haveapi 0.28.0 → 0.28.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4dc49769be220f91aa34770fa280e1507a3eef56ad97f1cdda575a4d42f42ad0
-  data.tar.gz: '09177e0cf827dbed3e8a31290c2f0088a7e7857bab9c4cbd2d3953a55a84747e'
+  metadata.gz: 1c0e9ead0f7cf99be75dc598c843487b2609b0cdc902694b800b9fcdb7df7ef9
+  data.tar.gz: 1689ebabcc73b7c9f31c53d328abf133f3ab6b3feb6c7892ddbfa1f32f7e426d
 SHA512:
-  metadata.gz: 0bbac0d82fcfcba37da6874b54b667036cac326aead8da3e573ce1fac77a986fe191d3e6fb1c1754d65cb0fc5f7fb4d7c7d1d7f5fe329e0135a019fb00100561
-  data.tar.gz: d031c935fffbb7ccd5f4262598fae87e93b8055d393576336d4afd5f4b14a3e19c77d024dcfede042d1e37ac72f8a5d79fc84e96dd94f2a5e0e74ca9984840d9
+  metadata.gz: 44f5728075305342ec0e01a35d80c9ec85a07552b15b44acb1a5ee8139017dd5a0c669ee415f2ecd9b8a66a4eff65a8968fde169d5cbec38e767a036e81cc97a
+  data.tar.gz: 40acf5edb198ccb57b8f195342c9aed5d8badbfb87f6e65fda2725f641d21ee1cd8f348d5393e99d12441f56015e0679c371a53f4ab25999fdb6ba592d322789

data/haveapi.gemspec

@@ -15,7 +15,7 @@ Gem::Specification.new do |s|
   s.required_ruby_version = ">= #{File.read('../../.ruby-version').strip}"
 
   s.add_dependency 'activesupport', '>= 7.1'
-  s.add_dependency 'haveapi-client', '~> 0.28.0'
+  s.add_dependency 'haveapi-client', '~> 0.28.2'
   s.add_dependency 'json'
   s.add_dependency 'mail'
   s.add_dependency 'nesty', '~> 1.0'

data/lib/haveapi/action.rb

@@ -259,9 +259,9 @@ module HaveAPI
       end
 
       def from_context(c)
-        ret = new(nil, c.version, c.params, nil, c)
+        ret = new(nil, c.version, c.path_params || c.path_params_from_args, c.input || c.params || {}, c)
         ret.instance_exec do
-          @safe_params = @params.dup
+          @safe_input = self.class.input && input_from_params(raw_input_params(self.class.input))
           @authorization = c.authorization
           @current_user = c.current_user
         end
@@ -287,7 +287,9 @@ module HaveAPI
         params = {}
 
         path_param_names(path).each do |name|
-          params[name] = values.shift.to_s
+          value = values.shift.to_s
+          params[name] = value
+          params[name.to_sym] = value
         end
 
         params
@@ -306,14 +308,12 @@ module HaveAPI
       end
     end
 
-    def initialize(request, version, params, body, context)
+    def initialize(request, version, params, input_params, context)
       super()
       @request = request
       @version = version
       @route_params = params.dup
-      @body = body || {}
-      @params = params
-      @params.update(@body)
+      @raw_input = input_params || {}
       @context = context
       @context.action = self.class
       @context.action_instance = self
@@ -333,25 +333,28 @@ module HaveAPI
     end
 
     def validate!
-      @params = validate
+      validate
     rescue ValidationError => e
-      error!(e.message, e.to_hash, http_status: 400)
+      opts = {}
+      status = @context.server.validation_error_http_status
+      opts[:http_status] = status if status
+
+      error!(e.message, e.to_hash, opts)
     end
 
     def authorized?(user)
       @current_user = user
-      @authorization.authorized?(user, extract_path_params)
+      @authorization.authorized?(user, path_params)
     end
 
-    def params
-      @safe_params
+    def path_params
+      @path_params ||= extract_path_params
     end
 
     def input
       return unless self.class.input
 
-      ns = self.class.input.namespace
-      ns ? @safe_params[ns] : @safe_params
+      @safe_input
     end
 
     def meta
@@ -593,51 +596,37 @@ module HaveAPI
 
     def validate
       # Validate standard input
-      @safe_params = @route_params.dup
+      @safe_input = nil
       input = self.class.input
 
       if input
-        raw_params = @route_params.merge(@body)
+        raw_params = raw_input_params(input)
 
         # First check layout
         input.check_layout(raw_params)
 
         # Then filter allowed params
-        case input.layout
-        when :object_list, :hash_list
-          filtered = raw_params[input.namespace].map do |obj|
-            @authorization.filter_input(
-              self.class.input.params,
-              self.class.model_adapter(self.class.input.layout).input(obj)
-            )
-          end
-          if input.namespace
-            @safe_params[input.namespace] = filtered
-          else
-            @safe_params = filtered
-          end
-
-        else
-          filtered = @authorization.filter_input(
-            self.class.input.params,
-            self.class.model_adapter(self.class.input.layout).input(
-              input.namespace ? raw_params[input.namespace] : raw_params
-            )
-          )
-          if input.namespace
-            @safe_params[input.namespace] = filtered
-          else
-            self.class.input.params.each do |p|
-              @safe_params.delete(p.name)
-              @safe_params.delete(p.name.to_s)
-            end
-            @safe_params.update(filtered)
-          end
-        end
+        @safe_input = case input.layout
+                      when :object_list, :hash_list
+                        input_from_params(raw_params).map do |obj|
+                          @authorization.filter_input(
+                            self.class.input.params,
+                            self.class.model_adapter(self.class.input.layout).input(obj)
+                          )
+                        end
+
+                      else
+                        @authorization.filter_input(
+                          self.class.input.params,
+                          self.class.model_adapter(self.class.input.layout).input(
+                            input_from_params(raw_params)
+                          )
+                        )
+                      end
 
         # Now check required params, convert types and set defaults
         input.validate(
-          @safe_params,
+          validated_input_params(input),
           context: @context,
           only: @authorization.permitted_input_names(self.class.input.params)
         )
@@ -678,15 +667,42 @@ module HaveAPI
     def metadata_params(type, input)
       case type
       when :global
-        fetch_metadata_from(@params)
+        fetch_metadata_from(@raw_input)
       when :object
         return unless input && input.namespace
 
-        obj_params = @params[input.namespace]
+        obj_params = fetch_param(@raw_input, input.namespace)
         fetch_metadata_from(obj_params) if obj_params.is_a?(Hash)
       end
     end
 
+    def raw_input_params(input)
+      return @raw_input.dup unless input.namespace
+
+      { input.namespace => fetch_param(@raw_input, input.namespace) }
+    end
+
+    def validated_input_params(input)
+      input.namespace ? { input.namespace => @safe_input } : @safe_input
+    end
+
+    def input_from_params(params)
+      input = self.class.input
+      return unless input
+
+      input.namespace ? fetch_param(params, input.namespace) : params
+    end
+
+    def fetch_param(params, name)
+      return unless params
+      return params[name] if params.has_key?(name)
+
+      string_name = name.to_s
+      return params[string_name] if params.has_key?(string_name)
+
+      nil
+    end
+
     def fetch_metadata_from(params)
       [Metadata.namespace, Metadata.namespace.to_s].each do |ns|
         return params[ns] if params && params.has_key?(ns)
@@ -714,7 +730,7 @@ module HaveAPI
       global_meta = self.class.meta(:global)
       return @reply_meta[:global] unless global_meta && global_meta.output
 
-      @authorization.filter_output(
+      @authorization.filter_meta_output(
         global_meta.output.params,
         self.class.model_adapter(global_meta.output.layout).output(@context, @reply_meta[:global]),
         true

data/lib/haveapi/authentication/token/provider.rb

@@ -242,6 +242,12 @@ module HaveAPI::Authentication
               allow
             end
 
+            def validate!
+              validate
+            rescue HaveAPI::ValidationError => e
+              error!(e.message, e.to_hash, http_status: 400)
+            end
+
             def exec
               config = self.class.resource.token_instance.config
 
@@ -378,6 +384,12 @@ module HaveAPI::Authentication
                 allow
               end
 
+              def validate!
+                validate
+              rescue HaveAPI::ValidationError => e
+                error!(e.message, e.to_hash, http_status: 400)
+              end
+
               define_method(:exec) do
                 begin
                   result = config.handle.call(ActionRequest.new(

data/lib/haveapi/authorization.rb

@@ -61,6 +61,13 @@ module HaveAPI
       }
     end
 
+    def meta_output(whitelist: nil, blacklist: nil)
+      @meta_output = {
+        whitelist:,
+        blacklist:
+      }
+    end
+
     def allow
       throw(:rule, true)
     end
@@ -91,6 +98,10 @@ module HaveAPI
       filter_inner(output, @output, params, format)
     end
 
+    def filter_meta_output(output, params, format = false)
+      filter_inner(output, meta_output_filter, params, format)
+    end
+
     def permitted_input_names(params)
       permitted_params(params, @input).map(&:name)
     end
@@ -128,6 +139,16 @@ module HaveAPI
       end
     end
 
+    def meta_output_filter
+      return @meta_output if @meta_output
+      return unless @output && @output[:blacklist]
+
+      {
+        whitelist: nil,
+        blacklist: @output[:blacklist]
+      }
+    end
+
     def normalize_names(names)
       names.map { |name| normalize_key(name) }
     end

data/lib/haveapi/context.rb

@@ -2,13 +2,13 @@ module HaveAPI
   class Context
     attr_accessor :server, :version, :request, :resource, :action, :path, :args,
                   :params, :current_user, :authorization, :endpoint, :resource_path,
-                  :action_instance, :action_prepare, :layout, :doc,
+                  :path_params, :input, :action_instance, :action_prepare, :layout, :doc,
                   :auth_users_by_version
 
     def initialize(server, version: nil, request: nil, resource: [], action: nil,
                    path: nil, args: nil, params: nil, user: nil,
                    authorization: nil, endpoint: nil, resource_path: [], doc: false,
-                   auth_users_by_version: nil)
+                   auth_users_by_version: nil, path_params: nil, input: nil)
       @server = server
       @version = version
       @request = request
@@ -17,6 +17,8 @@ module HaveAPI
       @path = path
       @args = args
       @params = params
+      @path_params = path_params
+      @input = input
       @current_user = user
       @authorization = authorization
       @endpoint = endpoint
@@ -64,6 +66,19 @@ module HaveAPI
       ret
     end
 
+    def action_path_for(action, args = nil)
+      ret = @server.path_for_action(@version, action) || path_for(action)
+
+      ret = ret.dup
+      args.each { |arg| resolve_arg!(ret, arg) } if args
+
+      ret
+    end
+
+    def path_params_for(action, args)
+      action.path_params(action_path_for(action), args)
+    end
+
     def call_path_params(action, obj)
       ret = params && action.resolve_path_params(obj)
 

data/lib/haveapi/example.rb

@@ -42,6 +42,7 @@ module HaveAPI
 
     def authorized?(context)
       return true unless @authorization
+      return true unless context.current_user
 
       @authorization.call(context.current_user) ? true : false
     end

data/lib/haveapi/extensions/exception_mailer.rb

@@ -227,8 +227,12 @@ module HaveAPI::Extensions
                   <td><%=h context.args %></td>
                 </tr>
                 <tr>
-                  <th>Parameters</th>
-                  <td><%=h context.params %></td>
+                  <th>Path parameters</th>
+                  <td><%=h context.path_params %></td>
+                </tr>
+                <tr>
+                  <th>Input</th>
+                  <td><%=h context.input %></td>
                 </tr>
                 <tr>
                   <th>User</th>

data/lib/haveapi/metadata.rb

@@ -48,7 +48,7 @@ module HaveAPI
       def describe(context)
         {
           input: @input && @input.describe(context),
-          output: @output && @output.describe(context)
+          output: @output && @output.describe(context, metadata: true)
         }
       end
     end

data/lib/haveapi/model_adapters/active_record.rb

@@ -383,24 +383,29 @@ module HaveAPI::ModelAdapters
         push_cls = @context.action
         push_ins = @context.action_instance
         push_path = @context.path
-        @context.path = res_show.build_route('')
+        push_path_params = @context.path_params
+        path = @context.action_path_for(res_show)
+        path_params = @context.path_params_for(res_show, args)
+        @context.path = path
+        @context.path_params = path_params
 
         res_show.new(
           push_ins.request,
           push_ins.version,
-          res_show.path_params(@context.path, args),
+          path_params,
           nil,
           @context
         )
         yield @context.action_instance
       ensure
-        restore_context(push_cls, push_ins, push_path)
+        restore_context(push_cls, push_ins, push_path, push_path_params)
       end
 
-      def restore_context(action, action_instance, path)
+      def restore_context(action, action_instance, path, path_params)
         @context.action = action
         @context.action_instance = action_instance
         @context.path = path
+        @context.path_params = path_params
       end
 
       def show_prepared?(show)

data/lib/haveapi/parameters/resource.rb

@@ -159,19 +159,20 @@ module HaveAPI::Parameters
       return if record.nil? || context.nil?
       return unless show_action.authorization
 
-      path = show_action.build_route('')
-      path_params = show_action.path_params(path, show_action.resolve_path_params(record))
+      path = context.action_path_for(show_action)
+      path_params = context.path_params_for(show_action, show_action.resolve_path_params(record))
       child_context = HaveAPI::Context.new(
         context.server,
         version: context.version,
         request: context.request,
         action: show_action,
         path:,
-        params: path_params,
+        path_params:,
+        input: {},
         user: context.current_user,
         endpoint: context.endpoint
       )
-      action = show_action.new(context.request, context.version, path_params, nil, child_context)
+      action = show_action.new(context.request, context.version, path_params, {}, child_context)
       return if action.authorized?(context.current_user)
 
       raise HaveAPI::ValidationError, 'resource not found'

data/lib/haveapi/parameters/typed.rb

@@ -3,7 +3,10 @@ require 'time'
 
 module HaveAPI::Parameters
   class Typed
-    ATTRIBUTES = %i[label desc type db_name default fill clean protected load_validators nullable].freeze
+    ATTRIBUTES = %i[
+      label desc type db_name default fill clean protected load_validators
+      nullable symbolize_keys
+    ].freeze
 
     attr_reader :name, :label, :desc, :type, :default
 
@@ -79,7 +82,8 @@ module HaveAPI::Parameters
     end
 
     def clean(raw)
-      return validate_cleaned_value(instance_exec(raw, &@clean)) if @clean
+      clean_raw = custom? ? normalize_custom_keys(raw) : raw
+      return validate_cleaned_value(instance_exec(clean_raw, &@clean)) if @clean
 
       if raw.nil?
         return nil if nullable?
@@ -110,6 +114,9 @@ module HaveAPI::Parameters
       elsif @type == String || @type == Text
         coerce_string(raw)
 
+      elsif custom?
+        clean_raw
+
       else
         raw
       end
@@ -153,6 +160,31 @@ module HaveAPI::Parameters
       value
     end
 
+    def custom?
+      @type == Custom
+    end
+
+    def normalize_custom_keys(value)
+      case value
+      when ::Hash
+        value.each_with_object({}) do |(key, inner), ret|
+          ret[normalize_custom_key(key)] = normalize_custom_keys(inner)
+        end
+      when ::Array
+        value.map { |inner| normalize_custom_keys(inner) }
+      else
+        value
+      end
+    end
+
+    def normalize_custom_key(key)
+      if @symbolize_keys
+        key.respond_to?(:to_sym) ? key.to_sym : key.to_s.to_sym
+      else
+        key.to_s
+      end
+    end
+
     def strip_string(value)
       value.strip
     rescue ArgumentError, Encoding::CompatibilityError

data/lib/haveapi/params.rb

@@ -167,11 +167,11 @@ module HaveAPI
     end
 
     # Action returns custom data.
-    def custom(name, **kwargs, &block)
-      add_param(name, apply(kwargs, type: Custom, clean: block))
+    def custom(name, symbolize_keys: false, **kwargs, &block)
+      add_param(name, apply(kwargs, type: Custom, clean: block, symbolize_keys:))
     end
 
-    def describe(context)
+    def describe(context, metadata: false)
       context.layout = layout
 
       ret = { parameters: {} }
@@ -183,17 +183,7 @@ module HaveAPI
         ret[:parameters][p.name] = p.describe(context)
       end
 
-      ret[:parameters] = if @direction == :input
-                           context.authorization.filter_input(
-                             @params,
-                             ModelAdapters::Hash.output(context, ret[:parameters])
-                           )
-                         else
-                           context.authorization.filter_output(
-                             @params,
-                             ModelAdapters::Hash.output(context, ret[:parameters])
-                           )
-                         end
+      ret[:parameters] = filtered_description_parameters(context, ret, metadata)
 
       ret
     end
@@ -293,6 +283,18 @@ module HaveAPI
 
     private
 
+    def filtered_description_parameters(context, ret, metadata)
+      params = ModelAdapters::Hash.output(context, ret[:parameters])
+
+      if @direction == :input
+        context.authorization.filter_input(@params, params)
+      elsif metadata
+        context.authorization.filter_meta_output(@params, params)
+      else
+        context.authorization.filter_output(@params, params)
+      end
+    end
+
     def add_param(name, kwargs)
       p = Parameters::Typed.new(name, kwargs)
 

data/lib/haveapi/resources/action_state.rb

@@ -111,7 +111,7 @@ module HaveAPI::Resources
         loop do
           state = @context.server.action_state.new(
             current_user,
-            id: params[:action_state_id]
+            id: path_params['action_state_id']
           )
 
           error!('action state not found') unless state.valid?
@@ -148,7 +148,7 @@ module HaveAPI::Resources
       def exec
         state = @context.server.action_state.new(
           current_user,
-          id: params[:action_state_id]
+          id: path_params['action_state_id']
         )
 
         return state_to_hash(state) if state.valid?
@@ -169,7 +169,7 @@ module HaveAPI::Resources
       def exec
         state = @context.server.action_state.new(
           current_user,
-          id: params[:action_state_id]
+          id: path_params['action_state_id']
         )
 
         error!('action state not found') unless state.valid?

data/lib/haveapi/server.rb

@@ -6,8 +6,9 @@ require 'haveapi/hooks'
 
 module HaveAPI
   class Server
-    attr_accessor :default_version, :action_state
-    attr_reader :root, :routes, :module_name, :auth_chain, :versions, :extensions
+    attr_accessor :default_version, :action_state, :validation_error_http_status
+    attr_reader :root, :routes, :module_name, :auth_chain, :versions, :extensions,
+                :action_state_auth
 
     include Hookable
 
@@ -220,6 +221,19 @@ module HaveAPI
       @allowed_headers = ['Content-Type']
       @auth_chain = HaveAPI::Authentication::Chain.new(self)
       @extensions = []
+      @action_state_auth = :backend
+      @validation_error_http_status = nil
+    end
+
+    def action_state_auth=(mode)
+      @action_state_auth = case mode
+                           when :backend, false, nil
+                             :backend
+                           when :required, true
+                             :required
+                           else
+                             raise ArgumentError, "unsupported action_state_auth #{mode.inspect}"
+                           end
     end
 
     # Include specific version `v` of API.
@@ -530,7 +544,7 @@ module HaveAPI
         end
 
         begin
-          body = raw_body.empty? ? nil : JSON.parse(raw_body, symbolize_names: true)
+          body = raw_body.empty? ? nil : JSON.parse(raw_body)
         rescue JSON::ParserError
           report_error(400, {}, 'Bad JSON syntax')
         end
@@ -539,8 +553,8 @@ module HaveAPI
           report_error(400, {}, 'JSON body must be an object')
         end
 
-        action_params = body_method ? settings.api_server.send(:path_params, route, params) : params
-        context_params = body ? action_params.merge(body) : action_params
+        action_params = settings.api_server.send(:path_params, route, params)
+        action_input = body_method ? (body || {}) : request.GET
 
         context = Context.new(
           settings.api_server,
@@ -548,13 +562,14 @@ module HaveAPI
           request: self,
           action: route.action,
           path: route.path,
-          params: context_params,
+          path_params: action_params,
+          input: action_input,
           user: current_user,
           endpoint: true,
           resource_path: route.resource_path
         )
 
-        action = route.action.new(request, v, action_params, body, context)
+        action = route.action.new(request, v, action_params, action_input, context)
 
         unless action.authorized?(current_user)
           report_error(403, {}, 'Access denied. Insufficient permissions.')
@@ -674,10 +689,18 @@ module HaveAPI
       r.describe(hash, context)
     end
 
+    def path_for_action(version, action)
+      routes = @routes && @routes[version]
+      return unless routes
+
+      find_action_path(routes[:resources], action)
+    end
+
     def action_state_auth_required?(route)
+      return false unless route.action.resource == HaveAPI::Resources::ActionState
       return false if @auth_chain.empty?
 
-      route.action.resource == HaveAPI::Resources::ActionState
+      @action_state_auth == :required
     end
 
     def version_prefix(v)
@@ -753,5 +776,17 @@ module HaveAPI
     def do_authenticate(v, request)
       @auth_chain.authenticate(v, request)
     end
+
+    def find_action_path(resources, action)
+      resources.each_value do |node|
+        path = node[:actions][action]
+        return path if path
+
+        path = find_action_path(node[:resources], action)
+        return path if path
+      end
+
+      nil
+    end
   end
 end