startback 0.14.3 → 0.15.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7a10c20a409a7f9919e6b0354721748d5a8522a430b144759630937ba405df2a
-  data.tar.gz: 1fd7f036026d8330ef663347e6839e3e14d792db508391e54cbc211ddfe5329b
+  metadata.gz: aedecb0daf2771549cdede97feba4f0b95255b4e073e57f6f8aed834de45c7ea
+  data.tar.gz: 93238106d46190b9c8347040e7e155b79a11296ad0377e722d749d53fa1a156d
 SHA512:
-  metadata.gz: 8c9afae9253b1ffa1ff89efb39d7ea59447cd5645138a765329a9d950fd3baf31e866237ac7338c74a15f363e4796181e42eb77f605fd0ca06293a181656878d
-  data.tar.gz: b3aab76baa49e81d358fd06ffccddab13b00c5f49374c1860cbb686b2f0c249b09e096f37ef63f0d51833dab6c5054924f5dc0e358ca889536857b825aff9c4c
+  metadata.gz: b0295a08c94dc01fc6bcb0aeaa61e33c9306ec89614da443d38544c524a4772fab565cded8f69b6fb02b8101139be89283309fc488326cf1a500627683b2a65a
+  data.tar.gz: 9254603245c14c4f3a4dc66c0113d5a25605c99f570ef2e33c14fe59c1006251122f87ceba19a8072ee8689a605b181cf453e78ca2e508838403d4e22696acc4

data/lib/startback/version.rb

@@ -1,8 +1,8 @@
 module Startback
   module Version
     MAJOR = 0
-    MINOR = 14
-    TINY  = 3
+    MINOR = 15
+    TINY  = 1
   end
   VERSION = "#{Version::MAJOR}.#{Version::MINOR}.#{Version::TINY}"
 end

data/lib/startback/web/cors_headers.rb

@@ -14,6 +14,12 @@ module Startback
     #     # as Access-Control-Allow-Origin response header
     #     use CorsHeaders, bounce: true
     #
+    #     # Force a bouncing of the origin, but only for whitelisted candidates
+    #     use CorsHeaders, bounce: ['https://*.test.com', 'https://*.test.devel']
+    #
+    #     # The option above also works with a comma-separated string
+    #     use CorsHeaders, bounce: 'https://*.test.com,https://*.test.devel'
+    #
     #     # Overrides a specific header
     #     use CorsHeaders, headers: { 'Access-Control-Allow-Methods' => 'POST' }
     #
@@ -47,6 +53,7 @@ module Startback
       def initialize(app, options = {})
         @app = app
         @options = Startback::Support.deep_merge(DEFAULT_OPTIONS, options)
+        @options[:bounce] = compile_bounce!(@options[:bounce])
       end
 
       def call(env)
@@ -65,14 +72,46 @@ module Startback
 
       def cors_headers(origin)
         headers = @options[:headers].dup
-        if bounce?
-          headers['Access-Control-Allow-Origin'] = origin
+        if bounce = do_bounce(origin)
+          headers['Access-Control-Allow-Origin'] = bounce
+        else
+          headers.delete('Access-Control-Allow-Origin')
         end
         headers
       end
 
-      def bounce?
-        @options[:bounce]
+      def compile_bounce!(bounce)
+        case bounce
+        when TrueClass
+          true
+        when FalseClass, NilClass
+          nil
+        when Regexp
+          bounce
+        when String
+          rx_str = bounce
+            .split(',')
+            .map{|b| b.gsub(/\*/, '[^.]+') }
+            .join('|')
+          Regexp.new("^(#{rx_str})$")
+        when Array
+          compile_bounce!(bounce.join(','))
+        else
+          nil
+        end
+      end
+
+      def do_bounce(origin)
+        case bounce = @options[:bounce]
+        when NilClass
+          @options[:headers]['Access-Control-Allow-Origin']
+        when TrueClass
+          origin
+        when Regexp
+          bounce =~ origin ? origin : nil
+        else
+          nil
+        end
       end
 
     end # class AllowCors

data/lib/startback/web/shield.rb

@@ -40,6 +40,7 @@ module Startback
       def body_for(ex)
         ex = ex.root_cause if ex.is_a?(Finitio::TypeError)
         body = { code: ex.class.name, description: ex.message }
+        body[:location] = ex.location if ex.is_a?(Finitio::TypeError)
         return body unless ex.is_a?(Startback::Errors::Error)
         return body unless ex.has_causes?
 

