otto 2.0.0.pre8 → 2.0.0.pre10

data/lib/otto/route_handlers/instance_method.rb

@@ -1,7 +1,6 @@
 # lib/otto/route_handlers/instance_method.rb
 #
 # frozen_string_literal: true
-require 'securerandom'
 
 require_relative 'base'
 
@@ -17,62 +16,16 @@ class Otto
     # Use this handler for endpoints requiring request-level control (logout,
     # session management, cookie manipulation, custom header handling).
     class InstanceMethodHandler < BaseHandler
-      def call(env, extra_params = {})
-        start_time = Otto::Utils.now_in_μs
-        req = Rack::Request.new(env)
-        res = Rack::Response.new
-
-        begin
-          # Apply the same extensions and processing as original Route#call
-          setup_request_response(req, res, env, extra_params)
-
-          # Create instance and call method (existing Otto behavior)
-          instance = target_class.new(req, res)
-          result   = instance.send(route_definition.method_name)
-
-          # Only handle response if response_type is not default
-          if route_definition.response_type != 'default'
-            handle_response(result, res, {
-                              instance: instance,
-                              request: req,
-                            })
-          end
-        rescue StandardError => e
-          # Check if we're being called through Otto's integrated context (vs direct handler testing)
-          # In integrated context, let Otto's centralized error handler manage the response
-          # In direct testing context, handle errors locally for unit testing
-          if otto_instance
-            # Store handler context in env for centralized error handler
-            handler_name = "#{target_class}##{route_definition.method_name}"
-            env['otto.handler'] = handler_name
-            env['otto.handler_duration'] = Otto::Utils.now_in_μs - start_time
-
-            raise e # Re-raise to let Otto's centralized error handler manage the response
-          else
-            # Direct handler testing context - handle errors locally with security improvements
-            error_id = SecureRandom.hex(8)
-            Otto.logger.error "[#{error_id}] #{e.class}: #{e.message}"
-            Otto.logger.debug "[#{error_id}] Backtrace: #{e.backtrace.join("\n")}" if Otto.debug
-
-            res.status                  = 500
-            res.headers['content-type'] = 'text/plain'
-
-            if Otto.env?(:dev, :development)
-              res.write "Server error (ID: #{error_id}). Check logs for details."
-            else
-              res.write 'An error occurred. Please try again later.'
-            end
-
-            # Add security headers if available
-            if otto_instance.respond_to?(:security_config) && otto_instance.security_config
-              otto_instance.security_config.security_headers.each do |header, value|
-                res.headers[header] = value
-              end
-            end
-          end
-        end
-
-        finalize_response(res)
+      protected
+
+      # Invoke the instance method on the target class
+      # @param req [Rack::Request] Request object
+      # @param res [Rack::Response] Response object
+      # @return [Array] [result, context] for handle_response
+      def invoke_target(req, res)
+        instance = target_class.new(req, res)
+        result = instance.send(route_definition.method_name)
+        [result, { instance: instance, request: req }]
       end
     end
   end

data/lib/otto/route_handlers/lambda.rb

@@ -11,8 +11,8 @@ class Otto
     class LambdaHandler < BaseHandler
       def call(env, extra_params = {})
         start_time = Otto::Utils.now_in_μs
-        req = Rack::Request.new(env)
-        res = Rack::Response.new
+        req = otto_instance ? otto_instance.request_class.new(env) : Otto::Request.new(env)
+        res = otto_instance ? otto_instance.response_class.new : Otto::Response.new
 
         begin
           # Security: Lambda handlers require pre-configured procs from Otto instance

data/lib/otto/route_handlers/logic_class.rb

@@ -1,8 +1,6 @@
 # lib/otto/route_handlers/logic_class.rb
 #
 # frozen_string_literal: true
-require 'json'
-require 'securerandom'
 
 require_relative 'base'
 
@@ -20,98 +18,95 @@ class Otto
     # For endpoints requiring direct request access (sessions, cookies, headers,
     # or logout flows), use controller handlers (Controller#action or Controller.action).
     class LogicClassHandler < BaseHandler
-      def call(env, extra_params = {})
-        start_time = Otto::Utils.now_in_μs
-        req = Rack::Request.new(env)
-        res = Rack::Response.new
+      protected
 
+      # Invoke Logic class with constrained signature
+      # @param req [Rack::Request] Request object
+      # @param res [Rack::Response] Response object
+      # @return [Array] [result, context] for handle_response
+      def invoke_target(req, _res)
+        env = req.env
+
+        # Get strategy result (guaranteed to exist from RouteAuthWrapper)
+        strategy_result = env['otto.strategy_result']
+
+        # Extract params including JSON body parsing
+        logic_params = extract_logic_params(req, env)
+
+        # Get locale
+        locale = env['otto.locale'] || 'en'
+
+        # Instantiate Logic class
+        logic = target_class.new(strategy_result, logic_params, locale)
+
+        # Execute standard Logic class lifecycle
+        logic.raise_concerns if logic.respond_to?(:raise_concerns)
+
+        result = if logic.respond_to?(:process)
+                   logic.process
+                 else
+                   logic.call || logic
+                 end
+
+        context = {
+          logic_instance: logic,
+                 request: req,
+             status_code: logic.respond_to?(:status_code) ? logic.status_code : nil,
+        }
+
+        [result, context]
+      end
+
+      # Extract logic parameters including JSON body parsing
+      # @param req [Rack::Request] Request object
+      # @param env [Hash] Rack environment
+      # @return [Hash] Parameters for Logic class
+      def extract_logic_params(req, env)
+        # req.params already has extra_params merged and indifferent_params applied
+        # by setup_request_response in BaseHandler
+        logic_params = req.params.dup
+
+        # Handle JSON request bodies
+        if req.content_type&.include?('application/json') && req.body.size.positive?
+          logic_params = parse_json_body(req, env, logic_params)
+        end
+
+        logic_params
+      end
+
+      # Parse JSON request body with error handling
+      # @param req [Rack::Request] Request object
+      # @param env [Hash] Rack environment
+      # @param logic_params [Hash] Current parameters
+      # @return [Hash] Parameters with JSON merged (or original if parsing fails)
+      def parse_json_body(req, env, logic_params)
         begin
-          # Get strategy result (guaranteed to exist from RouteAuthWrapper)
-          strategy_result = env['otto.strategy_result']
-
-          # Initialize Logic class with new signature: context, params, locale
-          logic_params = req.params.merge(extra_params)
-
-          # Handle JSON request bodies
-          if req.content_type&.include?('application/json') && req.body.size.positive?
-            begin
-              req.body.rewind
-              json_data = JSON.parse(req.body.read)
-              logic_params = logic_params.merge(json_data) if json_data.is_a?(Hash)
-            rescue JSON::ParserError => e
-              # Base context pattern: create once, reuse for correlation
-              base_context = Otto::LoggingHelpers.request_context(env)
-
-              Otto.structured_log(:error, "JSON parsing error",
-                base_context.merge(
-                  handler: "#{target_class}#call",
-                  error: e.message,
-                  error_class: e.class.name,
-                  duration: Otto::Utils.now_in_μs - start_time
-                )
-              )
-
-              Otto::LoggingHelpers.log_backtrace(e,
-                base_context.merge(handler: "#{target_class}#call")
-              )
-            end
-          end
-
-          locale = env['otto.locale'] || 'en'
-
-          logic = target_class.new(strategy_result, logic_params, locale)
-
-          # Execute standard Logic class lifecycle
-          logic.raise_concerns if logic.respond_to?(:raise_concerns)
-
-          result = if logic.respond_to?(:process)
-                     logic.process
-                   else
-                     logic.call || logic
-                   end
-
-          # Handle response with Logic instance context
-          handle_response(result, res, {
-                            logic_instance: logic,
-            request: req,
-            status_code: logic.respond_to?(:status_code) ? logic.status_code : nil,
-                          })
-        rescue StandardError => e
-          # Check if we're being called through Otto's integrated context (vs direct handler testing)
-          # In integrated context, let Otto's centralized error handler manage the response
-          # In direct testing context, handle errors locally for unit testing
-          if otto_instance
-            # Store handler context in env for centralized error handler
-            handler_name = "#{target_class}#call"
-            env['otto.handler'] = handler_name
-            env['otto.handler_duration'] = Otto::Utils.now_in_μs - start_time
-
-            raise e # Re-raise to let Otto's centralized error handler manage the response
-          else
-            # Direct handler testing context - handle errors locally with security improvements
-            error_id = SecureRandom.hex(8)
-            Otto.logger.error "[#{error_id}] #{e.class}: #{e.message}"
-            Otto.logger.debug "[#{error_id}] Backtrace: #{e.backtrace.join("\n")}" if Otto.debug
-
-            res.status                  = 500
-            res.headers['content-type'] = 'text/plain'
-
-            if Otto.env?(:dev, :development)
-              res.write "Server error (ID: #{error_id}). Check logs for details."
-            else
-              res.write 'An error occurred. Please try again later.'
-            end
-
-            # Add security headers if available
-            if otto_instance.respond_to?(:security_config) && otto_instance.security_config
-              otto_instance.security_config.security_headers.each do |header, value|
-                res.headers[header] = value
-              end
-            end
-          end
+          req.body.rewind
+          json_data = JSON.parse(req.body.read)
+          logic_params = logic_params.merge(json_data) if json_data.is_a?(Hash)
+        rescue JSON::ParserError => e
+          # Base context pattern: create once, reuse for correlation
+          log_context = Otto::LoggingHelpers.request_context(env)
+
+          Otto.structured_log(:error, 'JSON parsing error',
+            log_context.merge(
+              handler: handler_name,
+              error: e.message,
+              error_class: e.class.name,
+              duration: Otto::Utils.now_in_μs - @start_time
+            ))
+
+          Otto::LoggingHelpers.log_backtrace(e,
+            log_context.merge(handler: handler_name))
         end
 
