otto 2.0.0.pre8 → 2.0.0.pre9

data/lib/otto/route_handlers/logic_class.rb

@@ -1,8 +1,6 @@
 # lib/otto/route_handlers/logic_class.rb
 #
 # frozen_string_literal: true
-require 'json'
-require 'securerandom'
 
 require_relative 'base'
 
@@ -20,98 +18,95 @@ class Otto
     # For endpoints requiring direct request access (sessions, cookies, headers,
     # or logout flows), use controller handlers (Controller#action or Controller.action).
     class LogicClassHandler < BaseHandler
-      def call(env, extra_params = {})
-        start_time = Otto::Utils.now_in_μs
-        req = Rack::Request.new(env)
-        res = Rack::Response.new
+      protected
 
+      # Invoke Logic class with constrained signature
+      # @param req [Rack::Request] Request object
+      # @param res [Rack::Response] Response object
+      # @return [Array] [result, context] for handle_response
+      def invoke_target(req, _res)
+        env = req.env
+
+        # Get strategy result (guaranteed to exist from RouteAuthWrapper)
+        strategy_result = env['otto.strategy_result']
+
+        # Extract params including JSON body parsing
+        logic_params = extract_logic_params(req, env)
+
+        # Get locale
+        locale = env['otto.locale'] || 'en'
+
+        # Instantiate Logic class
+        logic = target_class.new(strategy_result, logic_params, locale)
+
+        # Execute standard Logic class lifecycle
+        logic.raise_concerns if logic.respond_to?(:raise_concerns)
+
+        result = if logic.respond_to?(:process)
+                   logic.process
+                 else
+                   logic.call || logic
+                 end
+
+        context = {
+          logic_instance: logic,
+                 request: req,
+             status_code: logic.respond_to?(:status_code) ? logic.status_code : nil,
+        }
+
+        [result, context]
+      end
+
+      # Extract logic parameters including JSON body parsing
+      # @param req [Rack::Request] Request object
+      # @param env [Hash] Rack environment
+      # @return [Hash] Parameters for Logic class
+      def extract_logic_params(req, env)
+        # req.params already has extra_params merged and indifferent_params applied
+        # by setup_request_response in BaseHandler
+        logic_params = req.params.dup
+
+        # Handle JSON request bodies
+        if req.content_type&.include?('application/json') && req.body.size.positive?
+          logic_params = parse_json_body(req, env, logic_params)
+        end
+
+        logic_params
+      end
+
+      # Parse JSON request body with error handling
+      # @param req [Rack::Request] Request object
+      # @param env [Hash] Rack environment
+      # @param logic_params [Hash] Current parameters
+      # @return [Hash] Parameters with JSON merged (or original if parsing fails)
+      def parse_json_body(req, env, logic_params)
         begin
-          # Get strategy result (guaranteed to exist from RouteAuthWrapper)
-          strategy_result = env['otto.strategy_result']
-
-          # Initialize Logic class with new signature: context, params, locale
-          logic_params = req.params.merge(extra_params)
-
-          # Handle JSON request bodies
-          if req.content_type&.include?('application/json') && req.body.size.positive?
-            begin
-              req.body.rewind
-              json_data = JSON.parse(req.body.read)
-              logic_params = logic_params.merge(json_data) if json_data.is_a?(Hash)
-            rescue JSON::ParserError => e
-              # Base context pattern: create once, reuse for correlation
-              base_context = Otto::LoggingHelpers.request_context(env)
-
-              Otto.structured_log(:error, "JSON parsing error",
-                base_context.merge(
-                  handler: "#{target_class}#call",
-                  error: e.message,
-                  error_class: e.class.name,
-                  duration: Otto::Utils.now_in_μs - start_time
-                )
-              )
-
-              Otto::LoggingHelpers.log_backtrace(e,
-                base_context.merge(handler: "#{target_class}#call")
-              )
-            end
-          end
-
-          locale = env['otto.locale'] || 'en'
-
-          logic = target_class.new(strategy_result, logic_params, locale)
-
-          # Execute standard Logic class lifecycle
-          logic.raise_concerns if logic.respond_to?(:raise_concerns)
-
-          result = if logic.respond_to?(:process)
-                     logic.process
-                   else
-                     logic.call || logic
-                   end
-
-          # Handle response with Logic instance context
-          handle_response(result, res, {
-                            logic_instance: logic,
-            request: req,
-            status_code: logic.respond_to?(:status_code) ? logic.status_code : nil,
-                          })
-        rescue StandardError => e
-          # Check if we're being called through Otto's integrated context (vs direct handler testing)
-          # In integrated context, let Otto's centralized error handler manage the response
-          # In direct testing context, handle errors locally for unit testing
-          if otto_instance
-            # Store handler context in env for centralized error handler
-            handler_name = "#{target_class}#call"
-            env['otto.handler'] = handler_name
-            env['otto.handler_duration'] = Otto::Utils.now_in_μs - start_time
-
-            raise e # Re-raise to let Otto's centralized error handler manage the response
-          else
-            # Direct handler testing context - handle errors locally with security improvements
-            error_id = SecureRandom.hex(8)
-            Otto.logger.error "[#{error_id}] #{e.class}: #{e.message}"
-            Otto.logger.debug "[#{error_id}] Backtrace: #{e.backtrace.join("\n")}" if Otto.debug
-
-            res.status                  = 500
-            res.headers['content-type'] = 'text/plain'
-
-            if Otto.env?(:dev, :development)
-              res.write "Server error (ID: #{error_id}). Check logs for details."
-            else
-              res.write 'An error occurred. Please try again later.'
-            end
-
-            # Add security headers if available
-            if otto_instance.respond_to?(:security_config) && otto_instance.security_config
-              otto_instance.security_config.security_headers.each do |header, value|
-                res.headers[header] = value
-              end
-            end
-          end
+          req.body.rewind
+          json_data = JSON.parse(req.body.read)
+          logic_params = logic_params.merge(json_data) if json_data.is_a?(Hash)
+        rescue JSON::ParserError => e
+          # Base context pattern: create once, reuse for correlation
+          log_context = Otto::LoggingHelpers.request_context(env)
+
+          Otto.structured_log(:error, 'JSON parsing error',
+            log_context.merge(
+              handler: handler_name,
+              error: e.message,
+              error_class: e.class.name,
+              duration: Otto::Utils.now_in_μs - @start_time
+            ))
+
+          Otto::LoggingHelpers.log_backtrace(e,
+            log_context.merge(handler: handler_name))
         end
 
