tina4ruby 3.13.2 → 3.13.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a9136344be97c23d23b85f26a14f5a992cf7df49c16ff6d8a60c928461ab222b
-  data.tar.gz: ea8eb37ac2e183ff58551b4e513e37359075dd1aab8672ea16a02d99acae9980
+  metadata.gz: f850a40f190c65782dd6f995b210335fa8b5c230c241b7d7031e34c0118f5d9e
+  data.tar.gz: 15a8e7d8cfdadd898917d1604d64cfd3f84dcc83838f5c4bf2a7f2c7ec66df3c
 SHA512:
-  metadata.gz: 1317a3d0298906f4470f46cb86288b1b0573364028b7d15244aa04447b69509132c7f443924368c75bb1461b146ff93ca5d0d8a418fa29825eb120221c72e135
-  data.tar.gz: fadb37d5d3a570212a75eb5f683fbf78bfe4af0e78128d96fb293c355c66631bd3bfad570a3d320e47c30da2209ec01ebacfe2be26edc1dc2c7dec13a819c0d0
+  metadata.gz: a457acd04c35cfd41a88def3fae8717b054a131fdd674d00eff2eda4bdc5a6084918b5f40622090613f7009eb7007b0135ff0b0cb3df0749d1def6b7ca0834cd
+  data.tar.gz: 65d449d0775ed2599739c7fceffe4f74fa1b0c488cb85a09e257070a3b6c1aa59c85e4d56a5bf0a84c6ad239b2e729099b29c8b9d5edf1719bf59738fe8852af

data/lib/tina4/env.rb

@@ -83,6 +83,14 @@ module Tina4
       "TINA4_SECRET" => "tina4-secret-change-me"
     }.freeze
 
+    # Typed env-var coercion — parity with tina4_python's Env class,
+    # tina4-php's Tina4\Env, and tina4-nodejs's Env. Truthy values
+    # (case-insensitive after strip): "1", "true", "on", "yes", "y", "t".
+    # Falsy: "0", "false", "off", "no", "n", "f", empty string. Anything
+    # else falls through to default.
+    TRUTHY = %w[1 true on yes y t].freeze
+    FALSY  = %w[0 false off no n f].freeze
+
     # Check if a value is truthy for env boolean checks.
     #
     # Accepts: "true", "True", "TRUE", "1", "yes", "Yes", "YES", "on", "On", "ON".
@@ -91,6 +99,58 @@ module Tina4
       %w[true 1 yes on].include?(val.to_s.strip.downcase)
     end
 
+    # Read an env var and coerce to Boolean. Returns +default+ when the
+    # var is unset or holds a value outside the TRUTHY/FALSY tables.
+    # Never raises — bad input falls through to default.
+    def self.bool(name, default: false)
+      raw = ENV[name.to_s]
+      return default if raw.nil?
+      token = raw.strip.downcase
+      return true  if TRUTHY.include?(token)
+      return false if FALSY.include?(token) || token.empty?
+      default
+    end
+
+    # Read an env var and coerce to Integer. Logs a warning via Tina4::Log
+    # (if loaded) and returns +default+ on parse failure. Never raises.
+    def self.int(name, default: 0)
+      raw = ENV[name.to_s]
+      return default if raw.nil?
+      Integer(raw.strip)
+    rescue ArgumentError, TypeError
+      log_warning("Env.int(#{name.inspect}): could not parse #{raw.inspect} as Integer — using default #{default.inspect}")
+      default
+    end
+
+    # Read an env var and coerce to Float. Logs a warning via Tina4::Log
+    # (if loaded) and returns +default+ on parse failure. Never raises.
+    def self.float(name, default: 0.0)
+      raw = ENV[name.to_s]
+      return default if raw.nil?
+      Float(raw.strip)
+    rescue ArgumentError, TypeError
+      log_warning("Env.float(#{name.inspect}): could not parse #{raw.inspect} as Float — using default #{default.inspect}")
+      default
+    end
+
+    # Read an env var as a String. Returns +default+ when unset.
+    # Whitespace is preserved — this is a pass-through for the raw env value,
+    # matching Python's Env.str semantics.
+    def self.str(name, default: "")
+      raw = ENV[name.to_s]
+      return default if raw.nil?
+      raw
+    end
+
+    # Emit a warning via Tina4::Log without creating a load-order dependency.
+    # Mirrors Python's Env._log_warning: silently skip if Log isn't loaded.
+    def self.log_warning(message)
+      Tina4::Log.warning(message) if defined?(Tina4::Log)
+    rescue NameError, StandardError
+      # Log not wired up yet (very early bootstrap) — swallow.
+    end
+    private_class_method :log_warning
+
     class << self
       def load_env(root_dir = Dir.pwd)
         env_file = resolve_env_file(root_dir)

data/lib/tina4/log.rb

@@ -203,8 +203,10 @@ module Tina4
         ts = utc_timestamp
         rid = get_request_id
         rid_str = rid ? " [#{rid}]" : ""
+        fn = caller_name
+        fn_str = fn ? " [#{fn}]" : ""
         ctx = @current_context && !@current_context.empty? ? " #{JSON.generate(@current_context)}" : ""
-        "#{ts} [#{level_str.ljust(7)}]#{rid_str} #{message}#{ctx}"
+        "#{ts} [#{level_str.ljust(7)}]#{rid_str}#{fn_str} #{message}#{ctx}"
       end
 
       def json_line(level, message)
@@ -216,10 +218,46 @@ module Tina4
         }
         rid = get_request_id
         entry[:request_id] = rid if rid
+        fn = caller_name
+        entry[:function] = fn if fn
         entry[:context] = @current_context if @current_context && !@current_context.empty?
         JSON.generate(entry)
       end
 
+      # Names that belong to Log itself — walk past them so the reported
+      # frame is the real caller (e.g. the route handler or service
+      # method that called Log.info). Kept as a Set for O(1) lookup.
+      OWN_FRAMES = %w[
+        caller_name format_line json_line log colorize write_to_file
+        debug info warning error critical
+      ].freeze
+
+      # Names that are noise — Ruby block labels, lambdas, top-level
+      # script frames. We skip these the same way Python skips <module>
+      # and <lambda>.
+      NOISE_FRAME_RE = /\A(?:block(?: \(\d+ levels\))? in |<top \(required\)>|<main>)/
+
+      # Return the name of the function that called Log.{debug,info,warning,error}.
+      # Active only when TINA4_LOG_FUNC=true (parity feature #41).
+      # Returns nil on any error so it never crashes a log call.
+      def caller_name
+        return nil unless Tina4::Env.bool("TINA4_LOG_FUNC")
+
+        # caller_locations(2, 16) skips this method + log() and gives us
+        # up to 16 frames to walk. We bail out the moment we hit a frame
+        # whose base_label isn't in OWN_FRAMES and isn't a block label.
+        locs = caller_locations(2, 16) || []
+        locs.each do |loc|
+          label = loc.base_label.to_s
+          next if OWN_FRAMES.include?(label)
+          next if label.empty? || NOISE_FRAME_RE.match?(label)
+          return label
+        end
+        nil
+      rescue StandardError
+        nil
+      end
+
       def colorize(level, line)
         color = case level
                 when :debug   then COLORS[:cyan]

data/lib/tina4/rack_app.rb

@@ -317,19 +317,43 @@ module Tina4
         end
       end
 
-      # Execute handler — inject path params by name, then request/response
+      # Build the route-handler call as a lambda so function-style
+      # middleware can wrap it. Path params are still bound by name —
+      # the continuation just forwards the (possibly-mutated)
+      # request/response pair the outer middleware chose to pass in.
       handler_params = route.handler.parameters.map(&:last)
       route_params = path_params || {}
-      args = handler_params.map do |name|
-        if route_params.key?(name)
-          route_params[name]
-        elsif name == :request || name == :req
-          request
-        else
-          response
+      invoke_handler = lambda do |req, resp|
+        args = handler_params.map do |name|
+          if route_params.key?(name)
+            route_params[name]
+          elsif name == :request || name == :req
+            req
+          else
+            resp
+          end
+        end
+        args.empty? ? route.handler.call : route.handler.call(*args)
+      end
+
+      # Fold any function-style middleware on this route into a
+      # Russian-doll chain wrapping the handler. First declared is the
+      # outermost layer — it receives the request first, calls
+      # next_handler to descend, and runs its "after" code on the way
+      # out. Class-based middleware (before_*/after_*) is handled
+      # separately by run_middleware above and never goes through here.
+      # tina4-book#141 PY-10-01 (cross-framework parity).
+      fn_mws = route.respond_to?(:function_middleware) ? route.function_middleware : []
+      if fn_mws.empty?
+        result = invoke_handler.call(request, response)
+      else
+        chain = invoke_handler
+        fn_mws.reverse_each do |mw|
+          inner = chain
+          chain = lambda { |req, resp| mw.call(req, resp, inner) }
         end
+        result = chain.call(request, response)
       end
-      result = args.empty? ? route.handler.call : route.handler.call(*args)
 
       # Template rendering: when a template is set and the handler returned a Hash,
       # render the template with the hash as data and return the HTML response.

data/lib/tina4/request.rb

@@ -35,6 +35,63 @@ module Tina4
     end
   end
 
+  # Hash subclass for HTTP headers — string keys are case-insensitive.
+  #
+  # HTTP header field-names are case-insensitive per RFC 7230 §3.2. With
+  # this class, request.headers["Content-Type"], .headers["content-type"],
+  # and .headers["CONTENT-TYPE"] all return the same value. Keys are
+  # stored lowercase internally.
+  #
+  # Cross-framework parity: same behaviour ships in tina4-python
+  # (CaseInsensitiveDict), tina4-php (Tina4\Request), tina4-nodejs
+  # (Tina4Request). tina4-book#141 PY-10-03 — chapter 10 examples
+  # documented headers["Content-Type"] for years; this makes them work.
+  class CaseInsensitiveHash < Hash
+    def [](key)
+      super(normalize_key(key))
+    end
+
+    def []=(key, value)
+      super(normalize_key(key), value)
+    end
+
+    def fetch(key, *args, &block)
+      super(normalize_key(key), *args, &block)
+    end
+
+    def key?(key)
+      super(normalize_key(key))
+    end
+    alias has_key? key?
+    alias include?  key?
+    alias member?   key?
+
+    def delete(key, &block)
+      super(normalize_key(key), &block)
+    end
+
+    def store(key, value)
+      super(normalize_key(key), value)
+    end
+
+    def merge(other)
+      result = dup
+      other.each { |k, v| result[k] = v }
+      result
+    end
+
+    def merge!(other)
+      other.each { |k, v| self[k] = v }
+      self
+    end
+
+    private
+
+    def normalize_key(key)
+      key.is_a?(String) ? key.downcase : key
+    end
+  end
+
   class Request
     attr_reader :env, :method, :path, :query_string, :content_type,
                 :path_params, :ip
@@ -139,7 +196,10 @@ module Tina4
     end
 
     def header(name)
-      headers[name.to_s.downcase.gsub("-", "_")]
+      # Headers are stored in a CaseInsensitiveHash keyed by lowercase-
+      # dashed names ("content-type", "x-api-key"). The hash normalises
+      # the lookup case automatically, so pass the dashed form through.
+      headers[name.to_s.tr("_", "-")]
     end
 
     def json_body
@@ -169,12 +229,22 @@ module Tina4
     end
 
     def extract_headers
-      h = {}
+      h = CaseInsensitiveHash.new
       @env.each do |key, value|
         if key.start_with?("HTTP_")
-          h[key[5..-1].downcase] = value
+          # Rack normalises "Content-Type" to "HTTP_CONTENT_TYPE" — we
+          # store as "content-type" (lowercase, dashed) so both
+          # headers["Content-Type"] and the legacy headers["content_type"]
+          # via the `header()` helper resolve to the same value. The
+          # CaseInsensitiveHash handles the case-insensitive part.
+          h[key[5..-1].tr("_", "-").downcase] = value
         end
       end
+      # CONTENT_TYPE / CONTENT_LENGTH live at the top level of the Rack
+      # env (no HTTP_ prefix per the Rack spec) — surface them too so
+      # request.headers["Content-Type"] works for POST bodies.
+      h["content-type"] = @env["CONTENT_TYPE"] if @env["CONTENT_TYPE"] && !@env["CONTENT_TYPE"].empty?
+      h["content-length"] = @env["CONTENT_LENGTH"] if @env["CONTENT_LENGTH"] && !@env["CONTENT_LENGTH"].to_s.empty?
       h
     end
 

