otto 1.5.0 → 2.0.0.pre1

data/lib/otto/security/config.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # lib/otto/security/config.rb
 
 require 'securerandom'
@@ -22,10 +24,11 @@ class Otto
     #   config.max_param_depth = 16
     class Config
       attr_accessor :csrf_protection, :csrf_token_key, :csrf_header_key, :csrf_session_key,
-        :max_request_size, :max_param_depth, :max_param_keys,
-        :trusted_proxies, :require_secure_cookies,
-        :security_headers, :input_validation,
-        :csp_nonce_enabled, :debug_csp
+                    :max_request_size, :max_param_depth, :max_param_keys,
+                    :trusted_proxies, :require_secure_cookies,
+                    :security_headers, :input_validation,
+                    :csp_nonce_enabled, :debug_csp, :mcp_auth,
+                    :rate_limiting_config
 
       # Initialize security configuration with safe defaults
       #
@@ -45,6 +48,7 @@ class Otto
         @input_validation       = true
         @csp_nonce_enabled      = false
         @debug_csp              = false
+        @rate_limiting_config   = {}
       end
 
       # Enable CSRF (Cross-Site Request Forgery) protection
@@ -94,12 +98,12 @@ class Otto
       #   config.add_trusted_proxy(['10.0.0.1', '172.16.0.0/12'])
       def add_trusted_proxy(proxy)
         case proxy
-        when String
+        when String, Regexp
           @trusted_proxies << proxy
         when Array
           @trusted_proxies.concat(proxy)
         else
-          raise ArgumentError, 'Proxy must be a String or Array'
+          raise ArgumentError, 'Proxy must be a String, Regexp, or Array'
         end
       end
 
@@ -133,7 +137,7 @@ class Otto
         size = content_length.to_i
         if size > @max_request_size
           raise Otto::Security::RequestTooLargeError,
-            "Request size #{size} exceeds maximum #{@max_request_size}"
+                "Request size #{size} exceeds maximum #{@max_request_size}"
         end
         true
       end
@@ -306,8 +310,8 @@ class Otto
       end
 
       def store_session_id(request, session_id)
-          session                   = request.session
-          session[csrf_session_key] = session_id if session
+        session                   = request.session
+        session[csrf_session_key] = session_id if session
       rescue StandardError
         # Cookie fallback handled in inject_csrf_token
       end
@@ -359,9 +363,9 @@ class Otto
       def development_csp_directives(nonce)
         [
           "default-src 'none';",
-          "script-src 'nonce-#{nonce}' 'unsafe-inline';",  # Allow inline scripts for development tools
+          "script-src 'nonce-#{nonce}' 'unsafe-inline';", # Allow inline scripts for development tools
           "style-src 'self' 'unsafe-inline';",
-          "connect-src 'self' ws: wss: http: https:;",      # Allow HTTP and all WebSocket connections for dev tools
+          "connect-src 'self' ws: wss: http: https:;", # Allow HTTP and all WebSocket connections for dev tools
           "img-src 'self' data:;",
           "font-src 'self';",
           "object-src 'none';",

