static-rails 0.0.6 → 0.0.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/Gemfile.lock +1 -1
- data/README.md +3 -2
- data/lib/generators/templates/static.rb +1 -1
- data/lib/static-rails/configuration.rb +1 -1
- data/lib/static-rails/site_middleware.rb +1 -6
- data/lib/static-rails/site_plus_csrf_middleware.rb +14 -4
- data/lib/static-rails/validates_csrf_token.rb +26 -0
- data/lib/static-rails/version.rb +1 -1
- metadata +3 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 71c1a0e6ce72ea1feb691e3cbfae0bec8bf723f1512cda383aeae57d56fd9765
|
|
4
|
+
data.tar.gz: 4d8d3c148661b2498ccfeb3677553e94a91c2cb68b5c48ba47aaace89be8adfe
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cc39f818e745f67930b8821dbf3b38cdfd34d33accd25979801a4fbc34df67cdf600e517a2fe806f6094e43bc2e797fcef2aa4b1bb7006f3d75317a26b19ea82
|
|
7
|
+
data.tar.gz: c0879dc6ef5950806aaa662035ac7593a78c334dc578f65bd5e13526d1f4c770a08b9cf1f2b8fc8e21a9d00372876736924e05687e4d33ebbb780acc5b802ea1
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,9 @@
|
|
|
1
|
+
## 0.0.7
|
|
2
|
+
|
|
3
|
+
* Ensure that CSRF tokens are valid, at the cost of some performance and
|
|
4
|
+
reliance on additional Rails internals. As a result CSRF cookie setting is now
|
|
5
|
+
disabled by default [#6](https://github.com/testdouble/static-rails/pull/6)
|
|
6
|
+
|
|
1
7
|
## 0.0.6
|
|
2
8
|
|
|
3
9
|
* Fix an issue where `ActionDispatch::FileHandler` won't be loaded in the event
|
data/Gemfile.lock
CHANGED
data/README.md
CHANGED
|
@@ -84,13 +84,14 @@ overall behavior of the gem itself, across all your static sites:
|
|
|
84
84
|
`proxy_requests` is true, that the gem will wait for a response from a static
|
|
85
85
|
site's server on any given request before timing out and raising an error
|
|
86
86
|
|
|
87
|
-
* **config.set_csrf_token_cookie** (Default: `
|
|
87
|
+
* **config.set_csrf_token_cookie** (Default: `false`) when true, the gem's
|
|
88
88
|
middleware will set a cookie named `_csrf_token` with each request of your
|
|
89
89
|
static site. You can use this to set the `'x-csrf-token'` header on any
|
|
90
90
|
requests from your site back to routes hosted by the Rails app that are
|
|
91
91
|
[protected from CSRF
|
|
92
92
|
forgery](https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf)
|
|
93
|
-
(if you're not using Rails' cookie store for sessions
|
|
93
|
+
(if you're not using Rails' cookie store for sessions or you're okay with API
|
|
94
|
+
calls bypassing Rails CSRF, leave this off)
|
|
94
95
|
|
|
95
96
|
### Configuring your static sites themselves
|
|
96
97
|
|
|
@@ -12,7 +12,7 @@ StaticRails.config do |config|
|
|
|
12
12
|
# When true, both the proxy & static asset middleware will set a cookie
|
|
13
13
|
# named "_csrf_token" to the Rails CSRF token, allowing any client-side
|
|
14
14
|
# API requests to take advantage of Rails' request forgery protection
|
|
15
|
-
# config.set_csrf_token_cookie =
|
|
15
|
+
# config.set_csrf_token_cookie = false
|
|
16
16
|
|
|
17
17
|
# The list of static sites you are hosting with static-rails.
|
|
18
18
|
# Note that order matters! Request will be forwarded to the first site that
|
|
@@ -1,7 +1,6 @@
|
|
|
1
1
|
require_relative "proxy_middleware"
|
|
2
2
|
require_relative "static_middleware"
|
|
3
3
|
require_relative "determines_whether_to_handle_request"
|
|
4
|
-
require_relative "gets_csrf_token"
|
|
5
4
|
|
|
6
5
|
module StaticRails
|
|
7
6
|
class SiteMiddleware
|
|
@@ -17,7 +16,7 @@ module StaticRails
|
|
|
17
16
|
def call(env)
|
|
18
17
|
return @app.call(env) unless @determines_whether_to_handle_request.call(env)
|
|
19
18
|
|
|
20
|
-
if require_csrf_before_processing_request?
|
|
19
|
+
if require_csrf_before_processing_request?
