haveapi 0.27.3 → 0.28.0

data/lib/haveapi/authentication/token/provider.rb

@@ -153,6 +153,8 @@ module HaveAPI::Authentication
         t = token(request)
 
         t && config.find_user_by_token(request, t)
+      rescue HaveAPI::AuthenticationError
+        nil
       end
 
       # Extract token from HTTP request
@@ -194,10 +196,7 @@ module HaveAPI::Authentication
       end
 
       def token_present?(value)
-        return false if value.nil?
-        return false if value.respond_to?(:empty?) && value.empty?
-
-        true
+        value.is_a?(String) && !value.empty?
       end
 
       def token_resource
@@ -228,7 +227,8 @@ module HaveAPI::Authentication
                                 END
               integer :interval, label: 'Interval',
                                  desc: 'How long will requested token be valid, in seconds.',
-                                 default: 60 * 5, fill: true
+                                 default: 60 * 5, fill: true,
+                                 number: { min: 1, max: 86_400 }
             end
 
             output(:hash) do
@@ -277,11 +277,30 @@ module HaveAPI::Authentication
 
             def exec
               provider = self.class.resource.token_instance
-              result = provider.config.class.revoke.handle.call(ActionRequest.new(
-                                                                  request:,
-                                                                  user: current_user,
-                                                                  token: provider.token(request)
-                                                                ), ActionResult.new)
+              begin
+                token = provider.token(request)
+                user = provider.authenticate(request)
+              rescue HaveAPI::Authentication::TokenConflict => e
+                error!(e.message, {}, http_status: 400)
+              end
+
+              unless user
+                error!(
+                  'Action requires user to authenticate with a token',
+                  {},
+                  http_status: 401
+                )
+              end
+
+              begin
+                result = provider.config.class.revoke.handle.call(ActionRequest.new(
+                                                                    request:,
+                                                                    user:,
+                                                                    token:
+                                                                  ), ActionResult.new)
+              rescue HaveAPI::AuthenticationError => e
+                error!(e.message)
+              end
 
               if result.ok?
                 ok!
@@ -305,11 +324,30 @@ module HaveAPI::Authentication
 
             def exec
               provider = self.class.resource.token_instance
-              result = provider.config.class.renew.handle.call(ActionRequest.new(
-                                                                 request:,
-                                                                 user: current_user,
-                                                                 token: provider.token(request)
-                                                               ), ActionResult.new)
+              begin
+                token = provider.token(request)
+                user = provider.authenticate(request)
+              rescue HaveAPI::Authentication::TokenConflict => e
+                error!(e.message, {}, http_status: 400)
+              end
+
+              unless user
+                error!(
+                  'Action requires user to authenticate with a token',
+                  {},
+                  http_status: 401
+                )
+              end
+
+              begin
+                result = provider.config.class.renew.handle.call(ActionRequest.new(
+                                                                   request:,
+                                                                   user:,
+                                                                   token:
+                                                                 ), ActionResult.new)
+              rescue HaveAPI::AuthenticationError => e
+                error!(e.message)
+              end
 
               if result.ok?
                 { valid_to: result.valid_to }

data/lib/haveapi/authorization.rb

@@ -30,7 +30,15 @@ module HaveAPI
     # Apply restrictions on query which selects objects from database.
     # Most common usage is restrict user to access only objects he owns.
     def restrict(**kwargs)
-      @restrict << kwargs
+      normalized = normalize_hash_keys(kwargs)
+
+      normalized.each do |key, value|
+        @restrict.each do |restriction|
+          deny if restriction.has_key?(key) && restriction[key] != value
+        end
+      end
+
+      @restrict << normalized
     end
 
     # Restrict parameters client can set/change.
@@ -65,7 +73,11 @@ module HaveAPI
       ret = {}
 
       @restrict.each do |r|
-        ret.update(r)
+        r.each do |key, value|
+          deny if ret.has_key?(key) && ret[key] != value
+
+          ret[key] = value
+        end
       end
 
       ret
@@ -79,12 +91,16 @@ module HaveAPI
       filter_inner(output, @output, params, format)
     end
 
