propel_api 0.2.1 → 0.3.1

data/lib/generators/propel_api/resource/resource_generator.rb

@@ -4,45 +4,77 @@ require_relative '../core/named_base'
 module PropelApi
   class ResourceGenerator < PropelApi::NamedBase
     source_root File.expand_path("../templates", __dir__)
+
   
   desc <<~DESC
     Generate a complete API resource with model, migration, controller, and routes
     
-    ASSOCIATION EXAMPLES:
+    BASIC USAGE:
+      rails generate propel_api:resource Product name:string price:decimal
+      → Creates model, migration, controller, routes, tests, and fixtures
+      → Requires confirmation if multi-tenancy attributes are missing
     
-    Standard belongs_to/has_many (automatic):
-      rails generate propel_api Article title:string user:references category:references
-      → Article belongs_to :user, :category
-      → User/Category has_many :articles, dependent: :destroy
+    MULTI-TENANT RESOURCES (RECOMMENDED):
+      rails generate propel_api:resource Product name:string organization:references agency:references
+      → Includes multi-tenancy associations for proper data isolation
+      → organization:references (required) - isolates data by organization
+      → agency:references (optional) - sub-organization grouping
     
-         Polymorphic associations:
-       rails generate propel_api Comment content:text commentable:references
-       → Comment belongs_to :commentable, polymorphic: true
-       
-       rails generate propel_api Attachment name:string resource_parent:references  
-       → Attachment belongs_to :resource, polymorphic: true
+    POLYMORPHIC ASSOCIATIONS:
+      rails generate propel_api:resource Comment content:text commentable:polymorphic
+      → Comment belongs_to :commentable, polymorphic: true
+      → Auto-discovers available parent models for fixtures/seeds
+      → No quotes needed! (also supports commentable:references:polymorphic)
+      
+      rails generate propel_api:resource Comment content:text commentable:polymorphic --parents commentable:Post,Photo,Video
+      → Generates fixtures and seeds with specified polymorphic parent types
+      → Ensures realistic test data and development seeds
+      
+      LEGACY SYNTAX (still supported):
+      rails generate propel_api:resource Comment content:text "commentable:references{polymorphic}"
     
-         
+    SKIP CONFIRMATIONS:
+      rails generate propel_api:resource Tag name:string --skip-tenancy
+      → No confirmation prompts about missing multi-tenancy attributes
     
-    Skip associations entirely:
-      rails generate propel_api Article title:string user:references --skip-associations
+    SKIP ASSOCIATIONS:
+      rails generate propel_api:resource Article title:string user:references --skip-associations
       → No associations generated (manual setup required)
   DESC
   
   argument :attributes, type: :array, default: [], banner: "field:type field:type"
   
+  def initialize(args = [], local_options = {}, config = {})
+    # Process attributes to handle our custom polymorphic syntax
+    processed_args = args.dup
+    if processed_args.length > 1
+      # Convert user-friendly polymorphic syntax to Rails format
+      processed_args[1..-1] = processed_args[1..-1].map do |attr|
+        convert_polymorphic_syntax(attr)
+      end
+    end
+    
+    super(processed_args, local_options, config)
+  end
+  
   class_option :skip_associations,
                type: :boolean,
                desc: "Skip automatic association generation"
                
   class_option :skip_tenancy,
                type: :boolean,
-               desc: "Skip multi-tenancy foundation (organization and agency)"
+               default: false,
+               desc: "Skip warnings about missing multi-tenancy attributes (organization/agency)"
                
   class_option :with_comments,
                type: :boolean,
                default: false,
                desc: "Include usage comments in generated controller"
+               
+  class_option :parents,
+               type: :hash,
+               default: {},
+               desc: "Specify parent types for polymorphic associations (e.g., --parents commentable:Post,Photo,Video)"
 
   def create_migration
     initialize_propel_api_settings
@@ -90,7 +122,20 @@ module PropelApi
         say "No migration file found for #{table_name}", :yellow
       end
     else
-      generate :migration, "create_#{table_name}", *migration_attributes
+      # Check for tenancy and warn if missing (unless warnings are disabled)
+      check_tenancy_attributes_and_warn unless options[:skip_tenancy]
+      
+      # Build migration arguments from processed attributes
+      # This ensures our custom polymorphic syntax is converted to Rails format
+      migration_args = attributes.map do |attr|
+        if attr.type == :references && attr.respond_to?(:polymorphic?) && attr.polymorphic?
+          "#{attr.name}:references{polymorphic}"
+        else
+          "#{attr.name}:#{attr.type}"
+        end
+      end
+      
+      generate :migration, "create_#{table_name}", *migration_args
       # Post-process migration to make non-organization references nullable
       update_migration_constraints
     end
@@ -256,6 +301,98 @@ module PropelApi
     @relationship_inferrer
   end
 
