tarsier 0.1.0

data/lib/tarsier/middleware/compression.rb

@@ -0,0 +1,113 @@
+# frozen_string_literal: true
+
+require "zlib"
+
+module Tarsier
+  module Middleware
+    # Response compression middleware
+    # Supports gzip and deflate encoding
+    class Compression < Base
+      DEFAULT_OPTIONS = {
+        min_size: 1024,
+        level: Zlib::DEFAULT_COMPRESSION,
+        content_types: %w[
+          text/html
+          text/plain
+          text/css
+          text/javascript
+          application/javascript
+          application/json
+          application/xml
+          image/svg+xml
+        ]
+      }.freeze
+
+      ENCODINGS = {
+        "gzip" => :gzip,
+        "deflate" => :deflate
+      }.freeze
+
+      def initialize(app, **options)
+        super
+        @options = DEFAULT_OPTIONS.merge(options)
+      end
+
+      def call(request, response)
+        @app.call(request, response)
+
+        return response unless should_compress?(request, response)
+
+        encoding = preferred_encoding(request)
+        return response unless encoding
+
+        compress_response(response, encoding)
+        response
+      end
+
+      private
+
+      def should_compress?(request, response)
+        return false if response.streaming?
+        return false unless response.body.is_a?(String)
+        return false if response.body.bytesize < @options[:min_size]
+        return false unless compressible_content_type?(response)
+        return false if already_compressed?(response)
+
+        true
+      end
+
+      def compressible_content_type?(response)
+        content_type = response.get_header("Content-Type")
+        return false unless content_type
+
+        @options[:content_types].any? { |type| content_type.include?(type) }
+      end
+
+      def already_compressed?(response)
+        response.get_header("Content-Encoding")
+      end
+
+      def preferred_encoding(request)
+        accept = request.header("Accept-Encoding")
+        return nil unless accept
+
+        ENCODINGS.each do |name, method|
+          return method if accept.include?(name)
+        end
+
+        nil
+      end
+
+      def compress_response(response, encoding)
+        original = response.body
+        compressed = case encoding
+                     when :gzip then gzip_compress(original)
+                     when :deflate then deflate_compress(original)
+                     end
+
+        # Only use compressed version if it's actually smaller
+        if compressed.bytesize < original.bytesize
+          response.body = compressed
+          response.set_header("Content-Encoding", encoding.to_s)
+          response.set_header("Content-Length", compressed.bytesize.to_s)
+          response.set_header("Vary", "Accept-Encoding")
+        end
+      end
+
+      def gzip_compress(data)
+        io = StringIO.new
+        io.set_encoding("BINARY")
+
+        gz = Zlib::GzipWriter.new(io, @options[:level])
+        gz.write(data)
+        gz.close
+
+        io.string
+      end
+
+      def deflate_compress(data)
+        Zlib::Deflate.deflate(data, @options[:level])
+      end
+    end
+  end
+end

data/lib/tarsier/middleware/cors.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+module Tarsier
+  module Middleware
+    # CORS (Cross-Origin Resource Sharing) middleware
+    # Handles preflight requests and sets appropriate headers
+    class CORS < Base
+      DEFAULT_OPTIONS = {
+        origins: "*",
+        methods: %w[GET POST PUT PATCH DELETE OPTIONS],
+        headers: %w[Content-Type Authorization Accept X-Requested-With],
+        expose_headers: [],
+        max_age: 86_400,
+        credentials: false
+      }.freeze
+
+      def initialize(app, **options)
+        super
+        @options = DEFAULT_OPTIONS.merge(options)
+      end
+
+      def call(request, response)
+        origin = request.header("Origin")
+
+        # Handle preflight OPTIONS request
+        if request.options? && origin
+          handle_preflight(request, response, origin)
+          return response
+        end
+
+        # Add CORS headers to actual request
+        add_cors_headers(response, origin) if origin
+
+        @app.call(request, response)
+      end
+
+      private
+
+      def handle_preflight(request, response, origin)
+        return unless allowed_origin?(origin)
+
+        response.status = 204
+        add_cors_headers(response, origin)
+
+        requested_method = request.header("Access-Control-Request-Method")
+        requested_headers = request.header("Access-Control-Request-Headers")
+
+        if requested_method && allowed_method?(requested_method)
+          response.set_header("Access-Control-Allow-Methods", @options[:methods].join(", "))
+        end
+
+        if requested_headers
+          response.set_header("Access-Control-Allow-Headers", allowed_headers(requested_headers))
+        end
+
+        response.set_header("Access-Control-Max-Age", @options[:max_age].to_s)
+        response.body = ""
+      end
+
+      def add_cors_headers(response, origin)
+        return unless allowed_origin?(origin)
+
+        response.set_header("Access-Control-Allow-Origin", cors_origin(origin))
+
+        if @options[:credentials]
+          response.set_header("Access-Control-Allow-Credentials", "true")
+        end
+
+        if @options[:expose_headers].any?
+          response.set_header("Access-Control-Expose-Headers", @options[:expose_headers].join(", "))
+        end
+
+        response.set_header("Vary", "Origin")
+      end
+
+      def allowed_origin?(origin)
+        return true if @options[:origins] == "*"
+        return true if @options[:origins].include?(origin)
+
+        Array(@options[:origins]).any? do |pattern|
+          pattern.is_a?(Regexp) ? pattern.match?(origin) : pattern == origin
+        end
+      end
+
+      def cors_origin(origin)
+        @options[:origins] == "*" && !@options[:credentials] ? "*" : origin
+      end
+
+      def allowed_method?(method)
+        @options[:methods].map(&:upcase).include?(method.upcase)
+      end
+
+      def allowed_headers(requested)
+        requested_list = requested.split(",").map(&:strip)
+        allowed = @options[:headers].map(&:downcase)
+
+        requested_list.select { |h| allowed.include?(h.downcase) }.join(", ")
+      end
+    end
+  end
+end

data/lib/tarsier/middleware/csrf.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require "securerandom"
+
+module Tarsier
+  module Middleware
+    # CSRF (Cross-Site Request Forgery) protection middleware
+    # Validates tokens for state-changing requests
+    class CSRF < Base
+      SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
+      TOKEN_LENGTH = 32
+      HEADER_NAME = "X-CSRF-Token"
+      PARAM_NAME = "_csrf_token"
+      SESSION_KEY = :csrf_token
+
+      def initialize(app, **options)
+        super
+        @skip_paths = options[:skip] || []
+        @token_length = options[:token_length] || TOKEN_LENGTH
+      end
+
+      def call(request, response)
+        return @app.call(request, response) if skip_csrf?(request)
+
+        session = request.env["tarsier.session"] ||= {}
+
+        if safe_request?(request)
+          ensure_token(session)
+          @app.call(request, response)
+        else
+          if valid_token?(request, session)
+            rotate_token(session) if @options[:rotate]
+            @app.call(request, response)
+          else
+            handle_invalid_token(response)
+          end
+        end
+      end
+
+      private
+
+      def skip_csrf?(request)
+        @skip_paths.any? { |path| request.path.start_with?(path) }
+      end
+
+      def safe_request?(request)
+        SAFE_METHODS.include?(request.method.to_s)
+      end
+
+      def ensure_token(session)
+        session[SESSION_KEY] ||= generate_token
+      end
+
+      def generate_token
+        SecureRandom.hex(@token_length)
+      end
+
+      def valid_token?(request, session)
+        expected = session[SESSION_KEY]
+        return false unless expected
+
+        provided = request.header(HEADER_NAME) ||
+                   request.params[PARAM_NAME]
+
+        return false unless provided
+
+        secure_compare(expected, provided)
+      end
+
+      def rotate_token(session)
+        session[SESSION_KEY] = generate_token
+      end
+
+      def handle_invalid_token(response)
+        response.status = 403
+        response.content_type = "application/json"
+        response.body = '{"error":"Invalid CSRF token"}'
+      end
+
+      # Constant-time string comparison to prevent timing attacks
+      def secure_compare(a, b)
+        return false unless a.bytesize == b.bytesize
+
+        a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
+      end
+    end
+  end
+end

data/lib/tarsier/middleware/logger.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module Tarsier
+  module Middleware
+    # Request logging middleware
+    # Logs request details and timing information
+    class Logger < Base
+      COLORS = {
+        green: "\e[32m",
+        yellow: "\e[33m",
+        red: "\e[31m",
+        cyan: "\e[36m",
+        reset: "\e[0m"
+      }.freeze
+
+      def initialize(app, logger: nil, **options)
+        super(app, **options)
+        @logger = logger || default_logger
+        @colorize = options.fetch(:colorize, $stdout.tty?)
+      end
+
+      def call(request, response)
+        start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+
+        @app.call(request, response)
+
+        duration = Process.clock_gettime(Process::CLOCK_MONOTONIC) - start_time
+        log_request(request, response, duration)
+
+        response
+      end
+
+      private
+
+      def log_request(request, response, duration)
+        status = response.status
+        method = request.method
+        path = request.path
+        duration_ms = (duration * 1000).round(2)
+
+        message = format_log(method, path, status, duration_ms)
+        @logger.info(message)
+      end
+
+      def format_log(method, path, status, duration_ms)
+        if @colorize
+          status_color = status_color(status)
+          "#{colorize(method.to_s.ljust(7), :cyan)} #{path} " \
+            "#{colorize(status.to_s, status_color)} #{duration_ms}ms"
+        else
+          "#{method.to_s.ljust(7)} #{path} #{status} #{duration_ms}ms"
+        end
+      end
+
+      def status_color(status)
+        case status
+        when 200..299 then :green
+        when 300..399 then :cyan
+        when 400..499 then :yellow
+        else :red
+        end
+      end
+
+      def colorize(text, color)
+        "#{COLORS[color]}#{text}#{COLORS[:reset]}"
+      end
+
+      def default_logger
+        require "logger"
+        ::Logger.new($stdout, formatter: proc { |_, _, _, msg| "#{msg}\n" })
+      end
+    end
+  end
+end

data/lib/tarsier/middleware/rate_limit.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+module Tarsier
+  module Middleware
+    # Rate limiting middleware with sliding window algorithm
+    # Supports per-IP and per-user rate limiting
+    class RateLimit < Base
+      DEFAULT_OPTIONS = {
+        limit: 100,
+        window: 60,
+        key_prefix: "tarsier:rate_limit:",
+        headers: true
+      }.freeze
+
+      def initialize(app, store: nil, **options)
+        super(app, **options)
+        @options = DEFAULT_OPTIONS.merge(options)
+        @store = store || MemoryStore.new
+      end
+
+      def call(request, response)
+        key = rate_limit_key(request)
+        current_time = Time.now.to_i
+        window_start = current_time - @options[:window]
+
+        # Clean old entries and count requests
+        count = @store.count_and_clean(key, window_start)
+
+        if count >= @options[:limit]
+          handle_rate_limited(response, count, current_time)
+          return response
+        end
+
+        # Record this request
+        @store.record(key, current_time)
+
+        # Add rate limit headers
+        add_headers(response, count + 1, current_time) if @options[:headers]
+
+        @app.call(request, response)
+      end
+
+      private
+
+      def rate_limit_key(request)
+        identifier = if @options[:key_generator]
+                       @options[:key_generator].call(request)
+                     else
+                       request.ip
+                     end
+
+        "#{@options[:key_prefix]}#{identifier}"
+      end
+
+      def handle_rate_limited(response, count, current_time)
+        response.status = 429
+        response.content_type = "application/json"
+        response.body = '{"error":"Rate limit exceeded"}'
+
+        add_headers(response, count, current_time)
+        response.set_header("Retry-After", @options[:window].to_s)
+      end
+
+      def add_headers(response, count, current_time)
+        remaining = [@options[:limit] - count, 0].max
+        reset_time = current_time + @options[:window]
+
+        response.set_header("X-RateLimit-Limit", @options[:limit].to_s)
+        response.set_header("X-RateLimit-Remaining", remaining.to_s)
+        response.set_header("X-RateLimit-Reset", reset_time.to_s)
+      end
+
+      # Simple in-memory store for rate limiting
+      # Replace with Redis store for production multi-process deployments
+      class MemoryStore
+        def initialize
+          @data = {}
+          @mutex = Mutex.new
+        end
+
+        def count_and_clean(key, window_start)
+          @mutex.synchronize do
+            @data[key] ||= []
+            @data[key].reject! { |t| t < window_start }
+            @data[key].size
+          end
+        end
+
+        def record(key, timestamp)
+          @mutex.synchronize do
+            @data[key] ||= []
+            @data[key] << timestamp
+          end
+        end
+
+        def clear(key)
+          @mutex.synchronize do
+            @data.delete(key)
+          end
+        end
+
+        def clear_all
+          @mutex.synchronize do
+            @data.clear
+          end
+        end
+      end
+    end
+  end
+end

data/lib/tarsier/middleware/stack.rb

@@ -0,0 +1,143 @@
+# frozen_string_literal: true
+
+module Tarsier
+  module Middleware
+    # Fiber-aware middleware stack with zero allocations for unused middleware
+    # Supports per-route middleware and conditional execution
+    class Stack
+      attr_reader :middlewares
+
+      def initialize
+        @middlewares = []
+        @compiled = nil
+      end
+
+      # Add middleware to the stack
+      # @param middleware [Class] middleware class
+      # @param args [Array] middleware arguments
+      # @param options [Hash] middleware options
+      # @return [self]
+      def use(middleware, *args, **options)
+        @middlewares << { klass: middleware, args: args, options: options }
+        @compiled = nil
+        self
+      end
+
+      # Insert middleware before another
+      # @param existing [Class] existing middleware class
+      # @param middleware [Class] middleware to insert
+      # @param args [Array] middleware arguments
+      # @param options [Hash] middleware options
+      # @return [self]
+      def insert_before(existing, middleware, *args, **options)
+        index = find_index(existing)
+        raise MiddlewareError, "Middleware not found: #{existing}" unless index
+
+        @middlewares.insert(index, { klass: middleware, args: args, options: options })
+        @compiled = nil
+        self
+      end
+
+      # Insert middleware after another
+      # @param existing [Class] existing middleware class
+      # @param middleware [Class] middleware to insert
+      # @param args [Array] middleware arguments
+      # @param options [Hash] middleware options
+      # @return [self]
+      def insert_after(existing, middleware, *args, **options)
+        index = find_index(existing)
+        raise MiddlewareError, "Middleware not found: #{existing}" unless index
+
+        @middlewares.insert(index + 1, { klass: middleware, args: args, options: options })
+        @compiled = nil
+        self
+      end
+
+      # Remove middleware from the stack
+      # @param middleware [Class] middleware class to remove
+      # @return [self]
+      def delete(middleware)
+        @middlewares.reject! { |m| m[:klass] == middleware }
+        @compiled = nil
+        self
+      end
+
+      # Swap one middleware for another
+      # @param existing [Class] existing middleware class
+      # @param middleware [Class] replacement middleware
+      # @param args [Array] middleware arguments
+      # @param options [Hash] middleware options
+      # @return [self]
+      def swap(existing, middleware, *args, **options)
+        index = find_index(existing)
+        raise MiddlewareError, "Middleware not found: #{existing}" unless index
+
+        @middlewares[index] = { klass: middleware, args: args, options: options }
+        @compiled = nil
+        self
+      end
+
+      # Build the middleware chain
+      # @param app [Object] the final application
+      # @return [Object] the compiled middleware chain
+      def build(app)
+        @compiled ||= compile(app)
+      end
+
+      # Call the middleware stack
+      # @param request [Request] the request object
+      # @param response [Response] the response object
+      # @param app [Object] the final application
+      # @return [Response]
+      def call(request, response, app)
+        chain = build(app)
+        chain.call(request, response)
+      end
+
+      # Check if middleware is in the stack
+      # @param middleware [Class] middleware class
+      # @return [Boolean]
+      def include?(middleware)
+        @middlewares.any? { |m| m[:klass] == middleware }
+      end
+
+      # Get middleware count
+      # @return [Integer]
+      def size
+        @middlewares.size
+      end
+
+      # Clear all middleware
+      # @return [self]
+      def clear
+        @middlewares.clear
+        @compiled = nil
+        self
+      end
+
+      private
+
+      def find_index(middleware)
+        @middlewares.index { |m| m[:klass] == middleware }
+      end
+
+      def compile(app)
+        @middlewares.reverse.reduce(app) do |next_app, middleware|
+          build_middleware(middleware, next_app)
+        end
+      end
+
+      def build_middleware(config, app)
+        klass = config[:klass]
+        args = config[:args]
+        options = config[:options]
+
+        if options.empty?
+          klass.new(app, *args)
+        else
+          klass.new(app, *args, **options)
+        end
+      end
+    end
+  end
+end