roda 3.10.0 → 3.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0fa178463d549cd2a8826a8601eccc793e2a3b5a6bb34293ce8511fb8d357128
-  data.tar.gz: 5b099180432b7efc3bc4839883367a454c876d9a2e6809f533f970e83bd32d0d
+  metadata.gz: b7fc4e03ddcb9b4e5fa37af6c0a151aef49965ef251d8ab177e7b530ec034529
+  data.tar.gz: 78ab54340363d9b963496e143809ca9f809c619d25f98faa08b08f9e3790ae19
 SHA512:
-  metadata.gz: e7ec971ff829c784c21c9660b7964f79755841501449c6372260510a367482a9dde5131bf6b488eadefdd24403f7a19576c8d1176d8d8306fecc861388fb9f7f
-  data.tar.gz: 7fe25ba12cceccf1b59d9993d4972c0ffb2df2b78b68716f7708ecc58d131bc0858d9b7a1b87ac34bb88a05b57aeb6f0fb68beac648bbdfe2f7c0c3c6933def9
+  metadata.gz: 56b9bb6e1e03cfa079457238d532d9223fdd6adef8438954dfd601afb68b384945b528c2606a3100881f3154e94024ae46f286364c41fce4c23af624a1ebcee3
+  data.tar.gz: 3856d03202576bd35465b29e975bb84fe23780695b87442c3ba8b09b7e36deb19cddf6a4ea5299249baf21c9e7b62b61e681221580b6d7a5af6b84858395d8a0

data/CHANGELOG

@@ -1,3 +1,11 @@
+= 3.11.0 (2018-08-15)
+
+* Disable default compression of sessions over 128 bytes in the sessions plugin (jeremyevans)
+
+* Log but otherwise ignore exceptions raised by after processing of error handler response (jeremyevans)
+
+* Modify internal before/after processing to avoid plugin load order issues (jeremyevans)
+
 = 3.10.0 (2018-07-18)
 
 * Remove flash key from session if new flash is empty when rotating flash (jeremyevans)

data/doc/release_notes/3.11.0.txt

@@ -0,0 +1,54 @@
+= Improvements
+
+* The order in which internal plugin before and after hooks are run
+  when multiple plugins are loaded is now fixed and does not depend
+  on the order in which the plugins are loaded.  This can prevent
+  some issues in cases the plugins were not loaded in the order
+  previously recommended in the documentation.
+
+  Internal plugin before hooks are now run in the following order:
+
+  * hooks
+  * heartbeat
+  * static_routing
+
+  and internal plugin after hooks are now run in the following order:
+
+  * class_level_routing
+  * status_handler
+  * head
+  * flash
+  * session
+  * hooks
+
+* Default compression of sessions over 128 bytes in length has been
+  disabled in the sessions plugin.  Compression of sessions must now
+  be manually enabled if it is desired by setting :gzip_over to an
+  integer.
+
+  This change is being made to avoid possible compression ratio
+  attacks if both sensitive data and user-submitted data are stored in
+  the session.  Such attacks were mitigated by the sessions plugin's
+  default use of padding after compression, and the JSON serialization
+  format used, but disabling compression avoids the possibility.
+
+  This does not affect backwards compatibility, as compressed sessions
+  will still be decompressed correctly, unless the size of the session
+  cookie when not using compression is over 4096 bytes.
+
+= Backwards Compatibility
+
+* When using the error_handler plugin, if routing raises an exception that
+  is handled by the error handler, but an exception is raised by a plugin
+  internal after hook after the error handler has been run, the exception
+  will be logged to the rack.errors entry in the environment, but it will
+  be otherwise ignored.
+
+  Exceptions raised inside the error handler will continue to be be raised
+  to the application's caller.
+
+  Additionally, the error_handler plugin no longers call before hooks
+  during error handling.
+
+* A private Roda#_call method has been added.  This could potentially
+  cause issues for applications that add their own _call method.

data/lib/roda.rb

@@ -239,6 +239,7 @@ class Roda
         # Build the rack app to use
         def build_rack_app
           if block = @route_block
+            block = rack_app_route_block(block)
             app = lambda{|env| new(env).call(&block)}
             @middleware.reverse_each do |args, bl|
               mid, *args = args
@@ -248,6 +249,12 @@ class Roda
             @app = app
           end
         end
+
+        # The route block to use when building the rack app.
+        # Can be modified by plugins.
+        def rack_app_route_block(block)
+          block
+        end
       end
 