+  def check_tenancy_attributes_and_warn
+    # Check configuration first - this enforces organizational standards
+    return unless should_check_tenancy_by_config?
+    
+    # Analyze what's missing based on configuration
+    missing_attributes = analyze_missing_tenancy_attributes
+    
+    # Only proceed if there are missing attributes
+    return if missing_attributes.empty?
+    
+    # Show warning about missing tenancy attributes
+    say "\n" + "="*80, :yellow
+    say "⚠️  MULTI-TENANCY CONFIRMATION REQUIRED", :yellow
+    say "="*80, :yellow
+    
+    # Show what's missing based on configuration
+    say "\n📋 This resource is missing required tenancy attributes:", :red
+    missing_attributes.each do |attr|
+      say "   • #{attr}:references (required by system policy)", :red
+    end
+    
+    # Show recommended command with missing attributes
+    missing_attrs = missing_attributes.map { |attr| "#{attr}:references" }.join(' ')
+    say "\n💡 Recommended command:", :green
+    say "   rails g propel_api:resource #{class_name} #{formatted_attributes} #{missing_attrs}", :green
+    
+    say "\n" + "="*80, :yellow
+    
+    # Require confirmation to proceed without tenancy
+    unless yes?("\n🚨 Do you want to continue WITHOUT required tenancy attributes? (y/N)")
+      say "\n✋ Generation cancelled. Please add the required tenancy attributes.", :red
+      say "💡 To skip this confirmation in the future: --skip-tenancy", :blue
+      exit 1
+    end
+    
+    say "\n🚨 Proceeding without required tenancy! This may violate system policies.", :yellow
+    
+    say ""
+  end
+
+  def should_check_tenancy_by_config?
+    # First check: Is tenancy enforcement enabled in configuration?
+    return false unless PropelApi.configuration.enforce_tenancy
+    
+    # Second check: Should this specific model be checked?
+    return should_have_tenancy_by_heuristics?
+  end
+  
+  def should_have_tenancy_by_heuristics?
+    # Skip tenancy warnings for certain model types that typically don't need it
+    # This provides a fallback when configuration doesn't specify exceptions
+    skip_tenancy_models = %w[
+      Organization Agency User
+    ]
+    
+    # Skip if this is one of the models that doesn't typically need tenancy
+    return false if skip_tenancy_models.include?(class_name)
+    
+    # Skip if this looks like a join table or through table
+    return false if table_name.include?('_') && table_name.split('_').length == 2
+    
+    # Skip if this is clearly a polymorphic join (like comments, attachments, etc.)
+    polymorphic_attributes = attributes.select { |attr| attr.respond_to?(:polymorphic?) && attr.polymorphic? }
+    return false if polymorphic_attributes.any? && attributes.length <= 3
+    
+    # Otherwise, assume it needs tenancy
+    true
+  end
+  
+  def analyze_missing_tenancy_attributes
+    # Get configured required tenancy attributes
+    required_attrs = PropelApi.configuration.required_tenancy_attributes || []
+    
+    # Check which attributes are present in the generator arguments
+    present_attrs = attributes.select { |attr| attr.type == :references }.map { |attr| attr.name.to_sym }
+    
+    # Find missing required attributes
+    missing_attrs = required_attrs - present_attrs
+    
+    missing_attrs
+  end
+
+  def formatted_attributes
+    attributes.map { |attr| 
+      if attr.type == :references && attr.respond_to?(:polymorphic?) && attr.polymorphic?
+        "\"#{attr.name}:references{polymorphic}\""
+      else
+        "#{attr.name}:#{attr.type}"
+      end
+    }.join(' ')
+  end
+
   def apply_inverse_relationships
     return unless @relationship_inferrer.should_generate_associations?
     return if behavior == :revoke
@@ -358,55 +495,17 @@ module PropelApi
     file_name.pluralize
   end
 
-  def migration_attributes
-    # Always include organization (required) and agency (optional) for multi-tenancy
-    # unless --skip-tenancy flag is used
-    if options[:skip_tenancy]
-      # Only include what the developer explicitly specified
-      attributes.map { |attr| "#{attr.name}:#{attr.type}" }
-    else
-      # Include multi-tenancy foundation by default
-      standard_attributes = ["organization:references", "agency:references"]
-      
-      # Add user-specified attributes, but skip organization and agency if they're already specified
-      user_attributes = attributes.map { |attr| "#{attr.name}:#{attr.type}" }
-      user_attributes.reject! { |attr| attr.start_with?("organization:") || attr.start_with?("agency:") }
-      
-      # Combine standard and user attributes
-      standard_attributes + user_attributes
-    end
-  end
 
   def permitted_param_names
-    if options[:skip_tenancy]
-      # Only include what the developer explicitly specified
-      attributes.map do |attr|
-        # Convert references to foreign key names for permitted params
-        # e.g., organization:references becomes organization_id
-        if attr.type == :references
-          "#{attr.name}_id"
-        else
-          attr.name
-        end
-      end
-    else
-      # Always include organization_id (required) and agency_id (optional) for multi-tenancy
-      standard_params = ["organization_id", "agency_id"]
-      
-      # Add user-specified attributes, but skip organization and agency if they're already specified
-      user_params = attributes.map do |attr|
-        # Convert references to foreign key names for permitted params
-        # e.g., organization:references becomes organization_id
-        if attr.type == :references
-          "#{attr.name}_id"
-        else
-          attr.name
-        end
+    # Include exactly what the developer specified
+    attributes.map do |attr|
+      # Convert references to foreign key names for permitted params
+      # e.g., organization:references becomes organization_id
+      if attr.type == :references
+        "#{attr.name}_id"
+      else
+        attr.name
       end
-      user_params.reject! { |param| param == "organization_id" || param == "agency_id" }
-      
-      # Combine standard and user params
-      standard_params + user_params
     end
   end
 
@@ -488,8 +587,12 @@ module PropelApi
     content = File.read(migration_file)
     
     # Update references to be nullable except for organization
+    # BUT preserve polymorphic references as-is (they should have polymorphic: true, not foreign_key: true)
     # organization:references should remain: null: false, foreign_key: true
-    # All other references should become: null: true, foreign_key: true
+    # All other non-polymorphic references should become: null: true, foreign_key: true
+    # Polymorphic references should remain: null: true/false, polymorphic: true
+    
+    # First pass: Handle regular references (with foreign_key: true)
     updated_content = content.gsub(/t\.references :(\w+), null: false, foreign_key: true/) do |match|
       reference_name = $1
       if reference_name == 'organization'
@@ -499,6 +602,18 @@ module PropelApi
       end
     end
     
+    # Second pass: Ensure polymorphic references stay polymorphic (don't change polymorphic: true lines)
+    # This is a safety check - Rails should generate polymorphic: true correctly,
+    # but if somehow foreign_key: true got generated for polymorphic fields, fix it
+    polymorphic_attrs = attributes.select { |attr| attr.type == :references && attr.respond_to?(:polymorphic?) && attr.polymorphic? }
+    polymorphic_attrs.each do |attr|
+      # If we find a polymorphic attribute that somehow got foreign_key: true, fix it
+      polymorphic_with_fk_pattern = /t\.references :#{attr.name}, null: (true|false), foreign_key: true/
+      if updated_content.match?(polymorphic_with_fk_pattern)
+        updated_content = updated_content.gsub(polymorphic_with_fk_pattern, "t.references :#{attr.name}, null: true, polymorphic: true")
+      end
+    end
+    
     # Write the updated migration back to file
     File.write(migration_file, updated_content)
   end
@@ -530,5 +645,32 @@ module PropelApi
     # 2. Newer migrations exist but none have been executed
     true
   end
+
+  private
+
+  # Convert user-friendly polymorphic syntax to Rails' expected format
+  def convert_polymorphic_syntax(attr_string)
+    # Handle different polymorphic syntaxes:
+    # commentable:polymorphic -> commentable:references{polymorphic}
+    # commentable:references:polymorphic -> commentable:references{polymorphic}
+    # commentable:references{polymorphic} -> commentable:references{polymorphic} (unchanged)
+    
+    return attr_string unless attr_string.include?(':')
+    
+    parts = attr_string.split(':')
+    field_name = parts[0]
+    
+    # Check for our new polymorphic syntaxes
+    if parts.length == 2 && parts[1] == 'polymorphic'
+      # commentable:polymorphic -> commentable:references{polymorphic}
+      return "#{field_name}:references{polymorphic}"
+    elsif parts.length == 3 && parts[1] == 'references' && parts[2] == 'polymorphic'
+      # commentable:references:polymorphic -> commentable:references{polymorphic}
+      return "#{field_name}:references{polymorphic}"
+    else
+      # Leave unchanged (regular attributes or legacy {polymorphic} syntax)
+      return attr_string
+    end
+  end
   end
 end

