static-rails 0.0.2 → 0.0.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 59b735436f8beadbe02b488f6d9ba385beb4527cc3b1da082e4e07f2a4645dc9
-  data.tar.gz: 5c40b3b20ea44e52dabef6d8660aaf59784f198759baac9e909ba9283916a9f8
+  metadata.gz: 71c1a0e6ce72ea1feb691e3cbfae0bec8bf723f1512cda383aeae57d56fd9765
+  data.tar.gz: 4d8d3c148661b2498ccfeb3677553e94a91c2cb68b5c48ba47aaace89be8adfe
 SHA512:
-  metadata.gz: 2d222bec9bcc9c02e3c52adadcd8426290dccbd18aaff465723ed4b152147d42c4980bf34284669cbd58ec2b9794aaf02b3e719bb1b76324ffceb24547b6afbc
-  data.tar.gz: c42139bb13e835326dd49c37f569c816689eff8a490befba9f6b37491e0113992dcaf4f5395fb24aaea20143c7abeacd5db8b0276932748ae7fc1476566263e3
+  metadata.gz: cc39f818e745f67930b8821dbf3b38cdfd34d33accd25979801a4fbc34df67cdf600e517a2fe806f6094e43bc2e797fcef2aa4b1bb7006f3d75317a26b19ea82
+  data.tar.gz: c0879dc6ef5950806aaa662035ac7593a78c334dc578f65bd5e13526d1f4c770a08b9cf1f2b8fc8e21a9d00372876736924e05687e4d33ebbb780acc5b802ea1

data/CHANGELOG.md

@@ -0,0 +1,35 @@
+## 0.0.7
+
+* Ensure that CSRF tokens are valid, at the cost of some performance and
+  reliance on additional Rails internals. As a result CSRF cookie setting is now
+  disabled by default [#6](https://github.com/testdouble/static-rails/pull/6)
+
+## 0.0.6
+
+* Fix an issue where `ActionDispatch::FileHandler` won't be loaded in the event
+  that static-rails is serving compiled assets but Rails is not
+
+## 0.0.5
+
+* Add a site option `compile_404_file_path` to specify a file to be used as a
+  404 page when serving compiled assets and no file is found
+
+## 0.0.4
+
+* Add a cookie named `_csrf_token` by default to all static site requests, so
+  that your static sites can make CSRF-protected requests of your server
+  ([#4](https://github.com/testdouble/static-rails/pull/4))
+
+## 0.0.3
+
+* Add `url_skip_paths_starting_with` array of strings option to site
+  configuration. Will fall through to the next matching site or all the way to
+  the Rails app.
+
+## 0.0.2
+
+* Add `env` hash option to site configuration
+
+## 0.0.1
+
+* Initial release

data/Gemfile.lock

@@ -1,32 +1,32 @@
 PATH
   remote: .
   specs:
-    static-rails (0.0.2)
+    static-rails (0.0.7)
       rack-proxy (~> 0.6)
       railties (>= 5.0.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (6.0.2.2)
-      actionview (= 6.0.2.2)
-      activesupport (= 6.0.2.2)
+    actionpack (6.0.3.1)
+      actionview (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
       rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.0.2.2)
-      activesupport (= 6.0.2.2)
+    actionview (6.0.3.1)
+      activesupport (= 6.0.3.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activesupport (6.0.2.2)
+    activesupport (6.0.3.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-      zeitwerk (~> 2.2)
+      zeitwerk (~> 2.2, >= 2.2.2)
     ast (2.4.0)
     builder (3.2.4)
     concurrent-ruby (1.1.6)
@@ -56,9 +56,9 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (6.0.2.2)
-      actionpack (= 6.0.2.2)
-      activesupport (= 6.0.2.2)
+    railties (6.0.3.1)
+      actionpack (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)

data/README.md

@@ -2,7 +2,7 @@
 
 [![CircleCI](https://circleci.com/gh/testdouble/static-rails.svg?style=svg)](https://circleci.com/gh/testdouble/static-rails)
 
-## What is this thing?
+## Build and serve your static sites from your Rails app
 
 **tl;dr in development, static-rails runs your static site generators &
 proxies requests; in production, it compiles and serves the final assets**
@@ -25,18 +25,18 @@ without forcing you to abandon your monolithic Rails architecture.
 