+    def permitted_input_names(params)
+      permitted_params(params, @input).map(&:name)
+    end
+
     private
 
     def filter_inner(allowed_params, direction, params, format)
       allowed = {}
 
-      allowed_params.each do |p|
+      permitted_params(allowed_params, direction).each do |p|
         if params.has_param?(p.name)
           allowed[p.name] = format ? p.format_output(params[p.name]) : params[p.name]
 
@@ -93,29 +109,37 @@ module HaveAPI
         end
       end
 
-      return allowed unless direction
+      allowed
+    end
 
-      if direction[:whitelist]
-        ret = {}
+    def permitted_params(params, direction)
+      return params unless direction
 
-        direction[:whitelist].each do |p|
-          ret[p] = allowed[p] if allowed.has_key?(p)
-        end
-
-        ret
+      if direction[:whitelist]
+        whitelist = normalize_names(direction[:whitelist])
 
+        params.select { |p| whitelist.include?(p.name) }
       elsif direction[:blacklist]
-        ret = allowed.dup
+        blacklist = normalize_names(direction[:blacklist])
 
-        direction[:blacklist].each do |p|
-          ret.delete(p)
-        end
+        params.reject { |p| blacklist.include?(p.name) }
+      else
+        params
+      end
+    end
 
-        ret
+    def normalize_names(names)
+      names.map { |name| normalize_key(name) }
+    end
 
-      else
-        allowed
+    def normalize_hash_keys(hash)
+      hash.each_with_object({}) do |(key, value), ret|
+        ret[normalize_key(key)] = value
       end
     end
+
+    def normalize_key(key)
+      key.is_a?(String) ? key.to_sym : key
+    end
   end
 end

data/lib/haveapi/client_examples/php_client.rb

@@ -94,7 +94,7 @@ module HaveAPI::ClientExamples
       out << "$reply = $api->#{resource_path.join('->')}->#{action_name}"
       out << "(#{args.join(', ')});\n"
 
-      return (out << response(sample)) if sample[:status]
+      return out << response(sample) if sample[:status]
 
       out << '// Throws exception \\HaveAPI\\Client\\Exception\\ActionFailed'
       out

data/lib/haveapi/client_examples/ruby_client.rb

@@ -55,7 +55,7 @@ module HaveAPI::ClientExamples
       out << "reply = client.#{resource_path.join('.')}.#{action_name}"
       out << "(#{args.join(', ')})" unless args.empty?
 
-      return (out << response(sample)) if sample[:status]
+      return out << response(sample) if sample[:status]
 
       out << "\n"
       out << '# Raises exception HaveAPI::Client::ActionFailed'

data/lib/haveapi/context.rb

@@ -2,11 +2,13 @@ module HaveAPI
   class Context
     attr_accessor :server, :version, :request, :resource, :action, :path, :args,
                   :params, :current_user, :authorization, :endpoint, :resource_path,
-                  :action_instance, :action_prepare, :layout, :doc
+                  :action_instance, :action_prepare, :layout, :doc,
+                  :auth_users_by_version
 
     def initialize(server, version: nil, request: nil, resource: [], action: nil,
                    path: nil, args: nil, params: nil, user: nil,
-                   authorization: nil, endpoint: nil, resource_path: [], doc: false)
+                   authorization: nil, endpoint: nil, resource_path: [], doc: false,
+                   auth_users_by_version: nil)
       @server = server
       @version = version
       @request = request
@@ -20,6 +22,7 @@ module HaveAPI
       @endpoint = endpoint
       @resource_path = resource_path
       @doc = doc
+      @auth_users_by_version = auth_users_by_version
     end
 
     def resolved_path
@@ -79,7 +82,7 @@ module HaveAPI
 
       my_args = args.clone
 
-      path.scan(/\{([a-zA-Z\-_]+)\}/) do |match|
+      path.scan(/\{([a-zA-Z0-9\-_]+)\}/) do |match|
         path_param = match.first
         ret[path_param] = my_args.shift
       end
@@ -94,7 +97,10 @@ module HaveAPI
     private
 