data/lib/generators/propel_api/templates/config/propel_api.rb.tt

@@ -6,7 +6,7 @@
 
 module PropelApi
   class Configuration
-    attr_accessor :adapter, :namespace, :version
+    attr_accessor :adapter, :namespace, :version, :enforce_tenancy, :required_tenancy_attributes
     attr_reader :attribute_filter
     
     def initialize
@@ -15,6 +15,10 @@ module PropelApi
       @namespace = 'api'         # Default API namespace
       @version = 'v1'           # Default API version
       
+      # Multi-tenancy configuration - simple boolean
+      @enforce_tenancy = true   # true = enforce tenancy (default), false = no checking
+      @required_tenancy_attributes = [:organization, :agency]  # Required when enforce_tenancy is true
+      
       # Initialize the configurable attribute filter
       @attribute_filter = PropelApi::AttributeFilter.new
     end
@@ -132,6 +136,27 @@ PropelApi.configure do |config|
   # API version: 'v1', 'v2', etc. or nil for no versioning
   config.version = <%= @api_version ? "'#{@api_version}'" : 'nil' %>
   
+  # Multi-tenancy enforcement configuration
+  # Simple boolean: enforce tenancy requirements or not
+  config.enforce_tenancy = true  # Default: enforce tenancy (require confirmation if missing)
+  
+  # Define which tenancy attributes are required for your system
+  config.required_tenancy_attributes = [:organization, :agency]  # Both required by default
+  
+  # Examples of different tenancy configurations:
+  #
+  # Organization-only tenancy:
+  # config.required_tenancy_attributes = [:organization]
+  #
+  # Agency-only tenancy:  
+  # config.required_tenancy_attributes = [:agency]
+  #
+  # Extended enterprise multi-tenancy:
+  # config.required_tenancy_attributes = [:organization, :agency, :department]
+  #
+  # Single-tenant application (no tenancy checking):
+  # config.enforce_tenancy = false
+  
   # Customize attribute filtering for your project's naming conventions
   # Examples:
   # 

data/lib/generators/propel_api/templates/controllers/api_base_controller.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+##
+# Base controller for API endpoints ONLY
+# 
+# ⚠️  SECURITY WARNING: This controller disables CSRF protection!
+# ⚠️  ONLY use this for stateless JSON API endpoints with JWT authentication
+# ⚠️  DO NOT use this for web controllers that serve HTML or handle sessions
+# 
+# For web controllers, inherit from ApplicationController instead.
+#
+class Api::BaseController < ActionController::Base
+  # Set up and then skip CSRF protection for API endpoints (they use JWT tokens instead)
+  protect_from_forgery with: :null_session
+  skip_before_action :verify_authenticity_token
+  
+  # Disable session handling for API requests (stateless)
+  before_action :disable_session
+  before_action :ensure_json_request, if: -> { Rails.env.production? }
+  
+  # Handle common API errors
+  rescue_from ActiveRecord::RecordNotFound, with: :record_not_found
+  rescue_from ActionController::ParameterMissing, with: :parameter_missing
+  rescue_from ActiveRecord::RecordInvalid, with: :record_invalid
+  
+  private
+  
+  def disable_session
+    request.session_options[:skip] = true
+  end
+  
+  def ensure_json_request
+    unless request.format.json? || request.content_type&.include?('application/json')
+      Rails.logger.warn "Non-JSON request to API controller: #{controller_name}##{action_name}"
+      render json: { 
+        error: 'Invalid request format',
+        message: 'This endpoint only accepts JSON requests'
+      }, status: :not_acceptable
+    end
+  end
+  
+  def record_not_found(exception)
+    Rails.logger.error "API Record not found: #{exception.message}"
+    render json: { 
+      error: 'Record not found',
+      message: 'The requested resource could not be found'
+    }, status: :not_found
+  end
+  
+  def parameter_missing(exception)
+    Rails.logger.error "API Parameter missing: #{exception.message}"
+    render json: { 
+      error: 'Missing required parameters',
+      message: 'Required parameters are missing from the request'
+    }, status: :bad_request
+  end
+  
+  def record_invalid(exception)
+    Rails.logger.error "API Record invalid: #{exception.record.errors.full_messages}"
+    
+    # In development, show full validation errors for debugging
+    # In production, show generic message to prevent information disclosure
+    errors = if Rails.env.development?
+      exception.record.errors.full_messages
+    else
+      ['Validation failed - please check your input']
+    end
+    
+    render json: { 
+      error: 'Validation failed',
+      errors: errors
+    }, status: :unprocessable_content
+  end
+end
+

