tina4ruby 3.0.0 → 3.9.2

data/lib/tina4/rack_app.rb

@@ -19,6 +19,9 @@ module Tina4
                                  .select { |d| Dir.exist?(d) }
       fallback = Dir.exist?(FRAMEWORK_PUBLIC_DIR) ? [FRAMEWORK_PUBLIC_DIR] : []
       @static_roots = (project_roots + fallback).freeze
+
+      # Shared WebSocket engine for route-based WS handling
+      @websocket_engine = Tina4::WebSocket.new
     end
 
     def call(env)
@@ -29,6 +32,15 @@ module Tina4
       # Fast-path: OPTIONS preflight
       return Tina4::CorsMiddleware.preflight_response(env) if method == "OPTIONS"
 
+      # WebSocket upgrade — match against registered ws_routes
+      if websocket_upgrade?(env)
+        ws_result = Tina4::Router.find_ws_route(path)
+        if ws_result
+          ws_route, ws_params = ws_result
+          return handle_websocket_upgrade(env, ws_route, ws_params)
+        end
+      end
+
       # Dev dashboard routes (handled before anything else)
       if path.start_with?("/__dev")
         dev_response = Tina4::DevAdmin.handle_request(env)
@@ -88,23 +100,68 @@ module Tina4
         end
       end
 
+      # Save session and set cookie if session was used
+      if result && defined?(rack_response)
+        status, headers, body_parts = rack_response
+        request_obj = env["tina4.request"]
+        if request_obj&.instance_variable_get(:@session)
+          sess = request_obj.session
+          sess.save
+          sid = sess.id
+          cookie_val = (env["HTTP_COOKIE"] || "")[/tina4_session=([^;]+)/, 1]
+          if sid && sid != cookie_val
+            ttl = Integer(ENV.fetch("TINA4_SESSION_TTL", 3600))
+            headers["set-cookie"] = "tina4_session=#{sid}; Path=/; HttpOnly; SameSite=Lax; Max-Age=#{ttl}"
+          end
+          rack_response = [status, headers, body_parts]
+        end
+      end
+
       rack_response
     rescue => e
-      handle_500(e)
+      handle_500(e, env)
     end
 
     private
 
     def handle_route(env, route, path_params)
-      # Auth check
+      # Auth check (legacy per-route auth_handler)
       if route.auth_handler
         auth_result = route.auth_handler.call(env)
         return handle_403(env["PATH_INFO"] || "/") unless auth_result
       end
 
+      # Secure-by-default: enforce bearer-token auth on write routes
+      if route.auth_required
+        auth_header = env["HTTP_AUTHORIZATION"] || ""
+        token = auth_header =~ /\ABearer\s+(.+)\z/i ? Regexp.last_match(1) : nil
+
+        # API_KEY bypass — matches tina4_python behavior
+        api_key = ENV["TINA4_API_KEY"] || ENV["API_KEY"]
+        if api_key && !api_key.empty? && token == api_key
+          env["tina4.auth_payload"] = { "api_key" => true }
+        elsif token
+          payload = Tina4::Auth.valid_token(token)
+          unless payload
+            return [401, { "content-type" => "application/json" }, [JSON.generate({ error: "Unauthorized" })]]
+          end
+          env["tina4.auth_payload"] = payload
+        else
+          return [401, { "content-type" => "application/json" }, [JSON.generate({ error: "Unauthorized" })]]
+        end
+      end
+
       request = Tina4::Request.new(env, path_params)
+      request.user = env["tina4.auth_payload"] if env["tina4.auth_payload"]
+      env["tina4.request"] = request  # Store for session save after response
       response = Tina4::Response.new
 
+      # Run global middleware (block-based + class-based before_* methods)
+      unless Tina4::Middleware.run_before(request, response)
+        # Middleware halted the request -- return whatever response was set
+        return response.to_rack
+      end
+
       # Run per-route middleware
       if route.respond_to?(:run_middleware)
         unless route.run_middleware(request, response)
@@ -112,8 +169,19 @@ module Tina4
         end
       end
 
-      # Execute handler
-      result = route.handler.call(request, response)
+      # Execute handler — inject path params by name, then request/response
+      handler_params = route.handler.parameters.map(&:last)
+      route_params = path_params || {}
+      args = handler_params.map do |name|
+        if route_params.key?(name)
+          route_params[name]
+        elsif name == :request || name == :req
+          request
+        else
+          response
+        end
+      end
+      result = args.empty? ? route.handler.call : route.handler.call(*args)
 