       # Instance methods for the Roda class.
@@ -277,6 +284,10 @@ class Roda
           end
         end
 
+        # Private alias for internal use
+        alias _call call
+        private :_call
+
         # The environment hash for the current request. Example:
         #
         #   env['REQUEST_METHOD'] # => 'GET'

data/lib/roda/plugins/_after_hook.rb

@@ -0,0 +1,35 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # Internal after hook module, not for external use.
+    # Allows for plugins to configure the order in which
+    # after processing is done by using _roda_after_*
+    # private instance methods that are called in sorted order.
+    module AfterHook # :nodoc:
+      module ClassMethods
+        # Rebuild the _roda_after method whenever a plugin might
+        # have added a _roda_after_* method.
+        def include(*)
+          res = super
+          meths = private_instance_methods.grep(/\A_roda_after_\d\d\z/).sort.map{|s| "#{s}(res)"}.join(';')
+          class_eval("def _roda_after(res); #{meths} end", __FILE__, __LINE__)
+          private :_roda_after
+          res
+        end
+      end
+
+      module InstanceMethods
+        # Run internal after hooks with the response
+        def call
+          res = super
+        ensure
+          _roda_after(res)
+        end
+      end
+    end
+
+    register_plugin(:_after_hook, AfterHook)
+  end
+end

data/lib/roda/plugins/_before_hook.rb

@@ -0,0 +1,51 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # Internal before hook module, not for external use.
+    # Allows for plugins to configure the order in which
+    # before processing is done by using _roda_before_*
+    # private instance methods that are called in sorted order.
+    module BeforeHook # :nodoc:
+      # Rebuild the rack app if the rack app already exists,
+      # so the before hooks are setup inside the rack app
+      # route block.
+      def self.configure(app)
+        app.instance_exec do
+          build_rack_app if @app
+        end
+      end
+
+      module ClassMethods
+        # Rebuild the _roda_before method whenever a plugin might
+        # have added a _roda_before_* method.
+        def include(*a)
+          res = super
+          def_roda_before
+          res
+        end
+
+        private
+
+        # Build a _roda_before method that calls each _roda_before_* method
+        # in order.
+        def def_roda_before
+          meths = private_instance_methods.grep(/\A_roda_before_\d\d\z/).sort.join(';')
+          class_eval("def _roda_before; #{meths} end", __FILE__, __LINE__)
+          private :_roda_before
+        end
+
+        # Modify rack app route block to use before hook.
+        def rack_app_route_block(block)
+          lambda do |r|
+            _roda_before
+            instance_exec(r, &block)
+          end
+        end
+      end
+    end
+
+    register_plugin(:_before_hook, BeforeHook)
+  end
+end

data/lib/roda/plugins/class_level_routing.rb

@@ -52,6 +52,10 @@ class Roda
     # the normal +route+ class method to define your routing tree.  This plugin does make it simpler to
     # add additional routes after the routing tree has already been defined, though.
     module ClassLevelRouting
+      def self.load_dependencies(app)
+        app.plugin :_after_hook
+      end
+
       # Initialize the class_routes array when the plugin is loaded.  Also, if the application doesn't
       # currently have a routing block, setup an empty routing block so that things will still work if
       # a routing block isn't added.
@@ -76,28 +80,29 @@ class Roda
       end
 
       module InstanceMethods
+        def initialize(_)
+          super
+          @_original_remaining_path = @_request.remaining_path
+        end
+
+        private
+
         # If the normal routing tree doesn't handle an action, try each class level route
         # to see if it matches.
-        def call
-          req = @_request
-          rp = req.remaining_path
-          result = super
-
-          if result[0] == 404 && (v = result[2]).is_a?(Array) && v.empty?
+        def _roda_after_10(result)
+          if result && result[0] == 404 && (v = result[2]).is_a?(Array) && v.empty?
             # Reset the response so it doesn't inherit the status or any headers from
             # the original response.
             @_response.send(:initialize)
-            super do |r|
+            result.replace(_call do |r|
               opts[:class_level_routes].each do |meth, args, blk|
-                req.instance_variable_set(:@remaining_path, rp)
+                r.instance_variable_set(:@remaining_path, @_original_remaining_path)
                 r.public_send(meth, *args) do |*a|
                   instance_exec(*a, &blk)
                 end
               end
               nil
-            end
-          else
-            result
+            end)
           end
         end
       end

