From e98c86050a57e03ef61bd9f6b700fcc0c8b1c860 Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Wed, 19 Apr 2023 16:07:29 +0200 Subject: [PATCH] Refactor `Cache-Control` and `Vary` definitions (#24347) --- .rubocop_todo.yml | 3 - app/controllers/accounts_controller.rb | 3 +- .../activitypub/base_controller.rb | 4 -- .../activitypub/collections_controller.rb | 3 +- .../followers_synchronizations_controller.rb | 3 +- .../activitypub/outboxes_controller.rb | 8 +-- .../activitypub/replies_controller.rb | 3 +- app/controllers/admin/base_controller.rb | 6 ++ app/controllers/api/base_controller.rb | 6 +- .../api/v1/custom_emojis_controller.rb | 2 - .../api/v1/instances/activity_controller.rb | 1 - .../api/v1/instances/peers_controller.rb | 1 - .../api/v1/instances_controller.rb | 1 - .../auth/registrations_controller.rb | 2 +- app/controllers/concerns/cache_concern.rb | 14 ++-- app/controllers/custom_css_controller.rb | 12 +--- app/controllers/disputes/base_controller.rb | 5 ++ app/controllers/emojis_controller.rb | 11 ++-- .../filters/statuses_controller.rb | 5 ++ app/controllers/filters_controller.rb | 5 ++ .../follower_accounts_controller.rb | 3 +- .../following_accounts_controller.rb | 3 +- app/controllers/invites_controller.rb | 5 ++ app/controllers/manifests_controller.rb | 5 +- .../oauth/authorizations_controller.rb | 2 +- .../authorized_applications_controller.rb | 5 ++ app/controllers/relationships_controller.rb | 5 ++ app/controllers/settings/base_controller.rb | 2 +- .../statuses_cleanup_controller.rb | 5 ++ app/controllers/statuses_controller.rb | 3 +- app/controllers/tags_controller.rb | 2 + .../well_known/host_meta_controller.rb | 4 +- .../well_known/nodeinfo_controller.rb | 4 +- .../well_known/webfinger_controller.rb | 13 ++-- config/application.rb | 1 + .../conditional_get_extensions.rb | 15 +++++ spec/controllers/accounts_controller_spec.rb | 4 ++ .../controllers/admin/base_controller_spec.rb | 8 +++ spec/controllers/api/base_controller_spec.rb | 6 ++ .../controllers/api/oembed_controller_spec.rb | 4 ++ .../auth/registrations_controller_spec.rb | 27 ++++++-- .../controllers/custom_css_controller_spec.rb | 18 ++++- .../filters/statuses_controller_spec.rb | 18 +++-- spec/controllers/filters_controller_spec.rb | 15 +++-- spec/controllers/invites_controller_spec.rb | 45 +++++++------ spec/controllers/manifests_controller_spec.rb | 15 ++++- .../oauth/authorizations_controller_spec.rb | 5 ++ ...authorized_applications_controller_spec.rb | 5 ++ .../relationships_controller_spec.rb | 66 ++++++++++--------- .../settings/aliases_controller_spec.rb | 9 ++- .../settings/applications_controller_spec.rb | 14 ++-- .../settings/deletes_controller_spec.rb | 11 +++- .../settings/exports_controller_spec.rb | 12 ++-- .../settings/imports_controller_spec.rb | 9 ++- .../login_activities_controller_spec.rb | 9 ++- .../migration/redirects_controller_spec.rb | 9 ++- .../preferences/appearance_controller_spec.rb | 8 ++- .../notifications_controller_spec.rb | 9 ++- .../preferences/other_controller_spec.rb | 9 ++- .../settings/profiles_controller_spec.rb | 9 ++- ..._authentication_methods_controller_spec.rb | 10 +-- .../statuses_cleanup_controller_spec.rb | 19 +++++- spec/controllers/statuses_controller_spec.rb | 4 ++ spec/controllers/tags_controller_spec.rb | 45 ++++++++++--- 64 files changed, 424 insertions(+), 173 deletions(-) create mode 100644 lib/action_controller/conditional_get_extensions.rb diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml index 2e4801a552..9110956d13 100644 --- a/.rubocop_todo.yml +++ b/.rubocop_todo.yml @@ -1224,9 +1224,6 @@ Rails/ActiveRecordCallbacksOrder: Rails/ApplicationController: Exclude: - 'app/controllers/health_controller.rb' - - 'app/controllers/well_known/host_meta_controller.rb' - - 'app/controllers/well_known/nodeinfo_controller.rb' - - 'app/controllers/well_known/webfinger_controller.rb' # Configuration parameters: Database, Include. # SupportedDatabases: mysql, postgresql diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb index 56229fd05c..7cdc40fb15 100644 --- a/app/controllers/accounts_controller.rb +++ b/app/controllers/accounts_controller.rb @@ -7,8 +7,9 @@ class AccountsController < ApplicationController include AccountControllerConcern include SignatureAuthentication + vary_by -> { public_fetch_mode? ? 'Accept' : 'Accept, Signature' } + before_action :require_account_signature!, if: -> { request.format == :json && authorized_fetch_mode? } - before_action :set_cache_headers skip_around_action :set_locale, if: -> { [:json, :rss].include?(request.format&.to_sym) } skip_before_action :require_functional!, unless: :whitelist_mode? diff --git a/app/controllers/activitypub/base_controller.rb b/app/controllers/activitypub/base_controller.rb index b8a7e0ab96..388d4b9e1d 100644 --- a/app/controllers/activitypub/base_controller.rb +++ b/app/controllers/activitypub/base_controller.rb @@ -7,10 +7,6 @@ class ActivityPub::BaseController < Api::BaseController private - def set_cache_headers - response.headers['Vary'] = 'Signature' if authorized_fetch_mode? - end - def skip_temporary_suspension_response? false end diff --git a/app/controllers/activitypub/collections_controller.rb b/app/controllers/activitypub/collections_controller.rb index d94a285eae..2188eb72a3 100644 --- a/app/controllers/activitypub/collections_controller.rb +++ b/app/controllers/activitypub/collections_controller.rb @@ -4,11 +4,12 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController include SignatureVerification include AccountOwnedConcern + vary_by -> { 'Signature' if authorized_fetch_mode? } + before_action :require_account_signature!, if: :authorized_fetch_mode? before_action :set_items before_action :set_size before_action :set_type - before_action :set_cache_headers def show expires_in 3.minutes, public: public_fetch_mode? diff --git a/app/controllers/activitypub/followers_synchronizations_controller.rb b/app/controllers/activitypub/followers_synchronizations_controller.rb index 4e445bcb1f..976caa3445 100644 --- a/app/controllers/activitypub/followers_synchronizations_controller.rb +++ b/app/controllers/activitypub/followers_synchronizations_controller.rb @@ -4,9 +4,10 @@ class ActivityPub::FollowersSynchronizationsController < ActivityPub::BaseContro include SignatureVerification include AccountOwnedConcern + vary_by -> { 'Signature' if authorized_fetch_mode? } + before_action :require_account_signature! before_action :set_items - before_action :set_cache_headers def show expires_in 0, public: false diff --git a/app/controllers/activitypub/outboxes_controller.rb b/app/controllers/activitypub/outboxes_controller.rb index 60d201f763..bf10ba762a 100644 --- a/app/controllers/activitypub/outboxes_controller.rb +++ b/app/controllers/activitypub/outboxes_controller.rb @@ -6,9 +6,10 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController include SignatureVerification include AccountOwnedConcern + vary_by -> { 'Signature' if authorized_fetch_mode? || page_requested? } + before_action :require_account_signature!, if: :authorized_fetch_mode? before_action :set_statuses - before_action :set_cache_headers def show if page_requested? @@ -16,6 +17,7 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController else expires_in(3.minutes, public: public_fetch_mode?) end + render json: outbox_presenter, serializer: ActivityPub::OutboxSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json' end @@ -80,8 +82,4 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController def set_account @account = params[:account_username].present? ? Account.find_local!