-        res.finish
+        logic_params
+      end
+
+      # Format handler name for Logic routes
+      # @return [String] Handler name in format "ClassName#call"
+      def handler_name
+        "#{target_class.name}#call"
       end
     end
   end

data/lib/otto/security/authentication/auth_strategy.rb

@@ -1,7 +1,7 @@
 # lib/otto/security/authentication/auth_strategy.rb
 #
 # frozen_string_literal: true
-#
+
 # Base class for all authentication strategies in Otto framework
 # Provides pluggable authentication patterns that can be customized per application
 
@@ -33,7 +33,7 @@ class Otto
             user: user,
             auth_method: auth_method || self.class.name.split('::').last,
             metadata: metadata,
-            strategy_name: nil  # Will be set by RouteAuthWrapper
+            strategy_name: nil # Will be set by RouteAuthWrapper
           )
         end
 

data/lib/otto/security/authentication/strategy_result.rb

@@ -320,16 +320,16 @@ class Otto
         # @return [Hash] Hash representation of the context
         def to_h
           {
-            session: session,
-            user: user,
-            auth_method: auth_method,
-            metadata: metadata,
-            authenticated: authenticated?,
+                           session: session,
+                              user: user,
+                       auth_method: auth_method,
+                          metadata: metadata,
+                     authenticated: authenticated?,
             auth_attempt_succeeded: auth_attempt_succeeded?,
-            user_id: user_id,
-            user_name: user_name,
-            roles: roles,
-            permissions: permissions
+                           user_id: user_id,
+                         user_name: user_name,
+                             roles: roles,
+                       permissions: permissions,
           }
         end
       end

data/lib/otto/security/authorization_error.rb

@@ -40,7 +40,7 @@ class Otto
     #     end
     #   end
     #
-    class AuthorizationError < StandardError
+    class AuthorizationError < Otto::ForbiddenError
       # Optional additional context for logging/debugging
       attr_reader :resource, :action, :user_id
 

data/lib/otto/security/config.rb

@@ -436,12 +436,12 @@ class Otto
     end
 
     # Raised when a request exceeds the configured size limit
-    class RequestTooLargeError < StandardError; end
+    class RequestTooLargeError < Otto::PayloadTooLargeError; end
 
     # Raised when CSRF token validation fails
-    class CSRFError < StandardError; end
+    class CSRFError < Otto::ForbiddenError; end
 
     # Raised when input validation fails (XSS, SQL injection, etc.)
-    class ValidationError < StandardError; end
+    class ValidationError < Otto::BadRequestError; end
   end
 end

data/lib/otto/security/rate_limiter.rb

@@ -55,9 +55,13 @@ class Otto
             'retry-after' => (match_data[:period] - (now % match_data[:period])).to_s,
           }
 
-          # Check if request expects JSON
-          accept_header = request.env['HTTP_ACCEPT'].to_s
-          if accept_header.include?('application/json')
+          # Content negotiation for rate limit response
+          # Route's response_type takes precedence over Accept header
+          route_def = request.env['otto.route_definition']
+          wants_json = (route_def&.response_type == 'json') ||
+                       request.env['HTTP_ACCEPT'].to_s.include?('application/json')
+
+          if wants_json
             error_response = {
               error: 'Rate limit exceeded',
               message: 'Too many requests',

data/lib/otto/version.rb

@@ -3,5 +3,5 @@
 # frozen_string_literal: true
 
 class Otto
-  VERSION = '2.0.0.pre8'
+  VERSION = '2.0.0.pre9'
 end

data/lib/otto.rb

@@ -17,6 +17,7 @@ require_relative 'otto/static'
 require_relative 'otto/helpers'
 require_relative 'otto/response_handlers'
 require_relative 'otto/route_handlers'
+require_relative 'otto/errors'
 require_relative 'otto/locale'
 require_relative 'otto/mcp'
 require_relative 'otto/core'
@@ -79,9 +80,10 @@ class Otto
     load(path) unless path.nil?
     super()
 
-    # Auto-register AuthorizationError for 403 Forbidden responses
-    # This allows Logic classes to raise AuthorizationError for resource-level access control
-    register_error_handler(Otto::Security::AuthorizationError, status: 403, log_level: :warn)
+    # Auto-register all Otto framework error classes
+    # This allows Logic classes and framework code to raise appropriate errors
+    # without requiring manual registration in implementing projects
+    register_framework_errors
 
     # Build the middleware app once after all initialization is complete
     build_app!
@@ -586,6 +588,48 @@ class Otto
     configure_mcp(opts)
   end
 
+  # Register all Otto framework error classes with appropriate status codes
+  #
+  # This method auto-registers base HTTP error classes and all framework-specific
+  # error classes (Security, MCP) so that raising them automatically returns the
+  # correct HTTP status code instead of 500.
+  #
+  # Users can override these registrations by calling register_error_handler
+  # after Otto.new with custom status codes or log levels.
+  #
+  # @return [void]
+  # @api private
+  def register_framework_errors
+    # Base HTTP errors (for direct use or subclassing by implementing projects)
+    register_error_from_class(Otto::NotFoundError)
+    register_error_from_class(Otto::BadRequestError)
+    register_error_from_class(Otto::UnauthorizedError)
+    register_error_from_class(Otto::ForbiddenError)
+    register_error_from_class(Otto::PayloadTooLargeError)
+
+    # Security module errors
+    register_error_from_class(Otto::Security::AuthorizationError)
+    register_error_from_class(Otto::Security::CSRFError)
+    register_error_from_class(Otto::Security::RequestTooLargeError)
+    register_error_from_class(Otto::Security::ValidationError)
+
+    # MCP module errors
+    register_error_from_class(Otto::MCP::ValidationError)
+  end
+
+  # Register an error handler using the error class as the single source of truth
+  #
+  # @param error_class [Class] Error class that responds to default_status and default_log_level
+  # @return [void]
+  # @api private
+  def register_error_from_class(error_class)
+    register_error_handler(
+      error_class,
+      status: error_class.default_status,
+      log_level: error_class.default_log_level
+    )
+  end
+
   class << self
     attr_accessor :debug, :logger # rubocop:disable ThreadSafety/ClassAndModuleAttributes
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: otto
 version: !ruby/object:Gem::Version
-  version: 2.0.0.pre8
+  version: 2.0.0.pre9
 platform: ruby
 authors:
 - Delano Mandelbaum
@@ -175,6 +175,8 @@ files:
 - docs/ipaddr-encoding-quirk.md
 - docs/migrating/v2.0.0-pre1.md
 - docs/migrating/v2.0.0-pre2.md
+- docs/modern-authentication-authorization-landscape.md
+- docs/multi-strategy-authentication-design.md
 - examples/.gitignore
 - examples/advanced_routes/README.md
 - examples/advanced_routes/app.rb
@@ -243,6 +245,7 @@ files:
 - lib/otto/core/uri_generator.rb
 - lib/otto/design_system.rb
 - lib/otto/env_keys.rb
+- lib/otto/errors.rb
 - lib/otto/helpers.rb
 - lib/otto/helpers/base.rb
 - lib/otto/helpers/request.rb