This Week in Rails: New security headers and many improvements

Hello everyone! This is Kir and Greg bringing you the latest news from the Rails world.

This Week’s Contributors

57 people contributed to Rails the past 2 weeks! If you’d like to join them, why not check out the list of open issues?

New security headers added

X-Download-Options and X-Permitted-Cross-Domain-Policies are now in the default header list.

Fix an edge case in rails db:create

Previously, when the schema cache was present but the database had not been created yet, rails db:create would fail with a connection error.

StreamingTemplateRenderer failed to forward I18n.locale

This commit fixes an issue where, when using render stream: true, the current locale was not forwarded to the renderer.

Quote column_names when building select

This PR makes sure column names are quoted, avoiding SQL syntax errors when a from clause is used together with ignored columns.

Cleanup variants in Active Storage

Active Storage will now destroy variants together with the main blob when it is deleted.

Custom server in system tests

With this PR, Rails won’t override your custom Capybara server configuration, so for example you can use Unicorn instead of Puma.

Provide instant feedback when booting

From now on, when you call rails s or rails console you get instant feedback in the console showing that Rails is booting.

Optimizing information_schema query for foreign_keys

Using the CONSTRAINT_SCHEMA key when querying information_schema.referential_constraints improves the performance of Active Record’s foreign_keys lookup.

Initial support for running Rails on FIPS-certified systems

This PR lets you switch the hash function Rails uses from MD5 to a FIPS-approved one by changing the active_support.use_fips_approved_hash_function configuration.

Log the original call site for an Active Record query

This change lets you enable logging of the line of application code that triggers each SQL query.

That’s it for this week, as always, we couldn’t cover all of the changes, but feel free to check the commits. If you’d like to join them, check out the list of open issues. Until next week!

This Week in Rails: Rails 5.2 beta, new PostgreSQL features, preload link and more!

Hello everyone! This is Roque bringing you the latest news from the Rails world.

Rails 5.2.0 beta released 🎉

This release includes Active Storage, a new framework provided by Rails to make it easier to upload and process files.

This Week’s Contributors

24 people contributed to Rails the past week! If you’d like to join them, why not check out the list of open issues?

Add support for PostgreSQL operator classes to add_index

Operator classes tell the index which database operators to use for its columns. You can assign one operator class to all columns or specify them per column. This currently only supports PostgreSQL.

Add ability to create PostgreSQL foreign keys without validation

Normally, PostgreSQL verifies that all rows in a table satisfy its foreign key constraints. With this option, you can create these constraints without the overhead of checking whether existing rows are valid.

The helper creates a link tag with the preload keyword, which lets you declare resources the page will need very soon after loading. In addition, Rails will send HTTP/2 Early Hints if the proxy server supports them, speeding up the fetch.

Prevent Active Record scopes with reserved names

An error will be raised when defining scopes with names already defined by ActiveRecord::Relation instance methods.

That’s it for this week, as always, we couldn’t cover all of the changes, but feel free to check the commits. If you’d like to join them, check out the list of open issues. Until next week!

Rails 5.2.0 beta: Active Storage, Redis Cache Store, HTTP/2 Early Hints, CSP, Credentials

It’s been too hard to deal with file uploads in Rails for too long. Sure, there’s been a lot of fine plugins available, but it was overdue that we incorporated something right into the framework. So now we have!

With the new Active Storage framework in Rails 5.2, we’ve solved for the modern approach of uploading files straight to the cloud. Out of the box, there’s support for Amazon’s S3, Google’s Cloud Storage, and Microsoft Azure Cloud File Storage.

If you’re dealing with images, you can create variants on the fly. If you’re dealing with videos or PDFs, you can create previews on the fly. And regardless of the type, you can analyze uploads for metadata extraction asynchronously.

Active Storage was extracted from Basecamp 3 by George Claghorn and yours truly. So not only is the framework already used in production, it was born from production. There’s that Extraction Design guarantee stamp alright!

Speaking of extractions, Jeremy Daer has untangled the long jungle twine of hacks we were using at Basecamp to employ Redis for general partial, fragment, and other Rails caching jobs. There’s a sparkling new Redis Cache Store that incorporates all those years of veteran hacks into a cohesive unit that anyone can use.

This new Redis Cache Store supports Redis::Distributed, for Memcached-like sharding across Redises. It’s fault tolerant, so will treat failures like misses, rather than kill the request with an exception. It even supports distributed MGETs for that full partial collection caching goodness.

This comes together with a massive leap forward for cache efficiency with key recycling and compression both available by default. For Basecamp, it meant improving the cache lifetime by two orders of magnitude! We went from having caches trashed in as little as a day to having caches last for months. If you’re using partial caching and the nesting doll strategy, your cache lifetime will improve dramatically between these two changes.

We’ve also embraced the cherry of HTTP/2 with early hints through the work of Aaron Patterson and Eileen Uchitelle. This means we can automatically instruct the web server to send required style sheet and JavaScript assets early. Which means faster full page delivery, as who wouldn’t want that?

On the topic of performance, Rails now ships with Bootsnap in the default Gemfile, created by our friends at Shopify. It generally reduces application boot times by over 50%.

Rails has always been in the forefront of making your web applications more secure, leading the way with built-in CSRF and XSS protection and we’ve enhanced that further in Rails 5.2 with the addition of a new DSL that allows you to configure a Content Security Policy for your application. You can configure a global default policy and then override it on a per-resource basis and even use lambdas to inject per-request values into the header such as account subdomains in a multi-tenant application.

But it’s not all just new starry-eyed wonders. In Rails 5.1, we added encrypted secrets. These secrets were like the old secrets but, uhm, more secret, because, you know, ENCRYPTION! Confusing? Yes. Why would you want secrets that weren’t really secret? Well, you don’t.

In Rails 5.2, we’ve rectified the mess by deprecating the two different kinds of secrets and introduced a new shared concept called Credentials. Credentials, like AWS access keys and other forms of logins and passwords, were the dominant use case for secrets, so why not just call a spade a spade. So spade it is!

Credentials are always encrypted. This means they’re safe to check into revision control, as long as you keep the key out of it. That means atomic deploys, no need to mess with a flurry of environment variables, and other benefits of having all credentials that the app needs in one place, safe and secure.

In addition, we’ve opened up the API underlying Credentials, so you can easily deal with other encrypted configurations, keys, and files.

Since Rails 5.1, we’ve also made great strides with Webpacker. So Rails 5.2 is meant to pair beautifully with the new Webpacker 3.0 release. Rails has fully embraced modern JavaScript with a pre-configured build pipeline run by Webpack. We keep strengthening that relationship.

And of course there’s about five bajillion other fixes, improvements, and tweaks in this new, big release of Rails. It’s been lovingly tendered over the past seven months or so since Rails 5.1. We’re so happy to share all this with you, and as always thank the many, many contributors for their continued effort to make Rails the wonderful framework that it is.

This is the first beta release of Rails 5.2. We are still putting the final touches on everything, but you are strongly encouraged to give it a spin! Please try to both upgrade existing apps and start new apps on it. We need your help for a solid release. Note that Basecamp is already running the latest in production, so while there might still be some issues, it’s already in respectable shape.

Note also that this is likely to be the last “minor” (pretty major for a minor, if you ask me!) release of the 5-series. Our next target will be Rails 6.0!

This Week in Rails: expiring counters, flush db connections, connection fork safety and more!

Hi! Prathamesh here! Let’s see what we have in store today from the Rails world.

This Week’s Contributors

This week we had 25 contributors. 8 of them were first time contributors!!!! 🎉

Support expiring counters for Memcached Store

This change adds support for passing the expires_in option to the #increment and #decrement methods of the Memcached store.

Flush idle database connections automatically

A new configuration option flushes idle database connections after a specified period, defaulting to 300 seconds. This change ensures that you don’t have idle database connections hanging around in your connection pool.

Improve Active Record connection fork safety

This change ensures that forked children don’t send quit/shutdown/goodbye messages to the server on connections that belonged to their parent. It prevents the connection leakage that can happen when connections are not closed as workers are forked from the parent process.

Generate ids by default for form_with helper

When form_with was introduced, the auto-generation of ids was disabled. Labels don’t play well with inputs that have no ids, and it also made the forms harder to test. This change enables the auto-generation of ids by default and allows you to disable it with a config option.

Pass informative arguments to all calls of ActiveRecord::RecordNotFound error

ActiveRecord::RecordNotFound accepts arguments such as primary_key and model_name in addition to the error message. This change makes all the calls to this error uniform by passing these arguments wherever they were missing.

Make secure_compare method not leak length information

This change makes sure that even in case of variable length strings, the ActiveSupport::SecurityUtils.secure_compare doesn’t leak the length information.
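The technique behind that change, as an added example that is not Rails’ own source (the module and method names are this example’s own): variable-length inputs are first hashed to a fixed-length digest, and only then compared byte by byte in constant time, so the comparison loop’s running time no longer depends on the length of the secret.

```ruby
require "digest"

# Added illustration of length-hiding constant-time comparison.
# Not Rails' own code; names below are assumptions of this example.
module SecureCompareExample
  # Compare two strings of equal length in constant time: XOR every
  # byte pair and OR the results together, so the loop never exits
  # early on the first mismatch.
  def self.fixed_length_secure_compare(a, b)
    raise ArgumentError, "string length mismatch" unless a.bytesize == b.bytesize

    left = a.unpack("C*")
    result = 0
    b.each_byte { |byte| result |= byte ^ left.shift }
    result.zero?
  end

  # Variable-length inputs are reduced to fixed-length SHA-256 hex
  # digests (always 64 characters), so the byte-by-byte loop runs over
  # the same number of bytes no matter how long the inputs are and the
  # comparison's timing reveals nothing about the secret's length.
  # The trailing a == b only runs when the digests already match and
  # guards against a digest collision.
  def self.secure_compare(a, b)
    fixed_length_secure_compare(Digest::SHA256.hexdigest(a),
                                Digest::SHA256.hexdigest(b)) && a == b
  end
end
```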

That’s all we’ve got for this week, but do check out the full list of changes yourself. Over and out! See you next week ✌️

This Week in Rails: Better Source Code Formatting, Improved Ajax API and more!

Hi! Tim here! About to bring you the latest in all things Rails….

This Week’s Contributors

This week we had 12 contributors, including 1 for the very first time! Huge thanks to all of you!

Make beforeSend optional in Rails.ajax

Rails.ajax requires a beforeSend parameter but for some this means having to supply a no-op function. It can now be omitted entirely, thanks to this enhancement!

Prevent source line wrapping in rescue layout

You may be used to seeing source extracts in development mode when encountering runtime errors. Long lines currently get wrapped, but this change aids readability by letting you scroll instead.

That’s all we’ve got for this week, but do check out the full list of changes yourself. Wishing you all a Happy Friday, many Friday Hugs, and not too many Hallowe’en candy hangovers! Over and out!

This Week in Rails: 5.1 deprecations removed, SystemTestCase load hook and more!

Hey there, it’s Kasper, bringing you the latest edition of This Week in Rails!

Remove Rails 5.1 deprecations from the code

All the code that was deprecated in Rails 5.1 is now removed in one fell swoop by the Rails 5.2 release manager — now you know how these removals are handled too, so please don’t send individual removal PRs.

Psssst: it also brings us another step closer to the first 5.2 beta.

Add SystemTestCase load hook

Allows gems or app code to hook in when ActionDispatch::SystemTestCase has been fully loaded.

Add allow_other_host option to redirect_back

When passed false, the new allow_other_host option will restrict redirect_back links to just the current host, so users will only stay on your site.

It’s not on by default, so users can enjoy a trip off-world on another host.

That’s it for now! As always, there isn’t enough time to cover every change, so if you’d like, check out the full list of changes yourself.

This Week in Rails: PhantomJS replaced with Chrome headless, bugfixes and more!

Hi there! It’s Kir, bringing you a new edition of This Week in Rails!

Replace PhantomJS with Selenium/Chrome headless

PhantomJS has been abandoned, while Chrome now provides native support for headless mode, which is now the recommended way.

Allow symbol list for ignored_columns

This PR fixes a bug where symbols assigned to ignored_columns in Active Record were ignored. Now the accessor accepts both strings and symbols.

Fix ajax callbacks in UJS

Previously, returning false from the ajax:beforeSend callback didn’t cancel the request as expected.

That’s it for now! As always, there isn’t enough time to cover every change, so if you’d like, check out the full list of changes yourself.

This Week in Rails: Redis 4.0 support, fixes and more!

Hello everyone! This is Roque bringing you the latest news from the Rails world.

redis-rb 4.0 support

Adds support for redis-rb versions greater than or equal to 3.3 and less than 5.

This Week’s Contributors

25 people contributed to Rails the past week! If you’d like to join them, why not check out the list of open issues?

Introduce blob representation to Active Storage

Representing a blob returns an ActiveStorage::Preview instance for a previewable file, or an ActiveStorage::Variant instance for an image.

Safer redirect_back method

The allow_other_host option can now block redirects to a different host. The option is true by default to keep it backward compatible.
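The host check behind this option and the earlier “Add allow_other_host option to redirect_back” item, as an added stand-alone example rather than Rails’ own code: request_host stands in for the request’s host, and the module and method names are assumptions of this example.

```ruby
require "uri"

# Added illustration of how redirect_back can choose between the Referer
# header and a fallback location. Not Rails' own code; the names and
# the request_host argument are this example's assumptions.
module RedirectBackExample
  # True only when the referer parses as a URL whose host equals the
  # host that served the current request. A referer with no host
  # (relative path, empty string) or one that does not parse is not
  # treated as allowed.
  def self.url_host_allowed?(referer, request_host)
    URI(referer.to_s).host == request_host
  rescue URI::InvalidURIError
    false
  end

  # With allow_other_host: true (the backward-compatible default) any
  # present referer is used. With false, a referer on another host,
  # a missing referer, and a malformed referer all fall back to
  # fallback_location, keeping users on the current site.
  def self.redirect_target(referer, request_host, fallback_location, allow_other_host: true)
    if referer && (allow_other_host || url_host_allowed?(referer, request_host))
      referer
    else
      fallback_location
    end
  end
end
```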

Fix Active Support cache clean up

Rails was using the stored keys to remove files, instead of the filenames.

Fix Active Job to yield error when rescheduling fails

The retry_on method now yields the actual error to the block instead of the exception class.

That’s it for this week, as always, we couldn’t cover all of the changes, but feel free to check the commits. If you’d like to join them, check out the list of open issues. Until next week!

This Week in Rails: HTTP/2 Early hints, friendly error message and more!

Hi there! It’s Prathamesh from Pune, enjoying rain 🌧, sipping ☕️ coffee and bringing you the latest news from the Rails world. Let’s get started!

This Week’s Contributors

13 people contributed to Rails the past week! If you’d like to join them, why not check out the list of open issues?

HTTP2 early hints support for Rails

Early Hints is a new HTTP status code that allows your application to send links to assets that you would like to load early. The spec is still in draft but Rails is ready to support it along with Puma. Check this blog post to know more about this feature.

Friendly error message when unsubscribing from non-existent Action Cable subscription

If for some reason the frontend code tries to unsubscribe from a non-existent Action Cable subscription, a friendly error message will now be displayed:

Unable to find subscription with identifier: {"channel":"SomeChannel"}.

Earlier, it used to show:

NoMethodError - undefined method `unsubscribe_from_channel' for nil:NilClass

Feel free to check out the full list of changes.

Thanks to the 13 people who contributed to Rails last week. If you’d like to join them, check out the list of open issues. Until next week 👋

This Week in Rails: getting closer to Rails 5.2 beta

Hi there! It’s Claudio from sunny Los Angeles. Step by step we are getting closer to the first beta of Rails 5.2. Check out the changes that occurred in Ra-Ra-Rails-land last week.

Rails 4.2.10 released

Unless more regressions are found this will likely be the last release for Rails 4.2.

This Week’s Contributors

28 people contributed to Rails the past week! If you’d like to join them, why not check out the list of open issues?

Preview PDFs and videos

If you use Active Storage, you can now easily provide image previews for PDF files and videos!

Add Key Rotation to MessageEncryptor and MessageVerifier and simplify the Cookies middleware

This PR introduces ActiveSupport::KeyRotator which provides an interface for easily rotating between different encryption ciphers or message digests, salts, and secrets.

Implement change_table_comment and change_column_comment for MySQL

Previously, the two methods were only implemented for PostgreSQL.

Ensure HWIA#transform_keys returns HWIA

Makes #transform_keys coherent with other methods of HashWithIndifferentAccess such as #transform_values, #select and #reject.

Treat Set as an Array in Relation#where

You can now safely use Set in your Active Record query, e.g.: 

User.where(id: Set.new([1, 2]))

Feel free to check out the full list of changes.

Thanks to the 28 people who contributed to Rails last week. If you’d like to join them, check out the list of open issues.