otto 1.5.0 → 2.0.0.pre1

data/lib/otto/route_handlers.rb

@@ -1,383 +1,17 @@
+# frozen_string_literal: true
+
 # lib/otto/route_handlers.rb
 
 class Otto
-  # Pluggable Route Handler Factory (Phase 4)
+  # Pluggable Route Handler Factory
+  #
   # Enables different execution patterns while maintaining backward compatibility
   module RouteHandlers
-
-    # Factory for creating appropriate handlers based on route definitions
-    class HandlerFactory
-      # Create a handler for the given route definition
-      # @param route_definition [Otto::RouteDefinition] The route definition
-      # @param otto_instance [Otto] The Otto instance for configuration access
-      # @return [BaseHandler] Appropriate handler for the route
-      def self.create_handler(route_definition, otto_instance = nil)
-        case route_definition.kind
-        when :logic
-          LogicClassHandler.new(route_definition, otto_instance)
-        when :instance
-          InstanceMethodHandler.new(route_definition, otto_instance)
-        when :class
-          ClassMethodHandler.new(route_definition, otto_instance)
-        else
-          raise ArgumentError, "Unknown handler kind: #{route_definition.kind}"
-        end
-      end
-    end
-
-    # Base class for all route handlers
-    # Provides common functionality and interface
-    class BaseHandler
-      attr_reader :route_definition, :otto_instance
-
-      def initialize(route_definition, otto_instance = nil)
-        @route_definition = route_definition
-        @otto_instance = otto_instance
-      end
-
-      # Execute the route handler
-      # @param env [Hash] Rack environment
-      # @param extra_params [Hash] Additional parameters
-      # @return [Array] Rack response array
-      def call(env, extra_params = {})
-        raise NotImplementedError, "Subclasses must implement #call"
-      end
-
-      protected
-
-      # Get the target class, loading it safely
-      # @return [Class] The target class
-      def target_class
-        @target_class ||= safe_const_get(route_definition.klass_name)
-      end
-
-      # Setup request and response with the same extensions and processing as Route#call
-      # @param req [Rack::Request] Request object
-      # @param res [Rack::Response] Response object
-      # @param env [Hash] Rack environment
-      # @param extra_params [Hash] Additional parameters
-      def setup_request_response(req, res, env, extra_params)
-        # Apply the same extensions as original Route#call
-        req.extend Otto::RequestHelpers
-        res.extend Otto::ResponseHelpers
-        res.request = req
-
-        # Make security config available to response helpers
-        if otto_instance&.respond_to?(:security_config) && otto_instance.security_config
-          env['otto.security_config'] = otto_instance.security_config
-        end
-
-        # Make route definition and options available to middleware and handlers
-        env['otto.route_definition'] = route_definition
-        env['otto.route_options'] = route_definition.options
-
-        # Process parameters through security layer
-        req.params.merge! extra_params
-        req.params.replace Otto::Static.indifferent_params(req.params)
-
-        # Add security headers
-        if otto_instance&.respond_to?(:security_config) && otto_instance.security_config
-          otto_instance.security_config.security_headers.each do |header, value|
-            res.headers[header] = value
-          end
-        end
-
-        # Setup class extensions if target_class is available
-        if target_class
-          target_class.extend Otto::Route::ClassMethods
-          target_class.otto = otto_instance if otto_instance
-        end
-
-        # Add security helpers if CSRF is enabled
-        if otto_instance&.respond_to?(:security_config) && otto_instance.security_config&.csrf_enabled?
-          res.extend Otto::Security::CSRFHelpers
-        end
-
-        # Add validation helpers
-        res.extend Otto::Security::ValidationHelpers
-      end
-
-      # Finalize response with the same processing as Route#call
-      # @param res [Rack::Response] Response object
-      # @return [Array] Rack response array
-      def finalize_response(res)
-        res.body = [res.body] unless res.body.respond_to?(:each)
-        res.finish
-      end
-
-      # Handle response using appropriate response handler
-      # @param result [Object] Result from route execution
-      # @param response [Rack::Response] Response object
-      # @param context [Hash] Additional context for response handling
-      def handle_response(result, response, context = {})
-        response_type = route_definition.response_type
-
-        # Get the appropriate response handler
-        handler_class = case response_type
-                       when 'json' then Otto::ResponseHandlers::JSONHandler
-                       when 'redirect' then Otto::ResponseHandlers::RedirectHandler
-                       when 'view' then Otto::ResponseHandlers::ViewHandler
-                       when 'auto' then Otto::ResponseHandlers::AutoHandler
-                       else Otto::ResponseHandlers::DefaultHandler
-                       end
-
-        handler_class.handle(result, response, context)
-      end
-
-      private
-
-      # Safely get a constant from a string name
-      # @param name [String] Class name
-      # @return [Class] The class
-      def safe_const_get(name)
-        name.split('::').inject(Object) do |scope, const_name|
-          scope.const_get(const_name)
-        end
-      rescue NameError => e
-        raise NameError, "Unknown class: #{name} (#{e})"
-      end
-    end
-
-    # Handler for Logic classes (new in Otto Framework Enhancement)
-    # Supports the OneTime Secret Logic class pattern
-    class LogicClassHandler < BaseHandler
-      def call(env, extra_params = {})
-        req = Rack::Request.new(env)
-        res = Rack::Response.new
-
-        begin
-          # Get authentication context if available
-          auth_result = env['otto.auth_result']
-
-          # Initialize Logic class with standard parameters
-          # Logic classes expect: session, user, params, locale
-          logic_params = req.params.merge(extra_params)
-          locale = env['otto.locale'] || 'en'
-
-          logic = if target_class.instance_method(:initialize).arity == 4
-                    # Standard Logic class constructor
-                    target_class.new(
-                      auth_result&.session,
-                      auth_result&.user,
-                      logic_params,
-                      locale
-                    )
-                  else
-                    # Fallback for custom constructors
-                    target_class.new(req, res)
-                  end
-
-          # Execute standard Logic class lifecycle
-          if logic.respond_to?(:raise_concerns)
-            logic.raise_concerns
-          end
-
-          result = if logic.respond_to?(:process)
-                     logic.process
-                   else
-                     logic.call || logic
-                   end
-
-          # Handle response with Logic instance context
-          handle_response(result, res, {
-            logic_instance: logic,
-            request: req,
-            status_code: logic.respond_to?(:status_code) ? logic.status_code : nil
-          })
-
-        rescue => e
-          # Error handling - return 500 with proper headers like main Otto error handler
-          error_id = SecureRandom.hex(8)
-          Otto.logger.error "[#{error_id}] #{e.class}: #{e.message}"
-          Otto.logger.debug "[#{error_id}] Backtrace: #{e.backtrace.join("\n")}" if Otto.debug
-
-          res.status = 500
-          res.headers['content-type'] = 'text/plain'
-
-          if Otto.env?(:dev, :development)
-            res.write "Server error (ID: #{error_id}). Check logs for details."
-          else
-            res.write "An error occurred. Please try again later."
-          end
-
-          # Add security headers if available
-          if otto_instance&.respond_to?(:security_config) && otto_instance.security_config
-            otto_instance.security_config.security_headers.each do |header, value|
-              res.headers[header] = value
-            end
-          end
-        end
-
-        res.finish
-      end
-    end
-
-    # Handler for instance methods (existing Otto pattern)
-    # Maintains backward compatibility for Controller#action patterns
-    class InstanceMethodHandler < BaseHandler
-      def call(env, extra_params = {})
-        req = Rack::Request.new(env)
-        res = Rack::Response.new
-
-        begin
-          # Apply the same extensions and processing as original Route#call
-          setup_request_response(req, res, env, extra_params)
-
-          # Create instance and call method (existing Otto behavior)
-          instance = target_class.new(req, res)
-          result = instance.send(route_definition.method_name)
-
-          # Only handle response if response_type is not default
-          if route_definition.response_type != 'default'
-            handle_response(result, res, {
-              instance: instance,
-              request: req
-            })
-          end
-
-        rescue => e
-          # Error handling - return 500 with proper headers like main Otto error handler
-          error_id = SecureRandom.hex(8)
-          Otto.logger.error "[#{error_id}] #{e.class}: #{e.message}"
-          Otto.logger.debug "[#{error_id}] Backtrace: #{e.backtrace.join("\n")}" if Otto.debug
-
-          res.status = 500
-          res.headers['content-type'] = 'text/plain'
-
-          if Otto.env?(:dev, :development)
-            res.write "Server error (ID: #{error_id}). Check logs for details."
