model_driven_api 2.2.4

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: f796ea92049910892b48c1904c58192bb7a4b0021a0c0beef89c8e6106f7f64b
+  data.tar.gz: 5054f69acc854b47ab9a5825bb950d035882b05ea6285b81592989ab31d29343
+SHA512:
+  metadata.gz: bbea75413aa62fceddd25f003e23fd6ec16a37f7027be2af549e2f565d91fd8ad8ef93dc07e2bb5cb8b8121aeaf276370ec649222dec8b4893c87a815c4e8a73
+  data.tar.gz: 871479573af6861b9c0aaf9d323668aab7f75afc68452501dd9c1d9253a96cdfc90cd74891e46e0273dfa0abd14357260fe79ab0ffebc92a11766baf2fae28b5

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2020 
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,205 @@
+# Model Driven Api
+I've always been interested in effortless, no-fuss, conventions' based development, DRYness, and pragmatic programming, I've always thought that at this point of the technology evolution, we need not to configure too much to have our software run, having the software adapt to data layers and from there building up APIs, visualizations, etc. in an automatic way. This is a first step to have a schema driven API or better model drive, based on the underlining database, the data it has to serve and some sane dafults, or conventions. This effort also gives, thanks to meta programming, an insight on the actual schema, via the info API, the translations available and the DSL which can change the way the data is presented, leading to a strong base for automatica built of UIs consuming the API (react, vue, angular based PWAs, maybe! ;-) ).
+
+Doing this means also narrowing a bit the scope of the tools, taking decisions, at least for the first implementations and versions of this engine, so, this works well if the data is relational, this is a prerequisite (postgres, mysql, mssql, etc.).
+
+# Goal
+
+To have a comprehensive and meaningful API right out of the box by just creating migrations in your rails app or engine.
+
+# v2?
+
+Yes, this is the second version of such an effort and you can note it from the api calls, which are all under the ```/api/v2``` namespace the [/api/v1](https://github.com/gabrieletassoni/thecore_api) one, was were it all started, many ideas are ported from there, such as the generation of the automatic model based crud actions, as well as custom actions definitions and all the things that make also this gem useful for my daily job were already in place, but it was too coupled with [thecore](https://github.com/gabrieletassoni/thecore)'s [rails_admin](https://github.com/sferik/rails_admin) UI, making it impossible to create a complete UI-less, API only application, out of the box and directly based of the DB schema, with all the bells and whistles I needed (mainly self adapting, data and schema driven API functionalities).
+So it all began again, making a better thecore_api gem into this model_driven_api gem, more polished, more functional and self contained.
+
+# Standards Used
+
+* [JWT](https://github.com/jwt/ruby-jwt) for authentication.
+* [CanCanCan](https://github.com/CanCanCommunity/cancancan) for authorization.
+* [Ransack](https://github.com/activerecord-hackery/ransack) query engine for complex searches going beyond CRUD's listing scope.
+* Catch all routing rule to automatically add basic crud operations to any AR model in the app.
+
+## Usage
+How to use my plugin.
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'model_driven_api'
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install model_driven_api
+```
+
+Then run the migrations:
+```bash
+$ rails db:migrate
+```
+
+This will setup a User model, Role model and the HABTM table between the two.
+
+Then, if you fire up your ```rails server``` you can already get a jwt and perform different operations.
+The default admin user created during the migration step has a randomly generated password you can find in a .passwords file in the root of your project, that's the initial password, in production you can replace that one, but for testing it proved handy to have it promptly available.
+
+## Consuming the API
+
+### Getting the Token
+
+The first thing that must be done by the client is to get a Token using the credentials:
+
+```bash
+POST http://localhost:3000/api/v2/authenticate
+```
+
+with a POST body like the one below:
+
+```json
+{
+	"auth": {
+		"email": "<REPLACE>",
+		"password": "<REPLACE>"
+	}
+}
+```
