startback 0.14.4 → 0.15.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c5c3f249ec6472efb11b54a4f986e821a5cac786289cf8e6b6030ecfee74ed5d
-  data.tar.gz: 4e5c9cbe214c1406dbcf540fb956265646408a5c5617b056969f43b9d0ac384b
+  metadata.gz: b8e08eed55633b64b47f2307a4264023f3232f67cae42170528e6791801bc58f
+  data.tar.gz: ea734a5d5fb6ae5f2259e66f2d90716136ec932f177309e5739b5f4c9bd720c0
 SHA512:
-  metadata.gz: 34394cd84378932d4c8355364fbff7d19b7c7d78c3002f039952813ebf0b74e55edf7ad080838362f5e2827846f6bbfd3f35d2ab8dc0d5b4cd708da02d50a932
-  data.tar.gz: ba61cc3907b2b14dd8ee0abc8ea2d70772b841dadc6c9e71338c1bec6074f929543430607392ea85c851ff7ec74b089286b8307845f0fc9ad31b1d65e3b6299c
+  metadata.gz: 7f43df37c925b1e8c8747c3670cd6c8bbc4389d0c6a75e4494318e2073585793cb91e901426ee7ab05ccbbcb19f56bf67e8c6aca7a750f60e116a5ce1db6de41
+  data.tar.gz: cdca0ff90178824867fe2c9218b2eecbecbc0c6a440588a774a22ab6341a959c6a0e747c711212792ddfeb6697bfdbf8c0067d0aa3e04df84fe779931b84edb4

data/lib/startback/version.rb

@@ -1,8 +1,8 @@
 module Startback
   module Version
     MAJOR = 0
-    MINOR = 14
-    TINY  = 4
+    MINOR = 15
+    TINY  = 2
   end
   VERSION = "#{Version::MAJOR}.#{Version::MINOR}.#{Version::TINY}"
 end

data/lib/startback/web/cors_headers.rb

@@ -14,6 +14,12 @@ module Startback
     #     # as Access-Control-Allow-Origin response header
     #     use CorsHeaders, bounce: true
     #
+    #     # Force a bouncing of the origin, but only for whitelisted candidates
+    #     use CorsHeaders, bounce: ['https://*.test.com', 'https://*.test.devel']
+    #
+    #     # The option above also works with a comma-separated string
+    #     use CorsHeaders, bounce: 'https://*.test.com,https://*.test.devel'
+    #
     #     # Overrides a specific header
     #     use CorsHeaders, headers: { 'Access-Control-Allow-Methods' => 'POST' }
     #
@@ -47,6 +53,7 @@ module Startback
       def initialize(app, options = {})
         @app = app
         @options = Startback::Support.deep_merge(DEFAULT_OPTIONS, options)
+        @options[:bounce] = compile_bounce!(@options[:bounce])
       end
 
       def call(env)
@@ -65,14 +72,46 @@ module Startback
 
       def cors_headers(origin)
         headers = @options[:headers].dup
-        if bounce?
-          headers['Access-Control-Allow-Origin'] = origin
+        if bounce = do_bounce(origin)
+          headers['Access-Control-Allow-Origin'] = bounce
+        else
+          headers.delete('Access-Control-Allow-Origin')
         end
         headers
       end
 
-      def bounce?
-        @options[:bounce]
+      def compile_bounce!(bounce)
+        case bounce
+        when TrueClass
+          true
+        when FalseClass, NilClass
+          nil
+        when Regexp
+          bounce
+        when String
+          rx_str = bounce
+            .split(',')
+            .map{|b| b.gsub(/\*/, '[^.]+') }
+            .join('|')
+          Regexp.new("^(#{rx_str})$")
+        when Array
+          compile_bounce!(bounce.join(','))
+        else
+          nil
+        end
+      end
+
+      def do_bounce(origin)
+        case bounce = @options[:bounce]
+        when NilClass
+          @options[:headers]['Access-Control-Allow-Origin']
+        when TrueClass
+          origin
+        when Regexp
+          bounce =~ origin ? origin : nil
+        else
+          nil
+        end
       end
 
     end # class AllowCors

data/lib/startback/web/shield.rb

@@ -40,6 +40,7 @@ module Startback
       def body_for(ex)
         ex = ex.root_cause if ex.is_a?(Finitio::TypeError)
         body = { code: ex.class.name, description: ex.message }
+        body[:location] = ex.location if ex.is_a?(Finitio::TypeError)
         return body unless ex.is_a?(Startback::Errors::Error)
         return body unless ex.has_causes?
 

