static-rails 0.0.3 → 0.0.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 04cd8c43f2a9d6ff2da0768d8daa7024ca470acb94a2444540d26411dad45675
-  data.tar.gz: 55246dbc95a32e8517db8bc8b21136f9a3cac60ba18b3cd9bee27ef2501ae774
+  metadata.gz: 760a85803ecdc64592ce6f0f29e948fe744ff7e0d5d893f62f713f11aa7de9cb
+  data.tar.gz: 235ed594c1bf01dba53e028e3419ce1f5919e14de31441c5fb3f6a0b3b3de382
 SHA512:
-  metadata.gz: e59dd52fb103bc1add1ad27a05ac83eff4b04b09ecc7bb08b73d2fd071279a87e8ae05e73c2f43a64eda4e2c1c77281d0fd8650a5c4aea2d04c2088980606127
-  data.tar.gz: 548aa50ee427be8b0a3842b4000a07dbac7b0513cf9a712ab46dcd8903a829a58f395345549b921b154d5acdfa235fdc482e7e357ffcbdffec6a07aaf0d34319
+  metadata.gz: fd446ac15d01e261594e66388afada570c203046d0dcaa52437c43aca8cc8f5a09c19ce1e87aa699b7b9407a3f9993328e285aa1a4aaf53035493fd2cde7a28d
+  data.tar.gz: 592a87c638a0f861c673566746b591700e256de4eae4d3b28218d6faa6e994e5c3cccf589f3a2d16d850275d8d5db079661ac03aee17e6bc62ecf62b28cdc538

data/CHANGELOG.md

@@ -1,3 +1,30 @@
+## 0.0.8
+
+* Add support for the [CSRF
+  changes](https://github.com/rails/rails/commit/358ff18975f26e820ea355ec113ffc5228e59af8) in Rails 6.0.3.1
+
+## 0.0.7
+
+* Ensure that CSRF tokens are valid, at the cost of some performance and
+  reliance on additional Rails internals. As a result CSRF cookie setting is now
+  disabled by default [#6](https://github.com/testdouble/static-rails/pull/6)
+
+## 0.0.6
+
+* Fix an issue where `ActionDispatch::FileHandler` won't be loaded in the event
+  that static-rails is serving compiled assets but Rails is not
+
+## 0.0.5
+
+* Add a site option `compile_404_file_path` to specify a file to be used as a
+  404 page when serving compiled assets and no file is found
+
+## 0.0.4
+
+* Add a cookie named `_csrf_token` by default to all static site requests, so
+  that your static sites can make CSRF-protected requests of your server
+  ([#4](https://github.com/testdouble/static-rails/pull/4))
+
 ## 0.0.3
 
 * Add `url_skip_paths_starting_with` array of strings option to site

data/Gemfile.lock

@@ -1,27 +1,27 @@
 PATH
   remote: .
   specs:
-    static-rails (0.0.3)
+    static-rails (0.0.8)
       rack-proxy (~> 0.6)
       railties (>= 5.0.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (6.0.3)
-      actionview (= 6.0.3)
-      activesupport (= 6.0.3)
+    actionpack (6.0.3.1)
+      actionview (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
       rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.0.3)
-      activesupport (= 6.0.3)
+    actionview (6.0.3.1)
+      activesupport (= 6.0.3.1)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activesupport (6.0.3)
+    activesupport (6.0.3.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
@@ -32,19 +32,18 @@ GEM
     concurrent-ruby (1.1.6)
     crass (1.0.6)
     erubi (1.9.0)
-    i18n (1.8.2)
+    i18n (1.8.3)
       concurrent-ruby (~> 1.0)
-    jaro_winkler (1.5.4)
     loofah (2.5.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     method_source (1.0.0)
     mini_portile2 (2.4.0)
-    minitest (5.14.0)
+    minitest (5.14.1)
     nokogiri (1.10.9)
       mini_portile2 (~> 2.4.0)
     parallel (1.19.1)
-    parser (2.7.1.1)
+    parser (2.7.1.3)
       ast (~> 2.4.0)
     rack (2.2.2)
     rack-proxy (0.6.5)
@@ -56,34 +55,38 @@ GEM
       nokogiri (>= 1.6)
     rails-html-sanitizer (1.3.0)
       loofah (~> 2.3)
-    railties (6.0.3)
-      actionpack (= 6.0.3)
-      activesupport (= 6.0.3)
+    railties (6.0.3.1)
+      actionpack (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
       method_source
       rake (>= 0.8.7)
       thor (>= 0.20.3, < 2.0)
     rainbow (3.0.0)
     rake (13.0.1)
+    regexp_parser (1.7.1)
     rexml (3.2.4)
-    rubocop (0.80.1)
-      jaro_winkler (~> 1.5.1)
+    rubocop (0.85.1)
       parallel (~> 1.10)
       parser (>= 2.7.0.1)
       rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.7)
       rexml
+      rubocop-ast (>= 0.0.3)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 1.7)
-    rubocop-performance (1.5.2)
+      unicode-display_width (>= 1.4.0, < 2.0)
+    rubocop-ast (0.0.3)
+      parser (>= 2.7.0.1)
+    rubocop-performance (1.6.1)
       rubocop (>= 0.71.0)
     ruby-progressbar (1.10.1)
-    standard (0.2.5)
-      rubocop (~> 0.80.1)
-      rubocop-performance (~> 1.5.2)
+    standard (0.4.7)
+      rubocop (~> 0.85.0)
+      rubocop-performance (~> 1.6.0)
     thor (1.0.1)
     thread_safe (0.3.6)
     tzinfo (1.2.7)
       thread_safe (~> 0.1)
-    unicode-display_width (1.6.1)
+    unicode-display_width (1.7.0)
     zeitwerk (2.3.0)
 
