Don't rebuild the middleware stack when using with_routing
#54705
+63
−8
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Fix rails#54595 - ### Problem When using the `with_routing` helper method in an integration test, we rebuild the middleware stack so that the entrypoint of our new stack is the new RouteSet object. By rebuilding the middleware stack from scratch, we may end un-configuring a middleware from an application. We also break the contract of the Rails initialization process. For instance, if you have a middleware that needs to be configured, after the Rails routes are loaded, this is what it would look like: ```ruby # config/application.rb warden_config = nil config.middleware.use Warden::Manager do |config| # The Warden middleware yields its config when the middleware is # instantiated. We can't configure warden yet as the routes # are not yet loaded. warden_config = config end initializer :configure_warden do ActiveSupport.on_load(:after_routes_loaded) do # The routes are now loaded, we can configure warden end end ``` This snippet follows the order of the documented Rails initialization process where first the middleware stack is built and then the routes gets loaded. -------------------- By rebuilding the middleware stack, we unconfigure what was done in the initializer. ### Solution Since rebuilding the middleware stack has some caveats, my idea is to modify the middleware stack original entry point and redefine `call` so that it calls our new RouteSet middleware. We have a reference to the original RouteSet middleware thanks to the `application.routes` method.
This was referenced Mar 6, 2025
|
I'll try to review this tomorrow morning, it's a bit too hairy for tonight. |
|
Verified my test suite passes against this branch (and devise 4.9.4) |
byroot
added a commit
that referenced
this pull request
Mar 7, 2025
Don't rebuild the middleware stack when using `with_routing`
|
Thanks for reviewing! Also thank you @quixoten for helping debug the issue ! |
stevenharman
pushed a commit
to docsend/activerecord-session_store
that referenced
this pull request
Apr 3, 2025
This change allows the disabling of fallback used to access old, insecure sessions, and rewrite them as secure sessions. The fallback was originally added as part of the mitigation of CVE-2019-25025 several years back. However, this fallback mechanism was added over 5 years ago. In many cases, or at least in our case, the expiry on old, insecure, sessions has long since passed. We'd like the ability to disable the fallback entirely as it will never be a valid path for us. See: rails#151 Also, we had to improve our patch for `ActionDispatch::Assertions::RoutingAssertions::WithIntegrationRouting` to handle middleware correctly. This is the same implementation as was added in Rails 8.0. See: rails/rails#54705
stevenharman
pushed a commit
to docsend/activerecord-session_store
that referenced
this pull request
Apr 4, 2025
This change allows the disabling of fallback used to access old, insecure sessions, and rewrite them as secure sessions. The fallback was originally added as part of the mitigation of CVE-2019-25025 several years back. However, this fallback mechanism was added over 5 years ago. In many cases, or at least in our case, the expiry on old, insecure, sessions has long since passed. We'd like the ability to disable the fallback entirely as it will never be a valid path for us. See: rails#151 Also, we had to improve our patch for `ActionDispatch::Assertions::RoutingAssertions::WithIntegrationRouting` to handle middleware correctly. This is the same implementation as was added in Rails 8.0. See: rails/rails#54705
stevenharman
pushed a commit
to docsend/activerecord-session_store
that referenced
this pull request
Apr 4, 2025
This change allows the disabling of fallback used to access old, insecure sessions, and rewrite them as secure sessions. The fallback was originally added as part of the mitigation of CVE-2019-25025 several years back. However, this fallback mechanism was added over 5 years ago. In many cases, or at least in our case, the expiry on old, insecure, sessions has long since passed. We'd like the ability to disable the fallback entirely as it will never be a valid path for us. See: rails#151 Also, we had to improve our patch for `ActionDispatch::Assertions::RoutingAssertions::WithIntegrationRouting` to handle middleware correctly. This is the same implementation as was added in Rails 8.0. See: rails/rails#54705
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation / Background
Fix #54595
Detail
Problem
When using the
with_routinghelper method in an integration test, we rebuild the middleware stack so that the entrypoint of our new stack is the new RouteSet object.By rebuilding the middleware stack from scratch, we may end un-configuring a middleware from an application. We also break the contract of the Rails initialization process.
For instance, if you have a middleware that needs to be configured, after the Rails routes are loaded, this is what it would look like:
This snippet follows the order of the documented Rails initialization process where first the middleware stack is built and then the routes gets loaded.
By rebuilding the middleware stack, we unconfigure what was done in the initializer.
Solution
Since rebuilding the middleware stack has some caveats, my idea is to modify the middleware stack original entry point and redefine
callso that it calls our new RouteSet middleware.We have a reference to the original RouteSet middleware thanks to the
application.routesmethod.Checklist
Before submitting the PR make sure the following are checked:
[Fix #issue-number]