 Here's what it does:
 
-* In `development` and `test` environments, the gem will run launch each site's
-  `serve_command` and proxy to them any requests that match their configured
-  `url_subdomain` and `url_root_path` properties
+* In development, static-rails launches your sites' local servers and then
+  proxies any requests to wherever you've mounted them in your Rails app so you
+  can start a single server and transition work between your static sites and
+  Rails app seamlessly
 
-* When running `rake assets:precompile` (typically performed during a deploy),
-  the `compile_command` you've configured will be executed for each of your
-  sites
+* When deploying, static-rails will compile all your static assets when `rake
+  assets:precompile` is run, meaning your assets will be built automatically
+  when pushed to a platform like Heroku
 
-* In `production`, the gem will host each of your sites' assets out of your
-  configured `compile_dir` using the same middleware code that Rails uses to
-  host assets out of `public/`. (Putting a performant CDN in front of everything
-  remains an exercise for the reader.)
+* In production, static-rails will serve your sites' compiled assets from disk
+  with a similar features and performance to what you're familiar with if you've
+  ever hosted files out of your `public/` directory
 
 ## Install
 
@@ -46,7 +46,7 @@ Add this to your Gemfile:
 gem "static-rails"
 ```
 
-Then run this generator to create a configuration file 
+Then run this generator to create a configuration file
 `config/initializers/static.rb`:
 
