propel_api 0.3.2 → 0.3.4

data/lib/generators/propel_api/core/named_base.rb

@@ -1263,38 +1263,54 @@ module PropelApi
       say "="*70, :red
     end
 
-    # Route management helper methods
+    # Route management helper methods - using Rails' gsub_file for proper insertion
     def insert_routes
+      return if route_already_exists?
+
+      if @api_namespace.present? && @api_version.present?
+        insert_nested_namespace_route
+      elsif @api_namespace.present?
+        insert_single_namespace_route
+      else
+        route "resources :#{route_name}"
+      end
+    end
+
+    private
+
+    def insert_nested_namespace_route
       routes_file = File.join(destination_root, "config/routes.rb")
-      return unless File.exist?(routes_file)
-      
       routes_content = File.read(routes_file)
       
-      if @api_namespace.present? && @api_version.present?
-        # Both namespace and version: insert into existing or create new structure
-        if has_nested_namespace?(routes_content, @api_namespace, @api_version)
-          resource_line = "    resources :#{route_name}"
-          insert_into_nested_namespace(routes_content, @api_namespace, @api_version, resource_line)
-        else
-          # Create new nested namespace structure
-          # Rails route method adds 2 spaces to each line, so we need to adjust for that
-          route_content = "namespace :#{@api_namespace} do\n  namespace :#{@api_version} do\n    resources :#{route_name}\n  end\nend"
-          route route_content
+      # Look for the nested namespace pattern and insert after it (flexible whitespace matching)
+      nested_pattern = /namespace\s+:#{@api_namespace}\s+do\s*\n\s*namespace\s+:#{@api_version}\s+do\s*\n/
+      
+      if routes_content.match?(nested_pattern)
+        # Use gsub_file to replace the namespace opening with namespace + our resource
+        gsub_file "config/routes.rb", nested_pattern do |match|
+          match + "      resources :#{route_name}\n"
         end
-      elsif @api_namespace.present?
-        # Only namespace: insert into existing or create new
-        if has_single_namespace?(routes_content, @api_namespace)
-          resource_line = "  resources :#{route_name}"
-          insert_into_single_namespace(routes_content, @api_namespace, resource_line)
-        else
-          # Create new namespace
-          # Rails route method adds 2 spaces to each line, so we need to adjust for that
-          route_content = "namespace :#{@api_namespace} do\n  resources :#{route_name}\nend"
-          route route_content
+      else
+        # Create new namespace block using Rails' route method
+        route "namespace :#{@api_namespace} do\n  namespace :#{@api_version} do\n    resources :#{route_name}\n  end\nend"
+      end
+    end
+
+    def insert_single_namespace_route
+      routes_file = File.join(destination_root, "config/routes.rb")
+      routes_content = File.read(routes_file)
+      
+      # Look for the single namespace pattern and insert after it
+      single_pattern = /namespace\s+:#{@api_namespace}\s+do\s*\n/
+      
+      if routes_content.match?(single_pattern)
+        # Use gsub_file to replace the namespace opening with namespace + our resource
+        gsub_file "config/routes.rb", single_pattern do |match|
+          match + "    resources :#{route_name}\n"
         end
       else
-        # No namespace: simple resources
-        route "resources :#{route_name}"
+        # Create new namespace block using Rails' route method
+        route "namespace :#{@api_namespace} do\n  resources :#{route_name}\nend"
       end
     end
 
@@ -1336,58 +1352,13 @@ module PropelApi
       end
     end
 
-    def has_nested_namespace?(content, namespace, version)
-      content.match?(/namespace\s+:#{namespace}\s+do.*?namespace\s+:#{version}\s+do/m)
-    end
-    
-    def has_single_namespace?(content, namespace)
-      content.match?(/namespace\s+:#{namespace}\s+do/)
-    end
-    
-    def insert_into_nested_namespace(content, namespace, version, resource_line)
-      # Check if resource already exists
-      existing_pattern = /namespace\s+:#{namespace}\s+do.*?namespace\s+:#{version}\s+do.*?resources\s+:#{route_name}/m
-      
-      if content.match?(existing_pattern)
-        say "Route for #{route_name} already exists in #{namespace}/#{version} namespace", :yellow
-        return
-      end
-      
-      # Find the position to insert the resource line
-      # Look for the end of the nested namespace's opening line
-      after_pattern = /namespace\s+:#{namespace}\s+do\s*\n\s*namespace\s+:#{version}\s+do\s*\n/
-      
-      if content.match?(after_pattern)
-        # Insert the resource line with proper indentation (4 spaces for nested namespace)
-        insert_into_file "config/routes.rb", "#{resource_line}\n", :after => after_pattern
-      else
-        # This shouldn't happen if has_nested_namespace? returned true, but handle it
-        route_content = "namespace :#{namespace} do\n  namespace :#{version} do\n#{resource_line}\n  end\nend"
-        route route_content
-      end
-    end
-
-    def insert_into_single_namespace(content, namespace, resource_line)
-      # Check if resource already exists
-      existing_pattern = /namespace\s+:#{namespace}\s+do.*?resources\s+:#{route_name}/m
-      
-      if content.match?(existing_pattern)
-        say "Route for #{route_name} already exists in #{namespace} namespace", :yellow
-        return
-      end
-      
-      # Find the position to insert the resource line
-      # Look for the end of the namespace's opening line
-      after_pattern = /namespace\s+:#{namespace}\s+do\s*\n/
+    def route_already_exists?
+      routes_file = File.join(destination_root, "config/routes.rb")
+      return false unless File.exist?(routes_file)
       
-      if content.match?(after_pattern)
-        # Insert the resource line with proper indentation (resource_line already has correct 2 spaces)
-        insert_into_file "config/routes.rb", "#{resource_line}\n", :after => after_pattern
-      else
-        # This shouldn't happen if has_single_namespace? returned true, but handle it
-        route_content = "namespace :#{namespace} do\n    resources :#{route_name}\n  end"
-        route route_content
-      end
+      routes_content = File.read(routes_file)
+      # Check for actual route declarations (not comments) - must be at start of line or after whitespace  
+      routes_content.match?(/^\s*resources\s+:#{Regexp.escape(route_name)}(\s|$)/)
     end
 
     def cleanup_empty_namespaces(content)

data/lib/generators/propel_api/install/install_generator.rb

@@ -37,6 +37,9 @@ module PropelApi
         
         # Optionally enhance CSRF error messages (non-breaking)
         add_csrf_error_handling
+        
+        # Add dynamic filtering capabilities to ApplicationRecord
+        add_model_filters_concern
       end
       
       case @adapter
@@ -113,6 +116,28 @@ module PropelApi
 
     private
 
+    def copy_propel_facets_concerns
+      if behavior == :revoke
+        # Remove concerns
+        remove_file "app/controllers/concerns/propel_controller_filters_concern.rb"
+        remove_file "app/models/concerns/propel_model_filters_concern.rb" 
+        remove_file "lib/propel_filter_operators.rb"
+        remove_file "lib/propel_dynamic_scope_generator.rb"
+        say "🗑️  Removed PropelApi filtering concerns", :red
+      else
+        # Copy concerns to host app using XX-prefixed source files
+        copy_file "concerns/propel_controller_filters_concern.rb", "app/controllers/concerns/propel_controller_filters_concern.rb"
+        copy_file "concerns/propel_model_filters_concern.rb", "app/models/concerns/propel_model_filters_concern.rb"
+        copy_file "lib/propel_filter_operators.rb", "lib/propel_filter_operators.rb"
+        copy_file "lib/propel_dynamic_scope_generator.rb", "lib/propel_dynamic_scope_generator.rb"
+        say "📦 Copied PropelApi filtering concerns to app", :green
+        say "   - Controller filtering: app/controllers/concerns/propel_controller_filters_concern.rb", :blue
+        say "   - Model filtering: app/models/concerns/propel_model_filters_concern.rb", :blue  
+        say "   - Filter operators: lib/propel_filter_operators.rb", :blue
+        say "   - Dynamic scope generator: lib/propel_dynamic_scope_generator.rb", :blue
+      end
+    end
+
     def create_api_base_controller
       template "controllers/api_base_controller.rb", "app/controllers/api/base_controller.rb"
       say "Created Api::BaseController for CSRF-free API endpoints", :green
@@ -144,6 +169,18 @@ module PropelApi
       say "You can manually add the rescue_from handler if desired", :blue
     end
 
+    def add_model_filters_concern
+      # Inject PropelModelFiltersConcern into ApplicationRecord
+      inject_into_class "app/models/application_record.rb", ApplicationRecord, <<-RUBY
+  include PropelModelFiltersConcern
+      RUBY
+      
+      say "Enhanced ApplicationRecord with dynamic filtering capabilities", :green
+    rescue => e
+      say "Could not inject PropelModelFiltersConcern into ApplicationRecord: #{e.message}", :yellow
+      say "You can manually add 'include PropelModelFiltersConcern' to ApplicationRecord if desired", :blue
+    end
+
     def copy_propel_facets_controller
       template "controllers/api_controller_propel_facets.rb", api_controller_path
       copy_example_controller
@@ -256,8 +293,12 @@ module PropelApi
       say "   end", :yellow
       say "\n5. See doc/api_controller_example.rb for complete usage examples"
       say "6. Your API endpoints will be available at: #{api_route_prefix}/..."
-      say "7. Pagination and filtering are built-in via Pagy and HasScope"
-      say "\n8. Generate resources using:"
+      say "7. Pagination and secure filtering are built-in via Pagy and PropelApi filtering"
+      say "8. Filtering examples:"
+      say "   GET /api/v1/users?name_contains=john&active_eq=true&sort=-created_at", :yellow
+      say "   - Secure field validation prevents SQL injection"
+      say "   - Sensitive fields (passwords, tokens) automatically excluded", :cyan
+      say "\n9. Generate resources using:"
       say "   rails generate propel_api Resource field1:type field2:type", :yellow
     end
 

data/lib/generators/propel_api/templates/concerns/propel_controller_filters_concern.rb

@@ -0,0 +1,141 @@
+# frozen_string_literal: true
+
+# DynamicControllerFiltersConcern
+#
+# Provides dynamic filtering capabilities for API controllers using has_scope.
+# This concern automatically generates and registers scopes based on the model's
+# database columns and their types.
+#
+# Features:
+# - Automatic scope generation based on column types
+# - Security validation of filter parameters
+# - Error handling for malformed filters
+# - Support for all standard filter operators
+#
+# Usage:
+#   class Api::V1::TeamsController < Api::V1::ApiController
+#     include PropelControllerFiltersConcern
+#   end
+#
+module PropelControllerFiltersConcern
+  extend ActiveSupport::Concern
+
+  included do
+    include HasScope
+    
+    # Track which scopes have been registered to avoid duplicates
+    class_attribute :_registered_scopes, default: Set.new
+    
+    # Register dynamic scopes when the controller is first used
+    before_action :ensure_dynamic_scopes_registered, prepend: true
+  end
+
+  private
+
+  def ensure_dynamic_scopes_registered
+    return if self.class._registered_scopes.include?(resource_class.name)
+    
+    model_class = resource_class
+    return unless model_class&.respond_to?(:columns)
+    
+    # Ensure scopes are generated for the model (lazy loading)
+    model_class.ensure_scopes_generated!
+    
+    # Generate scopes for the model
+    generator = PropelDynamicScopeGenerator.new(model_class)
+    generator.generate_scopes!
+    
+    # Register has_scope calls for this controller
+    generator.register_controller_scopes(self.class)
+    
+    # Mark as registered to avoid duplicate work
+    self.class._registered_scopes << model_class.name
+  rescue StandardError => e
+    Rails.logger.error "Error registering dynamic scopes: #{e.message}"
+    Rails.logger.error e.backtrace.join("\n")
+  end
+
+  # Override apply_scopes to add security validation and error handling
+  def apply_scopes(base_scope)
+    # Filter out any potentially dangerous or unsupported parameters
+    safe_params = filter_safe_parameters(params)
+    
+    # Apply scopes with error handling
+    result = super(base_scope, safe_params)
+    result || base_scope
+  rescue StandardError => e
+    Rails.logger.warn "Error in apply_scopes: #{e.message}"
+    base_scope
+  end
+
+  # Security: Filter out dangerous or unsupported parameters
+  def filter_safe_parameters(params)
+    return {} unless params.is_a?(ActionController::Parameters)
+    
+    # Get allowed filter parameters based on model columns
+    allowed_filters = allowed_filter_parameters
+    
+    # Filter to only include known, safe parameters
+    safe_params = params.slice(*allowed_filters)
+    
+    # Log any filtered out parameters for security monitoring
+    filtered_params = params.except(*allowed_filters).except(:controller, :action, :format)
+    if filtered_params.present?
+      Rails.logger.warn "Filtered out potentially unsafe parameters: #{filtered_params.keys.join(', ')}"
+    end
+    
+    safe_params
+  end
+
+  # Get list of allowed filter parameters based on model columns
+  def allowed_filter_parameters
+    return [] unless resource_class&.respond_to?(:columns)
+    
+    allowed = []
+    
+    resource_class.columns.each do |column|
+      name = column.name
+      type = column.type
+      sql_type = column.sql_type_metadata.sql_type
+      
+      # Skip sensitive fields
+      next if sensitive_field?(name)
+      
+      # Get operators for this column type
+      operators = PropelFilterOperators.operators_for(type, sql_type)
+      
+      # Add parameter names for each operator
+      operators.each do |operator|
+        allowed << "#{name}_#{operator}".to_sym
+      end
+    end
+    
+    # Add special parameters
+    allowed += [:order_by, :page, :limit, :per_page]
+    
+    allowed
+  end
+
+  # Check if a field name is considered sensitive and should not be filterable
+  def sensitive_field?(field_name)
+    sensitive_fields = %w[
+      password password_hash password_digest
+      token secret_key api_key
+      encrypted_data encrypted_password
+      salt pepper
+      private_key public_key
+      ssn social_security_number
+      credit_card_number
+      bank_account_number
+    ]
+    
+    sensitive_fields.any? { |sensitive| field_name.downcase.include?(sensitive) }
+  end
+
+  # Override to provide better error messages for invalid filters
+  def handle_invalid_filter(filter_name, error)
+    Rails.logger.warn "Invalid filter '#{filter_name}': #{error.message}"
+    # Don't raise the error, just log it and continue
+    # This prevents one bad filter from breaking the entire request
+  end
+end

data/lib/generators/propel_api/templates/concerns/propel_model_filters_concern.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+# DynamicModelFiltersConcern
+#
+# Provides dynamic filtering capabilities for ActiveRecord models.
+# This concern automatically generates scopes based on the model's
+# database columns and their types.
+#
+# Features:
+# - Automatic scope generation based on column types
+# - Support for all standard filter operators
+# - Type-aware filtering (boolean, string, numeric, datetime)
+# - Security validation of filter parameters
+#
+# Usage:
+#   class Team < ApplicationRecord
+#     include PropelModelFiltersConcern
+#   end
+#
+module PropelModelFiltersConcern
+  extend ActiveSupport::Concern
+
+  included do
+    # Track which scopes have been generated to avoid duplicates
+    class_attribute :_generated_scopes, default: Set.new
+    
+    # Generate scopes lazily when first needed
+    # This prevents issues with abstract classes like ApplicationRecord
+  end
+
+  class_methods do
+    # Generate all dynamic scopes for this model
+    def generate_dynamic_scopes!
+      return if _generated_scopes.include?(name)
+      
+      # Skip abstract classes (like ApplicationRecord)
+      return if abstract_class?
+      
+      # Skip if the model doesn't have a table (e.g., abstract classes)
+      return unless table_exists?
+      
+      generator = PropelDynamicScopeGenerator.new(self)
+      generator.generate_scopes!
+      
+      # Mark as generated to avoid duplicate work
+      _generated_scopes << name
+    rescue StandardError => e
+      Rails.logger.error "Error generating dynamic scopes for #{name}: #{e.message}"
+      Rails.logger.error e.backtrace.join("\n")
+    end
+
+    # Ensure scopes are generated (lazy loading)
+    def ensure_scopes_generated!
+      generate_dynamic_scopes! unless _generated_scopes.include?(name)
+    end
+
+    # Get all available filter parameters for this model
+    def available_filter_parameters
+      return [] unless respond_to?(:columns)
+      
+      allowed = []
+      
+      columns.each do |column|
+        name = column.name
+        type = column.type
+        sql_type = column.sql_type_metadata.sql_type
+        
+        # Skip sensitive fields
+        next if sensitive_field?(name)
+        
+        # Get operators for this column type
+        operators = PropelFilterOperators.operators_for(type, sql_type)
+        
+        # Add parameter names for each operator
+        operators.each do |operator|
+          allowed << "#{name}_#{operator}".to_sym
+        end
+      end
+      
+      allowed
+    end
+
+    # Check if a field name is considered sensitive
+    def sensitive_field?(field_name)
+      sensitive_fields = %w[
+        password password_hash password_digest
+        token secret_key api_key
+        encrypted_data encrypted_password
+        salt pepper
+        private_key public_key
+        ssn social_security_number
+        credit_card_number
+        bank_account_number
+      ]
+      
+      sensitive_fields.any? { |sensitive| field_name.downcase.include?(sensitive) }
+    end
+
+    # Get filterable columns for this model
+    def filterable_columns
+      return [] unless respond_to?(:columns)
+      
+      columns.reject { |column| sensitive_field?(column.name) }
+    end
+
+    # Get operators available for a specific column
+    def operators_for_column(column_name)
+      column = columns.find { |c| c.name == column_name }
+      return [] unless column
+      
+      PropelFilterOperators.operators_for(column.type, column.sql_type_metadata.sql_type)
+    end
+
+    # Validate filter parameters
+    def validate_filter_parameters(params)
+      return {} unless params.is_a?(ActionController::Parameters)
+      
+      allowed_filters = available_filter_parameters
+      params.slice(*allowed_filters)
+    end
+  end
+
+  private
+
+  def ensure_dynamic_scopes_generated
+    self.class.generate_dynamic_scopes!
+  end
+end

data/lib/generators/propel_api/templates/controllers/api_controller_propel_facets.rb

@@ -4,6 +4,7 @@ class <%= api_controller_class_name %> < Api::BaseController
   include FacetRenderer
   include StrongParamsHelper
   include PropelAuthenticationConcern
+  include PropelControllerFiltersConcern
 
   before_action :authenticate_user
   before_action :set_resource, only: [:show, :update, :destroy]