Class: ActiveCanvas::Configuration

Inherits:
Object
Defined in:
lib/active_canvas/configuration.rb

Constant Summary

# Content types that are always removed from the effective upload allowlist
# by #effective_allowed_content_types, even if an initializer adds them to
# `allowed_content_types`. Covers native executables/libraries and anything a
# browser would execute as markup or script.
# NOTE(review): this is a denylist, so it cannot be exhaustive — e.g.
# application/xhtml+xml is also rendered as markup by browsers but is not
# listed; confirm whether it should be.
DANGEROUS_CONTENT_TYPES = [
  "application/x-executable",
  "application/x-sharedlib",
  "application/x-mach-binary",
  "text/html",
  "application/javascript",
  "text/javascript",
  "application/x-httpd-php"
].freeze

Instance Attribute Summary

Instance Method Summary

Constructor Details

#initialize ⇒ Configuration

Returns a new instance of Configuration.



# File 'lib/active_canvas/configuration.rb', line 108

# Builds a Configuration populated with the library defaults.
#
# Nothing here authenticates anything: the host application is expected to set
# `authenticate_admin` (or `admin_parent_controller`) in an initializer, and
# #enforce_authentication! raises in production when that has not been done.
# Size and duration defaults use ActiveSupport numeric extensions
# (`megabytes`, `minutes`, `seconds`), so ActiveSupport must already be loaded.
def initialize
  # --- Authentication: no callbacks and no HTTP Basic credentials ---
  @authenticate_public = @authenticate_admin = nil
  @http_basic_user = @http_basic_password = nil
  @admin_parent_controller = "ActionController::Base"
  @public_parent_controller = "ActionController::Base"
  @current_user_method = :current_user

  # --- CSS framework used by the editor UI ---
  @css_framework = :tailwind

  # --- Media uploads ---
  # The allowlist is a plain (unfrozen) Array so an initializer can append to
  # it. SVG is deliberately absent: it is opt-in via allow_svg_uploads and is
  # merged in by #effective_allowed_content_types.
  @enable_uploads = true
  @max_upload_size = 10.megabytes
  @allowed_content_types = %w[image/jpeg image/png image/gif image/webp image/avif application/pdf]
  @allow_svg_uploads = false
  @storage_service = nil  # nil => Active Storage default service
  @public_uploads = false # false => signed URLs

  # --- Editor features ---
  @editor_blocks = :all
  @enable_ai_features = true
  @enable_code_editor = true
  @enable_asset_manager = true

  # --- Page settings ---
  @autosave_interval = 60     # seconds; 0 disables auto-save
  @max_versions_per_page = 50 # 0 => unlimited

  # --- HTML sanitisation ---
  # Allowlists consulted when sanitize_content is true. Note the defaults
  # admit `iframe`, `form` and the `style`/`allow` attributes; the sanitizer
  # that applies these lists is not in this file, so review them against your
  # own threat model before exposing the editor to untrusted authors.
  @sanitize_content = true
  @allowed_html_tags = %w[
    h1 h2 h3 h4 h5 h6 p div span a img ul ol li table thead tbody tr th td
    section article header footer nav main aside figure figcaption blockquote
    pre code strong em b i u s mark small sub sup br hr
    form input button label select option textarea iframe video audio source
  ]
  @allowed_html_attributes = %w[
    class id style href src alt title target rel width height loading name
    type value placeholder disabled readonly checked selected multiple
    action method enctype controls autoplay loop muted poster
    frameborder allowfullscreen allow
  ]

  # --- AI features ---
  @ai_rate_limit_per_minute = 30
  @ai_stream_timeout = 5.minutes
  @ai_stream_idle_timeout = 30.seconds
  @ai_max_response_size = 1.megabyte
  @max_screenshot_size = 10.megabytes
  # Only these hosts may be fetched from when downloading AI-generated images.
  @allowed_ai_image_hosts = %w[oaidalleapiprodscus.blob.core.windows.net dalleprodsec.blob.core.windows.net]
end

Instance Attribute Details

#admin_parent_controller ⇒ Object

Parent controller class for admin controllers. Set to a string like "Admin::ApplicationController" to inherit that controller's authentication. Example: config.admin_parent_controller = "Admin::ApplicationController"



# File 'lib/active_canvas/configuration.rb', line 22

# @return [String] class name admin controllers inherit from; defaults to
#   "ActionController::Base", which #enforce_authentication! treats as "no
#   authentication inherited".
def admin_parent_controller = @admin_parent_controller

#ai_max_response_size ⇒ Object

Maximum response size for AI streaming



# File 'lib/active_canvas/configuration.rb', line 89

# @return [Integer] upper bound in bytes on an AI streaming response
#   (default 1.megabyte).
def ai_max_response_size = @ai_max_response_size

#ai_rate_limit_per_minute ⇒ Object

> AI Security

Rate limit for AI requests (per minute per IP)



# File 'lib/active_canvas/configuration.rb', line 80

# @return [Integer] AI requests permitted per minute per client IP
#   (default 30).
def ai_rate_limit_per_minute = @ai_rate_limit_per_minute

#ai_stream_idle_timeout ⇒ Object

Idle timeout for AI streaming (no data received)



# File 'lib/active_canvas/configuration.rb', line 86

# @return [Object] how long an AI stream may deliver no data before it is
#   abandoned (default 30.seconds).
def ai_stream_idle_timeout = @ai_stream_idle_timeout

#ai_stream_timeout ⇒ Object

Maximum stream timeout for AI chat



# File 'lib/active_canvas/configuration.rb', line 83

# @return [Object] overall time limit for one AI chat stream
#   (default 5.minutes).
def ai_stream_timeout = @ai_stream_timeout

#allow_svg_uploads ⇒ Object

Allow SVG uploads (disabled by default due to XSS risks)



# File 'lib/active_canvas/configuration.rb', line 44

# @return [Boolean] whether "image/svg+xml" is added to the effective upload
#   allowlist. Off by default because SVG documents can carry script (XSS).
def allow_svg_uploads = @allow_svg_uploads

#allowed_ai_image_hosts ⇒ Object

Allowed hosts for AI-generated image downloads



# File 'lib/active_canvas/configuration.rb', line 95

# @return [Array<String>] hostnames from which AI-generated images may be
#   downloaded; anything else should be refused by the downloader.
def allowed_ai_image_hosts = @allowed_ai_image_hosts

#allowed_content_types ⇒ Object

Allowed MIME types for uploads



# File 'lib/active_canvas/configuration.rb', line 41

# @return [Array<String>] MIME types accepted for uploads as configured.
#   Consumers should use #effective_allowed_content_types, which strips
#   DANGEROUS_CONTENT_TYPES and adds SVG when enabled.
def allowed_content_types = @allowed_content_types

#allowed_html_attributes ⇒ Object

Allowed HTML attributes (when sanitize_content is true)



# File 'lib/active_canvas/configuration.rb', line 76

# @return [Array<String>] HTML attributes retained by sanitisation when
#   sanitize_content is true.
def allowed_html_attributes = @allowed_html_attributes

#allowed_html_tags ⇒ Object

Allowed HTML tags (when sanitize_content is true)



# File 'lib/active_canvas/configuration.rb', line 73

# @return [Array<String>] HTML tags retained by sanitisation when
#   sanitize_content is true.
def allowed_html_tags = @allowed_html_tags

#authenticate_admin ⇒ Object

Authentication callback for admin pages. Set to a proc/lambda or to a method-name symbol. Example: config.authenticate_admin = :authenticate_admin_user! Example: config.authenticate_admin = -> { redirect_to login_path unless current_user&.admin? }



# File 'lib/active_canvas/configuration.rb', line 13

# @return [Proc, Symbol, nil] admin authentication callback or method name;
#   nil (the default) means no admin authentication, which
#   #enforce_authentication! rejects in production.
def authenticate_admin = @authenticate_admin

#authenticate_public ⇒ Object

> Authentication

Authentication callback for public pages. Set to a proc/lambda that will be run as a before_action. Example: config.authenticate_public = -> { redirect_to login_path unless current_user }



# File 'lib/active_canvas/configuration.rb', line 7

# @return [Proc, nil] callback run as a before_action on public pages;
#   nil (the default) leaves public pages unauthenticated.
def authenticate_public = @authenticate_public

#autosave_interval ⇒ Object

> Page Settings

Auto-save interval in seconds (0 = disabled)



# File 'lib/active_canvas/configuration.rb', line 63

# @return [Integer] seconds between editor auto-saves; 0 disables
#   (default 60).
def autosave_interval = @autosave_interval

#css_framework ⇒ Object

> CSS Framework

Default CSS framework: :tailwind, :bootstrap5, or :none. Can be overridden in admin settings.



# File 'lib/active_canvas/configuration.rb', line 31

# @return [Symbol] :tailwind (default), :bootstrap5 or :none.
def css_framework = @css_framework

#current_user_method ⇒ Object

Current user method name (used by AI features, version tracking, etc.)



# File 'lib/active_canvas/configuration.rb', line 26

# @return [Symbol] name of the host app's current-user method, used by AI
#   features and version tracking (default :current_user).
def current_user_method = @current_user_method

#editor_blocks ⇒ Object

> Editor Settings

Default blocks available in the editor



# File 'lib/active_canvas/configuration.rb', line 54

# @return [Symbol, Object] blocks offered by the editor (default :all).
def editor_blocks = @editor_blocks

#enable_ai_features ⇒ Object

Enable/disable specific editor features



# File 'lib/active_canvas/configuration.rb', line 57

# @return [Boolean] whether AI editor features are on (default true);
#   #ai_available? reports the same flag.
def enable_ai_features = @enable_ai_features

#enable_asset_manager ⇒ Object

Returns the value of attribute enable_asset_manager.



# File 'lib/active_canvas/configuration.rb', line 59

# @return [Boolean] whether the asset manager is enabled (default true).
def enable_asset_manager = @enable_asset_manager

#enable_code_editor ⇒ Object

Returns the value of attribute enable_code_editor.



# File 'lib/active_canvas/configuration.rb', line 58

# @return [Boolean] whether the code editor is enabled (default true).
def enable_code_editor = @enable_code_editor

#enable_uploads ⇒ Object

> Media Uploads

Enable/disable file uploads



# File 'lib/active_canvas/configuration.rb', line 35

# @return [Boolean] whether file uploads are accepted at all (default true).
def enable_uploads = @enable_uploads

#http_basic_password ⇒ Object

Returns the value of attribute http_basic_password.



# File 'lib/active_canvas/configuration.rb', line 17

# @return [String, nil] HTTP Basic password used when authenticate_admin is
#   :http_basic_auth; nil by default. Source it from Rails credentials rather
#   than a literal in the initializer.
def http_basic_password = @http_basic_password

#http_basic_user ⇒ Object

HTTP Basic Auth credentials (used when authenticate_admin = :http_basic_auth)



# File 'lib/active_canvas/configuration.rb', line 16

# @return [String, nil] HTTP Basic username used when authenticate_admin is
#   :http_basic_auth; nil by default.
def http_basic_user = @http_basic_user

#max_screenshot_size ⇒ Object

Maximum screenshot size (base64 encoded)



# File 'lib/active_canvas/configuration.rb', line 92

# @return [Integer] upper bound in bytes on a base64-encoded screenshot
#   (default 10.megabytes).
def max_screenshot_size = @max_screenshot_size

#max_upload_size ⇒ Object

Maximum upload size in bytes



# File 'lib/active_canvas/configuration.rb', line 38

# @return [Integer] maximum upload size in bytes (default 10.megabytes).
def max_upload_size = @max_upload_size

#max_versions_per_page ⇒ Object

Maximum versions to keep per page (0 = unlimited)



# File 'lib/active_canvas/configuration.rb', line 66

# @return [Integer] versions retained per page; 0 means unlimited
#   (default 50).
def max_versions_per_page = @max_versions_per_page

#public_parent_controller ⇒ Object

Returns the value of attribute public_parent_controller.



# File 'lib/active_canvas/configuration.rb', line 23

# @return [String] class name public controllers inherit from
#   (default "ActionController::Base").
def public_parent_controller = @public_parent_controller

#public_uploads ⇒ Object

Make uploads publicly accessible (false = use signed URLs)



# File 'lib/active_canvas/configuration.rb', line 50

# @return [Boolean] true serves uploads publicly; false (default) uses
#   signed URLs.
def public_uploads = @public_uploads

#sanitize_content ⇒ Object

> Security

Sanitize HTML content on save



# File 'lib/active_canvas/configuration.rb', line 70

# @return [Boolean] whether HTML content is sanitised on save using the
#   allowed_html_tags / allowed_html_attributes lists (default true).
def sanitize_content = @sanitize_content

#storage_service ⇒ Object

Active Storage service name (nil = default service)



# File 'lib/active_canvas/configuration.rb', line 47

# @return [String, Symbol, nil] Active Storage service name; nil (default)
#   selects the application's default service.
def storage_service = @storage_service

Instance Method Details

#ai_available? ⇒ Boolean

Helper to check if AI features are enabled

Returns:

  • (Boolean)


# File 'lib/active_canvas/configuration.rb', line 223

# Reports whether AI features are enabled.
#
# @return [Boolean, nil] the raw enable_ai_features flag (nil if never set)
def ai_available? = @enable_ai_features

#effective_allowed_content_types ⇒ Object

Get effective allowed content types (includes SVG if enabled, excludes dangerous types)



# File 'lib/active_canvas/configuration.rb', line 180

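# Computes the upload allowlist actually enforced: the configured
# allowed_content_types, plus "image/svg+xml" when allow_svg_uploads is on,
# minus everything in DANGEROUS_CONTENT_TYPES.
#
# The denylist comparison is case-insensitive and ignores surrounding
# whitespace (MIME type names are case-insensitive), so a configured
# "TEXT/HTML" cannot slip past the denylist; configured strings that survive
# are returned unchanged. A nil allowed_content_types is treated as empty.
#
# @return [Array<String>] a new Array; the configured list is not mutated
def effective_allowed_content_types
  types = Array(allowed_content_types).dup
  types << "image/svg+xml" if allow_svg_uploads
  types.reject { |type| DANGEROUS_CONTENT_TYPES.include?(type.to_s.strip.downcase) }
end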

#enforce_authentication! ⇒ Object

Check if authentication is properly configured for production

Raises:

  • (SecurityError)


# File 'lib/active_canvas/configuration.rb', line 187

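# Fails fast in production when the admin interface would be reachable
# without authentication.
#
# The check is skipped outside Rails and outside the production environment.
# It passes when an admin authentication callback is set, or when
# admin_parent_controller has been changed from the default
# "ActionController::Base" (taken as a sign that the parent controller
# provides authentication). Selecting :http_basic_auth without both
# credentials is rejected as well, since the symbol alone would otherwise
# satisfy the `present?` test.
#
# @return [nil] when the check is skipped or passes
# @raise [SecurityError] when no admin authentication is configured, or when
#   :http_basic_auth is selected but http_basic_user / http_basic_password
#   are not both present
def enforce_authentication!
  return unless defined?(Rails) && Rails.env.production?

  if authenticate_admin == :http_basic_auth && !http_basic_auth_configured?
    raise SecurityError, <<~MSG
      [ActiveCanvas] authenticate_admin is :http_basic_auth, but http_basic_user and http_basic_password are not both set.

      Configure both in your initializer, e.g.:

        config.http_basic_user = "admin"
        config.http_basic_password = Rails.application.credentials.active_canvas_password
    MSG
  end

  return if authenticate_admin.present?
  return if admin_parent_controller != "ActionController::Base"

  raise SecurityError, <<~MSG
    [ActiveCanvas] Admin authentication is not configured!

    Your admin interface is currently open to anyone. Configure authentication in your initializer:

    ActiveCanvas.configure do |config|
      # Option 1: Use your app's authentication method (recommended)
      config.authenticate_admin = :authenticate_user!

      # Option 2: Inherit from your admin base controller
      config.admin_parent_controller = "Admin::ApplicationController"

      # Option 3: Use HTTP Basic Auth
      config.authenticate_admin = :http_basic_auth
      config.http_basic_user = "admin"
      config.http_basic_password = Rails.application.credentials.active_canvas_password
    end

    For development, you can use HTTP Basic Auth with default credentials,
    but ALWAYS configure proper authentication for production.
  MSG
end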

#http_basic_auth_configured? ⇒ Boolean

Check if HTTP Basic Auth is configured

Returns:

  • (Boolean)


# File 'lib/active_canvas/configuration.rb', line 216

# True only when HTTP Basic Auth is the selected admin strategy *and* both
# credentials are non-blank (`present?` rejects nil and empty strings).
#
# @return [Boolean]
def http_basic_auth_configured?
  return false unless authenticate_admin == :http_basic_auth

  [http_basic_user, http_basic_password].all?(&:present?)
end

#tailwind_compilation_available? ⇒ Boolean

Helper to check if Tailwind compilation is available

Returns:

  • (Boolean)


# File 'lib/active_canvas/configuration.rb', line 228

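# Reports whether Tailwind compilation can be used: the configured framework
# is :tailwind and the Tailwindcss::Ruby constant is loaded.
#
# Returns a strict Boolean (the documented contract); previously the
# `defined?` result ("constant"/nil) leaked through as the return value.
#
# @return [Boolean]
def tailwind_compilation_available?
  @css_framework == :tailwind && !defined?(Tailwindcss::Ruby).nil?
end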