haveapi 0.28.1 → 0.28.2

data/lib/haveapi/spec/api_builder.rb

@@ -54,6 +54,16 @@ module HaveAPI::Spec
       opt(:action_state, backend)
     end
 
+    # Set action state authentication mode.
+    def action_state_auth(mode)
+      opt(:action_state_auth, mode)
+    end
+
+    # Set HTTP status for action validation errors. Nil preserves legacy 200.
+    def validation_error_http_status(status)
+      opt(:validation_error_http_status, status)
+    end
+
     # Set a custom mount path.
     def mount_to(path)
       opt(:mount, path)

data/lib/haveapi/spec/mock_action.rb

@@ -9,15 +9,16 @@ module HaveAPI::Spec
     end
 
     def call(input, user: nil, &)
-      action = @action.new(nil, @v, input, nil, HaveAPI::Context.new(
-                                                  @server,
-                                                  version: @v,
-                                                  action: @action,
-                                                  path: @path,
-                                                  params: input,
-                                                  user:,
-                                                  endpoint: true
-                                                ))
+      context = HaveAPI::Context.new(
+        @server,
+        version: @v,
+        action: @action,
+        path: @path,
+        input:,
+        user:,
+        endpoint: true
+      )
+      action = @action.new(nil, @v, {}, input, context)
 
       unless action.authorized?(user)
         raise 'Access denied. Insufficient permissions.'

data/lib/haveapi/spec/spec_methods.rb

@@ -15,6 +15,10 @@ module HaveAPI::Spec
       @api.default_version = default if default
       as = get_opt(:action_state)
       @api.action_state = as if as
+      asa = get_opt(:action_state_auth)
+      @api.action_state_auth = asa if asa
+      ves = get_opt(:validation_error_http_status)
+      @api.validation_error_http_status = ves if ves
       @api.mount(get_opt(:mount) || '/')
       @api.app
     end

data/lib/haveapi/version.rb

@@ -1,4 +1,4 @@
 module HaveAPI
   PROTOCOL_VERSION = '2.0'.freeze
-  VERSION = '0.28.1'.freeze
+  VERSION = '0.28.2'.freeze
 end

data/spec/action/runtime_spec.rb

@@ -130,7 +130,7 @@ describe HaveAPI::Action do
           end
 
           def exec
-            { value: params['account_id'] }
+            { value: path_params['account_id'] }
           end
         end
 
@@ -153,7 +153,7 @@ describe HaveAPI::Action do
           end
 
           def exec
-            { route_profile_id: params['profile_id'] }
+            { route_profile_id: path_params['profile_id'] }
           end
         end
 
@@ -231,6 +231,59 @@ describe HaveAPI::Action do
           end
         end
 
+        define_action(:MetadataSpecificOutput) do
+          route 'metadata_specific_output'
+          http_method :post
+
+          authorize do
+            output whitelist: [:ok]
+            meta_output blacklist: [:secret_status]
+            allow
+          end
+
+          meta(:global) do
+            output do
+              string :public_status
+              string :secret_status
+            end
+          end
+
+          output do
+            bool :ok
+            string :hidden_body
+          end
+
+          def exec
+            set_meta(public_status: 'queued', secret_status: 'internal-token')
+            { ok: true, hidden_body: 'body-secret' }
+          end
+        end
+
+        define_action(:WhitelistedIndex, superclass: HaveAPI::Actions::Default::Index) do
+          route 'whitelisted'
+
+          authorize do
+            output whitelist: [:name]
+            allow
+          end
+
+          output(:hash_list) do
+            string :name
+            string :secret
+          end
+
+          def count
+            2
+          end
+
+          def exec
+            [
+              { name: 'one', secret: 'hidden' },
+              { name: 'two', secret: 'hidden' }
+            ]
+          end
+        end
+
         define_action(:UnnamespacedInput) do
           route 'unnamespaced_input'
           http_method :post
@@ -246,18 +299,70 @@ describe HaveAPI::Action do
           end
 
           output do
-            bool :params_saw_secret
+            bool :has_params_method
             bool :input_saw_secret
           end
 
           def exec
             {
-              params_saw_secret: params.has_key?(:secret),
+              has_params_method: respond_to?(:params),
               input_saw_secret: input.has_key?(:secret)
             }
           end
         end
 
+        define_action(:UnnamespacedPathInput) do
+          route 'unnamespaced_input/{test_id}'
+          http_method :put
+          authorize { allow }
+
+          input(:hash, namespace: false) do
+            string :public
+            string :test_id
+          end
+
+          output do
+            bool :input_saw_test_id
+            string :input_test_id, nullable: true
+            string :path_test_id
+          end
+
+          def exec
+            {
+              input_saw_test_id: input.has_key?(:test_id),
+              input_test_id: input[:test_id],
+              path_test_id: path_params['test_id']
+            }
+          end
+        end
+
+        define_action(:QueryPathInput) do
+          route 'query_input/{test_id}'
+          http_method :get
+          authorize { allow }
+
+          input(:hash, namespace: false) do
+            string :filter
+            string :test_id
+          end
+
+          output do
+            bool :has_params_method
+            bool :input_saw_test_id
+            string :filter
+            string :path_test_id
+          end
+
+          def exec
+            {
+              has_params_method: respond_to?(:params),
+              input_saw_test_id: input.has_key?(:test_id),
+              filter: input[:filter],
+              path_test_id: path_params['test_id']
+            }
+          end
+        end
+
         define_action(:TopLevelBody) do
           route 'top_level_body'
           http_method :post
@@ -273,18 +378,76 @@ describe HaveAPI::Action do
           end
 
           output do
-            bool :params_saw_secret
+            bool :has_params_method
             bool :input_saw_secret
           end
 
           def exec
             {
-              params_saw_secret: params.has_key?(:secret),
+              has_params_method: respond_to?(:params),
               input_saw_secret: input.has_key?(:secret)
             }
           end
         end
 
+        define_action(:CustomPayload) do
+          route 'custom_payload'
+          http_method :post
+          authorize { allow }
+
+          input do
+            custom :payload
+          end
+
+          output do
+            bool :top_string_key
+            bool :top_symbol_key
+            bool :nested_string_key
+            bool :nested_symbol_key
+          end
+
+          def exec
+            payload = input[:payload]
+            nested = payload['response']
+
+            {
+              top_string_key: payload.has_key?('rawId'),
+              top_symbol_key: payload.has_key?(:rawId),
+              nested_string_key: nested.has_key?('clientDataJSON'),
+              nested_symbol_key: nested.has_key?(:clientDataJSON)
+            }
+          end
+        end
+
+        define_action(:CustomPayloadSymbols) do
+          route 'custom_payload_symbols'
+          http_method :post
+          authorize { allow }
+
+          input do
+            custom :payload, symbolize_keys: true
+          end
+
+          output do
+            bool :top_string_key
+            bool :top_symbol_key
+            bool :nested_string_key
+            bool :nested_symbol_key
+          end
+
+          def exec
+            payload = input[:payload]
+            nested = payload[:response]
+
+            {
+              top_string_key: payload.has_key?('rawId'),
+              top_symbol_key: payload.has_key?(:rawId),
+              nested_string_key: nested.has_key?('clientDataJSON'),
+              nested_symbol_key: nested.has_key?(:clientDataJSON)
+            }
+          end
+        end
+
         define_action(:Closed) do
           route 'closed'
           http_method :post
@@ -309,7 +472,7 @@ describe HaveAPI::Action do
           end
 
           def exec
-            { id: params['test_id'] }
+            { id: path_params['test_id'] }
           end
         end
 
@@ -457,7 +620,7 @@ describe HaveAPI::Action do
     it 'rejects optional-only input namespaces with invalid shapes' do
       call_api([:Test], :optional_shape, { test: 'not-a-hash' })
 
-      expect(last_response.status).to eq(400)
+      expect(last_response.status).to eq(200)
       expect(api_response).not_to be_ok
       expect(api_response.message).to eq('invalid input layout')
     end
@@ -465,7 +628,7 @@ describe HaveAPI::Action do
     it 'rejects list inputs with invalid element shapes' do
       call_api([:Test], :batch, { tests: ['not-a-hash'], _meta: { confirmed: true } })
 
-      expect(last_response.status).to eq(400)
+      expect(last_response.status).to eq(200)
       expect(api_response).not_to be_ok
       expect(api_response.message).to eq('invalid input layout')
     end
@@ -473,13 +636,13 @@ describe HaveAPI::Action do
     it 'validates global metadata on list input actions' do
       call_api([:Test], :batch, { tests: [{ label: 'one' }] })
 
-      expect(last_response.status).to eq(400)
+      expect(last_response.status).to eq(200)
       expect(api_response).not_to be_ok
       expect(api_response.errors[:confirmed]).to include('required parameter missing')
 
       call_api([:Test], :batch, { tests: [{ label: 'one' }], _meta: { confirmed: 'maybe' } })
 
-      expect(last_response.status).to eq(400)
+      expect(last_response.status).to eq(200)
       expect(api_response).not_to be_ok
       expect(api_response.errors[:confirmed].first).to include('not a valid boolean')
     end
@@ -487,7 +650,7 @@ describe HaveAPI::Action do
     it 'rejects malformed metadata namespaces' do
       call_api([:Test], :echo, { test: { msg: 'hi' }, _meta: 'not-a-hash' })
 
-      expect(last_response.status).to eq(400)
+      expect(last_response.status).to eq(200)
       expect(api_response).not_to be_ok
       expect(api_response.message).to eq('invalid input layout')
     end
@@ -558,16 +721,68 @@ describe HaveAPI::Action do
       expect(api_response.response[:_meta]).not_to have_key(:secret_status)
     end
 
-    it 'filters unnamespaced input in the safe params view' do
+    it 'applies metadata-specific output filters to global metadata' do
+      call_api([:Test], :metadata_specific_output, {})
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test]).to include(ok: true)
+      expect(api_response[:test]).not_to have_key(:hidden_body)
+      expect(api_response.response[:_meta]).to include(public_status: 'queued')
+      expect(api_response.response[:_meta]).not_to have_key(:secret_status)
+    end
+
+    it 'keeps global metadata when body output uses a whitelist' do
+      get '/v1/tests/whitelisted', { _meta: { count: true } }, input: ''
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response.response[:_meta]).to include(total_count: 2)
+    end
+
+    it 'filters unnamespaced input without exposing legacy params' do
       call_api([:Test], :unnamespaced_input, { public: 'ok', secret: 'hidden' })
 
       expect(last_response.status).to eq(200)
       expect(api_response).to be_ok
-      expect(api_response[:test][:params_saw_secret]).to be(false)
+      expect(api_response[:test][:has_params_method]).to be(false)
       expect(api_response[:test][:input_saw_secret]).to be(false)
     end
 
-    it 'does not expose top-level JSON keys outside the input namespace as safe params' do
+    it 'keeps path parameters out of unnamespaced body input' do
+      call_api(:put, '/v1/tests/unnamespaced_input/route-id', { public: 'ok' })
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test][:input_saw_test_id]).to be(false)
+      expect(api_response[:test][:path_test_id]).to eq('route-id')
+    end
+
+    it 'exposes client values through input without changing path identity' do
+      call_api(:put, '/v1/tests/unnamespaced_input/route-id', {
+        public: 'ok',
+        test_id: 'body-id'
+      })
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test][:input_saw_test_id]).to be(true)
+      expect(api_response[:test][:input_test_id]).to eq('body-id')
+      expect(api_response[:test][:path_test_id]).to eq('route-id')
+    end
+
+    it 'keeps route ids out of GET query input' do
+      get '/v1/tests/query_input/route-id', { filter: 'visible' }, input: ''
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test][:has_params_method]).to be(false)
+      expect(api_response[:test][:input_saw_test_id]).to be(false)
+      expect(api_response[:test][:filter]).to eq('visible')
+      expect(api_response[:test][:path_test_id]).to eq('route-id')
+    end
+
+    it 'does not expose top-level JSON keys outside the input namespace' do
       call_api([:Test], :top_level_body, {
         secret: 'top-level hidden',
         test: {
@@ -578,10 +793,50 @@ describe HaveAPI::Action do
 
       expect(last_response.status).to eq(200)
       expect(api_response).to be_ok
-      expect(api_response[:test][:params_saw_secret]).to be(false)
+      expect(api_response[:test][:has_params_method]).to be(false)
       expect(api_response[:test][:input_saw_secret]).to be(false)
     end
 
+    it 'keeps custom payload field names string-keyed by default' do
+      call_api([:Test], :custom_payload, {
+        test: {
+          payload: {
+            rawId: 'credential-id',
+            response: {
+              clientDataJSON: 'client-data'
+            }
+          }
+        }
+      })
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test][:top_string_key]).to be(true)
+      expect(api_response[:test][:top_symbol_key]).to be(false)
+      expect(api_response[:test][:nested_string_key]).to be(true)
+      expect(api_response[:test][:nested_symbol_key]).to be(false)
+    end
+
+    it 'symbolizes custom payload field names when requested' do
+      call_api([:Test], :custom_payload_symbols, {
+        test: {
+          payload: {
+            rawId: 'credential-id',
+            response: {
+              clientDataJSON: 'client-data'
+            }
+          }
+        }
+      })
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(api_response[:test][:top_string_key]).to be(false)
+      expect(api_response[:test][:top_symbol_key]).to be(true)
+      expect(api_response[:test][:nested_string_key]).to be(false)
+      expect(api_response[:test][:nested_symbol_key]).to be(true)
+    end
+
     it 'denies OPTIONS for actions without an authorization block without raising' do
       call_api(:options, '/v1/tests/closed?method=POST')
 

data/spec/action/validation_http_status_spec.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+describe HaveAPI::Action do
+  describe 'validation error HTTP status' do
+    context 'with compatibility behavior' do
+      api do
+        define_resource(:ValidationStatus) do
+          version 1
+          auth false
+
+          define_action(:Create, superclass: HaveAPI::Actions::Default::Create) do
+            authorize { allow }
+
+            input do
+              string :name, required: true
+            end
+
+            output do
+              string :name
+            end
+
+            def exec
+              { name: input[:name] }
+            end
+          end
+        end
+      end
+
+      default_version 1
+
+      it 'keeps validation envelopes on HTTP 200 by default' do
+        call_api([:ValidationStatus], :create, { validation_status: {} })
+
+        expect(last_response.status).to eq(200)
+        expect(api_response).not_to be_ok
+        expect(api_response.errors[:name]).to include('required parameter missing')
+      end
+    end
+
+    context 'with configured HTTP 400 status' do
+      api do
+        define_resource(:StrictValidationStatus) do
+          version 1
+          auth false
+
+          define_action(:Create, superclass: HaveAPI::Actions::Default::Create) do
+            authorize { allow }
+
+            input do
+              string :name, required: true
+            end
+
+            output do
+              string :name
+            end
+
+            def exec
+              { name: input[:name] }
+            end
+          end
+        end
+      end
+
+      default_version 1
+      validation_error_http_status 400
+
+      it 'returns HTTP 400 for validation envelopes' do
+        call_api([:StrictValidationStatus], :create, { strict_validation_status: {} })
+
+        expect(last_response.status).to eq(400)
+        expect(api_response).not_to be_ok
+        expect(api_response.errors[:name]).to include('required parameter missing')
+      end
+    end
+  end
+end

data/spec/action_state_spec.rb

@@ -225,7 +225,7 @@ describe HaveAPI::Resources::ActionState do
 
       get_action '/v1/action_states/1/poll', action_state: { timeout: 31 }
 
-      expect(last_response.status).to eq(400)
+      expect(last_response.status).to eq(200)
       expect(api_response).not_to be_ok
       expect(api_response.errors[:timeout].first).to include('range <0, 30>')
     end
@@ -333,12 +333,12 @@ describe HaveAPI::Resources::ActionState do
       header 'Accept', 'application/json'
     end
 
-    it 'requires authentication for action state resources' do
+    it 'uses backend-defined anonymous behavior by default' do
       get_action '/v1/action_states'
 
-      expect(last_response.status).to eq(401)
-      expect(api_response).not_to be_ok
-      expect(ActionStateSpec::Backend.list_calls).to be_empty
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+      expect(ActionStateSpec::Backend.list_calls.last[:user]).to be_nil
     end
 
     it 'passes authenticated users to the action state backend' do
@@ -350,4 +350,27 @@ describe HaveAPI::Resources::ActionState do
       expect(ActionStateSpec::Backend.list_calls.last[:user].id).to eq(1)
     end
   end
+
+  context 'with action_state auth required' do
+    empty_api
+    use_version 1
+    default_version 1
+    action_state ActionStateSpec::Backend
+    action_state_auth :required
+    auth_chain ActionStateSpec::BasicProvider
+
+    before do
+      ActionStateSpec::Backend.reset!
+      ActionStateSpec::Backend.add_state(ActionStateSpec::State.new(id: 1))
+      header 'Accept', 'application/json'
+    end
+
+    it 'requires authentication before reaching the action state backend' do
+      get_action '/v1/action_states'
+
+      expect(last_response.status).to eq(401)
+      expect(api_response).not_to be_ok
+      expect(ActionStateSpec::Backend.list_calls).to be_empty
+    end
+  end
 end

data/spec/documentation/auth_filtering_spec.rb

@@ -142,7 +142,7 @@ describe DocAuthFilteringSpec do
 
           # rubocop:disable RSpec/NoExpectationExample
           example 'admin-only public result' do
-            authorize { |user| user&.login == 'admin' }
+            authorize { |user| user.login == 'admin' }
             response({ msg: 'ADMIN_ONLY_RESULT' })
           end
           # rubocop:enable RSpec/NoExpectationExample
@@ -242,13 +242,25 @@ describe DocAuthFilteringSpec do
       expect(api_response[:method]).to eq('GET')
     end
 
-    it 'hides examples denied to anonymous users from version docs' do
+    it 'includes examples for anonymous version docs without evaluating example auth' do
       header 'Authorization', nil
       call_api(:options, '/v1/')
 
       expect(last_response.status).to eq(200)
       expect(api_response).to be_ok
 
+      examples = api_response[:resources][:secure][:actions][:public][:examples]
+      expect(examples.size).to eq(1)
+      expect(examples.first[:response][:msg]).to eq('ADMIN_ONLY_RESULT')
+    end
+
+    it 'hides examples denied to authenticated users from version docs' do
+      login('user', 'pass')
+      call_api(:options, '/v1/')
+
+      expect(last_response.status).to eq(200)
+      expect(api_response).to be_ok
+
       examples = api_response[:resources][:secure][:actions][:public][:examples]
       expect(examples).to be_empty
     end