auto_strong_parameters 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 7957f41175cec758139ef39f6b1b1889b7d164c51b658cf09ad58f9a14fc8b9e
+  data.tar.gz: a5775efa5e7ad60032c7915832bc86f5119bf3496e9a16269a922c6ab696ee08
+SHA512:
+  metadata.gz: 68b0628b21442f52584f689266f736e62ce810ecfb629d94208e8ea72d531c210243e0952ffcaca46bbfbe579a0cfb5ae37aebbf83910e3817ed7183e593760d
+  data.tar.gz: 71a53c2f1d3ee226d73ea6f8f8467f76e10b35b2cd02e6cd18b5241f53c13077f038abacc2286ee5fba06d65361b6cd33c3cd6110f720885699a096498c71c20

data/README.md

@@ -0,0 +1,103 @@
+# Auto Strong Parameters
+
+Auto Strong Parameters detects the fields included in a form and automatically permits them in the controller. You no longer need to manually enumerate the params you've submitted. You can fall back to standard Strong Parameters when you need custom behavior.
+
+Rails 4.0 introduced Rails developers to the world of Strong Parameters. This gem is an extension to the model that Strong Parameters introduced, intended to reduce or eliminate the busy work that Strong Paramters introduced. As Giles Bowkett wrote, "tedious, repetitive work is for computers to do."
+
+- :white_check_mark: Seamless integration: replace `require(key).permit` calls with `auto_permit!(key)`
+- :safety_vest: Safe from malicious tampering due to message signing
+- :trophy: Graceful upgrade and fallback to standard Strong Parameters
+- :bow: No more busy work enumerating permitted parameters twice
+
+## How it works (TL;DR)
+
+```ruby
+# Replace this...
+user_params = params.require(:user).permit(:first_name, :email)
+
+# ...with this
+user_params = params.auto_permit!(:user)
+```
+
+## How it works
+
+Before:
+```ruby
+
+# View
+<%= form_with @user do |f| %>
+  First name: <%= f.text_field :first_name %>
+  Email: <%= f.email_field :email %>
+<% end %>
+
+
+# Controller
+user_params = params.require(:user).permit(:first_name, :email)
+# => { first_name: "Dave", email: "dave@example.com }
+@user = User.create(user_params)
+```
+
+After:
+
+```ruby
+# View - unchanged
+<%= form_with @user do |f| %>
+  First name: <%= f.text_field :first_name %>
+  Email: <%= f.email_field :email %>
+<% end %>
+
+
+# Controller - no enumeration required, your form dictates what is allowed
+user_params = params.auto_permit!(:user)
+# => { first_name: "Dave", email: "dave@example.com }
+@user = User.create(user_params)
+```
+
+
+## How to use
+
+Add to your Gemfile, `bundle install` and go.
+
+```ruby
+gem 'auto_strong_parameters'
+```
+
+## Motivation
+
+The Rails 2.x design of including permitted attributes in the model was a limited design. Models could be updated by users of different roles and having a single list was too restrictive.
+
+Strong Parameters moved permitted attribute assertions from the model to the controller. To this day, parameters are authorized in the controllers they are submitted to. This change was for the better because it meant that each controller could assert its own set of parameters.
+
+Strong Parameters still has the problem that multiple forms can submit to a single controller action. This issues means developers must implement controller-side configuration and know where each submission is coming from so that the correct parameters are authorized for all allowed situations. Additionally, there is fundamentally always double entry of what parameters you want to save - once by adding an input to your form and once again in the controller.
+
+This design suggests that we can go one step further. Parameters are literally setup when you write your form code in your view. Each `f.text_field` or `f.number_field` says that you want that parameter in the form and accepted by the server. The form itself is the documentation as to what parameters can be submitted. 
+
+The natural solution is for the framework to handle authorizing the parameters that the developer already told it to put in the form.
+
+## Compatibility
+
+Official support is currently set for all supported Rails releases as well as stable releases maintained by Rails LTS. There is no separate branch for separate versions, it is a goal keep this gem compatible for the life of Strong Parameters (Rails 4.0 - present).
+
+- Ruby 2.7+, but should work fine with Ruby 2.0+
+- Rails 4.2, 5.2, 6.0+
+
+### Form Builders
+
+Auto Strong Parameters currently only supports the built-in Rails form builder class. If you use a different form builder and would like to see it supported, open a ticket, or better yet, write it and contribute back!
+
+### Unofficial compatibility
+
+Our gemspec dictates Rails 4.0+ support but we do not test versions 4.0, 4.1, 5.0, or 5.1. It may work on those versions but it is not officially supported. This is a "use at your own risk" allowance - you should seriously reconsider running Rails 4.0/4.1 and 5.0/5.1 because they do not receive security updates or attention from official sources or private companies at all.
+
+### Why support Rails 4+?
+
+There are thousands of Rails apps on old versions of Rails maintained by small teams that are unable to perform version upgrades. This gem aims to help make working with Strong Parameters easier and more seamless - one less headache when considering whether and when to upgrade. This is one way we can help relieve the upgrade and maintenance burden for folks on old versions of Rails.
+
+Long-term support for non-officially-supported versions of Rails is offered by [Rails LTS](https://railslts.com) (no official affiliation, just a happy customer). Since Rails LTS is the only way that you can get these old versions of Rails to work with current Ruby versions, this gem is tested against them rather than the final releases from [rails/rails](https://github.com/rails/rails). In order to successfully run all our tests, you may need a license to get a copy of Rails LTS 4.2.
+
+All that said, AutoStrongParameters should work fine with standard Rails 4.2 even if you are running an EOL version of Ruby.
+
+
+## Contributing
+
+Contributions are welcome! If you use it and it doesn't work for you, please open an issue! If it DOES work for you, also let me know!

data/Rakefile

@@ -0,0 +1,11 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+require 'appraisal'
+
+Rake::TestTask.new do |t|
+  t.libs << "test"
+  t.pattern = "test/**/*_test.rb"
+end
+
+desc "Run tests"
+task default: :test

data/lib/auto_strong_parameters/auto_form_params.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module AutoStrongParameters::AutoFormParams
+  extend ActiveSupport::Concern
+
+  included do
+    attr_reader :_asp_fields
+  end
+
+  ASP_NAME_REGEX = /\sname=\"(.+?)\"/
+  ASP_DIGIT_REGEX = /\[\d+\]/
+
+  TRACKED_FIELDS = %w(
+    search_field telephone_field date_field time_field datetime_field
+    month_field week_field url_field email_field number_field range_field
+    file_field password_field text_area text_field radio_button
+  )
+
+  TRACKED_FIELDS.each do |name|
+    module_eval <<-RUBY_EVAL, __FILE__, __LINE__ + 1
+      def #{name}(*args)
+        super.tap do |res|
+          _asp_track_field(res)
+        end
+      end
+    RUBY_EVAL
+  end
+
+  private
+
+  def _asp_track_field(field)
+    @_asp_fields ||= []
+    @_asp_fields << field.match(ASP_NAME_REGEX)[1].gsub(ASP_DIGIT_REGEX, '[]')
+  end
+
+  # Generate a hidden input with the signed value of the params shape for this
+  # form. Append to the form.
+  def _asp_hidden_tag
+    if _asp_fields.present?
+      # puts "========= Adding tag =========="
+      # puts _asp_fields.inspect
+      name = AutoStrongParameters.asp_message_key
+      to_sign = asp_fields_to_shape
+      signature = AutoStrongParameters.verifier.generate(to_sign)
+
+      "<input type='hidden' name='#{name}' value='#{signature}' />".html_safe
+    else
+      ""
+    end
+  end
+
+  # This implementation is taken from Rails 7.0 but is largely the same as the
+  # version found in Rails 4.2. Since Rails doesn't give us a nice hook to add
+  # in our functionality, we do it by bringing in the full method and
+  # augmenting it here.
+  def form_tag_with_body(html_options, content)
+    output = form_tag_html(html_options)
+    output << content.to_s if content
+    output << _asp_hidden_tag
+    output.safe_concat("</form>")
+  end
+
+  # Concatenate all form element "name" values into a valid query string, parse
+  # it with Rack, and then convert to a Strong Parameters "shape" to be signed
+  # and sent to the server.
+  def asp_fields_to_shape
+    AutoStrongParameters.to_strong_params_shape(
+      Rack::Utils.parse_nested_query(_asp_fields.join("=&") + "=")
+    )
+  end
+end

data/lib/auto_strong_parameters/auto_permit.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module AutoStrongParameters
+  module AutoPermit
+    def auto_permit!(key)
+      shape = asp_auto_permitted_params(key)
+
+      require(key).permit(shape[key])
+    end
+
+    def asp_auto_permitted_params(key)
+      if sig = self[key][AutoStrongParameters.asp_message_key]
+        AutoStrongParameters.verifier.verify(sig) rescue {}
+      else
+        {}
+      end.with_indifferent_access
+    end
+  end
+end

data/lib/auto_strong_parameters/controller_permitter.rb

@@ -0,0 +1,2 @@
+module AutoStrongParameters::ControllerPermitter
+end

data/lib/auto_strong_parameters/railtie.rb

@@ -0,0 +1,28 @@
+require 'auto_strong_parameters/auto_permit'
+require 'auto_strong_parameters/auto_form_params'
+
+module AutoStrongParameters
+  require 'rails/railtie'
+
+  class Railtie < ::Rails::Railtie
+    initializer 'auto_strong_parameters.add_to_rails' do
+      ActiveSupport.on_load :action_view do
+        AutoStrongParameters::Railtie.apply_form_helpers_patch
+      end
+
+      ActiveSupport.on_load :action_controller do
+        AutoStrongParameters::Railtie.apply_auto_permit_patch
+      end
+    end
+  end
+
+  class Railtie
+    def self.apply_form_helpers_patch
+      ActionView::Base.send(:include, AutoStrongParameters::AutoFormParams)
+    end
+
+    def self.apply_auto_permit_patch
+      ActionController::Parameters.send(:include, AutoStrongParameters::AutoPermit)
+    end
+  end
+end

data/lib/auto_strong_parameters/version.rb

@@ -0,0 +1,3 @@
+module AutoStrongParameters
+  VERSION = "0.0.1"
+end

data/lib/auto_strong_parameters.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require 'rails'
+require 'auto_strong_parameters/railtie'
+
+module AutoStrongParameters
+  # Rails' message_verifier exists with a stable API in all versions of Rails
+  # since 4.2.
+  def self.verifier
+    @verifier ||=
+      ActiveSupport::MessageVerifier.new("auto_strong_parameters", serializer: JSON)
+  end
+
+  # Provide your own custom verifier for AutoStrongParameters. Must respond to
+  # #generate which takes an object and returns a string and #verify which
+  # takes a string and returns an object.
+  def self.verifier=(custom_verifier)
+    @verifier = custom_verifier
+  end
+
+  def self.asp_message_key
+    @asp_message_key ||= :"_asp_params"
+  end
+
+  def self.asp_message_key=(val)
+    @asp_message_key = val
+  end
+
+  def self.to_strong_params_shape(obj)
+    items = Set.new
+    hsh = {}
+
+    case obj
+    when Hash
+      obj.each do |key, val|
+        case val
+        when Hash
+          hsh[key] ||= {}
+          hsh[key] = to_strong_params_shape(val)
+        when Array
+          hsh[key] ||= []
+          hsh[key] << to_strong_params_shape(val)
+        else
+          items << key.to_s
+        end
+      end
+      if hsh.empty?
+        items.flatten.to_a
+      elsif items.empty?
+        hsh
+      else
+        hsh.transform_values!(&:flatten)
+        [*items.flatten, hsh].flatten
+      end
+
+    when Array
+      obj.each do |item|
+        case item
+        when Hash
+          items << to_strong_params_shape(item)
+        when Array
+          items << to_strong_params_shape(item)
+        else
+          # nothing
+        end
+      end
+
+      if hsh.empty?
+        items.flatten.to_a
+      else
+        hsh.transform_values!(&:flatten)
+        [*items.flatten, hsh]
+      end
+
+    else
+      nil
+    end
+  end
+end

