require './roda_app'
require './models'
require './mailer'
require './jobs'
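# Application entry point: wires the Roda plugins (sessions, CSRF, CSP and
# security headers, assets, error handling), loads the per-resource route
# files from ./routes, and runs the per-request pipeline: CSRF check,
# current-user lookup, then hash routing.
class App < RodaApp
  # PLUGINS
  plugin :flash
  # escape: true makes <%= %> HTML-escape by default; raw output needs <%== %>.
  plugin :render, escape: true, layout: './layout'
  # Cookie sessions keyed from SESSION_SECRET. ENV.fetch raises at boot when
  # the variable is unset, so a missing secret can never silently fall back
  # to a default.
  # NOTE(review): only max_age is set here; confirm the sessions plugin's
  # httponly / same_site defaults still apply and that the cookie is marked
  # Secure when served over TLS, or set those options explicitly.
  plugin :sessions, secret: ENV.fetch('SESSION_SECRET'), cookie_options: { max_age: 86_400 * 30 }
  plugin :route_csrf
  plugin :slash_path_empty
  plugin :disallow_file_uploads # use direct uploads from client instead
  plugin :precompile_templates
  plugin :forme_route_csrf
  plugin :partials
  plugin :assets, {
    css: %w[
      colors.css
      typography.css
      layout.css
      ui.css
      reset.css
      app.css
    ],
    js: [],
    gzip: true
  }
  plugin :not_found do
    view '404'
  end
  # Security headers attached to every response.
  # NOTE(review): HSTS max-age is ~186 days; preload lists require >= 1 year.
  # X-XSS-Protection is a legacy header — current guidance is to send '0' or
  # drop it, since the auditor it enables is gone from modern browsers and was
  # a side-channel in older ones. Values left unchanged here.
  plugin :default_headers,
         'Content-Type' => 'text/html',
         'Strict-Transport-Security' => 'max-age=16070400;',
         'X-Content-Type-Options' => 'nosniff',
         'X-Frame-Options' => 'deny',
         'X-XSS-Protection' => '1; mode=block'
  # Strict CSP: deny by default, allow same-origin only per resource type.
  # Inline scripts and styles are therefore blocked; frame_ancestors :none
  # backs up the X-Frame-Options header above.
  plugin :content_security_policy do |csp|
    csp.default_src :none
    csp.style_src :self
    csp.script_src :self
    csp.connect_src :self
    csp.img_src :self
    csp.font_src :self
    csp.form_action :self
    csp.base_uri :none
    csp.frame_ancestors :none
    csp.block_all_mixed_content
  end

  if development?
    # Detailed exception pages only in development; their assets ride on the
    # same `assets` route so nothing extra is exposed in production.
    plugin :exception_page
    class RodaRequest
      def assets
        exception_page_assets
        super
      end
    end
  end

  plugin :error_handler do |e|
    case e
    when Roda::RodaPlugins::RouteCsrf::InvalidToken
      @page_title = 'Invalid Security Token'
      response.status = 400
      view(content: '<p>An invalid security token was submitted with this request, and this request could not be processed.</p>')
    when Sequel::NoMatchingRow
      # A lookup for a missing record is a plain 404, not an application error.
      response.status = 404
      halt
    else
      $stderr.print "#{e.class}: #{e.message}\n"
      # puts writes one frame per line; print would dump the Array#inspect
      # form of the backtrace onto a single line.
      $stderr.puts e.backtrace
      next exception_page(e, assets: true) if development?
      # Outside development the client only sees a blank 500 page — no
      # exception class, message or backtrace leaks.
      @page_title = 'Internal Server Error'
      view(content: '')
    end
  end

  compile_assets unless development?

  # don't call r. everywhere
  request_delegate :root, :on, :is, :get, :post, :redirect, :params, :halt, :hash_routes, :assets

  # Load route files in a deterministic order (Dir[] is only sorted on
  # Ruby >= 3.0), so method-definition precedence does not depend on the
  # filesystem.
  Dir[File.join(__dir__, "routes", "*.rb")].sort.each do |file|
    require file
  end

  # Halts the request with an empty 404 unless a user is signed in
  # (@current_user is set in the route block below). Defined once here rather
  # than inside the route block, where `def` re-created the method on every
  # request.
  def current_user!
    return if @current_user
    response.status = 404
    halt
  end

  route do
    assets if development?
    # CSRF is verified before anything else touches the request.
    check_csrf!
    # Skip the database round-trip entirely when the session carries no user
    # id; the original query for id IS NULL could only ever return nil.
    user_id = session['user_id']
    @current_user = user_id.nil? ? nil : User.first(id: user_id)
    hash_routes
  end
end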