propel_api 0.1.4 → 0.2.0

data/lib/generators/propel_api/templates/controllers/api_controller_propel_facets.rb

@@ -3,7 +3,7 @@ class <%= api_controller_class_name %> < ApplicationController
   include Pagy::Backend
   include FacetRenderer
   include StrongParamsHelper
-  include PropelAuthentication
+  include PropelAuthenticationConcern
 
   before_action :authenticate_user
   before_action :set_resource, only: [:show, :update, :destroy]
@@ -15,7 +15,10 @@ class <%= api_controller_class_name %> < ApplicationController
   connect_facet :details, actions: [:show, :update, :create]
 
   def index
-    @pagy, resources = pagy(apply_scopes(resource_class.all))
+    scoped_resource = for_organization(resource_class)
+    return unless scoped_resource  # Early return if organization context missing
+    
+    @pagy, resources = pagy(apply_scopes(scoped_resource))
     render json: { 
       data: resources.map { |resource| resource_json(resource) },
       pagination: pagy_metadata(@pagy)
@@ -27,7 +30,13 @@ class <%= api_controller_class_name %> < ApplicationController
   end
 
   def create
-    @resource = resource_class.new(resource_params)
+    scoped_resource = for_organization(resource_class)
+    return unless scoped_resource  # Early return if organization context missing
+    
+    params_with_context = build_creation_params
+    return if params_with_context.empty?  # Early return if validation failed (response already rendered)
+    
+    @resource = scoped_resource.build(params_with_context)
     if @resource.save
       render json: { data: resource_json(@resource) }, status: :created
     else
@@ -55,7 +64,209 @@ class <%= api_controller_class_name %> < ApplicationController
   end
 
   def set_resource
-    @resource = resource_class.find(params[:id])
+    # Ensure resource is within organization scope
+    scoped_resource = for_organization(resource_class)
+    return unless scoped_resource  # Early return if organization context missing
+    
+    @resource = scoped_resource.find(params[:id])
+  end
+
+    # Organization scoping method with support for self-signup
+  def for_organization(model_class)
+    return render_organization_context_error unless current_organization_id
+
+    # Special case: Organization model should only show user's own organization
+    if model_class == Organization
+      return model_class.where(id: current_organization_id)
+    end
+    
+    # Start with organization scoping
+    scoped_query = model_class.for_organization(current_organization_id)
+    
+    # Additional agency scoping only if agency tenancy is enabled
+    apply_agency_scoping(scoped_query, model_class)
+  end
+
+  # Build parameters for resource creation with security-first flow
+  def build_creation_params
+    return {} unless validate_organization_context
+    
+    params = resource_params
+    
+    # FIRST: Security validation of any provided context (fail-fast with 403)
+    params = validate_provided_tenancy_context(params)
+    return {} if params.empty?                    # Early return on security failure
+    
+    # SECOND: Auto-assign missing context (only after security validation passes)
+    params = auto_assign_missing_context(params)
+    
+    # THIRD: Final validation (business rules, data format)
+    params = validate_final_tenancy_requirements(params)
+    return {} if params.empty?                    # Early return on validation failure
+    
+    params
+  end
+
+  private
+
+  # Render organization context error
+  def render_organization_context_error
+    render json: { 
+      error: 'Organization context required',
+      message: 'Valid organization_id must be provided in JWT token',
+      code: 'MISSING_ORGANIZATION_CONTEXT'
+    }, status: :forbidden
+    nil
+  end
+
+  # Validate organization context is available
+  def validate_organization_context
+    return true if current_organization_id
+    
+    render_organization_context_error
+    false
+  end
+
+  # Apply agency scoping if enabled and applicable
+  def apply_agency_scoping(scoped_query, model_class)
+    if agency_tenancy_enabled? && 
+       model_class.column_names.include?('agency_id') && 
+       current_agency_ids&.any?
+      scoped_query.where(agency_id: current_agency_ids)
+    else
+      scoped_query
+    end
+  end
+
+  # FIRST: Security validation of any provided tenancy context (fail-fast)
+  def validate_provided_tenancy_context(params)
+    # If organization_id is provided, verify user has access to it
+    if params[:organization_id].present?
+      unless params[:organization_id].to_i == current_organization_id
+        render json: { 
+          error: 'Unauthorized organization access',
+          message: 'You do not have access to create resources in this organization',
+          code: 'UNAUTHORIZED_ORGANIZATION_ACCESS'
+        }, status: :forbidden
+        return {}
+      end
+    end
+    
+    # If user_id is provided, verify it's authorized (for admin delegation scenarios)
+    if params[:user_id].present?
+      # For now, only allow current user (can be extended for admin delegation)
+      unless params[:user_id].to_i == current_user.id
+        render json: { 
+          error: 'Unauthorized user assignment',
+          message: 'You can only create resources as yourself (admin delegation not yet implemented)',
+          code: 'UNAUTHORIZED_USER_ASSIGNMENT'
+        }, status: :forbidden
+        return {}
+      end
+    end
+    
+    # If agency_id is provided, verify user has access to it
+    if params[:agency_id].present? && agency_tenancy_enabled?
+      unless current_agency_ids.include?(params[:agency_id].to_i)
+        render json: { 
+          error: 'Unauthorized agency access',
+          message: 'You do not have access to create resources in this agency',
+          code: 'UNAUTHORIZED_AGENCY_ACCESS'
+        }, status: :forbidden
+        return {}
+      end
+    end
+    
+    params
+  end
+
+  # SECOND: Auto-assign missing context based on configuration
+  def auto_assign_missing_context(params)
+    # Auto-assign organization_id if missing and not required to be explicit
+    if params[:organization_id].blank? && !require_organization_id?
+      # Special case: Organization model doesn't get organization_id assigned
+      unless resource_class == Organization
+        params[:organization_id] = current_organization_id
+      end
+    end
+    
+    # Auto-assign user_id if missing and not required to be explicit  
+    if params[:user_id].blank? && !require_user_id?
+      # Auto-assign user_id for models that have user association (except User model itself)
+      if resource_class != User && resource_class.column_names.include?('user_id')
+        params[:user_id] = current_user.id
+      end
+    end
+    
+    params
+  end
+
+
+
+  # Check if agency tenancy is enabled
+  def agency_tenancy_enabled?
+    # Check PropelAuthentication configuration (owns tenancy models)
+    if defined?(PropelAuthentication) && PropelAuthentication.respond_to?(:configuration)
+      PropelAuthentication.configuration.agency_tenancy
+    else
+      true  # Safe default - enables agency tenancy when configuration unavailable
+    end
+  end
+
+  # Check if explicit organization_id is required in API requests
+  def require_organization_id?
+    if defined?(PropelAuthentication) && PropelAuthentication.respond_to?(:configuration)
+      PropelAuthentication.configuration.require_organization_id
+    else
+      false  # Safe default - allow auto-assignment when configuration unavailable
+    end
+  end
+
+  # Check if explicit user_id is required in API requests
+  def require_user_id?
+    if defined?(PropelAuthentication) && PropelAuthentication.respond_to?(:configuration)
+      PropelAuthentication.configuration.require_user_id
+    else
+      false  # Safe default - allow auto-assignment when configuration unavailable
+    end
+  end
+
+
+
+  # THIRD: Final validation - ensure required fields are present after auto-assignment
+  def validate_final_tenancy_requirements(params)
+    errors = {}
+    
+    # Validate organization_id is present (after security check and auto-assignment)
+    if params[:organization_id].blank?
+      if require_organization_id?
+        errors[:organization_id] = ["is required - set require_organization_id = false to enable auto-assignment"]
+      else
+        errors[:organization_id] = ["could not be determined - check authentication context"]
+      end
+    end
+    
+    # Validate user_id is present for models that need it (after auto-assignment)
+    if resource_class.column_names.include?('user_id') && params[:user_id].blank?
+      if require_user_id?
+        errors[:user_id] = ["is required - set require_user_id = false to enable auto-assignment"]
+      else
+        errors[:user_id] = ["could not be determined - check authentication context"]
+      end
+    end
+    
+    # Validate agency_id is present for models that need it (business requirement)
+    if agency_tenancy_enabled? && resource_class.column_names.include?('agency_id') && params[:agency_id].blank?
+      errors[:agency_id] = ["is required when agency tenancy is enabled"]
+    end
+    
+    # Return validation errors if any
+    if errors.any?
+      render json: { errors: errors }, status: :unprocessable_entity
+      return {}
+    end
+    
+    params
   end
 
 <% if options[:with_comments] -%>

data/lib/generators/propel_api/templates/scaffold/facet_controller_template.rb.tt

@@ -1,11 +1,24 @@
 # frozen_string_literal: true
 
 class <%= controller_class_name_with_namespace %>Controller < <%= api_controller_class_name %>
+<% if class_name == 'Organization' -%>
+  # Organizations are created through signup flow for security
+  before_action :block_organization_creation, only: [:create]
+
+<% end -%>
 <% if options[:with_comments] -%>
   # Define which parameters are allowed for <%= class_name %> creation/updates
   # This uses the StrongParamsHelper concern from the base controller
 <% end -%>
-  permitted_params <%= permitted_param_names.map { |attribute| ":#{attribute}" }.join(', ') %>
+  permitted_params <%= permitted_param_names.map { |param| 
+    # If param already contains colon (JSON field syntax), use as-is
+    # Otherwise add colon prefix for regular fields
+    if param.to_s.include?(':')
+      param  # Already formatted as "field: {}" for JSON fields
+    else
+      ":#{param}"  # Add colon prefix for regular fields
+    end
+  }.join(', ') %>
 
 <% if options[:with_comments] -%>
   # Connect facets to actions - customize as needed for your <%= class_name.downcase %> model
@@ -82,4 +95,17 @@ class <%= controller_class_name_with_namespace %>Controller < <%= api_controller
   # end
 
 <% end -%>
+<% if class_name == 'Organization' -%>
+
+  private
+
+  def block_organization_creation
+    render json: { 
+      error: 'Organizations cannot be created through API',
+      message: 'Use the /signup endpoint to create new organizations',
+      code: 'ORGANIZATION_CREATION_BLOCKED',
+      hint: 'Organizations are created during user signup process for security'
+    }, status: :forbidden
+  end
+<% end -%>
 end

data/lib/generators/propel_api/templates/scaffold/facet_model_template.rb.tt

@@ -46,9 +46,10 @@ class <%= class_name %> < ApplicationRecord
 
 # Associations
 <% unless options[:skip_tenancy] -%>
-  # Multi-tenancy: Always include organization (required) and agency (optional)
+  # Multi-tenancy: Always include organization and agency for data isolation
+  # User/Agent associations are only added when explicitly specified as generator arguments
   belongs_to :organization
-  belongs_to :agency, optional: true
+  belongs_to :agency
   
 <% end -%>
 <% if defined?(relationship_inferrer) && relationship_inferrer.should_generate_associations? -%>
@@ -65,7 +66,7 @@ class <%= class_name %> < ApplicationRecord
 <% if attribute.name == 'organization' -%>
   belongs_to :organization
 <% else -%>
-  belongs_to :<%= attribute.name %>, optional: true
+  belongs_to :<%= attribute.name %>  # Add 'optional: true' if this should be optional
 <% end -%>
 <% end -%>
 <% end -%>
@@ -90,9 +91,9 @@ json_facet :short, fields: [:id<%
   short_attributes = attributes.select do |attr|
     # Include common identifying fields
     identifying_fields = %w[name title label slug username email status state active published visible enabled]
-    # Include simple types but exclude large content and timestamps
+    # Include simple types but exclude large content, JSON, and timestamps
     simple_types = [:string, :integer, :boolean, :decimal, :float]
-    # Exclude large content fields, timestamps, and security-sensitive fields
+    # Exclude large content fields, JSON/JSONB, timestamps, and security-sensitive fields
     excluded_patterns = /\A(description|content|body|notes|comment|bio|about|summary|created_at|updated_at|deleted_at|password|digest|token|secret|key|salt|encrypted|confirmation|unlock|reset|api_key|access_token|refresh_token)\z/i
     
     # Always exclude if the field contains security-sensitive words
@@ -119,7 +120,39 @@ json_facet :details, fields: [:id<%
     security_patterns.match?(attr.name.to_s) ||
     excluded_types.include?(attr.type)
   end
-  detail_attributes.each do |attribute| -%>, :<%= attribute.name %><% end -%><% attributes.select { |attr| attr.type == :references }.each do |reference| -%>, :<%= reference.name %><% end -%><% unless options[:skip_tenancy] -%>, :organization, :agency<% end -%>]
+  
+  # Collect all field names, avoiding duplicates
+  all_fields = Set.new
+  
+  # Add non-reference attributes
+  detail_attributes.reject { |attr| attr.type == :references }.each do |attribute|
+    all_fields << attribute.name.to_sym
+  end
+  
+  # Add reference attributes (convert association to foreign key format)
+  detail_attributes.select { |attr| attr.type == :references }.each do |reference|
+    all_fields << "#{reference.name}_id".to_sym
+  end
+  
+  # Add tenancy references if not skipped
+  unless options[:skip_tenancy]
+    all_fields << :organization_id
+    all_fields << :agency_id
+  end
+  
+  # Output the unique fields
+  all_fields.to_a.sort.each do |field| -%>, :<%= field %><% end -%>]<%
+  
+  # Generate include for nested objects (reference associations)
+  reference_associations = detail_attributes.select { |attr| attr.type == :references }.map(&:name)
+  unless options[:skip_tenancy]
+    reference_associations += %w[organization agency]
+  end
+  reference_associations.uniq!
+  
+  if reference_associations.any?
+    -%>, include: [<% reference_associations.each_with_index do |assoc, index| -%>:<%= assoc %><%= ',' if index < reference_associations.length - 1 %><% end -%>]<%
+  end -%>
 
 # Example of more complex json_facet configurations:
 #

data/lib/generators/propel_api/templates/seeds/seeds_template.rb.tt

@@ -107,14 +107,23 @@ if users.count < 6
     next if users.where(organization: org).count >= 2
     
     (2 - users.where(organization: org).count).times do
-      User.create!(
+      new_user = User.create!(
         email_address: Faker::Internet.unique.email,
         username: Faker::Internet.unique.username,
         first_name: Faker::Name.first_name,
         last_name: Faker::Name.last_name,
         password: "password123",
-        organization: org
+        organization: org,
+        confirmed_at: 1.week.ago  # Pre-confirm for easier testing
       )
+      
+      # Create agent association for agency access (CRITICAL for tenancy validation)
+      org_agencies = agencies.where(organization: org)
+      if org_agencies.any?
+        # Assign to random agency within organization
+        agency = org_agencies.sample
+        Agent.create!(user: new_user, agency: agency, role: 'member')
+      end
     end
   end
 <% else -%>