turbo_boost-commands 0.2.2 → 0.3.0

data/lib/turbo_boost/commands/sanitizer.rb

@@ -7,7 +7,7 @@ class TurboBoost::Commands::Sanitizer
   attr_reader :scrubber
 
   def sanitize(value)
-    super(value, scrubber: scrubber)
+    super(value.to_s, scrubber: scrubber)
   end
 
   private

data/lib/turbo_boost/commands/state.rb

@@ -1,73 +1,123 @@
 # frozen_string_literal: true
 
+require "digest/md5"
+require_relative "state_store"
+
+# Class that encapsulates all the various forms of state.
+#
+# 1. `page` - Client-side transient page state used for rendering remembered element attributes
+# 2. `now` - Server-side state for the current render only (discarded after rendering)
+# 3. `signed` - Server-side state that persists across renders (state that was used for the last server-side render)
+# 4. `unsigned` - Client-side state (optimistic client-side changes)
+# 5. `current` - Combined server-side state (signed + now)
+# 6. `all` - All state except unsigned (signed + now + page)
+#
 class TurboBoost::Commands::State
   include Enumerable
 
-  class << self
-    def from_sgid_param(sgid)
-      new URI::UID.from_sgid(sgid, for: name)&.decode
-    end
-  end
+  def initialize(payload = {})
+    payload = payload.respond_to?(:to_unsafe_h) ? payload.to_unsafe_h : payload.to_h
+    payload = payload.with_indifferent_access
 
-  def initialize(store = nil, provisional: false)
-    @store = store || ActiveSupport::Cache::MemoryStore.new(expires_in: 1.day, size: 16.kilobytes)
-    @store.cleanup
-    @provisional = provisional
+    @now = {}.with_indifferent_access
+    @page = payload.fetch(:page, {}).with_indifferent_access
+    @signed = TurboBoost::Commands::StateStore.new(payload.fetch(:signed, {}))
+    @unsigned = payload.fetch(:unsigned, {}).with_indifferent_access
   end
 
-  delegate :to_json, to: :to_h
-  delegate_missing_to :store
-
-  def dig(*keys)
-    to_h.with_indifferent_access.dig(*keys)
+  # Client-side transient page state used for rendering remembered element attributes
+  # @return [HashWithIndifferentAccess]
+  attr_reader :page
+
+  # Server-side state for the current render only (similar to flash.now)
+  # @note Discarded after rendering
+  # @return [HashWithIndifferentAccess]
+  attr_reader :now
+
+  # Server-side state that persists across renders
+  # This is the state that was used for the last server-side render (untampered by the client)
+  # @return [TurboBoost::Commands::StateStore]
+  attr_reader :signed
+
+  # @note Most state will interactions work with the signed state, so we delegate missing methods to it.
+  delegate_missing_to :signed
+
+  # Client-side state (optimistic client-side changes)
+  # @note There is a hook on Command instances to resolve state `Command#resolve_state`,
+  #       where Command authors can determine how to properly handle optimistic client-side state.
+  # @return [HashWithIndifferentAccess]
+  attr_reader :unsigned
+  alias_method :optimistic, :unsigned
+
+  # Combined server-side state (signed + now)
+  # @return [HashWithIndifferentAccess]
+  def current
+    signed.to_h.merge now
   end
 
-  def merge!(hash = {})
-    hash.to_h.each { |key, val| self[key] = val }
-    self
-  end
+  delegate :each, to: :current
 
-  def each
-    data.keys.each { |key| yield(key, self[key]) }
+  # All state except unsigned (page + current).
+  # @return [HashWithIndifferentAccess]
+  def all
+    page.merge current
   end
 
-  # Provisional state is for the current request/response and is exposed as `State#now`
-  # Standard state is preserved across multiple requests
-  def provisional?
-    !!@provisional
+  # Returns a cache key representing "all" state
+  def cache_key
+    "TurboBoost::Commands::State/#{Digest::MD5.base64digest(all.to_s)}"
   end
 
