discourse/config/initializers/006-mini_profiler.rb

# frozen_string_literal: true

# If Mini Profiler is included via gem
if Rails.configuration.respond_to?(:load_mini_profiler) && Rails.configuration.load_mini_profiler &&
     RUBY_ENGINE == "ruby"
  require "rack-mini-profiler"
  require "stackprof"

  begin
    require "memory_profiler"
  rescue => e
    STDERR.put "#{e} failed to require mini profiler"
  end

  # initialization is skipped so trigger it
  Rack::MiniProfilerRails.initialize!(Rails.application)
end

if defined?(Rack::MiniProfiler) && defined?(Rack::MiniProfiler::Config)
  # note, we may want to add some extra security here that disables mini profiler in a multi hosted env unless user global admin
  #   raw_connection means results are not namespaced
  #
  # namespacing gets complex, cause mini profiler is in the rack chain way before multisite
  Rack::MiniProfiler.config.storage_instance =
    Rack::MiniProfiler::RedisStore.new(connection: DiscourseRedis.new(nil, namespace: false))

  Rack::MiniProfiler.config.snapshot_every_n_requests = GlobalSetting.mini_profiler_snapshots_period
  Rack::MiniProfiler.config.snapshots_transport_destination_url =
    GlobalSetting.mini_profiler_snapshots_transport_url
  Rack::MiniProfiler.config.snapshots_transport_auth_key =
    GlobalSetting.mini_profiler_snapshots_transport_auth_key
  Rack::MiniProfiler.config.skip_paths =
    %w[
      /assets/
      /cdn_asset/
      /extra-locales/
      /favicon/proxied
      /highlight-js/
      /images/
      /javascripts/
      /letter_avatar_proxy/
      /letter_avatar/
      /logs
      /manifest.webmanifest
      /message-bus/
      /opensearch.xml
      /presence/
      /secure-media-uploads/
      /secure-uploads/
      /srv/status
      /stylesheets/
      /svg-sprite/
      /theme-javascripts
      /topics/timings
      /uploads/
      /user_avatar/
    ].map { |path| "#{Discourse.base_path}#{path}" }.concat([/.*theme-qunit/])

  # we DO NOT WANT mini-profiler loading on anything but real desktops and laptops
  # so let's rule out all handheld, tablet, and mobile devices
  Rack::MiniProfiler.config.pre_authorize_cb =
    lambda { |env| env["HTTP_USER_AGENT"] !~ /iPad|iPhone|Android/ }

  # without a user provider our results will use the ip address for namespacing
  #  with a load balancer in front this becomes really bad as some results can
  #  be stored associated with ip1 as the user and retrieved using ip2 causing 404s
  Rack::MiniProfiler.config.user_provider =
    lambda do |env|
      request = Rack::Request.new(env)
      id = request.cookies["_t"] || request.ip || "unknown"
      id = id.to_s
      # some security, lets not have these tokens floating about
      Digest::MD5.hexdigest(id)
    end

  # Cookie path should be set to the base path so Discourse's session cookie path
  #  does not get clobbered.
  Rack::MiniProfiler.config.cookie_path = Discourse.base_path.presence || "/"

  Rack::MiniProfiler.config.position = "right"

  Rack::MiniProfiler.config.backtrace_ignores ||= []
  Rack::MiniProfiler.config.backtrace_ignores << %r{lib/rack/message_bus.rb}
  Rack::MiniProfiler.config.backtrace_ignores << %r{config/initializers/silence_logger}
  Rack::MiniProfiler.config.backtrace_ignores << %r{config/initializers/quiet_logger}

  Rack::MiniProfiler.config.backtrace_includes = [%r{^/?(app|config|lib|test|plugins)}]

  Rack::MiniProfiler.config.max_traces_to_show = 100 if Rails.env.development?

  Rack::MiniProfiler.config.content_security_policy_nonce =
    Proc.new do |env, headers|
      if csp = headers["Content-Security-Policy"]
        csp[/script-src[^;]+'nonce-([^']+)'/, 1]
      end
    end

  Rack::MiniProfiler.counter_method(Redis::Client, :call) { "redis" }
  # Rack::MiniProfiler.counter_method(ActiveRecord::QueryMethods, 'build_arel')
  # Rack::MiniProfiler.counter_method(Array, 'uniq')
  # require "#{Rails.root}/vendor/backports/notification"

  # inst = Class.new
  # class << inst
  #   def start(name,id,payload)
  #     if Rack::MiniProfiler.current && name !~ /(process_action.action_controller)|(render_template.action_view)/
  #       @prf ||= {}
  #       @prf[id] ||= []
  #       @prf[id] << Rack::MiniProfiler.start_step("#{payload[:serializer] if name =~ /serialize.serializer/} #{name}")
  #     end
  #   end

  #   def finish(name,id,payload)
  #     if Rack::MiniProfiler.current && name !~ /(process_action.action_controller)|(render_template.action_view)/
  #       t = @prf[id].pop
  #       @prf.delete id unless t
  #       Rack::MiniProfiler.finish_step t
  #     end
  #   end
  # end
  # disabling for now cause this slows stuff down too much
  # ActiveSupport::Notifications.subscribe(/.*/, inst)

  # Rack::MiniProfiler.profile_method ActionView::PathResolver, 'find_templates'
end

if ENV["PRINT_EXCEPTIONS"]
  trace =
    TracePoint.new(:raise) do |tp|
      puts tp.raised_exception
      puts tp.raised_exception.backtrace.join("\n")
      puts
    end
  trace.enable
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 17:17:27 -05:00			`# frozen_string_literal: true`

Initial release of Discourse 2013-02-05 13:16:51 -06:00			`# If Mini Profiler is included via gem`
DEV: Compatibility with TruffleRuby (#16641) 2022-05-04 20:50:02 -05:00			`if Rails.configuration.respond_to?(:load_mini_profiler) && Rails.configuration.load_mini_profiler &&`
			`RUBY_ENGINE == "ruby"`
introduce rack:cache as a default, so users don't need to configure apache or nginx under rack cache we are able to serve 620reqs a second per thin (on my machine) before it 12 (on my machine) reorganised so mini profilers can be cleanly disabled from config file added caching for categories index move production.rb to production.sample.rb 2013-04-11 01:24:08 -05:00			`require "rack-mini-profiler"`
DEV: update rack-mini-profiler (#11597) Included support for flamegraphs using speedscope! 2020-12-28 20:54:41 -06:00			`require "stackprof"`
Partially revert https://github.com/discourse/discourse/commit/09b92dd3. 2016-06-30 12:21:40 -05:00
			`begin`
			`require "memory_profiler"`
			`rescue => e`
			`STDERR.put "#{e} failed to require mini profiler"`
			`end`
Ruby 2.2 fixes 2014-12-28 20:30:54 -06:00
introduce rack:cache as a default, so users don't need to configure apache or nginx under rack cache we are able to serve 620reqs a second per thin (on my machine) before it 12 (on my machine) reorganised so mini profilers can be cleanly disabled from config file added caching for categories index move production.rb to production.sample.rb 2013-04-11 01:24:08 -05:00			`# initialization is skipped so trigger it`
			`Rack::MiniProfilerRails.initialize!(Rails.application)`
			`end`

