roda 3.73.0 → 3.74.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7a47f703af806a15f523b99b38d084520bada92f23196374d6d9781d5953faa8
-  data.tar.gz: 4612153820b89e6dbcfa2370c04269666c49277d8f11256869f6c1f0bb0b571a
+  metadata.gz: ae3f95331c6c3d69453feb96a7dbd3629a6d5f52bd9d1862edecab893d95a36f
+  data.tar.gz: c5457f54b2ca5a9971f93a23db10abe3b6fd16a743e2651749ec14c480c248a3
 SHA512:
-  metadata.gz: bdc42cdc9540750195327dac290e3f0bb08c3ed0100b610441b644c85849e7e9f9f974013cea041cdf640f590e2027996d68b62eea9c31d41bd42a57df6530bb
-  data.tar.gz: 3ab05db704cf45803ad706e78b558ea7798d8d9782a06c7dec79814a4d862582249e5554946c59fff88e1f1d2d360e242268c593a8c9c95fe87b5489e4a4a44c
+  metadata.gz: f314713b33ec4400e5ef8849c6a3e30f1b5956b428dea55a5bf45855fef4a965f9b417063182cc4412effa592a7d311715cf4541826781675ca26bd20f202ca3
+  data.tar.gz: 735cb4cf3e5480be4462d88ccb0090001e7eca27bfe7338a923f5f190730095037ff0c77e1cbe3c875b137175bc7022b8d0611ccbf8b82426cbbaec5b7802149

data/CHANGELOG

@@ -1,3 +1,7 @@
+= 3.74.0 (2023-11-13)
+
+* Add redirect_http_to_https plugin, helping to ensure future requests from the browser are submitted via HTTPS (jeremyevans)
+
 = 3.73.0 (2023-10-13)
 
 * Support :next_if_not_found option for middleware plugin (jeremyevans) (#334)

data/README.rdoc

@@ -723,7 +723,7 @@ Note that when subclassing, Roda only does a shallow clone of the settings.
 
 If you store nested structures and plan to mutate them in subclasses,
 it is your responsibility to dup the nested structures inside +Roda.inherited+
-(making sure to call +super+).  This should be is done so that that modifications
+(making sure to call +super+).  This should be is done so that modifications
 to the parent class made after subclassing do _not_ affect the subclass, and
 vice-versa.
 
@@ -851,9 +851,8 @@ should use an appropriate external middleware.
 It is possible to use other session cookie middleware such as
 <tt>Rack::Session::Cookie</tt>, but other middleware may not have the same security
 features that Roda's session support does.  For example, the session cookies used by
-the <tt>Rack::Session::Cookie</tt> middleware are not encrypted, just signed to
-prevent tampering.  This means you should not store any secret data in the session
-when using <tt>Rack::Session::Cookie</tt>.
+the <tt>Rack::Session::Cookie</tt> middleware provided by Rack before Rack 3 are not
+encrypted, just signed to prevent tampering.
 
 For any cookie-based sessions, make sure that the necessary secrets (+:secret+ option)
 are not disclosed to an attacker.  Knowledge of the
@@ -960,17 +959,17 @@ application level using using the +default_headers+ plugin:
 Strict-Transport-Security :: Enforces SSL/TLS Connections to the application.
 X-Content-Type-Options :: Forces some browsers to respect a declared Content-Type header.
 X-Frame-Options :: Provides click-jacking protection by not allowing usage inside a frame.
-X-XSS-Protection :: Enables an XSS mitigation filter in some browsers.
+                   Only include this if you want to support and protect old browsers that
+                   do not support Content-Security-Policy.
 
 Example:
 
   class App < Roda
     plugin :default_headers,
       'Content-Type'=>'text/html',
-      'Strict-Transport-Security'=>'max-age=16070400;',
+      'Strict-Transport-Security'=>'max-age=63072000; includeSubDomains',
       'X-Content-Type-Options'=>'nosniff',
-      'X-Frame-Options'=>'deny',
-      'X-XSS-Protection'=>'1; mode=block'
+      'X-Frame-Options'=>'deny'
   end
 
 === Rendering Templates Derived From User Input
@@ -1007,25 +1006,16 @@ constants and removing them when any of the reloadable loaded files changes. It
 +require+ and +require_relative+ when activated (usually in the development environment). No
 configurations other than +reloadable_paths+ are required.
 
