rhales 0.3.0 → 0.5.3

data/demo/rhales-roda-demo/app.rb

@@ -0,0 +1,325 @@
+# demo/rhales-roda-demo/app.rb
+#
+# frozen_string_literal: true
+
+require 'logger'
+require 'roda'
+require 'sequel'
+require 'securerandom'
+require 'bcrypt'
+require 'rack/session'
+
+# Add the lib directory to the load path
+$:.unshift(File.expand_path('../../lib', __dir__))
+require 'rhales'
+require 'rhales/integrations/tilt'
+require 'mail'
+
+Mail.defaults do
+  delivery_method :smtp, {
+    address: 'localhost',
+    port: 1025,
+    domain: 'localhost.localdomain',
+    enable_starttls_auto: false,
+  }
+end
+
+class RhalesDemo < Roda
+  # Demo accounts for testing - matches migration seed data
+  DEMO_ACCOUNTS = [
+    {
+      email: 'demo@example.com',
+      password: 'demo123',
+      role: 'user',
+    },
+    {
+      email: 'admin@example.com',
+      password: 'admin123',
+      role: 'admin',
+    },
+  ].freeze
+
+  # Database setup - use file-based SQLite for persistence
+  DB = Sequel.sqlite(File.join(__dir__, 'db', 'demo.db'))
+
+  DB.extension :date_arithmetic
+
+  logger = Logger.new($stdout)
+
+  class << self
+    def get_secret
+      secret = DB[:_demo_secrets].get(:value) # `get` automatically gets the first row
+
+      if secret.nil?
+        secret = SecureRandom.hex(64)
+        DB[:_demo_secrets].insert_conflict.insert(
+          name: 'migration-default',
+          value: secret,
+        )
+      end
+
+      secret
+    end
+  end
+
+  # Run migrations if needed
+  Sequel.extension :migration
+  Sequel::Migrator.run(DB, File.join(__dir__, 'db', 'migrate'))
+
+  secret_value = RhalesDemo.get_secret
+  logger.info("[demo] Secret value: #{secret_value}")
+
+  opts[:root] = File.dirname(__FILE__)
+
+  # Configure Rhales with Tilt integration
+  Rhales.configure do |config|
+    config.template_paths  = [File.join(opts[:root], 'templates')]
+    config.cache_templates = false
+  end
+
+  # Use Roda's render plugin with Rhales engine
+  # Note: Layout handling is done by Rhales ViewComposition, not Roda
+  plugin :render,
+    engine: 'rue',
+    views: File.join(opts[:root], 'templates'),
+    layout: true
+
+  plugin :flash
+  plugin :sessions, secret: secret_value, key: 'rhales-demo.session'
+  plugin :route_csrf
+
+  # Simple Rodauth configuration
+  plugin :rodauth do
+    db DB
+
+    # Used for HMAC operations in various Rodauth features like password reset
+    # tokens, email verification, etc. If it changes, existing tokens become
+    # invalid (users lose pending password resets, etc).
+    # e.g. SecureRandom.hex(64)
+    hmac_secret ENV['RODAUTH_HMAC_SECRET'] || secret_value
+
+    enable :change_login, :change_password, :close_account, :create_account,
+      :lockout, :login, :logout, :remember, :reset_password, :verify_account,
+      :otp_modify_email, :otp_lockout_email, :recovery_codes, :sms_codes,
+      :disallow_password_reuse, :password_grace_period, :active_sessions,
+      :verify_login_change, :change_password_notify, :confirm_password,
+      :email_auth, :disallow_common_passwords
+
+    login_redirect '/'
+    logout_redirect '/'
+    create_account_redirect '/'
+
+    # Set custom routes to match our templates
+    create_account_route 'register'
+
+    # Skip status checks for demo simplicity
+    skip_status_checks? true
+
+    # Use email as login - param name should match form field
+    login_param 'login'
+    login_confirm_param 'login'
+
+    # The following hooks are kept to document their availability and naming.
+    # They can be implemented with custom logic as needed.
+    # before_login
+    # before_create_account
+    # after_login_failure
+    # after_create_account
+    # login_error_flash
+    # create_account_error_flash
+    # account_from_login
+    # password_match?
+
+    # AVAILABLE VARIABLES FOR ALL RODAUTH VIEWS:
+    # Global (auto-injected by plugin):
+    #   - rodauth.* : Full Rodauth object (csrf_tag, logged_in?, etc.)
+    #   - flash_notice : Success message from flash[:notice]
+    #   - flash_error : Error message from flash[:error]
+    #   - current_path : Current URL path
+    #   - request_method : HTTP method
+    #   - demo_accounts : Demo credentials array
+    #
+    # View-specific variables available via rodauth object:
+    #   - login.rue: rodauth.login, rodauth.login_error_flash
+    #   - create_account.rue: rodauth.login_confirm, rodauth.create_account_error_flash
+    #   - verify_account.rue: rodauth.verify_account_key_value
+    #   - change_login.rue: rodauth.login, rodauth.login_confirm
+    #   - change_password.rue: rodauth.new_password_param, rodauth.password_confirm_param
+    #   - reset_password.rue: rodauth.reset_password_key_value
+    #   - close_account.rue: (requires current password confirmation)
+    #   - logout.rue: (minimal data, typically POST-only)
+    #
+    # Additional enabled features (templates auto-created if needed):
+    #   - lockout.rue: rodauth.lockout_error_flash (account lockout after failed attempts)
+    #   - remember.rue: rodauth.remember_param (remember login checkbox)
+    #   - verify_login_change.rue: rodauth.verify_login_change_key_value (email change verification)
+    #   - change_password_notify.rue: (notification after password change)
+    #   - confirm_password.rue: rodauth.password_param (password confirmation for sensitive operations)
+    #   - email_auth.rue: rodauth.email_auth_key_value (passwordless email authentication)
+    #   - recovery_codes.rue: rodauth.recovery_codes (backup 2FA codes)
+    #   - sms_codes.rue: rodauth.sms_phone, rodauth.sms_code (SMS 2FA)
+    #   - otp_modify_email.rue: rodauth.otp_* (TOTP setup/modification)
+    #   - active_sessions.rue: rodauth.active_sessions (manage multiple login sessions)
+    #
+    # Templates automatically discovered in templates/ directory:
+    #   login.rue, create_account.rue, logout.rue, verify_account.rue,
+    #   change_login.rue, change_password.rue, reset_password.rue, close_account.rue
+  end
+
+  # Simple auth helper - uses Rodauth's session management
+  def current_user
+    return nil unless rodauth.logged_in?
+
+    @current_user ||= DB[:accounts].where(id: rodauth.session_value).first
+  end
+
+  def roda_secret
+    @roda_secret ||= RhalesDemo.get_secret
+  end
+
+  def logged_in?
+    rodauth.logged_in?
+  end
+
+  # Set CSP header using upstream Rhales functionality
+  def set_csp_header
+    # Get CSP header from request env (set by Rhales view rendering)
+    csp_header                                  = request.env['csp_header']
+    response.headers['Content-Security-Policy'] = csp_header if csp_header
+  end
+
+  route do |r|
+    r.rodauth
+
+    # Home route - shows different content based on auth state
+    r.root do
+      result = if logged_in?
+        locals = {
+          'welcome_message' => "Welcome back, #{current_user[:email]}!",
+          'login_time' => Time.now.strftime('%Y-%m-%d %H:%M:%S'),
+          # Dashboard specific props
+          'features' => [
+            {
+              'title' => 'Authenticated Access',
+              'description' => 'Only visible when logged in',
+              'icon' => '🔐',
+            },
+            {
+              'title' => 'Session Management',
+              'description' => 'Powered by Rodauth',
+              'icon' => '👤',
+            },
+            {
+              'title' => 'API Integration',
+              'description' => 'Fetch data with hydrated endpoints',
+              'icon' => '⚡',
+            },
+          ],
+          'api_endpoints' => {
+            'user' => '/api/user',
+            'demo_data' => '/api/demo-data',
+          },
+        }
+        view('dashboard',
+          locals: template_locals(locals),
+          layout: false,
+        )
+      else
+        # Home page props
+        locals = {
+          'page_type' => 'home',
+          'features' => [
+            {
+              'title' => 'Single File Components',
+              'description' => 'Combine templates, data, and logic in one file',
+              'icon' => '📦',
+            },
+            {
+              'title' => 'Type-Safe Hydration',
+              'description' => 'Zod schemas ensure contract safety',
+              'icon' => '🛡️',
+            },
+            {
+              'title' => 'Security First',
+              'description' => 'CSP nonces and HTML escaping by default',
+              'icon' => '🔒',
+            },
+            {
+              'title' => 'Framework Agnostic',
+              'description' => 'Works with Roda, Sinatra, Rails, and more',
+              'icon' => '🔧',
+            },
+          ],
+        }
+        view('home', locals: template_locals(locals), layout: false)
+      end
+
+      # Set CSP header after view rendering
+      set_csp_header
+      result
+    end
+
+    # Simple API endpoint for RSFC hydration demo
+    r.get 'api/user' do
+      response['Content-Type'] = 'application/json'
+
+      if logged_in?
+        {
+          authenticated: true,
+          user: current_user,
+          server_time: Time.now.iso8601,
+        }.to_json
+      else
+        { authenticated: false }.to_json
+      end
+    end
+
+    # Demo data endpoint
+    r.get 'api/demo-data' do
+      response['Content-Type'] = 'application/json'
+      {
+        message: 'This data was loaded dynamically via JavaScript!',
+        timestamp: Time.now.to_i,
+        random_number: rand(1000),
+      }.to_json
+    end
+  end
+
+  # Helper method to provide common template data
+  # Returns hash with :client_data and :server_data keys for Rhales v2.0+
+  def template_locals(additional_locals = {})
+    # Separate client (serialized to browser) from server (template-only) data
+    client_defaults = {
+      # Authentication state
+      'authenticated' => respond_to?(:logged_in?) ? logged_in? : false,
+
+      # Demo accounts for login page
+      'demo_accounts' => DEMO_ACCOUNTS,
+    }
+
+    server_defaults = {
+      # Layout props (required by layouts/main.rue)
+      'app_name' => 'Rhales Demo',
+      'year' => Time.now.year,
+
+      # Flash messages (already handled by Tilt, but keeping for consistency)
+      'flash_notice' => respond_to?(:flash) ? flash['notice'] : nil,
+      'flash_error' => respond_to?(:flash) ? flash['error'] : nil,
+    }
+
+    # Merge additional locals
+    client_data = client_defaults.merge(additional_locals.fetch('client_data', {}))
+    server_data = server_defaults.merge(additional_locals.fetch('server_data', {}))
+
+    # Also merge any top-level keys into client for backward compatibility
+    additional_locals.each do |key, value|
+      next if key == 'client_data' || key == 'server_data'
+      client_data[key] = value
+    end
+
+    {
+      client_data: client_data,
+      server_data: server_data,
+    }
+  end
+end

data/demo/rhales-roda-demo/bin/rackup

@@ -0,0 +1,26 @@
+#!/usr/bin/env ruby
+
+#
+# This file was generated by Bundler.
+#
+# The application 'rackup' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../Gemfile", __dir__)
+
+bundle_binstub = File.expand_path("bundle", __dir__)
+
+if File.file?(bundle_binstub)
+  if File.read(bundle_binstub, 300).include?("This file was generated by Bundler")
+    load(bundle_binstub)
+  else
+    abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
+Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
+  end
+end
+
+require "rubygems"
+require "bundler/setup"
+
+load Gem.bin_path("rackup", "rackup")

data/demo/rhales-roda-demo/config.ru

@@ -0,0 +1,13 @@
+require_relative 'app'
+
+# Add the lib directory to the load path for middleware
+$:.unshift(File.expand_path('../../lib', __dir__))
+require 'rhales/middleware/json_responder'
+
+# Enable JSON responses for API clients
+# When Accept: application/json header is present, return hydration data as JSON
+use Rhales::Middleware::JsonResponder,
+  enabled: true,
+  include_metadata: ENV['RACK_ENV'] == 'development'
+
+run RhalesDemo.freeze.app

data/demo/rhales-roda-demo/db/migrate/001_create_rodauth_tables.rb

@@ -0,0 +1,266 @@
+# demo/rhales-roda-demo/db/migrate/001_create_rodauth_tables.rb
+#
+# frozen_string_literal: true
+
+Sequel.migration do
+  up do
+    primary_key_type = ENV['RODAUTH_SPEC_UUID'] && database_type == :postgres ? :uuid : :bigint
+
+    extension :date_arithmetic
+
+    # Used by the account verification and close account features
+    create_table(:account_statuses) do
+      Integer :id, primary_key: true
+      String :name, null: false, unique: true
+    end
+    from(:account_statuses).import([:id, :name], [[1, 'Unverified'], [2, 'Verified'], [3, 'Closed']])
+
+    db = self
+    create_table(:accounts) do
+      if primary_key_type == :uuid
+        uuid :id, primary_key: true, default: Sequel.function(:gen_random_uuid)
+      else
+        primary_key :id, type: :Bignum
+      end
+      foreign_key :status_id, :account_statuses, null: false, default: 1
+      if db.database_type == :postgres
+        citext :email, null: false
+        constraint :valid_email, email: /^[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+$/
+      else
+        String :email, null: false
+      end
+      if db.supports_partial_indexes?
