Return 307 status instead of 301 when rerouting POST requests to SSL

When `config.force_ssl` is set to `true`, any POST/PUT/DELETE requests coming in to non-secure url are being redirected with a 301 status.
However, when that happens, the request is converted to a GET request and ends up hitting a different action on the controller.

Since we can not do non-GET redirects, we can instead redirect with a 307 status code instead to indicate to the caller that a fresh request should be tried preserving the original request method.

`rack-ssl` gem which was used to achieve this before we had this middleware directly baked into Rails also used to do the same, ref: https://github.com/josh/rack-ssl/blob/master/lib/rack/ssl.rb#L54

This would be specially important for any apps switching from older version of Rails or apps which expose an API through Rails.

1 files changed, 14 insertions, 0 deletions

diff --git a/actionpack/test/dispatch/ssl_test.rb b/actionpack/test/dispatch/ssl_test.rb
index ccddb90bb5..71b274bf1e 100644
--- a/actionpack/test/dispatch/ssl_test.rb
+++ b/actionpack/test/dispatch/ssl_test.rb
@@ -38,6 +38,16 @@ class RedirectSSLTest < SSLTest
     assert_equal redirect[:body].join, @response.body
   end
 
+  def assert_post_redirected(redirect: {}, from: "http://a/b?c=d",
+    to: from.sub("http", "https"))
+
+    self.app = build_app ssl_options: { redirect: redirect }
+
+    post from
+    assert_response redirect[:status] || 307
+    assert_redirected_to to
+  end
+
   test "exclude can avoid redirect" do
     excluding = { exclude: -> request { request.path =~ /healthcheck/ } }
 
@@ -57,6 +67,10 @@ class RedirectSSLTest < SSLTest
     assert_redirected
   end
 
+  test "http POST is redirected to https with status 307" do
+    assert_post_redirected
+  end
+
   test "redirect with non-301 status" do
     assert_redirected redirect: { status: 307 }
   end