Assets served from Rails deauthorizing client-side profiler

[Blayr]

When trying to validate my

Rack::MiniProfiler.config.authorization_mode = :allow_authorized

implementation in my development environment, all my /mini-profiler-resources/results requests were failing despite my ApplicationController doing Rack::MiniProfiler.authorize_request in a before_action on every request. After some investigating I found that when loading my assets (via rails), they responded with a Set-Cookie header that was deleting my __profilin cookie.

Even though my assets path was included in the skip_paths variable automatically and the skip_it variable was set to true
the header to delete the cookie would still be set in handle_cookie, deauthorizing the client when the server loaded the asset.

https://github.com/MiniProfiler/rack-mini-profiler/blob/5e42a57acab20125f910c0f29d82f19e7220ff31/lib/mini_profiler.rb#L168C1-L180C10

      skip_it = matches_action?('skip', env) || (
        @config.skip_paths &&
        @config.skip_paths.any? do |p|
          if p.instance_of?(String)
            path.start_with?(p)
          elsif p.instance_of?(Regexp)
            p.match?(path)
          end
        end
      )
      if skip_it
        return client_settings.handle_cookie(@app.call(env))
      end

https://github.com/MiniProfiler/rack-mini-profiler/blob/5e42a57acab20125f910c0f29d82f19e7220ff31/lib/mini_profiler/client_settings.rb#L42C1-L56C10

      def handle_cookie(result)
        status, headers, _body = result


        if (MiniProfiler.config.authorization_mode == :allow_authorized && !MiniProfiler.request_authorized?)
          # this is non-obvious, don't kill the profiling cookie on errors or short requests
          # this ensures that stuff that never reaches the rails stack does not kill profiling
          if status.to_i >= 200 && status.to_i < 300 && ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - @start) > 0.1)
            discard_cookie!(headers)
          end
        else
          write!(headers)
        end


        result
      end

I created a patch for the company I currently work at to avoid deauthorizing specifically for that handle_cookie call, however I'm not sure if that is appropriate for the other condition checked in the same area as the skip_paths is checked. Hopefully i'm not missing some critical setup step that caused this.

master...Vidcruiter:rack-mini-profiler:master

[iberianpig]

@Blayr Thank you for creating the patch. It has fixed issue of discarding cookie by /assets requests.

In my environment, I've observed that there are some requests being made to the /assets/ directory.

• To address this, I added Rack::MiniProfiler.config.skip_paths = ['/assets'], ensuring that these requests are excluded from profiling checks.

• It's worth noting that even when Rails.config.public_file_server.enabled is set to false, requests to the /assets path may be still dispatched.

  • If an asset isn't found, the configuration option config.assets.unknown_asset_fallback (though deprecated and not slated for removal) allows for fallback handling.
  • When this fallback occurs, it results in additional requests to /assets, meaning that a dynamic configuration for skip_paths wouldn't inherently include /assets.

Additionally, thanks to the patch, the parameter preserve_cookie: true is now applied to asset requests, which prevents the deletion of the profiler cookie.

• Consequently, the unintended cookie deletion that previously triggered ActionController::RoutingError (No route matches [POST] "/mini-profiler-resources/results") no longer occurs.