propel_api 0.3.2 → 0.3.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0a2cc174f214b50c6e5f58829c9136661591fc142a1e14e09aaf7221c0e1ddda
-  data.tar.gz: ae2f7764a20f7dc8b22b35486c4d1ca68e4910321d98c624306293800326270b
+  metadata.gz: ab74f199f5f59a6a62a0f39a8c63960a7b1339b46bd32701219a6249f6cdb5a3
+  data.tar.gz: c4aa9676d91f4400cd54f0aa6d5ce0a022f9b6c893ec7b3124da057f679d8770
 SHA512:
-  metadata.gz: 4ca81a75e2225c0a2bdff55f17aef1e5f6067c7b19c0e815a074201b39a508a0f46d3afa6bcbc54225e7ebc3314cedf46ecdf18cccfa11c15b2031b0afc8c168
-  data.tar.gz: 2bab3dadb532118c96fbdc76e8fa389be29fa4d58801fc3dc7ab6fbea90cffa9534795035f306dd470f6d89f841b055909a3e582634fbae49c5296cc3f44e335
+  metadata.gz: 27513e98749a5b837f3f7c1e10280e49155ec5a8113c8319c1b8994e17efaf79cba9c549f74a82982a386fa30d2505d62aeadb84d7bd1af9e0debc9576a52d80
+  data.tar.gz: 8d1c4bc5f35ac31d8d42570c7d0829e488242512631ab5d883a382fddc77bb12f3c94daa36645b6fefbc92ab50ccad455a4464225749b047ca1dbbcc27f53fb0

data/CHANGELOG.md

@@ -10,6 +10,66 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Planned Features
 - GraphQL adapter support
 
+## [0.3.3] - 2025-01-XX
+
+### 🎉 Major Features Added
+- **Comprehensive Dynamic Filtering System**: Complete implementation of automatic URL query string filtering and scoping using the `has_scope` gem
+  - **Multi-Type Filtering Support**: Full filtering support across all data types (string, numeric, boolean, datetime, date, time)
+  - **Database-Agnostic Implementation**: Works seamlessly across SQLite, PostgreSQL, and MySQL without database-specific code
+  - **Automatic Scope Generation**: Dynamic scope generation based on model column types and filter operators
+  - **Intelligent Facet Integration**: Automatic inclusion of filterable fields in JSON facets for API responses
+
+### 🔍 Advanced Filtering Capabilities
+- **String Filtering**: Exact match (`_eq`), contains (`_contains`), starts with (`_starts_with`), ends with (`_ends_with`), in list (`_in`)
+- **Numeric Filtering**: Comparison operators (`_gt`, `_lt`, `_gte`, `_lte`), range filtering (`_range`), in list (`_in`)
+- **Boolean Filtering**: Multiple value format support (`true`/`false`, `1`/`0`, `yes`/`no`, `on`/`off`)
+- **DateTime Filtering**: Temporal comparisons (`_before`, `_after`), date extraction (`_year`, `_month`, `_day`), date matching (`_date`)
+- **Range Filtering**: Support for both array and string formats (e.g., `"150,350"` or `[150, 350]`)
+
+### 🛠️ Technical Implementation
+- **PropelDynamicScopeGenerator**: New generator class for automatic scope creation based on model columns
+- **PropelModelFiltersConcern**: Model concern for dynamic scope generation and filter parameter validation
+- **PropelControllerFiltersConcern**: Controller concern for has_scope integration and security validation
+- **PropelFilterOperators**: Configuration class defining available operators for each data type
+- **Database-Agnostic Datetime Parsing**: Ruby-based datetime parsing instead of SQL extraction functions
+
+### 🔒 Security & Performance
+- **Input Validation**: Comprehensive validation of filter parameters against allowed field names and operators
+- **SQL Injection Protection**: All parameters properly escaped and parameterized
+- **Multi-Tenancy Integration**: Automatic organization scoping for all filtered queries
+- **Sensitive Field Filtering**: Automatic exclusion of sensitive fields (passwords, tokens, etc.) from filtering
+- **Performance Optimization**: Efficient range queries and indexed field prioritization
+
+### 📊 Enhanced JSON Facet System
+- **Smart Field Inclusion**: Automatic inclusion of boolean and datetime fields in `:short` facets
+- **Exclusion Lists**: Configurable exclusion of specific fields (e.g., `created_at`, `updated_at`, `internal_flag`)
+- **Consistent Serialization**: Ensures filterable fields are available in API responses for client-side filtering
+
+### 🧪 Comprehensive Testing
+- **Test-Driven Development**: Complete test suite with 992 tests covering all filtering scenarios
+- **Fixture-Aware Testing**: Unique test data values to avoid conflicts with fixture data
+- **Multi-Tenancy Testing**: Proper testing of organization-scoped filtering
+- **Edge Case Coverage**: Testing of invalid inputs, empty values, and error conditions
+- **Database Compatibility**: Tests pass across SQLite, PostgreSQL, and MySQL
+
+### 📖 Documentation & Examples
+- **Comprehensive API Documentation**: Complete filtering documentation with examples for all operators
+- **Postman Collection Ready**: Detailed query parameter examples for testing
+- **Error Handling Guide**: Common error scenarios and troubleshooting tips
+- **Performance Guidelines**: Optimization recommendations for large datasets
+
+### 🔧 Configuration & Customization
+- **Flexible Operator Configuration**: Easy addition of new filter operators via `PropelFilterOperators`
+- **Customizable Field Exclusions**: Configurable lists for fields to exclude from facets
+- **Template-Based Generation**: All filtering code generated via ERB templates for easy customization
+- **Backward Compatibility**: Existing applications continue to work without changes
+
+### 🐛 Bug Fixes
+- **Template Syntax Errors**: Fixed ERB template syntax issues with `next` vs `return` in select blocks
+- **Scope Generation Caching**: Resolved issues with cached scopes not updating after template changes
+- **Datetime Parsing Errors**: Fixed datetime scope generation to handle multiple input formats
+- **SQL Compatibility**: Resolved SQLite `EXTRACT` function compatibility issues
+
 ## [0.3.2] - 2025-09-15
 
 ### 🐛 Critical Bug Fixes

data/README.md

@@ -1,6 +1,51 @@
 # PropelApi
 
-A comprehensive Rails generator that creates complete API resources with models, controllers, tests, and realistic seed data. Supports both PropelFacets (JSON Facet) and Graphiti serialization engines with **fixed route insertion** and proper indentation.
+A comprehensive Rails generator that creates complete API resources with models, controllers, tests, and realistic seed data. Supports both PropelFacets (JSON Facet) and Graphiti serialization engines with **fixed route insertion**, proper indentation, and **comprehensive dynamic filtering system**.
+
+## 🎉 NEW in v0.3.3: Dynamic Filtering System
+
+PropelApi now includes a complete automatic URL query string filtering and scoping system using the `has_scope` gem. This provides powerful, database-agnostic filtering across all data types with zero configuration required.
+
+### Quick Filtering Examples
+
+```bash
+# String filtering
+GET /api/v1/meetings?title_contains=Project&status_in=active,pending
+
+# Numeric filtering  
+GET /api/v1/meetings?max_participants_gte=50&max_participants_lte=200
+
+# Boolean filtering
+GET /api/v1/meetings?recording_enabled_eq=true&ai_research_enabled_eq=false
+
+# DateTime filtering
+GET /api/v1/meetings?start_time_after=2024-01-01T00:00:00Z&start_time_before=2024-12-31T23:59:59Z
+
+# Range filtering
+GET /api/v1/meetings?max_participants_range=150,350
+
+# Combined filtering with sorting and pagination
+GET /api/v1/meetings?title_contains=Project&max_participants_gte=50&order_by=start_time&page=1&limit=20
+```
+
+### Supported Filter Operators
+
+| Data Type | Operators | Examples |
+|-----------|-----------|----------|
+| **String** | `_eq`, `_contains`, `_starts_with`, `_ends_with`, `_in` | `name_eq=Acme`, `title_contains=Project` |
+| **Numeric** | `_eq`, `_gt`, `_lt`, `_gte`, `_lte`, `_range`, `_in` | `max_participants_gte=50`, `price_range=100,500` |
+| **Boolean** | `_eq` (supports `true`/`false`, `1`/`0`, `yes`/`no`, `on`/`off`) | `recording_enabled_eq=true` |
+| **DateTime** | `_before`, `_after`, `_year`, `_month`, `_day`, `_date` | `start_time_after=2024-01-01`, `created_at_year=2024` |
+| **Date** | Same as DateTime | `event_date_after=2024-01-01` |
+| **Time** | Same as DateTime | `start_time_hour=14` |
+
+### Automatic Features
+
+- **Zero Configuration**: Filtering works automatically for all generated resources
+- **Database Agnostic**: Works with SQLite, PostgreSQL, and MySQL
+- **Security Built-in**: SQL injection protection and input validation
+- **Multi-tenancy Ready**: Automatic organization scoping
+- **Performance Optimized**: Efficient queries with proper indexing support
 
 ## Installation
 

data/lib/generators/propel_api/core/named_base.rb

@@ -1263,38 +1263,54 @@ module PropelApi
       say "="*70, :red
     end
 
-    # Route management helper methods
+    # Route management helper methods - using Rails' gsub_file for proper insertion
     def insert_routes
+      return if route_already_exists?
+
+      if @api_namespace.present? && @api_version.present?
+        insert_nested_namespace_route
+      elsif @api_namespace.present?
+        insert_single_namespace_route
+      else
+        route "resources :#{route_name}"
+      end
+    end
+
+    private
+
+    def insert_nested_namespace_route
       routes_file = File.join(destination_root, "config/routes.rb")
-      return unless File.exist?(routes_file)
-      
       routes_content = File.read(routes_file)
       
-      if @api_namespace.present? && @api_version.present?
-        # Both namespace and version: insert into existing or create new structure
-        if has_nested_namespace?(routes_content, @api_namespace, @api_version)
-          resource_line = "    resources :#{route_name}"
-          insert_into_nested_namespace(routes_content, @api_namespace, @api_version, resource_line)
-        else
-          # Create new nested namespace structure
-          # Rails route method adds 2 spaces to each line, so we need to adjust for that
-          route_content = "namespace :#{@api_namespace} do\n  namespace :#{@api_version} do\n    resources :#{route_name}\n  end\nend"
-          route route_content
+      # Look for the nested namespace pattern and insert after it (flexible whitespace matching)
+      nested_pattern = /namespace\s+:#{@api_namespace}\s+do\s*\n\s*namespace\s+:#{@api_version}\s+do\s*\n/
+      
+      if routes_content.match?(nested_pattern)
+        # Use gsub_file to replace the namespace opening with namespace + our resource
+        gsub_file "config/routes.rb", nested_pattern do |match|
+          match + "      resources :#{route_name}\n"
         end
-      elsif @api_namespace.present?
-        # Only namespace: insert into existing or create new
-        if has_single_namespace?(routes_content, @api_namespace)
-          resource_line = "  resources :#{route_name}"
-          insert_into_single_namespace(routes_content, @api_namespace, resource_line)
-        else
-          # Create new namespace
-          # Rails route method adds 2 spaces to each line, so we need to adjust for that
-          route_content = "namespace :#{@api_namespace} do\n  resources :#{route_name}\nend"
-          route route_content
+      else
+        # Create new namespace block using Rails' route method
+        route "namespace :#{@api_namespace} do\n  namespace :#{@api_version} do\n    resources :#{route_name}\n  end\nend"
+      end
+    end
+
+    def insert_single_namespace_route
+      routes_file = File.join(destination_root, "config/routes.rb")
+      routes_content = File.read(routes_file)
+      
+      # Look for the single namespace pattern and insert after it
+      single_pattern = /namespace\s+:#{@api_namespace}\s+do\s*\n/
+      
+      if routes_content.match?(single_pattern)
+        # Use gsub_file to replace the namespace opening with namespace + our resource
+        gsub_file "config/routes.rb", single_pattern do |match|
+          match + "    resources :#{route_name}\n"
         end
       else
-        # No namespace: simple resources
-        route "resources :#{route_name}"
+        # Create new namespace block using Rails' route method
+        route "namespace :#{@api_namespace} do\n  resources :#{route_name}\nend"
       end
     end
 
@@ -1336,58 +1352,13 @@ module PropelApi
       end
     end
 
-    def has_nested_namespace?(content, namespace, version)
-      content.match?(/namespace\s+:#{namespace}\s+do.*?namespace\s+:#{version}\s+do/m)
-    end
-    
-    def has_single_namespace?(content, namespace)
-      content.match?(/namespace\s+:#{namespace}\s+do/)
-    end
-    
-    def insert_into_nested_namespace(content, namespace, version, resource_line)
-      # Check if resource already exists
-      existing_pattern = /namespace\s+:#{namespace}\s+do.*?namespace\s+:#{version}\s+do.*?resources\s+:#{route_name}/m
-      
-      if content.match?(existing_pattern)
-        say "Route for #{route_name} already exists in #{namespace}/#{version} namespace", :yellow
-        return
-      end
-      
-      # Find the position to insert the resource line
-      # Look for the end of the nested namespace's opening line
-      after_pattern = /namespace\s+:#{namespace}\s+do\s*\n\s*namespace\s+:#{version}\s+do\s*\n/
-      
-      if content.match?(after_pattern)
-        # Insert the resource line with proper indentation (4 spaces for nested namespace)
-        insert_into_file "config/routes.rb", "#{resource_line}\n", :after => after_pattern
-      else
-        # This shouldn't happen if has_nested_namespace? returned true, but handle it
-        route_content = "namespace :#{namespace} do\n  namespace :#{version} do\n#{resource_line}\n  end\nend"
-        route route_content
-      end
-    end
-
-    def insert_into_single_namespace(content, namespace, resource_line)
-      # Check if resource already exists
-      existing_pattern = /namespace\s+:#{namespace}\s+do.*?resources\s+:#{route_name}/m
-      
-      if content.match?(existing_pattern)
-        say "Route for #{route_name} already exists in #{namespace} namespace", :yellow
-        return
-      end
-      
-      # Find the position to insert the resource line
-      # Look for the end of the namespace's opening line
-      after_pattern = /namespace\s+:#{namespace}\s+do\s*\n/
+    def route_already_exists?
+      routes_file = File.join(destination_root, "config/routes.rb")
+      return false unless File.exist?(routes_file)
       
-      if content.match?(after_pattern)
-        # Insert the resource line with proper indentation (resource_line already has correct 2 spaces)
-        insert_into_file "config/routes.rb", "#{resource_line}\n", :after => after_pattern
-      else
-        # This shouldn't happen if has_single_namespace? returned true, but handle it
-        route_content = "namespace :#{namespace} do\n    resources :#{route_name}\n  end"
-        route route_content
-      end
+      routes_content = File.read(routes_file)
+      # Check for actual route declarations (not comments) - must be at start of line or after whitespace  
+      routes_content.match?(/^\s*resources\s+:#{Regexp.escape(route_name)}(\s|$)/)
     end
 
     def cleanup_empty_namespaces(content)

data/lib/generators/propel_api/install/install_generator.rb

@@ -37,6 +37,9 @@ module PropelApi
         
         # Optionally enhance CSRF error messages (non-breaking)
         add_csrf_error_handling
+        
+        # Add dynamic filtering capabilities to ApplicationRecord
+        add_model_filters_concern
       end
       
       case @adapter
@@ -113,6 +116,28 @@ module PropelApi
 
     private
 
+    def copy_propel_facets_concerns
+      if behavior == :revoke
+        # Remove concerns
+        remove_file "app/controllers/concerns/propel_controller_filters_concern.rb"
+        remove_file "app/models/concerns/propel_model_filters_concern.rb" 
+        remove_file "lib/propel_filter_operators.rb"
+        remove_file "lib/propel_dynamic_scope_generator.rb"
+        say "🗑️  Removed PropelApi filtering concerns", :red
+      else
+        # Copy concerns to host app using XX-prefixed source files
+        copy_file "concerns/propel_controller_filters_concern.rb", "app/controllers/concerns/propel_controller_filters_concern.rb"
+        copy_file "concerns/propel_model_filters_concern.rb", "app/models/concerns/propel_model_filters_concern.rb"
+        copy_file "lib/propel_filter_operators.rb", "lib/propel_filter_operators.rb"
+        copy_file "lib/propel_dynamic_scope_generator.rb", "lib/propel_dynamic_scope_generator.rb"
+        say "📦 Copied PropelApi filtering concerns to app", :green
+        say "   - Controller filtering: app/controllers/concerns/propel_controller_filters_concern.rb", :blue
+        say "   - Model filtering: app/models/concerns/propel_model_filters_concern.rb", :blue  
+        say "   - Filter operators: lib/propel_filter_operators.rb", :blue
+        say "   - Dynamic scope generator: lib/propel_dynamic_scope_generator.rb", :blue
+      end
+    end
+
     def create_api_base_controller
       template "controllers/api_base_controller.rb", "app/controllers/api/base_controller.rb"
       say "Created Api::BaseController for CSRF-free API endpoints", :green
@@ -144,6 +169,18 @@ module PropelApi
       say "You can manually add the rescue_from handler if desired", :blue
     end
 
+    def add_model_filters_concern
+      # Inject PropelModelFiltersConcern into ApplicationRecord
+      inject_into_class "app/models/application_record.rb", ApplicationRecord, <<-RUBY
+  include PropelModelFiltersConcern
+      RUBY
+      
+      say "Enhanced ApplicationRecord with dynamic filtering capabilities", :green
+    rescue => e
+      say "Could not inject PropelModelFiltersConcern into ApplicationRecord: #{e.message}", :yellow
+      say "You can manually add 'include PropelModelFiltersConcern' to ApplicationRecord if desired", :blue
+    end
+
     def copy_propel_facets_controller
       template "controllers/api_controller_propel_facets.rb", api_controller_path
       copy_example_controller
@@ -256,8 +293,12 @@ module PropelApi
       say "   end", :yellow
       say "\n5. See doc/api_controller_example.rb for complete usage examples"
       say "6. Your API endpoints will be available at: #{api_route_prefix}/..."
-      say "7. Pagination and filtering are built-in via Pagy and HasScope"
-      say "\n8. Generate resources using:"
+      say "7. Pagination and secure filtering are built-in via Pagy and PropelApi filtering"
+      say "8. Filtering examples:"
+      say "   GET /api/v1/users?name_contains=john&active_eq=true&sort=-created_at", :yellow
+      say "   - Secure field validation prevents SQL injection"
+      say "   - Sensitive fields (passwords, tokens) automatically excluded", :cyan
+      say "\n9. Generate resources using:"
       say "   rails generate propel_api Resource field1:type field2:type", :yellow
     end
 

data/lib/generators/propel_api/templates/concerns/propel_controller_filters_concern.rb

@@ -0,0 +1,141 @@
+# frozen_string_literal: true
+
+# DynamicControllerFiltersConcern
+#
+# Provides dynamic filtering capabilities for API controllers using has_scope.
+# This concern automatically generates and registers scopes based on the model's
+# database columns and their types.
+#
+# Features:
+# - Automatic scope generation based on column types
+# - Security validation of filter parameters
+# - Error handling for malformed filters
+# - Support for all standard filter operators
+#
+# Usage:
+#   class Api::V1::TeamsController < Api::V1::ApiController
+#     include PropelControllerFiltersConcern
+#   end
+#
+module PropelControllerFiltersConcern
+  extend ActiveSupport::Concern
+
+  included do
+    include HasScope
+    
+    # Track which scopes have been registered to avoid duplicates
+    class_attribute :_registered_scopes, default: Set.new
+    
+    # Register dynamic scopes when the controller is first used
+    before_action :ensure_dynamic_scopes_registered, prepend: true
+  end
+
+  private
+
+  def ensure_dynamic_scopes_registered
+    return if self.class._registered_scopes.include?(resource_class.name)
+    
+    model_class = resource_class
+    return unless model_class&.respond_to?(:columns)
+    
+    # Ensure scopes are generated for the model (lazy loading)
+    model_class.ensure_scopes_generated!
+    
+    # Generate scopes for the model
+    generator = PropelDynamicScopeGenerator.new(model_class)
+    generator.generate_scopes!
+    
+    # Register has_scope calls for this controller
+    generator.register_controller_scopes(self.class)
+    
+    # Mark as registered to avoid duplicate work
+    self.class._registered_scopes << model_class.name
+  rescue StandardError => e
+    Rails.logger.error "Error registering dynamic scopes: #{e.message}"
+    Rails.logger.error e.backtrace.join("\n")
+  end
+
+  # Override apply_scopes to add security validation and error handling
+  def apply_scopes(base_scope)
+    # Filter out any potentially dangerous or unsupported parameters
+    safe_params = filter_safe_parameters(params)
+    
+    # Apply scopes with error handling
+    result = super(base_scope, safe_params)
+    result || base_scope
+  rescue StandardError => e
+    Rails.logger.warn "Error in apply_scopes: #{e.message}"
+    base_scope
+  end
+
+  # Security: Filter out dangerous or unsupported parameters
+  def filter_safe_parameters(params)
+    return {} unless params.is_a?(ActionController::Parameters)
+    
+    # Get allowed filter parameters based on model columns
+    allowed_filters = allowed_filter_parameters
+    
+    # Filter to only include known, safe parameters
+    safe_params = params.slice(*allowed_filters)
+    
+    # Log any filtered out parameters for security monitoring
+    filtered_params = params.except(*allowed_filters).except(:controller, :action, :format)
+    if filtered_params.present?
+      Rails.logger.warn "Filtered out potentially unsafe parameters: #{filtered_params.keys.join(', ')}"
+    end
+    
+    safe_params
+  end
+
+  # Get list of allowed filter parameters based on model columns
+  def allowed_filter_parameters
+    return [] unless resource_class&.respond_to?(:columns)
+    
+    allowed = []
+    
+    resource_class.columns.each do |column|
+      name = column.name
+      type = column.type
+      sql_type = column.sql_type_metadata.sql_type
+      
+      # Skip sensitive fields
+      next if sensitive_field?(name)
+      
+      # Get operators for this column type
+      operators = PropelFilterOperators.operators_for(type, sql_type)
+      
+      # Add parameter names for each operator
+      operators.each do |operator|
+        allowed << "#{name}_#{operator}".to_sym
+      end
+    end
+    
+    # Add special parameters
+    allowed += [:order_by, :page, :limit, :per_page]
+    
+    allowed
+  end
+
+  # Check if a field name is considered sensitive and should not be filterable
+  def sensitive_field?(field_name)
+    sensitive_fields = %w[
+      password password_hash password_digest
+      token secret_key api_key
+      encrypted_data encrypted_password
+      salt pepper
+      private_key public_key
+      ssn social_security_number
+      credit_card_number
+      bank_account_number
+    ]
+    
+    sensitive_fields.any? { |sensitive| field_name.downcase.include?(sensitive) }
+  end
+
+  # Override to provide better error messages for invalid filters
+  def handle_invalid_filter(filter_name, error)
+    Rails.logger.warn "Invalid filter '#{filter_name}': #{error.message}"
+    # Don't raise the error, just log it and continue
+    # This prevents one bad filter from breaking the entire request
+  end
+end

data/lib/generators/propel_api/templates/concerns/propel_model_filters_concern.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+# DynamicModelFiltersConcern
+#
+# Provides dynamic filtering capabilities for ActiveRecord models.
+# This concern automatically generates scopes based on the model's
+# database columns and their types.
+#
+# Features:
+# - Automatic scope generation based on column types
+# - Support for all standard filter operators
+# - Type-aware filtering (boolean, string, numeric, datetime)
+# - Security validation of filter parameters
+#
+# Usage:
+#   class Team < ApplicationRecord
+#     include PropelModelFiltersConcern
+#   end
+#
+module PropelModelFiltersConcern
+  extend ActiveSupport::Concern
+
+  included do
+    # Track which scopes have been generated to avoid duplicates
+    class_attribute :_generated_scopes, default: Set.new
+    
+    # Generate scopes lazily when first needed
+    # This prevents issues with abstract classes like ApplicationRecord
+  end
+
+  class_methods do
+    # Generate all dynamic scopes for this model
+    def generate_dynamic_scopes!
+      return if _generated_scopes.include?(name)
+      
+      # Skip abstract classes (like ApplicationRecord)
+      return if abstract_class?
+      
+      # Skip if the model doesn't have a table (e.g., abstract classes)
+      return unless table_exists?
+      
+      generator = PropelDynamicScopeGenerator.new(self)
+      generator.generate_scopes!
+      
+      # Mark as generated to avoid duplicate work
+      _generated_scopes << name
+    rescue StandardError => e
+      Rails.logger.error "Error generating dynamic scopes for #{name}: #{e.message}"
+      Rails.logger.error e.backtrace.join("\n")
+    end
+
+    # Ensure scopes are generated (lazy loading)
+    def ensure_scopes_generated!
+      generate_dynamic_scopes! unless _generated_scopes.include?(name)
+    end
+
+    # Get all available filter parameters for this model
+    def available_filter_parameters
+      return [] unless respond_to?(:columns)
+      
+      allowed = []
+      
+      columns.each do |column|
+        name = column.name
+        type = column.type
+        sql_type = column.sql_type_metadata.sql_type
+        
+        # Skip sensitive fields
+        next if sensitive_field?(name)
+        
+        # Get operators for this column type
+        operators = PropelFilterOperators.operators_for(type, sql_type)
+        
+        # Add parameter names for each operator
+        operators.each do |operator|
+          allowed << "#{name}_#{operator}".to_sym
+        end
+      end
+      
+      allowed
+    end
+
+    # Check if a field name is considered sensitive
+    def sensitive_field?(field_name)
+      sensitive_fields = %w[
+        password password_hash password_digest
+        token secret_key api_key
+        encrypted_data encrypted_password
+        salt pepper
+        private_key public_key
+        ssn social_security_number
+        credit_card_number
+        bank_account_number
+      ]
+      
+      sensitive_fields.any? { |sensitive| field_name.downcase.include?(sensitive) }
+    end
+
+    # Get filterable columns for this model
+    def filterable_columns
+      return [] unless respond_to?(:columns)
+      
+      columns.reject { |column| sensitive_field?(column.name) }
+    end
+
+    # Get operators available for a specific column
+    def operators_for_column(column_name)
+      column = columns.find { |c| c.name == column_name }
+      return [] unless column
+      
+      PropelFilterOperators.operators_for(column.type, column.sql_type_metadata.sql_type)
+    end
+
+    # Validate filter parameters
+    def validate_filter_parameters(params)
+      return {} unless params.is_a?(ActionController::Parameters)
+      
+      allowed_filters = available_filter_parameters
+      params.slice(*allowed_filters)
+    end
+  end
+
+  private
+
+  def ensure_dynamic_scopes_generated
+    self.class.generate_dynamic_scopes!
+  end
+end

data/lib/generators/propel_api/templates/controllers/api_controller_propel_facets.rb

@@ -4,6 +4,7 @@ class <%= api_controller_class_name %> < Api::BaseController
   include FacetRenderer
   include StrongParamsHelper
   include PropelAuthenticationConcern
+  include PropelControllerFiltersConcern
 
   before_action :authenticate_user
   before_action :set_resource, only: [:show, :update, :destroy]