static-rails 0.0.11 → 0.0.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d5808adb0f3f344a5706a6dddb5053899047f5d8aa4bbddb577168319b9aa046
-  data.tar.gz: d84c08d618e80a28b95be9da396f34d57636985ecf83859a906c5997a1532238
+  metadata.gz: 3c9c3f77b3746fd75f797c4c33815e5c699af9e4c1c9a88f56234117406d1b7f
+  data.tar.gz: bf8d899c95891497e8a17492d58315993af2d189f7a3ea3e848937f04e252a81
 SHA512:
-  metadata.gz: adb43e14b69561af8ce12989d319782b95d8c915b30968c4ce28d6bbf109426b8d606ba83d860002c2d793c16be3fbfe6c962be473df83507fd18d1e16de66c4
-  data.tar.gz: 7f4e6b9a9ed8dabaccd3a0da66671c36605a56e15da8483fe17f9518badbe3be6e2b82369ac4e7a05af9b4d594eaec1b010ad7616fc77b3aa835f81e0f87aa57
+  metadata.gz: 8ae97c0207f5fcfe0516d78e43738ec6c8def425312dd0af03070c488927ee812824b1ec3742ee21e874e3d8e47568f44e1bd577757aa0054f8a3dcadce7c943
+  data.tar.gz: f840d03e50b3017ecccc9a259d9f89e0ce92dc76b735f47bc6a8873c17efb6f87ece051eb6167f6a11f603e88c5e5c5ca2afac9b9f2d886bf098e63fc0491133

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 0.0.12
+
+* Fix an issue in which enabling force_ssl would result in redirects to the
+  obfuscated `/_static_rails/` path. Resolved this by placing the static-rails
+  middleware after `ActionDispatch::SSL`. Note that this will break if you
+  remove `Rack::SendFile` from your app's middleware stack
+
 ## 0.0.11
 
 * Inline the `ActionDispatch::FileHandler` from Rails master so that we can

data/Gemfile.lock

@@ -1,27 +1,27 @@
 PATH
   remote: .
   specs:
-    static-rails (0.0.11)
+    static-rails (0.0.12)
       rack-proxy (~> 0.6)
       railties (>= 5.0.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (6.0.3.1)
-      actionview (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
+    actionpack (6.0.3.2)
+      actionview (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
       rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.0.3.1)
-      activesupport (= 6.0.3.1)
+    actionview (6.0.3.2)
+      activesupport (= 6.0.3.2)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activesupport (6.0.3.1)
+    activesupport (6.0.3.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
@@ -34,7 +34,7 @@ GEM
     erubi (1.9.0)
     i18n (1.8.3)
       concurrent-ruby (~> 1.0)
-    loofah (2.5.0)
+    loofah (2.6.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     method_source (1.0.0)
@@ -45,7 +45,7 @@ GEM
     parallel (1.19.1)
     parser (2.7.1.3)
       ast (~> 2.4.0)
-    rack (2.2.2)
+    rack (2.2.3)
     rack-proxy (0.6.5)
       rack
     rack-test (1.1.0)
@@ -55,9 +55,9 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (6.0.3.1)
-      actionpack (= 6.0.3.1)
-      activesupport (= 6.0.3.1)
+    railties (6.0.3.2)
+      actionpack (= 6.0.3.2)
+      activesupport (= 6.0.3.2)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)

data/lib/generators/templates/static.rb

@@ -34,14 +34,14 @@ StaticRails.config do |config|
     #   url_root_path: "/",
     #
     #   # Don't serve/redirect routes whose paths start with these strings
-    #   url_skip_paths_starting_with: ["/api"]
+    #   url_skip_paths_starting_with: ["/api"],
     #
     #   # Whether to run the local development/test server or not
     #   start_server: !Rails.env.production?,
     #
     #   # If start_server is true, wait to proxy requests to the server until it
     #   #   can connect to server_host over TCP on server_port
-    #   ping_server: true
+    #   ping_server: true,
     #
     #   # Any environment variables you need to pass to the server & compile
     #   #   commands as a hash (e.g. `env: {"BUNDLE_PATH" => "vendor/bundle"}`)
@@ -65,7 +65,7 @@ StaticRails.config do |config|
     #   compile_command: "hugo",
     #
     #   # The destination of production-compiled assets, relative to Rails root
-    #   compile_dir: "static/blog/dist"
+    #   compile_dir: "static/blog/dist",
     #
     #   # A 404 page to be sent when serving compiled assets and no file matches
     #   compile_404_file_path: "404.html"

