otto 2.0.0.pre2 → 2.0.0.pre7

data/lib/otto/response_handlers.rb

@@ -1,6 +1,6 @@
-# frozen_string_literal: true
-
 # lib/otto/response_handlers.rb
+#
+# frozen_string_literal: true
 
 class Otto
   module ResponseHandlers

data/lib/otto/route.rb

@@ -1,6 +1,6 @@
-# frozen_string_literal: true
-
 # lib/otto/route.rb
+#
+# frozen_string_literal: true
 
 class Otto
   # Otto::Route
@@ -158,8 +158,8 @@ class Otto
         if response_type != 'default'
           context = {
             logic_instance: (kind == :instance ? inst : nil),
-            status_code: nil,
-            redirect_path: nil,
+               status_code: nil,
+             redirect_path: nil,
           }
 
           Otto::ResponseHandlers::HandlerFactory.handle_response(result, res, response_type, context)

data/lib/otto/route_definition.rb

@@ -1,6 +1,6 @@
-# frozen_string_literal: true
-
 # lib/otto/route_definition.rb
+#
+# frozen_string_literal: true
 
 class Otto
   # Immutable data class representing a complete route definition
@@ -73,10 +73,37 @@ class Otto
       @options.fetch(key.to_sym, default)
     end
 
-    # Get authentication requirement
+    # Get authentication requirement (backward compatibility - returns first requirement)
     # @return [String, nil] The auth requirement or nil
     def auth_requirement
-      option(:auth)
+      auth_requirements.first
+    end
+
+    # Get all authentication requirements as an array
+    # Supports multiple strategies: auth=session,apikey,oauth
+    # @return [Array<String>] Array of auth requirement strings
+    def auth_requirements
+      auth = option(:auth)
+      return [] unless auth
+
+      auth.split(',').map(&:strip).reject(&:empty?)
+    end
+
+    # Get role requirement for route-level authorization
+    # Supports single role or comma-separated roles (OR logic): role=admin,editor
+    # @return [String, nil] The role requirement or nil
+    def role_requirement
+      option(:role)
+    end
+
+    # Get all role requirements as an array
+    # Supports multiple roles with OR logic: role=admin,editor
+    # @return [Array<String>] Array of role requirement strings
+    def role_requirements
+      role = option(:role)
+      return [] unless role
+
+      role.split(',').map(&:strip).reject(&:empty?)
     end
 
     # Get response type
@@ -111,16 +138,16 @@ class Otto
     # @return [Hash]
     def to_h
       {
-        verb: @verb,
-        path: @path,
-        definition: @definition,
-        target: @target,
-        klass_name: @klass_name,
+               verb: @verb,
+               path: @path,
+         definition: @definition,
+             target: @target,
+         klass_name: @klass_name,
         method_name: @method_name,
-        kind: @kind,
-        options: @options,
-        pattern: @pattern,
-        keys: @keys,
+               kind: @kind,
+            options: @options,
+            pattern: @pattern,
+               keys: @keys,
       }
     end
 
@@ -166,11 +193,11 @@ class Otto
       case target
       when /^(.+)\.(.+)$/
         # Class.method - call class method directly
-        { klass_name: $1, method_name: $2, kind: :class }
+        { klass_name: ::Regexp.last_match(1), method_name: ::Regexp.last_match(2), kind: :class }
 
       when /^(.+)#(.+)$/
         # Class#method - instantiate then call instance method
-        { klass_name: $1, method_name: $2, kind: :instance }
+        { klass_name: ::Regexp.last_match(1), method_name: ::Regexp.last_match(2), kind: :instance }
 
       when /^[A-Z][A-Za-z0-9_]*(?:::[A-Z][A-Za-z0-9_]*)*$/
         # Bare class name - instantiate the class

data/lib/otto/route_handlers/base.rb

@@ -1,6 +1,7 @@
+# lib/otto/route_handlers/base.rb
+#
 # frozen_string_literal: true
 
-# lib/otto/route_handlers/base.rb
 require 'json'
 
 class Otto

data/lib/otto/route_handlers/class_method.rb

@@ -1,6 +1,6 @@
-# frozen_string_literal: true
-
 # lib/otto/route_handlers/class_method.rb
+#
+# frozen_string_literal: true
 
 require 'json'
 require 'securerandom'
@@ -13,6 +13,7 @@ class Otto
     # Maintains backward compatibility for Controller.action patterns
     class ClassMethodHandler < BaseHandler
       def call(env, extra_params = {})
+        start_time = Otto::Utils.now_in_μs
         req = Rack::Request.new(env)
         res = Rack::Response.new
 