-          else
-            res.write "An error occurred. Please try again later."
-          end
-
-          # Add security headers if available
-          if otto_instance&.respond_to?(:security_config) && otto_instance.security_config
-            otto_instance.security_config.security_headers.each do |header, value|
-              res.headers[header] = value
-            end
-          end
-        end
-
-        finalize_response(res)
-      end
-    end
-
-    # Handler for class methods (existing Otto pattern)
-    # Maintains backward compatibility for Controller.action patterns
-    class ClassMethodHandler < BaseHandler
-      def call(env, extra_params = {})
-        req = Rack::Request.new(env)
-        res = Rack::Response.new
-
-        begin
-          # Apply the same extensions and processing as original Route#call
-          setup_request_response(req, res, env, extra_params)
-
-          # Call class method directly (existing Otto behavior)
-          result = target_class.send(route_definition.method_name, req, res)
-
-          # Only handle response if response_type is not default
-          if route_definition.response_type != 'default'
-            handle_response(result, res, {
-              class: target_class,
-              request: req
-            })
-          end
-
-        rescue => e
-          # Error handling - return 500 with proper headers like main Otto error handler
-          error_id = SecureRandom.hex(8)
-          Otto.logger.error "[#{error_id}] #{e.class}: #{e.message}"
-          Otto.logger.debug "[#{error_id}] Backtrace: #{e.backtrace.join("\n")}" if Otto.debug
-
-          res.status = 500
-
-          # Content negotiation for error response
-          accept_header = env['HTTP_ACCEPT'].to_s
-          if accept_header.include?('application/json')
-            res.headers['content-type'] = 'application/json'
-            error_data = if Otto.env?(:dev, :development)
-              {
-                error: 'Internal Server Error',
-                message: 'Server error occurred. Check logs for details.',
-                error_id: error_id,
-              }
-            else
-              {
-                error: 'Internal Server Error',
-                message: 'An error occurred. Please try again later.',
-              }
-            end
-            res.write JSON.generate(error_data)
-          else
-            res.headers['content-type'] = 'text/plain'
-            if Otto.env?(:dev, :development)
-              res.write "Server error (ID: #{error_id}). Check logs for details."
-            else
-              res.write "An error occurred. Please try again later."
-            end
-          end
-
-          # Add security headers if available
-          if otto_instance&.respond_to?(:security_config) && otto_instance.security_config
-            otto_instance.security_config.security_headers.each do |header, value|
-              res.headers[header] = value
-            end
-          end
-        end
-
-        finalize_response(res)
-      end
-    end
-
-    # Custom handler for lambda/proc definitions (future extension)
-    class LambdaHandler < BaseHandler
-      def call(env, extra_params = {})
-        req = Rack::Request.new(env)
-        res = Rack::Response.new
-
-        begin
-          # Security: Lambda handlers require pre-configured procs from Otto instance
-          # This prevents code injection via eval and maintains security
-          handler_name = route_definition.klass_name
-          lambda_registry = otto_instance&.config&.dig(:lambda_handlers) || {}
-
-          lambda_proc = lambda_registry[handler_name]
-          unless lambda_proc.respond_to?(:call)
-            raise ArgumentError, "Lambda handler '#{handler_name}' not found in registry or not callable"
-          end
-
-          result = lambda_proc.call(req, res, extra_params)
-
-          handle_response(result, res, {
-            lambda: lambda_proc,
-            request: req
-          })
-
-        rescue => e
-          error_id = SecureRandom.hex(8)
-          Otto.logger.error "[#{error_id}] #{e.class}: #{e.message}"
-          Otto.logger.debug "[#{error_id}] Backtrace: #{e.backtrace.join("\n")}" if Otto.debug
-
-          res.status = 500
-          res.headers['content-type'] = 'text/plain'
-
-          if Otto.env?(:dev, :development)
-            res.write "Lambda handler error (ID: #{error_id}). Check logs for details."
-          else
-            res.write "An error occurred. Please try again later."
