securial 0.8.1 → 1.0.0

data/lib/securial/config/configuration.rb

@@ -1,67 +1,17 @@
 require "securial/config/validation"
+require "securial/config/signature"
 require "securial/helpers/regex_helper"
 
 module Securial
   module Config
     class Configuration
-      def self.default_config_attributes # rubocop:disable Metrics/MethodLength
-        {
-          # General configuration
-          app_name: "Securial",
-
-          # Logger configuration
-          log_to_file: !Rails.env.test?,
-          log_to_stdout: !Rails.env.test?,
-          log_file_level: :debug,
-          log_stdout_level: :debug,
-
-          # Roles configuration
-          admin_role: :admin,
-
-          session_expiration_duration: 3.minutes,
-          session_secret: "secret",
-          session_algorithm: :hs256,
-          session_refresh_token_expires_in: 1.week,
-
-          # Mailer configuration
-          mailer_sender: "no-reply@example.com",
-          mailer_sign_up_enabled: true,
-          mailer_sign_up_subject: "SECURIAL: Welcome to Our Service",
-          mailer_sign_in_enabled: true,
-          mailer_sign_in_subject: "SECURIAL: Sign In Notification",
-          mailer_update_account_enabled: true,
-          mailer_update_account_subject: "SECURIAL: Account Update Notification",
-          mailer_forgot_password_subject: "SECURIAL: Password Reset Instructions",
-
-          # Password configuration
-          password_min_length: 8,
-          password_max_length: 128,
-          password_complexity: Securial::Helpers::RegexHelper::PASSWORD_REGEX,
-          password_expires: true,
-          password_expires_in: 90.days,
-          reset_password_token_expires_in: 2.hours,
-          reset_password_token_secret: "reset_secret",
-
-          # Response configuration
-          response_keys_format: :snake_case,
-          timestamps_in_response: :all,
-
-          # Security configuration
-          security_headers: :strict,
-          rate_limiting_enabled: true,
-          rate_limit_requests_per_minute: 60,
-          rate_limit_response_status: 429,
-          rate_limit_response_message: "Too many requests, please try again later.",
-        }
-      end
-
       def initialize
-        self.class.default_config_attributes.each do |attr, default_value|
+        Securial::Config::Signature.default_config_attributes.each do |attr, default_value|
           instance_variable_set("@#{attr}", default_value)
         end
       end
 
-      default_config_attributes.each_key do |attr|
+      Securial::Config::Signature.default_config_attributes.each_key do |attr|
         define_method(attr) { instance_variable_get("@#{attr}") }
 
         define_method("#{attr}=") do |value|

data/lib/securial/config/signature.rb

@@ -0,0 +1,107 @@
+module Securial
+  module Config
+    module Signature
+      LOG_LEVELS         = %i[debug info warn error fatal unknown].freeze
+      SESSION_ALGORITHMS = %i[hs256 hs384 hs512].freeze
+      SECURITY_HEADERS   = %i[strict default none].freeze
+      TIMESTAMP_OPTIONS  = %i[all admins_only none].freeze
+      RESPONSE_KEYS_FORMATS = %i[snake_case lowerCamelCase UpperCamelCase].freeze
+
+      extend self
+
+      def config_signature
+        [
+          general_signature,
+          logger_signature,
+          roles_signature,
+          session_signature,
+          mailer_signature,
+          password_signature,
+          response_signature,
+          security_signature,
+        ].reduce({}, :merge)
+      end
+
+      def default_config_attributes
+        config_signature.transform_values do |options|
+          options[:default]
+        end
+      end
+
+      private
+
+      def general_signature
+        {
+          app_name: { type: String, required: true, default: "Securial" },
+        }
+      end
+
+      def logger_signature
+        {
+          log_to_file: { type: [TrueClass, FalseClass], required: true, default: Rails.env.test? ? false : true },
+          log_file_level: { type: Symbol, required: "log_to_file", allowed_values: LOG_LEVELS, default: :debug },
+          log_to_stdout: { type: [TrueClass, FalseClass], required: true, default: Rails.env.test? ? false : true },
+          log_stdout_level: { type: Symbol, required: "log_to_stdout", allowed_values: LOG_LEVELS, default: :debug },
+        }
+      end
+
+      def roles_signature
+        {
+          admin_role: { type: String, required: true, default: "admin" },
+        }
+      end
+
+      def session_signature
+        {
+          session_expiration_duration: { type: ActiveSupport::Duration, required: true, default: 3.minutes },
+          session_secret: { type: String, required: true, default: "secret" },
+          session_algorithm: { type: Symbol, required: true, allowed_values: SESSION_ALGORITHMS, default: :hs256 },
+          session_refresh_token_expires_in: { type: ActiveSupport::Duration, required: true, default: 1.week },
+        }
+      end
+
+      def mailer_signature
+        {
+          mailer_sender: { type: String, required: true, default: "no-reply@example.com" },
+          mailer_sign_up_enabled: { type: [TrueClass, FalseClass], required: true, default: true },
+          mailer_sign_up_subject: { type: String, required: "mailer_sign_up_enabled", default: "SECURIAL: Welcome to Our Service" },
+          mailer_sign_in_enabled: { type: [TrueClass, FalseClass], required: true, default: true },
+          mailer_sign_in_subject: { type: String, required: "mailer_sign_in_enabled", default: "SECURIAL: Sign In Notification" },
+          mailer_update_account_enabled: { type: [TrueClass, FalseClass], required: true, default: true },
+          mailer_update_account_subject: { type: String, required: "mailer_update_account_enabled", default: "SECURIAL: Account Update Notification" },
+          mailer_forgot_password_subject: { type: String, required: true, default: "SECURIAL: Password Reset Instructions" },
+        }
+      end
+
+      def password_signature
+        {
+          password_min_length: { type: Numeric, required: true, default: 8 },
+          password_max_length: { type: Numeric, required: true, default: 128 },
+          password_complexity: { type: Regexp, required: true, default: Securial::Helpers::RegexHelper::PASSWORD_REGEX },
+          password_expires: { type: [TrueClass, FalseClass], required: true, default: true },
+          password_expires_in: { type: ActiveSupport::Duration, required: "password_expires", default: 90.days },
+          reset_password_token_expires_in: { type: ActiveSupport::Duration, required: true, default: 2.hours },
+          reset_password_token_secret: { type: String, required: true, default: "reset_secret" },
+        }
+      end
+
+      def response_signature
+        {
+          response_keys_format: { type: Symbol, required: true, allowed_values:
+            RESPONSE_KEYS_FORMATS, default: :snake_case, },
+          timestamps_in_response: { type: Symbol, required: true, allowed_values: TIMESTAMP_OPTIONS, default: :all },
+        }
+      end
+
+      def security_signature
+        {
+          security_headers: { type: Symbol, required: true, allowed_values: SECURITY_HEADERS, default: :strict },
+          rate_limiting_enabled: { type: [TrueClass, FalseClass], required: true, default: true },
+          rate_limit_requests_per_minute: { type: Numeric, required: "rate_limiting_enabled", default: 60 },
+          rate_limit_response_status: { type: Numeric, required: "rate_limiting_enabled", default: 429 },
+          rate_limit_response_message: { type: String, required: "rate_limiting_enabled", default: "Too many requests, please try again later." },
+        }
+      end
+    end
+  end
+end

data/lib/securial/config/validation.rb

@@ -1,24 +1,68 @@
 require "securial/logger"
-require "securial/config/validation/logger_validation"
-require "securial/config/validation/roles_validation"
-require "securial/config/validation/session_validation"
-require "securial/config/validation/mailer_validation"
-require "securial/config/validation/password_validation"
-require "securial/config/validation/response_validation"
-require "securial/config/validation/security_validation"
 
 module Securial
   module Config
     module Validation
       class << self
         def validate_all!(securial_config)
-          Securial::Config::Validation::LoggerValidation.validate!(securial_config)
-          Securial::Config::Validation::RolesValidation.validate!(securial_config)
-          Securial::Config::Validation::SessionValidation.validate!(securial_config)
-          Securial::Config::Validation::MailerValidation.validate!(securial_config)
-          Securial::Config::Validation::PasswordValidation.validate!(securial_config)
-          Securial::Config::Validation::ResponseValidation.validate!(securial_config)
-          Securial::Config::Validation::SecurityValidation.validate!(securial_config)
+          signature = Securial::Config::Signature.config_signature
+
+          validate_required_fields!(signature, securial_config)
+          validate_types_and_values!(signature, securial_config)
+          validate_password_lengths!(securial_config)
+        end
+
+        private
+
+        def validate_required_fields!(signature, config)
+          signature.each do |key, options|
+            value = config.send(key)
+            required = options[:required]
+            if required == true && value.nil?
+              raise_error("#{key} is required but not provided.")
+            elsif required.is_a?(String)
+              dynamic_required = config.send(required)
+              signature[key][:required] = dynamic_required
+              if dynamic_required && value.nil?
+                raise_error("#{key} is required but not provided when #{required} is true.")
+              end
+            end
+          end
+        end
+
+        def validate_types_and_values!(signature, config)
+          signature.each do |key, options|
+            next unless signature[key][:required]
+            value = config.send(key)
+            types = Array(options[:type])
+
+            unless types.any? { |type| value.is_a?(type) }
+              raise_error("#{key} must be of type(s) #{types.join(', ')}, but got #{value.class}.")
+            end
+
+            if options[:type] == ActiveSupport::Duration && value <= 0
+              raise_error("#{key} must be a positive duration, but got #{value}.")
+            end
+
+            if options[:type] == Numeric && value < 0
+              raise_error("#{key} must be a non-negative numeric value, but got #{value}.")
+            end
+
+            if options[:allowed_values] && options[:allowed_values].exclude?(value)
+              raise_error("#{key} must be one of #{options[:allowed_values].join(', ')}, but got #{value}.")
+            end
+          end
+        end
+
+        def validate_password_lengths!(config)
+          if config.password_min_length > config.password_max_length
+            raise_error("password_min_length cannot be greater than password_max_length.")
+          end
+        end
+
+        def raise_error(msg)
+          Securial.logger.fatal msg
+          raise Securial::Error::Config::InvalidConfigurationError, msg
         end
       end
     end

data/lib/securial/config.rb

@@ -1,6 +1,8 @@
 require "securial/config/configuration"
+require "securial/config/signature"
 require "securial/config/validation"
 
+
 module Securial
   class << self
     attr_accessor :configuration

data/lib/securial/engine.rb

@@ -1,8 +1,10 @@
 require "securial/auth"
 require "securial/config"
+require "securial/error"
 require "securial/helpers"
 require "securial/logger"
 require "securial/middleware"
+require "securial/security"
 
 module Securial
   class Engine < ::Rails::Engine

data/lib/securial/engine_initializers.rb

@@ -5,7 +5,7 @@ module Securial
         :password,
         :password_confirmation,
         :password_reset_token,
-        :reset_password_token
+        :reset_password_token,
       ]
     end
 
@@ -16,10 +16,29 @@ module Securial
       end
     end
 
-    initializer "securial.logger_middleware" do |app|
+    initializer "securial.security.request_rate_limiter" do |app|
+      if Securial.configuration.rate_limiting_enabled
+        Securial::Security::RequestRateLimiter.apply!
+        app.middleware.use Rack::Attack
+      end
+    end
+
+    initializer "securial.middleware.transform_request_keys" do |app|
+      app.middleware.use Securial::Middleware::TransformRequestKeys
+    end
+
+    initializer "securial.middleware.transform_response_keys" do |app|
+      app.middleware.use Securial::Middleware::TransformResponseKeys
+    end
+
+    initializer "securial.middleware.logger" do |app|
       app.middleware.use Securial::Middleware::RequestTagLogger
     end
 
+    initializer "securial.middleware.response_headers" do |app|
+      app.middleware.use Securial::Middleware::ResponseHeaders
+    end
+
     initializer "securial.extend_application_controller" do
       ActiveSupport.on_load(:action_controller_base) { include Securial::Identity }
       ActiveSupport.on_load(:action_controller_api)  { include Securial::Identity }

data/lib/securial/error/config.rb

@@ -4,34 +4,6 @@ module Securial
       class InvalidConfigurationError < Securial::Error::BaseError
         default_message "Invalid configuration for Securial"
       end
-
-      class LoggerValidationError < InvalidConfigurationError
-        default_message "Logger configuration validation failed"
-      end
-
-      class RolesValidationError < InvalidConfigurationError
-        default_message "Roles configuration validation failed"
-      end
-
-      class SessionValidationError < InvalidConfigurationError
-        default_message "Session configuration validation failed"
-      end
-
-      class MailerValidationError < InvalidConfigurationError
-        default_message "Mailer configuration validation failed"
-      end
-
-      class PasswordValidationError < InvalidConfigurationError
-        default_message "Password configuration validation failed"
-      end
-
-      class ResponseValidationError < InvalidConfigurationError
-        default_message "Response configuration validation failed"
-      end
-
-      class SecurityValidationError < InvalidConfigurationError
-        default_message "Security configuration validation failed"
-      end
     end
   end
 end

data/lib/securial/helpers/key_transformer.rb

@@ -0,0 +1,33 @@
+module Securial
+  module Helpers
+    module KeyTransformer
+      module_function
+
+      def camelize(str, format)
+        case format
+        when :lowerCamelCase
+          str.to_s.camelize(:lower)
+        when :UpperCamelCase
+          str.to_s.camelize
+        else
+          str.to_s
+        end
+      end
+
+      def self.underscore(str)
+        str.to_s.underscore
+      end
+
+      def self.deep_transform_keys(obj, &block)
+        case obj
+        when Hash
+          obj.transform_keys(&block).transform_values { |v| deep_transform_keys(v, &block) }
+        when Array
+          obj.map { |e| deep_transform_keys(e, &block) }
+        else
+          obj
+        end
+      end
+    end
+  end
+end

data/lib/securial/helpers.rb

@@ -1,6 +1,7 @@
 require "securial/helpers/normalizing_helper"
 require "securial/helpers/regex_helper"
 require "securial/helpers/roles_helper"
+require "securial/helpers/key_transformer"
 
 module Securial
   module Helpers

data/lib/securial/middleware/response_headers.rb

@@ -0,0 +1,19 @@
+module Securial
+  module Middleware
+    # This middleware removes sensitive headers from the request environment.
+    # It is designed to enhance security by ensuring that sensitive information
+    # is not inadvertently logged or processed.
+    class ResponseHeaders
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        status, headers, response = @app.call(env)
+        headers["X-Securial-Mounted"] = "true"
+        headers["X-Securial-Developer"] = "Aly Badawy - https://alybadawy.com | @alybadawy"
+        [status, headers, response]
+      end
+    end
+  end
+end

data/lib/securial/middleware/transform_request_keys.rb

@@ -0,0 +1,35 @@
+module Securial
+  module Middleware
+    # This middleware transforms request keys to a specified format.
+    # It uses the KeyTransformer helper to apply the transformation.
+    #
+    # It reads the request body if the content type is JSON and transforms
+    # the keys to underscore format. If the body is not valid JSON, it does nothing.
+    class TransformRequestKeys
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        if env["CONTENT_TYPE"]&.include?("application/json")
+          req = Rack::Request.new(env)
+          if (req.body&.size || 0) > 0
+            raw = req.body.read
+            req.body.rewind
+            begin
+              parsed = JSON.parse(raw)
+              transformed = Securial::Helpers::KeyTransformer.deep_transform_keys(parsed) do |key|
+                Securial::Helpers::KeyTransformer.underscore(key)
+              end
+              env["rack.input"] = StringIO.new(JSON.dump(transformed))
+              env["rack.input"].rewind
+            rescue JSON::ParserError
+              # no-op
+            end
+          end
+        end
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/securial/middleware/transform_response_keys.rb

@@ -0,0 +1,47 @@
+module Securial
+  module Middleware
+    # This middleware transforms response keys to a specified format.
+    # It uses the KeyTransformer helper to apply the transformation.
+    #
+    # It reads the response body if the content type is JSON and transforms
+    # the keys to the specified format (default is lowerCamelCase).
+    class TransformResponseKeys
+      def initialize(app, format: :lowerCamelCase)
+        @app = app
+      end
+
+      def call(env)
+        status, headers, response = @app.call(env)
+
+        if json_response?(headers)
+          body = extract_body(response)
+
+          if body.present?
+            format = Securial.configuration.response_keys_format
+            transformed = Securial::Helpers::KeyTransformer.deep_transform_keys(JSON.parse(body)) do |key|
+              Securial::Helpers::KeyTransformer.camelize(key, format)
+            end
+
+            new_body = [JSON.generate(transformed)]
+            headers["Content-Length"] = new_body.first.bytesize.to_s
+            return [status, headers, new_body]
+          end
+        end
+
+        [status, headers, response]
+      end
+
+      private
+
+      def json_response?(headers)
+        headers["Content-Type"]&.include?("application/json")
+      end
+
+      def extract_body(response)
+        response_body = ""
+        response.each { |part| response_body << part }
+        response_body
+      end
+    end
+  end
+end

data/lib/securial/middleware.rb

@@ -1,4 +1,7 @@
 require "securial/middleware/request_tag_logger"
+require "securial/middleware/transform_request_keys"
+require "securial/middleware/transform_response_keys"
+require "securial/middleware/response_headers"
 
 module Securial
   module Middleware

data/lib/securial/security/request_rate_limiter.rb

@@ -0,0 +1,45 @@
+require "rack/attack"
+require "securial/config"
+
+module Securial
+  module Security
+    module RequestRateLimiter
+      module_function
+
+      def apply! # rubocop:disable Metrics/MethodLength
+        resp_status = Securial.configuration.rate_limit_response_status
+        resp_message = Securial.configuration.rate_limit_response_message
+        throttle_configs = [
+          { name: "securial/logins/ip", path: "sessions/login", key: ->(req) { req.ip } },
+          { name: "securial/logins/email", path: "sessions/login", key: ->(req) { req.params["email_address"].to_s.downcase.strip } },
+          { name: "securial/password_resets/ip", path: "password/forgot", key: ->(req) { req.ip } },
+          { name: "securial/password_resets/email", path: "password/forgot", key: ->(req) { req.params["email_address"].to_s.downcase.strip } },
+        ]
+
+        throttle_configs.each do |config|
+          Rack::Attack.throttle(config[:name],
+                                limit: ->(_req) { Securial.configuration.rate_limit_requests_per_minute },
+                                period: 1.minute
+          ) do |req|
+            if req.path.include?(config[:path]) && req.post?
+              config[:key].call(req)
+            end
+          end
+        end
+
+        # Custom response for throttled requests
+        Rack::Attack.throttled_responder = lambda do |request|
+          retry_after = (request.env["rack.attack.match_data"] || {})[:period]
+          [
+            resp_status,
+            {
+              "Content-Type" => "application/json",
+              "Retry-After" => retry_after.to_s,
+            },
+            [{ error: resp_message }.to_json],
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/securial/security.rb

@@ -0,0 +1,8 @@
+require "securial/security/request_rate_limiter"
+
+ module Securial
+  module Security
+    # This module serves as a namespace for security-related functionality.
+    # It can be extended with additional security features in the future.
+  end
+ end

data/lib/securial/version.rb

@@ -1,3 +1,3 @@
 module Securial
-  VERSION = "0.8.1".freeze
+  VERSION = "1.0.0".freeze
 end

data/lib/tasks/securial_routes.rake

@@ -0,0 +1,26 @@
+namespace :securial do
+  desc "Print all routes for the Securial engine"
+  task routes: :environment do
+    engine = Securial::Engine
+    routes = engine.routes
+
+    puts "Routes for Securial::Engine:"
+    all_routes = routes.routes.map do |route|
+      {
+        verb: route.verb,
+        path: route.path.spec.to_s.gsub("(.:format)", ""),
+        name: route.name,
+        controller: route.defaults[:controller],
+        action: route.defaults[:action],
+      }
+    end
+
+    # Print in a table format with adjusted column widths
+    puts "%-10s %-35s %-35s %-30s" % ["Verb", "Path", "Name", "Controller#Action"]
+    puts "-" * 110
+    all_routes.each do |r|
+      ctrl_action = [r[:controller], r[:action]].compact.join("#")
+      puts "%-10s %-35s %-35s %-30s" % [r[:verb], r[:path], r[:name], ctrl_action]
+    end
+  end
+end