whoosh 1.4.1 → 1.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5baff744454d485e7f9788aca18285ece0c8901a5abea6f9c2f3fd4a22a7de75
-  data.tar.gz: 6c2062d73b6bec5e60c0adfd897e7e8aec5d10fa366439471592fc196bfe5bbd
+  metadata.gz: 3029bc3666ce5b81096d8248de52ac25f31e6cc11e271ad954058d9241bf48fb
+  data.tar.gz: 4a62476bf115c24635c2833ddf0814ec49de5b7e036a138e37f197ef8fb51905
 SHA512:
-  metadata.gz: 7ef32b36e7405fe117eefc60908baf71a9553d328ccd2fd7823c715b7e37d4f01aeedc29a7cb1709e865410d407a32bc511f49353b90339702a06bb7f9a31425
-  data.tar.gz: 75188ded90b9205cb7c779d18252ef842989ec84d76ad78e1167d4ca267e544918b39c5d2a3596abe0b2d6001620e98e4272a75bdd62491b4130127bba78487c
+  metadata.gz: 1152664925e99cce8c668a87aa0e9e131bb48a59b4cb967569fa76224f4ae50ab00aa9658231eb9312ea640993cfb46f904bf9248200bf40a5f65df282a7ac71
+  data.tar.gz: 8c32d13d07cdfe9fdf8ff5ab201ba72632c054ee9ef60540a06f00dd4d0303755ddb7c22b0e6fad702003e0c3b088c69c062d606e1dee947f08f2330faf74285

data/README.md

@@ -13,7 +13,7 @@
   <img src="https://img.shields.io/badge/ruby-%3E%3D%203.4.0-red" alt="Ruby">
   <img src="https://img.shields.io/badge/rack-3.0-blue" alt="Rack">
   <img src="https://img.shields.io/badge/license-MIT-green" alt="License">
-  <img src="https://img.shields.io/badge/tests-542%20passing-brightgreen" alt="Tests">
+  <img src="https://img.shields.io/badge/tests-564%20passing-brightgreen" alt="Tests">
   <img src="https://img.shields.io/badge/overhead-2.5%C2%B5s-orange" alt="Performance">
 </p>
 

data/lib/whoosh/app.rb

@@ -250,6 +250,31 @@ module Whoosh
       Paginate.cursor(collection, cursor: cursor, limit: limit, column: column)
     end
 
+    def redirect(url, status: 302)
+      Response.redirect(url, status: status)
+    end
+
+    def download(data, filename:, content_type: nil)
+      Response.download(data, filename: filename, content_type: content_type || "application/octet-stream")
+    end
+
+    def send_file(path, content_type: nil)
+      Response.file(path, content_type: content_type)
+    end
+
+    def serve_static(prefix, root:)
+      get "#{prefix}/:_static_path" do |req|
+        file_path = File.join(root, req.params[:_static_path])
+        real = File.realpath(file_path) rescue nil
+        real_root = File.realpath(root) rescue root
+        if real && real.start_with?(real_root) && File.file?(real)
+          Response.file(real)
+        else
+          Response.not_found
+        end
+      end
+    end
+
     # --- Endpoint loading ---
 
     def load_endpoints(dir)
@@ -396,66 +421,71 @@ module Whoosh
       security_headers = Middleware::SecurityHeaders::HEADERS
 
       -> (env) {
-        # 1. RequestLimit — check content length
-        content_length = env["CONTENT_LENGTH"]&.to_i || 0
-        if content_length > max_bytes
-          return [413, { "content-type" => "application/json" },
-            [JSON.generate({ error: "request_too_large", max_bytes: max_bytes })]]
-        end
+        begin
+          # 1. RequestLimit — check content length
+          content_length = env["CONTENT_LENGTH"]&.to_i || 0
+          if content_length > max_bytes
+            return [413, { "content-type" => "application/json" },
+              [JSON.generate({ error: "request_too_large", max_bytes: max_bytes })]]
+          end
 
