startback 0.14.2 → 0.15.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/startback/version.rb +2 -2
- data/lib/startback/web/cors_headers.rb +41 -5
- data/lib/startback/web/shield.rb +1 -0
- data/spec/unit/web/test_cors_headers.rb +61 -11
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d3b72151f15267aa20de6185a0f6c33d6ee22370171dfb34574604dfb1c5016c
|
|
4
|
+
data.tar.gz: 2aa005e7ca84a6dab18a29b0054ad16483b5c8b27e789351c8dfb3bccdc4714a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: fb5b6cb84aa0fb74ad5600fd5cefaf7efc1bd0bd659555e5035031db98646d7cf44f66c22c1c04ffa020d74dbdb4ad4609e09a8dda2efee7b0f41570a0ce57ae
|
|
7
|
+
data.tar.gz: ebacc25e2ca8628d5914396314bec03a22d65fa39886656f2f0863fb02efc1276cda9ccf07e1ef0256489ad17845e5e3fb224c4707ce4295740917af872b240f
|
data/lib/startback/version.rb
CHANGED
|
@@ -14,6 +14,12 @@ module Startback
|
|
|
14
14
|
# # as Access-Control-Allow-Origin response header
|
|
15
15
|
# use CorsHeaders, bounce: true
|
|
16
16
|
#
|
|
17
|
+
# # Force a bouncing of the origin, but only for whitelisted candidates
|
|
18
|
+
# use CorsHeaders, bounce: ['https://*.test.com', 'https://*.test.devel']
|
|
19
|
+
#
|
|
20
|
+
# # The option above also works with a comma-separated string
|
|
21
|
+
# use CorsHeaders, bounce: 'https://*.test.com,https://*.test.devel'
|
|
22
|
+
#
|
|
17
23
|
# # Overrides a specific header
|
|
18
24
|
# use CorsHeaders, headers: { 'Access-Control-Allow-Methods' => 'POST' }
|
|
19
25
|
#
|
|
@@ -47,6 +53,7 @@ module Startback
|
|
|
47
53
|
def initialize(app, options = {})
|
|
48
54
|
@app = app
|
|
49
55
|
@options = Startback::Support.deep_merge(DEFAULT_OPTIONS, options)
|
|
56
|
+
@options[:bounce] = compile_bounce!(@options[:bounce])
|
|
50
57
|
end
|
|
51
58
|
|
|
52
59
|
def call(env)
|
|
@@ -65,14 +72,43 @@ module Startback
|
|
|
65
72
|
|
|
66
73
|
def cors_headers(origin)
|
|
67
74
|
headers = @options[:headers].dup
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
end
|
|
75
|
+
bounce = do_bounce(origin)
|
|
76
|
+
headers['Access-Control-Allow-Origin'] = bounce
|
|
71
77
|
headers
|
|
72
78
|
end
|
|
73
79
|
|
|
74
|
-
def bounce
|
|
75
|
-
|
|
80
|
+
def compile_bounce!(bounce)
|
|
81
|
+
case bounce
|
|
82
|
+
when TrueClass
|
|
83
|
+
true
|
|
84
|
+
when FalseClass, NilClass
|
|
85
|
+
nil
|
|
86
|
+
when Regexp
|
|
87
|
+
bounce
|
|
88
|
+
when String
|
|
89
|
+
rx_str = bounce
|
|
90
|
+
.split(',')
|
|
91
|
+
.map{|b| b.gsub(/\*/, '[^.]+') }
|
|
92
|
+
.join('|')
|
|
93
|
+
Regexp.new("^(#{rx_str})$")
|
|
94
|
+
when Array
|
|
95
|
+
compile_bounce!(bounce.join(','))
|
|
96
|
+
else
|
|
97
|
+
nil
|
|
98
|
+
end
|
|
99
|
+
end
|
|
100
|
+
|
|
101
|
+
def do_bounce(origin)
|
|
102
|
+
case bounce = @options[:bounce]
|
|
103
|
+
when NilClass
|
|
104
|
+
@options[:headers]['Access-Control-Allow-Origin']
|
|
105
|
+
when TrueClass
|
|
106
|
+
origin
|
|
107
|
+
when Regexp
|
|
108
|
+
bounce =~ origin ? origin : nil
|
|
109
|
+
else
|
|
110
|
+
nil
|
|
111
|
+
end
|
|
76
112
|
end
|
|
77
113
|
|
|
78
114
|
end # class AllowCors
|
data/lib/startback/web/shield.rb
CHANGED
|
@@ -40,6 +40,7 @@ module Startback
|
|
|
40
40
|
def body_for(ex)
|
|
41
41
|
ex = ex.root_cause if ex.is_a?(Finitio::TypeError)
|
|
42
42
|
body = { code: ex.class.name, description: ex.message }
|
|
43
|
+
body[:location] = ex.location if ex.is_a?(Finitio::TypeError)
|
|
43
44
|
return body unless ex.is_a?(Startback::Errors::Error)
|
|
44
45
|
return body unless ex.has_causes?
