Auto-resolve renderer password from ENV in Rails Pro #2921
Walkthrough
Code, tests, and docs align password resolution and security guidance for the Node Renderer: effective password resolution order is config.renderer_password (blank treated as missing) → password embedded in config.renderer_url → ENV["RENDERER_PASSWORD"]. Documentation adds host/network security guidance and REPL/VM RCE warnings.
Changes
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant Rails as Rails App
    participant Resolver as Password Resolver
    participant URL as Renderer URL
    participant ENV as ENV
    participant Node as Node Renderer
    Rails->>Resolver: provide `config.renderer_password` and `config.renderer_url`
    Resolver->>Resolver: if config.password present and non-blank → use it
    Resolver->>URL: parse password from `config.renderer_url` if config blank
    URL-->>Resolver: return URL password (or blank)
    alt URL blank
        Resolver->>ENV: read `ENV["RENDERER_PASSWORD"]`
        ENV-->>Resolver: return ENV password (or blank)
    end
    Resolver->>Rails: return effective password
    Rails->>Node: connect using effective password
```
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 371fb88df6
Review: Auto-resolve renderer password from ENV in Rails Pro

The intent is solid and the test coverage is good. A few things worth addressing before merge:

Error message contradicts new behavior The Installation doc comment is self-contradicting The added comment 'Optional: if omitted, Rails falls back to ENV...' sits above a line that still assigns

CHANGELOG is unchecked

The PR checklist marks 'Update CHANGELOG file' as unchecked. Per the project's contribution guidelines this should be filled in before merging.

Positive notes

The three-step precedence (config, URL, ENV) is cleanly implemented and aligns with Node-side behavior. The
Greptile Summary
This PR aligns the Rails-side Key changes:
Confidence Score: 2/5
Important Files Changed
Flowchart
```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[setup_renderer_creds called] --> B{renderer_creds.present?}
    B -- Yes --> Z[Return early — already set]
    B -- No --> C{renderer_creds is explicit empty string?}
    C -- Yes --> D[explicit_blank = true]
    C -- No --> E[explicit_blank = false]
    D --> F[Extract creds from renderer_url URI]
    E --> F
    F --> G{URL creds found?}
    G -- Yes --> H[Use URL-embedded creds]
    G -- No --> I{explicit_blank?}
    I -- Yes --> J[Skip ENV — fail-closed for explicit blank]
    I -- No --> K[Resolve creds from ENV variable]
    H --> L[validate_creds_for_production]
    J --> L
    K --> L
    L --> M{creds present?}
    M -- Yes --> N[Valid — proceed]
    M -- No --> O{NodeRenderer in use?}
    O -- No --> N
    O -- Yes --> P{RAILS_ENV is dev or test?}
    P -- Yes --> N
    P -- No --> Q[Raise error — creds required in production]
```
🧹 Nitpick comments (2)
react_on_rails_pro/spec/react_on_rails_pro/configuration_spec.rb (1)
152-162: Use named subjects for the new examples.
These new specs are good, but they should follow the repo RSpec convention by introducing named subjects for the configured result under test.
As per coding guidelines, "Use named subjects in RSpec tests (e.g., `subject(:method_result) { ... }` instead of unnamed `subject { ... }`)."
Also applies to: 217-229, 253-264
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@react_on_rails_pro/spec/react_on_rails_pro/configuration_spec.rb` around lines 152 - 162, Introduce a named RSpec subject for the configured value instead of relying on implicit/unnamed subjects: after the ReactOnRailsPro.configure block, add a subject like subject(:configured_renderer_password) { ReactOnRailsPro.configuration.renderer_password } and change the expectation to use that named subject (e.g., expect(configured_renderer_password).to eq("env-password")). Apply the same pattern to the other examples mentioned (the examples around the other ranges) so each test exposes the result under test via a subject(:name) { ... } referencing ReactOnRailsPro.configuration or the specific method under test.
react_on_rails_pro/lib/react_on_rails_pro/configuration.rb (1)
278-283: Tighten precedence wording for explicit empty-string override.
Line 283 says empty-string assignment “will raise in production-like environments,” but with a URL-embedded password it won’t raise. Clarify that empty string blocks only the ENV fallback path.
✏️ Suggested wording update
- Rails resolves the password in this order: - 1) config.renderer_password (except empty string, which counts as missing) - 2) Password embedded in config.renderer_url (for example, https://:password@host:3800) - 3) ENV["RENDERER_PASSWORD"] - - An empty-string assignment still counts as missing and will raise in production-like environments. + Rails resolves the password in this order: + 1) config.renderer_password (except empty string, which is treated as unset) + 2) Password embedded in config.renderer_url (for example, https://:password@host:3800) + 3) ENV["RENDERER_PASSWORD"] (unless renderer_password was explicitly set to an empty string) + + An explicit empty-string assignment disables ENV fallback and will raise in production-like environments + when no URL password is present.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@react_on_rails_pro/lib/react_on_rails_pro/configuration.rb` around lines 278 - 283, The doc comment in Configuration about password resolution is misleading: change the sentence that currently reads “An empty-string assignment still counts as missing and will raise in production-like environments.” to clarify that assigning an empty string only prevents falling back to ENV["RENDERER_PASSWORD"], but does not override a password embedded in config.renderer_url; i.e., explicitly state that an empty-string renderer_password blocks the ENV fallback path while a URL-embedded password in config.renderer_url still takes precedence over ENV.
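Review bot: in the suggested wording, step 1 now says an empty string "is treated as unset", while step 3 and the closing sentence give an explicit empty string a different effect from unset (it disables the ENV fallback), so the comment still describes blank in two ways. Suggest stating the rule once, for example that an empty-string `renderer_password` skips steps 1 and 3 so only a URL-embedded password can satisfy the check, and dropping "treated as unset" from step 1.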
@claude review this PR
The Node Renderer executes arbitrary JavaScript via vm.runInContext(), making it a remote code execution service by design. The vm module is explicitly not a security boundary per the Node.js docs. The localhost default follows PostgreSQL's model: secure by default at the network layer, with authentication as a second layer for production environments.

Add a Network Security section to basics.md explaining the threat model, the PostgreSQL analogy, and when/how to safely bind to 0.0.0.0.

Strengthen the security cautions in js-configuration.md and container-deployment.md to reference the actual RCE risk rather than generic "don't expose services" warnings.

Add RENDERER_HOST to the env var list in basics.md.

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

- installation.md: comment out renderer_password line in example so the "optional" comment is no longer contradicted by a hardcoded "changeme" fallback that prevents ENV auto-read from firing
- configuration.rb error message: lead with the simpler fix (just set ENV) instead of instructing both ENV + initializer assignment
- Clarify explicit-blank-password asymmetry: docs and error message now state that empty string skips the ENV fallback specifically, not all subsequent resolution steps

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Review follow-up summary (773ba27)

Addressed 4 review comments, replied with rationale to 2 skipped items, and resolved all 6 threads.

Fixed
Skipped with rationale
Note: The missing CHANGELOG entry was flagged separately in an earlier review pass.
Review: Auto-resolve renderer password from ENV in Rails Pro

The direction is right — aligning Ruby-side behavior with the Node renderer defaults reduces boilerplate and removes a common misconfiguration footgun. The security documentation additions are also a net positive. A few issues worth addressing before merge:

Logic gap: explicit empty string + URL-embedded password

The most significant issue is in See inline comment on

Documentation wording is self-contradictory

The precedence list in See inline comment on

Missing test for empty-string + URL-embedded-password interaction

There's no test covering See inline comment on

Changelog not updated

The PR checklist has "Update CHANGELOG file" unchecked. Per project conventions this should be filled in before merge.

The ENV fallback logic itself (lines 242–244) is clean, the new tests for the happy path and production fail-closed behavior are correct, and the security documentation additions are accurate and useful.
…sword

An empty-string `config.renderer_password` now falls through to URL and ENV resolution just like nil, instead of blocking the ENV fallback. This simplifies the mental model: blank = not set.

- Remove explicit_blank_password variable and guard
- Update precedence docs and error message to remove empty-string special case
- Change test: "" + ENV now resolves from ENV instead of raising
- Add test: "" + URL-embedded password resolves from URL

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
- Remove Ruby code block with bare ENV.fetch("RENDERER_PASSWORD") that
would raise KeyError in development where the password is intentionally
absent. The bash export example and precedence list below are sufficient.
- Replace jargon "truthy password" with "non-empty password".
Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
|
|
||
| # Mirror Node-side defaults: if Rails config and URL are both missing a password, | ||
| # use RENDERER_PASSWORD from env. | ||
| self.renderer_password = ENV.fetch("RENDERER_PASSWORD", nil) if renderer_password.blank? |
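Review bot: on the `self.renderer_password = ENV.fetch("RENDERER_PASSWORD", nil) if renderer_password.blank?` line, only the existing value is checked for blankness, so an empty or whitespace-only `RENDERER_PASSWORD` is copied into `renderer_password` unchanged. Consider normalising at the read with `ENV["RENDERER_PASSWORD"].presence` so the attribute ends up as either a usable password or nil, and add a spec for the empty-ENV case.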
ENV.fetch("RENDERER_PASSWORD", nil) and ENV["RENDERER_PASSWORD"] are functionally identical — ENV[] already returns nil for missing keys. The fetch form adds no value here and may look like it implies a meaningful difference from a plain lookup.
| self.renderer_password = ENV.fetch("RENDERER_PASSWORD", nil) if renderer_password.blank? | |
| self.renderer_password = ENV["RENDERER_PASSWORD"] if renderer_password.blank? |
| @@ -195,6 +214,20 @@ def self.fetch(*) | |||
| end.to raise_error(ReactOnRailsPro::Error, /RENDERER_PASSWORD must be set/) | |||
| end | |||
There's no test covering the case where RENDERER_PASSWORD is set to an empty string in the environment in production. Since "" is also blank, validate_renderer_password_for_production should still raise. Worth adding to confirm the fail-closed path holds when ENV["RENDERER_PASSWORD"] = "":
```ruby
it "raises when RENDERER_PASSWORD env var is blank in production" do
  allow(ENV).to receive(:[]).with("RAILS_ENV").and_return("production")
  allow(ENV).to receive(:fetch).with("RENDERER_PASSWORD", nil).and_return("")
  expect do
    ReactOnRailsPro.configure do |config|
      config.server_renderer = "NodeRenderer"
      config.renderer_url = "https://localhost:3800"
    end
  end.to raise_error(ReactOnRailsPro::Error, /RENDERER_PASSWORD must be set/)
end
```
| end.to raise_error(ReactOnRailsPro::Error, /RENDERER_PASSWORD must be set/) | ||
| end.not_to raise_error | ||
|
|
||
| expect(ReactOnRailsPro.configuration.renderer_password).to eq("secure-password") |
Heads-up on the semantic shift this test represents: previously config.renderer_password = "" in production was an error (the old test was named "raises when renderer_password is explicitly set to blank in production"). Now it silently falls through to ENV["RENDERER_PASSWORD"].
This is probably the right design — treating blank the same as unset is consistent and the resolution chain is clearly documented. But it's worth being aware that any callers who relied on renderer_password = "" to disable authentication (prevent any password from being used) will now silently pick up the env var instead. Worth a note in the CHANGELOG or migration guide for anyone upgrading from the old fail-closed behavior.
Review

The overall approach is solid — aligning Ruby-side password resolution with the Node Renderer's three-tier chain (config → URL → ENV) removes the footgun of needing an explicit initializer assignment, and the security documentation additions are a meaningful improvement.

Things that look good:
Minor issues flagged inline:
🧹 Nitpick comments (1)
react_on_rails_pro/spec/react_on_rails_pro/configuration_spec.rb (1)
253-280: Consider adding the blank-without-ENV negative case.
You now test blank `renderer_password` resolving from ENV and URL, but there isn’t an explicit example asserting it still raises in production-like env when both are absent. Adding that case would fully pin fail-closed behavior for the new blank path.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@react_on_rails_pro/spec/react_on_rails_pro/configuration_spec.rb` around lines 253 - 280, Add a negative test that ensures blank renderer_password still fails when neither ENV nor URL provide one: stub ENV["RAILS_ENV"] to "production", stub ENV.fetch("RENDERER_PASSWORD", nil) to return nil, set config.renderer_password = "" and config.renderer_url to a URL without an embedded password, then wrap ReactOnRailsPro.configure block and assert it raises (use expect { ReactOnRailsPro.configure { ... } }.to raise_error) and that ReactOnRailsPro.configuration.renderer_password is not set to a value; this uses the existing ReactOnRailsPro.configure and ReactOnRailsPro.configuration.renderer_password symbols referenced in the other specs.
### Summary

Adds missing changelog entries to the `[Unreleased]` section for PRs merged since `v16.6.0.rc.0`. Analyzed 19 commits on `origin/main` since the last tag, identified 1 missing user-visible PR (#3069), and skipped 10 non-user-visible PRs (docs, tests, internal refactors).

**New entries added:**

- **Added**: `[Pro] Configurable HTTP keep-alive timeout for node renderer connections` (PR #3069)
- **Fixed**: `[Pro] Fixed SSR failures from stale persistent HTTP/2 connections` (PR #3069)

**Entries already present** (added in prior changelog updates): PRs #2834, #2881, #2918, #2921, #2923, #2932, #3063, #3068, #3070.

**Skipped** (not user-visible): #2893 (docs), #2916 (docs), #2922 (test fix), #2923 (test fix), #2925 (internal refactor), #3064 (docs), #3065 (docs), #3066 (docs), #3067 (docs), #3072 (docs).

### Pull Request checklist

- [x] ~Add/update test to cover these changes~
- [x] ~Update documentation~
- [x] Update CHANGELOG file

### Other Information

No code changes — CHANGELOG.md only.

---

> [!NOTE]
> **Low Risk**
> Low risk because this PR only changes documentation (`CHANGELOG.md`) and does not modify runtime code.
>
> **Overview**
> Updates `CHANGELOG.md` *[Unreleased]* to include missing Pro release notes for PR `#3069`, documenting the new `renderer_http_keep_alive_timeout` config and the associated fix for SSR failures from stale persistent HTTP/2 connections to the node renderer.
>
> Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 8d1a480. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).

## Summary by CodeRabbit

* **New Features**
  * Interactive mode selection prompt for CLI tool when no explicit mode is specified
  * Configurable keep-alive timeout setting for Pro users (default 30 seconds)
* **Bug Fixes**
  * Enhanced validation and error handling for invalid request payloads
  * Improved template literal handling in code generation
  * Better HTTP connection stability with enhanced diagnostic messaging

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
### Summary

Align React on Rails Pro Ruby-side NodeRenderer password behavior with the Node renderer by falling back to `RENDERER_PASSWORD` when neither `config.renderer_password` nor a URL-embedded password is provided, while preserving fail-closed checks for production-like environments and explicit blank-password failures. This PR also updates configuration specs to cover env fallback, URL precedence, and blank-password behavior, and updates Pro docs to document the new password precedence and setup expectations.

### Pull Request checklist

- [x] Add/update test to cover these changes
- [x] Update documentation
- [ ] Update CHANGELOG file

### Other Information

Validated with targeted RuboCop + RSpec for the changed Pro files and Prettier checks for the updated docs.

---

> [!NOTE]
> **Medium Risk**
> Changes NodeRenderer authentication configuration resolution on the Rails side, which can affect production startup/SSR connectivity if environments relied on previous blank-password behavior.
>
> **Overview**
> Aligns Rails Pro `NodeRenderer` password resolution with the Node renderer by having `setup_renderer_password` fall back to `ENV["RENDERER_PASSWORD"]` when neither `config.renderer_password` nor a URL-embedded password is provided, with blank values treated as unset.
>
> Updates production-like validation messaging and expands RSpec coverage for precedence (config → URL → ENV) and blank-password cases, and refreshes docs/changelog with the new setup guidance plus additional renderer network-security warnings (including `RENDERER_HOST`/`0.0.0.0` implications).
>
> Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9bc630a. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).

## Summary by CodeRabbit

* **Documentation**
  * Clarified password resolution precedence: configured password → URL-embedded password → environment variable; removed a documented hardcoded fallback and advise relying on ENV unless overridden.
  * Added network-security guidance: renderer defaults to localhost, warns it executes JS in a VM context, and advises always using a password and private networking when binding to 0.0.0.0; introduced RENDERER_HOST docs.
* **Improvements**
  * Blank or empty password values now fall through to URL/ENV resolution, enabling ENV-based fallback.

---------

Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
Summary
Align React on Rails Pro Ruby-side NodeRenderer password behavior with the Node renderer by falling back to `RENDERER_PASSWORD` when neither `config.renderer_password` nor a URL-embedded password is provided, while preserving fail-closed checks for production-like environments and explicit blank-password failures. This PR also updates configuration specs to cover env fallback, URL precedence, and blank-password behavior, and updates Pro docs to document the new password precedence and setup expectations.
Pull Request checklist
Other Information
Validated with targeted RuboCop + RSpec for the changed Pro files and Prettier checks for the updated docs.
Note
Medium Risk
Changes NodeRenderer authentication configuration resolution on the Rails side, which can affect production startup/SSR connectivity if environments relied on previous blank-password behavior.
Overview
Aligns Rails Pro `NodeRenderer` password resolution with the Node renderer by having `setup_renderer_password` fall back to `ENV["RENDERER_PASSWORD"]` when neither `config.renderer_password` nor a URL-embedded password is provided, with blank values treated as unset.
Updates production-like validation messaging and expands RSpec coverage for precedence (config → URL → ENV) and blank-password cases, and refreshes docs/changelog with the new setup guidance plus additional renderer network-security warnings (including `RENDERER_HOST`/`0.0.0.0` implications).
Written by Cursor Bugbot for commit 9bc630a. This will update automatically on new commits. Configure here.
Summary by CodeRabbit
Documentation
Improvements
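
The resolution order this PR settles on (`config.renderer_password`, then a password embedded in `config.renderer_url`, then `ENV["RENDERER_PASSWORD"]`, with blank treated as unset and a fail-closed check outside development and test) can be traced with the following added example. It is not the project's code: every method and class name in it is hypothetical, it uses plain Ruby instead of ActiveSupport, and it assumes an unset `RAILS_ENV` counts as production-like.

```ruby
require "uri"

# Added illustration only; not ReactOnRailsPro's code. Every name defined here
# (RendererPasswordError, blank_value?, url_password, ...) is hypothetical.
class RendererPasswordError < StandardError; end

# Plain-Ruby stand-in for ActiveSupport's blank?: nil, "" and whitespace-only.
def blank_value?(value)
  value.nil? || value.to_s.strip.empty?
end

# Password from the URL userinfo, e.g. https://:secret@host:3800.
# Returned exactly as written (no percent-decoding); nil when absent or unparsable.
def url_password(renderer_url)
  return nil if blank_value?(renderer_url)

  URI.parse(renderer_url).password
rescue URI::InvalidURIError
  nil
end

# Precedence from the PR: config, then URL, then ENV. First non-blank value wins.
def resolve_renderer_password(config_password:, renderer_url:, env: ENV)
  candidates = [
    [:config, config_password],
    [:url, url_password(renderer_url)],
    [:env, env["RENDERER_PASSWORD"]]
  ]
  source, password = candidates.find { |_source, value| !blank_value?(value) }
  { password: password, source: source }
end

# Fail closed: with the Node renderer in use and no password resolved, only
# development and test may continue.
def effective_renderer_password(config_password:, renderer_url:, env: ENV, node_renderer: true)
  resolved = resolve_renderer_password(
    config_password: config_password, renderer_url: renderer_url, env: env
  )
  return resolved if resolved[:password] || !node_renderer
  # Assumption of this example: an unset RAILS_ENV is treated as production-like.
  return resolved if %w[development test].include?(env["RAILS_ENV"])

  raise RendererPasswordError, "RENDERER_PASSWORD must be set"
end

# Constructed sample inputs covering the cases discussed in the review thread.
SAMPLE_CASES = [
  ["config wins", "secure-password", "https://:url-password@localhost:3800",
   { "RAILS_ENV" => "production", "RENDERER_PASSWORD" => "env-password" }],
  ["blank config, URL password", "", "https://:url-password@localhost:3800",
   { "RAILS_ENV" => "production", "RENDERER_PASSWORD" => "env-password" }],
  ["blank config, ENV fallback", "", "https://localhost:3800",
   { "RAILS_ENV" => "production", "RENDERER_PASSWORD" => "env-password" }],
  ["empty ENV in production", nil, "https://localhost:3800",
   { "RAILS_ENV" => "production", "RENDERER_PASSWORD" => "" }],
  ["nothing set in development", nil, "https://localhost:3800",
   { "RAILS_ENV" => "development" }]
].freeze

SAMPLE_CASES.each do |label, config_password, url, env|
  result = effective_renderer_password(
    config_password: config_password, renderer_url: url, env: env
  )
  puts format("%-28s source=%-7s password_set=%s",
              label, result[:source].inspect, !result[:password].nil?)
rescue RendererPasswordError => e
  puts format("%-28s raised: %s", label, e.message)
end
```

The "blank config, ENV fallback" case is the behaviour change the reviewers flag: an initializer that sets `renderer_password = ""` now picks up the environment value instead of failing.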