linzer 0.7.9.beta1 → 0.7.9.beta3

data/flake.nix

@@ -1,11 +1,23 @@
 {
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
-    # XXX: should work, not tested yet on MacOS
-    # systems.url = "github:nix-systems/default";
-    systems.url = "github:nix-systems/default-linux";
-    ruby-nix.url = "github:inscapist/ruby-nix";
-    bundix.url = "github:inscapist/bundix";
+
+    systems = {
+      url = "github:nix-systems/default-linux";
+      # XXX: should work, not tested yet on MacOS
+      # url = "github:nix-systems/default";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    ruby-nix = {
+      url = "github:inscapist/ruby-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    bundix = {
+      url = "github:inscapist/bundix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs = {

data/lib/faraday/http_signature/middleware.rb

@@ -0,0 +1,296 @@
+# frozen_string_literal: true
+
+module Faraday
+  module HttpSignature
+    # Raised when HTTP response signature verification fails in strict mode.
+    #
+    # Inherits from {Faraday::Error} so that standard Faraday error handling
+    # (e.g. +rescue Faraday::Error+) catches verification failures.
+    # The original {Linzer::VerifyError} is preserved as {#wrapped_exception}
+    # and the {Faraday::Response} is available via {#response}.
+    #
+    # @example Catching a verification failure
+    #   begin
+    #     response = conn.get("/")
+    #   rescue Faraday::HttpSignature::VerifyError => e
+    #     e.message            # => "Failed to verify message: Invalid signature."
+    #     e.response           # => the Faraday::Response object
+    #     e.wrapped_exception  # => the original Linzer::VerifyError
+    #   end
+    #
+    # @see Middleware
+    class VerifyError < Faraday::Error; end
+
+    # Raised when HTTP request signature creation fails.
+    #
+    # Inherits from {Faraday::Error} so that standard Faraday error handling
+    # (e.g. +rescue Faraday::Error+) catches verification failures.
+    # The original {Linzer::Error} is preserved as {#wrapped_exception}.
+    #
+    # @example Catching a signing failure
+    #   begin
+    #     response = conn.post("/")
+    #   rescue Faraday::HttpSignature::SigningError => e
+    #     e.message            # => "Failed to sign message: Missing component."
+    #     e.wrapped_exception  # => the original Linzer::Error
+    #   end
+    #
+    # @see Middleware
+    class SigningError < Faraday::Error; end
+
+    # Faraday middleware for HTTP message signing and verification (RFC 9421).
+    #
+    # When registered via +request+, signs outgoing requests (default).
+    # When registered via +response+, verifies incoming response signatures.
+    # When registered via +use+, signs requests by default; pass
+    # +verify_response: true+ to also verify responses.
+    #
+    # == Verification result metadata
+    #
+    # After response verification, the middleware stores results in
+    # +env[:http_signature_verified]+ (+true+ or +false+) and
+    # +env[:http_signature]+ (the {Linzer::Signature} on success).
+    # These are accessible via +response.env[:http_signature_verified]+.
+    #
+    # @example Sign requests
+    #   conn = Faraday.new(url: "https://example.com") do |f|
+    #     f.request :http_signature, key: my_key, components: %w[@method @path]
+    #   end
+    #
+    # @example Verify responses
+    #   conn = Faraday.new(url: "https://example.com") do |f|
+    #     f.response :http_signature, verify_key: server_pubkey
+    #   end
+    #
+    # @example Lenient verification (no exception on failure)
+    #   conn = Faraday.new(url: "https://example.com") do |f|
+    #     f.response :http_signature, verify_key: server_pubkey, strict: false
+    #   end
+    #   response = conn.get("/")
+    #   response.env[:http_signature_verified]  # => true or false
+    #
+    # @see https://datatracker.ietf.org/doc/html/rfc9421 RFC 9421
+    class Middleware < Faraday::Middleware
+      # Default options for the base middleware class (used by +use+
+      # and +request+ registrations). Signs requests, does not verify
+      # responses, strict mode enabled.
+      DEFAULT_OPTIONS = {
+        sign_request:    true,
+        verify_response: false,
+        strict:          true
+      }.freeze
+
+      # Configuration options for the HTTP signature middleware.
+      #
+      # @!attribute [rw] key
+      #   @return [Linzer::Key, nil] generic key used for signing or
+      #     verification when only one mode is active
+      # @!attribute [rw] sign_request
+      #   @return [Boolean] whether to sign outgoing requests
+      #     (defaults to +true+)
+      # @!attribute [rw] sign_key
+      #   @return [Linzer::Key, nil] explicit key for signing; required
+      #     when both signing and verification are enabled
+      # @!attribute [rw] components
+      #   @return [Array<String>] HTTP message components to include in
+      #     the signature (e.g. +["@method", "@path", "content-type"]+)
+      # @!attribute [rw] verify_response
+      #   @return [Boolean] whether to verify incoming response signatures
+      #     (defaults to +false+)
+      # @!attribute [rw] verify_key
+      #   @return [Linzer::Key, nil] explicit key for verification; required
+      #     when both signing and verification are enabled
+      # @!attribute [rw] params
+      #   @return [Hash] additional signature parameters
+      #     (e.g. +{ tag: "my_tag" }+)
+      # @!attribute [rw] strict
+      #   @return [Boolean] when +true+ (default), raises
+      #     {VerifyError} on verification failure; when +false+,
+      #     sets +env[:http_signature_verified]+ to +false+ and continues
+      class Options < Faraday::Options.new(:key, :sign_request, :sign_key, :components, :verify_response, :verify_key, :params, :strict)
+        # Returns the generic key.
+        # @return [Linzer::Key, nil]
+        def key
+          self[:key]
+        end
+
+        # Whether outgoing requests should be signed.
+        # Defaults to +true+ (returns +true+ when unset).
+        # @return [Boolean]
+        def sign_request?
+          self[:sign_request] != false
+        end
+
+        # Whether incoming responses should be verified.
+        # Defaults to +false+ (returns +false+ when unset).
+        # @return [Boolean]
+        def verify_response?
+          self[:verify_response]
+        end
+
+        # Whether verification failures should raise an exception.
+        # Defaults to +true+ (returns +true+ when unset).