data/lib/roda/plugins/error_handler.rb

@@ -28,7 +28,15 @@ class Roda
     # default status set to 500, before executing the error handler.
     # The error handler can change the response status if necessary,
     # as well set headers and/or write to the body, just like a regular
-    # request.
+    # request.  After the error handler returns a response, normal after
+    # processing of that response occurs, except that an exception during
+    # after processing is logged to <tt>env['rack.errors']</tt> but
+    # otherwise ignored. This avoids recursive calls into the
+    # error_handler.  Note that if the error_handler itself raises
+    # an exception, the exception will be raised without normal after
+    # processing.  This can cause some after processing to run twice
+    # (once before the error_handler is called and once after) if
+    # later after processing raises an exception.
     #
     # By default, this plugin handles StandardError and ScriptError.
     # To override the exception classes it will handle, pass a :classes
@@ -36,6 +44,10 @@ class Roda
     #
     #   plugin :error_handler, classes: [StandardError, ScriptError, NoMemoryError]
     module ErrorHandler
+      def self.load_dependencies(app, *)
+        app.plugin :_after_hook
+      end
+
       DEFAULT_ERROR_HANDLER_CLASSES = [StandardError, ScriptError].freeze
 
       # If a block is given, automatically call the +error+ method on
@@ -66,7 +78,16 @@ class Roda
         rescue *opts[:error_handler_classes] => e
           @_response.send(:initialize)
           @_response.status = 500
-          super{handle_error(e)}
+          res = _call{handle_error(e)}
+          begin
+            _roda_after(res)
+          rescue => e2
+            if errors = env['rack.errors']
+              errors.puts "Error in after hook processing of error handler: #{e2.class}: #{e2.message}"
+              e2.backtrace.each{|line| errors.puts(line)}
+            end
+          end
+          res
         end
 
         private

data/lib/roda/plugins/flash.rb

@@ -36,6 +36,10 @@ class Roda
     #     flash['a'] # = >'b'
     #   end
     module Flash
+      def self.load_dependencies(app)
+        app.plugin :_after_hook
+      end
+
       # Simple flash hash, where assiging to the hash updates the flash
       # used in the following request.
       class FlashHash < DelegateClass(Hash)
@@ -95,11 +99,11 @@ class Roda
           @_flash ||= FlashHash.new(session['_flash'] || (session['_flash'] = session.delete(:_flash)))
         end
 
+        private
+
         # If the routing doesn't raise an error, rotate the flash
         # hash in the session so the next request has access to it.
-        def call
-          res = super
-
+        def _roda_after_40(_)
           if f = @_flash
             f = f.next
             if f.empty?
@@ -108,8 +112,6 @@ class Roda
               session['_flash'] = f
             end
           end
-
-          res
         end
       end
     end

data/lib/roda/plugins/head.rb

@@ -37,6 +37,9 @@ class Roda
     # this plugin those HEAD requests will return a 404 status, which
     # may prevent search engines from crawling your website.
     module Head
+      def self.load_dependencies(app)
+        app.plugin :_after_hook
+      end
 
       # used to ensure proper resource release on HEAD requests
       # we do not respond to a to_path method, here.
@@ -56,11 +59,12 @@ class Roda
       end
 
       module InstanceMethods
+        private
+
         # Always use an empty response body for head requests, with a
         # content length of 0.
-        def call(*)
-          res = super
-          if @_request.head?
+        def _roda_after_30(res)
+          if res && @_request.head?
             body = res[2]
             if body.respond_to?(:close)
               res[2] = CloseLater.new(body)
@@ -68,7 +72,6 @@ class Roda
               res[2] = EMPTY_ARRAY
             end
           end
-          res
         end
       end
 

data/lib/roda/plugins/heartbeat.rb

@@ -16,20 +16,24 @@ class Roda
     module Heartbeat
       HEARTBEAT_RESPONSE = [200, {'Content-Type'=>'text/plain'}.freeze, ['OK'.freeze].freeze].freeze
 
