otto 2.0.0.pre1 → 2.0.0.pre3

data/lib/otto/route.rb

@@ -45,10 +45,10 @@ class Otto
     #     "V2::Logic::AuthSession auth=authenticated response=redirect" (enhanced)
     # @raise [ArgumentError] if definition format is invalid or class name is unsafe
     def initialize(verb, path, definition)
-      @pattern, @keys = *compile(path)
+      pattern, keys = *compile(path)
 
       # Create immutable route definition
-      @route_definition = Otto::RouteDefinition.new(verb, path, definition, pattern: @pattern, keys: @keys)
+      @route_definition = Otto::RouteDefinition.new(verb, path, definition, pattern: pattern, keys: keys)
 
       # Resolve the class
       @klass = safe_const_get(@route_definition.klass_name)
@@ -87,52 +87,6 @@ class Otto
       @route_definition.options
     end
 
-    private
-
-    # Safely resolve a class name using Object.const_get with security validations
-    # This replaces the previous eval() usage to prevent code injection attacks.
-    #
-    # Security features:
-    # - Validates class name format (must start with capital letter)
-    # - Prevents access to dangerous system classes
-    # - Blocks relative class references (starting with ::)
-    # - Provides clear error messages for debugging
-    #
-    # @param class_name [String] The class name to resolve
-    # @return [Class] The resolved class
-    # @raise [ArgumentError] if class name is invalid, forbidden, or not found
-    def safe_const_get(class_name)
-      # Validate class name format
-      unless class_name.match?(/\A[A-Z][a-zA-Z0-9_]*(?:::[A-Z][a-zA-Z0-9_]*)*\z/)
-        raise ArgumentError, "Invalid class name format: #{class_name}"
-      end
-
-      # Prevent dangerous class names
-      forbidden_classes = %w[
-        Kernel Module Class Object BasicObject
-        File Dir IO Process System
-        Binding Proc Method UnboundMethod
-        Thread ThreadGroup Fiber
-        ObjectSpace GC
-      ]
-
-      if forbidden_classes.include?(class_name) || class_name.start_with?('::')
-        raise ArgumentError, "Forbidden class name: #{class_name}"
-      end
-
-      begin
-        Object.const_get(class_name)
-      rescue NameError => e
-        raise ArgumentError, "Class not found: #{class_name} - #{e.message}"
-      end
-    end
-
-    public
-
-    def pattern_regexp
-      Regexp.new(@path.gsub('/*', '/.+'))
-    end
-
     # Execute the route by calling the associated class method
     #
     # This method handles the complete request/response cycle with built-in security:
@@ -218,6 +172,48 @@ class Otto
 
     private
 
+    # Safely resolve a class name using Object.const_get with security validations
+    # This replaces the previous eval() usage to prevent code injection attacks.
+    #
+    # Security features:
+    # - Validates class name format (must start with capital letter)
+    # - Prevents access to dangerous system classes
+    # - Blocks relative class references (starting with ::)
+    # - Provides clear error messages for debugging
+    #
+    # @param class_name [String] The class name to resolve
+    # @return [Class] The resolved class
+    # @raise [ArgumentError] if class name is invalid, forbidden, or not found
+    def safe_const_get(class_name)
+      # Validate class name format
+      unless class_name.match?(/\A[A-Z][a-zA-Z0-9_]*(?:::[A-Z][a-zA-Z0-9_]*)*\z/)
+        raise ArgumentError, "Invalid class name format: #{class_name}"
+      end
+
+      # Remove any leading :: then add exactly one
+      fq_class_name = "::#{class_name.sub(/^::+/, '')}"
+
+      # Prevent dangerous class names
+      forbidden_classes = %w[
+        Kernel Module Class Object BasicObject
+        File Dir IO Process System
+        Binding Proc Method UnboundMethod
+        Thread ThreadGroup Fiber
+        ObjectSpace GC
+      ]
+
+      if forbidden_classes.include?(class_name) || class_name.start_with?('::')
+        raise ArgumentError, "Forbidden class name: #{class_name}"
+      end
+
+      begin
+        # Always guarantee exactly two leading colons
+        Object.const_get(fq_class_name)
+      rescue NameError => e
+        raise ArgumentError, "Class not found: #{fq_class_name} - #{e.message}"
+      end
+    end
+
     def compile(path)
       keys = []
 

data/lib/otto/route_handlers/base.rb

@@ -1,6 +1,5 @@
-# frozen_string_literal: true
-
 # lib/otto/route_handlers/base.rb
+
 require 'json'
 
 class Otto

data/lib/otto/route_handlers/factory.rb

@@ -3,6 +3,7 @@
 # lib/otto/route_handlers/factory.rb
 
 require_relative 'base'
+require_relative '../security/authentication/route_auth_wrapper'
 
 class Otto
   module RouteHandlers
@@ -13,16 +14,30 @@ class Otto
       # @param otto_instance [Otto] The Otto instance for configuration access
       # @return [BaseHandler] Appropriate handler for the route
       def self.create_handler(route_definition, otto_instance = nil)
-        case route_definition.kind
-        when :logic
-          LogicClassHandler.new(route_definition, otto_instance)
-        when :instance
-          InstanceMethodHandler.new(route_definition, otto_instance)
-        when :class
-          ClassMethodHandler.new(route_definition, otto_instance)
-        else
-          raise ArgumentError, "Unknown handler kind: #{route_definition.kind}"
+        # Create base handler based on route kind
+        handler_class = case route_definition.kind
+                        when :logic then LogicClassHandler
+                        when :instance then InstanceMethodHandler
+                        when :class then ClassMethodHandler
+                        else
+                          raise ArgumentError, "Unknown handler kind: #{route_definition.kind}"
+                        end
+
+        handler = handler_class.new(route_definition, otto_instance)
+
+        # Always wrap with RouteAuthWrapper to ensure env['otto.strategy_result'] is set
+        # - Routes WITH auth requirement: Enforces authentication
+        # - Routes WITHOUT auth requirement: Sets anonymous StrategyResult
+        if otto_instance&.auth_config
+          handler = Otto::Security::Authentication::RouteAuthWrapper.new(
+            handler,
+            route_definition,
+            otto_instance.auth_config,
+            otto_instance.security_config
+          )
         end
+
+        handler
       end
     end
   end

data/lib/otto/route_handlers/logic_class.rb

@@ -17,8 +17,8 @@ class Otto
         res = Rack::Response.new
 
         begin
-          # Get strategy result (guaranteed to exist from auth middleware)
-          strategy_result = env['otto.strategy_result'] || Otto::Security::Authentication::StrategyResult.anonymous
+          # Get strategy result (guaranteed to exist from RouteAuthWrapper)
+          strategy_result = env['otto.strategy_result']
 
           # Initialize Logic class with new signature: context, params, locale
           logic_params = req.params.merge(extra_params)

data/lib/otto/security/authentication/auth_failure.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+# lib/otto/security/authentication/failure_result.rb
+
+class Otto
+  module Security
+    module Authentication
+      # Failure result for authentication failures
+      AuthFailure = Data.define(:failure_reason, :auth_method) do
+        # AuthFailure represents authentication failure
+        # Returned by strategies when authentication fails
+        # Contains failure reason for error messages
+
+        # Check if authenticated - always false for failures
+        #
+        # @return [Boolean] False (failures are never authenticated)
+        def authenticated?
+          false
+        end
+
+        # Check if anonymous - always true for failures
+        #
+        # @return [Boolean] True (failures have no user)
+        def anonymous?
+          true
+        end
+
+        # Get empty user context for failures
+        #
+        # @return [Hash] Empty hash
+        def user_context
+          {}
+        end
+
+        # Create a string representation for debugging
+        #
+        # @return [String] Debug representation
+        def inspect
+          "#<AuthFailure reason=#{failure_reason.inspect} method=#{auth_method}>"
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/authentication/auth_strategy.rb

@@ -13,7 +13,7 @@ class Otto
         # Check if the request meets the authentication requirements
         # @param env [Hash] Rack environment
         # @param requirement [String] Authentication requirement string
-        # @return [Otto::Security::Authentication::StrategyResult, nil] StrategyResult for success, nil for failure
+        # @return [Otto::Security::Authentication::StrategyResult, Otto::Security::Authentication::AuthFailure] StrategyResult for success, AuthFailure for failure
         def authenticate(env, requirement)
           raise NotImplementedError, 'Subclasses must implement #authenticate'
         end
@@ -30,10 +30,10 @@ class Otto
           )
         end
 
-        # Helper for authentication failure - return FailureResult
+        # Helper for authentication failure - return AuthFailure
         def failure(reason = nil)
           Otto.logger.debug "[#{self.class}] Authentication failed: #{reason}" if reason
-          Otto::Security::Authentication::FailureResult.new(
+          Otto::Security::Authentication::AuthFailure.new(
             failure_reason: reason || 'Authentication failed',
             auth_method: self.class.name.split('::').last
           )

data/lib/otto/security/authentication/route_auth_wrapper.rb

@@ -0,0 +1,260 @@
+# frozen_string_literal: true
+
+# lib/otto/security/authentication/route_auth_wrapper.rb
+
+class Otto
+  module Security
+    module Authentication
+      # Wraps route handlers to enforce authentication requirements
+      #
+      # This wrapper executes authentication strategies AFTER routing but BEFORE
+      # route handler execution. This solves the architectural issue where
+      # middleware-based authentication runs before routing (so can't access route info).
+      #
+      # Flow:
+      #   1. Route matched (route_definition available)
+      #   2. RouteAuthWrapper#call invoked
+      #   3. Execute auth strategy based on route's auth_requirement
+      #   4. Set env['otto.strategy_result'], env['otto.user']
+      #   5. If auth fails, return 401 or redirect
+      #   6. If auth succeeds, call wrapped handler
+      #
+      # @example
+      #   handler = InstanceMethodHandler.new(route_def, otto)
+      #   wrapped = RouteAuthWrapper.new(handler, route_def, auth_config)
+      #   wrapped.call(env, extra_params)
+      #
+      class RouteAuthWrapper
+        attr_reader :wrapped_handler, :route_definition, :auth_config, :security_config
+
+        def initialize(wrapped_handler, route_definition, auth_config, security_config = nil)
+          @wrapped_handler  = wrapped_handler
+          @route_definition = route_definition
+          @auth_config      = auth_config  # Hash: { auth_strategies: {}, default_auth_strategy: 'publicly' }
+          @security_config  = security_config
+          @strategy_cache   = {}  # Cache resolved strategies to avoid repeated lookups
+        end
+
+        # Execute authentication then call wrapped handler
+        #
+        # For routes WITHOUT auth requirement: Sets anonymous StrategyResult
+        # For routes WITH auth requirement: Enforces authentication
+        #
+        # @param env [Hash] Rack environment
+        # @param extra_params [Hash] Additional parameters
+        # @return [Array] Rack response array
+        def call(env, extra_params = {})
+          auth_requirement = route_definition.auth_requirement
+
+          # Routes without auth requirement get anonymous StrategyResult
+          unless auth_requirement
+            # Note: env['REMOTE_ADDR'] is masked by IPPrivacyMiddleware by default
+            metadata = { ip: env['REMOTE_ADDR'] }
+            metadata[:country] = env['otto.geo_country'] if env['otto.geo_country']
+
+            result = StrategyResult.anonymous(metadata: metadata)
+            env['otto.strategy_result'] = result
+            env['otto.user'] = nil
+            env['otto.user_context'] = result.user_context
+            return wrapped_handler.call(env, extra_params)
+          end
+
+          # Routes WITH auth requirement: Execute authentication strategy
+          strategy = get_strategy(auth_requirement)
+
+          unless strategy
+            Otto.logger.error "[RouteAuthWrapper] No strategy found for requirement: #{auth_requirement}"
+            return unauthorized_response(env, "Authentication strategy not configured")
+          end
+
+          # Execute the strategy
+          result = strategy.authenticate(env, auth_requirement)
+
+          # Handle authentication failure
+          if result.is_a?(AuthFailure)
+            # Create anonymous result with failure info for logging/auditing
+            # Note: env['REMOTE_ADDR'] is masked by IPPrivacyMiddleware by default
+            metadata = {
+              ip: env['REMOTE_ADDR'],
+              auth_failure: result.failure_reason,
+              attempted_strategy: auth_requirement
+            }
+            metadata[:country] = env['otto.geo_country'] if env['otto.geo_country']
+
+            env['otto.strategy_result'] = StrategyResult.anonymous(metadata: metadata)
+            env['otto.user'] = nil
+            env['otto.user_context'] = {}
+            return auth_failure_response(env, result)
+          end
+
+          # Set environment variables for controllers/logic on success
+          env['otto.strategy_result'] = result
+          env['otto.user'] = result.user
+          env['otto.user_context'] = result.user_context
+
+          # SESSION PERSISTENCE: This assignment is INTENTIONAL, not a merge operation.
+          # We must ensure env['rack.session'] and strategy_result.session reference
+          # the SAME object so that:
+          #   1. Logic classes write to strategy_result.session
+          #   2. Rack's session middleware persists env['rack.session']
+          #   3. Changes from (1) are included in (2)
+          #
+          # Using merge! instead would break this - the objects must be identical.
+          env['rack.session'] = result.session if result.is_a?(StrategyResult) && result.session
+
+          # Authentication succeeded - call wrapped handler
+          wrapped_handler.call(env, extra_params)
+        end
+
+        private
+
+        # Get strategy from auth_config hash with sophisticated pattern matching
+        #
+        # Supports:
+        # - Exact match: 'authenticated' → looks up auth_config[:auth_strategies]['authenticated']
+        # - Prefix match: 'role:admin' → looks up 'role' strategy
+        # - Fallback: 'role:*' → creates default RoleStrategy
+        # - Fallback: 'permission:*' → creates default PermissionStrategy
+        #
+        # Results are cached to avoid repeated lookups for the same requirement.
+        #
+        # @param requirement [String] Auth requirement from route
+        # @return [AuthStrategy, nil] Strategy instance or nil
+        def get_strategy(requirement)
+          return nil unless auth_config && auth_config[:auth_strategies]
+
+          # Check cache first
+          return @strategy_cache[requirement] if @strategy_cache.key?(requirement)
+
+          # Try exact match first - this has highest priority
+          strategy = auth_config[:auth_strategies][requirement]
+          if strategy
+            @strategy_cache[requirement] = strategy
+            return strategy
+          end
+
+          # For colon-separated requirements like "role:admin", try prefix match
+          if requirement.include?(':')
+            prefix = requirement.split(':', 2).first
+
+            # Check if we have a strategy registered for the prefix
+            prefix_strategy = auth_config[:auth_strategies][prefix]
+            if prefix_strategy
+              @strategy_cache[requirement] = prefix_strategy
+              return prefix_strategy
+            end
+
+            # Try fallback patterns for role: and permission: requirements
+            if requirement.start_with?('role:')
+              # Cache the fallback strategy under 'role:' key to create it only once
+              strategy = @strategy_cache['role:'] ||= begin
+                auth_config[:auth_strategies]['role'] || Strategies::RoleStrategy.new([])
+              end
+              @strategy_cache[requirement] = strategy
+              return strategy
+            elsif requirement.start_with?('permission:')
+              # Cache the fallback strategy under 'permission:' key
+              strategy = @strategy_cache['permission:'] ||= begin
+                auth_config[:auth_strategies]['permission'] || Strategies::PermissionStrategy.new([])
+              end
+              @strategy_cache[requirement] = strategy
+              return strategy
+            end
+          end
+
+          # Cache nil results too to avoid repeated failed lookups
+          @strategy_cache[requirement] = nil
+          nil
+        end
+
+        # Generate 401 response for authentication failure
+        #
+        # @param env [Hash] Rack environment
+        # @param result [AuthFailure] Failure result from strategy
+        # @return [Array] Rack response array
+        def auth_failure_response(env, result)
+          # Check if request wants JSON
+          accept_header = env['HTTP_ACCEPT'] || ''
+          wants_json = accept_header.include?('application/json')
+
+          if wants_json
+            json_auth_error(result)
+          else
+            html_auth_error(result)
+          end
+        end
+
+        # Generate JSON 401 response
+        #
+        # @param result [AuthFailure] Failure result
+        # @return [Array] Rack response array
+        def json_auth_error(result)
+          body = {
+            error: 'Authentication Required',
+            message: result.failure_reason || 'Not authenticated',
+            timestamp: Time.now.to_i
+          }.to_json
+
+          headers = {
+            'content-type' => 'application/json',
+            'content-length' => body.bytesize.to_s
+          }
+
+          # Add security headers if available
+          merge_security_headers!(headers)
+
+          [401, headers, [body]]
+        end
+
+        # Generate HTML 401 response or redirect
+        #
+        # @param result [AuthFailure] Failure result
+        # @return [Array] Rack response array
+        def html_auth_error(result)
+          # For HTML requests, redirect to login
+          login_path = auth_config[:login_path] || '/signin'
+
+          headers = { 'location' => login_path }
+
+          # Add security headers if available
+          merge_security_headers!(headers)
+
+          [302, headers, ["Redirecting to #{login_path}"]]
+        end
+
+        # Generate generic unauthorized response
+        #
+        # @param env [Hash] Rack environment
+        # @param message [String] Error message
+        # @return [Array] Rack response array
+        def unauthorized_response(env, message)
+          accept_header = env['HTTP_ACCEPT'] || ''
+          wants_json = accept_header.include?('application/json')
+
+          if wants_json
+            body = { error: message }.to_json
+            headers = {
+              'content-type' => 'application/json',
+              'content-length' => body.bytesize.to_s
+            }
+            merge_security_headers!(headers)
+            [401, headers, [body]]
+          else
+            headers = { 'content-type' => 'text/plain' }
+            merge_security_headers!(headers)
+            [401, headers, [message]]
+          end
+        end
+
+        # Merge security headers into response headers
+        #
+        # @param headers [Hash] Response headers hash to merge into
+        def merge_security_headers!(headers)
+          return unless security_config
+
+          headers.merge!(security_config.security_headers)
+        end
+      end
+    end
+  end
+end

data/lib/otto/security/authentication/strategies/{public_strategy.rb → noauth_strategy.rb}

@@ -8,9 +8,13 @@ class Otto
     module Authentication
       module Strategies
         # Public access strategy - always allows access
-        class PublicStrategy < AuthStrategy
+        class NoAuthStrategy < AuthStrategy
           def authenticate(env, _requirement)
-            Otto::Security::Authentication::StrategyResult.anonymous(metadata: { ip: env['REMOTE_ADDR'] })
+            # Note: env['REMOTE_ADDR'] is masked by IPPrivacyMiddleware by default
+            metadata = { ip: env['REMOTE_ADDR'] }
+            metadata[:country] = env['otto.geo_country'] if env['otto.geo_country']
+
+            Otto::Security::Authentication::StrategyResult.anonymous(metadata: metadata)
           end
         end
       end