+        index :email, unique: true, where: { status_id: [1, 2] }
+      else
+        index :email, unique: true
+      end
+    end
+
+    deadline_opts = proc do |days|
+      if database_type == :mysql
+        { null: false }
+      else
+        { null: false, default: Sequel.date_add(Sequel::CURRENT_TIMESTAMP, days: days) }
+      end
+    end
+
+    # Used by the audit logging feature
+    json_type = case database_type
+    when :postgres
+      :jsonb
+    when :sqlite, :mysql
+      :json
+    else
+      String
+    end
+    create_table(:account_authentication_audit_logs) do
+      if primary_key_type == :uuid
+        uuid :id, primary_key: true, default: Sequel.function(:gen_random_uuid)
+      else
+        primary_key :id, type: :Bignum
+      end
+      foreign_key :account_id, :accounts, null: false, type: primary_key_type
+      DateTime :at, null: false, default: Sequel::CURRENT_TIMESTAMP
+      String :message, null: false
+      column :metadata, json_type
+      index [:account_id, :at], name: :audit_account_at_idx
+      index :at, name: :audit_at_idx
+    end
+
+    # Used by the password reset feature
+    create_table(:account_password_reset_keys) do
+      foreign_key :id, :accounts, primary_key: true, type: primary_key_type
+      String :key, null: false
+      DateTime :deadline, deadline_opts[1]
+      DateTime :email_last_sent, null: false, default: Sequel::CURRENT_TIMESTAMP
+    end
+
+    # Used by the jwt refresh feature
+    create_table(:account_jwt_refresh_keys) do
+      if primary_key_type == :uuid
+        uuid :id, primary_key: true, default: Sequel.function(:gen_random_uuid)
+      else
+        primary_key :id, type: :Bignum
+      end
+      foreign_key :account_id, :accounts, null: false, type: primary_key_type
+      String :key, null: false
+      DateTime :deadline, deadline_opts[1]
+      index :account_id, name: :account_jwt_rk_account_id_idx
+    end
+
+    # Used by the account verification feature
+    create_table(:account_verification_keys) do
+      foreign_key :id, :accounts, primary_key: true, type: primary_key_type
+      String :key, null: false
+      DateTime :requested_at, null: false, default: Sequel::CURRENT_TIMESTAMP
+      DateTime :email_last_sent, null: false, default: Sequel::CURRENT_TIMESTAMP
+    end
+
+    # Used by the verify login change feature
+    create_table(:account_login_change_keys) do
+      foreign_key :id, :accounts, primary_key: true, type: primary_key_type
+      String :key, null: false
+      String :login, null: false
+      DateTime :deadline, deadline_opts[1]
+    end
+
+    # Used by the remember me feature
+    create_table(:account_remember_keys) do
+      foreign_key :id, :accounts, primary_key: true, type: primary_key_type
+      String :key, null: false
+      DateTime :deadline, deadline_opts[14]
+    end
+
+    # Used by the lockout feature
+    create_table(:account_login_failures) do
+      foreign_key :id, :accounts, primary_key: true, type: primary_key_type
+      Integer :number, null: false, default: 1
+    end
+    create_table(:account_lockouts) do
+      foreign_key :id, :accounts, primary_key: true, type: primary_key_type
+      String :key, null: false
+      DateTime :deadline, deadline_opts[1]
+      DateTime :email_last_sent
+    end
+
+    # Used by the email auth feature
+    create_table(:account_email_auth_keys) do
+      foreign_key :id, :accounts, primary_key: true, type: primary_key_type
+      String :key, null: false
+      DateTime :deadline, deadline_opts[1]
+      DateTime :email_last_sent, null: false, default: Sequel::CURRENT_TIMESTAMP
+    end
+
+    # Used by the password expiration feature
+    create_table(:account_password_change_times) do
+      foreign_key :id, :accounts, primary_key: true, type: primary_key_type
+      DateTime :changed_at, null: false, default: Sequel::CURRENT_TIMESTAMP
+    end
+
+    # Used by the account expiration feature
+    create_table(:account_activity_times) do
+      foreign_key :id, :accounts, primary_key: true, type: primary_key_type
+      DateTime :last_activity_at, null: false
+      DateTime :last_login_at, null: false
+      DateTime :expired_at
+    end
+
+    # Used by the single session feature
+    create_table(:account_session_keys) do
+      foreign_key :id, :accounts, primary_key: true, type: primary_key_type
+      String :key, null: false
+    end
+
+    # Used by the active sessions feature
+    create_table(:account_active_session_keys) do
+      foreign_key :account_id, :accounts, type: primary_key_type
+      String :session_id
+      Time :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
+      Time :last_use, null: false, default: Sequel::CURRENT_TIMESTAMP
+      primary_key [:account_id, :session_id]
+    end
+
+    # Used by the webauthn feature
+    create_table(:account_webauthn_user_ids) do
+      foreign_key :id, :accounts, primary_key: true, type: primary_key_type
+      String :webauthn_id, null: false
+    end
+    create_table(:account_webauthn_keys) do
+      foreign_key :account_id, :accounts, type: primary_key_type
+      String :webauthn_id
+      String :public_key, null: false
+      Integer :sign_count, null: false
+      Time :last_use, null: false, default: Sequel::CURRENT_TIMESTAMP
+      primary_key [:account_id, :webauthn_id]
+    end
+
+    # Used by the otp feature
+    create_table(:account_otp_keys) do
+      foreign_key :id, :accounts, primary_key: true, type: primary_key_type
+      String :key, null: false
+      Integer :num_failures, null: false, default: 0
+      Time :last_use, null: false, default: Sequel::CURRENT_TIMESTAMP
+    end
+
+    # Used by the otp_unlock feature
+    create_table(:account_otp_unlocks) do
+      foreign_key :id, :accounts, primary_key: true, type: primary_key_type
+      Integer :num_successes, null: false, default: 1
+      Time :next_auth_attempt_after, null: false, default: Sequel::CURRENT_TIMESTAMP
+    end
+
+    # Used by the recovery codes feature
+    create_table(:account_recovery_codes) do
+      foreign_key :id, :accounts, type: primary_key_type
+      String :code
+      primary_key [:id, :code]
+    end
+
+    # Used by the sms codes feature
+    create_table(:account_sms_codes) do
+      foreign_key :id, :accounts, primary_key: true, type: primary_key_type
+      String :phone_number, null: false
+      Integer :num_failures
+      String :code
+      DateTime :code_issued_at, null: false, default: Sequel::CURRENT_TIMESTAMP
+    end
+
+    case database_type
+    when :postgres
+      user = get(Sequel.lit('current_user')) + '_password'
+      run "GRANT REFERENCES ON accounts TO #{user}"
+    when :mysql, :mssql
+      user = if database_type == :mysql
+        get(Sequel.lit('current_user')).sub(/_password@/, '@')
+      else
+        get(Sequel.function(:DB_NAME))
+      end
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_statuses TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON accounts TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_authentication_audit_logs TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_password_reset_keys TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_jwt_refresh_keys TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_verification_keys TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_login_change_keys TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_remember_keys TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_login_failures TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_email_auth_keys TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_lockouts TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_password_change_times TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_activity_times TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_session_keys TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_active_session_keys TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_webauthn_user_ids TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_webauthn_keys TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_otp_keys TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_otp_unlocks TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_recovery_codes TO #{user}"
+      run "GRANT SELECT, INSERT, UPDATE, DELETE ON account_sms_codes TO #{user}"
+    end
+  end
+
+  down do
+    drop_table(:account_sms_codes,
+      :account_recovery_codes,
+      :account_otp_unlocks,
+      :account_otp_keys,
+      :account_webauthn_keys,
+      :account_webauthn_user_ids,
+      :account_active_session_keys,
+      :account_session_keys,
+      :account_activity_times,
+      :account_password_change_times,
+      :account_email_auth_keys,
+      :account_lockouts,
+      :account_login_failures,
+      :account_remember_keys,
+      :account_login_change_keys,
+      :account_verification_keys,
+      :account_jwt_refresh_keys,
+      :account_password_reset_keys,
+      :account_authentication_audit_logs,
+      :accounts,
+      :account_statuses,
+    )
+  end
+end