otto 1.1.0.pre.alpha4 → 1.2.0

data/examples/basic/config.ru

@@ -0,0 +1,30 @@
+# examples/basic/config.ru
+
+# OTTO EXAMPLE APP CONFIG - 2011-12-17
+#
+# Usage:
+#
+#     $ thin -e dev -R config.ru -p 10770 start
+
+public_path = File.expand_path('../../public', __dir__)
+
+require_relative '../../lib/otto'
+require_relative 'app'
+
+app = Otto.new("routes")
+
+# DEV: Run web apps with extra logging and reloading
+if Otto.env?(:dev)
+
+  map('/') do
+    use Rack::CommonLogger
+    use Rack::Reloader, 0
+    app.option[:public] = public_path
+    app.add_static_path '/favicon.ico'
+    run app
+  end
+
+# PROD: run the webapp on the metal
+else
+  map('/') { run app }
+end

data/examples/basic/routes

@@ -0,0 +1,20 @@
+# examples/basic/routes
+
+# OTTO - ROUTES EXAMPLE
+
+# Each route has three parts:
+#  * HTTP verb (GET, POST, PUT, DELETE or HEAD)
+#  * URI path
+#  * Ruby class and method to call
+
+GET   /                         App#index
+POST  /                         App#receive_feedback
+GET   /redirect                 App#redirect
+GET   /robots.txt               App#robots_text
+
+GET   /bogus                    App#no_such_method
+
+# You can also define these handlers when no
+# route can be found or there's a server error. (optional)
+GET   /404                      App#not_found
+GET   /500                      App#server_error

data/examples/dynamic_pages/app.rb

@@ -0,0 +1,115 @@
+# examples/basic/app.rb (Streamlined with Design System)
+
+require_relative '../../lib/otto/design_system'
+
+class App
+  include Otto::DesignSystem
+
+  attr_reader :req, :res
+
+  def initialize(req, res)
+    @req = req
+    @res = res
+    res.headers['content-type'] = 'text/html; charset=utf-8'
+  end
+
+  def index
+    # This demonstrates nested heredocs in Ruby
+    # The outer heredoc uses <<~HTML delimiter
+    content = <<~HTML
+      <div class="otto-card otto-text-center">
+        <img src="/img/otto.jpg" alt="Otto Framework" class="otto-logo" />
+        <h1>Otto Framework</h1>
+        <p>Minimal Ruby web framework with style</p>
+      </div>
+
+      #{otto_card("Dynamic Pages") do
+        # This is a nested heredoc within the outer HTML heredoc
+        # It uses a different delimiter (EXAMPLES) to avoid conflicts
+        # The #{} interpolation allows the inner heredoc to be embedded
+        <<~EXAMPLES
+          #{otto_link("Product #100", "/product/100")} - View product page<br>
+          #{otto_link("Product #42", "/product/42")} - Different product<br>
+          #{otto_link("API Data", "/product/100.json")} - JSON endpoint
+        EXAMPLES
+      end}
+    HTML
+
+    res.send_cookie :sess, 1_234_567, 3600
+    res.body = otto_page(content)
+  end
+
+  def receive_feedback
+    message = req.params['msg']&.strip
+
+    content = if message.nil? || message.empty?
+      otto_alert("error", "Empty Message", "Please enter a message before submitting.")
+    else
+      otto_alert("success", "Feedback Received", "Thanks for your message!") +
+      otto_card("Your Message") { otto_code_block(message, 'text') }
+    end
+
+    content += "<p>#{otto_link("← Back", "/")}</p>"
+    res.body = otto_page(content, "Feedback")
+  end
+
+  def redirect
+    res.redirect '/robots.txt'
+  end
+
+  def robots_text
+    res.headers['content-type'] = 'text/plain'
+    res.body = ['User-agent: *', 'Disallow: /private'].join($/)
+  end
+
+  def display_product
+    prodid = req.params[:prodid]
+
+    # Check if JSON is requested via .json extension or Accept header
+    wants_json = req.path_info.end_with?('.json') ||
+                 req.env['HTTP_ACCEPT']&.include?('application/json')
+
+    if wants_json
+      res.headers['content-type'] = 'application/json; charset=utf-8'
+      res.body = format('{"product":%s,"msg":"Hint: try another value"}', prodid)
+    else
+      # Return HTML product page
+      product_data = {
+        "Product ID" => prodid,
+        "Name" => "Sample Product ##{prodid}",
+        "Price" => "$#{rand(10..999)}.99",
+        "Description" => "This is a demonstration product showing dynamic routing with parameter :prodid",
+        "Stock" => rand(0..50) > 5 ? "In Stock" : "Out of Stock"
+      }
+
+      product_html = product_data.map { |key, value|
+        "<p><strong>#{key}:</strong> #{escape_html(value.to_s)}</p>"
+      }.join
+
+      content = <<~HTML
+        #{otto_card("Product Details") { product_html }}
+
+        <p>
+          #{otto_link("← Back to Home", "/")} |
+          #{otto_link("View as JSON", "/product/#{prodid}.json")}
+        </p>
+      HTML
+
+      res.body = otto_page(content, "Product ##{prodid}")
+    end
+  end
+
+  def not_found
+    res.status = 404
+    content = otto_alert("error", "Not Found", "The requested page could not be found.")
+    content += "<p>#{otto_link("← Home", "/")}</p>"
+    res.body = otto_page(content, "404")
+  end
+
+  def server_error
+    res.status = 500
+    content = otto_alert("error", "Server Error", "An internal server error occurred.")
+    content += "<p>#{otto_link("← Home", "/")}</p>"
+    res.body = otto_page(content, "500")
+  end
+end

data/examples/dynamic_pages/config.ru

@@ -0,0 +1,30 @@
+# examples/basic/config.ru
+
+# OTTO EXAMPLE APP CONFIG - 2025-08-18
+#
+# Usage:
+#
+#     $ thin -e dev -R config.ru -p 10770 start
+
+public_path = File.expand_path('../../public', __dir__)
+
+require_relative '../../lib/otto'
+require_relative 'app'
+
+app = Otto.new("routes")
+
+# DEV: Run web apps with extra logging and reloading
+if Otto.env?(:dev)
+
+  map('/') do
+    use Rack::CommonLogger
+    use Rack::Reloader, 0
+    app.option[:public] = public_path
+    app.add_static_path '/favicon.ico'
+    run app
+  end
+
+# PROD: run the webapp on the metal
+else
+  map('/') { run app }
+end

data/{example → examples/dynamic_pages}/routes

@@ -1,3 +1,5 @@
+# examples/basic/routes
+
 # OTTO - ROUTES EXAMPLE
 
 # Each route has three parts:
@@ -13,7 +15,7 @@ GET   /product/:prodid          App#display_product
 
 GET   /bogus                    App#no_such_method
 
-# You can also define these handlers when no 
-# route can be found or there's a server error. (optional) 
+# You can also define these handlers when no
+# route can be found or there's a server error. (optional)
 GET   /404                      App#not_found
-GET   /500                      App#server_error
+GET   /500                      App#server_error

data/examples/security_features/app.rb

@@ -0,0 +1,273 @@
+# examples/security_features/app.rb (Updated with Design System)
+
+require_relative '../../lib/otto/design_system'
+
+class SecureApp
+  include Otto::DesignSystem
+  include Otto::Security::CSRFHelpers
+
+  attr_reader :req, :res
+
+  def initialize(req, res)
+    @req = req
+    @res = res
+    res.headers['content-type'] = 'text/html; charset=utf-8'
+  end
+
+  def otto
+    self.class.otto
+  end
+
+  def index
+    csrf_tag = respond_to?(:csrf_form_tag) ? csrf_form_tag : ''
+
+    content = <<~HTML
+      <div class="otto-card otto-text-center">
+        <img src="/img/otto.jpg" alt="Otto Framework" class="otto-logo" />
+        <h1>Otto Security Features</h1>
+        <p class="otto-mb-md">Security demonstration for the Otto framework</p>
+      </div>
+
+      #{otto_card("CSRF Protected Feedback") do
+
+        <<~FORM
+          <form method="post" action="/feedback" class="otto-form">
+            #{csrf_tag}
+            <label>Message:</label>
+            #{otto_textarea("message", placeholder: "Enter your feedback...", required: true)}
+            #{otto_button("Submit Feedback", variant: "primary")}
+          </form>
+        FORM
+
+      end}
+
+      #{otto_card("File Upload Validation") do
+        <<~UPLOAD
+          <form method="post" action="/upload" enctype="multipart/form-data" class="otto-form">
+            #{csrf_tag}
+            <label>Choose file:</label>
+            <input type="file" name="upload_file" class="otto-input">
+            #{otto_button("Upload File", variant: "primary")}
+          </form>
+        UPLOAD
+      end}
+
+      #{otto_card("User Profile Input Validation") do
+        <<~PROFILE
+          <form method="post" action="/profile" class="otto-form">
+            #{csrf_tag}
+            <label>Name:</label>
+            #{otto_input("name", placeholder: "Your name", required: true)}
+
+            <label>Email:</label>
+            #{otto_input("email", type: "email", placeholder: "your@email.com", required: true)}
+
+            <label>Bio:</label>
+            #{otto_textarea("bio", placeholder: "Tell us about yourself...")}
+
+            #{otto_button("Update Profile", variant: "primary")}
+          </form>
+        PROFILE
+      end}
+
+      #{otto_card("Security Information") do
+        <<~INFO
+          <h3>Security Features Active:</h3>
+          <ul>
+            <li><strong>CSRF Protection:</strong> All forms include CSRF tokens</li>
+            <li><strong>Input Validation:</strong> Server-side validation with length limits</li>
+            <li><strong>XSS Prevention:</strong> HTML escaping for all user inputs</li>
+            <li><strong>Security Headers:</strong> Comprehensive header security policy</li>
+          </ul>
+
+          <p class="otto-mt-md">
+            <strong>Test XSS Protection:</strong> Try entering
+            #{otto_code_block('<script>alert("XSS")</script>', 'html')}
+            in any form field to see input sanitization in action.
+          </p>
+
+          <p class="otto-mt-md">
+            #{otto_link("View Request Headers", "/headers")}
+          </p>
+        INFO
+      end}
+    HTML
+
+    res.body = otto_page(content, "Otto Security Features")
+  end
+
+  def receive_feedback
+    begin
+      message = req.params['message']
+
+      if respond_to?(:validate_input)
+        safe_message = validate_input(message, max_length: 1000, allow_html: false)
+      else
+        safe_message = message.to_s.strip
+        raise "Message too long" if safe_message.length > 1000
+      end
+
+      if safe_message.empty?
+        content = otto_alert("error", "Validation Error", "Message cannot be empty.")
+      else
+        content = <<~HTML
+          #{otto_alert("success", "Feedback Received", "Thank you for your feedback!")}
+
+          #{otto_card("Your Message") do
+            otto_code_block(safe_message, 'text')
+          end}
+        HTML
+      end
+
+    rescue Otto::Security::ValidationError => e
+      content = otto_alert("error", "Security Validation Failed", e.message)
+    rescue => e
+      content = otto_alert("error", "Processing Error", "An error occurred processing your request.")
+    end
+
+    content += "<p class=\"otto-mt-lg\">#{otto_link("← Back to form", "/")}</p>"
+    res.body = otto_page(content, "Feedback Response")
+  end
+
+  def upload_file
+    begin
+      uploaded_file = req.params['upload_file']
+
+      if uploaded_file.nil? || uploaded_file.empty?
+        content = otto_alert("error", "Upload Error", "No file was selected.")
+      else
+        filename = uploaded_file[:filename] rescue uploaded_file.original_filename rescue 'unknown'
+
+        if respond_to?(:sanitize_filename)
+          safe_filename = sanitize_filename(filename)
+        else
+          safe_filename = File.basename(filename.to_s).gsub(/[^\w\-_\.]/, '_')
+        end
+
+        file_info = {
+          "Original filename" => filename,
+          "Sanitized filename" => safe_filename,
+          "Content type" => uploaded_file[:type] || 'unknown',
+          "Security status" => "File validated and processed safely"
+        }
+
+        info_html = file_info.map { |key, value|
+          "<p><strong>#{key}:</strong> #{escape_html(value)}</p>"
+        }.join
+
+        content = <<~HTML
+          #{otto_alert("success", "File Upload Successful", "File processed and validated successfully!")}
+
+          #{otto_card("File Information") do
+            info_html
+          end}
+
+          <div class="otto-alert otto-alert-info">
+            <h3 class="otto-alert-title">Demo Notice</h3>
+            <p class="otto-alert-message">This is a demonstration - files are validated but not permanently stored.</p>
+          </div>
+        HTML
+      end
+
+    rescue Otto::Security::ValidationError => e
+      content = otto_alert("error", "File Validation Failed", e.message)
+    rescue => e
+      content = otto_alert("error", "Upload Error", "An error occurred during file upload.")
+    end
+
+    content += "<p class=\"otto-mt-lg\">#{otto_link("← Back to form", "/")}</p>"
+    res.body = otto_page(content, "Upload Response")
+  end
+
+  def update_profile
+    begin
+      name = req.params['name']
+      email = req.params['email']
+      bio = req.params['bio']
+
+      if respond_to?(:validate_input)
+        safe_name = validate_input(name, max_length: 100)
+        safe_email = validate_input(email, max_length: 255)
+        safe_bio = validate_input(bio, max_length: 500, allow_html: false)
+      else
+        safe_name = name.to_s.strip[0..99]
+        safe_email = email.to_s.strip[0..254]
+        safe_bio = bio.to_s.strip[0..499]
+      end
+
+      unless safe_email.match?(/\A[^@\s]+@[^@\s]+\z/)
+        raise Otto::Security::ValidationError, "Invalid email format"
+      end
+
+      profile_data = {
+        "Name" => safe_name,
+        "Email" => safe_email,
+        "Bio" => safe_bio,
+        "Updated" => Time.now.strftime("%Y-%m-%d %H:%M:%S UTC")
+      }
+
+      profile_html = profile_data.map { |key, value|
+        "<p><strong>#{key}:</strong> #{escape_html(value)}</p>"
+      }.join
+
+      content = <<~HTML
+        #{otto_alert("success", "Profile Updated", "Your profile has been updated successfully!")}
+
+        #{otto_card("Profile Data") do
+          profile_html
+        end}
+      HTML
+
+    rescue Otto::Security::ValidationError => e
+      content = otto_alert("error", "Profile Validation Failed", e.message)
+    rescue => e
+      content = otto_alert("error", "Update Error", "An error occurred updating your profile.")
+    end
+
+    content += "<p class=\"otto-mt-lg\">#{otto_link("← Back to form", "/")}</p>"
+    res.body = otto_page(content, "Profile Update")
+  end
+
+  def show_headers
+    res.headers['content-type'] = 'application/json; charset=utf-8'
+
+    safe_headers = {}
+    req.env.each do |key, value|
+      if key.start_with?('HTTP_') || %w[REQUEST_METHOD PATH_INFO QUERY_STRING].include?(key)
+        safe_headers[key] = value.to_s[0..200]
+      end
+    end
+
+    response_data = {
+      message: "Request headers analysis (filtered for security)",
+      client_ip: req.respond_to?(:client_ipaddress) ? req.client_ipaddress : req.ip,
+      secure_connection: req.respond_to?(:secure?) ? req.secure? : false,
+      timestamp: Time.now.utc.iso8601,
+      headers: safe_headers,
+      security_analysis: {
+        csrf_protection: respond_to?(:csrf_token_valid?) ? "Active" : "Basic",
+        content_security: "Headers validated and filtered",
+        xss_protection: "HTML escaping enabled"
+      }
+    }
+
+    require 'json'
+    res.body = JSON.pretty_generate(response_data)
+  end
+
+  def not_found
+    res.status = 404
+    content = otto_alert("error", "Page Not Found", "The requested page could not be found.")
+    content += "<p>#{otto_link("← Back to home", "/")}</p>"
+    res.body = otto_page(content, "404 - Not Found")
+  end
+
+  def server_error
+    res.status = 500
+    error_id = req.env['otto.error_id'] || SecureRandom.hex(8)
+    content = otto_alert("error", "Server Error", "An internal server error occurred.")
+    content += "<p><small>Error ID: #{escape_html(error_id)}</small></p>"
+    content += "<p>#{otto_link("← Back to home", "/")}</p>"
+    res.body = otto_page(content, "500 - Server Error")
+  end
+end

data/examples/security_features/config.ru

@@ -0,0 +1,81 @@
+# examples/security_features/config.ru
+
+# OTTO SECURE EXAMPLE APP CONFIG - 2025-07-18
+#
+# Usage:
+#
+#     $ thin -e dev -R config.ru -p 10770 start
+#
+
+public_path = File.expand_path('../../public', __dir__)
+
+require_relative '../../lib/otto'
+require_relative 'app'
+
+# Create Otto app with security features enabled
+app = Otto.new("./routes", {
+  # Enable CSRF protection for POST, PUT, DELETE requests
+  csrf_protection: true,
+
+  # Enable input validation and sanitization
+  request_validation: true,
+
+  # Configure trusted proxy servers (adjust for your infrastructure)
+  trusted_proxies: [
+    # The primary RFC 1918 private ranges
+    '127.0.0.1',        # Local development
+    '10.0.0.0/8',       # Private Class A
+    '172.16.0.0/12',    # Private Class B
+    '192.168.0.0/16',   # Private Class C
+
+    # Other reserved ranges that I often forget about
+    # '127.0.0.0/8',      # Loopback
+    # '100.64.0.0/10',    # Carrier-grade NAT
+    # '169.254.0.0/16',   # RFC 3927 - Automatic Private IP Addressing (APIPA)
+    # '198.18.0.0/15',    # RFC 2544 - Benchmarking methodology
+    # '203.0.113.0/24',   # RFC 5737 - Documentation examples
+    # '224.0.0.0/4',      # Multicast
+    # '240.0.0.0/4',      # RFC 1112 - Class E (experimental)
+  ],
+
+  # Custom security headers
+  security_headers: {
+    'content-security-policy' => "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'",
+    'strict-transport-security' => 'max-age=31536000; includeSubDomains',
+    'x-frame-options' => 'DENY'
+  }
+})
+
+# Optional: Configure additional security settings
+app.security_config.max_request_size = 5 * 1024 * 1024  # 5MB limit
+app.security_config.max_param_depth = 10                # Limit parameter nesting
+app.security_config.max_param_keys = 50                 # Limit parameters per request
+
+# Optional: Add static file serving with security
+app.option[:public] = public_path
+
+# Development vs Production configuration
+if ENV['RACK_ENV'] == 'production'
+  # Production-specific settings
+  app.security_config.require_secure_cookies = true
+
+  # More restrictive CSP for production
+  app.set_security_headers({
+    'content-security-policy' => "default-src 'self'; style-src 'self'; script-src 'self'; object-src 'none'",
+    'strict-transport-security' => 'max-age=63072000; includeSubDomains; preload'
+  })
+else
+  # Development-specific settings
+  puts "🔒 Security features enabled:"
+  puts "   ✓ CSRF Protection"
+  puts "   ✓ Input Validation"
+  puts "   ✓ Request Size Limits"
+  puts "   ✓ Security Headers"
+  puts "   ✓ Trusted Proxy Support"
+  puts ""
+end
+
+# Mount the application
+map('/') {
+  run app
+}

data/examples/security_features/routes

@@ -0,0 +1,11 @@
+# examples/security_features/routes
+
+GET   /                         SecureApp#index
+POST  /feedback                 SecureApp#receive_feedback
+POST  /upload                   SecureApp#upload_file
+POST  /profile                  SecureApp#update_profile
+GET   /headers                  SecureApp#show_headers
+
+# Error handlers (optional)
+GET   /404                      SecureApp#not_found
+GET   /500                      SecureApp#server_error