data/lib/otto/security/configurator.rb

@@ -0,0 +1,219 @@
+# frozen_string_literal: true
+
+# lib/otto/security/configurator.rb
+
+require_relative 'middleware/csrf_middleware'
+require_relative 'middleware/validation_middleware'
+require_relative 'authentication/authentication_middleware'
+require_relative 'middleware/rate_limit_middleware'
+
+# Security configuration facade for Otto framework
+class Otto
+  module Security
+    # Consolidates all security configuration methods into a single configurator class.
+    # This provides a unified interface for configuring CSRF protection, input validation,
+    # rate limiting, trusted proxies, and authentication strategies.
+    class Configurator
+      attr_reader :security_config, :middleware_stack
+      attr_accessor :auth_config
+
+      def initialize(security_config, middleware_stack, auth_config = nil)
+        @security_config = security_config
+        @middleware_stack = middleware_stack
+        # Use provided auth_config or initialize a new one
+        @auth_config = auth_config || { auth_strategies: {}, default_auth_strategy: 'publicly' }
+      end
+
+      # Unified security configuration method with sensible defaults
+      #
+      # Provides a comprehensive, one-stop configuration method for Otto's security features.
+      # This method allows configuring multiple security aspects in a single call, with flexible options.
+      #
+      # @param csrf_protection [Boolean, Hash] Enable CSRF protection
+      #   - `true`: Enable with default settings
+      #   - `Hash`: Provide custom CSRF configuration
+      # @param request_validation [Boolean] Enable input validation and sanitization
+      # @param rate_limiting [Boolean, Hash] Enable rate limiting
+      #   - `true`: Enable with default settings
+      #   - `Hash`: Provide custom rate limiting rules
+      # @param trusted_proxies [String, Array<String>] IP addresses or CIDR ranges to trust
+      # @param security_headers [Hash] Custom security headers to merge with defaults
+      # @param hsts [Boolean] Enable HTTP Strict Transport Security
+      # @param csp [Boolean, String] Enable Content Security Policy
+      # @param frame_protection [Boolean, String] Enable frame protection
+      # @param authentication [Boolean] Enable authentication
+      #
+      # @example Configure multiple security features in one call
+      #   otto.security.configure(
+      #     csrf_protection: true,
+      #     request_validation: true,
+      #     rate_limiting: { requests_per_minute: 100 },
+      #     trusted_proxies: ['10.0.0.0/8'],
+      #     security_headers: { 'x-custom-header' => 'value' },
+      #     hsts: true,
+      #     csp: "default-src 'self'",
+      #     frame_protection: 'SAMEORIGIN'
+      #   )
+      def configure(
+        csrf_protection: false,
+        request_validation: false,
+        rate_limiting: false,
+        trusted_proxies: [],
+        security_headers: {},
+        hsts: false,
+        csp: false,
+        frame_protection: false,
+        authentication: false
+      )
+        enable_csrf_protection! if csrf_protection
+        enable_request_validation! if request_validation
+        enable_rate_limiting!(rate_limiting.is_a?(Hash) ? rate_limiting : {}) if rate_limiting
+
+        Array(trusted_proxies).each { |proxy| add_trusted_proxy(proxy) }
+        self.security_headers = security_headers unless security_headers.empty?
+
+        enable_hsts! if hsts
+        enable_csp! if csp
+        enable_frame_protection! if frame_protection
+        enable_authentication! if authentication
+      end
+
+      # Enable CSRF protection for POST, PUT, DELETE, and PATCH requests.
+      # This will automatically add CSRF tokens to HTML forms and validate
+      # them on unsafe HTTP methods.
+      def enable_csrf_protection!
+        return if middleware_enabled?(Otto::Security::Middleware::CSRFMiddleware)
+
+        @security_config.enable_csrf_protection!
+        @middleware_stack.add(Otto::Security::Middleware::CSRFMiddleware)
+      end
+
+      # Enable request validation including input sanitization, size limits,
+      # and protection against XSS and SQL injection attacks.
+      def enable_request_validation!
+        return if middleware_enabled?(Otto::Security::Middleware::ValidationMiddleware)
+
+        @security_config.input_validation = true
+        @middleware_stack.add(Otto::Security::Middleware::ValidationMiddleware)
+      end
+
+      # Enable rate limiting to protect against abuse and DDoS attacks.
+      # This will automatically add rate limiting rules based on client IP.
+      #
+      # @param options [Hash] Rate limiting configuration options
+      # @option options [Integer] :requests_per_minute Maximum requests per minute per IP (default: 100)
+      # @option options [Hash] :custom_rules Custom rate limiting rules
+      def enable_rate_limiting!(options = {})
+        return if middleware_enabled?(Otto::Security::Middleware::RateLimitMiddleware)