-          end
-
-          # Add security headers if available
-          if otto_instance&.respond_to?(:security_config) && otto_instance.security_config
-            otto_instance.security_config.security_headers.each do |header, value|
-              res.headers[header] = value
-            end
-          end
-        end
-
-        res.finish
-      end
-    end
+    require_relative 'route_handlers/base'
+    require_relative 'route_handlers/factory'
+    require_relative 'route_handlers/logic_class'
+    require_relative 'route_handlers/instance_method'
+    require_relative 'route_handlers/class_method'
+    require_relative 'route_handlers/lambda'
   end
 end

data/lib/otto/security/authentication/auth_strategy.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+# lib/otto/security/authentication/auth_strategy.rb
+#
+# Base class for all authentication strategies in Otto framework
+# Provides pluggable authentication patterns that can be customized per application
+
+class Otto
+  module Security
+    module Authentication
+      # Base class for all authentication strategies
+      class AuthStrategy
+        # Check if the request meets the authentication requirements
+        # @param env [Hash] Rack environment
+        # @param requirement [String] Authentication requirement string
+        # @return [Otto::Security::Authentication::StrategyResult, nil] StrategyResult for success, nil for failure
+        def authenticate(env, requirement)
+          raise NotImplementedError, 'Subclasses must implement #authenticate'
+        end
+
+        protected
+
+        # Helper to create successful strategy result
+        def success(user:, session: {}, auth_method: nil, **metadata)
+          Otto::Security::Authentication::StrategyResult.new(
+            session: session,
+            user: user,
+            auth_method: auth_method || self.class.name.split('::').last,
+            metadata: metadata
+          )
+        end
+
+        # Helper for authentication failure - return FailureResult
+        def failure(reason = nil)
+          Otto.logger.debug "[#{self.class}] Authentication failed: #{reason}" if reason
+          Otto::Security::Authentication::FailureResult.new(
+            failure_reason: reason || 'Authentication failed',
+            auth_method: self.class.name.split('::').last
+          )
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/authentication/authentication_middleware.rb

@@ -0,0 +1,123 @@
+# frozen_string_literal: true
+
+require_relative 'strategy_result'
+require_relative 'failure_result'
+require_relative 'strategies/public_strategy'
+require_relative 'strategies/role_strategy'
+require_relative 'strategies/permission_strategy'
+
+class Otto
+  module Security
+    module Authentication
+      # Authentication middleware that enforces route-level auth requirements
+      class AuthenticationMiddleware
+        def initialize(app, security_config = {}, config = {})
+          @app = app
+          @security_config = security_config
+          @config = config
+          @strategies = config[:auth_strategies] || {}
+          @default_strategy = config[:default_auth_strategy] || 'publicly'
+
+          # Add default public strategy if not provided
+          @strategies['publicly'] ||= Strategies::PublicStrategy.new
+        end
+
+        def call(env)
+          # Check if this route has auth requirements
+          route_definition = env['otto.route_definition']
+
+          # If no route definition, create anonymous result and continue
+          unless route_definition
+            env['otto.strategy_result'] = Otto::Security::Authentication::StrategyResult.anonymous(
+              metadata: { ip: env['REMOTE_ADDR'] }
+            )
+            return @app.call(env)
+          end
+
+          auth_requirement = route_definition.auth_requirement
+
+          # If no auth requirement, create anonymous result and continue
+          unless auth_requirement
+            env['otto.strategy_result'] = Otto::Security::Authentication::StrategyResult.anonymous(
+              metadata: { ip: env['REMOTE_ADDR'] }
+            )
+            return @app.call(env)
+          end
+
+          # Find appropriate strategy
+          strategy = find_strategy(auth_requirement)
+          return auth_error_response("Unknown authentication strategy: #{auth_requirement}") unless strategy
+
+          # Perform authentication
+          strategy_result = strategy.authenticate(env, auth_requirement)
+
+          if strategy_result&.success?
