roda 3.1.0 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: d0f2116bac0848dc9f1f4563daab14474e62a79b
-  data.tar.gz: 5f564ae0dc012ae84af1a9d5d64c1b4bb214b7b0
+  metadata.gz: e4935b8951819226ca81b82723628a6c555e505e
+  data.tar.gz: c3fd3714c47c7b5e014ed34a2f817a249b257fa6
 SHA512:
-  metadata.gz: 31621a2f3576447f261cad0d53ec12b24d407b3f929fbe51be8c102ca279492cc3f19bf80ded152e4b4018fc4f02836b70a5800cbbe39f2fc196e001307e4f6d
-  data.tar.gz: b9ede292a9c37c68532b0068fcd79a5d942da3f9b31e751f9ba360df8bcc4959eb35908bcbb06a6389fd93f593b60a80f48537a00e92d76938241799e5e1426a
+  metadata.gz: 7bf5572895450e439a6559a79815603a98fd5dd1b2a1b11a1b13218dd15a35cbdbc67db60021752878c22fc1dceadc8f4926c79f90d65705ca78187a68fb8c55
+  data.tar.gz: 4a6e9c478b28b58da51dedad966cd77b72ff5bca90a21d4adcba47c4560252549af8d9f75df2123fc30f46c600b7da06e7b6f5d8bb692b36d5f7052a0a364148

data/CHANGELOG

@@ -1,3 +1,9 @@
+= 3.2.0 (2017-11-16)
+
+* Use microseconds in assets plugin :timestamp_paths timestamps (jeremyevans)
+
+* Add timestamp_public plugin for serving static files with paths that change based on modify timestamp (jeremyevans)
+
 = 3.1.0 (2017-10-13)
 
 * Make set_layout_locals and set_view_locals in branch_locals plugin work when the other is not called (jeremyevans)

data/doc/release_notes/3.2.0.txt

@@ -0,0 +1,22 @@
+= New Features
+
+* A timestamp_public plugin has been added for serving static files
+  with paths that change based on the modification timestamp of the
+  file.  By using a new path, cached versions of the file will not
+  be used, fixing staleness issues.  Example:
+
+    plugin :timestamp_public
+
+    route do |r|
+      # serves requests for /static/\d+/.*
+      r.timestamp_public
+
+      # /static/1234567890/path/to/file
+      timestamp_path("path/to/file")
+    end
+
+= Other Improvements
+
+* When using the assets plugin :timestamp_paths option, the
+  timestamps now include microseconds, to make cache poisoning more
+  difficult.

data/lib/roda/plugins/assets.rb

@@ -620,7 +620,13 @@ class Roda
               dirs.each{|f| asset_dir = asset_dir[f]}
               prefix = "#{dirs.join('/')}/" if o[:group_subdirs]
             end
-            Array(asset_dir).map{|f| "#{url_prefix}/#{o[:"#{stype}_prefix"]}#{"#{asset_last_modified(File.join(o[:"#{stype}_path"], *[prefix, f].compact)).to_i}/" if o[:timestamp_paths]}#{prefix}#{f}#{o[:"#{stype}_suffix"]}"}
+            Array(asset_dir).map do |f|
+              if o[:timestamp_paths]
+                mtime = asset_last_modified(File.join(o[:"#{stype}_path"], *[prefix, f].compact))
+                mtime = "#{sprintf("%i%06i", mtime.to_i, mtime.usec)}/"
+              end
+              "#{url_prefix}/#{o[:"#{stype}_prefix"]}#{mtime}#{prefix}#{f}#{o[:"#{stype}_suffix"]}"
+            end
           end
         end
 

data/lib/roda/plugins/public.rb

@@ -45,8 +45,12 @@ class Roda
       # :headers :: A hash of headers to use for statically served files
       # :root :: Use this option for the root of the public directory (default: "public")
       def self.configure(app, opts={})
-        root =  app.expand_path(opts[:root]||"public")
-        app.opts[:public_server] = ::Rack::File.new(root, opts[:headers]||{}, opts[:default_mime] || 'text/plain')
+        if opts[:root]
+          app.opts[:public_root] = app.expand_path(opts[:root])
+        elsif !app.opts[:public_root]
+          app.opts[:public_root] = app.expand_path("public")
+        end
+        app.opts[:public_server] = ::Rack::File.new(app.opts[:public_root], opts[:headers]||{}, opts[:default_mime] || 'text/plain')
         app.opts[:public_gzip] = opts[:gzip]
       end
 