+
+        configure_rate_limiting(options)
+        @middleware_stack.add(Otto::Security::Middleware::RateLimitMiddleware)
+      end
+
+      # Add a custom rate limiting rule.
+      #
+      # @param name [String, Symbol] Rule name
+      # @param options [Hash] Rule configuration
+      # @option options [Integer] :limit Maximum requests
+      # @option options [Integer] :period Time period in seconds (default: 60)
+      # @option options [Proc] :condition Optional condition proc that receives request
+      def add_rate_limit_rule(name, options)
+        @security_config.rate_limiting_config[:custom_rules] ||= {}
+        @security_config.rate_limiting_config[:custom_rules][name.to_s] = options
+      end
+
+      # Add a trusted proxy server for accurate client IP detection.
+      # Only requests from trusted proxies will have their forwarded headers honored.
+      #
+      # @param proxy [String, Regexp] IP address, CIDR range, or regex pattern
+      def add_trusted_proxy(proxy)
+        @security_config.add_trusted_proxy(proxy)
+      end
+
+      # Set custom security headers that will be added to all responses.
+      # These merge with the default security headers.
+      #
+      # @param headers [Hash] Hash of header name => value pairs
+      def security_headers=(headers)
+        @security_config.security_headers.merge!(headers)
+      end
+
+      # Enable HTTP Strict Transport Security (HSTS) header.
+      # WARNING: This can make your domain inaccessible if HTTPS is not properly
+      # configured. Only enable this when you're certain HTTPS is working correctly.
+      #
+      # @param max_age [Integer] Maximum age in seconds (default: 1 year)
+      # @param include_subdomains [Boolean] Apply to all subdomains (default: true)
+      def enable_hsts!(max_age: 31_536_000, include_subdomains: true)
+        @security_config.enable_hsts!(max_age: max_age, include_subdomains: include_subdomains)
+      end
+
+      # Enable Content Security Policy (CSP) header to prevent XSS attacks.
+      # The default policy only allows resources from the same origin.
+      #
+      # @param policy [String] CSP policy string (default: "default-src 'self'")
+      def enable_csp!(policy = "default-src 'self'")
+        @security_config.enable_csp!(policy)
+      end
+
+      # Enable X-Frame-Options header to prevent clickjacking attacks.
+      #
+      # @param option [String] Frame options: 'DENY', 'SAMEORIGIN', or 'ALLOW-FROM uri'
+      def enable_frame_protection!(option = 'SAMEORIGIN')
+        @security_config.enable_frame_protection!(option)
+      end
+
+      # Enable Content Security Policy (CSP) with nonce support for dynamic header generation.
+      # This enables the res.send_csp_headers response helper method.
+      #
+      # @param debug [Boolean] Enable debug logging for CSP headers (default: false)
+      def enable_csp_with_nonce!(debug: false)
+        @security_config.enable_csp_with_nonce!(debug: debug)
+      end
+
+      # Enable authentication middleware for route-level access control.
+      # This will automatically check route auth parameters and enforce authentication.
+      def enable_authentication!
+        return if middleware_enabled?(Otto::Security::Authentication::AuthenticationMiddleware)
+
+        @middleware_stack.add(Otto::Security::Authentication::AuthenticationMiddleware, @auth_config)
+      end
+
+      # Add a single authentication strategy
+      #
+      # @param name [String] Strategy name
+      # @param strategy [Otto::Security::Authentication::AuthStrategy] Strategy instance
+      def add_auth_strategy(name, strategy)
+        @auth_config[:auth_strategies][name] = strategy
+        enable_authentication!
+      end
+
+      # Configure authentication strategies for route-level access control.
+      #
+      # @param strategies [Hash] Hash mapping strategy names to strategy instances
+      # @param default_strategy [String] Default strategy to use when none specified
+      def configure_auth_strategies(strategies, default_strategy: 'publicly')
+        # Merge new strategies with existing ones, preserving shared state
+        @auth_config[:auth_strategies].merge!(strategies)
+        @auth_config[:default_auth_strategy] = default_strategy
+        enable_authentication! unless strategies.empty?
+      end
+
+      # Configure rate limiting settings.
+      #
+      # @param config [Hash] Rate limiting configuration
+      # @option config [Integer] :requests_per_minute Maximum requests per minute per IP
+      # @option config [Hash] :custom_rules Hash of custom rate limiting rules
+      # @option config [Object] :cache_store Custom cache store for rate limiting
+      def configure_rate_limiting(config)
+        @security_config.rate_limiting_config.merge!(config)
+      end
+
+      private
+
+      def middleware_enabled?(middleware_class)
+        @middleware_stack.includes?(middleware_class)
+      end
+    end
+  end
+end

data/lib/otto/security/csrf.rb

@@ -1,151 +1,16 @@
+# frozen_string_literal: true
+
 # lib/otto/security/csrf.rb
+#
+# Index file for CSRF protection components
+# Provides backward compatibility for existing CSRF usage
 
-require 'securerandom'
+require_relative 'middleware/csrf_middleware'
 
 class Otto
-  # CSRF protection middleware for Otto framework
   module Security
-    # Middleware that provides Cross-Site Request Forgery (CSRF) protection
-    class CSRFMiddleware
-      SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
-
-      def initialize(app, config = nil)
-        @app    = app
-        @config = config || Otto::Security::Config.new
-      end
-
-      def call(env)
-        return @app.call(env) unless @config.csrf_enabled?
-
-        request = Rack::Request.new(env)
-
-        # Skip CSRF protection for safe methods
-        if safe_method?(request.request_method)
-          response = @app.call(env)
-          response = inject_csrf_token(request, response) if html_response?(response)
-          return response
-        end
-
-        # Validate CSRF token for unsafe methods
-        return csrf_error_response unless valid_csrf_token?(request)
-
-        @app.call(env)
-      end
-
-      private
-
-      def safe_method?(method)
-        SAFE_METHODS.include?(method.upcase)
-      end
-
-      def valid_csrf_token?(request)
-        token = extract_csrf_token(request)
-        return false if token.nil? || token.empty?
-
-        session_id = @config.get_or_create_session_id(request)
-        @config.verify_csrf_token(token, session_id)
-      end
-
-      def extract_csrf_token(request)
-        # Try form parameter first
-        token = request.params[@config.csrf_token_key]
-
-        # Try header if not in params
-        token ||= request.env[@config.csrf_header_key]
-
-        # Try alternative header format
-        token ||= request.env['HTTP_X_CSRF_TOKEN'] if request.env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
-
-        token
-      end
-
-      def extract_session_id(request)
-        @config.get_or_create_session_id(request)
-      end
-
-      def inject_csrf_token(request, response)
-        return response unless response.is_a?(Array) && response.length >= 3
-
-        status, headers, body = response
-        content_type          = headers.find { |k, _v| k.downcase == 'content-type' }&.last
-
-        return response unless content_type&.include?('text/html')
-
-        # Get or create session ID
-        session_id = @config.get_or_create_session_id(request)
-
-        # Ensure session ID is saved to cookie if it was newly created
-        ensure_session_cookie(request, headers, session_id)
-
-        # Generate new CSRF token
-        csrf_token = @config.generate_csrf_token(session_id)
-
-        # Inject meta tag into HTML head
-        body_content = body.respond_to?(:join) ? body.join : body.to_s
-
-        if body_content.match?(/<head>/i)
-          meta_tag     = %(<meta name="csrf-token" content="#{csrf_token}">)
-          body_content = body_content.sub(/<head>/i, "<head>\n#{meta_tag}")
-
-          # Update content length if present
-          content_length_key          = headers.keys.find { |k| k.downcase == 'content-length' }
-          headers[content_length_key] = body_content.bytesize.to_s if content_length_key
-
-          [status, headers, [body_content]]
-        else
-          response
-        end
-      end
-
-      def ensure_session_cookie(request, headers, session_id)
-        # Check if session ID already exists in cookies
-        existing_cookie = request.cookies['_otto_session']
-        return if existing_cookie == session_id
-
-        # Set the session cookie
-        cookie_value  = "#{session_id}; Path=/; HttpOnly; SameSite=Lax"
-        cookie_value += '; Secure' if request.scheme == 'https'
-
-        # Handle existing Set-Cookie headers
-        existing_cookies = headers['set-cookie'] || headers['Set-Cookie']
-        if existing_cookies
-          # Append to existing cookies (handle both string and array formats)
-          if existing_cookies.is_a?(Array)
-            existing_cookies << "_otto_session=#{cookie_value}"
-          else
-            headers['set-cookie'] = [existing_cookies, "_otto_session=#{cookie_value}"]
-          end
-        else
-          headers['set-cookie'] = "_otto_session=#{cookie_value}"
-        end
-      end
-
-      def html_response?(response)
-        return false unless response.is_a?(Array) && response.length >= 2
-
-        headers      = response[1]
-        content_type = headers.find { |k, _v| k.downcase == 'content-type' }&.last
-        content_type&.include?('text/html')
-      end
-
-      def csrf_error_response
-        [
-          403,
-          {
-            'content-type' => 'application/json',
-            'content-length' => csrf_error_body.bytesize.to_s,
-          },
-          [csrf_error_body],
-        ]
-      end
-
-      def csrf_error_body
-        {
-          error: 'CSRF token validation failed',
-          message: 'The request could not be authenticated. Please refresh the page and try again.',
-        }.to_json
-      end
-    end
+    # Backward compatibility alias
+    CSRFMiddleware = Middleware::CSRFMiddleware
 
