Farmbot-Web-App/config/application.rb

require_relative "../app/models/transport.rb"
require File.expand_path("../boot", __FILE__)
require_relative "../app/lib/celery_script/cs_heap"
require "rails/all"

# Require the gems listed in Gemfile, including any gems
# you've limited to :test, :development, or :production.
Bundler.require(:default, Rails.env)

module FarmBot
  class Application < Rails::Application
    Delayed::Worker.max_attempts = 4
    REDIS_ENV_KEY = ENV.fetch("WHERE_IS_REDIS_URL", "REDIS_URL")
    REDIS_URL = ENV.fetch(REDIS_ENV_KEY, "redis://redis:6379/0")
    gcs_enabled =
      %w[ GOOGLE_CLOUD_KEYFILE_JSON GCS_PROJECT GCS_BUCKET ].all? { |s| ENV.key? s }
    config.load_defaults 6.0
    config.active_storage.service = gcs_enabled ?
      :google : :local
    config.cache_store = :redis_cache_store, { url: REDIS_URL }
    config.middleware.use Rack::Attack
    config.active_record.schema_format = :sql
    config.active_record.belongs_to_required_by_default = false
    config.active_job.queue_adapter = :delayed_job
    config.action_dispatch.perform_deep_munge = false
    I18n.enforce_available_locales = false
    LOCAL_API_HOST = ENV.fetch("API_HOST", "parcel")
    PARCELJS_URL = "http://#{LOCAL_API_HOST}:3808"
    config.generators do |g|
      g.template_engine :erb
      g.test_framework :rspec, :fixture_replacement => :factory_bot, :views => false, :helper => false
      g.view_specs false
      g.helper_specs false
      g.fixture_replacement :factory_bot, :dir => "spec/factories"
    end
    config.autoload_paths << Rails.root.join("lib")
    config.autoload_paths << Rails.root.join("lib/sequence_migrations")
    config.middleware.insert_before ActionDispatch::Static, Rack::Cors do
      allow do
        origins "*"
        resource "/api/*",
                 headers: :any,
                 methods: [:get, :post, :delete, :put, :patch, :options, :head],
                 expose: "X-Farmbot-Rpc-Id",
                 credentials: false, # No cookies.
                 max_age: 0
      end
    end
    API_PORT = ENV["API_PORT"]
    Rails.application.routes.default_url_options[:host] = LOCAL_API_HOST
    Rails.application.routes.default_url_options[:port] = API_PORT || 3000
    # ¯\_(ツ)_/¯
    $API_URL = "//#{Rails.application.routes.default_url_options[:host]}:#{Rails.application.routes.default_url_options[:port]}"
    ALL_LOCAL_URIS = ([ENV["API_HOST"]] + (ENV["EXTRA_DOMAINS"] || "").split(","))
      .map { |x| x.present? ? "#{x}:#{ENV["API_PORT"]}" : nil }.compact
    SecureHeaders::Configuration.default do |config|
      config.hsts = "max-age=#{1.week.to_i}"
      # We need this off in dev mode otherwise email previews won't show up.
      config.x_frame_options = "ALLOW-FROM https://farm.bot" # For marketing demos
      config.x_content_type_options = "nosniff"
      config.x_xss_protection = "1; mode=block"
      config.x_download_options = "noopen"
      config.x_permitted_cross_domain_policies = "none"
      config.referrer_policy =
        %w(origin-when-cross-origin strict-origin-when-cross-origin)
      connect_src = ALL_LOCAL_URIS + [
        ENV["MQTT_HOST"],
        "api.github.com",
        "raw.githubusercontent.com",
        "openfarm.cc",
        "api.rollbar.com",
        PARCELJS_URL,
        ENV["FORCE_SSL"] ? "wss:" : "ws:",
        "localhost:#{API_PORT}",
        "localhost:3808",
        "browser-http-intake.logs.datadoghq.com",
        "#{ENV.fetch("API_HOST")}:#{API_PORT}",
        "#{ENV.fetch("API_HOST")}:3808",
      ]
      config.csp = {
        default_src: %w(https: 'self'),
        base_uri: %w('self'),
        block_all_mixed_content: false, # :( Some webcam feeds use http://
        connect_src: connect_src,
        font_src: %w(
          'self'
          data:
          maxcdn.bootstrapcdn.com
          fonts.googleapis.com
          fonts.gstatic.com
        ),
        form_action: %w('self'),
        frame_src: %w(*),       # We need "*" to support webcam users.
        img_src: %w(* data:),   # We need "*" to support webcam users.
        manifest_src: %w('self'),
        media_src: %w(),
        object_src: %w(),
        sandbox: %w(
          allow-scripts
          allow-forms
          allow-same-origin
          allow-modals
          allow-popups
        ),
        plugin_types: %w(),
        script_src: [
          "'self'",
          "'unsafe-eval'",
          "'unsafe-inline'",
          "cdnjs.cloudflare.com",
          "chrome-extension:",
          "localhost:3808",
          PARCELJS_URL,
          "www.datadoghq-browser-agent.com",
        ],
        style_src: %w(
          'self'
          'unsafe-inline'
          fonts.googleapis.com
          maxcdn.bootstrapcdn.com
          fonts.gstatic.com
        ),
        worker_src: %w(),
        upgrade_insecure_requests: false, # WHY? Some people run webcam feeds
                                          # over plain http://. I wish they
                                          # wouldn't, but I think it's too much
                                          # of an inconvenience to block that
                                          # feature. Comments welcome -RC.
        report_uri: %w(/csp_reports),
      }
    end
  end
end
Try to use AMQP as message queue for background workers 2017-11-08 08:11:31 -07:00			`require_relative "../app/models/transport.rb"`
Update rack middleware config 2019-04-17 14:48:54 -06:00			`require File.expand_path("../boot", __FILE__)`
Fix const auto-loader problems, change belongs_to behavior to allow `nil` by default (sorry). 2019-10-24 11:44:11 -06:00			`require_relative "../app/lib/celery_script/cs_heap"`
[UNSTABLE] Remove most mongoid stuff, not done. 2016-08-19 23:24:00 -06:00			`require "rails/all"`
Introduce a "Flat IR" for sequence nodes (#655) This is the first release of the Flat IR storage mechanism. 2018-02-11 12:33:46 -07:00
Finished base app 2014-03-12 07:42:11 -06:00			`# Require the gems listed in Gemfile, including any gems`
			`# you've limited to :test, :development, or :production.`
			`Bundler.require(:default, Rails.env)`
Update rack middleware config 2019-04-17 14:48:54 -06:00
rename application from `dss` to `farmbot` 2015-03-09 04:31:05 -06:00			`module FarmBot`
Finished base app 2014-03-12 07:42:11 -06:00			`class Application < Rails::Application`
Stub out Garden and PlantTemplate 2018-04-18 15:50:20 -06:00			`Delayed::Worker.max_attempts = 4`
Use Redis as caching mechanism 2018-10-05 09:58:16 -06:00			`REDIS_ENV_KEY = ENV.fetch("WHERE_IS_REDIS_URL", "REDIS_URL")`
Update rack middleware config 2019-04-17 14:48:54 -06:00			`REDIS_URL = ENV.fetch(REDIS_ENV_KEY, "redis://redis:6379/0")`
Add tests 2019-07-25 12:10:06 -06:00			`gcs_enabled =`
			`%w[ GOOGLE_CLOUD_KEYFILE_JSON GCS_PROJECT GCS_BUCKET ].all? { \|s\| ENV.key? s }`
Fix const auto-loader problems, change belongs_to behavior to allow `nil` by default (sorry). 2019-10-24 11:44:11 -06:00			`config.load_defaults 6.0`
Add tests 2019-07-25 12:10:06 -06:00			`config.active_storage.service = gcs_enabled ?`
			`:google : :local`
Update rack middleware config 2019-04-17 14:48:54 -06:00			`config.cache_store = :redis_cache_store, { url: REDIS_URL }`
Add middlewares back 2019-04-18 12:46:00 -06:00			`config.middleware.use Rack::Attack`
Updates to DB - PinBinding stuff. 2018-07-19 08:54:42 -06:00			`config.active_record.schema_format = :sql`
Fix const auto-loader problems, change belongs_to behavior to allow `nil` by default (sorry). 2019-10-24 11:44:11 -06:00			`config.active_record.belongs_to_required_by_default = false`
Update rack middleware config 2019-04-17 14:48:54 -06:00			`config.active_job.queue_adapter = :delayed_job`
Fix failing tests 2016-05-09 09:08:42 -06:00			`config.action_dispatch.perform_deep_munge = false`
Updating mongoid.yml 2014-05-22 07:42:45 -06:00			`I18n.enforce_available_locales = false`
More webpack reference removals. 2019-01-30 07:00:26 -07:00			`LOCAL_API_HOST = ENV.fetch("API_HOST", "parcel")`
Update rack middleware config 2019-04-17 14:48:54 -06:00			`PARCELJS_URL = "http://#{LOCAL_API_HOST}:3808"`
Stubbed out dashboard and data pages 2014-05-08 08:02:51 -06:00			`config.generators do \|g\|`
Scaffold for mailer. 2016-12-01 11:50:07 -07:00			`g.template_engine :erb`
Upgrade to latest FactoryBot 2017-10-22 07:19:50 -06:00			`g.test_framework :rspec, :fixture_replacement => :factory_bot, :views => false, :helper => false`
Stubbed out dashboard and data pages 2014-05-08 08:02:51 -06:00			`g.view_specs false`
			`g.helper_specs false`
Update rack middleware config 2019-04-17 14:48:54 -06:00			`g.fixture_replacement :factory_bot, :dir => "spec/factories"`
Stubbed out dashboard and data pages 2014-05-08 08:02:51 -06:00			`end`
Update rack middleware config 2019-04-17 14:48:54 -06:00			`config.autoload_paths << Rails.root.join("lib")`
			`config.autoload_paths << Rails.root.join("lib/sequence_migrations")`
Config fixes 2016-11-23 11:40:22 -07:00			`config.middleware.insert_before ActionDispatch::Static, Rack::Cors do`
Added CORS support 2015-10-20 13:25:08 -06:00			`allow do`
Update rack middleware config 2019-04-17 14:48:54 -06:00			`origins "*"`
			`resource "/api/*",`
Added CORS support 2015-10-20 13:25:08 -06:00			`headers: :any,`
			`methods: [:get, :post, :delete, :put, :patch, :options, :head],`
Heroku is doing something with x-Request-Id. Try X-Farmbot-Rpc-Id instead 2017-12-29 11:57:32 -07:00			`expose: "X-Farmbot-Rpc-Id",`
Added CORS support 2015-10-20 13:25:08 -06:00			`credentials: false, # No cookies.`
			`max_age: 0`
			`end`
			`end`
Interpolate API_PORT into docker-compose.yml. Fixes #1598 2019-11-25 12:24:14 -07:00			`API_PORT = ENV["API_PORT"]`
DRY up the usage of ENV["API_HOST"] 2018-01-23 10:18:20 -07:00			`Rails.application.routes.default_url_options[:host] = LOCAL_API_HOST`
Interpolate API_PORT into docker-compose.yml. Fixes #1598 2019-11-25 12:24:14 -07:00			`Rails.application.routes.default_url_options[:port] = API_PORT \|\| 3000`
Second pass for Heroku upgrade 2016-11-08 15:09:46 -07:00			`# ¯\_(ツ)_/¯`
Update rack middleware config 2019-04-17 14:48:54 -06:00			`$API_URL = "//#{Rails.application.routes.default_url_options[:host]}:#{Rails.application.routes.default_url_options[:port]}"`
			`ALL_LOCAL_URIS = ([ENV["API_HOST"]] + (ENV["EXTRA_DOMAINS"] \|\| "").split(","))`
Test EXTRA_DOMAINS + CSP updates 2018-01-13 09:39:43 -07:00			`.map { \|x\| x.present? ? "#{x}:#{ENV["API_PORT"]}" : nil }.compact`
CSP + Reporter done. Need to tune policy config 2018-01-12 15:56:13 -07:00			`SecureHeaders::Configuration.default do \|config\|`
Update rack middleware config 2019-04-17 14:48:54 -06:00			`config.hsts = "max-age=#{1.week.to_i}"`
`critical_email` channel + mailers 2018-03-26 09:35:54 -06:00			`# We need this off in dev mode otherwise email previews won't show up.`
Use whitelist for config.x_frame_options 2019-06-19 13:08:05 -06:00			`config.x_frame_options = "ALLOW-FROM https://farm.bot" # For marketing demos`
Update rack middleware config 2019-04-17 14:48:54 -06:00			`config.x_content_type_options = "nosniff"`
			`config.x_xss_protection = "1; mode=block"`
			`config.x_download_options = "noopen"`
CSP + Reporter done. Need to tune policy config 2018-01-12 15:56:13 -07:00			`config.x_permitted_cross_domain_policies = "none"`
Disable config.x_frame_options 2019-06-19 11:45:46 -06:00			`config.referrer_policy =`
			`%w(origin-when-cross-origin strict-origin-when-cross-origin)`
Fix moment import error 2019-02-01 08:38:27 -07:00			`connect_src = ALL_LOCAL_URIS + [`
			`ENV["MQTT_HOST"],`
			`"api.github.com",`
			`"raw.githubusercontent.com",`
			`"openfarm.cc",`
			`"api.rollbar.com",`
			`PARCELJS_URL,`
			`ENV["FORCE_SSL"] ? "wss:" : "ws:",`
Interpolate API_PORT into docker-compose.yml. Fixes #1598 2019-11-25 12:24:14 -07:00			`"localhost:#{API_PORT}",`
Fix moment import error 2019-02-01 08:38:27 -07:00			`"localhost:3808",`
Add browser-http-intake.logs.datadoghq.com to CSP 2019-09-10 13:16:25 -06:00			`"browser-http-intake.logs.datadoghq.com",`
Interpolate API_PORT into docker-compose.yml. Fixes #1598 2019-11-25 12:24:14 -07:00			`"#{ENV.fetch("API_HOST")}:#{API_PORT}",`
Fix moment import error 2019-02-01 08:38:27 -07:00			`"#{ENV.fetch("API_HOST")}:3808",`
			`]`
:tada: :tada: :tada: App loads under parcel. Thanks, @mischnic !! 2019-02-01 10:35:03 -07:00			`config.csp = {`
CSP + Reporter done. Need to tune policy config 2018-01-12 15:56:13 -07:00			`default_src: %w(https: 'self'),`
			`base_uri: %w('self'),`
:heavy_check_mark: Done with content security policy 2018-01-13 08:44:11 -07:00			`block_all_mixed_content: false, # :( Some webcam feeds use http://`
Fix moment import error 2019-02-01 08:38:27 -07:00			`connect_src: connect_src,`
Fourth draft of CSP- test on staging 2018-01-13 08:38:33 -07:00			`font_src: %w(`
			`'self'`
			`data:`
			`maxcdn.bootstrapcdn.com`
			`fonts.googleapis.com`
			`fonts.gstatic.com`
			`),`
Update rack middleware config 2019-04-17 14:48:54 -06:00			`form_action: %w('self'),`
			`frame_src: %w(), # We need "" to support webcam users.`
			`img_src: %w(* data:), # We need "*" to support webcam users.`
CSP + Reporter done. Need to tune policy config 2018-01-12 15:56:13 -07:00			`manifest_src: %w('self'),`
Update rack middleware config 2019-04-17 14:48:54 -06:00			`media_src: %w(),`
			`object_src: %w(),`
Fourth draft of CSP- test on staging 2018-01-13 08:38:33 -07:00			`sandbox: %w(`
			`allow-scripts`
			`allow-forms`
			`allow-same-origin`
			`allow-modals`
Misc bug fixes and refactoring (#627) * allow external docs links * match upgrade path test cases * style updates: prefer return < over ( * refactor util * import refactor * fix sequence step scroll * refactor mocked paths * remove unnecessary prop * zoom level checks * misc fixes * sync and estop button fixes * don't sync WebAppConfigs 2018-01-20 07:46:44 -07:00			`allow-popups`
Fourth draft of CSP- test on staging 2018-01-13 08:38:33 -07:00			`),`
First draft of CSP- test on staging 2018-01-13 08:20:28 -07:00			`plugin_types: %w(),`
Fix bug for self hosted users noted by @nicmel (thanks!) 2018-01-23 10:07:19 -07:00			`script_src: [`
			`"'self'",`
			`"'unsafe-eval'",`
			`"'unsafe-inline'",`
			`"cdnjs.cloudflare.com",`
			`"chrome-extension:",`
			`"localhost:3808",`
More webpack reference removals. 2019-02-01 07:56:03 -07:00			`PARCELJS_URL,`
[EXPERIMENTAL] Conditionally add DataDog agent. 2019-09-10 13:03:06 -06:00			`"www.datadoghq-browser-agent.com",`
Fix bug for self hosted users noted by @nicmel (thanks!) 2018-01-23 10:07:19 -07:00			`],`
Fourth draft of CSP- test on staging 2018-01-13 08:38:33 -07:00			`style_src: %w(`
Serve bootstrap, font awesome locally 2018-04-03 10:23:22 -06:00			`'self'`
Fourth draft of CSP- test on staging 2018-01-13 08:38:33 -07:00			`'unsafe-inline'`
			`fonts.googleapis.com`
			`maxcdn.bootstrapcdn.com`
			`fonts.gstatic.com`
			`),`
First draft of CSP- test on staging 2018-01-13 08:20:28 -07:00			`worker_src: %w(),`
Fourth draft of CSP- test on staging 2018-01-13 08:33:34 -07:00			`upgrade_insecure_requests: false, # WHY? Some people run webcam feeds`
			`# over plain http://. I wish they`
			`# wouldn't, but I think it's too much`
spellcheck 2019-02-19 19:10:08 -07:00			`# of an inconvenience to block that`
Fourth draft of CSP- test on staging 2018-01-13 08:33:34 -07:00			`# feature. Comments welcome -RC.`
Update rack middleware config 2019-04-17 14:48:54 -06:00			`report_uri: %w(/csp_reports),`
CSP + Reporter done. Need to tune policy config 2018-01-12 15:56:13 -07:00			`}`
			`end`
Finished base app 2014-03-12 07:42:11 -06:00			`end`
			`end`