data/lib/static-rails/configuration.rb

@@ -36,7 +36,7 @@ module StaticRails
     attr_reader :sites
     def sites=(sites)
       @sites = Array.wrap(sites).map { |site|
-        Site.new(site)
+        Site.new(**site)
       }
     end
   end

data/lib/static-rails/gets_csrf_token.rb

@@ -10,16 +10,18 @@ module StaticRails
 
     private
 
-    def csrf_token_hmac(session, identifier)
-      ActionController::RequestForgeryProtection.instance_method(:csrf_token_hmac).bind(self).call(session, identifier)
-    end
-
-    def mask_token(raw_token)
-      ActionController::RequestForgeryProtection.instance_method(:mask_token).bind(self).call(raw_token)
+    [
+      :csrf_token_hmac,
+      :mask_token,
+      :xor_byte_strings
+    ].each do |method|
+      define_method method do |*args, **kwargs, &blk|
+        ActionController::RequestForgeryProtection.instance_method(method).bind(self).call(*args, **kwargs, &blk)
+      end
     end
 
     def masked_authenticity_token(session, form_options: {})
-      ActionController::RequestForgeryProtection.instance_method(:masked_authenticity_token).bind(self).call(session, form_options)
+      ActionController::RequestForgeryProtection.instance_method(:masked_authenticity_token).bind(self).call(session, form_options: form_options)
     end
 
     def global_csrf_token(session)
@@ -30,10 +32,6 @@ module StaticRails
       ActionController::RequestForgeryProtection.instance_method(:real_csrf_token).bind(self).call(session)
     end
 
-    def xor_byte_strings(s1, s2)
-      ActionController::RequestForgeryProtection.instance_method(:xor_byte_strings).bind(self).call(s1, s2)
-    end
-
     def per_form_csrf_tokens
       false
     end

data/lib/static-rails/railtie.rb

@@ -10,7 +10,7 @@ module StaticRails
     end
 
     initializer "static_rails.middleware" do
-      config.app_middleware.insert_before 0, SiteMiddleware
+      config.app_middleware.insert_after Rack::Sendfile, SiteMiddleware
       config.app_middleware.use SitePlusCsrfMiddleware
     end
 

data/lib/static-rails/site_middleware.rb

@@ -40,7 +40,7 @@ module StaticRails
         #
         # (By the way, this was all Matthew Draper's bright idea. You can
         # compliment him here: https://github.com/matthewd )
-        @app.call(env.merge("PATH_INFO" => PATH_INFO_OBFUSCATION + env["PATH_INFO"]))
+        @app.call(env.merge("PATH_INFO" => "/" + PATH_INFO_OBFUSCATION + env["PATH_INFO"]))
       elsif StaticRails.config.proxy_requests
         @proxy_middleware.call(env)
       elsif StaticRails.config.serve_compiled_assets

data/lib/static-rails/site_plus_csrf_middleware.rb

@@ -13,10 +13,10 @@ module StaticRails
     end
 
     def call(env)
-      return @app.call(env) unless env["PATH_INFO"]&.start_with?(PATH_INFO_OBFUSCATION) || @determines_whether_to_handle_request.call(env)
+      return @app.call(env) unless env["PATH_INFO"]&.start_with?(/\/?#{PATH_INFO_OBFUSCATION}/) || @determines_whether_to_handle_request.call(env)
 
       env = env.merge(
-        "PATH_INFO" => env["PATH_INFO"].gsub(/^#{PATH_INFO_OBFUSCATION}/, "")
+        "PATH_INFO" => env["PATH_INFO"].gsub(/^\/?#{PATH_INFO_OBFUSCATION}/, "")
       )
       status, headers, body = super(env)
 

data/lib/static-rails/version.rb

@@ -1,3 +1,3 @@
 module StaticRails
-  VERSION = "0.0.11"
+  VERSION = "0.0.12"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: static-rails
 version: !ruby/object:Gem::Version
-  version: 0.0.11
+  version: 0.0.12
 platform: ruby
 authors:
 - Justin Searls
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-06-11 00:00:00.000000000 Z
+date: 2020-06-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties