lib/action_controller/metal/force_ssl.rb
# frozen_string_literal: true require "active_support/core_ext/hash/except" require "active_support/core_ext/hash/slice" module ActionController # This module is deprecated in favor of +config.force_ssl+ in your environment # config file. This will ensure all endpoints not explicitly marked otherwise # will have all communication served over HTTPS. module ForceSSL # :nodoc: extend ActiveSupport::Concern include AbstractController::Callbacks ACTION_OPTIONS = [:only, :except, :if, :unless] URL_OPTIONS = [:protocol, :host, :domain, :subdomain, :port, :path] REDIRECT_OPTIONS = [:status, :flash, :alert, :notice] module ClassMethods # :nodoc: def force_ssl(options = {}) ActiveSupport::Deprecation.warn(<<-MESSAGE.squish) Controller-level `force_ssl` is deprecated and will be removed from Rails 6.1. Please enable `config.force_ssl` in your environment configuration to enable the ActionDispatch::SSL middleware to more fully enforce that your application communicate over HTTPS. If needed, you can use `config.ssl_options` to exempt matching endpoints from being redirected to HTTPS. MESSAGE action_options = options.slice(*ACTION_OPTIONS) redirect_options = options.except(*ACTION_OPTIONS) before_action(action_options) do force_ssl_redirect(redirect_options) end end end def force_ssl_redirect(host_or_options = nil) unless request.ssl? options = { protocol: "https://", host: request.host, path: request.fullpath, status: :moved_permanently, } if host_or_options.is_a?(Hash) options.merge!(host_or_options) elsif host_or_options options[:host] = host_or_options end secure_url = ActionDispatch::Http::URL.url_for(options.slice(*URL_OPTIONS)) flash.keep if respond_to?(:flash) && request.respond_to?(:flash) redirect_to secure_url, options.slice(*REDIRECT_OPTIONS) end end end end