static-rails 0.0.3 → 0.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 04cd8c43f2a9d6ff2da0768d8daa7024ca470acb94a2444540d26411dad45675
-  data.tar.gz: 55246dbc95a32e8517db8bc8b21136f9a3cac60ba18b3cd9bee27ef2501ae774
+  metadata.gz: 14d31f3821438735e307f98dd5f4a48215d0b1d678915369a7abd459b3b40145
+  data.tar.gz: bc7b15c689693e533a75ac378db060396cde1839edb0acffc04c30e18872bf77
 SHA512:
-  metadata.gz: e59dd52fb103bc1add1ad27a05ac83eff4b04b09ecc7bb08b73d2fd071279a87e8ae05e73c2f43a64eda4e2c1c77281d0fd8650a5c4aea2d04c2088980606127
-  data.tar.gz: 548aa50ee427be8b0a3842b4000a07dbac7b0513cf9a712ab46dcd8903a829a58f395345549b921b154d5acdfa235fdc482e7e357ffcbdffec6a07aaf0d34319
+  metadata.gz: f645e5e515d712acd3c1a81935d560d3ef0f2be3a42e5fd42af4320cf6a4ae25e14843b0c076dfda4ec5b980a12cc436cfbef527768704f97c6e89ac2e7e17f6
+  data.tar.gz: 61600757a2e549dc5bff49b8fe01da9c0f45eac4a1fd6ba815ea4aafb5655270bfa457ac76c98a0927b98e61bcf741b40a0089f0cfb55f612ad0de386b0fa9d4

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.0.4
+
+* Add a cookie named `_csrf_token` by default to all static site requests, so
+  that your static sites can make CSRF-protected requests of your server
+  ([#4](https://github.com/testdouble/static-rails/pull/4))
+
 ## 0.0.3
 
 * Add `url_skip_paths_starting_with` array of strings option to site

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    static-rails (0.0.3)
+    static-rails (0.0.4)
       rack-proxy (~> 0.6)
       railties (>= 5.0.0)
 

data/README.md

@@ -2,7 +2,7 @@
 
 [![CircleCI](https://circleci.com/gh/testdouble/static-rails.svg?style=svg)](https://circleci.com/gh/testdouble/static-rails)
 
-## What is this thing?
+## Build and serve your static sites from your Rails app
 
 **tl;dr in development, static-rails runs your static site generators &
 proxies requests; in production, it compiles and serves the final assets**
@@ -25,18 +25,18 @@ without forcing you to abandon your monolithic Rails architecture.
 
 Here's what it does:
 
-* In `development` and `test` environments, the gem will run launch each site's
-  `serve_command` and proxy to them any requests that match their configured
-  `url_subdomain` and `url_root_path` properties
+* In development, static-rails launches your sites' local servers and then
+  proxies any requests to wherever you've mounted them in your Rails app so you
+  can start a single server and transition work between your static sites and
+  Rails app seamlessly
 
-* When running `rake assets:precompile` (typically performed during a deploy),
-  the `compile_command` you've configured will be executed for each of your
-  sites
+* When deploying, static-rails will compile all your static assets when `rake
+  assets:precompile` is run, meaning your assets will be built automatically
+  when pushed to a platform like Heroku
 
-* In `production`, the gem will host each of your sites' assets out of your
-  configured `compile_dir` using the same middleware code that Rails uses to
-  host assets out of `public/`. (Putting a performant CDN in front of everything
-  remains an exercise for the reader.)
+* In production, static-rails will serve your sites' compiled assets from disk
+  with a similar features and performance to what you're familiar with if you've
+  ever hosted files out of your `public/` directory
 
 ## Install
 
@@ -46,7 +46,7 @@ Add this to your Gemfile:
 gem "static-rails"
 ```
 
-Then run this generator to create a configuration file 
+Then run this generator to create a configuration file
 `config/initializers/static.rb`:
 
