # Match the submitted user agent to the given pattern, capturing any
         # regexp match groups.
         def match_user_agent(pattern)
-          if (user_agent = @env["HTTP_USER_AGENT"]) && user_agent.to_s =~ pattern
-            @captures.concat($~[1..-1])
+          if (user_agent = @env["HTTP_USER_AGENT"]) && (match = pattern.match(user_agent))
+            @captures.concat(match.captures)
           end
         end
       end

data/lib/roda/plugins/host_routing.rb

@@ -0,0 +1,190 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The host_routing plugin adds support for more routing requests based on
+    # the requested host.  It also adds predicate methods for checking
+    # whether a request was requested with the given host.
+    #
+    # When loading the plugin, you pass a block, which is used for configuring
+    # the plugin.  For example, if you want to treat requests to api.example.com
+    # or api2.example.com as api requests, and treat other requests as www
+    # requests, you could use:
+    #
+    #   plugin :host_routing do |hosts|
+    #     hosts.to :api, "api.example.com", "api2.example.com"
+    #     hosts.default :www
+    #   end
+    #
+    # With this configuration, in your routing tree, you can call the +r.api+ and
+    # +r.www+ methods for dispatching to routing blocks only for those types of
+    # requests:
+    #
+    #   route do |r|
+    #     r.api do
+    #       # requests to api.example.com or api2.example.com
+    #     end
+    #
+    #     r.www do
+    #       # requests to other domains
+    #     end
+    #   end
+    #
+    # In addition to the routing methods, predicate methods are also added to the
+    # request object:
+    #
+    #   route do |r|
+    #     "#{r.api?}-#{r.www?}"
+    #   end
+    #   # Requests to api.example.com or api2.example.com return "true-false"
+    #   # Other requests return "false-true"
+    #
+    # If the +:scope_predicates+ plugin option is given, predicate methods are also
+    # created in route block scope:
+    #
+    #   plugin :host_routing, scope_predicates: true do |hosts|
+    #     hosts.to :api, "api.example.com"
+    #     hosts.default :www
+    #   end
+    #
+    #   route do |r|
+    #     "#{api?}-#{www?}"
+    #   end
+    #
+    # To handle hosts that match a certain format (such as all subdomains),
+    # where the specific host names are not known up front, you can provide a block
+    # when calling +hosts.default+. This block is passed the host name, or an empty
+    # string if no host name is provided, and is evaluated in route block scope.
+    # When using this support, you should also call +hosts.register+
+    # to register host types that could be returned by the block.  For example, to
+    # handle api subdomains differently:
+    #
+    #   plugin :host_routing do |hosts|
+    #     hosts.to :api, "api.example.com"
+    #     hosts.register :api_sub
+    #     hosts.default :www do |host|
+    #       :api_sub if host.end_with?(".api.example.com")
+    #     end
+    #   end
+    #
+    # This plugin uses the host method on the request to get the hostname (this method
+    # is defined by Rack).
+    module HostRouting
+      # Setup the host routing support.  The block yields an object used to
+      # configure the plugin.  Options:
+      #
+      # :scope_predicates :: Setup predicate methods in route block scope
+      #                      in addition to request scope.
+      def self.configure(app, opts=OPTS, &block)
+        hosts, host_hash, default_block, default_host = DSL.new.process(&block)
+        app.opts[:host_routing_hash] = host_hash
+        app.opts[:host_routing_default_host] = default_host
+
+        app.send(:define_method, :_host_routing_default, &default_block) if default_block
+
+        app::RodaRequest.class_exec do
+          hosts.each do |host|
+            host_sym = host.to_sym
+            define_method(host_sym){|&blk| always(&blk) if _host_routing_host == host}
+            alias_method host_sym, host_sym
+
+            meth = :"#{host}?"
+            define_method(meth){_host_routing_host == host}
+            alias_method meth, meth
+          end
+        end
+
+        if opts[:scope_predicates]
+          app.class_exec do
+            hosts.each do |host|
+              meth = :"#{host}?"
+              define_method(meth){@_request.send(meth)}
+              alias_method meth, meth
+            end
+          end
+        end
+      end
+
+      class DSL
+        def initialize
+          @hosts = []
+          @host_hash = {}
+        end
+
+        # Run the DSL for the given block.
+        def process(&block)
+          instance_exec(self, &block)
+
+          if !@default_host
+            raise RodaError, "must call default method inside host_routing plugin block to set default host"
+          end
+
+          @hosts.concat(@host_hash.values)
+          @hosts << @default_host
+          @hosts.uniq!
+          [@hosts.freeze, @host_hash.freeze, @default_block, @default_host].freeze
+        end
+        
+        # Register hosts that can be returned.  This is only needed if
+        # calling register with a block, where the block can return
+        # a value that doesn't match a host given to +to+ or +default+.
+        def register(*hosts)
+          @hosts = hosts
+        end
+
+        # Treat all given hostnames as routing to the give host.
+        def to(host, *hostnames)
+          hostnames.each do |hostname|
+            @host_hash[hostname] = host
+          end
+        end
+
+        # Register the default hostname.  If a block is provided, it is
+        # called with the host if there is no match for one of the hostnames
+        # provided to +to+.  If the block returns nil/false, the hostname
+        # given to this method is used.
+        def default(hostname, &block)
+          @default_host = hostname
+          @default_block = block
+        end
+      end
+      private_constant :DSL
+
+      module InstanceMethods
+        # Handle case where plugin is used without providing a block to
+        # +hosts.default+.  This returns nil, ensuring that the hostname
+        # provided to +hosts.default+ will be used.
+        def _host_routing_default(_)
+          nil
+        end
+      end
+
+      module RequestMethods
+        private
+
+        # Cache the host to use in the host routing support, so the processing
+        # is only done once per request.
+        def _host_routing_host
+          @_host_routing_host ||= _get_host_routing_host
+        end
+
+        # Determine the host to use for the host routing support.  Tries the
+        # following, in order:
+        #
+        # * An exact match for a hostname given in +hosts.to+
+        # * The return value of the +hosts.default+ block, if given
+        # * The default value provided in the +hosts.default+ call
+        def _get_host_routing_host
+          host = self.host || ""
+
+          roda_class.opts[:host_routing_hash][host] ||
+            scope._host_routing_default(host) ||
+            roda_class.opts[:host_routing_default_host]
+        end
+      end
+    end
+
+    register_plugin(:host_routing, HostRouting)
+  end
+end