+      def self.load_dependencies(app, opts=OPTS)
+        app.plugin :_before_hook
+      end
+
       # Set the heartbeat path to the given path.
       def self.configure(app, opts=OPTS)
         app.opts[:heartbeat_path] = (opts[:path] || app.opts[:heartbeat_path] || "/heartbeat").dup.freeze
       end
 
       module InstanceMethods
+        private
+
         # If the request is for a heartbeat path, return the heartbeat response.
-        def call
+        def _roda_before_20
           if env['PATH_INFO'] == opts[:heartbeat_path]
             response = HEARTBEAT_RESPONSE.dup
             response[1] = Hash[response[1]]
-            response
-          else
-            super
+            throw :halt, response
           end
         end
       end

data/lib/roda/plugins/hooks.rb

@@ -30,8 +30,14 @@ class Roda
     # Note that the after hook is called with the rack response array
     # of status, headers, and body.  If it wants to change the response,
     # it must mutate this argument, calling <tt>response.status=</tt> inside
-    # an after block will not affect the returned status.
+    # an after block will not affect the returned status. Note that after
+    # hooks can be called with nil if an exception is raised during routing.
     module Hooks
+      def self.load_dependencies(app)
+        app.plugin :_before_hook
+        app.plugin :_after_hook
+      end
+
       def self.configure(app)
         app.opts[:before_hook] ||= nil
         app.opts[:after_hook] ||= nil
@@ -70,21 +76,21 @@ class Roda
       end
 
       module InstanceMethods
-        # Before routing, execute the before hooks, and
-        # execute the after hooks before returning.
-        def call(&block)
-          res = super do |r|
-            if b = opts[:before_hook]
-              instance_exec(&b)
-            end
+        private
 
-            instance_exec(r, &block)
-          end
-        ensure
+        # Run after hooks.
+        def _roda_after_90(res)
           if b = opts[:after_hook]
             instance_exec(res, &b)
           end
         end
+
+        # Run before hooks.
+        def _roda_before_10
+          if b = opts[:before_hook]
+            instance_exec(&b)
+          end
+        end
       end
     end
 

