Class: ActiveCanvas::Configuration
Inherits: Object
Defined in: lib/active_canvas/configuration.rb
Constant Summary
- DANGEROUS_CONTENT_TYPES: dangerous content types that are always blocked.
  %w[ application/x-executable application/x-sharedlib application/x-mach-binary text/html application/javascript text/javascript application/x-httpd-php ].freeze
Instance Attribute Summary
- #admin_parent_controller ⇒ Object: Parent controller class for admin controllers. Set to a string like "Admin::ApplicationController" to inherit authentication. Example: config.admin_parent_controller = "Admin::ApplicationController"
- #ai_max_response_size ⇒ Object: Maximum response size for AI streaming.
- #ai_rate_limit_per_minute ⇒ Object: (AI Security) Rate limit for AI requests (per minute per IP).
- #ai_stream_idle_timeout ⇒ Object: Idle timeout for AI streaming (no data received).
- #ai_stream_timeout ⇒ Object: Maximum stream timeout for AI chat.
- #allow_svg_uploads ⇒ Object: Allow SVG uploads (disabled by default due to XSS risks).
- #allowed_ai_image_hosts ⇒ Object: Allowed hosts for AI-generated image downloads.
- #allowed_content_types ⇒ Object: Allowed MIME types for uploads.
- #allowed_html_attributes ⇒ Object: Allowed HTML attributes (when sanitize_content is true).
- #allowed_html_tags ⇒ Object: Allowed HTML tags (when sanitize_content is true).
- #authenticate_admin ⇒ Object: Authentication callback for admin pages. Set to a proc/lambda or a method name symbol. Examples: config.authenticate_admin = :authenticate_admin_user! or config.authenticate_admin = -> { redirect_to login_path unless current_user&.admin? }
- #authenticate_public ⇒ Object: (Authentication) Authentication callback for public pages. Set to a proc/lambda that will be called as a before_action. Example: config.authenticate_public = -> { redirect_to login_path unless current_user }
- #autosave_interval ⇒ Object: (Page Settings) Auto-save interval in seconds (0 = disabled).
- #css_framework ⇒ Object: (CSS Framework) Default CSS framework: :tailwind, :bootstrap5, :none. Can be overridden in admin settings.
- #current_user_method ⇒ Object: Current user method name (used by AI features, version tracking, etc.).
- #editor_blocks ⇒ Object: (Editor Settings) Default blocks available in the editor.
- #enable_ai_features ⇒ Object: Enable/disable specific editor features.
- #enable_asset_manager ⇒ Object: Returns the value of attribute enable_asset_manager.
- #enable_code_editor ⇒ Object: Returns the value of attribute enable_code_editor.
- #enable_uploads ⇒ Object: (Media Uploads) Enable/disable file uploads.
- #http_basic_password ⇒ Object: Returns the value of attribute http_basic_password.
- #http_basic_user ⇒ Object: HTTP Basic Auth credentials (used when authenticate_admin = :http_basic_auth).
- #max_screenshot_size ⇒ Object: Maximum screenshot size (base64 encoded).
- #max_upload_size ⇒ Object: Maximum upload size in bytes.
- #max_versions_per_page ⇒ Object: Maximum versions to keep per page (0 = unlimited).
- #public_parent_controller ⇒ Object: Returns the value of attribute public_parent_controller.
- #public_uploads ⇒ Object: Make uploads publicly accessible (false = signed, expiring URLs).
- #sanitize_content ⇒ Object: (Security) Sanitize HTML content on save.
- #storage_service ⇒ Object: Active Storage service name (nil = default service).
Instance Method Summary
- #ai_available? ⇒ Boolean: Helper to check if AI features are enabled.
- #effective_allowed_content_types ⇒ Object: Get effective allowed content types (includes SVG if enabled, excludes dangerous types).
- #enforce_authentication! ⇒ Object: Check if authentication is properly configured for production.
- #http_basic_auth_configured? ⇒ Boolean: Check if HTTP Basic Auth is configured.
- #initialize ⇒ Configuration (constructor): A new instance of Configuration.
- #tailwind_compilation_available? ⇒ Boolean: Helper to check if Tailwind compilation is available.
Constructor Details

#initialize ⇒ Configuration
Returns a new instance of Configuration.

# File 'lib/active_canvas/configuration.rb', line 120
def initialize
  # Authentication - open by default (configure in initializer!)
  @authenticate_public = nil
  @authenticate_admin = nil
  @http_basic_user = nil
  @http_basic_password = nil
  @admin_parent_controller = "ActionController::Base"
  @public_parent_controller = "ActionController::Base"
  @current_user_method = :current_user

  # CSS Framework
  @css_framework = :tailwind

  # Media Uploads
  @enable_uploads = true
  @max_upload_size = 10.megabytes
  @allowed_content_types = %w[
    image/jpeg image/png image/gif image/webp image/avif application/pdf
  ]
  @allow_svg_uploads = false
  @storage_service = nil
  @public_uploads = false

  # Editor Settings
  @editor_blocks = :all
  @enable_ai_features = true
  @enable_code_editor = true
  @enable_asset_manager = true

  # Page Settings
  @autosave_interval = 60
  @max_versions_per_page = 50

  # Security
  @sanitize_content = true
  @allowed_html_tags = %w[
    h1 h2 h3 h4 h5 h6 p div span a img ul ol li table thead tbody tr th td
    section article header footer nav main aside figure figcaption blockquote
    pre code strong em b i u s mark small sub sup br hr
    form input button label select option textarea iframe video audio source
  ]
  @allowed_html_attributes = %w[
    class id style href src alt title target rel width height loading
    name type value placeholder disabled readonly checked selected multiple
    action method enctype controls autoplay loop muted poster
    frameborder allowfullscreen allow
  ]

  # AI Security
  @ai_rate_limit_per_minute = 30
  @ai_stream_timeout = 5.minutes
  @ai_stream_idle_timeout = 30.seconds
  @ai_max_response_size = 1.megabyte
  @max_screenshot_size = 10.megabytes
  @allowed_ai_image_hosts = %w[
    oaidalleapiprodscus.blob.core.windows.net
    dalleprodsec.blob.core.windows.net
  ]
end
Instance Attribute Details

#admin_parent_controller ⇒ Object
Parent controller class for admin controllers. Set to a string like "Admin::ApplicationController" to inherit authentication. Example: config.admin_parent_controller = "Admin::ApplicationController"

# File 'lib/active_canvas/configuration.rb', line 22
def admin_parent_controller
  @admin_parent_controller
end

#ai_max_response_size ⇒ Object
Maximum response size for AI streaming

# File 'lib/active_canvas/configuration.rb', line 101
def ai_max_response_size
  @ai_max_response_size
end

#ai_rate_limit_per_minute ⇒ Object
> AI Security
Rate limit for AI requests (per minute per IP)

# File 'lib/active_canvas/configuration.rb', line 92
def ai_rate_limit_per_minute
  @ai_rate_limit_per_minute
end

#ai_stream_idle_timeout ⇒ Object
Idle timeout for AI streaming (no data received)

# File 'lib/active_canvas/configuration.rb', line 98
def ai_stream_idle_timeout
  @ai_stream_idle_timeout
end

#ai_stream_timeout ⇒ Object
Maximum stream timeout for AI chat

# File 'lib/active_canvas/configuration.rb', line 95
def ai_stream_timeout
  @ai_stream_timeout
end

#allow_svg_uploads ⇒ Object
Allow SVG uploads (disabled by default due to XSS risks). SECURITY: SVGs can contain <script>/onload. ActiveCanvas serves uploaded SVGs with Content-Disposition: attachment on the signed-URL path to prevent top-level execution. NOTE: this disposition is NOT applied when public_uploads is true and the storage service is public (the file is served inline from the public bucket/origin). If you enable SVG uploads, prefer serving uploads from a SEPARATE origin/bucket, especially with public_uploads.

# File 'lib/active_canvas/configuration.rb', line 50
def allow_svg_uploads
  @allow_svg_uploads
end

#allowed_ai_image_hosts ⇒ Object
Allowed hosts for AI-generated image downloads

# File 'lib/active_canvas/configuration.rb', line 107
def allowed_ai_image_hosts
  @allowed_ai_image_hosts
end

#allowed_content_types ⇒ Object
Allowed MIME types for uploads

# File 'lib/active_canvas/configuration.rb', line 41
def allowed_content_types
  @allowed_content_types
end

#allowed_html_attributes ⇒ Object
Allowed HTML attributes (when sanitize_content is true)

# File 'lib/active_canvas/configuration.rb', line 88
def allowed_html_attributes
  @allowed_html_attributes
end

#allowed_html_tags ⇒ Object
Allowed HTML tags (when sanitize_content is true)

# File 'lib/active_canvas/configuration.rb', line 85
def allowed_html_tags
  @allowed_html_tags
end
#authenticate_admin ⇒ Object
Authentication callback for admin pages. Set to a proc/lambda or a method name symbol. Examples: config.authenticate_admin = :authenticate_admin_user! or config.authenticate_admin = -> { redirect_to login_path unless current_user&.admin? }

# File 'lib/active_canvas/configuration.rb', line 13
def authenticate_admin
  @authenticate_admin
end

#authenticate_public ⇒ Object
> Authentication
Authentication callback for public pages. Set to a proc/lambda that will be called as a before_action. Example: config.authenticate_public = -> { redirect_to login_path unless current_user }

# File 'lib/active_canvas/configuration.rb', line 7
def authenticate_public
  @authenticate_public
end

#autosave_interval ⇒ Object
> Page Settings
Auto-save interval in seconds (0 = disabled)

# File 'lib/active_canvas/configuration.rb', line 75
def autosave_interval
  @autosave_interval
end

#css_framework ⇒ Object
> CSS Framework
Default CSS framework: :tailwind, :bootstrap5, :none. Can be overridden in admin settings.

# File 'lib/active_canvas/configuration.rb', line 31
def css_framework
  @css_framework
end

#current_user_method ⇒ Object
Current user method name (used by AI features, version tracking, etc.)

# File 'lib/active_canvas/configuration.rb', line 26
def current_user_method
  @current_user_method
end

#editor_blocks ⇒ Object
> Editor Settings
Default blocks available in the editor

# File 'lib/active_canvas/configuration.rb', line 66
def editor_blocks
  @editor_blocks
end

#enable_ai_features ⇒ Object
Enable/disable specific editor features

# File 'lib/active_canvas/configuration.rb', line 69
def enable_ai_features
  @enable_ai_features
end

#enable_asset_manager ⇒ Object
Returns the value of attribute enable_asset_manager.

# File 'lib/active_canvas/configuration.rb', line 71
def enable_asset_manager
  @enable_asset_manager
end

#enable_code_editor ⇒ Object
Returns the value of attribute enable_code_editor.

# File 'lib/active_canvas/configuration.rb', line 70
def enable_code_editor
  @enable_code_editor
end

#enable_uploads ⇒ Object
> Media Uploads
Enable/disable file uploads

# File 'lib/active_canvas/configuration.rb', line 35
def enable_uploads
  @enable_uploads
end

#http_basic_password ⇒ Object
Returns the value of attribute http_basic_password.

# File 'lib/active_canvas/configuration.rb', line 17
def http_basic_password
  @http_basic_password
end

#http_basic_user ⇒ Object
HTTP Basic Auth credentials (used when authenticate_admin = :http_basic_auth)

# File 'lib/active_canvas/configuration.rb', line 16
def http_basic_user
  @http_basic_user
end

#max_screenshot_size ⇒ Object
Maximum screenshot size (base64 encoded)

# File 'lib/active_canvas/configuration.rb', line 104
def max_screenshot_size
  @max_screenshot_size
end

#max_upload_size ⇒ Object
Maximum upload size in bytes

# File 'lib/active_canvas/configuration.rb', line 38
def max_upload_size
  @max_upload_size
end

#max_versions_per_page ⇒ Object
Maximum versions to keep per page (0 = unlimited)

# File 'lib/active_canvas/configuration.rb', line 78
def max_versions_per_page
  @max_versions_per_page
end

#public_parent_controller ⇒ Object
Returns the value of attribute public_parent_controller.

# File 'lib/active_canvas/configuration.rb', line 23
def public_parent_controller
  @public_parent_controller
end

#public_uploads ⇒ Object
Make uploads publicly accessible (false = signed, expiring URLs). NOTE: this only takes effect when the Active Storage service is ALSO declared `public: true` in config/storage.yml. For S3, make the bucket public via a BUCKET POLICY (per-object ACLs are ignored on modern buckets with Object Ownership = Bucket owner enforced / Block Public Access). For a public Disk service outside a request, set Rails.application.routes.default_url_options.

# File 'lib/active_canvas/configuration.rb', line 62
def public_uploads
  @public_uploads
end
#sanitize_content ⇒ Object
> Security
Sanitize HTML content on save

# File 'lib/active_canvas/configuration.rb', line 82
def sanitize_content
  @sanitize_content
end

#storage_service ⇒ Object
Active Storage service name (nil = default service)

# File 'lib/active_canvas/configuration.rb', line 53
def storage_service
  @storage_service
end
Instance Method Details

#ai_available? ⇒ Boolean
Helper to check if AI features are enabled

# File 'lib/active_canvas/configuration.rb', line 235
def ai_available?
  @enable_ai_features
end

#effective_allowed_content_types ⇒ Object
Get effective allowed content types (includes SVG if enabled, excludes dangerous types)

# File 'lib/active_canvas/configuration.rb', line 192
def effective_allowed_content_types
  types = allowed_content_types.dup
  types << "image/svg+xml" if allow_svg_uploads
  (types - DANGEROUS_CONTENT_TYPES).uniq
end

#enforce_authentication! ⇒ Object
Check if authentication is properly configured for production

# File 'lib/active_canvas/configuration.rb', line 199
def enforce_authentication!
  return unless defined?(Rails) && Rails.env.production?
  return if authenticate_admin.present?
  return if admin_parent_controller != "ActionController::Base"

  raise SecurityError, <<~MSG
    [ActiveCanvas] Admin authentication is not configured!

    Your admin interface is currently open to anyone.
    Configure authentication in your initializer:

      ActiveCanvas.configure do |config|
        # Option 1: Use your app's authentication method (recommended)
        config.authenticate_admin = :authenticate_user!

        # Option 2: Inherit from your admin base controller
        config.admin_parent_controller = "Admin::ApplicationController"

        # Option 3: Use HTTP Basic Auth
        config.authenticate_admin = :http_basic_auth
        config.http_basic_user = "admin"
        config.http_basic_password = Rails.application.credentials.active_canvas_password
      end

    For development, you can use HTTP Basic Auth with default credentials,
    but ALWAYS configure proper authentication for production.
  MSG
end

#http_basic_auth_configured? ⇒ Boolean
Check if HTTP Basic Auth is configured

# File 'lib/active_canvas/configuration.rb', line 228
def http_basic_auth_configured?
  authenticate_admin == :http_basic_auth &&
    http_basic_user.present? &&
    http_basic_password.present?
end
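As an added example (not code from the ActiveCanvas gem), the following stand-alone Ruby script replays the checks documented for #effective_allowed_content_types, #enforce_authentication! and #http_basic_auth_configured?, plus the SVG/public_uploads caveat from #allow_svg_uploads, over two constructed configurations. Settings, effective_types and audit are assumed names standing in for the real Configuration class, which is not loaded here.

```ruby
# Added example, not ActiveCanvas code: audits a Configuration-like object
# against the rules this page documents. Settings is a constructed stand-in
# for ActiveCanvas::Configuration (plain Ruby, no Rails or ActiveSupport).
DANGEROUS_CONTENT_TYPES = %w[application/x-executable application/x-sharedlib application/x-mach-binary
                             text/html application/javascript text/javascript application/x-httpd-php].freeze

Settings = Struct.new(:authenticate_admin, :admin_parent_controller, :http_basic_user,
                      :http_basic_password, :allowed_content_types, :allow_svg_uploads,
                      :public_uploads, keyword_init: true)

# Same algorithm as #effective_allowed_content_types: the deny list wins even
# when an operator adds a dangerous type to allowed_content_types.
def effective_types(cfg)
  types = cfg.allowed_content_types.dup
  types << "image/svg+xml" if cfg.allow_svg_uploads
  (types - DANGEROUS_CONTENT_TYPES).uniq
end

# Returns a list of findings (empty = passes). production: stands in for Rails.env.production?.
def audit(cfg, production: true)
  findings = []
  # The conditions under which #enforce_authentication! raises SecurityError.
  if production && cfg.authenticate_admin.nil? &&
     cfg.admin_parent_controller == "ActionController::Base"
    findings << "admin interface has no authentication configured"
  end
  # #http_basic_auth_configured? needs both credentials present.
  if cfg.authenticate_admin == :http_basic_auth &&
     [cfg.http_basic_user, cfg.http_basic_password].any? { |v| v.to_s.empty? }
    findings << "http_basic_auth selected but user/password incomplete"
  end
  blocked = cfg.allowed_content_types & DANGEROUS_CONTENT_TYPES
  findings << "dangerous types listed (always dropped): #{blocked.join(', ')}" unless blocked.empty?
  if cfg.allow_svg_uploads && cfg.public_uploads
    findings << "SVG served inline from a public origin; use a separate origin/bucket"
  end
  findings
end

# Constructed scenarios: an open configuration and a hardened one.
WEAK = Settings.new(authenticate_admin: nil, admin_parent_controller: "ActionController::Base",
                    allowed_content_types: %w[image/png text/html],
                    allow_svg_uploads: true, public_uploads: true)
HARDENED = Settings.new(authenticate_admin: :http_basic_auth, admin_parent_controller: "ActionController::Base",
                        http_basic_user: "admin", http_basic_password: "PLACEHOLDER-load-from-credentials",
                        allowed_content_types: %w[image/png application/pdf],
                        allow_svg_uploads: false, public_uploads: false)

puts audit(WEAK), effective_types(WEAK).inspect if __FILE__ == $PROGRAM_NAME
```

Running it prints three findings for WEAK and shows that text/html is dropped from its effective allowlist while image/svg+xml is added; HARDENED yields no findings.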
#tailwind_compilation_available? ⇒ Boolean
Helper to check if Tailwind compilation is available

# File 'lib/active_canvas/configuration.rb', line 240
def tailwind_compilation_available?
  @css_framework == :tailwind && defined?(Tailwindcss::Ruby)
end