-        res.finish
+        logic_params
+      end
+
+      # Format handler name for Logic routes
+      # @return [String] Handler name in format "ClassName#call"
+      def handler_name
+        "#{target_class.name}#call"
       end
     end
   end

data/lib/otto/security/authentication/auth_strategy.rb

@@ -1,7 +1,7 @@
 # lib/otto/security/authentication/auth_strategy.rb
 #
 # frozen_string_literal: true
-#
+
 # Base class for all authentication strategies in Otto framework
 # Provides pluggable authentication patterns that can be customized per application
 
@@ -33,7 +33,7 @@ class Otto
             user: user,
             auth_method: auth_method || self.class.name.split('::').last,
             metadata: metadata,
-            strategy_name: nil  # Will be set by RouteAuthWrapper
+            strategy_name: nil # Will be set by RouteAuthWrapper
           )
         end
 

data/lib/otto/security/authentication/strategies/api_key_strategy.rb

@@ -21,7 +21,7 @@ class Otto
             api_key = env["HTTP_#{@header_name.upcase.tr('-', '_')}"]
 
             if api_key.nil?
-              request = Rack::Request.new(env)
+              request = Otto::Request.new(env)
               api_key = request.params[@param_name]
             end
 

data/lib/otto/security/authentication/strategy_result.rb

@@ -320,16 +320,16 @@ class Otto
         # @return [Hash] Hash representation of the context
         def to_h
           {
-            session: session,
-            user: user,
-            auth_method: auth_method,
-            metadata: metadata,
-            authenticated: authenticated?,
+                           session: session,
+                              user: user,
+                       auth_method: auth_method,
+                          metadata: metadata,
+                     authenticated: authenticated?,
             auth_attempt_succeeded: auth_attempt_succeeded?,
-            user_id: user_id,
-            user_name: user_name,
-            roles: roles,
-            permissions: permissions
+                           user_id: user_id,
+                         user_name: user_name,
+                             roles: roles,
+                       permissions: permissions,
           }
         end
       end

data/lib/otto/security/authorization_error.rb

@@ -40,7 +40,7 @@ class Otto
     #     end
     #   end
     #
-    class AuthorizationError < StandardError
+    class AuthorizationError < Otto::ForbiddenError
       # Optional additional context for logging/debugging
       attr_reader :resource, :action, :user_id
 

data/lib/otto/security/config.rb

@@ -436,12 +436,12 @@ class Otto
     end
 
     # Raised when a request exceeds the configured size limit
-    class RequestTooLargeError < StandardError; end
+    class RequestTooLargeError < Otto::PayloadTooLargeError; end
 
     # Raised when CSRF token validation fails
-    class CSRFError < StandardError; end
+    class CSRFError < Otto::ForbiddenError; end
 