data/lib/roda/plugins/sessions.rb

@@ -21,8 +21,7 @@ class Roda
     # way to support sessions in Roda applications.
     #
     # The session cookies are encrypted with AES-256-CTR and then signed with HMAC-SHA-256.
-    # By default, session data over a certain size is compressed to reduced space, and
-    # is padded to reduce information leaked based on the session size.
+    # By default, session data is padded to reduce information leaked based on the session size.
     #
     # Sessions are serialized via JSON, so session information should only store data that
     # allows roundtrips via JSON (String, Integer, Float, Array, Hash, true, false, and nil).
@@ -34,26 +33,20 @@ class Roda
     # and does not convert all keys to strings.
     #
     # All sessions are timestamped and session expiration is enabled by default, with sessions
-    # being valid for 30 days maximum and 7 days since last use.  Session creation time is
+    # being valid for 30 days maximum and 7 days since last use by default.  Session creation time is
     # reset whenever the session is empty when serialized and also whenever +clear_session+
     # is called while processing the request.
     #
-    # Session secrets can be rotated, and if so both the cipher and HMAC secrets should be
-    # rotated at the same time.  See options below.
+    # Session secrets can be rotated.  See options below.
     #
     # The sessions plugin can transparently upgrade sessions from Rack::Session::Cookie
     # if the default Rack::Session::Cookie coder and HMAC are used, see options below.
     # It is recommended to only enable transparent upgrades for a brief transition period,
     # and remove support for them once old sessions have converted or timed out.
     #
-    # While session data will be compressed by default for sessions over a certain size,
-    # if the final cookie is too large (>=4096 bytes), a Roda::RodaPlugins::Sessions::CookieTooLarge
+    # If the final cookie is too large (>=4096 bytes), a Roda::RodaPlugins::Sessions::CookieTooLarge
     # exception will be raised.
     #
-    # If the flash plugin is used, the sessions plugin should be loaded after the flash
-    # plugin, so that the flash plugin rotates the flash in the session before the sessions
-    # plugin serializes the session.
-    #
     # = Required Options
     #
     # The session cookies this plugin uses are both encrypted and signed, so two separate
@@ -70,7 +63,9 @@ class Roda
     #                    that.  If the +:secure+ option is not present in the hash, then
     #                    <tt>secure: true</tt> is also set if the request is made over HTTPS.  If this option is
     #                    given, it will be merged into the default cookie options.
-    # :gzip_over :: For session data over this many bytes, compress it with the deflate algorithm (default: 128).
+    # :gzip_over :: For session data over this many bytes, compress it with the deflate algorithm (default: nil,
+    #               so never compress).  Note that compression should not be enabled if you are storing data in
+    #               the session derived from user input and also storing sensitive data in the session.
     # :key :: The cookie name to use (default: <tt>'roda.session'</tt>)
     # :max_seconds :: The maximum number of seconds to allow for total session lifetime, starting with when
     #                 the session was originally created.  Default is <tt>86400*30</tt> (30 days). Can be set to
@@ -140,7 +135,7 @@ class Roda
     #                    deflate compression, this contains the deflate compressed data.
     module Sessions
       DEFAULT_COOKIE_OPTIONS = {:httponly=>true, :path=>'/'.freeze, :same_site=>:lax}.freeze
-      DEFAULT_OPTIONS = {:key => 'roda.session'.freeze, :max_seconds=>86400*30, :max_idle_seconds=>86400*7, :pad_size=>32, :gzip_over=>128, :skip_within=>3600}.freeze
+      DEFAULT_OPTIONS = {:key => 'roda.session'.freeze, :max_seconds=>86400*30, :max_idle_seconds=>86400*7, :pad_size=>32, :gzip_over=>nil, :skip_within=>3600}.freeze
       DEFLATE_BIT  = 0x1000
       PADDING_MASK = 0x0fff
       SESSION_CREATED_AT = 'roda.session.created_at'.freeze
@@ -153,6 +148,10 @@ class Roda
       class CookieTooLarge < RodaError
       end
 
+      def self.load_dependencies(app, opts=OPTS)
+        app.plugin :_after_hook
+      end
+
       # Split given secret into a cipher secret and an hmac secret.
       def self.split_secret(name, secret)
         raise RodaError, "sessions plugin :#{name} option must be a String" unless secret.is_a?(String)
@@ -194,19 +193,6 @@ class Roda
       end
 
       module InstanceMethods
-        # If session information has been set in the request environment,
-        # update the rack response headers to set the session cookie in
-        # the response.
-        def call
-          res = super
-
-          if session = env['rack.session']
-            @_request.persist_session(res[1], session)
-          end
-
-          res
-        end
-
         # Clear data from the session, and update the request environment
         # so that the session cookie will use a new creation timestamp
         # instead of the previous creation timestamp.
@@ -216,6 +202,17 @@ class Roda
           env.delete(SESSION_UPDATED_AT)
           nil
         end
+
+        private
+
+        # If session information has been set in the request environment,
+        # update the rack response headers to set the session cookie in
+        # the response.
+        def _roda_after_50(res)
+          if res && (session = env['rack.session'])
+            @_request.persist_session(res[1], session)
+          end
+        end
       end
 
       module RequestMethods
@@ -401,8 +398,9 @@ class Roda
 
           bitmap = 0
           json_length = json_data.bytesize
+          gzip_over = opts[:gzip_over]
 
-          if json_length > opts[:gzip_over]
+          if gzip_over && json_length > gzip_over
             json_data = Zlib.deflate(json_data)
             json_length = json_data.bytesize
             bitmap |= DEFLATE_BIT

data/lib/roda/plugins/static_routing.rb

@@ -48,10 +48,11 @@ class Roda
     # As shown above, you can use Roda's routing tree methods inside the
     # static_route block to have shared behavior for different request methods,
     # while still handling the request methods differently.
-    #
-    # Note that if you want to use the static_routing plugin and the hooks
-    # plugin at the same time, you should load the hooks plugin first.
     module StaticRouting
+      def self.load_dependencies(app)
+        app.plugin :_before_hook
+      end
+
       def self.configure(app)
         app.opts[:static_routes] = {}
       end
@@ -104,15 +105,14 @@ class Roda
       end
 