+        # @return [Boolean]
+        def strict?
+          self[:strict] != false
+        end
+
+        # Returns the list of HTTP message components to sign.
+        # @return [Array<String>]
+        def components
+          Array(self[:components])
+        end
+
+        # Returns additional signature parameters.
+        # @return [Hash]
+        def params
+          Hash(self[:params])
+        end
+      end
+
+      # Creates a new middleware instance.
+      #
+      # Merges class-level {DEFAULT_OPTIONS} with the user-provided options
+      # so that subclasses ({Request}, {Response}) can override defaults.
+      #
+      # @param app [#call] the next middleware or adapter in the stack
+      # @param options [Hash, nil] middleware options
+      # @option options [Linzer::Key] :key generic key for signing or verification
+      # @option options [Linzer::Key] :sign_key explicit signing key
+      # @option options [Linzer::Key] :verify_key explicit verification key
+      # @option options [Array<String>] :components components to sign
+      # @option options [Hash] :params additional signature parameters
+      # @option options [Boolean] :sign_request (+true+) whether to sign requests
+      # @option options [Boolean] :verify_response (+false+) whether to verify responses
+      # @option options [Boolean] :strict (+true+) raise on verification failure
+      def initialize(app, options = nil)
+        super(app)
+        defaults = self.class::DEFAULT_OPTIONS
+        merged = defaults.merge(Hash(options))
+        @options = Options.from(merged)
+      end
+
+      # Signs the outgoing request when {Options#sign_request?} is +true+.
+      #
+      # Resolves the signing key, builds a {Linzer::Message} from the
+      # Faraday environment, generates a signature over the configured
+      # components, and merges the +signature+ and +signature-input+
+      # headers into the request.
+      #
+      # @param env [Faraday::Env] the middleware environment
+      # @return [Faraday::Env, nil] the modified env, or +nil+ if signing
+      #   is disabled
+      # @raise [Linzer::Error] if no valid signing key is available
+      def on_request(env)
+        return unless options.sign_request?
+
+        key = resolve_signing_key
+        request = Linzer::Faraday::Utils.create_request(env)
+        message = Linzer::Message.new(request)
+
+        signature = Linzer.sign(key, message, options.components, options.params)
+        env.request_headers.merge!(signature.to_h)
+        env
+      rescue Linzer::Error => e
+        raise SigningError, e if options.strict?
+      end
+
+      # Verifies the response signature when {Options#verify_response?} is +true+.
+      #
+      # On success, sets +env[:http_signature_verified]+ to +true+ and
+      # +env[:http_signature]+ to the verified {Linzer::Signature}.
+      #
+      # On failure in strict mode (default), raises {VerifyError}.
+      # In lenient mode (+strict: false+), sets
+      # +env[:http_signature_verified]+ to +false+ and allows the response
+      # to continue through the middleware stack.
+      #
+      # @param env [Faraday::Env] the middleware environment
+      # @return [Faraday::Env, nil] the modified env, or +nil+ if verifying
+      #   is disabled
+      # @raise [VerifyError] if verification fails and +strict+ is +true+
+      # @raise [Linzer::Error] if no valid verification key is available
+      def on_complete(env)
+        env[:http_signature_verified] = false
+        return unless options.verify_response?
+
+        key = resolve_verify_key
+        response = ::Faraday::Response.new(env)
+        message = Linzer::Message.new(response)
+        signature = Linzer::Signature.build(response.headers)
+
+        Linzer.verify(key, message, signature)
+        env[:http_signature_verified] = true
+        env[:http_signature] = signature
+        env
+      rescue Linzer::Error => e
+        raise VerifyError.new(e, response: response) if options.strict?
+      end
+
+      private
+
+      # Resolves the key to use for signing requests.
+      #
+      # Prefers {Options#sign_key}. Falls back to the generic {Options#key}
+      # when only one mode (sign or verify) is active. When both modes are
+      # active, the generic key is ambiguous and +sign_key+ must be set
+      # explicitly.
+      #
+      # @return [Linzer::Key] the resolved signing key
+      # @raise [Linzer::Error] if no key is available or the key is invalid
+      def resolve_signing_key
+        key = options.sign_key
+        key ||= options.key unless options.sign_request? && options.verify_response?
+        raise Linzer::Error, "No signing key provided!" if !key
+        raise Linzer::Error, "Invalid key!" if !key.is_a?(Linzer::Key)
+
+        key
+      end
+
+      # Resolves the key to use for verifying response signatures.
+      #
+      # Prefers {Options#verify_key}. Falls back to the generic {Options#key}
+      # when only one mode (sign or verify) is active. When both modes are
+      # active, the generic key is ambiguous and +verify_key+ must be set
+      # explicitly.
+      #
+      # @return [Linzer::Key] the resolved verification key
+      # @raise [Linzer::Error] if no key is available or the key is invalid
+      def resolve_verify_key
+        key = options.verify_key
+        key ||= options.key unless options.sign_request? && options.verify_response?
+        raise Linzer::Error, "No verification key provided!" if !key
+        raise Linzer::Error, "Invalid key!" if !key.is_a?(Linzer::Key)
+
+        key
+      end
+
+      # Subclass registered under {Faraday::Request}.
+      #
+      # Inherits the base {DEFAULT_OPTIONS} which sign requests by default
+      # and do not verify responses.
+      #
+      # @example
+      #   f.request :http_signature, key: my_key, components: %w[@method @path]
+      class Request < self
+      end
+
+      # Subclass registered under {Faraday::Response}.
+      #
+      # Overrides {DEFAULT_OPTIONS} to verify responses by default and
+      # not sign requests.
+      #
+      # @example
+      #   f.response :http_signature, verify_key: server_pubkey
+      class Response < self
+        # Default options for the response subclass. Verifies responses
+        # and does not sign requests.
+        DEFAULT_OPTIONS = {
+          sign_request:    false,
+          verify_response: true,
+          strict:          true
+        }.freeze
+      end
+    end
+  end
+end

data/lib/faraday/http_signature.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require "faraday"
+require_relative "http_signature/middleware"
+
+module Faraday
+  # Faraday middleware for signing and verifying HTTP messages
+  # as defined in RFC 9421.
+  #
+  # Three registration points are provided so the middleware can be added
+  # via +request+, +response+ or +use+, each with appropriate defaults:
+  #
+  # @example Sign outgoing requests
+  #   conn = Faraday.new(url: "https://example.com") do |f|
+  #     f.request :http_signature, key: my_key, components: %w[@method @path]
+  #   end
+  #
+  # @example Verify incoming responses
+  #   conn = Faraday.new(url: "https://example.com") do |f|
+  #     f.response :http_signature, verify_key: server_pubkey
+  #   end
+  #
+  # @example Sign requests and verify responses
+  #   conn = Faraday.new(url: "https://example.com") do |f|
+  #     f.use :http_signature, sign_key: my_key, verify_key: server_pubkey,
+  #       verify_response: true, components: %w[@method @path]
+  #   end
+  #
+  # @see Faraday::HttpSignature::Middleware
+  # @see https://datatracker.ietf.org/doc/html/rfc9421 RFC 9421 - HTTP Message Signatures
+  module HttpSignature
+    Faraday::Request.register_middleware(http_signature:    Faraday::HttpSignature::Middleware::Request)
+    Faraday::Response.register_middleware(http_signature:   Faraday::HttpSignature::Middleware::Response)
+    Faraday::Middleware.register_middleware(http_signature: Faraday::HttpSignature::Middleware)
+  end
+end

data/lib/linzer/faraday/utils.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Linzer
+  # Faraday integration for Linzer.
+  #
+  # @see file:lib/linzer/faraday.rb
+  module Faraday
+    # Utility methods for converting Faraday middleware objects into
+    # types compatible with Linzer adapters.
+    module Utils
+      # Creates a {::Faraday::Request} from a middleware environment.
+      #
+      # Builds a minimal request suitable for use with
+      # {Linzer::Message::Adapter::Faraday::Request}, preserving the
+      # original HTTP method, URL, and headers from the environment.
+      #
+      # @param env [::Faraday::Env] the middleware environment
+      # @return [::Faraday::Request] a new request object
+      def self.create_request(env)
+        ::Faraday::Request.create(env.method) do |req|
+          req.params  = ::Faraday::Utils::ParamsHash.new
+          req.headers = ::Faraday::Utils::Headers.new(env.request_headers.dup)
+          req.options = ::Faraday::ConnectionOptions.from(nil).request
+          req.url       env.url
+        end
+      end
+    end
+  end
+end

data/lib/linzer/faraday.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+# Faraday integration for Linzer.
+#
+# Require this file to automatically register Faraday message adapters
+# and the HTTP signature (RFC 9421) middleware.
+#
+# This sets up:
+# - {Linzer::Message::Adapter::Faraday::Request} for {::Faraday::Request}
+# - {Linzer::Message::Adapter::Faraday::Response} for {::Faraday::Response}
+# - {Faraday::HttpSignature::Middleware} registered as +:http_signature+
+#   on +Faraday::Request+, +Faraday::Response+ and +Faraday::Middleware+
+#
+# @example
+#   require "linzer/faraday"
+#
+#   conn = Faraday.new(url: "https://example.com") do |f|
+#     f.request :http_signature, key: my_key, components: %w[@method @path]
+#   end
+
+require "faraday"
+require "linzer"
+require "faraday/http_signature"
+require "linzer/message/adapter/faraday/request"
+require "linzer/message/adapter/faraday/response"
+require "linzer/faraday/utils"
+
+Linzer::Message.register_adapter(Faraday::Request,  Linzer::Message::Adapter::Faraday::Request)
+Linzer::Message.register_adapter(Faraday::Response, Linzer::Message::Adapter::Faraday::Response)

data/lib/linzer/http.rb

@@ -78,6 +78,14 @@ module Linzer
     private
 
     # Executes a signed HTTP request.
+    #
+    # Validates inputs, builds and signs the request, then sends it.
+    #
+    # @param verb [Symbol] the HTTP method (e.g. +:get+, +:post+)
+    # @param uri [String] the request URI
+    # @param options [Hash] request options
+    # @return [Net::HTTPResponse] the response
+    # @raise [Linzer::Error] if the verb or key is invalid
     def request(verb, uri, options = {})
       validate_verb(verb)
 
@@ -100,10 +108,16 @@ module Linzer
       do_request(http, uri, verb, options[:data], signature, headers)
     end
 
+    # Returns the default covered components for signing.
+    # @return [Array<String>]
     def default_components
       Linzer::Options::DEFAULT[:covered_components]
     end
 
+    # Validates that the HTTP verb is recognized.
+    #
+    # @param verb [Symbol] the HTTP method
+    # @raise [Linzer::Error] if the verb is unknown
     def validate_verb(verb)
       method_name = verb.to_s.upcase
       if !known_http_methods.include?(method_name)
@@ -111,17 +125,32 @@ module Linzer
       end
     end
 
+    # Validates that the signing key is present and usable.
+    #
+    # @param key [Linzer::Key] the signing key
+    # @return [Linzer::Key] the validated key
+    # @raise [Linzer::Error] if the key is nil or does not respond to +#sign+
     def validate_key(key)
       raise Linzer::Error, "Key can not be nil!"    if !key
       raise Linzer::Error, "Key object is invalid!" if !key.respond_to?(:sign)
       key
     end
 
+    # Builds request headers, adding a default User-Agent if not present.
+    #
+    # @param headers [Hash] user-provided headers
+    # @return [Hash] headers with User-Agent ensured
     def build_headers(headers)
       return headers if headers.transform_keys(&:downcase).key?("user-agent")
       headers.merge({"user-agent" => "Linzer/#{Linzer::VERSION}"})
     end
 
+    # Builds a Net::HTTP request object for the given method and URI.
+    #
+    # @param method [Symbol] the HTTP method
+    # @param uri [String] the request URI
+    # @param headers [Hash] request headers to set
+    # @return [Net::HTTPRequest] the constructed request
     def build_request(method, uri, headers)
       request_class = Net::HTTP.const_get(method.to_s.capitalize)
       request = request_class.new(URI(uri))
@@ -129,7 +158,10 @@ module Linzer
       request
     end
 
-    # Determines if the HTTP method typically has a request body.
+    # Checks if the HTTP method typically carries a request body.
+    #
+    # @param verb [Symbol] the HTTP method
+    # @return [Boolean] +true+ for POST, PUT, PATCH, and WebDAV write methods
     def with_body?(verb)
       # common HTTP
       return false if %i[get head options trace delete].include?(verb)
@@ -142,6 +174,16 @@ module Linzer
       true
     end
 
+    # Sends the HTTP request with the signature headers attached.
+    #
+    # @param http [Net::HTTP] the HTTP connection
+    # @param uri [String] the request URI
+    # @param verb [Symbol] the HTTP method
+    # @param data [String, nil] the request body
+    # @param signature [Linzer::Signature] the generated signature
+    # @param headers [Hash] request headers
+    # @return [Net::HTTPResponse] the response
+    # @raise [Linzer::Error] if a body is required but not provided
     def do_request(http, uri, verb, data, signature, headers)
       if with_body?(verb)
         if !data

data/lib/linzer/message/adapter/abstract.rb

@@ -96,7 +96,10 @@ module Linzer
         private
 
         # Parses a field name string into a FieldId.
-        # @return [FieldId, nil] The parsed identifier, or nil if invalid
+        #
+        # @param field_name [String] the component identifier string
+        # @return [FieldId, nil] the parsed identifier, or +nil+ if invalid
+        # @raise [Error] if +@status+ is used in a request message
         def parse_field_name(field_name)
           field_id  = FieldId.new(field_name: field_name)
           component = field_id.item
@@ -117,8 +120,12 @@ module Linzer
           raise Linzer::Error, msg unless message.request?
         end
 
-        # Validates component identifier parameters.
-        # @return [Object, nil] The validated name, or nil if invalid
+        # Validates component identifier parameters against RFC 9421 rules.
+        #
+        # @param name [Starry::Item] the parsed component identifier
+        # @param method [Symbol] +:derived+ or +:field+
+        # @return [Starry::Item, nil] the validated name, or +nil+ if
+        #   the parameter combination is invalid
         def validate_parameters(name, method)
           has_unknown = name.parameters.any? { |p, _| !KNOWN_PARAMETERS.include?(p) }
           return nil if has_unknown
@@ -149,6 +156,13 @@ module Linzer
         private_constant :KNOWN_PARAMETERS
 
         # Retrieves a component value with parameter processing.
+        #
+        # Handles +;req+, +;sf+, +;key+, and +;bs+ parameters by
+        # delegating to the corresponding helper methods.
+        #
+        # @param name [Starry::Item] the parsed component identifier
+        # @param method [Symbol] +:derived+ or +:field+
+        # @return [String, Integer, nil] the component value
         def retrieve(name, method)
           if !name.parameters.empty?
             valid_params = validate_parameters(name, method)
@@ -176,6 +190,10 @@ module Linzer
         end
 
         # Processes a structured field value with optional key extraction.
+        #
+        # @param value [String] the raw header value to parse as a dictionary
+        # @param key [String, nil] if present, extracts a single dictionary member
+        # @return [String] the serialized structured field value
         # @see https://www.rfc-editor.org/rfc/rfc9421.html#section-2.1.1
         def sf(value, key = nil)
           dict = Starry.parse_dictionary(value)
@@ -188,19 +206,31 @@ module Linzer
           end
         end
 
-        # Binary-wraps a field value.
+        # Binary-wraps a field value as a byte sequence.
+        #
+        # @param value [String] the header value to wrap
+        # @return [String] the serialized byte sequence
         # @see https://www.rfc-editor.org/rfc/rfc9421.html#section-2.1.3
         def bs(value)
           Starry.serialize(value.encode(Encoding::ASCII_8BIT))
         end
 
         # Retrieves a trailer field value.
+        #
         # @abstract Subclasses should implement if trailer support is needed.
+        # @param trailer [Object] the trailer field identifier
+        # @return [String, nil] the trailer value
+        # @raise [Error] always, since no built-in adapters support trailers
         def tr(trailer)
           raise Error, "Sub-classes are required to implement this method!"
         end
 
-        # Retrieves a field from the attached request.
+        # Retrieves a field from the attached request (for +;req+ parameter).
+        #
+        # @param field [Starry::Item] the component identifier
+        # @param method [Symbol] +:derived+ or +:field+
+        # @return [String, nil] the value from the attached request, or
+        #   +nil+ if no request is attached
         def req(field, method)
           attached_request? ? @attached_request[String(field)] : nil
         end

data/lib/linzer/message/adapter/faraday/request.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module Linzer
+  class Message
+    module Adapter
+      module Faraday
+        # Adapter for {::Faraday::Request} objects from the faraday gem.
+        #
+        # Extends the generic request adapter with faraday-specific
+        # derived component retrieval, field lookup, and URI handling.
+        #
+        # @note Not loaded automatically to avoid making faraday a hard
+        #   dependency. Require +"linzer/faraday"+ to register this adapter.
+        #
+        # @see Generic::Request
+        # @see https://github.com/lostisland/faraday faraday gem
+        class Request < Generic::Request
+          private
+
+          # Resolves a derived component value from the request.
+          #
+          # @param name [Starry::Item] the parsed component identifier
+          # @return [String, nil] the derived value, or +nil+ if unknown
+          def derived(name)
+            url = @operation.path
+            case name.value
+            when "@method"         then @operation.http_method.to_s.upcase
+            when "@target-uri"     then uri.to_s
+            when "@authority"      then url.authority.downcase
+            when "@scheme"         then url.scheme.downcase
+            when "@request-target" then uri.request_uri
+            when "@path"           then url.path
+            when "@query"          then "?%s" % String(uri_query)
+            when "@query-param"    then query_param(uri_query, name)
+            end
+          end
+
+          # Builds the full URI including query parameters.
+          #
+          # @return [URI] the complete request URI with encoded query string
+          def uri
+            uri = @operation.path.dup
+            uri.query = URI.encode_www_form(@operation.params)
+            uri
+          end
+
+          # Returns the raw query string from the request URI.
+          #
+          # Prefers the raw query string from the URI when available,
+          # as Faraday normalises percent-encoding when parsing params
+          # (e.g. +%2D+ becomes +-+), which would break signature
+          # verification.
+          #
+          # @return [String, nil] the raw query string
+          def uri_query
+            url = @operation.path
+            url.query || uri.query
+          end
+        end
+      end
+    end
+  end
+end