jpie 1.0.0 → 1.0.2

data/lib/json_api/controllers/concerns/relationships/updating.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module JSONAPI
+  module Relationships
+    module Updating
+      extend ActiveSupport::Concern
+
+      private
+
+      def update_relationship(relationship_data)
+        association = @resource.class.reflect_on_association(@relationship_name)
+        raise ArgumentError, "Association not found: #{@relationship_name}" unless association
+
+        ensure_relationship_writable!(association)
+        apply_relationship_update(association, relationship_data)
+      end
+
+      def apply_relationship_update(association, relationship_data)
+        if association.collection?
+          update_to_many_relationship(association, relationship_data)
+        else
+          update_to_one_relationship(association, relationship_data)
+        end
+      end
+
+      def update_to_many_relationship(association, relationship_data)
+        if relationship_data.nil? || empty_array?(relationship_data)
+          @resource.public_send("#{@relationship_name}=", [])
+          return
+        end
+
+        raise ArgumentError, "Expected array for to-many relationship" unless relationship_data.is_a?(Array)
+
+        related_resources = resolve_related_resources(relationship_data, association)
+        @resource.public_send("#{@relationship_name}=", related_resources)
+      end
+
+      def empty_array?(data)
+        data.is_a?(Array) && data.empty?
+      end
+
+      def resolve_related_resources(relationship_data, association)
+        relationship_data.map { |identifier| find_related_resource(identifier, association) }
+      end
+
+      def update_to_one_relationship(association, relationship_data)
+        if relationship_data.nil?
+          @resource.public_send("#{@relationship_name}=", nil)
+          return
+        end
+
+        validate_single_identifier!(relationship_data)
+        related_resource = find_related_resource(relationship_data, association)
+        @resource.public_send("#{@relationship_name}=", related_resource)
+      end
+
+      def validate_single_identifier!(relationship_data)
+        return unless relationship_data.is_a?(Array)
+
+        raise ArgumentError, "Expected single resource identifier for to-one relationship"
+      end
+
+      def find_related_resource(identifier, association)
+        RelationshipHelpers.resolve_and_find_related_resource(
+          identifier,
+          association:,
+          resource_class: @resource_class,
+          relationship_name: @relationship_name,
+        )
+      end
+    end
+  end
+end

data/lib/json_api/controllers/concerns/resource_actions/crud_helpers.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+module JSONAPI
+  module ResourceActions
+    module CrudHelpers
+      extend ActiveSupport::Concern
+
+      private
+
+      def prepare_create_params(sti_class)
+        hash = deserialize_params(:create, model_class: sti_class)
+        attachments = extract_active_storage_params_from_hash(hash, sti_class)
+        clean_params(hash, attachments)
+        apply_sti_type(sti_class, hash)
+        [hash, attachments]
+      end
+
+      def prepare_update_params
+        hash = deserialize_params(:update)
+        attachments = extract_active_storage_params_from_hash(hash, model_class)
+        clean_params(hash, attachments)
+        [hash, attachments]
+      end
+
+      def clean_params(hash, attachments)
+        attachments.each_key { |k| hash.delete(k.to_s) }
+        hash.delete("type")
+        hash.delete(:type)
+      end
+
+      def apply_sti_type(klass, params)
+        return unless sti_base_with_type_column?(klass)
+
+        params["type"] = klass.name
+      end
+
+      def sti_base_with_type_column?(klass)
+        klass.respond_to?(:base_class) && klass.base_class == klass && klass.column_names.include?("type")
+      end
+
+      def save_created(resource)
+        return render_validation_errors(resource) unless resource.save
+
+        emit_resource_event(:created, resource)
+        render json: serialize_resource(resource), status: :created, location: resource_url(resource)
+      end
+
+      def save_updated(params_hash, attachments)
+        return render_validation_errors(@resource) unless @resource.update(params_hash)
+
+        attach_active_storage_files(@resource, attachments, resource_class: @resource_class)
+        emit_resource_event(:updated, @resource)
+        render json: serialize_resource(@resource), status: :ok
+      end
+
+      def render_create_error(error)
+        if error.message.match?(/invalid.*subtype/i)
+          render_invalid_subtype_error(error)
+        else
+          render_invalid_relationship_error(error)
+        end
+      end
+
+      def render_update_error(error)
+        if error.is_a?(ActiveSupport::MessageVerifier::InvalidSignature)
+          render_signed_id_error(error)
+        else
+          render_invalid_relationship_error(error)
+        end
+      end
+
+      def render_signed_id_error(error)
+        render_jsonapi_error(
+          status: 400,
+          title: "Invalid Signed ID",
+          detail: "Invalid signed blob ID provided: #{error.message}",
+        )
+      end
+
+      def determine_sti_class
+        JSONAPI::ResourceLoader.find(jsonapi_type || resource_type).model_class
+      rescue JSONAPI::ResourceLoader::MissingResourceClass
+        model_class
+      end
+
+      def determine_sti_resource_class
+        JSONAPI::ResourceLoader.find(jsonapi_type || resource_type)
+      rescue JSONAPI::ResourceLoader::MissingResourceClass
+        @resource_class
+      end
+    end
+  end
+end

data/lib/json_api/controllers/concerns/resource_actions/field_validation.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+module JSONAPI
+  module ResourceActions
+    module FieldValidation
+      extend ActiveSupport::Concern
+
+      def validate_fields_param
+        fields = parse_fields_param
+        return if fields.empty?
+
+        error = first_invalid_field(fields)
+        render_field_error(error) if error
+      end
+
+      def validate_sort_param
+        sorts = parse_sort_param
+        return if sorts.empty?
+
+        valid = valid_sort_fields_for_resource(@resource_class, model_class)
+        invalid = invalid_sort_fields_for_columns(sorts, valid)
+        render_sort_errors(invalid) if invalid.any?
+      end
+
+      def validate_include_param
+        includes = parse_include_param
+        return if includes.empty?
+
+        permitted = @resource_class.relationship_names.map(&:to_s)
+        invalid = includes.reject { |p| include_path_valid?(p, permitted) }
+        render_include_errors(invalid) if invalid.any?
+      end
+
+      private
+
+      def first_invalid_field(fields)
+        fields.each do |type, type_fields|
+          next if type_fields.nil? || type_fields.empty?
+
+          error = check_field_type(type.to_s, type_fields)
+          return error if error
+        end
+        nil
+      end
+
+      def check_field_type(type, fields)
+        return check_blob_fields(fields) if type == "active_storage_blobs"
+        return check_resource_fields(fields) if type == resource_type.to_s
+
+        nil
+      end
+
+      def check_blob_fields(fields)
+        permitted = %w[id key filename content_type byte_size checksum created_at service_name]
+        invalid = fields.reject { |f| permitted.include?(f) }
+        invalid.any? ? { type: "active_storage_blobs", invalid: } : nil
+      end
+
+      def check_resource_fields(fields)
+        permitted = @resource_class.permitted_attributes.map(&:to_s)
+        invalid = fields.reject { |f| permitted.include?(f) }
+        invalid.any? ? { type: resource_type.to_s, invalid: } : nil
+      end
+
+      def include_path_valid?(path, permitted)
+        parts = path.split(".")
+        return false unless permitted.include?(parts.first)
+
+        nested_path_valid?(parts)
+      end
+
+      def nested_path_valid?(parts)
+        current = model_class
+        parts.each do |name|
+          return true if self.class.active_storage_attachment?(name, current)
+
+          assoc = current.reflect_on_association(name.to_sym)
+          return false unless assoc
+          break if assoc.polymorphic?
+
+          current = assoc.klass
+        end
+        true
+      end
+
+      def render_field_error(error)
+        render_parameter_errors(
+          error[:invalid],
+          title: "Invalid Field",
+          detail_proc: ->(f) { "#{f} is not a valid field for #{error[:type]}" },
+          source_proc: ->(f) { { parameter: "fields[#{error[:type]}]=#{f}" } },
+        )
+      end
+
+      def render_sort_errors(invalid)
+        render_parameter_errors(
+          invalid,
+          title: "Invalid Sort Field",
+          detail_proc: ->(f) { "Invalid sort field requested: #{f}" },
+          source_proc: ->(_) { { parameter: "sort" } },
+        )
+      end
+
+      def render_include_errors(invalid)
+        render_parameter_errors(
+          invalid,
+          title: "Invalid Include Path",
+          detail_proc: ->(p) { "Invalid include path requested: #{p}" },
+          source_proc: ->(_) { { parameter: "include" } },
+        )
+      end
+    end
+  end
+end

data/lib/json_api/controllers/concerns/resource_actions/filter_validation.rb

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+
+module JSONAPI
+  module ResourceActions
+    module FilterValidation
+      extend ActiveSupport::Concern
+
+      def validate_filter_param
+        filters = parse_filter_param
+        return if filters.empty?
+
+        invalid = filters.keys.reject { |n| filter_path_valid?(n.to_s) }
+        render_filter_errors(invalid) if invalid.any?
+      end
+
+      private
+
+      def filter_path_valid?(name)
+        parts = name.split(".")
+        check_filter_parts(parts, @resource_class, model_class)
+      end
+
+      def check_filter_parts(parts, res_cls, mod_cls, allow_related: false)
+        return false if parts.empty?
+        return single_filter_valid?(parts.first, res_cls, mod_cls, allow_related) if parts.length == 1
+
+        check_nested_filter(parts, res_cls, mod_cls)
+      end
+
+      def single_filter_valid?(name, res_cls, mod_cls, allow_related)
+        return true if res_cls.permitted_filters.map(&:to_s).include?(name)
+        return false unless allow_related
+
+        related_column_valid?(name, mod_cls)
+      end
+
+      def related_column_valid?(name, mod_cls)
+        col = parse_column_filter(name)
+        return true if col && mod_cls.column_for_attribute(col[:column])
+        return true if mod_cls.column_names.include?(name)
+
+        mod_cls.respond_to?(name.to_sym)
+      end
+
+      def check_nested_filter(parts, res_cls, mod_cls)
+        rel, *rest = parts
+        return false unless filter_rel_allowed?(res_cls, rel)
+
+        assoc = mod_cls.reflect_on_association(rel.to_sym)
+        return false unless assoc
+        return polymorphic_filter_valid?(rest) if assoc.polymorphic?
+
+        check_related_filter(rest, assoc)
+      end
+
+      def check_related_filter(parts, assoc)
+        rel_mod = assoc.klass
+        rel_res = JSONAPI::Resource.resource_for_model(rel_mod)
+        return false unless rel_res
+
+        check_filter_parts(parts, rel_res, rel_mod, allow_related: true)
+      end
+
+      def filter_rel_allowed?(res_cls, rel)
+        permitted = res_cls.permitted_filters_through
+        permitted.include?(rel.to_sym) || permitted.map(&:to_s).include?(rel.to_s)
+      end
+
+      def polymorphic_filter_valid?(parts)
+        return false if parts.empty? || parts.length > 1
+
+        m = parts.first.match(/\A(.+)_(eq|match|lt|lte|gt|gte)\z/)
+        %w[id type].include?(m ? m[1] : parts.first)
+      end
+
+      def parse_column_filter(name)
+        m = name.match(/\A(.+)_(eq|match|lt|lte|gt|gte)\z/)
+        m ? { column: m[1], operator: m[2].to_sym } : nil
+      end
+
+      def render_filter_errors(invalid)
+        render_parameter_errors(
+          invalid,
+          title: "Invalid Filter",
+          detail_proc: ->(n) { "Invalid filter requested: #{n}" },
+          source_proc: ->(n) { { parameter: "filter[#{n}]" } },
+        )
+      end
+    end
+  end
+end

data/lib/json_api/controllers/concerns/resource_actions/pagination.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module JSONAPI
+  module ResourceActions
+    module Pagination
+      extend ActiveSupport::Concern
+
+      private
+
+      def build_pagination_links
+        page_params = parse_page_param
+        current = page_params["number"]&.to_i || 1
+        size = calculate_page_size(page_params)
+        total = calculate_total_pages(size)
+
+        links = base_pagination_links(current, size, total)
+        links[:prev] = pagination_url(current - 1, size) if current > 1
+        links[:next] = pagination_url(current + 1, size) if current < total
+        links
+      end
+
+      def base_pagination_links(current, size, total)
+        {
+          self: pagination_url(current, size),
+          first: pagination_url(1, size),
+          last: pagination_url(total, size),
+        }
+      end
+
+      def calculate_page_size(page_params)
+        size = page_params["size"]&.to_i || JSONAPI.configuration.default_page_size
+        [size, JSONAPI.configuration.max_page_size].min
+      end
+
+      def calculate_total_pages(size)
+        total = (@total_count.to_f / size).ceil
+        total.zero? ? 1 : total
+      end
+
+      def pagination_url(page, size)
+        query = request.query_parameters.dup
+        query["page"] = { "number" => page, "size" => size }
+        "#{request.path}?#{JSONAPI::ParamHelpers.build_query_string(query)}"
+      end
+
+      def build_pagination_meta
+        { total: @total_count }
+      end
+    end
+  end
+end

data/lib/json_api/controllers/concerns/resource_actions/preloading.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+module JSONAPI
+  module ResourceActions
+    module Preloading
+      extend ActiveSupport::Concern
+
+      def preload_includes
+        includes = parse_include_param
+        return if includes.empty?
+
+        includes_hash = build_includes_hash(includes)
+        preload_resources(includes_hash)
+      rescue ActiveRecord::RecordNotFound
+        # Will be handled by set_resource
+      end
+
+      private
+
+      def build_includes_hash(includes)
+        includes.each_with_object({}) do |path, hash|
+          merge_include_path(hash, path)
+        end
+      end
+
+      def merge_include_path(hash, path)
+        parts = path.split(".")
+        current = hash
+
+        parts.each_with_index do |part, i|
+          sym = part.to_sym
+          current[sym] ||= {}
+          current = current[sym] if i < parts.length - 1
+        end
+      end
+
+      def preload_resources(includes_hash)
+        filtered = filter_includes_for_preload(includes_hash)
+
+        case action_name
+        when "index" then @preloaded_resources = preload_collection(filtered)
+        when "show" then @preloaded_resource = preload_single(filtered)
+        end
+      end
+
+      def filter_includes_for_preload(hash)
+        filtered = filter_active_storage_from_includes(hash, model_class)
+        filter_polymorphic_from_includes(filtered, model_class)
+      end
+
+      def preload_collection(includes)
+        return model_class.all if includes.empty?
+
+        model_class.all.includes(includes)
+      end
+
+      def preload_single(includes)
+        return model_class.find(params[:id]) if includes.empty?
+
+        model_class.includes(includes).find(params[:id])
+      end
+    end
+  end
+end

data/lib/json_api/controllers/concerns/resource_actions/resource_loading.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module JSONAPI
+  module ResourceActions
+    module ResourceLoading
+      extend ActiveSupport::Concern
+
+      private
+
+      def load_jsonapi_resource
+        @resource_name = params[:resource_type]&.singularize
+        @resource_class = JSONAPI::ResourceLoader.find(@resource_name) if @resource_name
+        @model_class = @resource_class.model_class if @resource_class
+        @resource = @model_class.find(params[:id]) if params[:id] && @model_class
+      rescue JSONAPI::ResourceLoader::MissingResourceClass
+        @resource_class = nil
+      rescue ActiveRecord::RecordNotFound
+        render_record_not_found
+      end
+
+      def render_record_not_found
+        render_jsonapi_error(
+          status: 404,
+          title: "Record Not Found",
+          detail: "Could not find #{@resource_name} with id '#{params[:id]}'",
+        )
+      end
+
+      def raw_jsonapi_data
+        raw = params[:data]
+        return {} unless raw
+
+        symbolize_data(raw)
+      end
+
+      def symbolize_data(raw)
+        data = raw.respond_to?(:to_unsafe_h) ? raw.to_unsafe_h : raw
+        JSONAPI::ParamHelpers.deep_symbolize_params(data)
+      end
+
+      def deserialize_params(action = :update, model_class: nil)
+        target = model_class || self.model_class
+        JSONAPI::Deserializer.new(raw_jsonapi_data, model_class: target, action:).to_model_attributes
+      end
+
+      def resource_url(resource)
+        "/#{resource_type}/#{resource.id}"
+      end
+
+      def resource_type
+        params[:resource_type] || @resource_name.pluralize
+      end
+
+      def emit_resource_event(action, resource, resource_id: nil, resource_type: nil)
+        changes = extract_changes(action, resource)
+        JSONAPI::Instrumentation.resource_event(
+          action:,
+          resource_type: resource_type || self.resource_type,
+          resource_id: resource_id || resource.id,
+          changes:,
+        )
+      end
+
+      def extract_changes(action, resource)
+        return {} unless action == :updated && resource.respond_to?(:previous_changes)
+
+        resource.previous_changes.except("updated_at", "created_at")
+      end
+    end
+  end
+end

data/lib/json_api/controllers/concerns/resource_actions/serialization.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module JSONAPI
+  module ResourceActions
+    module Serialization
+      extend ActiveSupport::Concern
+
+      def serialize_resource(resource)
+        JSONAPI::Serializer.new(resource).to_hash(
+          include: parse_include_param,
+          fields: parse_fields_param,
+          document_meta: jsonapi_document_meta,
+        )
+      end
+
+      def serialize_collection(resources)
+        includes = parse_include_param
+        fields = parse_fields_param
+        all_included = []
+        processed = Set.new
+
+        data = resources.map do |r|
+          result = serialize_single(r, includes, fields)
+          collect_included(result, all_included, processed)
+          result[:data]
+        end
+
+        build_collection_response(data, all_included)
+      end
+
+      private
+
+      def serialize_single(resource, includes, fields)
+        JSONAPI::Serializer.new(resource).to_hash(include: includes, fields:, document_meta: nil)
+      end
+
+      def collect_included(result, all_included, processed)
+        (result[:included] || []).each do |inc|
+          add_unique_included(inc, all_included, processed)
+        end
+      end
+
+      def add_unique_included(inc, all_included, processed)
+        key = "#{inc[:type]}-#{inc[:id]}"
+        return if processed.include?(key)
+
+        all_included << inc
+        processed.add(key)
+      end
+
+      def build_collection_response(data, all_included)
+        result = { jsonapi: JSONAPI::Serializer.jsonapi_object, data: }
+        result[:included] = all_included if all_included.any?
+
+        pagination_meta = @pagination_applied ? build_pagination_meta : {}
+        result[:links] = build_pagination_links if @pagination_applied
+        result[:meta] = jsonapi_document_meta(pagination_meta)
+
+        result
+      end
+    end
+  end
+end

data/lib/json_api/controllers/concerns/resource_actions/type_validation.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+module JSONAPI
+  module ResourceActions
+    module TypeValidation
+      extend ActiveSupport::Concern
+
+      def validate_resource_type!
+        return unless @resource_class
+        return if params[:relationship_name].present?
+
+        requested = jsonapi_type
+        expected = resource_type
+        return if requested == expected
+        return if valid_sti_subtype?(requested)
+
+        render_type_mismatch_error(expected, requested) and return
+      end
+
+      def validate_resource_id!
+        return unless @resource_class
+
+        requested = jsonapi_id
+        expected = params[:id].to_s
+        return if requested == expected
+
+        render_id_mismatch_error(expected, requested) and return
+      end
+
+      private
+
+      def valid_sti_subtype?(requested)
+        return false unless model_class.respond_to?(:base_class)
+
+        resource_class = JSONAPI::ResourceLoader.find(requested)
+        resource_class.model_class < model_class
+      rescue JSONAPI::ResourceLoader::MissingResourceClass, NameError
+        false
+      end
+
+      def render_type_mismatch_error(expected, requested)
+        detail = type_mismatch_detail(expected, requested)
+        render json: type_mismatch_response(detail), status: :conflict
+      end
+
+      def type_mismatch_detail(expected, requested)
+        return "Missing type member. Expected '#{expected}'" if requested.nil?
+
+        "Type mismatch: expected '#{expected}', got '#{requested}'"
+      end
+
+      def type_mismatch_response(detail)
+        {
+          errors: [{
+            status: "409",
+            title: "Type Mismatch",
+            detail:,
+            source: { pointer: "/data/type" },
+          }],
+        }
+      end
+
+      def render_id_mismatch_error(expected, requested)
+        render json: {
+          errors: [{
+            status: "409",
+            title: "ID Mismatch",
+            detail: "ID mismatch: expected '#{expected}', got '#{requested}'",
+            source: { pointer: "/data/id" },
+          }],
+        }, status: :conflict
+      end
+    end
+  end
+end