RubyGems - tina4ruby - Versions diffs - 3.13.3 → 3.13.4 - Mend

tina4ruby 3.13.3 → 3.13.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6806b64505d23caba2d53a7b08b1411aa1e0ca924ea883d660dedae1c81f5766
-  data.tar.gz: e168b0a72f99e8cab66c1532a0909d480e10e330c65104749ec8dafb4e26837d
+  metadata.gz: f850a40f190c65782dd6f995b210335fa8b5c230c241b7d7031e34c0118f5d9e
+  data.tar.gz: 15a8e7d8cfdadd898917d1604d64cfd3f84dcc83838f5c4bf2a7f2c7ec66df3c
 SHA512:
-  metadata.gz: fd1d7d614b01886cb2e70ffcd04503ce3155073350f70dc92e6414816c5993a39b63b91965f49c30ea3275a6c72b62eea510ba64db74db0384ad925d7bdb0b76
-  data.tar.gz: 745992728883c28e11d3716977a9bb9e5f58d4a043b7aa285c6dc8113b8c95d3ffef10ac7b52aa339ef0172c308687f6c3004926af1daf1f4a3737601c008994
+  metadata.gz: a457acd04c35cfd41a88def3fae8717b054a131fdd674d00eff2eda4bdc5a6084918b5f40622090613f7009eb7007b0135ff0b0cb3df0749d1def6b7ca0834cd
+  data.tar.gz: 65d449d0775ed2599739c7fceffe4f74fa1b0c488cb85a09e257070a3b6c1aa59c85e4d56a5bf0a84c6ad239b2e729099b29c8b9d5edf1719bf59738fe8852af

data/lib/tina4/rack_app.rb CHANGED Viewed

@@ -317,19 +317,43 @@ module Tina4
         end
       end
-      # Execute handler — inject path params by name, then request/response
+      # Build the route-handler call as a lambda so function-style
+      # middleware can wrap it. Path params are still bound by name —
+      # the continuation just forwards the (possibly-mutated)
+      # request/response pair the outer middleware chose to pass in.
       handler_params = route.handler.parameters.map(&:last)
       route_params = path_params || {}
-      args = handler_params.map do |name|
-        if route_params.key?(name)
-          route_params[name]
-        elsif name == :request || name == :req
-          request
-        else
-          response
+      invoke_handler = lambda do |req, resp|
+        args = handler_params.map do |name|
+          if route_params.key?(name)
+            route_params[name]
+          elsif name == :request || name == :req
+            req
+          else
+            resp
+          end
+        end
+        args.empty? ? route.handler.call : route.handler.call(*args)
+      end
+      # Fold any function-style middleware on this route into a
+      # Russian-doll chain wrapping the handler. First declared is the
+      # outermost layer — it receives the request first, calls
+      # next_handler to descend, and runs its "after" code on the way
+      # out. Class-based middleware (before_*/after_*) is handled
+      # separately by run_middleware above and never goes through here.
+      # tina4-book#141 PY-10-01 (cross-framework parity).
+      fn_mws = route.respond_to?(:function_middleware) ? route.function_middleware : []
+      if fn_mws.empty?
+        result = invoke_handler.call(request, response)
+      else
+        chain = invoke_handler
+        fn_mws.reverse_each do |mw|
+          inner = chain
+          chain = lambda { |req, resp| mw.call(req, resp, inner) }
         end
+        result = chain.call(request, response)
       end
-      result = args.empty? ? route.handler.call : route.handler.call(*args)
       # Template rendering: when a template is set and the handler returned a Hash,
       # render the template with the hash as data and return the HTML response.

data/lib/tina4/request.rb CHANGED Viewed

@@ -35,6 +35,63 @@ module Tina4
     end
   end
+  # Hash subclass for HTTP headers — string keys are case-insensitive.
+  #
+  # HTTP header field-names are case-insensitive per RFC 7230 §3.2. With
+  # this class, request.headers["Content-Type"], .headers["content-type"],
+  # and .headers["CONTENT-TYPE"] all return the same value. Keys are
+  # stored lowercase internally.
+  #
+  # Cross-framework parity: same behaviour ships in tina4-python
+  # (CaseInsensitiveDict), tina4-php (Tina4\Request), tina4-nodejs
+  # (Tina4Request). tina4-book#141 PY-10-03 — chapter 10 examples
+  # documented headers["Content-Type"] for years; this makes them work.
+  class CaseInsensitiveHash < Hash
+    def [](key)
+      super(normalize_key(key))
+    end
+    def []=(key, value)
+      super(normalize_key(key), value)
+    end
+    def fetch(key, *args, &block)
+      super(normalize_key(key), *args, &block)
+    end
+    def key?(key)
+      super(normalize_key(key))
+    end
+    alias has_key? key?
+    alias include?  key?
+    alias member?   key?
+    def delete(key, &block)
+      super(normalize_key(key), &block)
+    end
+    def store(key, value)
+      super(normalize_key(key), value)
+    end
+    def merge(other)
+      result = dup
+      other.each { |k, v| result[k] = v }
+      result
+    end
+    def merge!(other)
+      other.each { |k, v| self[k] = v }
+      self
+    end
+    private
+    def normalize_key(key)
+      key.is_a?(String) ? key.downcase : key
+    end
+  end
   class Request
     attr_reader :env, :method, :path, :query_string, :content_type,
                 :path_params, :ip
@@ -139,7 +196,10 @@ module Tina4
     end
     def header(name)
-      headers[name.to_s.downcase.gsub("-", "_")]
+      # Headers are stored in a CaseInsensitiveHash keyed by lowercase-
+      # dashed names ("content-type", "x-api-key"). The hash normalises
+      # the lookup case automatically, so pass the dashed form through.
+      headers[name.to_s.tr("_", "-")]
     end
     def json_body
@@ -169,12 +229,22 @@ module Tina4
     end
     def extract_headers
-      h = {}
+      h = CaseInsensitiveHash.new
       @env.each do |key, value|
         if key.start_with?("HTTP_")
-          h[key[5..-1].downcase] = value
+          # Rack normalises "Content-Type" to "HTTP_CONTENT_TYPE" — we
+          # store as "content-type" (lowercase, dashed) so both
+          # headers["Content-Type"] and the legacy headers["content_type"]
+          # via the `header()` helper resolve to the same value. The
+          # CaseInsensitiveHash handles the case-insensitive part.
+          h[key[5..-1].tr("_", "-").downcase] = value
         end
       end
+      # CONTENT_TYPE / CONTENT_LENGTH live at the top level of the Rack
+      # env (no HTTP_ prefix per the Rack spec) — surface them too so
+      # request.headers["Content-Type"] works for POST bodies.
+      h["content-type"] = @env["CONTENT_TYPE"] if @env["CONTENT_TYPE"] && !@env["CONTENT_TYPE"].empty?
+      h["content-length"] = @env["CONTENT_LENGTH"] if @env["CONTENT_LENGTH"] && !@env["CONTENT_LENGTH"].to_s.empty?
       h
     end

