dash_api 0.0.16 → 0.0.24

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 945983e9aaba31d04f8fde011da5a657e2d0d6159e6586e83ba8f6c03fa6653f
-  data.tar.gz: 24bc114dc3585acf020fcca25d0795a7da97edab9b433d37913fb9cbd99b7afb
+  metadata.gz: 41b4f85f96294e8f796ac017f3d52452c2dc13b963f6af9056d614ac5ee6ddb4
+  data.tar.gz: 0ceb837310db910dadd6c21937b9224832d5f498782ea9e964f68564f2d3cc28
 SHA512:
-  metadata.gz: 68eba8c684f9193eeb6495852659941655d66ef24a9ac7ae33201fa9e8e93ad384476eef60e9060ca8771b846a634f4b24b40bc36cd2b5bffcf8dcda0eae467e
-  data.tar.gz: d29484f82a3715c8af5fe7703e0115818c04ecd2a9be2ac5dd4eeaab672c0d7a4879990560cfb280e9c674de8925cff31fc125e8e9f94a965f109107be6474e4
+  metadata.gz: 3de8da8ec097ac9416550900b89b539c90bce4791925957bf0299df328faa58ccce6ec6dec7178b432c9ee850ea1f8e9a21024de28fe7727b04dc1133b2995c1
+  data.tar.gz: 1099ea57ccb8c4bc6e8770da6150f00b9459fac78d3a15fb8190f96147ae86b123e602be6c625e8f9ec145c766284142578e51c2997b4f3dd9f1fac09429ae77

data/README.md

@@ -16,6 +16,8 @@ DashAPI supports several features out of the box with little or no configuration
  - Associations
  - Pagination
  - JWT token authorization
+ - Firebase authorization
+ - Role-based access control 
 
 DashAPI is designed to help rapidly build fully functional, scalable and secure applications 
 by automatically generating REST APIs using any Postgres database. DashAPI also supports 
@@ -39,9 +41,9 @@ Mount the Dash API by updating your `routes.rb` file:
   mount DashApi::Engine, at: "/dash/api"
 ```
 
-Or install it yourself as:
+Install the pundit policy
 ```bash
-$ gem install dash_api
+rails g pundit:install 
 ```
 
 You can also configure DashApi with an initializer by creating a file at `config/initializers/dash_api.rb`.
@@ -50,13 +52,11 @@ You can also configure DashApi with an initializer by creating a file at `config
 # Place file at config/initializers/dash_api.rb
 
 DashApi.tap |config|
-  config.enable_auth = ENV['DASH_ENABLE_AUTH'] === true  
-  config.api_token = ENV['DASH_API_TOKEN']
   config.jwt_secret = ENV['DASH_JWT_SECRET']
-  config.exclude_fields = ENV['DASH_API_TOKEN'].split(" ") || []
-  config.exclude_tables = ENV['DASH_API_TOKEN'].split(" ") || []
 end 
 ```
+
+
 The DashAPI is now ready. You can view all tables at:
 `/dash/api`
 
@@ -126,6 +126,9 @@ GET /dash/api/books?filters=id:lt:10,published:eq:true
 ```
 
 The currently supported operators are:
+
+
+
 ```
 eq  - Equals
 neq - Not equals
@@ -296,46 +299,55 @@ Body
 }
 ```
 
-### API Token Authentication 
+### JWT Token Authorization 
 
-You may secure the Dash API using a dedicated API token or using a JWT token. 
+The recommended way to secure your API is to use a JWT token. To enable a JWT token, you must first 
+specify the JWT secret key in your configuration at `config/initializers/dash_api.rb` 
 
-For a fast and simple way to secure your API, you can specify an api_token in `config/initializers/dash_api.rb` which will allow all API requests.
+Dash API is designed to work alongside an existing API or an additional server which handles authentication. This is accomplished by using a shared JWT secret that is to decode the JWT token. 
 
+The JWT decoded object should be a json object and is expected to have a "role" field and a 
+corresponding "id" field to identify the ID of the user. 
 