data/lib/roda/plugins/sinatra_helpers.rb

@@ -53,7 +53,7 @@ class Roda
     # and halts the request.  It takes an optional body:
     #
     #   error           # 500 response, empty boby
-    #   error 501       # 501 reponse, empty body
+    #   error 501       # 501 response, empty body
     #   error 'b'       # 500 response, 'b' body
     #   error 501, 'b'  # 501 response, 'b' body
     #

data/lib/roda/plugins/timestamp_public.rb

@@ -0,0 +1,75 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The timestamp_public plugin adds a +timestamp_path+ method for constructing
+    # timestamp paths, and a +r.timestamp_public+ routing method to serve static files
+    # from a directory (using the public plugin).  This plugin is useful when you want
+    # to modify the path to static files when the modify timestamp on the file changes,
+    # ensuring that requests for the static file will not be cached.
+    #
+    # Note that while this plugin will not serve files outside of the public directory,
+    # for performance reasons it does not check the path of the file is inside the public
+    # directory when getting the modify timestamp.  If the +timestamp_path+ method is
+    # called with untrusted input, it is possible for an attacker to get the modify
+    # timestamp for any file on the file system.
+    #
+    # Examples:
+    #
+    #   # Use public folder as location of files, and static as the path prefix
+    #   plugin :timestamp_public
+    #
+    #   # Use /path/to/app/static as location of files, and public as the path prefix
+    #   opts[:root] = '/path/to/app'
+    #   plugin :public, root: 'static', prefix: 'public'
+    #
+    #   # Assuming public is the location of files, and static is the path prefix
+    #   r.route do
+    #     # Make GET /static/1238099123/images/foo.png look for public/images/foo.png 
+    #     r.timestamp_public
+    #
+    #     r.get "example" do
+    #       # "/static/1238099123/images/foo.png"
+    #       timestamp_path("images/foo.png")
+    #     end
+    #   end
+    module TimestampPublic
+      # Use options given to setup timestamped file serving.  The following option is
+      # recognized by the plugin:
+      #
+      # :prefix :: The prefix for paths, before the timestamp segment
+      #
+      # The options given are also passed to the public plugin.
+      def self.configure(app, opts={})
+        app.plugin :public, opts
+        app.opts[:timestamp_public_prefix] = (opts[:prefix] || app.opts[:timestamp_public_prefix] || "static").dup.freeze
+      end
+
+      module InstanceMethods
+        # Return a path to the static file that could be served by r.timestamp_public.
+        # This does not check the file is inside the directory for performance reasons,
+        # so this should not be called with untrusted input.
+        def timestamp_path(file)
+          mtime = File.mtime(File.join(opts[:public_root], file))
+          "/#{opts[:timestamp_public_prefix]}/#{sprintf("%i%06i", mtime.to_i, mtime.usec)}/#{file}"
+        end
+      end
+
+      module RequestMethods
+        # Serve files from the public directory if the file exists,
+        # it includes the timestamp_public prefix segment followed by
+        # a integer segment for the timestamp, and this is a GET request.
+        def timestamp_public
+          if is_get?
+            on roda_class.opts[:timestamp_public_prefix], Integer do |_|
+              public
+            end
+          end
+        end
+      end
+    end
+
+    register_plugin(:timestamp_public, TimestampPublic)
+  end
+end

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 1
+  RodaMinorVersion = 2
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

