onetime-up 0.6.0 → 0.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: daf373c819502e6a34a5a85fe033e39323cec0d5136af81b394fcd597171601f
-  data.tar.gz: 9c5408c3eed4b30065a4093a0e2302fd41f96a127607feaef0e72200b534c3de
+  metadata.gz: 829b100c0882cdb8e5f797d27d0f9e52e576cd20f20235f7836532f3872b74ea
+  data.tar.gz: 9df7bd8e315d3fe6339619016b1b03c0450bbfb9c6a83644f1ce9bcf77e77fd6
 SHA512:
-  metadata.gz: a3149a2f9bfe3112ebcdcbaedabb184d42e0849781b589a8bfaf54a001b5f1b97437d922b59b31911c087563b2182f69761c4e1b34325637c9a0a4090132733d
-  data.tar.gz: 5032db644622b154dfd770a974befb924a9bed99c2f0548e3f4f1abf417a9296355b89b09b241d28f3ee645dfb69e1042205fd4abb6bf005bc3ac4819c87d12c
+  metadata.gz: 905c34dd750efb26e2d3af6314d22b30d8a101885a9eef965d730a2c71849b80b54e6ddf6bad8f952c1de8a4a822b1df0f26667dc7b4cc883fec0efe25221d6d
+  data.tar.gz: 53e8f305c78a4a79a539adb359508078835ae83f96156f8c9abd503ff7adce81d758411d86efffb30833eae46588ff5e8d6937dd316892020bc5291712d60f44

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## [Unreleased]
+
+### Fixed
+
+- Update library callers to API v2 response shapes (`record.receipt`, `record.secret`, reveal `record.secret_value`)
+- Restore `apiversion` path handling for callers that pass an API version explicitly
+- Add safer CLI response handling for changed or partial API responses
+- Accept secret URLs from root and regional onetimesecret.com hosts
+
 ## [0.6.0] - 2026-01-18
 
 ### Added
@@ -8,9 +17,11 @@ Major/breaking changes:
 
 - Upgrade to API v2
 - Rename command "metadata" to "receipt"
+- Change the default API host from the root service to the EU region (`https://eu.onetimesecret.com/api`)
 
 Other changes:
 
+- Add opt-in official API contract validation for v2 endpoint shapes
 - Remove Rakefile, signing data and Jeweler references
 - Simplified and modernized gemspec (set minimum Ruby to 3.2)
 - Add Gemfile

data/README.md

@@ -2,8 +2,43 @@
 
 Fork of the Ruby program [`One-Time Secret`](https://github.com/onetimesecret/onetime-ruby), using the API v2.
 
-See the original website for usage (commands are unchanged).
+## Basic usage
+
+Share a secret:
+
+```sh
+echo "secret text" | onetime share
+```
+
+Share a secret protected by a passphrase:
+
+```sh
+echo "secret text" | onetime share -p "shared-passphrase"
+```
+
+Retrieve a secret:
+
+```sh
+onetime secret SECRET_KEY
+```
+
+Generate a random secret:
+
+```sh
+onetime generate
+```
+
+Use JSON or YAML output:
+
+```sh
+onetime -j generate
+onetime -y receipt RECEIPT_KEY
+```
 
 ## Breaking changes
 
 The command `metadata` has been renamed `receipt` for consistency with the API.
+
+The default API host is now `https://eu.onetimesecret.com/api`.
+
+The library now uses API v2 response shapes. Programmatic callers should read receipt data from `record.receipt` and secret data from `record.secret` or reveal responses from `record.secret_value`.

data/bin/onetime

@@ -51,7 +51,7 @@ class Onetime::CLI
       if @res.nil?
         raise RuntimeError, 'Could not complete request'
       elsif @api.response.code != 200
-        raise RuntimeError, @res['message']
+        raise RuntimeError, OT::API.response_error_message(@res)
       end
       case obj.global.format
       when 'json'
@@ -71,11 +71,15 @@ class Onetime::CLI
     command :receipt do |obj|
       raise RuntimeError, "csv not supported" if obj.global.format == 'csv'
       raise RuntimeError, "Usage: #{$0} receipt <KEY>" unless obj.argv.key
-      @res = @api.get '/receipt/%s' % obj.argv.key
+
+      # Handle case where argv.key might be an array due to drydock parsing
+      receipt_key = Array(obj.argv.key).first.to_s
+
+      @res = @api.get '/receipt/%s' % receipt_key
       if @res.nil?
         raise RuntimeError, 'Could not complete request'
       elsif @api.response.code != 200
-        raise RuntimeError, @res['message']
+        raise RuntimeError, OT::API.response_error_message(@res)
       end
       case obj.global.format
       when 'json'
@@ -94,17 +98,18 @@ class Onetime::CLI
     command :secret do |obj|
       raise RuntimeError, "csv not supported" if obj.global.format == 'csv'
       raise RuntimeError, "Usage: #{$0} secret <KEY>" unless obj.argv.key
-      opts = {}
+
+      # Handle case where argv.key might be an array due to drydock parsing
+      secret_key = Array(obj.argv.key).first.to_s
+
+      opts = { continue: true }
       opts[:passphrase] = obj.option.passphrase if obj.option.passphrase
-      base_uri = URI.parse Onetime::API.base_uri
-      if obj.argv.key =~ /#{base_uri.hostname}\/secret\/([a-zA-Z0-9]+)/
-        obj.argv.key = $1
-      end
-      @res = @api.post '/secret/%s/reveal' % [obj.argv.key], opts
+      secret_key = OT::API.extract_secret_key(secret_key)
+      @res = @api.post '/secret/%s/reveal' % [secret_key], opts
       if @res.nil?
         raise RuntimeError, 'Could not complete request'
       elsif @api.response.code != 200
-        raise RuntimeError, @res['message']
+        raise RuntimeError, OT::API.response_error_message(@res)
       end
       case obj.global.format
       when 'json'
@@ -112,7 +117,7 @@ class Onetime::CLI
       when 'yaml'
         puts @res.to_yaml
       else
-        value = @res['record'] && @res['record']['value']
+        value = @res.dig('record', 'secret_value')
         puts value if value
       end
     end
@@ -146,9 +151,10 @@ class Onetime::CLI
       if @res.nil?
         raise RuntimeError, 'Could not complete request'
       elsif @api.response.code != 200
-        raise RuntimeError, @res['message']
+        raise RuntimeError, OT::API.response_error_message(@res)
       end
-      secret_key = @res['record']['secret']['key']
+      secret_key = OT::API.secret_key_from_response(@res)
+      raise RuntimeError, 'Unexpected response: missing record.secret.key' unless secret_key
       uri = OT::API.web_uri('secret', secret_key)
       case obj.global.format
       when 'json'
@@ -156,9 +162,9 @@ class Onetime::CLI
       when 'yaml'
         puts @res.to_yaml
       else
-        recipient = @res['details']['recipient']
-        if recipient && !recipient.compact.empty?
-          STDERR.puts '# Secret link sent to: %s' % recipient.join(',')
+        recipients = OT::API.recipients_from_response(@res)
+        if !recipients.empty?
+          STDERR.puts '# Secret link sent to: %s' % recipients.join(',')
         else
           puts uri
         end
@@ -178,9 +184,10 @@ class Onetime::CLI
       if @res.nil?
         raise RuntimeError, 'Could not complete request'
       elsif @api.response.code != 200
-        raise RuntimeError, @res['message']
+        raise RuntimeError, OT::API.response_error_message(@res)
       end
-      secret_key = @res['record']['secret']['key']
+      secret_key = OT::API.secret_key_from_response(@res)
+      raise RuntimeError, 'Unexpected response: missing record.secret.key' unless secret_key
       uri = OT::API.web_uri('secret', secret_key)
       case obj.global.format
       when 'json'
@@ -190,9 +197,9 @@ class Onetime::CLI
       when 'csv'
         puts uri
       else
-        recipient = @res['details']['recipient']
-        if recipient && !recipient.compact.empty?
-          STDERR.puts '# Secret link sent to: %s' % recipient.join(',')
+        recipients = OT::API.recipients_from_response(@res)
+        if !recipients.empty?
+          STDERR.puts '# Secret link sent to: %s' % recipients.join(',')
         else
           puts uri
         end

data/lib/onetime/api.rb

@@ -41,11 +41,12 @@ module Onetime
     base_uri 'https://eu.onetimesecret.com/api'
     format :json
     headers 'X-Onetime-Client' => 'ruby: %s/%s' % [RUBY_VERSION, Onetime::VERSION]
-    attr_reader :opts, :response, :custid, :key, :default_params, :anonymous
+    attr_reader :opts, :response, :custid, :key, :default_params, :anonymous, :apiversion
     def initialize custid=nil, key=nil, opts={}
       unless ENV['ONETIME_HOST'].to_s.empty?
         self.class.base_uri ENV['ONETIME_HOST']
       end
+      @apiversion = opts.delete(:apiversion) || opts.delete('apiversion') || 2
       @opts = opts
       @default_params = {}
       @custid = custid || ENV['ONETIME_CUSTID']
@@ -65,8 +66,15 @@ module Onetime
       opts[:query] = (params || {}).merge default_params
       execute_request :get, path, opts
     end
-    def post path, params=nil
+    def post path, params=nil, request_opts={}
       opts = self.opts.clone
+      wrap = if request_opts.key?(:wrap)
+        request_opts[:wrap]
+      elsif request_opts.key?('wrap')
+        request_opts['wrap']
+      else
+        :auto
+      end
       body_params = (params || {}).merge default_params
 
       # V2 API uses JSON format
@@ -75,9 +83,7 @@ module Onetime
         'Accept' => 'application/json'
       })
 
-      # Only /secret/conceal and /secret/generate wrap params in "secret" key
-      # Other endpoints (reveal, burn, etc.) do NOT wrap
-      if path =~ /\/secret\/(conceal|generate)$/
+      if wrap_secret_body?(path, wrap)
         body_params = { secret: body_params }
       end
 
@@ -86,16 +92,21 @@ module Onetime
       execute_request :post, path, opts
     end
     def api_path *args
-      args.unshift ['', 'v2'] # force leading slash and v2 version
+      args.unshift ['', "v#{apiversion}"] # force leading slash and version
       path = args.flatten.join('/')
       path.gsub(/\/+/, '/')
     end
     private
+    def wrap_secret_body?(path, wrap)
+      return false if wrap == false || wrap.nil?
+      return true if wrap == :secret
+      api_path(path).match?(%r{\A/v\d+/secret/(conceal|generate)/?\z})
+    end
+
     def execute_request meth, path, opts
       path = api_path [path]
       @response = self.class.send meth, path, opts
-      result = self.class.indifferent_params @response.parsed_response
-      result
+      self.class.indifferent_params @response.parsed_response
     end
     class << self
       def web_uri *args
@@ -128,6 +139,55 @@ module Onetime
       def indifferent_hash
         Hash.new {|hash,key| hash[key.to_s] if Symbol === key }
       end
+      def extract_secret_key(value, api_base_uri=base_uri)
+        return value unless value
+
+        uri = URI.parse(value.to_s)
+        return value unless uri.host && uri.path
+        return value unless accepted_secret_host?(uri.host, api_base_uri)
+
+        match = uri.path.match(%r{\A/secret/([a-zA-Z0-9]+)\z})
+        match ? match[1] : value
+      rescue URI::InvalidURIError
+        value
+      end
+
+      def response_error_message(response)
+        return 'Could not complete request' if response.nil?
+
+        # Symbol lookups preserve behavior for plain Ruby hashes even though
+        # parsed API responses usually support indifferent access.
+        ['message', :message, 'error', :error, 'field', :field].each do |key|
+          value = response[key] if response.respond_to?(:[])
+          return value.to_s unless value.to_s.empty?
+        end
+        response.to_s
+      end
+
+      def secret_key_from_response(response)
+        response&.dig('record', 'secret', 'key')
+      end
+
+      def receipt_key_from_response(response)
+        response&.dig('record', 'receipt', 'key') || response&.dig('record', 'metadata', 'key')
+      end
+
+      def recipients_from_response(response)
+        recipients = response&.dig('record', 'receipt', 'recipients')
+        if recipients.nil? || recipients == '' || (recipients.is_a?(Array) && recipients.empty?)
+          recipients = response&.dig('details', 'recipient')
+        end
+        Array(recipients).flatten.compact.reject { |recipient| recipient.to_s.empty? }
+      end
+
+      private
+
+      def accepted_secret_host?(host, api_base_uri)
+        configured_host = URI.parse(api_base_uri.to_s).host
+        host == configured_host || host == 'onetimesecret.com' || host.end_with?('.onetimesecret.com')
+      rescue URI::InvalidURIError
+        host == 'onetimesecret.com' || host.end_with?('.onetimesecret.com')
+      end
     end
   end
 end

data/lib/onetime/version.rb

@@ -1,3 +1,3 @@
 module Onetime
-  VERSION = "0.6.0"
+  VERSION = "0.6.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: onetime-up
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.6.2
 platform: ruby
 authors:
 - Delano Mandelbaum
 - Saverio Miroddi
 bindir: bin
 cert_chain: []
-date: 1980-01-02 00:00:00.000000000 Z
+date: 2026-05-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: drydock
@@ -102,7 +102,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 2.0.0
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 4.0.7
 specification_version: 4
 summary: Command-line tool and library for onetimesecret.com API (API v2)
 test_files: []