Class: RubyNative::Screenshots::SessionsController
- Inherits: ActionController::Base
  - Object
  - ActionController::Base
  - RubyNative::Screenshots::SessionsController
- Defined in: app/controllers/ruby_native/screenshots/sessions_controller.rb
Overview
Validates the per-app screenshot key, signs in the configured screenshot user, and sets a session-scoped cookie that the host app can use to render deterministically (freeze timestamps, hide notifications, etc.).
The key is accepted via the `X-RubyNative-Screenshot-Key` header or the `?ruby_native_screenshot_key=` URL parameter. WKWebView drops custom headers across redirect chains in some iOS versions, so the URL-param fallback is the primary path used by Ruby Native’s screenshot pipeline.
Instance Method Summary
Instance Method Details
#show ⇒ Object
# File 'app/controllers/ruby_native/screenshots/sessions_controller.rb', line 12

def show
  # Defense in depth: prevent the URL (which carries the key as a query
  # param on the way in) from leaking via the Referer header to anything
  # the redirect target loads.
  response.headers["Referrer-Policy"] = "no-referrer"

  unless RubyNative.screenshot_key.present? && RubyNative.screenshot_sign_in.present?
    Rails.logger.info { "[RubyNative] /native/screenshots/session called but screenshot config is not set" }
    head :not_found
    return
  end

  unless valid_key?
    Rails.logger.info { "[RubyNative] /native/screenshots/session rejected: invalid key" }
    head :unauthorized
    return
  end

  RubyNative.screenshot_sign_in.call(self)

  cookies[:_ruby_native_screenshot_session] = {
    value: "1",
    httponly: true,
    secure: request.ssl?,
    same_site: :lax
  }

  redirect_to safe_return_to, allow_other_host: false
end
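One way the two helpers that `#show` calls could work, as an added example that is not Ruby Native's own code. The listing names `valid_key?` and `safe_return_to` but does not show their bodies, so the module name, the plain-Hash `headers`/`params` arguments, and the `"/"` fallback are assumptions made here.

```ruby
require "digest"
require "uri"

# Hypothetical stand-ins for the controller's private helpers (bodies are not
# shown on the page). Plain Hashes stand in for request.headers and params.
module ScreenshotSessionChecks
  HEADER = "X-RubyNative-Screenshot-Key" # header name from the page
  PARAM  = "ruby_native_screenshot_key"  # URL parameter name from the page

  module_function

  # Constant-time comparison over fixed-length SHA-256 digests, so neither the
  # key length nor a matching prefix shows up in response timing.
  # (Inside Rails, ActiveSupport::SecurityUtils.secure_compare fills this role.)
  def secure_compare(a, b)
    da = Digest::SHA256.digest(a)
    db = Digest::SHA256.digest(b)
    diff = 0
    da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Header first, URL parameter as the fallback. Non-string values (for example
  # an array from `?key[]=...`) and empty strings are never accepted.
  def valid_key?(headers, params, configured_key)
    supplied = [headers[HEADER], params[PARAM]].find { |v| v.is_a?(String) && !v.empty? }
    return false if supplied.nil? || configured_key.to_s.empty?
    secure_compare(supplied, configured_key)
  end

  # Accept only a same-origin absolute path; everything else becomes fallback.
  def safe_return_to(candidate, fallback = "/")
    return fallback unless candidate.is_a?(String) && candidate.valid_encoding?
    return fallback unless candidate.start_with?("/")
    # "//host" is protocol-relative and "/\host" is treated like it by browsers.
    return fallback if candidate.start_with?("//") || candidate.include?("\\")
    return fallback if candidate.match?(/[\x00-\x1f\x7f]/) # control chars, CR/LF
    uri = URI.parse(candidate)
    uri.scheme.nil? && uri.host.nil? ? candidate : fallback
  rescue URI::InvalidURIError
    fallback
  end
end
```

Because the key arrives in the query string, adding `:ruby_native_screenshot_key` to `config.filter_parameters` keeps the value out of Rails request logs (proxy and web-server access logs are separate). Whether the gem configures this itself is not stated on the page.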