rhino-rails 0.9.0

data/lib/rhino/concerns/hidable_columns.rb

@@ -0,0 +1,180 @@
+# frozen_string_literal: true
+
+module Rhino
+  # Column-level visibility control concern.
+  # Mirrors the Laravel HidableColumns trait.
+  #
+  # Base hidden columns: password, remember_token, created_at, updated_at,
+  #   deleted_at, discarded_at, email_verified_at
+  #
+  # Usage:
+  #   class User < ApplicationRecord
+  #     include Rhino::HidableColumns
+  #
+  #     rhino_additional_hidden :secret_field, :internal_notes
+  #   end
+  #
+  # Adding computed attributes to JSON responses:
+  #   class Comment < Rhino::RhinoModel
+  #     def author_name
+  #       user&.name || 'Anonymous'
+  #     end
+  #
+  #     def rhino_computed_attributes
+  #       {
+  #         'author_name' => author_name
+  #       }
+  #     end
+  #   end
+  #
+  # Policy-based hiding:
+  #   class UserPolicy < Rhino::ResourcePolicy
+  #     def hidden_attributes_for_show(user)
+  #       has_role?(user, 'admin') ? [] : ['email', 'phone']
+  #     end
+  #
+  #     def permitted_attributes_for_show(user)
+  #       has_role?(user, 'admin') ? ['*'] : ['id', 'name', 'avatar']
+  #     end
+  #   end
+  module HidableColumns
+    extend ActiveSupport::Concern
+
+    BASE_HIDDEN_COLUMNS = %w[
+      password
+      password_digest
+      remember_token
+      created_at
+      updated_at
+      deleted_at
+      discarded_at
+      email_verified_at
+    ].freeze
+
+    included do
+      class_attribute :additional_hidden_columns, default: []
+    end
+
+    class_methods do
+      def rhino_additional_hidden(*columns)
+        self.additional_hidden_columns = columns.map(&:to_s)
+      end
+    end
+
+    # Get the list of columns to hide for the current user.
+    # Merges base + static + policy-defined hidden columns.
+    # Resolves the user from RequestStore automatically.
+    #
+    # @return [Array<String>] Column names to hide
+    def hidden_columns_for(user = nil)
+      user ||= rhino_current_user
+      columns = BASE_HIDDEN_COLUMNS.dup
+      columns.concat(additional_hidden_columns)
+      columns.concat(policy_hidden_columns(user))
+      columns.uniq
+    end
+
+    # Serialize to JSON excluding hidden columns and respecting policy whitelist.
+    #
+    # The current user is resolved automatically from RequestStore. Policy
+    # filtering (blacklist + whitelist) is applied AFTER computed attributes
+    # are merged, so computed attributes are always subject to policy control.
+    #
+    # Do NOT override this method. Override +rhino_computed_attributes+ instead
+    # to add computed/virtual attributes to the JSON response.
+    #
+    # @return [Hash]
+    def as_rhino_json
+      user = rhino_current_user
+      hidden = hidden_columns_for(user)
+      result = as_json(except: hidden)
+
+      # Merge computed attributes from model BEFORE applying policy filtering
+      computed = rhino_computed_attributes
+      result.merge!(computed) if computed.is_a?(Hash) && computed.any?
+
+      # Apply blacklist to the final hash (covers DB columns from as_json
+      # overrides AND computed attributes from rhino_computed_attributes)
+      hidden_set = Set.new(hidden)
+      result.reject! { |key, _| hidden_set.include?(key) }
+
+      # Apply whitelist to the final hash (covers computed attributes too)
+      permitted = policy_permitted_attributes(user)
+      if permitted && permitted != ['*']
+        permitted_set = Set.new(permitted.map(&:to_s))
+        permitted_set.add('id') # id is always allowed
+        result.select! { |key, _| permitted_set.include?(key) }
+      end
+
+      result
+    end
+
+    # Override this method in your model to add computed/virtual attributes
+    # to the JSON response. These attributes are subject to policy-level
+    # blacklist (+hidden_attributes_for_show+) and whitelist
+    # (+permitted_attributes_for_show+) just like database columns.
+    #
+    # @example
+    #   def rhino_computed_attributes
+    #     {
+    #       'full_name' => "#{first_name} #{last_name}",
+    #       'is_overdue' => due_date&.past?,
+    #       'days_until_expiry' => expiry_date ? (expiry_date - Date.current).to_i : nil
+    #     }
+    #   end
+    #
+    # @return [Hash] key-value pairs to merge into the JSON response
+    def rhino_computed_attributes
+      {}
+    end
+
+    private
+
+    # Resolves the current user from RequestStore.
+    # @return [Object, nil]
+    def rhino_current_user
+      RequestStore.store[:rhino_current_user] if defined?(RequestStore)
+    end
+
+    # Returns the permitted attributes list from the policy, or nil if no policy.
+    def policy_permitted_attributes(user)
+      policy_class = Pundit::PolicyFinder.new(self).policy
+      return nil unless policy_class
+
+      policy = policy_class.new(user, self)
+      if policy.respond_to?(:permitted_attributes_for_show)
+        policy.permitted_attributes_for_show(user)
+      end
+    rescue StandardError
+      nil
+    end
+
+    def policy_hidden_columns(user)
+      policy_class = Pundit::PolicyFinder.new(self).policy
+      return [] unless policy_class
+
+      policy = policy_class.new(user, self)
+      hidden = []
+
+      # Blacklist: hidden_attributes_for_show
+      if policy.respond_to?(:hidden_attributes_for_show)
+        hidden.concat(policy.hidden_attributes_for_show(user))
+      end
+
+      # Whitelist: permitted_attributes_for_show
+      # Hide DB columns not in permitted list (computed attributes handled in as_rhino_json)
+      if policy.respond_to?(:permitted_attributes_for_show)
+        permitted = policy.permitted_attributes_for_show(user)
+        if permitted != ['*']
+          all_columns = self.class.column_names
+          not_permitted = all_columns - permitted.map(&:to_s)
+          hidden.concat(not_permitted)
+        end
+      end
+
+      hidden
+    rescue StandardError
+      []
+    end
+  end
+end

data/lib/rhino/configuration.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+module Rhino
+  class Configuration
+    attr_accessor :models, :route_groups, :multi_tenant, :invitations, :nested, :test_framework,
+                  :client_path, :mobile_path
+
+    def initialize
+      @models = {}
+      @route_groups = {}
+      @multi_tenant = {
+        organization_identifier_column: "id"
+      }
+      @invitations = {
+        expires_days: 7,
+        allowed_roles: nil
+      }
+      @nested = {
+        path: "nested",
+        max_operations: 50,
+        allowed_models: nil
+      }
+      @test_framework = "rspec"
+      @client_path = nil
+      @mobile_path = nil
+    end
+
+    # Register a model with its slug
+    # Usage: config.model :posts, 'Post'
+    def model(slug, klass_name)
+      @models[slug.to_sym] = klass_name.to_s
+    end
+
+    # Register a route group with its configuration
+    # Usage: config.route_group :tenant, prefix: ':organization', middleware: [Rhino::Middleware::ResolveOrganizationFromRoute], models: :all
+    def route_group(name, prefix: "", middleware: [], models: :all)
+      @route_groups[name.to_sym] = {
+        prefix: prefix.to_s,
+        middleware: Array(middleware),
+        models: models
+      }
+    end
+
+    # Resolve a model class from its slug
+    def resolve_model(slug)
+      klass_name = @models[slug.to_sym]
+      raise ActiveRecord::RecordNotFound, "The #{slug} model does not exist" unless klass_name
+
+      klass = klass_name.constantize
+      raise ActiveRecord::RecordNotFound, "The #{slug} model does not exist" unless klass
+
+      klass
+    rescue NameError
+      raise ActiveRecord::RecordNotFound, "The #{slug} model does not exist"
+    end
+
+    # Find the slug for a given model class
+    def slug_for(model_class)
+      class_name = model_class.is_a?(Class) ? model_class.name : model_class.class.name
+      @models.each do |slug, klass_name|
+        return slug if klass_name == class_name
+      end
+      nil
+    end
+
+    # Whether a 'tenant' route group is configured
+    def has_tenant_group?
+      @route_groups.key?(:tenant)
+    end
+
+    # Whether a 'public' route group is configured
+    def has_public_group?
+      @route_groups.key?(:public)
+    end
+
+    # Resolve the model slugs for a given route group
+    def models_for_group(group_name)
+      group = @route_groups[group_name.to_sym]
+      return [] unless group
+
+      group_models = group[:models]
+      if group_models == :all || group_models == "*"
+        @models.keys
+      else
+        Array(group_models).map(&:to_sym) & @models.keys
+      end
+    end
+
+    # Check if a model belongs to the 'public' route group
+    def public_model?(slug)
+      return false unless has_public_group?
+
+      models_for_group(:public).include?(slug.to_sym)
+    end
+
+    # Check if a specific slug belongs to a specific group
+    def model_in_group?(slug, group_name)
+      models_for_group(group_name).include?(slug.to_sym)
+    end
+  end
+end

data/lib/rhino/controllers/auth_controller.rb

@@ -0,0 +1,242 @@
+# frozen_string_literal: true
+
+module Rhino
+  # Authentication controller — mirrors Laravel AuthController exactly.
+  #
+  # Endpoints:
+  #   POST /api/auth/login
+  #   POST /api/auth/logout
+  #   POST /api/auth/password/recover
+  #   POST /api/auth/password/reset
+  #   POST /api/auth/register
+  class AuthController < ActionController::API
+    before_action :authenticate_user!, only: [:logout]
+
+    # POST /api/auth/login
+    def login
+      email = params[:email].to_s.strip
+      password = params[:password].to_s
+
+      if email.blank? || password.blank?
+        return render json: { message: "Invalid credentials" }, status: :unauthorized
+      end
+
+      user_class = "User".safe_constantize
+      return render json: { message: "Invalid credentials" }, status: :unauthorized unless user_class
+
+      user = user_class.find_by(email: email)
+
+      unless user&.authenticate(password)
+        return render json: { message: "Invalid credentials" }, status: :unauthorized
+      end
+
+      token = generate_api_token(user)
+
+      # Get the first organization the user belongs to
+      organization_slug = nil
+      if user.respond_to?(:organizations)
+        first_org = user.organizations.first
+        organization_slug = first_org&.slug
+      end
+
+      render json: {
+        token: token,
+        organization_slug: organization_slug
+      }, status: :ok
+    end
+
+    # POST /api/auth/logout
+    def logout
+      user = current_user
+
+      if user.respond_to?(:regenerate_api_token)
+        user.regenerate_api_token
+      elsif user.respond_to?(:update_column) && user.class.column_names.include?("api_token")
+        user.update_column(:api_token, SecureRandom.hex(32))
+      end
+
+      render json: { message: "Logged out successfully" }, status: :ok
+    end
+
+    # POST /api/auth/password/recover
+    def recover_password
+      email = params[:email].to_s.strip
+
+      if email.blank?
+        return render json: { errors: { email: ["The email field is required."] } }, status: :unprocessable_entity
+      end
+
+      user_class = "User".safe_constantize
+      user = user_class&.find_by(email: email)
+
+      if user
+        token = SecureRandom.hex(32)
+
+        # Store reset token
+        if user.respond_to?(:update_columns)
+          user.update_columns(
+            reset_password_token: token,
+            reset_password_sent_at: Time.current
+          )
+        end
+
+        # Send email via mailer if available
+        mailer_class = "Rhino::PasswordRecoveryMailer".safe_constantize
+        mailer_class&.recover(user, token)&.deliver_later
+      end
+
+      # Always return success to prevent email enumeration
+      render json: { message: "Password recovery email sent." }, status: :ok
+    end
+
+    # POST /api/auth/password/reset
+    def reset
+      errors = {}
+      errors[:token] = ["The token field is required."] if params[:token].blank?
+      errors[:email] = ["The email field is required."] if params[:email].blank?
+      errors[:password] = ["The password field is required."] if params[:password].blank?
+
+      if params[:password].present? && params[:password].length < 8
+        errors[:password] = ["The password must be at least 8 characters."]
+      end
+
+      if params[:password].present? && params[:password] != params[:password_confirmation]
+        errors[:password_confirmation] = ["The password confirmation does not match."]
