propel_api 0.1.3 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2412ee53a0d7ea8f145ef0fdc491b35099ca137238c8431512b58e63e75ee715
-  data.tar.gz: 1e7d0198d37aed70300eeca7972d41faf3d75b86d9e8c704fd63cd7ef250caf5
+  metadata.gz: fda016a4637d6921f4cbd7c1739aa12b652453b68f2bf00e627adda7a0384086
+  data.tar.gz: bee75517d7fee3d5f04536be44f5dba602bc5525076814a87e7b6f743a467913
 SHA512:
-  metadata.gz: 9437dfd83ecea7de889f9455e7097a4f0d4229b0475eb59e8d453695fe2cca302c6ccad2353bf78cb999c3e74bbc358d1b2264b0dcbad18db236c099f877160f
-  data.tar.gz: bdc7bd6e5a347c93700253634aaa277891d4cd4c88b2606d2c691f4dce285a304934ed4cf3ea2d46a5a536c2a71a7ccedf6294104e23c6339f225345e9e80cb3
+  metadata.gz: a19fc6c6f6c4d12773081adc7a856d7f4fcb1977c56cb3686334d8e316bb29ef540829f0f25adcd61ae6285f10a010691f063b0003bad463bc8b8624afd05974
+  data.tar.gz: 65349f86faa2e171c64b20d6699f90dc56649ae1b8c888f64ac8c3b76f147bbd301689ac79a0032c71cc134e3d1c3e380f0f5a1fbb7a35c46ea0adaebd63fb44

data/CHANGELOG.md

@@ -10,7 +10,90 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Planned Features
 - GraphQL adapter support
 
-## [0.1.2] - 2025-01-11
+## [0.2.0] - 2025-09-02
+
+### BREAKING CHANGES
+- **Security-first API architecture**: Complete redesign of tenancy validation flow
+  - Invalid tenancy context (organization_id, agency_id) now returns 403 Forbidden instead of 422 Unprocessable Entity
+  - Security validation occurs before business validation (prevents information disclosure)
+  - Error response structure changed from `{"errors": {...}}` to `{"error": "...", "message": "...", "code": "..."}`
+- **Controller generation format**: Generated controllers now use foreign key format in permitted_params
+  - `permitted_params :organization` → `permitted_params :organization_id`
+  - Ensures proper strong parameter filtering for security validation
+- **Configuration dependency**: `agency_tenancy` configuration moved to PropelAuthentication
+  - Remove `PropelApi.configuration.agency_tenancy` from config files
+  - Agency tenancy now controlled entirely by PropelAuthentication
+
+### Added
+- **Organization-level multi-tenancy security** - Complete data isolation between organizations
+  - All API queries automatically scoped to user's organization
+  - JWT tokens include `organization_id` for secure context extraction
+  - `for_organization(org_id)` scope added to ApplicationRecord base class
+  - Cross-organization data access completely blocked (show, update, delete return 404)
+  - New records automatically assigned to authenticated user's organization
+  - Comprehensive security test suite covering all attack vectors
+  - Zero impact on existing single-tenant applications
+- **Configurable auto-assignment**: Integration with PropelAuthentication tenancy configuration
+  - Respects `require_organization_id` and `require_user_id` settings from PropelAuthentication
+  - Helper methods: `require_organization_id?`, `require_user_id?` for configuration access
+- **Enhanced security validation**: Comprehensive unauthorized access protection
+  - Organization access validation with detailed error codes
+  - User assignment validation for admin delegation scenarios  
+  - Agency access validation with proper user permission checking
+- **Conditional test generation**: Tests now adapt behavior based on PropelAuthentication configuration
+  - Auto-assignment mode: Tests expect 201 Created with proper context assignment
+  - Strict mode: Tests expect 422 Unprocessable Entity when required fields missing
+  - Security tests: Tests expect 403 Forbidden for unauthorized access attempts
+
+### Fixed
+- **Authentication namespace conflict resolved** - Renamed authentication concern to prevent module name collision
+  - `PropelAuthentication` concern renamed to `PropelAuthenticationConcern` 
+  - Eliminates conflict between authentication controller concern and PropelAuthentication configuration module
+  - Updated all controller templates to use `include PropelAuthenticationConcern`
+  - Updated PropelFacets and Graphiti API controller templates
+  - Improved method visibility: `authenticate_user`, `current_user`, and `extract_jwt_token` are now public methods
+  - Enhanced flexibility for custom authentication scenarios (email notifications, audit logging, token refresh)
+- **Attribute introspection**: Fixed foreign key detection for User and other models with associations
+  - Database column introspection now properly generates foreign key format for permitted_params
+  - Association detection preserved for model relationship generation
+  - JSON field handling improved with proper `field: {}` syntax for nested objects
+- **Test data generation**: Enhanced User model test data generation
+  - Unique email and username generation to prevent fixture conflicts
+  - Proper field names for User model tests (email_address, username, password vs generic title)
+  - Model-specific test data patterns for comprehensive validation coverage
+
+### Security
+- **Multi-tenant data isolation** - Zero-trust organization scoping prevents data leaks
+  - Index queries: Users only see their organization's records
+  - Individual access: 404 responses for other organizations' records
+  - CRUD operations: All create/update/delete operations respect organization boundaries
+  - JWT security: Organization context properly extracted and validated
+  - Database-level enforcement via ActiveRecord scopes
+
+### Improved
+- **Multi-step security validation**: Three-phase validation for robust security
+  1. Security validation (403 for unauthorized access) 
+  2. Auto-assignment (based on configuration)
+  3. Final validation (422 for missing required fields)
+- **Authentication concern API design** - Better method organization and access patterns
+  - `authenticate_user` - Public method for `before_action` callbacks
+  - `current_user` - Public method for accessing authenticated user  
+  - `current_organization_id` - Public method for accessing organization context
+  - `extract_jwt_token` - Public method for custom authentication scenarios
+  - Clean separation between public API and internal implementation
+- **Template reliability**: Attribute detection using generator attributes instead of database queries during generation
+
+## [0.1.4] - 2025-08-15
+
+### Improved
+- Minor bug fixes and stability improvements
+
+## [0.1.3] - 2025-07-22
+
+### Improved
+- Performance optimizations and code refinements
+
+## [0.1.2] - 2025-07-15
 