data/lib/tina4/router.rb

@@ -17,9 +17,11 @@ module Tina4
       @swagger_meta = swagger_meta
       @middleware = middleware.freeze
       @template = template&.freeze
-      # Write routes are secure by default, unless custom middleware is registered
-      # (developer handles auth themselves via middleware)
-      @auth_required = %w[POST PUT PATCH DELETE].include?(@method) && middleware.empty?
+      # Write routes are secure by default — bearer-token auth is enforced
+      # on POST/PUT/PATCH/DELETE regardless of attached middleware.
+      # Middleware is additive, never an auth bypass. tina4-book#141
+      # PY-10-02. Call .no_auth on the route to opt out explicitly.
+      @auth_required = %w[POST PUT PATCH DELETE].include?(@method)
       @cached = false
       @param_names = []
       @path_regex = compile_pattern(@path)
@@ -50,13 +52,18 @@ module Tina4
     # Dual-mode: getter (no args) returns the middleware array;
     # setter (with args) appends middleware and returns self for chaining.
     # Router.post("/api") { ... }.middleware(AuthMiddleware)
+    #
+    # Middleware is purely additive — registering middleware NEVER flips
+    # @auth_required off. The secure-by-default gate for write methods
+    # (POST/PUT/PATCH/DELETE) stays in effect; if a route truly wants to
+    # opt out of the built-in bearer check, call .no_auth explicitly.
+    # tina4-book#141 PY-10-02 — previously, attaching ANY middleware
+    # silently turned off auth_required, which let attackers bypass auth
+    # by routing through a logging middleware. Cross-framework parity.
     def middleware(*middleware_classes)
       return @middleware if middleware_classes.empty?
 
       @middleware = @middleware.dup + middleware_classes
-      # Custom middleware means developer handles auth — disable built-in gate
-      # unless .secure was explicitly called.
-      @auth_required = false unless @auth_required
       self
     end
 
@@ -83,15 +90,50 @@ module Tina4
       end
     end
 
-    # Run per-route middleware chain; returns true if all pass
+    # Run per-route CLASS-based middleware. Function-style middleware
+    # (Proc/Lambda taking 3+ args: req, resp, next_handler) is skipped
+    # here — it's dispatched separately via #function_middleware which
+    # wraps the route handler in a continuation chain (see rack_app.rb).
+    #
+    # Returns true if all class-based middleware passed, false if any
+    # returned literal false (halt request).
     def run_middleware(request, response)
       @middleware.each do |mw|
+        next if Route.function_middleware?(mw)
         result = mw.call(request, response)
         return false if result == false
       end
       true
     end
 
+    # Function-style middleware attached to this route, in declaration
+    # order. The route dispatcher folds them into a Russian-doll
+    # continuation chain — first declared is the OUTERMOST layer (runs
+    # first on the way in, last on the way out). tina4-book#141
+    # PY-10-01 — chapter 10 documented 8+ examples of function middleware
+    # for years; before this fix the framework silently ignored them.
+    def function_middleware
+      @middleware.select { |mw| Route.function_middleware?(mw) }
+    end
+
+    # Detect Express/FastAPI-style function middleware.
+    #
+    # A Proc/Lambda/Method whose arity indicates 3+ positional params
+    # (req, resp, next_handler). Ruby arity quirk: required-args-only
+    # arity is non-negative; if the callable accepts a splat or
+    # optionals, arity is negated (-required-1). We treat arity >= 3
+    # OR arity <= -4 as function-style. Anything else (a class with
+    # before_*/after_* methods, or a 2-arg callable) is treated as
+    # class-style and goes through #run_middleware.
+    def self.function_middleware?(mw)
+      return false if mw.is_a?(Class) || mw.is_a?(Module)
+      return false unless mw.respond_to?(:arity)
+      ar = mw.arity
+      ar >= 3 || ar <= -4
+    rescue StandardError
+      false
+    end
+
     private
 
     def normalize_path(path)

data/lib/tina4/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Tina4
-  VERSION = "3.13.2"
+  VERSION = "3.13.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tina4ruby
 version: !ruby/object:Gem::Version
-  version: 3.13.2
+  version: 3.13.4
 platform: ruby
 authors:
 - Tina4 Team
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-06-03 00:00:00.000000000 Z
+date: 2026-06-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack