haveapi 0.27.3 → 0.28.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ec45b62af7fa8653e5f1a304b57746a9a2858db8b75c6a1d8a3deb5536cc7946
-  data.tar.gz: 0a991e394ccf4a4629f8d755fcfdfa9fd76af6fe37c696d361c1d9340ea8763c
+  metadata.gz: 57ff88678f46548f5a2717e7aae799df778723b95b0384471e873b17b0791669
+  data.tar.gz: 2062ffb0fef65373b74d7ecef1eae40c0cf16433eef60d3d28c52c3b8b4c7e9e
 SHA512:
-  metadata.gz: 693eb912e8215aa93c1c7b009475d91a752bfee1a2d4faeb33d59728168def03128dc7738c264e52f6cef3a87b7e7e11362a4da2f227deb057a9a89e50813705
-  data.tar.gz: e11fd922568a2ed631a702ec71e8e4631759bee27ecd122029e50af3fb389cde4f7167a0c26876b79b1db220d434b4c3117cb338e1a1fb3f529d85675fa91f1d
+  metadata.gz: 5c9d3bc013ac270b3de0b411838a69ac20c920eef8d11cf7552da3e9a852328ab493a5642fc3d4490e7d126d8114f6eda38269b06da2ad3f32a711fa673cbdb3
+  data.tar.gz: 3deaf826dbc931825edd8babd1b453faf9521015bf07450d24e2c290bd37cbd0f47cf2dbde90e2245cf5cefa4c673723c97283c1c836f0826cd517117ad44500

data/Gemfile

@@ -7,7 +7,7 @@ group :test do
   gem 'rack-test'
   gem 'rackup'
   gem 'rspec'
-  gem 'rubocop', require: false
+  gem 'rubocop', '~> 1.85.0', require: false
   gem 'rubocop-rspec', require: false
   gem 'webrick'
 

data/haveapi.gemspec

@@ -15,7 +15,7 @@ Gem::Specification.new do |s|
   s.required_ruby_version = ">= #{File.read('../../.ruby-version').strip}"
 
   s.add_dependency 'activesupport', '>= 7.1'
-  s.add_dependency 'haveapi-client', '~> 0.27.3'
+  s.add_dependency 'haveapi-client', '~> 0.28.1'
   s.add_dependency 'json'
   s.add_dependency 'mail'
   s.add_dependency 'nesty', '~> 1.0'

data/lib/haveapi/action.rb

@@ -4,6 +4,8 @@ require 'haveapi/metadata'
 
 module HaveAPI
   class Action < Common
+    PATH_PARAM_PATTERN = /\{([a-zA-Z0-9\-_]+)\}/
+
     obj_type :action
     has_attr :version
     has_attr :desc
@@ -206,7 +208,7 @@ module HaveAPI
       end
 
       def describe(context)
-        authorization = (@authorization && @authorization.clone) || Authorization.new
+        authorization = (@authorization && @authorization.clone) || Authorization.new {}
         add_pre_authorize_blocks(authorization, context)
 
         if (context.endpoint || context.current_user) \
@@ -276,6 +278,23 @@ module HaveAPI
         end
       end
 
+      def path_param_names(path)
+        path.scan(PATH_PARAM_PATTERN).map(&:first)
+      end
+
+      def path_params(path, args)
+        values = args.is_a?(Array) ? args.dup : [args]
+        params = {}
+
+        path_param_names(path).each do |name|
+          value = values.shift.to_s
+          params[name] = value
+          params[name.to_sym] = value
+        end
+
+        params
+      end
+
       def add_pre_authorize_blocks(authorization, context)
         ret = Action.call_hooks(
           :pre_authorize,
@@ -293,8 +312,10 @@ module HaveAPI
       super()
       @request = request
       @version = version
+      @route_params = params.dup
+      @body = body || {}
       @params = params
-      @params.update(body) if body
+      @params.update(@body)
       @context = context
       @context.action = self.class
       @context.action_instance = self
@@ -316,7 +337,7 @@ module HaveAPI
     def validate!
       @params = validate
     rescue ValidationError => e
-      error!(e.message, e.to_hash)
+      error!(e.message, e.to_hash, http_status: 400)
     end
 
     def authorized?(user)
@@ -329,7 +350,10 @@ module HaveAPI
     end
 
     def input
-      @safe_params[self.class.input.namespace] if self.class.input
+      return unless self.class.input
+
+      ns = self.class.input.namespace
+      ns ? @safe_params[ns] : @safe_params
     end
 
