diff --git a/README.md b/README.md index dbd0b95a..b77e9bb8 100644 --- a/README.md +++ b/README.md @@ -77,7 +77,11 @@ - [Prevent Controller Action](#prevent-controller-action) - [Broadcasting Turbo Streams](#broadcasting-turbo-streams) - [State](#state) - - [Ephemeral Page State](#ephemeral-page-state) + - [Server Side State](#server-side-state) + - [Optimistic Client Side State](#optimistic-client-side-state) + - [Data Binding](#data-binding) + - [State Resolution](#state-resolution) + - [Page State](#page-state) - [Community](#community) - [Developing](#developing) - [Notable Files](#notable-files) @@ -206,7 +210,7 @@ TurboBoost::Commands.config.tap do |config| # opt-[in/out] of precompiling TurboBoost assets (*true, false) config.precompile_assets = true - # opt-[in/out] of forgery protection (true, *false) + # opt-[in/out] of forgery protection (*true, false) config.protect_from_forgery = true # opt-[in/out] of raising an error when an invalid command is invoked (true, false, *"development", "test", "production") @@ -214,6 +218,9 @@ TurboBoost::Commands.config.tap do |config| # opt-[in/out] of state resolution (true, *false) config.resolve_state = true + + # opt-[in/out] of verifying the client browser (*true, false) + config.verify_client = true end ``` @@ -529,9 +536,23 @@ _Learn more about Turbo Stream broadcasting by reading through the ## State -TODO: Document state tracking +### Server Side State + +TODO + +### Optimistic Client Side State + +TODO + +### Data Binding + +TODO + +### State Resolution + +TODO -### Ephemeral Page State +### Page State You can opt-in to remember transient page state when using Rails tag helpers with `turbo_boost[:remember]` to track element attribute values between requests. diff --git a/lib/turbo_boost/commands/engine.rb b/lib/turbo_boost/commands/engine.rb index 4a2713cc..9f01c3db 100644 --- a/lib/turbo_boost/commands/engine.rb +++ b/lib/turbo_boost/commands/engine.rb @@ -25,9 +25,10 @@ class Engine < ::Rails::Engine config.turbo_boost_commands[:alert_on_abort] = false # (true, false, "development", "test", "production") config.turbo_boost_commands[:alert_on_error] = false # (true, false, "development", "test", "production") config.turbo_boost_commands[:precompile_assets] = true # (true, false) - config.turbo_boost_commands[:protect_from_forgery] = false # (true, false) TODO: Support override in Commands + config.turbo_boost_commands[:protect_from_forgery] = true # (true, false) config.turbo_boost_commands[:raise_on_invalid_command] = "development" # (true, false, "development", "test", "production") config.turbo_boost_commands[:resolve_state] = false # (true, false) + config.turbo_boost_commands[:verify_client] = true # (true, false) initializer "turbo_boost_commands.configuration", before: :build_middleware_stack do |app| Mime::Type.register "text/vnd.turbo-boost.html", :turbo_boost diff --git a/lib/turbo_boost/commands/middlewares/entry_middleware.rb b/lib/turbo_boost/commands/middlewares/entry_middleware.rb index c0e697ee..b3ce3a46 100644 --- a/lib/turbo_boost/commands/middlewares/entry_middleware.rb +++ b/lib/turbo_boost/commands/middlewares/entry_middleware.rb @@ -33,6 +33,7 @@ def mime_type # @param request [Rack::Request] the request to check # @return [Boolean] def trusted_client?(request) + return true unless TurboBoost::Commands.config.verify_client client = DeviceDetector.new(request.env["HTTP_USER_AGENT"]) return false unless client.known? return false if client.bot? diff --git a/test/dummy/config/initializers/turbo_boost.rb b/test/dummy/config/initializers/turbo_boost.rb index d701a4d1..2dba6c9a 100644 --- a/test/dummy/config/initializers/turbo_boost.rb +++ b/test/dummy/config/initializers/turbo_boost.rb @@ -13,9 +13,10 @@ # - alert_on_abort, opt-(in/out) of alerting on abort (true, *false, "development", "test", "production") # - alert_on_error, opt-(in/out) of alerting on error (true, *false, "development", "test", "production") # - precompile_assets, opt-(in/out) of precompiling assets (*true, false) -# - protect_from_forgery, opt-(in/out) of forgery protection (true, *false) +# - protect_from_forgery, opt-(in/out) of forgery protection (*true, false) # - raise_on_invalid_command, opt-(in/out) of raising an error if invalid command requested (true, false, *"development", "test", "production") # - resolve_state, opt-(in/out) of state resolution (true, *false) +# - verify_client, opt-(in/out) of verifying the client browser (*true, false) # TurboBoost::Commands.config.tap do |config| config.alert_on_abort = "development" @@ -24,4 +25,5 @@ config.protect_from_forgery = true config.raise_on_invalid_command = "development" config.resolve_state = false + config.verify_client = true end