class RubyNative::TunnelCookieMiddleware
hostname (e.g. `abc-123.trycloudflare.com`) so it persists normally.
Removing the domain attribute lets the cookie scope to the exact tunnel
breaking authentication.
suffix domain. Browsers and WKWebView silently reject those cookies,
store. Through a tunnel this resolves to `.trycloudflare.com`, a public
Many Rails apps configure `domain: :all, tld_length: 2` on their session
comes through a Cloudflare tunnel (*.trycloudflare.com).
Strips the `domain=` attribute from Set-Cookie headers when the request
def call(env)
# Rack entry point: runs the wrapped app, then rewrites Set-Cookie on
# responses to requests that tunnel_request? classifies as tunnelled.
#
# @param env [Hash] the Rack environment for the current request
# @return [Array] the [status, headers, body] triple from the wrapped app
def call(env)
  response = @app.call(env)
  status, headers, body = response

  # Check the host first, then whether a cookie is being set at all.
  rewrite = tunnel_request?(env) && headers["set-cookie"]
  strip_cookie_domain!(headers) if rewrite

  [status, headers, body]
end
def initialize(app)
# Stores the downstream Rack application that this middleware wraps.
#
# @param app [#call] the next application in the middleware stack
def initialize(app)
  @app = app
end
def strip_cookie_domain!(headers)
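# Removes the `domain=` attribute from every cookie in headers["set-cookie"],
# mutating the headers hash in place.
#
# The header value may be an Array of cookie strings or a single String with
# one cookie per line. A String input is written back as a String (cookies
# re-joined with "\n"), so a consumer that expects a String never receives an
# Array. For Array input, a single remaining cookie is stored as a bare
# String, otherwise as an Array.
#
# @param headers [Hash] response headers; must contain a "set-cookie" entry
# @return [String, Array<String>] the value stored back into the header
def strip_cookie_domain!(headers)
  raw = headers["set-cookie"]
  from_array = raw.is_a?(Array)
  cookies = from_array ? raw : raw.split("\n")

  # The match starts at the ";" preceding the attribute, so only a real
  # `domain` attribute is removed, never a name that merely ends in "domain".
  stripped = cookies.map { |cookie| cookie.gsub(/;\s*domain=[^;]*/i, "") }

  headers["set-cookie"] =
    if !from_array
      stripped.join("\n")
    elsif stripped.length == 1
      stripped.first
    else
      stripped
    end
end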
def tunnel_request?(env)
# Reports whether the request's host matches TUNNEL_HOST_PATTERN.
#
# The host is taken from HTTP_HOST, then SERVER_NAME, then "" if neither is set.
# NOTE(review): HTTP_HOST is supplied by the client and may carry a ":port"
# suffix. Confirm TUNNEL_HOST_PATTERN (defined outside this listing) is
# anchored with \A and \z so it cannot match a look-alike host.
#
# @param env [Hash] the Rack environment for the current request
# @return [Boolean] true when the host matches the tunnel pattern
def tunnel_request?(env)
  candidates = [env["HTTP_HOST"], env["SERVER_NAME"]]
  host = candidates.find { |name| name } || ""
  host.match?(TUNNEL_HOST_PATTERN)
end