 ```
 # /config/initializers/dash_api.rb
 
 DashApi.tap do |config|
-  config.enable_auth = true
-  config.api_token = ENV['DASH_API_TOKEN']  
+  config.jwt_secret = ENV['DASH_JWT_SECRET']  
   ...
 end 
 ```
 
-Ensure that the enable authentication flag `enable_auth` is set to `true`. 
-
-
-### JWT Token Authentication 
+### Firebase Authorization 
 
-The recommended and preferred way to secure your API is to use a JWT token. To enable a JWT token, you must first 
-specify the JWT secret key in your `config/initializers/dash_api.rb` 
-
-Note that if your Dash API works alongside an existing API or an additional server which handles authentication, you can use a shared JWT secret that is used by both services to decode the JWT token. The JWT tokenization 
-uses the RS
+DashAPI also supports handling [Firebase](https://firebase.google.com/) Authentication. When you sign in with a supported Firebase method, you will receive an `idToken` which is an encoded JWT token. You may use this token in your requests identically as you would a standard JWT token to authorize requests.
 
+To add Firebase support, add your Firebase Web API Key located under Firebase > Project > Settings to your Dash API configuration.
 
 ```
 # /config/initializers/dash_api.rb
 
 DashApi.tap do |config|
-  config.enable_auth = true
-  config.jwt_secret = ENV['DASH_JWT_SECRET']  
+  config.firebase_web_key = ENV['FIREBASE_WEB_KEY']  
   ...
 end 
 ```
 
-Ensure that the enable authentication flag `enable_auth` is set to `true`. 
+Note that since Firebase does not by default assign a `role` to the JWT payload, the DashAPI will inject the `role` key with value `user` to make it easier to manage your access policies. It will also inject a `provider` key with value `firebase` to more easily identify firebase requests in your Pundit policies. 
+
+For documentation on how to sign in users with Firebase, please check out the official [Firebase Authentication documentation](https://firebase.google.com/docs/auth).
+
+### API Authentication 
+
+To authenticate your requests, pass the encoded JWT token in your authorization headers:
+```
+Authorization: 'Bearer <JWT_TOKEN>'
+```
+
+You can also pass the token as a url paramter with every request:
+```
+/dash/api/...?token=<JWT_TOKEN>
+```
 
 The JWT token will also inspect for the `exp` key and if present will only allow requests with valid 
 expiration timestamps. For security purposes it's recommended that you encode your JWT tokens with an exp 
@@ -343,43 +355,132 @@ timestamp.
 
 To setup and test JWT tokens, we recommend you explore [jwt.io](https://jwt.io). 
 
-### API Authorization
+### Authorization (Pundit) 
 
-Once you've setup your authentication strategy above, either using the `api_token` or the `jwt_secret`, 
-you should pass your token to the DashAPI either as a URL parameter or using Bearer authentication 
+DashAPI uses the popular Ruby on Rails [Pundet](https://github.com/varvet/pundit) gem to manage 
+the authorization policies. Using pundit, you can restrict access to any table or method within a table
+according to "policies" that you define. These policies map to the User object that is passed from the JWT token. 
+
+When you first installed DashAPI, you run the pundit installation generator which creates an `ApplicationPolicy` file in `app/policies.` `ApplicationPolicy` defines all the default policies inherited by all tables in the DashAPI. 
+
+The benefit of using Pundit is that you can easily create an acesss policy or search scope by creating a policy for each table in your database that differs from the default policy. To do this, simple create a ruby class that matches the name of the table class followed by the term "Policy." For example, if you want to create a policy for your `orders` table then you can create a ruby class as follows
 
-You can pass the token as a url paramter:
 ```
-?token=<JWT_TOKEN>
+# Place this file in /app/policies/order_policy.rb
+
+def OrderPolicy < ApplicationPolicy 
+   ...   
+end 
 ```
 
-The preferred strategy is to pass the token using Bearer authentication in your headers:
+You can then specify the polify for each operation from the API. First, below is a sample policy class used by Pundit without any restrictions in place:
+
 ```
-Authorization: 'Bearer <JWT_TOKEN>'
+class OrderPolicy < ApplicationPolicy 
+
+  def index?
+    true 
+  end 
+
+  def show? 
+    true
+  end 
+
+  def update?     
+    true 
+  end 
+
+  def destroy?
+    true 
+  end 
+
+  class Scope
+    def initialize(user, scope)
+      @user  = user
+      @scope = scope
+    end
+
+    def resolve
+      scope.all 
+    end
+
+    private
+
+    attr_reader :user, :scope
+  end
+end   
+```
+
+### Authorization for scope queries 
+
+One common scenario is to restrict access to all `Orders` that only belong to the current user, unless ther user has role `admin` any have access to all `Orders.` You can easily achieve this by specifying the Scope class `resolve` method:
+
 ```
+def resolve 
+  if @user.role === 'admin' 
+    scope.all 
+  else 
+    scope.where(user_id: @user.id)
+  end
+end 
+```
+
+This will restrict all order results to those that only belong to the current user. Again, the user is the JSON payload that is decoded using the JWT token. For example, the token you encode and decode should have at the very least a unique identifier such as `id` or `uid` and a `role` field:
+
+{
+ id: 1,
+ first_name: 'John',
+ last_name: 'Doe',
+ role: 'admin'
+}
+
+When this JWT token is passed to Pundit using DashAPI, it will be accessible as `@user` and you can reference any attribute on user such as `@user.id` and `@user.role` within the Pundit policy class. 
 
 
-### Exclude fields and tables 
+### Authorization for CRUD operations
 
-The Dash API is not yet suitable for production scale applications. Please use with caution. 
+You can also override ride any specific CRUD operation by specifying the policy for that operation. This will allow you to provide access control that changes for `admins` and `users`.
 
-You can exclude fields from being serialized by specifying DASH_EXCLUDE_FIELDS
+As an example, lets only allow users to be able to delete an order if the order status is a `draft` order, and not an order that as been `paid.`
+
+```
+def destroy?
+  if @user.role === 'admin'
+    true 
+  else 
+    @user.id === @record.user_id && @record.status === 'draft'
+  end 
+end 
+```
+
+Pundit provides a simple yet powerful way to manage the access control policies of the DashAPI for any table. 
+
+
+### Serialization 
+
+DashAPI will serialize all data from the API using the `as_json` method on the Active Record object. You can exclude sensitive attributes from being serialized during `as_json` by specifying which attributes to ignore in `DashAPi.exclude_attributes` using space delimited attribute names.
 