       # Template rendering: when a template is set and the handler returned a Hash,
       # render the template with the hash as data and return the HTML response.
@@ -125,6 +193,10 @@ module Tina4
 
       # Skip auto_detect if handler already returned the response object
       final_response = result.equal?(response) ? result : Tina4::Response.auto_detect(result, response)
+
+      # Run global after middleware (block-based + class-based after_* methods)
+      Tina4::Middleware.run_after(request, final_response)
+
       final_response.to_rack
     end
 
@@ -186,10 +258,12 @@ module Tina4
     end
 
     def handle_404(path)
-      # Show landing page for GET "/" when no user route or template index exists
-      if path == "/" && should_show_landing_page?
-        return render_landing_page
-      end
+      # Try serving a template file (e.g. /hello -> src/templates/hello.twig or hello.html)
+      template_response = try_serve_template(path)
+      return template_response if template_response
+
+      # Show landing page for GET "/"
+      return render_landing_page if path == "/"
 
       Tina4::Log.warning("404 Not Found: #{path}")
       body = Tina4::Template.render_error(404, { "path" => path }) rescue "404 Not Found"
@@ -202,6 +276,62 @@ module Tina4
       %w[index.html index.twig index.erb].none? { |f| File.file?(File.join(templates_dir, f)) }
     end
 
+    def try_serve_template(path)
+      tpl_file = resolve_template(path)
+      return nil unless tpl_file
+
+      templates_dir = File.join(@root_dir, "src", "templates")
+      body = Tina4::Template.render(tpl_file, {}) rescue File.read(File.join(templates_dir, tpl_file))
+      [200, { "content-type" => "text/html" }, [body]]
+    end
+
+    # Resolve a URL path to a template file.
+    # Dev mode: checks filesystem every time for live changes.
+    # Production: uses a cached lookup built once at startup.
+    def resolve_template(path)
+      clean_path = path.sub(%r{^/}, "")
+      clean_path = "index" if clean_path.empty?
+      is_dev = %w[true 1 yes].include?(ENV.fetch("TINA4_DEBUG", "false").downcase)
+
+      if is_dev
+        templates_dir = File.join(@root_dir, "src", "templates")
+        %w[.twig .html].each do |ext|
+          candidate = clean_path + ext
+          return candidate if File.file?(File.join(templates_dir, candidate))
+        end
+        return nil
+      end
+
+      # Production: cached lookup
+      @template_cache ||= build_template_cache
+      @template_cache[clean_path]
+    end
+
+    def build_template_cache
+      cache = {}
+      templates_dir = File.join(@root_dir, "src", "templates")
+      return cache unless File.directory?(templates_dir)
+
+      Dir.glob(File.join(templates_dir, "**", "*.{twig,html}")).each do |f|
+        rel = f.sub(templates_dir + File::SEPARATOR, "").tr("\\", "/")
+        url_path = rel.sub(/\.(twig|html)$/, "")
+        cache[url_path] ||= rel
+      end
+      cache
+    end
+
+    def try_serve_index_template
+      templates_dir = File.join(@root_dir, "src", "templates")
+      %w[index.html index.twig index.erb].each do |f|
+        path = File.join(templates_dir, f)
+        if File.file?(path)
+          body = Tina4::Template.render(f, {}) rescue File.read(path)
+          return [200, { "content-type" => "text/html" }, [body]]
+        end
+      end
+      nil
+    end
+
     def render_landing_page
       port = ENV["PORT"] || "7145"
 
@@ -350,7 +480,22 @@ module Tina4
                     btn.disabled = false;
                     btn.textContent = 'Deploy & Try';
                 } else {
-                    window.location.href = tryUrl;
+                    // Wait for the newly deployed route to become reachable before navigating
+                    var attempts = 0;
+                    var maxAttempts = 5;
+                    function pollRoute() {
+                        fetch(tryUrl, {method: 'HEAD'}).then(function() {
+                            window.location.href = tryUrl;
+                        }).catch(function() {
+                            attempts++;
+                            if (attempts < maxAttempts) {
+                                setTimeout(pollRoute, 500);
+                            } else {
+                                window.location.href = tryUrl;
+                            }
+                        });
+                    }
+                    setTimeout(pollRoute, 500);
                 }
             }).catch(function(e) {
                 alert('Deploy error: ' + e.message);
@@ -388,12 +533,12 @@ module Tina4
       [200, { "content-type" => "text/html; charset=utf-8" }, [html]]
     end
 
-    def handle_500(error)
+    def handle_500(error, env = nil)
       Tina4::Log.error("500 Internal Server Error: #{error.message}")
       Tina4::Log.error(error.backtrace&.first(10)&.join("\n"))
       if dev_mode?
         # Rich error overlay with stack trace, source context, and line numbers
-        body = Tina4::ErrorOverlay.render(error)
+        body = Tina4::ErrorOverlay.render(error, request: env)
       else
         body = Tina4::Template.render_error(500, {
           "error_message" => "#{error.message}\n#{error.backtrace&.first(10)&.join("\n")}",
@@ -407,6 +552,50 @@ module Tina4
       Tina4::Env.truthy?(ENV["TINA4_DEBUG"])
     end
 
+    def websocket_upgrade?(env)
+      upgrade = env["HTTP_UPGRADE"] || ""
+      upgrade.downcase == "websocket"
+    end
+
+    def handle_websocket_upgrade(env, ws_route, ws_params)
+      # Rack hijack is required for WebSocket upgrades
+      unless env["rack.hijack"]
+        Tina4::Log.warning("WebSocket upgrade requested but rack.hijack not available")
+        return [426, { "content-type" => "text/plain" }, ["WebSocket upgrade requires rack.hijack support"]]
+      end
+
+      env["rack.hijack"].call
+      socket = env["rack.hijack_io"]
+
+      # Wire the route handler into the WebSocket engine events
+      handler = ws_route.handler
+
+      # Create a dedicated WebSocket engine for this route so handlers stay isolated
+      ws = Tina4::WebSocket.new
+
+      ws.on(:open) do |connection|
+        connection.params = ws_params
+        handler.call(connection, :open, nil)
+      end
+
+      ws.on(:message) do |connection, data|
+        handler.call(connection, :message, data)
+      end
+
+      ws.on(:close) do |connection|
+        handler.call(connection, :close, nil)
+      end
+
+      ws.on(:error) do |connection, error|
+        Tina4::Log.error("WebSocket error on #{ws_route.path}: #{error.message}")
+      end
+
+      ws.handle_upgrade(env, socket)
+
+      # Return async response (-1 signals Rack the response is handled via hijack)
+      [-1, {}, []]
+    end
+
     def inject_dev_overlay(body, request_info)
       version = Tina4::VERSION
       method = request_info[:method]

data/lib/tina4/request.rb

@@ -6,6 +6,12 @@ module Tina4
   class Request
     attr_reader :env, :method, :path, :query_string, :content_type,
                 :path_params, :ip
+    attr_accessor :user
+
+    # Maximum upload size in bytes (default 10 MB). Override via TINA4_MAX_UPLOAD_SIZE env var.
+    TINA4_MAX_UPLOAD_SIZE = Integer(ENV.fetch("TINA4_MAX_UPLOAD_SIZE", 10_485_760))
+
+    class PayloadTooLarge < StandardError; end
 
     def initialize(env, path_params = {})
       @env = env
@@ -15,6 +21,13 @@ module Tina4
       @content_type = env["CONTENT_TYPE"] || ""
       @path_params = path_params
 
+      # Check upload size limit
+      content_length = (env["CONTENT_LENGTH"] || 0).to_i
+      if content_length > TINA4_MAX_UPLOAD_SIZE
+        raise PayloadTooLarge,
+          "Request body (#{content_length} bytes) exceeds TINA4_MAX_UPLOAD_SIZE (#{TINA4_MAX_UPLOAD_SIZE} bytes)"
+      end
+
       # Client IP with X-Forwarded-For support
       @ip = extract_client_ip
 
@@ -52,7 +65,7 @@ module Tina4
     end
 
     def session
-      @session ||= @env["tina4.session"] || {}
+      @session ||= Tina4::Session.new(@env)
     end
 
     # Raw body string

data/lib/tina4/response.rb

@@ -110,6 +110,32 @@ module Tina4
       self
     end
 
+    # Standard error response envelope.
+    #
+    # Usage:
+    #   response.error("VALIDATION_FAILED", "Email is required", 400)
+    #
+    def error(code, message, status_code = 400)
+      @status_code = status_code
+      @headers["content-type"] = JSON_CONTENT_TYPE
+      @body = JSON.generate({
+        error: true,
+        code: code,
+        message: message,
+        status: status_code
+      })
+      self
+    end
+
+    # Build a standard error envelope hash (class method).
+    #
+    # Usage:
+    #   response.json(Tina4::Response.error_envelope("NOT_FOUND", "Resource not found", 404), status: 404)
+    #
+    def self.error_envelope(code, message, status = 400)
+      { error: true, code: code, message: message, status: status }
+    end
+
     # Chainable header setter
     def header(name, value = nil)
       if value.nil?