+            # Success - store the strategy result directly
+            env['otto.strategy_result'] = strategy_result
+            env['otto.user'] = strategy_result.user # For convenience
+            env['otto.user_context'] = strategy_result.user_context # For convenience
+            @app.call(env)
+          else
+            # Failure - create anonymous result with failure info
+            failure_reason = strategy_result&.failure_reason || 'Authentication failed'
+            env['otto.strategy_result'] = Otto::Security::Authentication::StrategyResult.anonymous(
+              metadata: {
+                ip: env['REMOTE_ADDR'],
+                auth_failure: failure_reason,
+                attempted_strategy: auth_requirement,
+              }
+            )
+            auth_error_response(failure_reason)
+          end
+        end
+
+        private
+
+        def find_strategy(requirement)
+          # Try exact match first - this has highest priority
+          return @strategies[requirement] if @strategies[requirement]
+
+          # For colon-separated requirements like "role:admin", try prefix match
+          if requirement.include?(':')
+            prefix = requirement.split(':', 2).first
+
+            # Check if we have a strategy registered for the prefix
+            prefix_strategy = @strategies[prefix]
+            return prefix_strategy if prefix_strategy
+
+            # Try fallback patterns for role: and permission: requirements
+            if requirement.start_with?('role:')
+              return @strategies['role'] || Strategies::RoleStrategy.new([])
+            elsif requirement.start_with?('permission:')
+              return @strategies['permission'] || Strategies::PermissionStrategy.new([])
+            end
+          end
+
+          nil
+        end
+
+        def auth_error_response(message)
+          body = JSON.generate({
+                                 error: 'Authentication Required',
+            message: message,
+            timestamp: Time.now.to_i,
+                               })
+
+          headers = {
+            'Content-Type' => 'application/json',
+            'Content-Length' => body.bytesize.to_s,
+          }
+
+          # Add security headers if available from config hash or Otto instance
+          if @config.is_a?(Hash) && @config[:security_headers]
+            headers.merge!(@config[:security_headers])
+          elsif @config.respond_to?(:security_config) && @config.security_config
+            headers.merge!(@config.security_config.security_headers)
+          end
+
+          [401, headers, [body]]
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/authentication/failure_result.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+# lib/otto/security/authentication/failure_result.rb
+
+class Otto
+  module Security
+    module Authentication
+      # Failure result for authentication failures
+      FailureResult = Data.define(:failure_reason, :auth_method) do
+        def success?
+          false
+        end
+
+        def failure?
+          true
+        end
+
+        def authenticated?
+          false
+        end
+
+        def anonymous?
+          true
+        end
+
+        def user_context
+          {}
+        end
+
+        def inspect
+          "#<FailureResult reason=#{failure_reason.inspect} method=#{auth_method}>"
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/authentication/strategies/api_key_strategy.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require_relative '../auth_strategy'
+
+class Otto
+  module Security
+    module Authentication
+      module Strategies
+        # API key authentication strategy
+        class APIKeyStrategy < AuthStrategy
+          def initialize(api_keys: [], header_name: 'X-API-Key', param_name: 'api_key')
+            @api_keys = Array(api_keys)
+            @header_name = header_name
+            @param_name = param_name
+          end
+
+          def authenticate(env, _requirement)
+            # Try header first, then query parameter
+            api_key = env["HTTP_#{@header_name.upcase.tr('-', '_')}"]
+
+            if api_key.nil?
+              request = Rack::Request.new(env)
+              api_key = request.params[@param_name]
+            end
+
+            return failure('No API key provided') unless api_key
+
+            if @api_keys.empty? || @api_keys.include?(api_key)
+              # Create a simple user hash for API key authentication
+              user_data = { api_key: api_key }
+              success(user: user_data, api_key: api_key)
+            else
+              failure('Invalid API key')
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/authentication/strategies/permission_strategy.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require_relative '../auth_strategy'
+
+class Otto
+  module Security
+    module Authentication
+      module Strategies
+        # Permission-based authentication strategy
+        class PermissionStrategy < AuthStrategy
+          def initialize(required_permissions, session_key: 'user_permissions')
+            @required_permissions = Array(required_permissions)
+            @session_key = session_key
+          end
+
+          def authenticate(env, requirement)
+            session = env['rack.session']
+            return failure('No session available') unless session
+
+            user_permissions = session[@session_key] || []
+            user_permissions = Array(user_permissions)
+
+            # Create user data from session
+            user_data = { user_permissions: user_permissions, session: session }
+
+            # Extract permission from requirement (e.g., "permission:write" -> "write")
+            required_permission = requirement.split(':', 2).last
+
+            if user_permissions.include?(required_permission)
+              success(user: user_data, user_permissions: user_permissions, required_permission: required_permission)
+            else
+              failure("Insufficient privileges - requires permission: #{required_permission}")
+            end
+          end
+
+          def user_context(env)
+            session = env['rack.session']
+            return {} unless session
+
+            user_permissions = session[@session_key] || []
+            { user_permissions: Array(user_permissions) }
+          end
+        end
+      end
+    end
+  end
+end