onetime-up 0.6.1 → 0.6.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2365f0f0c13cd862a91ae999e1ba0da6c17fcf764d523e8e1c53571709e12025
-  data.tar.gz: 91f6e4b782395f53047321174913a5719a05c1a0af2d5336897a4a90e47da6b5
+  metadata.gz: 829b100c0882cdb8e5f797d27d0f9e52e576cd20f20235f7836532f3872b74ea
+  data.tar.gz: 9df7bd8e315d3fe6339619016b1b03c0450bbfb9c6a83644f1ce9bcf77e77fd6
 SHA512:
-  metadata.gz: af94a360f15d01c1e70ec0284d9ffe31ec709012f7f5f2af5b3e618de0ad0b6533fa4b2aa07aecaf384fce3bc5cf2c2f60fead9d36670359e19e2309fc1a0862
-  data.tar.gz: af55d8f2c1b2b72aaa933dd5231bbcb0b11972b13c4d6190889feca72e78010e0556ae93ea3d13466a4e06a5c59fd043c07a2c03d1a4bdf7d06973e114a7b750
+  metadata.gz: 905c34dd750efb26e2d3af6314d22b30d8a101885a9eef965d730a2c71849b80b54e6ddf6bad8f952c1de8a4a822b1df0f26667dc7b4cc883fec0efe25221d6d
+  data.tar.gz: 53e8f305c78a4a79a539adb359508078835ae83f96156f8c9abd503ff7adce81d758411d86efffb30833eae46588ff5e8d6937dd316892020bc5291712d60f44

data/CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## [Unreleased]
+
+### Fixed
+
+- Update library callers to API v2 response shapes (`record.receipt`, `record.secret`, reveal `record.secret_value`)
+- Restore `apiversion` path handling for callers that pass an API version explicitly
+- Add safer CLI response handling for changed or partial API responses
+- Accept secret URLs from root and regional onetimesecret.com hosts
+
 ## [0.6.0] - 2026-01-18
 
 ### Added
@@ -8,9 +17,11 @@ Major/breaking changes:
 
 - Upgrade to API v2
 - Rename command "metadata" to "receipt"
+- Change the default API host from the root service to the EU region (`https://eu.onetimesecret.com/api`)
 
 Other changes:
 
+- Add opt-in official API contract validation for v2 endpoint shapes
 - Remove Rakefile, signing data and Jeweler references
 - Simplified and modernized gemspec (set minimum Ruby to 3.2)
 - Add Gemfile

data/README.md

@@ -2,8 +2,43 @@
 
 Fork of the Ruby program [`One-Time Secret`](https://github.com/onetimesecret/onetime-ruby), using the API v2.
 
-See the original website for usage (commands are unchanged).
+## Basic usage
+
+Share a secret:
+
+```sh
+echo "secret text" | onetime share
+```
+
+Share a secret protected by a passphrase:
+
+```sh
+echo "secret text" | onetime share -p "shared-passphrase"
+```
+
+Retrieve a secret:
+
+```sh
+onetime secret SECRET_KEY
+```
+
+Generate a random secret:
+
+```sh
+onetime generate
+```
+
+Use JSON or YAML output:
+
+```sh
+onetime -j generate
+onetime -y receipt RECEIPT_KEY
+```
 
 ## Breaking changes
 
 The command `metadata` has been renamed `receipt` for consistency with the API.
+
+The default API host is now `https://eu.onetimesecret.com/api`.
+
+The library now uses API v2 response shapes. Programmatic callers should read receipt data from `record.receipt` and secret data from `record.secret` or reveal responses from `record.secret_value`.

data/bin/onetime

@@ -51,7 +51,7 @@ class Onetime::CLI
       if @res.nil?
         raise RuntimeError, 'Could not complete request'
       elsif @api.response.code != 200
-        raise RuntimeError, @res['message']
+        raise RuntimeError, OT::API.response_error_message(@res)
       end
       case obj.global.format
       when 'json'
@@ -79,7 +79,7 @@ class Onetime::CLI
       if @res.nil?
         raise RuntimeError, 'Could not complete request'
       elsif @api.response.code != 200
-        raise RuntimeError, @res['message']
+        raise RuntimeError, OT::API.response_error_message(@res)
       end
       case obj.global.format
       when 'json'
@@ -104,15 +104,12 @@ class Onetime::CLI
 
       opts = { continue: true }
       opts[:passphrase] = obj.option.passphrase if obj.option.passphrase
-      base_uri = URI.parse Onetime::API.base_uri
-      if secret_key =~ /#{base_uri.hostname}\/secret\/([a-zA-Z0-9]+)/
-        secret_key = $1
-      end
+      secret_key = OT::API.extract_secret_key(secret_key)
       @res = @api.post '/secret/%s/reveal' % [secret_key], opts
       if @res.nil?
         raise RuntimeError, 'Could not complete request'
       elsif @api.response.code != 200
-        raise RuntimeError, @res['message']
+        raise RuntimeError, OT::API.response_error_message(@res)
       end
       case obj.global.format
       when 'json'
@@ -154,9 +151,10 @@ class Onetime::CLI
       if @res.nil?
         raise RuntimeError, 'Could not complete request'
       elsif @api.response.code != 200
-        raise RuntimeError, @res['message']
+        raise RuntimeError, OT::API.response_error_message(@res)
       end
-      secret_key = @res['record']['secret']['key']
+      secret_key = OT::API.secret_key_from_response(@res)
+      raise RuntimeError, 'Unexpected response: missing record.secret.key' unless secret_key
       uri = OT::API.web_uri('secret', secret_key)
       case obj.global.format
       when 'json'
@@ -164,9 +162,9 @@ class Onetime::CLI
       when 'yaml'
         puts @res.to_yaml
       else
-        recipient = @res['details']['recipient']
-        if recipient && !recipient.compact.empty?
-          STDERR.puts '# Secret link sent to: %s' % recipient.join(',')
+        recipients = OT::API.recipients_from_response(@res)
+        if !recipients.empty?
+          STDERR.puts '# Secret link sent to: %s' % recipients.join(',')
         else
           puts uri
         end
@@ -186,9 +184,10 @@ class Onetime::CLI
       if @res.nil?
         raise RuntimeError, 'Could not complete request'
       elsif @api.response.code != 200
-        raise RuntimeError, @res['message']
+        raise RuntimeError, OT::API.response_error_message(@res)
       end
-      secret_key = @res['record']['secret']['key']
+      secret_key = OT::API.secret_key_from_response(@res)
+      raise RuntimeError, 'Unexpected response: missing record.secret.key' unless secret_key
       uri = OT::API.web_uri('secret', secret_key)
       case obj.global.format
       when 'json'
@@ -198,9 +197,9 @@ class Onetime::CLI
       when 'csv'
         puts uri
       else
-        recipient = @res['details']['recipient']
-        if recipient && !recipient.compact.empty?
-          STDERR.puts '# Secret link sent to: %s' % recipient.join(',')
+        recipients = OT::API.recipients_from_response(@res)
+        if !recipients.empty?
+          STDERR.puts '# Secret link sent to: %s' % recipients.join(',')
         else
           puts uri
         end

data/lib/onetime/api.rb

@@ -41,11 +41,12 @@ module Onetime
     base_uri 'https://eu.onetimesecret.com/api'
     format :json
     headers 'X-Onetime-Client' => 'ruby: %s/%s' % [RUBY_VERSION, Onetime::VERSION]
-    attr_reader :opts, :response, :custid, :key, :default_params, :anonymous
+    attr_reader :opts, :response, :custid, :key, :default_params, :anonymous, :apiversion
     def initialize custid=nil, key=nil, opts={}
       unless ENV['ONETIME_HOST'].to_s.empty?
         self.class.base_uri ENV['ONETIME_HOST']
       end
+      @apiversion = opts.delete(:apiversion) || opts.delete('apiversion') || 2
       @opts = opts
       @default_params = {}
       @custid = custid || ENV['ONETIME_CUSTID']
@@ -65,8 +66,15 @@ module Onetime
       opts[:query] = (params || {}).merge default_params
       execute_request :get, path, opts
     end
-    def post path, params=nil
+    def post path, params=nil, request_opts={}
       opts = self.opts.clone
+      wrap = if request_opts.key?(:wrap)
+        request_opts[:wrap]
+      elsif request_opts.key?('wrap')
+        request_opts['wrap']
+      else
+        :auto
+      end
       body_params = (params || {}).merge default_params
 
       # V2 API uses JSON format
@@ -75,9 +83,7 @@ module Onetime
         'Accept' => 'application/json'
       })
 
-      # Only /secret/conceal and /secret/generate wrap params in "secret" key
-      # Other endpoints (reveal, burn, etc.) do NOT wrap
-      if path =~ /\/secret\/(conceal|generate)$/
+      if wrap_secret_body?(path, wrap)
         body_params = { secret: body_params }
       end
 
@@ -86,16 +92,21 @@ module Onetime
       execute_request :post, path, opts
     end
     def api_path *args
-      args.unshift ['', 'v2'] # force leading slash and v2 version
+      args.unshift ['', "v#{apiversion}"] # force leading slash and version
       path = args.flatten.join('/')
       path.gsub(/\/+/, '/')
     end
     private
+    def wrap_secret_body?(path, wrap)
+      return false if wrap == false || wrap.nil?
+      return true if wrap == :secret
+      api_path(path).match?(%r{\A/v\d+/secret/(conceal|generate)/?\z})
+    end
+
     def execute_request meth, path, opts
       path = api_path [path]
       @response = self.class.send meth, path, opts
-      result = self.class.indifferent_params @response.parsed_response
-      result
+      self.class.indifferent_params @response.parsed_response
     end
     class << self
       def web_uri *args
@@ -128,6 +139,55 @@ module Onetime
       def indifferent_hash
         Hash.new {|hash,key| hash[key.to_s] if Symbol === key }
       end
+      def extract_secret_key(value, api_base_uri=base_uri)
+        return value unless value
+
+        uri = URI.parse(value.to_s)
+        return value unless uri.host && uri.path
+        return value unless accepted_secret_host?(uri.host, api_base_uri)
+
+        match = uri.path.match(%r{\A/secret/([a-zA-Z0-9]+)\z})
+        match ? match[1] : value
+      rescue URI::InvalidURIError
+        value
+      end
+
+      def response_error_message(response)
+        return 'Could not complete request' if response.nil?
+
+        # Symbol lookups preserve behavior for plain Ruby hashes even though
+        # parsed API responses usually support indifferent access.
+        ['message', :message, 'error', :error, 'field', :field].each do |key|
+          value = response[key] if response.respond_to?(:[])
+          return value.to_s unless value.to_s.empty?
+        end
+        response.to_s
+      end
+
+      def secret_key_from_response(response)
+        response&.dig('record', 'secret', 'key')
+      end
+
+      def receipt_key_from_response(response)
+        response&.dig('record', 'receipt', 'key') || response&.dig('record', 'metadata', 'key')
+      end
+
+      def recipients_from_response(response)
+        recipients = response&.dig('record', 'receipt', 'recipients')
+        if recipients.nil? || recipients == '' || (recipients.is_a?(Array) && recipients.empty?)
+          recipients = response&.dig('details', 'recipient')
+        end
+        Array(recipients).flatten.compact.reject { |recipient| recipient.to_s.empty? }
+      end
+
+      private
+
+      def accepted_secret_host?(host, api_base_uri)
+        configured_host = URI.parse(api_base_uri.to_s).host
+        host == configured_host || host == 'onetimesecret.com' || host.end_with?('.onetimesecret.com')
+      rescue URI::InvalidURIError
+        host == 'onetimesecret.com' || host.end_with?('.onetimesecret.com')
+      end
     end
   end
 end

data/lib/onetime/version.rb

@@ -1,3 +1,3 @@
 module Onetime
-  VERSION = "0.6.1"
+  VERSION = "0.6.2"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: onetime-up
 version: !ruby/object:Gem::Version
-  version: 0.6.1
+  version: 0.6.2
 platform: ruby
 authors:
 - Delano Mandelbaum
 - Saverio Miroddi
 bindir: bin
 cert_chain: []
-date: 2026-01-19 00:00:00.000000000 Z
+date: 2026-05-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: drydock
@@ -102,7 +102,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: 2.0.0
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 4.0.7
 specification_version: 4
 summary: Command-line tool and library for onetimesecret.com API (API v2)
 test_files: []