Merge branch 'jeremyevans:master' into master

jeremyevans · Oct 3, 2024 · 7ad42ae · 7ad42ae
2 parents 1417261 + f4b9c51
commit 7ad42ae
Show file tree

Hide file tree

Showing 160 changed files with 5,900 additions and 940 deletions.
diff --git a/.ci.gemfile b/.ci.gemfile
@@ -25,12 +25,6 @@ else
   gem 'json'
 end
 
-if RUBY_VERSION < '2.2.0'
-  gem 'sass', '< 3.5'
-else
-  gem 'sassc'
-end
-
 case RUBY_VERSION[0, 3]
 when '1.9', '2.0'
   gem 'rack', '<1.6'
@@ -42,7 +36,9 @@ when '2.5'
   gem 'rack', '<2.2'
 when '2.6'
   gem 'rack', '<3'
-when '2.4', '3.1'
+when '2.7'
+  gem 'rack', '<3.1'
+when '2.4', '3.3'
   # Test main branch of Rack for lowest and highest supported
   # Ruby version
   gem 'rack', :git => 'https://github.com/rack/rack'

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,12 +15,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ruby: [ "1.9.3", "2.0.0", 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, "3.0", 3.1, 3.2, jruby-9.1, jruby-9.2, jruby-9.3, jruby-9.4, truffleruby-head ]
+        ruby: [ "1.9.3", "2.0.0", 2.1, 2.3, 2.4, 2.5, 2.6, 2.7, "3.0", 3.1, 3.2, 3.3, jruby-9.1, jruby-9.2, jruby-9.3, jruby-9.4 ]
     name: ${{ matrix.ruby }}
     env:
       BUNDLE_GEMFILE: .ci.gemfile
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby }}

diff --git a/.gitignore b/.gitignore
@@ -5,4 +5,4 @@
 /www/public/rdoc/
 /spec/iv-*.erb
 /spec/pid-*
-Gemfile.lock
+/spec/render_coverage-*
diff --git a/CHANGELOG b/CHANGELOG
@@ -1,3 +1,117 @@
+= master
+
+* Evaluate class_matcher and symbol_matcher blocks in route-block context (jeremyevans)
+
+* Allow class_matcher and symbol_matcher blocks to return non-arrays (jeremyevans)
+
+* Make class_matcher and symbol_matcher plugin be able to build on top of existing registered matchers (jeremyevans)
+
+* Make capture_erb plugin not break if String#capture is defined (jeremyevans)
+
+= 3.84.0 (2024-09-12)
+
+* Add hsts plugin for setting Strict-Transport-Security header (jeremyevans)
+
+* Remove documentation from the gem to reduce gem size by 25% (jeremyevans)
+
+= 3.83.0 (2024-08-12)
+
+* Add assume_ssl plugin for making request ssl? method always return true (jeremyevans)
+
+= 3.82.0 (2024-07-12)
+
+* Add :encodings option to public plugin to support configurable encoding order (jeremyevans)
+
+* Add :zstd option to public plugin to supplement it to serve zstd-compressed files with .zst extension (jeremyevans)
+
+* Make capture_erb plugin call integrate better with erubi/capture_block (jeremyevans)
+
+= 3.81.0 (2024-06-12)
+
+* Make assets plugin :early_hints option follow Rack 3 SPEC if using Rack 3 (jeremyevans)
+
+* Correctly parse Ruby 3.4 backtraces in exception_page plugin (jeremyevans)
+
+* Support :until and :seconds option in hmac_paths plugin, for paths valid only until a specific time (jeremyevans)
+
+= 3.80.0 (2024-05-10)
+
+* Support :namespace option in hmac_paths plugin, allowing for easy per-user/per-group HMAC paths (jeremyevans)
+
+= 3.79.0 (2024-04-12)
+
+* Do not update template mtime when there is an error reloading templates in the render plugin (jeremyevans)
+
+* Add hmac_paths plugin for preventing path enumeration and supporting access control (jeremyevans)
+
+= 3.78.0 (2024-03-13)
+
+* Add permissions_policy plugin for setting Permissions-Policy header (jeremyevans)
+
+= 3.77.0 (2024-02-12)
+
+* Support formaction/formmethod attributes in forms in route_csrf plugin (jeremyevans)
+
+= 3.76.0 (2024-01-12)
+
+* Support :filter plugin option in error_mail and error_email for filtering parameters, environment variables, and session values (jeremyevans) (#346)
+
+* Set temporary name on Ruby 3.3 in middleware plugin for middleware class created (janko) (#344)
+
+* Add break plugin, for using break inside a routing block to return from the block and keep routing (jeremyevans)
+
+= 3.75.0 (2023-12-14)
+
+* Add cookie_flags plugin, for overriding, warning, or raising for incorrect cookie flags (jeremyevans)
+
+= 3.74.0 (2023-11-13)
+
+* Add redirect_http_to_https plugin, helping to ensure future requests from the browser are submitted via HTTPS (jeremyevans)
+
+= 3.73.0 (2023-10-13)
+
+* Support :next_if_not_found option for middleware plugin (jeremyevans) (#334)
+
+* Remove dependency on base64 library from sessions and route_csrf plugin, as it will not be part of the standard library in Ruby 3.4+ (jeremyevans)
+
+= 3.72.0 (2023-09-12)
+
+* Add invalid_request_body plugin for custom handling of invalid request bodies (jeremyevans)
+
+* Warn when defining method that expects 1 argument when block requires multiple arguments when :check_arity option is set to :warn (jeremyevans)
+
+* Implement the match_hooks plugin using the match_hook_args plugin (jeremyevans)
+
+= 3.71.0 (2023-08-14)
+
+* Add match_hook_args plugin, similar to match_hooks but support matchers and block args as hook arguments (jeremyevans)
+
+= 3.70.0 (2023-07-12)
+
+* Add plain_hash_response_headers plugin, using a plain hash for response headers on Rack 3 for much better performance (jeremyevans)
+
+* Use lower case response header keys by default on Rack 3, instead of relying on Rack::Headers conversion (jeremyevans)
+
+= 3.69.0 (2023-06-13)
+
+* Allow symbol_matcher in symbol_matchers plugin to take a block to allow type conversion (jeremyevans)
+
+= 3.68.0 (2023-05-11)
+
+* Make Roda.run in multi_run plugin accept blocks to allow autoloading the apps to dispatch to (jeremyevans)
+
+= 3.67.0 (2023-04-12)
+
+* Add custom_block_results plugin for registering custom block result handlers (jeremyevans)
+
+= 3.66.0 (2023-03-13)
+
+* Support overriding exception page assets via exception_page_{css,js} instance methods (jeremyevans) (#306)
+
+* Avoid keeping reference to Roda instance that caches an inline template (jeremyevans)
+
+* Add render_coverage plugin, using tilt 2.1 features to allow for compiled templates in Ruby <3.2 (jeremyevans)
+
 = 3.65.0 (2023-02-13)
 
 * Make indifferent_params plugin work with changes in rack main branch (jeremyevans)

diff --git a/Gemfile b/Gemfile
diff --git a/README.rdoc b/README.rdoc
@@ -723,7 +723,7 @@ Note that when subclassing, Roda only does a shallow clone of the settings.
 
 If you store nested structures and plan to mutate them in subclasses,
 it is your responsibility to dup the nested structures inside +Roda.inherited+
-(making sure to call +super+).  This should be is done so that that modifications
+(making sure to call +super+).  This should be is done so that modifications
 to the parent class made after subclassing do _not_ affect the subclass, and
 vice-versa.
 
@@ -851,9 +851,8 @@ should use an appropriate external middleware.
 It is possible to use other session cookie middleware such as
 <tt>Rack::Session::Cookie</tt>, but other middleware may not have the same security
 features that Roda's session support does.  For example, the session cookies used by
-the <tt>Rack::Session::Cookie</tt> middleware are not encrypted, just signed to
-prevent tampering.  This means you should not store any secret data in the session
-when using <tt>Rack::Session::Cookie</tt>.
+the <tt>Rack::Session::Cookie</tt> middleware provided by Rack before Rack 3 are not
+encrypted, just signed to prevent tampering.
 
 For any cookie-based sessions, make sure that the necessary secrets (+:secret+ option)
 are not disclosed to an attacker.  Knowledge of the
@@ -960,17 +959,17 @@ application level using using the +default_headers+ plugin:
 Strict-Transport-Security :: Enforces SSL/TLS Connections to the application.
 X-Content-Type-Options :: Forces some browsers to respect a declared Content-Type header.
 X-Frame-Options :: Provides click-jacking protection by not allowing usage inside a frame.
-X-XSS-Protection :: Enables an XSS mitigation filter in some browsers.
+                   Only include this if you want to support and protect old browsers that
+                   do not support Content-Security-Policy.
 
