app-rails: Update template-application-rails to version 1.0.0.post1.dev0+ba942ae

Author: nava-platform-bot

.template-application-rails/app-rails.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.4.1-39-g91f9597
+_commit: v1.0.0-1-gba942ae
 _src_path: https://github.com/navapbc/template-application-rails
 app_local_port: 3100
 app_name: app-rails

app-rails/app/controllers/application_controller.rb

@@ -28,4 +28,40 @@ def after_sign_in_path_for(resource)
 
     users_account_path
   end
+
+  # Intercept redirect_to to replace the host with APP_HOST (the public hostname).
+  def redirect_to(options = {}, response_options_and_flash = {})
+    app_host = ENV["APP_HOST"]
+    if app_host.present?
+      options = case options
+      when String
+        if options.start_with?("http://", "https://")
+          options.sub(%r{\Ahttps?://[^/]+}, "https://#{app_host}")
+        elsif options.start_with?("/")
+          "https://#{app_host}#{options}"
+        else
+          options
+        end
+      when Hash
+        { host: app_host, protocol: "https" }.merge(options)
+      else
+        options
+      end
+      response_options_and_flash = response_options_and_flash.merge(allow_other_host: true)
+    end
+    super
+  end
+
+  private
+
+  # Compare the Origin header against the configured APP_HOST (the public hostname) instead.
+  def valid_request_origin?
+    app_host = ENV["APP_HOST"]
+    if app_host.present?
+      request.origin.nil? || request.origin == "#{request.scheme}://#{app_host}"
+    else
+      super
+    end
+  end
+
 end

app-rails/app/controllers/users/mfa_controller.rb

@@ -34,7 +34,7 @@ def new
     # forcing the user to log in again
     if current_user.access_token_expires_within_minutes?(current_user.access_token, 5)
       sign_out(current_user)
-      redirect_to new_user_session_path
+      redirect_to new_user_session_url
       return
     end
 
@@ -58,12 +58,12 @@ def create
       return redirect_to({ action: :new }, flash: { errors: [ e.message ] })
     end
 
-    redirect_to root_path, { notice: I18n.t("users.mfa.create.success") }
+    redirect_to root_url, { notice: I18n.t("users.mfa.create.success") }
   end
 
   def destroy
     auth_service.disable_software_token(current_user)
-    redirect_to users_account_path, notice: I18n.t("users.accounts.edit.mfa_successfully_disabled")
+    redirect_to users_account_url, notice: I18n.t("users.accounts.edit.mfa_successfully_disabled")
   end
 
   private

app-rails/app/controllers/users/passwords_controller.rb

@@ -24,7 +24,7 @@ def send_reset_password_instructions
       return render :forgot, status: :unprocessable_content
     end
 
-    redirect_to users_reset_password_path
+    redirect_to users_reset_password_url
   end
 
   def reset
@@ -50,7 +50,7 @@ def confirm_reset
       return render :reset, status: :unprocessable_content
     end
 
-    redirect_to new_user_session_path, notice: I18n.t("users.passwords.reset.success")
+    redirect_to new_user_session_url, notice: I18n.t("users.passwords.reset.success")
   end
 
   private

app-rails/app/controllers/users/registrations_controller.rb

@@ -26,7 +26,7 @@ def create
       return render :new, status: :unprocessable_content
     end
 
-    redirect_to users_verify_account_path
+    redirect_to users_verify_account_url
   end
 
   def new_account_verification
@@ -50,7 +50,7 @@ def create_account_verification
       return render :new_account_verification, status: :unprocessable_content
     end
 
-    redirect_to new_user_session_path
+    redirect_to new_user_session_url
   end
 
   def resend_verification_code
@@ -65,7 +65,7 @@ def resend_verification_code
     auth_service.resend_verification_code(email)
 
     flash[:notice] = I18n.t("users.registrations.new_account_verification.resend_success")
-    redirect_to users_verify_account_path
+    redirect_to users_verify_account_url
   end
 
   private

app-rails/app/controllers/users/sessions_controller.rb

@@ -22,7 +22,7 @@ def create
         @form.password
       )
     rescue Auth::Errors::UserNotConfirmed => e
-      return redirect_to users_verify_account_path
+      return redirect_to users_verify_account_url
     rescue Auth::Errors::BaseAuthError => e
       flash.now[:errors] = [ e.message ]
       return render :new, status: :unprocessable_content
@@ -31,7 +31,7 @@ def create
     unless response[:user].present?
       session[:challenge_session] = response[:session]
       session[:challenge_email] = @form.email
-      return redirect_to session_challenge_path
+      return redirect_to session_challenge_url
     end
 
     auth_user(response[:user], response[:access_token])
@@ -40,7 +40,7 @@ def create
   # Show MFA
   def challenge
     if session[:challenge_session].nil?
-      return redirect_to new_user_session_path
+      return redirect_to new_user_session_url
     end
 
     @form = Users::AuthAppCodeForm.new

app-rails/config/environments/production.rb

@@ -50,7 +50,12 @@
 
   # Assume all access to the app is happening through a SSL-terminating reverse proxy.
   # Can be used together with config.force_ssl for Strict-Transport-Security and secure cookies.
-  # config.assume_ssl = true
+  config.assume_ssl = true
+
+  # Azure Application Gateway sets Host: <container-app-fqdn> on backend connections.
+  # Set the default URL host to APP_HOST so that redirects use the public hostname
+  # instead of the internal Container App FQDN.
+  config.action_dispatch.default_url_options = { host: ENV["APP_HOST"] }
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
   config.force_ssl = true