 ```
@@ -54,11 +54,110 @@ $ rails g static_rails:initializer
 ```
 
 You can check out the configuration options in the [generated file's
-comments](/lib/generators/templates/static.rb).
+comments]().
 
 Want an example of setting things up? You're in luck, there's an [example
 app](/example) right in this repo!
 
+## Configuring the gem
+
+**(Want to dive right in? The generated initializer [enumerates every
+option](/lib/generators/templates/static.rb) and the [example app's
+config](https://github.com/testdouble/static-rails/blob/master/example/config/initializers/static.rb)
+sets up 4 sites.)**
+
+### Top-level configuration
+
+So, what should you stick in your initializer's `StaticRails.config do |config|`
+block? These options are set right off the `config` object and control the
+overall behavior of the gem itself, across all your static sites:
+
+* **config.proxy_requests** (Default: `!Rails.env.production?`) when true,
+  the gem's middleware requests that match where you've mounted your static site
+  and proxy them to the development server
+
+* **config.serve_compiled_assets** (Default: `Rails.env.production?`) when true,
+  the gem's middleware will find your static assets on disk and serve them using
+  the same code that Rails uses to serve files out of `public/`
+
+* **config.ping_server_timeout** (Default: `5`) the number of seconds that (when
+  `proxy_requests` is true, that the gem will wait for a response from a static
+  site's server on any given request before timing out and raising an error
+
+* **config.set_csrf_token_cookie** (Default: `false`) when true, the gem's
+  middleware will set a cookie named `_csrf_token` with each request of your
+  static site. You can use this to set the `'x-csrf-token'` header on any
+  requests from your site back to routes hosted by the Rails app that are
+  [protected from CSRF
+  forgery](https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf)
+  (if you're not using Rails' cookie store for sessions or you're okay with API
+  calls bypassing Rails CSRF, leave this off)
+
+### Configuring your static sites themselves
+
+To tell the gem about your static sites, assign an array of hashes as `sites`
+(e.g. `config.sites = [{…}]`). Each of those hashes have the following options:
+
+* **name** (Required) A unique name for the site (primarily used for
+  logging)
+
+* **source_dir** (Required) The file path (relative to the Rails app's root) to
+  the static site's project directory
+
+* **url_subdomain** (Default: `nil`) Constrains the static site's assets to only
+  be served for requests to a given subdomain (e.g. for a Rails app hosting
+  `example.com`, a Hugo site at `blog.example.com` would set this to `"blog"`)
+
+* **url_root_path** (Default: `/`) The base URL path at which to mount the
+  static site (e.g. if you want your Jekyll site hosted at `example.com/docs`,
+  you'd set this to `/docs`). For most static site generators, you'll want to
+  configure it to serve assets from the same path so links and other references
+  are correct (see below for examples)
+
+* **url_skip_paths_starting_with** (Default: `[]`) If you want to mount your
+  static site to `/` but allow the Rails app to serve APIs from `/api`, you can
+  set the path prefix `["/api"]` here to tell the gem's middleware not to try to
+  proxy or serve the request from your static site, but rather let Rails handle
+  it
+
+* **start_server** (Default `!Rails.env.production?) When true, the gem will
+  start the site's server (and if it ever exits, restart it) as your Rails app
+  is booting up. All output from the server will be forwarded to STDOUT/STDERR
+
+* **server_command** (Required if `start_server` is true) the command to run to
+  start the site's server, from the working directory of `source_dir` (e.g.
+  `hugo server`)
+
+* **ping_server** (Default: true) if this and `start_server` are both true, then
+  wait to proxy any requests until the server is accepting TCP connections
+
+* **env** (Default: `{}`) any environment variables you need to pass to either
+  the server or compile commands (e.g. `env: {"BUNDLE_PATH" =>
+  "vendor/bundle"}`). Note that this configuration file is Ruby, so if you need
+  to provide different env vars based on Rails environment, you have the power
+  to do that!
+
+* **server_host** (Default: `localhost`) the host your static site's server will
+  run on
+
+* **server_port** (Required if `proxy_requests` is true) the port your static
+  site's server will accept requests on
+
+* **server_path** (Default: `"/"`) the root URL path to which requests should be
+  proxied
+
+* **compile_comand** (Required) the command to be run by both the
+  `static:compile` and `assets:precompile` Rake commands (e.g. `npm run build`),
+  with working directory set to the site's `source_dir`
+
+* **compile_dir** (Required when `serve_compiled_assets` is true) the root file
+  path to which production assets are compiled, relative to the site's
+  `source_dir`
+
+* **compile_404_file_path** (Optional) When `serve_compiled_assets` is true,
+  this file (relative to the `compile_dir`) will be served whenever the
+  request's path does not match a file on disk
+
 ## Configuring your static site generators
 
 Assuming you won't be mounting your static site to your app's root `/` path,
@@ -104,9 +203,10 @@ To mitigate this, there are a few things you can do:
   base path with `{{ "/" | relURL }}` (given the above `baseURL`, this will
   render `"/marketing/"`)
 
-Also, because Hugo will serve `/livereload.js` from the root, live-reloading probably 
+Also, because Hugo will serve `/livereload.js` from the root, live-reloading probably
 won't work in development when running through the static-rails proxy.
-You might consider disabling it with `--disableLiveReload`.
+You might consider disabling it with `--disableLiveReload` unless you're serving
+Hugo from a root path ("`/`").
 
 A static-rails config for a Hugo configuration in `sites` might look like:
 

data/lib/generators/templates/static.rb

@@ -9,6 +9,11 @@ StaticRails.config do |config|
   #   (Applies when a site has both start_server and ping_server set to true)
   # config.ping_server_timeout = 5
 
+  # When true, both the proxy & static asset middleware will set a cookie
+  #   named "_csrf_token" to the Rails CSRF token, allowing any client-side
+  #   API requests to take advantage of Rails' request forgery protection
+  # config.set_csrf_token_cookie = false
+
   # The list of static sites you are hosting with static-rails.
   # Note that order matters! Request will be forwarded to the first site that
   # matches the subdomain and root path (this probably means you want any sites
@@ -28,6 +33,9 @@ StaticRails.config do |config|
     #   # Mount the static site web hosting to a certain sub-path (e.g. "/docs")
     #   url_root_path: "/",
     #
+    #   # Don't serve/redirect routes whose paths start with these strings
+    #   url_skip_paths_starting_with: ["/api"]
+    #
     #   # Whether to run the local development/test server or not
     #   start_server: !Rails.env.production?,
     #
@@ -58,6 +66,9 @@ StaticRails.config do |config|
     #
     #   # The destination of production-compiled assets, relative to Rails root
     #   compile_dir: "static/blog/dist"
+    #
+    #   # A 404 page to be sent when serving compiled assets and no file matches
+    #   compile_404_file_path: "404.html"
     # },
   ]
 end

data/lib/static-rails/configuration.rb

@@ -13,20 +13,24 @@ module StaticRails
     # When Rails invokes our Railtie, we'll save off a reference to the Rails app
     attr_accessor :app
 
-    # When true, the ProxyMiddleware will be added
+    # When true, our middleware will proxy requests to static site servers
     attr_accessor :proxy_requests
 
-    # When true, the StaticMiddleware will be added
+    # When true, our middleware will serve sites' compiled asset files
     attr_accessor :serve_compiled_assets
 
     # Number of seconds to wait on sites to confirm servers are ready
     attr_accessor :ping_server_timeout
 
+    # When true, a cookie named "_csrf_token" will be set by static-rails middleware
+    attr_accessor :set_csrf_token_cookie
+
     def initialize
       @sites = []
       @proxy_requests = !Rails.env.production?
       @serve_compiled_assets = Rails.env.production?
       @ping_server_timeout = 5
+      @set_csrf_token_cookie = false
     end
 
     attr_reader :sites

data/lib/static-rails/determines_whether_to_handle_request.rb

@@ -0,0 +1,15 @@
+module StaticRails
+  class DeterminesWhetherToHandleRequest
+    def initialize
+      @matches_request_to_static_site = MatchesRequestToStaticSite.new
+    end
+
+    def call(env)
+      req = Rack::Request.new(env)
+
+      (req.get? || req.head?) &&
+        (StaticRails.config.proxy_requests || StaticRails.config.serve_compiled_assets) &&
+        @matches_request_to_static_site.call(req)
+    end
+  end
+end

data/lib/static-rails/gets_csrf_token.rb

@@ -0,0 +1,25 @@
+module StaticRails
+  class GetsCsrfToken
+    def call(req)
+      masked_authenticity_token(req.session)
+    end
+
+    private
+
+    def masked_authenticity_token(session, form_options: {})
+      ActionController::RequestForgeryProtection.instance_method(:masked_authenticity_token).bind(self).call(session, form_options)
+    end
+
+    def real_csrf_token(session)
+      ActionController::RequestForgeryProtection.instance_method(:real_csrf_token).bind(self).call(session)
+    end
+
+    def xor_byte_strings(s1, s2)
+      ActionController::RequestForgeryProtection.instance_method(:xor_byte_strings).bind(self).call(s1, s2)
+    end
+
+    def per_form_csrf_tokens
+      false
+    end
+  end
+end

data/lib/static-rails/matches_request_to_static_site.rb

@@ -2,7 +2,7 @@ module StaticRails
   class MatchesRequestToStaticSite
     def call(request)
       StaticRails.config.sites.find { |site|
-        subdomain_match?(site, request) && path_match?(site, request)
+        subdomain_match?(site, request) && path_match?(site, request) && !skip_path?(site, request)
       }
     end
 
@@ -20,5 +20,11 @@ module StaticRails
     def path_match?(site, request)
       request.path_info.start_with?(site.url_root_path)
     end
+
+    def skip_path?(site, request)
+      site.url_skip_paths_starting_with.any? { |path_start|