|
|
21
20
|
# You might be asking yourself what the hell is going on here. In short,
|
|
22
21
|
# This middleware sits at the top of the stack, which is too early to
|
|
23
22
|
# set a CSRF token in a cookie. Therefore, we've placed a subclass of
|
|
@@ -55,9 +54,5 @@ module StaticRails
|
|
|
55
54
|
def require_csrf_before_processing_request?
|
|
56
55
|
StaticRails.config.set_csrf_token_cookie
|
|
57
56
|
end
|
|
58
|
-
|
|
59
|
-
def csrf_token_is_set?(env)
|
|
60
|
-
Rack::Request.new(env).cookies.has_key?("_csrf_token")
|
|
61
|
-
end
|
|
62
57
|
end
|
|
63
58
|
end
|
|
@@ -1,11 +1,13 @@
|
|
|
1
1
|
require_relative "site_middleware"
|
|
2
2
|
require_relative "determines_whether_to_handle_request"
|
|
3
|
+
require_relative "validates_csrf_token"
|
|
3
4
|
require_relative "gets_csrf_token"
|
|
4
5
|
|
|
5
6
|
module StaticRails
|
|
6
7
|
class SitePlusCsrfMiddleware < SiteMiddleware
|
|
7
8
|
def initialize(app)
|
|
8
9
|
@determines_whether_to_handle_request = DeterminesWhetherToHandleRequest.new
|
|
10
|
+
@validates_csrf_token = ValidatesCsrfToken.new
|
|
9
11
|
@gets_csrf_token = GetsCsrfToken.new
|
|
10
12
|
super
|
|
11
13
|
end
|
|
@@ -21,10 +23,12 @@ module StaticRails
|
|
|
21
23
|
if StaticRails.config.set_csrf_token_cookie
|
|
22
24
|
req = Rack::Request.new(env)
|
|
23
25
|
res = Rack::Response.new(body, status, headers)
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
26
|
+
if needs_new_csrf_token?(req)
|
|
27
|
+
res.set_cookie("_csrf_token", {
|
|
28
|
+
value: @gets_csrf_token.call(req),
|
|
29
|
+
path: "/"
|
|
30
|
+
})
|
|
31
|
+
end
|
|
28
32
|
res.finish
|
|
29
33
|
else
|
|
30
34
|
[status, headers, body]
|
|
@@ -36,5 +40,11 @@ module StaticRails
|
|
|
36
40
|
def require_csrf_before_processing_request?
|
|
37
41
|
false
|
|
38
42
|
end
|
|
43
|
+
|
|
44
|
+
private
|
|
45
|
+
|
|
46
|
+
def needs_new_csrf_token?(req)
|
|
47
|
+
!req.cookies.has_key?("_csrf_token") || !@validates_csrf_token.call(req)
|
|
48
|
+
end
|
|
39
49
|
end
|
|
40
50
|
end
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
module StaticRails
|
|
2
|
+
class ValidatesCsrfToken
|
|
3
|
+
def call(req)
|
|
4
|
+
valid_authenticity_token?(req.session, req.cookies["_csrf_token"])
|
|
5
|
+
end
|
|
6
|
+
|
|
7
|
+
private
|
|
8
|
+
|
|
9
|
+
[
|
|
10
|
+
:valid_authenticity_token?,
|
|
11
|
+
:unmask_token,
|
|
12
|
+
:compare_with_real_token,
|
|
13
|
+
:valid_per_form_csrf_token?,
|
|
14
|
+
:xor_byte_strings,
|
|
15
|
+
:real_csrf_token
|
|
16
|
+
].each do |method|
|
|
17
|
+
define_method method do |*args, **kwargs, &blk|
|
|
18
|
+
ActionController::RequestForgeryProtection.instance_method(method).bind(self).call(*args, **kwargs, &blk)
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def per_form_csrf_tokens
|
|
23
|
+
false
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
end
|
data/lib/static-rails/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: static-rails
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.7
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Justin Searls
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-05-
|
|
11
|
+
date: 2020-05-29 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: railties
|
|
@@ -75,6 +75,7 @@ files:
|
|
|
75
75
|
- lib/static-rails/site_middleware.rb
|
|
76
76
|
- lib/static-rails/site_plus_csrf_middleware.rb
|
|
77
77
|
- lib/static-rails/static_middleware.rb
|
|
78
|
+
- lib/static-rails/validates_csrf_token.rb
|
|
78
79
|
- lib/static-rails/version.rb
|
|
79
80
|
- lib/static-rails/waits_for_connection.rb
|
|
80
81
|
- lib/tasks/static-rails.rake
|