+      end
+
+      unless errors.empty?
+        return render json: { errors: errors }, status: :unprocessable_entity
+      end
+
+      user_class = "User".safe_constantize
+      user = user_class&.find_by(email: params[:email])
+
+      unless user
+        return render json: { message: "Token is invalid or expired." }, status: :bad_request
+      end
+
+      # Verify token
+      valid_token = user.respond_to?(:reset_password_token) &&
+                    user.reset_password_token == params[:token] &&
+                    user.respond_to?(:reset_password_sent_at) &&
+                    user.reset_password_sent_at.present? &&
+                    user.reset_password_sent_at > 1.hour.ago
+
+      unless valid_token
+        return render json: { message: "Token is invalid or expired." }, status: :bad_request
+      end
+
+      # Update password
+      user.password = params[:password]
+      user.reset_password_token = nil
+      user.reset_password_sent_at = nil
+      user.save!
+
+      render json: { message: "Password has been reset." }, status: :ok
+    end
+
+    # POST /api/auth/register
+    def register_with_invitation
+      errors = {}
+      errors[:token] = ["The token field is required."] if params[:token].blank?
+      errors[:name] = ["The name field is required."] if params[:name].blank?
+      errors[:email] = ["The email field is required."] if params[:email].blank?
+      errors[:password] = ["The password field is required."] if params[:password].blank?
+
+      if params[:password].present? && params[:password].length < 8
+        errors[:password] = ["The password must be at least 8 characters."]
+      end
+
+      if params[:password].present? && params[:password] != params[:password_confirmation]
+        errors[:password_confirmation] = ["The password confirmation does not match."]
+      end
+
+      user_class = "User".safe_constantize
+      if user_class && params[:email].present? && user_class.exists?(email: params[:email])
+        errors[:email] = ["The email has already been taken."]
+      end
+
+      unless errors.empty?
+        return render json: { errors: errors }, status: :unprocessable_entity
+      end
+
+      # Find invitation
+      invitation = OrganizationInvitation.find_by(token: params[:token], status: "pending")
+
+      unless invitation
+        return render json: { message: "Invalid or expired invitation token" }, status: :not_found
+      end
+
+      if invitation.expired?
+        invitation.update!(status: "expired")
+        return render json: { message: "This invitation has expired" }, status: :unprocessable_entity
+      end
+
+      # Validate email matches invitation
+      unless invitation.email == params[:email]
+        return render json: { message: "Email does not match the invitation" }, status: :unprocessable_entity
+      end
+
+      # Create user
+      user = user_class.create!(
+        name: params[:name],
+        email: params[:email],
+        password: params[:password]
+      )
+
+      # Accept invitation (adds user to organization)
+      invitation.accept!(user)
+
+      # Generate token
+      token = generate_api_token(user)
+
+      # Get organization slug for redirect
+      organization = invitation.organization
+      organization_slug = organization&.slug
+
+      render json: {
+        message: "Registration successful",
+        token: token,
+        user: user.as_json(except: %w[password_digest api_token reset_password_token]),
+        organization_slug: organization_slug
+      }, status: :created
+    end
+
+    private
+
+    def authenticate_user!
+      unless current_user
+        render json: { message: "Unauthenticated." }, status: :unauthorized
+      end
+    end
+
+    def current_user
+      @current_user ||= begin
+        token = request.headers["Authorization"]&.sub(/\ABearer /, "")
+        return nil unless token
+
+        user_class = "User".safe_constantize
+        return nil unless user_class
+
+        if user_class.respond_to?(:find_by_api_token)
+          user_class.find_by_api_token(token)
+        elsif user_class.column_names.include?("api_token")
+          user_class.find_by(api_token: token)
+        end
+      end
+    end
+
+    def generate_api_token(user)
+      if user.respond_to?(:regenerate_api_token)
+        user.regenerate_api_token
+        user.api_token
+      elsif user.class.column_names.include?("api_token")
+        token = SecureRandom.hex(32)
+        user.update_column(:api_token, token)
+        token
+      else
+        SecureRandom.hex(32)
+      end
+    end
+  end
+end