jpie 1.0.0 → 1.0.2

data/Rakefile

@@ -6,3 +6,25 @@ require "rspec/core/rake_task"
 RSpec::Core::RakeTask.new(:spec)
 
 task default: :spec
+
+# Override release task to require OTP code
+# Usage: GEM_HOST_OTP_CODE=123456 rake release
+Rake::Task["release"].enhance do
+  # This runs after the original release task
+end
+
+Rake::Task["release"].prerequisites.unshift("release:require_otp")
+
+namespace :release do
+  task :require_otp do
+    unless ENV["GEM_HOST_OTP_CODE"]
+      abort <<~ERROR
+        ERROR: GEM_HOST_OTP_CODE environment variable is required for release.
+
+        Usage: GEM_HOST_OTP_CODE=123456 rake release
+
+        Get your OTP code from your authenticator app.
+      ERROR
+    end
+  end
+end

data/jpie.gemspec

@@ -1,31 +1,31 @@
 # frozen_string_literal: true
 
-lib = File.expand_path('lib', __dir__)
+lib = File.expand_path("lib", __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'json_api/version'
+require "json_api/version"
 
 Gem::Specification.new do |spec|
-  spec.name          = 'jpie'
+  spec.name          = "jpie"
   spec.version       = JSONAPI::VERSION
-  spec.authors       = ['Emil Kampp']
-  spec.email         = ['emil@kampp.me']
+  spec.authors       = ["Emil Kampp"]
+  spec.email         = ["emil@kampp.me"]
 
-  spec.summary       = 'JSON:API compliant Rails gem for producing and consuming JSON:API resources'
-  spec.description   = 'A Rails 8+ gem that provides jsonapi_resources routing DSL and generic JSON:API controllers'
-  spec.homepage      = 'https://github.com/klaay/json_api'
-  spec.license       = 'MIT'
+  spec.summary       = "JSON:API compliant Rails gem for producing and consuming JSON:API resources"
+  spec.description   = "A Rails 8+ gem that provides jsonapi_resources routing DSL and generic JSON:API controllers"
+  spec.homepage      = "https://github.com/klaay/json_api"
+  spec.license       = "MIT"
 
   spec.files         = Dir.chdir(File.expand_path(__dir__)) do
     `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   end
-  spec.bindir        = 'exe'
+  spec.bindir        = "exe"
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
-  spec.require_paths = ['lib']
+  spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = '>= 3.4.0'
+  spec.required_ruby_version = ">= 3.4.0"
 
-  spec.add_dependency 'actionpack', '~> 8.0', '>= 8.0.0'
-  spec.add_dependency 'rails', '~> 8.0', '>= 8.0.0'
+  spec.add_dependency "actionpack", "~> 8.0", ">= 8.0.0"
+  spec.add_dependency "rails", "~> 8.0", ">= 8.0.0"
 
-  spec.metadata['rubygems_mfa_required'] = 'true'
+  spec.metadata["rubygems_mfa_required"] = "true"
 end

data/kiln/app/resources/user_message_resource.rb

@@ -1,2 +1,4 @@
+# frozen_string_literal: true
+
 class UserMessageResource < MessageResource
 end

data/lib/jpie.rb

@@ -3,4 +3,3 @@
 # jpie gem entry point
 # Requires the json_api code which provides the JSONAPI namespace
 require "json_api"
-

data/lib/json_api/active_storage/deserialization.rb

@@ -19,18 +19,19 @@ module JSONAPI
       def attach_files(record, attachment_params, definition: nil)
         return if attachment_params.empty?
 
-        attachment_params.each do |attachment_name, blob_or_blobs|
-          attachment = record.public_send(attachment_name)
-          is_has_many = blob_or_blobs.is_a?(Array)
-          append_only = is_has_many && append_only_enabled?(attachment_name, definition)
-
-          if is_has_many
-            handle_has_many_attachment(attachment, blob_or_blobs, append_only:,
-                                                                  attachment_name:, definition:)
-          else
-            handle_has_one_attachment(attachment, blob_or_blobs, attachment_name:,
-                                                                 definition:)
-          end
+        attachment_params.each do |name, blobs|
+          attach_single(record, name, blobs, definition)
+        end
+      end
+
+      def attach_single(record, name, blobs, definition)
+        attachment = record.public_send(name)
+        if blobs.is_a?(Array)
+          handle_has_many_attachment(attachment, blobs,
+                                     append_only: append_only_enabled?(name, definition),
+                                     attachment_name: name, definition:,)
+        else
+          handle_has_one_attachment(attachment, blobs, attachment_name: name, definition:)
         end
       end
 
@@ -80,17 +81,26 @@ module JSONAPI
 
       # Private helper methods
       def handle_has_many_attachment(attachment, blob_or_blobs, append_only:, attachment_name:, definition:)
-        if blob_or_blobs.empty?
-          return if append_only
+        return handle_empty_blobs(attachment, append_only, attachment_name, definition) if blob_or_blobs.empty?
+        return append_blobs(attachment, blob_or_blobs) if append_only
 
-          attachment.purge if purge_on_nil_enabled?(attachment_name, definition) && attachment.attached?
-        elsif append_only
-          existing_blobs = attachment.attached? ? attachment.blobs.to_a : []
-          attachment.attach(existing_blobs + blob_or_blobs)
-        else
-          attachment.purge if attachment.attached?
-          attachment.attach(blob_or_blobs)
-        end
+        replace_blobs(attachment, blob_or_blobs)
+      end
+
+      def handle_empty_blobs(attachment, append_only, attachment_name, definition)
+        return if append_only
+
+        attachment.purge if purge_on_nil_enabled?(attachment_name, definition) && attachment.attached?
+      end
+
+      def append_blobs(attachment, blob_or_blobs)
+        existing_blobs = attachment.attached? ? attachment.blobs.to_a : []
+        attachment.attach(existing_blobs + blob_or_blobs)
+      end
+
+      def replace_blobs(attachment, blob_or_blobs)
+        attachment.purge if attachment.attached?
+        attachment.attach(blob_or_blobs)
       end
 
       def handle_has_one_attachment(attachment, blob_or_blobs, attachment_name:, definition:)

data/lib/json_api/active_storage/detection.rb

@@ -21,53 +21,48 @@ module JSONAPI
       def filter_from_includes(includes_hash, current_model_class)
         return {} unless defined?(::ActiveStorage)
 
-        filtered = {}
-        includes_hash.each do |key, value|
-          # Skip ActiveStorage attachments - they'll be loaded on-demand by the serializer
-          next if current_model_class.reflect_on_attachment(key).present?
-
-          # Check if this is a regular association
-          association = current_model_class.reflect_on_association(key)
-          next if association.nil?
-
-          if value.is_a?(Hash) && value.any?
-            # For polymorphic associations, we can't determine the class at compile time,
-            # so we skip filtering and include the nested hash as-is
-            if association.polymorphic?
-              filtered[key] = value
-            else
-              # Recursively filter nested includes, using the associated class
-              nested_class = association.klass
-              nested_filtered = filter_from_includes(value, nested_class)
-              filtered[key] = nested_filtered if nested_filtered.any?
-            end
-          else
-            filtered[key] = value
-          end
+        includes_hash.each_with_object({}) do |(key, value), filtered|
+          process_include_entry(key, value, current_model_class, filtered)
         end
-        filtered
+      end
+
+      def process_include_entry(key, value, current_model_class, filtered)
+        return if current_model_class.reflect_on_attachment(key).present?
+
+        association = current_model_class.reflect_on_association(key)
+        return if association.nil?
+
+        result = filter_include_value(value, association)
+        filtered[key] = result unless result.nil?
+      end
+
+      def filter_include_value(value, association)
+        return value unless value.is_a?(Hash) && value.any?
+        return value if association.polymorphic?
+
+        nested_filtered = filter_from_includes(value, association.klass)
+        nested_filtered.any? ? nested_filtered : nil
       end
 
       def filter_polymorphic_from_includes(includes_hash, current_model_class)
-        filtered = {}
-
-        includes_hash.each do |key, value|
-          association = current_model_class.reflect_on_association(key)
-          next unless association
-
-          # Skip polymorphic associations entirely for preloading
-          next if association.polymorphic?
-
-          if value.is_a?(Hash) && value.any?
-            nested_class = association.klass
-            nested_filtered = filter_polymorphic_from_includes(value, nested_class)
-            filtered[key] = nested_filtered if nested_filtered.any?
-          else
-            filtered[key] = value
-          end
+        includes_hash.each_with_object({}) do |(key, value), filtered|
+          process_polymorphic_include(key, value, current_model_class, filtered)
         end
+      end
+
+      def process_polymorphic_include(key, value, model_class, filtered)
+        association = model_class.reflect_on_association(key)
+        return unless association && !association.polymorphic?
+
+        result = resolve_polymorphic_value(value, association)
+        filtered[key] = result if result
+      end
+
+      def resolve_polymorphic_value(value, association)
+        return value unless value.is_a?(Hash) && value.any?
 
-        filtered
+        nested = filter_polymorphic_from_includes(value, association.klass)
+        nested.any? ? nested : nil
       end
     end
   end

data/lib/json_api/active_storage/serialization.rb

@@ -9,19 +9,21 @@ module JSONAPI
         return nil unless defined?(::ActiveStorage)
 
         attachment = record.public_send(attachment_name)
+        return nil unless attachment.respond_to?(:attached?)
 
-        if attachment.respond_to?(:attached?) && attachment.attached?
-          # has_many_attached returns an array-like object
-          if attachment.is_a?(::ActiveStorage::Attached::Many)
-            attachment.blobs.map { |blob| serialize_blob_identifier(blob) }
-          else
-            # has_one_attached
-            serialize_blob_identifier(attachment.blob)
-          end
-        elsif attachment.respond_to?(:attached?) && !attachment.attached?
-          # Not attached - return nil for has_one, empty array for has_many
-          attachment.is_a?(::ActiveStorage::Attached::Many) ? [] : nil
+        attachment.attached? ? serialize_attached(attachment) : empty_attachment_value(attachment)
+      end
+
+      def serialize_attached(attachment)
+        if attachment.is_a?(::ActiveStorage::Attached::Many)
+          return attachment.blobs.map { |blob| serialize_blob_identifier(blob) }
         end
+
+        serialize_blob_identifier(attachment.blob)
+      end
+
+      def empty_attachment_value(attachment)
+        attachment.is_a?(::ActiveStorage::Attached::Many) ? [] : nil
       end
 
       def serialize_blob_identifier(blob)

data/lib/json_api/configuration.rb

@@ -2,17 +2,16 @@
 
 module JSONAPI
   class Configuration
-    attr_accessor :default_page_size, :max_page_size, :jsonapi_version, :jsonapi_meta, :authorization_handler,
+    attr_accessor :default_page_size, :max_page_size, :jsonapi_meta, :authorization_handler,
                   :authorization_scope, :document_meta_resolver
 
     def initialize
       @default_page_size = 25
       @max_page_size = 100
-      @jsonapi_version = "1.1"
       @jsonapi_meta = nil
       @authorization_handler = nil
       @authorization_scope = nil
-      @document_meta_resolver = ->(controller:) { {} }
+      @document_meta_resolver = ->(controller:) { {} } # rubocop:disable Lint/UnusedBlockArgument
       @base_controller_class = "ActionController::API"
     end
 
@@ -20,7 +19,7 @@ module JSONAPI
       if value.is_a?(Class)
         @base_controller_class = value.name
       elsif value.is_a?(String)
-        raise ArgumentError, "base_controller_class cannot be blank" if value.blank?
+        raise ArgumentError, "base_controller_class cannot be blank" if value.nil? || value.strip.empty?
 
         @base_controller_class = value
       else
@@ -38,7 +37,7 @@ module JSONAPI
 
     def resolved_base_controller_class
       class_name = @base_controller_class
-      raise ArgumentError, "base_controller_class cannot be blank" if class_name.blank?
+      raise ArgumentError, "base_controller_class cannot be blank" if class_name.nil? || class_name.empty?
 
       class_name.constantize
     end

data/lib/json_api/controllers/base_controller.rb

@@ -17,9 +17,9 @@ module JSONAPI
           {
             status: "403",
             title: "Forbidden",
-            detail:
-          }
-        ]
+            detail:,
+          },
+        ],
       }, status: :forbidden
     end
   end

data/lib/json_api/controllers/concerns/controller_helpers/authorization.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module JSONAPI
+  module ControllerHelpers
+    module Authorization
+      extend ActiveSupport::Concern
+
+      protected
+
+      def apply_authorization_scope(scope, action:)
+        handler = JSONAPI.configuration.authorization_scope
+        return scope unless handler
+
+        handler.call(controller: self, scope:, action:, model_class:)
+      end
+
+      def authorize_resource_action!(record, action:, context: nil)
+        handler = JSONAPI.configuration.authorization_handler
+        return unless handler
+
+        handler.call(controller: self, record:, action:, context:)
+      end
+
+      def current_user
+        nil
+      end
+      public :current_user
+    end
+  end
+end

data/lib/json_api/controllers/concerns/controller_helpers/document_meta.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module JSONAPI
+  module ControllerHelpers
+    module DocumentMeta
+      extend ActiveSupport::Concern
+
+      protected
+
+      def jsonapi_document_meta(extra_meta = {})
+        resolver = JSONAPI.configuration.document_meta_resolver
+        base_meta = resolver ? resolver.call(controller: self) : {}
+        meta = base_meta.merge(extra_meta || {})
+        return {} if meta.empty?
+
+        meta
+      end
+    end
+  end
+end

data/lib/json_api/controllers/concerns/controller_helpers/error_rendering.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module JSONAPI
+  module ControllerHelpers
+    module ErrorRendering
+      extend ActiveSupport::Concern
+
+      protected
+
+      def render_resource_not_found_error(message)
+        render_jsonapi_error(
+          status: 404,
+          title: "Resource Not Found",
+          detail: message,
+        )
+      end
+
+      def render_model_not_found_error(error)
+        render_jsonapi_error(
+          status: 404,
+          title: "Resource Not Found",
+          detail: "Model class for '#{@resource_name}' not found: #{error.message}",
+        )
+      end
+
+      def render_invalid_relationship_error(error)
+        render_jsonapi_error(
+          status: 400,
+          title: "Invalid Relationship",
+          detail: error.message,
+        )
+      end
+
+      def render_validation_errors(resource)
+        errors = resource.errors.map do |error|
+          {
+            status: "422",
+            title: "Validation Error",
+            detail: error.full_message,
+            source: { pointer: "/data/attributes/#{error.attribute}" },
+          }
+        end
+
+        render json: { errors: }, status: :unprocessable_entity
+      end
+
+      def render_parameter_not_allowed_error(error)
+        error_params = error.respond_to?(:params) ? error.params : []
+        detail = error_params.present? ? error_params.join(", ") : "Relationship or attribute is read-only"
+
+        render json: { errors: [parameter_not_allowed_error(detail)] }, status: :bad_request
+      end
+
+      def parameter_not_allowed_error(detail)
+        {
+          status: "400",
+          code: "parameter_not_allowed",
+          title: "Parameter Not Allowed",
+          detail:,
+        }
+      end
+    end
+  end
+end

data/lib/json_api/controllers/concerns/controller_helpers/parsing.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+
+module JSONAPI
+  module ControllerHelpers
+    module Parsing
+      extend ActiveSupport::Concern
+
+      included do
+        before_action :parse_jsonapi_body, if: -> { modifying_request? }
+      end
+
+      protected
+
+      def parse_jsonapi_body
+        return unless jsonapi_content_type?
+        return if params[:data].present?
+
+        parse_and_apply_json_body
+      rescue JSON::ParserError
+        # Invalid JSON - will be handled by validation
+      end
+
+      def modifying_request?
+        request.post? || request.patch? || request.put? || request.delete?
+      end
+
+      def jsonapi_content_type?
+        request.content_type&.include?("application/vnd.api+json")
+      end
+
+      def parse_and_apply_json_body
+        body = request.body.read
+        request.body.rewind
+        return if body.blank?
+
+        parsed = JSON.parse(body)
+        parsed.deep_transform_keys!(&:to_sym)
+        request.env["action_dispatch.request.request_parameters"] = parsed
+      end
+
+      def jsonapi_params
+        data = params.require(:data)
+        return data if data.is_a?(Array)
+
+        permitted = data.permit(:type, :id, attributes: {})
+        permitted[:relationships] = permit_relationships(data) if data[:relationships].present?
+        permitted
+      end
+
+      def permit_relationships(data)
+        result = {}
+        data[:relationships].each do |key, value|
+          result[key] = value.permit(data: %i[type id]) if value.is_a?(ActionController::Parameters)
+        end
+        result
+      end
+
+      def jsonapi_attributes
+        (jsonapi_params[:attributes] || {}).to_h
+      end
+
+      def jsonapi_relationships
+        jsonapi_params[:relationships] || {}
+      end
+
+      def jsonapi_type
+        data = jsonapi_params
+        return data.first[:type] if data.is_a?(Array)
+
+        data[:type]
+      end
+
+      def jsonapi_id
+        data = jsonapi_params
+        return data.first[:id].to_s.presence if data.is_a?(Array)
+
+        data[:id].to_s.presence
+      end
+
+      def parse_include_param
+        return [] unless params[:include]
+
+        params[:include].to_s.split(",").map(&:strip)
+      end
+
+      def parse_fields_param
+        return {} unless params[:fields]
+
+        params[:fields].permit!.to_h.each_with_object({}) do |(type, fields), hash|
+          hash[type.to_sym] = fields.to_s.split(",").map(&:strip)
+        end
+      end
+
+      def parse_filter_param
+        return {} unless params[:filter]
+
+        raw_filters = params[:filter].permit!.to_h
+        JSONAPI::ParamHelpers.flatten_filter_hash(raw_filters)
+      end
+
+      def parse_sort_param
+        return [] unless params[:sort]
+
+        params[:sort].to_s.split(",").map(&:strip)
+      end
+
+      def parse_page_param
+        return {} unless params[:page]
+
+        params[:page].permit(:number, :size).to_h
+      end
+
+      def invalid_sort_fields_for_columns(sorts, available_columns)
+        sorts.filter_map do |sort_field|
+          field = JSONAPI::RelationshipHelpers.extract_sort_field_name(sort_field)
+          field unless available_columns.include?(field.to_s)
+        end
+      end
+
+      def valid_sort_fields_for_resource(resource_class, model_class)
+        model_columns = model_class.column_names.map(&:to_sym)
+        resource_sortable_fields = resource_class.permitted_sortable_fields.map(&:to_sym)
+        (model_columns + resource_sortable_fields).uniq.map(&:to_s)
+      end
+    end
+  end
+end

data/lib/json_api/controllers/concerns/controller_helpers/resource_setup.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module JSONAPI
+  module ControllerHelpers
+    module ResourceSetup
+      extend ActiveSupport::Concern
+
+      included do
+        attr_reader :resource_class, :model_class
+      end
+
+      protected
+
+      def set_resource_name
+        @resource_name = params[:resource_type].to_s.singularize
+      end
+
+      def set_resource_class
+        @resource_class = JSONAPI::ResourceLoader.find(params[:resource_type])
+        @model_class = @resource_class.model_class
+      rescue JSONAPI::ResourceLoader::MissingResourceClass => e
+        render_resource_not_found_error(e.message)
+      rescue NameError => e
+        render_model_not_found_error(e)
+      end
+
+      def set_resource
+        @resource = @preloaded_resource || model_class.find(params[:id])
+      rescue ActiveRecord::RecordNotFound
+        render_jsonapi_error(
+          status: 404,
+          title: "Record Not Found",
+          detail: "Could not find #{@resource_name} with id '#{params[:id]}'",
+        )
+      end
+    end
+  end
+end