verikloak-rails 0.2.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dda87b3f2293f4c0cf05710290a503fd5c15712758f685987385d1b0677938cc
-  data.tar.gz: a299ad22f31b4871fde437e026557b106134e32dece4e7cb45be4073d0269a48
+  metadata.gz: 1add58266f9789a0e9263c36d5e33ab80207b02a87b999d22b5fa65b813f5f36
+  data.tar.gz: 58d956084cc1631e4a0854744627dd3ba95350f7a9c1687665b7025fd943addb
 SHA512:
-  metadata.gz: '0149e3053f208dd90c26ec07a960ff14969cdcda74400403f4ab02376110b31624189b6612bf2d6d3d7857c15d1c2b3190da9b472c487d9a3866eaf4de3aa8f7'
-  data.tar.gz: 2fa3507b18f362cb3523332256a0608bd95564e0a0e0dfb4a17b97b9fafbdb1ddad31fa34bbe8788d52546e1f22dd43b97174ce1474c24385838fef743f5b8ae
+  metadata.gz: 183bb26475f75704c35880db14e67ea5a83a3c3923d3ca8c6788c92e7735a2d00deabb681f0e65b8bf561e2b6a5aa0cfb4e7ccc24760c091dbe0145f87558311
+  data.tar.gz: 24bc9a344903243e2c63015c4429b8ea713467df15636021f91fc4698a39600ecd0a84e9caccac489ffc1e1d809353961170008ceabed24a106ad65e1b720fef

data/CHANGELOG.md

@@ -7,6 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ---
 
+## [0.2.1] - 2025-09-21
+
+### Changed
+- Simplify `with_required_audience!` to always raise `Verikloak::Error`, letting the shared handler render forbidden responses
+
+### Fixed
+- Ensure the 500 JSON renderer logs exceptions against the actual Rails logger even when wrapped by tagged logging adapters
+
+### Documentation
+- Describe the `rescue_pundit` configuration flag and default initializer settings
+
 ## [0.2.0] - 2025-09-14
 
 ### Breaking

data/README.md

@@ -40,7 +40,7 @@ Then configure `config/initializers/verikloak.rb`.
 | `current_user_claims` | Verified JWT claims (string keys) | `Hash` or `nil` | — |
 | `current_subject` | Convenience accessor for `sub` claim | `String` or `nil` | — |
 | `current_token` | Raw Bearer token from the request | `String` or `nil` | — |
-| `with_required_audience!(*aud)` | Enforce that `aud` includes all required entries | `void` | Renders standardized 403 JSON when requirements are not met |
+| `with_required_audience!(*aud)` | Enforce that `aud` includes all required entries | `void` | Raises `Verikloak::Error('forbidden')` so the concern renders standardized 403 JSON and halts the action |
 
 ### Data Sources
 | Value | Rack env keys | Fallback (RequestStore) | Notes |
@@ -110,7 +110,7 @@ Keys under `config.verikloak`:
 | `logger_tags` | Array<Symbol> | Tags to add to Rails logs. Supports `:request_id`, `:sub` | `[:request_id, :sub]` |
 | `error_renderer` | Object responding to `render(controller, error)` | Override error rendering | built-in JSON renderer |
 | `auto_include_controller` | Boolean | Auto-include controller concern | `true` |
-| `render_500_json` | Boolean | Rescue `StandardError` and render JSON 500 | `false` |
+| `render_500_json` | Boolean | Rescue `StandardError`, log the exception, and render JSON 500 | `false` |
 | `rescue_pundit` | Boolean | Rescue `Pundit::NotAuthorizedError` to 403 JSON when Pundit is present | `true` |
 
 Environment variable examples are in the generated initializer.

data/lib/verikloak/rails/configuration.rb

@@ -35,11 +35,16 @@ module Verikloak
     # @!attribute [rw] render_500_json
     #   Rescue StandardError and render a JSON 500 response.
     #   @return [Boolean]
+    # @!attribute [rw] rescue_pundit
+    #   Rescue `Pundit::NotAuthorizedError` and render JSON 403 responses.
+    #   @return [Boolean]
     class Configuration
       attr_accessor :discovery_url, :audience, :issuer, :leeway, :skip_paths,
                     :logger_tags, :error_renderer, :auto_include_controller,
                     :render_500_json, :rescue_pundit
 
