otto 2.0.0.pre7 → 2.0.0.pre9

data/lib/otto.rb

@@ -17,6 +17,7 @@ require_relative 'otto/static'
 require_relative 'otto/helpers'
 require_relative 'otto/response_handlers'
 require_relative 'otto/route_handlers'
+require_relative 'otto/errors'
 require_relative 'otto/locale'
 require_relative 'otto/mcp'
 require_relative 'otto/core'
@@ -79,9 +80,10 @@ class Otto
     load(path) unless path.nil?
     super()
 
-    # Auto-register AuthorizationError for 403 Forbidden responses
-    # This allows Logic classes to raise AuthorizationError for resource-level access control
-    register_error_handler(Otto::Security::AuthorizationError, status: 403, log_level: :warn)
+    # Auto-register all Otto framework error classes
+    # This allows Logic classes and framework code to raise appropriate errors
+    # without requiring manual registration in implementing projects
+    register_framework_errors
 
     # Build the middleware app once after all initialization is complete
     build_app!
@@ -586,6 +588,48 @@ class Otto
     configure_mcp(opts)
   end
 
+  # Register all Otto framework error classes with appropriate status codes
+  #
+  # This method auto-registers base HTTP error classes and all framework-specific
+  # error classes (Security, MCP) so that raising them automatically returns the
+  # correct HTTP status code instead of 500.
+  #
+  # Users can override these registrations by calling register_error_handler
+  # after Otto.new with custom status codes or log levels.
+  #
+  # @return [void]
+  # @api private
+  def register_framework_errors
+    # Base HTTP errors (for direct use or subclassing by implementing projects)
+    register_error_from_class(Otto::NotFoundError)
+    register_error_from_class(Otto::BadRequestError)
+    register_error_from_class(Otto::UnauthorizedError)
+    register_error_from_class(Otto::ForbiddenError)
+    register_error_from_class(Otto::PayloadTooLargeError)
+
+    # Security module errors
+    register_error_from_class(Otto::Security::AuthorizationError)
+    register_error_from_class(Otto::Security::CSRFError)
+    register_error_from_class(Otto::Security::RequestTooLargeError)
+    register_error_from_class(Otto::Security::ValidationError)
+
+    # MCP module errors
+    register_error_from_class(Otto::MCP::ValidationError)
+  end
+
+  # Register an error handler using the error class as the single source of truth
+  #
+  # @param error_class [Class] Error class that responds to default_status and default_log_level
+  # @return [void]
+  # @api private
+  def register_error_from_class(error_class)
+    register_error_handler(
+      error_class,
+      status: error_class.default_status,
+      log_level: error_class.default_log_level
+    )
+  end
+
   class << self
     attr_accessor :debug, :logger # rubocop:disable ThreadSafety/ClassAndModuleAttributes
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: otto
 version: !ruby/object:Gem::Version
-  version: 2.0.0.pre7
+  version: 2.0.0.pre9
 platform: ruby
 authors:
 - Delano Mandelbaum
@@ -169,14 +169,14 @@ files:
 - LICENSE.txt
 - README.md
 - bin/rspec
-- changelog.d/20251103_235431_delano_86_improve_error_logging.rst
-- changelog.d/20251109_025012_claude_fix_backtrace_sanitization.rst
 - changelog.d/README.md
 - changelog.d/scriv.ini
 - docs/.gitignore
 - docs/ipaddr-encoding-quirk.md
 - docs/migrating/v2.0.0-pre1.md
 - docs/migrating/v2.0.0-pre2.md
+- docs/modern-authentication-authorization-landscape.md
+- docs/multi-strategy-authentication-design.md
 - examples/.gitignore
 - examples/advanced_routes/README.md
 - examples/advanced_routes/app.rb
@@ -245,6 +245,7 @@ files:
 - lib/otto/core/uri_generator.rb
 - lib/otto/design_system.rb
 - lib/otto/env_keys.rb
+- lib/otto/errors.rb
 - lib/otto/helpers.rb
 - lib/otto/helpers/base.rb
 - lib/otto/helpers/request.rb
@@ -289,6 +290,9 @@ files:
 - lib/otto/security/authentication/auth_failure.rb
 - lib/otto/security/authentication/auth_strategy.rb
 - lib/otto/security/authentication/route_auth_wrapper.rb
+- lib/otto/security/authentication/route_auth_wrapper/response_builder.rb
+- lib/otto/security/authentication/route_auth_wrapper/role_authorization.rb
+- lib/otto/security/authentication/route_auth_wrapper/strategy_resolver.rb
 - lib/otto/security/authentication/strategies/api_key_strategy.rb
 - lib/otto/security/authentication/strategies/noauth_strategy.rb
 - lib/otto/security/authentication/strategies/permission_strategy.rb