-  def now
-    return nil if provisional? # provisional state cannot hold child provisional state
-    @now ||= self.class.new(provisional: true)
+  # A JSON representation of state that can be sent to the client
+  #
+  # Includes the following keys:
+  # * `signed` - The signed state (String)
+  # * `unsigned` - The unsigned state (Hash)
+  #
+  # @return [String]
+  def to_json
+    {signed: signed.to_sgid_param, unsigned: signed.to_h}.to_json(camelize: false)
   end
 
-  def cache_key
-    "TurboBoost::Commands::State/#{Digest::SHA2.base64digest(to_json)}"
-  end
+  def tag_options(options = {})
+    return options unless options.is_a?(Hash)
 
-  def read(...)
-    now&.read(...) || store.read(...)
-  end
+    options = options.deep_symbolize_keys
+    return options unless options.key?(:turbo_boost)
 
-  def [](...)
-    read(...)
-  end
+    config = options.delete(:turbo_boost)
+    return options unless config.is_a?(Hash)
 
-  def []=(...)
-    write(...)
-  end
+    attributes = config[:remember]
+    return options if attributes.blank?
 
-  def to_sgid_param
-    store.cleanup
-    URI::UID.build(store, include_blank: false).to_sgid_param for: self.class.name, expires_in: 1.week
-  end
+    attributes = begin
+      attributes.is_a?(Array) ? attributes : JSON.parse(attributes.to_s)
+    rescue
+      raise TurboBoost::Commands::StateError,
+        "Invalid `turbo_boost` options! `attributes` must be an Array of attributes to remember!"
+    end
+    attributes ||= []
+    attributes.map!(&:to_s).uniq!
+    return options if attributes.blank?
 
-  private
+    if options[:id].blank?
+      raise TurboBoost::Commands::StateError, "An `id` attribute is required for remembering state!"
+    end
 
-  attr_reader :store
+    options[:aria] ||= {}
+    options[:data] ||= {}
+    options[:data][:turbo_boost_state_attributes] = attributes.to_json
+
+    attributes.each do |name|
+      value = page.dig(options[:id], name)
+      case name
+      in String if name.start_with?("aria-") then options[:aria][name.delete_prefix("aria-").to_sym] = value
+      in String if name.start_with?("data-") then options[:data][name.delete_prefix("data-").to_sym] = value
+      else options[name.to_sym] = value
+      end
+    end
 
-  def data
-    store.instance_variable_get(:@data) || {}
+    options
   end
 end

data/lib/turbo_boost/commands/state_store.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+class TurboBoost::Commands::StateStore < ActiveSupport::Cache::MemoryStore
+  include Enumerable
+
+  class NoCoder
+    def dump(value)
+      value
+    end
+
+    def load(value)
+      value
+    end
+  end
+
+  SGID_PURPOSE = name.dup.freeze
+
+  def initialize(payload = {})
+    super(coder: NoCoder.new, compress: false, expires_in: 1.day, size: 16.kilobytes)
+
+    begin
+      payload = case payload
+      when SignedGlobalID then URI::UID.from_sgid(payload, for: SGID_PURPOSE)&.decode
+      when GlobalID then URI::UID.from_gid(payload)&.decode
+      when String then URI::UID.from_sgid(payload, for: SGID_PURPOSE)&.decode || URI::UID.from_gid(payload, for: SGID_PURPOSE)&.decode
+      else payload
+      end
+    rescue => error
+      Rails.logger.error "Failed to decode URI::UID when creating a TurboBoost::Commands::StateStore! #{error.message}"
+      payload = {}
+    end
+
+    merge! payload
+  end
+
+  alias_method :[], :read
+  alias_method :[]=, :write
+
+  def to_h
+    @data
+      .each_with_object({}) { |(key, entry), memo| memo[key] = entry.value }
+      .with_indifferent_access
+  end
+
+  delegate :dig, :each, to: :to_h
+
+  def merge!(other = {})
+    other.to_h.each { |key, val| write key, val }
+    self
+  end
+
+  def to_uid
+    cleanup
+    URI::UID.build to_h, include_blank: false
+  end
+
+  def to_gid
+    to_uid.to_gid
+  end
+
+  def to_gid_param
+    to_gid.to_param
+  end
+
+  def to_sgid
+    to_uid.to_sgid for: SGID_PURPOSE, expires_in: 1.day
+  end
+
+  def to_sgid_param
+    to_sgid.to_param
+  end
+end