data/lib/generators/propel_api/templates/controllers/api_controller_graphiti.rb

@@ -1,4 +1,4 @@
-class <%= api_controller_class_name %> < ApplicationController
+class <%= api_controller_class_name %> < Api::BaseController
   include Graphiti::Rails
   include Graphiti::Responders
   include PropelAuthenticationConcern
@@ -41,7 +41,7 @@ class <%= api_controller_class_name %> < ApplicationController
     if resource_instance.save
       respond_with(resource_instance, status: :created)
     else
-      respond_with(resource_instance.errors, status: :unprocessable_entity)
+      respond_with(resource_instance.errors, status: :unprocessable_content)
     end
   end
 
@@ -54,7 +54,7 @@ class <%= api_controller_class_name %> < ApplicationController
     if resource_instance.update_attributes
       respond_with(resource_instance)
     else
-      respond_with(resource_instance.errors, status: :unprocessable_entity)
+      respond_with(resource_instance.errors, status: :unprocessable_content)
     end
   end
 

data/lib/generators/propel_api/templates/controllers/api_controller_propel_facets.rb

@@ -1,4 +1,4 @@
-class <%= api_controller_class_name %> < ApplicationController
+class <%= api_controller_class_name %> < Api::BaseController
   include HasScope
   include Pagy::Backend
   include FacetRenderer
@@ -40,7 +40,7 @@ class <%= api_controller_class_name %> < ApplicationController
     if @resource.save
       render json: { data: resource_json(@resource) }, status: :created
     else
-      render json: { errors: @resource.errors }, status: :unprocessable_entity
+      render json: { errors: @resource.errors }, status: :unprocessable_content
     end
   end
 
@@ -48,7 +48,7 @@ class <%= api_controller_class_name %> < ApplicationController
     if @resource.update(resource_params)
       render json: { data: resource_json(@resource) }
     else
-      render json: { errors: @resource.errors }, status: :unprocessable_entity
+      render json: { errors: @resource.errors }, status: :unprocessable_content
     end
   end
 
@@ -73,6 +73,9 @@ class <%= api_controller_class_name %> < ApplicationController
 
     # Organization scoping method with support for self-signup
   def for_organization(model_class)
+    # Skip tenancy if controller explicitly opts out
+    return model_class if respond_to?(:skip_tenancy?) && skip_tenancy?
+    
     return render_organization_context_error unless current_organization_id
 
     # Special case: Organization model should only show user's own organization
@@ -80,6 +83,9 @@ class <%= api_controller_class_name %> < ApplicationController
       return model_class.where(id: current_organization_id)
     end
     
+    # Skip if model doesn't have organization_id column
+    return model_class unless model_class.column_names.include?('organization_id')
+    
     # Start with organization scoping
     scoped_query = model_class.for_organization(current_organization_id)
     
@@ -89,7 +95,10 @@ class <%= api_controller_class_name %> < ApplicationController
 
   # Build parameters for resource creation with security-first flow
   def build_creation_params
-    return {} unless validate_organization_context
+    # Skip organization validation if controller opts out or model doesn't have organization_id
+    unless (respond_to?(:skip_tenancy?) && skip_tenancy?) || !resource_class.column_names.include?('organization_id')
+      return {} unless validate_organization_context
+    end
     
     params = resource_params
     
@@ -141,7 +150,8 @@ class <%= api_controller_class_name %> < ApplicationController
   # FIRST: Security validation of any provided tenancy context (fail-fast)
   def validate_provided_tenancy_context(params)
     # If organization_id is provided, verify user has access to it
-    if params[:organization_id].present?
+    # Only validate if model actually has organization_id column
+    if params[:organization_id].present? && resource_class.column_names.include?('organization_id')
       unless params[:organization_id].to_i == current_organization_id
         render json: { 
           error: 'Unauthorized organization access',
@@ -185,7 +195,8 @@ class <%= api_controller_class_name %> < ApplicationController
     # Auto-assign organization_id if missing and not required to be explicit
     if params[:organization_id].blank? && !require_organization_id?
       # Special case: Organization model doesn't get organization_id assigned
-      unless resource_class == Organization
+      # Only assign if model has organization_id column
+      if resource_class != Organization && resource_class.column_names.include?('organization_id')
         params[:organization_id] = current_organization_id
       end
     end
@@ -201,13 +212,11 @@ class <%= api_controller_class_name %> < ApplicationController
     params
   end
 
-
-
   # Check if agency tenancy is enabled
   def agency_tenancy_enabled?
     # Check PropelAuthentication configuration (owns tenancy models)
     if defined?(PropelAuthentication) && PropelAuthentication.respond_to?(:configuration)
-      PropelAuthentication.configuration.agency_tenancy
+      PropelAuthentication.configuration.agency_required?
     else
       true  # Safe default - enables agency tenancy when configuration unavailable
     end
@@ -238,7 +247,8 @@ class <%= api_controller_class_name %> < ApplicationController
     errors = {}
     
     # Validate organization_id is present (after security check and auto-assignment)
-    if params[:organization_id].blank?
+    # Only validate if model actually has organization_id column
+    if resource_class.column_names.include?('organization_id') && params[:organization_id].blank?
       if require_organization_id?
         errors[:organization_id] = ["is required - set require_organization_id = false to enable auto-assignment"]
       else
@@ -262,7 +272,7 @@ class <%= api_controller_class_name %> < ApplicationController
     
     # Return validation errors if any
     if errors.any?
-      render json: { errors: errors }, status: :unprocessable_entity
+      render json: { errors: errors }, status: :unprocessable_content
       return {}
     end
     
@@ -281,7 +291,7 @@ class <%= api_controller_class_name %> < ApplicationController
   def pagy_metadata(pagy)
     {
       current_page: pagy.page,
-      per_page: pagy.items,
+      per_page: pagy.limit,
       total_pages: pagy.pages,
       total_count: pagy.count,
       next_page: pagy.next,

data/lib/generators/propel_api/templates/controllers/example_controller.rb.tt

@@ -42,7 +42,7 @@ module Api
     #   if @resource.save
     #     render json: { data: resource_json(@resource) }, status: :created
     #   else
-    #     render json: { errors: @resource.errors }, status: :unprocessable_entity
+    #     render json: { errors: @resource.errors }, status: :unprocessable_content
     #   end
     # end
   end
@@ -82,7 +82,7 @@ module Api
     #   if resource_instance.save
     #     respond_with(resource_instance, status: :created)
     #   else
-    #     respond_with(resource_instance.errors, status: :unprocessable_entity)
+    #     respond_with(resource_instance.errors, status: :unprocessable_content)
     #   end
     # end
   end

data/lib/generators/propel_api/templates/errors/propel_api_csrf_error.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+##
+# PropelAPI CSRF Error Handler
+# Provides helpful guidance when developers send JSON requests to web controllers
+#
+class PropelApiCsrfError < StandardError
+  def self.handle_csrf_error_for_json(controller)
+    # Log security event for monitoring
+    Rails.logger.warn "CSRF bypass attempted on #{controller.controller_name}##{controller.action_name} from #{controller.request.remote_ip}"
+    
+    controller.render json: {
+      error: "CSRF token verification failed",
+      message: "This endpoint requires CSRF protection and is intended for web browser requests.",
+      hint: "For API requests, use the Propel-generated API controllers instead.",
+      note: "API controllers are CSRF-free and use JWT authentication."
+    }, status: :unprocessable_content
+  end
+end