       module InstanceMethods
+        private
+
         # If there is a static routing method for the given path, call it
         # instead having the routing tree handle the request.
-        def call(&block)
-          super do |r|
-            if route = self.class.static_route_for(r.request_method, r.path_info)
-              r.static_route(&route)
-            else
-              instance_exec(r, &block)
-            end
+        def _roda_before_30
+          r = @_request
+          if route = self.class.static_route_for(r.request_method, r.path_info)
+            r.static_route(&route)
           end
         end
       end

data/lib/roda/plugins/status_handler.rb

@@ -23,6 +23,10 @@ class Roda
     # cleared.  So if you want to be sure the headers are set even in your block,
     # you need to reset them in the block.
     module StatusHandler
+      def self.load_dependencies(app)
+        app.plugin :_after_hook
+      end
+
       def self.configure(app)
         app.opts[:status_handler] ||= {}
       end
@@ -41,15 +45,13 @@ class Roda
       end
 
       module InstanceMethods
-        # If routing returns a response we have a handler for, call that handler.
-        def call
-          result = super
+        private
 
-          if (block = opts[:status_handler][result[0]]) && (v = result[2]).is_a?(Array) && v.empty?
+        # If routing returns a response we have a handler for, call that handler.
+        def _roda_after_20(result)
+          if result && (block = opts[:status_handler][result[0]]) && (v = result[2]).is_a?(Array) && v.empty?
             @_response.headers.clear
-            super(&block)
-          else
-            result
+            result.replace(_call(&block))
           end
         end
       end

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 10
+  RodaMinorVersion = 11
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

data/spec/plugin/error_handler_spec.rb

@@ -144,6 +144,28 @@ describe "error_handler plugin" do
     proc{req}.must_raise(ArgumentError)
   end
 
+  it "logs exceptions during after processing of error handler" do
+    app(:bare) do
+      plugin :error_handler do |e|
+        e.message * 2
+      end
+      plugin :hooks
+
+      after do
+        raise "foo"
+      end
+
+      route do |r|
+        ''
+      end
+    end
+
+    errors = StringIO.new
+    body('rack.errors'=>errors).must_equal 'foofoo'
+    errors.rewind
+    errors.read.split("\n").first.must_equal "Error in after hook processing of error handler: RuntimeError: foo"
+  end
+
   it "has access to current remaining_path" do
     app(:bare) do
       plugin :error_handler do |e|

data/spec/plugin/flash_spec.rb

@@ -3,47 +3,49 @@ require_relative "../spec_helper"
 describe "flash plugin" do 
   include CookieJar
 
-  it "flash.now[] sets flash for current page" do
-    app(:bare) do
-      send(*DEFAULT_SESSION_ARGS)
-      plugin :flash
-
-      route do |r|
-        r.on do
-          flash.now['a'] = 'b'
-          flash['a']
+  [lambda{send(*DEFAULT_SESSION_ARGS); plugin :flash},
+   lambda{plugin :flash; send(*DEFAULT_SESSION_ARGS)}].each do  |config|
+
+    it "flash.now[] sets flash for current page" do
+      app(:bare) do
+        instance_exec(&config)
+
+        route do |r|
+          r.on do
+            flash.now['a'] = 'b'
+            flash['a']
+          end
         end
       end
-    end
 
-    body.must_equal 'b'
-  end
+      body.must_equal 'b'
+    end
 
-  it "flash[] sets flash for next page" do
-    app(:bare) do
-      plugin :flash
-      send(*DEFAULT_SESSION_ARGS)
+    it "flash[] sets flash for next page" do
+      app(:bare) do
+        instance_exec(&config)
 
-      route do |r|
-        r.get('a'){"c#{flash['a']}"}
-        r.get('f'){flash; session['_flash'].inspect}
+        route do |r|
+          r.get('a'){"c#{flash['a']}"}
+          r.get('f'){flash; session['_flash'].inspect}
 
-        flash['a'] = "b#{flash['a']}"
-        flash['a'] || ''
+          flash['a'] = "b#{flash['a']}"
+          flash['a'] || ''
+        end
       end
-    end
 
