Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
187 additions
and
0 deletions.
There are no files selected for viewing
187 changes: 187 additions & 0 deletions
187
source/blog/2016-07-22-announcing-hanami-080.html.markdown
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,187 @@ | ||
--- | ||
title: Announcing Hanami v0.8.0 | ||
date: 2016-07-22 13:26 UTC | ||
tags: announcements | ||
author: Luca Guidi | ||
image: true | ||
excerpt: > | ||
New validations syntax with predicates, high level rules and error messages. | ||
JSON logger format, faster static assets serving. | ||
Subresource Integrity, updated Content Security Policy, and new HTTP security headers. | ||
--- | ||
|
||
This is the first minor release after the [project rebranding](/blog/2016/01/22/lotus-is-now-hanami.html) happened a few months ago. | ||
|
||
We waited for so long for this version in order to have the largest feedback cycle since this project was started four years ago. | ||
We had a lot of new contributions for new features, bug fixes, real world experiences. | ||
At this point we're really close to 1.0. | ||
|
||
In the meantime, we started tech alliances with [dry-rb](http://dry-rb.org) and [ROM](http://rom-rb.org). | ||
We're working close with these two amazing projects (and communities) to make the Ruby ecosystem stronger. | ||
|
||
As result of this collaboration, we can ship today a new and powerful validation syntax based on [dry-validation](http://dry-rb.org/gems/dry-validation). | ||
|
||
## Features | ||
|
||
### New Validations Syntax | ||
|
||
This new poweful syntax overcomes the limit that we have reached with the old design: no control on the order of execution and lack of extensibility. | ||
We realized that complex validation rules are hard to describe with DSL options, so we made possible to express these rules with Ruby macros. | ||
|
||
The results are astonishing: beside of the better expressiveness, we guardantee type safety and time execution which is faster than the past. | ||
|
||
```ruby | ||
# apps/web/controllers/books/create.rb | ||
module Web::Controllers::Books | ||
class Create | ||
include Web::Action | ||
|
||
params do | ||
required(:book).schema do | ||
required(:title).filled(:str?) | ||
required(:price).filled(:float?, gt?: 0.0) | ||
optional(:sale).filled(:bool?) | ||
end | ||
end | ||
|
||
def call(params) | ||
if params.valid? | ||
# persist | ||
else | ||
self.status = 422 | ||
end | ||
end | ||
end | ||
end | ||
``` | ||
|
||
```ruby | ||
# apps/web/views/books/create.rb | ||
module Web::Views::Books | ||
class Create | ||
include Web::View | ||
template 'books/new' | ||
end | ||
end | ||
``` | ||
|
||
```erb | ||
# apps/web/templates/books/new.html.erb | ||
<% unless params.valid? %> | ||
<div> | ||
<p>There was a problem</p> | ||
<ul> | ||
<% params.error_messages.each do |message| %> | ||
<li><%= message %></li> | ||
<% end %> | ||
</ul> | ||
</div> | ||
<% end %> | ||
``` | ||
|
||
### Subresource Integrity | ||
|
||
A CDN can dramatically improve page speed, but it can potentially open a security breach. | ||
If the CDN that we're using is compromised and serves evil javascript files, we're exposing our users to security attacks like Cross Site Scripting (XSS). | ||
|
||
To solve this problem browsers vendor introduced a defense called [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity). | ||
|
||
When enabled, the browser verifies that the checksum of the downloaded file, matches with the declared one. | ||
|
||
#### From A CDN | ||
|
||
If we're using jQuery from their CDN we should check on their website what's the checksum of the `.js` file and write: | ||
|
||
```erb | ||
<%= javascript 'https://code.jquery.com/jquery-3.1.0.min.js', integrity: 'sha256-cCueBR6CsyA4/9szpPfrX3s49M9vUU5BgtiJj06wt/s=' %> | ||
``` | ||
|
||
The output will be: | ||
|
||
```html | ||
<script integrity="sha256-cCueBR6CsyA4/9szpPfrX3s49M9vUU5BgtiJj06wt/s=" src="https://code.jquery.com/jquery-3.1.0.min.js" type="text/javascript" crossorigin="anonymous"></script> | ||
``` | ||
|
||
#### Local Assets | ||
|
||
The security problem described above doesn't concern only CDNs, but local files too. | ||
Imagine we have a compromised file system and someone was able to replace our javascripts with evil files: we would be vulnerable to the same kind of attack. | ||
|
||
As a defense against this security problem, Hanami **enables Subresource Integrity by default in production.** | ||
When we [precompile the assets](/guides/command-line/assets) at the deploy time, Hanami calculates the checksum of all our assets and it adds a special HTML attribute `integrity` to our asset tags like `<script>`. | ||
|
||
```erb | ||
<%= javascript 'application' %> | ||
``` | ||
|
||
```html | ||
<script src="/assets/application-92cab02f6d2d51253880cd98d91f1d0e.js" type="text/javascript" integrity="sha256-WB2pRuy8LdgAZ0aiFxLN8DdfRjKJTc4P4xuEw31iilM=" crossorigin="anonymous"></script> | ||
``` | ||
|
||
### Security Updates | ||
|
||
We updated our default security settings to support [Content Security Policy](https://content-security-policy.com) 1.1 and 2.0 (1.0 is still supported). | ||
|
||
Alongside with this improvement, we have now turned on two extra security HTTP headers: `X-Content-Type-Options` and `X-XSS-Protection`. | ||
|
||
### Misc | ||
|
||
New settings for logging: Hanami now supports per environment stream (standard output, file, etc..), level and formatter. | ||
Because of JSON parseability, for production env there is now a JSON formatter for the logger. | ||
|
||
## Upgrade Notes | ||
|
||
Please have a look at the [upgrade notes for v0.8.0](/guides/upgrade-notes/v080). | ||
|
||
## Contributors | ||
|
||
We're grateful for each person who contributed to this release. | ||
These lovely people are: | ||
|
||
* [Alexander Gräfe](https://github.com/rickenharp) | ||
* [Alexandr Subbotin](https://github.com/KELiON) | ||
* [Andrew De Ponte](https://github.com/cyphactor) | ||
* [Andrey Deryabin](https://github.com/aderyabin) | ||
* [Andrey Morskov](https://github.com/accessd) | ||
* [Anton Davydov](https://github.com/davydovanton) | ||
* [Ariejan de Vroom](https://github.com/ariejan) | ||
* [Artem Nistratov](https://github.com/ADone) | ||
* [Beat](https://github.com/beatrichartz) | ||
* [Bernardo Farah](https://github.com/berfarah) | ||
* [Cang Ta](https://github.com/hoksilato) | ||
* [Dane Balia](https://github.com/daneb) | ||
* [Eric Freese](https://github.com/ericfreese) | ||
* [Erol Fornoles](https://github.com/Erol) | ||
* [Felipe Espinoza](https://github.com/fespinoza) | ||
* [Hiếu Nguyễn](https://github.com/hieuk09) | ||
* [Josh Bodah](https://github.com/jbodah) | ||
* [Kadu Ribeiro](https://github.com/duduribeiro) | ||
* [Karim Tarek](https://github.com/karimmtarek) | ||
* [Leonardo Saraiva](https://github.com/vyper) | ||
* [Lucas Amorim](https://github.com/lucasallan) | ||
* [Mahesh](https://github.com/maheshm) | ||
* [Marcello Rocha](https://github.com/mereghost) | ||
* [Matt McFarland](https://github.com/vanetix) | ||
* [Matthew Gibbons](https://github.com/accuser) | ||
* [Maxim Dorofienko](https://github.com/mdorfin) | ||
* [Neil Matatall](https://github.com/oreoshake) | ||
* [Nicola Racco](https://github.com/nicolaracco) | ||
* [Nikita Shilnikov](https://github.com/flash-gordon) | ||
* [Nikolay Shebanov](https://github.com/killthekitten) | ||
* [Ozawa Sakuro](https://github.com/sakuro) | ||
* [Pascal Betz](https://github.com/pascalbetz) | ||
* [Rogério Ramos](https://github.com/habutre) | ||
* [Rogério Zambon](https://github.com/rogeriozambon) | ||
* [Sean Collins](https://github.com/cllns) | ||
* [Sebastjan Hribar](https://github.com/sebastjan-hribar) | ||
* [Semyon Pupkov](https://github.com/artofhuman) | ||
* [Semyon Pupkov](https://github.com/artofhuman) | ||
* [Steve Hook](https://github.com/stevehook) | ||
* [TheSmartnik](https://github.com/TheSmartnik) | ||
* [Tran Duy Khoa](https://github.com/duykhoa) | ||
* [Vasilis Spilka](https://github.com/vasspilka) | ||
* [akhramov](https://github.com/akhramov) | ||
* [deepj](https://github.com/deepj) | ||
* [nessur](https://github.com/nessur) | ||
|
||
Thank you all! |
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.