     def resolve_arg!(path, arg)
-      path.sub!(/\{[a-zA-Z\-_]+\}/, arg.to_s)
+      value = arg.to_s
+      raise HaveAPI::ValidationError, 'invalid path parameter encoding' unless value.valid_encoding?
+
+      path.sub!(/\{[a-zA-Z0-9\-_]+\}/, value)
     end
   end
 end

data/lib/haveapi/example.rb

@@ -41,21 +41,17 @@ module HaveAPI
     end
 
     def authorized?(context)
-      if (context.endpoint || context.current_user) \
-          && @authorization && !@authorization.call(context.current_user)
-        false
-      else
-        true
-      end
+      return true unless @authorization
+
+      @authorization.call(context.current_user) ? true : false
     end
 
     def provided?
-      if instance_variables.detect do |v|
-        instance_variable_get(v)
-      end
-        true
-      else
-        false
+      instance_variables.any? do |v|
+        value = instance_variable_get(v)
+        next false if v == :@title && value.to_s.empty?
+
+        !value.nil? && value != false
       end
     end
 
@@ -65,8 +61,8 @@ module HaveAPI
           title: @title,
           comment: @comment,
           path_params: @path_params,
-          request: filter_input_params(context, @request),
-          response: filter_output_params(context, @response),
+          request: @request.nil? ? nil : filter_input_params(context, @request),
+          response: @response.nil? ? nil : filter_output_params(context, @response),
           status: @status.nil? ? true : @status,
           message: @message,
           errors: @errors,
@@ -80,6 +76,8 @@ module HaveAPI
     protected
 
     def filter_input_params(context, input)
+      return nil if input.nil?
+
       case context.action.input.layout
       when :object, :hash
         context.authorization.filter_input(
@@ -91,14 +89,15 @@ module HaveAPI
         input.map do |obj|
           context.authorization.filter_input(
             context.action.input.params,
-            ModelAdapters::Hash.output(context, obj),
-            true
+            ModelAdapters::Hash.output(context, obj)
           )
         end
       end
     end
 
     def filter_output_params(context, output)
+      return nil if output.nil?
+
       case context.action.output.layout
       when :object, :hash
         context.authorization.filter_output(

data/lib/haveapi/extensions/action_exceptions.rb

@@ -5,12 +5,12 @@ module HaveAPI::Extensions
     class << self
       def enabled(server)
         HaveAPI::Action.connect_hook(:exec_exception) do |ret, _context, e|
-          break(ret) unless @exceptions
-
-          @exceptions.each do |handler|
-            if e.is_a?(handler[:klass])
-              ret = handler[:block].call(ret, e)
-              break
+          if @exceptions
+            @exceptions.each do |handler|
+              if e.is_a?(handler[:klass])
+                ret = handler[:block].call(ret, e)
+                break
+              end
             end
           end
 

data/lib/haveapi/model_adapters/active_record.rb

@@ -19,6 +19,8 @@ module HaveAPI::ModelAdapters
 
     module Action
       module InstanceMethods
+        MAX_INCLUDE_DEPTH = 16
+
         # Helper method that sets correct ActiveRecord includes
         # according to the meta includes sent by the user.
         # `q` is the model or partial AR query. If not set,
@@ -77,6 +79,14 @@ module HaveAPI::ModelAdapters
           paginable = input[parameter]
           limit = input[:limit]
 
+          if limit && limit > HaveAPI::Actions::Paginable::MAX_LIMIT
+            error!(
+              "limit has to be maximally #{HaveAPI::Actions::Paginable::MAX_LIMIT}",
+              {},
+              http_status: 400
+            )
+          end
+
           q = yield(q, paginable) if paginable
           q = q.limit(limit) if limit
           q
@@ -87,40 +97,54 @@ module HaveAPI::ModelAdapters
         def ar_parse_includes(raw)
           return @ar_parsed_includes if @ar_parsed_includes
 
