propel_api 0.2.0 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +8 -37
- data/lib/propel_api.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8fb51b38b12561c709712a339a39cf3639cd1e8a16149f72c00f1566ee37bdcf
+data.tar.gz: a90352463962e6385b895cf339195b6860f0d5e98ccf1c4e6e3237957f6895cf
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: a2d01e1bcc8f7a749e8de4101d6f7be9dc5c4a7b2b0f2b7d5dc78e630dbba0102cedee82ff957cd210bde487a66c0b936a546b50c75f38e45db84dabcc74e6d0
+data.tar.gz: 94dad0a33d4fd5af9327d42b21faa0a69bcdd7a018d914293db3643e68496b4b4f979d99cb14f8683b0df3040f6f15b55b6c4ff47c72015da9eaf6d336d5fb83
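Review bot: the removed `metadata.gz:` and `data.tar.gz:` lines under both `SHA256:` and `SHA512:` carry no digest in this rendering, so the hunk records the new 0.2.1 checksums but not what 0.2.0's were; anyone auditing this bump should read checksums.yaml out of the 0.2.0 .gem directly rather than rely on this diff to confirm the old values. A checksums.yaml rewrite is expected here, since the file summary shows data/CHANGELOG.md and data/lib/propel_api.rb both changed, but the comparison against the previous digests has to be done outside this page.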
data/CHANGELOG.md
CHANGED
@@ -10,19 +10,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Planned Features
 - GraphQL adapter support
 
-## [0.2.
+## [0.2.1] - 2025-01-14
+
+### Fixed
+- **Dependency update**: Improved compatibility with PropelFacets 0.2.1
+- API controllers now work correctly with fixed `for_organization` scope installation
+- Resolves `NoMethodError` when using generated controllers in fresh Rails installations
 
-
-- **Security-first API architecture**: Complete redesign of tenancy validation flow
-- Invalid tenancy context (organization_id, agency_id) now returns 403 Forbidden instead of 422 Unprocessable Entity
-- Security validation occurs before business validation (prevents information disclosure)
-- Error response structure changed from `{"errors": {...}}` to `{"error": "...", "message": "...", "code": "..."}`
-- **Controller generation format**: Generated controllers now use foreign key format in permitted_params
-- `permitted_params :organization` → `permitted_params :organization_id`
-- Ensures proper strong parameter filtering for security validation
-- **Configuration dependency**: `agency_tenancy` configuration moved to PropelAuthentication
-- Remove `PropelApi.configuration.agency_tenancy` from config files
-- Agency tenancy now controlled entirely by PropelAuthentication
+## [0.2.0] - 2025-09-02
 
 ### Added
 - **Organization-level multi-tenancy security** - Complete data isolation between organizations
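Review bot: this hunk deletes, rather than corrects, the 0.2.0 entries that describe security-relevant behaviour (403 Forbidden instead of 422 for an invalid tenancy context, security validation ordered before business validation, the error body changing from `{"errors": {...}}` to `{"error": "...", "message": "...", "code": "..."}`, and `permitted_params :organization_id`), and the new 0.2.1 section does not say whether those behaviours still hold. Entries for an already-released version should stay as the record; if any of them were wrong or were reverted, that belongs under 0.2.1 as a Changed or Removed item so consumers matching on the status code or error shape know what to expect. The `2025-01-14` date on the 0.2.1 heading also precedes the `2025-09-02` date on the 0.2.0 heading added a few lines below; one of the two looks wrong.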
@@ -31,19 +26,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `for_organization(org_id)` scope added to ApplicationRecord base class
 - Cross-organization data access completely blocked (show, update, delete return 404)
 - New records automatically assigned to authenticated user's organization
-- Comprehensive security test suite covering all attack vectors
+- Comprehensive security test suite with 12 tests covering all attack vectors
 - Zero impact on existing single-tenant applications
-- **Configurable auto-assignment**: Integration with PropelAuthentication tenancy configuration
-- Respects `require_organization_id` and `require_user_id` settings from PropelAuthentication
-- Helper methods: `require_organization_id?`, `require_user_id?` for configuration access
-- **Enhanced security validation**: Comprehensive unauthorized access protection
-- Organization access validation with detailed error codes
-- User assignment validation for admin delegation scenarios
-- Agency access validation with proper user permission checking
-- **Conditional test generation**: Tests now adapt behavior based on PropelAuthentication configuration
-- Auto-assignment mode: Tests expect 201 Created with proper context assignment
-- Strict mode: Tests expect 422 Unprocessable Entity when required fields missing
-- Security tests: Tests expect 403 Forbidden for unauthorized access attempts
 
 ### Fixed
 - **Authentication namespace conflict resolved** - Renamed authentication concern to prevent module name collision
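Review bot: `with 12 tests covering all attack vectors` (new line 29) adds a count but still asserts a completeness that no test count can establish; say what the 12 tests exercise (cross-organization show/update/delete returning 404, assignment of new records to the authenticated user's organization) and drop `all`. The hunk also removes the only mention of the `require_organization_id?` and `require_user_id?` helpers and of the `require_organization_id`/`require_user_id` settings, together with the 201/422/403 expectations of the conditional tests; if those helpers and behaviours still exist in 0.2.1 they now have no changelog record, and if they were removed that is a breaking change the 0.2.1 section should state.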
@@ -53,14 +37,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Updated PropelFacets and Graphiti API controller templates
 - Improved method visibility: `authenticate_user`, `current_user`, and `extract_jwt_token` are now public methods
 - Enhanced flexibility for custom authentication scenarios (email notifications, audit logging, token refresh)
-- **Attribute introspection**: Fixed foreign key detection for User and other models with associations
-- Database column introspection now properly generates foreign key format for permitted_params
-- Association detection preserved for model relationship generation
-- JSON field handling improved with proper `field: {}` syntax for nested objects
-- **Test data generation**: Enhanced User model test data generation
-- Unique email and username generation to prevent fixture conflicts
-- Proper field names for User model tests (email_address, username, password vs generic title)
-- Model-specific test data patterns for comprehensive validation coverage
 
 ### Security
 - **Multi-tenant data isolation** - Zero-trust organization scoping prevents data leaks
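Review bot: dropping the `**Attribute introspection**` and `**Test data generation**` items removes the only description of how generated `permitted_params` handle foreign keys and nested JSON (`field: {}`), which is exactly the part of generator output a reviewer checks when confirming that strong parameters filter tenancy columns; the hunk offers no replacement wording. Either keep the items in the 0.2.0 section or move them to whichever section still describes current behaviour.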
@@ -71,17 +47,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Database-level enforcement via ActiveRecord scopes
 
 ### Improved
-- **Multi-step security validation**: Three-phase validation for robust security
-1. Security validation (403 for unauthorized access)
-2. Auto-assignment (based on configuration)
-3. Final validation (422 for missing required fields)
 - **Authentication concern API design** - Better method organization and access patterns
 - `authenticate_user` - Public method for `before_action` callbacks
 - `current_user` - Public method for accessing authenticated user
 - `current_organization_id` - Public method for accessing organization context
 - `extract_jwt_token` - Public method for custom authentication scenarios
 - Clean separation between public API and internal implementation
-- **Template reliability**: Attribute detection using generator attributes instead of database queries during generation
 
 ## [0.1.4] - 2025-08-15
 
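Review bot: the deleted three-phase list (security validation returning 403, then auto-assignment, then final validation returning 422) was the only statement of the ordering that stops a failed tenancy check from leaking field-level validation detail to an unauthorized caller; the retained `Database-level enforcement via ActiveRecord scopes` line at the top of this hunk still promises isolation but no longer says that the 403 check runs first. If the ordering is unchanged in 0.2.1, keep the list; if it changed, that is a behaviour change that needs its own 0.2.1 entry. The `**Template reliability**` item (attribute detection from generator attributes instead of database queries) is likewise removed without any note of what replaced it.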
data/lib/propel_api.rb
CHANGED