(username_param) : Account.representative end - - def set_cache_headers - response.headers['Vary'] = 'Signature' if authorized_fetch_mode? || page_requested? - end end diff --git a/app/controllers/activitypub/replies_controller.rb b/app/controllers/activitypub/replies_controller.rb index 8e0f9de2ee..c38ff89d1c 100644 --- a/app/controllers/activitypub/replies_controller.rb +++ b/app/controllers/activitypub/replies_controller.rb @@ -7,9 +7,10 @@ class ActivityPub::RepliesController < ActivityPub::BaseController DESCENDANTS_LIMIT = 60 + vary_by -> { 'Signature' if authorized_fetch_mode? } + before_action :require_account_signature!, if: :authorized_fetch_mode? before_action :set_status - before_action :set_cache_headers before_action :set_replies def index diff --git a/app/controllers/admin/base_controller.rb b/app/controllers/admin/base_controller.rb index 5b7a7ec11a..4b5afbe157 100644 --- a/app/controllers/admin/base_controller.rb +++ b/app/controllers/admin/base_controller.rb @@ -8,6 +8,8 @@ module Admin layout 'admin' before_action :set_body_classes + before_action :set_cache_headers + after_action :verify_authorized private @@ -16,6 +18,10 @@ module Admin @body_classes = 'admin' end + def set_cache_headers + response.cache_control.replace(private: true, no_store: true) + end + def set_user @user = Account.find(params[:account_id]).user || raise(ActiveRecord::RecordNotFound) end diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb index 41f3ce2ee3..d62416c53d 100644 --- a/app/controllers/api/base_controller.rb +++ b/app/controllers/api/base_controller.rb @@ -12,7 +12,7 @@ class Api::BaseController < ApplicationController before_action :require_authenticated_user!, if: :disallow_unauthenticated_api_access? before_action :require_not_suspended! - before_action :set_cache_headers + before_action :set_cache_control_defaults protect_from_forgery with: :null_session @@ -148,8 +148,8 @@ class Api::BaseController < ApplicationController doorkeeper_authorize!(*scopes) if doorkeeper_token end - def set_cache_headers - response.headers['Cache-Control'] = 'private, no-store' + def set_cache_control_defaults + response.cache_control.replace(private: true, no_store: true) end def disallow_unauthenticated_api_access? diff --git a/app/controllers/api/v1/custom_emojis_controller.rb b/app/controllers/api/v1/custom_emojis_controller.rb index 08b3474cc8..380dbe8bf3 100644 --- a/app/controllers/api/v1/custom_emojis_controller.rb +++ b/app/controllers/api/v1/custom_emojis_controller.rb @@ -1,8 +1,6 @@ # frozen_string_literal: true class Api::V1::CustomEmojisController < Api::BaseController - skip_before_action :set_cache_headers - def index expires_in 3.minutes, public: true render_with_cache(each_serializer: REST::CustomEmojiSerializer) { CustomEmoji.listed.includes(:category) } diff --git a/app/controllers/api/v1/instances/activity_controller.rb b/app/controllers/api/v1/instances/activity_controller.rb index bad61425a5..7ccfec7036 100644 --- a/app/controllers/api/v1/instances/activity_controller.rb +++ b/app/controllers/api/v1/instances/activity_controller.rb @@ -3,7 +3,6 @@ class Api::V1::Instances::ActivityController < Api::BaseController before_action :require_enabled_api! - skip_before_action :set_cache_headers skip_before_action :require_authenticated_user!, unless: :whitelist_mode? def show diff --git a/app/controllers/api/v1/instances/peers_controller.rb b/app/controllers/api/v1/instances/peers_controller.rb index 2877fec52d..b2669a84eb 100644 --- a/app/controllers/api/v1/instances/peers_controller.rb +++ b/app/controllers/api/v1/instances/peers_controller.rb @@ -3,7 +3,6 @@ class Api::V1::Instances::PeersController < Api::BaseController before_action :require_enabled_api! - skip_before_action :set_cache_headers skip_before_action :require_authenticated_user!, unless: :whitelist_mode? def index diff --git a/app/controllers/api/v1/instances_controller.rb b/app/controllers/api/v1/instances_controller.rb index 913319a869..3cdb404cb8 100644 --- a/app/controllers/api/v1/instances_controller.rb +++ b/app/controllers/api/v1/instances_controller.rb @@ -1,7 +1,6 @@ # frozen_string_literal: true class Api::V1::InstancesController < Api::BaseController - skip_before_action :set_cache_headers skip_before_action :require_authenticated_user!, unless: :whitelist_mode? def show diff --git a/app/controllers/auth/registrations_controller.rb b/app/controllers/auth/registrations_controller.rb index b55f7f309f..f9d30c1ebd 100644 --- a/app/controllers/auth/registrations_controller.rb +++ b/app/controllers/auth/registrations_controller.rb @@ -152,6 +152,6 @@ class Auth::RegistrationsController < Devise::RegistrationsController end def set_cache_headers - response.headers['Cache-Control'] = 'private, no-store' + response.cache_control.replace(private: true, no_store: true) end end diff --git a/app/controllers/concerns/cache_concern.rb b/app/controllers/concerns/cache_concern.rb index a5a9ba3e1f..ffede5839d 100644 --- a/app/controllers/concerns/cache_concern.rb +++ b/app/controllers/concerns/cache_concern.rb @@ -155,8 +155,16 @@ module CacheConcern end end + class_methods do + def vary_by(value) + before_action do |controller| + response.headers['Vary'] = value.respond_to?(:call) ? controller.instance_exec(&value) : value + end + end + end + def render_with_cache(**options) - raise ArgumentError, 'only JSON render calls are supported' unless options.key?(:json) || block_given? + raise ArgumentError, 'Only JSON render calls are supported' unless options.key?(:json) || block_given? key = options.delete(:key) || [[params[:controller], params[:action]].join('/'), options[:json].respond_to?(:cache_key) ? options[:json].cache_key : nil, options[:fields].nil? ? nil : options[:fields].join(',')].compact.join(':') expires_in = options.delete(:expires_in) || 3.minutes @@ -176,10 +184,6 @@ module CacheConcern end end - def set_cache_headers - response.headers['Vary'] = public_fetch_mode? ? 'Accept' : 'Accept, Signature' - end - def cache_collection(raw, klass) return raw unless klass.respond_to?(:with_includes) diff --git a/app/controllers/custom_css_controller.rb b/app/controllers/custom_css_controller.rb index 9270c467dc..e7a02ea89c 100644 --- a/app/controllers/custom_css_controller.rb +++ b/app/controllers/custom_css_controller.rb @@ -1,18 +1,8 @@ # frozen_string_literal: true -class CustomCssController < ApplicationController - skip_before_action :store_current_location - skip_before_action :require_functional! - skip_before_action :update_user_sign_in - skip_before_action :set_session_activity - - skip_around_action :set_locale - - before_action :set_cache_headers - +class CustomCssController < ActionController::Base # rubocop:disable Rails/ApplicationController def show expires_in 3.minutes, public: true - request.session_options[:skip] = true render content_type: 'text/css' end end diff --git a/app/controllers/disputes/base_controller.rb b/app/controllers/disputes/base_controller.rb index 865146b5cc..1054f3db80 100644 --- a/app/controllers/disputes/base_controller.rb +++ b/app/controllers/disputes/base_controller.rb @@ -9,10 +9,15 @@ class Disputes::BaseController < ApplicationController before_action :set_body_classes before_action :authenticate_user! + before_action :set_cache_headers private def set_body_classes @body_classes = 'admin' end + + def set_cache_headers + response.cache_control.replace(private: true, no_store: true) + end end diff --git a/app/controllers/emojis_controller.rb b/app/controllers/emojis_controller.rb index 41f1e1c5ca..72bc56de04 100644 --- a/app/controllers/emojis_controller.rb +++ b/app/controllers/emojis_controller.rb @@ -2,15 +2,12 @@ class EmojisController < ApplicationController before_action :set_emoji - before_action :set_cache_headers + + vary_by -> { 'Signature' if authorized_fetch_mode? } def show - respond_to do |format| - format.json do - expires_in 3.minutes, public: true - render_with_cache json: @emoji, content_type: 'application/activity+json', serializer: ActivityPub::EmojiSerializer, adapter: ActivityPub::Adapter - end - end + expires_in 3.minutes, public: true + render_with_cache json: @emoji, content_type: 'application/activity+json', serializer: ActivityPub::EmojiSerializer, adapter: ActivityPub::Adapter end private diff --git a/app/controllers/filters/statuses_controller.rb b/app/controllers/filters/statuses_controller.rb index 7779c6d95b..94993f938b 100644 --- a/app/controllers/filters/statuses_controller.rb +++ b/app/controllers/filters/statuses_controller.rb @@ -7,6 +7,7 @@ class Filters::StatusesController < ApplicationController before_action :set_filter before_action :set_status_filters before_action :set_body_classes + before_action :set_cache_headers PER_PAGE = 20 @@ -44,4 +45,8 @@ class Filters::StatusesController < ApplicationController def set_body_classes @body_classes = 'admin' end + + def set_cache_headers + response.cache_control.replace(private: true, no_store: true) + end end diff --git a/app/controllers/filters_controller.rb b/app/controllers/filters_controller.rb index cc5cb5d9f2..1881dd5a0b 100644 --- a/app/controllers/filters_controller.rb +++ b/app/controllers/filters_controller.rb @@ -6,6 +6,7 @@ class FiltersController < ApplicationController before_action :authenticate_user! before_action :set_filter, only: [:edit, :update, :destroy] before_action :set_body_classes + before_action :set_cache_headers def index @filters = current_account.custom_filters.includes(:keywords, :statuses).order(:phrase) @@ -54,4 +55,8 @@ class FiltersController < ApplicationController def set_body_classes @body_classes = 'admin' end + + def set_cache_headers + response.cache_control.replace(private: true, no_store: true) + end end diff --git a/app/controllers/follower_accounts_controller.rb b/app/controllers/follower_accounts_controller.rb index 9ced184491..3068c07e32 100644 --- a/app/controllers/follower_accounts_controller.rb +++ b/app/controllers/follower_accounts_controller.rb @@ -5,8 +5,9 @@ class FollowerAccountsController < ApplicationController include SignatureVerification include WebAppControllerConcern + vary_by -> { public_fetch_mode? ? 'Accept' : 'Accept, Signature' } + before_action :require_account_signature!, if: -> { request.format == :json && authorized_fetch_mode? } - before_action :set_cache_headers skip_around_action :set_locale, if: -> { request.format == :json } skip_before_action :require_functional!, unless: :whitelist_mode? diff --git a/app/controllers/following_accounts_controller.rb b/app/controllers/following_accounts_controller.rb index febd13c975..022884193d 100644 --- a/app/controllers/following_accounts_controller.rb +++ b/app/controllers/following_accounts_controller.rb @@ -5,8 +5,9 @@ class FollowingAccountsController < ApplicationController include SignatureVerification include WebAppControllerConcern + vary_by -> { public_fetch_mode? ? 'Accept' : 'Accept, Signature' } + before_action :require_account_signature!, if: -> { request.format == :json && authorized_fetch_mode? } - before_action :set_cache_headers skip_around_action :set_locale, if: -> { request.format == :json } skip_before_action :require_functional!, unless: :whitelist_mode? diff --git a/app/controllers/invites_controller.rb b/app/controllers/invites_controller.rb index 8d92147e27..9bc5164d59 100644 --- a/app/controllers/invites_controller.rb +++ b/app/controllers/invites_controller.rb @@ -7,6 +7,7 @@ class InvitesController < ApplicationController before_action :authenticate_user! before_action :set_body_classes + before_action :set_cache_headers def index authorize :invite, :create? @@ -49,4 +50,8 @@ class InvitesController < ApplicationController def set_body_classes @body_classes = 'admin' end + + def set_cache_headers + response.cache_control.replace(private: true, no_store: true) + end end diff --git a/app/controllers/manifests_controller.rb b/app/controllers/manifests_controller.rb index 960510f601..593b76c536 100644 --- a/app/controllers/manifests_controller.rb +++ b/app/controllers/manifests_controller.rb @@ -1,9 +1,6 @@ # frozen_string_literal: true -class ManifestsController < ApplicationController - skip_before_action :store_current_location - skip_before_action :require_functional! - +class ManifestsController < ActionController::Base # rubocop:disable Rails/ApplicationController def show expires_in 3.minutes, public: true render json: InstancePresenter.new, serializer: ManifestSerializer, root: 'instance' diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb index 5449cfb1a2..66e774425d 100644 --- a/app/controllers/oauth/authorizations_controller.rb +++ b/app/controllers/oauth/authorizations_controller.rb @@ -34,6 +34,6 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController end def set_cache_headers - response.headers['Cache-Control'] = 'private, no-store' + response.cache_control.replace(private: true, no_store: true) end end diff --git a/app/controllers/oauth/authorized_applications_controller.rb b/app/controllers/oauth/authorized_applications_controller.rb index 45151cdd77..e3a3c4fc1e 100644 --- a/app/controllers/oauth/authorized_applications_controller.rb +++ b/app/controllers/oauth/authorized_applications_controller.rb @@ -7,6 +7,7 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio before_action :authenticate_resource_owner! before_action :require_not_suspended!, only: :destroy before_action :set_body_classes + before_action :set_cache_headers skip_before_action :require_functional! @@ -30,4 +31,8 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio def require_not_suspended! forbidden if current_account.suspended? end + + def set_cache_headers + response.cache_control.replace(private: true, no_store: true) + end end diff --git a/app/controllers/relationships_controller.rb b/app/controllers/relationships_controller.rb index de5dc58792..e87b5a656f 100644 --- a/app/controllers/relationships_controller.rb +++ b/app/controllers/relationships_controller.rb @@ -7,6 +7,7 @@ class RelationshipsController < ApplicationController before_action :set_accounts, only: :show before_action :set_relationships, only: :show before_action :set_body_classes + before_action :set_cache_headers helper_method :following_relationship?, :followed_by_relationship?, :mutual_relationship? @@ -70,4 +71,8 @@ class RelationshipsController < ApplicationController def set_body_classes @body_classes = 'admin' end + + def set_cache_headers + response.cache_control.replace(private: true, no_store: true) + end end diff --git a/app/controllers/settings/base_controller.rb b/app/controllers/settings/base_controller.rb index 8722fd64ae..64dcd47d12 100644 --- a/app/controllers/settings/base_controller.rb +++ b/app/controllers/settings/base_controller.rb @@ -14,7 +14,7 @@ class Settings::BaseController < ApplicationController end def set_cache_headers - response.headers['Cache-Control'] = 'private, no-store' + response.cache_control.replace(private: true, no_store: true) end def require_not_suspended! diff --git a/app/controllers/statuses_cleanup_controller.rb b/app/controllers/statuses_cleanup_controller.rb index e912967fd7..19ae971ce4 100644 --- a/app/controllers/statuses_cleanup_controller.rb +++ b/app/controllers/statuses_cleanup_controller.rb @@ -6,6 +6,7 @@ class StatusesCleanupController < ApplicationController before_action :authenticate_user! before_action :set_policy before_action :set_body_classes + before_action :set_cache_headers def show; end @@ -36,4 +37,8 @@ class StatusesCleanupController < ApplicationController def set_body_classes @body_classes = 'admin' end + + def set_cache_headers + response.cache_control.replace(private: true, no_store: true) + end end diff --git a/app/controllers/statuses_controller.rb b/app/controllers/statuses_controller.rb index d369cd8e6d..07927d119f 100644 --- a/app/controllers/statuses_controller.rb +++ b/app/controllers/statuses_controller.rb @@ -6,11 +6,12 @@ class StatusesController < ApplicationController include Authorization include AccountOwnedConcern + vary_by -> { public_fetch_mode? ? 'Accept' : 'Accept, Signature' } + before_action :require_account_signature!, only: [:show, :activity], if: -> { request.format == :json && authorized_fetch_mode? } before_action :set_status before_action :set_instance_presenter before_action :redirect_to_original, only: :show - before_action :set_cache_headers before_action :set_body_classes, only: :embed after_action :set_link_headers diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb index 4b747c9add..4afc1aca5f 100644 --- a/app/controllers/tags_controller.rb +++ b/app/controllers/tags_controller.rb @@ -7,6 +7,8 @@ class TagsController < ApplicationController PAGE_SIZE = 20 PAGE_SIZE_MAX = 200 + vary_by -> { public_fetch_mode? ? 'Accept' : 'Accept, Signature' } + before_action :require_account_signature!, if: -> { request.format == :json && authorized_fetch_mode? } before_action :authenticate_user!, if: :whitelist_mode? before_action :set_local diff --git a/app/controllers/well_known/host_meta_controller.rb b/app/controllers/well_known/host_meta_controller.rb index 2fd6bc7cc9..201da9fbc3 100644 --- a/app/controllers/well_known/host_meta_controller.rb +++ b/app/controllers/well_known/host_meta_controller.rb @@ -1,11 +1,9 @@ # frozen_string_literal: true module WellKnown - class HostMetaController < ActionController::Base + class HostMetaController < ActionController::Base # rubocop:disable Rails/ApplicationController include RoutingHelper - before_action { response.headers['Vary'] = 'Accept' } - def show @webfinger_template = "#{webfinger_url}?resource={uri}" expires_in 3.days, public: true diff --git a/app/controllers/well_known/nodeinfo_controller.rb b/app/controllers/well_known/nodeinfo_controller.rb index 11a699ebc8..ab6b8f5a40 100644 --- a/app/controllers/well_known/nodeinfo_controller.rb +++ b/app/controllers/well_known/nodeinfo_controller.rb @@ -1,11 +1,9 @@ # frozen_string_literal: true module WellKnown - class NodeInfoController < ActionController::Base + class NodeInfoController < ActionController::Base # rubocop:disable Rails/ApplicationController include CacheConcern - before_action { response.headers['Vary'] = 'Accept' } - def index expires_in 3.days, public: true render_with_cache json: {}, serializer: NodeInfo::DiscoverySerializer, adapter: NodeInfo::Adapter, expires_in: 3.days, root: 'nodeinfo' diff --git a/app/controllers/well_known/webfinger_controller.rb b/app/controllers/well_known/webfinger_controller.rb index 2b296ea3be..a06253f456 100644 --- a/app/controllers/well_known/webfinger_controller.rb +++ b/app/controllers/well_known/webfinger_controller.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true module WellKnown - class WebfingerController < ActionController::Base + class WebfingerController < ActionController::Base # rubocop:disable Rails/ApplicationController include RoutingHelper before_action :set_account @@ -34,7 +34,12 @@ module WellKnown end def check_account_suspension - expires_in(3.minutes, public: true) && gone if @account.suspended_permanently? + gone if @account.suspended_permanently? + end + + def gone + expires_in(3.minutes, public: true) + head 410 end def bad_request @@ -46,9 +51,5 @@ module WellKnown expires_in(3.minutes, public: true) head 404 end - - def gone - head 410 - end end end diff --git a/config/application.rb b/config/application.rb index f0e65f4437..171dab11f6 100644 --- a/config/application.rb +++ b/config/application.rb @@ -43,6 +43,7 @@ require_relative '../lib/chewy/strategy/bypass_with_warning' require_relative '../lib/webpacker/manifest_extensions' require_relative '../lib/webpacker/helper_extensions' require_relative '../lib/rails/engine_extensions' +require_relative '../lib/action_controller/conditional_get_extensions' require_relative '../lib/active_record/database_tasks_extensions' require_relative '../lib/active_record/batches' require_relative '../lib/simple_navigation/item_extensions' diff --git a/lib/action_controller/conditional_get_extensions.rb b/lib/action_controller/conditional_get_extensions.rb new file mode 100644 index 0000000000..192ed341ea --- /dev/null +++ b/lib/action_controller/conditional_get_extensions.rb @@ -0,0 +1,15 @@ +# frozen_string_literal: true + +module ActionController + module ConditionalGetExtensions + def expires_in(*) + # This backports a fix from Rails 7 so that a more private Cache-Control + # can be overriden by calling expires_in on a specific controller action + response.cache_control.delete(:no_store) + + super + end + end +end + +ActionController::ConditionalGet.prepend(ActionController::ConditionalGetExtensions) diff --git a/spec/controllers/accounts_controller_spec.rb b/spec/controllers/accounts_controller_spec.rb index 9c38b30322..0cdccd70d1 100644 --- a/spec/controllers/accounts_controller_spec.rb +++ b/spec/controllers/accounts_controller_spec.rb @@ -17,6 +17,10 @@ RSpec.describe AccountsController, type: :controller do expect(session).to be_empty end + it 'returns Vary header' do + expect(response.headers['Vary']).to include 'Accept' + end + it 'returns public Cache-Control header' do expect(response.headers['Cache-Control']).to include 'public' end diff --git a/spec/controllers/admin/base_controller_spec.rb b/spec/controllers/admin/base_controller_spec.rb index 5fbf8777c7..bfb9d2c7d4 100644 --- a/spec/controllers/admin/base_controller_spec.rb +++ b/spec/controllers/admin/base_controller_spec.rb @@ -18,6 +18,14 @@ describe Admin::BaseController, type: :controller do expect(response).to have_http_status(403) end + it 'returns private cache control headers' do + routes.draw { get 'success' => 'admin/base#success' } + sign_in(Fabricate(:user, role: UserRole.find_by(name: 'Moderator'))) + get :success + + expect(response.headers['Cache-Control']).to include('private, no-store') + end + it 'renders admin layout as a moderator' do routes.draw { get 'success' => 'admin/base#success' } sign_in(Fabricate(:user, role: UserRole.find_by(name: 'Moderator'))) diff --git a/spec/controllers/api/base_controller_spec.rb b/spec/controllers/api/base_controller_spec.rb index c286b8cbfc..080eab3c05 100644 --- a/spec/controllers/api/base_controller_spec.rb +++ b/spec/controllers/api/base_controller_spec.rb @@ -15,6 +15,12 @@ describe Api::BaseController do end end + it 'returns private cache control headers by default' do + routes.draw { get 'success' => 'api/base#success' } + get :success + expect(response.headers['Cache-Control']).to include('private, no-store') + end + describe 'forgery protection' do before do routes.draw { post 'success' => 'api/base#success' } diff --git a/spec/controllers/api/oembed_controller_spec.rb b/spec/controllers/api/oembed_controller_spec.rb index 930f362505..02875ee9f3 100644 --- a/spec/controllers/api/oembed_controller_spec.rb +++ b/spec/controllers/api/oembed_controller_spec.rb @@ -17,5 +17,9 @@ RSpec.describe Api::OEmbedController, type: :controller do it 'returns http success' do expect(response).to have_http_status(200) end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end end diff --git a/spec/controllers/auth/registrations_controller_spec.rb b/spec/controllers/auth/registrations_controller_spec.rb index e3a00fa397..fffa7e06d7 100644 --- a/spec/controllers/auth/registrations_controller_spec.rb +++ b/spec/controllers/auth/registrations_controller_spec.rb @@ -33,27 +33,42 @@ RSpec.describe Auth::RegistrationsController, type: :controller do end describe 'GET #edit' do - it 'returns http success' do + before do request.env['devise.mapping'] = Devise.mappings[:user] sign_in(Fabricate(:user)) get :edit + end + + it 'returns http success' do expect(response).to have_http_status(200) end + + it 'returns private cache control header' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end describe 'GET #update' do - it 'returns http success' do + let(:user) { Fabricate(:user) } + + before do request.env['devise.mapping'] = Devise.mappings[:user] - sign_in(Fabricate(:user), scope: :user) + sign_in(user, scope: :user) post :update + end + + it 'returns http success' do expect(response).to have_http_status(200) end + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end + context 'when suspended' do + let(:user) { Fabricate(:user, account_attributes: { username: 'test', suspended_at: Time.now.utc }) } + it 'returns http forbidden' do - request.env['devise.mapping'] = Devise.mappings[:user] - sign_in(Fabricate(:user, account_attributes: { username: 'test', suspended_at: Time.now.utc }), scope: :user) - post :update expect(response).to have_http_status(403) end end diff --git a/spec/controllers/custom_css_controller_spec.rb b/spec/controllers/custom_css_controller_spec.rb index 47fe6031fa..99d36d21b9 100644 --- a/spec/controllers/custom_css_controller_spec.rb +++ b/spec/controllers/custom_css_controller_spec.rb @@ -6,9 +6,25 @@ describe CustomCssController do render_views describe 'GET #show' do - it 'returns http success' do + before do get :show + end + + it 'returns http success' do expect(response).to have_http_status(200) end + + it 'returns public cache control header' do + expect(response.headers['Cache-Control']).to include('public') + end + + it 'does not set cookies' do + expect(response.cookies).to be_empty + expect(response.headers['Set-Cookies']).to be_nil + end + + it 'does not set sessions' do + expect(session).to be_empty + end end end diff --git a/spec/controllers/filters/statuses_controller_spec.rb b/spec/controllers/filters/statuses_controller_spec.rb index 492361188b..2c80613302 100644 --- a/spec/controllers/filters/statuses_controller_spec.rb +++ b/spec/controllers/filters/statuses_controller_spec.rb @@ -18,21 +18,27 @@ describe Filters::StatusesController do context 'with a signed in user' do context 'with the filter user signed in' do - before { sign_in(filter.account.user) } + before do + sign_in(filter.account.user) + get :index, params: { filter_id: filter } + end it 'returns http success' do - get :index, params: { filter_id: filter } - expect(response).to have_http_status(200) end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end context 'with another user signed in' do - before { sign_in(Fabricate(:user)) } + before do + sign_in(Fabricate(:user)) + get :index, params: { filter_id: filter } + end it 'returns http not found' do - get :index, params: { filter_id: filter } - expect(response).to have_http_status(404) end end diff --git a/spec/controllers/filters_controller_spec.rb