+      # Initialize configuration with sensible defaults for Rails apps.
+      # @return [void]
       def initialize
         @discovery_url = nil
         @audience      = nil

data/lib/verikloak/rails/controller.rb

@@ -16,7 +16,8 @@ module Verikloak
         before_action :authenticate_user!
         # Register generic error handler first so specific handlers take precedence.
         if Verikloak::Rails.config.render_500_json
-          rescue_from StandardError do |_e|
+          rescue_from StandardError do |e|
+            _verikloak_log_internal_error(e)
             render json: { error: 'internal_server_error', message: 'An unexpected error occurred' },
                    status: :internal_server_error
           end
@@ -84,13 +85,14 @@ module Verikloak
       #
       # @param required [Array<String>] one or more audiences to require
       # @return [void]
+      # @raise [Verikloak::Error] when the required audience is missing
       # @example
       #   with_required_audience!('my-api', 'payments')
       def with_required_audience!(*required)
         aud = Array(current_user_claims&.dig('aud'))
         return if required.flatten.all? { |r| aud.include?(r) }
 
-        render json: { error: 'forbidden', message: 'Required audience not satisfied' }, status: :forbidden
+        raise ::Verikloak::Error.new('forbidden', 'Required audience not satisfied')
       end
 
       private
@@ -118,10 +120,50 @@ module Verikloak
         end
         if Verikloak::Rails.config.logger_tags.include?(:sub)
           sub = current_subject
-          tags << "sub:#{sub}" if sub
+          if sub
+            sanitized = sub.to_s.gsub(/[[:cntrl:]]+/, ' ').strip
+            tags << "sub:#{sanitized}" unless sanitized.empty?
+          end
         end
         tags
       end
+
+      # Write StandardError details to the controller or Rails logger when
+      # rendering the generic 500 JSON response. Logging ensures the
+      # underlying failure is still visible to operators even though the
+      # response body is static.
+      #
+      # @param exception [Exception]
+      # @return [void]
+      def _verikloak_log_internal_error(exception)
+        target_logger = _verikloak_base_logger
+        return unless target_logger.respond_to?(:error)
+
+        target_logger.error("[Verikloak] #{exception.class}: #{exception.message}")
+        backtrace = exception.backtrace
+        target_logger.error(backtrace.join("\n")) if backtrace&.any?
+      rescue StandardError
+        # Never allow logging failures to interfere with request handling.
+        nil
+      end
+
+      # Locate the innermost logger that responds to `error`.
+      # @return [Object, nil]
+      def _verikloak_base_logger
+        root_logger = if defined?(::Rails) && ::Rails.respond_to?(:logger)
+                        ::Rails.logger
+                      elsif respond_to?(:logger)
+                        logger
+                      end
+        current = root_logger
+        while current.respond_to?(:logger)
+          next_logger = current.logger
+          break if next_logger.nil? || next_logger.equal?(current)
+
+          current = next_logger
+        end
+        current
+      end
     end
   end
 end

data/lib/verikloak/rails/version.rb

@@ -2,6 +2,6 @@
 
 module Verikloak
   module Rails
-    VERSION = '0.2.0'
+    VERSION = '0.2.1'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: verikloak-rails
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors:
 - taiyaky
@@ -73,7 +73,7 @@ metadata:
   source_code_uri: https://github.com/taiyaky/verikloak-rails
   changelog_uri: https://github.com/taiyaky/verikloak-rails/blob/main/CHANGELOG.md
   bug_tracker_uri: https://github.com/taiyaky/verikloak-rails/issues
-  documentation_uri: https://rubydoc.info/gems/verikloak-rails/0.2.0
+  documentation_uri: https://rubydoc.info/gems/verikloak-rails/0.2.1
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths: