otto 2.0.0.pre2 → 2.0.0.pre3

data/lib/otto/security/authentication/route_auth_wrapper.rb

@@ -25,22 +25,41 @@ class Otto
       #   wrapped.call(env, extra_params)
       #
       class RouteAuthWrapper
-        attr_reader :wrapped_handler, :route_definition, :auth_config
+        attr_reader :wrapped_handler, :route_definition, :auth_config, :security_config
 
-        def initialize(wrapped_handler, route_definition, auth_config)
+        def initialize(wrapped_handler, route_definition, auth_config, security_config = nil)
           @wrapped_handler  = wrapped_handler
           @route_definition = route_definition
           @auth_config      = auth_config  # Hash: { auth_strategies: {}, default_auth_strategy: 'publicly' }
+          @security_config  = security_config
+          @strategy_cache   = {}  # Cache resolved strategies to avoid repeated lookups
         end
 
         # Execute authentication then call wrapped handler
         #
+        # For routes WITHOUT auth requirement: Sets anonymous StrategyResult
+        # For routes WITH auth requirement: Enforces authentication
+        #
         # @param env [Hash] Rack environment
         # @param extra_params [Hash] Additional parameters
         # @return [Array] Rack response array
         def call(env, extra_params = {})
-          # Execute authentication strategy for this route
           auth_requirement = route_definition.auth_requirement
+
+          # Routes without auth requirement get anonymous StrategyResult
+          unless auth_requirement
+            # Note: env['REMOTE_ADDR'] is masked by IPPrivacyMiddleware by default
+            metadata = { ip: env['REMOTE_ADDR'] }
+            metadata[:country] = env['otto.geo_country'] if env['otto.geo_country']
+
+            result = StrategyResult.anonymous(metadata: metadata)
+            env['otto.strategy_result'] = result
+            env['otto.user'] = nil
+            env['otto.user_context'] = result.user_context
+            return wrapped_handler.call(env, extra_params)
+          end
+
+          # Routes WITH auth requirement: Execute authentication strategy
           strategy = get_strategy(auth_requirement)
 
           unless strategy
@@ -51,36 +70,107 @@ class Otto
           # Execute the strategy
           result = strategy.authenticate(env, auth_requirement)
 
-          # Set environment variables for controllers/logic
-          env['otto.strategy_result'] = result
-          env['otto.user'] = result.user if result.is_a?(StrategyResult)
-          env['otto.user_context'] = result.user_context if result.is_a?(StrategyResult)
-
           # Handle authentication failure
-          if result.is_a?(FailureResult)
+          if result.is_a?(AuthFailure)
+            # Create anonymous result with failure info for logging/auditing
+            # Note: env['REMOTE_ADDR'] is masked by IPPrivacyMiddleware by default
+            metadata = {
+              ip: env['REMOTE_ADDR'],
+              auth_failure: result.failure_reason,
+              attempted_strategy: auth_requirement
+            }
+            metadata[:country] = env['otto.geo_country'] if env['otto.geo_country']
+
+            env['otto.strategy_result'] = StrategyResult.anonymous(metadata: metadata)
+            env['otto.user'] = nil
+            env['otto.user_context'] = {}
             return auth_failure_response(env, result)
           end
 
+          # Set environment variables for controllers/logic on success
+          env['otto.strategy_result'] = result
+          env['otto.user'] = result.user
+          env['otto.user_context'] = result.user_context
+
+          # SESSION PERSISTENCE: This assignment is INTENTIONAL, not a merge operation.
+          # We must ensure env['rack.session'] and strategy_result.session reference
+          # the SAME object so that:
+          #   1. Logic classes write to strategy_result.session
+          #   2. Rack's session middleware persists env['rack.session']
+          #   3. Changes from (1) are included in (2)
+          #
+          # Using merge! instead would break this - the objects must be identical.
+          env['rack.session'] = result.session if result.is_a?(StrategyResult) && result.session
+
           # Authentication succeeded - call wrapped handler
           wrapped_handler.call(env, extra_params)
         end
 
         private
 
-        # Get strategy from auth_config hash
+        # Get strategy from auth_config hash with sophisticated pattern matching
+        #
+        # Supports:
+        # - Exact match: 'authenticated' → looks up auth_config[:auth_strategies]['authenticated']
+        # - Prefix match: 'role:admin' → looks up 'role' strategy
+        # - Fallback: 'role:*' → creates default RoleStrategy
+        # - Fallback: 'permission:*' → creates default PermissionStrategy
+        #
+        # Results are cached to avoid repeated lookups for the same requirement.
         #
         # @param requirement [String] Auth requirement from route
         # @return [AuthStrategy, nil] Strategy instance or nil
         def get_strategy(requirement)
           return nil unless auth_config && auth_config[:auth_strategies]
 
-          auth_config[:auth_strategies][requirement]
+          # Check cache first
+          return @strategy_cache[requirement] if @strategy_cache.key?(requirement)
+
+          # Try exact match first - this has highest priority
+          strategy = auth_config[:auth_strategies][requirement]
+          if strategy
+            @strategy_cache[requirement] = strategy
+            return strategy
+          end
+
+          # For colon-separated requirements like "role:admin", try prefix match
+          if requirement.include?(':')
+            prefix = requirement.split(':', 2).first
+
+            # Check if we have a strategy registered for the prefix
+            prefix_strategy = auth_config[:auth_strategies][prefix]
+            if prefix_strategy
+              @strategy_cache[requirement] = prefix_strategy
+              return prefix_strategy
+            end
+
+            # Try fallback patterns for role: and permission: requirements
+            if requirement.start_with?('role:')
+              # Cache the fallback strategy under 'role:' key to create it only once
+              strategy = @strategy_cache['role:'] ||= begin
+                auth_config[:auth_strategies]['role'] || Strategies::RoleStrategy.new([])
+              end
+              @strategy_cache[requirement] = strategy
+              return strategy
+            elsif requirement.start_with?('permission:')
+              # Cache the fallback strategy under 'permission:' key
+              strategy = @strategy_cache['permission:'] ||= begin
+                auth_config[:auth_strategies]['permission'] || Strategies::PermissionStrategy.new([])
+              end
+              @strategy_cache[requirement] = strategy
+              return strategy
+            end
+          end
+
+          # Cache nil results too to avoid repeated failed lookups
+          @strategy_cache[requirement] = nil
+          nil
         end
 
         # Generate 401 response for authentication failure
         #
         # @param env [Hash] Rack environment
-        # @param result [FailureResult] Failure result from strategy
+        # @param result [AuthFailure] Failure result from strategy
         # @return [Array] Rack response array
         def auth_failure_response(env, result)
           # Check if request wants JSON
@@ -96,7 +186,7 @@ class Otto
 
         # Generate JSON 401 response
         #
-        # @param result [FailureResult] Failure result
+        # @param result [AuthFailure] Failure result
         # @return [Array] Rack response array
         def json_auth_error(result)
           body = {
@@ -105,26 +195,31 @@ class Otto
             timestamp: Time.now.to_i
           }.to_json
 
-          [
-            401,
-            { 'content-type' => 'application/json' },
-            [body]
-          ]
+          headers = {
+            'content-type' => 'application/json',
+            'content-length' => body.bytesize.to_s
+          }
+
+          # Add security headers if available
+          merge_security_headers!(headers)
+
+          [401, headers, [body]]
         end
 
         # Generate HTML 401 response or redirect
         #
-        # @param result [FailureResult] Failure result
+        # @param result [AuthFailure] Failure result
         # @return [Array] Rack response array
         def html_auth_error(result)
           # For HTML requests, redirect to login
           login_path = auth_config[:login_path] || '/signin'
 
-          [
-            302,
-            { 'location' => login_path },
-            ["Redirecting to #{login_path}"]
-          ]
+          headers = { 'location' => login_path }
+
+          # Add security headers if available
+          merge_security_headers!(headers)
+
+          [302, headers, ["Redirecting to #{login_path}"]]
         end
 
         # Generate generic unauthorized response
@@ -138,11 +233,27 @@ class Otto
 
           if wants_json
             body = { error: message }.to_json
-            [401, { 'content-type' => 'application/json' }, [body]]
+            headers = {
+              'content-type' => 'application/json',
+              'content-length' => body.bytesize.to_s
+            }
+            merge_security_headers!(headers)
+            [401, headers, [body]]
           else
-            [401, { 'content-type' => 'text/plain' }, [message]]
+            headers = { 'content-type' => 'text/plain' }
+            merge_security_headers!(headers)
+            [401, headers, [message]]
           end
         end
+
+        # Merge security headers into response headers
+        #
+        # @param headers [Hash] Response headers hash to merge into
+        def merge_security_headers!(headers)
+          return unless security_config
+
+          headers.merge!(security_config.security_headers)
+        end
       end
     end
   end

data/lib/otto/security/authentication/strategies/noauth_strategy.rb

@@ -10,7 +10,11 @@ class Otto
         # Public access strategy - always allows access
         class NoAuthStrategy < AuthStrategy
           def authenticate(env, _requirement)
-            Otto::Security::Authentication::StrategyResult.anonymous(metadata: { ip: env['REMOTE_ADDR'] })
+            # Note: env['REMOTE_ADDR'] is masked by IPPrivacyMiddleware by default
+            metadata = { ip: env['REMOTE_ADDR'] }
+            metadata[:country] = env['otto.geo_country'] if env['otto.geo_country']
+
+            Otto::Security::Authentication::StrategyResult.anonymous(metadata: metadata)
           end
         end
       end

data/lib/otto/security/authentication.rb

@@ -7,8 +7,8 @@
 
 require_relative 'authentication/auth_strategy'
 require_relative 'authentication/strategy_result'
-require_relative 'authentication/failure_result'
-require_relative 'authentication/authentication_middleware'
+require_relative 'authentication/auth_failure'
+require_relative 'authentication/route_auth_wrapper'
 
 # Load all strategies
 require_relative 'authentication/strategies/noauth_strategy'
@@ -26,10 +26,9 @@ class Otto
     RoleStrategy = Authentication::Strategies::RoleStrategy
     APIKeyStrategy = Authentication::Strategies::APIKeyStrategy
     PermissionStrategy = Authentication::Strategies::PermissionStrategy
-    AuthenticationMiddleware = Authentication::AuthenticationMiddleware
   end
 
   # Top-level backward compatibility aliases
   StrategyResult = Security::Authentication::StrategyResult
-  FailureResult = Security::Authentication::FailureResult
+  AuthFailure = Security::Authentication::AuthFailure
 end

data/lib/otto/security/config.rb

@@ -4,6 +4,7 @@
 
 require 'securerandom'
 require 'digest'
+require_relative '../core/freezable'
 
 class Otto
   module Security
@@ -23,12 +24,15 @@ class Otto
     #   config.max_request_size = 5 * 1024 * 1024  # 5MB
     #   config.max_param_depth = 16
     class Config
-      attr_accessor :csrf_protection, :csrf_token_key, :csrf_header_key, :csrf_session_key,
-                    :max_request_size, :max_param_depth, :max_param_keys,
-                    :trusted_proxies, :require_secure_cookies,
-                    :security_headers, :input_validation,
-                    :csp_nonce_enabled, :debug_csp, :mcp_auth,
-                    :rate_limiting_config
+      include Otto::Core::Freezable
+
+      attr_accessor :input_validation, :max_param_depth, :csrf_token_key, :rate_limiting_config, :csrf_session_key, :max_request_size, :max_param_keys
+
+      attr_reader :csrf_protection,  :csrf_header_key,
+                  :trusted_proxies, :require_secure_cookies,
+                  :security_headers,
+                  :csp_nonce_enabled, :debug_csp, :mcp_auth,
+                  :ip_privacy_config
 