 ```
@@ -54,11 +54,105 @@ $ rails g static_rails:initializer
 ```
 
 You can check out the configuration options in the [generated file's
-comments](/lib/generators/templates/static.rb).
+comments]().
 
 Want an example of setting things up? You're in luck, there's an [example
 app](/example) right in this repo!
 
+## Configuring the gem
+
+**(Want to dive right in? The generated initializer [enumerates every
+option](/lib/generators/templates/static.rb) and the [example app's
+config](https://github.com/testdouble/static-rails/blob/master/example/config/initializers/static.rb)
+sets up 4 sites.)**
+
+### Top-level configuration
+
+So, what should you stick in your initializer's `StaticRails.config do |config|`
+block? These options are set right off the `config` object and control the
+overall behavior of the gem itself, across all your static sites:
+
+* **config.proxy_requests** (Default: `!Rails.env.production?`) when true,
+  the gem's middleware requests that match where you've mounted your static site
+  and proxy them to the development server
+
+* **config.serve_compiled_assets** (Default: `Rails.env.production?`) when true,
+  the gem's middleware will find your static assets on disk and serve them using
+  the same code that Rails uses to serve files out of `public/`
+
+* **config.ping_server_timeout** (Default: `5`) the number of seconds that (when
+  `proxy_requests` is true, that the gem will wait for a response from a static
+  site's server on any given request before timing out and raising an error
+
+* **config.set_csrf_token_cookie** (Default: `true`) when true, the gem's
+  middleware will set a cookie named `_csrf_token` with each request of your
+  static site. You can use this to set the `'x-csrf-token'` header on any
+  requests from your site back to routes hosted by the Rails app that are
+  [protected from CSRF
+  forgery](https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf)
+  (if you're not using Rails' cookie store for sessions, turn this off)
+
+### Configuring your static sites themselves
+
+To tell the gem about your static sites, assign an array of hashes as `sites`
+(e.g. `config.sites = [{…}]`). Each of those hashes have the following options:
+
+* **name** (Required) A unique name for the site (primarily used for
+  logging)
+
+* **source_dir** (Required) The file path (relative to the Rails app's root) to
+  the static site's project directory
+
+* **url_subdomain** (Default: `nil`) Constrains the static site's assets to only
+  be served for requests to a given subdomain (e.g. for a Rails app hosting
+  `example.com`, a Hugo site at `blog.example.com` would set this to `"blog"`)
+
+* **url_root_path** (Default: `/`) The base URL path at which to mount the
+  static site (e.g. if you want your Jekyll site hosted at `example.com/docs`,
+  you'd set this to `/docs`). For most static site generators, you'll want to
+  configure it to serve assets from the same path so links and other references
+  are correct (see below for examples)
+
+* **url_skip_paths_starting_with** (Default: `[]`) If you want to mount your
+  static site to `/` but allow the Rails app to serve APIs from `/api`, you can
+  set the path prefix `["/api"]` here to tell the gem's middleware not to try to
+  proxy or serve the request from your static site, but rather let Rails handle
+  it
+
+* **start_server** (Default `!Rails.env.production?) When true, the gem will
+  start the site's server (and if it ever exits, restart it) as your Rails app
+  is booting up. All output from the server will be forwarded to STDOUT/STDERR
+
+* **server_command** (Required if `start_server` is true) the command to run to
+  start the site's server, from the working directory of `source_dir` (e.g.
+  `hugo server`)
+
+* **ping_server** (Default: true) if this and `start_server` are both true, then
+  wait to proxy any requests until the server is accepting TCP connections
+
+* **env** (Default: `{}`) any environment variables you need to pass to either