     # Raised when input validation fails (XSS, SQL injection, etc.)
-    class ValidationError < StandardError; end
+    class ValidationError < Otto::BadRequestError; end
   end
 end

data/lib/otto/security/core.rb

@@ -0,0 +1,167 @@
+# lib/otto/security/core.rb
+#
+# frozen_string_literal: true
+
+class Otto
+  module Security
+    # Core security configuration methods included in the Otto class.
+    # Provides the public API for enabling and configuring security features.
+    module Core
+      # Enable CSRF protection for POST, PUT, DELETE, and PATCH requests.
+      # This will automatically add CSRF tokens to HTML forms and validate
+      # them on unsafe HTTP methods.
+      #
+      # @example
+      #   otto.enable_csrf_protection!
+      def enable_csrf_protection!
+        ensure_not_frozen!
+        return if @middleware.includes?(Otto::Security::Middleware::CSRFMiddleware)
+
+        @security_config.enable_csrf_protection!
+        use Otto::Security::Middleware::CSRFMiddleware
+      end
+
+      # Enable request validation including input sanitization, size limits,
+      # and protection against XSS and SQL injection attacks.
+      #
+      # @example
+      #   otto.enable_request_validation!
+      def enable_request_validation!
+        ensure_not_frozen!
+        return if @middleware.includes?(Otto::Security::Middleware::ValidationMiddleware)
+
+        @security_config.input_validation = true
+        use Otto::Security::Middleware::ValidationMiddleware
+      end
+
+      # Enable rate limiting to protect against abuse and DDoS attacks.
+      # This will automatically add rate limiting rules based on client IP.
+      #
+      # @param options [Hash] Rate limiting configuration options
+      # @option options [Integer] :requests_per_minute Maximum requests per minute per IP (default: 100)
+      # @option options [Hash] :custom_rules Custom rate limiting rules
+      # @example
+      #   otto.enable_rate_limiting!(requests_per_minute: 50)
+      def enable_rate_limiting!(options = {})
+        ensure_not_frozen!
+        return if @middleware.includes?(Otto::Security::Middleware::RateLimitMiddleware)
+
+        @security.configure_rate_limiting(options)
+        use Otto::Security::Middleware::RateLimitMiddleware
+      end
+
+      # Add a custom rate limiting rule.
+      #
+      # @param name [String, Symbol] Rule name
+      # @param options [Hash] Rule configuration
+      # @option options [Integer] :limit Maximum requests
+      # @option options [Integer] :period Time period in seconds (default: 60)
+      # @option options [Proc] :condition Optional condition proc that receives request
+      # @example
+      #   otto.add_rate_limit_rule('uploads', limit: 5, period: 300, condition: ->(req) { req.post? && req.path.include?('upload') })
+      def add_rate_limit_rule(name, options)
+        ensure_not_frozen!
+        @security_config.rate_limiting_config[:custom_rules][name.to_s] = options
+      end
+
+      # Add a trusted proxy server for accurate client IP detection.
+      # Only requests from trusted proxies will have their forwarded headers honored.
+      #
+      # @param proxy [String, Regexp] IP address, CIDR range, or regex pattern
+      # @example
+      #   otto.add_trusted_proxy('10.0.0.0/8')
+      #   otto.add_trusted_proxy(/^172\.16\./)
+      def add_trusted_proxy(proxy)
+        ensure_not_frozen!
+        @security_config.add_trusted_proxy(proxy)
+      end
+
+      # Set custom security headers that will be added to all responses.
+      # These merge with the default security headers.
+      #
+      # @param headers [Hash] Hash of header name => value pairs
+      # @example
+      #   otto.set_security_headers({
+      #     'content-security-policy' => "default-src 'self'",
+      #     'strict-transport-security' => 'max-age=31536000'
+      #   })
+      def set_security_headers(headers)
+        ensure_not_frozen!
+        @security_config.security_headers.merge!(headers)
+      end
+
+      # Enable HTTP Strict Transport Security (HSTS) header.
+      # WARNING: This can make your domain inaccessible if HTTPS is not properly
+      # configured. Only enable this when you're certain HTTPS is working correctly.
+      #
+      # @param max_age [Integer] Maximum age in seconds (default: 1 year)
+      # @param include_subdomains [Boolean] Apply to all subdomains (default: true)
+      # @example
+      #   otto.enable_hsts!(max_age: 86400, include_subdomains: false)
+      def enable_hsts!(max_age: 31_536_000, include_subdomains: true)
+        ensure_not_frozen!
+        @security_config.enable_hsts!(max_age: max_age, include_subdomains: include_subdomains)
+      end
+
+      # Enable Content Security Policy (CSP) header to prevent XSS attacks.
+      # The default policy only allows resources from the same origin.
+      #
+      # @param policy [String] CSP policy string (default: "default-src 'self'")
+      # @example
+      #   otto.enable_csp!("default-src 'self'; script-src 'self' 'unsafe-inline'")
+      def enable_csp!(policy = "default-src 'self'")
+        ensure_not_frozen!
+        @security_config.enable_csp!(policy)
+      end
+
+      # Enable X-Frame-Options header to prevent clickjacking attacks.
+      #
+      # @param option [String] Frame options: 'DENY', 'SAMEORIGIN', or 'ALLOW-FROM uri'
+      # @example
+      #   otto.enable_frame_protection!('DENY')
+      def enable_frame_protection!(option = 'SAMEORIGIN')
+        ensure_not_frozen!
+        @security_config.enable_frame_protection!(option)
+      end
+
+      # Enable Content Security Policy (CSP) with nonce support for dynamic header generation.
+      # This enables the res.send_csp_headers response helper method.
+      #
+      # @param debug [Boolean] Enable debug logging for CSP headers (default: false)
+      # @example
+      #   otto.enable_csp_with_nonce!(debug: true)
+      def enable_csp_with_nonce!(debug: false)
+        ensure_not_frozen!
+        @security_config.enable_csp_with_nonce!(debug: debug)
+      end
+
+      # Add an authentication strategy with a registered name
+      #
+      # This is the primary public API for registering authentication strategies.
+      # The name you provide here will be available as `strategy_result.strategy_name`
+      # in your application code, making it easy to identify which strategy authenticated
+      # the current request.
+      #
+      # Also available via Otto::Security::Configurator for consolidated security config.
+      #
+      # @param name [String, Symbol] Strategy name (e.g., 'session', 'api_key', 'jwt')
+      # @param strategy [AuthStrategy] Strategy instance
+      # @example
+      #   otto.add_auth_strategy('session', SessionStrategy.new(session_key: 'user_id'))
+      #   otto.add_auth_strategy('api_key', APIKeyStrategy.new)
+      # @raise [ArgumentError] if strategy name already registered
+      def add_auth_strategy(name, strategy)
+        ensure_not_frozen!
+        # Ensure auth_config is initialized (handles edge case where it might be nil)
+        @auth_config = { auth_strategies: {}, default_auth_strategy: 'noauth' } if @auth_config.nil?
+
+        # Strict mode: Detect strategy name collisions
+        if @auth_config[:auth_strategies].key?(name)
+          raise ArgumentError, "Authentication strategy '#{name}' is already registered"
+        end
+
+        @auth_config[:auth_strategies][name] = strategy
+      end
+    end
+  end
+end

