Add configuration option for verifying client browser (#144)

README.md

@@ -77,7 +77,11 @@
     - [Prevent Controller Action](#prevent-controller-action)
     - [Broadcasting Turbo Streams](#broadcasting-turbo-streams)
   - [State](#state)
-    - [Ephemeral Page State](#ephemeral-page-state)
+    - [Server Side State](#server-side-state)
+    - [Client Side State](#client-side-state)
+    - [Data Binding](#data-binding)
+    - [State Resolution](#state-resolution)
+    - [Page State](#page-state)
   - [Community](#community)
   - [Developing](#developing)
       - [Notable Files](#notable-files)
@@ -206,14 +210,17 @@ TurboBoost::Commands.config.tap do |config|
   # opt-[in/out] of precompiling TurboBoost assets (*true, false)
   config.precompile_assets = true
 
-  # opt-[in/out] of forgery protection (true, *false)
+  # opt-[in/out] of forgery protection (*true, false)
   config.protect_from_forgery = true
 
   # opt-[in/out] of raising an error when an invalid command is invoked (true, false, *"development", "test", "production")
   config.raise_on_invalid_command = "development"
 
   # opt-[in/out] of state resolution (true, *false)
   config.resolve_state = true
+
+  # opt-[in/out] of verifying the client browser (*true, false)
+  config.verify_client = true
 end
 ```
 
@@ -529,9 +536,23 @@ _Learn more about Turbo Stream broadcasting by reading through the
 
 ## State
 
-TODO: Document state tracking
+### Server Side State
+
+TODO
+
+### Client Side State
+
+TODO
+
+### Data Binding
+
+TODO
+
+### State Resolution
+
+TODO
 
-### Ephemeral Page State
+### Page State
 
 You can opt-in to remember transient page state when using Rails tag helpers with `turbo_boost[:remember]` to track
 element attribute values between requests.

lib/turbo_boost/commands/engine.rb

@@ -25,9 +25,10 @@ class Engine < ::Rails::Engine
     config.turbo_boost_commands[:alert_on_abort] = false # (true, false, "development", "test", "production")
     config.turbo_boost_commands[:alert_on_error] = false # (true, false, "development", "test", "production")
     config.turbo_boost_commands[:precompile_assets] = true # (true, false)
-    config.turbo_boost_commands[:protect_from_forgery] = false # (true, false) TODO: Support override in Commands
+    config.turbo_boost_commands[:protect_from_forgery] = true # (true, false)
     config.turbo_boost_commands[:raise_on_invalid_command] = "development" # (true, false, "development", "test", "production")
     config.turbo_boost_commands[:resolve_state] = false # (true, false)
+    config.turbo_boost_commands[:verify_client] = true # (true, false)
 
     initializer "turbo_boost_commands.configuration", before: :build_middleware_stack do |app|
       Mime::Type.register "text/vnd.turbo-boost.html", :turbo_boost

lib/turbo_boost/commands/middlewares/entry_middleware.rb

@@ -33,6 +33,7 @@ def mime_type
   # @param request [Rack::Request] the request to check
   # @return [Boolean]
   def trusted_client?(request)
+    return true unless TurboBoost::Commands.config.verify_client
     client = DeviceDetector.new(request.env["HTTP_USER_AGENT"])
     return false unless client.known?
     return false if client.bot?

test/dummy/config/initializers/turbo_boost.rb

@@ -13,9 +13,10 @@
 # - alert_on_abort, opt-(in/out) of alerting on abort (true, *false, "development", "test", "production")
 # - alert_on_error, opt-(in/out) of alerting on error (true, *false, "development", "test", "production")
 # - precompile_assets, opt-(in/out) of precompiling assets (*true, false)
-# - protect_from_forgery, opt-(in/out) of forgery protection (true, *false)
+# - protect_from_forgery, opt-(in/out) of forgery protection (*true, false)
 # - raise_on_invalid_command, opt-(in/out) of raising an error if invalid command requested (true, false, *"development", "test", "production")
 # - resolve_state, opt-(in/out) of state resolution (true, *false)
+# - verify_client, opt-(in/out) of verifying the client browser (*true, false)
 #
 TurboBoost::Commands.config.tap do |config|
   config.alert_on_abort = "development"
@@ -24,4 +25,5 @@
   config.protect_from_forgery = true
   config.raise_on_invalid_command = "development"
   config.resolve_state = false
+  config.verify_client = true
 end