@@ -25,19 +26,22 @@ class Otto
 
           # Only handle response if response_type is not default
           if route_definition.response_type != 'default'
-            handle_response(result, res, {
-                              class: target_class,
+            handle_response(result, res,
+            {
+                class: target_class,
               request: req,
-                            })
+            })
           end
         rescue StandardError => e
           # Check if we're being called through Otto's integrated context (vs direct handler testing)
           # In integrated context, let Otto's centralized error handler manage the response
           # In direct testing context, handle errors locally for unit testing
           if otto_instance
-            # Log error for handler-specific context but let Otto's centralized error handler manage the response
-            Otto.logger.error "[ClassMethodHandler] #{e.class}: #{e.message}"
-            Otto.logger.debug "[ClassMethodHandler] Backtrace: #{e.backtrace.join("\n")}" if Otto.debug
+            # Store handler context in env for centralized error handler
+            handler_name = "#{target_class.name}##{route_definition.method_name}"
+            env['otto.handler'] = handler_name
+            env['otto.handler_duration'] = Otto::Utils.now_in_μs - start_time
+
             raise e # Re-raise to let Otto's centralized error handler manage the response
           else
             # Direct handler testing context - handle errors locally with security improvements
@@ -51,26 +55,15 @@ class Otto
             accept_header = env['HTTP_ACCEPT'].to_s
             if accept_header.include?('application/json')
               res.headers['content-type'] = 'application/json'
-              error_data                  = if Otto.env?(:dev, :development)
-                                              {
-                                                error: 'Internal Server Error',
-                                                message: 'Server error occurred. Check logs for details.',
-                                                error_id: error_id,
-                                              }
-                                            else
-                                              {
-                                                error: 'Internal Server Error',
-                                                message: 'An error occurred. Please try again later.',
-                                              }
-                                            end
+              error_data                  = {
+                   error: 'Internal Server Error',
+                 message: 'Server error occurred. Check logs for details.',
+                error_id: error_id,
+              }
               res.write JSON.generate(error_data)
             else
               res.headers['content-type'] = 'text/plain'
-              if Otto.env?(:dev, :development)
-                res.write "Server error (ID: #{error_id}). Check logs for details."
-              else
-                res.write 'An error occurred. Please try again later.'
-              end
+              res.write "Server error (ID: #{error_id}). Check logs for details."
             end
 
             # Add security headers if available

data/lib/otto/route_handlers/factory.rb

@@ -1,8 +1,9 @@
-# frozen_string_literal: true
-
 # lib/otto/route_handlers/factory.rb
+#
+# frozen_string_literal: true
 
 require_relative 'base'
+require_relative '../security/authentication/route_auth_wrapper'
 
 class Otto
   module RouteHandlers
@@ -14,24 +15,25 @@ class Otto
       # @return [BaseHandler] Appropriate handler for the route
       def self.create_handler(route_definition, otto_instance = nil)
         # Create base handler based on route kind
-        handler = case route_definition.kind
-                  when :logic
-                    LogicClassHandler.new(route_definition, otto_instance)
-                  when :instance
-                    InstanceMethodHandler.new(route_definition, otto_instance)
-                  when :class
-                    ClassMethodHandler.new(route_definition, otto_instance)
-                  else
-                    raise ArgumentError, "Unknown handler kind: #{route_definition.kind}"
-                  end
+        handler_class = case route_definition.kind
+                        when :logic then LogicClassHandler
+                        when :instance then InstanceMethodHandler
+                        when :class then ClassMethodHandler
+                        else
+                          raise ArgumentError, "Unknown handler kind: #{route_definition.kind}"
+                        end
+
+        handler = handler_class.new(route_definition, otto_instance)
 
-        # Wrap with auth enforcement if route has auth requirement
-        if route_definition.auth_requirement && otto_instance&.auth_config
-          require_relative '../security/authentication/route_auth_wrapper'
+        # Always wrap with RouteAuthWrapper to ensure env['otto.strategy_result'] is set
+        # - Routes WITH auth requirement: Enforces authentication
+        # - Routes WITHOUT auth requirement: Sets anonymous StrategyResult
+        if otto_instance&.auth_config
           handler = Otto::Security::Authentication::RouteAuthWrapper.new(
             handler,
             route_definition,
-            otto_instance.auth_config
+            otto_instance.auth_config,
+            otto_instance.security_config
           )
         end
 

data/lib/otto/route_handlers/instance_method.rb

@@ -1,6 +1,6 @@
-# frozen_string_literal: true
-
 # lib/otto/route_handlers/instance_method.rb
+#
+# frozen_string_literal: true
 require 'securerandom'
 
 require_relative 'base'
@@ -11,6 +11,7 @@ class Otto
     # Maintains backward compatibility for Controller#action patterns
     class InstanceMethodHandler < BaseHandler
       def call(env, extra_params = {})
+        start_time = Otto::Utils.now_in_μs
         req = Rack::Request.new(env)
         res = Rack::Response.new
 