|
|
45
46
|
|
|
@@ -17,22 +17,22 @@ module Startback
|
|
|
17
17
|
it 'sets the CORS headers to default values' do
|
|
18
18
|
header('Origin', "https://test.com")
|
|
19
19
|
get '/'
|
|
20
|
-
expect(last_response['Access-Control-Allow-Origin']).
|
|
21
|
-
expect(last_response['Access-Control-Allow-Methods']).
|
|
20
|
+
expect(last_response['Access-Control-Allow-Origin']).to eql("*")
|
|
21
|
+
expect(last_response['Access-Control-Allow-Methods']).to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
|
|
22
22
|
expect(last_response.body).to eql("Hello world")
|
|
23
23
|
end
|
|
24
24
|
|
|
25
25
|
it 'strips everything when option' do
|
|
26
26
|
header('Origin', "https://test.com")
|
|
27
27
|
options '/'
|
|
28
|
-
expect(last_response['Access-Control-Allow-Origin']).
|
|
29
|
-
expect(last_response['Access-Control-Allow-Methods']).
|
|
28
|
+
expect(last_response['Access-Control-Allow-Origin']).to eql("*")
|
|
29
|
+
expect(last_response['Access-Control-Allow-Methods']).to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
|
|
30
30
|
expect(last_response.status).to eql(204)
|
|
31
31
|
expect(last_response.body).to eql("")
|
|
32
32
|
end
|
|
33
33
|
end
|
|
34
34
|
|
|
35
|
-
context 'when used with the :bounce option' do
|
|
35
|
+
context 'when used with the :bounce option (boolean)' do
|
|
36
36
|
def app
|
|
37
37
|
Rack::Builder.new do
|
|
38
38
|
use CorsHeaders, bounce: true
|
|
@@ -43,12 +43,62 @@ module Startback
|
|
|
43
43
|
it 'sets the CORS Origin header to the caller' do
|
|
44
44
|
header('Origin', "https://test.com")
|
|
45
45
|
get '/'
|
|
46
|
-
expect(last_response['Access-Control-Allow-Origin']).
|
|
47
|
-
expect(last_response['Access-Control-Allow-Methods']).
|
|
46
|
+
expect(last_response['Access-Control-Allow-Origin']).to eql("https://test.com")
|
|
47
|
+
expect(last_response['Access-Control-Allow-Methods']).to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
|
|
48
48
|
expect(last_response.body).to eql("Hello world")
|
|
49
49
|
end
|
|
50
50
|
end
|
|
51
51
|
|
|
52
|
+
context 'when used with the :bounce option (array)' do
|
|
53
|
+
def app
|
|
54
|
+
Rack::Builder.new do
|
|
55
|
+
use CorsHeaders, bounce: ['https://test.com', 'https://*.test.com']
|
|
56
|
+
run ->(env){ [200, {}, ["Hello world"]] }
|
|
57
|
+
end
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
it 'sets the CORS Origin header to the caller if match' do
|
|
61
|
+
header('Origin', "https://test.com")
|
|
62
|
+
get '/'
|
|
63
|
+
expect(last_response['Access-Control-Allow-Origin']).to eql("https://test.com")
|
|
64
|
+
|
|
65
|
+
header('Origin', "https://api.test.com")
|
|
66
|
+
get '/'
|
|
67
|
+
expect(last_response['Access-Control-Allow-Origin']).to eql("https://api.test.com")
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
it 'rejects otherwise' do
|
|
71
|
+
header('Origin', "https://nosuchone.com")
|
|
72
|
+
get '/'
|
|
73
|
+
expect(last_response['Access-Control-Allow-Origin']).to be_nil
|
|
74
|
+
end
|
|
75
|
+
end
|
|
76
|
+
|
|
77
|
+
context 'when used with the :bounce option (string)' do
|
|
78
|
+
def app
|
|
79
|
+
Rack::Builder.new do
|
|
80
|
+
use CorsHeaders, bounce: 'https://test.com,https://*.test.com'
|
|
81
|
+
run ->(env){ [200, {}, ["Hello world"]] }
|
|
82
|
+
end
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
it 'sets the CORS Origin header to the caller if match' do
|
|
86
|
+
header('Origin', "https://test.com")
|
|
87
|
+
get '/'
|
|
88
|
+
expect(last_response['Access-Control-Allow-Origin']).to eql("https://test.com")
|
|
89
|
+
|
|
90
|
+
header('Origin', "https://api.test.com")
|
|
91
|
+
get '/'
|
|
92
|
+
expect(last_response['Access-Control-Allow-Origin']).to eql("https://api.test.com")
|
|
93
|
+
end
|
|
94
|
+
|
|
95
|
+
it 'rejects otherwise' do
|
|
96
|
+
header('Origin', "https://nosuchone.com")
|
|
97
|
+
get '/'
|
|
98
|
+
expect(last_response['Access-Control-Allow-Origin']).to be_nil
|
|
99
|
+
end
|
|
100
|
+
end
|
|
101
|
+
|
|
52
102
|
context 'when overriding a header' do
|
|
53
103
|
def app
|
|
54
104
|
Rack::Builder.new do
|
|
@@ -60,8 +110,8 @@ module Startback
|
|
|
60
110
|
it 'sets the CORS Origin header to the caller' do
|
|
61
111
|
header('Origin', "https://test.com")
|
|
62
112
|
get '/'
|
|
63
|
-
expect(last_response['Access-Control-Allow-Origin']).
|
|
64
|
-
expect(last_response['Access-Control-Allow-Methods']).
|
|
113
|
+
expect(last_response['Access-Control-Allow-Origin']).to eql("*")
|
|
114
|
+
expect(last_response['Access-Control-Allow-Methods']).to eql("POST")
|
|
65
115
|
expect(last_response.body).to eql("Hello world")
|
|
66
116
|
end
|
|
67
117
|
end
|
|
@@ -77,8 +127,8 @@ module Startback
|
|
|
77
127
|
it 'does not override them' do
|
|
78
128
|
header('Origin', "https://test.com")
|
|
79
129
|
get '/'
|
|
80
|
-
expect(last_response['Access-Control-Allow-Origin']).
|
|
81
|
-
expect(last_response['Access-Control-Allow-Methods']).
|
|
130
|
+
expect(last_response['Access-Control-Allow-Origin']).to eql("*")
|
|
131
|
+
expect(last_response['Access-Control-Allow-Methods']).to eql("POST")
|
|
82
132
|
expect(last_response.body).to eql("Hello world")
|
|
83
133
|
end
|
|
84
134
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: startback
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.15.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Bernard Lambeau
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2022-06-
|
|
11
|
+
date: 2022-06-22 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: rspec
|