b/spec/controllers/filters_controller_spec.rb index f68f87ba7a..091f714bb3 100644 --- a/spec/controllers/filters_controller_spec.rb +++ b/spec/controllers/filters_controller_spec.rb @@ -7,21 +7,28 @@ describe FiltersController do describe 'GET #index' do context 'with signed out user' do - it 'redirects' do + before do get :index + end + it 'redirects' do expect(response).to be_redirect end end context 'with a signed in user' do - before { sign_in(Fabricate(:user)) } + before do + sign_in(Fabricate(:user)) + get :index + end it 'returns http success' do - get :index - expect(response).to have_http_status(200) end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end end end diff --git a/spec/controllers/invites_controller_spec.rb b/spec/controllers/invites_controller_spec.rb index 408c5e1b53..8718403bf3 100644 --- a/spec/controllers/invites_controller_spec.rb +++ b/spec/controllers/invites_controller_spec.rb @@ -5,35 +5,40 @@ require 'rails_helper' describe InvitesController do render_views + let(:user) { Fabricate(:user) } + before do sign_in user end describe 'GET #index' do - subject { get :index } - - let(:user) { Fabricate(:user) } - let!(:invite) { Fabricate(:invite, user: user) } + before do + Fabricate(:invite, user: user) + end context 'when everyone can invite' do before do UserRole.everyone.update(permissions: UserRole.everyone.permissions | UserRole::FLAGS[:invite_users]) + get :index end - it 'renders index page' do - expect(subject).to render_template :index - expect(assigns(:invites)).to include invite - expect(assigns(:invites).count).to eq 1 + it 'returns http success' do + expect(response).to have_http_status(:success) + end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') end end context 'when not everyone can invite' do before do UserRole.everyone.update(permissions: UserRole.everyone.permissions & ~UserRole::FLAGS[:invite_users]) + get :index end - it 'returns 403' do - expect(subject).to have_http_status 403 + it 'returns http forbidden' do + expect(response).to have_http_status(403) end end end @@ -42,8 +47,6 @@ describe InvitesController do subject { post :create, params: { invite: { max_uses: '10', expires_in: 1800 } } } context 'when everyone can invite' do - let(:user) { Fabricate(:user) } - before do UserRole.everyone.update(permissions: UserRole.everyone.permissions | UserRole::FLAGS[:invite_users]) end @@ -56,26 +59,28 @@ describe InvitesController do end context 'when not everyone can invite' do - let(:user) { Fabricate(:user) } - before do UserRole.everyone.update(permissions: UserRole.everyone.permissions & ~UserRole::FLAGS[:invite_users]) end - it 'returns 403' do - expect(subject).to have_http_status 403 + it 'returns http forbidden' do + expect(subject).to have_http_status(403) end end end describe 'DELETE #create' do - subject { delete :destroy, params: { id: invite.id } } + let(:invite) { Fabricate(:invite, user: user, expires_at: nil) } - let(:user) { Fabricate(:user) } - let!(:invite) { Fabricate(:invite, user: user, expires_at: nil) } + before do + delete :destroy, params: { id: invite.id } + end + + it 'redirects' do + expect(response).to redirect_to invites_path + end it 'expires invite' do - expect(subject).to redirect_to invites_path expect(invite.reload).to be_expired end end diff --git a/spec/controllers/manifests_controller_spec.rb b/spec/controllers/manifests_controller_spec.rb index ecd6957fc2..d0699c438b 100644 --- a/spec/controllers/manifests_controller_spec.rb +++ b/spec/controllers/manifests_controller_spec.rb @@ -7,11 +7,24 @@ describe ManifestsController do describe 'GET #show' do before do - get :show, format: :json + get :show end it 'returns http success' do expect(response).to have_http_status(200) end + + it 'returns public cache control header' do + expect(response.headers['Cache-Control']).to include('public') + end + + it 'does not set cookies' do + expect(response.cookies).to be_empty + expect(response.headers['Set-Cookies']).to be_nil + end + + it 'does not set sessions' do + expect(session).to be_empty + end end end diff --git a/spec/controllers/oauth/authorizations_controller_spec.rb b/spec/controllers/oauth/authorizations_controller_spec.rb index c5eeea397e..6f087625c5 100644 --- a/spec/controllers/oauth/authorizations_controller_spec.rb +++ b/spec/controllers/oauth/authorizations_controller_spec.rb @@ -31,6 +31,11 @@ RSpec.describe Oauth::AuthorizationsController, type: :controller do expect(response).to have_http_status(200) end + it 'returns private cache control headers' do + subject + expect(response.headers['Cache-Control']).to include('private, no-store') + end + it 'gives options to authorize and deny' do subject expect(response.body).to match(/Authorize/) diff --git a/spec/controllers/oauth/authorized_applications_controller_spec.rb b/spec/controllers/oauth/authorized_applications_controller_spec.rb index 885bfa35b3..b54610604c 100644 --- a/spec/controllers/oauth/authorized_applications_controller_spec.rb +++ b/spec/controllers/oauth/authorized_applications_controller_spec.rb @@ -27,6 +27,11 @@ describe Oauth::AuthorizedApplicationsController do expect(response).to have_http_status(200) end + it 'returns private cache control headers' do + subject + expect(response.headers['Cache-Control']).to include('private, no-store') + end + include_examples 'stores location for user' end diff --git a/spec/controllers/relationships_controller_spec.rb b/spec/controllers/relationships_controller_spec.rb index 53a5daa517..9495fc214f 100644 --- a/spec/controllers/relationships_controller_spec.rb +++ b/spec/controllers/relationships_controller_spec.rb @@ -7,42 +7,39 @@ describe RelationshipsController do let(:user) { Fabricate(:user) } - shared_examples 'authenticate user' do - it 'redirects when not signed in' do - expect(subject).to redirect_to '/auth/sign_in' - end - end - describe 'GET #show' do - subject { get :show, params: { page: 2, relationship: 'followed_by' } } + context 'when signed in' do + before do + sign_in user, scope: :user + get :show, params: { page: 2, relationship: 'followed_by' } + end - it 'assigns @accounts' do - Fabricate(:account, domain: 'old').follow!(user.account) - Fabricate(:account, domain: 'recent').follow!(user.account) + it 'returns http success' do + expect(response).to have_http_status(200) + end - sign_in user, scope: :user - subject - - assigned = assigns(:accounts).per(1).to_a - expect(assigned.size).to eq 1 - expect(assigned[0].domain).to eq 'old' + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end - it 'returns http success' do - sign_in user, scope: :user - subject - expect(response).to have_http_status(200) - end + context 'when not signed in' do + before do + get :show, params: { page: 2, relationship: 'followed_by' } + end - include_examples 'authenticate user' + it 'redirects when not signed in' do + expect(response).to redirect_to '/auth/sign_in' + end + end end describe 'PATCH #update' do - let(:poopfeast) { Fabricate(:account, username: 'poopfeast', domain: 'example.com') } + let(:alice) { Fabricate(:account, username: 'alice', domain: 'example.com') } shared_examples 'redirects back to followers page' do it 'redirects back to followers page' do - poopfeast.follow!