otto 1.2.0 → 1.3.0

data/lib/otto/design_system.rb

@@ -1,11 +1,10 @@
 # lib/otto/design_system.rb
 
 class Otto
+  # Shared design system for Otto framework examples
+  # Provides consistent styling, components, and utilities
   module DesignSystem
-    # Shared design system for Otto framework examples
-    # Provides consistent styling, components, and utilities
-
-    def otto_page(content, title = "Otto Framework", additional_head = "")
+    def otto_page(content, title = 'Otto Framework', additional_head = '')
       <<~HTML
         <!DOCTYPE html>
         <html lang="en">
@@ -25,9 +24,9 @@ class Otto
       HTML
     end
 
-    def otto_input(name, type: "text", placeholder: "", value: "", required: false)
-      req_attr = required ? "required" : ""
-      val_attr = value.empty? ? "" : %{value="#{escape_html(value)}"}
+    def otto_input(name, type: 'text', placeholder: '', value: '', required: false)
+      req_attr = required ? 'required' : ''
+      val_attr = value.empty? ? '' : %(value="#{escape_html(value)}")
 
       <<~HTML
         <input
@@ -41,8 +40,8 @@ class Otto
       HTML
     end
 
-    def otto_textarea(name, placeholder: "", value: "", rows: 4, required: false)
-      req_attr = required ? "required" : ""
+    def otto_textarea(name, placeholder: '', value: '', rows: 4, required: false)
+      req_attr = required ? 'required' : ''
 
       <<~HTML
         <textarea
@@ -55,8 +54,8 @@ class Otto
       HTML
     end
 
-    def otto_button(text, type: "submit", variant: "primary", size: "default")
-      size_class = size == "small" ? "otto-btn-sm" : ""
+    def otto_button(text, type: 'submit', variant: 'primary', size: 'default')
+      size_class = size == 'small' ? 'otto-btn-sm' : ''
 
       <<~HTML
         <button type="#{type}" class="otto-btn otto-btn-#{variant} #{size_class}">
@@ -66,7 +65,7 @@ class Otto
     end
 
     def otto_alert(type, title, message, dismissible: false)
-      dismiss_btn = dismissible ? '<button class="otto-alert-dismiss" onclick="this.parentElement.remove()">×</button>' : ""
+      dismiss_btn = dismissible ? '<button class="otto-alert-dismiss" onclick="this.parentElement.remove()">×</button>' : ''
 
       <<~HTML
         <div class="otto-alert otto-alert-#{type}">
@@ -77,9 +76,9 @@ class Otto
       HTML
     end
 
-    def otto_card(title = nil, &block)
-      content = block_given? ? yield : ""
-      title_html = title ? "<h2 class=\"otto-card-title\">#{escape_html(title)}</h2>" : ""
+    def otto_card(title = nil, &)
+      content    = block_given? ? yield : ''
+      title_html = title ? "<h2 class=\"otto-card-title\">#{escape_html(title)}</h2>" : ''
 
       <<~HTML
         <div class="otto-card">
@@ -90,7 +89,7 @@ class Otto
     end
 
     def otto_link(text, href, external: false)
-      target_attr = external ? 'target="_blank" rel="noopener noreferrer"' : ""
+      target_attr = external ? 'target="_blank" rel="noopener noreferrer"' : ''
 
       <<~HTML
         <a href="#{escape_html(href)}" class="otto-link" #{target_attr}>
@@ -99,7 +98,7 @@ class Otto
       HTML
     end
 
-    def otto_code_block(code, language = "")
+    def otto_code_block(code, language = '')
       <<~HTML
         <div class="otto-code-block">
           <pre><code class="language-#{language}">#{escape_html(code)}</code></pre>
@@ -111,12 +110,13 @@ class Otto
 
     def escape_html(text)
       return '' if text.nil?
+
       text.to_s
-          .gsub('&', '&amp;')
-          .gsub('<', '&lt;')
-          .gsub('>', '&gt;')
-          .gsub('"', '&quot;')
-          .gsub("'", '&#x27;')
+        .gsub('&', '&amp;')
+        .gsub('<', '&lt;')
+        .gsub('>', '&gt;')
+        .gsub('"', '&quot;')
+        .gsub("'", '&#x27;')
     end
 
     def otto_styles

data/lib/otto/helpers/request.rb

@@ -18,7 +18,7 @@ class Otto
       forwarded_ips = [
         env['HTTP_X_FORWARDED_FOR'],
         env['HTTP_X_REAL_IP'],
-        env['HTTP_CLIENT_IP']
+        env['HTTP_CLIENT_IP'],
       ].compact.map { |header| header.split(/,\s*/) }.flatten
 
       # Return the first valid IP that's not a private/loopback address
@@ -115,8 +115,6 @@ class Otto
         otto.security_config
       elsif defined?(Otto) && Otto.respond_to?(:security_config)
         Otto.security_config
-      else
-        nil
       end
     end
 
@@ -153,7 +151,7 @@ class Otto
         /\A192\.168\./,              # 192.168.0.0/16
         /\A169\.254\./,              # 169.254.0.0/16 (link-local)
         /\A224\./,                   # 224.0.0.0/4 (multicast)
-        /\A0\./                      # 0.0.0.0/8
+        /\A0\./,                      # 0.0.0.0/8
       ]
 
       private_ranges.any? { |range| ip.match?(range) }
@@ -163,7 +161,7 @@ class Otto
       return false unless ip
 
       # Check for localhost
-      return true if ip == '127.0.0.1' || ip == '::1'
+      return true if ['127.0.0.1', '::1'].include?(ip)
 
       # Check for private IP ranges
       private_ip?(ip)

data/lib/otto/helpers/response.rb

@@ -5,72 +5,46 @@ class Otto
     attr_accessor :request
 
     def send_secure_cookie(name, value, ttl, opts = {})
-      send_cookie name, value, ttl, opts.merge(secure: true)
-    end
-
-    def send_cookie(name, value, ttl, opts = {})
       # Default security options
       defaults = {
         secure: true,
         httponly: true,
-        samesite: :lax,
-        path: '/'
+        same_site: :strict,
+        path: '/',
       }
 
       # Merge with provided options
       cookie_opts = defaults.merge(opts)
 
-      # Adjust secure flag for local development
-      if request.local?
-        cookie_opts[:secure] = false
-      end
-
       # Set expiration using max-age (preferred) and expires (fallback)
-      if ttl && ttl > 0
+      if ttl&.positive?
         cookie_opts[:max_age] = ttl
         cookie_opts[:expires] = (Time.now.utc + ttl + 10)
-      elsif ttl && ttl < 0
+      elsif ttl&.negative?
         # For deletion, set both to past date
         cookie_opts[:max_age] = 0
-        cookie_opts[:expires] = Time.now.utc - 86400
+        cookie_opts[:expires] = Time.now.utc - 86_400
       end
 
       # Set the cookie value
       cookie_opts[:value] = value
 
       # Validate SameSite attribute
-      valid_samesite = [:strict, :lax, :none, 'Strict', 'Lax', 'None']
-      unless valid_samesite.include?(cookie_opts[:samesite])
-        cookie_opts[:samesite] = :lax
-      end
+      valid_same_site         = [:strict, :lax, :none, 'Strict', 'Lax', 'None']
+      cookie_opts[:same_site] = :strict unless valid_same_site.include?(cookie_opts[:same_site])
 
       # If SameSite=None, Secure must be true
-      if cookie_opts[:samesite].to_s.downcase == 'none'
-        cookie_opts[:secure] = true
-      end
+      cookie_opts[:secure] = true if cookie_opts[:same_site].to_s.downcase == 'none'
 
       set_cookie name, cookie_opts
     end
 
-    def delete_cookie(name, opts = {})
-      # Ensure we use the same path and domain when deleting
-      delete_opts = {
-        path: opts[:path] || '/',
-        domain: opts[:domain],
-        secure: opts[:secure],
-        httponly: opts[:httponly],
-        samesite: opts[:samesite]
-      }.compact
-
-      send_cookie name, '', -1, delete_opts
-    end
-
     def send_session_cookie(name, value, opts = {})
       # Session cookies don't have expiration
       session_opts = opts.merge(
         secure: true,
         httponly: true,
-        samesite: :lax
+        samesite: :strict,
       )
 
       # Remove expiration-related options for session cookies
@@ -78,9 +52,7 @@ class Otto
       session_opts.delete(:expires)
 
       # Adjust secure flag for local development
-      if request.local?
-        session_opts[:secure] = false
-      end
+      session_opts[:secure] = false if request.local?
 
       session_opts[:value] = value
       set_cookie name, session_opts

data/lib/otto/route.rb

@@ -33,20 +33,20 @@ class Otto
     # @param definition [String] Class and method definition (Class.method or Class#method)
     # @raise [ArgumentError] if definition format is invalid or class name is unsafe
     def initialize(verb, path, definition)
-      @verb = verb.to_s.upcase.to_sym
-      @path = path
-      @definition = definition
+      @verb           = verb.to_s.upcase.to_sym
+      @path           = path
+      @definition     = definition
       @pattern, @keys = *compile(@path)
       if !@definition.index('.').nil?
         @klass, @name = @definition.split('.')
-        @kind = :class
+        @kind         = :class
       elsif !@definition.index('#').nil?
         @klass, @name = @definition.split('#')
-        @kind = :instance
+        @kind         = :instance
       else
         raise ArgumentError, "Bad definition: #{@definition}"
       end
-      @klass = safe_const_get(@klass)
+      @klass          = safe_const_get(@klass)
       # @method = @klass.method(@name)
     end
 
@@ -85,8 +85,8 @@ class Otto
 
       begin
         Object.const_get(class_name)
-      rescue NameError => e
-        raise ArgumentError, "Class not found: #{class_name} - #{e.message}"
+      rescue NameError => ex
+        raise ArgumentError, "Class not found: #{class_name} - #{ex.message}"
       end
     end
 
@@ -109,11 +109,11 @@ class Otto
     # @return [Array] Rack response array [status, headers, body]
     def call(env, extra_params = {})
       extra_params ||= {}
-      req = Rack::Request.new(env)
-      res = Rack::Response.new
+      req            = Rack::Request.new(env)
+      res            = Rack::Response.new
       req.extend Otto::RequestHelpers
       res.extend Otto::ResponseHelpers
-      res.request = req
+      res.request    = req
 
       # Process parameters through security layer
       req.params.merge! extra_params
@@ -158,7 +158,7 @@ class Otto
       keys = []
       if path.respond_to? :to_str
         special_chars = %w[. + ( ) $]
-        pattern =
+        pattern       =
           path.to_str.gsub(/((:\w+)|[\*#{special_chars.join}])/) do |match|
             case match
             when '*'

data/lib/otto/security/config.rb

@@ -22,26 +22,26 @@ class Otto
     #   config.max_param_depth = 16
     class Config
       attr_accessor :csrf_protection, :csrf_token_key, :csrf_header_key, :csrf_session_key,
-                    :max_request_size, :max_param_depth, :max_param_keys,
-                    :trusted_proxies, :require_secure_cookies,
-                    :security_headers, :input_validation
+        :max_request_size, :max_param_depth, :max_param_keys,
+        :trusted_proxies, :require_secure_cookies,
+        :security_headers, :input_validation
 
       # Initialize security configuration with safe defaults
       #
       # All security features are disabled by default to maintain backward
       # compatibility with existing Otto applications.
       def initialize
-        @csrf_protection = false
-        @csrf_token_key = '_csrf_token'
-        @csrf_header_key = 'HTTP_X_CSRF_TOKEN'
-        @csrf_session_key = '_csrf_session_id'
-        @max_request_size = 10 * 1024 * 1024 # 10MB
-        @max_param_depth = 32
-        @max_param_keys = 64
-        @trusted_proxies = []
+        @csrf_protection        = false
+        @csrf_token_key         = '_csrf_token'
+        @csrf_header_key        = 'HTTP_X_CSRF_TOKEN'
+        @csrf_session_key       = '_csrf_session_id'
+        @max_request_size       = 10 * 1024 * 1024 # 10MB
+        @max_param_depth        = 32
+        @max_param_keys         = 64
+        @trusted_proxies        = []
         @require_secure_cookies = false
-        @security_headers = default_security_headers
-        @input_validation = true
+        @security_headers       = default_security_headers
+        @input_validation       = true
       end
 
       # Enable CSRF (Cross-Site Request Forgery) protection
@@ -96,7 +96,7 @@ class Otto
         when Array
           @trusted_proxies.concat(proxy)
         else
-          raise ArgumentError, "Proxy must be a String or Array"
+          raise ArgumentError, 'Proxy must be a String or Array'
         end
       end
 
@@ -130,19 +130,19 @@ class Otto
         size = content_length.to_i
         if size > @max_request_size
           raise Otto::Security::RequestTooLargeError,
-                "Request size #{size} exceeds maximum #{@max_request_size}"
+            "Request size #{size} exceeds maximum #{@max_request_size}"
         end
         true
       end
 
       def generate_csrf_token(session_id = nil)
-        base = session_id || 'no-session'
-        token = SecureRandom.hex(32)
+        base       = session_id || 'no-session'
+        token      = SecureRandom.hex(32)
         hash_input = base + ':' + token
-        signature = Digest::SHA256.hexdigest(hash_input)
+        signature  = Digest::SHA256.hexdigest(hash_input)
         csrf_token = "#{token}:#{signature}"
 
-        puts "=== CSRF Generation ==="
+        puts '=== CSRF Generation ==='
         puts "hash_input: #{hash_input.inspect}"
         puts "signature: #{signature}"
         puts "csrf_token: #{csrf_token}"
@@ -156,12 +156,12 @@ class Otto
         token_part, signature = token.split(':')
         return false if token_part.nil? || signature.nil?
 
-        base = session_id || 'no-session'
-        hash_input = "#{base}:#{token_part}"
+        base               = session_id || 'no-session'
+        hash_input         = "#{base}:#{token_part}"
         expected_signature = Digest::SHA256.hexdigest(hash_input)
-        comparison_result = secure_compare(signature, expected_signature)
+        comparison_result  = secure_compare(signature, expected_signature)
 
-        puts "=== CSRF Verification ==="
+        puts '=== CSRF Verification ==='
         puts "hash_input: #{hash_input.inspect}"
         puts "received_signature: #{signature}"
         puts "expected_signature: #{expected_signature}"
@@ -179,9 +179,9 @@ class Otto
       # @param max_age [Integer] Maximum age in seconds (default: 1 year)
       # @param include_subdomains [Boolean] Apply to all subdomains (default: true)
       # @return [void]
-      def enable_hsts!(max_age: 31536000, include_subdomains: true)
-        hsts_value = "max-age=#{max_age}"
-        hsts_value += "; includeSubDomains" if include_subdomains
+      def enable_hsts!(max_age: 31_536_000, include_subdomains: true)
+        hsts_value                                     = "max-age=#{max_age}"
+        hsts_value                                    += '; includeSubDomains' if include_subdomains
         @security_headers['strict-transport-security'] = hsts_value
       end
 
@@ -245,27 +245,23 @@ class Otto
             return session[csrf_session_key] if session[csrf_session_key]
             return session['session_id'] if session['session_id']
           end
-        rescue
+        rescue StandardError
           # Fall through to cookies
         end
 
         # Try cookies
         request.cookies['_otto_session'] ||
-        request.cookies['session_id'] ||
-        request.cookies['_session_id']
+          request.cookies['session_id'] ||
+          request.cookies['_session_id']
       end
 
       def store_session_id(request, session_id)
-        begin
-          session = request.session
+          session                   = request.session
           session[csrf_session_key] = session_id if session
-        rescue
-          # Cookie fallback handled in inject_csrf_token
-        end
+      rescue StandardError
+        # Cookie fallback handled in inject_csrf_token
       end
 
-      private
-
       # Default security headers applied to all responses
       #
       # These headers provide basic defense against common web vulnerabilities:
@@ -282,7 +278,7 @@ class Otto
         {
           'x-content-type-options' => 'nosniff',
           'x-xss-protection' => '1; mode=block',
-          'referrer-policy' => 'strict-origin-when-cross-origin'
+          'referrer-policy' => 'strict-origin-when-cross-origin',
         }
       end
 
@@ -298,7 +294,7 @@ class Otto
       def secure_compare(a, b)
         return false if a.nil? || b.nil? || a.length != b.length
 
-        result = 0
+        result                                = 0
         a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
         result == 0
       end

data/lib/otto/security/csrf.rb

@@ -3,12 +3,14 @@
 require 'securerandom'
 
 class Otto
+  # CSRF protection middleware for Otto framework
   module Security
+    # Middleware that provides Cross-Site Request Forgery (CSRF) protection
     class CSRFMiddleware
       SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
 
       def initialize(app, config = nil)
-        @app = app
+        @app    = app
         @config = config || Otto::Security::Config.new
       end
 
@@ -25,9 +27,7 @@ class Otto
         end
 
         # Validate CSRF token for unsafe methods
-        unless valid_csrf_token?(request)
-          return csrf_error_response
-        end
+        return csrf_error_response unless valid_csrf_token?(request)
 
         @app.call(env)
       end
@@ -54,8 +54,7 @@ class Otto
         token ||= request.env[@config.csrf_header_key]
 
         # Try alternative header format
-        token ||= request.env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' ?
-                    request.env['HTTP_X_CSRF_TOKEN'] : nil
+        token ||= request.env['HTTP_X_CSRF_TOKEN'] if request.env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
 
         token
       end
@@ -68,7 +67,7 @@ class Otto
         return response unless response.is_a?(Array) && response.length >= 3
 
         status, headers, body = response
-        content_type = headers.find { |k, v| k.downcase == 'content-type' }&.last
+        content_type          = headers.find { |k, _v| k.downcase == 'content-type' }&.last
 
         return response unless content_type&.include?('text/html')
 
@@ -85,14 +84,12 @@ class Otto
         body_content = body.respond_to?(:join) ? body.join : body.to_s
 
         if body_content.match?(/<head>/i)
-          meta_tag = %(<meta name="csrf-token" content="#{csrf_token}">)
+          meta_tag     = %(<meta name="csrf-token" content="#{csrf_token}">)
           body_content = body_content.sub(/<head>/i, "<head>\n#{meta_tag}")
 
           # Update content length if present
-          content_length_key = headers.keys.find { |k| k.downcase == 'content-length' }
-          if content_length_key
-            headers[content_length_key] = body_content.bytesize.to_s
-          end
+          content_length_key          = headers.keys.find { |k| k.downcase == 'content-length' }
+          headers[content_length_key] = body_content.bytesize.to_s if content_length_key
 
           [status, headers, [body_content]]
         else
@@ -106,8 +103,8 @@ class Otto
         return if existing_cookie == session_id
 
         # Set the session cookie
-        cookie_value = "#{session_id}; Path=/; HttpOnly; SameSite=Lax"
-        cookie_value += "; Secure" if request.scheme == 'https'
+        cookie_value  = "#{session_id}; Path=/; HttpOnly; SameSite=Lax"
+        cookie_value += '; Secure' if request.scheme == 'https'
 
         # Handle existing Set-Cookie headers
         existing_cookies = headers['set-cookie'] || headers['Set-Cookie']
@@ -126,8 +123,8 @@ class Otto
       def html_response?(response)
         return false unless response.is_a?(Array) && response.length >= 2
 
-        headers = response[1]
-        content_type = headers.find { |k, v| k.downcase == 'content-type' }&.last
+        headers      = response[1]
+        content_type = headers.find { |k, _v| k.downcase == 'content-type' }&.last
         content_type&.include?('text/html')
       end
 
@@ -136,34 +133,30 @@ class Otto
           403,
           {
             'content-type' => 'application/json',
-            'content-length' => csrf_error_body.bytesize.to_s
+            'content-length' => csrf_error_body.bytesize.to_s,
           },
-          [csrf_error_body]
+          [csrf_error_body],
         ]
       end
 
       def csrf_error_body
         {
           error: 'CSRF token validation failed',
-          message: 'The request could not be authenticated. Please refresh the page and try again.'
+          message: 'The request could not be authenticated. Please refresh the page and try again.',
         }.to_json
       end
-
     end
 
+    # Helper methods for CSRF token handling in views and controllers
     module CSRFHelpers
       def csrf_token
         if @csrf_token.nil? && otto.respond_to?(:security_config)
-          session_id = otto.security_config.get_or_create_session_id(req)
+          session_id  = otto.security_config.get_or_create_session_id(req)
           @csrf_token = otto.security_config.generate_csrf_token(session_id)
         end
         @csrf_token
       end
 
-      private
-
-      public
-
       def csrf_meta_tag
         %(<meta name="csrf-token" content="#{csrf_token}">)
       end
@@ -173,8 +166,11 @@ class Otto
       end
 
       def csrf_token_key
-        otto.respond_to?(:security_config) ?
-          otto.security_config.csrf_token_key : '_csrf_token'
+        if otto.respond_to?(:security_config)
+          otto.security_config.csrf_token_key
+        else
+          '_csrf_token'
+        end
       end
     end
   end