       # Initialize security configuration with safe defaults
       #
@@ -48,7 +52,8 @@ class Otto
         @input_validation       = true
         @csp_nonce_enabled      = false
         @debug_csp              = false
-        @rate_limiting_config   = {}
+        @rate_limiting_config   = { custom_rules: {} }
+        @ip_privacy_config      = Otto::Privacy::Config.new
       end
 
       # Enable CSRF (Cross-Site Request Forgery) protection
@@ -60,14 +65,20 @@ class Otto
       # - Provide helper methods for forms and AJAX requests
       #
       # @return [void]
+      # @raise [FrozenError] if configuration is frozen
       def enable_csrf_protection!
+        raise FrozenError, 'Cannot modify frozen configuration' if frozen?
+
         @csrf_protection = true
       end
 
       # Disable CSRF protection
       #
       # @return [void]
+      # @raise [FrozenError] if configuration is frozen
       def disable_csrf_protection!
+        raise FrozenError, 'Cannot modify frozen configuration' if frozen?
+
         @csrf_protection = false
       end
 
@@ -86,6 +97,7 @@ class Otto
       #
       # @param proxy [String, Array] IP address, CIDR range, or array of addresses
       # @raise [ArgumentError] if proxy is not a String or Array
+      # @raise [FrozenError] if configuration is frozen
       # @return [void]
       #
       # @example Add single proxy
@@ -97,6 +109,8 @@ class Otto
       # @example Add multiple proxies
       #   config.add_trusted_proxy(['10.0.0.1', '172.16.0.0/12'])
       def add_trusted_proxy(proxy)
+        raise FrozenError, 'Cannot modify frozen configuration' if frozen?
+
         case proxy
         when String, Regexp
           @trusted_proxies << proxy
@@ -175,7 +189,10 @@ class Otto
       # @param max_age [Integer] Maximum age in seconds (default: 1 year)
       # @param include_subdomains [Boolean] Apply to all subdomains (default: true)
       # @return [void]
+      # @raise [FrozenError] if configuration is frozen
       def enable_hsts!(max_age: 31_536_000, include_subdomains: true)
+        raise FrozenError, 'Cannot modify frozen configuration' if frozen?
+
         hsts_value                                     = "max-age=#{max_age}"
         hsts_value                                    += '; includeSubDomains' if include_subdomains
         @security_headers['strict-transport-security'] = hsts_value
@@ -188,10 +205,13 @@ class Otto
       #
       # @param policy [String] CSP policy string (default: "default-src 'self'")
       # @return [void]
+      # @raise [FrozenError] if configuration is frozen
       #
       # @example Custom policy
       #   config.enable_csp!("default-src 'self'; script-src 'self' 'unsafe-inline'")
       def enable_csp!(policy = "default-src 'self'")
+        raise FrozenError, 'Cannot modify frozen configuration' if frozen?
+
         @security_headers['content-security-policy'] = policy
       end
 
@@ -203,10 +223,13 @@ class Otto
       #
       # @param debug [Boolean] Enable debug logging for CSP headers (default: false)
       # @return [void]
+      # @raise [FrozenError] if configuration is frozen
       #
       # @example
       #   config.enable_csp_with_nonce!(debug: true)
       def enable_csp_with_nonce!(debug: false)
+        raise FrozenError, 'Cannot modify frozen configuration' if frozen?
+
         @csp_nonce_enabled = true
         @debug_csp         = debug
       end
@@ -214,7 +237,10 @@ class Otto
       # Disable CSP nonce support
       #
       # @return [void]
+      # @raise [FrozenError] if configuration is frozen
       def disable_csp_nonce!
+        raise FrozenError, 'Cannot modify frozen configuration' if frozen?
+
         @csp_nonce_enabled = false
       end
 
@@ -246,7 +272,10 @@ class Otto
       #
       # @param option [String] Frame options: 'DENY', 'SAMEORIGIN', or 'ALLOW-FROM uri'
       # @return [void]
+      # @raise [FrozenError] if configuration is frozen
       def enable_frame_protection!(option = 'SAMEORIGIN')
+        raise FrozenError, 'Cannot modify frozen configuration' if frozen?
+
         @security_headers['x-frame-options'] = option
       end
 
@@ -254,6 +283,7 @@ class Otto
       #
       # @param headers [Hash] Hash of header name => value pairs
       # @return [void]
+      # @raise [FrozenError] if configuration is frozen
       #
       # @example
       #   config.set_custom_headers({
@@ -261,9 +291,23 @@ class Otto
       #     'cross-origin-opener-policy' => 'same-origin'
       #   })
       def set_custom_headers(headers)
+        raise FrozenError, 'Cannot modify frozen configuration' if frozen?
+
         @security_headers.merge!(headers)
       end
 
+      # Override deep_freeze! to ensure rate_limiting_config has custom_rules initialized
+      #
+      # This pre-initializes any lazy values before freezing to prevent FrozenError
+      # when accessing configuration after it's frozen.
+      #
+      # @return [self] The frozen configuration
+      def deep_freeze!
+        # Ensure custom_rules is initialized (should already be done in constructor)
+        @rate_limiting_config[:custom_rules] ||= {}
+        super
+      end
+
       def get_or_create_session_id(request)
         # Try existing sources first
         session_id = extract_existing_session_id(request)

data/lib/otto/security/configurator.rb

@@ -4,7 +4,6 @@
 
 require_relative 'middleware/csrf_middleware'
 require_relative 'middleware/validation_middleware'
-require_relative 'authentication/authentication_middleware'
 require_relative 'middleware/rate_limit_middleware'
 
 # Security configuration facade for Otto framework
@@ -75,7 +74,6 @@ class Otto
         enable_hsts! if hsts
         enable_csp! if csp
         enable_frame_protection! if frame_protection
-        enable_authentication! if authentication
       end
 
       # Enable CSRF protection for POST, PUT, DELETE, and PATCH requests.
@@ -118,7 +116,6 @@ class Otto
       # @option options [Integer] :period Time period in seconds (default: 60)
       # @option options [Proc] :condition Optional condition proc that receives request
       def add_rate_limit_rule(name, options)
-        @security_config.rate_limiting_config[:custom_rules] ||= {}
         @security_config.rate_limiting_config[:custom_rules][name.to_s] = options
       end
 
@@ -171,21 +168,12 @@ class Otto
         @security_config.enable_csp_with_nonce!(debug: debug)
       end
 
-      # Enable authentication middleware for route-level access control.
-      # This will automatically check route auth parameters and enforce authentication.
-      def enable_authentication!
-        return if middleware_enabled?(Otto::Security::Authentication::AuthenticationMiddleware)
-
-        @middleware_stack.add(Otto::Security::Authentication::AuthenticationMiddleware, @auth_config)
-      end
-
       # Add a single authentication strategy
       #
       # @param name [String] Strategy name
       # @param strategy [Otto::Security::Authentication::AuthStrategy] Strategy instance
       def add_auth_strategy(name, strategy)
         @auth_config[:auth_strategies][name] = strategy
-        enable_authentication!
       end
 
       # Configure authentication strategies for route-level access control.
@@ -196,7 +184,6 @@ class Otto
         # Merge new strategies with existing ones, preserving shared state
         @auth_config[:auth_strategies].merge!(strategies)
         @auth_config[:default_auth_strategy] = default_strategy
-        enable_authentication! unless strategies.empty?
       end
 
       # Configure rate limiting settings.