otto 1.2.0 → 1.4.0

data/examples/security_features/config.ru

@@ -13,7 +13,7 @@ require_relative '../../lib/otto'
 require_relative 'app'
 
 # Create Otto app with security features enabled
-app = Otto.new("./routes", {
+app = Otto.new('./routes', {
   # Enable CSRF protection for POST, PUT, DELETE requests
   csrf_protection: true,
 
@@ -42,14 +42,15 @@ app = Otto.new("./routes", {
   security_headers: {
     'content-security-policy' => "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'",
     'strict-transport-security' => 'max-age=31536000; includeSubDomains',
-    'x-frame-options' => 'DENY'
-  }
-})
+    'x-frame-options' => 'DENY',
+  },
+}
+)
 
 # Optional: Configure additional security settings
 app.security_config.max_request_size = 5 * 1024 * 1024  # 5MB limit
-app.security_config.max_param_depth = 10                # Limit parameter nesting
-app.security_config.max_param_keys = 50                 # Limit parameters per request
+app.security_config.max_param_depth  = 10                # Limit parameter nesting
+app.security_config.max_param_keys   = 50                 # Limit parameters per request
 
 # Optional: Add static file serving with security
 app.option[:public] = public_path
@@ -62,20 +63,21 @@ if ENV['RACK_ENV'] == 'production'
   # More restrictive CSP for production
   app.set_security_headers({
     'content-security-policy' => "default-src 'self'; style-src 'self'; script-src 'self'; object-src 'none'",
-    'strict-transport-security' => 'max-age=63072000; includeSubDomains; preload'
-  })
+    'strict-transport-security' => 'max-age=63072000; includeSubDomains; preload',
+  },
+                          )
 else
   # Development-specific settings
-  puts "🔒 Security features enabled:"
-  puts "   ✓ CSRF Protection"
-  puts "   ✓ Input Validation"
-  puts "   ✓ Request Size Limits"
-  puts "   ✓ Security Headers"
-  puts "   ✓ Trusted Proxy Support"
-  puts ""
+  puts '🔒 Security features enabled:'
+  puts '   ✓ CSRF Protection'
+  puts '   ✓ Input Validation'
+  puts '   ✓ Request Size Limits'
+  puts '   ✓ Security Headers'
+  puts '   ✓ Trusted Proxy Support'
+  puts ''
 end
 
 # Mount the application
-map('/') {
+map('/') do
   run app
-}
+end

data/lib/otto/design_system.rb

@@ -1,11 +1,10 @@
 # lib/otto/design_system.rb
 
 class Otto
+  # Shared design system for Otto framework examples
+  # Provides consistent styling, components, and utilities
   module DesignSystem
-    # Shared design system for Otto framework examples
-    # Provides consistent styling, components, and utilities
-
-    def otto_page(content, title = "Otto Framework", additional_head = "")
+    def otto_page(content, title = 'Otto Framework', additional_head = '')
       <<~HTML
         <!DOCTYPE html>
         <html lang="en">
@@ -25,9 +24,9 @@ class Otto
       HTML
     end
 
-    def otto_input(name, type: "text", placeholder: "", value: "", required: false)
-      req_attr = required ? "required" : ""
-      val_attr = value.empty? ? "" : %{value="#{escape_html(value)}"}
+    def otto_input(name, type: 'text', placeholder: '', value: '', required: false)
+      req_attr = required ? 'required' : ''
+      val_attr = value.empty? ? '' : %(value="#{escape_html(value)}")
 
       <<~HTML
         <input
@@ -41,8 +40,8 @@ class Otto
       HTML
     end
 
-    def otto_textarea(name, placeholder: "", value: "", rows: 4, required: false)
-      req_attr = required ? "required" : ""
+    def otto_textarea(name, placeholder: '', value: '', rows: 4, required: false)
+      req_attr = required ? 'required' : ''
 
       <<~HTML
         <textarea
@@ -55,8 +54,8 @@ class Otto
       HTML
     end
 
-    def otto_button(text, type: "submit", variant: "primary", size: "default")
-      size_class = size == "small" ? "otto-btn-sm" : ""
+    def otto_button(text, type: 'submit', variant: 'primary', size: 'default')
+      size_class = size == 'small' ? 'otto-btn-sm' : ''
 
       <<~HTML
         <button type="#{type}" class="otto-btn otto-btn-#{variant} #{size_class}">
@@ -66,7 +65,7 @@ class Otto
     end
 
     def otto_alert(type, title, message, dismissible: false)
-      dismiss_btn = dismissible ? '<button class="otto-alert-dismiss" onclick="this.parentElement.remove()">×</button>' : ""
+      dismiss_btn = dismissible ? '<button class="otto-alert-dismiss" onclick="this.parentElement.remove()">×</button>' : ''
 
       <<~HTML
         <div class="otto-alert otto-alert-#{type}">
@@ -77,9 +76,9 @@ class Otto
       HTML
     end
 
-    def otto_card(title = nil, &block)
-      content = block_given? ? yield : ""
-      title_html = title ? "<h2 class=\"otto-card-title\">#{escape_html(title)}</h2>" : ""
+    def otto_card(title = nil, &)
+      content    = block_given? ? yield : ''
+      title_html = title ? "<h2 class=\"otto-card-title\">#{escape_html(title)}</h2>" : ''
 
       <<~HTML
         <div class="otto-card">
@@ -90,7 +89,7 @@ class Otto
     end
 
     def otto_link(text, href, external: false)
-      target_attr = external ? 'target="_blank" rel="noopener noreferrer"' : ""
+      target_attr = external ? 'target="_blank" rel="noopener noreferrer"' : ''
 
       <<~HTML
         <a href="#{escape_html(href)}" class="otto-link" #{target_attr}>
@@ -99,7 +98,7 @@ class Otto
       HTML
     end
 
-    def otto_code_block(code, language = "")
+    def otto_code_block(code, language = '')
       <<~HTML
         <div class="otto-code-block">
           <pre><code class="language-#{language}">#{escape_html(code)}</code></pre>
@@ -111,12 +110,13 @@ class Otto
 
     def escape_html(text)
       return '' if text.nil?
+
       text.to_s
-          .gsub('&', '&amp;')
-          .gsub('<', '&lt;')
-          .gsub('>', '&gt;')
-          .gsub('"', '&quot;')
-          .gsub("'", '&#x27;')
+        .gsub('&', '&amp;')
+        .gsub('<', '&lt;')
+        .gsub('>', '&gt;')
+        .gsub('"', '&quot;')
+        .gsub("'", '&#x27;')
     end
 
     def otto_styles

data/lib/otto/helpers/base.rb

@@ -0,0 +1,27 @@
+# lib/otto/helpers/base.rb
+
+class Otto
+  module BaseHelpers
+    # Build application path by joining path segments
+    #
+    # This method safely joins multiple path segments, handling
+    # duplicate slashes and ensuring proper path formatting.
+    # Includes the script name (mount point) as the first segment.
+    #
+    # @param paths [Array<String>] Path segments to join
+    # @return [String] Properly formatted path
+    #
+    # @example
+    #   app_path('api', 'v1', 'users')
+    #   # => "/myapp/api/v1/users"
+    #
+    # @example
+    #   app_path(['admin', 'settings'])
+    #   # => "/myapp/admin/settings"
+    def app_path(*paths)
+      paths = paths.flatten.compact
+      paths.unshift(env['SCRIPT_NAME']) if env['SCRIPT_NAME']
+      paths.join('/').gsub('//', '/')
+    end
+  end
+end

data/lib/otto/helpers/request.rb

@@ -1,7 +1,11 @@
 # lib/otto/helpers/request.rb
 
+require_relative 'base'
+
 class Otto
   module RequestHelpers
+    include Otto::BaseHelpers
+
     def user_agent
       env['HTTP_USER_AGENT']
     end
@@ -18,7 +22,7 @@ class Otto
       forwarded_ips = [
         env['HTTP_X_FORWARDED_FOR'],
         env['HTTP_X_REAL_IP'],
-        env['HTTP_CLIENT_IP']
+        env['HTTP_CLIENT_IP'],
       ].compact.map { |header| header.split(/,\s*/) }.flatten
 
       # Return the first valid IP that's not a private/loopback address
@@ -70,7 +74,11 @@ class Otto
       ip = client_ipaddress
       return false unless ip
 
-      local_or_private_ip?(ip)
+      # Check both IP and server name for comprehensive localhost detection
+      server_name        = env['SERVER_NAME']
+      local_server_names = ['localhost', '127.0.0.1', '0.0.0.0']
+
+      local_or_private_ip?(ip) && local_server_names.include?(server_name)
     end
 
     def secure?
@@ -107,16 +115,12 @@ class Otto
       [prefix, http_host, request_path].join
     end
 
-    private
-
     def otto_security_config
       # Try to get security config from various sources
       if respond_to?(:otto) && otto.respond_to?(:security_config)
         otto.security_config
       elsif defined?(Otto) && Otto.respond_to?(:security_config)
         Otto.security_config
-      else
-        nil
       end
     end
 
@@ -138,7 +142,7 @@ class Otto
 
       # Validate each octet
       octets = clean_ip.split('.')
-      return nil unless octets.all? { |octet| (0..255).include?(octet.to_i) }
+      return nil unless octets.all? { |octet| (0..255).cover?(octet.to_i) }
 
       clean_ip
     end
@@ -153,7 +157,7 @@ class Otto
         /\A192\.168\./,              # 192.168.0.0/16
         /\A169\.254\./,              # 169.254.0.0/16 (link-local)
         /\A224\./,                   # 224.0.0.0/4 (multicast)
-        /\A0\./                      # 0.0.0.0/8
+        /\A0\./,                      # 0.0.0.0/8
       ]
 
       private_ranges.any? { |range| ip.match?(range) }
@@ -163,10 +167,223 @@ class Otto
       return false unless ip
 
       # Check for localhost
-      return true if ip == '127.0.0.1' || ip == '::1'
+      return true if ['127.0.0.1', '::1'].include?(ip)
 
       # Check for private IP ranges
       private_ip?(ip)
     end
+
+    # Collect and format HTTP header details from the request environment
+    #
+    # This method extracts and formats specific HTTP headers, including
+    # Cloudflare and proxy-related headers, for logging and debugging purposes.
+    #
+    # @param header_prefix [String, nil] Custom header prefix to include (e.g. 'X_SECRET_')
+    # @param additional_keys [Array<String>] Additional header keys to collect
+    # @return [String] Formatted header details as "key: value" pairs
+    #
+    # @example Basic usage
+    #   collect_proxy_headers
+    #   # => "X-Forwarded-For: 203.0.113.195 Remote-Addr: 192.0.2.1"
+    #
+    #
+    # @example With custom prefix
+    #   collect_proxy_headers(header_prefix: 'X_CUSTOM_')
+    #   # => "X-Forwarded-For: 203.0.113.195 X-Custom-Token: abc123"
+    def collect_proxy_headers(header_prefix: nil, additional_keys: [])
+      keys = %w[
+        HTTP_FLY_REQUEST_ID
+        HTTP_VIA
+        HTTP_X_FORWARDED_PROTO
+        HTTP_X_FORWARDED_FOR
+        HTTP_X_FORWARDED_HOST
+        HTTP_X_FORWARDED_PORT
+        HTTP_X_SCHEME
+        HTTP_X_REAL_IP
+        HTTP_CF_IPCOUNTRY
+        HTTP_CF_RAY
+        REMOTE_ADDR
+      ]
+
+      # Add any header that begins with the specified prefix
+      if header_prefix
+        prefix_keys = env.keys.select { |key| key.upcase.start_with?("HTTP_#{header_prefix.upcase}") }
+        keys.concat(prefix_keys)
+      end
+
+      # Add any additional keys requested
+      keys.concat(additional_keys) if additional_keys.any?
+
+      keys.sort.filter_map do |key|
+        value = env[key]
+        next unless value
+
+        # Normalize the header name to look like browser dev console
+        # e.g. Content-Type instead of HTTP_CONTENT_TYPE
+        pretty_name = key.sub(/^HTTP_/, '').split('_').map(&:capitalize).join('-')
+        "#{pretty_name}: #{value}"
+      end.join(' ')
+    end
+
+    # Format request details as a single string for logging
+    #
+    # This method combines IP address, HTTP method, path, query parameters,
+    # and proxy header details into a single formatted string suitable for logging.
+    #
+    # @param header_prefix [String, nil] Custom header prefix for proxy headers
+    # @return [String] Formatted request details
+    #
+    # @example
+    #   format_request_details
+    #   # => "192.0.2.1; GET /path?query=string; Proxy[X-Forwarded-For: 203.0.113.195 Remote-Addr: 192.0.2.1]"
+    #
+    def format_request_details(header_prefix: nil)
+      header_details = collect_proxy_headers(header_prefix: header_prefix)
+
+      details = [
+        client_ipaddress,
+        "#{request_method} #{env['PATH_INFO']}?#{env['QUERY_STRING']}",
+        "Proxy[#{header_details}]",
+      ]
+
+      details.join('; ')
+    end
+
+    # Check if user agent matches blocked patterns
+    #
+    # This method checks if the current request's user agent string
+    # matches any of the provided blocked agent patterns.
+    #
+    # @param blocked_agents [Array<String, Symbol, Regexp>] Patterns to check against
+    # @return [Boolean] true if user agent is allowed, false if blocked
+    #
+    # @example
+    #   blocked_user_agent?([:bot, :crawler, 'BadAgent'])
+    #   # => false if user agent contains 'bot', 'crawler', or 'BadAgent'
+    def blocked_user_agent?(blocked_agents: [])
+      return true if blocked_agents.empty?
+
+      user_agent_string = user_agent.to_s.downcase
+      return true if user_agent_string.empty?
+
+      blocked_agents.flatten.any? do |agent|
+        case agent
+        when Regexp
+          user_agent_string.match?(agent)
+        else
+          user_agent_string.include?(agent.to_s.downcase)
+        end
+      end
+    end
+
+    # Build application path by joining path segments
+    #
+    # This method safely joins multiple path segments, handling
+    # duplicate slashes and ensuring proper path formatting.
+    # Includes the script name (mount point) as the first segment.
+    #
+    # @param paths [Array<String>] Path segments to join
+    # @return [String] Properly formatted path
+    #
+    # @example
+    #   app_path('api', 'v1', 'users')
+    #   # => "/myapp/api/v1/users"
+    #
+    # @example
+    #   app_path(['admin', 'settings'])
+    #   # => "/myapp/admin/settings"
+    def app_path(*paths)
+      paths = paths.flatten.compact
+      paths.unshift(env['SCRIPT_NAME']) if env['SCRIPT_NAME']
+      paths.join('/').gsub('//', '/')
+    end
+
+    # Set the locale for the request based on multiple sources
+    #
+    # This method determines the locale to be used for the request by checking
+    # the following sources in order of precedence:
+    # 1. The locale parameter passed to the method
+    # 2. The locale query parameter in the request
+    # 3. The user's saved locale preference (if provided)
+    # 4. The rack.locale environment variable
+    #
+    # If a valid locale is found, it's stored in the request environment.
+    # If no valid locale is found, the default locale is used.
+    #
+    # @param locale [String, nil] The locale to use, if specified
+    # @param opts [Hash] Configuration options
+    # @option opts [Hash] :available_locales Hash of available locales to validate against (required unless configured at Otto level)
+    # @option opts [String] :default_locale Default locale to use as fallback (required unless configured at Otto level)
+    # @option opts [String, nil] :preferred_locale User's saved locale preference
+    # @option opts [String] :locale_env_key Environment key to store the locale (default: 'locale')
+    # @option opts [Boolean] :debug Enable debug logging for locale selection
+    # @return [String] The selected locale
+    #
+    # @example Basic usage
+    #   check_locale!(
+    #     available_locales: { 'en' => 'English', 'es' => 'Spanish' },
+    #     default_locale: 'en'
+    #   )
+    #   # => 'en'
+    #
+    # @example With user preference
+    #   check_locale!(nil, {
+    #     available_locales: { 'en' => 'English', 'es' => 'Spanish' },
+    #     default_locale: 'en',
+    #     preferred_locale: 'es'
+    #   })
+    #   # => 'es'
+    #
+    # @example Using Otto-level configuration
+    #   # Otto configured with: Otto.new(routes, { locale_config: { available: {...}, default: 'en' } })
+    #   check_locale!('es')  # Uses Otto's config automatically
+    #   # => 'es'
+    #
+    def check_locale!(locale = nil, opts = {})
+      # Get configuration from options, Otto config, or environment (in that order)
+      otto_config = env['otto.locale_config']
+
+      available_locales = opts[:available_locales] ||
+                          otto_config&.dig(:available_locales) ||
+                          env['otto.available_locales']
+      default_locale    = opts[:default_locale] ||
+                          otto_config&.dig(:default_locale) ||
+                          env['otto.default_locale']
+      preferred_locale  = opts[:preferred_locale]
+      locale_env_key    = opts[:locale_env_key] || 'locale'
+      debug_enabled     = opts[:debug] || false
+
+      # Guard clause - required configuration must be present
+      unless available_locales && default_locale
+        raise ArgumentError, 'available_locales and default_locale are required (provide via opts or Otto configuration)'
+      end
+
+      # Check sources in order of precedence
+      locale ||= env['rack.request.query_hash'] && env['rack.request.query_hash']['locale']
+      locale ||= preferred_locale if preferred_locale
+      locale ||= (env['rack.locale'] || []).first
+
+      # Validate locale against available translations
+      have_translations = locale && available_locales.key?(locale.to_s)
+
+      # Debug logging if enabled
+      if debug_enabled && defined?(Otto.logger)
+        message = format(
+          '[check_locale!] sources[param=%s query=%s user=%s rack=%s] valid=%s',
+          locale,
+          env.dig('rack.request.query_hash', 'locale'),
+          preferred_locale,
+          (env['rack.locale'] || []).first,
+          have_translations
+        )
+        Otto.logger.debug message
+      end
+
+      # Set the locale in request environment
+      selected_locale = have_translations ? locale : default_locale
+      env[locale_env_key] = selected_locale
+
+      selected_locale
+    end
   end
 end

data/lib/otto/helpers/response.rb

@@ -1,76 +1,54 @@
 # lib/otto/helpers/response.rb
 
+require_relative 'base'
+
 class Otto
   module ResponseHelpers
+    include Otto::BaseHelpers
+
     attr_accessor :request
 
     def send_secure_cookie(name, value, ttl, opts = {})
-      send_cookie name, value, ttl, opts.merge(secure: true)
-    end
-
-    def send_cookie(name, value, ttl, opts = {})
       # Default security options
       defaults = {
         secure: true,
         httponly: true,
-        samesite: :lax,
-        path: '/'
+        same_site: :strict,
+        path: '/',
       }
 
       # Merge with provided options
       cookie_opts = defaults.merge(opts)
 
-      # Adjust secure flag for local development
-      if request.local?
-        cookie_opts[:secure] = false
-      end
-
       # Set expiration using max-age (preferred) and expires (fallback)
-      if ttl && ttl > 0
+      if ttl&.positive?
         cookie_opts[:max_age] = ttl
         cookie_opts[:expires] = (Time.now.utc + ttl + 10)
-      elsif ttl && ttl < 0
+      elsif ttl&.negative?
         # For deletion, set both to past date
         cookie_opts[:max_age] = 0
-        cookie_opts[:expires] = Time.now.utc - 86400
+        cookie_opts[:expires] = Time.now.utc - 86_400
       end
 
       # Set the cookie value
       cookie_opts[:value] = value
 
       # Validate SameSite attribute
-      valid_samesite = [:strict, :lax, :none, 'Strict', 'Lax', 'None']
-      unless valid_samesite.include?(cookie_opts[:samesite])
-        cookie_opts[:samesite] = :lax
-      end
+      valid_same_site         = [:strict, :lax, :none, 'Strict', 'Lax', 'None']
+      cookie_opts[:same_site] = :strict unless valid_same_site.include?(cookie_opts[:same_site])
 
       # If SameSite=None, Secure must be true
-      if cookie_opts[:samesite].to_s.downcase == 'none'
-        cookie_opts[:secure] = true
-      end
+      cookie_opts[:secure] = true if cookie_opts[:same_site].to_s.downcase == 'none'
 
       set_cookie name, cookie_opts
     end
 
-    def delete_cookie(name, opts = {})
-      # Ensure we use the same path and domain when deleting
-      delete_opts = {
-        path: opts[:path] || '/',
-        domain: opts[:domain],
-        secure: opts[:secure],
-        httponly: opts[:httponly],
-        samesite: opts[:samesite]
-      }.compact
-
-      send_cookie name, '', -1, delete_opts
-    end
-
     def send_session_cookie(name, value, opts = {})
       # Session cookies don't have expiration
       session_opts = opts.merge(
         secure: true,
         httponly: true,
-        samesite: :lax
+        samesite: :strict,
       )
 
       # Remove expiration-related options for session cookies
@@ -78,9 +56,7 @@ class Otto
       session_opts.delete(:expires)
 
       # Adjust secure flag for local development
-      if request.local?
-        session_opts[:secure] = false
-      end
+      session_opts[:secure] = false if request.local?
 
       session_opts[:value] = value
       set_cookie name, session_opts
@@ -104,5 +80,76 @@ class Otto
 
       headers
     end
+
+    # Set Content Security Policy (CSP) headers with nonce support
+    #
+    # This method generates and sets CSP headers with the provided nonce value,
+    # following the same usage pattern as send_cookie methods. The CSP policy
+    # is generated dynamically based on the security configuration and environment.
+    #
+    # @param content_type [String] Content-Type header value to set
+    # @param nonce [String] Nonce value to include in CSP directives
+    # @param opts [Hash] Options for CSP generation
+    # @option opts [Otto::Security::Config] :security_config Security config to use
+    # @option opts [Boolean] :development_mode Use development-friendly CSP directives
+    # @option opts [Boolean] :debug Enable debug logging for this request
+    # @return [void]
+    #
+    # @example Basic usage
+    #   nonce = SecureRandom.base64(16)
+    #   res.send_csp_headers('text/html; charset=utf-8', nonce)
+    #
+    # @example With options
+    #   res.send_csp_headers('text/html; charset=utf-8', nonce, {
+    #     development_mode: Rails.env.development?,
+    #     debug: true
+    #   })
+    def send_csp_headers(content_type, nonce, opts = {})
+      # Set content type if not already set
+      headers['content-type'] ||= content_type
+
+      # Warn if CSP header already exists but don't skip
+      if headers['content-security-policy']
+        warn 'CSP header already set, overriding with nonce-based policy'
+      end
+
+      # Get security configuration
+      security_config = opts[:security_config] ||
+                        (request&.env && request.env['otto.security_config']) ||
+                        nil
+
+      # Skip if CSP nonce support is not enabled
+      return unless security_config&.csp_nonce_enabled?
+
+      # Generate CSP policy with nonce
+      development_mode = opts[:development_mode] || false
+      csp_policy       = security_config.generate_nonce_csp(nonce, development_mode: development_mode)
+
+      # Debug logging if enabled
+      debug_enabled = opts[:debug] || security_config.debug_csp?
+      if debug_enabled && defined?(Otto.logger)
+        Otto.logger.debug "[CSP] #{csp_policy}"
+      end
+
+      # Set the CSP header
+      headers['content-security-policy'] = csp_policy
+    end
+
+    # Set cache control headers to prevent caching
+    #
+    # This method sets comprehensive cache control headers to ensure that
+    # the response is not cached by browsers, proxies, or CDNs. This is
+    # particularly useful for sensitive pages or dynamic content that
+    # should always be fresh.
+    #
+    # @return [void]
+    #
+    # @example
+    #   res.no_cache!
+    def no_cache!
+      headers['cache-control'] = 'no-store, no-cache, must-revalidate, max-age=0'
+      headers['expires']       = 'Mon, 7 Nov 2011 00:00:00 UTC'
+      headers['pragma']        = 'no-cache'
+    end
   end
 end