otto 1.3.0 → 1.5.0

data/lib/otto/security/config.rb

@@ -24,7 +24,8 @@ class Otto
       attr_accessor :csrf_protection, :csrf_token_key, :csrf_header_key, :csrf_session_key,
         :max_request_size, :max_param_depth, :max_param_keys,
         :trusted_proxies, :require_secure_cookies,
-        :security_headers, :input_validation
+        :security_headers, :input_validation,
+        :csp_nonce_enabled, :debug_csp
 
       # Initialize security configuration with safe defaults
       #
@@ -42,6 +43,8 @@ class Otto
         @require_secure_cookies = false
         @security_headers       = default_security_headers
         @input_validation       = true
+        @csp_nonce_enabled      = false
+        @debug_csp              = false
       end
 
       # Enable CSRF (Cross-Site Request Forgery) protection
@@ -199,6 +202,53 @@ class Otto
         @security_headers['content-security-policy'] = policy
       end
 
+      # Enable Content Security Policy (CSP) with nonce support
+      #
+      # This enables dynamic CSP header generation with nonces for enhanced security.
+      # Unlike enable_csp!, this doesn't set a static policy but enables the response
+      # helper to generate CSP headers with nonces on a per-request basis.
+      #
+      # @param debug [Boolean] Enable debug logging for CSP headers (default: false)
+      # @return [void]
+      #
+      # @example
+      #   config.enable_csp_with_nonce!(debug: true)
+      def enable_csp_with_nonce!(debug: false)
+        @csp_nonce_enabled = true
+        @debug_csp         = debug
+      end
+
+      # Disable CSP nonce support
+      #
+      # @return [void]
+      def disable_csp_nonce!
+        @csp_nonce_enabled = false
+      end
+
+      # Check if CSP nonce support is enabled
+      #
+      # @return [Boolean] true if CSP nonce support is enabled
+      def csp_nonce_enabled?
+        @csp_nonce_enabled
+      end
+
+      # Check if CSP debug logging is enabled
+      #
+      # @return [Boolean] true if CSP debug logging is enabled
+      def debug_csp?
+        @debug_csp
+      end
+
+      # Generate a CSP policy string with the provided nonce
+      #
+      # @param nonce [String] The nonce value to include in the CSP
+      # @param development_mode [Boolean] Whether to use development-friendly directives
+      # @return [String] Complete CSP policy string
+      def generate_nonce_csp(nonce, development_mode: false)
+        directives = development_mode ? development_csp_directives(nonce) : production_csp_directives(nonce)
+        directives.join(' ')
+      end
+
       # Enable X-Frame-Options header to prevent clickjacking
       #
       # @param option [String] Frame options: 'DENY', 'SAMEORIGIN', or 'ALLOW-FROM uri'
@@ -298,6 +348,54 @@ class Otto
         a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
         result == 0
       end
+
+      # Generate CSP directives for development environment
+      #
+      # Development mode allows inline scripts/styles and hot reloading connections
+      # for better developer experience with build tools like Vite.
+      #
+      # @param nonce [String] The nonce value to include in script-src
+      # @return [Array<String>] Array of CSP directive strings
+      def development_csp_directives(nonce)
+        [
+          "default-src 'none';",
+          "script-src 'nonce-#{nonce}' 'unsafe-inline';",  # Allow inline scripts for development tools
+          "style-src 'self' 'unsafe-inline';",
+          "connect-src 'self' ws: wss: http: https:;",      # Allow HTTP and all WebSocket connections for dev tools
+          "img-src 'self' data:;",
+          "font-src 'self';",
+          "object-src 'none';",
+          "base-uri 'self';",
+          "form-action 'self';",
+          "frame-ancestors 'none';",
+          "manifest-src 'self';",
+          "worker-src 'self' data:;",
+        ]
+      end
+
+      # Generate CSP directives for production environment
+      #
+      # Production mode is more restrictive, only allowing HTTPS connections
+      # and nonce-only scripts for enhanced XSS protection.
+      #
+      # @param nonce [String] The nonce value to include in script-src
+      # @return [Array<String>] Array of CSP directive strings
+      def production_csp_directives(nonce)
+        [
+          "default-src 'none';",                     # Restrict to same origin by default
+          "script-src 'nonce-#{nonce}';",            # Only allow scripts with valid nonce
+          "style-src 'self' 'unsafe-inline';",       # Allow inline styles and same-origin stylesheets
+          "connect-src 'self' wss: https:;",         # Only HTTPS and secure WebSockets
+          "img-src 'self' data:;",                   # Allow images from same origin and data URIs
+          "font-src 'self';",                        # Allow fonts from same origin only
+          "object-src 'none';",                      # Block <object>, <embed>, and <applet> elements
+          "base-uri 'self';",                        # Restrict <base> tag targets to same origin
+          "form-action 'self';",                     # Restrict form submissions to same origin
+          "frame-ancestors 'none';",                 # Prevent site from being embedded in frames
+          "manifest-src 'self';",                    # Allow web app manifests from same origin
+          "worker-src 'self' data:;",                # Allow Workers from same origin and data blobs
+        ]
+      end
     end
 
     # Raised when a request exceeds the configured size limit

data/lib/otto/version.rb

@@ -1,5 +1,5 @@
 # lib/otto/version.rb
 
 class Otto
-  VERSION = '1.3.0'.freeze
+  VERSION = '1.5.0'.freeze
 end

data/lib/otto.rb

@@ -1,5 +1,6 @@
 require 'json'
 require 'logger'
+require 'ostruct'
 require 'securerandom'
 require 'uri'
 
@@ -7,14 +8,18 @@ require 'rack/request'
 require 'rack/response'
 require 'rack/utils'
 
+require_relative 'otto/route_definition'
 require_relative 'otto/route'
 require_relative 'otto/static'
 require_relative 'otto/helpers/request'
 require_relative 'otto/helpers/response'
+require_relative 'otto/response_handlers'
+require_relative 'otto/route_handlers'
 require_relative 'otto/version'
 require_relative 'otto/security/config'
 require_relative 'otto/security/csrf'
 require_relative 'otto/security/validator'
+require_relative 'otto/security/authentication'
 
 # Otto is a simple Rack router that allows you to define routes in a file
 # with built-in security features including CSRF protection, input validation,
@@ -42,8 +47,20 @@ class Otto
 
   @debug  = ENV['OTTO_DEBUG'] == 'true'
   @logger = Logger.new($stdout, Logger::INFO)
+  @global_config = {}
 
-  attr_reader :routes, :routes_literal, :routes_static, :route_definitions, :option, :static_route, :security_config
+  # Global configuration for all Otto instances
+  def self.configure
+    config = OpenStruct.new(@global_config)
+    yield config
+    @global_config = config.to_h
+  end
+
+  def self.global_config
+    @global_config
+  end
+
+  attr_reader :routes, :routes_literal, :routes_static, :route_definitions, :option, :static_route, :security_config, :locale_config, :auth_config, :route_handler_factory
   attr_accessor :not_found, :server_error, :middleware_stack
 
   def initialize(path = nil, opts = {})
@@ -57,10 +74,17 @@ class Otto
     }.merge(opts)
     @security_config   = Otto::Security::Config.new
     @middleware_stack  = []
+    @route_handler_factory = opts[:route_handler_factory] || Otto::RouteHandlers::HandlerFactory
+
+    # Configure locale support (merge global config with instance options)
+    configure_locale(opts)
 
     # Configure security based on options
     configure_security(opts)
 
+    # Configure authentication based on options
+    configure_authentication(opts)
+
     Otto.logger.debug "new Otto: #{opts}" if Otto.debug
     load(path) unless path.nil?
     super()
@@ -71,9 +95,12 @@ class Otto
     path = File.expand_path(path)
     raise ArgumentError, "Bad path: #{path}" unless File.exist?(path)
 
-    raw = File.readlines(path).select { |line| line =~ /^\w/ }.collect { |line| line.strip.split(/\s+/) }
+    raw = File.readlines(path).select { |line| line =~ /^\w/ }.collect { |line| line.strip }
     raw.each do |entry|
-      verb, path, definition                  = *entry
+      # Enhanced parsing: split only on first two whitespace boundaries
+      # This preserves parameters in the definition part
+      parts = entry.split(/\s+/, 3)
+      verb, path, definition = parts[0], parts[1], parts[2]
       route                                   = Otto::Route.new verb, path, definition
       route.otto                              = self
       path_clean                              = path.gsub(%r{/$}, '')
@@ -157,6 +184,7 @@ class Otto
   def handle_request(env)
     locale             = determine_locale env
     env['rack.locale'] = locale
+    env['otto.locale_config'] = @locale_config if @locale_config
     @static_route    ||= Rack::Files.new(option[:public]) if option[:public] && safe_dir?(option[:public])
     path_info          = Rack::Utils.unescape(env['PATH_INFO'])
     path_info          = '/' if path_info.to_s.empty?
@@ -370,8 +398,107 @@ class Otto
     @security_config.enable_frame_protection!(option)
   end
 
+  # Enable Content Security Policy (CSP) with nonce support for dynamic header generation.
+  # This enables the res.send_csp_headers response helper method.
+  #
+  # @param debug [Boolean] Enable debug logging for CSP headers (default: false)
+  # @example
+  #   otto.enable_csp_with_nonce!(debug: true)
+  def enable_csp_with_nonce!(debug: false)
+    @security_config.enable_csp_with_nonce!(debug: debug)
+  end
+
+  # Configure locale settings for the application
+  #
+  # @param available_locales [Hash] Hash of available locales (e.g., { 'en' => 'English', 'es' => 'Spanish' })
+  # @param default_locale [String] Default locale to use as fallback
+  # @example
+  #   otto.configure(
+  #     available_locales: { 'en' => 'English', 'es' => 'Spanish', 'fr' => 'French' },
+  #     default_locale: 'en'
+  #   )
+  def configure(available_locales: nil, default_locale: nil)
+    @locale_config ||= {}
+    @locale_config[:available_locales] = available_locales if available_locales
+    @locale_config[:default_locale] = default_locale if default_locale
+  end
+
+  # Enable authentication middleware for route-level access control.
+  # This will automatically check route auth parameters and enforce authentication.
+  #
+  # @example
+  #   otto.enable_authentication!
+  def enable_authentication!
+    return if middleware_enabled?(Otto::Security::AuthenticationMiddleware)
+
+    use Otto::Security::AuthenticationMiddleware, @auth_config
+  end
+
+  # Configure authentication strategies for route-level access control.
+  #
+  # @param strategies [Hash] Hash mapping strategy names to strategy instances
+  # @param default_strategy [String] Default strategy to use when none specified
+  # @example
+  #   otto.configure_auth_strategies({
+  #     'publically' => Otto::Security::PublicStrategy.new,
+  #     'authenticated' => Otto::Security::SessionStrategy.new(session_key: 'user_id'),
+  #     'role:admin' => Otto::Security::RoleStrategy.new(['admin']),
+  #     'api_key' => Otto::Security::APIKeyStrategy.new(api_keys: ['secret123'])
+  #   })
+  def configure_auth_strategies(strategies, default_strategy: 'publically')
+    @auth_config ||= {}
+    @auth_config[:auth_strategies] = strategies
+    @auth_config[:default_auth_strategy] = default_strategy
+
+    enable_authentication! unless strategies.empty?
+  end
+
+  # Add a single authentication strategy
+  #
+  # @param name [String] Strategy name
+  # @param strategy [Otto::Security::AuthStrategy] Strategy instance
+  # @example
+  #   otto.add_auth_strategy('custom', MyCustomStrategy.new)
+  def add_auth_strategy(name, strategy)
+    @auth_config ||= { auth_strategies: {}, default_auth_strategy: 'publically' }
+    @auth_config[:auth_strategies][name] = strategy
+
+    enable_authentication!
+  end
+
   private
 
+  def configure_locale(opts)
+    # Start with global configuration
+    global_config = self.class.global_config
+    @locale_config = nil
+
+    # Check if we have any locale configuration from any source
+    has_global_locale = global_config && (global_config[:available_locales] || global_config[:default_locale])
+    has_direct_options = opts[:available_locales] || opts[:default_locale]
+    has_legacy_config = opts[:locale_config]
+
+    # Only create locale_config if we have configuration from somewhere
+    if has_global_locale || has_direct_options || has_legacy_config
+      @locale_config = {}
+
+      # Apply global configuration first
+      @locale_config[:available_locales] = global_config[:available_locales] if global_config && global_config[:available_locales]
+      @locale_config[:default_locale] = global_config[:default_locale] if global_config && global_config[:default_locale]
+
+      # Apply direct instance options (these override global config)
+      @locale_config[:available_locales] = opts[:available_locales] if opts[:available_locales]
+      @locale_config[:default_locale] = opts[:default_locale] if opts[:default_locale]
+
+      # Legacy support: Configure locale if provided in initialization options via locale_config hash
+      if opts[:locale_config]
+        locale_opts = opts[:locale_config]
+        @locale_config[:available_locales] = locale_opts[:available_locales] || locale_opts[:available] if locale_opts[:available_locales] || locale_opts[:available]
+        @locale_config[:default_locale] = locale_opts[:default_locale] || locale_opts[:default] if locale_opts[:default_locale] || locale_opts[:default]
+      end
+    end
+  end
+
   def configure_security(opts)
     # Enable CSRF protection if requested
     enable_csrf_protection! if opts[:csrf_protection]
@@ -394,6 +521,19 @@ class Otto
     @middleware_stack.any? { |m| m == middleware_class }
   end
 
+  def configure_authentication(opts)
+    # Configure authentication strategies
+    @auth_config = {
+      auth_strategies: opts[:auth_strategies] || {},
+      default_auth_strategy: opts[:default_auth_strategy] || 'publically'
+    }
+
+    # Enable authentication middleware if strategies are configured
+    if opts[:auth_strategies] && !opts[:auth_strategies].empty?
+      enable_authentication!
+    end
+  end
+
   def handle_error(error, env)
     # Log error details internally but don't expose them
     error_id = SecureRandom.hex(8)

data/otto.gemspec

@@ -16,11 +16,11 @@ Gem::Specification.new do |spec|
   spec.homepage      = 'https://github.com/delano/otto'
   spec.require_paths = ['lib']
 
-  spec.required_ruby_version = ['>= 3.4', '< 4.0']
+  spec.required_ruby_version = ['>= 3.2', '< 4.0']
 
   # https://github.com/delano/otto/security/dependabot/5
   spec.add_dependency 'rexml', '>= 3.3.6'
-
+  spec.add_dependency 'ostruct'
   spec.add_dependency 'rack', '~> 3.1', '< 4.0'
   spec.add_dependency 'rack-parser', '~> 0.7'
   spec.metadata['rubygems_mfa_required'] = 'true'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: otto
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.5.0
 platform: ruby
 authors:
 - Delano Mandelbaum
@@ -23,6 +23,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 3.3.6
+- !ruby/object:Gem::Dependency
+  name: ostruct
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -63,27 +77,40 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/dependabot.yml"
+- ".github/workflows/ci.yml"
 - ".gitignore"
+- ".pre-commit-config.yaml"
+- ".pre-push-config.yaml"
 - ".rspec"
 - ".rubocop.yml"
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
 - README.md
+- docs/.gitignore
 - examples/basic/app.rb
 - examples/basic/config.ru
 - examples/basic/routes
 - examples/dynamic_pages/app.rb
 - examples/dynamic_pages/config.ru
 - examples/dynamic_pages/routes
+- examples/helpers_demo/app.rb
+- examples/helpers_demo/config.ru
+- examples/helpers_demo/routes
 - examples/security_features/app.rb
 - examples/security_features/config.ru
 - examples/security_features/routes
 - lib/otto.rb
 - lib/otto/design_system.rb
+- lib/otto/helpers/base.rb
 - lib/otto/helpers/request.rb
 - lib/otto/helpers/response.rb
+- lib/otto/response_handlers.rb
 - lib/otto/route.rb
+- lib/otto/route_definition.rb
+- lib/otto/route_handlers.rb
+- lib/otto/security/authentication.rb
 - lib/otto/security/config.rb
 - lib/otto/security/csrf.rb
 - lib/otto/security/validator.rb
@@ -104,7 +131,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '3.4'
+      version: '3.2'
   - - "<"
     - !ruby/object:Gem::Version
       version: '4.0'