propel_api 0.3.1.6 → 0.3.3

data/lib/generators/propel_api/install/install_generator.rb

@@ -37,6 +37,9 @@ module PropelApi
         
         # Optionally enhance CSRF error messages (non-breaking)
         add_csrf_error_handling
+        
+        # Add dynamic filtering capabilities to ApplicationRecord
+        add_model_filters_concern
       end
       
       case @adapter
@@ -113,6 +116,28 @@ module PropelApi
 
     private
 
+    def copy_propel_facets_concerns
+      if behavior == :revoke
+        # Remove concerns
+        remove_file "app/controllers/concerns/propel_controller_filters_concern.rb"
+        remove_file "app/models/concerns/propel_model_filters_concern.rb" 
+        remove_file "lib/propel_filter_operators.rb"
+        remove_file "lib/propel_dynamic_scope_generator.rb"
+        say "🗑️  Removed PropelApi filtering concerns", :red
+      else
+        # Copy concerns to host app using XX-prefixed source files
+        copy_file "concerns/propel_controller_filters_concern.rb", "app/controllers/concerns/propel_controller_filters_concern.rb"
+        copy_file "concerns/propel_model_filters_concern.rb", "app/models/concerns/propel_model_filters_concern.rb"
+        copy_file "lib/propel_filter_operators.rb", "lib/propel_filter_operators.rb"
+        copy_file "lib/propel_dynamic_scope_generator.rb", "lib/propel_dynamic_scope_generator.rb"
+        say "📦 Copied PropelApi filtering concerns to app", :green
+        say "   - Controller filtering: app/controllers/concerns/propel_controller_filters_concern.rb", :blue
+        say "   - Model filtering: app/models/concerns/propel_model_filters_concern.rb", :blue  
+        say "   - Filter operators: lib/propel_filter_operators.rb", :blue
+        say "   - Dynamic scope generator: lib/propel_dynamic_scope_generator.rb", :blue
+      end
+    end
+
     def create_api_base_controller
       template "controllers/api_base_controller.rb", "app/controllers/api/base_controller.rb"
       say "Created Api::BaseController for CSRF-free API endpoints", :green
@@ -144,6 +169,18 @@ module PropelApi
       say "You can manually add the rescue_from handler if desired", :blue
     end
 
+    def add_model_filters_concern
+      # Inject PropelModelFiltersConcern into ApplicationRecord
+      inject_into_class "app/models/application_record.rb", ApplicationRecord, <<-RUBY
+  include PropelModelFiltersConcern
+      RUBY
+      
+      say "Enhanced ApplicationRecord with dynamic filtering capabilities", :green
+    rescue => e
+      say "Could not inject PropelModelFiltersConcern into ApplicationRecord: #{e.message}", :yellow
+      say "You can manually add 'include PropelModelFiltersConcern' to ApplicationRecord if desired", :blue
+    end
+
     def copy_propel_facets_controller
       template "controllers/api_controller_propel_facets.rb", api_controller_path
       copy_example_controller
@@ -256,8 +293,12 @@ module PropelApi
       say "   end", :yellow
       say "\n5. See doc/api_controller_example.rb for complete usage examples"
       say "6. Your API endpoints will be available at: #{api_route_prefix}/..."
-      say "7. Pagination and filtering are built-in via Pagy and HasScope"
-      say "\n8. Generate resources using:"
+      say "7. Pagination and secure filtering are built-in via Pagy and PropelApi filtering"
+      say "8. Filtering examples:"
+      say "   GET /api/v1/users?name_contains=john&active_eq=true&sort=-created_at", :yellow
+      say "   - Secure field validation prevents SQL injection"
+      say "   - Sensitive fields (passwords, tokens) automatically excluded", :cyan
+      say "\n9. Generate resources using:"
       say "   rails generate propel_api Resource field1:type field2:type", :yellow
     end
 

data/lib/generators/propel_api/resource/resource_generator.rb

@@ -80,47 +80,11 @@ module PropelApi
     initialize_propel_api_settings
     
     if behavior == :revoke
-      # Find the migration file
-      migration_files = Dir[File.join(destination_root, "db/migrate/*_create_#{table_name}.rb")]
+      # Check for critical dependencies before destroying
+      check_for_critical_dependencies
       
-      if migration_files.any?
-        migration_file = migration_files.first
-        migration_version = File.basename(migration_file).split('_').first
-        
-        # Check if migration was executed
-        if migration_was_executed?(migration_version)
-          say "\n" + "="*80, :red
-          say "⚠️  MIGRATION ALREADY EXECUTED!", :red
-          say "="*80, :red
-          say "\n📋 Migration #{migration_version} (create_#{table_name}) has been executed.", :yellow
-          say "\n🚨 Rails does not automatically rollback migrations for safety reasons.", :yellow
-          say "\n✅ To safely destroy this resource:", :green
-          say "   1. First rollback: rails db:rollback", :green
-          say "   2. Then destroy:   rails destroy propel_api #{class_name}", :green
-          say "\n💡 Alternative approaches:", :cyan
-          say "   • Check migration status: rails db:migrate:status"
-          say "   • Rollback specific:     rails db:migrate:down VERSION=#{migration_version}"
-          say "\n" + "="*80, :red
-          raise Thor::Error, "Please rollback the migration first, then re-run destroy command."
-        else
-          # Migration not executed, check if safe to delete
-          if safe_to_delete_migration?(migration_version)
-            say "Removing migration: #{File.basename(migration_file)}", :red
-            File.delete(migration_file)
-          else
-            say "\n" + "="*80, :yellow
-            say "⚠️  MIGRATION CLEANUP REQUIRED", :yellow
-            say "="*80, :yellow
-            say "\n📋 Found unexecuted migration: #{File.basename(migration_file)}", :cyan
-            say "\n🚨 Cannot auto-delete due to intervening migrations.", :yellow
-            say "💡 Please manually remove when safe:", :green
-            say "   rm #{migration_file}"
-            say "\n" + "="*80, :yellow
-          end
-        end
-      else
-        say "No migration file found for #{table_name}", :yellow
-      end
+      # Generate proper removal migration following Rails conventions
+      generate_removal_migration
     else
       # Check for tenancy and warn if missing (unless warnings are disabled)
       check_tenancy_attributes_and_warn unless options[:skip_tenancy]
@@ -154,32 +118,49 @@ module PropelApi
       validate_attributes_exist
     end
     
-    case @adapter
-    when 'propel_facets'
-      template "scaffold/facet_model_template.rb.tt", "app/models/#{file_name}.rb"
-    when 'graphiti'
-      template "scaffold/graphiti_model_template.rb.tt", "app/models/#{file_name}.rb"
-    else
-      raise "Unknown adapter: #{@adapter}. Run 'rails generate propel_api:install' first."
+    # Note: Relationship cleanup is now handled by the comprehensive dependency auto-fix system
+    # No need for separate inverse relationship logic here
+    
+    # Direct template call - Rails can reverse this automatically (unless skipped)!
+    unless behavior == :revoke && options[:skip_model]
+      case @adapter
+      when 'propel_facets'
+        template "scaffold/facet_model_template.rb.tt", "app/models/#{file_name}.rb"
+      when 'graphiti'
+        template "scaffold/graphiti_model_template.rb.tt", "app/models/#{file_name}.rb"
+      else
+        raise "Unknown adapter: #{@adapter}. Run 'rails generate propel_api:install' first."
+      end
     end
 
-    # Apply inverse relationships to existing parent models
-    apply_inverse_relationships
+    # Apply inverse relationships AFTER template creation
+    if behavior != :revoke
+      apply_inverse_relationships
+    end
   end
 
   def create_controller
-    # Use shared method from Base class
-    create_propel_controller
+    create_propel_controller_template
   end
 
-  def create_routes
-    # Use shared method from Base class  
+  def add_routes
     create_propel_routes
   end
 
-  def create_tests
-    # Use shared method from Base class with all test types
-    create_propel_tests(test_types: [:model, :controller, :integration, :fixtures])
+  def create_model_test
+    create_propel_model_test unless behavior == :revoke && options[:skip_tests]
+  end
+
+  def create_controller_test
+    create_propel_controller_test unless behavior == :revoke && options[:skip_tests]
+  end
+
+  def create_integration_test
+    create_propel_integration_test unless behavior == :revoke && options[:skip_tests]
+  end
+
+  def create_fixtures
+    create_propel_fixtures unless behavior == :revoke && options[:skip_tests]
   end
 
   def create_seeds
@@ -288,13 +269,20 @@ module PropelApi
       next_steps << "Customize facets in: app/models/#{file_name}.rb"
     end
     
-    show_propel_completion_message(
-      resource_type: "Resource",
-      generated_files: generated_files,
-      next_steps: next_steps
-    )
+    if behavior == :revoke
+      # Use shared destroy completion message from named_base
+      show_destroy_completion_message
+    else
+      show_propel_completion_message(
+        resource_type: "Resource",
+        generated_files: generated_files,
+        next_steps: next_steps
+      )
+    end
   end
 
+
+
   private
 
   def relationship_inferrer
@@ -419,6 +407,130 @@ module PropelApi
     end
   end
 
+  def remove_inverse_relationships
+    # Use Rails model reflection - much cleaner approach!
+    begin
+      model_class = class_name.constantize
+      
+      # Get all belongs_to associations using Rails reflection
+      belongs_to_associations = model_class.reflect_on_all_associations(:belongs_to)
+      
+      belongs_to_associations.each do |association|
+        # Skip polymorphic associations (they don't get inverse relationships)
+        next if association.polymorphic?
+        
+        parent_class_name = association.class_name
+        parent_model_file = "app/models/#{parent_class_name.underscore}.rb"
+        full_path = File.join(destination_root, parent_model_file)
+        
+        # Skip if parent model doesn't exist
+        next unless File.exist?(full_path)
+        
+        # The inverse relationship we need to remove
+        inverse_relationship = "has_many :#{table_name}, dependent: :destroy"
+        
+        begin
+          remove_specific_relationship(full_path, inverse_relationship, parent_class_name)
+        rescue => e
+          say "Warning: Could not remove relationship from #{parent_model_file}: #{e.message}", :yellow
+        end
+      end
+      
+    rescue NameError => e
+      # Fallback: Parse attributes from migration file if model class doesn't exist
+      migration_attributes = get_attributes_from_migration
+      belongs_to_attributes = migration_attributes.select { |attr| attr[:type] == :references }
+      
+      belongs_to_attributes.each do |attr|
+        # Skip polymorphic references
+        next if attr[:polymorphic]
+        
+        parent_class_name = attr[:name].classify
+        parent_model_file = "app/models/#{parent_class_name.underscore}.rb"
+        full_path = File.join(destination_root, parent_model_file)
+        
+        # Skip if parent model doesn't exist
+        next unless File.exist?(full_path)
+        
+        inverse_relationship = "has_many :#{table_name}, dependent: :destroy"
+        
+        begin
+          remove_specific_relationship(full_path, inverse_relationship, parent_class_name)
+        rescue => e
+          say "Warning: Could not remove relationship from #{parent_model_file}: #{e.message}", :yellow
+        end
+      end
+    end
+  end
+
+  def get_attributes_from_migration
+    # Find the migration file (using same pattern as create_migration)
+    migration_files = Dir[File.join(destination_root, "db/migrate/*_create_#{table_name}.rb")]
+    return [] unless migration_files.any?
+    
+    migration_file = migration_files.first
+    migration_content = File.read(migration_file)
+    
+    # Parse t.references and t.string, t.text, etc. lines
+    parsed_attributes = []
+    
+    # Match references with polymorphic option
+    migration_content.scan(/t\.references\s+:(\w+).*?(polymorphic:\s*true)?/) do |name, polymorphic|
+      parsed_attributes << {
+        name: name,
+        type: :references,
+        polymorphic: !polymorphic.nil?
+      }
+    end
+    
+    # Match other attribute types
+    %w[string text integer decimal boolean datetime date json jsonb].each do |type|
+      migration_content.scan(/t\.#{type}\s+:(\w+)/) do |name|
+        parsed_attributes << {
+          name: name.first,
+          type: type.to_sym,
+          polymorphic: false
+        }
+      end
+    end
+    
+    parsed_attributes
+  end
+
+  def remove_specific_relationship(model_file_path, relationship, parent_class_name)
+    content = File.read(model_file_path)
+    original_content = content.dup
+    
+    # Remove the relationship line if it exists
+    relationship_pattern = /^\s*#{Regexp.escape(relationship)}\s*\n/
+    if content.match?(relationship_pattern)
+      content = content.gsub(relationship_pattern, '')
+      File.write(model_file_path, content)
+      say "  ❌ Removed from #{parent_class_name}: #{relationship}", :red
+    else
+      say "  ⚠️  Relationship not found in #{parent_class_name}: #{relationship}", :yellow
+    end
+  end
+
+  def remove_from_parent_model(model_file_path, relationships, parent_class_name)
+    content = File.read(model_file_path)
+    original_content = content.dup
+    
+    relationships.each do |relationship|
+      # Remove the relationship line if it exists
+      relationship_pattern = /^\s*#{Regexp.escape(relationship)}\s*\n/
+      if content.match?(relationship_pattern)
+        content = content.gsub(relationship_pattern, '')
+        say "  ❌ Removed from #{parent_class_name}: #{relationship}", :red
+      end
+    end
+    
+    # Only write if content changed
+    if content != original_content
+      File.write(model_file_path, content)
+    end
+  end
+
   def update_parent_model(model_file_path, relationships, parent_class_name)
     content = File.read(model_file_path)
     original_content = content.dup

data/lib/generators/propel_api/templates/concerns/propel_controller_filters_concern.rb

@@ -0,0 +1,141 @@
+# frozen_string_literal: true
+
+# DynamicControllerFiltersConcern
+#
+# Provides dynamic filtering capabilities for API controllers using has_scope.
+# This concern automatically generates and registers scopes based on the model's
+# database columns and their types.
+#
+# Features:
+# - Automatic scope generation based on column types
+# - Security validation of filter parameters
+# - Error handling for malformed filters
+# - Support for all standard filter operators
+#
+# Usage:
+#   class Api::V1::TeamsController < Api::V1::ApiController
+#     include PropelControllerFiltersConcern
+#   end
+#
+module PropelControllerFiltersConcern
+  extend ActiveSupport::Concern
+
+  included do
+    include HasScope
+    
+    # Track which scopes have been registered to avoid duplicates
+    class_attribute :_registered_scopes, default: Set.new
+    
+    # Register dynamic scopes when the controller is first used
+    before_action :ensure_dynamic_scopes_registered, prepend: true
+  end
+
+  private
+
+  def ensure_dynamic_scopes_registered
+    return if self.class._registered_scopes.include?(resource_class.name)
+    
+    model_class = resource_class
+    return unless model_class&.respond_to?(:columns)
+    
+    # Ensure scopes are generated for the model (lazy loading)
+    model_class.ensure_scopes_generated!
+    
+    # Generate scopes for the model
+    generator = PropelDynamicScopeGenerator.new(model_class)
+    generator.generate_scopes!
+    
+    # Register has_scope calls for this controller
+    generator.register_controller_scopes(self.class)
+    
+    # Mark as registered to avoid duplicate work
+    self.class._registered_scopes << model_class.name
+  rescue StandardError => e
+    Rails.logger.error "Error registering dynamic scopes: #{e.message}"
+    Rails.logger.error e.backtrace.join("\n")
+  end
+
+  # Override apply_scopes to add security validation and error handling
+  def apply_scopes(base_scope)
+    # Filter out any potentially dangerous or unsupported parameters
+    safe_params = filter_safe_parameters(params)
+    
+    # Apply scopes with error handling
+    result = super(base_scope, safe_params)
+    result || base_scope
+  rescue StandardError => e
+    Rails.logger.warn "Error in apply_scopes: #{e.message}"
+    base_scope
+  end
+
+  # Security: Filter out dangerous or unsupported parameters
+  def filter_safe_parameters(params)
+    return {} unless params.is_a?(ActionController::Parameters)
+    
+    # Get allowed filter parameters based on model columns
+    allowed_filters = allowed_filter_parameters
+    
+    # Filter to only include known, safe parameters
+    safe_params = params.slice(*allowed_filters)
+    
+    # Log any filtered out parameters for security monitoring
+    filtered_params = params.except(*allowed_filters).except(:controller, :action, :format)
+    if filtered_params.present?
+      Rails.logger.warn "Filtered out potentially unsafe parameters: #{filtered_params.keys.join(', ')}"
+    end
+    
+    safe_params
+  end
+
+  # Get list of allowed filter parameters based on model columns
+  def allowed_filter_parameters
+    return [] unless resource_class&.respond_to?(:columns)
+    
+    allowed = []
+    
+    resource_class.columns.each do |column|
+      name = column.name
+      type = column.type
+      sql_type = column.sql_type_metadata.sql_type
+      
+      # Skip sensitive fields
+      next if sensitive_field?(name)
+      
+      # Get operators for this column type
+      operators = PropelFilterOperators.operators_for(type, sql_type)
+      
+      # Add parameter names for each operator
+      operators.each do |operator|
+        allowed << "#{name}_#{operator}".to_sym
+      end
+    end
+    
+    # Add special parameters
+    allowed += [:order_by, :page, :limit, :per_page]
+    
+    allowed
+  end
+
+  # Check if a field name is considered sensitive and should not be filterable
+  def sensitive_field?(field_name)
+    sensitive_fields = %w[
+      password password_hash password_digest
+      token secret_key api_key
+      encrypted_data encrypted_password
+      salt pepper
+      private_key public_key
+      ssn social_security_number
+      credit_card_number
+      bank_account_number
+    ]
+    
+    sensitive_fields.any? { |sensitive| field_name.downcase.include?(sensitive) }
+  end
+
+  # Override to provide better error messages for invalid filters
+  def handle_invalid_filter(filter_name, error)
+    Rails.logger.warn "Invalid filter '#{filter_name}': #{error.message}"
+    # Don't raise the error, just log it and continue
+    # This prevents one bad filter from breaking the entire request
+  end
+end

data/lib/generators/propel_api/templates/concerns/propel_model_filters_concern.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+# DynamicModelFiltersConcern
+#
+# Provides dynamic filtering capabilities for ActiveRecord models.
+# This concern automatically generates scopes based on the model's
+# database columns and their types.
+#
+# Features:
+# - Automatic scope generation based on column types
+# - Support for all standard filter operators
+# - Type-aware filtering (boolean, string, numeric, datetime)
+# - Security validation of filter parameters
+#
+# Usage:
+#   class Team < ApplicationRecord
+#     include PropelModelFiltersConcern
+#   end
+#
+module PropelModelFiltersConcern
+  extend ActiveSupport::Concern
+
+  included do
+    # Track which scopes have been generated to avoid duplicates
+    class_attribute :_generated_scopes, default: Set.new
+    
+    # Generate scopes lazily when first needed
+    # This prevents issues with abstract classes like ApplicationRecord
+  end
+
+  class_methods do
+    # Generate all dynamic scopes for this model
+    def generate_dynamic_scopes!
+      return if _generated_scopes.include?(name)
+      
+      # Skip abstract classes (like ApplicationRecord)
+      return if abstract_class?
+      
+      # Skip if the model doesn't have a table (e.g., abstract classes)
+      return unless table_exists?
+      
+      generator = PropelDynamicScopeGenerator.new(self)
+      generator.generate_scopes!
+      
+      # Mark as generated to avoid duplicate work
+      _generated_scopes << name
+    rescue StandardError => e
+      Rails.logger.error "Error generating dynamic scopes for #{name}: #{e.message}"
+      Rails.logger.error e.backtrace.join("\n")
+    end
+
+    # Ensure scopes are generated (lazy loading)
+    def ensure_scopes_generated!
+      generate_dynamic_scopes! unless _generated_scopes.include?(name)
+    end
+
+    # Get all available filter parameters for this model
+    def available_filter_parameters
+      return [] unless respond_to?(:columns)
+      
+      allowed = []
+      
+      columns.each do |column|
+        name = column.name
+        type = column.type
+        sql_type = column.sql_type_metadata.sql_type
+        
+        # Skip sensitive fields
+        next if sensitive_field?(name)
+        
+        # Get operators for this column type
+        operators = PropelFilterOperators.operators_for(type, sql_type)
+        
+        # Add parameter names for each operator
+        operators.each do |operator|
+          allowed << "#{name}_#{operator}".to_sym
+        end
+      end
+      
+      allowed
+    end
+
+    # Check if a field name is considered sensitive
+    def sensitive_field?(field_name)
+      sensitive_fields = %w[
+        password password_hash password_digest
+        token secret_key api_key
+        encrypted_data encrypted_password
+        salt pepper
+        private_key public_key
+        ssn social_security_number
+        credit_card_number
+        bank_account_number
+      ]
+      
+      sensitive_fields.any? { |sensitive| field_name.downcase.include?(sensitive) }
+    end
+
+    # Get filterable columns for this model
+    def filterable_columns
+      return [] unless respond_to?(:columns)
+      
+      columns.reject { |column| sensitive_field?(column.name) }
+    end
+
+    # Get operators available for a specific column
+    def operators_for_column(column_name)
+      column = columns.find { |c| c.name == column_name }
+      return [] unless column
+      
+      PropelFilterOperators.operators_for(column.type, column.sql_type_metadata.sql_type)
+    end
+
+    # Validate filter parameters
+    def validate_filter_parameters(params)
+      return {} unless params.is_a?(ActionController::Parameters)
+      
+      allowed_filters = available_filter_parameters
+      params.slice(*allowed_filters)
+    end
+  end
+
+  private
+
+  def ensure_dynamic_scopes_generated
+    self.class.generate_dynamic_scopes!
+  end
+end

data/lib/generators/propel_api/templates/controllers/api_controller_propel_facets.rb

@@ -4,6 +4,7 @@ class <%= api_controller_class_name %> < Api::BaseController
   include FacetRenderer
   include StrongParamsHelper
   include PropelAuthenticationConcern
+  include PropelControllerFiltersConcern
 
   before_action :authenticate_user
   before_action :set_resource, only: [:show, :update, :destroy]