feat: allow rack protection to be turned off so that the headers can …

…be managed in nginx

lib/pact_broker/app.rb

@@ -118,7 +118,9 @@ def prepare_app
 
     def configure_middleware
       # NOTE THAT NONE OF THIS IS PROTECTED BY AUTH - is that ok?
-      @app_builder.use Rack::Protection, except: [:path_traversal, :remote_token, :session_hijacking, :http_origin]
+      if configuration.use_rack_protection
+        @app_builder.use Rack::Protection, except: [:path_traversal, :remote_token, :session_hijacking, :http_origin]
+      end
       @app_builder.use Rack::PactBroker::InvalidUriProtection
       @app_builder.use Rack::PactBroker::StoreBaseURL
       @app_builder.use Rack::PactBroker::AddPactBrokerVersionHeader

lib/pact_broker/configuration.rb

@@ -32,7 +32,7 @@ class Configuration
       :base_equality_only_on_content_that_affects_verification_results
     ]
 
-    attr_accessor :log_dir, :database_connection, :auto_migrate_db, :auto_migrate_db_data, :use_hal_browser, :html_pact_renderer
+    attr_accessor :log_dir, :database_connection, :auto_migrate_db, :auto_migrate_db_data, :use_hal_browser, :html_pact_renderer, :use_rack_protection
     attr_accessor :validate_database_connection_config, :enable_diagnostic_endpoints, :version_parser, :sha_generator
     attr_accessor :use_case_sensitive_resource_names, :order_versions_by_date
     attr_accessor :check_for_potential_duplicate_pacticipant_names
@@ -62,6 +62,7 @@ def self.default_configuration
       config.log_dir = File.expand_path("./log")
       config.auto_migrate_db = true
       config.auto_migrate_db_data = true
+      config.use_rack_protection = true
       config.use_hal_browser = true
       config.validate_database_connection_config = true
       config.enable_diagnostic_endpoints = true