data/test/apps/basic_controller.rb

@@ -0,0 +1,47 @@
+class BasicController < ActionController::Base
+  include Rails.application.routes.url_helpers
+
+  self.view_paths = [ActionView::FixtureResolver.new(
+    "basic/new.html.erb" => <<~NEW_USER_FORM
+      <%= form_for @user, url: "/auto_permit" do |f| %>
+        <%= f.text_field :name %>
+        <%= email_field :user, :email %>
+        <%= f.text_area :description %>
+        <%= f.telephone_field :phone %>
+        <%= f.date_field :dob %>
+        <%= f.time_field :lunch_time %>
+        <%= f.datetime_field :confirmed_at %>
+        <%= f.month_field :birth_month %>
+        <%= f.week_field :birthday_week %>
+        <%= f.url_field :favorite_url %>
+        <%= f.number_field :age %>
+        <%= f.range_field :years_of_experience %>
+        <%= f.password_field :password %>
+        <%= f.radio_button :preferred_phone_os, :iphone %>
+        <%= f.radio_button :preferred_phone_os, :android %>
+        <%= f.fields_for :parents do |parf| %>
+          <%= parf.text_field :name %>
+          <%= parf.text_area :job %>
+        <% end %>
+        <%= f.fields_for :pet do |petf| %>
+          <%= petf.text_field :nickname %>
+          <%= petf.number_field :age %>
+        <% end %>
+      <% end %>
+    NEW_USER_FORM
+  )]
+
+  def new
+    @user = User.new
+  end
+
+  def auto_permit
+    u = params.auto_permit!(:user)
+    render json: u
+  end
+
+  def unpermitted
+    u = params.require(:user).permit(:name, pets: [:kind])
+    render json: u
+  end
+end

data/test/apps/models.rb

@@ -0,0 +1,3 @@
+require_relative './user'
+require_relative './pet'
+require_relative './parent'

data/test/apps/parent.rb

@@ -0,0 +1,5 @@
+class Parent
+  include ActiveModel::Model
+
+  attr_accessor :name, :job
+end

data/test/apps/pet.rb

@@ -0,0 +1,5 @@
+class Pet
+  include ActiveModel::Model
+
+  attr_accessor :nickname, :age
+end

data/test/apps/rails42.rb

@@ -0,0 +1,57 @@
+require "rails"
+
+[
+  #'active_record',
+  'active_model',
+  'action_controller',
+  'action_view',
+  #'action_mailer',
+  #'active_job',
+  'rails/test_unit',
+  #'sprockets',
+].each do |framework|
+  begin
+    require "#{framework}/railtie"
+  rescue LoadError
+  end
+end
+
+require 'action_view/testing/resolvers'
+require 'rails/test_help'
+
+require 'auto_strong_parameters'
+
+require_relative './test_app'
+
+module Rails42
+  class Application < Rails::Application
+    config.root = File.expand_path("../../..", __FILE__)
+    config.cache_classes = true
+
+    config.eager_load = false
+    config.serve_static_files  = true
+    config.static_cache_control = "public, max-age=3600"
+
+    config.consider_all_requests_local       = true
+    config.action_controller.perform_caching = false
+
+    config.action_dispatch.show_exceptions = false
+
+    config.action_controller.allow_forgery_protection = false
+
+    config.active_support.deprecation = :stderr
+
+    config.active_support.test_order = :sorted
+
+    config.middleware.delete "Rack::Lock"
+    config.middleware.delete "ActionDispatch::Flash"
+    config.middleware.delete "ActionDispatch::BestStandardsSupport"
+    config.secret_key_base = TestApp.secret_key_base
+    routes.append(&TestApp.routes)
+  end
+end
+
+require_relative './models'
+require_relative './basic_controller'
+
+Rails42::Application.initialize!

data/test/apps/rails52.rb

@@ -0,0 +1,57 @@
+require "rails"
+
+[
+  #'active_record',
+  'active_model',
+  'action_controller',
+  'action_view',
+  #'action_mailer',
+  #'active_job',
+  'rails/test_unit',
+  #'sprockets',
+].each do |framework|
+  begin
+    require "#{framework}/railtie"
+  rescue LoadError
+  end
+end
+
+require 'action_view/testing/resolvers'
+require 'rails/test_help'
+
+require 'auto_strong_parameters'
+
+require_relative './test_app'
+
+module Rails52
+  class Application < Rails::Application
+    config.root = File.expand_path("../../..", __FILE__)
+    config.cache_classes = true
+
+    config.eager_load = false
+    config.serve_static_files  = true
+    config.static_cache_control = "public, max-age=3600"
+
+    config.consider_all_requests_local       = true
+    config.action_controller.perform_caching = false
+
+    config.action_dispatch.show_exceptions = false
+
+    config.action_controller.allow_forgery_protection = false
+
+    config.active_support.deprecation = :stderr
+
+    config.active_support.test_order = :sorted
+
+    config.middleware.delete "Rack::Lock"
+    config.middleware.delete "ActionDispatch::Flash"
+    config.middleware.delete "ActionDispatch::BestStandardsSupport"
+    config.secret_key_base = TestApp.secret_key_base
+    routes.append(&TestApp.routes)
+  end
+end
+
+require_relative './models'
+require_relative './basic_controller'
+
+Rails52::Application.initialize!

data/test/apps/rails60.rb

@@ -0,0 +1,57 @@
+require "rails"
+
+[
+  #'active_record',
+  'active_model',
+  'action_controller',
+  'action_view',
+  #'action_mailer',
+  #'active_job',
+  'rails/test_unit',
+  #'sprockets',
+].each do |framework|
+  begin
+    require "#{framework}/railtie"
+  rescue LoadError
+  end
+end
+
+require 'action_view/testing/resolvers'
+require 'rails/test_help'
+
+require 'auto_strong_parameters'
+
+require_relative './test_app'
+
+module Rails60
+  class Application < Rails::Application
+    config.root = File.expand_path("../../..", __FILE__)
+    config.cache_classes = true
+
+    config.eager_load = false
+    config.serve_static_files  = true
+    config.static_cache_control = "public, max-age=3600"
+
+    config.consider_all_requests_local       = true
+    config.action_controller.perform_caching = false
+
+    config.action_dispatch.show_exceptions = false
+
+    config.action_controller.allow_forgery_protection = false
+
+    config.active_support.deprecation = :stderr
+
+    config.active_support.test_order = :sorted
+
+    config.middleware.delete "Rack::Lock"
+    config.middleware.delete "ActionDispatch::Flash"
+    config.middleware.delete "ActionDispatch::BestStandardsSupport"
+    config.secret_key_base = TestApp.secret_key_base
+    routes.append(&TestApp.routes)
+  end
+end
+
+require_relative './models'
+require_relative './basic_controller'
+
+Rails60::Application.initialize!

data/test/apps/rails61.rb

@@ -0,0 +1,57 @@
+require "rails"
+
+[
+  #'active_record',
+  'active_model',
+  'action_controller',
+  'action_view',
+  #'action_mailer',
+  #'active_job',
+  'rails/test_unit',
+  #'sprockets',
+].each do |framework|
+  begin
+    require "#{framework}/railtie"
+  rescue LoadError
+  end
+end
+
+require 'action_view/testing/resolvers'
+require 'rails/test_help'
+
+require 'auto_strong_parameters'
+
+require_relative './test_app'
+
+module Rails61
+  class Application < Rails::Application
+    config.root = File.expand_path("../../..", __FILE__)
+    config.cache_classes = true
+
+    config.eager_load = false
+    config.serve_static_files  = true
+    config.static_cache_control = "public, max-age=3600"
+
+    config.consider_all_requests_local       = true
+    config.action_controller.perform_caching = false
+
+    config.action_dispatch.show_exceptions = false
+
+    config.action_controller.allow_forgery_protection = false
+
+    config.active_support.deprecation = :stderr
+
+    config.active_support.test_order = :sorted
+
+    config.middleware.delete "Rack::Lock"
+    config.middleware.delete "ActionDispatch::Flash"
+    config.middleware.delete "ActionDispatch::BestStandardsSupport"
+    config.secret_key_base = TestApp.secret_key_base
+    routes.append(&TestApp.routes)
+  end
+end
+
+require_relative './models'
+require_relative './basic_controller'
+
+Rails61::Application.initialize!

data/test/apps/rails70.rb

@@ -0,0 +1,56 @@
+require "rails"
+
+[
+  #'active_record',
+  'active_model',
+  'action_controller',
+  'action_view',
+  #'action_mailer',
+  #'active_job',
+  'rails/test_unit',
+  #'sprockets',
+].each do |framework|
+  begin
+    require "#{framework}/railtie"
+  rescue LoadError
+  end
+end
+
+require 'action_view/testing/resolvers'
+require 'rails/test_help'
+
+require 'auto_strong_parameters'
+
+require_relative './test_app'
+
+module Rails70
+  class Application < Rails::Application
+    config.root = File.expand_path("../../..", __FILE__)
+    config.cache_classes = true
+
+    config.eager_load = false
+    config.serve_static_files  = true
+    config.static_cache_control = "public, max-age=3600"
+
+    config.consider_all_requests_local       = true
+    config.action_controller.perform_caching = false
+
+    config.action_dispatch.show_exceptions = false
+
+    config.action_controller.allow_forgery_protection = false
+
+    config.active_support.deprecation = :stderr
+
+    config.active_support.test_order = :sorted
+
+    config.middleware.delete Rack::Lock
+    config.middleware.delete ActionDispatch::Flash
+    config.secret_key_base = TestApp.secret_key_base
+    routes.append(&TestApp.routes)
+  end
+end
+
+require_relative './models'
+require_relative './basic_controller'
+
+Rails70::Application.initialize!

data/test/apps/routes.rb

@@ -0,0 +1,7 @@
+def routes_block
+  -> do
+    get "new" => "basic#new"
+    post "auto_permit" => "basic#auto_permit"
+    post "unpermitted" => "basic#unpermitted"
+  end
+end

data/test/apps/test_app.rb

@@ -0,0 +1,13 @@
+class TestApp
+  def self.routes
+    -> do
+      get "new" => "basic#new"
+      post "auto_permit" => "basic#auto_permit"
+      post "unpermitted" => "basic#unpermitted"
+    end
+  end
+
+  def self.secret_key_base
+    '49837489qkuweoiuoqwehisuakshdjksadhaisdy78o34y138974xyqp9rmye8yrpiokeuioqwzyoiuxftoyqiuxrhm3iou1hrzmjk'
+  end
+end

data/test/apps/user.rb

@@ -0,0 +1,23 @@
+class User
+  include ActiveModel::Model
+
+  attr_accessor :name, :email, :description, :phone, :dob, :lunch_time,
+    :confirmed_at, :birth_month, :birthday_week, :favorite_url, :age,
+    :years_of_experience, :password, :preferred_phone_os
+
+  def parents
+    @parents ||= [Parent.new]
+  end
+
+  def parents_attributes=(val)
+    @parents = Array.wrap(val)
+  end
+
+  def pet
+    @pet ||= Pet.new
+  end
+
+  def pet_attributes=(val)
+    @pet = val
+  end
+end

data/test/auto_form_params_test.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class AutoFormParamsTest < ActionController::TestCase
+  setup do
+    @controller = BasicController.new
+  end
+
+  def signature
+    AutoStrongParameters.verifier.generate(permitted_keys)
+  end
+
+  def permitted_keys
+    {
+      "user" => [
+        "name",
+        "email",
+        "description",
+        "phone",
+        "dob",
+        "lunch_time",
+        "confirmed_at",
+        "birth_month",
+        "birthday_week",
+        "favorite_url",
+        "age",
+        "years_of_experience",
+        "password",
+        "preferred_phone_os",
+        {
+          "parents_attributes"=>[
+            "name",
+            "job",
+          ],
+          "pet_attributes"=>[
+            "nickname",
+            "age",
+          ],
+        },
+      ],
+    }
+  end
+
+  def test_new
+    get :new
+    assert_response :ok
+
+    assert_select "form[id='new_user']"
+    assert_select "form[id='new_user'] input[name='#{AutoStrongParameters.asp_message_key}']" do
+      assert_select "[value=?]", signature
+    end
+  end
+end

data/test/auto_permit_test.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class AutoPermitTest < ActionController::TestCase
+  setup do
+    @controller = BasicController.new
+  end
+
+  def user_params
+    {
+      name: 'John',
+      age: '30',
+      pets: [
+        { name: "Fluffy", kind: "dog" }
+      ],
+    }
+  end
+
+  def signature
+    AutoStrongParameters.verifier.generate(permitted_keys)
+  end
+
+  def message_key
+    AutoStrongParameters.asp_message_key
+  end
+
+  def permitted_keys
+    { "user" => ['name', 'age', { 'pets' => ['name', 'kind'] }] }
+  end
+
+  # Rails 4.2 does not have the keyword API for #process et al.
+  def process_args(args)
+    if defined? Rails42
+      args
+    else
+      { params: args }
+    end
+  end
+
+  def test_unpermitted
+    post :unpermitted, **process_args(user: user_params)
+    assert_response :ok
+    j = ActiveSupport::JSON.decode(response.body)
+
+    assert_equal 'John', j['name']
+    assert_nil j['age']
+    assert_nil j['pets'][0]['name']
+    assert_equal 'dog', j['pets'][0]['kind']
+  end
+
+  def test_auto_permit
+    post :auto_permit, **process_args(user: user_params.merge(message_key => signature))
+    assert_response :ok
+    j = ActiveSupport::JSON.decode(response.body)
+
+    assert_equal 'John', j['name']
+    assert_equal '30', j['age']
+    assert_equal 'dog', j['pets'][0]['kind']
+    assert_equal 'Fluffy', j['pets'][0]['name']
+  end
+
+  def test_auto_permit_incorrect_signature
+    post :auto_permit, **process_args(user: user_params.merge(message_key => 'abc123'))
+    assert_response :ok
+    j = ActiveSupport::JSON.decode(response.body)
+
+    assert_nil j['name']
+    assert_nil j['age']
+  end
+end

data/test/auto_strong_parameters_test.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'test_helper'
+
+class AutoStrongParametersTest < Minitest::Test
+  def to_strong_params_shape(h)
+    AutoStrongParameters.to_strong_params_shape(h)
+  end
+
+  def test_to_strong_params_shape
+    assert_equal ["name"], to_strong_params_shape({"name" => "Steve"})
+    assert_equal ["name", "age"], to_strong_params_shape({"name" => "Steve", age: 5})
+    assert_equal ["name", {"pet" => ["name"]}], to_strong_params_shape({"name" => "Steve", "pet" => { "name" => "Fluffy" }})
+    assert_equal ["name", {"pet" => ["name"]}], to_strong_params_shape({"name" => "Steve", "pet" => { "name" => "Fluffy" }})
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,23 @@
+require 'bundler/setup'
+require 'minitest/autorun'
+require 'pry'
+
+ENV["RAILS_ENV"] = "test"
+ENV['DATABASE_URL'] = 'sqlite3://localhost/:memory:'
+
+require 'rails'
+
+case Rails.version.slice(0, 3)
+when "4.2"
+  require "apps/rails42"
+when "5.2"
+  require "apps/rails52"
+when "6.0"
+  require "apps/rails60"
+when "6.1"
+  require "apps/rails61"
+when "7.0"
+  require "apps/rails70"
+else
+  raise "Un-tested version of Rails: #{Rails.version}"
+end

metadata

@@ -0,0 +1,152 @@
+--- !ruby/object:Gem::Specification
+name: auto_strong_parameters
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Drew Ulmer
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2023-08-17 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '4.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: appraisal
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description:
+email: drew@unabridgedsoftware.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- Rakefile
+- lib/auto_strong_parameters.rb
+- lib/auto_strong_parameters/auto_form_params.rb
+- lib/auto_strong_parameters/auto_permit.rb
+- lib/auto_strong_parameters/controller_permitter.rb
+- lib/auto_strong_parameters/railtie.rb
+- lib/auto_strong_parameters/version.rb
+- test/apps/basic_controller.rb
+- test/apps/models.rb
+- test/apps/parent.rb
+- test/apps/pet.rb
+- test/apps/rails42.rb
+- test/apps/rails52.rb
+- test/apps/rails60.rb
+- test/apps/rails61.rb
+- test/apps/rails70.rb
+- test/apps/routes.rb
+- test/apps/test_app.rb
+- test/apps/user.rb
+- test/auto_form_params_test.rb
+- test/auto_permit_test.rb
+- test/auto_strong_parameters_test.rb
+- test/test_helper.rb
+homepage: https://github.com/unabridged/auto_strong_parameters
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key:
+specification_version: 4
+summary: Automatic require and permit of Strong Paramters for your Rails forms.
+test_files:
+- test/auto_form_params_test.rb
+- test/test_helper.rb
+- test/apps/routes.rb
+- test/apps/test_app.rb
+- test/apps/rails52.rb
+- test/apps/rails42.rb
+- test/apps/basic_controller.rb
+- test/apps/parent.rb
+- test/apps/pet.rb
+- test/apps/rails61.rb
+- test/apps/models.rb
+- test/apps/rails60.rb
+- test/apps/rails70.rb
+- test/apps/user.rb
+- test/auto_strong_parameters_test.rb
+- test/auto_permit_test.rb