 ### Added
 - **Automatic inverse relationship generation** - When creating resources with references, parent models are automatically updated
@@ -42,7 +125,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Better error handling** - Graceful recovery when parent model modifications fail
 - **Console output** - Color-coded feedback for relationship additions and warnings
 
-## [0.1.1] - 2025-01-10
+## [0.1.1] - 2025-07-11
 
 ### Added
 - **Optional usage comments in controllers** - `--with-comments` flag for generators

data/lib/generators/propel_api/core/named_base.rb

@@ -2,6 +2,7 @@
 
 require_relative 'configuration_methods'
 require_relative 'path_generation_methods'
+require_relative 'relationship_inferrer'
 
 ##
 # Named base class for PropelApi generators that work with named resources
@@ -44,6 +45,10 @@ module PropelApi
       file_name.pluralize
     end
 
+    def singular_route_name
+      file_name
+    end
+
     def api_route_path
       path_parts = []
       path_parts << @api_namespace if @api_namespace.present?
@@ -60,6 +65,14 @@ module PropelApi
       path_parts.join("_")
     end
 
+    def api_singular_route_helper
+      path_parts = []
+      path_parts << @api_namespace if @api_namespace.present?
+      path_parts << @api_version if @api_version.present?
+      path_parts << singular_route_name
+      path_parts.join("_")
+    end
+
     # Model introspection methods for existing models
     def introspect_model_attributes
       return [] unless model_exists?
@@ -70,30 +83,46 @@ module PropelApi
       # Extract basic attribute information from model file
       attributes = []
       
-      # Look for belongs_to associations
-      model_content.scan(/belongs_to\s+:(\w+)(?:,\s*(.*))?/) do |association, options|
-        # Convert belongs_to to reference attribute
-        attr_name = "#{association}_id"
-        unless should_exclude_from_permitted_params?(attr_name, :integer)
-          attributes << {
-            name: attr_name,
-            type: :integer,
-            reference: association
-          }
+      # Use RelationshipInferrer to introspect existing associations
+      association_data = RelationshipInferrer.introspect_existing_associations(model_content)
+      association_names = association_data[:association_names]
+      
+      # Add association attributes (with filtering)
+      association_data[:attributes].each do |attr_data|
+        unless should_exclude_from_permitted_params?(attr_data[:name], attr_data[:type])
+          attributes << attr_data
         end
       end
       
       # Look for basic validations that might indicate attributes
+      # Exclude association names (they're already handled above as foreign keys)
+      # NOTE: Only add validated attributes if they weren't already detected by schema introspection
+      # This prevents overriding correct types (e.g., :decimal) with default :string
       model_content.scan(/validates\s+:(\w+)/) do |attr|
         attr_name = attr.first
-        unless attributes.any? { |a| a[:name] == attr_name } || should_exclude_from_permitted_params?(attr_name, :string)
+        unless association_names.include?(attr_name) || 
+               attributes.any? { |a| a[:name] == attr_name } ||  # Proper deduplication - don't override existing attributes
+               should_exclude_from_permitted_params?(attr_name, :string)
           attributes << {
             name: attr_name,
-            type: :string  # Default to string for validated attributes
+            type: :string  # Only use :string as fallback for truly unknown attributes
           }
         end
       end
       
+      # Detect common virtual attributes patterns
+      # Handle has_secure_password virtual attributes (password, password_confirmation)
+      if model_content.match?(/has_secure_password|include\s+Authenticatable/)
+        unless should_exclude_from_permitted_params?('password', :string) || 
+               attributes.any? { |a| a[:name] == 'password' }
+          attributes << { name: 'password', type: :string, required: true }
+        end
+        unless should_exclude_from_permitted_params?('password_confirmation', :string) ||
+               attributes.any? { |a| a[:name] == 'password_confirmation' }
+          attributes << { name: 'password_confirmation', type: :string, required: false }
+        end
+      end
+      
       # Try to introspect from schema if available
       if defined?(ActiveRecord::Base) && model_class_defined?
         begin
@@ -103,13 +132,25 @@ module PropelApi
               attr_name = column.name
               attr_type = schema_type_to_generator_type(column.type)
               
-              # Skip if we already have this attribute or if it should be excluded
-              next if attributes.any? { |a| a[:name] == attr_name } || should_exclude_from_permitted_params?(attr_name, attr_type)
+              # Skip if it should be excluded or if foreign key is covered by association
+              # Also skip foreign key columns if we already have the corresponding association
+              foreign_key_association = attr_name.end_with?('_id') ? attr_name.gsub(/_id$/, '') : nil
+              already_has_association = foreign_key_association && attributes.any? { |a| a[:name] == foreign_key_association && a[:type] == :references }
               
-              attributes << {
-                name: attr_name,
-                type: attr_type
-              }
+              next if already_has_association || should_exclude_from_permitted_params?(attr_name, attr_type)
+              
+              # Schema introspection is authoritative - override existing attributes with correct database types
+              # EXCEPT for associations, which should remain as :references
+              existing_index = attributes.find_index { |a| a[:name] == attr_name }
+              if existing_index
+                existing_attr = attributes[existing_index]
+                # Don't override associations detected by RelationshipInferrer
+                unless existing_attr[:type] == :references
+                  attributes[existing_index] = { name: attr_name, type: attr_type }  # Override with correct schema type
+                end
+              else
+                attributes << { name: attr_name, type: attr_type }  # Add new attribute
+              end
             end
           end
         rescue => e
@@ -126,19 +167,37 @@ module PropelApi
       
       attributes = introspect_model_attributes
       
-      # Convert attributes to permitted param names (filtering already applied in introspect_model_attributes)
+      # Convert attributes to permitted param names with proper Rails strong parameter syntax
       params = attributes.map do |attr|
-        attr[:name]
-      end
-      
-      # Always include common multi-tenancy params if not already included
-      %w[organization_id agency_id].each do |param|
-        params << param unless params.include?(param)
+        # For foreign key columns (organization_id, agency_id, user_id), use column name directly
+        if attr[:name].end_with?('_id') && model_has_association_for_foreign_key?(attr[:name])
+          attr[:name]  # Keep foreign key format: organization_id, agency_id, user_id
+        elsif attr[:type] == :references
+          # Convert association references to foreign key format for strong parameters
+          "#{attr[:name]}_id"  # Convert :organization to :organization_id for permitted_params
+        elsif attr[:type] == :json
+          # JSON/JSONB fields need hash syntax for Rails strong parameters to allow nested objects
+          "#{attr[:name]}: {}"
+        else
+          attr[:name]  # Regular attributes: title, description, price, etc.
+        end
       end
       
       params
     end
 
+    def model_has_association_for_foreign_key?(foreign_key)
+      return false unless model_class_defined?
+      
+      begin
+        association_name = foreign_key.gsub('_id', '')
+        model_class = class_name.constantize
+        model_class.reflect_on_association(association_name.to_sym).present?
+      rescue
+        false
+      end
+    end
+
     def validate_attributes_exist
       return if options[:all_attributes] || !model_exists?
       
@@ -265,8 +324,8 @@ module PropelApi
       # Fallback: Use the same patterns as templates for consistency
       attr_str = attribute_name.to_s
       
-      # Exclude timestamps and internal fields (same as templates)
-      excluded_patterns = /\A(created_at|updated_at|deleted_at|password_digest|reset_password_token|confirmation_token|unlock_token)\z/i
+      # Fallback: Basic exclusion patterns (PropelApi.attribute_filter should handle most cases)
+      excluded_patterns = /\A(id|created_at|updated_at|deleted_at|password_digest|reset_password_token|confirmation_token|unlock_token)\z/i
       
       # Always exclude security-sensitive fields (same as templates)
       security_patterns = /(password|digest|token|secret|key|salt|encrypted|confirmation|unlock|reset|api_key|access_token|refresh_token)/i
@@ -305,6 +364,8 @@ module PropelApi
         :date
       when :time
         :time
+      when :json, :jsonb
+        :json
       else
         :string
       end

data/lib/generators/propel_api/core/relationship_inferrer.rb

@@ -19,6 +19,42 @@ class RelationshipInferrer
     @inverse_relationships = {}
   end
   
+  # Class method to introspect existing associations from model content
+  # Returns: { association_names: [], attributes: [] }
+  def self.introspect_existing_associations(model_content)
+    association_names = []
+    attributes = []
+    
+    # Look for belongs_to associations
+    model_content.scan(/belongs_to\s+:(\w+)(?:,\s*(.*))?/) do |association, options|
+      association_names << association
+      
+      # Convert belongs_to to reference attribute for controller generation
+      attributes << {
+        name: association,  # Use association name for template (organization, not organization_id)
+        type: :references,
+        reference: association
+      }
+    end
+    
+    # Look for has_many associations (for completeness)
+    model_content.scan(/has_many\s+:(\w+)(?:,\s*(.*))?/) do |association, options|
+      # We don't create controller attributes for has_many, but track for validation exclusion
+      association_names << association
+    end
+    
+    # Look for has_one associations (for completeness)
+    model_content.scan(/has_one\s+:(\w+)(?:,\s*(.*))?/) do |association, options|
+      # We don't create controller attributes for has_one, but track for validation exclusion
+      association_names << association
+    end
+    
+    {
+      association_names: association_names.uniq,
+      attributes: attributes
+    }
+  end
+  
   # Generate relationships for this model
   def belongs_to_relationships
     relationships = []
@@ -64,12 +100,9 @@ class RelationshipInferrer
     # Add inverse relationship for non-polymorphic references only
     add_inverse_relationship(class_name, standard_has_many)
     
-    # All references except organization are optional by default (PropelAPI convention)
-    if reference_name == 'organization'
-      "belongs_to :#{reference_name}"
-    else
-      "belongs_to :#{reference_name}, optional: true"
-    end
+    # All references are required by default (Rails convention)
+    # Add 'optional: true' manually if optional behavior is needed
+    "belongs_to :#{reference_name}"
   end
   
   def polymorphic_belongs_to(attribute)
@@ -84,8 +117,9 @@ class RelationshipInferrer
       base_name = attribute.name.to_s
     end
     
-    # Polymorphic associations are optional by default (PropelAPI convention)
-    "belongs_to :#{base_name}, polymorphic: true, optional: true"
+    # Polymorphic associations default to required (Rails convention)
+    # Add 'optional: true' manually if optional behavior is needed
+    "belongs_to :#{base_name}, polymorphic: true"
   end
   
