wrap_it_ruby 0.2.0 → 0.3.1

data/app/javascript/wrap_it_ruby/controllers/sortable_tree_controller.js

@@ -0,0 +1,198 @@
+import { Controller } from "@hotwired/stimulus"
+import SortableTree from "sortable-tree"
+import { patch, post, destroy } from "@rails/request.js"
+
+// Wraps the sortable-tree library as a Stimulus controller.
+// Handles drag-to-sort, click-to-edit, and CRUD via modals.
+
+export default class extends Controller {
+  static values = {
+    nodes: Array,
+    sortUrl: String,
+    lockRoot: { type: Boolean, default: true },
+    collapseLevel: { type: Number, default: 2 },
+  }
+
+  connect() {
+    this.tree = new SortableTree({
+      nodes: this.nodesValue,
+      element: this.element,
+      lockRootLevel: this.lockRootValue,
+      initCollapseLevel: this.collapseLevelValue,
+      styles: {
+        tree: "st-tree",
+        node: "st-node",
+        nodeHover: "st-node--hover",
+        nodeDragging: "st-node--dragging",
+        nodeDropBefore: "st-node--drop-before",
+        nodeDropInside: "st-node--drop-inside",
+        nodeDropAfter: "st-node--drop-after",
+        label: "st-label",
+        subnodes: "st-subnodes",
+        collapse: "st-collapse",
+      },
+      icons: {
+        collapsed: '<i class="caret right icon"></i>',
+        open: '<i class="caret down icon"></i>',
+      },
+      renderLabel: (data) => {
+        const icon = data.icon ? `<i class="${data.icon} icon"></i> ` : ""
+        const route = data.route ? `<span class="st-route">${data.route}</span>` : ""
+        const typeBadge = data.item_type === "group"
+          ? '<span class="ui mini label">group</span> '
+          : ""
+        return `<span class="st-label-inner">${icon}${typeBadge}<strong>${data.title}</strong>${route}</span>`
+      },
+      onChange: async ({ nodes, movedNode, srcParentNode, targetParentNode }) => {
+        if (!this.hasSortUrlValue) return
+        await this.persistTree(nodes)
+      },
+      onClick: (event, node) => {
+        this.editNode(node)
+      },
+    })
+
+    // Expose global functions for the modal buttons
+    this.registerGlobalFunctions()
+  }
+
+  disconnect() {
+    if (this.tree) {
+      this.tree.destroy()
+      this.tree = null
+    }
+    this.unregisterGlobalFunctions()
+  }
+
+  // -- Edit --
+
+  editNode(node) {
+    const data = node.data
+    this._currentEditId = data.id
+
+    document.getElementById("menu-edit-id").value = data.id
+    document.getElementById("menu-edit-label").value = data.title || ""
+    document.getElementById("menu-edit-icon").value = data.icon || ""
+    document.getElementById("menu-edit-route").value = data.route || ""
+    document.getElementById("menu-edit-url").value = data.url || ""
+    document.getElementById("menu-edit-type").value = data.item_type || "proxy"
+
+    menuSettingsToggleProxyFields("menu-edit")
+
+    $("#menu-edit-modal").modal({ allowMultiple: true }).modal("show")
+  }
+
+  async saveNode() {
+    const id = document.getElementById("menu-edit-id").value
+    const data = {
+      label: document.getElementById("menu-edit-label").value,
+      icon: document.getElementById("menu-edit-icon").value,
+      route: document.getElementById("menu-edit-route").value,
+      url: document.getElementById("menu-edit-url").value,
+      item_type: document.getElementById("menu-edit-type").value,
+    }
+
+    await patch(`/menu/settings/${id}`, {
+      body: JSON.stringify(data),
+      contentType: "application/json",
+      responseKind: "turbo-stream",
+    })
+
+    $("#menu-edit-modal").modal("hide")
+  }
+
+  async deleteNode() {
+    const id = document.getElementById("menu-edit-id").value
+    if (!confirm("Delete this item and all its children?")) return
+
+    await destroy(`/menu/settings/${id}`, {
+      responseKind: "turbo-stream",
+    })
+
+    $("#menu-edit-modal").modal("hide")
+  }
+
+  // -- Add --
+
+  showAdd() {
+    document.getElementById("menu-add-label").value = ""
+    document.getElementById("menu-add-icon").value = ""
+    document.getElementById("menu-add-route").value = ""
+    document.getElementById("menu-add-url").value = ""
+    document.getElementById("menu-add-type").value = "group"
+    document.getElementById("menu-add-parent").value = ""
+
+    menuSettingsToggleProxyFields("menu-add")
+
+    $("#menu-add-modal").modal({ allowMultiple: true }).modal("show")
+  }
+
+  async createNode() {
+    const data = {
+      label: document.getElementById("menu-add-label").value,
+      icon: document.getElementById("menu-add-icon").value,
+      route: document.getElementById("menu-add-route").value,
+      url: document.getElementById("menu-add-url").value,
+      item_type: document.getElementById("menu-add-type").value,
+      parent_id: document.getElementById("menu-add-parent").value || null,
+    }
+
+    await post("/menu/settings", {
+      body: JSON.stringify(data),
+      contentType: "application/json",
+      responseKind: "turbo-stream",
+    })
+
+    $("#menu-add-modal").modal("hide")
+  }
+
+  // -- Sort --
+
+  async persistTree(nodes) {
+    const ordering = this.flattenTree(nodes)
+    await patch(this.sortUrlValue, {
+      body: JSON.stringify({ ordering }),
+      contentType: "application/json",
+      responseKind: "turbo-stream",
+    })
+  }
+
+  flattenTree(nodes, parentId = null) {
+    const result = []
+    nodes.forEach((node, index) => {
+      result.push({
+        id: node.element.data.id,
+        parent_id: parentId,
+        position: index + 1,
+      })
+      if (node.subnodes && node.subnodes.length > 0) {
+        result.push(...this.flattenTree(node.subnodes, node.element.data.id))
+      }
+    })
+    return result
+  }
+
+  // -- Global functions (called by modal button onclick handlers) --
+
+  registerGlobalFunctions() {
+    window.menuSettingsSave = () => this.saveNode()
+    window.menuSettingsDelete = () => this.deleteNode()
+    window.menuSettingsCreate = () => this.createNode()
+    window.menuSettingsShowAdd = () => this.showAdd()
+    window.menuSettingsToggleProxyFields = (prefix) => {
+      const type = document.getElementById(`${prefix}-type`).value
+      const proxyFields = document.getElementById(`${prefix}-proxy-fields`)
+      if (proxyFields) {
+        proxyFields.style.display = type === "proxy" ? "" : "none"
+      }
+    }
+  }
+
+  unregisterGlobalFunctions() {
+    delete window.menuSettingsSave
+    delete window.menuSettingsDelete
+    delete window.menuSettingsCreate
+    delete window.menuSettingsShowAdd
+    delete window.menuSettingsToggleProxyFields
+  }
+}

data/app/views/wrap_it_ruby/menu_settings/_tree.html.erb

@@ -0,0 +1 @@
+<div id="menu-tree-container"><%= sortable_menu_tree %></div>

data/app/views/wrap_it_ruby/menu_settings/index.html.erb

@@ -0,0 +1 @@
+<%= render partial: "wrap_it_ruby/menu_settings/tree" %>

data/config/importmap.rb

@@ -1,6 +1,10 @@
 # Importmap pins for the WrapItRuby engine.
 # These get merged into the host app's importmap via the engine initializer.
 
-pin_all_from WrapItRuby::Engine.root.join("app/javascript/wrap_it_ruby/controllers"),
-  under: "controllers/wrap_it_ruby",
-  to: "wrap_it_ruby/controllers"
+pin_all_from WrapItRuby::Engine.root.join('app/javascript/wrap_it_ruby/controllers'),
+             under: 'controllers/wrap_it_ruby',
+             to: 'wrap_it_ruby/controllers'
+
+# Sortable tree + request helpers
+pin 'sortable-tree', to: 'https://esm.sh/sortable-tree@0.7.6'
+pin '@rails/request.js', to: 'https://ga.jspm.io/npm:@rails/request.js@0.0.11/src/index.js'

data/config/routes.rb

@@ -1,7 +1,13 @@
 # frozen_string_literal: true
 
 WrapItRuby::Engine.routes.draw do
-  get "/*path", to: "proxy#show", constraints: ->(req) {
+  get    'menu/settings',          to: 'menu_settings#index',   as: :menu_settings
+  post   'menu/settings',          to: 'menu_settings#create',  as: :create_menu_setting
+  patch  'menu/settings/:id/sort', to: 'menu_settings#sort',    as: :sort_menu_setting
+  patch  'menu/settings/:id',      to: 'menu_settings#update',  as: :update_menu_setting
+  delete 'menu/settings/:id',      to: 'menu_settings#destroy', as: :destroy_menu_setting
+
+  get '/*path', to: 'proxy#show', constraints: lambda { |req|
     WrapItRuby::MenuHelper.proxy_paths.any? { |p| req.path.start_with?(p) }
   }
 end

data/lib/wrap_it_ruby/engine.rb

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
 
-require "ui"
-require "wrap_it_ruby/middleware/proxy_middleware"
-require "wrap_it_ruby/middleware/root_relative_proxy_middleware"
-require "wrap_it_ruby/middleware/script_injection_middleware"
+require 'ui'
+require 'wrap_it_ruby/middleware/proxy_middleware'
+require 'wrap_it_ruby/middleware/root_relative_proxy_middleware'
+require 'wrap_it_ruby/middleware/script_injection_middleware'
 
 module WrapItRuby
   class Engine < ::Rails::Engine
@@ -17,33 +17,34 @@ module WrapItRuby
     #   2. ScriptInjection strips Accept-Encoding, passes to Proxy,
     #      then injects <base> + interception.js into HTML responses
     #   3. Proxy does the actual upstream proxying
-    initializer "wrap_it_ruby.middleware" do |app|
+    initializer 'wrap_it_ruby.middleware' do |app|
       app.middleware.insert_before ActionDispatch::Static, WrapItRuby::Middleware::RootRelativeProxyMiddleware
       app.middleware.insert_after  WrapItRuby::Middleware::RootRelativeProxyMiddleware, WrapItRuby::Middleware::ScriptInjectionMiddleware
       app.middleware.insert_after  WrapItRuby::Middleware::ScriptInjectionMiddleware,   WrapItRuby::Middleware::ProxyMiddleware
     end
 
     # Register importmap pins for the Stimulus controller
-    initializer "wrap_it_ruby.importmap", before: "importmap" do |app|
+    initializer 'wrap_it_ruby.importmap', before: 'importmap' do |app|
       if app.config.respond_to?(:importmap)
-        app.config.importmap.paths << Engine.root.join("config/importmap.rb")
-        app.config.importmap.cache_sweepers << Engine.root.join("app/javascript")
+        app.config.importmap.paths << Engine.root.join('config/importmap.rb')
+        app.config.importmap.cache_sweepers << Engine.root.join('app/javascript')
       end
     end
 
     # Add engine assets to the asset load path (for propshaft/sprockets)
-    initializer "wrap_it_ruby.assets" do |app|
-      app.config.assets.paths << Engine.root.join("app/assets/javascripts")
-      app.config.assets.paths << Engine.root.join("app/assets/stylesheets")
+    initializer 'wrap_it_ruby.assets' do |app|
+      app.config.assets.paths << Engine.root.join('app/javascript')
+      app.config.assets.paths << Engine.root.join('app/assets/javascripts')
+      app.config.assets.paths << Engine.root.join('app/assets/stylesheets')
 
       # rails-active-ui ships stylesheets.css directly in app/assets/
-      app.config.assets.paths << Ui::Engine.root.join("app/assets")
+      app.config.assets.paths << Ui::Engine.root.join('app/assets')
     end
 
     # Make engine helpers (MenuHelper, IframeHelper) available in host app views.
     # MenuHelper#render_menu depends on ComponentHelper from rails-active-ui,
     # which is already injected into ActionView by the Ui engine.
-    initializer "wrap_it_ruby.helpers" do
+    initializer 'wrap_it_ruby.helpers' do
       ActiveSupport.on_load(:action_view) do
         include WrapItRuby::MenuHelper
         include WrapItRuby::IframeHelper

data/lib/wrap_it_ruby/middleware/proxy_middleware.rb

@@ -1,41 +1,84 @@
 # frozen_string_literal: true
 
-require "async/http/client"
-require "async/http/endpoint"
-require "async/websocket/adapters/rack"
+require 'async/http/client'
+require 'async/http/endpoint'
+require 'cgi'
 
 module WrapItRuby
   module Middleware
     # Rack middleware that proxies /_proxy/{host}/{path} to the upstream host.
     #
-    # Strips frame-blocking headers so responses render inside an iframe.
-    # Rewrites Location headers so redirects stay within the proxy.
-    # Detects WebSocket upgrades and pipes frames bidirectionally.
+    # Header strategy (both request and response):
+    #   1. Whitelist — only known-safe headers pass through
+    #   2. Modify   — rewrite values (host, origin, cookies, redirects)
+    #   3. Add      — set headers the upstream/browser needs
     #
     class ProxyMiddleware
       PATTERN = %r{\A/_proxy/(?<host>[^/]+)(?<path>/.*)?\z}
 
-      HOP_HEADERS = %w[
-        connection
-        keep-alive
-        proxy-authenticate
-        proxy-authorization
-        te
-        trailers
-        transfer-encoding
-        upgrade
-      ].freeze
+      # ── Request headers whitelisted for forwarding to upstream ──
+      #
+      # Everything not on this list is dropped. This prevents leaking
+      # proxy-internal headers, browser metadata, and hop-by-hop headers.
+      #
+      REQUEST_WHITELIST = %w[
+        accept
+        accept-language
+        authorization
+        cache-control
+        content-type
+        content-length
+        cookie
+        if-match
+        if-modified-since
+        if-none-match
+        if-range
+        if-unmodified-since
+        pragma
+        range
+        x-requested-with
+      ].to_set.freeze
+
+      # ── Response headers whitelisted for forwarding to browser ──
+      #
+      # Everything not on this list is dropped. This prevents frame-
+      # blocking headers, CSP, HSTS, and hop-by-hop headers from
+      # reaching the browser inside the iframe.
+      #
+      RESPONSE_WHITELIST = %w[
+        accept-ranges
+        age
+        cache-control
+        content-disposition
+        content-language
+        content-length
+        content-range
+        content-type
+        date
+        etag
+        expires
+        last-modified
+        location
+        pragma
+        retry-after
+        set-cookie
+        vary
+        x-content-type-options
+        x-xss-protection
+      ].to_set.freeze
 
       def initialize(app)
-        @app     = app
-        @clients = {}
+        @app          = app
+        @clients      = {}
+        @proxy_host   = ENV['WRAP_IT_PROXY_HOST']
+        @cookie_domain = ENV.fetch('WRAP_IT_COOKIE_DOMAIN', '.cia.net')
       end
 
       def call(env)
-        PATTERN.match(env["PATH_INFO"].to_s).then do |match|
+        PATTERN.match(env['PATH_INFO'].to_s).then do |match|
           if match
-            host = match[:host]
-            path = match[:path] || "/"
+            host = match[:host].delete_suffix('.')
+            path = match[:path] || '/'
 
             if websocket?(env)
               proxy_websocket(env, host, path)
@@ -50,18 +93,19 @@ module WrapItRuby
 
       private
 
-      # ---- HTTP ----
+      # ── HTTP proxying ──
 
       def proxy_http(env, host, path)
         client = client_for(host)
 
-        query     = env["QUERY_STRING"]
-        full_path = query && !query.empty? ? "#{path}?#{query}" : path
-        headers   = forwarded_headers(env, host)
+        query     = env['QUERY_STRING']
+        query     = deproxify_query(query) if query && !query.empty?
+        full_path = (query && !query.empty?) ? "#{path}?#{query}" : path
+        headers   = build_request_headers(env, host)
         body      = read_body(env)
 
         request = Protocol::HTTP::Request.new(
-          "https", host, env["REQUEST_METHOD"], full_path, nil, headers, body
+          'https', host, env['REQUEST_METHOD'], full_path, nil, headers, body
         )
 
         response = client.call(request)
@@ -74,80 +118,133 @@ module WrapItRuby
           response.body&.close
         end
 
-        rack_headers = strip_headers(response.headers, host)
+        rack_headers = build_response_headers(response.headers, host)
         [response.status, rack_headers, rack_body]
       end
 
-      # ---- WebSocket ----
+      # ── WebSocket (safety net — handled by WebSocketProxy before Rack) ──
 
       def websocket?(env)
-        Async::WebSocket::Adapters::Rack.websocket?(env)
-        false
+        upgrade = env['HTTP_UPGRADE']
+        upgrade && upgrade.casecmp?('websocket')
       end
 
-      # ---- Helpers ----
-
-      def client_for(host)
-        @clients[host] ||= Async::HTTP::Client.new(
-          Async::HTTP::Endpoint.parse("https://#{host}"),
-          retries: 0
-        )
+      def proxy_websocket(_env, _host, _path)
+        [502, { 'content-type' => 'text/plain' }, ['WebSocket requests must be handled at Protocol::HTTP level']]
       end
 
-      def forwarded_headers(env, host)
+      # ── Request headers: whitelist → modify → add ──
+
+      def build_request_headers(env, host)
         headers = Protocol::HTTP::Headers.new
 
+        # 1. Whitelist: only forward known-safe headers
         env.each do |key, value|
-          next unless key.start_with?("HTTP_")
-          name = key.delete_prefix("HTTP_").downcase.tr("_", "-")
-          next if name == "host" || HOP_HEADERS.include?(name)
+          next unless key.start_with?('HTTP_')
+
+          name = key.delete_prefix('HTTP_').downcase.tr('_', '-')
+          next unless REQUEST_WHITELIST.include?(name)
+
           headers.add(name, value)
         end
 
-        headers.add("content-type", env["CONTENT_TYPE"])     if env["CONTENT_TYPE"]
-        headers.add("content-length", env["CONTENT_LENGTH"]) if env["CONTENT_LENGTH"]
-        headers.add("host", host)
+        # Also forward content-type/content-length from Rack env
+        headers.add('content-type', env['CONTENT_TYPE'])     if env['CONTENT_TYPE']
+        headers.add('content-length', env['CONTENT_LENGTH']) if env['CONTENT_LENGTH']
+
+        # 2. Modify: nothing to modify at this stage (cookies pass through
+        #    as-is since the .cia.net domain covers both proxy and upstream)
+
+        # 3. Add: set host for the upstream
+        headers.add('host', host)
 
         headers
       end
 
-      def strip_headers(upstream_headers, host)
+      # ── Response headers: whitelist → modify → add ──
+
+      def build_response_headers(upstream_headers, host)
         result = {}
+
+        # 1. Whitelist: only pass through known-safe headers
         upstream_headers.each do |name, value|
           key = name.downcase
-          next if key == "x-frame-options"
-          next if key == "content-security-policy"
-          next if key == "content-security-policy-report-only"
-          next if key == "content-encoding"
-          next if HOP_HEADERS.include?(key)
+          next unless RESPONSE_WHITELIST.include?(key)
+
+          # 2. Modify: rewrite specific headers
+          case key
+          when 'set-cookie'
+            value = rewrite_cookie_domain(value)
+          when 'location'
+            # Handled below after the loop
+          end
+
           result[name] = value
         end
 
-        # Rewrite Location headers so redirects stay within the proxy
-        if (location = result["location"] || result["Location"])
-          result_key = result.key?("location") ? "location" : "Location"
+        # Rewrite Location header (redirects stay within proxy)
+        rewrite_location(result, host)
+
+        result
+      end
+
+      # ── Helpers ──
+
+      def client_for(host)
+        @clients[host] ||= Async::HTTP::Client.new(
+          Async::HTTP::Endpoint.parse("https://#{host}"),
+          retries: 0
+        )
+      end
+
+      # Rewrites proxy URLs in query parameter values back to real upstream
+      # URLs. Fixes auth flows where upstream validates return_url against
+      # its own host.
+      def deproxify_query(query)
+        return query unless @proxy_host
+
+        proxy_prefix          = "https://#{@proxy_host}/_proxy/"
+        proxy_prefix_encoded  = CGI.escape("https://#{@proxy_host}/_proxy/")
+
+        query
+          .gsub(proxy_prefix_encoded) { |_m| CGI.escape('https://') }
+          .gsub(proxy_prefix)         { 'https://' }
+      end
+
+      # Rewrites Location headers so redirects stay within the proxy.
+      def rewrite_location(result, host)
+        if (location = result['location'] || result['Location'])
+          result_key = result.key?('location') ? 'location' : 'Location'
           begin
             uri = URI.parse(location)
-            if uri.host == host || uri.host&.end_with?(".#{host}")
-              redirect_host = uri.host || host
-              result[result_key] = "/_proxy/#{redirect_host}#{uri.path}#{"?#{uri.query}" if uri.query}"
-            elsif uri.relative?
-              result[result_key] = "/_proxy/#{host}#{location}"
+            if uri.host
+              result[result_key] = "/_proxy/#{uri.host.delete_suffix('.')}#{uri.path}#{"?#{uri.query}" if uri.query}"
+            else
+              resolved = URI.join("https://#{host}/", location)
+              result[result_key] = "/_proxy/#{host}#{resolved.path}#{"?#{resolved.query}" if resolved.query}"
             end
           rescue URI::InvalidURIError
             # leave it alone
           end
         end
+      end
 
-        result
+      # Rewrites Set-Cookie Domain to the configured cookie domain.
+      def rewrite_cookie_domain(cookie)
+        cookie.gsub(/Domain=[^;]+/i, "Domain=#{@cookie_domain}")
       end
 
       def read_body(env)
-        input = env["rack.input"]
+        input = env['rack.input']
         return nil unless input
+
         body = input.read
-        input.rewind rescue nil
-        body && !body.empty? ? Protocol::HTTP::Body::Buffered.wrap(body) : nil
+        begin
+          input.rewind
+        rescue StandardError
+          nil
+        end
+        (body && !body.empty?) ? Protocol::HTTP::Body::Buffered.wrap(body) : nil
       end
     end
   end

data/lib/wrap_it_ruby/middleware/root_relative_proxy_middleware.rb

@@ -43,9 +43,17 @@ module WrapItRuby
       private
 
       def extract_proxy_host(env)
+        # 1. Try the Referer path (works for browser-initiated asset loads)
         referer = env["HTTP_REFERER"]
-        match = REFERER_PATTERN.match(referer) if referer
-        match[:host] if match
+        if referer
+          match = REFERER_PATTERN.match(referer)
+          return match[:host].delete_suffix(".") if match
+        end
+
+        # 2. Fall back to X-Proxy-Host header (set by interception.js on
+        #    fetch/XHR — covers cases where the Referer lost the /_proxy/
+        #    prefix after a server-side rewrite hop)
+        env[PROXY_HOST_HEADER]&.delete_suffix(".")
       end
     end
   end

data/lib/wrap_it_ruby/middleware/script_injection_middleware.rb

@@ -27,7 +27,7 @@ module WrapItRuby
         path = env["PATH_INFO"].to_s
 
         if path.start_with?(PROXY_PREFIX)
-          host = path.delete_prefix(PROXY_PREFIX).split("/", 2).first
+          host = path.delete_prefix(PROXY_PREFIX).split("/", 2).first.delete_suffix(".")
           hosting_site = env["HTTP_HOST"]
 
           env.delete("HTTP_ACCEPT_ENCODING")
@@ -71,6 +71,12 @@ module WrapItRuby
           html.prepend(tag)
         end
 
+        # Strip restrictive referrer policies (e.g. strict-origin) that
+        # truncate the Referer to just the origin.  RootRelativeProxyMiddleware
+        # needs the full path (/_proxy/{host}/…) in the Referer to route
+        # root-relative asset requests back through the proxy.
+        html.gsub!(%r{<meta[^>]+name=["']referrer["'][^>]*>}i, "")
+
         headers.delete("content-length")
         headers["content-length"] = html.bytesize.to_s
         [html]