-        # 2. Request ID (from RequestLogger)
-        request_id = env["HTTP_X_REQUEST_ID"] || SecureRandom.uuid
-        env["whoosh.request_id"] = request_id
-
-        start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)
-
-        # 3. CORS preflight
-        origin = env["HTTP_ORIGIN"]
-        if env["REQUEST_METHOD"] == "OPTIONS" && origin
-          cors_headers = {
-            "access-control-allow-methods" => "GET, POST, PUT, PATCH, DELETE, OPTIONS",
-            "access-control-allow-headers" => "Content-Type, Authorization, X-API-Key, X-Request-ID",
-            "access-control-max-age" => "86400",
-            "access-control-allow-origin" => "*",
-            "access-control-expose-headers" => "X-Request-ID",
-            "vary" => "Origin"
-          }
-          return [204, cors_headers, []]
-        end
+          # 2. Request ID (from RequestLogger)
+          request_id = env["HTTP_X_REQUEST_ID"] || SecureRandom.uuid
+          env["whoosh.request_id"] = request_id
+
+          start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+
+          # 3. CORS preflight
+          origin = env["HTTP_ORIGIN"]
+          if env["REQUEST_METHOD"] == "OPTIONS" && origin
+            cors_headers = {
+              "access-control-allow-methods" => "GET, POST, PUT, PATCH, DELETE, OPTIONS",
+              "access-control-allow-headers" => "Content-Type, Authorization, X-API-Key, X-Request-ID",
+              "access-control-max-age" => "86400",
+              "access-control-allow-origin" => "*",
+              "access-control-expose-headers" => "X-Request-ID",
+              "vary" => "Origin"
+            }
+            return [204, cors_headers, []]
+          end
 
-        # 4. Handle request (core)
-        status, headers, body = handle_request(env)
+          # 4. Handle request (core)
+          status, headers, body = handle_request(env)
 
-        # Ensure headers are mutable (streaming returns frozen headers)
-        headers = headers.dup if headers.frozen?
+          # Ensure headers are mutable (streaming returns frozen headers)
+          headers = headers.dup if headers.frozen?
 
-        # 5. Security headers (inline, no allocation)
-        security_headers.each { |k, v| headers[k] ||= v }
+          # 5. Security headers (inline, no allocation)
+          security_headers.each { |k, v| headers[k] ||= v }
 
-        # 6. CORS headers
-        if origin
-          headers["access-control-allow-origin"] = "*"
-          headers["access-control-expose-headers"] = "X-Request-ID"
-          headers["vary"] = "Origin"
-        end
+          # 6. CORS headers
+          if origin
+            headers["access-control-allow-origin"] = "*"
+            headers["access-control-expose-headers"] = "X-Request-ID"
+            headers["vary"] = "Origin"
+          end
 
-        # 7. Request ID in response
-        headers["x-request-id"] = request_id
+          # 7. Request ID in response
+          headers["x-request-id"] = request_id
 
-        # 8. Logging + metrics
-        duration_ms = ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - start_time) * 1000).round(2)
-        logger.info("request_complete",
-          method: env["REQUEST_METHOD"], path: env["PATH_INFO"],
-          status: status, duration_ms: duration_ms, request_id: request_id)
+          # 8. Logging + metrics
+          duration_ms = ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - start_time) * 1000).round(2)
+          logger.info("request_complete",
+            method: env["REQUEST_METHOD"], path: env["PATH_INFO"],
+            status: status, duration_ms: duration_ms, request_id: request_id)
 
-        if metrics
-          metrics.increment("whoosh_requests_total",
-            labels: { method: env["REQUEST_METHOD"], path: env["PATH_INFO"], status: status.to_s })
-          metrics.observe("whoosh_request_duration_seconds",
-            duration_ms / 1000.0, labels: { path: env["PATH_INFO"] })
-        end
+          if metrics
+            metrics.increment("whoosh_requests_total",
+              labels: { method: env["REQUEST_METHOD"], path: env["PATH_INFO"], status: status.to_s })
+            metrics.observe("whoosh_request_duration_seconds",
+              duration_ms / 1000.0, labels: { path: env["PATH_INFO"] })
+          end
 
-        [status, headers, body]
+          [status, headers, body]
+        rescue => e
+          [500, { "content-type" => "application/json" },
+            [JSON.generate({ error: "internal_error", message: e.message })]]
+        end
       }
     end
 
@@ -509,7 +539,8 @@ module Whoosh
         generator.add_route(
           method: route[:method], path: route[:path],
           request_schema: handler[:request_schema],
-          response_schema: handler[:response_schema]
+          response_schema: handler[:response_schema],
+          query_schema: handler[:query_schema]
         )
       end
 
@@ -540,13 +571,14 @@ module Whoosh
       })
     end
 
-    def add_route(method, path, request: nil, response: nil, **metadata, &block)
+    def add_route(method, path, request: nil, response: nil, query: nil, **metadata, &block)
       full_path = "#{@group_prefix}#{path}"
       merged_metadata = @group_metadata.merge(metadata)
       handler = {
         block: block,
         request_schema: request,
         response_schema: response,
+        query_schema: query,
         middleware: @group_middleware.dup
       }
       @router.add(method, full_path, handler, **merged_metadata)
@@ -662,6 +694,10 @@ module Whoosh
         @strategies[:jwt] = Auth::Jwt.new(secret: secret, algorithm: algorithm, expiry: expiry)
       end
 