data/changelog.d/20251103_235431_delano_86_improve_error_logging.rst

@@ -1,15 +0,0 @@
-Added
------
-
-- Error handler registration system for expected business logic errors. Register handlers with ``otto.register_error_handler(ErrorClass, status: 404, log_level: :info)`` to return proper HTTP status codes and avoid logging expected errors as 500s with backtraces. Supports custom response handlers via blocks for complete control over error responses.
-
-Changed
--------
-
-- Backtrace logging now always logs at ERROR level (was DEBUG) with sanitized file paths for security. Backtraces for unhandled 500 errors are always logged regardless of ``OTTO_DEBUG`` setting, with paths sanitized to prevent exposing system information (project files show relative paths, gems show ``[GEM] name-version/path``, Ruby stdlib shows ``[RUBY] filename``).
-- Increased backtrace limit from 10 to 20 lines for critical errors to provide better debugging context.
-
-AI Assistance
--------------
-
-- Implemented error handler registration architecture with comprehensive test coverage (17 test cases) using sequential thinking to work through security implications and design decisions. AI assisted with path sanitization strategy, error classification patterns, and ensuring backward compatibility with existing error handling.

data/changelog.d/20251109_025012_claude_fix_backtrace_sanitization.rst

@@ -1,37 +0,0 @@
-.. Changed in: otto
-.. Fixes issue:
-
-Improved backtrace sanitization security and readability
----------------------------------------------------------
-
-**Security Enhancements:**
-
-- Fixed bundler gem path detection to correctly sanitize git-based gems
-- Now properly handles nested gem paths like ``/gems/3.4.0/bundler/gems/otto-abc123/``
-- Strips git hash suffixes from bundler gems (``otto-abc123def456`` → ``otto``)
-- Removes version numbers from regular gems (``rack-3.2.4`` → ``rack``)
-- Prevents exposure of absolute paths, usernames, and project names in logs
-
-**Improvements:**
-
-- Bundler gems now show as ``[GEM] otto/lib/otto/route.rb:142`` instead of ``[GEM] 3.4.0/bundler/gems/...``
-- Regular gems show cleaner output: ``[GEM] rack/lib/rack.rb:20`` instead of ``[GEM] rack-3.2.4/lib/rack.rb:20``
-- Multi-hyphenated gem names handled correctly (``active-record-import-1.5.0`` → ``active-record-import``)
-- Better handling of version-only directory names in gem paths
-
-**Documentation:**
-
-- Added comprehensive backtrace sanitization section to CLAUDE.md
-- Documented security guarantees and sanitization rules
-- Added examples showing before/after path transformations
-- Created comprehensive test suite for backtrace sanitization
-
-**Rationale:**
-
-Raw backtraces expose sensitive information:
-- Usernames (``/Users/alice/``, ``/home/admin/``)
-- Project structure and internal organization
-- Gem installation paths and Ruby versions
-- System architecture details
-
-This improvement ensures all backtraces are sanitized automatically, preventing accidental leakage of sensitive system information while maintaining readability for debugging.