-          @ar_parsed_includes = ar_inner_includes(raw).select do |inc|
-            # Drop associations that are not registered in the AR:
-            #   The API resource may have associations that are not based on
-            #   associations in AR.
-            if inc.is_a?(::Hash)
-              inc.each_key do |k|
-                next(false) unless self.class.model.reflections.has_key?(k.to_s)
-              end
+          @ar_parsed_includes = raw.filter_map do |assoc|
+            ar_parse_include_path(assoc, self.class.model)
+          end
+        end
 
-            else
-              next(false) unless self.class.model.reflections.has_key?(inc.to_s)
-            end
+        # Kept for callers that used the old parser directly.
+        def ar_inner_includes(includes)
+          includes.filter_map do |assoc|
+            parts = assoc.to_s.split('__').reject(&:empty?).map(&:to_sym)
+            next if parts.empty? || parts.size > MAX_INCLUDE_DEPTH
 
-            true
+            ar_include_tree(parts)
           end
         end
 
-        # Called by ar_parse_includes for recursion purposes.
-        def ar_inner_includes(includes)
-          args = []
+        def ar_parse_include_path(path, model)
+          parts = path.to_s.split('__')
+          return if parts.empty? || parts.size > MAX_INCLUDE_DEPTH
+
+          current_model = model
+          symbols = []
+          i = 0
+
+          while i < parts.size
+            part = parts[i]
+            return if part.empty?
 
-          includes.each do |assoc|
-            if assoc.index('__')
-              tmp = {}
-              parts = assoc.split('__')
-              tmp[parts.first.to_sym] = ar_inner_includes([parts[1..].join('__')])
+            begin
+              reflection = current_model.reflections[part.to_s]
+              return unless reflection
 
-              args << tmp
-            else
-              args << assoc.to_sym
+              symbols << part.to_sym
+              current_model = reflection.klass
+            rescue NameError
+              return
             end
+            i += 1
           end
 
-          args
+          ar_include_tree(symbols)
+        end
+
+        def ar_include_tree(parts)
+          ret = parts.last
+          (parts.size - 2).downto(0) do |i|
+            ret = { parts[i] => [ret] }
+          end
+          ret
         end
 
         # Default includes contain all associated resources specified
@@ -153,7 +177,9 @@ module HaveAPI::ModelAdapters
           raise HaveAPI::ValidationError, "not a valid id #{original.inspect}"
         end
 
-        if raw.is_a?(String)
+        if raw.is_a?(Array) || raw.is_a?(Hash) || [true, false].include?(raw)
+          raise HaveAPI::ValidationError, "not a valid id #{original.inspect}"
+        elsif raw.is_a?(String)
           stripped = raw.strip
 
           if stripped.empty?
@@ -163,9 +189,6 @@ module HaveAPI::ModelAdapters
           end
 
           raw = stripped
-
-        elsif [true, false].include?(raw)
-          raise HaveAPI::ValidationError, "not a valid id #{original.inspect}"
         end
 
         value = if integer_pk?(model)
@@ -177,11 +200,17 @@ module HaveAPI::ModelAdapters
                   raw
                 end
 
-        if extra[:fetch]
-          model.instance_exec(value, &extra[:fetch])
-        else
-          model.find(value)
+        ret = if extra[:fetch]
+                model.instance_exec(value, &extra[:fetch])
+              else
+                model.find(value)
+              end
+
+        if ret.nil? && !allow_null
+          raise HaveAPI::ValidationError, 'resource not found'
         end
+
+        ret
       rescue ::ActiveRecord::RecordNotFound
         raise HaveAPI::ValidationError, 'resource not found'
       rescue ArgumentError, TypeError
@@ -234,10 +263,20 @@ module HaveAPI::ModelAdapters
         return unless %i[object object_list].include?(action.input.layout)
 
         clean = proc do |raw|
-          if raw.is_a?(String)
-            raw.strip.split(',')
-          elsif raw.is_a?(Array)
-            raw
+          values = if raw.is_a?(String)
+                     raw.strip.split(',')
+                   elsif raw.is_a?(Array)
+                     raw
+                   else
+                     raise HaveAPI::ValidationError, 'includes must be a string or array'
+                   end
+
+          values.map do |value|
+            unless value.is_a?(String)
+              raise HaveAPI::ValidationError, 'includes must contain only strings'
+            end
+
+            value.strip
           end
         end
 
@@ -306,49 +345,82 @@ module HaveAPI::ModelAdapters
         res_output = res_show.output
 
         args = res_show.resolve_path_params(val)
+        resolve_assoc = includes_include?(param.name)
+        pass_includes = includes_pass_on_to(param.name) if resolve_assoc
 
-        if includes_include?(param.name)
-          push_cls = @context.action
-          push_ins = @context.action_instance
+        with_association_context(res_show, args) do |show|
+          # Tell the child action it is being checked as a nested association.
+          show.flags[:inner_assoc] = true
 
-          pass_includes = includes_pass_on_to(param.name)
+          return unauthorized_resource unless show.authorized?(@context.current_user)
+          return unauthorized_resource unless show_prepared?(show)
 
-          show = res_show.new(
-            push_ins.request,
-            push_ins.version,
-            {},
-            nil,
-            @context
-          )
-          show.meta[:includes] = pass_includes
+          if resolve_assoc
+            show.meta[:includes] = pass_includes
 
-          # This flag is used to tell the action that it is being used
-          # as a nested association, that it wasn't called directly by the user.
-          show.flags[:inner_assoc] = true
+            ret = show.safe_output(val)
 
-          show.authorized?(push_ins.current_user) # FIXME: handle false
+            raise "#{res_show} resolve failed" unless ret[0]
 
-          ret = show.safe_output(val)
+            ret[1][res_show.output.namespace].update({
+                _meta: ret[1][:_meta].update(resolved: true)
+            })
 
-          @context.action_instance = push_ins
-          @context.action = push_cls
+          else
+            {
+              param.value_id => val.send(res_output[param.value_id].db_name),
+              param.value_label => val.send(res_output[param.value_label].db_name),
+              _meta: {
+                path_params: args.is_a?(Array) ? args : [args],
+                resolved: false
+              }
+            }
+          end
+        end
+      end
 
-          raise "#{res_show} resolve failed" unless ret[0]
+      def with_association_context(res_show, args)
+        push_cls = @context.action
+        push_ins = @context.action_instance
+        push_path = @context.path
+        @context.path = res_show.build_route('')
+
+        res_show.new(
+          push_ins.request,
+          push_ins.version,
+          res_show.path_params(@context.path, args),
+          nil,
+          @context
+        )
+        yield @context.action_instance
+      ensure
+        restore_context(push_cls, push_ins, push_path)
+      end
 
-          ret[1][res_show.output.namespace].update({
-              _meta: ret[1][:_meta].update(resolved: true)
-          })
+      def restore_context(action, action_instance, path)
+        @context.action = action
+        @context.action_instance = action_instance
+        @context.path = path
+      end
 
-        else
-          {
-            param.value_id => val.send(res_output[param.value_id].db_name),
-            param.value_label => val.send(res_output[param.value_label].db_name),
-            _meta: {
-              path_params: args.is_a?(Array) ? args : [args],
-              resolved: false
-            }
-          }
+      def show_prepared?(show)
+        completed = Object.new
+        ret = catch(:return) do
+          show.validate!
+          show.prepare
+          completed
         end
+
+        ret.equal?(completed)
+      end
+
+      def unauthorized_resource
+        {
+          _meta: {
+            resolved: false,
+            authorized: false
+          }
+        }
       end
 
       # Should an association with `name` be resolved?

data/lib/haveapi/model_adapters/hash.rb

@@ -11,7 +11,7 @@ module HaveAPI::ModelAdapters
     end
 
     class Input < ::HaveAPI::ModelAdapter::Input
-      def self.clean(model, raw)
+      def self.clean(model, raw, _extra = nil)
         raw
       end
     end