This isn't a bug but it's something security-relevant that rodauth-rails could address.
Rails will route /foo.html and /foo.json to the same controller as /foo. However, Roda doesn't consider /foo.html or /foo.json to be part of the /foo routing tree. If rodauth_app.rb sets up authentication with r.on instead of r.path.start_with? then it's possible to bypass require_account.
```ruby
# If you visit `/foo` then account handling works,
# but visiting `/foo.html` goes through to the page
# without checking for an account.
r.on "foo" do
  rodauth.require_account
end
```

Those who ignore rodauth-rails's authentication example (with r.path.start_with?) because r.on looks cleaner may end up exposing private sections of their application without knowing.
Maybe this routing difference could be bridged in the rodauth-rails integration? If not, the rodauth_app.rb template already recommends start_with?, but it may be good to add a more explicit warning about this unintuitive behavior.
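To see concretely which request paths each guard covers, here is an added Ruby illustration (not code from the issue or from rodauth-rails) that emulates Roda's string-matcher rule for `r.on "foo"` without loading the Roda gem; the sample paths are constructed.

```ruby
# Added illustration, not rodauth-rails code. It emulates (assumption:
# the roda gem is not loaded) how the two guards from the issue classify
# request paths, so you can see which paths a `rodauth.require_account`
# placed behind each guard actually covers.

# Roda's string matcher for `r.on "foo"`: the path must be exactly "/foo"
# or continue with another segment ("/foo/..."). "/foo.html" does not
# match because the character after "foo" is "." rather than "/" or end.
def roda_on_match?(path, segment)
  prefix = "/#{segment}"
  return false unless path.start_with?(prefix)
  rest = path[prefix.length..-1]
  rest.empty? || rest.start_with?("/")
end

# The guard the rodauth-rails template recommends: a plain prefix test.
# It covers "/foo.html" and "/foo.json" (format variants Rails still
# routes to the same controller), at the cost of also covering unrelated
# prefixes such as "/foobar", which merely over-protects.
def start_with_match?(path, prefix)
  path.start_with?(prefix)
end

# Constructed request paths: the first five are what Rails routes to the
# `foo` controller (".html"/".json" being format variants); "/foobar" is
# an unrelated route included to show the prefix guard's over-matching.
SAMPLE_PATHS = ["/foo", "/foo/", "/foo/1", "/foo.html", "/foo.json", "/foobar"].freeze

# Returns the sample paths that reach the controller without passing
# through the guard, i.e. without `require_account` being invoked.
def unprotected_paths(guard, paths = SAMPLE_PATHS)
  paths.reject { |path| guard.call(path) }
end

ON_GUARD         = ->(path) { roda_on_match?(path, "foo") }
START_WITH_GUARD = ->(path) { start_with_match?(path, "/foo") }

if $PROGRAM_NAME == __FILE__
  puts "r.on \"foo\" leaves unprotected: #{unprotected_paths(ON_GUARD).inspect}"
  puts "r.path.start_with?(\"/foo\") leaves unprotected: #{unprotected_paths(START_WITH_GUARD).inspect}"
end
```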