     def meta
@@ -420,7 +444,7 @@ module HaveAPI
               out,
               true
             )
-            @reply_meta[:global].update(out.meta)
+            @reply_meta[:global].update(filtered_object_meta(out.meta, safe_ret))
 
           when :object_list
             safe_ret = []
@@ -433,7 +457,11 @@ module HaveAPI
                 out,
                 true
               )
-              safe_ret.last.update({ Metadata.namespace => out.meta }) unless meta[:no]
+              next if meta[:no]
+
+              safe_ret.last.update({
+                Metadata.namespace => filtered_object_meta(out.meta, safe_ret.last)
+              })
             end
 
           when :hash
@@ -444,8 +472,7 @@ module HaveAPI
             )
 
           when :hash_list
-            safe_ret = ret
-            safe_ret.map! do |hash|
+            safe_ret = ret.map do |hash|
               @authorization.filter_output(
                 out_params,
                 adapter.output(@context, hash),
@@ -462,7 +489,7 @@ module HaveAPI
           end
 
           ns = { output.namespace => safe_ret }
-          ns[Metadata.namespace] = @reply_meta[:global] unless meta[:no]
+          ns[Metadata.namespace] = filtered_global_meta unless meta[:no]
 
           [true, ns]
 
@@ -568,74 +595,138 @@ module HaveAPI
 
     def validate
       # Validate standard input
-      @safe_params = @params.dup
+      @safe_params = @route_params.dup
       input = self.class.input
 
       if input
+        raw_params = @route_params.merge(@body)
+
         # First check layout
-        input.check_layout(@safe_params)
+        input.check_layout(raw_params)
 
         # Then filter allowed params
         case input.layout
         when :object_list, :hash_list
-          @safe_params[input.namespace].map! do |obj|
+          filtered = raw_params[input.namespace].map do |obj|
             @authorization.filter_input(
               self.class.input.params,
               self.class.model_adapter(self.class.input.layout).input(obj)
             )
           end
+          if input.namespace
+            @safe_params[input.namespace] = filtered
+          else
+            @safe_params = filtered
+          end
 
         else
-          @safe_params[input.namespace] = @authorization.filter_input(
+          filtered = @authorization.filter_input(
             self.class.input.params,
-            self.class.model_adapter(self.class.input.layout).input(@safe_params[input.namespace])
+            self.class.model_adapter(self.class.input.layout).input(
+              input.namespace ? raw_params[input.namespace] : raw_params
+            )
           )
+          if input.namespace
+            @safe_params[input.namespace] = filtered
+          else
+            self.class.input.params.each do |p|
+              @safe_params.delete(p.name)
+              @safe_params.delete(p.name.to_s)
+            end
+            @safe_params.update(filtered)
+          end
         end
 
         # Now check required params, convert types and set defaults
-        input.validate(@safe_params)
+        input.validate(
+          @safe_params,
+          context: @context,
+          only: @authorization.permitted_input_names(self.class.input.params)
+        )
       end
 
-      # Validate metadata input
-      auth = Authorization.new { allow }
+      validate_metadata(input)
+    end
+
+    def validate_metadata(input)
       @metadata = {}
 
-      return if input && %i[object_list hash_list].include?(input.layout)
+      validate_metadata_type(:global, @authorization)
+      validate_metadata_type(:object, @authorization, input) if input && !%i[object_list hash_list].include?(input.layout)
+    end
 
-      %i[object global].each do |v|
-        meta = self.class.meta(v)
-        next unless meta
+    def validate_metadata_type(type, auth, input = nil)
+      meta = self.class.meta(type)
+      return unless meta && meta.input
 
-        raw_meta = nil
+      params = metadata_params(type, input)
+      params = {} if params.nil?
+      meta.input.check_layout(params)
 
-        [Metadata.namespace, Metadata.namespace.to_s].each do |ns|
-          params = v == :object ? (@params[input.namespace] && @params[input.namespace][ns]) : @params[ns]
-          next unless params
+      raw_meta = auth.filter_input(
+        meta.input.params,
+        self.class.model_adapter(meta.input.layout).input(params)
+      )
 
-          raw_meta = auth.filter_input(
-            meta.input.params,
-            self.class.model_adapter(meta.input.layout).input(params)
-          )
+      @metadata.update(
+        meta.input.validate(
+          raw_meta,
+          context: @context,
+          only: auth.permitted_input_names(meta.input.params)
+        )
+      )
+    end
 
-          break if raw_meta
-        end
+    def metadata_params(type, input)
+      case type
+      when :global
+        fetch_metadata_from(@params)
+      when :object
+        return unless input && input.namespace
 
-        next unless raw_meta
+        obj_params = @params[input.namespace]
+        fetch_metadata_from(obj_params) if obj_params.is_a?(Hash)
+      end
+    end
 
-        @metadata.update(meta.input.validate(raw_meta))
+    def fetch_metadata_from(params)
+      [Metadata.namespace, Metadata.namespace.to_s].each do |ns|
+        return params[ns] if params && params.has_key?(ns)
       end
+
+      nil
     end
 
     # @return <Hash<Symbol, String>> path parameters and their values
     def extract_path_params
       ret = {}
 
-      @context.path.scan(/\{([a-zA-Z\-_]+)\}/) do |match|
-        path_param = match.first
-        ret[path_param] = @params[path_param]
+      self.class.path_param_names(@context.path).each do |path_param|
+        ret[path_param] = if @route_params.has_key?(path_param)
+                            @route_params[path_param]
+                          else
+                            @route_params[path_param.to_sym]
+                          end
       end
 
       ret
     end
+
+    def filtered_global_meta
+      global_meta = self.class.meta(:global)
+      return @reply_meta[:global] unless global_meta && global_meta.output
+
+      @authorization.filter_output(
+        global_meta.output.params,
+        self.class.model_adapter(global_meta.output.layout).output(@context, @reply_meta[:global]),
+        true
+      )
+    end
+
+    def filtered_object_meta(object_meta, safe_object)
+      return object_meta if safe_object.has_key?(:id) || safe_object.has_key?('id')
+
+      object_meta.except(:path_params, 'path_params')
+    end
   end
 end

data/lib/haveapi/actions/paginable.rb

@@ -1,11 +1,13 @@
 module HaveAPI::Actions
   module Paginable
+    MAX_LIMIT = 1_000
+
     def self.included(action)
       action.input do
         integer :from_id, label: 'From ID', desc: 'List objects with greater/lesser ID',
                           number: { min: 0 }
         integer :limit, label: 'Limit', desc: 'Number of objects to retrieve',
-                        number: { min: 0 }
+                        number: { min: 0, max: MAX_LIMIT }
       end
     end
   end

data/lib/haveapi/authentication/basic/provider.rb

@@ -32,6 +32,8 @@ module HaveAPI::Authentication
         end
 
         user
+      rescue ArgumentError, EncodingError
+        nil
       end
 
       def describe

data/lib/haveapi/authentication/chain.rb

@@ -12,13 +12,13 @@ module HaveAPI::Authentication
       versions.each do |v|
         @instances[v] ||= []
 
-        @chain[v] && @chain[v].each { |p| register_provider(v, p) }
+        @chain[v] && @chain[v].each { |p| register_provider(v, p, global: false) }
       end
 
       return unless @chain[:all]
 
       @chain[:all].each do |p|
-        @instances.each_key { |v| register_provider(v, p) }
+        @instances.each_key { |v| register_provider(v, p, global: true) }
       end
 
       # @chain.each do |p|
@@ -61,7 +61,10 @@ module HaveAPI::Authentication
         ret[provider.name][:resources] = {}
 
         @server.routes[context.version][:authentication][provider.name][:resources].each do |r, children|
-          ret[provider.name][:resources][r.resource_name.underscore.to_sym] = r.describe(children, context)
+          desc = r.describe(children, context)
+          next if desc[:actions].empty? && desc[:resources].empty?
+
+          ret[provider.name][:resources][r.resource_name.underscore.to_sym] = desc
         end
       end
 
@@ -91,16 +94,16 @@ module HaveAPI::Authentication
     end
 
     def empty?
-      @chain.empty?
+      @chain.empty? || @chain.values.all?(&:empty?)
     end
 
     protected
 
-    def register_provider(v, p)
+    def register_provider(v, p, global:)
       instance = p.new(@server, v)
       @instances[v] << instance
 
-      @server.add_auth_routes(v, instance, prefix: instance.name.to_s)
+      @server.add_auth_routes(v, instance, prefix: instance.name.to_s, global:)
 
       resource_module = instance.resource_module
       return if resource_module.nil?
@@ -109,7 +112,8 @@ module HaveAPI::Authentication
         v,
         instance.name,
         resource_module,
-        prefix: instance.name.to_s
+        prefix: instance.name.to_s,
+        global:
       )
     end
   end

data/lib/haveapi/authentication/oauth2/config.rb

@@ -88,7 +88,8 @@ module HaveAPI::Authentication
       # @param token [String]
       # @param token_type_hint [nil, 'access_token', 'refresh_token']
       # @return [:revoked, :unsupported]
-      def handle_post_revoke(sinatra_request, token, token_type_hint: nil); end
+      # @param client [Client, nil] authenticated revoking client
+      def handle_post_revoke(sinatra_request, token, token_type_hint: nil, client: nil); end
 
       # Find client by ID
       # @param client_id [String]
@@ -156,15 +157,36 @@ module HaveAPI::Authentication
           state: req.state
         }
 
-        if req.code_challenge.present? && req.code_challenge_method.present?
+        if req.code_challenge.present?
+          scalar_oauth2_param!(req.code_challenge, 'code_challenge')
+          code_challenge_method = if req.code_challenge_method.present?
+                                    scalar_oauth2_param!(
+                                      req.code_challenge_method,
+                                      'code_challenge_method'
+                                    )
+                                  else
+                                    'plain'
+                                  end
+
           ret.update(
             code_challenge: req.code_challenge,
-            code_challenge_method: req.code_challenge_method
+            code_challenge_method:
           )
         end
 
         ret
       end
+
+      private
+
+      def scalar_oauth2_param!(value, name)
+        return value if value.is_a?(String)
+
+        raise Rack::OAuth2::Server::Abstract::BadRequest.new(
+          :invalid_request,
+          "\"#{name}\" must be a string."
+        )
+      end
     end
   end
 end

data/lib/haveapi/authentication/oauth2/provider.rb

@@ -96,19 +96,19 @@ module HaveAPI::Authentication
         that = self
 
         sinatra.get @authorize_path do
-          that.authorization_endpoint(self).call(request.env)
+          that.call_authorization_endpoint(self)
         end
 
         sinatra.post @authorize_path do
-          that.authorization_endpoint(self).call(request.env)
+          that.call_authorization_endpoint(self)
         end
 
         sinatra.post @token_path do
-          that.token_endpoint(self).call(request.env)
+          that.call_token_endpoint(self)
         end
 
         sinatra.post @revoke_path do
-          that.revoke_endpoint(self).call(request.env)
+          that.call_revoke_endpoint(self)
         end
       end
 
@@ -131,6 +131,8 @@ module HaveAPI::Authentication
           end
 
         token && config.find_user_by_access_token(request, token)
+      rescue HaveAPI::AuthenticationError
+        nil
       end
 
       def token_from_authorization_header(request)
@@ -139,6 +141,8 @@ module HaveAPI::Authentication
         return unless auth_header.provided? && !auth_header.parts.first.nil? && auth_header.scheme.to_s == 'bearer'
 
         auth_header.params
+      rescue ArgumentError, EncodingError
+        nil
       end
 
       def token_from_haveapi_header(request)
@@ -249,10 +253,15 @@ module HaveAPI::Authentication
                 req.invalid_grant!
               end
 
-              if authorization.code_challenge && authorization.code_challenge_method
+              if authorization.code_challenge
+                req.invalid_grant! unless authorization.code_challenge.is_a?(String)
+
+                code_challenge_method = authorization.code_challenge_method || 'plain'
+                req.invalid_grant! unless code_challenge_method.is_a?(String)
+
                 req.verify_code_verifier!(
                   authorization.code_challenge,
-                  authorization.code_challenge_method.to_sym
+                  code_challenge_method.to_sym
                 )
               end
 
@@ -289,10 +298,16 @@ module HaveAPI::Authentication
 
       def revoke_endpoint(handler)
         RevokeEndpoint.new do |req, _res|
+          req.invalid_client! if req.client_id.nil? || req.client_id.empty?
+          req.invalid_client! if req.client_secret.nil? || req.client_secret.empty?
+
+          client = config.find_client_by_id(req.client_id)
+          req.invalid_client! if client.nil? || !client.check_secret(req.client_secret)
+
           ret = config.handle_post_revoke(
             handler.request,
             req.token,
-            token_type_hint: req.token_type_hint
+            **revoke_kwargs(req, client)
           )
 
           case ret
@@ -306,17 +321,83 @@ module HaveAPI::Authentication
         end
       end
 
+      def call_authorization_endpoint(handler)
+        return invalid_request unless scalar_params?(
+          handler.params,
+          %w[client_id response_type redirect_uri state scope response_mode
+             code_challenge code_challenge_method]
+        )
+
+        finish_oauth_errors do
+          authorization_endpoint(handler).call(handler.request.env)
+        end
+      end
+
+      def call_token_endpoint(handler)
+        return invalid_request unless scalar_params?(
+          handler.params,
+          %w[grant_type client_id client_secret code redirect_uri refresh_token
+             code_verifier client_assertion client_assertion_type]
+        )
+
+        finish_oauth_errors do
+          token_endpoint(handler).call(handler.request.env)
+        end
+      end
+
+      def call_revoke_endpoint(handler)
+        return invalid_request unless scalar_params?(
+          handler.params,
+          %w[token token_type_hint client_id client_secret]
+        )
+
+        finish_oauth_errors do
+          revoke_endpoint(handler).call(handler.request.env)
+        end
+      end
+
       private
 
+      def scalar_params?(params, names)
+        names.all? do |name|
+          value = params[name]
+          value.nil? || value.is_a?(String)
+        end
+      end
+
+      def finish_oauth_errors
+        yield
+      rescue Rack::OAuth2::Server::Abstract::Error => e
+        begin
+          e.finish
+        rescue Rack::OAuth2::Server::Abstract::Error
+          Rack::OAuth2::Server::Abstract::BadRequest.new(e.error, e.description).finish
+        end
+      rescue ArgumentError, EncodingError
+        invalid_request
+      end
+
+      def invalid_request
+        Rack::OAuth2::Server::Abstract::BadRequest.new(:invalid_request).finish
+      end
+
+      def revoke_kwargs(req, client)
+        kwargs = { token_type_hint: req.token_type_hint }
+        params = config.method(:handle_post_revoke).parameters
+
+        if params.any? { |type, name| type == :keyrest || (type == :key && name == :client) }
+          kwargs[:client] = client
+        end
+
+        kwargs
+      end
+
       def header_to_env(header)
         "HTTP_#{header.upcase.gsub('-', '_')}"
       end
 
       def token_present?(value)
-        return false if value.nil?
-        return false if value.respond_to?(:empty?) && value.empty?
-
-        true
+        value.is_a?(String) && !value.empty?
       end
     end
   end

data/lib/haveapi/authentication/oauth2/revoke_endpoint.rb

@@ -1,22 +1,55 @@
 require 'rack/oauth2'
+require 'rack/auth/basic'
 
 module HaveAPI::Authentication
   module OAuth2
     class RevokeEndpoint < Rack::OAuth2::Server::Abstract::Handler
       def _call(env)
-        @request  = Request.new(env)
+        @request = Request.new(env)
+        @request.attr_missing!
         @response = Response.new(request)
-        super
+        super.finish
+      rescue Rack::OAuth2::Server::Abstract::Error => e
+        e.finish
       end
 
       class Request < Rack::OAuth2::Server::Abstract::Request
         attr_required :token
-        attr_optional :token_type_hint
+        attr_optional :client_id, :client_secret, :token_type_hint
 
         def initialize(env)
+          auth = Rack::Auth::Basic::Request.new(env)
+
+          if auth.provided? && auth.basic?
+            @client_id, @client_secret = auth.credentials.map do |credential|
+              Rack::OAuth2::Util.www_form_url_decode(credential)
+            end
+          end
+
           super
+          @client_secret ||= params['client_secret']
           @token = params['token']
           @token_type_hint = params['token_type_hint']
+
+          invalid_request! unless scalar_request_params?
+        rescue ArgumentError, EncodingError
+          invalid_request!
+        end
+
+        def invalid_client!(description = nil, options = {})
+          raise Rack::OAuth2::Server::Token::Unauthorized.new(
+            :invalid_client,
+            description,
+            options
+          )
+        end
+
+        def invalid_request!(description = nil, options = {})
+          raise Rack::OAuth2::Server::Abstract::BadRequest.new(
+            :invalid_request,
+            description,
+            options
+          )
         end
 
         def unsupported_token_type!(description = nil, options = {})
@@ -26,6 +59,14 @@ module HaveAPI::Authentication
             options
           )
         end
+
+        private
+
+        def scalar_request_params?
+          [client_id, client_secret, token, token_type_hint].all? do |value|
+            value.nil? || value.is_a?(String)
+          end
+        end
       end
 
       class Response < Rack::OAuth2::Server::Abstract::Response