+        request.path_info.start_with?(path_start)
+      }
+    end
   end
 end

data/lib/static-rails/proxy_middleware.rb

@@ -14,22 +14,21 @@ module StaticRails
 
     def perform_request(env)
       return @app.call(env) unless StaticRails.config.proxy_requests
-      ServerStore.instance.ensure_all_servers_are_started
 
-      req = Rack::Request.new(env)
       server_store = ServerStore.instance
+      server_store.ensure_all_servers_are_started
       server_store.ensure_servers_are_up
 
+      req = Rack::Request.new(env)
       if (req.get? || req.head?) && (site = @matches_request_to_static_site.call(req))
         if site.ping_server && (server = server_store.server_for(site))
           server.wait_until_ready
         end
 
         @backend = URI("http://#{site.server_host}:#{site.server_port}")
-
         env["HTTP_HOST"] = @backend.host
         env["PATH_INFO"] = forwarding_path(site, req)
-        env["HTTP_COOKIE"] = ""
+
         super(env)
       else
         @app.call(env)

data/lib/static-rails/railtie.rb

@@ -1,7 +1,7 @@
 require_relative "rack_server_check"
 require_relative "server_store"
-require_relative "proxy_middleware"
-require_relative "static_middleware"
+require_relative "site_middleware"
+require_relative "site_plus_csrf_middleware"
 
 module StaticRails
   class Railtie < ::Rails::Railtie
@@ -9,14 +9,9 @@ module StaticRails
       load "tasks/static-rails.rake"
     end
 
-    # Note that user initializer won't have run yet, but we seem to need to
-    # register the middleware by now if it's going to properly get added to the
-    # stack. So if the user overrides these flags' defaults, the middleware will
-    # still be added but will be responsible itself for skipping each request
-    if StaticRails.config.proxy_requests
-      config.app_middleware.insert_before 0, ProxyMiddleware
-    elsif StaticRails.config.serve_compiled_assets
-      config.app_middleware.insert_before 0, StaticMiddleware
+    initializer "static_rails.middleware" do
+      config.app_middleware.insert_before 0, SiteMiddleware
+      config.app_middleware.use SitePlusCsrfMiddleware
     end
 
     config.after_initialize do |app|

data/lib/static-rails/site.rb

@@ -3,6 +3,7 @@ module StaticRails
     :name,
     :url_subdomain,
     :url_root_path,
+    :url_skip_paths_starting_with,
     :source_dir,
     :start_server,
     :ping_server,
@@ -13,11 +14,13 @@ module StaticRails
     :server_path,
     :compile_command,
     :compile_dir,
+    :compile_404_file_path,
     keyword_init: true
   )
 
     def initialize(
       url_root_path: "/",
+      url_skip_paths_starting_with: [],
       start_server: !Rails.env.production?,
       ping_server: true,
       env: {},
@@ -25,11 +28,13 @@ module StaticRails
       server_path: "/",
       **other_kwargs
     )
+      @url_root_path = url_root_path
+      @url_skip_paths_starting_with = url_skip_paths_starting_with
       @start_server = start_server
+      @ping_server = ping_server
       @env = env
       @server_host = server_host
       @server_path = server_path
-      @ping_server = ping_server
       super
     end
   end

data/lib/static-rails/site_middleware.rb

@@ -0,0 +1,58 @@
+require_relative "proxy_middleware"
+require_relative "static_middleware"
+require_relative "determines_whether_to_handle_request"
+
+module StaticRails
+  class SiteMiddleware
+    PATH_INFO_OBFUSCATION = "JujJVj31M3SpzTjIGBJ2-3iE0lKXOIOlbLuk9Lxwe-Ll2uLuwH5KD8dmt1MqyZ"
+
+    def initialize(app)
+      @app = app
+      @proxy_middleware = ProxyMiddleware.new(app)
+      @static_middleware = StaticMiddleware.new(app)
+      @determines_whether_to_handle_request = DeterminesWhetherToHandleRequest.new
+    end
+
+    def call(env)
+      return @app.call(env) unless @determines_whether_to_handle_request.call(env)
+
+      if require_csrf_before_processing_request?
+        # You might be asking yourself what the hell is going on here. In short,
+        # This middleware sits at the top of the stack, which is too early to
+        # set a CSRF token in a cookie. Therefore, we've placed a subclass of
+        # this middleware named SitePlusCsrfMiddleware near the bottom of the
+        # middleware stack, which is slower but comes after Session::CookieStore
+        # and therefore can write _csrf_token to the cookie. As a result, the
+        # observable behavior to the user is identical, but the first request
+        # to set the cookie will be marginally slower because it needs to go
+        # deeper down the Rails middleware stack
+        #
+        # But! Between these two is ActionDispatch::Static. In the odd case that
+        # a path that this middleware would serve happens to match the name of
+        # a path in public/, kicking down the middleware stack would result in
+        # that file being served instead of our deeper middleware being called.
+        # So to work around this we're just making the PATH_INFO property so
+        # ugly that there's no chance it'll match anything. When our subclass
+        # gets its shot at this request, it'll know to remove the path
+        # obfuscation from PATH_INFO and go about its business.