+  the server or compile commands (e.g. `env: {"BUNDLE_PATH" =>
+  "vendor/bundle"}`). Note that this configuration file is Ruby, so if you need
+  to provide different env vars based on Rails environment, you have the power
+  to do that!
+
+* **server_host** (Default: `localhost`) the host your static site's server will
+  run on
+
+* **server_port** (Required if `proxy_requests` is true) the port your static
+  site's server will accept requests on
+
+* **server_path** (Default: `"/"`) the root URL path to which requests should be
+  proxied
+
+* **compile_comand** (Required) the command to be run by both the
+  `static:compile` and `assets:precompile` Rake commands (e.g. `npm run build`),
+  with working directory set to the site's `source_dir`
+
+* **compile_dir** (Required when `serve_compiled_assets` is true) the root file
+  path to which production assets are compiled, relative to the site's
+  `source_dir`
+
 ## Configuring your static site generators
 
 Assuming you won't be mounting your static site to your app's root `/` path,
@@ -104,9 +198,10 @@ To mitigate this, there are a few things you can do:
   base path with `{{ "/" | relURL }}` (given the above `baseURL`, this will
   render `"/marketing/"`)
 
-Also, because Hugo will serve `/livereload.js` from the root, live-reloading probably 
+Also, because Hugo will serve `/livereload.js` from the root, live-reloading probably
 won't work in development when running through the static-rails proxy.
-You might consider disabling it with `--disableLiveReload`.
+You might consider disabling it with `--disableLiveReload` unless you're serving
+Hugo from a root path ("`/`").
 
 A static-rails config for a Hugo configuration in `sites` might look like:
 

data/lib/generators/templates/static.rb

@@ -9,6 +9,11 @@ StaticRails.config do |config|
   #   (Applies when a site has both start_server and ping_server set to true)
   # config.ping_server_timeout = 5
 
+  # When true, both the proxy & static asset middleware will set a cookie
+  #   named "_csrf_token" to the Rails CSRF token, allowing any client-side
+  #   API requests to take advantage of Rails' request forgery protection
+  # config.set_csrf_token_cookie = true
+
   # The list of static sites you are hosting with static-rails.
   # Note that order matters! Request will be forwarded to the first site that
   # matches the subdomain and root path (this probably means you want any sites

data/lib/static-rails/configuration.rb

@@ -22,11 +22,15 @@ module StaticRails
     # Number of seconds to wait on sites to confirm servers are ready
     attr_accessor :ping_server_timeout
 
+    # When true, a cookie named "_csrf_token" will be set by static-rails middleware
+    attr_accessor :set_csrf_token_cookie
+
     def initialize
       @sites = []
       @proxy_requests = !Rails.env.production?
       @serve_compiled_assets = Rails.env.production?
       @ping_server_timeout = 5
+      @set_csrf_token_cookie = true
     end
 
     attr_reader :sites

data/lib/static-rails/csrf_middleware.rb

@@ -0,0 +1,20 @@
+require_relative "gets_csrf_token"
+
+module StaticRails
+  class CsrfMiddleware
+    def initialize(app)
+      @app = app
+      @gets_csrf_token = GetsCsrfToken.new
+    end
+
+    def call(env)
+      if env["__static_rails_evil_request_for_csrf_token"]
+        req = Rack::Request.new(env)
+        [200, {}, [@gets_csrf_token.call(req)]].tap do
+        end
+      else
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/static-rails/determines_whether_to_handle_request.rb

@@ -0,0 +1,15 @@
+module StaticRails
+  class DeterminesWhetherToHandleRequest
+    def initialize
+      @matches_request_to_static_site = MatchesRequestToStaticSite.new
+    end
+
+    def call(env)
+      req = Rack::Request.new(env)
+
+      (req.get? || req.head?) &&
+        (StaticRails.config.proxy_requests || StaticRails.config.serve_compiled_assets) &&
+        @matches_request_to_static_site.call(req)
+    end
+  end
+end

data/lib/static-rails/gets_csrf_token.rb

@@ -0,0 +1,25 @@
+module StaticRails
+  class GetsCsrfToken
+    def call(req)
+      masked_authenticity_token(req.session)
+    end
+
+    private
+
+    def masked_authenticity_token(session, form_options: {})
+      ActionController::RequestForgeryProtection.instance_method(:masked_authenticity_token).bind(self).call(session, form_options)
+    end
+
+    def real_csrf_token(session)
+      ActionController::RequestForgeryProtection.instance_method(:real_csrf_token).bind(self).call(session)
+    end
+
+    def xor_byte_strings(s1, s2)
+      ActionController::RequestForgeryProtection.instance_method(:xor_byte_strings).bind(self).call(s1, s2)
+    end
+
+    def per_form_csrf_tokens
+      false
+    end
+  end
+end

data/lib/static-rails/proxy_middleware.rb

@@ -14,22 +14,21 @@ module StaticRails
 
     def perform_request(env)
       return @app.call(env) unless StaticRails.config.proxy_requests
-      ServerStore.instance.ensure_all_servers_are_started
 
-      req = Rack::Request.new(env)
       server_store = ServerStore.instance
+      server_store.ensure_all_servers_are_started
       server_store.ensure_servers_are_up
 
+      req = Rack::Request.new(env)
       if (req.get? || req.head?) && (site = @matches_request_to_static_site.call(req))
         if site.ping_server && (server = server_store.server_for(site))
           server.wait_until_ready
         end
 
         @backend = URI("http://#{site.server_host}:#{site.server_port}")
-
         env["HTTP_HOST"] = @backend.host
         env["PATH_INFO"] = forwarding_path(site, req)
-        env["HTTP_COOKIE"] = ""
+
         super(env)
       else
         @app.call(env)

data/lib/static-rails/railtie.rb

@@ -1,7 +1,7 @@
 require_relative "rack_server_check"
 require_relative "server_store"
-require_relative "proxy_middleware"
-require_relative "static_middleware"
+require_relative "site_middleware"
+require_relative "site_plus_csrf_middleware"
 
 module StaticRails
   class Railtie < ::Rails::Railtie
@@ -9,14 +9,9 @@ module StaticRails
       load "tasks/static-rails.rake"
     end
 
-    # Note that user initializer won't have run yet, but we seem to need to
-    # register the middleware by now if it's going to properly get added to the
-    # stack. So if the user overrides these flags' defaults, the middleware will
-    # still be added but will be responsible itself for skipping each request
-    if StaticRails.config.proxy_requests
-      config.app_middleware.insert_before 0, ProxyMiddleware
-    elsif StaticRails.config.serve_compiled_assets
-      config.app_middleware.insert_before 0, StaticMiddleware
+    initializer "static_rails.middleware" do
+      config.app_middleware.insert_before 0, SiteMiddleware
+      config.app_middleware.use SitePlusCsrfMiddleware
     end
 
     config.after_initialize do |app|

data/lib/static-rails/site_middleware.rb

@@ -0,0 +1,63 @@
+require_relative "proxy_middleware"
+require_relative "static_middleware"
+require_relative "determines_whether_to_handle_request"
+require_relative "gets_csrf_token"
+
+module StaticRails
+  class SiteMiddleware
+    PATH_INFO_OBFUSCATION = "JujJVj31M3SpzTjIGBJ2-3iE0lKXOIOlbLuk9Lxwe-Ll2uLuwH5KD8dmt1MqyZ"
+
+    def initialize(app)
+      @app = app
+      @proxy_middleware = ProxyMiddleware.new(app)
+      @static_middleware = StaticMiddleware.new(app)
+      @determines_whether_to_handle_request = DeterminesWhetherToHandleRequest.new
+    end
+
+    def call(env)
+      return @app.call(env) unless @determines_whether_to_handle_request.call(env)
+
+      if require_csrf_before_processing_request? && !csrf_token_is_set?(env)
+        # You might be asking yourself what the hell is going on here. In short,
+        # This middleware sits at the top of the stack, which is too early to
+        # set a CSRF token in a cookie. Therefore, we've placed a subclass of
+        # this middleware named SitePlusCsrfMiddleware near the bottom of the
+        # middleware stack, which is slower but comes after Session::CookieStore
+        # and therefore can write _csrf_token to the cookie. As a result, the
+        # observable behavior to the user is identical, but the first request
+        # to set the cookie will be marginally slower because it needs to go
+        # deeper down the Rails middleware stack
+        #
+        # But! Between these two is ActionDispatch::Static. In the odd case that
+        # a path that this middleware would serve happens to match the name of
+        # a path in public/, kicking down the middleware stack would result in
+        # that file being served instead of our deeper middleware being called.
+        # So to work around this we're just making the PATH_INFO property so
+        # ugly that there's no chance it'll match anything. When our subclass
+        # gets its shot at this request, it'll know to remove the path
+        # obfuscation from PATH_INFO and go about its business.
+        #
+        # See, easy!
+        #
+        # (By the way, this was all Matthew Draper's bright idea. You can
+        # compliment him here: https://github.com/matthewd )
+        @app.call(env.merge("PATH_INFO" => env["PATH_INFO"] + PATH_INFO_OBFUSCATION))
+      elsif StaticRails.config.proxy_requests
+        @proxy_middleware.call(env)
+      elsif StaticRails.config.serve_compiled_assets
+        @static_middleware.call(env)
+      end
+    end
+
+    protected
+
+    # Override this in subclass since it'll call super(env) and deal itself
+    def require_csrf_before_processing_request?
+      StaticRails.config.set_csrf_token_cookie
+    end
+
+    def csrf_token_is_set?(env)
+      Rack::Request.new(env).cookies.has_key?("_csrf_token")
+    end
+  end
+end

data/lib/static-rails/site_plus_csrf_middleware.rb

@@ -0,0 +1,40 @@
+require_relative "site_middleware"
+require_relative "determines_whether_to_handle_request"
+require_relative "gets_csrf_token"
+
+module StaticRails
+  class SitePlusCsrfMiddleware < SiteMiddleware
+    def initialize(app)
+      @determines_whether_to_handle_request = DeterminesWhetherToHandleRequest.new
+      @gets_csrf_token = GetsCsrfToken.new
+      super
+    end
+
+    def call(env)
+      return @app.call(env) unless @determines_whether_to_handle_request.call(env)
+
+      env = env.merge(
+        "PATH_INFO" => env["PATH_INFO"].gsub(/#{PATH_INFO_OBFUSCATION}/, "")
+      )
+      status, headers, body = super(env)
+
+      if StaticRails.config.set_csrf_token_cookie
+        req = Rack::Request.new(env)
+        res = Rack::Response.new(body, status, headers)
+        res.set_cookie("_csrf_token", {
+          value: @gets_csrf_token.call(req),
+          path: "/"
+        })
+        res.finish
+      else
+        [status, headers, body]
+      end
+    end
+
+    protected
+
+    def require_csrf_before_processing_request?
+      false
+    end
+  end
+end

data/lib/static-rails/version.rb

@@ -1,3 +1,3 @@
 module StaticRails
-  VERSION = "0.0.3"
+  VERSION = "0.0.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: static-rails
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.4
 platform: ruby
 authors:
 - Justin Searls
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-05-11 00:00:00.000000000 Z
+date: 2020-05-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -62,7 +62,10 @@ files:
 - lib/static-rails.rb
 - lib/static-rails/compile.rb
 - lib/static-rails/configuration.rb
+- lib/static-rails/csrf_middleware.rb
+- lib/static-rails/determines_whether_to_handle_request.rb
 - lib/static-rails/error.rb
+- lib/static-rails/gets_csrf_token.rb
 - lib/static-rails/matches_request_to_static_site.rb
 - lib/static-rails/proxy_middleware.rb
 - lib/static-rails/rack_server_check.rb
@@ -70,6 +73,8 @@ files:
 - lib/static-rails/server.rb
 - lib/static-rails/server_store.rb
 - lib/static-rails/site.rb
+- lib/static-rails/site_middleware.rb
+- lib/static-rails/site_plus_csrf_middleware.rb
 - lib/static-rails/static_middleware.rb
 - lib/static-rails/version.rb
 - lib/static-rails/waits_for_connection.rb