tina4ruby 3.0.0 → 3.9.2

data/lib/tina4/middleware.rb

@@ -11,6 +11,11 @@ module Tina4
         @after_handlers ||= []
       end
 
+      # Registry of class-based middleware (registered via Router.use)
+      def global_middleware
+        @global_middleware ||= []
+      end
+
       def before(pattern = nil, &block)
         before_handlers << { pattern: pattern, handler: block }
       end
@@ -19,26 +24,63 @@ module Tina4
         after_handlers << { pattern: pattern, handler: block }
       end
 
+      # Register a class-based middleware globally.
+      # The class should define static before_* and/or after_* methods.
+      def use(klass)
+        global_middleware << klass unless global_middleware.include?(klass)
+      end
+
       def clear!
         @before_handlers = []
         @after_handlers = []
+        @global_middleware = []
       end
 
+      # Run all "before" hooks: block-based handlers, then class-based before_* methods.
+      # Returns [request, response] on success, or false to halt the request.
       def run_before(request, response)
+        # 1. Block-based before handlers (backward compat)
         before_handlers.each do |entry|
           next unless matches_pattern?(request.path, entry[:pattern])
           result = entry[:handler].call(request, response)
-          # If handler returns false, halt the request
           return false if result == false
         end
+
+        # 2. Class-based middleware: call every before_* method
+        global_middleware.each do |klass|
+          before_methods_for(klass).each do |method_name|
+            result = klass.send(method_name, request, response)
+            # Support returning [request, response] (Python convention) or false to halt
+            if result == false
+              return false
+            elsif result.is_a?(Array) && result.length == 2
+              request, response = result
+              # If response already has a non-2xx status, halt processing
+              return false if response.status_code >= 400
+            end
+          end
+        end
+
         true
       end
 
+      # Run all "after" hooks: block-based handlers, then class-based after_* methods.
       def run_after(request, response)
+        # 1. Block-based after handlers (backward compat)
         after_handlers.each do |entry|
           next unless matches_pattern?(request.path, entry[:pattern])
           entry[:handler].call(request, response)
         end
+
+        # 2. Class-based middleware: call every after_* method
+        global_middleware.each do |klass|
+          after_methods_for(klass).each do |method_name|
+            result = klass.send(method_name, request, response)
+            if result.is_a?(Array) && result.length == 2
+              request, response = result
+            end
+          end
+        end
       end
 
       private
@@ -54,6 +96,312 @@ module Tina4
           true
         end
       end
+
+      # Collect all public class methods matching before_*
+      def before_methods_for(klass)
+        klass.methods(false).select { |m| m.to_s.start_with?("before_") }.sort
+      end
+
+      # Collect all public class methods matching after_*
+      def after_methods_for(klass)
+        klass.methods(false).select { |m| m.to_s.start_with?("after_") }.sort
+      end
+    end
+  end
+
+  # ---------------------------------------------------------------------------
+  # Built-in class-based middleware
+  # ---------------------------------------------------------------------------
+
+  # CorsClassMiddleware -- sets CORS headers from env vars on every response.
+  # Uses the same config source as CorsMiddleware module.
+  class CorsClassMiddleware
+    class << self
+      def before_cors(request, response)
+        config = load_config
+        origin = resolve_origin(request, config)
+
+        response.headers["access-control-allow-origin"]  = origin
+        response.headers["access-control-allow-methods"] = config[:methods]
+        response.headers["access-control-allow-headers"] = config[:headers]
+        response.headers["access-control-max-age"]       = config[:max_age]
+        if config[:credentials] == "true"
+          response.headers["access-control-allow-credentials"] = "true"
+        end
+
+        [request, response]
+      end
+
+      private
+
+      def load_config
+        {
+          origins:     ENV["TINA4_CORS_ORIGINS"]     || "*",
+          methods:     ENV["TINA4_CORS_METHODS"]     || "GET, POST, PUT, PATCH, DELETE, OPTIONS",
+          headers:     ENV["TINA4_CORS_HEADERS"]     || "Content-Type,Authorization,X-Request-ID",
+          max_age:     ENV["TINA4_CORS_MAX_AGE"]     || "86400",
+          credentials: ENV["TINA4_CORS_CREDENTIALS"] || "false"
+        }
+      end
+
+      def resolve_origin(request, config)
+        request_origin = request.headers["origin"] || request.headers["referer"]
+
+        if config[:origins] == "*"
+          "*"
+        elsif request_origin
+          allowed = config[:origins].split(",").map(&:strip)
+          clean = request_origin.chomp("/")
+          allowed.include?(clean) ? clean : allowed.first || "*"
+        else
+          config[:origins].split(",").first&.strip || "*"
+        end
+      end
+    end
+  end
+
+  # RateLimiterMiddleware -- tracks requests per IP, returns 429 when exceeded.
+  # Config via env: TINA4_RATE_LIMIT (default 100), TINA4_RATE_WINDOW (default 60s).
+  class RateLimiterMiddleware
+    @store = {}
+    @mutex = Mutex.new
+    @last_cleanup = Time.now
+
+    class << self
+      def before_rate_limit(request, response)
+        limit  = (ENV["TINA4_RATE_LIMIT"]  || 100).to_i
+        window = (ENV["TINA4_RATE_WINDOW"] || 60).to_i
+        ip = request.ip || "unknown"
+        now = Time.now
+
+        cleanup_if_needed(now, window)
+
+        @mutex.synchronize do
+          @store[ip] ||= []
+          entries = @store[ip]
+
+          # Sliding window -- drop expired timestamps
+          cutoff = now - window
+          entries.reject! { |t| t < cutoff }
+
+          if entries.length >= limit
+            oldest = entries.first
+            retry_after = [(oldest + window - now).ceil, 1].max
+
+            response.headers["X-RateLimit-Limit"]     = limit.to_s
+            response.headers["X-RateLimit-Remaining"]  = "0"
+            response.headers["X-RateLimit-Reset"]      = (oldest + window).to_i.to_s
+            response.headers["Retry-After"]            = retry_after.to_s
+            response.json({ error: "Too Many Requests", retry_after: retry_after }, 429)
+
+            return [request, response]
+          end
+
+          entries << now
+
+          response.headers["X-RateLimit-Limit"]     = limit.to_s
+          response.headers["X-RateLimit-Remaining"]  = (limit - entries.length).to_s
+          response.headers["X-RateLimit-Reset"]      = (now + window).to_i.to_s
+        end
+
+        [request, response]
+      end
+
+      # Allow resetting state (useful in tests)
+      def reset!
+        @mutex.synchronize { @store.clear }
+      end
+
+      private
+
+      def cleanup_if_needed(now, window)
+        return if now - @last_cleanup < window
+
+        @mutex.synchronize do
+          return if now - @last_cleanup < window
+
+          cutoff = now - window
+          @store.delete_if do |_ip, entries|
+            entries.reject! { |t| t < cutoff }
+            entries.empty?
+          end
+          @last_cleanup = now
+        end
+      end
+    end
+  end
+
+  # RequestLoggerMiddleware -- logs method, path, and elapsed time for every request.
+  class RequestLoggerMiddleware
+    @request_times = {}
+    @mutex = Mutex.new
+
+    class << self
+      def before_log(request, response)
+        request_key = "#{request.object_id}"
+        @mutex.synchronize do
+          @request_times[request_key] = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+        end
+        [request, response]
+      end
+
+      def after_log(request, response)
+        request_key = "#{request.object_id}"
+        start_time = @mutex.synchronize { @request_times.delete(request_key) }
+
+        if start_time
+          elapsed_ms = ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - start_time) * 1000).round(3)
+        else
+          elapsed_ms = 0.0
+        end
+
+        Tina4::Log.info("[RequestLogger] #{request.method} #{request.path} -> #{response.status_code} (#{elapsed_ms}ms)")
+        [request, response]
+      end
+
+      def reset!
+        @mutex.synchronize { @request_times.clear }
+      end
+    end
+  end
+
+  # CsrfMiddleware -- validates form tokens on state-changing requests.
+  #
+  # Off by default -- only active when TINA4_CSRF=true in .env or when
+  # registered explicitly via Router.use(CsrfMiddleware).
+  #
+  # Behaviour:
+  #   - Skips GET, HEAD, OPTIONS requests.
+  #   - Skips routes marked .no_auth.
+  #   - Skips requests with a valid Authorization: Bearer header (API clients).
+  #   - Checks request.body["formToken"] then request.headers["X-Form-Token"].
+  #   - Rejects if token found in request.query["formToken"] (log warning, 403).
+  #   - Validates token with Auth.valid_token using SECRET env var.
+  #   - If token payload has session_id, verifies it matches request.session.session_id.
+  #   - Returns 403 with response.json({error: "CSRF_INVALID", message: ...}, 403) on failure.
+  class CsrfMiddleware
+    class << self
+      def before_csrf(request, response)
+        # Allow disabling CSRF via env var
+        csrf_env = ENV["TINA4_CSRF"].to_s.downcase
+        return [request, response] if %w[false 0 no].include?(csrf_env)
+
+        # Skip safe HTTP methods
+        method = (request.method || "GET").upcase
+        return [request, response] if %w[GET HEAD OPTIONS].include?(method)
+
+        # Skip routes marked no_auth
+        handler = request.respond_to?(:handler) ? request.handler : nil
+        if handler
+          no_auth = if handler.is_a?(Hash)
+                      handler[:no_auth] || handler[:noAuth]
+                    elsif handler.respond_to?(:no_auth)
+                      handler.no_auth
+                    end
+          return [request, response] if no_auth
+        end
+
+        # Skip requests with valid Bearer token (API clients)
+        headers = request.respond_to?(:headers) ? request.headers : {}
+        auth_header = headers["authorization"] || headers["Authorization"] || ""
+        if auth_header.start_with?("Bearer ")
+          bearer_token = auth_header[7..].strip
+          unless bearer_token.empty?
+            payload = Tina4::Auth.valid_token(bearer_token)
+            return [request, response] if payload
+          end
+        end
+
+        # Reject if token is in query string (security risk)
+        query = if request.respond_to?(:params)
+                  request.params
+                elsif request.respond_to?(:query)
+                  request.query
+                else
+                  {}
+                end
+        query ||= {}
+
+        if query.is_a?(Hash) && query["formToken"] && !query["formToken"].to_s.empty?
+          Tina4::Log.warning("[CSRF] Token found in query string — rejected for security")
+          response.json({ error: "CSRF_INVALID", message: "Form token must not be sent in the URL query string" }, 403)
+          return [request, response]
+        end
+
+        # Extract token: body first, then header
+        token = nil
+        body = request.respond_to?(:body) ? request.body : nil
+        body ||= {}
+        token = body["formToken"] if body.is_a?(Hash)
+
+        if token.nil? || token.to_s.empty?
+          token = headers["X-Form-Token"] || headers["x-form-token"] || ""
+        end
+
+        if token.nil? || token.to_s.empty?
+          response.json({ error: "CSRF_INVALID", message: "Invalid or missing form token" }, 403)
+          return [request, response]
+        end
+
+        # Validate the token
+        payload = Tina4::Auth.valid_token(token.to_s)
+
+        if payload.nil?
+          response.json({ error: "CSRF_INVALID", message: "Invalid or missing form token" }, 403)
+          return [request, response]
+        end
+
+        # Session binding — if token has session_id, verify it matches
+        token_session_id = payload["session_id"]
+        if token_session_id
+          current_session_id = nil
+          session = request.respond_to?(:session) ? request.session : nil
+          if session
+            current_session_id = if session.respond_to?(:session_id)
+                                   session.session_id
+                                 elsif session.is_a?(Hash)
+                                   session["session_id"]
+                                 elsif session.respond_to?(:get)
+                                   session.get("session_id")
+                                 end
+          end
+
+          if current_session_id && token_session_id != current_session_id
+            response.json({ error: "CSRF_INVALID", message: "Invalid or missing form token" }, 403)
+            return [request, response]
+          end
+        end
+
+        [request, response]
+      end
+    end
+  end
+
+  # SecurityHeadersMiddleware -- injects security headers on every response.
+  # Config via env:
+  #   TINA4_FRAME_OPTIONS       — X-Frame-Options (default: SAMEORIGIN)
+  #   TINA4_HSTS                — Strict-Transport-Security max-age (default: "" = off)
+  #   TINA4_CSP                 — Content-Security-Policy (default: "default-src 'self'")
+  #   TINA4_REFERRER_POLICY     — Referrer-Policy (default: strict-origin-when-cross-origin)
+  #   TINA4_PERMISSIONS_POLICY  — Permissions-Policy (default: camera=(), microphone=(), geolocation=())
+  class SecurityHeadersMiddleware
+    class << self
+      def before_security(request, response)
+        response.headers["X-Frame-Options"] = ENV["TINA4_FRAME_OPTIONS"] || "SAMEORIGIN"
+        response.headers["X-Content-Type-Options"] = "nosniff"
+
+        hsts = ENV["TINA4_HSTS"] || ""
+        unless hsts.empty?
+          response.headers["Strict-Transport-Security"] = "max-age=#{hsts}; includeSubDomains"
+        end
+
+        response.headers["Content-Security-Policy"] = ENV["TINA4_CSP"] || "default-src 'self'"
+        response.headers["Referrer-Policy"] = ENV["TINA4_REFERRER_POLICY"] || "strict-origin-when-cross-origin"
+        response.headers["X-XSS-Protection"] = "0"
+        response.headers["Permissions-Policy"] = ENV["TINA4_PERMISSIONS_POLICY"] || "camera=(), microphone=(), geolocation=()"
+
+        [request, response]
+      end
     end
   end
 end

data/lib/tina4/migration.rb

@@ -9,7 +9,7 @@ module Tina4
 
     def initialize(db, migrations_dir: nil)
       @db = db
-      @migrations_dir = migrations_dir || File.join(Dir.pwd, "src", "migrations")
+      @migrations_dir = migrations_dir || resolve_migrations_dir
       ensure_tracking_table
     end
 
@@ -89,14 +89,28 @@ module Tina4
 
     private
 
+    # Resolve migrations directory: prefer src/migrations, fall back to migrations/
+    def resolve_migrations_dir
+      src_dir = File.join(Dir.pwd, "src", "migrations")
+      return src_dir if Dir.exist?(src_dir)
+
+      root_dir = File.join(Dir.pwd, "migrations")
+      return root_dir if Dir.exist?(root_dir)
+
+      # Default to src/migrations (will be created when needed)
+      src_dir
+    end
+
     def ensure_tracking_table
       unless @db.table_exists?(TRACKING_TABLE)
         @db.execute(<<~SQL)
           CREATE TABLE #{TRACKING_TABLE} (
             id INTEGER PRIMARY KEY,
             migration_name VARCHAR(255) NOT NULL,
+            description VARCHAR(255) DEFAULT '',
             batch INTEGER NOT NULL DEFAULT 1,
-            executed_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+            executed_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            passed INTEGER NOT NULL DEFAULT 1
           )
         SQL
         Tina4::Log.info("Created migrations tracking table")
@@ -104,17 +118,17 @@ module Tina4
     end
 
     def completed_migrations
-      result = @db.fetch("SELECT migration_name FROM #{TRACKING_TABLE} ORDER BY id")
+      result = @db.fetch("SELECT migration_name FROM #{TRACKING_TABLE} WHERE passed = 1 ORDER BY id")
       result.map { |r| r[:migration_name] }
     end
 
     def completed_migrations_with_batch
-      result = @db.fetch("SELECT id, migration_name, batch FROM #{TRACKING_TABLE} ORDER BY id")
+      result = @db.fetch("SELECT id, migration_name, batch FROM #{TRACKING_TABLE} WHERE passed = 1 ORDER BY id")
       result.map { |r| { id: r[:id], migration_name: r[:migration_name], batch: r[:batch] } }
     end
 
     def next_batch_number
-      result = @db.fetch_one("SELECT MAX(batch) as max_batch FROM #{TRACKING_TABLE}")
+      result = @db.fetch_one("SELECT MAX(batch) as max_batch FROM #{TRACKING_TABLE} WHERE passed = 1")
       (result && result[:max_batch] ? result[:max_batch].to_i : 0) + 1
     end
 
@@ -123,12 +137,24 @@ module Tina4
 
       completed = completed_migrations
       # Support both .rb and .sql migration files
+      # Accept both 000001_name.sql (sequential) and YYYYMMDDHHMMSS_name.sql (timestamp) patterns
       Dir.glob(File.join(@migrations_dir, "*.{rb,sql}"))
          .reject { |f| f.end_with?(".down.sql") }
-         .sort
+         .sort_by { |f| migration_sort_key(File.basename(f)) }
          .reject { |f| completed.include?(File.basename(f)) }
     end
 
+    # Sort key that handles both 000001_name.sql and 20240315120000_name.sql patterns.
+    # Both are zero-padded numeric prefixes so alphabetical sorting works, but we
+    # extract the prefix explicitly to guarantee correct ordering when mixed.
+    def migration_sort_key(filename)
+      if filename =~ /\A(\d+)/
+        [$1.to_i, filename]
+      else
+        [0, filename]
+      end
+    end
+
     def run_migration(file, batch)
       name = File.basename(file)
       Tina4::Log.info("Running migration: #{name}")
@@ -138,10 +164,11 @@ module Tina4
         else
           execute_sql_file(file)
         end
-        record_migration(name, batch)
+        record_migration(name, batch, passed: 1)
         { name: name, status: "success" }
       rescue => e
         Tina4::Log.error("Migration failed: #{name} - #{e.message}")
+        record_migration(name, batch, passed: 0)
         { name: name, status: "failed", error: e.message }
       end
     end
@@ -181,17 +208,111 @@ module Tina4
       migration.__send__(direction, @db)
     end
 
