startback 0.14.4 → 0.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c5c3f249ec6472efb11b54a4f986e821a5cac786289cf8e6b6030ecfee74ed5d
-  data.tar.gz: 4e5c9cbe214c1406dbcf540fb956265646408a5c5617b056969f43b9d0ac384b
+  metadata.gz: d3b72151f15267aa20de6185a0f6c33d6ee22370171dfb34574604dfb1c5016c
+  data.tar.gz: 2aa005e7ca84a6dab18a29b0054ad16483b5c8b27e789351c8dfb3bccdc4714a
 SHA512:
-  metadata.gz: 34394cd84378932d4c8355364fbff7d19b7c7d78c3002f039952813ebf0b74e55edf7ad080838362f5e2827846f6bbfd3f35d2ab8dc0d5b4cd708da02d50a932
-  data.tar.gz: ba61cc3907b2b14dd8ee0abc8ea2d70772b841dadc6c9e71338c1bec6074f929543430607392ea85c851ff7ec74b089286b8307845f0fc9ad31b1d65e3b6299c
+  metadata.gz: fb5b6cb84aa0fb74ad5600fd5cefaf7efc1bd0bd659555e5035031db98646d7cf44f66c22c1c04ffa020d74dbdb4ad4609e09a8dda2efee7b0f41570a0ce57ae
+  data.tar.gz: ebacc25e2ca8628d5914396314bec03a22d65fa39886656f2f0863fb02efc1276cda9ccf07e1ef0256489ad17845e5e3fb224c4707ce4295740917af872b240f

data/lib/startback/version.rb

@@ -1,8 +1,8 @@
 module Startback
   module Version
     MAJOR = 0
-    MINOR = 14
-    TINY  = 4
+    MINOR = 15
+    TINY  = 0
   end
   VERSION = "#{Version::MAJOR}.#{Version::MINOR}.#{Version::TINY}"
 end

data/lib/startback/web/cors_headers.rb

@@ -14,6 +14,12 @@ module Startback
     #     # as Access-Control-Allow-Origin response header
     #     use CorsHeaders, bounce: true
     #
+    #     # Force a bouncing of the origin, but only for whitelisted candidates
+    #     use CorsHeaders, bounce: ['https://*.test.com', 'https://*.test.devel']
+    #
+    #     # The option above also works with a comma-separated string
+    #     use CorsHeaders, bounce: 'https://*.test.com,https://*.test.devel'
+    #
     #     # Overrides a specific header
     #     use CorsHeaders, headers: { 'Access-Control-Allow-Methods' => 'POST' }
     #
@@ -47,6 +53,7 @@ module Startback
       def initialize(app, options = {})
         @app = app
         @options = Startback::Support.deep_merge(DEFAULT_OPTIONS, options)
+        @options[:bounce] = compile_bounce!(@options[:bounce])
       end
 
       def call(env)
@@ -65,14 +72,43 @@ module Startback
 
       def cors_headers(origin)
         headers = @options[:headers].dup
-        if bounce?
-          headers['Access-Control-Allow-Origin'] = origin
-        end
+        bounce = do_bounce(origin)
+        headers['Access-Control-Allow-Origin'] = bounce
         headers
       end
 
-      def bounce?
-        @options[:bounce]
+      def compile_bounce!(bounce)
+        case bounce
+        when TrueClass
+          true
+        when FalseClass, NilClass
+          nil
+        when Regexp
+          bounce
+        when String
+          rx_str = bounce
+            .split(',')
+            .map{|b| b.gsub(/\*/, '[^.]+') }
+            .join('|')
+          Regexp.new("^(#{rx_str})$")
+        when Array
+          compile_bounce!(bounce.join(','))
+        else
+          nil
+        end
+      end
+
+      def do_bounce(origin)
+        case bounce = @options[:bounce]
+        when NilClass
+          @options[:headers]['Access-Control-Allow-Origin']
+        when TrueClass
+          origin
+        when Regexp
+          bounce =~ origin ? origin : nil
+        else
+          nil
+        end
       end
 
     end # class AllowCors

data/lib/startback/web/shield.rb

@@ -40,6 +40,7 @@ module Startback
       def body_for(ex)
         ex = ex.root_cause if ex.is_a?(Finitio::TypeError)
         body = { code: ex.class.name, description: ex.message }
+        body[:location] = ex.location if ex.is_a?(Finitio::TypeError)
         return body unless ex.is_a?(Startback::Errors::Error)
         return body unless ex.has_causes?
 