 PLATFORMS

data/README.md

@@ -2,7 +2,7 @@
 
 [![CircleCI](https://circleci.com/gh/testdouble/static-rails.svg?style=svg)](https://circleci.com/gh/testdouble/static-rails)
 
-## What is this thing?
+## Build and serve your static sites from your Rails app
 
 **tl;dr in development, static-rails runs your static site generators &
 proxies requests; in production, it compiles and serves the final assets**
@@ -25,18 +25,18 @@ without forcing you to abandon your monolithic Rails architecture.
 
 Here's what it does:
 
-* In `development` and `test` environments, the gem will run launch each site's
-  `serve_command` and proxy to them any requests that match their configured
-  `url_subdomain` and `url_root_path` properties
+* In development, static-rails launches your sites' local servers and then
+  proxies any requests to wherever you've mounted them in your Rails app so you
+  can start a single server and transition work between your static sites and
+  Rails app seamlessly
 
-* When running `rake assets:precompile` (typically performed during a deploy),
-  the `compile_command` you've configured will be executed for each of your
-  sites
+* When deploying, static-rails will compile all your static assets when `rake
+  assets:precompile` is run, meaning your assets will be built automatically
+  when pushed to a platform like Heroku
 
-* In `production`, the gem will host each of your sites' assets out of your
-  configured `compile_dir` using the same middleware code that Rails uses to
-  host assets out of `public/`. (Putting a performant CDN in front of everything
-  remains an exercise for the reader.)
+* In production, static-rails will serve your sites' compiled assets from disk
+  with a similar features and performance to what you're familiar with if you've
+  ever hosted files out of your `public/` directory
 
 ## Install
 
@@ -46,7 +46,7 @@ Add this to your Gemfile:
 gem "static-rails"
 ```
 
-Then run this generator to create a configuration file 
+Then run this generator to create a configuration file
 `config/initializers/static.rb`:
 
 ```
@@ -54,11 +54,110 @@ $ rails g static_rails:initializer
 ```
 
 You can check out the configuration options in the [generated file's
-comments](/lib/generators/templates/static.rb).
+comments]().
 
 Want an example of setting things up? You're in luck, there's an [example
 app](/example) right in this repo!
 
+## Configuring the gem
+
+**(Want to dive right in? The generated initializer [enumerates every
+option](/lib/generators/templates/static.rb) and the [example app's
+config](https://github.com/testdouble/static-rails/blob/master/example/config/initializers/static.rb)
+sets up 4 sites.)**
+
+### Top-level configuration
+
+So, what should you stick in your initializer's `StaticRails.config do |config|`
+block? These options are set right off the `config` object and control the
+overall behavior of the gem itself, across all your static sites:
+
+* **config.proxy_requests** (Default: `!Rails.env.production?`) when true,
+  the gem's middleware requests that match where you've mounted your static site
+  and proxy them to the development server
+
+* **config.serve_compiled_assets** (Default: `Rails.env.production?`) when true,
+  the gem's middleware will find your static assets on disk and serve them using
+  the same code that Rails uses to serve files out of `public/`
+
+* **config.ping_server_timeout** (Default: `5`) the number of seconds that (when
+  `proxy_requests` is true, that the gem will wait for a response from a static
+  site's server on any given request before timing out and raising an error
+
+* **config.set_csrf_token_cookie** (Default: `false`) when true, the gem's
+  middleware will set a cookie named `_csrf_token` with each request of your
+  static site. You can use this to set the `'x-csrf-token'` header on any
+  requests from your site back to routes hosted by the Rails app that are
+  [protected from CSRF
+  forgery](https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf)
+  (if you're not using Rails' cookie store for sessions or you're okay with API
+  calls bypassing Rails CSRF, leave this off)
+
+### Configuring your static sites themselves
+
+To tell the gem about your static sites, assign an array of hashes as `sites`
+(e.g. `config.sites = [{…}]`). Each of those hashes have the following options:
+
+* **name** (Required) A unique name for the site (primarily used for
+  logging)
+
+* **source_dir** (Required) The file path (relative to the Rails app's root) to
+  the static site's project directory
+
+* **url_subdomain** (Default: `nil`) Constrains the static site's assets to only
+  be served for requests to a given subdomain (e.g. for a Rails app hosting
+  `example.com`, a Hugo site at `blog.example.com` would set this to `"blog"`)
+
+* **url_root_path** (Default: `/`) The base URL path at which to mount the
+  static site (e.g. if you want your Jekyll site hosted at `example.com/docs`,
+  you'd set this to `/docs`). For most static site generators, you'll want to
+  configure it to serve assets from the same path so links and other references
+  are correct (see below for examples)
+
+* **url_skip_paths_starting_with** (Default: `[]`) If you want to mount your
+  static site to `/` but allow the Rails app to serve APIs from `/api`, you can
+  set the path prefix `["/api"]` here to tell the gem's middleware not to try to
+  proxy or serve the request from your static site, but rather let Rails handle
+  it
+
+* **start_server** (Default `!Rails.env.production?) When true, the gem will
+  start the site's server (and if it ever exits, restart it) as your Rails app
+  is booting up. All output from the server will be forwarded to STDOUT/STDERR
+
+* **server_command** (Required if `start_server` is true) the command to run to
+  start the site's server, from the working directory of `source_dir` (e.g.
+  `hugo server`)
+
+* **ping_server** (Default: true) if this and `start_server` are both true, then
+  wait to proxy any requests until the server is accepting TCP connections
+
+* **env** (Default: `{}`) any environment variables you need to pass to either
+  the server or compile commands (e.g. `env: {"BUNDLE_PATH" =>
+  "vendor/bundle"}`). Note that this configuration file is Ruby, so if you need
+  to provide different env vars based on Rails environment, you have the power
+  to do that!
+
+* **server_host** (Default: `localhost`) the host your static site's server will
+  run on
+
+* **server_port** (Required if `proxy_requests` is true) the port your static
+  site's server will accept requests on
+
+* **server_path** (Default: `"/"`) the root URL path to which requests should be
+  proxied
+
+* **compile_comand** (Required) the command to be run by both the
+  `static:compile` and `assets:precompile` Rake commands (e.g. `npm run build`),
+  with working directory set to the site's `source_dir`
+