data/lib/turbo_boost/commands/token_validator.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+class TurboBoost::Commands::TokenValidator
+  def initialize(command, method_name)
+    @command = command
+    @method_name = method_name
+  end
+
+  attr_reader :command, :method_name
+  delegate :controller, to: :command
+  delegate :session, to: :controller
+
+  def validate
+    return true unless TurboBoost::Commands.config.protect_from_forgery
+    tokens.any? { |token| valid_token? token }
+  end
+
+  alias_method :valid?, :validate
+
+  def validate!
+    return true if valid?
+
+    message = <<~MSG
+      `#{command.class.name}##{method_name}` invoked with an invalid authenticity token!
+
+      Verify that your page includes `<%= csrf_meta_tags %>` in the header.
+
+      If the problem persists, you can disable forgery protection with `TurboBoost::Commands.config.protect_from_forgery = false`
+    MSG
+
+    raise TurboBoost::Commands::InvalidTokenError.new(message, command: command.class)
+  end
+
+  private
+
+  def tokens
+    list = Set.new.tap do |set|
+      set.add command.params[:csrf_token]
+
+      # TODO: Update to use Rails' public API
+      set.merge controller.send(:request_authenticity_tokens)
+    end
+
+    list.select(&:present?).to_a
+  end
+
+  def valid_token?(token)
+    # TODO: Update to use Rails' public API
+    controller.send :valid_authenticity_token?, session, token
+  end
+end

data/lib/turbo_boost/commands/version.rb

@@ -2,6 +2,6 @@
 
 module TurboBoost
   module Commands
-    VERSION = "0.2.2"
+    VERSION = "0.3.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: turbo_boost-commands
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.3.0
 platform: ruby
 authors:
 - Nate Hopkins (hopsoft)
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-03-14 00:00:00.000000000 Z
+date: 2024-05-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -66,6 +66,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 0.1.7
+- !ruby/object:Gem::Dependency
+  name: amazing_print
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: capybara
   requirement: !ruby/object:Gem::Requirement
@@ -336,16 +350,16 @@ dependencies:
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.7'
 - !ruby/object:Gem::Dependency
   name: standardrb
   requirement: !ruby/object:Gem::Requirement
@@ -431,6 +445,8 @@ files:
 - app/javascript/schema.js
 - app/javascript/state/index.js
 - app/javascript/state/observable.js
+- app/javascript/state/page.js
+- app/javascript/state/storage.js
 - app/javascript/turbo.js
 - app/javascript/urls.js
 - app/javascript/uuids.js
@@ -440,16 +456,21 @@ files:
 - lib/turbo_boost/commands/attribute_set.rb
 - lib/turbo_boost/commands/command.rb
 - lib/turbo_boost/commands/command_callbacks.rb
+- lib/turbo_boost/commands/command_validator.rb
 - lib/turbo_boost/commands/controller_pack.rb
 - lib/turbo_boost/commands/engine.rb
 - lib/turbo_boost/commands/errors.rb
 - lib/turbo_boost/commands/http_status_codes.rb
-- lib/turbo_boost/commands/middleware.rb
+- lib/turbo_boost/commands/middlewares/entry_middleware.rb
+- lib/turbo_boost/commands/middlewares/exit_middleware.rb
 - lib/turbo_boost/commands/patches.rb
 - lib/turbo_boost/commands/patches/action_view_helpers_tag_helper_tag_builder_patch.rb
+- lib/turbo_boost/commands/responder.rb
 - lib/turbo_boost/commands/runner.rb
 - lib/turbo_boost/commands/sanitizer.rb
 - lib/turbo_boost/commands/state.rb
+- lib/turbo_boost/commands/state_store.rb
+- lib/turbo_boost/commands/token_validator.rb
 - lib/turbo_boost/commands/version.rb
 homepage: https://github.com/hopsoft/turbo_boost-commands
 licenses:
@@ -473,7 +494,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.6
+rubygems_version: 3.5.10
 signing_key:
 specification_version: 4
 summary: Commands to help you build robust reactive applications with Rails & Hotwire.