data/spec/unit/web/test_cors_headers.rb

@@ -17,22 +17,22 @@ module Startback
         it 'sets the CORS headers to default values' do
           header('Origin', "https://test.com")
           get '/'
-          expect(last_response['Access-Control-Allow-Origin']). to eql("*")
-          expect(last_response['Access-Control-Allow-Methods']). to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
+          expect(last_response['Access-Control-Allow-Origin']).to eql("*")
+          expect(last_response['Access-Control-Allow-Methods']).to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
           expect(last_response.body).to eql("Hello world")
         end
 
         it 'strips everything when option' do
           header('Origin', "https://test.com")
           options '/'
-          expect(last_response['Access-Control-Allow-Origin']). to eql("*")
-          expect(last_response['Access-Control-Allow-Methods']). to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
+          expect(last_response['Access-Control-Allow-Origin']).to eql("*")
+          expect(last_response['Access-Control-Allow-Methods']).to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
           expect(last_response.status).to eql(204)
           expect(last_response.body).to eql("")
         end
       end
 
-      context 'when used with the :bounce option' do
+      context 'when used with the :bounce option (boolean)' do
         def app
           Rack::Builder.new do
             use CorsHeaders, bounce: true
@@ -43,12 +43,63 @@ module Startback
         it 'sets the CORS Origin header to the caller' do
           header('Origin', "https://test.com")
           get '/'
-          expect(last_response['Access-Control-Allow-Origin']). to eql("https://test.com")
-          expect(last_response['Access-Control-Allow-Methods']). to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
+          expect(last_response['Access-Control-Allow-Origin']).to eql("https://test.com")
+          expect(last_response['Access-Control-Allow-Methods']).to eql("OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE")
           expect(last_response.body).to eql("Hello world")
         end
       end
 
+      context 'when used with the :bounce option (array)' do
+        def app
+          Rack::Builder.new do
+            use CorsHeaders, bounce: ['https://test.com', 'https://*.test.com']
+            run ->(env){ [200, {}, ["Hello world"]] }
+          end
+        end
+
+        it 'sets the CORS Origin header to the caller if match' do
+          header('Origin', "https://test.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to eql("https://test.com")
+
+          header('Origin', "https://api.test.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to eql("https://api.test.com")
+        end
+
+        it 'rejects otherwise' do
+          header('Origin', "https://nosuchone.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to be_nil
+        end
+      end
+
+      context 'when used with the :bounce option (string)' do
+        def app
+          Rack::Builder.new do
+            use CorsHeaders, bounce: 'https://test.com,https://*.test.com'
+            run ->(env){ [200, {}, ["Hello world"]] }
+          end
+        end
+
+        it 'sets the CORS Origin header to the caller if match' do
+          header('Origin', "https://test.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to eql("https://test.com")
+
+          header('Origin', "https://api.test.com")
+          get '/'
+          expect(last_response['Access-Control-Allow-Origin']).to eql("https://api.test.com")
+        end
+
+        it 'rejects otherwise' do
+          header('Origin', "https://nosuchone.com")
+          get '/'
+          expect(last_response.headers.key?('Access-Control-Allow-Origin')).to eql(false)
+          expect(last_response['Access-Control-Allow-Origin']).to be_nil
+        end
+      end
+
       context 'when overriding a header' do
         def app
           Rack::Builder.new do
@@ -60,8 +111,8 @@ module Startback
         it 'sets the CORS Origin header to the caller' do
           header('Origin', "https://test.com")
           get '/'
-          expect(last_response['Access-Control-Allow-Origin']). to eql("*")
-          expect(last_response['Access-Control-Allow-Methods']). to eql("POST")
+          expect(last_response['Access-Control-Allow-Origin']).to eql("*")
+          expect(last_response['Access-Control-Allow-Methods']).to eql("POST")
           expect(last_response.body).to eql("Hello world")
         end
       end
@@ -77,8 +128,8 @@ module Startback
         it 'does not override them' do
           header('Origin', "https://test.com")
           get '/'
-          expect(last_response['Access-Control-Allow-Origin']). to eql("*")
-          expect(last_response['Access-Control-Allow-Methods']). to eql("POST")
+          expect(last_response['Access-Control-Allow-Origin']).to eql("*")
+          expect(last_response['Access-Control-Allow-Methods']).to eql("POST")
           expect(last_response.body).to eql("Hello world")
         end
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: startback
 version: !ruby/object:Gem::Version
-  version: 0.14.4
+  version: 0.15.2
 platform: ruby
 authors:
 - Bernard Lambeau
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-06-15 00:00:00.000000000 Z
+date: 2022-08-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -133,7 +133,7 @@ dependencies:
         version: '0.10'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.11'
+        version: '0.12'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -143,7 +143,7 @@ dependencies:
         version: '0.10'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '0.11'
+        version: '0.12'
 - !ruby/object:Gem::Dependency
   name: path
   requirement: !ruby/object:Gem::Requirement