+* **compile_dir** (Required when `serve_compiled_assets` is true) the root file
+  path to which production assets are compiled, relative to the site's
+  `source_dir`
+
+* **compile_404_file_path** (Optional) When `serve_compiled_assets` is true,
+  this file (relative to the `compile_dir`) will be served whenever the
+  request's path does not match a file on disk
+
 ## Configuring your static site generators
 
 Assuming you won't be mounting your static site to your app's root `/` path,
@@ -104,9 +203,10 @@ To mitigate this, there are a few things you can do:
   base path with `{{ "/" | relURL }}` (given the above `baseURL`, this will
   render `"/marketing/"`)
 
-Also, because Hugo will serve `/livereload.js` from the root, live-reloading probably 
+Also, because Hugo will serve `/livereload.js` from the root, live-reloading probably
 won't work in development when running through the static-rails proxy.
-You might consider disabling it with `--disableLiveReload`.
+You might consider disabling it with `--disableLiveReload` unless you're serving
+Hugo from a root path ("`/`").
 
 A static-rails config for a Hugo configuration in `sites` might look like:
 

data/lib/generators/templates/static.rb

@@ -9,6 +9,11 @@ StaticRails.config do |config|
   #   (Applies when a site has both start_server and ping_server set to true)
   # config.ping_server_timeout = 5
 
+  # When true, both the proxy & static asset middleware will set a cookie
+  #   named "_csrf_token" to the Rails CSRF token, allowing any client-side
+  #   API requests to take advantage of Rails' request forgery protection
+  # config.set_csrf_token_cookie = false
+
   # The list of static sites you are hosting with static-rails.
   # Note that order matters! Request will be forwarded to the first site that
   # matches the subdomain and root path (this probably means you want any sites
@@ -61,6 +66,9 @@ StaticRails.config do |config|
     #
     #   # The destination of production-compiled assets, relative to Rails root
     #   compile_dir: "static/blog/dist"
+    #
+    #   # A 404 page to be sent when serving compiled assets and no file matches
+    #   compile_404_file_path: "404.html"
     # },
   ]
 end

data/lib/static-rails/configuration.rb

@@ -13,20 +13,24 @@ module StaticRails
     # When Rails invokes our Railtie, we'll save off a reference to the Rails app
     attr_accessor :app
 
-    # When true, the ProxyMiddleware will be added
+    # When true, our middleware will proxy requests to static site servers
     attr_accessor :proxy_requests
 
-    # When true, the StaticMiddleware will be added
+    # When true, our middleware will serve sites' compiled asset files
     attr_accessor :serve_compiled_assets
 
     # Number of seconds to wait on sites to confirm servers are ready
     attr_accessor :ping_server_timeout
 
+    # When true, a cookie named "_csrf_token" will be set by static-rails middleware
+    attr_accessor :set_csrf_token_cookie
+
     def initialize
       @sites = []
       @proxy_requests = !Rails.env.production?
       @serve_compiled_assets = Rails.env.production?
       @ping_server_timeout = 5
+      @set_csrf_token_cookie = false
     end
 
     attr_reader :sites

data/lib/static-rails/determines_whether_to_handle_request.rb

@@ -0,0 +1,15 @@
+module StaticRails
+  class DeterminesWhetherToHandleRequest
+    def initialize
+      @matches_request_to_static_site = MatchesRequestToStaticSite.new
+    end
+
+    def call(env)
+      req = Rack::Request.new(env)
+
+      (req.get? || req.head?) &&
+        (StaticRails.config.proxy_requests || StaticRails.config.serve_compiled_assets) &&
+        @matches_request_to_static_site.call(req)
+    end
+  end
+end

data/lib/static-rails/gets_csrf_token.rb

@@ -0,0 +1,37 @@
+module StaticRails
+  class GetsCsrfToken
+    def call(req)
+      masked_authenticity_token(req.session)
+    end
+
+    private
+
+    def csrf_token_hmac(session, identifier)
+      ActionController::RequestForgeryProtection.instance_method(:csrf_token_hmac).bind(self).call(session, identifier)
+    end
+
+    def mask_token(raw_token)
+      ActionController::RequestForgeryProtection.instance_method(:mask_token).bind(self).call(raw_token)
+    end
+
+    def masked_authenticity_token(session, form_options: {})
+      ActionController::RequestForgeryProtection.instance_method(:masked_authenticity_token).bind(self).call(session, form_options)
+    end
+
+    def global_csrf_token(session)
+      ActionController::RequestForgeryProtection.instance_method(:global_csrf_token).bind(self).call(session)
+    end
+
+    def real_csrf_token(session)
+      ActionController::RequestForgeryProtection.instance_method(:real_csrf_token).bind(self).call(session)
+    end
+
+    def xor_byte_strings(s1, s2)