@@ -34,9 +35,11 @@ class Otto
           # In integrated context, let Otto's centralized error handler manage the response
           # In direct testing context, handle errors locally for unit testing
           if otto_instance
-            # Log error for handler-specific context but let the centralized error handler manage the response
-            Otto.logger.error "[InstanceMethodHandler] #{e.class}: #{e.message}"
-            Otto.logger.debug "[InstanceMethodHandler] Backtrace: #{e.backtrace.join("\n")}" if Otto.debug
+            # Store handler context in env for centralized error handler
+            handler_name = "#{target_class}##{route_definition.method_name}"
+            env['otto.handler'] = handler_name
+            env['otto.handler_duration'] = Otto::Utils.now_in_μs - start_time
+
             raise e # Re-raise to let Otto's centralized error handler manage the response
           else
             # Direct handler testing context - handle errors locally with security improvements

data/lib/otto/route_handlers/lambda.rb

@@ -1,6 +1,6 @@
-# frozen_string_literal: true
-
 # lib/otto/route_handlers/lambda.rb
+#
+# frozen_string_literal: true
 require 'securerandom'
 
 require_relative 'base'
@@ -10,6 +10,7 @@ class Otto
     # Custom handler for lambda/proc definitions (future extension)
     class LambdaHandler < BaseHandler
       def call(env, extra_params = {})
+        start_time = Otto::Utils.now_in_μs
         req = Rack::Request.new(env)
         res = Rack::Response.new
 
@@ -31,25 +32,12 @@ class Otto
             request: req,
                           })
         rescue StandardError => e
-          error_id = SecureRandom.hex(8)
-          Otto.logger.error "[#{error_id}] #{e.class}: #{e.message}"
-          Otto.logger.debug "[#{error_id}] Backtrace: #{e.backtrace.join("\n")}" if Otto.debug
-
-          res.status                  = 500
-          res.headers['content-type'] = 'text/plain'
+          # Store handler context in env for centralized error handler
+          handler_name = "Lambda[#{route_definition.klass_name}]"
+          env['otto.handler'] = handler_name
+          env['otto.handler_duration'] = Otto::Utils.now_in_μs - start_time
 
-          if Otto.env?(:dev, :development)
-            res.write "Lambda handler error (ID: #{error_id}). Check logs for details."
-          else
-            res.write 'An error occurred. Please try again later.'
-          end
-
-          # Add security headers if available
-          if otto_instance.respond_to?(:security_config) && otto_instance.security_config
-            otto_instance.security_config.security_headers.each do |header, value|
-              res.headers[header] = value
-            end
-          end
+          raise e # Re-raise to let Otto's centralized error handler manage the response
         end
 
         res.finish

data/lib/otto/route_handlers/logic_class.rb

@@ -1,6 +1,6 @@
-# frozen_string_literal: true
-
 # lib/otto/route_handlers/logic_class.rb
+#
+# frozen_string_literal: true
 require 'json'
 require 'securerandom'
 
@@ -13,12 +13,13 @@ class Otto
     # Logic classes use signature: initialize(context, params, locale)
     class LogicClassHandler < BaseHandler
       def call(env, extra_params = {})
+        start_time = Otto::Utils.now_in_μs
         req = Rack::Request.new(env)
         res = Rack::Response.new
 
         begin
-          # Get strategy result (guaranteed to exist from auth middleware)
-          strategy_result = env['otto.strategy_result'] || Otto::Security::Authentication::StrategyResult.anonymous
+          # Get strategy result (guaranteed to exist from RouteAuthWrapper)
+          strategy_result = env['otto.strategy_result']
 
           # Initialize Logic class with new signature: context, params, locale
           logic_params = req.params.merge(extra_params)
@@ -30,7 +31,21 @@ class Otto
               json_data = JSON.parse(req.body.read)
               logic_params = logic_params.merge(json_data) if json_data.is_a?(Hash)
             rescue JSON::ParserError => e
-              Otto.logger.error "[LogicClassHandler] JSON parsing error: #{e.message}"
+              # Base context pattern: create once, reuse for correlation
+              base_context = Otto::LoggingHelpers.request_context(env)
+
+              Otto.structured_log(:error, "JSON parsing error",
+                base_context.merge(
+                  handler: "#{target_class}#call",
+                  error: e.message,
+                  error_class: e.class.name,
+                  duration: Otto::Utils.now_in_μs - start_time
+                )
+              )
+
+              Otto::LoggingHelpers.log_backtrace(e,
+                base_context.merge(handler: "#{target_class}#call")
+              )
             end
           end
 
