class ModelApi::SuppressLoginRedirectMiddleware


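# Rack middleware that intercepts the HTML login redirect (302 to
# '/users/sign_in') produced for an unauthenticated request under an API
# root and answers with a JSON 404 instead, so API clients never receive a
# login page.
#
# @param app [#call] the next Rack application in the middleware stack
def initialize(app)
  @app = app
  # Filled in lazily by #call from the application's @@options; nil until
  # the first request.  (This is the ivar #call actually reads -- it was
  # previously initialised under a different, unused name.)
  @api_roots = nil
end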


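# Rack entry point.
#
# Lets the downstream app handle the request, then inspects the response: if
# it is a 302 whose Location header ends in '/users/sign_in' and the request
# path lies under one of the configured API roots, the login redirect is
# replaced by a JSON 404 carrying the same headers the API uses for unknown
# routes.  Every other response is passed through untouched.
#
# @param env [Hash] the Rack environment
# @return [Array] a Rack response triple (status, headers, body)
def call(env)
  # Resolve the API root paths once, on the first request, from the
  # application's @@options (default: a single 'api' root).  Each root is
  # normalized to a leading slash and no trailing slash so that the prefix
  # test below matches '/api' and '/api/...' but not '/apiary/...'.
  # NOTE(review): class_variable_get raises NameError if @@options is not
  # defined on the config class -- presumably the host app always sets it.
  @api_roots ||= begin
    options = Rails.application.config.class.class_variable_get(:@@options) || {}
    roots = options[:api_middleware_root_paths] || ['api']
    roots = [roots] unless roots.is_a?(Array)
    roots.map do |path|
      root = path.to_s.starts_with?('/') ? path.to_s : "/#{path}"
      root.chomp('/')
    end
  end

  response = @app.call(env)
  # Only a 302 is treated as the login redirect; other statuses, including
  # other 3xx redirects, pass through unchanged.
  return response unless response[0].to_i == 302

  # REQUEST_PATH is set by most servers but is not part of the Rack SPEC;
  # PATH_INFO is the spec key, so use it when REQUEST_PATH is absent.
  request_path = (env['REQUEST_PATH'] || env['PATH_INFO']).to_s
  under_api_root = @api_roots.any? do |root|
    request_path == root || request_path.starts_with?("#{root}/")
  end
  return response unless under_api_root

  # HTTP header names are case-insensitive (and Rack 3 downcases them), so
  # look the Location header up without regard to case.
  location = response[1].find { |name, _| name.to_s.casecmp('Location').zero? }
  return response unless location && location[1].to_s.ends_with?('/users/sign_in')

  # Mimic headers returned from API endpoint 404's for security reasons: an
  # unauthenticated call to a protected API route gets the same response
  # shape as a call to an unknown route, rather than an HTML login page.
  response_headers = ModelApi::Utils.common_http_headers.merge(
      'Content-Type' => 'application/json',
      'X-Content-Type-Options' => 'nosniff',
      'X-Frame-Options' => 'SAMEORIGIN',
      'X-Request-Id' => SecureRandom.uuid,
      'X-UA-Compatible' => 'chrome=1',
      'X-XSS-Protection' => '1; mode=block'
  )
  [404, response_headers, [ModelApi::Utils.not_found_response_body]]
end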