tina4ruby 3.2.1 → 3.9.2

data/lib/tina4/rack_app.rb

@@ -19,6 +19,9 @@ module Tina4
                                  .select { |d| Dir.exist?(d) }
       fallback = Dir.exist?(FRAMEWORK_PUBLIC_DIR) ? [FRAMEWORK_PUBLIC_DIR] : []
       @static_roots = (project_roots + fallback).freeze
+
+      # Shared WebSocket engine for route-based WS handling
+      @websocket_engine = Tina4::WebSocket.new
     end
 
     def call(env)
@@ -29,6 +32,15 @@ module Tina4
       # Fast-path: OPTIONS preflight
       return Tina4::CorsMiddleware.preflight_response(env) if method == "OPTIONS"
 
+      # WebSocket upgrade — match against registered ws_routes
+      if websocket_upgrade?(env)
+        ws_result = Tina4::Router.find_ws_route(path)
+        if ws_result
+          ws_route, ws_params = ws_result
+          return handle_websocket_upgrade(env, ws_route, ws_params)
+        end
+      end
+
       # Dev dashboard routes (handled before anything else)
       if path.start_with?("/__dev")
         dev_response = Tina4::DevAdmin.handle_request(env)
@@ -88,6 +100,23 @@ module Tina4
         end
       end
 
+      # Save session and set cookie if session was used
+      if result && defined?(rack_response)
+        status, headers, body_parts = rack_response
+        request_obj = env["tina4.request"]
+        if request_obj&.instance_variable_get(:@session)
+          sess = request_obj.session
+          sess.save
+          sid = sess.id
+          cookie_val = (env["HTTP_COOKIE"] || "")[/tina4_session=([^;]+)/, 1]
+          if sid && sid != cookie_val
+            ttl = Integer(ENV.fetch("TINA4_SESSION_TTL", 3600))
+            headers["set-cookie"] = "tina4_session=#{sid}; Path=/; HttpOnly; SameSite=Lax; Max-Age=#{ttl}"
+          end
+          rack_response = [status, headers, body_parts]
+        end
+      end
+
       rack_response
     rescue => e
       handle_500(e, env)
@@ -96,15 +125,43 @@ module Tina4
     private
 
     def handle_route(env, route, path_params)
-      # Auth check
+      # Auth check (legacy per-route auth_handler)
       if route.auth_handler
         auth_result = route.auth_handler.call(env)
         return handle_403(env["PATH_INFO"] || "/") unless auth_result
       end
 
+      # Secure-by-default: enforce bearer-token auth on write routes
+      if route.auth_required
+        auth_header = env["HTTP_AUTHORIZATION"] || ""
+        token = auth_header =~ /\ABearer\s+(.+)\z/i ? Regexp.last_match(1) : nil
+
+        # API_KEY bypass — matches tina4_python behavior
+        api_key = ENV["TINA4_API_KEY"] || ENV["API_KEY"]
+        if api_key && !api_key.empty? && token == api_key
+          env["tina4.auth_payload"] = { "api_key" => true }
+        elsif token
+          payload = Tina4::Auth.valid_token(token)
+          unless payload
+            return [401, { "content-type" => "application/json" }, [JSON.generate({ error: "Unauthorized" })]]
+          end
+          env["tina4.auth_payload"] = payload
+        else
+          return [401, { "content-type" => "application/json" }, [JSON.generate({ error: "Unauthorized" })]]
+        end
+      end
+
       request = Tina4::Request.new(env, path_params)
+      request.user = env["tina4.auth_payload"] if env["tina4.auth_payload"]
+      env["tina4.request"] = request  # Store for session save after response
       response = Tina4::Response.new
 
+      # Run global middleware (block-based + class-based before_* methods)
+      unless Tina4::Middleware.run_before(request, response)
+        # Middleware halted the request -- return whatever response was set
+        return response.to_rack
+      end
+
       # Run per-route middleware
       if route.respond_to?(:run_middleware)
         unless route.run_middleware(request, response)
@@ -112,21 +169,19 @@ module Tina4
         end
       end
 
-      # Execute handler — support (), (response), (request), or (request, response) signatures
-      # When 1 param: if named :request or :req, pass request; otherwise pass response
-      result = case route.handler.arity
-      when 0
-        route.handler.call
-      when 1
-        param_name = route.handler.parameters.first&.last
-        if param_name == :request || param_name == :req
-          route.handler.call(request)
+      # Execute handler — inject path params by name, then request/response
+      handler_params = route.handler.parameters.map(&:last)
+      route_params = path_params || {}
+      args = handler_params.map do |name|
+        if route_params.key?(name)
+          route_params[name]
+        elsif name == :request || name == :req
+          request
         else
-          route.handler.call(response)
+          response
         end
-      else
-        route.handler.call(request, response)
       end
+      result = args.empty? ? route.handler.call : route.handler.call(*args)
 
       # Template rendering: when a template is set and the handler returned a Hash,
       # render the template with the hash as data and return the HTML response.
@@ -138,6 +193,10 @@ module Tina4
 
       # Skip auto_detect if handler already returned the response object
       final_response = result.equal?(response) ? result : Tina4::Response.auto_detect(result, response)
+
+      # Run global after middleware (block-based + class-based after_* methods)
+      Tina4::Middleware.run_after(request, final_response)
+
       final_response.to_rack
     end
 
@@ -199,10 +258,12 @@ module Tina4
     end
 
     def handle_404(path)
-      # Show landing page for GET "/" when no user route or template index exists
-      if path == "/" && should_show_landing_page?
-        return render_landing_page
-      end
+      # Try serving a template file (e.g. /hello -> src/templates/hello.twig or hello.html)
+      template_response = try_serve_template(path)
+      return template_response if template_response
+
+      # Show landing page for GET "/"
+      return render_landing_page if path == "/"
 
       Tina4::Log.warning("404 Not Found: #{path}")
       body = Tina4::Template.render_error(404, { "path" => path }) rescue "404 Not Found"
@@ -215,6 +276,62 @@ module Tina4
       %w[index.html index.twig index.erb].none? { |f| File.file?(File.join(templates_dir, f)) }
     end
 
+    def try_serve_template(path)
+      tpl_file = resolve_template(path)
+      return nil unless tpl_file
+
+      templates_dir = File.join(@root_dir, "src", "templates")
+      body = Tina4::Template.render(tpl_file, {}) rescue File.read(File.join(templates_dir, tpl_file))
+      [200, { "content-type" => "text/html" }, [body]]
+    end
+
+    # Resolve a URL path to a template file.
+    # Dev mode: checks filesystem every time for live changes.
+    # Production: uses a cached lookup built once at startup.
+    def resolve_template(path)
+      clean_path = path.sub(%r{^/}, "")
+      clean_path = "index" if clean_path.empty?
+      is_dev = %w[true 1 yes].include?(ENV.fetch("TINA4_DEBUG", "false").downcase)
+
+      if is_dev
+        templates_dir = File.join(@root_dir, "src", "templates")
+        %w[.twig .html].each do |ext|
+          candidate = clean_path + ext
+          return candidate if File.file?(File.join(templates_dir, candidate))
+        end
+        return nil
+      end
+
+      # Production: cached lookup
+      @template_cache ||= build_template_cache
+      @template_cache[clean_path]
+    end
+
+    def build_template_cache
+      cache = {}
+      templates_dir = File.join(@root_dir, "src", "templates")
+      return cache unless File.directory?(templates_dir)
+
+      Dir.glob(File.join(templates_dir, "**", "*.{twig,html}")).each do |f|
+        rel = f.sub(templates_dir + File::SEPARATOR, "").tr("\\", "/")
+        url_path = rel.sub(/\.(twig|html)$/, "")
+        cache[url_path] ||= rel
+      end
+      cache
+    end
+
+    def try_serve_index_template
+      templates_dir = File.join(@root_dir, "src", "templates")
+      %w[index.html index.twig index.erb].each do |f|
+        path = File.join(templates_dir, f)
+        if File.file?(path)
+          body = Tina4::Template.render(f, {}) rescue File.read(path)
+          return [200, { "content-type" => "text/html" }, [body]]
+        end
+      end
+      nil
+    end
+
     def render_landing_page
       port = ENV["PORT"] || "7145"
 
@@ -363,7 +480,22 @@ module Tina4
                     btn.disabled = false;
                     btn.textContent = 'Deploy & Try';
                 } else {
-                    window.location.href = tryUrl;
+                    // Wait for the newly deployed route to become reachable before navigating
+                    var attempts = 0;
+                    var maxAttempts = 5;
+                    function pollRoute() {
+                        fetch(tryUrl, {method: 'HEAD'}).then(function() {
+                            window.location.href = tryUrl;
+                        }).catch(function() {
+                            attempts++;
+                            if (attempts < maxAttempts) {
+                                setTimeout(pollRoute, 500);
+                            } else {
+                                window.location.href = tryUrl;
+                            }
+                        });
+                    }
+                    setTimeout(pollRoute, 500);
                 }
             }).catch(function(e) {
                 alert('Deploy error: ' + e.message);
@@ -420,6 +552,50 @@ module Tina4
       Tina4::Env.truthy?(ENV["TINA4_DEBUG"])
     end
 
+    def websocket_upgrade?(env)
+      upgrade = env["HTTP_UPGRADE"] || ""
+      upgrade.downcase == "websocket"
+    end
+
+    def handle_websocket_upgrade(env, ws_route, ws_params)
+      # Rack hijack is required for WebSocket upgrades
+      unless env["rack.hijack"]
+        Tina4::Log.warning("WebSocket upgrade requested but rack.hijack not available")
+        return [426, { "content-type" => "text/plain" }, ["WebSocket upgrade requires rack.hijack support"]]
+      end
+
+      env["rack.hijack"].call
+      socket = env["rack.hijack_io"]
+
+      # Wire the route handler into the WebSocket engine events
+      handler = ws_route.handler
+
+      # Create a dedicated WebSocket engine for this route so handlers stay isolated
+      ws = Tina4::WebSocket.new
+
+      ws.on(:open) do |connection|
+        connection.params = ws_params
+        handler.call(connection, :open, nil)
+      end
+
+      ws.on(:message) do |connection, data|
+        handler.call(connection, :message, data)
+      end
+
+      ws.on(:close) do |connection|
+        handler.call(connection, :close, nil)
+      end
+
+      ws.on(:error) do |connection, error|
+        Tina4::Log.error("WebSocket error on #{ws_route.path}: #{error.message}")
+      end
+
+      ws.handle_upgrade(env, socket)
+
+      # Return async response (-1 signals Rack the response is handled via hijack)
+      [-1, {}, []]
+    end
+
     def inject_dev_overlay(body, request_info)
       version = Tina4::VERSION
       method = request_info[:method]

data/lib/tina4/request.rb

@@ -6,6 +6,12 @@ module Tina4
   class Request
     attr_reader :env, :method, :path, :query_string, :content_type,
                 :path_params, :ip
+    attr_accessor :user
+
+    # Maximum upload size in bytes (default 10 MB). Override via TINA4_MAX_UPLOAD_SIZE env var.
+    TINA4_MAX_UPLOAD_SIZE = Integer(ENV.fetch("TINA4_MAX_UPLOAD_SIZE", 10_485_760))
+
+    class PayloadTooLarge < StandardError; end
 
     def initialize(env, path_params = {})
       @env = env
@@ -15,6 +21,13 @@ module Tina4
       @content_type = env["CONTENT_TYPE"] || ""
       @path_params = path_params
 
+      # Check upload size limit
+      content_length = (env["CONTENT_LENGTH"] || 0).to_i
+      if content_length > TINA4_MAX_UPLOAD_SIZE
+        raise PayloadTooLarge,
+          "Request body (#{content_length} bytes) exceeds TINA4_MAX_UPLOAD_SIZE (#{TINA4_MAX_UPLOAD_SIZE} bytes)"
+      end
+
       # Client IP with X-Forwarded-For support
       @ip = extract_client_ip
 
@@ -52,7 +65,7 @@ module Tina4
     end
 
     def session
-      @session ||= @env["tina4.session"] || {}
+      @session ||= Tina4::Session.new(@env)
     end
 
     # Raw body string

data/lib/tina4/response.rb

@@ -110,6 +110,32 @@ module Tina4
       self
     end
 
+    # Standard error response envelope.
+    #
+    # Usage:
+    #   response.error("VALIDATION_FAILED", "Email is required", 400)
+    #
+    def error(code, message, status_code = 400)
+      @status_code = status_code
+      @headers["content-type"] = JSON_CONTENT_TYPE
+      @body = JSON.generate({
+        error: true,
+        code: code,
+        message: message,
+        status: status_code
+      })
+      self
+    end
+
+    # Build a standard error envelope hash (class method).
+    #
+    # Usage:
+    #   response.json(Tina4::Response.error_envelope("NOT_FOUND", "Resource not found", 404), status: 404)
+    #
+    def self.error_envelope(code, message, status = 400)
+      { error: true, code: code, message: message, status: status }
+    end
+
     # Chainable header setter
     def header(name, value = nil)
       if value.nil?

data/lib/tina4/router.rb

@@ -4,6 +4,7 @@ module Tina4
   class Route
     attr_reader :method, :path, :handler, :auth_handler, :swagger_meta,
                 :path_regex, :param_names, :middleware, :template
+    attr_accessor :auth_required, :cached
 
     def initialize(method, path, handler, auth_handler: nil, swagger_meta: {}, middleware: [], template: nil)
       @method = method.to_s.upcase.freeze
@@ -13,11 +14,34 @@ module Tina4
       @swagger_meta = swagger_meta
       @middleware = middleware.freeze
       @template = template&.freeze
+      @auth_required = %w[POST PUT PATCH DELETE].include?(@method)
+      @cached = false
       @param_names = []
       @path_regex = compile_pattern(@path)
       @param_names.freeze
     end
 
+    # Mark this route as requiring bearer-token authentication.
+    # Returns self for chaining: Router.get("/path") { ... }.secure
+    def secure
+      @auth_required = true
+      self
+    end
+
+    # Opt out of the secure-by-default auth on write routes.
+    # Returns self for chaining: Router.post("/login") { ... }.no_auth
+    def no_auth
+      @auth_required = false
+      self
+    end
+
+    # Mark this route as cacheable.
+    # Returns self for chaining: Router.get("/path") { ... }.cache
+    def cache
+      @cached = true
+      self
+    end
+
     # Returns params hash if matched, false otherwise
     def match?(request_path, request_method = nil)
       return false if request_method && @method != "ANY" && @method != request_method.to_s.upcase
@@ -105,12 +129,98 @@ module Tina4
     end
   end
 
+  # A registered WebSocket route with path pattern matching (reuses Route's compile logic)
+  class WebSocketRoute
+    attr_reader :path, :handler, :path_regex, :param_names
+
+    def initialize(path, handler)
+      @path = normalize_path(path).freeze
+      @handler = handler
+      @param_names = []
+      @path_regex = compile_pattern(@path)
+      @param_names.freeze
+    end
+
+    # Returns params hash if matched, false otherwise
+    def match?(request_path)
+      match = @path_regex.match(request_path)
+      return false unless match
+
+      if @param_names.empty?
+        {}
+      else
+        params = {}
+        @param_names.each_with_index do |param_def, i|
+          raw_value = match[i + 1]
+          params[param_def[:name]] = raw_value
+        end
+        params
+      end
+    end
+
+    private
+
+    def normalize_path(path)
+      p = path.to_s.gsub("\\", "/")
+      p = "/#{p}" unless p.start_with?("/")
+      p = p.chomp("/") unless p == "/"
+      p
+    end
+
+    def compile_pattern(path)
+      return Regexp.new("\\A/\\z") if path == "/"
+
+      parts = path.split("/").reject(&:empty?)
+      regex_parts = parts.map do |part|
+        if part =~ /\A\{(\w+)\}\z/
+          name = Regexp.last_match(1)
+          @param_names << { name: name.to_sym }
+          '([^/]+)'
+        else
+          Regexp.escape(part)
+        end
+      end
+      Regexp.new("\\A/#{regex_parts.join("/")}\\z")
+    end
+  end
+
   module Router
     class << self
       def routes
         @routes ||= []
       end
 
+      # Registered WebSocket routes
+      def ws_routes
+        @ws_routes ||= []
+      end
+
+      # Register a WebSocket route.
+      # The handler block receives (connection, event, data) where:
+      #   connection — WebSocketConnection with #send, #broadcast, #close, #params
+      #   event      — :open, :message, or :close
+      #   data       — String payload for :message, nil for :open/:close
+      def websocket(path, &block)
+        ws_route = WebSocketRoute.new(path, block)
+        ws_routes << ws_route
+        Tina4::Log.debug("WebSocket route registered: #{path}")
+        ws_route
+      end
+
+      # Find a matching WebSocket route for a given path.
+      # Returns [ws_route, params] or nil.
+      def find_ws_route(path)
+        normalized = path.gsub("\\", "/")
+        normalized = "/#{normalized}" unless normalized.start_with?("/")
+        normalized = normalized.chomp("/") unless normalized == "/"
+
+        ws_routes.each do |ws_route|
+          params = ws_route.match?(normalized)
+          return [ws_route, params] if params
+        end
+        nil
+      end
+
       # Routes indexed by HTTP method for O(1) method lookup
       def method_index
         @method_index ||= Hash.new { |h, k| h[k] = [] }
@@ -169,9 +279,26 @@ module Tina4
         nil
       end
 
+      # Register a class-based middleware globally.
+      # The class should define static before_* and/or after_* methods.
+      # Example:
+      #   class AuthMiddleware
+      #     def self.before_auth(request, response)
+      #       unless request.headers["authorization"]
+      #         return [request, response.json({ error: "Unauthorized" }, 401)]
+      #       end
+      #       [request, response]
+      #     end
+      #   end
+      #   Tina4::Router.use(AuthMiddleware)
+      def use(klass)
+        Tina4::Middleware.use(klass)
+      end
+
       def clear!
         @routes = []
         @method_index = Hash.new { |h, k| h[k] = [] }
+        @ws_routes = []
       end
 
       def group(prefix, auth_handler: nil, middleware: [], &block)

data/lib/tina4/service_runner.rb

@@ -171,7 +171,7 @@ module Tina4
 
       def run_loop(name, handler, options, ctx)
         max_retries = options.fetch(:max_retries, 3)
-        sleep_interval = (ENV["TINA4_SERVICE_SLEEP"] || 1).to_f
+        sleep_interval = (ENV["TINA4_SERVICE_SLEEP"] || 5).to_i.to_f
 
         if options[:daemon]
           run_daemon(name, handler, options, ctx, max_retries)

data/lib/tina4/session.rb

@@ -108,7 +108,8 @@ module Tina4
     end
 
     def cookie_header
-      "#{@options[:cookie_name]}=#{@id}; Path=/; HttpOnly; SameSite=Lax; Max-Age=#{@options[:max_age]}"
+      samesite = ENV["TINA4_SESSION_SAMESITE"] || "Lax"
+      "#{@options[:cookie_name]}=#{@id}; Path=/; HttpOnly; SameSite=#{samesite}; Max-Age=#{@options[:max_age]}"
     end
 
     private
@@ -135,6 +136,10 @@ module Tina4
         Tina4::SessionHandlers::RedisHandler.new(@options[:handler_options])
       when :mongo, :mongodb
         Tina4::SessionHandlers::MongoHandler.new(@options[:handler_options])
+      when :valkey
+        Tina4::SessionHandlers::ValkeyHandler.new(@options[:handler_options])
+      when :database, :db
+        Tina4::SessionHandlers::DatabaseHandler.new(@options[:handler_options])
       else
         Tina4::SessionHandlers::FileHandler.new(@options[:handler_options])
       end

data/lib/tina4/session_handlers/database_handler.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require "json"
+
+module Tina4
+  module SessionHandlers
+    class DatabaseHandler
+      TABLE_NAME = "tina4_session"
+
+      CREATE_TABLE_SQL = <<~SQL
+        CREATE TABLE IF NOT EXISTS #{TABLE_NAME} (
+            session_id VARCHAR(255) PRIMARY KEY,
+            data TEXT NOT NULL,
+            expires_at REAL NOT NULL
+        )
+      SQL
+
+      def initialize(options = {})
+        @ttl = options[:ttl] || 86400
+        @db = options[:db] || Tina4::Database.new(ENV["DATABASE_URL"])
+        ensure_table
+      end
+
+      def read(session_id)
+        row = @db.fetch_one("SELECT data, expires_at FROM #{TABLE_NAME} WHERE session_id = ?", [session_id])
+        return nil unless row
+
+        expires_at = row["expires_at"].to_f
+        if expires_at > 0 && expires_at < Time.now.to_f
+          destroy(session_id)
+          return nil
+        end
+
+        JSON.parse(row["data"])
+      rescue JSON::ParserError
+        nil
+      end
+
+      def write(session_id, data)
+        expires_at = @ttl > 0 ? Time.now.to_f + @ttl : 0.0
+        json_data = JSON.generate(data)
+
+        existing = @db.fetch_one("SELECT session_id FROM #{TABLE_NAME} WHERE session_id = ?", [session_id])
+        if existing
+          @db.execute("UPDATE #{TABLE_NAME} SET data = ?, expires_at = ? WHERE session_id = ?", [json_data, expires_at, session_id])
+        else
+          @db.execute("INSERT INTO #{TABLE_NAME} (session_id, data, expires_at) VALUES (?, ?, ?)", [session_id, json_data, expires_at])
+        end
+      end
+
+      def destroy(session_id)
+        @db.execute("DELETE FROM #{TABLE_NAME} WHERE session_id = ?", [session_id])
+      end
+
+      def cleanup
+        @db.execute("DELETE FROM #{TABLE_NAME} WHERE expires_at > 0 AND expires_at < ?", [Time.now.to_f])
+      end
+
+      private
+
+      def ensure_table
+        @db.execute(CREATE_TABLE_SQL)
+      end
+    end
+  end
+end

data/lib/tina4/swagger.rb

@@ -18,7 +18,7 @@ module Tina4
         {
           "openapi" => "3.0.3",
           "info" => {
-            "title" => ENV["PROJECT_NAME"] || "Tina4 Ruby API",
+            "title" => ENV["SWAGGER_TITLE"] || ENV["PROJECT_NAME"] || "Tina4 API",
             "version" => ENV["VERSION"] || Tina4::VERSION,
             "description" => "Auto-generated API documentation"
           },