+      def oauth2(provider: :custom, **opts)
+        @strategies[:oauth2] = Auth::OAuth2.new(provider: provider, **opts)
+      end
+
       def build
         @strategies.values.first
       end

data/lib/whoosh/auth/oauth2.rb

@@ -1,18 +1,74 @@
-# lib/whoosh/auth/oauth2.rb
 # frozen_string_literal: true
 
+require "securerandom"
+
 module Whoosh
   module Auth
     class OAuth2
-      def initialize(token_url: "/oauth/token", validator: nil)
+      PROVIDERS = {
+        google: {
+          authorize_url: "https://accounts.google.com/o/oauth2/v2/auth",
+          token_url: "https://oauth2.googleapis.com/token",
+          userinfo_url: "https://www.googleapis.com/oauth2/v3/userinfo"
+        },
+        github: {
+          authorize_url: "https://github.com/login/oauth/authorize",
+          token_url: "https://github.com/login/oauth/access_token",
+          userinfo_url: "https://api.github.com/user"
+        },
+        apple: {
+          authorize_url: "https://appleid.apple.com/auth/authorize",
+          token_url: "https://appleid.apple.com/auth/token",
+          userinfo_url: nil
+        }
+      }.freeze
+
+      attr_reader :provider
+
+      def initialize(provider: :custom, client_id: nil, client_secret: nil,
+                     authorize_url: nil, token_url: nil, userinfo_url: nil,
+                     redirect_uri: nil, scopes: [], validator: nil)
+        @provider = provider
+        @client_id = client_id
+        @client_secret = client_secret
+        @authorize_url = authorize_url
         @token_url = token_url
+        @userinfo_url = userinfo_url
+        @redirect_uri = redirect_uri
+        @scopes = scopes
         @validator = validator
+        apply_provider_defaults if PROVIDERS[@provider]
+      end
+
+      def authorize_url(state: SecureRandom.hex(16))
+        params = {
+          client_id: @client_id, redirect_uri: @redirect_uri,
+          response_type: "code", scope: @scopes.join(" "), state: state
+        }
+        "#{@authorize_url}?#{URI.encode_www_form(params)}"
+      end
+
+      def exchange_code(code)
+        response = HTTP.post(@token_url, json: {
+          client_id: @client_id, client_secret: @client_secret,
+          code: code, redirect_uri: @redirect_uri, grant_type: "authorization_code"
+        }, headers: { "Accept" => "application/json" })
+        raise Errors::UnauthorizedError, "Token exchange failed: #{response.status}" unless response.ok?
+        response.json
+      end
+
+      def userinfo(access_token)
+        return nil unless @userinfo_url
+        response = HTTP.get(@userinfo_url, headers: {
+          "Authorization" => "Bearer #{access_token}", "Accept" => "application/json"
+        })
+        raise Errors::UnauthorizedError, "Userinfo failed" unless response.ok?
+        response.json
       end
 
       def authenticate(request)
         auth_header = request.headers["Authorization"]
-        raise Errors::UnauthorizedError, "Missing authorization header" unless auth_header
-
+        raise Errors::UnauthorizedError, "Missing authorization" unless auth_header
         token = auth_header.sub(/\ABearer\s+/i, "")
         raise Errors::UnauthorizedError, "Missing token" if token.empty?
 
@@ -20,13 +76,20 @@ module Whoosh
           result = @validator.call(token)
           raise Errors::UnauthorizedError, "Invalid token" unless result
           result
+        elsif @userinfo_url
+          userinfo(token)
         else
           { token: token }
         end
       end
 
-      def token_url
-        @token_url
+      private
+
+      def apply_provider_defaults
+        defaults = PROVIDERS[@provider]
+        @authorize_url ||= defaults[:authorize_url]
+        @token_url ||= defaults[:token_url]
+        @userinfo_url ||= defaults[:userinfo_url]
       end
     end
   end

data/lib/whoosh/http.rb

@@ -33,6 +33,22 @@ module Whoosh
         request(:delete, url, headers: headers, timeout: timeout)
       end
 
+      # Run multiple HTTP requests concurrently
+      def concurrent(*requests)
+        threads = requests.map do |req|
+          method = req[:method] || :get
+          url = req[:url]
+          opts = req.except(:method, :url)
+          Thread.new { send(method, url, **opts) }
+        end
+        threads.map(&:value)
+      end
+
+      # Returns an async client for non-blocking requests
+      def async
+        AsyncClient.new
+      end
+
       private
 
       def request(method, url, json: nil, body: nil, headers: {}, timeout: 30)
@@ -69,5 +85,13 @@ module Whoosh
         req
       end
     end
+
+    class AsyncClient
+      def get(url, **opts) = Thread.new { HTTP.get(url, **opts) }
+      def post(url, **opts) = Thread.new { HTTP.post(url, **opts) }
+      def put(url, **opts) = Thread.new { HTTP.put(url, **opts) }
+      def patch(url, **opts) = Thread.new { HTTP.patch(url, **opts) }
+      def delete(url, **opts) = Thread.new { HTTP.delete(url, **opts) }
+    end
   end
 end

data/lib/whoosh/middleware/security_headers.rb

@@ -10,7 +10,8 @@ module Whoosh
         "strict-transport-security" => "max-age=31536000; includeSubDomains",
         "x-download-options" => "noopen",
         "x-permitted-cross-domain-policies" => "none",
-        "referrer-policy" => "strict-origin-when-cross-origin"
+        "referrer-policy" => "strict-origin-when-cross-origin",
+        "content-security-policy" => "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
       }.freeze
 
       def initialize(app)

data/lib/whoosh/openapi/generator.rb

@@ -12,7 +12,7 @@ module Whoosh
         @paths = {}
       end
 
-      def add_route(method:, path:, request_schema: nil, response_schema: nil, description: nil)
+      def add_route(method:, path:, request_schema: nil, response_schema: nil, query_schema: nil, description: nil)
         openapi_path = path.gsub(/:(\w+)/, '{\1}')
         http_method = method.downcase.to_sym
         @paths[openapi_path] ||= {}
@@ -23,6 +23,18 @@ module Whoosh
           operation[:parameters] = params.map { |p| { name: p, in: "path", required: true, schema: { type: "string" } } }
         end
 
+        if query_schema
+          qs = SchemaConverter.convert(query_schema)
+          (qs[:properties] || {}).each do |name, prop|
+            operation[:parameters] ||= []
+            operation[:parameters] << {
+              name: name.to_s, in: "query",
+              required: qs[:required]&.include?(name) || false,
+              schema: prop, description: prop[:description]
+            }
+          end
+        end
+
         if request_schema
           operation[:requestBody] = {
             required: true,

data/lib/whoosh/request.rb

@@ -54,6 +54,16 @@ module Whoosh
       end
     end
 
+    def cookies
+      @cookies ||= begin
+        raw = @env["HTTP_COOKIE"] || ""
+        raw.split(";").each_with_object({}) do |pair, h|
+          k, v = pair.strip.split("=", 2)
+          h[k] = v if k
+        end
+      end
+    end
+
     def files
       @files ||= begin
         storage = @env["whoosh.storage"]

data/lib/whoosh/response.rb

@@ -4,6 +4,30 @@ module Whoosh
   class Response
     JSON_HEADERS = { "content-type" => "application/json" }.freeze
 
+    MIME_TYPES = { ".html" => "text/html", ".json" => "application/json", ".css" => "text/css",
+      ".js" => "application/javascript", ".png" => "image/png", ".jpg" => "image/jpeg",
+      ".svg" => "image/svg+xml", ".pdf" => "application/pdf", ".txt" => "text/plain" }.freeze
+
+    def self.redirect(url, status: 302)
+      [status, { "location" => url }, []]
+    end
+
+    def self.download(data, filename:, content_type: "application/octet-stream")
+      [200, { "content-type" => content_type, "content-disposition" => "attachment; filename=\"#{filename}\"" }, [data]]
+    end
+
+    def self.file(path, content_type: nil)
+      raise Errors::NotFoundError unless File.exist?(path)
+      ct = content_type || guess_content_type(path)
+      body = File.binread(path)
+      [200, { "content-type" => ct, "content-length" => body.bytesize.to_s }, [body]]
+    end
+
+    def self.guess_content_type(path)
+      ext = File.extname(path).downcase
+      MIME_TYPES[ext] || "application/octet-stream"
+    end
+
     def self.json(data, status: 200, headers: {})
       body = Serialization::Json.encode(data)
       response_headers = if headers.empty?

data/lib/whoosh/schema.rb

@@ -23,6 +23,16 @@ module Whoosh
         super
         subclass.instance_variable_set(:@fields, {})
         subclass.instance_variable_set(:@contract, nil)
+        subclass.instance_variable_set(:@custom_validators, [])
+      end
+
+      def validate_with(&block)
+        @custom_validators ||= []
+        @custom_validators << block
+      end
+
+      def custom_validators
+        @custom_validators || []
       end
 
       def field(name, type, **options)
@@ -78,6 +88,11 @@ module Whoosh
           end
         end
 
+        # Third pass: custom validators
+        self.custom_validators.each do |validator|
+          validator.call(validated, errors)
+        end
+
         return Result.new(data: nil, errors: errors) unless errors.empty?
 
         Result.new(data: apply_defaults(validated), errors: [])

data/lib/whoosh/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Whoosh
-  VERSION = "1.4.1"
+  VERSION = "1.5.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: whoosh
 version: !ruby/object:Gem::Version
-  version: 1.4.1
+  version: 1.5.0
 platform: ruby
 authors:
 - Johannes Dwi Cahyo