     # Helper methods for CSRF token handling in views and controllers
     module CSRFHelpers

data/lib/otto/security/middleware/csrf_middleware.rb

@@ -0,0 +1,151 @@
+# frozen_string_literal: true
+
+require_relative '../config'
+
+class Otto
+  module Security
+    module Middleware
+      # Middleware that provides Cross-Site Request Forgery (CSRF) protection
+      class CSRFMiddleware
+        SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
+
+        def initialize(app, config = nil)
+          @app    = app
+          @config = config || Otto::Security::Config.new
+        end
+
+        def call(env)
+          return @app.call(env) unless @config.csrf_enabled?
+
+          request = Rack::Request.new(env)
+
+          # Skip CSRF protection for safe methods
+          if safe_method?(request.request_method)
+            response = @app.call(env)
+            response = inject_csrf_token(request, response) if html_response?(response)
+            return response
+          end
+
+          # Validate CSRF token for unsafe methods
+          return csrf_error_response unless valid_csrf_token?(request)
+
+          @app.call(env)
+        end
+
+        private
+
+        def safe_method?(method)
+          SAFE_METHODS.include?(method.upcase)
+        end
+
+        def valid_csrf_token?(request)
+          token = extract_csrf_token(request)
+          return false if token.nil? || token.empty?
+
+          session_id = @config.get_or_create_session_id(request)
+          @config.verify_csrf_token(token, session_id)
+        end
+
+        def extract_csrf_token(request)
+          # Try form parameter first
+          token = request.params[@config.csrf_token_key]
+
+          # Try header if not in params
+          token ||= request.env[@config.csrf_header_key]
+
+          # Try alternative header format
+          token ||= request.env['HTTP_X_CSRF_TOKEN'] if request.env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
+
+          token
+        end
+
+        def extract_session_id(request)
+          @config.get_or_create_session_id(request)
+        end
+
+        def inject_csrf_token(request, response)
+          return response unless response.is_a?(Array) && response.length >= 3
+
+          status, headers, body = response
+          content_type          = headers.find { |k, _v| k.downcase == 'content-type' }&.last
+
+          return response unless content_type&.include?('text/html')
+
+          # Get or create session ID
+          session_id = @config.get_or_create_session_id(request)
+
+          # Ensure session ID is saved to cookie if it was newly created
+          ensure_session_cookie(request, headers, session_id)
+
+          # Generate new CSRF token
+          csrf_token = @config.generate_csrf_token(session_id)
+
+          # Inject meta tag into HTML head
+          body_content = body.respond_to?(:join) ? body.join : body.to_s
+
+          if body_content.match?(/<head>/i)
+            meta_tag     = %(<meta name="csrf-token" content="#{csrf_token}">)
+            body_content = body_content.sub(/<head>/i, "<head>\n#{meta_tag}")
+
+            # Update content length if present
+            content_length_key          = headers.keys.find { |k| k.downcase == 'content-length' }
+            headers[content_length_key] = body_content.bytesize.to_s if content_length_key
+
+            [status, headers, [body_content]]
+          else
+            response
+          end
+        end
+
+        def ensure_session_cookie(request, headers, session_id)
+          # Check if session ID already exists in cookies
+          existing_cookie = request.cookies['_otto_session']
+          return if existing_cookie == session_id
+
+          # Set the session cookie
+          cookie_value  = "#{session_id}; Path=/; HttpOnly; SameSite=Lax"
+          cookie_value += '; Secure' if request.scheme == 'https'
+
+          # Handle existing Set-Cookie headers
+          existing_cookies = headers['set-cookie'] || headers['Set-Cookie']
+          if existing_cookies
+            # Append to existing cookies (handle both string and array formats)
+            if existing_cookies.is_a?(Array)
+              existing_cookies << "_otto_session=#{cookie_value}"
+            else
+              headers['set-cookie'] = [existing_cookies, "_otto_session=#{cookie_value}"]
+            end
+          else
+            headers['set-cookie'] = "_otto_session=#{cookie_value}"
+          end
+        end
+
+        def html_response?(response)
+          return false unless response.is_a?(Array) && response.length >= 2
+
+          headers      = response[1]
+          content_type = headers.find { |k, _v| k.downcase == 'content-type' }&.last
+          content_type&.include?('text/html')
+        end
+
+        def csrf_error_response
+          [
+            403,
+            {
+              'content-type' => 'application/json',
+              'content-length' => csrf_error_body.bytesize.to_s,
+            },
+            [csrf_error_body],
+          ]
+        end
+
+        def csrf_error_body
+          {
+            error: 'CSRF token validation failed',
+            message: 'The request could not be authenticated. Please refresh the page and try again.',
+          }.to_json
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/middleware/rate_limit_middleware.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require_relative '../rate_limiter'
+
+class Otto
+  module Security
+    module Middleware
+      # Middleware for applying rate limiting to HTTP requests
+      class RateLimitMiddleware
+        def initialize(app, security_config = nil)
+          @app = app
+          @security_config = security_config
+          @rate_limiter_available = defined?(Rack::Attack)
+
+          if @rate_limiter_available
+            configure_rate_limiting
+          else
+            Otto.logger.warn '[Otto] rack-attack not available - rate limiting disabled'
+          end
+        end
+
+        def call(env)
+          return @app.call(env) unless @rate_limiter_available
+
+          # Let rack-attack handle the rate limiting
+          @app.call(env)
+        end
+
+        private
+
+        def configure_rate_limiting
+          config = @security_config&.rate_limiting_config || {}
+          Otto::Security::RateLimiting.configure_rack_attack!(config)
+        end
+      end
+    end
+  end
+end