
Security

Superglue keeps your page content in memory. If you navigate using a normal HTML link or form that does a full page reload, that in-memory state is destroyed.

Tip

Superglue does store the following in History.state for convenience:

export interface HistoryState {
  /** Is always `true` so superglue can differentiate pages that have superglue enabled or not */
  superglue: true
  /** The scroll position X of the page*/
  posX: number
  /** The scroll position Y of the page*/
  posY: number
}

Authentication

You can use any Rails authentication system: Devise, Authentication Zero, etc. Superglue leverages standard Rails patterns (routes, controllers, and views), which keeps it compatible with the Rails ecosystem.

Logging out

When implementing a logout button, use a normal HTML link or form that does a full page reload. The full reload clears Superglue's in-memory state, so nothing from the previous session remains in the page after logout.

✅ Do

  <a href="/users/logout"> Logout </a>

❌ Don't

  <a data-sg-visit href="/users/logout"> Logout </a>

When working with Devise, be sure to enable JSON as a navigational format:

# config/initializers/devise.rb
config.navigational_formats = ["/", :html, :json]

CSRF Protection

Forms

Superglue ships with form_props for building forms. Like its Rails counterpart, form_with, form_props generates a CSRF token per form.

For example, the following creates two forms, each with its own CSRF token:

json.updateFormA do
  form_props(model: @post) do |f|
    f.submit
  end
end

json.updateFormB do
  form_props(model: @post) do |f|
    f.submit
  end
end

remote and visit

When used with a non-GET request, both functions send the CSRF token generated at the page level. That token is available in the state returned by the useSuperglue hook and is refreshed on each page response received, so read it at request time rather than caching it once. You can also use this state for your own custom fetch calls.
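The following is an added example, not code from Superglue itself, of a custom fetch helper that applies the same rule as remote and visit: attach the page-level CSRF token to every state-changing request and leave safe methods alone. It assumes the token is read from a csrfToken field of the state returned by useSuperglue inside a component (that field name is an assumption; check it against your Superglue version) and passed in at call time, so a token refreshed by a later page response is always the one sent. The fetch implementation is injectable so the helper can be exercised outside a browser.

```javascript
// Added example, not Superglue's own code.
// Assumed usage inside a React component:
//   const { csrfToken } = useSuperglue()   // field name is an assumption
//   await csrfFetch('/posts', { method: 'POST', csrfToken, body: { title: 'x' } })

// Methods that Rails treats as safe; they carry no CSRF token.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS'])

// Build the options object for fetch(). Non-safe verbs must carry the token in
// the X-CSRF-Token header, which Rails' protect_from_forgery checks alongside
// the authenticity_token form field.
function buildRequestInit(method, csrfToken, body) {
  const verb = method.toUpperCase()
  const headers = {
    Accept: 'application/json',
    'X-Requested-With': 'XMLHttpRequest',
  }

  if (!SAFE_METHODS.has(verb)) {
    if (!csrfToken) {
      // Fail loudly rather than let Rails reject the request later.
      throw new Error(`CSRF token required for ${verb} request`)
    }
    headers['X-CSRF-Token'] = csrfToken
  }

  const init = {
    method: verb,
    headers,
    // Send the session cookie on same-origin requests only.
    credentials: 'same-origin',
  }

  if (body !== undefined) {
    headers['Content-Type'] = 'application/json'
    init.body = JSON.stringify(body)
  }
  return init
}

// Perform the request. A 422 is what Rails returns for
// ActionController::InvalidAuthenticityToken (stale or missing token), so it
// is surfaced as a distinct error instead of being treated as a normal reply.
async function csrfFetch(url, { method = 'GET', csrfToken, body, fetchImpl = globalThis.fetch } = {}) {
  const res = await fetchImpl(url, buildRequestInit(method, csrfToken, body))
  if (res.status === 422) {
    throw new Error('CSRF token rejected; reload the page to obtain a fresh token')
  }
  return res
}
```

Because the token is refreshed on every page response, pass the current value from the hook on each call instead of capturing it once at mount; a token captured before a visit may no longer match the one Rails expects.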