data/spec/unit/web/test_cors_headers.rb

@@ -17,22 +17,22 @@ module Startback
         it 'sets the CORS headers to default values' do
           header('Origin', "https://test.com")
           get '/'
-          expect(last_response['Access-Control-Allow-Origin']). to eql("*")
-          expect(last_response['Access-Control-Allow-Methods']). to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
+          expect(last_response['Access-Control-Allow-Origin']).to eql("*")
+          expect(last_response['Access-Control-Allow-Methods']).to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
           expect(last_response.body).to eql("Hello world")
         end
 
         it 'strips everything when option' do
           header('Origin', "https://test.com")
           options '/'
-          expect(last_response['Access-Control-Allow-Origin']). to eql("*")
-          expect(last_response['Access-Control-Allow-Methods']). to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
+          expect(last_response['Access-Control-Allow-Origin']).to eql("*")
+          expect(last_response['Access-Control-Allow-Methods']).to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
           expect(last_response.status).to eql(204)
           expect(last_response.body).to eql("")
         end
       end
 
-      context 'when used with the :bounce option' do
+      context 'when used with the :bounce option (boolean)' do
         def app
           Rack::Builder.new do
             use CorsHeaders, bounce: true
@@ -43,12 +43,63 @@ module Startback
         it 'sets the CORS Origin header to the caller' do
           header('Origin', "https://test.com")
           get '/'
-          expect(last_response['Access-Control-Allow-Origin']). to eql("https://test.com")
-          expect(last_response['Access-Control-Allow-Methods']). to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
+          expect(last_response['Access-Control-Allow-Origin']).to eql("https://test.com")
+          expect(last_response['Access-Control-Allow-Methods']).to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
           expect(last_response.body).to eql("Hello world")
         end
       end
 
+      context 'when used with the :bounce option (array)' do
+        def app
+          Rack::Builder.new do
+            use CorsHeaders, bounce: ['https://test.com', 'https://*.test.com']
+            run ->(env){ [200, {}, ["Hello world"]] }
+          end
+        end
+
+        it 'sets the CORS Origin header to the caller if match' do
+          header('Origin', "https://test.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to eql("https://test.com")
+
+          header('Origin', "https://api.test.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to eql("https://api.test.com")
+        end
+
+        it 'rejects otherwise' do
+          header('Origin', "https://nosuchone.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to be_nil
+        end
+      end
+
+      context 'when used with the :bounce option (string)' do
+        def app
+          Rack::Builder.new do
+            use CorsHeaders, bounce: 'https://test.com,https://*.test.com'
+            run ->(env){ [200, {}, ["Hello world"]] }
+          end
+        end
+
+        it 'sets the CORS Origin header to the caller if match' do
+          header('Origin', "https://test.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to eql("https://test.com")
+
+          header('Origin', "https://api.test.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to eql("https://api.test.com")
+        end
+
+        it 'rejects otherwise' do
+          header('Origin', "https://nosuchone.com")
+          get '/'
+          expect(last_response.headers.key?('Access-Control-Allow-Origin')).to eql(false)
+          expect(last_response['Access-Control-Allow-Origin']).to be_nil
+        end
+      end
+
       context 'when overriding a header' do
         def app
           Rack::Builder.new do
@@ -60,8 +111,8 @@ module Startback
         it 'sets the CORS Origin header to the caller' do
           header('Origin', "https://test.com")
           get '/'
-          expect(last_response['Access-Control-Allow-Origin']). to eql("*")
-          expect(last_response['Access-Control-Allow-Methods']). to eql("POST")
+          expect(last_response['Access-Control-Allow-Origin']).to eql("*")
+          expect(last_response['Access-Control-Allow-Methods']).to eql("POST")
           expect(last_response.body).to eql("Hello world")
         end
       end
@@ -77,8 +128,8 @@ module Startback
         it 'does not override them' do
           header('Origin', "https://test.com")
           get '/'
-          expect(last_response['Access-Control-Allow-Origin']). to eql("*")
-          expect(last_response['Access-Control-Allow-Methods']). to eql("POST")
+          expect(last_response['Access-Control-Allow-Origin']).to eql("*")
+          expect(last_response['Access-Control-Allow-Methods']).to eql("POST")
           expect(last_response.body).to eql("Hello world")
         end
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: startback
 version: !ruby/object:Gem::Version
-  version: 0.14.3
+  version: 0.15.1
 platform: ruby
 authors:
 - Bernard Lambeau
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-06-15 00:00:00.000000000 Z
+date: 2022-06-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec