securial 0.8.1 → 1.0.1

data/lib/securial/logger.rb

@@ -1,15 +1,14 @@
 require_relative "logger/builder"
 
 module Securial
-  class << self
-    attr_accessor :logger
+  extend self
+  attr_accessor :logger
 
-    def logger
-      @logger ||= Logger::Builder.build
-    end
+  def logger
+    @logger ||= Logger::Builder.build
+  end
 
-    def logger=(logger)
-      @logger = logger
-    end
+  def logger=(logger)
+    @logger = logger
   end
 end

data/lib/securial/middleware/response_headers.rb

@@ -0,0 +1,19 @@
+module Securial
+  module Middleware
+    # This middleware removes sensitive headers from the request environment.
+    # It is designed to enhance security by ensuring that sensitive information
+    # is not inadvertently logged or processed.
+    class ResponseHeaders
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        status, headers, response = @app.call(env)
+        headers["X-Securial-Mounted"] = "true"
+        headers["X-Securial-Developer"] = "Aly Badawy - https://alybadawy.com | @alybadawy"
+        [status, headers, response]
+      end
+    end
+  end
+end

data/lib/securial/middleware/transform_request_keys.rb

@@ -0,0 +1,35 @@
+module Securial
+  module Middleware
+    # This middleware transforms request keys to a specified format.
+    # It uses the KeyTransformer helper to apply the transformation.
+    #
+    # It reads the request body if the content type is JSON and transforms
+    # the keys to underscore format. If the body is not valid JSON, it does nothing.
+    class TransformRequestKeys
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        if env["CONTENT_TYPE"]&.include?("application/json")
+          req = Rack::Request.new(env)
+          if (req.body&.size || 0) > 0
+            raw = req.body.read
+            req.body.rewind
+            begin
+              parsed = JSON.parse(raw)
+              transformed = Securial::Helpers::KeyTransformer.deep_transform_keys(parsed) do |key|
+                Securial::Helpers::KeyTransformer.underscore(key)
+              end
+              env["rack.input"] = StringIO.new(JSON.dump(transformed))
+              env["rack.input"].rewind
+            rescue JSON::ParserError
+              # no-op
+            end
+          end
+        end
+        @app.call(env)
+      end
+    end
+  end
+end

data/lib/securial/middleware/transform_response_keys.rb

@@ -0,0 +1,47 @@
+module Securial
+  module Middleware
+    # This middleware transforms response keys to a specified format.
+    # It uses the KeyTransformer helper to apply the transformation.
+    #
+    # It reads the response body if the content type is JSON and transforms
+    # the keys to the specified format (default is lowerCamelCase).
+    class TransformResponseKeys
+      def initialize(app, format: :lowerCamelCase)
+        @app = app
+      end
+
+      def call(env)
+        status, headers, response = @app.call(env)
+
+        if json_response?(headers)
+          body = extract_body(response)
+
+          if body.present?
+            format = Securial.configuration.response_keys_format
+            transformed = Securial::Helpers::KeyTransformer.deep_transform_keys(JSON.parse(body)) do |key|
+              Securial::Helpers::KeyTransformer.camelize(key, format)
+            end
+
+            new_body = [JSON.generate(transformed)]
+            headers["Content-Length"] = new_body.first.bytesize.to_s
+            return [status, headers, new_body]
+          end
+        end
+
+        [status, headers, response]
+      end
+
+      private
+
+      def json_response?(headers)
+        headers["Content-Type"]&.include?("application/json")
+      end
+
+      def extract_body(response)
+        response_body = ""
+        response.each { |part| response_body << part }
+        response_body
+      end
+    end
+  end
+end

data/lib/securial/middleware.rb

@@ -1,4 +1,7 @@
 require "securial/middleware/request_tag_logger"
+require "securial/middleware/transform_request_keys"
+require "securial/middleware/transform_response_keys"
+require "securial/middleware/response_headers"
 
 module Securial
   module Middleware

data/lib/securial/security/request_rate_limiter.rb

@@ -0,0 +1,45 @@
+require "rack/attack"
+require "securial/config"
+
+module Securial
+  module Security
+    module RequestRateLimiter
+      extend self
+
+      def apply! # rubocop:disable Metrics/MethodLength
+        resp_status = Securial.configuration.rate_limit_response_status
+        resp_message = Securial.configuration.rate_limit_response_message
+        throttle_configs = [
+          { name: "securial/logins/ip", path: "sessions/login", key: ->(req) { req.ip } },
+          { name: "securial/logins/email", path: "sessions/login", key: ->(req) { req.params["email_address"].to_s.downcase.strip } },
+          { name: "securial/password_resets/ip", path: "password/forgot", key: ->(req) { req.ip } },
+          { name: "securial/password_resets/email", path: "password/forgot", key: ->(req) { req.params["email_address"].to_s.downcase.strip } },
+        ]
+
+        throttle_configs.each do |config|
+          Rack::Attack.throttle(config[:name],
+                                limit: ->(_req) { Securial.configuration.rate_limit_requests_per_minute },
+                                period: 1.minute
+          ) do |req|
+            if req.path.include?(config[:path]) && req.post?
+              config[:key].call(req)
+            end
+          end
+        end
+
+        # Custom response for throttled requests
+        Rack::Attack.throttled_responder = lambda do |request|
+          retry_after = (request.env["rack.attack.match_data"] || {})[:period]
+          [
+            resp_status,
+            {
+              "Content-Type" => "application/json",
+              "Retry-After" => retry_after.to_s,
+            },
+            [{ error: resp_message }.to_json],
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/securial/security.rb

@@ -0,0 +1,8 @@
+require "securial/security/request_rate_limiter"
+
+ module Securial
+  module Security
+    # This module serves as a namespace for security-related functionality.
+    # It can be extended with additional security features in the future.
+  end
+ end

data/lib/securial/version.rb

@@ -1,3 +1,3 @@
 module Securial
-  VERSION = "0.8.1".freeze
+  VERSION = "1.0.1".freeze
 end

data/lib/securial.rb

@@ -4,8 +4,8 @@ require "securial/engine"
 require "jbuilder"
 
 module Securial
-  class << self
-    delegate :protected_namespace, to: Securial::Helpers::RolesHelper
-    delegate :titleized_admin_role, to: Securial::Helpers::RolesHelper
-  end
+  extend self
+
+  delegate :protected_namespace, to: Securial::Helpers::RolesHelper
+  delegate :titleized_admin_role, to: Securial::Helpers::RolesHelper
 end

data/lib/tasks/securial_routes.rake

@@ -0,0 +1,26 @@
+namespace :securial do
+  desc "Print all routes for the Securial engine"
+  task routes: :environment do
+    engine = Securial::Engine
+    routes = engine.routes
+
+    puts "Routes for Securial::Engine:"
+    all_routes = routes.routes.map do |route|
+      {
+        verb: route.verb,
+        path: route.path.spec.to_s.gsub("(.:format)", ""),
+        name: route.name,
+        controller: route.defaults[:controller],
+        action: route.defaults[:action],
+      }
+    end
+
+    # Print in a table format with adjusted column widths
+    puts "%-10s %-35s %-35s %-30s" % ["Verb", "Path", "Name", "Controller#Action"]
+    puts "-" * 110
+    all_routes.each do |r|
+      ctrl_action = [r[:controller], r[:action]].compact.join("#")
+      puts "%-10s %-35s %-35s %-30s" % [r[:verb], r[:path], r[:name], ctrl_action]
+    end
+  end
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: securial
 version: !ruby/object:Gem::Version
-  version: 0.8.1
+  version: 1.0.1
 platform: ruby
 authors:
 - Aly Badawy
 bindir: bin
 cert_chain: []
-date: 2025-06-06 00:00:00.000000000 Z
+date: 2025-06-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -43,28 +43,48 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.11'
+        version: '2.13'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.11'
+        version: '2.13'
 - !ruby/object:Gem::Dependency
   name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+- !ruby/object:Gem::Dependency
+  name: rack-attack
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.10'
+        version: '6.7'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.10'
+        version: '6.7'
 description: Securial is a mountable Rails engine that provides robust, extensible
   authentication and access control for Rails applications. It supports JWT, API tokens,
   session-based auth, and is designed for easy integration with modern web and mobile
@@ -127,6 +147,7 @@ files:
 - db/migrate/20250604110520_create_securial_users.rb
 - db/migrate/20250604123805_create_securial_role_assignments.rb
 - db/migrate/20250604184841_create_securial_sessions.rb
+- db/migrate/20250606182648_seed_roles_and_users.rb
 - lib/generators/factory_bot/model/model_generator.rb
 - lib/generators/factory_bot/templates/factory.erb
 - lib/generators/securial/install/install_generator.rb
@@ -146,16 +167,11 @@ files:
 - lib/securial/auth/auth_encoder.rb
 - lib/securial/auth/session_creator.rb
 - lib/securial/auth/token_generator.rb
+- lib/securial/cli.rb
 - lib/securial/config.rb
 - lib/securial/config/configuration.rb
+- lib/securial/config/signature.rb
 - lib/securial/config/validation.rb
-- lib/securial/config/validation/logger_validation.rb
-- lib/securial/config/validation/mailer_validation.rb
-- lib/securial/config/validation/password_validation.rb
-- lib/securial/config/validation/response_validation.rb
-- lib/securial/config/validation/roles_validation.rb
-- lib/securial/config/validation/security_validation.rb
-- lib/securial/config/validation/session_validation.rb
 - lib/securial/engine.rb
 - lib/securial/engine_initializers.rb
 - lib/securial/error.rb
@@ -167,6 +183,7 @@ files:
 - lib/securial/factories/securial/sessions.rb
 - lib/securial/factories/securial/users.rb
 - lib/securial/helpers.rb
+- lib/securial/helpers/key_transformer.rb
 - lib/securial/helpers/normalizing_helper.rb
 - lib/securial/helpers/regex_helper.rb
 - lib/securial/helpers/roles_helper.rb
@@ -176,23 +193,34 @@ files:
 - lib/securial/logger/formatter.rb
 - lib/securial/middleware.rb
 - lib/securial/middleware/request_tag_logger.rb
+- lib/securial/middleware/response_headers.rb
+- lib/securial/middleware/transform_request_keys.rb
+- lib/securial/middleware/transform_response_keys.rb
+- lib/securial/security.rb
+- lib/securial/security/request_rate_limiter.rb
 - lib/securial/version.rb
+- lib/tasks/securial_routes.rake
 - lib/tasks/securial_tasks.rake
 homepage: https://github.com/AlyBadawy/Securial/wiki
 licenses:
 - MIT
 metadata:
-  release_date: '2025-06-06'
+  release_date: '2025-06-24'
   allowed_push_host: https://rubygems.org
   homepage_uri: https://github.com/AlyBadawy/Securial/wiki
   source_code_uri: https://github.com/AlyBadawy/Securial
   changelog_uri: https://github.com/AlyBadawy/Securial/blob/main/CHANGELOG.md
 post_install_message: "\n    ---\n    [SECURIAL] Thank you for installing Securial!\n\n
-  \   Securial is a mountable Rails engine that provides robust,\n    extensible authentication
-  and access control for Rails applications.\n      Please review the [changelog]
-  and [WIKI] for more info on the latest\n      changes and how to use this gem/engine:\n
-  \     [changelog]:  https://github.com/AlyBadawy/Securial/blob/main/CHANGELOG.md\n
-  \     [WIKI]:       https://github.com/AlyBadawy/Securial/wiki\n    ---\n  "
+  \   Securial is a mountable Rails engine that provides robust, extensible\n    authentication
+  and access control for Rails applications. It supports JWT,\n    API tokens, session-based
+  auth, and is designed for easy integration with\n    modern web and mobile apps.\n\n
+  \   Usage:\n      securial new APP_NAME [rails_options...]    # Create a new Rails
+  app with Securial pre-installed\n      securial -v, --version                      #
+  Show the Securial gem version\n      securial -h, --help                         #
+  Show this help message\n\n    Example:\n      securial new myapp --api --database=postgresql
+  -T\n\n    More Info:\n      review the [changelog] and [WIKI] for more info on the
+  latest\n      changes and how to use this gem/engine:\n        [Changelog]:  https://github.com/AlyBadawy/Securial/blob/main/CHANGELOG.md\n
+  \       [WIKI]:       https://github.com/AlyBadawy/Securial/wiki\n    ---\n  "
 rdoc_options: []
 require_paths:
 - lib

data/lib/securial/config/validation/logger_validation.rb

@@ -1,29 +0,0 @@
-require "securial/error"
-
-module Securial
-  module Config
-    module Validation
-      module LoggerValidation
-        class << self
-          LEVELS = %i[debug info warn error fatal unknown].freeze
-
-          def validate!(securial_config)
-            allowed_options = {
-              log_to_file: [securial_config.log_to_file, [true, false], "boolean"],
-              log_to_stdout: [securial_config.log_to_stdout, [true, false], "boolean"],
-              log_file_level: [securial_config.log_file_level, LEVELS, "symbol"],
-              log_stdout_level: [securial_config.log_stdout_level, LEVELS, "symbol"],
-            }
-
-            allowed_options.each do |attr, (value, allowed, type)|
-              unless allowed.include?(value)
-                allowed_values = type == "symbol" ? allowed.map { |v| ":#{v}" }.join(", ") : allowed.join(", ")
-                raise Securial::Error::Config::LoggerValidationError, "#{attr} must be a #{type}. Allowed values: #{allowed_values}. Received: #{value.inspect}"
-              end
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/securial/config/validation/mailer_validation.rb

@@ -1,24 +0,0 @@
-require "securial/error"
-
-module Securial
-  module Config
-    module Validation
-      module MailerValidation
-        class << self
-          def validate!(securial_config)
-            if securial_config.mailer_sender.blank?
-              error_message = "Mailer sender is not set."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::MailerValidationError, error_message
-            end
-            if securial_config.mailer_sender !~  URI::MailTo::EMAIL_REGEXP
-              error_message = "Mailer sender is not a valid email address."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::MailerValidationError, error_message
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/securial/config/validation/password_validation.rb

@@ -1,91 +0,0 @@
-require "securial/error"
-
-module Securial
-  module Config
-    module Validation
-      module PasswordValidation
-        class << self
-          def validate!(securial_config)
-            validate_password_reset_subject!(securial_config)
-            validate_password_min_max_length!(securial_config)
-            validate_password_complexity!(securial_config)
-            validate_password_expiration!(securial_config)
-            validate_password_reset_token!(securial_config)
-          end
-
-          private
-
-          def validate_password_reset_token!(securial_config)
-            if securial_config.reset_password_token_secret.blank?
-              error_message = "Reset password token secret is not set."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::PasswordValidationError, error_message
-            end
-            unless securial_config.reset_password_token_secret.is_a?(String)
-              error_message = "Reset password token secret must be a String."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::PasswordValidationError, error_message
-            end
-            unless securial_config.reset_password_token_expires_in.is_a?(ActiveSupport::Duration) && securial_config.reset_password_token_expires_in > 0
-              error_message = "Reset password token expiration must be a valid ActiveSupport::Duration greater than 0."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::PasswordValidationError, error_message
-            end
-          end
-
-          def validate_password_reset_subject!(securial_config)
-            if securial_config.mailer_forgot_password_subject.blank?
-              error_message = "Password reset email subject is not set."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::PasswordValidationError, error_message
-            end
-            unless securial_config.mailer_forgot_password_subject.is_a?(String)
-              error_message = "Password reset email subject must be a String."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::PasswordValidationError, error_message
-            end
-          end
-
-          def validate_password_min_max_length!(securial_config)
-            unless securial_config.password_min_length.is_a?(Integer) && securial_config.password_min_length > 0
-              error_message = "Password minimum length must be a positive integer."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::PasswordValidationError, error_message
-            end
-            unless securial_config.password_max_length.is_a?(Integer) && securial_config.password_max_length >= securial_config.password_min_length
-              error_message = "Password maximum length must be an integer greater than or equal to the minimum length."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::PasswordValidationError, error_message
-            end
-          end
-
-          def validate_password_complexity!(securial_config)
-            if securial_config.password_complexity.nil? || !securial_config.password_complexity.is_a?(Regexp)
-              error_message = "Password complexity regex is not set or is not a valid Regexp."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::PasswordValidationError, error_message
-            end
-          end
-
-          def validate_password_expiration!(securial_config)
-            unless securial_config.password_expires.is_a?(TrueClass) || securial_config.password_expires.is_a?(FalseClass)
-              error_message = "Password expiration must be a boolean value."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::PasswordValidationError, error_message
-            end
-
-            if securial_config.password_expires == true && (
-              securial_config.password_expires_in.nil? ||
-              !securial_config.password_expires_in.is_a?(ActiveSupport::Duration) ||
-              securial_config.password_expires_in <= 0
-              )
-              error_message = "Password expiration duration is not set or is not a valid ActiveSupport::Duration."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::PasswordValidationError, error_message
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/securial/config/validation/response_validation.rb

@@ -1,37 +0,0 @@
-require "securial/error"
-
-module Securial
-  module Config
-    module Validation
-      module ResponseValidation
-        class << self
-          VALID_TIMESTAMP_OPTIONS = %i[all admins_only none].freeze
-          VALID_RESPONSE_KEYS_FORMATS = %i[snake_case lowerCamelCase UpperCamelCase].freeze
-
-          def validate!(securial_config)
-            validate_response_keys_format!(securial_config)
-            validate_timestamps_in_response!(securial_config)
-          end
-
-          private
-
-          def validate_response_keys_format!(securial_config)
-            unless VALID_RESPONSE_KEYS_FORMATS.include?(securial_config.response_keys_format)
-              error_message = "Invalid response_keys_format option. Valid options are: #{VALID_RESPONSE_KEYS_FORMATS.map(&:inspect).join(', ')}."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::ResponseValidationError, error_message
-            end
-          end
-
-          def validate_timestamps_in_response!(securial_config)
-            unless VALID_TIMESTAMP_OPTIONS.include?(securial_config.timestamps_in_response)
-              error_message = "Invalid timestamps_in_response option. Valid options are: #{VALID_TIMESTAMP_OPTIONS.map(&:inspect).join(', ')}."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::ResponseValidationError, error_message
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/securial/config/validation/roles_validation.rb

@@ -1,32 +0,0 @@
-require "securial/error"
-
-module Securial
-  module Config
-    module Validation
-      module RolesValidation
-        class << self
-          def validate!(securial_config)
-            if securial_config.admin_role.nil? || securial_config.admin_role.to_s.strip.empty?
-              error_message = "Admin role is not set."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::RolesValidationError, error_message
-            end
-
-            unless securial_config.admin_role.is_a?(Symbol) || securial_config.admin_role.is_a?(String)
-              error_message = "Admin role must be a Symbol or String."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::RolesValidationError, error_message
-            end
-
-            admin_role_downcase = securial_config.admin_role.to_s.downcase
-            if admin_role_downcase == "account" || admin_role_downcase == "accounts"
-              error_message = "The admin role cannot be 'account' or 'accounts' as it conflicts with the default routes."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::RolesValidationError, error_message
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/securial/config/validation/security_validation.rb

@@ -1,56 +0,0 @@
-require "securial/error"
-
-module Securial
-  module Config
-    module Validation
-      module SecurityValidation
-        class << self
-          VALID_SECURITY_HEADERS = %i[strict default none].freeze
-
-          def validate!(securial_config)
-            validate_security_headers!(securial_config)
-            validate_rate_limiting!(securial_config)
-          end
-
-          private
-
-          def validate_security_headers!(securial_config)
-            unless VALID_SECURITY_HEADERS.include?(securial_config.security_headers)
-              error_message = "Invalid security_headers option. Valid options are: #{VALID_SECURITY_HEADERS.map(&:inspect).join(', ')}."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::SecurityValidationError, error_message
-            end
-          end
-
-          def validate_rate_limiting!(securial_config) # rubocop:disable Metrics/MethodLength
-            unless securial_config.rate_limiting_enabled.is_a?(TrueClass) || securial_config.rate_limiting_enabled.is_a?(FalseClass)
-              error_message = "rate_limiting_enabled must be a boolean value."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::SecurityValidationError, error_message
-            end
-
-            return unless securial_config.rate_limiting_enabled
-
-            unless securial_config.rate_limit_requests_per_minute.is_a?(Integer) && securial_config.rate_limit_requests_per_minute > 0
-              error_message = "rate_limit_requests_per_minute must be a positive integer when rate limiting is enabled."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::SecurityValidationError, error_message
-            end
-
-            unless securial_config.rate_limit_response_status.is_a?(Integer) && securial_config.rate_limit_response_status.between?(400, 599)
-              error_message = "rate_limit_response_status must be an HTTP status code between 4xx and 5xx."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::SecurityValidationError, error_message
-            end
-
-            unless securial_config.rate_limit_response_message.is_a?(String) && !securial_config.rate_limit_response_message.strip.empty?
-              error_message = "rate_limit_response_message must be a non-empty String."
-              Securial.logger.fatal(error_message)
-              raise Securial::Error::Config::SecurityValidationError, error_message
-            end
-          end
-        end
-      end
-    end
-  end
-end