 ```
 # /config/initializers/dash_api.rb
 DashApi.tap do |config|
   ...
-  config.exclude_fields = ENV['DASH_EXCLUDE_FIELDS'].split(' ') || []  
+  config.exclude_attributes = ENV['DASH_EXCLUDE_ATTRIBUTES'].split(' ') || []  
   ...
 end 
 ```
 
 Example: 
+
 ```
-config.exclude_fields = "encrypted_password hashed_password secret_token"
+# /config/initializers/dash_api.rb
+DashApi.tap do |config|
+  ...
+  config.exclude_attributes = "encrypted_password hashed_password"
+  ...
+end 
 ```
 
-You can also exclude tables from the API using the exclude_tables configuration:
+You can also exclude tables entirely from the API using the exclude_tables configuration by using space delimited table names:
 
 ```
 # /config/initializers/dash_api.rb

data/app/controllers/concerns/dash_api/api_exception.rb

@@ -0,0 +1,26 @@
+module DashApi 
+  module ApiException  
+    extend ActiveSupport::Concern
+
+    included do
+      include Pundit 
+
+      rescue_from Exception, with: :unprocessable_entity
+      rescue_from StandardError, with: :unprocessable_entity
+      rescue_from ActiveRecord::RecordNotFound, with: :unprocessable_entity
+      rescue_from ActiveRecord::ActiveRecordError, with: :unprocessable_entity        
+      rescue_from Pundit::NotAuthorizedError, with: :unauthorized
+
+        
+      def unprocessable_entity(e)
+        render json: { error: e }, status: :unprocessable_entity
+      end    
+
+      def unauthorized(e)
+        render json: { error: "You are not authorized to perform this action." }, status: :unprocessable_entity
+      end 
+  
+    end
+
+  end 
+end 