-    body.must_equal ''
-    body.must_equal 'b'
-    body.must_equal 'bb'
+      body.must_equal ''
+      body.must_equal 'b'
+      body.must_equal 'bb'
 
-    body('/a').must_equal 'cbbb'
-    body.must_equal ''
-    body.must_equal 'b'
-    body.must_equal 'bb'
+      body('/a').must_equal 'cbbb'
+      body.must_equal ''
+      body.must_equal 'b'
+      body.must_equal 'bb'
 
-    body('/f').must_equal '{"a"=>"bbb"}'
-    body('/f').must_equal 'nil'
+      body('/f').must_equal '{"a"=>"bbb"}'
+      body('/f').must_equal 'nil'
+    end
   end
 end
 

data/spec/plugin/hooks_spec.rb

@@ -100,4 +100,32 @@ describe "hooks plugin" do
     end
     status.must_equal 201
   end
+
+  it "works with error plugin when loaded first" do
+    app.plugin(:error_handler){|e| "error"}
+    app.before do
+      raise "before" if @_request.path == '/b'
+    end
+    app.after do
+      raise "after" if @_request.path == '/a'
+    end
+    body('/a').must_equal "error"
+    body('/b').must_equal "error"
+  end
+
+  it "works with error plugin when loaded after" do
+    app(:bare) do
+      plugin(:error_handler){|e| "error"}
+      plugin :hooks
+      before do
+        raise "before" if @_request.path == '/b'
+      end
+      after do
+        raise "after" if @_request.path == '/a'
+      end
+      route{}
+    end
+    body('/a').must_equal "error"
+    body('/b').must_equal "error"
+  end
 end

data/spec/plugin/sessions_spec.rb

@@ -205,15 +205,15 @@ describe "sessions plugin" do
 
   it "compresses data over a certain size by default" do
     long = 'b'*8192
+    proc{body("/s/foo/#{long}")}.must_raise Roda::RodaPlugins::Sessions::CookieTooLarge
+
+    @app.plugin(:sessions, :gzip_over=>8000)
     body("/s/foo/#{long}").must_equal long
-    body("/g/foo").must_equal long
+    body("/g/foo", 'QUERY_STRING'=>'sut=3700').must_equal long
 
     @app.plugin(:sessions, :gzip_over=>15000)
     proc{body("/g/foo", 'QUERY_STRING'=>'sut=3700')}.must_raise Roda::RodaPlugins::Sessions::CookieTooLarge
 
-    @app.plugin(:sessions, :gzip_over=>8000)
-    body("/g/foo", 'QUERY_STRING'=>'sut=3700').must_equal long
-
     errors.must_equal []
   end
 

data/spec/plugin/static_routing_spec.rb

@@ -66,6 +66,26 @@ describe "static_routing plugin" do
     a.must_equal [1,3,2]
   end
 
+  it "works with hooks plugin if loaded before" do
+    a = []
+    app(:bare) do
+      plugin :static_routing
+      plugin :hooks
+
+      before{a << 1}
+      after{a << 2}
+
+      static_route "/foo" do |r|
+        a << 3
+        "bar"
+      end
+
+      route{}
+    end
+    body('/foo').must_equal 'bar'
+    a.must_equal [1,3,2]
+  end
+
   it "does not allow placeholders in static routes" do
     app(:bare) do
       plugin :static_routing

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.10.0
+  version: 3.11.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-07-18 00:00:00.000000000 Z
+date: 2018-08-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -206,6 +206,7 @@ extra_rdoc_files:
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 - doc/release_notes/3.10.0.txt
+- doc/release_notes/3.11.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -250,6 +251,7 @@ files:
 - doc/release_notes/3.0.0.txt
 - doc/release_notes/3.1.0.txt
 - doc/release_notes/3.10.0.txt
+- doc/release_notes/3.11.0.txt
 - doc/release_notes/3.2.0.txt
 - doc/release_notes/3.3.0.txt
 - doc/release_notes/3.4.0.txt
@@ -259,6 +261,8 @@ files:
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 - lib/roda.rb
+- lib/roda/plugins/_after_hook.rb
+- lib/roda/plugins/_before_hook.rb
 - lib/roda/plugins/_symbol_regexp_matchers.rb
 - lib/roda/plugins/all_verbs.rb
 - lib/roda/plugins/assets.rb