-Both {rerun}[https://github.com/alexch/rerun] and
-{shotgun}[https://github.com/rtomayko/shotgun] use a fork/exec approach for loading new
-versions of your app.  rerun is faster as it only reloads the app on changes, whereas
-shotgun reloads the app on every request.  Both work without any changes to application
+{rerun}[https://github.com/alexch/rerun] uses a fork/exec approach for loading new
+versions of your app.  It work without any changes to application
 code, but may be slower as they have to reload the entire application on every change.
-However, for small apps that load quickly, either may be a good approach.
-
-{Rack::Reloader}[https://github.com/rack/rack/blob/master/lib/rack/reloader.rb] ships
-with rack and just reloads monitored files when they change, without unloading constants.
-It's fast but may cause issues in cases where you remove classes, constants, or methods,
-or when you are not clearing out cached data manually when files are reloaded.
+However, for small apps that load quickly, it may be a good approach.
 
 There is no one reloading solution that is the best for all applications and development
 approaches.  Consider your needs and the tradeoffs of each of the reloading approaches,
-and pick the one you think will work best.
-
-If you are unsure where to start, it may be best to start with rerun or shotgun
-(unless you're running on JRuby or Windows), and only consider other options if rerun or
-shotgun are not fast enough.
+and pick the one you think will work best.  If you are unsure where to start,
+it may be best to start with Zeitwerk, and only consider other options if it does not
+work well for you.
 
 == Plugins
 
@@ -1144,4 +1134,3 @@ MIT
 == Maintainer
 
 Jeremy Evans <code@jeremyevans.net>
-

data/doc/conventions.rdoc

@@ -55,7 +55,7 @@ via <tt>irb -r ./models</tt>, without loading the Roda application.
 migrations.
 
 +spec/+ (or +test/+ should contain your specifications/tests.  For a small application, it's recommended
-to a have a single file for your model tests, and a single file for your web/integration tests.
+to have a single file for your model tests, and a single file for your web/integration tests.
 
 +Rakefile+ should contain the rake tasks for the application.  The convention is that the
 default rake task will run all specs/tests related to the application.  If you are using

data/doc/release_notes/3.74.0.txt

@@ -0,0 +1,28 @@
+= New Features
+
+* A redirect_http_to_https plugin has been added, redirecting HTTP
+  requests to the same path on an HTTPS site.  Using the routing tree,
+  you can control where to do the redirection, which allows you to
+  easily have part of your site accessible via HTTP, with sensitive
+  sections requiring HTTPS:
+
+    plugin :redirect_http_to_https
+
+    route do |r|
+      # routes available via both HTTP and HTTPS
+      r.redirect_http_to_https
+      # routes available only via HTTPS
+    end
+
+  If you want to redirect to HTTPS for all routes in the routing tree, you
+  can have r.redirect_http_to_https as the very first method call in the
+  routing tree.  Note that in Roda it is possible to handle routing before
+  the normal routing tree using before hooks.  The static_routing and
+  heartbeat plugins use this feature. If you would like to handle routes
+  before the normal routing tree, you can setup a before hook:
+
+    plugin :hooks
+
+    before do
+      request.redirect_http_to_https
+    end

data/lib/roda/plugins/redirect_http_to_https.rb

@@ -0,0 +1,99 @@
+# frozen-string-literal: true
+
+#
+class Roda
+  module RodaPlugins
+    # The redirect_http_to_https plugin exposes a +redirect_http_to_https+
+    # request method that redirects HTTP requests to HTTPS, helping to ensure
+    # that future requests by the same browser will be submitted securely.
+    #
+    # You should use this plugin if you have an application that can receive
+    # requests using both HTTP and HTTPS, and you want to make sure that all
+    # or a subset of routes are only handled for HTTPS requests.
+    #
+    # The reason this exposes a request method is so that you can choose where
+    # in your routing tree to do the redirection:
+    #
+    #   route do |r|
+    #     # routes available via both HTTP and HTTPS
+    #     r.redirect_http_to_https
+    #     # routes available only via HTTPS
+    #   end
+    #
+    # If you want to redirect to HTTPS for all routes in the routing tree, you
+    # can have this as the very first method call in the routing tree.  Note that
+    # in Roda it is possible to handle routing before the normal routing tree
+    # using before hooks.  The static_routing and heartbeat plugins use this
+    # feature. If you would like to handle routes before the normal routing tree,
+    # you can setup a before hook:
+    #
+    #   plugin :hooks
+    #
+    #   before do
+    #     request.redirect_http_to_https
+    #   end
+    module RedirectHttpToHttps
+      status_map = Hash.new(307)
+      status_map['GET'] = status_map['HEAD'] = 301
+      status_map.freeze
+      DEFAULTS = {:status_map => status_map}.freeze
+      private_constant :DEFAULTS
+
+      # Configures redirection from HTTP to HTTPS.  Available options:
+      #
+      # :body :: The body used in the redirect.  If not set, uses an empty body.
+      # :headers :: Any additional headers used in the redirect response. By default,
+      #             no additional headers are set, the only header used is the Location header.
+      # :host :: The host to redirect to.  If not set, redirects to the same host as the HTTP
+      #          requested to.  It is highly recommended that you set this if requests with
+      #          arbitrary Host headers can be submitted to the application.
+      # :port :: The port to use in the redirect.  By default, will not set an explicit port,
+      #          so that it will implicitly use the HTTPS default port of 443.
+      # :status_map :: A hash mapping request methods to response status codes.  By default,
+      #                uses a hash that redirects GET and HEAD requests with a 301 status,
+      #                and other request methods with a 307 status.
+      def self.configure(app, opts=OPTS)
+        previous = app.opts[:redirect_http_to_https] || DEFAULTS
+        opts = app.opts[:redirect_http_to_https] = previous.merge(opts)
+        opts[:port_string] = opts[:port] ? ":#{opts[:port]}".freeze : "".freeze
+        opts[:prefix] = opts[:host] ? "https://#{opts[:host]}#{opts[:port_string]}".freeze : nil
+        opts.freeze
+      end
+
+      module RequestMethods
+        # Redirect HTTP requests to HTTPS. While this doesn't secure the
+        # current request, it makes it more likely that the browser will submit
+        # future requests securely via HTTPS.
+        def redirect_http_to_https
+          return if ssl?
+
+          opts = roda_class.opts[:redirect_http_to_https]
+
+          res = response
+
+          if body = opts[:body]
+            res.write(body)
+          end
+
+          if headers = opts[:headers]
+            res.headers.merge!(headers)
+          end
+
+          path = if prefix = opts[:prefix]
+            prefix + fullpath
+          else
+            "https://#{host}#{opts[:port_string]}#{fullpath}"
+          end
+
+          unless status = opts[:status_map][@env['REQUEST_METHOD']]
+            raise RodaError, "redirect_http_to_https :status_map provided does not support #{@env['REQUEST_METHOD']}"
+          end
+
+          redirect(path, status)
+        end
+      end
+    end
+
+    register_plugin(:redirect_http_to_https, RedirectHttpToHttps)
+  end
+end

data/lib/roda/plugins/route_csrf.rb

@@ -22,9 +22,11 @@ class Roda
     # and request path even if they have access to a token that is not
     # specific to request method and request path.  To get this security
     # benefit, you must ensure an attacker does not have access to the
-    # session.  Rack::Session::Cookie uses signed sessions, not encrypted
+    # session.  Rack::Session::Cookie versions shipped with Rack before
+    # Rack 3 use signed sessions, not encrypted
     # sessions, so if the attacker has the ability to read cookie data
-    # and you are using Rack::Session::Cookie, it will still be possible
+    # and you are using one of those Rack::Session::Cookie versions,
+    # it will still be possible
     # for an attacker to generate valid CSRF tokens specific to arbitrary
     # request method and request path.  Roda's session plugin uses
     # encrypted sessions and therefore is safe even if the attacker can

data/lib/roda/plugins/sessions.rb

@@ -40,7 +40,8 @@ class Roda
     #
     # Session secrets can be rotated.  See options below.
     #
-    # The sessions plugin can transparently upgrade sessions from Rack::Session::Cookie
+    # The sessions plugin can transparently upgrade sessions from versions of Rack::Session::Cookie
+    # shipped with Rack before Rack 3,
     # if the default Rack::Session::Cookie coder and HMAC are used, see options below.
     # It is recommended to only enable transparent upgrades for a brief transition period,
     # and remove support for them once old sessions have converted or timed out.

data/lib/roda/response.rb

@@ -10,19 +10,15 @@ class Roda
   # headers used internally by Roda can be lower case on Rack 3, so that it is
   # possible to use a plain hash of response headers instead of using Rack::Headers.
   module RodaResponseHeaders
-    headers = %w'Allow Cache-Control Content-Disposition Content-Encoding Content-Length
-       Content-Security-Policy Content-Security-Policy-Report-Only Content-Type
-       ETag Expires Last-Modified Link Location Set-Cookie Transfer-Encoding Vary'.freeze.each(&:freeze)
+    downcase = defined?(Rack::Headers) && Rack::Headers.is_a?(Class)
 
-    if defined?(Rack::Headers) && Rack::Headers.is_a?(Class)
-      headers.each do |mixed_case|
-        const_set(mixed_case.gsub('-', '_').upcase!.to_sym, mixed_case.downcase.freeze)
-      end
-    else
-      headers.each do |mixed_case|
-        const_set(mixed_case.gsub('-', '_').upcase!.to_sym, mixed_case.freeze)
+    %w'Allow Cache-Control Content-Disposition Content-Encoding Content-Length
+       Content-Security-Policy Content-Security-Policy-Report-Only Content-Type
+       ETag Expires Last-Modified Link Location Set-Cookie Transfer-Encoding Vary'.
+      each do |value|
+        value = value.downcase if downcase
+        const_set(value.gsub('-', '_').upcase!.to_sym, value.freeze)
       end
-    end
   end
 
   # Base class used for Roda responses.  The instance methods for this

data/lib/roda/version.rb

@@ -4,7 +4,7 @@ class Roda
   RodaMajorVersion = 3
 
   # The minor version of Roda, updated for new feature releases of Roda.
-  RodaMinorVersion = 73
+  RodaMinorVersion = 74
 
   # The patch version of Roda, updated only for bug fixes from the last
   # feature release.

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: roda
 version: !ruby/object:Gem::Version
-  version: 3.73.0
+  version: 3.74.0
 platform: ruby
 authors:
 - Jeremy Evans
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-13 00:00:00.000000000 Z
+date: 2023-11-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -247,6 +247,7 @@ extra_rdoc_files:
 - doc/release_notes/3.71.0.txt
 - doc/release_notes/3.72.0.txt
 - doc/release_notes/3.73.0.txt
+- doc/release_notes/3.74.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 files:
@@ -327,6 +328,7 @@ files:
 - doc/release_notes/3.71.0.txt
 - doc/release_notes/3.72.0.txt
 - doc/release_notes/3.73.0.txt
+- doc/release_notes/3.74.0.txt
 - doc/release_notes/3.8.0.txt
 - doc/release_notes/3.9.0.txt
 - lib/roda.rb
@@ -428,6 +430,7 @@ files:
 - lib/roda/plugins/public.rb
 - lib/roda/plugins/r.rb
 - lib/roda/plugins/recheck_precompiled_assets.rb
+- lib/roda/plugins/redirect_http_to_https.rb
 - lib/roda/plugins/relative_path.rb
 - lib/roda/plugins/render.rb
 - lib/roda/plugins/render_coverage.rb