@@ -58,9 +73,11 @@ class Otto
           # In integrated context, let Otto's centralized error handler manage the response
           # In direct testing context, handle errors locally for unit testing
           if otto_instance
-            # Log error for handler-specific context but let Otto's centralized error handler manage the response
-            Otto.logger.error "[LogicClassHandler] #{e.class}: #{e.message}"
-            Otto.logger.debug "[LogicClassHandler] Backtrace: #{e.backtrace.join("\n")}" if Otto.debug
+            # Store handler context in env for centralized error handler
+            handler_name = "#{target_class}#call"
+            env['otto.handler'] = handler_name
+            env['otto.handler_duration'] = Otto::Utils.now_in_μs - start_time
+
             raise e # Re-raise to let Otto's centralized error handler manage the response
           else
             # Direct handler testing context - handle errors locally with security improvements

data/lib/otto/route_handlers.rb

@@ -1,6 +1,6 @@
-# frozen_string_literal: true
-
 # lib/otto/route_handlers.rb
+#
+# frozen_string_literal: true
 
 class Otto
   # Pluggable Route Handler Factory

data/lib/otto/security/authentication/{failure_result.rb → auth_failure.rb}

@@ -1,13 +1,13 @@
+# lib/otto/security/authentication/auth_failure.rb
+#
 # frozen_string_literal: true
 
-# lib/otto/security/authentication/failure_result.rb
-
 class Otto
   module Security
     module Authentication
       # Failure result for authentication failures
-      FailureResult = Data.define(:failure_reason, :auth_method) do
-        # FailureResult represents authentication failure
+      AuthFailure = Data.define(:failure_reason, :auth_method) do
+        # AuthFailure represents authentication failure
         # Returned by strategies when authentication fails
         # Contains failure reason for error messages
 
@@ -36,7 +36,7 @@ class Otto
         #
         # @return [String] Debug representation
         def inspect
-          "#<FailureResult reason=#{failure_reason.inspect} method=#{auth_method}>"
+          "#<AuthFailure reason=#{failure_reason.inspect} method=#{auth_method}>"
         end
       end
     end

data/lib/otto/security/authentication/auth_strategy.rb

@@ -1,7 +1,7 @@
-# frozen_string_literal: true
-
 # lib/otto/security/authentication/auth_strategy.rb
 #
+# frozen_string_literal: true
+#
 # Base class for all authentication strategies in Otto framework
 # Provides pluggable authentication patterns that can be customized per application
 
@@ -13,7 +13,9 @@ class Otto
         # Check if the request meets the authentication requirements
         # @param env [Hash] Rack environment
         # @param requirement [String] Authentication requirement string
-        # @return [Otto::Security::Authentication::StrategyResult, nil] StrategyResult for success, nil for failure
+        # @return [Otto::Security::Authentication::StrategyResult,
+        #          Otto::Security::Authentication::AuthFailure]
+        #          StrategyResult for success, AuthFailure for failure
         def authenticate(env, requirement)
           raise NotImplementedError, 'Subclasses must implement #authenticate'
         end
@@ -21,19 +23,24 @@ class Otto
         protected
 
         # Helper to create successful strategy result
+        #
+        # NOTE: strategy_name will be injected by RouteAuthWrapper after strategy execution.
+        # Strategies don't know their registered name, so we pass nil here and let the wrapper
+        # set it based on how the strategy was registered via add_auth_strategy(name, strategy).
         def success(user:, session: {}, auth_method: nil, **metadata)
           Otto::Security::Authentication::StrategyResult.new(
             session: session,
             user: user,
             auth_method: auth_method || self.class.name.split('::').last,
-            metadata: metadata
+            metadata: metadata,
+            strategy_name: nil  # Will be set by RouteAuthWrapper
           )
         end
 
-        # Helper for authentication failure - return FailureResult
+        # Helper for authentication failure - return AuthFailure
         def failure(reason = nil)
           Otto.logger.debug "[#{self.class}] Authentication failed: #{reason}" if reason
-          Otto::Security::Authentication::FailureResult.new(
+          Otto::Security::Authentication::AuthFailure.new(
             failure_reason: reason || 'Authentication failed',
             auth_method: self.class.name.split('::').last
           )