DEV: update mini profiler This provides us with instrumentation missing after rails upgrade Latest version of rails uses exec_params internally which is no longer routed to intercepted methods in mini profiler 1.0.0 2018-12-09 21:29:20 -06:00			`if defined?(Rack::MiniProfiler) && defined?(Rack::MiniProfiler::Config)`
mini profiler fix for multisite 2013-03-25 01:19:59 -05:00			`# note, we may want to add some extra security here that disables mini profiler in a multi hosted env unless user global admin`
			`# raw_connection means results are not namespaced`
			`#`
			`# namespacing gets complex, cause mini profiler is in the rack chain way before multisite`
Fix Redis command errors when trying to start app with a readonly Redis. 2017-08-02 00:32:01 -05:00			`Rack::MiniProfiler.config.storage_instance =`
			`Rack::MiniProfiler::RedisStore.new(connection: DiscourseRedis.new(nil, namespace: false))`
Initial release of Discourse 2013-02-05 13:16:51 -06:00
DEV: Add ENV variable for enabling MiniProfiler snapshots (#10690) * DEV: Add ENV variable for enabling MiniProfiler snapshots * MiniProfiler is not loaded in test env 2020-09-17 10:18:35 -05:00			`Rack::MiniProfiler.config.snapshot_every_n_requests = GlobalSetting.mini_profiler_snapshots_period`
DEV: Add optional ENV variables for MiniProfiler snapshots transporter (#10985) 2020-10-21 11:37:28 -05:00			`Rack::MiniProfiler.config.snapshots_transport_destination_url =`
			`GlobalSetting.mini_profiler_snapshots_transport_url`
			`Rack::MiniProfiler.config.snapshots_transport_auth_key =`
			`GlobalSetting.mini_profiler_snapshots_transport_auth_key`
DEV: Improve mini_profiler skipped paths (#20544) - Remove no-longer-used `commits-widget` and `site_customizations` paths - Add `/presence/` - Move from regex to strings. The unanchored regexes were causing unexpected behaviour (e.g. if a topic had the word `assets` in its slug, it would be skipped). When passed strings, mini-profiler uses `String#starts_with?` for comparison - Add `Discourse.base_path` to ensure proper functionality in subfolder environments 2023-03-06 05:39:15 -06:00			`Rack::MiniProfiler.config.skip_paths =`
			`%w[`
			`/assets/`
			`/cdn_asset/`
			`/extra-locales/`
			`/favicon/proxied`
			`/highlight-js/`
			`/images/`
			`/javascripts/`
			`/letter_avatar_proxy/`
			`/letter_avatar/`
			`/logs`
			`/manifest.webmanifest`
			`/message-bus/`
			`/opensearch.xml`
			`/presence/`
			`/secure-media-uploads/`
			`/secure-uploads/`
			`/srv/status`
			`/stylesheets/`
			`/svg-sprite/`
			`/theme-javascripts`
			`/topics/timings`
			`/uploads/`
			`/user_avatar/`
DEV: Run QUnit tests for official Discourse themes (#24405) Why this change? As the number of themes which the Discourse team supports officially grows, we want to ensure that changes made to Discourse core do not break the plugins. As such, we are adding a step to our Github actions test job to run the QUnit tests for all official themes. What does this change do? This change adds a new job to our tests Github actions workflow to run the QUnit tests for all official plugins. This is achieved with the following changes: 1. Update `testem.js` to rely on the `THEME_TEST_PAGES` env variable to set the `test_page` option when running theme QUnit tests with testem. The `test_page` option [allows an array to be specified](https://github.com/testem/testem#multiple-test-pages) such that tests for multiple pages can be run at the same time. We are relying on a ENV variable because the `testem` CLI does not support passing a list of pages to the `--test_page` option. 2. Support a `/testem-theme-qunit/:testem_id/theme-qunit` Rails route in the development environment. This is done because testem prefixes the path with a unique ID to the configured `test_page` URL. This is problematic for us because we proxy all testem requests to the Rails server and testem's proxy configuration option does not allow us to easily rewrite the URL to remove the prefix. Therefore, we configure a proxy in testem to prefix `theme-qunit` requests with `/testem-theme-qunit` which can then be easily identified by the Rails server and routed accordingly. 3. Update `qunit:test` to support a `THEME_IDS` environment variable which will allow it to run QUnit tests for multiple themes at the same time. 4. Support `bin/rake themes:qunit[ids,"<theme_id>\|<theme_id>"]` to run the QUnit tests for multiple themes at the same time. 5. Adds a `themes:qunit_all_official` Rake task which runs the QUnit tests for all the official themes. 2023-11-16 17:17:32 -06:00			`].map { \|path\| "#{Discourse.base_path}#{path}" }.concat([/.*theme-qunit/])`
ignore uploads for mini profiler 2015-04-16 21:16:37 -05:00
clarify why block all mobile/tablet for miniprofiler 2016-03-15 18:54:40 -05:00			`# we DO NOT WANT mini-profiler loading on anything but real desktops and laptops`
			`# so let's rule out all handheld, tablet, and mobile devices`
remove trailing whitespaces :heart: 2013-02-25 10:42:20 -06:00			`Rack::MiniProfiler.config.pre_authorize_cb =`
DEV: Add ENV variable for enabling MiniProfiler snapshots (#10690) * DEV: Add ENV variable for enabling MiniProfiler snapshots * MiniProfiler is not loaded in test env 2020-09-17 10:18:35 -05:00			`lambda { \|env\| env["HTTP_USER_AGENT"] !~ /iPad\|iPhone\|Android/ }`
Initial release of Discourse 2013-02-05 13:16:51 -06:00
comment out dead code add some explanations 2013-03-24 22:09:28 -05:00			`# without a user provider our results will use the ip address for namespacing`
			`# with a load balancer in front this becomes really bad as some results can`
Migrate all jasmine specs to Qunit. Removed Jasmine. 2013-06-19 14:06:23 -05:00			`# be stored associated with ip1 as the user and retrieved using ip2 causing 404s`
wow, this has been broken for OH so long, we need to segragate users correctly so MP results work as expected 2013-03-24 21:52:03 -05:00			`Rack::MiniProfiler.config.user_provider =`
			`lambda do \|env\|`
fix mp in prd 2013-03-24 22:36:55 -05:00			`request = Rack::Request.new(env)`
			`id = request.cookies["_t"] \|\| request.ip \|\| "unknown"`
			`id = id.to_s`
			`# some security, lets not have these tokens floating about`
			`Digest::MD5.hexdigest(id)`
wow, this has been broken for OH so long, we need to segragate users correctly so MP results work as expected 2013-03-24 21:52:03 -05:00			`end`