+    # Split SQL into individual statements, handling:
+    # - $$ delimited stored procedure blocks
+    # - // delimited blocks
+    # - Block comments /* ... */
+    # - Line comments -- ...
+    # Matches the Python/Node.js approach: extract blocks first, split on ;, restore blocks.
+    def split_sql_statements(sql, delimiter = ";")
+      blocks = []
+
+      # Extract $$ ... $$ blocks (stored procedures, triggers, etc.)
+      processed = sql.gsub(/\$\$(.*?)\$\$/m) do
+        blocks << $~.to_s
+        "__BLOCK_#{blocks.length - 1}__"
+      end
+
+      # Extract // ... // blocks
+      processed = processed.gsub(/\/\/(.*?)\/\//m) do
+        blocks << $~.to_s
+        "__BLOCK_#{blocks.length - 1}__"
+      end
+
+      # Remove block comments (/* ... */) but not inside stored proc blocks (already extracted)
+      clean = processed.gsub(/\/\*.*?\*\//m, "")
+
+      statements = []
+      clean.split(delimiter).each do |stmt|
+        lines = []
+        stmt.split("\n").each do |line|
+          stripped = line.strip
+          next if stripped.empty? || stripped.start_with?("--")
+          # Remove inline comments (-- after SQL)
+          comment_pos = line.index("--")
+          line = line[0...comment_pos] if comment_pos && comment_pos >= 0
+          lines << line
+        end
+        cleaned = lines.join("\n").strip
+
+        # Restore block placeholders
+        blocks.each_with_index do |block, i|
+          cleaned = cleaned.gsub("__BLOCK_#{i}__", block)
+        end
+
+        statements << cleaned unless cleaned.empty?
+      end
+
+      statements
+    end
+
     def execute_sql_file(file)
       sql = File.read(file)
-      statements = sql.split(";").map(&:strip).reject(&:empty?)
+      statements = split_sql_statements(sql)
       statements.each do |stmt|
-        next if stmt.start_with?("--")
+        # Firebird lacks IF NOT EXISTS for ALTER TABLE ADD.
+        # Pre-check the system catalogue so duplicate columns are
+        # silently skipped instead of raising an error.
+        skip_reason = should_skip_for_firebird(stmt)
+        if skip_reason
+          Tina4::Log.info("Migration #{File.basename(file)}: #{skip_reason}")
+          next
+        end
         @db.execute(stmt)
       end
     end
 
-    def record_migration(name, batch)
-      @db.insert(TRACKING_TABLE, { migration_name: name, batch: batch })
+    # Regex to match ALTER TABLE <table> ADD <column> ...
+    ALTER_ADD_RE = /\A\s*ALTER\s+TABLE\s+(?:"([^"]+)"|(\S+))\s+ADD\s+(?:"([^"]+)"|(\S+))/i
+
+    def firebird?
+      @db.driver_name == "firebird"
+    end
+
+    # Check if a column already exists in a Firebird table via RDB$RELATION_FIELDS.
+    # Firebird stores unquoted identifiers in upper-case.
+    def firebird_column_exists?(table, column)
+      row = @db.fetch_one(
+        "SELECT 1 FROM RDB\$RELATION_FIELDS WHERE RDB\$RELATION_NAME = ? AND TRIM(RDB\$FIELD_NAME) = ?",
+        [table.upcase, column.upcase]
+      )
+      !row.nil?
+    end
+
+    # If stmt is an ALTER TABLE ... ADD on Firebird and the column already exists,
+    # returns a skip reason. Returns nil if the statement should execute normally.
+    def should_skip_for_firebird(stmt)
+      return nil unless firebird?
+
+      m = stmt.match(ALTER_ADD_RE)
+      return nil unless m
+
+      table = m[1] || m[2]
+      column = m[3] || m[4]
+
+      if firebird_column_exists?(table, column)
+        "Column #{column} already exists in #{table}, skipping"
+      end
+    end
+
+    def record_migration(name, batch, passed: 1)
+      # Extract description from filename (strip numeric prefix and extension)
+      stem = File.basename(name, File.extname(name))
+      desc = stem.sub(/\A\d+_/, "").tr("_", " ")
+      @db.execute(
+        "INSERT INTO #{TRACKING_TABLE} (migration_name, description, batch, passed) VALUES (?, ?, ?, ?)",
+        [name, desc, batch, passed]
+      )
     end
 
     def remove_migration_record(name)