ackama / rails-template
Application template for Rails 7 projects; preloaded with best practices for TDD, security, deployment, and developer productivity.
License: Other
Merrin mentioned that we create `test/` and `spec/` in the Rails app, which is a bit confusing.
I did some research by creating a bunch of rails apps:

```
rails --version
Rails 6.0.1
# create rails apps to compare
rails new --no-rc eoin-defaults
rails new --no-rc --skip-test eoin-skip-test
rails new --no-rc --skip-system-test eoin-skip-system-test
rails new --no-rc --skip-test --skip-system-test eoin-skip-test-skip-system-test
```
I found that if you pass `--skip-test --skip-system-test` then:

- the `:test` group in the Gemfile is not created
- the `test/` directory is not created

In all other cases the `test/` directory is created.

I think we want the `:test` group to be created in the Gemfile, so we should manually remove the `test/` dir as part of our template (in the `after_bundle` hook so we run after the built-in Rails new stuff has already run).
We get the following warning when rubocop runs:

```
The following cops were added to RuboCop, but are not configured. Please set Enabled to either `true` or `false` in your `.rubocop.yml` file:
 - Style/HashEachMethods (0.80)
 - Style/HashTransformKeys (0.80)
 - Style/HashTransformValues (0.80)
```
`redis` gem not required (`sidekiq` gem pulls it in already)

I'm not sure we should default to including sidekiq - maybe we should ask the user about it and only set it up if they agree?
https://github.com/rubocop-hq/rubocop-rspec
This is implemented in PR #93
We have an agreed template for project README that we as a dev team have in our wiki. We should incorporate this into our Rails template so we can easily use consistent documentation.
In `config/application.rb`, there is an `insert_after` rule:

```ruby
insert_into_file "config/application.rb", after: /^require 'rails\/all'/ do
  # the empty line at the beginning of this string is required
  <<-'RUBY'

require_relative '../app/middleware/http_basic_auth'
  RUBY
end
```
The problem is, if any `--skip-*` options are provided (`--skip-action-cable`, `--skip-action-mailbox` etc), the line is not matched, so the content is not inserted. This then causes an uninitialized constant:

```
rails webpacker:install
rails aborted!
NameError: uninitialized constant MyNewProject::Application::HttpBasicAuth
/home/josh/Projects/github.com/ackama/my-new-project/config/application.rb:32:in `<class:Application>'
/home/josh/Projects/github.com/ackama/my-new-project/config/application.rb:23:in `<module:MyNewProject>'
/home/josh/Projects/github.com/ackama/my-new-project/config/application.rb:22:in `<main>'
/home/josh/Projects/github.com/ackama/my-new-project/Rakefile:4:in
Caused by:
NameError: uninitialized constant MyNewProject::Application::HttpBasicAuth
/home/josh/Projects/github.com/ackama/my-new-project/config/application.rb:32:in `<class:Application>'
/home/josh/Projects/github.com/ackama/my-new-project/config/application.rb:23:in `<module:MyNewProject>'
/home/josh/Projects/github.com/ackama/my-new-project/config/application.rb:22:in `<main>'
/home/josh/Projects/github.com/ackama/my-new-project/Rakefile:4:in
```
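The anchor regex only knows the `require 'rails/all'` form, so the fix is to match the per-framework `require "…/railtie"` lines too and insert after the last one. The snippet below is an added example rather than the template's own code: the method name, the regex and the two sample `application.rb` contents are constructed here, and it returns `nil` when no anchor is found so a template can fail loudly instead of leaving the file silently unchanged.

```ruby
# Added example, not the template's own code: find the right place in
# config/application.rb to insert the middleware require whether the app was
# generated with `require 'rails/all'` or, when any --skip-* flag was passed,
# with a list of per-framework railtie/engine requires. The method name, regex
# and sample file contents below are constructed for this example.

# Matches `require 'rails/all'` as well as lines such as
# `require "action_controller/railtie"` or `require "active_storage/engine"`.
RAILS_REQUIRE = %r{\Arequire ["'](?:rails/all|[a-z_/]+/(?:railtie|engine))["']\s*\z}

# Returns the application.rb source with `line` inserted after the last Rails
# framework require, or nil when no anchor is found so the caller can abort the
# template run instead of continuing with a file that was never changed.
def insert_after_rails_requires(source, line)
  lines = source.lines
  anchor = lines.rindex { |l| l.match?(RAILS_REQUIRE) }
  return nil if anchor.nil?

  lines.insert(anchor + 1, "#{line}\n")
  lines.join
end

MIDDLEWARE_REQUIRE = "require_relative '../app/middleware/http_basic_auth'"

# Constructed sample: the default `rails new` output ...
DEFAULT_APP_RB = <<~RUBY
  require_relative 'boot'

  require 'rails/all'

  Bundler.require(*Rails.groups)
RUBY

# ... and the shape written with e.g. --skip-action-cable --skip-action-mailbox.
SKIPPED_APP_RB = <<~RUBY
  require_relative 'boot'

  require "rails"
  # Pick the frameworks you want:
  require "active_model/railtie"
  require "active_record/railtie"
  require "action_controller/railtie"
  require "action_view/railtie"
  require "rails/test_unit/railtie"

  Bundler.require(*Rails.groups)
RUBY

if __FILE__ == $PROGRAM_NAME
  [DEFAULT_APP_RB, SKIPPED_APP_RB].each do |src|
    puts(insert_after_rails_requires(src, MIDDLEWARE_REQUIRE) || "no anchor found")
    puts "-" * 40
  end
end
```

In a template this would replace the `after:` regex in the `insert_into_file` call; the important property is that a missing anchor is reported rather than swallowed, which is what turned the original problem into a confusing `NameError` several steps later.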
Rails by default keeps a persistent session that the request/response cycle can add session data to. In order to make sure that we do not retain potential user data (outside of the warden user ID) in cookies, we should reset the session when the user logs out. This will cause the entire session to be reset.
Rails log at info level is quite verbose which can be problematic in envs like Heroku. Moving to `warn` level isn't ideal because we actually do want some logs. Lograge would fix this.
Details: https://securitytxt.org/
Something like `config.log_level = ENV.fetch("LOG_LEVEL", "info").to_sym` in the environment config files for all deployed envs
We generally use 'UAT' as our 'staging'-equivalent environment name, so we should rename mentions of this environment.
Setup of performance tests is a little fiddly so it would be great to have it built-in
As a developer
I want to set up Devise with the standard configuration (user w. email/password auth, password resets)
So that I can quickly get going:

- `devise` gem
- `bundle exec rails g devise:install`
- `bundle exec rails g devise User`
We strongly encourage the use of "service" objects so having `app/services` seems sensible.
I think it could be neat to have an example service (with an associated test) which includes a comment explaining the rationale behind services for devs who may not have worked in that way before.
The Rails 6 default is to suppress webpacker output during compilation [1]. This leads to very obscure build failures that end with "...Compilation failed", with no reason why.

We should probably apply the `webpack_compile_output: true` setting for production & staging environments to make sure that if asset compilation fails, we understand why.

Here's a patch:
commit b4698d7b0641d538a0cabb538a38178a9b093a56 (HEAD -> bugfix/resolve-deployment-failures)
Author: Josh McArthur <[email protected]>
Date: Tue Sep 24 14:12:09 2019 +1200
Enable webpacker compilation output when compiling in deployed environments
diff --git a/config/webpacker.yml b/config/webpacker.yml
index 88332c5..2046dc9 100644
--- a/config/webpacker.yml
+++ b/config/webpacker.yml
@@ -94,3 +94,6 @@ production:
# Cache manifest.json for performance
cache_manifest: true
+
+ # Provide output for deployment precompilation
+ webpack_compile_output: true
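Review bot: the issue text asks for the setting in production & staging, but this hunk only adds `webpack_compile_output: true` under the `production:` mapping; unless the staging/UAT environment section in config/webpacker.yml inherits from production, the same key needs adding there too (or in the shared `default:` anchor). Worth also confirming that the two added lines keep the indentation of the neighbouring `cache_manifest: true` key so the new key stays inside `production:` rather than becoming a top-level YAML key.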
As a developer creating a new Rails project
I want to get a project created with all the latest documentation recommendations from the wider Ackama dev team
So that I don't have to think about document content or style.
curl it)

We almost always add roles - should we have a variant which creates a few common roles and (more importantly) has a bunch of tests ready to go?
:debug fills disks and is overwhelming in heroku
As a developer
When I set up a new project
I want to be able to configure environment variables to enable HTTP auth
So that I can deploy to UAT/staging and keep things under wraps
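One way to meet this story is a small Rack middleware that is inert unless both credentials are present in the environment, so the same build can be open in production and password-protected on UAT by configuration alone. The class below is an added example and is not the template's `app/middleware/http_basic_auth.rb`; the env var names `HTTP_AUTH_USERNAME` / `HTTP_AUTH_PASSWORD`, the realm string and the `basic_header` helper are assumptions made for this example, and it avoids depending on the rack gem so it can run stand-alone.

```ruby
# Added example (not the template's own middleware): HTTP Basic auth that is
# switched on purely by environment variables. Env var names and the realm are
# assumptions for this example.
class HttpBasicAuth
  def initialize(app, env_vars = ENV)
    @app = app
    @username = env_vars["HTTP_AUTH_USERNAME"]
    @password = env_vars["HTTP_AUTH_PASSWORD"]
  end

  # Only guard the app when both values are configured; a half-configured
  # deploy falls through to the app rather than locking everyone out with an
  # empty password.
  def enabled?
    !@username.to_s.empty? && !@password.to_s.empty?
  end

  def call(env)
    return @app.call(env) unless enabled?
    return @app.call(env) if authorized?(env["HTTP_AUTHORIZATION"])

    [401,
     { "Content-Type" => "text/plain",
       "WWW-Authenticate" => 'Basic realm="Restricted"' },
     ["Unauthorized\n"]]
  end

  private

  def authorized?(header)
    return false if header.nil?

    scheme, encoded = header.split(" ", 2)
    return false unless scheme&.casecmp?("basic") && encoded

    # "m" unpacks base64 without needing the base64 library.
    user, pass = encoded.unpack1("m").split(":", 2)
    # Non-short-circuiting & so both fields are always compared.
    secure_equal?(user.to_s, @username) & secure_equal?(pass.to_s, @password)
  end

  # Constant-time comparison (for strings of equal length) so response timing
  # does not leak how many leading characters matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Helper for building the header a client would send (constructed for the example).
def basic_header(user, pass)
  "Basic " + ["#{user}:#{pass}"].pack("m0")
end

if __FILE__ == $PROGRAM_NAME
  app = ->(_env) { [200, { "Content-Type" => "text/plain" }, ["ok\n"]] }
  guarded = HttpBasicAuth.new(app, "HTTP_AUTH_USERNAME" => "uat", "HTTP_AUTH_PASSWORD" => "s3cret")
  puts guarded.call({}).first                                                   # 401
  puts guarded.call("HTTP_AUTHORIZATION" => basic_header("uat", "s3cret")).first # 200
end
```

In a Rails app this would be added with `config.middleware.use HttpBasicAuth` from the environment files for UAT, with the two values set as config vars on the platform rather than committed.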
We are failing Lighthouse accessibility tests in the foundation-layout variant. The issue seems to be that the navigation elements are getting a `menuitem` ARIA role and that role is required to be within an element that has one of `group`, `menu`, `menubar`.
See the following for more details on the problem
The challenge for us is that these roles are applied dynamically by Foundation JS so we can't easily change them without being super hacky/brittle. I found foundation/foundation-sites#11453 which seems related and has been closed with a "Revisit for V7" label so I wouldn't expect a fix soon.
I'm not sure what the right course of action is here tbh. On the one hand, having some views which demonstrate how to use Foundation is useful but I don't want to turn off accessibility auditing. Discussion needed.
```
* ******************************************************
* Running all rspec specs
* ******************************************************
.......FF
Failures:
  1) Homepage behaves like an accessible page with no errors
     Failure/Error: expect(page).to be_accessible.according_to(:wcag2a, :wcag2aa)
       Found 1 accessibility violation:
       1) aria-required-parent: Certain ARIA roles must be contained by particular parents (critical)
           https://dequeuniversity.com/rules/axe/3.5/aria-required-parent?application=axeAPI
           The following 8 nodes violate this rule:
             Selector: ul[data-accordion-menu="v8t6ie-accordion-menu"] > .navigation__item[role="treeitem"]:nth-child(1) > a[role="menuitem"][href="\#"]
             HTML: <a href="#" role="menuitem">Right item 1</a>
             Fix any of the following:
             - Required ARIA parents role not present: menu, menubar
             Selector: ul[data-accordion-menu="v8t6ie-accordion-menu"] > .navigation__item[role="treeitem"]:nth-child(2) > a[role="menuitem"][href="\#"]
             HTML: <a href="#" role="menuitem">Right item 2</a>
             Fix any of the following:
             - Required ARIA parents role not present: menu, menubar
             Selector: #l3x8gk-acc-menu-link > a[role="menuitem"][href="\#"]
             HTML: <a href="#" role="menuitem">Right item 3</a>
             Fix any of the following:
             - Required ARIA parents role not present: menu, menubar
             Selector: #f2g764-acc-menu-link > a[href="\/"][role="menuitem"]
             HTML: <a href="/" role="menuitem">Left item 1</a>
             Fix any of the following:
             - Required ARIA parents role not present: menu, menubar
             Selector: .navigation__item--borderless.navigation__item[role="treeitem"]:nth-child(2) > a[href="\/"][role="menuitem"]
             HTML: <a href="/" role="menuitem">Left item 2</a>
             Fix any of the following:
             - Required ARIA parents role not present: menu, menubar
             Selector: #\38 4sb4j-acc-menu-link > a[role="menuitem"][href="\#"]
             HTML: <a href="#" role="menuitem">Second right item 1</a>
             Fix any of the following:
             - Required ARIA parents role not present: menu, menubar
             Selector: .navigation__item--borderless.navigation__item[role="treeitem"]:nth-child(2) > a[role="menuitem"][href="\#"]
             HTML: <a href="#" role="menuitem">Second right item 2</a>
             Fix any of the following:
             - Required ARIA parents role not present: menu, menubar
             Selector: #\34 9j03z-acc-menu-link > a[role="menuitem"][href="\#"]
             HTML: <a href="#" role="menuitem">Second right item 3</a>
             Fix any of the following:
             - Required ARIA parents role not present: menu, menubar
           Invocation: axe.run({"runOnly":{"type":"tag","values":["wcag2a","wcag2aa"]}}, callback);
     [Screenshot]: /home/travis/build/ackama/rails-template/template-test/dummy/foundation-layout/tmp/screenshots/failures_r_spec_example_groups_homepage_behaves_like_an_accessible_page_with_no_errors_583.png
     Shared Example Group: "an accessible page" called from ./spec/system/home_feature_spec.rb:11
     # ./spec/support/shared_examples/an_accessible_page.rb:3:in `block (2 levels) in <top (required)>'
  2) Homepage behaves like an accessible page passes a Lighthouse accessibility audit
     Failure/Error: expect(page).to pass_lighthouse_audit(:accessibility)
       expected http://127.0.0.1:37821/ to pass Lighthouse accessibility audit
       with a minimum score of 100
     [Screenshot]: /home/travis/build/ackama/rails-template/template-test/dummy/foundation-layout/tmp/screenshots/failures_r_spec_example_groups_homepage_behaves_like_an_accessible_page_passes_a_lighthouse_accessibility_audit_390.png
     Shared Example Group: "an accessible page" called from ./spec/system/home_feature_spec.rb:11
     # ./spec/support/shared_examples/an_accessible_page.rb:7:in `block (2 levels) in <top (required)>'
Finished in 14.82 seconds (files took 4.58 seconds to load)
9 examples, 2 failures
Failed examples:
rspec ./spec/system/home_feature_spec.rb[1:2:1] # Homepage behaves like an accessible page with no errors
rspec ./spec/system/home_feature_spec.rb[1:2:2] # Homepage behaves like an accessible page passes a Lighthouse accessibility audit
```
I think making the commit is a good thing but pushing seems a step too far - there might be tweaks a dev wants to make locally before they push the "initial commit" and we are forcing them into force pushing by us pushing first. Thoughts?
Having a second pack, loaded with `defer` and suitably commented, would encourage devs to load JS in the deferred pack if possible.
Devise has a paranoid configuration option that will cause forms that request an email address or other identifier to not indicate whether or not the user existed at all.
We should default to being paranoid, as this prevents someone from being able to detect whether the email address exists in the system or not.
A new version of sprockets was recently released which creates the following error

The short term fix is to add `gem "sprockets", "~> 3.0"` to the Gemfile but a proper fix will need to be implemented: https://github.com/rails/sprockets/blob/master/UPGRADING.md#guide-to-upgrading-from-sprockets-3x-to-4x
Ackama has settled on `main` as the new name for the default git branch (in line with upcoming changes from Github and Gitlab). This template is responsible for initial repo setup so it should set this up for us.
To replicate:

```
rails new user-has-many-genders \
  --no-rc \
  --database=postgresql \
  --template=https://raw.githubusercontent.com/ackama/rails-template/master/template.rb \
  --skip-active-storage
```

Expected:

Functional Rails app generated

Got:

A warning during generation:

```
gsub config/application.rb
File unchanged! The supplied flag value not found! config/application.rb
```

And then a crash:

```
gsub config/storage.yml
The template [https://raw.githubusercontent.com/ackama/rails-template/master/template.rb] could not be loaded. Error: No such file or directory @ rb_sysopen - /home/josh/Projects/github.com/ackama/my-new-project/config/storage.yml
```
We seem to be settling on Sentry as our default exception monitoring - it would be good to have a variant for it.
Following is an intermittent issue. Having recently updated my macOS to Catalina I am having an issue with setting up the ackama rails template using both rails 6.0.0 & ruby 2.6.2 and also with rails 6.0.1 and ruby 2.6.5.

The issue seems to be that the `bin/setup` script does not run automatically. In this particular instance the errors point to the gems Bootsnap and ffi not being found.

After running `gem pristine bootsnap 1.4.5` and `gem pristine ffi 1.11.3` I ran `bin/setup` (everything ran as I would expect) and then I ran `brew update-reset`.

After running the last command things seem to be working as normal until `bin/rake db:create:all` is run, when the next error happens:

```
Sprockets::Railtie::ManifestNeededError: Expected to find a manifest file in
app/assets/config/manifest.js
```
When setting up MDC-Harbours we used the command line flags `--no-rc --skip-turbolinks --skip-spring --skip-action-mailbox`.
What should the Readme recommend?
We use pundit on almost all rails apps - it would be great to have it as a part of this template including a good set of tests. We could also add an example controller to demonstrate best practices in using it.
Font-awesome is included in the foundation variant as a remnant of the merge between this and Elspeth's rails template.

It adds an unnecessary amount of extra weight to page loads and isn't used in any base styles or components, so it should be a per-project choice to add it rather than something included by default.
We use it a lot, maybe always?
NZISM:

System Classification(s): All Classifications; Compliance: SHOULD [CID:1858]

Agencies SHOULD implement a password policy enforcing either:

- a minimum password length of 16 characters with no complexity requirement; or
- a minimum password length of ten characters, consisting of at least three of the following character sets:
  - lowercase characters (a-z);
  - uppercase characters (A-Z);
  - digits (0-9); and
  - punctuation and special characters.

I recommend we increase our required password length to 16 chars.
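For comparison, here is the NZISM control above written out as a checkable policy. This is an added example, not code from the template or from NZISM; the method names, the four character-class regexes and the sample passwords are constructed for it. Option 1 (16+ characters, no complexity rule) is the one a plain Devise `config.password_length` minimum can enforce on its own, which is why the recommendation is to move to 16; option 2 is included so the two alternatives can be compared on real inputs.

```ruby
# Added example (not the template's code): the two NZISM CID:1858 alternatives
# as predicates. Names, regexes and sample passwords are constructed here.

CHARACTER_SETS = {
  lowercase: /[a-z]/,
  uppercase: /[A-Z]/,
  digit:     /[0-9]/,
  special:   /[^a-zA-Z0-9]/ # punctuation, symbols and whitespace
}.freeze

# Number of the four character sets the password draws from.
def character_set_count(password)
  CHARACTER_SETS.count { |_name, pattern| password.match?(pattern) }
end

# Option 1: at least 16 characters, no complexity requirement.
def long_passphrase?(password)
  password.length >= 16
end

# Option 2: at least 10 characters from at least three of the four sets.
def complex_password?(password)
  password.length >= 10 && character_set_count(password) >= 3
end

# The control is satisfied when either alternative holds.
def nzism_compliant?(password)
  long_passphrase?(password) || complex_password?(password)
end

# Which alternatives a password satisfies, for reporting during policy review.
def nzism_report(password)
  {
    length: password.length,
    character_sets: character_set_count(password),
    option_1: long_passphrase?(password),
    option_2: complex_password?(password),
    compliant: nzism_compliant?(password)
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed samples only.
  ["correct horse battery", "Tr0ub4dor&", "troubadour", "Troubadour1", "Short1!"].each do |pw|
    puts "#{pw.inspect}: #{nzism_report(pw)}"
  end
end
```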
As a developer
I want to optionally introduce a dependency on Sidekiq (Redis, additional process)
So that I only get Sidekiq if I actually need it
`lockable` is the best approach for preventing brute-force attacks within Devise. We should ensure that lockable is provisioned ON by default, and preferably set to a time-based locking strategy rather than the default that uses both time and link unlocks.

We should also investigate whether we can have lockout times exponentially increase rather than being a fixed period of time.
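To make the "exponentially increasing lockout" question concrete, below is a sketch of a time-based lock whose duration doubles with each consecutive lockout up to a cap. This is an added example and is not how Devise's `lockable` works (Devise uses a fixed `unlock_in`); the constants, the in-memory `Account` struct and the rule for when the back-off counter resets are all assumptions made for this example.

```ruby
# Added example (not Devise's lockable): time-based locking with exponential
# back-off. Constants, the Account record and the reset rule are constructed.

MAX_ATTEMPTS = 5          # failed attempts before a lock (cf. Devise maximum_attempts)
BASE_LOCK    = 60         # seconds for the first lock (cf. Devise unlock_in)
MAX_LOCK     = 24 * 3600  # cap so repeated lockouts cannot grow without bound

# `lock_count` is how many consecutive lockouts have occurred; timestamps are
# plain integer seconds so the example runs without ActiveSupport.
Account = Struct.new(:failed_attempts, :lock_count, :locked_until, keyword_init: true)

def new_account
  Account.new(failed_attempts: 0, lock_count: 0, locked_until: nil)
end

# First lock lasts BASE_LOCK, then doubles each time, never exceeding MAX_LOCK.
def lock_duration(lock_count)
  [BASE_LOCK * (2**(lock_count - 1)), MAX_LOCK].min
end

def locked?(account, now)
  !account.locked_until.nil? && now < account.locked_until
end

# Record a failed login at time `now`. Returns true when the account is (or has
# just become) locked. Attempts made while locked are ignored entirely.
def record_failure(account, now)
  return true if locked?(account, now)

  account.failed_attempts += 1
  return false if account.failed_attempts < MAX_ATTEMPTS

  account.lock_count += 1
  account.locked_until = now + lock_duration(account.lock_count)
  account.failed_attempts = 0
  true
end

# A successful login clears the attempt counter. The back-off counter only
# resets once a full MAX_LOCK has passed since the last lock expired, so a
# slow, patient attacker still faces the longer durations (constructed rule).
def record_success(account, now)
  account.failed_attempts = 0
  if account.locked_until && now >= account.locked_until + MAX_LOCK
    account.lock_count = 0
  end
  account.locked_until = nil
end

if __FILE__ == $PROGRAM_NAME
  acct = new_account
  t = 0
  3.times do
    MAX_ATTEMPTS.times { record_failure(acct, t) }
    puts "lock #{acct.lock_count}: #{lock_duration(acct.lock_count)}s, locked until #{acct.locked_until}"
    t = acct.locked_until # try again the moment it expires
  end
end
```

Whether this is worth the extra state over a fixed `unlock_in` depends on the app; the main design point is that the counter should not reset on the first successful login after an unlock, or the back-off is trivially defeated.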
As a developer
I want a secure CSP to be generated when I create a new application using the template
So that I can adjust the existing CSP as I add new resources, rather than having to start one with scratch and make mistakes.
Currently the template has a bootstrap variant but does not provide options to use it. In conversation with @eoinkelly it came up that Ackama almost never uses Bootstrap any more, so rather than fixing this, the suggestion is to remove the template. Thoughts and feelings welcome...
I personally don't feel like I get a lot of value from git hook checks on the projects I'm on. I'm happy to go with whatever the consensus is but here's my reasoning:

`Fixup rubocop` commits. I say reduce not eliminate because on larger projects (where rubocop takes a while to run) I started adding `-n` to the git command to skip hooks because running them was just annoying in my context. While it's always possible for me to just be lazy, a few contexts where this makes sense are when you are committing a lot on a spike or trying to sort out some ops/CI issue which requires a lot of commits and the slowness becomes grating.

I don't think the benefits are worth the cost of adding lots of friction to the `git commit` flow for most projects.

I think that we should remove it from the template and let teams opt-in to it if it makes sense for their use-case.
Many/most devs forget what's in their `.railsrc`. I'm not sure the README in this repo should recommend using it because it's easy to forget what's in there.
I ran into the following when setting up a new Rails project with this template - some might just be related to issues with my own dev setup, but Eoin thought it was worth creating an issue here as other people might run into something similar, and we might be able to add to the script to remind people to ensure these things are set as required (or at least add to the ReadMe).

- When I first tried the `rails new ...` command with all of the options for the template, I got some general Ruby errors. Though I had 2.5.0 installed, I had to reinstall and set locally to resolve.
- I had Rails ~5.3 installed in the folder I was running the command in, and needed Rails 6. I know this was in the ReadMe, but I hadn't checked before so had to stop and update Rails to resolve.
- Next, I had an issue with the pg gem that made the script stop running - I had to gem install to resolve and then start over.
- I had the wrong version of Node. I had to set to 10 and then start over.
- I gave the script `https://github.com:ackama/PROJECT-REPO.git` when it asked for the remote git repo, but should have given the SSH version. Maybe the script could give an example that indicates this should be the SSH version? eg. `git@github.com:USERNAME/PROJECT-REPO.git`
As per https://github.com/browserslist/browserslist#queries shall we use `package.json` instead?
We are using Bitbucket pipelines for CI regularly now. It would be helpful to have a well commented starter config
I would love to be able to offer 2fa in our Rails apps for the same cost as regular user management.
I have used https://github.com/tinfoil/devise-two-factor successfully in the past. It's good but it doesn't provide any UI for managing the second factor e.g. creating it, resetting it, allowing admins to manage it etc. so we would need to create all that.
We would probably need to spend some time figuring out the UX of all that first.
ESLint should be part of our frontend CI process, just like sass-lint is.