(user.account) + alice.follow!(user.account) sign_in user, scope: :user subject @@ -58,27 +55,36 @@ describe RelationshipsController do end context 'when select parameter is provided' do - subject { patch :update, params: { form_account_batch: { account_ids: [poopfeast.id] }, remove_domains_from_followers: '' } } + subject { patch :update, params: { form_account_batch: { account_ids: [alice.id] }, remove_domains_from_followers: '' } } it 'soft-blocks followers from selected domains' do - poopfeast.follow!(user.account) + alice.follow!(user.account) sign_in user, scope: :user subject - expect(poopfeast.following?(user.account)).to be false + expect(alice.following?(user.account)).to be false end it 'does not unfollow users from selected domains' do - user.account.follow!(poopfeast) + user.account.follow!(alice) sign_in user, scope: :user subject - expect(user.account.following?(poopfeast)).to be true + expect(user.account.following?(alice)).to be true + end + + context 'when not signed in' do + before do + subject + end + + it 'redirects when not signed in' do + expect(response).to redirect_to '/auth/sign_in' + end end - include_examples 'authenticate user' include_examples 'redirects back to followers page' end end diff --git a/spec/controllers/settings/aliases_controller_spec.rb b/spec/controllers/settings/aliases_controller_spec.rb index ef8724faf4..9636c1ac55 100644 --- a/spec/controllers/settings/aliases_controller_spec.rb +++ b/spec/controllers/settings/aliases_controller_spec.rb @@ -13,10 +13,17 @@ describe Settings::AliasesController do end describe 'GET #index' do - it 'returns http success' do + before do get :index + end + + it 'returns http success' do expect(response).to have_http_status(200) end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end describe 'POST #create' do diff --git a/spec/controllers/settings/applications_controller_spec.rb b/spec/controllers/settings/applications_controller_spec.rb index 5c6b04a155..e12628a18b 100644 --- a/spec/controllers/settings/applications_controller_spec.rb +++ b/spec/controllers/settings/applications_controller_spec.rb @@ -13,13 +13,17 @@ describe Settings::ApplicationsController do end describe 'GET #index' do - let!(:other_app) { Fabricate(:application) } - - it 'shows apps' do + before do + Fabricate(:application) get :index + end + + it 'returns http success' do expect(response).to have_http_status(200) - expect(assigns(:applications)).to include(app) - expect(assigns(:applications)).to_not include(other_app) + end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') end end diff --git a/spec/controllers/settings/deletes_controller_spec.rb b/spec/controllers/settings/deletes_controller_spec.rb index a7edac6a96..7ee18f9fb1 100644 --- a/spec/controllers/settings/deletes_controller_spec.rb +++ b/spec/controllers/settings/deletes_controller_spec.rb @@ -11,20 +11,27 @@ describe Settings::DeletesController do before do sign_in user, scope: :user + get :show end it 'renders confirmation page' do - get :show expect(response).to have_http_status(200) end + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end + context 'when suspended' do let(:user) { Fabricate(:user, account_attributes: { suspended_at: Time.now.utc }) } it 'returns http forbidden' do - get :show expect(response).to have_http_status(403) end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end end diff --git a/spec/controllers/settings/exports_controller_spec.rb b/spec/controllers/settings/exports_controller_spec.rb index a46fe095d8..6a42021318 100644 --- a/spec/controllers/settings/exports_controller_spec.rb +++ b/spec/controllers/settings/exports_controller_spec.rb @@ -11,16 +11,16 @@ describe Settings::ExportsController do before do sign_in user, scope: :user + get :show end - it 'renders export' do - get :show - - export = assigns(:export) - expect(export).to be_instance_of Export - expect(export.account).to eq user.account + it 'returns http success' do expect(response).to have_http_status(200) end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end context 'when not signed in' do diff --git a/spec/controllers/settings/imports_controller_spec.rb b/spec/controllers/settings/imports_controller_spec.rb index 78973df2b3..98ba897e41 100644 --- a/spec/controllers/settings/imports_controller_spec.rb +++ b/spec/controllers/settings/imports_controller_spec.rb @@ -10,10 +10,17 @@ RSpec.describe Settings::ImportsController, type: :controller do end describe 'GET #show' do - it 'returns http success' do + before do get :show + end + + it 'returns http success' do expect(response).to have_http_status(200) end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end describe 'POST #create' do diff --git a/spec/controllers/settings/login_activities_controller_spec.rb b/spec/controllers/settings/login_activities_controller_spec.rb index 6f1f3de314..80c8f484cc 100644 --- a/spec/controllers/settings/login_activities_controller_spec.rb +++ b/spec/controllers/settings/login_activities_controller_spec.rb @@ -12,9 +12,16 @@ describe Settings::LoginActivitiesController do end describe 'GET #index' do - it 'returns http success' do + before do get :index + end + + it 'returns http success' do expect(response).to have_http_status(200) end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end end diff --git a/spec/controllers/settings/migration/redirects_controller_spec.rb b/spec/controllers/settings/migration/redirects_controller_spec.rb index 54897bb7fd..aa6df64cff 100644 --- a/spec/controllers/settings/migration/redirects_controller_spec.rb +++ b/spec/controllers/settings/migration/redirects_controller_spec.rb @@ -12,10 +12,17 @@ describe Settings::Migration::RedirectsController do end describe 'GET #new' do - it 'returns http success' do + before do get :new + end + + it 'returns http success' do expect(response).to have_http_status(200) end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end describe 'POST #create' do diff --git a/spec/controllers/settings/preferences/appearance_controller_spec.rb b/spec/controllers/settings/preferences/appearance_controller_spec.rb index df0237a6b3..083bf49544 100644 --- a/spec/controllers/settings/preferences/appearance_controller_spec.rb +++ b/spec/controllers/settings/preferences/appearance_controller_spec.rb @@ -12,11 +12,17 @@ describe Settings::Preferences::AppearanceController do end describe 