ackama / rails-template Goto Github PK

I would love to be able to offer 2fa in our Rails apps for the same cost as regular user management.

I have used https://github.com/tinfoil/devise-two-factor successfully in the past. It's good but it doesn't provide any UI for managing the second factor e.g. creating it, resetting it, allowing admins to manage it etc. so we would need to create all that.

We would probably need to spend some time figuring out the UX of all that first.

Following is an intermittent issue. Having recently updated my macOS to Catalina am having a issue with setting up the ackama rails template in using both rails 6.0.0 & ruby 2.6.2 and also with rails 6.0.1 and ruby 2.6.5

The issue seems to be that the bin/setup script does not run automatically . In this particular instance the errors point to the gems Bootsnap and ffi not being found.

after running gem pristine bootsnap 1.4.5
and
gem pristine ffi 1.11.3
I ran bin/setup (everything ran as I would expect)
and then I ran
brew update-reset

After running last command things seem to be working as normal until the bin/rake db: create:all is run the next error happens.

Sprockets::Railtie::ManifestNeededError: Expected to find a manifest file in
app/assets/config/manifest.js

https://github.com/flyerhzm/bullet

ESLint should be part of our frontend CI process, just like sass-lint is.

Merrin mentioned that we create test/ and spec/ in the Rails app which is bit confusing.

I did some research by creating a bunch of rails apps

rails --version
Rails 6.0.1

# create rails apps to compare
rails new --no-rc eoin-defaults
rails new --no-rc --skip-test  eoin-skip-test
rails new --no-rc  --skip-system-test eoin-skip-system-test
rails new --no-rc --skip-test --skip-system-test eoin-skip-test-skip-system-test

I found that if you pass --skip-test --skip-system-test then:

• the :test group in Gemfile is not created
• the test/ directory is not created

In all other cases the test/ directory is created.

Conclusion

I think we want the :test group to be created in Gemfile so we should manually remove the test/ dir as part of our template (in the after_bundle hook so we run after the built-in Rails new stuff has already run).

Setup of performance tests is a little fiddly so it would be great to have it built-in

I personally don't feel like I get a lot of value from git hook checks on the projects I'm on. I'm happy to go with whatever the consensus is but here's my reasoning:

Costs

1. We have linters for everything anyway (so overcommit isn't actually doing new checks) - CI will catch any code issues before anybody else sees them.
2. Overcommit really gets in the way sometimes when you are working on a spike or doing some ops/CI change that requires a lot of commit & push flow.
3. Git hooks don't play particularly nicely with Git GUIs e.g. SourceTree makes me do a lot of clicking to find out why overcommit was sad if a commit fails
4. The cross-platform issues outlined by @G-Rath on PR #105

Benefits

1. The only benefit I see is that it should reduce the number of Fixup rubocop commits. I say reduce not eliminate because on larger projects (where rubocop takes a while to fun) I started adding -n to git command to skip hooks because running them was just annoying in my context.

While it's always possible for me to just be lazy, a few contexts where this makes sense are when you are committing a lot on a spike or trying to sort out some ops/CI issue which requires a lot of commits and the slowness becomes grating.

Summary

I don't think the benefits are worth the cost of adding lots of friction to the git commit flow for most projects.

I think that we should remove it from the template and let teams opt-in to it if it makes sense for their use-case.

In config/application.rb, there is an insert_after rule:

insert_into_file "config/application.rb", after: /^require 'rails\/all'/ do
  # the empty line at the beginning of this string is required
  <<-'RUBY'

    require_relative '../app/middleware/http_basic_auth'
  RUBY
end
``

The problem is, if any `--skip-*` options are provided (`--skip-action-cable`, `--skip-action-mailbox` etc), the line is not matched, so the content is not inserted.This then causes an uninitialized constant:

   rails  webpacker:install

rails aborted!
NameError: uninitialized constant MyNewProject::Application::HttpBasicAuth
/home/josh/Projects/github.com/ackama/my-new-project/config/application.rb:32:in <class:Application>' /home/josh/Projects/github.com/ackama/my-new-project/config/application.rb:23:in module:MyNewProject'
/home/josh/Projects/github.com/ackama/my-new-project/config/application.rb:22:in <main>' /home/josh/Projects/github.com/ackama/my-new-project/Rakefile:4:in

Caused by:
NameError: uninitialized constant MyNewProject::Application::HttpBasicAuth
/home/josh/Projects/github.com/ackama/my-new-project/config/application.rb:32:in <class:Application>' /home/josh/Projects/github.com/ackama/my-new-project/config/application.rb:23:in module:MyNewProject'
/home/josh/Projects/github.com/ackama/my-new-project/config/application.rb:22:in <main>' /home/josh/Projects/github.com/ackama/my-new-project/Rakefile:4:in

:debug fills disks and is overwhelming in heroku

To replicate:

rails new user-has-many-genders \
  --no-rc \
  --database=postgresql \
  --template=https://raw.githubusercontent.com/ackama/rails-template/master/template.rb \
--skip-active-storage 

Expected:

Functional Rails app generated

Got:

A warning during generation:

        gsub        config/application.rb
File unchanged! The supplied flag value not found!        config/application.rb

And then a crash:

        gsub      config/storage.yml
The template [https://raw.githubusercontent.com/ackama/rails-template/master/template.rb] could not be loaded. Error: No such file or directory @ rb_sysopen - /home/josh/Projects/github.com/ackama/my-new-project/config/storage.yml

Currently the template has a bootstrap variant but does not provide options to use it. In conversation with @eoinkelly it came up that Ackama almost never uses Bootstrap any more, so rather than fixing this, the suggestion is to remove the template. Thoughts and feelings welcome...

I think making the commit is a good thing but pushing seems a step too far - there might be tweaks a dev wants to make locally before they push the "initial commit" and we are forcing them into force pushing by us pushing first. Thoughts?

Details: https://securitytxt.org/

Rials by default keeps a persistent session that the request/response cycle can add session data to. In order to make sure that we do not retain potential user data (outside of the warden user ID) in cookies, we should reset the session when the user logs out.

This will cause the entire session to be reset.

A new version of sprockets was recently released which creates the following error

The short term fix is to add gem "sprockets", "~> 3.0" to the gem file but a proper fix will need to be implement https://github.com/rails/sprockets/blob/master/UPGRADING.md#guide-to-upgrading-from-sprockets-3x-to-4x

We get the following warning when rubocop runs:

The following cops were added to RuboCop, but are not configured. Please set Enabled to either `true` or `false` in your `.rubocop.yml` file:
 - Style/HashEachMethods (0.80)
 - Style/HashTransformKeys (0.80)
 - Style/HashTransformValues (0.80)

We are failing Lighthouse accessibility tests in the foundation-layout variant. The issue seems to be that the navigation elements are getting a menuitem ARIA role and that role is required to be within an element that has one of group, menu, menubar`.

See the following for more details on the problem

• https://web.dev/aria-required-parent/?utm_source=lighthouse&utm_medium=devtools
• https://www.w3.org/TR/wai-aria-1.1/#menuitem

The challenge for us is that these roles are applied dynamically by Foundation JS so we can't easily change them without being super hacky/brittle. I found foundation/foundation-sites#11453 which seems related and has been closed with a "Revisit for V7" label so I wouldn't expect a fix soon.

I'm not sure what the right course of action is here tbh. On the one hand, having some views which demonstrate how to use Foundation is useful but I don't want to turn off accessibility auditing. Discussion needed.

Test failure output

* ******************************************************
* Running all rspec specs
* ******************************************************
.......FF
Failures:
  1) Homepage behaves like an accessible page with no errors
     Failure/Error: expect(page).to be_accessible.according_to(:wcag2a, :wcag2aa)
     
       Found 1 accessibility violation:
     
       1) aria-required-parent: Certain ARIA roles must be contained by particular parents (critical)
           https://dequeuniversity.com/rules/axe/3.5/aria-required-parent?application=axeAPI
           The following 8 nodes violate this rule:
           
               Selector: ul[data-accordion-menu="v8t6ie-accordion-menu"] > .navigation__item[role="treeitem"]:nth-child(1) > a[role="menuitem"][href="\#"]
               HTML: <a href="#" role="menuitem">Right item 1</a>
               Fix any of the following:
               - Required ARIA parents role not present: menu, menubar
               
               Selector: ul[data-accordion-menu="v8t6ie-accordion-menu"] > .navigation__item[role="treeitem"]:nth-child(2) > a[role="menuitem"][href="\#"]
               HTML: <a href="#" role="menuitem">Right item 2</a>
               Fix any of the following:
               - Required ARIA parents role not present: menu, menubar
               
               Selector: #l3x8gk-acc-menu-link > a[role="menuitem"][href="\#"]
               HTML: <a href="#" role="menuitem">Right item 3</a>
               Fix any of the following:
               - Required ARIA parents role not present: menu, menubar
               
               Selector: #f2g764-acc-menu-link > a[href="\/"][role="menuitem"]
               HTML: <a href="/" role="menuitem">Left item 1</a>
               Fix any of the following:
               - Required ARIA parents role not present: menu, menubar
               
               Selector: .navigation__item--borderless.navigation__item[role="treeitem"]:nth-child(2) > a[href="\/"][role="menuitem"]
               HTML: <a href="/" role="menuitem">Left item 2</a>
               Fix any of the following:
               - Required ARIA parents role not present: menu, menubar
               
               Selector: #\38 4sb4j-acc-menu-link > a[role="menuitem"][href="\#"]
               HTML: <a href="#" role="menuitem">Second right item 1</a>
               Fix any of the following:
               - Required ARIA parents role not present: menu, menubar
               
               Selector: .navigation__item--borderless.navigation__item[role="treeitem"]:nth-child(2) > a[role="menuitem"][href="\#"]
               HTML: <a href="#" role="menuitem">Second right item 2</a>
               Fix any of the following:
               - Required ARIA parents role not present: menu, menubar
               
               Selector: #\34 9j03z-acc-menu-link > a[role="menuitem"][href="\#"]
               HTML: <a href="#" role="menuitem">Second right item 3</a>
               Fix any of the following:
               - Required ARIA parents role not present: menu, menubar
               
       Invocation: axe.run({"runOnly":{"type":"tag","values":["wcag2a","wcag2aa"]}}, callback);
     
     [Screenshot]: /home/travis/build/ackama/rails-template/template-test/dummy/foundation-layout/tmp/screenshots/failures_r_spec_example_groups_homepage_behaves_like_an_accessible_page_with_no_errors_583.png
     
     Shared Example Group: "an accessible page" called from ./spec/system/home_feature_spec.rb:11
     # ./spec/support/shared_examples/an_accessible_page.rb:3:in `block (2 levels) in <top (required)>'
  2) Homepage behaves like an accessible page passes a Lighthouse accessibility audit
     Failure/Error: expect(page).to pass_lighthouse_audit(:accessibility)
     
       expected http://127.0.0.1:37821/ to pass Lighthouse accessibility audit
       with a minimum score of 100
     
     [Screenshot]: /home/travis/build/ackama/rails-template/template-test/dummy/foundation-layout/tmp/screenshots/failures_r_spec_example_groups_homepage_behaves_like_an_accessible_page_passes_a_lighthouse_accessibility_audit_390.png
     
     Shared Example Group: "an accessible page" called from ./spec/system/home_feature_spec.rb:11
     # ./spec/support/shared_examples/an_accessible_page.rb:7:in `block (2 levels) in <top (required)>'
Finished in 14.82 seconds (files took 4.58 seconds to load)
9 examples, 2 failures
Failed examples:
rspec ./spec/system/home_feature_spec.rb[1:2:1] # Homepage behaves like an accessible page with no errors
rspec ./spec/system/home_feature_spec.rb[1:2:2] # Homepage behaves like an accessible page passes a Lighthouse accessibility audit

Many/most devs forget what's in their .railsrc. I'm not sure the README in this repo should recommend using it because it's easy to forget what's in there.

When setting up MDC-Harbours we used the command line flags --no-rc --skip-turbolinks --skip-spring --skip-action-mailbox.

What should the Readme recommend?

We use it a lot, maybe always?

I ran in to the following when setting up a new Rails project with this template - some might just be related to issues with my own dev setup, but Eoin thought it was worth creating an issue here as other people might run into something similar, and we might be able to add to the script to remind people to ensure these things are set as required (or at least add to the ReadMe).

1. When I first tried to the Rails new ... command with all of the options for the template, I got some general Ruby errors. Though I had 2.5.0 installed, I had to reinstall and set locally to resolve.

2. I had Rails ~5.3 installed in the folder I was running the command in, and needed Rails 6. I know this was in the ReadMe, but I hadn't checked before so had to stop and update Rails to resolve.

3. Next, I had an issue with the pg gem that made the script top running - I had to gem install to resolve and then start over.

4. I had the wrong version of Node. I had to set to 10 and then start over.

5. 🐘 I gave the script https://github.com:ackama/PROJECT-REPO.git when it asked for the remote git repo, but should have given the SSH version. Maybe the script could give an example that indicates this should be the SSH version? eg. [[email protected]:USERNAME/PROJECT-REPO.git]

We are using Bitbucket pipelines for CI regularly now. It would be helpful to have a well commented starter config

We strongly encourage the use of "service" objects so having app/services seems sensible.

I think it could be neat to have an example service (with an associated test) which includes a comment explaining the rationale behind services for devs who may not have worked in that way before.

• redis gem not required (sidekiq gem pulls it in already)
• we shouldn't install sidekiq as the global active_job.queue_adaptor because it forces you to have redis running to run your tests
• we seem to be setting up the routes for the web panel in both an initializer and routes.rb - we should only do this once

NZISM:

System Classification(s): All Classifications; Compliance: SHOULD [CID:1858]
Agencies SHOULD implement a password policy enforcing either:

a minimum password length of 16 characters with no complexity requirement; or
a minimum password length of ten characters, consisting of at least three of the following character sets:
lowercase characters (a-z);
uppercase characters (A-Z);
digits (0-9); and
punctuation and special characters.

I recommend we increase our required password length to 16 chars.

As a developer

I want a secure CSP to be generated when I create a new application using the template

So that I can adjust the existing CSP as I add new resources, rather than having to start one with scratch and make mistakes.

We generally use 'UAT' as our 'staging'-equivalent environment name, so we should rename mentions of this environment.

Something like config.log_level = ENV.fetch("LOG_LEVEL", "info").to_sym in the environment config files for all deployed envs

• Spring `Bundler: failed to load command spring
• Yarn version
• no Bootstrap prompt

As a developer

I want to optionally introduce a dependency on Sidekiq (Redis, additional process)

So that I only get Sidekiq if I actually need it

• Move existing Sidekiq generation code to a variant
• Add check for Redis to bin/setup (?)
• Add new variant tests

Ackama has settled on main as the new name for the default git branch (in line with upcoming changes from Github and Gitlab). This template is responsible for inital repo setup so it should set this up for us.

As a developer

When I set up a new project

I want to be able to configure environment variables to enable HTTP auth

So that I can deploy to UAT/staging and keep things under wraps

• Copy authentication code from another Ackama project
• Add example environment variables, commented out

I'm not sure we should default to including sidekiq - maybe we should ask user about it and only set it up if they agree?

lockable is the best approach for preventing brute-force attacks within Devise. We should ensure that lockable is provisioned ON by default, and preferably set to a time-based locking strategy rather than the default that uses both time and link unlocks.

We should also investigate whether we can have lockout times exponentially increase rather than being a fixed period of time.

Rails log at info level is quite verbose which can be problematic in envs like Heroku. Moving to warn level isn't ideal because we actually do want some logs. Lograge would fix this.

Devise has a paranoid configuration option that will cause forms that request an email address or other identifier to not indicate whether or not the user existed at all.

We should default to being paranoid, as this prevents someone from being able to detect whether the email address exists in the system or not.

We almost always add roles - should we have a variant which creates a few common roles and (more importantly) has a bunch of tests ready to go?

The Rails 6 default is to supress webpacker output during compilation [1]. This leads to very obscure build failures that end with "...Compilation failed", with no reason why.

We should probably apply the webpack_compile_output: true setting for production & staging environments to make sure that if asset compilation fails, we understand why.

Here's a patch:

commit b4698d7b0641d538a0cabb538a38178a9b093a56 (HEAD -> bugfix/resolve-deployment-failures)
Author: Josh McArthur <[email protected]>
Date:   Tue Sep 24 14:12:09 2019 +1200

    Enable webpacker compilation output when compiling in deployed environments

diff --git a/config/webpacker.yml b/config/webpacker.yml
index 88332c5..2046dc9 100644
--- a/config/webpacker.yml
+++ b/config/webpacker.yml
@@ -94,3 +94,6 @@ production:

   # Cache manifest.json for performance
   cache_manifest: true
+
+  # Provide output for deployment precompilation
+  webpack_compile_output: true

We have an agreed template for project README that we as a dev team have in our wiki. We should incorporate this into our Rails template so we can easily use consistent documentation.

We use pundit on almost all rails apps - it would be great to have it as a part of this template including a good set of tests. We could also add an example controller to demonstrate best practices in using it.

We seem to be settling on Sentry as our default exception monitoring - it would be good to have a variant for it.

Having a second pack, loaded withdefer and suitably commented would encourage devs to load JS in the deferred pack if possible.

As a developer

I want to set up Devise with the standard configuration (user w. email/password auth, password resets)

So that I can quickly get going:

• Add devise gem
• bundle exec rails g devise:install
• Do we have an email address from ENV to send mail from? 00
• bundle exec rails g devise User
• System tests

As per https://github.com/browserslist/browserslist#queries shall we use package.json instead?

https://github.com/rubocop-hq/rubocop-rspec

This is implemented in PR #93

As a developer creating a new Rails project

I want to get a project created with all the latest documentation recommendations from the wider Ackama dev team

So that I don't have to think about document content or style.

• Decide where README template should canonically live (it's in the wiki at the moment, which is private)
• Determine how to fetch it (e.g. private wiki might need to be cloned, public could curl it)
• Add step to template.rb to fetch the README somehow

Font-awesome is included in the foundation variant as a remnant of the merge between this and Elspeths rails template.
It adds an unnecessary amount of extra weight to page loads and isn't used in any base styles or components so it should be a per project choice to add it rather than something included by default.