2017-11-08 08:11:31 -07:00
|
|
|
require_relative "../app/models/transport.rb"
|
2014-03-12 07:42:11 -06:00
|
|
|
require File.expand_path('../boot', __FILE__)
|
|
|
|
|
|
2016-08-19 23:24:00 -06:00
|
|
|
require "rails/all"
|
2014-03-12 07:42:11 -06:00
|
|
|
# Require the gems listed in Gemfile, including any gems
|
|
|
|
|
# you've limited to :test, :development, or :production.
|
|
|
|
|
Bundler.require(:default, Rails.env)
|
|
|
|
|
|
2015-03-09 04:31:05 -06:00
|
|
|
module FarmBot
|
2014-03-12 07:42:11 -06:00
|
|
|
class Application < Rails::Application
|
2017-11-09 09:45:11 -07:00
|
|
|
config.active_job.queue_adapter = :delayed_job
|
2016-05-09 09:08:42 -06:00
|
|
|
config.action_dispatch.perform_deep_munge = false
|
2014-05-22 07:42:45 -06:00
|
|
|
I18n.enforce_available_locales = false
|
2014-05-08 08:02:51 -06:00
|
|
|
config.generators do |g|
|
2016-12-01 11:50:07 -07:00
|
|
|
g.template_engine :erb
|
2017-10-22 07:19:50 -06:00
|
|
|
g.test_framework :rspec, :fixture_replacement => :factory_bot, :views => false, :helper => false
|
2014-05-08 08:02:51 -06:00
|
|
|
g.view_specs false
|
|
|
|
|
g.helper_specs false
|
2017-10-22 07:19:50 -06:00
|
|
|
g.fixture_replacement :factory_bot, :dir => 'spec/factories'
|
2014-05-08 08:02:51 -06:00
|
|
|
end
|
2015-01-12 06:14:18 -07:00
|
|
|
config.autoload_paths << Rails.root.join('lib')
|
2016-12-15 13:11:48 -07:00
|
|
|
config.autoload_paths << Rails.root.join('lib/sequence_migrations')
|
2016-11-23 11:40:22 -07:00
|
|
|
config.middleware.insert_before ActionDispatch::Static, Rack::Cors do
|
2015-10-20 13:25:08 -06:00
|
|
|
allow do
|
|
|
|
|
origins '*'
|
|
|
|
|
resource '/api/*',
|
|
|
|
|
headers: :any,
|
|
|
|
|
methods: [:get, :post, :delete, :put, :patch, :options, :head],
|
2017-12-29 11:57:32 -07:00
|
|
|
expose: "X-Farmbot-Rpc-Id",
|
2015-10-20 13:25:08 -06:00
|
|
|
credentials: false, # No cookies.
|
|
|
|
|
max_age: 0
|
|
|
|
|
end
|
|
|
|
|
end
|
2016-12-15 13:11:48 -07:00
|
|
|
Rails.application.routes.default_url_options[:host] = ENV["API_HOST"] || "localhost"
|
2017-07-06 14:04:13 -06:00
|
|
|
Rails.application.routes.default_url_options[:port] = ENV["API_PORT"] || 3000
|
2016-11-08 15:09:46 -07:00
|
|
|
# ¯\_(ツ)_/¯
|
|
|
|
|
$API_URL = "//#{ Rails.application.routes.default_url_options[:host] }:#{ Rails.application.routes.default_url_options[:port] }"
|
2018-01-12 15:56:13 -07:00
|
|
|
SecureHeaders::Configuration.default do |config|
|
|
|
|
|
config.cookies = {
|
|
|
|
|
secure: true, # mark all cookies as "Secure"
|
|
|
|
|
httponly: true, # mark all cookies as "HttpOnly"
|
|
|
|
|
samesite: {
|
|
|
|
|
lax: true # mark all cookies as SameSite=lax
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
# Add "; preload" and submit the site to hstspreload.org for best protection.
|
|
|
|
|
config.hsts = "max-age=#{1.week.to_i}"
|
|
|
|
|
config.x_frame_options = "DENY"
|
|
|
|
|
config.x_content_type_options = "nosniff"
|
|
|
|
|
config.x_xss_protection = "1; mode=block"
|
|
|
|
|
config.x_download_options = "noopen"
|
|
|
|
|
config.x_permitted_cross_domain_policies = "none"
|
|
|
|
|
config.referrer_policy = %w(origin-when-cross-origin strict-origin-when-cross-origin)
|
|
|
|
|
config.csp = {
|
2018-01-13 08:20:28 -07:00
|
|
|
# preserve_schemes: true, # default: false. Schemes are removed from host sources to save bytes and discourage mixed content.
|
2018-01-12 15:56:13 -07:00
|
|
|
|
|
|
|
|
# directive values: these values will directly translate into source directives
|
|
|
|
|
default_src: %w(https: 'self'),
|
|
|
|
|
base_uri: %w('self'),
|
|
|
|
|
block_all_mixed_content: true, # see http://www.w3.org/TR/mixed-content/
|
|
|
|
|
child_src: %w('self'), # if child-src isn't supported, the value for frame-src will be set.
|
2018-01-13 08:20:28 -07:00
|
|
|
connect_src: [ENV["MQTT_HOST"],
|
|
|
|
|
"#{ENV["API_HOST"]}:#{ENV["API_PORT"]}",
|
|
|
|
|
"api.github.com",
|
|
|
|
|
"raw.githubusercontent.com",
|
2018-01-13 08:29:15 -07:00
|
|
|
"openfarm.cc",
|
|
|
|
|
"api.rollbar.com"] +
|
2018-01-13 08:20:28 -07:00
|
|
|
(Rails.env.production? ? %w(wss:) : %w(ws: localhost:3000 localhost:3808)),
|
|
|
|
|
font_src: %w('self' data: maxcdn.bootstrapcdn.com fonts.googleapis.com fonts.gstatic.com),
|
|
|
|
|
form_action: %w('self'), # React forms sometimes post to ''
|
2018-01-12 15:56:13 -07:00
|
|
|
frame_ancestors: %w('none'),
|
2018-01-13 08:20:28 -07:00
|
|
|
img_src: %w(* data:), # We need "*" to support webcam users.
|
2018-01-12 15:56:13 -07:00
|
|
|
manifest_src: %w('self'),
|
2018-01-13 08:20:28 -07:00
|
|
|
media_src: %w(),
|
|
|
|
|
object_src: %w(),
|
|
|
|
|
sandbox: %w(allow-scripts allow-forms allow-same-origin allow-modals),
|
|
|
|
|
plugin_types: %w(),
|
2018-01-13 08:26:14 -07:00
|
|
|
script_src: %w('self' 'unsafe-eval' 'unsafe-inline' cdnjs.cloudflare.com) +
|
2018-01-13 08:20:28 -07:00
|
|
|
(Rails.env.production? ? [] : %w(chrome-extension: localhost:3808)),
|
|
|
|
|
style_src: %w('unsafe-inline' fonts.googleapis.com
|
|
|
|
|
maxcdn.bootstrapcdn.com fonts.gstatic.com),
|
|
|
|
|
worker_src: %w(),
|
|
|
|
|
upgrade_insecure_requests: Rails.env.production?,
|
2018-01-13 08:26:14 -07:00
|
|
|
report_uri: %w(/csrf_reports)
|
2018-01-12 15:56:13 -07:00
|
|
|
}
|
|
|
|
|
end
|
2014-03-12 07:42:11 -06:00
|
|
|
end
|
|
|
|
|
end
|
