bullet_train-api 1.2.4 → 1.2.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8a6ade62a135239a02645844a31778eb34be494d8d131510318af2d9fa9c2b8b
-  data.tar.gz: 915b02cc7c7fac7f0cc3ef27440be6a8799d22da2fe08ae55175b3d3747b0191
+  metadata.gz: f59f190e9824ebdddbfd66d07c2cd778024d9e4bd22ad5737325105b61548e06
+  data.tar.gz: a7be7d343a2eb2b774b70491a6a6380a1d9525e0643495488b1f7d68efa4743e
 SHA512:
-  metadata.gz: e5642cd39f8e915e71d178ee09395025b70c80483a2807de87b88bbc542e39bb58ad6e3b33f0ad739f3d1f1d00802a660b78dd6c367384da9a74c9e4966e56db
-  data.tar.gz: 37d861c517b06e93cf67249ac91047b30eaa9c5e19a509a7a211abe4cf89a1ed31170f3c800dad20402c840ccfa80727bdf83cf2eb72e4b9b4b8c48cba9739ef
+  metadata.gz: 570d41d45f2b17e401c2ece3c93acd45ba8463e84332739c033d6eb5cac787b63ef820b016dbbebb944fb737788a704e72b7aec57919375e8077ed2c835794d7
+  data.tar.gz: 6132f0a3d6d3438591b36beaf6451527936046bcccf7fef96175511eda1df95daa34e37f7c962b975564603388541d54eb12805cad0f1cfad2b931b8f2bbc87a

data/app/controllers/concerns/api/v1/users/controller_base.rb

@@ -30,6 +30,8 @@ module Api::V1::Users::ControllerBase
       member_actions: (defined?(MEMBER_ACTIONS) ? MEMBER_ACTIONS : []),
       collection_actions: (defined?(COLLECTION_ACTIONS) ? COLLECTION_ACTIONS : [])
 
+    prepend_before_action :resolve_me
+
     private
 
     include StrongParameters
@@ -39,6 +41,12 @@ module Api::V1::Users::ControllerBase
   def index
   end
 
+  def resolve_me
+    if current_user && params[:id]&.downcase == "me"
+      params[:id] = current_user.id
+    end
+  end
+
   # GET /api/v1/users/:id
   def show
   end

data/app/models/platform/access_token.rb

@@ -28,5 +28,18 @@ class Platform::AccessToken < ApplicationRecord
   def label_string
     description
   end
+
+  def system_level?
+    return false unless application
+    !application.team_id
+  end
+
+  def description
+    if system_level?
+      application.name
+    else
+      super
+    end
+  end
   # 🚅 add methods above.
 end

data/app/models/platform/application.rb

@@ -4,7 +4,7 @@ class Platform::Application < ApplicationRecord
   include Doorkeeper::Orm::ActiveRecord::Mixins::Application
   # 🚅 add concerns above.
 
-  belongs_to :team
+  belongs_to :team, optional: true
   # 🚅 add belongs_to associations above.
 
   # 🚅 add has_many associations above.

data/app/views/account/platform/applications/index.html.erb

@@ -2,5 +2,6 @@
   <% p.content_for :title, t('.section') %>
   <% p.content_for :body do %>
     <%= render 'index', applications: @applications %>
+    <%= render 'account/platform/access_tokens/index', access_tokens: @team.platform_agent_access_tokens, context: @team %>
   <% end %>
 <% end %>

data/app/views/account/platform/connections/new.html.erb

@@ -0,0 +1,42 @@
+<%= render 'account/shared/workflow/box' do |p| %>
+  <% p.content_for :title, t('.header', application_name: @application.name) %>
+  <% p.content_for :body do %>
+    <ul class="space-y" data-turbo="false">
+      <% @teams.each do |team| %>
+        <li class="bg-white border overflow-hidden sm:rounded-md dark:bg-sealBlue-400">
+          <% body = capture do %>
+            <div class="px-4 py-4 flex items-center sm:pl-8 sm:pr-6">
+              <div class="min-w-0 flex-1 sm:flex sm:items-center sm:justify-between">
+                <div class="flex text-xl font-semibold text-blue uppercase group-hover:text-blue-dark tracking-widest dark:text-white">
+                  <%= team.name %>
+                </div>
+                <% unless can? :connect, team %>
+                  <div class="ml-5 flex-shrink-0 text-gray-400">
+                    <%= t(".not_allowed") %>
+                  </div>
+                <% end %>
+              </div>
+              <% if can? :connect, team %>
+                <div class="ml-5 flex-shrink-0">
+                  <svg class="h-5 w-5 text-gray-400" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true">
+                    <path fill-rule="evenodd" d="M7.293 14.707a1 1 0 010-1.414L10.586 10 7.293 6.707a1 1 0 011.414-1.414l4 4a1 1 0 010 1.414l-4 4a1 1 0 01-1.414 0z" clip-rule="evenodd" />
+                  </svg>
+                </div>
+              <% end %>
+            </div>
+          <% end %>
+
+          <% if can? :connect, team %>
+            <%= link_to request.url + "&team_id=#{team.id}", class: "group block hover:bg-gray-50 dark:hover:bg-sealBlue-400 dark:text-sealBlue-800" do %>
+              <%= body %>
+            <% end %>
+          <% else %>
+            <div class="block dark:text-sealBlue-800">
+              <%= body %>
+            </div>
+          <% end %>
+        </li>
+      <% end %>
+    </ul>
+  <% end %>
+<% end %>

data/config/locales/en/platform/access_tokens.en.yml

@@ -67,6 +67,9 @@ en:
         platform/application:
           header: API Access Tokens
           description: You can use Access Tokens to allow %{application_name} to make requests to the API.
+        team:
+          header: Platform Connections
+          description: The following Platform Applications are connected to your account. The Access Tokens issued to these Platform Applications are available below in case you need to debug these integrations.
       fields: *fields
       buttons: *buttons
     show:

data/config/locales/en/platform/connections.en.yml

@@ -0,0 +1,7 @@
+en:
+  account:
+    platform:
+      connections:
+        new:
+          header: "Connect %{application_name} to Team"
+          not_allowed: Not Allowed

data/lib/bullet_train/api/version.rb

@@ -1,5 +1,5 @@
 module BulletTrain
   module Api
-    VERSION = "1.2.4"
+    VERSION = "1.2.6"
   end
 end

data/lib/bullet_train/api.rb

@@ -1,6 +1,7 @@
 require "bullet_train/api/version"
 require "bullet_train/api/engine"
 require "bullet_train/api/strong_parameters_reporter"
+require "bullet_train/platform/connection_workflow"
 
 # require "wine_bouncer"
 require "pagy"

data/lib/bullet_train/platform/connection_workflow.rb

@@ -0,0 +1,64 @@
+require "bullet_train/platform"
+
+class BulletTrain::Platform::ConnectionWorkflow
+  def to_proc
+    proc do
+      # Load the platform application in question.
+      # TODO Do we need to check the client secret or does Doorkeeper do that for us?
+      @application = Platform::Application.find_by(uid: params[:client_id])
+
+      # If the user is current signed in.
+      if current_user
+        # If the client application is opting into a team-level connection instead of a user-level connection, they have
+        # to select a team.
+        if params[:new_installation]
+          # If they selected a team on the team selection page.
+          if params[:team_id]
+            # Load the selected team.
+            team = Team.find(params[:team_id])
+
+            # Throw an error if they aren't allowed to create connections on this team.
+            authorize! :connect, team
+
+            # Create a faux membership and user that represent this connection.
+            # We have to do this because all our permissions are based on users, so team-level connections need a user.
+            faux_password = SecureRandom.hex
+            faux_user = User.create(
+              email: "noreply+#{SecureRandom.hex}@bullettrain.co",
+              password: faux_password,
+              password_confirmation: faux_password,
+              platform_agent_of: @application,
+              first_name: @application.name
+            )
+
+            # TODO I think we can get rid of `platform_agent` because we have `platform_agent_of_id`.
+            faux_membership = team.memberships.create(
+              user: faux_user,
+              platform_agent: true,
+              platform_agent_of: @application,
+              added_by: team.memberships.find_by(user: current_user)
+            )
+
+            faux_membership.roles << Role.admin
+
+            # We're done! Return the user, it'll be associated with the access grant and subsequent access token.
+            faux_user
+          else
+            # Show them a list of all their teams.
+            # We'll disable the teams they can't create connections for in the view.
+            @teams = current_user.teams
+
+            render "account/platform/connections/new"
+          end
+        else
+          # If the client application isn't specifically opting into a team-level installation, just connect on behalf of the user.
+          current_user
+        end
+      else
+        # If they're not signed in, redirect them to the sign in page and set a return URL via params.
+        # This is a crazy workaround for the fact that Safari doesn't let us create a session at the same time we redirect.
+        redirect_to new_user_session_path(return_url: request.url)
+      end
+    end
+  end
+end

data/lib/bullet_train/platform.rb

@@ -0,0 +1,2 @@
+module BulletTrain::Platform
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bullet_train-api
 version: !ruby/object:Gem::Version
-  version: 1.2.4
+  version: 1.2.6
 platform: ruby
 authors:
 - Andrew Culver
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-12-17 00:00:00.000000000 Z
+date: 2022-12-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: standard
@@ -162,6 +162,7 @@ files:
 - app/views/account/platform/applications/new.html.erb
 - app/views/account/platform/applications/show.html.erb
 - app/views/account/platform/applications/show.json.jbuilder
+- app/views/account/platform/connections/new.html.erb
 - app/views/api/v1/open_api/shared/_paths.yaml.erb
 - app/views/api/v1/open_api/teams/_paths.yaml.erb
 - app/views/api/v1/open_api/users/_paths.yaml.erb
@@ -186,13 +187,14 @@ files:
 - config/locales/en/me.en.yml
 - config/locales/en/platform/access_tokens.en.yml
 - config/locales/en/platform/applications.en.yml
+- config/locales/en/platform/connections.en.yml
 - config/routes.rb
-- docs/api.md
-- docs/api/versioning.md
 - lib/bullet_train/api.rb
 - lib/bullet_train/api/engine.rb
 - lib/bullet_train/api/strong_parameters_reporter.rb
 - lib/bullet_train/api/version.rb
+- lib/bullet_train/platform.rb
+- lib/bullet_train/platform/connection_workflow.rb
 - lib/tasks/bullet_train/api_tasks.rake
 homepage: https://github.com/bullet-train-co/bullet_train-api
 licenses:

data/docs/api/versioning.md

@@ -1,63 +0,0 @@
-# API Versioning
-Bullet Train's API layer is designed to help support the need of software developers to evolve their API over time while continuing to maintain support for versions of the API that users have already built against.
-
-## What is API versioning?
-By default, Bullet Train will build out a "V1" version of your API. The version number is intended to represent a contract with your users that as long as they're hitting `/api/v1` endpoints, the structure of URLs, requests, and responses won't change in a way that will break the integrations they've created.
-
-If a change to the API would break the established contract, we want to bump the API version number so we can differentiate between developers building against the latest version of the API (e.g. "V2") and developers who wrote code against the earlier version of the API (e.g. "V1"). This allows us the opportunity to ensure that older versions of the API continue to work as previously expected by the earlier developers.
-
-## When should you take advantage of API versioning?
-You want to bump API versions as sparingly as possible. Even with all the tooling Bullet Train provides, maintaining backwards compatibility of older API versions comes at an ongoing cost. Generally speaking, you should only bump your API version when a customer is already using an API endpoint and you're making changes to the structure of your domain model that are not strictly additive and will break the established contract.
-
-Importantly, if the changes you're making to your domain model are only additive, you don't need to bump your API version. Users shouldn't care that you're adding new attributes or new endpoints to your API, just as long as the ones they're already using don't change in a way that is breaking for them.
-
-## Background
-By default, the following components in your API are created in versioned namespaces:
-
- - API controllers are in `app/controllers/api/v1` and live in an `Api::V1` module.
- - JSON views are in `app/controllers/api/v1`.
- - Routes are in `config/routes/api/v1.rb`.
- - Tests are in `test/controllers/api/v1` and live in an `Api::V1` module.
-
-> It's also impotant to keep in mind that some dependencies of your API and API tests like models, factories, and permissions are not versioned, but as we'll cover later, this is something our approach helps you work around.
-
-## Bumping Your API Version
-
-⚠️ You must do this _before_ making the breaking changes to your API.
-
-If you're in a situation where you know you need to bump your API version to help lock-in a backward compatible version of your API, you can simply run:
-
-```
-rake bullet_train:api:bump_version
-```
-
-> TODO This Rake task doesn't exist yet.
-
-## What happens when you bump an API version?
-When you bump your API version, all of the files and directories that are namespaced with the API version number will be duplicated into a new namespace for the new API version number.
-
-For example, when bumping from "V1" to "V2":
-
- - A copy of all the API controllers in `app/controllers/api/v1` are copied into `app/controllers/api/v2`.
- - A copy of all the JSON views in `app/views/api/v1` are copied into `app/views/api/v2`.
- - A copy of all the routes in `config/routes/api/v1.rb` are copied into `config/routes/api/v2.rb`.
- - A copy of all the tests in `test/controllers/api/v1` are copied into `test/controllers/api/v2`.
-
-We also bump the value of `BulletTrain::Api.current_version` in `config/initializers/api.rb` so tools like Super Scaffolding know which version of your API to update going forward.
-
-## How does this help?
-As a baseline, keeping a wholesale copy of the versioned API components helps lock in their behavior and protect them from change going forward. It's not a silver bullet, since unversioned dependencies (like your model, factories, and permissions) can still affect the behavior of these versioned API components, but even in that case these copied files give us a place where we can implement the logic that helps older versions of the API continue to operate even as unversioned components like our domain model continue changing.
-
-### Versioned API Tests
-By versioning our API tests, we lock in a copy of what the assumptions were for older versions of the API. Should unversioned dependencies like our domain model change in ways that break earlier versions of our API, the test suite will let us know and help us figure out when we've implemented the appropriate logic in the older version of the API controller to restore the expected behavior for that version of the API.
-
-## Advanced Topics
-
-### Object-Oriented Inheritance
-In order to reduce the surface area of legacy API controllers that you're maintaining, it might make sense in some cases to have an older versioned API controller simply inherit from a newer version or the current version of the same API controller. For example, this might make sense for endpoints that you know didn't have breaking changes across API versions.
-
-### Backporting New Features to Legacy API Versions
-Typically we'd recommend you use new feature availability to encourage existing API users to upgrade to the latest version of the API. However, in some situations you may really need to make a newer API feature available to a user who is locked into a legacy version of your API for some other endpoint. This is totally fine if the feature is only additive. For example, if you're just adding a newer API endpoint in a legacy version of the API, you can simply have the new API controller in the legacy version of the API inherit from the API controller in the current version of the API.
-
-### Pruning Unused Legacy API Endpoints
-Maintaining legacy endpoints has a very real cost, so you may choose to identify which endpoints aren't being used on legacy versions of your API and prune them from that version entirely. This has the effect of requiring existing API users to keep their API usage up-to-date before expanding the surface area of usage, which may or may not be desirable for you.

data/docs/api.md

@@ -1,106 +0,0 @@
-# REST API
-We believe every SaaS application should have an API and [webhooks](https://github.com/bullet-train-co/bullet_train-base/blob/main/docs/webhooks/outgoing.md) available to users, so Bullet Train aims to help automate the creation of a production-grade REST API using Rails-native tooling and provides a forward-thinking strategy for its long-term maintenance.
-
-## Background
-Vanilla Rails scaffolding actually provides simple API functionality out-of-the-box: You can append `.json` to the URL of any scaffold and it will render a JSON representation instead of an HTML view. This functionality continues to work in Bullet Train, but our API implementation also builds on this simple baseline using the same tools with additional organization and some new patterns. 
-
-## Goals
-
-### Zero-Effort API
-As with vanilla Rails scaffolding, Super Scaffolding automatically generates your API as you scaffold new models, and unlike vanilla Rails scaffolding, it will automatically keep it up-to-date as you scaffold additional attributes onto your models.
-
-### Versioning by Default
-By separating out and versioning API controllers, views, routes, and tests, Bullet Train provides [a methodology and tooling](/docs/api/versioning.md) to help ensure that once users have built against your API, changes in the structure of your domain model and API don't unexpectedly break existing integrations. You can [read more about API versioning](/docs/api/versioning.md).
-
-### Standard Rails Tooling
-APIs are built using standard Rails tools like `ActiveController::API`, [Strong Parameters](https://api.rubyonrails.org/classes/ActionController/StrongParameters.html), `config/routes.rb`, and [Jbuilder](https://github.com/rails/jbuilder). Maintaining API endpoints doesn't require special knowledge and feels like regular Rails development.
-
-### Outsourced Authentication
-In the same way we've adopted [Devise](https://github.com/heartcombo/devise) for best-of-breed and battle-tested authentication on the browser side, we've adopted [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) for best-of-breed and battle-tested authentication on the API side.
-
-### DRY Authorization Logic
-Because our API endpoints are standard Rails controllers, they're able to leverage the exact same [permissions definitions and authorization logic](https://github.com/bullet-train-co/bullet_train-base/blob/main/docs/permissions.md) as our account controllers.
-
-## Structure
-Where vanilla Rails uses a single controller in `app/controllers` for both in-browser and API requests, Bullet Train splits these into two separate controllers, one in `app/controllers/account` and another in `app/controllers/api/v1`, although a lot of logic is shared between the two.
-
-API endpoints are defined in three parts:
-
-1. Routes are defined in `config/routes/api/v1.rb`.
-2. Controllers are defined in the `app/controllers/api/v1` directory.
-3. Jbuilder views are defined in the `app/views/api/v1` directory.
-
-## "API First" and Supporting Account Controllers
-As previously mentioned, there is a lot of shared logic between account and API controllers. Importantly, there are a couple of responsbilities that are implemented "API first" in API controllers and then utilized by account controllers.
-
-### Strong Parameters
-The primary definition of Strong Parameters for a given resource is defined in the most recent version of the API controller and included from there by the account controller. In account controllers, where you might expect to see a Strong Parameters definition, you'll see the following instead:
-
-```ruby
-include strong_parameters_from_api
-```
-
-> This may feel counter-intuitive to some developers and you might wonder why we don't flip this around and have the primary definition in the account controller and have the API controller delegate to it. The answer is a pragmatic one: creating and maintaining the defintion of Strong Paramters in the API controller means it gets automatically frozen in time should you ever need to [bump your API version number](/api/docs/versioning.md). We probably _could_ accomplish this if things were the other way around, but it wouldn't happen automatically.
-
-If by chance there are additional attributes that should be permitted or specific logic that needs to be run as part of the account controller (or inversely, only in the API controller), you can specify that in the controller like so:
-
-```ruby
-def permitted_fields
-  [:some_specific_attribute]
-end
-
-def permitted_arrays
-  {some_collection: []}
-end
-
-def process_params(strong_params)
-  assign_checkboxes(strong_params, :some_checkboxes)
-  strong_params
-end
-```
-
-### Delegating `.json` View Rendering on Account Controllers
-
-In Bullet Train, when you append `.json` to an account URL, the account controller doesn't actually have any `.json.jbuilder` templates in its view directory within `app/views/account`. Instead, by default the controller is configured to delegate the JSON rendering to the corresponding Jbuilder templates in the most recent version of the API, like so:
-
-```ruby
-# GET /account/projects/:id or /account/projects/:id.json
-def show
-  delegate_json_to_api
-end
-```
-
-## Usage Example
-First, provision a platform application in section titled "Your Applications" in the "Developers" menu of the application. When you create a new platform application, an access token that doesn't automatically expire will be automatically provisioned along with it. You can then use the access token to hit the API, as seen in the following Ruby-based example:
-
-```ruby
-require 'net/http'
-require 'uri'
-
-# Configure an API client.
-client = Net::HTTP.new('localhost', 3000)
-
-headers = {
-  "Content-Type" => "application/json",
-  "Authorization" => "Bearer GfNLkDmzOTqAacR1Kqv0VJo7ft2TT-S_p8C6zPDBFhg"
-}
-
-# Fetch the team details.
-response = client.get("/api/v1/teams/1", headers)
-
-# Parse response.
-team = JSON.parse(response.body)
-
-# Update team name.
-team["name"] = "Updated Team Name"
-
-# Push the update to the API.
-# Note that the team attributes are nested under a `team` key in the JSON body.
-response = client.patch("/api/v1/teams/1", {team: team}.to_json, headers)
-```
-
-## Advanced Topics
- - [API Versioning](/docs/api/versioning.md)
-
-## A Note About Other Serializers and API Frameworks
-In early versions of Bullet Train we made the decision to adopt a specific serialization library, [ActiveModelSerializers](https://github.com/rails-api/active_model_serializers) and in subsequent versions we went as far as to adopt an entire third-party framework ([Grape](https://github.com/ruby-grape/grape)) and a third-party API specification ([JSON:API](https://jsonapi.org)). We now consider it out-of-scope to try and make such decisions on behalf of developers. Support for them in Bullet Train applications and in Super Scaffolding could be created by third-parties.