+      ActionController::RequestForgeryProtection.instance_method(:xor_byte_strings).bind(self).call(s1, s2)
+    end
+
+    def per_form_csrf_tokens
+      false
+    end
+  end
+end

data/lib/static-rails/proxy_middleware.rb

@@ -14,22 +14,21 @@ module StaticRails
 
     def perform_request(env)
       return @app.call(env) unless StaticRails.config.proxy_requests
-      ServerStore.instance.ensure_all_servers_are_started
 
-      req = Rack::Request.new(env)
       server_store = ServerStore.instance
+      server_store.ensure_all_servers_are_started
       server_store.ensure_servers_are_up
 
+      req = Rack::Request.new(env)
       if (req.get? || req.head?) && (site = @matches_request_to_static_site.call(req))
         if site.ping_server && (server = server_store.server_for(site))
           server.wait_until_ready
         end
 
         @backend = URI("http://#{site.server_host}:#{site.server_port}")
-
         env["HTTP_HOST"] = @backend.host
         env["PATH_INFO"] = forwarding_path(site, req)
-        env["HTTP_COOKIE"] = ""
+
         super(env)
       else
         @app.call(env)

data/lib/static-rails/railtie.rb

@@ -1,7 +1,7 @@
 require_relative "rack_server_check"
 require_relative "server_store"
-require_relative "proxy_middleware"
-require_relative "static_middleware"
+require_relative "site_middleware"
+require_relative "site_plus_csrf_middleware"
 
 module StaticRails
   class Railtie < ::Rails::Railtie
@@ -9,14 +9,9 @@ module StaticRails
       load "tasks/static-rails.rake"
     end
 
-    # Note that user initializer won't have run yet, but we seem to need to
-    # register the middleware by now if it's going to properly get added to the
-    # stack. So if the user overrides these flags' defaults, the middleware will
-    # still be added but will be responsible itself for skipping each request
-    if StaticRails.config.proxy_requests
-      config.app_middleware.insert_before 0, ProxyMiddleware
-    elsif StaticRails.config.serve_compiled_assets
-      config.app_middleware.insert_before 0, StaticMiddleware
+    initializer "static_rails.middleware" do
+      config.app_middleware.insert_before 0, SiteMiddleware
+      config.app_middleware.use SitePlusCsrfMiddleware
     end
 
     config.after_initialize do |app|

data/lib/static-rails/site.rb

@@ -14,6 +14,7 @@ module StaticRails
     :server_path,
     :compile_command,
     :compile_dir,
+    :compile_404_file_path,
     keyword_init: true
   )
 

data/lib/static-rails/site_middleware.rb

@@ -0,0 +1,58 @@
+require_relative "proxy_middleware"
+require_relative "static_middleware"
+require_relative "determines_whether_to_handle_request"
+
+module StaticRails
+  class SiteMiddleware
+    PATH_INFO_OBFUSCATION = "JujJVj31M3SpzTjIGBJ2-3iE0lKXOIOlbLuk9Lxwe-Ll2uLuwH5KD8dmt1MqyZ"
+
+    def initialize(app)
+      @app = app
+      @proxy_middleware = ProxyMiddleware.new(app)
+      @static_middleware = StaticMiddleware.new(app)
+      @determines_whether_to_handle_request = DeterminesWhetherToHandleRequest.new
+    end
+
+    def call(env)
+      return @app.call(env) unless @determines_whether_to_handle_request.call(env)
+
+      if require_csrf_before_processing_request?
+        # You might be asking yourself what the hell is going on here. In short,
+        # This middleware sits at the top of the stack, which is too early to
+        # set a CSRF token in a cookie. Therefore, we've placed a subclass of
+        # this middleware named SitePlusCsrfMiddleware near the bottom of the
+        # middleware stack, which is slower but comes after Session::CookieStore
+        # and therefore can write _csrf_token to the cookie. As a result, the
+        # observable behavior to the user is identical, but the first request
+        # to set the cookie will be marginally slower because it needs to go
+        # deeper down the Rails middleware stack
+        #
+        # But! Between these two is ActionDispatch::Static. In the odd case that
+        # a path that this middleware would serve happens to match the name of
+        # a path in public/, kicking down the middleware stack would result in
+        # that file being served instead of our deeper middleware being called.
+        # So to work around this we're just making the PATH_INFO property so
+        # ugly that there's no chance it'll match anything. When our subclass
+        # gets its shot at this request, it'll know to remove the path
+        # obfuscation from PATH_INFO and go about its business.
+        #
+        # See, easy!
+        #
+        # (By the way, this was all Matthew Draper's bright idea. You can
+        # compliment him here: https://github.com/matthewd )
+        @app.call(env.merge("PATH_INFO" => PATH_INFO_OBFUSCATION + env["PATH_INFO"]))
+      elsif StaticRails.config.proxy_requests
+        @proxy_middleware.call(env)
+      elsif StaticRails.config.serve_compiled_assets
+        @static_middleware.call(env)
+      end
+    end
+
+    protected
+
+    # Override this in subclass since it'll call super(env) and deal itself
+    def require_csrf_before_processing_request?
+      StaticRails.config.set_csrf_token_cookie
+    end
+  end
+end

data/lib/static-rails/site_plus_csrf_middleware.rb

@@ -0,0 +1,50 @@
+require_relative "site_middleware"
+require_relative "determines_whether_to_handle_request"
+require_relative "validates_csrf_token"
+require_relative "gets_csrf_token"
+
+module StaticRails
+  class SitePlusCsrfMiddleware < SiteMiddleware
+    def initialize(app)
+      @determines_whether_to_handle_request = DeterminesWhetherToHandleRequest.new
+      @validates_csrf_token = ValidatesCsrfToken.new
+      @gets_csrf_token = GetsCsrfToken.new
+      super
+    end
+
+    def call(env)
+      return @app.call(env) unless env["PATH_INFO"]&.start_with?(PATH_INFO_OBFUSCATION) || @determines_whether_to_handle_request.call(env)
+
+      env = env.merge(
+        "PATH_INFO" => env["PATH_INFO"].gsub(/^#{PATH_INFO_OBFUSCATION}/, "")
+      )
+      status, headers, body = super(env)
+
+      if StaticRails.config.set_csrf_token_cookie
+        req = Rack::Request.new(env)
+        res = Rack::Response.new(body, status, headers)
+        if needs_new_csrf_token?(req)
+          res.set_cookie("_csrf_token", {
+            value: @gets_csrf_token.call(req),
+            path: "/"
+          })
+        end
+        res.finish
+      else
+        [status, headers, body]
+      end
+    end
+
+    protected
+
+    def require_csrf_before_processing_request?
+      false
+    end
+
+    private
+
+    def needs_new_csrf_token?(req)
+      !req.cookies.has_key?("_csrf_token") || !@validates_csrf_token.call(req)
+    end
+  end
+end

data/lib/static-rails/static_middleware.rb

@@ -1,4 +1,5 @@
 require "rack-proxy"
+require "action_dispatch/middleware/static"
 
 require_relative "matches_request_to_static_site"
 
@@ -17,7 +18,7 @@ module StaticRails
       if (req.get? || req.head?) && (site = @matches_request_to_static_site.call(req))
         file_handler = file_handler_for(site)
         path = req.path_info.gsub(/^#{site.url_root_path}/, "").chomp("/")
-        if (match = file_handler.match?(path))
+        if (match = matching_file_for(file_handler, site, path))
           req.path_info = match
           return file_handler.serve(req)
         end
@@ -35,5 +36,13 @@ module StaticRails
         StaticRails.config.app.root.join(site.compile_dir).to_s
       )
     end
+
+    def matching_file_for(file_handler, site, path)
+      if (match = file_handler.match?(path))
+        match
+      elsif site.compile_404_file_path.present?
+        file_handler.match?(site.compile_404_file_path)
+      end
+    end
   end
 end

data/lib/static-rails/validates_csrf_token.rb

@@ -0,0 +1,29 @@
+module StaticRails
+  class ValidatesCsrfToken
+    def call(req)
+      valid_authenticity_token?(req.session, req.cookies["_csrf_token"])
+    end
+
+    private
+
+    [
+      :compare_with_global_token,
+      :global_csrf_token,
+      :csrf_token_hmac,
+      :valid_authenticity_token?,
+      :unmask_token,
+      :compare_with_real_token,
+      :valid_per_form_csrf_token?,
+      :xor_byte_strings,
+      :real_csrf_token
+    ].each do |method|
+      define_method method do |*args, **kwargs, &blk|
+        ActionController::RequestForgeryProtection.instance_method(method).bind(self).call(*args, **kwargs, &blk)
+      end
+    end
+
+    def per_form_csrf_tokens
+      false
+    end
+  end
+end

data/lib/static-rails/version.rb

@@ -1,3 +1,3 @@
 module StaticRails
-  VERSION = "0.0.3"
+  VERSION = "0.0.8"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: static-rails
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.8
 platform: ruby
 authors:
 - Justin Searls
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-05-11 00:00:00.000000000 Z
+date: 2020-06-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: railties
@@ -62,7 +62,9 @@ files:
 - lib/static-rails.rb
 - lib/static-rails/compile.rb
 - lib/static-rails/configuration.rb
+- lib/static-rails/determines_whether_to_handle_request.rb
 - lib/static-rails/error.rb
+- lib/static-rails/gets_csrf_token.rb
 - lib/static-rails/matches_request_to_static_site.rb
 - lib/static-rails/proxy_middleware.rb
 - lib/static-rails/rack_server_check.rb
@@ -70,7 +72,10 @@ files:
 - lib/static-rails/server.rb
 - lib/static-rails/server_store.rb
 - lib/static-rails/site.rb
+- lib/static-rails/site_middleware.rb
+- lib/static-rails/site_plus_csrf_middleware.rb
 - lib/static-rails/static_middleware.rb
+- lib/static-rails/validates_csrf_token.rb
 - lib/static-rails/version.rb
 - lib/static-rails/waits_for_connection.rb
 - lib/tasks/static-rails.rake