 Example:
 
   class App < Roda
     plugin :default_headers,
       'Content-Type'=>'text/html',
-      'Strict-Transport-Security'=>'max-age=16070400;',
+      'Strict-Transport-Security'=>'max-age=63072000; includeSubDomains',
       'X-Content-Type-Options'=>'nosniff',
-      'X-Frame-Options'=>'deny',
-      'X-XSS-Protection'=>'1; mode=block'
+      'X-Frame-Options'=>'deny'
   end
 
 === Rendering Templates Derived From User Input
@@ -1007,25 +1006,16 @@ constants and removing them when any of the reloadable loaded files changes. It
 +require+ and +require_relative+ when activated (usually in the development environment). No
 configurations other than +reloadable_paths+ are required.
 
-Both {rerun}[https://github.com/alexch/rerun] and
-{shotgun}[https://github.com/rtomayko/shotgun] use a fork/exec approach for loading new
-versions of your app.  rerun is faster as it only reloads the app on changes, whereas
-shotgun reloads the app on every request.  Both work without any changes to application
+{rerun}[https://github.com/alexch/rerun] uses a fork/exec approach for loading new
+versions of your app.  It work without any changes to application
 code, but may be slower as they have to reload the entire application on every change.
-However, for small apps that load quickly, either may be a good approach.
-
-{Rack::Reloader}[https://github.com/rack/rack/blob/master/lib/rack/reloader.rb] ships
-with rack and just reloads monitored files when they change, without unloading constants.
-It's fast but may cause issues in cases where you remove classes, constants, or methods,
-or when you are not clearing out cached data manually when files are reloaded.
+However, for small apps that load quickly, it may be a good approach.
 
 There is no one reloading solution that is the best for all applications and development
 approaches.  Consider your needs and the tradeoffs of each of the reloading approaches,
-and pick the one you think will work best.
-
-If you are unsure where to start, it may be best to start with rerun or shotgun
-(unless you're running on JRuby or Windows), and only consider other options if rerun or
-shotgun are not fast enough.
+and pick the one you think will work best.  If you are unsure where to start,
+it may be best to start with Zeitwerk, and only consider other options if it does not
+work well for you.
 
 == Plugins
 
@@ -1144,4 +1134,3 @@ MIT
 == Maintainer
 
 Jeremy Evans <code@jeremyevans.net>
-
diff --git a/Rakefile b/Rakefile
@@ -21,7 +21,7 @@ end
 RDOC_OPTS = ["--line-numbers", "--inline-source", '--title', 'Roda: Routing tree web toolkit']
 
 begin
-  gem 'hanna-nouveau'
+  gem 'hanna'
   RDOC_OPTS.concat(['-f', 'hanna'])
 rescue Gem::LoadError
 end
@@ -84,6 +84,7 @@ end
 desc "Run specs with coverage"
 task "spec_cov" do
   spec.call('COVERAGE'=>'< 4')
+  spec.call('COVERAGE'=>'< 3.1')
   spec.call('COVERAGE'=>'< 3')
   spec.call('COVERAGE'=>'< 1.6', 'RODA_RENDER_COMPILED_METHOD_SUPPORT'=>'no')
 end

diff --git a/doc/conventions.rdoc b/doc/conventions.rdoc
@@ -55,7 +55,7 @@ via <tt>irb -r ./models</tt>, without loading the Roda application.
 migrations.
 
 +spec/+ (or +test/+ should contain your specifications/tests.  For a small application, it's recommended
-to a have a single file for your model tests, and a single file for your web/integration tests.
+to have a single file for your model tests, and a single file for your web/integration tests.
 
 +Rakefile+ should contain the rake tasks for the application.  The convention is that the
 default rake task will run all specs/tests related to the application.  If you are using

diff --git a/doc/release_notes/3.66.0.txt b/doc/release_notes/3.66.0.txt
@@ -0,0 +1,23 @@
+= New Features
+
+* A render_coverage plugin has been added, which will cause compiled
+  template code to be saved to a folder and loaded using load instead
+  of eval. This allows for coverage to work for the compiled template
+  code in Ruby versions before 3.2.  It can also allow for verbose
+  syntax warnings in compiled template code (ignored by eval), and
+  can also be useful for static analysis of compiled template code.
+  This plugin requires tilt 2.1+.
+
+* The exception_page plugin now supports exception_page_{css,js}
+  instance methods for overriding the CSS and JavaScript on the
+  generated exception page.
+
+= Other Improvements
+
+* Using inline templates (render/view :inline option) no longer keeps
+  a reference to the Roda instance that caches the template.
+
+= Backwards Compatibility
+
+* The Render::TemplateMtimeWrapper API has changed.  Any external
+  use of this class needs to be updated.
diff --git a/doc/release_notes/3.67.0.txt b/doc/release_notes/3.67.0.txt
@@ -0,0 +1,25 @@
+= New Feature
+
+* A custom_block_results plugin has been added for custom handling
+  of block results.  This allows routing blocks to return
+  arbitrary objects instead of just String, nil, and false, and
+  to have custom handling for them. For example, if you want to
+  be able to have your routing blocks return the status code to use,
+  you could do:
+
+    plugin :custom_block_results
+
+    handle_block_result Integer do |result|
+      response.status_code = result
+    end
+
+    route do |r|
+      200
+    end
+
+  While the expected use of the handle_block_result method is with
+  class arguments, you can use any argument that implements an
+  appropriate === method.
+
+  The symbol_views and json plugins, which support additional block
+  results, now use the custom_block_results plugin internally.
diff --git a/doc/release_notes/3.68.0.txt b/doc/release_notes/3.68.0.txt
@@ -0,0 +1,21 @@
+= New Feature
+
+* Roda.run in the multi_run plugin now accepts blocks, to allow
+  autoloading of apps to dispatch to:
+
+    class App < Roda
+      plugin :multi_run
+
+      run("other_app"){OtherApp}
+
+      route do |r|
+        r.multi_run
+      end
+    end
+
+  With the above example, the block is not evaluated until a
+  request for the /other_app branch is received.  If OtherApp is
+  autoloaded, this can speed up application startup and partial
+  testing. When freezing the application (for production use),
+  the block is eagerly loaded, so that requests to the
+  /other_app branch do not call the block on every request.
diff --git a/doc/release_notes/3.69.0.txt b/doc/release_notes/3.69.0.txt
@@ -0,0 +1,33 @@
+= New Feature
+
+* The symbol_matcher method in the symbol_matchers plugin now
+  supports a block to allow for type conversion of matched
+  segments:
+
+    symbol_matcher(:date, /(\d\d\d\d)-(\d\d)-(\d\d)/) do |y, m, d|
+      [Date.new(y.to_i, m.to_i, d.to_i)]
+    end
+
+    route do |r|
+      r.on :date do |date|
+        # date is an instance of Date
+      end
+    end
+
+  As shown above, the block should return an array of objects to yield
+  to the match block.
+
+  If you have a segment match the passed regexp, but decide during block
+  processing that you do not want to treat it as a match, you can have the
+  block return nil or false.  This is useful if you want to make sure you
+  are using valid data:
+
+    symbol_matcher(:date, /(\d\d\d\d)-(\d\d)-(\d\d)/) do |y, m, d|
+      y = y.to_i
+      m = m.to_i
+      d = d.to_i
+      [Date.new(y, m, d)] if Date.valid_date?(y, m, d)
+    end
+
+  When providing a block when using the symbol_matchers method, that
+  symbol may not work with the params_capturing plugin.
diff --git a/doc/release_notes/3.70.0.txt b/doc/release_notes/3.70.0.txt
@@ -0,0 +1,19 @@
+= New Features
+
+* A plain_hash_response_headers plugin has been added.  On Rack 3,
+  this changes Roda to use a plain hash for response headers (as it
+  does on Rack 2), instead of using Rack::Headers (the default on
+  Rack 3).  For a minimal app, using this plugin can almost double
+  the performance on Rack 3.  Before using this plugin, you should
+  make sure that all response headers set explictly in your
+  application are already lower-case.
+
+= Improvements
+
+* Roda now natively uses lower-case for all response headers set
+  implicitly when using Rack 3.  Previously, Roda used mixed-case
+  response headers and had Rack::Headers handle the conversion to
+  lower-case (Rack 3 requires lower-case response headers). Note
+  that Rack::Headers is still used for response headers by default
+  on Rack 3, as applications may not have converted to using
+  lower-case response headers.