data/spec/plugin/timestamp_public_spec.rb

@@ -0,0 +1,85 @@
+require_relative "../spec_helper"
+
+describe "timestamp_public plugin" do 
+  it "adds r.timestamp_public for serving static files from timestamp_public folder" do
+    app(:bare) do
+      plugin :timestamp_public, :root=>'spec/views'
+
+      route do |r|
+        r.timestamp_public
+      end
+    end
+
+    status("/about/_test.erb\0").must_equal 404
+    status("/about/_test.erb").must_equal 404
+    status("/static/a/about/_test.erb").must_equal 404
+    status("/static/1/about/_test.erb\0").must_equal 404
+    body("/static/1/about/_test.erb").must_equal File.read('spec/views/about/_test.erb')
+  end
+
+  it "adds r.timestamp_public for serving static files from timestamp_public folder" do
+    app(:bare) do
+      plugin :timestamp_public, :root=>'spec/views', :prefix=>'foo'
+
+      route do |r|
+        r.timestamp_public
+      end
+    end
+
+    body("/foo/1/about/_test.erb").must_equal File.read('spec/views/about/_test.erb')
+  end
+
+  it "adds r.timestamp_public for serving static files from timestamp_public folder" do
+    app(:bare) do
+      plugin :timestamp_public, :root=>'spec/plugin'
+      
+      route do |r|
+        r.timestamp_public
+        timestamp_path('../views/about/_test.erb')
+      end
+    end
+
+    mtime = File.mtime('spec/views/about/_test.erb')
+    body.must_equal "/static/#{sprintf("%i%06i", mtime.to_i, mtime.usec)}/../views/about/_test.erb"
+    status("/static/1/../views/about/_test.erb").must_equal 404
+  end
+
+  it "respects the application's :root option" do
+    app(:bare) do
+      opts[:root] = File.expand_path('../../', __FILE__)
+      plugin :timestamp_public, :root=>'views'
+
+      route do |r|
+        r.timestamp_public
+      end
+    end
+
+    body('/static/1/about/_test.erb').must_equal File.read('spec/views/about/_test.erb')
+  end
+
+  it "handles serving gzip files in gzip mode if client supports gzip" do
+    app(:bare) do
+      plugin :timestamp_public, :root=>'spec/views', :gzip=>true
+
+      route do |r|
+        r.timestamp_public
+      end
+    end
+
+    body('/static/1/about/_test.erb').must_equal File.read('spec/views/about/_test.erb')
+    header('Content-Encoding', '/about/_test.erb').must_be_nil
+
+    body('/static/1/about.erb').must_equal File.read('spec/views/about.erb')
+    header('Content-Encoding', '/about.erb').must_be_nil
+
+    body('/static/1/about/_test.erb', 'HTTP_ACCEPT_ENCODING'=>'deflate, gzip').must_equal File.binread('spec/views/about/_test.erb.gz')
+    h = req('/static/1/about/_test.erb', 'HTTP_ACCEPT_ENCODING'=>'deflate, gzip')[1]
+    h['Content-Encoding'].must_equal 'gzip'
+    h['Content-Type'].must_equal 'text/plain'
+
+    body('/static/1/about/_test.css', 'HTTP_ACCEPT_ENCODING'=>'deflate, gzip').must_equal File.binread('spec/views/about/_test.css.gz')
+    h = req('/static/1/about/_test.css', 'HTTP_ACCEPT_ENCODING'=>'deflate, gzip')[1]
+    h['Content-Encoding'].must_equal 'gzip'
+    h['Content-Type'].must_equal 'text/css'
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.1.0
+  version: 3.2.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-10-13 00:00:00.000000000 Z
+date: 2017-11-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -197,6 +197,7 @@ extra_rdoc_files:
 - doc/release_notes/2.29.0.txt
 - doc/release_notes/3.0.0.txt
 - doc/release_notes/3.1.0.txt
+- doc/release_notes/3.2.0.txt
 files:
 - CHANGELOG
 - MIT-LICENSE
@@ -240,6 +241,7 @@ files:
 - doc/release_notes/2.9.0.txt
 - doc/release_notes/3.0.0.txt
 - doc/release_notes/3.1.0.txt
+- doc/release_notes/3.2.0.txt
 - lib/roda.rb
 - lib/roda/plugins/_symbol_regexp_matchers.rb
 - lib/roda/plugins/all_verbs.rb
@@ -318,6 +320,7 @@ files:
 - lib/roda/plugins/symbol_matchers.rb
 - lib/roda/plugins/symbol_status.rb
 - lib/roda/plugins/symbol_views.rb
+- lib/roda/plugins/timestamp_public.rb
 - lib/roda/plugins/type_routing.rb
 - lib/roda/plugins/unescape_path.rb
 - lib/roda/plugins/view_options.rb
@@ -409,6 +412,7 @@ files:
 - spec/plugin/symbol_matchers_spec.rb
 - spec/plugin/symbol_status_spec.rb
 - spec/plugin/symbol_views_spec.rb
+- spec/plugin/timestamp_public_spec.rb
 - spec/plugin/type_routing_spec.rb
 - spec/plugin/unescape_path_spec.rb
 - spec/plugin/view_options_spec.rb