module Sprockets::Server
def bad_request_response(env)
def bad_request_response(env) if head_request?(env) [ 400, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "0" }, [] ] else [ 400, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "11" }, [ "Bad Request" ] ] end end
def cache_headers(env, etag)
def cache_headers(env, etag) headers = {} # Set caching headers headers[Rack::CACHE_CONTROL] = +"public" headers[Rack::ETAG] = %("#{etag}") # If the request url contains a fingerprint, set a long # expires on the response if path_fingerprint(env["PATH_INFO"]) headers[Rack::CACHE_CONTROL] << ", max-age=31536000, immutable" # Otherwise set `must-revalidate` since the asset could be modified. else headers[Rack::CACHE_CONTROL] << ", must-revalidate" headers[VARY] = "Accept-Encoding" end headers end
def call(env)
A request for `"/assets/foo/bar.js"` will search your
end
run Sprockets::Environment.new
map "/assets" do
in the path.
Mapping your environment at a url prefix will serve all assets
headers, and body.
`env` Hash and returns a three item tuple with the status code,
`call` implements the Rack 1.x specification which accepts an
def call(env) start_time = Time.now.to_f time_elapsed = lambda { ((Time.now.to_f - start_time) * 1000).to_i } unless ALLOWED_REQUEST_METHODS.include? env['REQUEST_METHOD'] return method_not_allowed_response end msg = "Served asset #{env['PATH_INFO']} -" # Extract the path from everything after the leading slash full_path = Rack::Utils.unescape(env['PATH_INFO'].to_s.sub(/^\//, '')) path = full_path unless path.valid_encoding? return bad_request_response(env) end # Strip fingerprint if fingerprint = path_fingerprint(path) path = path.sub("-#{fingerprint}", '') end # URLs containing a `".."` are rejected for security reasons. if forbidden_request?(path) return forbidden_response(env) end if fingerprint if_match = fingerprint elsif env['HTTP_IF_MATCH'] if_match = env['HTTP_IF_MATCH'][/"(\w+)"$/, 1] end if env['HTTP_IF_NONE_MATCH'] if_none_match = env['HTTP_IF_NONE_MATCH'][/"(\w+)"$/, 1] end # Look up the asset. asset = find_asset(path) # Fallback to looking up the asset with the full path. # This will make assets that are hashed with webpack or # other js bundlers work consistently between production # and development pipelines. if asset.nil? && (asset = find_asset(full_path)) if_match = asset.etag if fingerprint fingerprint = asset.etag end if asset.nil? status = :not_found elsif fingerprint && asset.etag != fingerprint status = :not_found elsif if_match && asset.etag != if_match status = :precondition_failed elsif if_none_match && asset.etag == if_none_match status = :not_modified else status = :ok end case status when :ok logger.info "#{msg} 200 OK (#{time_elapsed.call}ms)" ok_response(asset, env) when :not_modified logger.info "#{msg} 304 Not Modified (#{time_elapsed.call}ms)" not_modified_response(env, if_none_match) when :not_found logger.info "#{msg} 404 Not Found (#{time_elapsed.call}ms)" not_found_response(env) when :precondition_failed logger.info "#{msg} 412 Precondition Failed (#{time_elapsed.call}ms)" precondition_failed_response(env) end rescue Exception => e logger.error "Error compiling asset #{path}:" logger.error "#{e.class.name}: #{e.message}" case File.extname(path) when ".js" # Re-throw JavaScript asset exceptions to the browser logger.info "#{msg} 500 Internal Server Error\n\n" return javascript_exception_response(e) when ".css" # Display CSS asset exceptions in the browser logger.info "#{msg} 500 Internal Server Error\n\n" return css_exception_response(e) else raise end end
def css_exception_response(exception)
Returns a CSS response that hides all elements on the page and
def css_exception_response(exception) message = "\n#{exception.class.name}: #{exception.message}" backtrace = "\n #{exception.backtrace.first}" body = <<-CSS html { padding: 18px 36px; } head { display: block; } body { margin: 0; padding: 0; } body > * { display: none !important; } head:after, body:before, body:after { display: block !important; } head:after { font-family: sans-serif; font-size: large; font-weight: bold; content: "Error compiling CSS asset"; } body:before, body:after { font-family: monospace; white-space: pre-wrap; } body:before { font-weight: bold; content: "#{escape_css_content(message)}"; } body:after { content: "#{escape_css_content(backtrace)}"; } CSS [ 200, { Rack::CONTENT_TYPE => "text/css; charset=utf-8", Rack::CONTENT_LENGTH => body.bytesize.to_s }, [ body ] ] end
def escape_css_content(content)
def escape_css_content(content) content. gsub('\\', '\\\\005c '). gsub("\n", '\\\\000a '). gsub('"', '\\\\0022 '). gsub('/', '\\\\002f ') end
def forbidden_request?(path)
def forbidden_request?(path) # Prevent access to files elsewhere on the file system # # http://example.org/assets/../../../etc/passwd # path.include?("..") || absolute_path?(path) || path.include?("://") end
def forbidden_response(env)
def forbidden_response(env) if head_request?(env) [ 403, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "0" }, [] ] else [ 403, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "9" }, [ "Forbidden" ] ] end end
def head_request?(env)
def head_request?(env) env['REQUEST_METHOD'] == 'HEAD' end
def headers(env, asset, length)
def headers(env, asset, length) headers = {} # Set content length header headers[Rack::CONTENT_LENGTH] = length.to_s # Set content type header if type = asset.content_type # Set charset param for text/* mime types if type.start_with?("text/") && asset.charset type += "; charset=#{asset.charset}" end headers[Rack::CONTENT_TYPE] = type end headers.merge(cache_headers(env, asset.etag)) end
def javascript_exception_response(exception)
Returns a JavaScript response that re-throws a Ruby exception
def javascript_exception_response(exception) err = "#{exception.class.name}: #{exception.message}\n (in #{exception.backtrace[0]})" body = "throw Error(#{err.inspect})" [ 200, { Rack::CONTENT_TYPE => "application/javascript", Rack::CONTENT_LENGTH => body.bytesize.to_s }, [ body ] ] end
def method_not_allowed_response
def method_not_allowed_response [ 405, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "18" }, [ "Method Not Allowed" ] ] end
def not_found_response(env)
def not_found_response(env) if head_request?(env) [ 404, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "0", X_CASCADE => "pass" }, [] ] else [ 404, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "9", X_CASCADE => "pass" }, [ "Not found" ] ] end end
def not_modified_response(env, etag)
def not_modified_response(env, etag) [ 304, cache_headers(env, etag), [] ] end
def ok_response(asset, env)
def ok_response(asset, env) if head_request?(env) [ 200, headers(env, asset, 0), [] ] else [ 200, headers(env, asset, asset.length), asset ] end end
def path_fingerprint(path)
# => "0aa2105d29558f3eb790d411d7d8fb66"
"foo-0aa2105d29558f3eb790d411d7d8fb66.js"
Gets ETag fingerprint.
def path_fingerprint(path) path[/-([0-9a-zA-Z]{7,128})\.[^.]+\z/, 1] end
def precondition_failed_response(env)
def precondition_failed_response(env) if head_request?(env) [ 412, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "0", X_CASCADE => "pass" }, [] ] else [ 412, { Rack::CONTENT_TYPE => "text/plain", Rack::CONTENT_LENGTH => "19", X_CASCADE => "pass" }, [ "Precondition Failed" ] ] end end