data/spec/unit/web/test_cors_headers.rb

@@ -17,22 +17,22 @@ module Startback
         it 'sets the CORS headers to default values' do
           header('Origin', "https://test.com")
           get '/'
-          expect(last_response['Access-Control-Allow-Origin']). to eql("*")
-          expect(last_response['Access-Control-Allow-Methods']). to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
+          expect(last_response['Access-Control-Allow-Origin']).to eql("*")
+          expect(last_response['Access-Control-Allow-Methods']).to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
           expect(last_response.body).to eql("Hello world")
         end
 
         it 'strips everything when option' do
           header('Origin', "https://test.com")
           options '/'
-          expect(last_response['Access-Control-Allow-Origin']). to eql("*")
-          expect(last_response['Access-Control-Allow-Methods']). to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
+          expect(last_response['Access-Control-Allow-Origin']).to eql("*")
+          expect(last_response['Access-Control-Allow-Methods']).to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
           expect(last_response.status).to eql(204)
           expect(last_response.body).to eql("")
         end
       end
 
-      context 'when used with the :bounce option' do
+      context 'when used with the :bounce option (boolean)' do
         def app
           Rack::Builder.new do
             use CorsHeaders, bounce: true
@@ -43,12 +43,62 @@ module Startback
         it 'sets the CORS Origin header to the caller' do
           header('Origin', "https://test.com")
           get '/'
-          expect(last_response['Access-Control-Allow-Origin']). to eql("https://test.com")
-          expect(last_response['Access-Control-Allow-Methods']). to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
+          expect(last_response['Access-Control-Allow-Origin']).to eql("https://test.com")
+          expect(last_response['Access-Control-Allow-Methods']).to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
           expect(last_response.body).to eql("Hello world")
         end
       end
 
+      context 'when used with the :bounce option (array)' do
+        def app
+          Rack::Builder.new do
+            use CorsHeaders, bounce: ['https://test.com', 'https://*.test.com']
+            run ->(env){ [200, {}, ["Hello world"]] }
+          end
+        end
+
+        it 'sets the CORS Origin header to the caller if match' do
+          header('Origin', "https://test.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to eql("https://test.com")
+
+          header('Origin', "https://api.test.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to eql("https://api.test.com")
+        end
+
+        it 'rejects otherwise' do
+          header('Origin', "https://nosuchone.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to be_nil
+        end
+      end
+
+      context 'when used with the :bounce option (string)' do
+        def app
+          Rack::Builder.new do
+            use CorsHeaders, bounce: 'https://test.com,https://*.test.com'
+            run ->(env){ [200, {}, ["Hello world"]] }
+          end
+        end
+
+        it 'sets the CORS Origin header to the caller if match' do
+          header('Origin', "https://test.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to eql("https://test.com")
+
+          header('Origin', "https://api.test.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to eql("https://api.test.com")
+        end
+
+        it 'rejects otherwise' do
+          header('Origin', "https://nosuchone.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to be_nil
+        end
+      end
+
       context 'when overriding a header' do
         def app
           Rack::Builder.new do
@@ -60,8 +110,8 @@ module Startback
         it 'sets the CORS Origin header to the caller' do
           header('Origin', "https://test.com")
           get '/'
-          expect(last_response['Access-Control-Allow-Origin']). to eql("*")
-          expect(last_response['Access-Control-Allow-Methods']). to eql("POST")
+          expect(last_response['Access-Control-Allow-Origin']).to eql("*")
+          expect(last_response['Access-Control-Allow-Methods']).to eql("POST")
           expect(last_response.body).to eql("Hello world")
         end
       end
@@ -77,8 +127,8 @@ module Startback
         it 'does not override them' do
           header('Origin', "https://test.com")
           get '/'
-          expect(last_response['Access-Control-Allow-Origin']). to eql("*")
-          expect(last_response['Access-Control-Allow-Methods']). to eql("POST")
+          expect(last_response['Access-Control-Allow-Origin']).to eql("*")
+          expect(last_response['Access-Control-Allow-Methods']).to eql("POST")
           expect(last_response.body).to eql("Hello world")
         end
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: startback
 version: !ruby/object:Gem::Version
-  version: 0.14.4
+  version: 0.15.0
 platform: ruby
 authors:
 - Bernard Lambeau
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-06-15 00:00:00.000000000 Z
+date: 2022-06-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec