otto 1.4.0 → 1.6.0

data/lib/otto/route_handlers.rb

@@ -0,0 +1,412 @@
+# lib/otto/route_handlers.rb
+
+class Otto
+  # Pluggable Route Handler Factory (Phase 4)
+  # Enables different execution patterns while maintaining backward compatibility
+  module RouteHandlers
+    # Factory for creating appropriate handlers based on route definitions
+    class HandlerFactory
+      # Create a handler for the given route definition
+      # @param route_definition [Otto::RouteDefinition] The route definition
+      # @param otto_instance [Otto] The Otto instance for configuration access
+      # @return [BaseHandler] Appropriate handler for the route
+      def self.create_handler(route_definition, otto_instance = nil)
+        case route_definition.kind
+        when :logic
+          LogicClassHandler.new(route_definition, otto_instance)
+        when :instance
+          InstanceMethodHandler.new(route_definition, otto_instance)
+        when :class
+          ClassMethodHandler.new(route_definition, otto_instance)
+        else
+          raise ArgumentError, "Unknown handler kind: #{route_definition.kind}"
+        end
+      end
+    end
+
+    # Base class for all route handlers
+    # Provides common functionality and interface
+    class BaseHandler
+      attr_reader :route_definition, :otto_instance
+
+      def initialize(route_definition, otto_instance = nil)
+        @route_definition = route_definition
+        @otto_instance    = otto_instance
+      end
+
+      # Execute the route handler
+      # @param env [Hash] Rack environment
+      # @param extra_params [Hash] Additional parameters
+      # @return [Array] Rack response array
+      def call(env, extra_params = {})
+        raise NotImplementedError, 'Subclasses must implement #call'
+      end
+
+      protected
+
+      # Get the target class, loading it safely
+      # @return [Class] The target class
+      def target_class
+        @target_class ||= safe_const_get(route_definition.klass_name)
+      end
+
+      # Setup request and response with the same extensions and processing as Route#call
+      # @param req [Rack::Request] Request object
+      # @param res [Rack::Response] Response object
+      # @param env [Hash] Rack environment
+      # @param extra_params [Hash] Additional parameters
+      def setup_request_response(req, res, env, extra_params)
+        # Apply the same extensions as original Route#call
+        req.extend Otto::RequestHelpers
+        res.extend Otto::ResponseHelpers
+        res.request = req
+
+        # Make security config available to response helpers
+        if otto_instance.respond_to?(:security_config) && otto_instance.security_config
+          env['otto.security_config'] = otto_instance.security_config
+        end
+
+        # Make route definition and options available to middleware and handlers
+        env['otto.route_definition'] = route_definition
+        env['otto.route_options']    = route_definition.options
+
+        # Process parameters through security layer
+        req.params.merge! extra_params
+        req.params.replace Otto::Static.indifferent_params(req.params)
+
+        # Add security headers
+        if otto_instance.respond_to?(:security_config) && otto_instance.security_config
+          otto_instance.security_config.security_headers.each do |header, value|
+            res.headers[header] = value
+          end
+        end
+
+        # Setup class extensions if target_class is available
+        if target_class
+          target_class.extend Otto::Route::ClassMethods
+          target_class.otto = otto_instance if otto_instance
+        end
+
+        # Add security helpers if CSRF is enabled
+        if otto_instance.respond_to?(:security_config) && otto_instance.security_config&.csrf_enabled?
+          res.extend Otto::Security::CSRFHelpers
+        end
+
+        # Add validation helpers
+        res.extend Otto::Security::ValidationHelpers
+      end
+
+      # Finalize response with the same processing as Route#call
+      # @param res [Rack::Response] Response object
+      # @return [Array] Rack response array
+      def finalize_response(res)
+        res.body = [res.body] unless res.body.respond_to?(:each)
+        res.finish
+      end
+
+      # Handle response using appropriate response handler
+      # @param result [Object] Result from route execution
+      # @param response [Rack::Response] Response object
+      # @param context [Hash] Additional context for response handling
+      def handle_response(result, response, context = {})
+        response_type = route_definition.response_type
+
+        # Get the appropriate response handler
+        handler_class = case response_type
+                       when 'json' then Otto::ResponseHandlers::JSONHandler
+                       when 'redirect' then Otto::ResponseHandlers::RedirectHandler
+                       when 'view' then Otto::ResponseHandlers::ViewHandler
+                       when 'auto' then Otto::ResponseHandlers::AutoHandler
+                       else Otto::ResponseHandlers::DefaultHandler
+                       end
+
+        handler_class.handle(result, response, context)
+      end
+
+      private
+
+      # Safely get a constant from a string name
+      # @param name [String] Class name
+      # @return [Class] The class
+      def safe_const_get(name)
+        name.split('::').inject(Object) do |scope, const_name|
+          scope.const_get(const_name)
+        end
+      rescue NameError => ex
+        raise NameError, "Unknown class: #{name} (#{ex})"
+      end
+    end
+
+    # Handler for Logic classes (new in Otto Framework Enhancement)
+    # Supports the OneTime Secret Logic class pattern
+    class LogicClassHandler < BaseHandler
+      def call(env, extra_params = {})
+        req = Rack::Request.new(env)
+        res = Rack::Response.new
+
+        begin
+          # Get authentication context if available
+          auth_result = env['otto.auth_result']
+
+          # Initialize Logic class with standard parameters
+          # Logic classes expect: session, user, params, locale
+          logic_params = req.params.merge(extra_params)
+          locale       = env['otto.locale'] || 'en'
+
+          logic = if target_class.instance_method(:initialize).arity == 4
+                    # Standard Logic class constructor
+                    target_class.new(
+                      auth_result&.session,
+                      auth_result&.user,
+                      logic_params,
+                      locale,
+                    )
+                  else
+                    # Fallback for custom constructors
+                    target_class.new(req, res)
+                  end
+
+          # Execute standard Logic class lifecycle
+          if logic.respond_to?(:raise_concerns)
+            logic.raise_concerns
+          end
+
+          result = if logic.respond_to?(:process)
+                     logic.process
+                   else
+                     logic.call || logic
+                   end
+
+          # Handle response with Logic instance context
+          handle_response(result, res, {
+            logic_instance: logic,
+            request: req,
+            status_code: logic.respond_to?(:status_code) ? logic.status_code : nil,
+          }
+          )
+        rescue StandardError => ex
+          # Check if we're being called through Otto's integrated context (vs direct handler testing)
+          # In integrated context, let Otto's centralized error handler manage the response
+          # In direct testing context, handle errors locally for unit testing
+          if otto_instance
+            # Log error for handler-specific context but let Otto's centralized error handler manage the response
+            Otto.logger.error "[LogicClassHandler] #{ex.class}: #{ex.message}"
+            Otto.logger.debug "[LogicClassHandler] Backtrace: #{ex.backtrace.join("\n")}" if Otto.debug
+            raise ex  # Re-raise to let Otto's centralized error handler manage the response
+          else
+            # Direct handler testing context - handle errors locally with security improvements
+            error_id = SecureRandom.hex(8)
+            Otto.logger.error "[#{error_id}] #{ex.class}: #{ex.message}"
+            Otto.logger.debug "[#{error_id}] Backtrace: #{ex.backtrace.join("\n")}" if Otto.debug
+
+            res.status                  = 500
+            res.headers['content-type'] = 'text/plain'
+
+            if Otto.env?(:dev, :development)
+              res.write "Server error (ID: #{error_id}). Check logs for details."
+            else
+              res.write 'An error occurred. Please try again later.'
+            end
+
+            # Add security headers if available
+            if otto_instance.respond_to?(:security_config) && otto_instance.security_config
+              otto_instance.security_config.security_headers.each do |header, value|
+                res.headers[header] = value
+              end
+            end
+          end
+        end
+
+        res.finish
+      end
+    end
+
+    # Handler for instance methods (existing Otto pattern)
+    # Maintains backward compatibility for Controller#action patterns
+    class InstanceMethodHandler < BaseHandler
+      def call(env, extra_params = {})
+        req = Rack::Request.new(env)
+        res = Rack::Response.new
+
+        begin
+          # Apply the same extensions and processing as original Route#call
+          setup_request_response(req, res, env, extra_params)
+
+          # Create instance and call method (existing Otto behavior)
+          instance = target_class.new(req, res)
+          result   = instance.send(route_definition.method_name)
+
+          # Only handle response if response_type is not default
+          if route_definition.response_type != 'default'
+            handle_response(result, res, {
+              instance: instance,
+              request: req,
+            }
+            )
+          end
+        rescue StandardError => ex
+          # Check if we're being called through Otto's integrated context (vs direct handler testing)
+          # In integrated context, let Otto's centralized error handler manage the response
+          # In direct testing context, handle errors locally for unit testing
+          if otto_instance
+            # Log error for handler-specific context but let Otto's centralized error handler manage the response
+            Otto.logger.error "[InstanceMethodHandler] #{ex.class}: #{ex.message}"
+            Otto.logger.debug "[InstanceMethodHandler] Backtrace: #{ex.backtrace.join("\n")}" if Otto.debug
+            raise ex  # Re-raise to let Otto's centralized error handler manage the response
+          else
+            # Direct handler testing context - handle errors locally with security improvements
+            error_id = SecureRandom.hex(8)
+            Otto.logger.error "[#{error_id}] #{ex.class}: #{ex.message}"
+            Otto.logger.debug "[#{error_id}] Backtrace: #{ex.backtrace.join("\n")}" if Otto.debug
+
+            res.status                  = 500
+            res.headers['content-type'] = 'text/plain'
+
+            if Otto.env?(:dev, :development)
+              res.write "Server error (ID: #{error_id}). Check logs for details."
+            else
+              res.write 'An error occurred. Please try again later.'
+            end
+
+            # Add security headers if available
+            if otto_instance.respond_to?(:security_config) && otto_instance.security_config
+              otto_instance.security_config.security_headers.each do |header, value|
+                res.headers[header] = value
+              end
+            end
+          end
+        end
+
+        finalize_response(res)
+      end
+    end
+
+    # Handler for class methods (existing Otto pattern)
+    # Maintains backward compatibility for Controller.action patterns
+    class ClassMethodHandler < BaseHandler
+      def call(env, extra_params = {})
+        req = Rack::Request.new(env)
+        res = Rack::Response.new
+
+        begin
+          # Apply the same extensions and processing as original Route#call
+          setup_request_response(req, res, env, extra_params)
+
+          # Call class method directly (existing Otto behavior)
+          result = target_class.send(route_definition.method_name, req, res)
+
+          # Only handle response if response_type is not default
+          if route_definition.response_type != 'default'
+            handle_response(result, res, {
+              class: target_class,
+              request: req,
+            }
+            )
+          end
+        rescue StandardError => ex
+          # Check if we're being called through Otto's integrated context (vs direct handler testing)
+          # In integrated context, let Otto's centralized error handler manage the response
+          # In direct testing context, handle errors locally for unit testing
+          if otto_instance
+            # Log error for handler-specific context but let Otto's centralized error handler manage the response
+            Otto.logger.error "[ClassMethodHandler] #{ex.class}: #{ex.message}"
+            Otto.logger.debug "[ClassMethodHandler] Backtrace: #{ex.backtrace.join("\n")}" if Otto.debug
+            raise ex  # Re-raise to let Otto's centralized error handler manage the response
+          else
+            # Direct handler testing context - handle errors locally with security improvements
+            error_id = SecureRandom.hex(8)
+            Otto.logger.error "[#{error_id}] #{ex.class}: #{ex.message}"
+            Otto.logger.debug "[#{error_id}] Backtrace: #{ex.backtrace.join("\n")}" if Otto.debug
+
+            res.status = 500
+
+            # Content negotiation for error response
+            accept_header = env['HTTP_ACCEPT'].to_s
+            if accept_header.include?('application/json')
+              res.headers['content-type'] = 'application/json'
+              error_data                  = if Otto.env?(:dev, :development)
+                {
+                  error: 'Internal Server Error',
+                  message: 'Server error occurred. Check logs for details.',
+                  error_id: error_id,
+                }
+              else
+                {
+                  error: 'Internal Server Error',
+                  message: 'An error occurred. Please try again later.',
+                }
+              end
+              res.write JSON.generate(error_data)
+            else
+              res.headers['content-type'] = 'text/plain'
+              if Otto.env?(:dev, :development)
+                res.write "Server error (ID: #{error_id}). Check logs for details."
+              else
+                res.write 'An error occurred. Please try again later.'
+              end
+            end
+
+            # Add security headers if available
+            if otto_instance.respond_to?(:security_config) && otto_instance.security_config
+              otto_instance.security_config.security_headers.each do |header, value|
+                res.headers[header] = value
+              end
+            end
+          end
+        end
+
+        finalize_response(res)
+      end
+    end
+
+    # Custom handler for lambda/proc definitions (future extension)
+    class LambdaHandler < BaseHandler
+      def call(env, extra_params = {})
+        req = Rack::Request.new(env)
+        res = Rack::Response.new
+
+        begin
+          # Security: Lambda handlers require pre-configured procs from Otto instance
+          # This prevents code injection via eval and maintains security
+          handler_name    = route_definition.klass_name
+          lambda_registry = otto_instance&.config&.dig(:lambda_handlers) || {}
+
+          lambda_proc = lambda_registry[handler_name]
+          unless lambda_proc.respond_to?(:call)
+            raise ArgumentError, "Lambda handler '#{handler_name}' not found in registry or not callable"
+          end
+
+          result = lambda_proc.call(req, res, extra_params)
+
+          handle_response(result, res, {
+            lambda: lambda_proc,
+            request: req,
+          }
+          )
+        rescue StandardError => ex
+          error_id = SecureRandom.hex(8)
+          Otto.logger.error "[#{error_id}] #{ex.class}: #{ex.message}"
+          Otto.logger.debug "[#{error_id}] Backtrace: #{ex.backtrace.join("\n")}" if Otto.debug
+
+          res.status                  = 500
+          res.headers['content-type'] = 'text/plain'
+
+          if Otto.env?(:dev, :development)
+            res.write "Lambda handler error (ID: #{error_id}). Check logs for details."
+          else
+            res.write 'An error occurred. Please try again later.'
+          end
+
+          # Add security headers if available
+          if otto_instance.respond_to?(:security_config) && otto_instance.security_config
+            otto_instance.security_config.security_headers.each do |header, value|
+              res.headers[header] = value
+            end
+          end
+        end
+
+        res.finish
+      end
+    end
+  end
+end

data/lib/otto/security/authentication.rb

@@ -0,0 +1,289 @@
+# lib/otto/security/authentication.rb
+#
+# Configurable authentication strategy system for Otto framework
+# Provides pluggable authentication patterns that can be customized per application
+#
+# Usage:
+#   otto = Otto.new('routes.txt', {
+#     auth_strategies: {
+#       'publically' => PublicStrategy.new,
+#       'authenticated' => SessionStrategy.new,
+#       'role:admin' => RoleStrategy.new(['admin']),
+#       'api_key' => APIKeyStrategy.new
+#     }
+#   })
+
+class Otto
+  module Security
+    # Base class for all authentication strategies
+    class AuthStrategy
+      # Check if the request meets the authentication requirements
+      # @param env [Hash] Rack environment
+      # @param requirement [String] Authentication requirement string
+      # @return [AuthResult] Result containing success status and context
+      def authenticate(env, requirement)
+        raise NotImplementedError, 'Subclasses must implement #authenticate'
+      end
+
+      # Optional: Extract user context for authenticated requests
+      # @param env [Hash] Rack environment
+      # @return [Hash] User context hash
+      def user_context(env)
+        {}
+      end
+
+      protected
+
+      # Helper to create successful auth result
+      def success(user_context = {})
+        AuthResult.new(true, user_context)
+      end
+
+      # Helper to create failed auth result
+      def failure(reason = 'Authentication failed')
+        AuthResult.new(false, {}, reason)
+      end
+    end
+
+    # Result object for authentication attempts
+    class AuthResult
+      attr_reader :user_context, :failure_reason
+
+      def initialize(success, user_context = {}, failure_reason = nil)
+        @success = success
+        @user_context = user_context
+        @failure_reason = failure_reason
+      end
+
+      def success?
+        @success
+      end
+
+      def failure?
+        !@success
+      end
+    end
+
+    # Public access strategy - always allows access
+    class PublicStrategy < AuthStrategy
+      def authenticate(env, requirement)
+        success
+      end
+    end
+
+    # Session-based authentication strategy
+    class SessionStrategy < AuthStrategy
+      def initialize(session_key: 'user_id', session_store: nil)
+        @session_key = session_key
+        @session_store = session_store
+      end
+
+      def authenticate(env, requirement)
+        session = env['rack.session']
+        return failure('No session available') unless session
+
+        user_id = session[@session_key]
+        return failure('Not authenticated') unless user_id
+
+        success(user_id: user_id, session: session)
+      end
+
+      def user_context(env)
+        session = env['rack.session']
+        return {} unless session
+
+        user_id = session[@session_key]
+        user_id ? { user_id: user_id } : {}
+      end
+    end
+
+    # Role-based authentication strategy
+    class RoleStrategy < AuthStrategy
+      def initialize(allowed_roles, session_key: 'user_roles')
+        @allowed_roles = Array(allowed_roles)
+        @session_key = session_key
+      end
+
+      def authenticate(env, requirement)
+        session = env['rack.session']
+        return failure('No session available') unless session
+
+        user_roles = session[@session_key] || []
+        user_roles = Array(user_roles)
+
+        # For requirements like "role:admin", extract the role part
+        if requirement.include?(':')
+          required_role = requirement.split(':', 2).last
+          if user_roles.include?(required_role)
+            success(user_roles: user_roles, required_role: required_role)
+          else
+            failure("Insufficient privileges - requires role: #{required_role}")
+          end
+        else
+          # For direct strategy matches, check if user has any of the allowed roles
+          matching_roles = user_roles & @allowed_roles
+          if matching_roles.any?
+            success(user_roles: user_roles, allowed_roles: @allowed_roles, matching_roles: matching_roles)
+          else
+            failure("Insufficient privileges - requires one of roles: #{@allowed_roles.join(', ')}")
+          end
+        end
+      end
+
+      def user_context(env)
+        session = env['rack.session']
+        return {} unless session
+
+        user_roles = session[@session_key] || []
+        { user_roles: Array(user_roles) }
+      end
+    end
+
+    # API key authentication strategy
+    class APIKeyStrategy < AuthStrategy
+      def initialize(api_keys: [], header_name: 'X-API-Key', param_name: 'api_key')
+        @api_keys = Array(api_keys)
+        @header_name = header_name
+        @param_name = param_name
+      end
+
+      def authenticate(env, requirement)
+        # Try header first, then query parameter
+        api_key = env["HTTP_#{@header_name.upcase.tr('-', '_')}"]
+
+        if api_key.nil?
+          request = Rack::Request.new(env)
+          api_key = request.params[@param_name]
+        end
+
+        return failure('No API key provided') unless api_key
+
+        if @api_keys.empty? || @api_keys.include?(api_key)
+          success(api_key: api_key)
+        else
+          failure('Invalid API key')
+        end
+      end
+    end
+
+    # Permission-based authentication strategy
+    class PermissionStrategy < AuthStrategy
+      def initialize(required_permissions, session_key: 'user_permissions')
+        @required_permissions = Array(required_permissions)
+        @session_key = session_key
+      end
+
+      def authenticate(env, requirement)
+        session = env['rack.session']
+        return failure('No session available') unless session
+
+        user_permissions = session[@session_key] || []
+        user_permissions = Array(user_permissions)
+
+        # Extract permission from requirement (e.g., "permission:write" -> "write")
+        required_permission = requirement.split(':', 2).last
+
+        if user_permissions.include?(required_permission)
+          success(user_permissions: user_permissions, required_permission: required_permission)
+        else
+          failure("Insufficient privileges - requires permission: #{required_permission}")
+        end
+      end
+
+      def user_context(env)
+        session = env['rack.session']
+        return {} unless session
+
+        user_permissions = session[@session_key] || []
+        { user_permissions: Array(user_permissions) }
+      end
+    end
+
+    # Authentication middleware that enforces route-level auth requirements
+    class AuthenticationMiddleware
+      def initialize(app, config = {})
+        @app = app
+        @config = config
+        @strategies = config[:auth_strategies] || {}
+        @default_strategy = config[:default_auth_strategy] || 'publically'
+
+        # Add default public strategy if not provided
+        @strategies['publically'] ||= PublicStrategy.new
+      end
+
+      def call(env)
+        # Check if this route has auth requirements
+        route_definition = env['otto.route_definition']
+        return @app.call(env) unless route_definition
+
+        auth_requirement = route_definition.auth_requirement
+        return @app.call(env) unless auth_requirement
+
+        # Find appropriate strategy
+        strategy = find_strategy(auth_requirement)
+        unless strategy
+          return auth_error_response("Unknown authentication strategy: #{auth_requirement}")
+        end
+
+        # Perform authentication
+        auth_result = strategy.authenticate(env, auth_requirement)
+
+        if auth_result.success?
+          # Add user context to environment for handlers to use
+          env['otto.user_context'] = auth_result.user_context
+          env['otto.auth_result'] = auth_result
+          @app.call(env)
+        else
+          auth_error_response(auth_result.failure_reason)
+        end
+      end
+
+      private
+
+      def find_strategy(requirement)
+        # Try exact match first - this has highest priority
+        return @strategies[requirement] if @strategies[requirement]
+
+        # For colon-separated requirements like "role:admin", try prefix match
+        if requirement.include?(':')
+          prefix = requirement.split(':', 2).first
+
+          # Check if we have a strategy registered for the prefix
+          prefix_strategy = @strategies[prefix]
+          return prefix_strategy if prefix_strategy
+
+          # Try fallback patterns for role: and permission: requirements
+          if requirement.start_with?('role:')
+            return @strategies['role'] || RoleStrategy.new([])
+          elsif requirement.start_with?('permission:')
+            return @strategies['permission'] || PermissionStrategy.new([])
+          end
+        end
+
+        nil
+      end
+
+      def auth_error_response(message)
+        body = JSON.generate({
+          error: 'Authentication Required',
+          message: message,
+          timestamp: Time.now.to_i
+        })
+
+        headers = {
+          'Content-Type' => 'application/json',
+          'Content-Length' => body.bytesize.to_s
+        }
+
+        # Add security headers if available from config hash or Otto instance
+        if @config.is_a?(Hash) && @config[:security_headers]
+          headers.merge!(@config[:security_headers])
+        elsif @config.respond_to?(:security_config) && @config.security_config
+          headers.merge!(@config.security_config.security_headers)
+        end
+
+        [401, headers, [body]]
+      end
+    end
+  end
+end