FIX: dev subfolder session cookies (#16031) rack-mini-profiler was setting a cookie path of / which was clobbering the session cookie path of Discourse.base_path. Fixes some issues when local dev is unable to read or write from/to the user session, such as during omniauth CSRF checks. 2022-02-23 08:42:57 -06:00			`# Cookie path should be set to the base path so Discourse's session cookie path`
			`# does not get clobbered.`
DEV: Ensure Mini Profiler's `cookie_path` is not empty or nil (#16039) Follow-up to https://github.com/discourse/discourse/commit/9c50c69bd22b8017bc5e83c661045ac865f859b4. 2022-02-23 13:18:58 -06:00			`Rack::MiniProfiler.config.cookie_path = Discourse.base_path.presence \|\| "/"`
FIX: dev subfolder session cookies (#16031) rack-mini-profiler was setting a cookie path of / which was clobbering the session cookie path of Discourse.base_path. Fixes some issues when local dev is unable to read or write from/to the user session, such as during omniauth CSRF checks. 2022-02-23 08:42:57 -06:00
FIX: CSS tweak and production position fix for miniprofiler (#17493) * DEV: Format miniprofiler html * FIX: Move miniprofiler to the right in production * UX: Fix and merge miniprofiler css 2022-07-14 06:03:43 -05:00			`Rack::MiniProfiler.config.position = "right"`

Initial release of Discourse 2013-02-05 13:16:51 -06:00			`Rack::MiniProfiler.config.backtrace_ignores \|\|= []`
			`Rack::MiniProfiler.config.backtrace_ignores << %r{lib/rack/message_bus.rb}`
			`Rack::MiniProfiler.config.backtrace_ignores << %r{config/initializers/silence_logger}`
			`Rack::MiniProfiler.config.backtrace_ignores << %r{config/initializers/quiet_logger}`

FIX: rack-mini-profiler not showing plugin frames Previously the default stack suppressor in rack-mini-profiler was excluding the plugin directory. This made islolating issues more complicated cause you needed to defer to pp=full-backtrace which is both slow and noisy 2019-08-19 00:47:53 -05:00			`Rack::MiniProfiler.config.backtrace_includes = [%r{^/?(app\|config\|lib\|test\|plugins)}]`

DEV: Increase number of mini-profiler traces in development. Assets are served via the server in development and the default 20 traces is too little for the number of assets we load in development. 2021-06-10 01:22:47 -05:00			`Rack::MiniProfiler.config.max_traces_to_show = 100 if Rails.env.development?`

FEATURE: Add experimental option for strict-dynamic CSP (#25664) The strict-dynamic CSP directive is supported in all our target browsers, and makes for a much simpler configuration. Instead of allowlisting paths, we use a per-request nonce to authorize `<script>` tags, and then those scripts are allowed to load additional scripts (or add additional inline scripts) without restriction. This becomes especially useful when admins want to add external scripts like Google Tag Manager, or advertising scripts, which then go on to load a ton of other scripts. All script tags introduced via themes will automatically have the nonce attribute applied, so it should be zero-effort for theme developers. Plugins may need some changes if they are inserting their own script tags. This commit introduces a strict-dynamic-based CSP behind an experimental `content_security_policy_strict_dynamic` site setting. 2024-02-16 05:16:54 -06:00			`Rack::MiniProfiler.config.content_security_policy_nonce =`
			`Proc.new do \|env, headers\|`
			`if csp = headers["Content-Security-Policy"]`
			`csp[/script-src[^;]+'nonce-([^']+)'/, 1]`
			`end`
			`end`

DEV: Track redis calls count in mini profiler (#11088) 2020-10-30 11:11:22 -05:00			`Rack::MiniProfiler.counter_method(Redis::Client, :call) { "redis" }`
some soample counter methods 2013-08-30 01:44:17 -05:00			`# Rack::MiniProfiler.counter_method(ActiveRecord::QueryMethods, 'build_arel')`
			`# Rack::MiniProfiler.counter_method(Array, 'uniq')`
Initial release of Discourse 2013-02-05 13:16:51 -06:00			`# require "#{Rails.root}/vendor/backports/notification"`

comment out dead code add some explanations 2013-03-24 22:09:28 -05:00			`# inst = Class.new`
			`# class << inst`
			`# def start(name,id,payload)`
			`# if Rack::MiniProfiler.current && name !~ /(process_action.action_controller)\|(render_template.action_view)/`
			`# @prf \|\|= {}`
			`# @prf[id] \|\|= []`
			`# @prf[id] << Rack::MiniProfiler.start_step("#{payload[:serializer] if name =~ /serialize.serializer/} #{name}")`
			`# end`
			`# end`

			`# def finish(name,id,payload)`
			`# if Rack::MiniProfiler.current && name !~ /(process_action.action_controller)\|(render_template.action_view)/`
			`# t = @prf[id].pop`
			`# @prf.delete id unless t`
			`# Rack::MiniProfiler.finish_step t`
			`# end`
			`# end`
			`# end`
Initial release of Discourse 2013-02-05 13:16:51 -06:00			`# disabling for now cause this slows stuff down too much`
			`# ActiveSupport::Notifications.subscribe(/.*/, inst)`

			`# Rack::MiniProfiler.profile_method ActionView::PathResolver, 'find_templates'`
			`end`
add some extra diagnostics 2015-08-19 01:58:25 -05:00
			`if ENV["PRINT_EXCEPTIONS"]`
			`trace =`
			`TracePoint.new(:raise) do \|tp\|`
			`puts tp.raised_exception`
			`puts tp.raised_exception.backtrace.join("\n")`
			`puts`
			`end`
			`trace.enable`
			`end`