data/lib/roda/plugins/permissions_policy.rb

@@ -99,7 +99,10 @@ class Roda
     #   permissions_policy.get_fullscreen
     #   # => [:self, "https://example.com", "https://*.example.com"]
     #
-    # The clear method can be used to remove all settings from the policy.
+    # The clear method can be used to remove all settings from the policy. Empty policies
+    # do not set any headers. You can use +response.skip_permissions_policy!+ to skip
+    # setting a policy.  This is faster than calling +permissions_policy.clear+, since
+    # it does not duplicate the default policy.
     module PermissionsPolicy
       SUPPORTED_SETTINGS = %w'
       accelerometer
@@ -311,12 +314,19 @@ class Roda
           @permissions_policy ||= roda_class.opts[:permissions_policy].dup
         end
 
+        # Do not set a permissions policy header for this response.
+        def skip_permissions_policy!
+          @skip_permissions_policy = true
+        end
+
         private
 
         # Set the appropriate permissions policy header.
         def set_default_headers
           super
-          (@permissions_policy || roda_class.opts[:permissions_policy]).set_header(headers)
+          unless @skip_permissions_policy
+            (@permissions_policy || roda_class.opts[:permissions_policy]).set_header(headers)
+          end
         end
       end
     end

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 85
+  RodaMinorVersion = 87
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.85.0
+  version: 3.87.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-10-11 00:00:00.000000000 Z
+date: 2024-12-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -186,6 +186,7 @@ files:
 - lib/roda/plugins/class_level_routing.rb
 - lib/roda/plugins/class_matchers.rb
 - lib/roda/plugins/common_logger.rb
+- lib/roda/plugins/conditional_sessions.rb
 - lib/roda/plugins/content_for.rb
 - lib/roda/plugins/content_security_policy.rb
 - lib/roda/plugins/cookie_flags.rb
@@ -224,6 +225,7 @@ files:
 - lib/roda/plugins/hmac_paths.rb
 - lib/roda/plugins/hooks.rb
 - lib/roda/plugins/host_authorization.rb
+- lib/roda/plugins/host_routing.rb
 - lib/roda/plugins/hsts.rb
 - lib/roda/plugins/indifferent_params.rb
 - lib/roda/plugins/inject_erb.rb
@@ -326,7 +328,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.16
+rubygems_version: 3.5.22
 signing_key:
 specification_version: 4
 summary: Routing tree web toolkit