data/lib/tina4/router.rb CHANGED Viewed

@@ -17,9 +17,11 @@ module Tina4
       @swagger_meta = swagger_meta
       @middleware = middleware.freeze
       @template = template&.freeze
-      # Write routes are secure by default, unless custom middleware is registered
-      # (developer handles auth themselves via middleware)
-      @auth_required = %w[POST PUT PATCH DELETE].include?(@method) && middleware.empty?
+      # Write routes are secure by default — bearer-token auth is enforced
+      # on POST/PUT/PATCH/DELETE regardless of attached middleware.
+      # Middleware is additive, never an auth bypass. tina4-book#141
+      # PY-10-02. Call .no_auth on the route to opt out explicitly.
+      @auth_required = %w[POST PUT PATCH DELETE].include?(@method)
       @cached = false
       @param_names = []
       @path_regex = compile_pattern(@path)
@@ -50,13 +52,18 @@ module Tina4
     # Dual-mode: getter (no args) returns the middleware array;
     # setter (with args) appends middleware and returns self for chaining.
     # Router.post("/api") { ... }.middleware(AuthMiddleware)
+    #
+    # Middleware is purely additive — registering middleware NEVER flips
+    # @auth_required off. The secure-by-default gate for write methods
+    # (POST/PUT/PATCH/DELETE) stays in effect; if a route truly wants to
+    # opt out of the built-in bearer check, call .no_auth explicitly.
+    # tina4-book#141 PY-10-02 — previously, attaching ANY middleware
+    # silently turned off auth_required, which let attackers bypass auth
+    # by routing through a logging middleware. Cross-framework parity.
     def middleware(*middleware_classes)
       return @middleware if middleware_classes.empty?
       @middleware = @middleware.dup + middleware_classes
-      # Custom middleware means developer handles auth — disable built-in gate
-      # unless .secure was explicitly called.
-      @auth_required = false unless @auth_required
       self
     end
@@ -83,15 +90,50 @@ module Tina4
       end
     end
-    # Run per-route middleware chain; returns true if all pass
+    # Run per-route CLASS-based middleware. Function-style middleware
+    # (Proc/Lambda taking 3+ args: req, resp, next_handler) is skipped
+    # here — it's dispatched separately via #function_middleware which
+    # wraps the route handler in a continuation chain (see rack_app.rb).
+    #
+    # Returns true if all class-based middleware passed, false if any
+    # returned literal false (halt request).
     def run_middleware(request, response)
       @middleware.each do |mw|
+        next if Route.function_middleware?(mw)
         result = mw.call(request, response)
         return false if result == false
       end
       true
     end
+    # Function-style middleware attached to this route, in declaration
+    # order. The route dispatcher folds them into a Russian-doll
+    # continuation chain — first declared is the OUTERMOST layer (runs
+    # first on the way in, last on the way out). tina4-book#141
+    # PY-10-01 — chapter 10 documented 8+ examples of function middleware
+    # for years; before this fix the framework silently ignored them.
+    def function_middleware
+      @middleware.select { |mw| Route.function_middleware?(mw) }
+    end
+    # Detect Express/FastAPI-style function middleware.
+    #
+    # A Proc/Lambda/Method whose arity indicates 3+ positional params
+    # (req, resp, next_handler). Ruby arity quirk: required-args-only
+    # arity is non-negative; if the callable accepts a splat or
+    # optionals, arity is negated (-required-1). We treat arity >= 3
+    # OR arity <= -4 as function-style. Anything else (a class with
+    # before_*/after_* methods, or a 2-arg callable) is treated as
+    # class-style and goes through #run_middleware.
+    def self.function_middleware?(mw)
+      return false if mw.is_a?(Class) || mw.is_a?(Module)
+      return false unless mw.respond_to?(:arity)
+      ar = mw.arity
+      ar >= 3 || ar <= -4
+    rescue StandardError
+      false
+    end
     private
     def normalize_path(path)

data/lib/tina4/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Tina4
-  VERSION = "3.13.3"
+  VERSION = "3.13.4"
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: tina4ruby
 version: !ruby/object:Gem::Version
-  version: 3.13.3
+  version: 3.13.4
 platform: ruby
 authors:
 - Tina4 Team
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2026-06-03 00:00:00.000000000 Z
+date: 2026-06-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack