Add automatic route mounting, support modern CSP format, and GitHub workflows

Co-authored-by: burisu <240595+burisu@users.noreply.github.com>

Author: Copilot

.github/workflows/test.yml

@@ -0,0 +1,31 @@
+name: Test
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    
+    strategy:
+      matrix:
+        ruby-version: ['3.0', '3.1', '3.2']
+        rails-version: ['6.1', '7.0', '7.1']
+    
+    steps:
+    - uses: actions/checkout@v3
+    
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true
+    
+    - name: Install dependencies
+      run: bundle install
+    
+    - name: Run tests
+      run: bundle exec rake test

README.md

@@ -49,16 +49,7 @@ $ rails db:migrate
 
 This creates the `reported_reports` table.
 
-3. Mount the engine in your `config/routes.rb`:
-
-```ruby
-Rails.application.routes.draw do
-  mount Reported::Engine, at: "/reported"
-  # ... your other routes
-end
-```
-
-This makes the CSP reports endpoint available at `/reported/csp-reports`.
+The CSP reports endpoint is automatically available at `/csp-reports` (no mounting required).
 
 ## Configuration
 
@@ -73,7 +64,7 @@ Rails.application.config.content_security_policy do |policy|
   # ... your other CSP directives ...
 
   # Configure the report URI
-  policy.report_uri "/reported/csp-reports"
+  policy.report_uri "/csp-reports"
 end
 ```
 

app/controllers/reported/csp_reports_controller.rb

@@ -7,11 +7,14 @@ def create
       report_data = parse_report_data
 
       if report_data
+        # Extract CSP report data, supporting both old and new formats
+        csp_data = extract_csp_data(report_data)
+        
         report = Report.create!(
-          document_uri: report_data.dig('csp-report', 'document-uri'),
-          violated_directive: report_data.dig('csp-report', 'violated-directive'),
-          blocked_uri: report_data.dig('csp-report', 'blocked-uri'),
-          original_policy: report_data.dig('csp-report', 'original-policy'),
+          document_uri: csp_data[:document_uri],
+          violated_directive: csp_data[:violated_directive],
+          blocked_uri: csp_data[:blocked_uri],
+          original_policy: csp_data[:original_policy],
           raw_report: report_data.to_json
         )
 
@@ -38,5 +41,27 @@ def parse_report_data
       Rails.logger.error("Error parsing CSP report JSON: #{e.message}")
       nil
     end
+
+    def extract_csp_data(report_data)
+      # Support both old format (csp-report) and new format (direct fields)
+      if report_data['csp-report']
+        # Old format: {"csp-report": {...}}
+        csp_report = report_data['csp-report']
+        {
+          document_uri: csp_report['document-uri'] || csp_report['documentURI'],
+          violated_directive: csp_report['violated-directive'] || csp_report['violatedDirective'] || csp_report['effective-directive'] || csp_report['effectiveDirective'],
+          blocked_uri: csp_report['blocked-uri'] || csp_report['blockedURI'],
+          original_policy: csp_report['original-policy'] || csp_report['originalPolicy']
+        }
+      else
+        # New format: direct fields or camelCase
+        {
+          document_uri: report_data['document-uri'] || report_data['documentURI'] || report_data['document_uri'],
+          violated_directive: report_data['violated-directive'] || report_data['violatedDirective'] || report_data['effective-directive'] || report_data['effectiveDirective'] || report_data['violated_directive'],
+          blocked_uri: report_data['blocked-uri'] || report_data['blockedURI'] || report_data['blocked_uri'],
+          original_policy: report_data['original-policy'] || report_data['originalPolicy'] || report_data['original_policy']
+        }
+      end
+    end
   end
 end

config/routes.rb

@@ -9,19 +9,15 @@ Next steps:
    rails reported:install:migrations
    rails db:migrate
 
-2. Mount the engine in your routes.rb:
-   
-   mount Reported::Engine, at: "/reported"
-
-   This will make the CSP reports endpoint available at /reported/csp-reports
+2. The CSP reports endpoint is automatically available at /csp-reports
 
 3. Configure your Content Security Policy to send reports to this endpoint:
 
    In your config/initializers/content_security_policy.rb:
 
    Rails.application.config.content_security_policy do |policy|
      # ... your CSP directives ...
-     policy.report_uri "/reported/csp-reports"
+     policy.report_uri "/csp-reports"
    end
 
 4. Configure Slack notifications in config/initializers/reported.rb

lib/generators/reported/install/README

@@ -6,5 +6,12 @@ class Engine < ::Rails::Engine
       g.test_framework :test_unit
       g.fixture_replacement :factory_bot, dir: 'spec/factories'
     end
+
+    # Automatically add routes to the main application
+    initializer "reported.add_routes" do |app|
+      app.routes.prepend do
+        post '/csp-reports', to: 'reported/csp_reports#create'
+      end
+    end
   end
 end

lib/reported/engine.rb

@@ -2,23 +2,43 @@
 
 module Reported
   class CspReportsControllerTest < ActionDispatch::IntegrationTest
-    include Engine.routes.url_helpers
-
     setup do
-      @valid_csp_report = {
+      @valid_csp_report_old_format = {
         "csp-report" => {
           "document-uri" => "https://example.com/page",
           "violated-directive" => "script-src 'self'",
           "blocked-uri" => "https://evil.com/script.js",
           "original-policy" => "default-src 'self'; script-src 'self'"
         }
       }
+
+      @valid_csp_report_new_format = {
+        "documentURI" => "https://example.com/page",
+        "violatedDirective" => "script-src 'self'",
+        "blockedURI" => "https://evil.com/script.js",
+        "originalPolicy" => "default-src 'self'; script-src 'self'"
+      }
+    end
+
+    test "creates report with valid CSP data (old format)" do
+      assert_difference 'Report.count', 1 do
+        post '/csp-reports', 
+          params: @valid_csp_report_old_format.to_json,
+          headers: { 'CONTENT_TYPE' => 'application/json' }
+      end
+      
+      assert_response :no_content
+      
+      report = Report.last
+      assert_equal "https://example.com/page", report.document_uri
+      assert_equal "script-src 'self'", report.violated_directive
+      assert_equal "https://evil.com/script.js", report.blocked_uri
     end
 
-    test "creates report with valid CSP data" do
+    test "creates report with valid CSP data (new format)" do
       assert_difference 'Report.count', 1 do
-        post csp_reports_url, 
-          params: @valid_csp_report.to_json,
+        post '/csp-reports', 
+          params: @valid_csp_report_new_format.to_json,
           headers: { 'CONTENT_TYPE' => 'application/json' }
       end
 
@@ -32,7 +52,7 @@ class CspReportsControllerTest < ActionDispatch::IntegrationTest
 
     test "returns bad_request with invalid JSON" do
       assert_no_difference 'Report.count' do
-        post csp_reports_url,
+        post '/csp-reports',
           params: "invalid json{",
           headers: { 'CONTENT_TYPE' => 'application/json' }
       end
@@ -42,7 +62,7 @@ class CspReportsControllerTest < ActionDispatch::IntegrationTest
 
     test "returns bad_request with empty body" do
       assert_no_difference 'Report.count' do
-        post csp_reports_url,
+        post '/csp-reports',
           params: "",
           headers: { 'CONTENT_TYPE' => 'application/json' }
       end
@@ -51,19 +71,19 @@ class CspReportsControllerTest < ActionDispatch::IntegrationTest
     end
 
     test "stores raw_report as JSON" do
-      post csp_reports_url,
-        params: @valid_csp_report.to_json,
+      post '/csp-reports',
+        params: @valid_csp_report_old_format.to_json,
         headers: { 'CONTENT_TYPE' => 'application/json' }
 
       report = Report.last
       parsed = JSON.parse(report.raw_report)
-      assert_equal @valid_csp_report, parsed
+      assert_equal @valid_csp_report_old_format, parsed
     end
 
     test "does not require CSRF token" do
       # This test verifies that external browsers can POST without CSRF token
-      post csp_reports_url,
-        params: @valid_csp_report.to_json,
+      post '/csp-reports',
+        params: @valid_csp_report_old_format.to_json,
         headers: { 'CONTENT_TYPE' => 'application/json' }
 
       assert_response :no_content

test/controllers/csp_reports_controller_test.rb

@@ -1,3 +1,3 @@
 Rails.application.routes.draw do
-  mount Reported::Engine => "/reported"
+  # Routes are automatically added by Reported::Engine initializer
 end