 

data/lib/generators/propel_api/templates/config/propel_api.rb.tt

@@ -26,9 +26,10 @@ module PropelApi
     attr_accessor :sensitive_patterns, :excluded_patterns, :large_content_patterns
     
     def initialize
-      # Security-sensitive field patterns
+      # Security-sensitive field patterns (exclude from permitted params)
+      # Note: Excludes stored/hashed fields but allows input fields like password, password_confirmation
       @sensitive_patterns = [
-        /(password|digest|token|secret|key|salt|encrypted|confirmation|unlock|reset|api_key|access_token|refresh_token)/i,
+        /(password_digest|reset_password_token|confirmation_token|unlock_token|remember_token|digest|secret|key|salt|encrypted|api_key|access_token|refresh_token)/i,
         /\A(ssn|social_security|credit_card|cvv|pin|tax_id)\z/i
       ]
       

data/lib/generators/propel_api/templates/controllers/api_controller_graphiti.rb

@@ -1,7 +1,7 @@
 class <%= api_controller_class_name %> < ApplicationController
   include Graphiti::Rails
   include Graphiti::Responders
-  include PropelAuthentication
+  include PropelAuthenticationConcern
 
   before_action :authenticate_user
 
@@ -17,17 +17,26 @@ class <%= api_controller_class_name %> < ApplicationController
   
 <% end -%>
   def index
-    resources = resource.all(params)
+    scoped_params = params_with_organization_scope
+    return unless scoped_params  # Early return if organization context missing
+    
+    resources = resource.all(scoped_params)
     respond_with(resources)
   end
 
   def show  
-    resource_instance = resource.find(params)
+    scoped_params = params_with_organization_scope
+    return unless scoped_params  # Early return if organization context missing
+    
+    resource_instance = resource.find(scoped_params)
     respond_with(resource_instance)
   end
 
   def create
-    resource_instance = resource.build(params)
+    scoped_params = params_with_organization_context
+    return unless scoped_params  # Early return if organization context missing
+    
+    resource_instance = resource.build(scoped_params)
     
     if resource_instance.save
       respond_with(resource_instance, status: :created)
@@ -37,7 +46,10 @@ class <%= api_controller_class_name %> < ApplicationController
   end
 
   def update
-    resource_instance = resource.find(params)
+    scoped_params = params_with_organization_scope
+    return unless scoped_params  # Early return if organization context missing
+    
+    resource_instance = resource.find(scoped_params)
     
     if resource_instance.update_attributes
       respond_with(resource_instance)
@@ -47,7 +59,10 @@ class <%= api_controller_class_name %> < ApplicationController
   end
 
   def destroy
-    resource_instance = resource.find(params)
+    scoped_params = params_with_organization_scope
+    return unless scoped_params  # Early return if organization context missing
+    
+    resource_instance = resource.find(scoped_params)
     resource_instance.destroy
     
     respond_with(resource_instance)
@@ -77,6 +92,34 @@ class <%= api_controller_class_name %> < ApplicationController
     raise "#{resource_class_name} not found. Please create it using: rails generate graphiti:resource #{controller_name.classify}"
   end
 
+  # Add organization scope to params for query operations
+  def params_with_organization_scope
+    unless current_organization_id
+      render json: { 
+        error: 'Organization context required',
+        message: 'Valid organization_id must be provided in JWT token',
+        code: 'MISSING_ORGANIZATION_CONTEXT'
+      }, status: :forbidden
+      return nil
+    end
+    
+    params.merge(organization_scope: current_organization_id)
+  end
+
+  # Add organization context to params for create operations
+  def params_with_organization_context
+    unless current_organization_id
+      render json: { 
+        error: 'Organization context required',
+        message: 'Valid organization_id must be provided in JWT token',
+        code: 'MISSING_ORGANIZATION_CONTEXT'
+      }, status: :forbidden
+      return nil
+    end
+    
+    params.merge(organization_id: current_organization_id)
+  end
+
 <% if options[:with_comments] -%>
   # Graphiti handles parameter filtering through resources automatically
   # No need for manual strong parameters - resources define allowed attributes