grape
grape copied to clipboard
ruby-grape
Customized Errors No Longer Including CORS Related Headers Upgrading from 1.0 to 1.3
Steps to reproduce
What we need to do to see your problem or bug?
I've upgraded Grape from 1.0 to 1.3.3 and can no longer add Access-Control-Allow-Origin and Access-Control-Request-Method to the errors thrown by grape. I am using rescue_from :all to generate the desired status code for errors thrown by active record validations and other causes via this method as well.
rescue_from :all do |error|
error! error.message, FilmCal::Base.status_code_for(error, error.class.to_s), {
'Access-Control-Allow-Origin' => '*',
'Access-Control-Request-Method' => '*'
}
end
The errors throw with the correct status code in my specs BUT the customized headers are not being set.
The more detailed the issue, the more likely that we will fix it ASAP.
To get around the issue earlier on Grape 1.0 -- I returned a custom Rack::Response but AFTER upgrading to 1.3.3 this resulted in all of my specs receiving a 500 error with the message "Invalid Response":
def self.cors_response_to_error(error)
log_error(error)
eclass = error.class.to_s
message = "OAuth error: #{error}" if eclass =~ /WineBouncer::Errors/
opts = prepare_opts(message, error, eclass)
opts[:trace] = error.backtrace[0, 10] unless Rails.env.production?
Rack::Response.new(opts.to_json, status_code_for(error, eclass),
'Content-Type' => 'application/json',
'Access-Control-Allow-Origin' => '*',
'Access-Control-Request-Method' => '*').finish
end
So my thought was maybe this work around was no longer needed. However, I cannot get the standard error! method to honor the customized headers. Without them my client does not receive the errors returned by the server as they are no longer CORS.
Expected behavior
Tell us what should happen
The error response should have 'Access-Control-Allow-Origin' = '' and 'Access-Control-Request-Method' = ''.
Actual behavior
Tell us what happens instead
The headers were not present in the response with or without the explicit customization in the call to error!. All other responses (successfull responses) are receiving the custom headers via:
before do
header['Access-Control-Allow-Origin'] = '*'
header['Access-Control-Request-Method'] = '*'
end
It's only the errors that are not.
System configuration
You can help us to understand your problem if you will share some very useful information about your project environment (don't forget to remove any confidential data if it exists). config.ru
# This file is used by Rack-based servers to start the application.
require 'rack'
require 'rack/cors'
use Rack::Cors do
allow do
origins '*'
resource '*', headers: :any, methods: [:get, :post, :put, :patch, :delete, :options, :head]
end
end
require_relative 'config/environment'
run Rails.application
Ruby version: `` ruby '2.7.1'
Gemfile.lock:
Gemfile.lock content
GIT
remote: https://github.com/antek-drzewiecki/wine_bouncer.git
revision: c82b88f73c7adc43a8e89ca73f7e18952ec30de4
specs:
wine_bouncer (1.0.4)
doorkeeper (>= 1.4, < 6.0)
grape (>= 0.10)
GEM
remote: https://rubygems.org/
specs:
actioncable (6.0.3.2)
actionpack (= 6.0.3.2)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
actionmailbox (6.0.3.2)
actionpack (= 6.0.3.2)
activejob (= 6.0.3.2)
activerecord (= 6.0.3.2)
activestorage (= 6.0.3.2)
activesupport (= 6.0.3.2)
mail (>= 2.7.1)
actionmailer (6.0.3.2)
actionpack (= 6.0.3.2)
actionview (= 6.0.3.2)
activejob (= 6.0.3.2)
mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0)
actionpack (6.0.3.2)
actionview (= 6.0.3.2)
activesupport (= 6.0.3.2)
rack (~> 2.0, >= 2.0.8)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.2.0)
actiontext (6.0.3.2)
actionpack (= 6.0.3.2)
activerecord (= 6.0.3.2)
activestorage (= 6.0.3.2)
activesupport (= 6.0.3.2)
nokogiri (>= 1.8.5)
actionview (6.0.3.2)
activesupport (= 6.0.3.2)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.1, >= 1.2.0)
active_model_serializers (0.10.10)
actionpack (>= 4.1, < 6.1)
activemodel (>= 4.1, < 6.1)
case_transform (>= 0.2)
jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
activejob (6.0.3.2)
activesupport (= 6.0.3.2)
globalid (>= 0.3.6)
activemodel (6.0.3.2)
activesupport (= 6.0.3.2)
activerecord (6.0.3.2)
activemodel (= 6.0.3.2)
activesupport (= 6.0.3.2)
activestorage (6.0.3.2)
actionpack (= 6.0.3.2)
activejob (= 6.0.3.2)
activerecord (= 6.0.3.2)
marcel (~> 0.3.1)
activesupport (6.0.3.2)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 0.7, < 2)
minitest (~> 5.1)
tzinfo (~> 1.1)
zeitwerk (~> 2.2, >= 2.2.2)
acts_as_list (1.0.1)
activerecord (>= 4.2)
addressable (2.7.0)
public_suffix (>= 2.0.2, < 5.0)
ast (2.4.0)
aws-eventstream (1.1.0)
aws-partitions (1.334.0)
aws-sdk-core (3.102.0)
aws-eventstream (~> 1, >= 1.0.2)
aws-partitions (~> 1, >= 1.239.0)
aws-sigv4 (~> 1.1)
jmespath (~> 1.0)
aws-sdk-kms (1.35.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-lambda (1.45.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-s3 (1.70.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sdk-kms (~> 1)
aws-sigv4 (~> 1.1)
aws-sdk-sns (1.26.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sigv4 (1.2.1)
aws-eventstream (~> 1, >= 1.0.2)
bcrypt (3.1.13)
benchmark-ips (2.7.2)
bootsnap (1.4.6)
msgpack (~> 1.0)
builder (3.2.4)
byebug (10.0.2)
case_transform (0.2)
activesupport
choice (0.2.0)
coderay (1.1.3)
concurrent-ruby (1.1.6)
connection_pool (2.2.3)
crack (0.4.3)
safe_yaml (~> 1.0.0)
crass (1.0.6)
daemons (1.3.1)
database_cleaner (1.8.5)
derailed_benchmarks (1.3.4)
benchmark-ips (~> 2)
get_process_mem (~> 0)
heapy (~> 0)
memory_profiler (~> 0)
rack (>= 1)
rake (> 10, < 13)
thor (~> 0.19)
devise (4.7.2)
bcrypt (~> 3.0)
orm_adapter (~> 0.1)
railties (>= 4.1.0)
responders
warden (~> 1.2.3)
diff-lcs (1.4.2)
docile (1.3.2)
doorkeeper (5.4.0)
railties (>= 5)
doorkeeper-jwt (0.4.0)
jwt (~> 2.1)
dotenv (2.7.5)
dotenv-rails (2.7.5)
dotenv (= 2.7.5)
railties (>= 3.2, < 6.1)
down (5.1.1)
addressable (~> 2.5)
dry-configurable (0.11.6)
concurrent-ruby (~> 1.0)
dry-core (~> 0.4, >= 0.4.7)
dry-equalizer (~> 0.2)
dry-container (0.7.2)
concurrent-ruby (~> 1.0)
dry-configurable (~> 0.1, >= 0.1.3)
dry-core (0.4.9)
concurrent-ruby (~> 1.0)
dry-equalizer (0.3.0)
dry-inflector (0.2.0)
dry-logic (1.0.6)
concurrent-ruby (~> 1.0)
dry-core (~> 0.2)
dry-equalizer (~> 0.2)
dry-types (1.4.0)
concurrent-ruby (~> 1.0)
dry-container (~> 0.3)
dry-core (~> 0.4, >= 0.4.4)
dry-equalizer (~> 0.3)
dry-inflector (~> 0.1, >= 0.1.2)
dry-logic (~> 1.0, >= 1.0.2)
erubi (1.9.0)
eventmachine (1.2.7)
factory_bot (6.0.2)
activesupport (>= 5.0.0)
factory_bot_rails (6.0.0)
factory_bot (~> 6.0.0)
railties (>= 5.0.0)
faraday (1.0.1)
multipart-post (>= 1.2, < 3)
ffi (1.13.1)
formatador (0.2.5)
get_process_mem (0.2.5)
ffi (~> 1.0)
globalid (0.4.2)
activesupport (>= 4.2.0)
grape (1.3.3)
activesupport
builder
dry-types (>= 1.1)
mustermann-grape (~> 1.0.0)
rack (>= 1.3.0)
rack-accept
grape-active_model_serializers (1.5.2)
active_model_serializers (>= 0.10.0)
grape (>= 0.8.0)
grape_logging (1.8.3)
grape
rack
guard (2.16.2)
formatador (>= 0.2.4)
listen (>= 2.7, < 4.0)
lumberjack (>= 1.0.12, < 2.0)
nenv (~> 0.1)
notiffany (~> 0.0)
pry (>= 0.9.12)
shellany (~> 0.0)
thor (>= 0.18.1)
guard-rubocop (1.3.0)
guard (~> 2.0)
rubocop (~> 0.20)
haml (5.0.4)
temple (>= 0.8.0)
tilt
hashdiff (0.3.7)
hashie (3.5.7)
hashie-forbidden_attributes (0.1.1)
hashie (>= 3.0)
heapy (0.1.4)
holidays (8.3.0)
i18n (1.8.3)
concurrent-ruby (~> 1.0)
jaro_winkler (1.5.2)
jmespath (1.4.0)
json (2.3.0)
jsonapi-renderer (0.2.2)
jwt (2.2.1)
launchy (2.4.3)
addressable (~> 2.3)
letter_opener (1.6.0)
launchy (~> 2.2)
listen (3.0.8)
rb-fsevent (~> 0.9, >= 0.9.4)
rb-inotify (~> 0.9, >= 0.9.7)
loofah (2.6.0)
crass (~> 1.0.2)
nokogiri (>= 1.5.9)
lumberjack (1.2.6)
mail (2.7.1)
mini_mime (>= 0.1.1)
mailcatcher (0.2.4)
eventmachine
haml
i18n
json
mail
sinatra
skinny (>= 0.1.2)
sqlite3-ruby
thin
marcel (0.3.3)
mimemagic (~> 0.3.2)
memory_profiler (0.9.11)
method_source (1.0.0)
mimemagic (0.3.5)
mini_mime (1.0.2)
mini_portile2 (2.4.0)
minitest (5.14.1)
msgpack (1.3.3)
multipart-post (2.1.1)
mustermann (1.1.1)
ruby2_keywords (~> 0.0.1)
mustermann-grape (1.0.1)
mustermann (>= 1.0.0)
nenv (0.3.0)
nio4r (2.5.2)
nokogiri (1.10.9)
mini_portile2 (~> 2.4.0)
notiffany (0.1.3)
nenv (~> 0.1)
shellany (~> 0.0)
orm_adapter (0.5.0)
parallel (1.14.0)
parser (2.6.0.0)
ast (~> 2.4.0)
pg (1.0.0)
powerpack (0.1.2)
pry (0.13.1)
coderay (~> 1.1)
method_source (~> 1.0)
psych (3.1.0)
public_suffix (4.0.5)
puma (4.3.5)
nio4r (~> 2.0)
puma_worker_killer (0.1.1)
get_process_mem (~> 0.2)
puma (>= 2.7, < 5)
rack (2.2.3)
rack-accept (0.4.5)
rack (>= 0.4)
rack-cors (1.0.2)
rack-protection (2.0.3)
rack
rack-test (1.1.0)
rack (>= 1.0, < 3)
rails (6.0.3.2)
actioncable (= 6.0.3.2)
actionmailbox (= 6.0.3.2)
actionmailer (= 6.0.3.2)
actionpack (= 6.0.3.2)
actiontext (= 6.0.3.2)
actionview (= 6.0.3.2)
activejob (= 6.0.3.2)
activemodel (= 6.0.3.2)
activerecord (= 6.0.3.2)
activestorage (= 6.0.3.2)
activesupport (= 6.0.3.2)
bundler (>= 1.3.0)
railties (= 6.0.3.2)
sprockets-rails (>= 2.0.0)
rails-dom-testing (2.0.3)
activesupport (>= 4.2.0)
nokogiri (>= 1.6)
rails-erd (1.5.2)
activerecord (>= 3.2)
activesupport (>= 3.2)
choice (~> 0.2.0)
ruby-graphviz (~> 1.2)
rails-html-sanitizer (1.3.0)
loofah (~> 2.3)
rails_12factor (0.0.3)
rails_serve_static_assets
rails_stdout_logging
rails_serve_static_assets (0.0.5)
rails_stdout_logging (0.0.5)
railties (6.0.3.2)
actionpack (= 6.0.3.2)
activesupport (= 6.0.3.2)
method_source
rake (>= 0.8.7)
thor (>= 0.20.3, < 2.0)
rainbow (3.0.0)
rake (12.3.3)
rb-fsevent (0.10.4)
rb-inotify (0.10.1)
ffi (~> 1.0)
redis (4.0.3)
responders (3.0.1)
actionpack (>= 5.0)
railties (>= 5.0)
rspec-core (3.9.2)
rspec-support (~> 3.9.3)
rspec-expectations (3.9.2)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.9.0)
rspec-mocks (3.9.1)
diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.9.0)
rspec-rails (4.0.1)
actionpack (>= 4.2)
activesupport (>= 4.2)
railties (>= 4.2)
rspec-core (~> 3.9)
rspec-expectations (~> 3.9)
rspec-mocks (~> 3.9)
rspec-support (~> 3.9)
rspec-support (3.9.3)
rspec_junit_formatter (0.4.1)
rspec-core (>= 2, < 4, != 2.12.0)
rubocop (0.65.0)
jaro_winkler (~> 1.5.1)
parallel (~> 1.10)
parser (>= 2.5, != 2.5.1.1)
powerpack (~> 0.1)
psych (>= 3.1.0)
rainbow (>= 2.2.2, < 4.0)
ruby-progressbar (~> 1.7)
unicode-display_width (~> 1.4.0)
ruby-graphviz (1.2.3)
ruby-progressbar (1.10.0)
ruby2_keywords (0.0.2)
safe_yaml (1.0.4)
sentry-raven (3.0.0)
faraday (>= 1.0)
shellany (0.0.1)
shoulda-matchers (4.3.0)
activesupport (>= 4.2.0)
sidekiq (5.2.9)
connection_pool (~> 2.2, >= 2.2.2)
rack (~> 2.0)
rack-protection (>= 1.5.0)
redis (>= 3.3.5, < 4.2)
simplecov (0.18.5)
docile (~> 1.1)
simplecov-html (~> 0.11)
simplecov-html (0.12.2)
sinatra (2.0.3)
mustermann (~> 1.0)
rack (~> 2.0)
rack-protection (= 2.0.3)
tilt (~> 2.0)
skinny (0.2.2)
eventmachine (~> 1.0)
thin
spring (2.0.2)
activesupport (>= 4.2)
spring-watcher-listen (2.0.1)
listen (>= 2.7, < 4.0)
spring (>= 1.2, < 3.0)
sprockets (4.0.2)
concurrent-ruby (~> 1.0)
rack (> 1, < 3)
sprockets-rails (3.2.1)
actionpack (>= 4.0)
activesupport (>= 4.0)
sprockets (>= 3.0.0)
sqlite3 (1.3.13)
sqlite3-ruby (1.3.3)
sqlite3 (>= 1.3.3)
stackprof (0.2.12)
temple (0.8.0)
thin (1.7.2)
daemons (~> 1.0, >= 1.0.9)
eventmachine (~> 1.0, >= 1.0.4)
rack (>= 1, < 3)
thor (0.20.3)
thread_safe (0.3.6)
tilt (2.0.9)
timecop (0.9.1)
tzinfo (1.2.7)
thread_safe (~> 0.1)
unicode-display_width (1.4.1)
validates_email_format_of (1.6.3)
i18n
vcr (6.0.0)
warden (1.2.8)
rack (>= 2.0.6)
webmock (3.4.2)
addressable (>= 2.3.6)
crack (>= 0.3.2)
hashdiff
websocket-driver (0.7.2)
websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.5)
zeitwerk (2.3.0)
PLATFORMS
ruby
DEPENDENCIES
active_model_serializers (~> 0.10.10)
acts_as_list (~> 1.0.1)
aws-sdk-core (~> 3)
aws-sdk-lambda (~> 1)
aws-sdk-s3 (~> 1)
aws-sdk-sns (~> 1)
bootsnap (>= 1.4.2)
byebug
database_cleaner
derailed_benchmarks
devise (~> 4.7.2)
doorkeeper (~> 5.4.0)
doorkeeper-jwt (~> 0.4.0)
dotenv (~> 2.7.1)
dotenv-rails (~> 2.7.1)
down
factory_bot_rails
ffi (~> 1.13.1)
grape (~> 1.3.3)
grape-active_model_serializers (~> 1.5.2)
grape_logging (~> 1.8.3)
guard-rubocop
hashie-forbidden_attributes
holidays
letter_opener
listen (~> 3.0.5)
mailcatcher
pg
puma (~> 4.1)
puma_worker_killer
rack-cors
rails (~> 6.0.3, >= 6.0.3.2)
rails-erd
rails_12factor
rake (~> 12.3.3)
redis (~> 4.0.1)
rspec-core
rspec-expectations
rspec-mocks
rspec-rails (~> 4.0.0)
rspec-support
rspec_junit_formatter
rubocop (~> 0.65.0)
sentry-raven
shoulda-matchers
sidekiq
simplecov
spring
spring-watcher-listen (~> 2.0.0)
stackprof
timecop
tzinfo-data
validates_email_format_of (~> 1.6.3)
vcr
webmock
wine_bouncer!
RUBY VERSION
ruby 2.7.1p83
BUNDLED WITH
2.1.4
Here is an example of what's happening in my specs. All of my specs that return a 200 response have the correct headers. For example this spec passes:
it 'returns a 200 with the [redacted] if the user is [redacted]' do
#...
get_as_user path
expect(response.status).to eq(200)
body = JSON.parse(response.body)
expect(body.length).to eq 2
result_ids = [body[0]['uuid'], body[1]['uuid']]
expect(result_ids.include?(first_event.uuid)).to eq true
expect(result_ids.include?(second_event.uuid)).to eq true
expect(response.headers['Content-Type']).to match('json')
expect(response.headers['Access-Control-Allow-Origin']).to eq('*')
expect(response.headers['Access-Control-Request-Method']).to eq('*')
end
However, any spec expecting an error gets the right content-type, error code, etc.. but the additional CORS headers are no longer present:
it 'returns a 404 if the user does not have permission' do
get_as_user path
expect(response.status).to eq(404)
expect(response.headers['Content-Type']).to match('json')
expect(response.headers['Access-Control-Allow-Origin']).to eq('*')
expect(response.headers['Access-Control-Request-Method']).to eq('*')
end
At the very least I would say that the regression is not expected. Do you think you could turn this spec into one in the Grape project that was succeeding < 1.3.3?
Sure. Is there a specific set of specs I should look at when writing one for the library to test this? Let me know and I will work on a PR.
@dblock you know it looks like this must just be an issue with 1.3.3. I upgraded to 1.4 by installing directly from master and my specs pass when I use the headers option on error! as mentioned earlier:
rescue_from :all do |error|
error! error.message, FilmCal::Base.status_code_for(error, error.class.to_s), {
'Access-Control-Allow-Origin' => '*',
'Access-Control-Request-Method' => '*'
}
end
My work around returning a rack response directly still returns an "Invalid Response" error but that is not a big deal as it was a work around anyway.
I am a little worried that we introduced a regression, then fixed it, but still don't have specs for this. I don't see anything in CHANGELOG that says something like this should be fixed. Do appreciate if you could write a set of specs for this behavior, add a new file in spec/grape/api and we can see if we already have something similar later. Once you have a failing spec on 1.3.3 try bisecting it down to a fix in 1.4.0.