Class: Sentiero::Web::BaseApp

Inherits:
Object
  • Object
show all
Includes:
Escaping, Formatting
Defined in:
lib/sentiero/web/base_app.rb

Overview

Shared, non-routing machinery for the dashboard UI Rack apps (DashboardApp, AnalyticsApp, MonitoringApp): auth, CSRF, escaping, security headers, asset serving, the routing combinators, and the render_page view-rendering entry point. Subclasses implement their own #call routing.

Direct Known Subclasses

AnalyticsApp, AssetsApp, DashboardApp, MonitoringApp

Constant Summary collapse

ASSETS_DIR =
File.expand_path("assets", __dir__).freeze
CSP_POLICY =
[
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self' data:",
  "frame-src 'self' blob:"
].join("; ").freeze
CONTENT_TYPES =
{
  ".css" => "text/css",
  ".js" => "application/javascript",
  ".html" => "text/html",
  ".png" => "image/png",
  ".svg" => "image/svg+xml"
}.freeze
AUTH_WARNING_LOCK =

Warn at most once per process: the Roda plugin and /analytics delegation construct apps per request, so a per-construction warning would spam.

Mutex.new

Constants included from Escaping

Escaping::HTML_UNSAFE_IN_SCRIPT, Escaping::HTML_UNSAFE_IN_SCRIPT_PATTERN

Class Method Summary collapse

Methods included from Formatting

#format_duration, #format_vital, #parse_browser, #parse_device

Methods included from Escaping

#escape_html, #escape_js_string, #escape_json

Class Method Details

.reset_auth_warning!Object



70
71
72
# File 'lib/sentiero/web/base_app.rb', line 70

def reset_auth_warning!
  @auth_warning_emitted = false
end

.warn_unauthenticated_onceObject

With no auth configured the dashboard fails closed (403) unless allow_insecure_dashboard is set, in which case it serves unauthenticated and we warn once. Called on BaseApp so both subclasses share one flag (class ivars aren't inherited).



53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
# File 'lib/sentiero/web/base_app.rb', line 53

def warn_unauthenticated_once
  config = Sentiero.configuration
  return if config.basic_auth || config.auth_callback
  return unless config.allow_insecure_dashboard

  AUTH_WARNING_LOCK.synchronize do
    return if @auth_warning_emitted
    @auth_warning_emitted = true
  end

  warn "[Sentiero] dashboard mounted with allow_insecure_dashboard and no " \
    "authentication (config.basic_auth and config.auth_callback both unset); " \
    "session recordings and analytics are publicly accessible to anyone who " \
    "can reach this mount. Set config.basic_auth or config.auth_callback to " \
    "protect it."
end