'GET #show' do - it 'returns http success' do + before do get :show + end + it 'returns http success' do expect(response).to have_http_status(200) end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end describe 'PUT #update' do diff --git a/spec/controllers/settings/preferences/notifications_controller_spec.rb b/spec/controllers/settings/preferences/notifications_controller_spec.rb index 29b7b6aec5..6a04df9edb 100644 --- a/spec/controllers/settings/preferences/notifications_controller_spec.rb +++ b/spec/controllers/settings/preferences/notifications_controller_spec.rb @@ -12,10 +12,17 @@ describe Settings::Preferences::NotificationsController do end describe 'GET #show' do - it 'returns http success' do + before do get :show + end + + it 'returns http success' do expect(response).to have_http_status(200) end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end describe 'PUT #update' do diff --git a/spec/controllers/settings/preferences/other_controller_spec.rb b/spec/controllers/settings/preferences/other_controller_spec.rb index 249d1b5b59..750510b04b 100644 --- a/spec/controllers/settings/preferences/other_controller_spec.rb +++ b/spec/controllers/settings/preferences/other_controller_spec.rb @@ -12,10 +12,17 @@ describe Settings::Preferences::OtherController do end describe 'GET #show' do - it 'returns http success' do + before do get :show + end + + it 'returns http success' do expect(response).to have_http_status(200) end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end describe 'PUT #update' do diff --git a/spec/controllers/settings/profiles_controller_spec.rb b/spec/controllers/settings/profiles_controller_spec.rb index 563e60271f..52ae1f5191 100644 --- a/spec/controllers/settings/profiles_controller_spec.rb +++ b/spec/controllers/settings/profiles_controller_spec.rb @@ -13,10 +13,17 @@ RSpec.describe Settings::ProfilesController, type: :controller do end describe 'GET #show' do - it 'returns http success' do + before do get :show + end + + it 'returns http success' do expect(response).to have_http_status(200) end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end describe 'PUT #update' do diff --git a/spec/controllers/settings/two_factor_authentication_methods_controller_spec.rb b/spec/controllers/settings/two_factor_authentication_methods_controller_spec.rb index 153eca1a5a..3e61912ad4 100644 --- a/spec/controllers/settings/two_factor_authentication_methods_controller_spec.rb +++ b/spec/controllers/settings/two_factor_authentication_methods_controller_spec.rb @@ -26,23 +26,25 @@ describe Settings::TwoFactorAuthenticationMethodsController do describe 'when user has enabled otp' do before do user.update(otp_required_for_login: true) + get :index end it 'returns http success' do - get :index - expect(response).to have_http_status(200) end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end describe 'when user has not enabled otp' do before do user.update(otp_required_for_login: false) + get :index end it 'redirects to enable otp' do - get :index - expect(response).to redirect_to(settings_otp_authentication_path) end end diff --git a/spec/controllers/statuses_cleanup_controller_spec.rb b/spec/controllers/statuses_cleanup_controller_spec.rb index 969778bbfe..693260f92b 100644 --- a/spec/controllers/statuses_cleanup_controller_spec.rb +++ b/spec/controllers/statuses_cleanup_controller_spec.rb @@ -11,19 +11,32 @@ RSpec.describe StatusesCleanupController, type: :controller do end describe 'GET #show' do - it 'returns http success' do + before do get :show + end + + it 'returns http success' do expect(response).to have_http_status(200) end + + it 'returns private cache control headers' do + expect(response.headers['Cache-Control']).to include('private, no-store') + end end describe 'PUT #update' do - it 'updates the account status cleanup policy' do + before do put :update, params: { account_statuses_cleanup_policy: { enabled: true, min_status_age: 2.weeks.seconds, keep_direct: false, keep_polls: true } } - expect(response).to redirect_to(statuses_cleanup_path) + end + + it 'updates the account status cleanup policy' do expect(@user.account.statuses_cleanup_policy.enabled).to be true expect(@user.account.statuses_cleanup_policy.keep_direct).to be false expect(@user.account.statuses_cleanup_policy.keep_polls).to be true end + + it 'redirects' do + expect(response).to redirect_to(statuses_cleanup_path) + end end end diff --git a/spec/controllers/statuses_controller_spec.rb b/spec/controllers/statuses_controller_spec.rb index c8b503d683..f0a40707fe 100644 --- a/spec/controllers/statuses_controller_spec.rb +++ b/spec/controllers/statuses_controller_spec.rb @@ -15,6 +15,10 @@ describe StatusesController do expect(session).to be_empty end + it 'returns Vary header' do + expect(response.headers['Vary']).to include 'Accept' + end + it 'returns public Cache-Control header' do expect(response.headers['Cache-Control']).to include 'public' end diff --git a/spec/controllers/tags_controller_spec.rb b/spec/controllers/tags_controller_spec.rb index 8a3fa0bf8c..9287a6ab52 100644 --- a/spec/controllers/tags_controller_spec.rb +++ b/spec/controllers/tags_controller_spec.rb @@ -6,21 +6,50 @@ RSpec.describe TagsController, type: :controller do render_views describe 'GET #show' do - let!(:tag) { Fabricate(:tag, name: 'test') } - let!(:local) { Fabricate(:status, tags: [tag], text: 'local #test') } - let!(:remote) { Fabricate(:status, tags: [tag], text: 'remote #test', account: Fabricate(:account, domain: 'remote')) } - let!(:late) { Fabricate(:status, tags: [tag], text: 'late #test') } + let(:format) { 'html' } + let(:tag) { Fabricate(:tag, name: 'test') } + let(:tag_name) { tag&.name } + + before do + get :show, params: { id: tag_name, format: format } + end context 'when tag exists' do - it 'returns http success' do - get :show, params: { id: 'test', max_id: late.id } - expect(response).to have_http_status(200) + context 'when requested as HTML' do + it 'returns http success' do + expect(response).to have_http_status(200) + end + + it 'returns Vary header' do + expect(response.headers['Vary']).to eq 'Accept' + end + + it 'returns public Cache-Control header' do + expect(response.headers['Cache-Control']).to include 'public' + end + end + + context 'when requested as JSON' do + let(:format) { 'json' } + + it 'returns http success' do + expect(response).to have_http_status(200) + end + + it 'returns Vary header' do + expect(response.headers['Vary']).to eq 'Accept' + end + + it 'returns public Cache-Control header' do + expect(response.headers['Cache-Control']).to include 'public' + end end end context 'when tag does not exist' do + let(:tag_name) { 'hoge' } + it 'returns http not found' do - get :show, params: { id: 'none' } expect(response).to have_http_status(404) end end