data/lib/otto/security/middleware/csrf_middleware.rb

@@ -19,7 +19,7 @@ class Otto
         def call(env)
           return @app.call(env) unless @config.csrf_enabled?
 
-          request = Rack::Request.new(env)
+          request = Otto::Request.new(env)
 
           # Skip CSRF protection for safe methods
           if safe_method?(request.request_method)

data/lib/otto/security/middleware/validation_middleware.rb

@@ -32,7 +32,7 @@ class Otto
         def call(env)
           return @app.call(env) unless @config.input_validation
 
-          request = Rack::Request.new(env)
+          request = Otto::Request.new(env)
 
           begin
             # Validate request size

data/lib/otto/security/rate_limiter.rb

@@ -55,9 +55,13 @@ class Otto
             'retry-after' => (match_data[:period] - (now % match_data[:period])).to_s,
           }
 
-          # Check if request expects JSON
-          accept_header = request.env['HTTP_ACCEPT'].to_s
-          if accept_header.include?('application/json')
+          # Content negotiation for rate limit response
+          # Route's response_type takes precedence over Accept header
+          route_def = request.env['otto.route_definition']
+          wants_json = (route_def&.response_type == 'json') ||
+                       request.env['HTTP_ACCEPT'].to_s.include?('application/json')
+
+          if wants_json
             error_response = {
               error: 'Rate limit exceeded',
               message: 'Too many requests',

data/lib/otto/security.rb

@@ -2,6 +2,7 @@
 #
 # frozen_string_literal: true
 
+require_relative 'security/core'
 require_relative 'security/authentication/strategy_result'
 require_relative 'security/authorization_error'
 require_relative 'security/config'

data/lib/otto/version.rb

@@ -3,5 +3,5 @@
 # frozen_string_literal: true
 
 class Otto
-  VERSION = '2.0.0.pre8'
+  VERSION = '2.0.0.pre10'
 end