+        #
+        # See, easy!
+        #
+        # (By the way, this was all Matthew Draper's bright idea. You can
+        # compliment him here: https://github.com/matthewd )
+        @app.call(env.merge("PATH_INFO" => env["PATH_INFO"] + PATH_INFO_OBFUSCATION))
+      elsif StaticRails.config.proxy_requests
+        @proxy_middleware.call(env)
+      elsif StaticRails.config.serve_compiled_assets
+        @static_middleware.call(env)
+      end
+    end
+
+    protected
+
+    # Override this in subclass since it'll call super(env) and deal itself
+    def require_csrf_before_processing_request?
+      StaticRails.config.set_csrf_token_cookie
+    end
+  end
+end

data/lib/static-rails/site_plus_csrf_middleware.rb

@@ -0,0 +1,50 @@
+require_relative "site_middleware"
+require_relative "determines_whether_to_handle_request"
+require_relative "validates_csrf_token"
+require_relative "gets_csrf_token"
+
+module StaticRails
+  class SitePlusCsrfMiddleware < SiteMiddleware
+    def initialize(app)
+      @determines_whether_to_handle_request = DeterminesWhetherToHandleRequest.new
+      @validates_csrf_token = ValidatesCsrfToken.new
+      @gets_csrf_token = GetsCsrfToken.new
+      super
+    end
+
+    def call(env)
+      return @app.call(env) unless @determines_whether_to_handle_request.call(env)
+
+      env = env.merge(
+        "PATH_INFO" => env["PATH_INFO"].gsub(/#{PATH_INFO_OBFUSCATION}/, "")
+      )
+      status, headers, body = super(env)
+
+      if StaticRails.config.set_csrf_token_cookie
+        req = Rack::Request.new(env)
+        res = Rack::Response.new(body, status, headers)
+        if needs_new_csrf_token?(req)
+          res.set_cookie("_csrf_token", {
+            value: @gets_csrf_token.call(req),
+            path: "/"
+          })
+        end
+        res.finish
+      else
+        [status, headers, body]
+      end
+    end
+
+    protected
+
+    def require_csrf_before_processing_request?
+      false
+    end
+
+    private
+
+    def needs_new_csrf_token?(req)
+      !req.cookies.has_key?("_csrf_token") || !@validates_csrf_token.call(req)
+    end
+  end
+end

data/lib/static-rails/static_middleware.rb

@@ -1,4 +1,5 @@
 require "rack-proxy"
+require "action_dispatch/middleware/static"
 
 require_relative "matches_request_to_static_site"
 
@@ -17,7 +18,7 @@ module StaticRails
       if (req.get? || req.head?) && (site = @matches_request_to_static_site.call(req))
         file_handler = file_handler_for(site)
         path = req.path_info.gsub(/^#{site.url_root_path}/, "").chomp("/")
-        if (match = file_handler.match?(path))
+        if (match = matching_file_for(file_handler, site, path))
           req.path_info = match
           return file_handler.serve(req)
         end
@@ -35,5 +36,13 @@ module StaticRails
         StaticRails.config.app.root.join(site.compile_dir).to_s
       )
     end
+
+    def matching_file_for(file_handler, site, path)
+      if (match = file_handler.match?(path))
+        match
+      elsif site.compile_404_file_path.present?
+        file_handler.match?(site.compile_404_file_path)
+      end
+    end
   end
 end

data/lib/static-rails/validates_csrf_token.rb

@@ -0,0 +1,26 @@
+module StaticRails
+  class ValidatesCsrfToken
+    def call(req)
+      valid_authenticity_token?(req.session, req.cookies["_csrf_token"])
+    end
+
+    private
+
+    [
+      :valid_authenticity_token?,
+      :unmask_token,
+      :compare_with_real_token,
+      :valid_per_form_csrf_token?,
+      :xor_byte_strings,
+      :real_csrf_token
+    ].each do |method|
+      define_method method do |*args, **kwargs, &blk|
+        ActionController::RequestForgeryProtection.instance_method(method).bind(self).call(*args, **kwargs, &blk)
+      end
+    end
+
+    def per_form_csrf_tokens
+      false
+    end
+  end
+end

data/lib/static-rails/version.rb

@@ -1,3 +1,3 @@
 module StaticRails
-  VERSION = "0.0.2"
+  VERSION = "0.0.7"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: static-rails
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.7
 platform: ruby
 authors:
 - Justin Searls
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-05-06 00:00:00.000000000 Z
+date: 2020-05-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -49,6 +49,7 @@ files:
 - ".gitignore"
 - ".standard.yml"
 - ".travis.yml"
+- CHANGELOG.md
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -61,7 +62,9 @@ files:
 - lib/static-rails.rb
 - lib/static-rails/compile.rb
 - lib/static-rails/configuration.rb
+- lib/static-rails/determines_whether_to_handle_request.rb
 - lib/static-rails/error.rb
+- lib/static-rails/gets_csrf_token.rb
 - lib/static-rails/matches_request_to_static_site.rb
 - lib/static-rails/proxy_middleware.rb
 - lib/static-rails/rack_server_check.rb
@@ -69,7 +72,10 @@ files:
 - lib/static-rails/server.rb
 - lib/static-rails/server_store.rb
 - lib/static-rails/site.rb
+- lib/static-rails/site_middleware.rb
+- lib/static-rails/site_plus_csrf_middleware.rb
 - lib/static-rails/static_middleware.rb
+- lib/static-rails/validates_csrf_token.rb
 - lib/static-rails/version.rb
 - lib/static-rails/waits_for_connection.rb
 - lib/tasks/static-rails.rake