+
+This action will return in the header a *Token* you can use for the following requests.
+Bear in mind that the *Token* will expire within 15 minutes and that at each succesful request a new token is returned using the same *Token* header, so, at each interaction between client server, just making an authenticated and succesful request, will give you back a way of continuing to make authenticated requests without the extra overhead of an authentication for each one and without having to keep long expiry times for the *Token*.
+
+### Info API
+
+The info API **api/v2/info/** can be used to retrieve general information about the REST API:
+
+#### Version
+
+By issuing a GET on this api, you will get a response containing the version of the model_driven_api. 
+This is a request which doesn't require authentication, it could be used as a checkpoint for consuming the resources exposed by this engine.
+
+```bash
+GET http://localhost:3000/api/v2/info/version
+```
+
+Would produce a response body like this one:
+
+```json
+{
+  "version": "2.1.14"
+}
+```
+
+#### Roles
+
+**Authenticated Request** by issuing a GET request to */api/v2/info/roles*:
+
+```bash
+GET http://localhost:3000/api/v2/info/roles
+```
+
+Something like this can be retrieved:
+
+```json
+[
+  {
+    "id": 1,
+    "name": "role-1586521657646",
+    "created_at": "2020-04-10T12:27:38.061Z",
+    "updated_at": "2020-04-10T12:27:38.061Z",
+    "lock_version": 0
+  },
+  {
+    "id": 2,
+    "name": "role-1586522353509",
+    "created_at": "2020-04-10T12:39:14.276Z",
+    "updated_at": "2020-04-10T12:39:14.276Z",
+    "lock_version": 0
+  }
+]
+```
+
+#### Schema
+
+**Authenticated Request** This action will send back the *authorized* models accessible by the current user at least for the [:read ability](https://github.com/ryanb/cancan/wiki/checking-abilities). The list will also show the field types of the model and the associations.
+
+By issuing this GET request:
+
+```bash
+GET http://localhost:3000/api/v2/info/roles
+```
+
+You will get something like:
+
+```json
+{
+  "users": {
+    "id": "integer",
+    "email": "string",
+    "encrypted_password": "string",
+    "admin": "boolean",
+    "lock_version": "integer",
+    "associations": {
+      "has_many": [
+        "role_users",
+        "roles"
+      ],
+      "belongs_to": []
+    },
+    "methods": null
+  },
+  "role_users": {
+    "id": "integer",
+    "created_at": "datetime",
+    "updated_at": "datetime",
+    "associations": {
+      "has_many": [],
+      "belongs_to": [
+        "user",
+        "role"
+      ]
+    },
+    "methods": null
+  },
+  "roles": {
+    "id": "integer",
+    "name": "string",
+    "created_at": "datetime",
+    "updated_at": "datetime",
+    "lock_version": "integer",
+    "associations": {
+      "has_many": [
+        "role_users",
+        "users"
+      ],
+      "belongs_to": []
+    },
+    "methods": null
+  }
+}
+```
+
+The *methods* key will list the **custom actions** that can be used in addition to normal CRUD operations, these can be bulk actions and anything that can serve a purpose, usually to simplify the interaction between client and server (i.e. getting in one request the result of a complex computations which usually would be sorted out using more requests). Later on this topic.
+
+## Testing
+
+If you want to manually test the API using [Insomnia](https://insomnia.rest/) you can find the chained request in Insomnia v4 json format inside the **test/insomnia** folder.
+In the next few days, I'll publish also the rspec tests.
+
+## TODO
+
+* Integrate a settings gem
+* Add DSL for users and roles
+
+## References
+THanks to all these people for ideas:
+
+* [Billy Cheng](https://medium.com/@billy.sf.cheng/a-rails-6-application-part-1-api-1ee5ccf7ed01) For a way to have a nice and clean implementation of the JWT on top of Devise.
+* [Daniel](https://medium.com/@tdaniel/passing-refreshed-jwts-from-rails-api-using-headers-859f1cfe88e9) For a smart way to manage token expiration.
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,32 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'ModelDrivenApi'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load 'rails/tasks/engine.rake'
+
+load 'rails/tasks/statistics.rake'
+
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test

data/app/commands/authenticate_user.rb

@@ -0,0 +1,32 @@
+class AuthenticateUser
+    class AccessDenied < StandardError
+        def message
+            "AuthenticationError"
+        end
+    end
+    prepend SimpleCommand
+    
+    def initialize(email, password)
+        @email = email
+        @password = password
+    end
+    
+    def call
+        JsonWebToken.encode(user_id: api_user.id) if api_user
+    end
+    
+    private
+    
+    attr_accessor :email, :password
+    
+    def api_user
+        user = User.find_by_email(email)
+        raise AccessDenied unless user.present?
+        
+        # Verify the password. You can create a blank method for now.
+        raise AccessDenied if user.authenticate(password).blank?
+        
+        return user
+    end
+    
+end

data/app/commands/authorize_api_request.rb

@@ -0,0 +1,33 @@
+class AuthorizeApiRequest
+    prepend SimpleCommand
+    
+    def initialize(headers = {})
+        @headers = headers
+    end
+    
+    def call
+        api_user
+    end
+    
+    private
+    
+    attr_reader :headers
+    
+    def api_user
+        @api_user ||= User.find(decoded_auth_token[:user_id]) if decoded_auth_token
+        @api_user || errors.add(:token, "Invalid token") && nil
+    end
+    
+    def decoded_auth_token
+        @decoded_auth_token ||= JsonWebToken.decode(http_auth_header)
+    end
+    
+    def http_auth_header
+        if headers['Authorization'].present?
+            return headers['Authorization'].split(' ').last
+        else
+            errors.add(:token, "Missing token")
+        end
+        nil
+    end
+end

data/app/controllers/api/v2/application_controller.rb

@@ -0,0 +1,154 @@
+class Api::V2::ApplicationController < ActionController::API
+    # Detect Locale from Accept-Language headers
+    include HttpAcceptLanguage::AutoLocale
+    # Actions will be authorized directly in the action
+    include CanCan::ControllerAdditions
+    include ::ApiExceptionManagement
+
+    attr_accessor :current_user
+    
+    before_action :authenticate_request
+    before_action :extract_model
+    before_action :find_record, only: [ :show, :destroy, :update ]
+    
+    # GET :controller/
+    def index
+        authorize! :index, @model
+
+        # Custom Action
+        status, result = check_for_custom_action
+        return render json: result, status: 200 if status == true
+
+        # Normal Index Action with Ransack querying
+        @q = (@model.column_names.include?("user_id") ? @model.where(user_id: current_user.id) : @model).ransack(@query.presence|| params[:q])
+        @records_all = @q.result(distinct: true)
+        page = (@page.presence || params[:page])
+        per = (@per.presence || params[:per])
+        pages_info = (@pages_info.presence || params[:pages_info])
+        count = (@count.presence || params[:count])
+        # Paging
+        @records = @records_all.page(page).per(per)
+        
+        # If there's the keyword pagination_info, then return a pagination info object
+        return render json: MultiJson.dump({count: @records_all.count,current_page_count: @records.count,next_page: @records.next_page,prev_page: @records.prev_page,is_first_page: @records.first_page?,is_last_page: @records.last_page?,is_out_of_range: @records.out_of_range?,pages_count: @records.total_pages,current_page_number: @records.current_page }) if !pages_info.blank?
+        
+        # puts "ALL RECORDS FOUND: #{@records_all.inspect}"
+        status = @records_all.blank? ? 404 : 200
+        # puts "If it's asked for page number, then paginate"
+        return render json: MultiJson.dump(@records, json_attrs), status: status if !page.blank? # (@json_attrs || {})
+        #puts "if you ask for count, then return a json object with just the number of objects"
+        return render json: MultiJson.dump({count: @records_all.count}) if !count.blank?
+        #puts "Default"
+        json_out = MultiJson.dump(@records_all, json_attrs)
+        #puts "JSON ATTRS: #{json_attrs}"
+        #puts "JSON OUT: #{json_out}"
+        render json: json_out, status: status #(@json_attrs || {})
+    end
+    
+    def show
+        authorize! :show, @record_id
+
+        # Custom Show Action
+        status, result = check_for_custom_action
+        return render json: result, status: 200 if status == true
+
+        # Normal Show
+        result = @record.to_json(json_attrs)
+        render json: result, status: 200
+    end
+    
+    def create
+        @record = @model.new(@body)
+        authorize! :create, @record
+
+        # Custom Action
+        status, result = check_for_custom_action
+        return render json: result, status: 200 if status == true
+
+        # Normal Create Action
+        @record.user_id = current_user.id if @model.column_names.include? "user_id"
+        @record.save!
+        render json: @record.to_json(json_attrs), status: 201
+    end
+    
+    def update
+        authorize! :update, @record
+
+        # Custom Action
+        status, result = check_for_custom_action
+        return render json: result, status: 200 if status == true
+
+        # Normal Update Action
+        @record.update_attributes!(@body)
+        render json: @record.to_json(json_attrs), status: 200
+    end
+    
+    def destroy
+        authorize! :destroy, @record
+
+        # Custom Action
+        status, result = check_for_custom_action
+        return render json: result, status: 200 if status == true
+
+        # Normal Destroy Action
+        return api_error(status: 500) unless @record.destroy
+        head :ok
+    end
+    
+    private
+
+    def check_for_custom_action
+        ## CUSTOM ACTION
+        # [GET|PUT|POST|DELETE] :controller?do=:custom_action
+        # or
+        # [GET|PUT|POST|DELETE] :controller/:id?do=:custom_action
+        unless params[:do].blank?
+            # Poor man's solution to avoid the possibility to 
+            # call an unwanted method in the AR Model.
+            resource = "custom_action_#{params[:do]}"
+            raise NoMethodError unless @model.respond_to?(resource)
+            return true, MultiJson.dump(params[:id].blank? ? @model.send(resource, params) : @model.send(resource, params[:id].to_i, params))
+        end
+        # if it's here there is no custom action in the request querystring
+        return false
+    end
+    
+    def authenticate_request
+        @current_user = AuthorizeApiRequest.call(request.headers).result
+        return unauthenticated! unless @current_user
+        current_user = @current_user
+        params[:current_user_id] = @current_user.id
+        # Now every time the user fires off a successful GET request, 
+        # a new token is generated and passed to them, and the clock resets.
+        response.headers['Token'] = JsonWebToken.encode(user_id: current_user.id)
+    end
+    
+    def find_record
+        record_id ||= (params[:path].split("/").second.to_i rescue nil)
+        @record = @model.column_names.include?("user_id") ? @model.where(id: (record_id.presence || @record_id.presence || params[:id]), user_id: current_user.id).first : @model.find((@record_id.presence || params[:id]))
+        return not_found! if @record.blank?
+    end
+    
+    def json_attrs
+        ((@model.json_attrs.presence || @json_attrs.presence || {}) rescue {})
+    end
+    
+    def extract_model
+        # This method is only valid for ActiveRecords
+        # For any other model-less controller, the actions must be 
+        # defined in the route, and must exist in the controller definition.
+        # So, if it's not an activerecord, the find model makes no sense at all
+        # thus must return 404.
+        @model = (params[:ctrl].classify.constantize rescue params[:path].split("/").first.classify.constantize rescue controller_path.classify.constantize rescue controller_name.classify.constantize rescue nil)
+        # Getting the body of the request if it exists, it's ok the singular or 
+        # plural form, this helps with automatic tests with Insomnia.
+        @body = params[@model.model_name.singular].presence || params[@model.model_name.route_key]
+        # Only ActiveRecords can have this model caputed 
+        return not_found! if (!@model.new.is_a? ActiveRecord::Base rescue false)
+    end
+
+    # Nullifying strong params for API
+    def params
+        request.parameters
+    end
+end

data/app/controllers/api/v2/authentication_controller.rb

@@ -0,0 +1,12 @@
+class Api::V2::AuthenticationController < ActionController::API
+    include ::ApiExceptionManagement
+
+    def authenticate
+        command = AuthenticateUser.call(params[:auth][:email], params[:auth][:password])
+        
+        if command.success?
+            response.headers['Token'] = command.result
+            head :ok
+        end
+    end
+end

data/app/controllers/api/v2/info_controller.rb

@@ -0,0 +1,68 @@
+class Api::V2::InfoController < Api::V2::ApplicationController
+  # Info uses a different auth method: username and password
+  skip_before_action :authenticate_request, only: [:version], raise: false
+  skip_before_action :extract_model
+  
+  # api :GET, '/api/v2/info/version', "Just prints the APPVERSION."
+  def version
+    render json: { version: ModelDrivenApi::VERSION }.to_json, status: 200
+  end
+
+  # api :GET, '/api/v2/info/roles'
+  # it returns the roles list
+  def roles
+    render json: ::Role.all.to_json, status: 200
+  end
+
+  # GET '/api/v2/info/translations'
+  def translations
+    render json: I18n.t(".", locale: (params[:locale].presence || :it)).to_json, status: 200
+  end
+
+  # GET '/api/v2/info/schema'
+  def schema
+    pivot = {}
+    # if Rails.env.development?
+    #   Rails.configuration.eager_load_namespaces.each(&:eager_load!) if Rails.version.to_i == 5 #Rails 5
+    #   Zeitwerk::Loader.eager_load_all if Rails.version.to_i >= 6 #Rails 6
+    # end
+    ApplicationRecord.subclasses.each do |d|
+      # Only if current user can read the model
+      if can? :read, d
+        model = d.to_s.underscore.tableize
+        pivot[model] ||= {}
+        d.columns_hash.each_pair do |key, val| 
+          pivot[model][key] = val.type unless key.ends_with? "_id"
+        end
+        # Only application record descendants to have a clean schema
+        pivot[model][:associations] ||= {
+          has_many: d.reflect_on_all_associations(:has_many).map { |a| 
+            a.name if (((a.options[:class_name].presence || a.name).to_s.classify.constantize.new.is_a? ApplicationRecord) rescue false)
+          }.compact, 
+          belongs_to: d.reflect_on_all_associations(:belongs_to).map { |a| 
+            a.name if (((a.options[:class_name].presence || a.name).to_s.classify.constantize.new.is_a? ApplicationRecord) rescue false)
+          }.compact
+        }
+        pivot[model][:methods] ||= (d.instance_methods(false).include?(:json_attrs) && !d.json_attrs.blank?) ? d.json_attrs[:methods] : nil
+      end
+    end
+    render json: pivot.to_json, status: 200
+  end
+
+  # GET '/api/v2/info/dsl'
+  def dsl
+    pivot = {}
+    # if Rails.env.development?
+    #   Rails.configuration.eager_load_namespaces.each(&:eager_load!) if Rails.version.to_i == 5 #Rails 5
+    #   Zeitwerk::Loader.eager_load_all if Rails.version.to_i >= 6 #Rails 6
+    # end
+    ApplicationRecord.subclasses.each do |d|
+      # Only if current user can read the model
+      if can? :read, d
+        model = d.to_s.underscore.tableize
+        pivot[model] = (d.instance_methods(false).include?(:json_attrs) && !d.json_attrs.blank?) ? d.json_attrs : nil
+      end
+    end
+    render json: pivot.to_json, status: 200
+  end
+end

data/app/controllers/api/v2/users_controller.rb

@@ -0,0 +1,9 @@
+class Api::V2::UsersController < Api::V2::ApplicationController
+  before_action :check_demoting, only: [ :update, :destroy ]
+  
+  private
+  
+  def check_demoting
+    unauthorized! StandardError.new("You cannot demote yourself") if (params[:id].to_i == current_user.id && (params[:user].keys.include?("admin") || params[:user].keys.include?("locked")))
+  end
+end

data/config/initializers/after_initialize_for_model_driven_api.rb

@@ -0,0 +1,9 @@
+require 'concerns/model_driven_api_user'
+require 'concerns/model_driven_api_role'
+
+Rails.application.configure do
+    config.after_initialize do
+        User.send(:include, ModelDrivenApiUser)
+        Role.send(:include, ModelDrivenApiRole)
+    end
+end

data/config/initializers/cors_api_thecore.rb

@@ -0,0 +1,11 @@
+# config/initializers/cors.rb
+Rails.application.config.middleware.insert_before 0, Rack::Cors do
+  allow do
+    origins '*'
+    resource '*',
+      headers: %w(Token),
+      methods: :any,
+      expose: %w(Token),
+      max_age: 600
+  end
+end

data/config/initializers/knock.rb

@@ -0,0 +1,59 @@
+# Knock.setup do |config|
+
+#   ## Expiration claim
+#   ## ----------------
+#   ##
+#   ## How long before a token is expired. If nil is provided, token will
+#   ## last forever.
+#   ##
+#   ## Default:
+#   # config.token_lifetime = 1.day
+
+
+#   ## Audience claim
+#   ## --------------
+#   ##
+#   ## Configure the audience claim to identify the recipients that the token
+#   ## is intended for.
+#   ##
+#   ## Default:
+#   # config.token_audience = nil
+
+#   ## If using Auth0, uncomment the line below
+#   # config.token_audience = -> { Rails.application.secrets.auth0_client_id }
+
+#   ## Signature algorithm
+#   ## -------------------
+#   ##
+#   ## Configure the algorithm used to encode the token
+#   ##
+#   ## Default:
+#   # config.token_signature_algorithm = 'HS256'
+
+#   ## Signature key
+#   ## -------------
+#   ##
+#   ## Configure the key used to sign tokens.
+#   ##
+#   ## Default:
+#   # config.token_secret_signature_key = -> { Rails.application.secrets.secret_key_base }
+
+#   ## If using Auth0, uncomment the line below
+#   # config.token_secret_signature_key = -> { JWT.base64url_decode Rails.application.secrets.auth0_client_secret }
+
+#   ## Public key
+#   ## ----------
+#   ##
+#   ## Configure the public key used to decode tokens, if required.
+#   ##
+#   ## Default:
+#   # config.token_public_key = nil
+
+#   ## Exception Class
+#   ## ---------------
+#   ##
+#   ## Configure the exception to be used when user cannot be found.
+#   ##
+#   ## Default:
+#   # config.not_found_exception_class_name = 'ActiveRecord::RecordNotFound'
+# end

data/config/initializers/wrap_parameters.rb

@@ -0,0 +1,14 @@
+# Be sure to restart your server when you modify this file.
+
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+  wrap_parameters format: [:json] if respond_to?(:wrap_parameters)
+end
+
+# To enable root element in JSON for ActiveRecord objects.
+# ActiveSupport.on_load(:active_record) do
+#  self.include_root_in_json = true
+# end

data/config/routes.rb

@@ -0,0 +1,33 @@
+# require 'ransack'
+
+Rails.application.routes.draw do
+    # REST API (Stateless)
+    namespace :api, constraints: { format: :json } do
+        namespace :v2 do
+            resources :users
+
+            namespace :info do
+                get :version
+                get :roles
+                get :translations
+                get :schema
+                get :dsl
+            end
+
+            post "authenticate" => "authentication#authenticate"
+            post ":ctrl/search" => 'application#index'
+
+            # Catchall routes
+            # # CRUD Show
+            get '*path/:id', to: 'application#show'
+            # # CRUD Index
+            get '*path', to: 'application#index'
+            # # CRUD Create
+            post '*path', to: 'application#create'
+            # # CRUD Update
+            put '*path/:id', to: 'application#update'
+            # # CRUD DElete
+            delete '*path/:id', to: 'application#destroy'
+        end
+    end
+end

data/lib/concerns/api_exception_management.rb

@@ -0,0 +1,58 @@
+module ApiExceptionManagement
+    extend ActiveSupport::Concern
+    
+    included do
+        rescue_from NoMethodError, with: :not_found!
+        rescue_from CanCan::AccessDenied, with: :unauthorized!
+        rescue_from AuthenticateUser::AccessDenied, with: :unauthenticated!
+        rescue_from ActionController::RoutingError, with: :not_found!
+        rescue_from ActiveModel::ForbiddenAttributesError, with: :fivehundred!
+        rescue_from ActiveRecord::RecordInvalid, with: :invalid!
+        rescue_from ActiveRecord::RecordNotFound, with: :not_found!
+        
+        def unauthenticated! exception = AuthenticateUser::AccessDenied.new
+            response.headers['WWW-Authenticate'] = "Token realm=Application"
+            return api_error status: 401, errors: exception.message
+        end
+        
+        def unauthorized! exception = CanCan::AccessDenied.new
+            return api_error status: 403, errors: exception.message
+        end
+        
+        def not_found! exception = StandardError.new
+            return api_error status: 404, errors: exception.message
+        end
+        
+        def invalid! exception = StandardError.new
+            return api_error status: 422, errors: exception.record.errors 
+        end
+        
+        def fivehundred! exception = StandardError.new
+            return api_error status: 500, errors: exception.message
+        end
+        
+        def api_error(status: 500, errors: [])
+            # puts errors.full_messages if !Rails.env.production? && errors.respond_to?(:full_messages)
+            head status && return if errors.empty?
+            
+            # For retrocompatibility, I try to send back only strings, as errors
+            errors_response = if errors.respond_to?(:full_messages) 
+                # Validation Errors
+                errors.full_messages.join(", ")
+            elsif errors.respond_to?(:error)
+                # Generic uncatched error
+                errors.error
+            elsif errors.respond_to?(:exception)
+                # Generic uncatchd error, if the :error property does not exist, exception will
+                errors.exception
+            elsif errors.is_a? Array
+                # An array of values, I like to have them merged
+                errors.join(", ")
+            else
+                # Uncatched Error, comething I don't know, I must return the errors as it is
+                errors
+            end
+            render json: {error: errors_response}, status: status
+        end
+    end
+end

data/lib/concerns/model_driven_api_role.rb

@@ -0,0 +1,47 @@
+module ModelDrivenApiRole
+    extend ActiveSupport::Concern
+    
+    included do
+        ## DSL (AKA what to show in the returned JSON)
+        # Use @@json_attrs to drive json rendering for 
+        # API model responses (index, show and update ones).
+        # For reference:
+        # https://api.rubyonrails.org/classes/ActiveModel/Serializers/JSON.html
+        # The object passed accepts only these keys:
+        # - only: list [] of model field names in symbol notation to be shown in JSON 
+        #       serialization.
+        # - except: exclude these fields from the JSON serialization, is a list []
+        #        of model field names in symbol notation.
+        # - methods: include the result of some methods defined in the model (virtual
+        #       fields).
+        # - include: include associated models, it's a list [] of hashes {} which also 
+        #       accepts the [:only, :except, :methods, :include] keys.
+        cattr_accessor :json_attrs
+        @@json_attrs = ModelDrivenApi.smart_merge((json_attrs || {}), {
+            except: [
+                :lock_version,
+                :created_at,
+                :updated_at
+            ],
+            include: [users: {
+                only: [:id]
+            }]
+        })
+
+        ## CUSTOM ACTIONS
+        # Here you can add custom actions to be called from the API
+        # The action must return an serializable (JSON) object.
+
+        # Here you can find an example *without* ID, in the API it could be called like this:
+        # GET /api/v2/:controller?do=test&parameter=sample
+        # def self.custom_action_test params=nil
+        #     { test: [ :first, :second, :third ], params: params}
+        # end
+
+        # Here you can find an example *with* ID, in the API it could be called like this:
+        # GET /api/v2/:controller/:id?do=test_with_id&parameter=sample
+        # def self.custom_action_test_with_id id=nil, params=nil
+        #     { test: [ :first, :second, :third ], id: id, params: params}
+        # end
+    end
+end

data/lib/concerns/model_driven_api_user.rb

@@ -0,0 +1,46 @@
+module ModelDrivenApiUser
+    extend ActiveSupport::Concern
+    
+    included do
+
+        ## DSL (AKA what to show in the returned JSON)
+        # Use @@json_attrs to drive json rendering for 
+        # API model responses (index, show and update ones).
+        # For reference:
+        # https://api.rubyonrails.org/classes/ActiveModel/Serializers/JSON.html
+        # The object passed accepts only these keys:
+        # - only: list [] of model field names in symbol notation to be shown in JSON 
+        #       serialization.
+        # - except: exclude these fields from the JSON serialization, is a list []
+        #        of model field names in symbol notation.
+        # - methods: include the result of some methods defined in the model (virtual
+        #       fields).
+        # - include: include associated models, it's a list [] of hashes {} which also 
+        #       accepts the [:only, :except, :methods, :include] keys.
+        cattr_accessor :json_attrs
+        @@json_attrs = ModelDrivenApi.smart_merge((json_attrs || {}), {
+            except: [
+                :lock_version,
+                :created_at,
+                :updated_at
+            ],
+            include: [:roles]
+        })
+
+        ## CUSTOM ACTIONS
+        # Here you can add custom actions to be called from the API
+        # The action must return an serializable (JSON) object.
+
+        # Here you can find an example *without* ID, in the API it could be called like this:
+        # GET /api/v2/:controller?do=test&parameter=sample
+        # def self.custom_action_test params=nil
+        #     { test: [ :first, :second, :third ], params: params}
+        # end
+
+        # Here you can find an example *with* ID, in the API it could be called like this:
+        # GET /api/v2/:controller/:id?do=test_with_id&parameter=sample
+        # def self.custom_action_test_with_id id=nil, params=nil
+        #     { test: [ :first, :second, :third ], id: id, params: params}
+        # end
+    end
+end

data/lib/json_web_token.rb

@@ -0,0 +1,14 @@
+class JsonWebToken
+    class << self
+      def encode(payload, expiry = 15.minutes.from_now.to_i)
+        JWT.encode(payload.merge(exp: expiry), Rails.application.secrets.secret_key_base)
+      end
+      
+      def decode(token)
+        body = JWT.decode(token, Rails.application.secrets.secret_key_base)[0]
+        HashWithIndifferentAccess.new body
+      rescue
+        nil
+      end
+    end
+  end

data/lib/model_driven_api/engine.rb

@@ -0,0 +1,12 @@
+module ModelDrivenApi
+  class Engine < ::Rails::Engine
+    # appending migrations to the main app's ones
+    initializer :append_migrations do |app|
+      unless app.root.to_s.match root.to_s
+        config.paths["db/migrate"].expanded.each do |expanded_path|
+          app.config.paths["db/migrate"] << expanded_path
+        end
+      end
+    end
+  end
+end

data/lib/model_driven_api/version.rb

@@ -0,0 +1,3 @@
+module ModelDrivenApi
+  VERSION = '2.2.4'
+end

data/lib/model_driven_api.rb

@@ -0,0 +1,23 @@
+require 'thecore_backend_commons'
+require 'rack/cors'
+require 'ransack'
+require 'json_web_token'
+require "kaminari"
+require "multi_json"
+require "simple_command"
+
+require 'concerns/api_exception_management'
+
+require 'deep_merge/rails_compat'
+
+require "model_driven_api/engine"
+
+module ModelDrivenApi
+  def self.smart_merge src, dest
+      src.deeper_merge! dest, {
+          extend_existing_arrays: true, 
+          merge_hash_arrays: true
+      }
+      src
+  end
+end

data/lib/tasks/model_driven_api_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :model_driven_api do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,180 @@
+--- !ruby/object:Gem::Specification
+name: model_driven_api
+version: !ruby/object:Gem::Version
+  version: 2.2.4
+platform: ruby
+authors:
+- Gabriele Tassoni
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-05-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: thecore_backend_commons
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+- !ruby/object:Gem::Dependency
+  name: simple_command
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.1'
+- !ruby/object:Gem::Dependency
+  name: kaminari
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: ransack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: rack-cors
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.14'
+- !ruby/object:Gem::Dependency
+  name: deep_merge
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+description: Ruby on Rails REST APIs built by convention using the DB schema as the
+  foundation.
+email:
+- gabriele.tassoni@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- app/commands/authenticate_user.rb
+- app/commands/authorize_api_request.rb
+- app/controllers/api/v2/application_controller.rb
+- app/controllers/api/v2/authentication_controller.rb
+- app/controllers/api/v2/info_controller.rb
+- app/controllers/api/v2/users_controller.rb
+- config/initializers/after_initialize_for_model_driven_api.rb
+- config/initializers/cors_api_thecore.rb
+- config/initializers/knock.rb
+- config/initializers/wrap_parameters.rb
+- config/routes.rb
+- lib/concerns/api_exception_management.rb
+- lib/concerns/model_driven_api_role.rb
+- lib/concerns/model_driven_api_user.rb
+- lib/json_web_token.rb
+- lib/model_driven_api.rb
+- lib/model_driven_api/engine.rb
+- lib/model_driven_api/version.rb
+- lib/tasks/model_driven_api_tasks.rake
+homepage: https://github.com/gabrieletassoni/model_driven_api
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Convention based RoR engine which uses DB schema introspection to create
+  REST APIs.
+test_files: []