data/app/controllers/concerns/dash_api/auth.rb

@@ -0,0 +1,51 @@
+module DashApi 
+  module Auth   
+    extend ActiveSupport::Concern
+
+    included do
+      
+      private      
+
+      def current_user
+        unless auth_token.blank?
+          jwt_payload = jwt_token 
+        else 
+          jwt_payload = {role: "guest"}
+        end       
+        HashWithIndifferentAccess.new(jwt_payload)
+      end 
+  
+      def jwt_token    
+        case jwt_token_provider
+        when "firebase"            
+          DashApi::JsonWebToken.decode_firebase(auth_token) 
+        when "jwt"
+          DashApi::JsonWebToken.decode(auth_token) 
+        else 
+          raise "Unknown JWT token provider"
+        end 
+        rescue JWT::ExpiredSignature
+          raise "JWT token has expired"
+        rescue JWT::VerificationError, JWT::DecodeError
+          raise "Invalid JWT token"     
+      end 
+
+      def jwt_token_provider 
+        jwt = DashApi::JsonWebToken.decode_unverified(auth_token)
+        jwt[:firebase].present? ? "firebase" : "jwt"
+      end 
+  
+      def auth_token
+        http_token || params['token']      
+      end
+    
+      def http_token
+        if request.headers['Authorization'].present?
+          request.headers['Authorization'].split(' ').last
+        end
+      end  
+
+    end
+
+  end 
+end 

data/app/controllers/dash_api/api_controller.rb

@@ -1,88 +1,105 @@
 module DashApi
-  class ApiController < ApplicationController 
+  class ApiController < ApplicationController         
 
     skip_before_action :verify_authenticity_token
 
-    before_action :authenticate_request!
-    before_action :load_table 
     before_action :parse_query_params
+    before_action :load_dash_table 
 
-    def index                     
-      @dash_table.query(
-        keywords:       @query[:keywords],
-        select_fields:  @query[:select_fields],
-        sort_by:        @query[:sort_by],
-        sort_direction: @query[:sort_direction],
-        filters:        @query[:filters],
-        associations:   @query[:associations],  
-        page:           @query[:page],
-        per_page:       @query[:per_page]        
-      )      
+    def index                      
+      resources = dash_scope
+
+      authorize resources, :index? 
+
+      @filters.each{|filter| resources = resources.where(filter) }            
+      resources = resources.pg_search(@keywords) if @keywords.present?      
+      resources = resources.order(@order) if @order.present?          
+      resources = resources.select(@select) if @select.present?      
+      resources = resources.page(@page).per(@per_page)
 
       render json: { 
-        data: @dash_table.serialize, 
-        meta: @dash_table.page_info 
+        data: DashApi::Serializer.to_json(resources, includes: @includes),
+        meta: {
+          page: @page,
+          per_page: @per_page,
+          total_count: resources.total_count
+        }        
       }
     end 
 
     def show 
-      resource = @dash_table.query(
-        associations: @query[:associations],
-        filters: [{ field: :id, operator: "=", value: params[:id] }],
-        page: 1,
-        per_page: 1
-      )
-      render json: { data: @dash_table.serialize[0] }
+      resource = dash_scope.find(params[:id])
+      authorize resource, :show? 
+      render json: { 
+        data: DashApi::Serializer.to_json(resource, includes: @includes) 
+      }
     end 
 
     def create  
-      resource = @dash_table.create!(dash_params)
-      render json: { data: resource }    
+      resource = dash_scope.create!(dash_params)
+      authorize resource, :create? 
+      render json: { 
+        data: DashApi::Serializer.to_json(resource) 
+      }    
     end 
 
     def update 
-      resource = @dash_table.find(params[:id])
+      resource = dash_scope.find(params[:id])
+      authorize resource, :update? 
       if resource.update(dash_params)
-        render json: { data: resource }
+        render json: {           
+          data: DashApi::Serializer.to_json(resource)
+        }
       else 
         render json: { error: resource.errors.full_messages }, status: 422
       end 
     end 
 
     def destroy  
-      resource = @dash_table.find(params[:id])
+      resource = dash_scope.find(params[:id])
+      authorize resource, :destroy? 
       resource.destroy 
-      render json: { data: resource }    
+      render json: { data: DashApi::Serializer.to_json(resource) }    
     end 
 
     def update_many 
-      resources = @dash_table.where(id: params[:ids])
+      resources = dash_scope.where(id: params[:ids])
+      authorize resources, :update? 
       resources.update(dash_params)
-      render json: { data: resources }
+      render json: { data: DashApi::Serializer.to_json(resources) }
     end 
 
     def delete_many       
-      resources = @dash_table.where(id: params[:ids])
+      resources = dash_scope.where(id: params[:ids])
+      authorize resources, :destroy? 
       resources.destroy_all
-      render json: { data: resources }
+      render json: { data: DashApi::Serializer.to_json(resources) }
     end 
 
     private
 
     def parse_query_params
-      @query = DashApi::Query.parse(params)
+      query = DashApi::Query.parse(params)
+      @keywords = query[:keywords]
+      @page =query[:page]
+      @per_page = query[:per_page]
+      @order = query[:order]
+      @filters = query[:filters]
+      @select = query[:select_fields]
+      @includes = query[:associations]
     end 
 
-    def load_table 
+    def load_dash_table 
       raise "This resource is excluded." if DashApi.exclude_tables.include?(params[:table_name])      
-      @dash_table = DashTable.modelize(params[:table_name])
-      @dash_table.table_name = params[:table_name] 
+      @dash_table = DashTable.modelize(params[:table_name], includes: @includes)      
+    end 
+
+    def dash_scope 
+      policy_scope(@dash_table)
     end 
 
     def dash_params
-      params
-        .require(params[:table_name])
-        .permit!
+      params.require(params[:table_name]).permit!
     end 
 
   end 

data/app/controllers/dash_api/application_controller.rb

@@ -1,42 +1,7 @@
 module DashApi
-  class ApplicationController < ActionController::Base
-    
-    rescue_from Exception, with: :unprocessable_entity
-    rescue_from StandardError, with: :unprocessable_entity
-    rescue_from ActiveRecord::RecordNotFound, with: :unprocessable_entity
-    rescue_from ActiveRecord::ActiveRecordError, with: :unprocessable_entity
-
-  
-    def authenticate_request!       
-      if DashApi.enable_auth === true                
-        return true if auth_token === DashApi.api_token && !DashApi.api_token.blank?
-        jwt_token
-      end 
-    end 
-
-    private
-
-    def jwt_token      
-      DashApi::JsonWebToken.decode(auth_token)   
-      rescue JWT::ExpiredSignature
-        raise "JWT token has expired"
-      rescue JWT::VerificationError, JWT::DecodeError
-        raise "Invalid JWT token"     
-    end 
-
-    def auth_token
-      http_token || params['token']      
-    end
-  
-    def http_token
-      if request.headers['Authorization'].present?
-        request.headers['Authorization'].split(' ').last
-      end
-    end
-  
-    def unprocessable_entity(e)
-      render json: { error: e }, status: :unprocessable_entity
-    end
+  class ApplicationController < ActionController::Base    
+    include ApiException
+    include Auth 
 
   end
 end

data/app/controllers/dash_api/schema_controller.rb

@@ -1,7 +1,5 @@
 module DashApi
   class SchemaController < ApplicationController 
-    
-    before_action :authenticate_request!
 
     def index 
       tables = DashApi::Schema.table_names 

data/app/models/concerns/dash_api/dash_model.rb

@@ -2,202 +2,75 @@ module DashApi
   module DashModel 
     extend ActiveSupport::Concern
 
-    class_methods do 
+    class_methods do       
 
-        attr_accessor :scope, :includes
+      def modelize(table_name, includes: nil)         
 
-        def query(
-          keywords: nil,
-          select_fields: nil,
-          associations: nil,
-          sort_by: 'id',
-          sort_direction: 'asc',
-          filters: nil,
-          page: 1,
-          per_page: 20
-        )      
-
-        @current_scope = self.all       
-
-        filter(filters: filters)            
-        
-        sort(sort_by: sort_by, sort_direction: sort_direction)                  
-
-        full_text_search(keywords: keywords)          
-              
-        join_associations(associations: associations)
-
-        select_fields(fields: select_fields)               
-
-        paginate(page: page, per_page: per_page) 
-
-        @current_scope     
-      end 
-
-      # Filtering
-      # Filtering follows the URL pattern <field>.<attribute>=<operator>.<value>
-      # Filters can also be chained to AND filter queries together
-      #
-      # Example: /books?books.id=lte.10 returns all books with id <= 10 
-
-      def filter(filters: [])
-        filters.each do |filter|
-          @current_scope = @current_scope.where(["#{filter[:field]} #{filter[:operator]} ?", filter[:value]])        
+        # Create an Abstract Active Record class and 
+        # assign the table name from params 
+        class_name = table_name.singularize.capitalize        
+        if Object.const_defined? class_name
+          klass = class_name.constantize          
+        else 
+          klass = Object.const_set class_name, Class.new(DashApi::DashTable)
         end 
-      end
-
-      # Sorting 
-      # Sort any field in ascending or descending direction 
-      # Example: /books?order=title.asc
-
-      def sort(sort_by: nil, sort_direction: nil) 
-        return self unless sort_by && sort_direction
-        @current_scope = @current_scope.order("#{sort_by}": sort_direction)
-      end 
-
-      # Select 
-      # Only return select fields from the table, equivalent to SQL select()
-      # Example: /books?select=id,title,summary
+        klass.table_name = table_name.downcase.pluralize
 
-      def select_fields(fields: nil)
-        return unless fields              
-        @current_scope = @current_scope.select(fields) 
-      end 
+        # Define a default Pundit policy class for this model
+        if Object.const_defined? "#{class_name}Policy"
+          policy = "#{class_name}Policy".constantize          
+        else 
+          policy = Object.const_set "#{class_name}Policy", Class.new(ApplicationPolicy)
+        end 
 
-      # Search 
-      # Full-text search using the pg_search gem
-      # pg_search_scope is assigned dynamically against all table columns
-      # Example: books?keywords=Ruby+on+Rails
+        # Clear the cache since migrations don't restart the server. 
+        klass.reset_column_information
 
-      def full_text_search(keywords: nil) 
-        return if keywords.blank?
-        self.pg_search_scope(
-          :pg_search, 
-          against: self.searchable_fields, 
-          using: { 
-            tsearch: { 
-              any_word: false
-            } 
-          }
-        )
-        results = pg_search(keywords)      
-        @current_scope = results 
-      end 
-
-      # Paginate 
-      # Paginate the results with an offset and limit 
-      # Example: books?page=1&per_page=20
+        # Guest the model associations using Rails naming conventions
+        klass.build_associations(includes) if includes.present?
 
-      def paginate(per_page: 20, page: 1)
-        @page = page 
-        @per_page = per_page      
-        offset = (page-1)*per_page
-        @current_scope = @current_scope.limit(per_page).offset(offset)
+        # Define the pg_search_scope for this model
+        klass.build_index_fields
+        klass
       end 
-
-      # Join associations
-      # We infer the association as either belongs_to or has_many 
-      # based on whether the associated table name is singular or plural.
-      # We dynamically create the ActiveRecord class and set the appropriate 
-      # ActiveRecord:Relation relationships
-      #
-      # Example: books?includes=author,reviews
-
-      def join_associations(associations: nil)
+      
+      def build_associations(associations)
         return nil unless associations
-        @associations = associations
         associations.each do |table_name|
           klass = DashTable.modelize(table_name)
           if is_singular?(table_name)
             self.belongs_to table_name.singularize.to_sym 
             klass.has_many self.table_name.pluralize.to_sym 
-            @current_scope = @current_scope.includes(table_name.singularize.to_sym)
           else
             self.has_many table_name.pluralize.to_sym 
             klass.belongs_to self.table_name.singularize.to_sym 
-            @current_scope = @current_scope.includes(table_name.pluralize.to_sym)
           end 
         end
       end 
 
-      # Serialize
-      # We serialize with the appropriate associations
-      # based on whether the assocation is singular or plural.        
-      def serialize
-        if @associations
-          associations_sym = @associations.map{|table_name| 
-            is_singular?(table_name) ? 
-              table_name.singularize.to_sym : 
-              table_name.pluralize.to_sym 
+      def build_index_fields
+        self.pg_search_scope(
+          :pg_search, 
+          against: self.searchable_fields, 
+          using: { 
+            tsearch: { 
+              any_word: false
+            } 
           }
-
-          include_hash = {}
-          associations_sym.each do |association|
-            include_hash.merge!({
-              "#{association}": { 
-                except: DashApi.exclude_fields
-              } 
-            })
-          end 
-
-          @current_scope.as_json(
-            include: include_hash, 
-            except: DashApi.exclude_fields
-          )
-        else
-          @current_scope.as_json(except: DashApi.exclude_fields)
-        end 
+        )
       end 
 
       def is_singular?(name)
         name && name.singularize == name 
       end 
 
-      def page_info       
-        {
-          page: @page,
-          per_page: @per_page     
-        }
-      end
-
-      def table_columns
-        return [] if self.table_name.nil?
-        self.columns
-      end 
-
       def searchable_fields
         return [] if self.table_name.nil?
         self.columns.map(&:name).filter{|column| 
-          column unless DashApi.exclude_fields.include?(column.to_sym) 
+          column unless DashApi.exclude_attributes.include?(column.to_sym) 
         }
       end 
 
-      def modelize(table_name) 
-        class_name = table_name.singularize.capitalize
-        if Object.const_defined? class_name
-          class_name.constantize
-        else 
-          Object.const_set class_name, Class.new(DashApi::DashTable)
-        end 
-      end 
-          
-      def foreign_keys 
-        self.columns.map{|col| 
-          if col.name.downcase.split("_")[-1] == 'id' && col.name.downcase != 'id'
-            col.name 
-          end 
-        }.compact
-      end 
-
-      def foreign_table(foreign_key)
-        foreign_key.downcase.split('_').first.pluralize 
-      end 
-
-      def foreign_tables
-        foreign_keys.map{ |foreign_key| 
-          foreign_table(foreign_key)
-        }
-      end 
     end 
   end 
 end 

data/app/models/dash_api/dash_table.rb

@@ -5,5 +5,5 @@ module DashApi
     
     self.abstract_class = true    
     
-  end
+  end 
 end

data/app/services/dash_api/json_web_token.rb

@@ -1,19 +1,39 @@
+require 'net/http'
+require 'net/https'
+
 module DashApi 
   module JsonWebToken
-    require 'jwt'
-
+    require 'jwt'    
+    
     JWT_HASH_ALGORITHM = 'HS256'
+    GOOGLE_CERTS_URL = 'https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com'
 
     def self.encode(payload:, expiration:)
-      payload[:exp] = expiration || Time.now.advance(minutes: 15)
-      JWT.encode(payload, DashApi.jwt_secret, DashApi.jwt_hash_algorithm ||JWT_HASH_ALGORITHM)
+      payload[:exp] = expiration || 15.minutes.from_now.to_i
+      JWT.encode(payload, DashApi.jwt_secret, DashApi.jwt_hash_algorithm || JWT_HASH_ALGORITHM)
     end
 
     def self.decode(jwt_token)
-      HashWithIndifferentAccess.new(JWT.decode(jwt_token, DashApi.jwt_secret, true, {
+      jwt = JWT.decode(jwt_token, DashApi.jwt_secret, true, {
         algorithm: DashApi.jwt_algorithm || JWT_HASH_ALGORITHM
-      })[0])
+      })
+      HashWithIndifferentAccess.new(jwt[0])
     end
 
+    def self.decode_firebase(jwt_token)
+      firebase_web_key = DashApi.firebase_web_key
+      jwt = JWT.decode(jwt_token, firebase_web_key, true, { algorithm: 'RS256' })  do |header|
+        url = URI(GOOGLE_CERTS_URL)
+        json = JSON.parse(Net::HTTP.get(url))
+        public_key = OpenSSL::X509::Certificate.new(json[header['kid']]).public_key
+      end
+      jwt = jwt[0].merge({ role: "user", provider: "firebase" })
+      HashWithIndifferentAccess.new(jwt)
+    end 
+
+    def self.decode_unverified(jwt_token)
+      HashWithIndifferentAccess.new(JWT.decode(jwt_token, nil, false)[0])
+    end
+  
   end
 end

data/app/services/dash_api/query.rb

@@ -30,35 +30,30 @@
         select_fields = params[:select]&.split(',')
       end 
       
-      if params[:order]
+      if params[:order]        
         sort_by, sort_direction = params[:order].split(DELIMITER)        
         sort_direction = "desc" if sort_direction and !SORT_DIRECTIONS.include?(sort_direction)
+        order = { "#{sort_by}": sort_direction }
       end 
 
       if params[:includes] 
         associations = params[:includes].split(",").map(&:strip)
       end 
 
-      filters = []
+      filters = []      
       if params[:filters]
-        params[:filters].split(',').each do |filter_param|   
-          field, rel, value = filter_param.split(DELIMITER)
-          rel = "eq" unless OPERATORS.keys.include?(rel.to_sym)      
-          operator = OPERATORS[rel.to_sym] || '='
-          filters << { 
-            field: field, 
-            operator: operator, 
-            value: value 
-          }
-        end 
+        params[:filters].split(',').each do |filter_param|             
+          filters << format_filter(filter_param)
+        end  
       end 
-      
+
       page = params[:page]&.to_i || 1 
       per_page = params[:per_page]&.to_i || PER_PAGE 
 
       {
         keywords: keywords,
         select_fields: select_fields,
+        order: order,
         sort_by: sort_by,
         sort_direction: sort_direction,
         filters: filters,
@@ -68,5 +63,13 @@
       }
     end 
 
+    def self.format_filter(filter_param)
+      field, rel, value = filter_param.split(DELIMITER)
+      rel = "eq" unless OPERATORS.keys.include?(rel.to_sym)      
+      operator = OPERATORS[rel.to_sym] || '='   
+      condition = "#{field} #{operator} ?"
+      [condition, value]
+    end 
+
   end
 end 

data/app/services/dash_api/schema.rb

@@ -35,8 +35,11 @@ module DashApi
 
     def self.render_column(column)      
       {
+        friendly_name: column.human_name,
         name: column.name,
-        type: column.sql_type_metadata.type,
+        type: column.type,
+        array: column.array,
+        default: column.default,
         limit: column.sql_type_metadata.limit,
         precision: column.sql_type_metadata.precision,
         foreign_key: foreign_key?(column.name),

data/app/services/dash_api/serializer.rb

@@ -0,0 +1,19 @@
+module DashApi 
+  module Serializer 
+
+    def self.to_json(current_scope, includes: nil)             
+      opts = { except: DashApi.exclude_attributes }
+      if includes
+        include_hash = {}
+        includes.each {|table_name| include_hash.merge!({
+            "#{table_name}": { except: DashApi.exclude_attributes } 
+          })
+        }
+        current_scope.as_json(opts.merge(include: include_hash))
+      else
+        current_scope.as_json(opts)
+      end 
+    end 
+
+  end 
+end 

data/lib/dash_api/version.rb

@@ -1,3 +1,3 @@
 module DashApi
-  VERSION = '0.0.16'
+  VERSION = '0.0.24'
 end

data/lib/dash_api.rb

@@ -3,13 +3,12 @@ require "dash_api/engine"
 
 module DashApi
     
-  mattr_accessor :enable_auth
   mattr_accessor :jwt_secret 
   mattr_accessor :jwt_algorithm
 
-  mattr_accessor :api_token
+  mattr_accessor :firebase_web_key
 
-  mattr_accessor :exclude_fields
+  mattr_accessor :exclude_attributes
   mattr_accessor :exclude_tables
   
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dash_api
 version: !ruby/object:Gem::Version
-  version: 0.0.16
+  version: 0.0.24
 platform: ruby
 authors:
 - Rami Bitar
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-10-31 00:00:00.000000000 Z
+date: 2021-11-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -31,7 +31,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 6.1.4.1
 - !ruby/object:Gem::Dependency
-  name: pg
+  name: dotenv-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -45,7 +45,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: pg_search
+  name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -73,7 +73,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: dotenv-rails
+  name: ostruct
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -87,7 +87,35 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: jwt
+  name: pundit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pg
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pg_search
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -113,6 +141,8 @@ files:
 - Rakefile
 - app/assets/config/dash_manifest.js
 - app/assets/stylesheets/dash/application.css
+- app/controllers/concerns/dash_api/api_exception.rb
+- app/controllers/concerns/dash_api/auth.rb
 - app/controllers/dash_api/api_controller.rb
 - app/controllers/dash_api/application_controller.rb
 - app/controllers/dash_api/schema_controller.rb
@@ -125,19 +155,20 @@ files:
 - app/services/dash_api/json_web_token.rb
 - app/services/dash_api/query.rb
 - app/services/dash_api/schema.rb
+- app/services/dash_api/serializer.rb
 - app/views/layouts/dash_api/application.html.erb
 - config/routes.rb
 - lib/dash_api.rb
 - lib/dash_api/engine.rb
 - lib/dash_api/version.rb
 - lib/tasks/dash_tasks.rake
-homepage: https://github.com/skillhire/dash_api.git
+homepage: https://github.com/dash-api/dash-api.git
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://github.com/skillhire/dash_api.git
-  source_code_uri: https://github.com/skillhire/dash_api.git
-  changelog_uri: https://github.com/skillhire/dash_api.git
+  homepage_uri: https://github.com/dash-api/dash-api.git
+  source_code_uri: https://github.com/dash-api/dash-api.git
+  changelog_uri: https://github.com/dash-api/dash-api.git
 post_install_message:
 rdoc_options: []
 require_paths: