grape 2.3.0 → 2.4.0

data/lib/grape/middleware/formatter.rb

@@ -3,16 +3,9 @@
 module Grape
   module Middleware
     class Formatter < Base
-      CHUNKED = 'chunked'
-      FORMAT = 'format'
-
-      def default_options
-        {
-          default_format: :txt,
-          formatters: {},
-          parsers: {}
-        }
-      end
+      DEFAULT_OPTIONS = {
+        default_format: :txt
+      }.freeze
 
       def before
         negotiate_content_type
@@ -69,34 +62,27 @@ module Grape
         end
       end
 
-      def request
-        @request ||= Rack::Request.new(env)
-      end
-
-      # store read input in env['api.request.input']
       def read_body_input
-        return unless
-          (request.post? || request.put? || request.patch? || request.delete?) &&
-          (!request.form_data? || !request.media_type) &&
-          !request.parseable_data? &&
-          (request.content_length.to_i.positive? || request.env[Grape::Http::Headers::HTTP_TRANSFER_ENCODING] == CHUNKED)
+        input = rack_request.body # reads RACK_INPUT
+        return if input.nil?
+        return unless read_body_input?
 
-        return unless (input = env[Rack::RACK_INPUT])
-
-        rewind_input input
+        input.try(:rewind)
         body = env[Grape::Env::API_REQUEST_INPUT] = input.read
         begin
-          read_rack_input(body) if body && !body.empty?
+          read_rack_input(body)
         ensure
-          rewind_input input
+          input.try(:rewind)
         end
       end
 
-      # store parsed input in env['api.request.body']
       def read_rack_input(body)
-        fmt = request.media_type ? mime_types[request.media_type] : options[:default_format]
+        return if body.empty?
+
+        media_type = rack_request.media_type
+        fmt = media_type ? mime_types[media_type] : options[:default_format]
 
-        throw :error, status: 415, message: "The provided content-type '#{request.media_type}' is not supported." unless content_type_for(fmt)
+        throw :error, status: 415, message: "The provided content-type '#{media_type}' is not supported." unless content_type_for(fmt)
         parser = Grape::Parser.parser_for fmt, options[:parsers]
         if parser
           begin
@@ -119,63 +105,43 @@ module Grape
         end
       end
 
+      # this middleware will not try to format the following content-types since Rack already handles them
+      # when calling Rack's `params` function
+      # - application/x-www-form-urlencoded
+      # - multipart/form-data
+      # - multipart/related
+      # - multipart/mixed
+      def read_body_input?
+        (rack_request.post? || rack_request.put? || rack_request.patch? || rack_request.delete?) &&
+          !(rack_request.form_data? && rack_request.content_type) &&
+          !rack_request.parseable_data? &&
+          (rack_request.content_length.to_i.positive? || rack_request.env['HTTP_TRANSFER_ENCODING'] == 'chunked')
+      end
+
       def negotiate_content_type
-        fmt = format_from_extension || format_from_params || options[:format] || format_from_header || options[:default_format]
+        fmt = format_from_extension || query_params['format'] || options[:format] || format_from_header || options[:default_format]
         if content_type_for(fmt)
-          env[Grape::Env::API_FORMAT] = fmt
+          env[Grape::Env::API_FORMAT] = fmt.to_sym
         else
           throw :error, status: 406, message: "The requested format '#{fmt}' is not supported."
         end
       end
 
       def format_from_extension
-        parts = request.path.split('.')
-
-        if parts.size > 1
-          extension = parts.last
-          # avoid symbol memory leak on an unknown format
-          return extension.to_sym if content_type_for(extension)
-        end
-        nil
-      end
-
-      def format_from_params
-        fmt = Rack::Utils.parse_nested_query(env[Rack::QUERY_STRING])[FORMAT]
-        # avoid symbol memory leak on an unknown format
-        return fmt.to_sym if content_type_for(fmt)
+        request_path = rack_request.path.try(:scrub)
+        dot_pos = request_path.rindex('.')
+        return unless dot_pos
 
-        fmt
+        extension = request_path[dot_pos + 1..]
+        extension if content_type_for(extension)
       end
 
       def format_from_header
-        mime_array.each do |t|
-          return mime_types[t] if mime_types.key?(t)
-        end
-        nil
-      end
-
-      def mime_array
-        accept = env[Grape::Http::Headers::HTTP_ACCEPT]
-        return [] unless accept
-
-        accept_into_mime_and_quality = %r{
-          (
-            \w+/[\w+.-]+)     # eg application/vnd.example.myformat+xml
-          (?:
-           (?:;[^,]*?)?       # optionally multiple formats in a row
-           ;\s*q=([\w.]+)     # optional "quality" preference (eg q=0.5)
-          )?
-        }x
-
-        vendor_prefix_pattern = /vnd\.[^+]+\+/
-
-        accept.scan(accept_into_mime_and_quality)
-              .sort_by { |_, quality_preference| -(quality_preference ? quality_preference.to_f : 1.0) }
-              .flat_map { |mime, _| [mime, mime.sub(vendor_prefix_pattern, '')] }
-      end
+        accept_header = env['HTTP_ACCEPT'].try(:scrub)
+        return if accept_header.blank?
 
-      def rewind_input(input)
-        input.rewind if input.respond_to?(:rewind)
+        media_type = Rack::Utils.best_q_match(accept_header, mime_types.keys)
+        mime_types[media_type] if media_type
       end
     end
   end

data/lib/grape/middleware/stack.rb

@@ -5,10 +5,11 @@ module Grape
     # Class to handle the stack of middlewares based on ActionDispatch::MiddlewareStack
     # It allows to insert and insert after
     class Stack
+      extend Forwardable
       class Middleware
         attr_reader :args, :block, :klass
 
-        def initialize(klass, *args, &block)
+        def initialize(klass, args, block)
           @klass = klass
           @args = args
           @block = block
@@ -31,8 +32,12 @@ module Grape
           klass.to_s
         end
 
-        def use_in(builder)
-          builder.use(@klass, *@args, &@block)
+        def build(builder)
+          # we need to force the ruby2_keywords_hash for middlewares that initialize contains keywords
+          # like ActionDispatch::RequestId since middleware arguments are serialized
+          # https://rubyapi.org/3.4/o/hash#method-c-ruby2_keywords_hash
+          args[-1] = Hash.ruby2_keywords_hash(args[-1]) if args.last.is_a?(Hash) && Hash.respond_to?(:ruby2_keywords_hash)
+          builder.use(klass, *args, &block)
         end
       end
 
@@ -40,33 +45,17 @@ module Grape
 
       attr_accessor :middlewares, :others
 
+      def_delegators :middlewares, :each, :size, :last, :[]
+
       def initialize
         @middlewares = []
         @others = []
       end
 
-      def each(&block)
-        @middlewares.each(&block)
-      end
-
-      def size
-        middlewares.size
-      end
-
-      def last
-        middlewares.last
-      end
-
-      def [](index)
-        middlewares[index]
-      end
-
-      def insert(index, *args, &block)
+      def insert(index, klass, *args, &block)
         index = assert_index(index, :before)
-        middleware = self.class::Middleware.new(*args, &block)
-        middlewares.insert(index, middleware)
+        middlewares.insert(index, self.class::Middleware.new(klass, args, block))
       end
-      ruby2_keywords :insert if respond_to?(:ruby2_keywords, true)
 
       alias insert_before insert
 
@@ -74,38 +63,39 @@ module Grape
         index = assert_index(index, :after)
         insert(index + 1, *args, &block)
       end
-      ruby2_keywords :insert_after if respond_to?(:ruby2_keywords, true)
 
-      def use(...)
-        middleware = self.class::Middleware.new(...)
+      def use(klass, *args, &block)
+        middleware = self.class::Middleware.new(klass, args, block)
         middlewares.push(middleware)
       end
 
       def merge_with(middleware_specs)
-        middleware_specs.each do |operation, *args|
+        middleware_specs.each do |operation, klass, *args|
           if args.last.is_a?(Proc)
             last_proc = args.pop
-            public_send(operation, *args, &last_proc)
+            public_send(operation, klass, *args, &last_proc)
           else
-            public_send(operation, *args)
+            public_send(operation, klass, *args)
           end
         end
       end
 
       # @return [Rack::Builder] the builder object with our middlewares applied
-      def build(builder = Rack::Builder.new)
-        others.shift(others.size).each { |m| merge_with(m) }
-        middlewares.each do |m|
-          m.use_in(builder)
+      def build
+        Rack::Builder.new.tap do |builder|
+          others.shift(others.size).each { |m| merge_with(m) }
+          middlewares.each do |m|
+            m.build(builder)
+          end
         end
-        builder
       end
 
       # @description Add middlewares with :use operation to the stack. Store others with :insert_* operation for later
       # @param [Array] other_specs An array of middleware specifications (e.g. [[:use, klass], [:insert_before, *args]])
       def concat(other_specs)
-        @others << Array(other_specs).reject { |o| o.first == :use }
-        merge_with(Array(other_specs).select { |o| o.first == :use })
+        use, not_use = other_specs.partition { |o| o.first == :use }
+        others << not_use
+        merge_with(use)
       end
 
       protected

data/lib/grape/middleware/versioner/accept_version_header.rb

@@ -18,9 +18,7 @@ module Grape
       # route.
       class AcceptVersionHeader < Base
         def before
-          potential_version = env[Grape::Http::Headers::HTTP_ACCEPT_VERSION]
-          potential_version = potential_version.scrub unless potential_version.nil?
-
+          potential_version = env['HTTP_ACCEPT_VERSION'].try(:scrub)
           not_acceptable!('Accept-Version header must be set.') if strict? && potential_version.blank?
 
           return if potential_version.blank?

data/lib/grape/middleware/versioner/base.rb

@@ -4,28 +4,20 @@ module Grape
   module Middleware
     module Versioner
       class Base < Grape::Middleware::Base
-        DEFAULT_PATTERN = /.*/i.freeze
-        DEFAULT_PARAMETER = 'apiver'
+        DEFAULT_OPTIONS = {
+          pattern: /.*/i.freeze,
+          version_options: {
+            strict: false,
+            cascade: true,
+            parameter: 'apiver'
+          }.freeze
+        }.freeze
 
         def self.inherited(klass)
           super
           Versioner.register(klass)
         end
 
-        def default_options
-          {
-            versions: nil,
-            prefix: nil,
-            mount_path: nil,
-            pattern: DEFAULT_PATTERN,
-            version_options: {
-              strict: false,
-              cascade: true,
-              parameter: DEFAULT_PARAMETER
-            }
-          }
-        end
-
         def versions
           options[:versions]
         end
@@ -66,7 +58,7 @@ module Grape
         end
 
         def error_headers
-          cascade? ? { Grape::Http::Headers::X_CASCADE => 'pass' } : {}
+          cascade? ? { 'X-Cascade' => 'pass' } : {}
         end
 
         def potential_version_match?(potential_version)
@@ -74,7 +66,7 @@ module Grape
         end
 
         def version_not_found!
-          throw :error, status: 404, message: '404 API Version Not Found', headers: { Grape::Http::Headers::X_CASCADE => 'pass' }
+          throw :error, status: 404, message: '404 API Version Not Found', headers: { 'X-Cascade' => 'pass' }
         end
       end
     end

data/lib/grape/middleware/versioner/header.rb

@@ -49,7 +49,7 @@ module Grape
         end
 
         def accept_header
-          env[Grape::Http::Headers::HTTP_ACCEPT]
+          env['HTTP_ACCEPT']
         end
 
         def strict_header_checks!

data/lib/grape/middleware/versioner/param.rb

@@ -20,12 +20,11 @@ module Grape
       #   env['api.version'] => 'v1'
       class Param < Base
         def before
-          potential_version = Rack::Utils.parse_nested_query(env[Rack::QUERY_STRING])[parameter_key]
+          potential_version = query_params[parameter_key]
           return if potential_version.blank?
 
           version_not_found! unless potential_version_match?(potential_version)
-          env[Grape::Env::API_VERSION] = potential_version
-          env[Rack::RACK_REQUEST_QUERY_HASH].delete(parameter_key) if env.key? Rack::RACK_REQUEST_QUERY_HASH
+          env[Grape::Env::API_VERSION] = env[Rack::RACK_REQUEST_QUERY_HASH].delete(parameter_key)
         end
       end
     end

data/lib/grape/params_builder/base.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Grape
+  module ParamsBuilder
+    class Base
+      class << self
+        def call(_params)
+          raise NotImplementedError
+        end
+
+        def inherited(klass)
+          super
+          ParamsBuilder.register(klass)
+        end
+      end
+    end
+  end
+end

data/lib/grape/params_builder/hash.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Grape
+  module ParamsBuilder
+    class Hash < Base
+      def self.call(params)
+        params.deep_symbolize_keys
+      end
+    end
+  end
+end

data/lib/grape/params_builder/hash_with_indifferent_access.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Grape
+  module ParamsBuilder
+    class HashWithIndifferentAccess < Base
+      def self.call(params)
+        params.with_indifferent_access
+      end
+    end
+  end
+end

data/lib/grape/params_builder/hashie_mash.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Grape
+  module ParamsBuilder
+    class HashieMash < Base
+      def self.call(params)
+        ::Hashie::Mash.new(params)
+      end
+    end
+  end
+end

data/lib/grape/params_builder.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Grape
+  module ParamsBuilder
+    extend Grape::Util::Registry
+
+    SHORT_NAME_LOOKUP = {
+      'Grape::Extensions::Hash::ParamBuilder' => :hash,
+      'Grape::Extensions::ActiveSupport::HashWithIndifferentAccess::ParamBuilder' => :hash_with_indifferent_access,
+      'Grape::Extensions::Hashie::Mash::ParamBuilder' => :hashie_mash
+    }.freeze
+
+    module_function
+
+    def params_builder_for(short_name)
+      verified_short_name = verify_short_name!(short_name)
+
+      raise Grape::Exceptions::UnknownParamsBuilder, verified_short_name unless registry.key?(verified_short_name)
+
+      registry[verified_short_name]
+    end
+
+    def verify_short_name!(short_name)
+      return short_name if short_name.is_a?(Symbol)
+
+      class_name = short_name.name
+      SHORT_NAME_LOOKUP[class_name].tap do |real_short_name|
+        Grape.deprecator.warn "#{class_name} has been deprecated. Use short name :#{real_short_name} instead."
+      end
+    end
+  end
+end

data/lib/grape/request.rb

@@ -2,50 +2,189 @@
 
 module Grape
   class Request < Rack::Request
-    HTTP_PREFIX = 'HTTP_'
+    # Based on rack 3 KNOWN_HEADERS
+    # https://github.com/rack/rack/blob/4f15e7b814922af79605be4b02c5b7c3044ba206/lib/rack/headers.rb#L10
+
+    KNOWN_HEADERS = %w[
+      Accept
+      Accept-CH
+      Accept-Encoding
+      Accept-Language
+      Accept-Patch
+      Accept-Ranges
+      Accept-Version
+      Access-Control-Allow-Credentials
+      Access-Control-Allow-Headers
+      Access-Control-Allow-Methods
+      Access-Control-Allow-Origin
+      Access-Control-Expose-Headers
+      Access-Control-Max-Age
+      Age
+      Allow
+      Alt-Svc
+      Authorization
+      Cache-Control
+      Client-Ip
+      Connection
+      Content-Disposition
+      Content-Encoding
+      Content-Language
+      Content-Length
+      Content-Location
+      Content-MD5
+      Content-Range
+      Content-Security-Policy
+      Content-Security-Policy-Report-Only
+      Content-Type
+      Cookie
+      Date
+      Delta-Base
+      Dnt
+      ETag
+      Expect-CT
+      Expires
+      Feature-Policy
+      Forwarded
+      Host
+      If-Modified-Since
+      If-None-Match
+      IM
+      Last-Modified
+      Link
+      Location
+      NEL
+      P3P
+      Permissions-Policy
+      Pragma
+      Preference-Applied
+      Proxy-Authenticate
+      Public-Key-Pins
+      Range
+      Referer
+      Referrer-Policy
+      Refresh
+      Report-To
+      Retry-After
+      Sec-Fetch-Dest
+      Sec-Fetch-Mode
+      Sec-Fetch-Site
+      Sec-Fetch-User
+      Server
+      Set-Cookie
+      Status
+      Strict-Transport-Security
+      Timing-Allow-Origin
+      Tk
+      Trailer
+      Transfer-Encoding
+      Upgrade
+      Upgrade-Insecure-Requests
+      User-Agent
+      Vary
+      Version
+      Via
+      Warning
+      WWW-Authenticate
+      X-Accel-Buffering
+      X-Accel-Charset
+      X-Accel-Expires
+      X-Accel-Limit-Rate
+      X-Accel-Mapping
+      X-Accel-Redirect
+      X-Access-Token
+      X-Auth-Request-Access-Token
+      X-Auth-Request-Email
+      X-Auth-Request-Groups
+      X-Auth-Request-Preferred-Username
+      X-Auth-Request-Redirect
+      X-Auth-Request-Token
+      X-Auth-Request-User
+      X-Cascade
+      X-Client-Ip
+      X-Content-Duration
+      X-Content-Security-Policy
+      X-Content-Type-Options
+      X-Correlation-Id
+      X-Download-Options
+      X-Forwarded-Access-Token
+      X-Forwarded-Email
+      X-Forwarded-For
+      X-Forwarded-Groups
+      X-Forwarded-Host
+      X-Forwarded-Port
+      X-Forwarded-Preferred-Username
+      X-Forwarded-Proto
+      X-Forwarded-Scheme
+      X-Forwarded-Ssl
+      X-Forwarded-Uri
+      X-Forwarded-User
+      X-Frame-Options
+      X-HTTP-Method-Override
+      X-Permitted-Cross-Domain-Policies
+      X-Powered-By
+      X-Real-IP
+      X-Redirect-By
+      X-Request-Id
+      X-Requested-With
+      X-Runtime
+      X-Sendfile
+      X-Sendfile-Type
+      X-UA-Compatible
+      X-WebKit-CS
+      X-XSS-Protection
+    ].each_with_object({}) do |header, response|
+      response["HTTP_#{header.upcase.tr('-', '_')}"] = header
+    end.freeze
 
     alias rack_params params
+    alias rack_cookies cookies
 
     def initialize(env, build_params_with: nil)
-      extend build_params_with || Grape.config.param_builder
       super(env)
+      @params_builder = Grape::ParamsBuilder.params_builder_for(build_params_with || Grape.config.param_builder)
     end
 
     def params
-      @params ||= build_params
-    rescue EOFError
-      raise Grape::Exceptions::EmptyMessageBody.new(content_type)
-    rescue Rack::Multipart::MultipartPartLimitError
-      raise Grape::Exceptions::TooManyMultipartFiles.new(Rack::Utils.multipart_part_limit)
+      @params ||= make_params
     end
 
     def headers
       @headers ||= build_headers
     end
 
-    private
+    def cookies
+      @cookies ||= Grape::Cookies.new(-> { rack_cookies })
+    end
 
+    # needs to be public until extensions param_builder are removed
     def grape_routing_args
-      args = env[Grape::Env::GRAPE_ROUTING_ARGS].dup
       # preserve version from query string parameters
-      args.delete(:version)
-      args.delete(:route_info)
-      args
+      env[Grape::Env::GRAPE_ROUTING_ARGS]&.except(:version, :route_info) || {}
     end
 
-    def build_headers
-      Grape::Util::Lazy::Object.new do
-        env.each_pair.with_object(Grape::Util::Header.new) do |(k, v), headers|
-          next unless k.to_s.start_with? HTTP_PREFIX
+    private
 
-          transformed_header = Grape::Http::Headers::HTTP_HEADERS[k] || transform_header(k)
-          headers[transformed_header] = v
-        end
-      end
+    def make_params
+      @params_builder.call(rack_params).deep_merge!(grape_routing_args)
+    rescue EOFError
+      raise Grape::Exceptions::EmptyMessageBody.new(content_type)
+    rescue Rack::Multipart::MultipartPartLimitError, Rack::Multipart::MultipartTotalPartLimitError
+      raise Grape::Exceptions::TooManyMultipartFiles.new(Rack::Utils.multipart_part_limit)
+    rescue Rack::QueryParser::ParamsTooDeepError
+      raise Grape::Exceptions::TooDeepParameters.new(Rack::Utils.param_depth_limit)
+    rescue Rack::Utils::ParameterTypeError
+      raise Grape::Exceptions::ConflictingTypes
+    rescue Rack::Utils::InvalidParameterError
+      raise Grape::Exceptions::InvalidParameters
     end
 
-    def transform_header(header)
-      -header[5..].tr('_', '-').downcase
+    def build_headers
+      each_header.with_object(Grape::Util::Header.new) do |(k, v), headers|
+        next unless k.start_with? 'HTTP_'
+
+        transformed_header = KNOWN_HEADERS.fetch(k) { -k[5..].tr('_', '-').downcase }
+        headers[transformed_header] = v
+      end
     end
   end
 end

data/lib/grape/router/route.rb

@@ -55,7 +55,7 @@ module Grape
 
       def upcase_method(method)
         method_s = method.to_s
-        Grape::Http::Headers::SUPPORTED_METHODS.detect { |m| m.casecmp(method_s).zero? } || method_s.upcase
+        Grape::HTTP_SUPPORTED_METHODS.detect { |m| m.casecmp(method_s).zero? } || method_s.upcase
       end
     end
   end