Class: Otto

Inherits:

Object

• Object
• Otto

Extended by:

ClassMethods

Defined in:

lib/otto.rb,
lib/otto/route.rb,
lib/otto/static.rb,
lib/otto/version.rb,
lib/otto/helpers/base.rb,
lib/otto/design_system.rb,
lib/otto/security/csrf.rb,
lib/otto/route_handlers.rb,
lib/otto/helpers/request.rb,
lib/otto/security/config.rb,
lib/otto/helpers/response.rb,
lib/otto/route_definition.rb,
lib/otto/response_handlers.rb,
lib/otto/security/validator.rb,
lib/otto/security/authentication.rb

Overview

lib/otto/security/authentication.rb

Configurable authentication strategy system for Otto framework Provides pluggable authentication patterns that can be customized per application

Usage:

otto = Otto.new('routes.txt', {
  auth_strategies: {
    'publically' => PublicStrategy.new,
    'authenticated' => SessionStrategy.new,
    'role:admin' => RoleStrategy.new(['admin']),
    'api_key' => APIKeyStrategy.new
  }
})

Defined Under Namespace

Modules: BaseHelpers, ClassMethods, DesignSystem, RequestHelpers, ResponseHandlers, ResponseHelpers, RouteHandlers, Security, Static Classes: Route, RouteDefinition

Constant Summary

LIB_HOME =

__dir__

VERSION =

'1.5.0'.freeze

Class Attribute Summary

• .debug ⇒ Object

  Returns the value of attribute debug.

• .logger ⇒ Object

  Returns the value of attribute logger.

Instance Attribute Summary

• #auth_config ⇒ Object readonly

  Returns the value of attribute auth_config.

• #locale_config ⇒ Object readonly

  Returns the value of attribute locale_config.

• #middleware_stack ⇒ Object

  Returns the value of attribute middleware_stack.

• #not_found ⇒ Object

  Returns the value of attribute not_found.

• #option ⇒ Object (also: #options) readonly

  Returns the value of attribute option.

• #route_definitions ⇒ Object readonly

  Returns the value of attribute route_definitions.

• #route_handler_factory ⇒ Object readonly

  Returns the value of attribute route_handler_factory.

• #routes ⇒ Object readonly

  Returns the value of attribute routes.

• #routes_literal ⇒ Object readonly

  Returns the value of attribute routes_literal.

• #routes_static ⇒ Object readonly

  Returns the value of attribute routes_static.

• #security_config ⇒ Object readonly

  Returns the value of attribute security_config.

• #server_error ⇒ Object

  Returns the value of attribute server_error.

• #static_route ⇒ Object readonly

  Returns the value of attribute static_route.

Class Method Summary

• .configure {|config| ... } ⇒ Object

  Global configuration for all Otto instances.

• .global_config ⇒ Object

Instance Method Summary

• #add_auth_strategy(name, strategy) ⇒ Object

  Add a single authentication strategy.

• #add_static_path(path) ⇒ Object
• #add_trusted_proxy(proxy) ⇒ Object

  Add a trusted proxy server for accurate client IP detection.

• #call(env) ⇒ Object
• #configure(available_locales: nil, default_locale: nil) ⇒ Object

  Configure locale settings for the application.

• #configure_auth_strategies(strategies, default_strategy: 'publically') ⇒ Object

  Configure authentication strategies for route-level access control.

• #determine_locale(env) ⇒ Object
• #enable_authentication! ⇒ Object

  Enable authentication middleware for route-level access control.

• #enable_csp!(policy = "default-src 'self'") ⇒ Object

  Enable Content Security Policy (CSP) header to prevent XSS attacks.

• #enable_csp_with_nonce!(debug: false) ⇒ Object

  Enable Content Security Policy (CSP) with nonce support for dynamic header generation.

• #enable_csrf_protection! ⇒ Object

  Enable CSRF protection for POST, PUT, DELETE, and PATCH requests.

• #enable_frame_protection!(option = 'SAMEORIGIN') ⇒ Object

  Enable X-Frame-Options header to prevent clickjacking attacks.

• #enable_hsts!(max_age: 31_536_000, include_subdomains: true) ⇒ Object

  Enable HTTP Strict Transport Security (HSTS) header.

• #enable_request_validation! ⇒ Object

  Enable request validation including input sanitization, size limits, and protection against XSS and SQL injection attacks.

• #handle_request(env) ⇒ Object
• #initialize(path = nil, opts = {}) ⇒ Otto constructor

  A new instance of Otto.

• #load(path) ⇒ Object
• #safe_dir?(path) ⇒ Boolean
• #safe_file?(path) ⇒ Boolean
• #set_security_headers(headers) ⇒ Object

  Set custom security headers that will be added to all responses.

• #uri(route_definition, params = {}) ⇒ Object

  Return the URI path for the given route_definition e.g.

• #use(middleware) ⇒ Object

  Add middleware to the stack.

Methods included from ClassMethods

default, env?, path

Constructor Details

#initialize(path = nil, opts = {}) ⇒ Otto

Returns a new instance of Otto.

# File 'lib/otto.rb', line 66

def initialize(path = nil, opts = {})
  @routes_static     = { GET: {} }
  @routes            = { GET: [] }
  @routes_literal    = { GET: {} }
  @route_definitions = {}
  @option            = {
    public: nil,
    locale: 'en',
  }.merge(opts)
  @security_config   = Otto::Security::Config.new
  @middleware_stack  = []
  @route_handler_factory = opts[:route_handler_factory] || Otto::RouteHandlers::HandlerFactory

  # Configure locale support (merge global config with instance options)
  configure_locale(opts)

  # Configure security based on options
  configure_security(opts)

  # Configure authentication based on options
  configure_authentication(opts)

  Otto.logger.debug "new Otto: #{opts}" if Otto.debug
  load(path) unless path.nil?
  super()
end

Class Attribute Details

.debug ⇒ Object

Returns the value of attribute debug.

# File 'lib/otto.rb', line 610

def debug
  @debug
end

.logger ⇒ Object

Returns the value of attribute logger.

# File 'lib/otto.rb', line 610

def logger
  @logger
end

Instance Attribute Details

#auth_config ⇒ Object (readonly)

Returns the value of attribute auth_config.

# File 'lib/otto.rb', line 63

def auth_config
  @auth_config
end

#locale_config ⇒ Object (readonly)

Returns the value of attribute locale_config.

# File 'lib/otto.rb', line 63

def locale_config
  @locale_config
end

#middleware_stack ⇒ Object

Returns the value of attribute middleware_stack.

# File 'lib/otto.rb', line 64

def middleware_stack
  @middleware_stack
end

#not_found ⇒ Object

Returns the value of attribute not_found.

# File 'lib/otto.rb', line 64

def not_found
  @not_found
end

#option ⇒ Object (readonly) Also known as: options

Returns the value of attribute option.

# File 'lib/otto.rb', line 63

def option
  @option
end

#route_definitions ⇒ Object (readonly)

Returns the value of attribute route_definitions.

# File 'lib/otto.rb', line 63

def route_definitions
  @route_definitions
end

#route_handler_factory ⇒ Object (readonly)

Returns the value of attribute route_handler_factory.

# File 'lib/otto.rb', line 63

def route_handler_factory
  @route_handler_factory
end

#routes ⇒ Object (readonly)

Returns the value of attribute routes.

# File 'lib/otto.rb', line 63

def routes
  @routes
end

#routes_literal ⇒ Object (readonly)

Returns the value of attribute routes_literal.

# File 'lib/otto.rb', line 63

def routes_literal
  @routes_literal
end

#routes_static ⇒ Object (readonly)

Returns the value of attribute routes_static.

# File 'lib/otto.rb', line 63

def routes_static
  @routes_static
end

#security_config ⇒ Object (readonly)

Returns the value of attribute security_config.

# File 'lib/otto.rb', line 63

def security_config
  @security_config
end

#server_error ⇒ Object

Returns the value of attribute server_error.

# File 'lib/otto.rb', line 64

def server_error
  @server_error
end

#static_route ⇒ Object (readonly)

Returns the value of attribute static_route.

# File 'lib/otto.rb', line 63

def static_route
  @static_route
end

Class Method Details

.configure {|config| ... } ⇒ Object

Global configuration for all Otto instances

Yields:

• (config)

# File 'lib/otto.rb', line 53

def self.configure
  config = OpenStruct.new(@global_config)
  yield config
  @global_config = config.to_h
end

.global_config ⇒ Object

# File 'lib/otto.rb', line 59

def self.global_config
  @global_config
end

Instance Method Details

#add_auth_strategy(name, strategy) ⇒ Object

Add a single authentication strategy

Examples:

otto.add_auth_strategy('custom', MyCustomStrategy.new)

Parameters:

• name (String) —

  Strategy name

• strategy (Otto::Security::AuthStrategy) —

  Strategy instance

# File 'lib/otto.rb', line 462

def add_auth_strategy(name, strategy)
  @auth_config ||= { auth_strategies: {}, default_auth_strategy: 'publically' }
  @auth_config[:auth_strategies][name] = strategy

  enable_authentication!
end

#add_static_path(path) ⇒ Object

# File 'lib/otto.rb', line 159

def add_static_path(path)
  return unless safe_file?(path)

  base_path                      = File.split(path).first
  # Files in the root directory can refer to themselves
  base_path                      = path if base_path == '/'
  File.join(option[:public], base_path)
  Otto.logger.debug "new static route: #{base_path} (#{path})" if Otto.debug
  routes_static[:GET][base_path] = base_path
end

#add_trusted_proxy(proxy) ⇒ Object

Add a trusted proxy server for accurate client IP detection. Only requests from trusted proxies will have their forwarded headers honored.

Examples:

otto.add_trusted_proxy('10.0.0.0/8')
otto.add_trusted_proxy(/^172\.16\./)

Parameters:

• proxy (String, Regexp) —

  IP address, CIDR range, or regex pattern

# File 'lib/otto.rb', line 353

def add_trusted_proxy(proxy)
  @security_config.add_trusted_proxy(proxy)
end

#call(env) ⇒ Object

# File 'lib/otto.rb', line 170

def call(env)
  # Apply middleware stack
  app = ->(e) { handle_request(e) }
  @middleware_stack.reverse_each do |middleware|
    app = middleware.new(app, @security_config)
  end

  begin
    app.call(env)
  rescue StandardError => ex
    handle_error(ex, env)
  end
end

#configure(available_locales: nil, default_locale: nil) ⇒ Object

Configure locale settings for the application

Examples:

otto.configure(
  available_locales: { 'en' => 'English', 'es' => 'Spanish', 'fr' => 'French' },
  default_locale: 'en'
)

Parameters:

• available_locales (Hash) (defaults to: nil) —

  Hash of available locales (e.g., { ‘en’ => ‘English’, ‘es’ => ‘Spanish’ })

• default_locale (String) (defaults to: nil) —

  Default locale to use as fallback

# File 'lib/otto.rb', line 420

def configure(available_locales: nil, default_locale: nil)
  @locale_config ||= {}
  @locale_config[:available_locales] = available_locales if available_locales
  @locale_config[:default_locale] = default_locale if default_locale
end

#configure_auth_strategies(strategies, default_strategy: 'publically') ⇒ Object

Configure authentication strategies for route-level access control.

Examples:

otto.configure_auth_strategies({
  'publically' => Otto::Security::PublicStrategy.new,
  'authenticated' => Otto::Security::SessionStrategy.new(session_key: 'user_id'),
  'role:admin' => Otto::Security::RoleStrategy.new(['admin']),
  'api_key' => Otto::Security::APIKeyStrategy.new(api_keys: ['secret123'])
})

Parameters:

• strategies (Hash) —

  Hash mapping strategy names to strategy instances

• default_strategy (String) (defaults to: 'publically') —

  Default strategy to use when none specified

# File 'lib/otto.rb', line 448

def configure_auth_strategies(strategies, default_strategy: 'publically')
  @auth_config ||= {}
  @auth_config[:auth_strategies] = strategies
  @auth_config[:default_auth_strategy] = default_strategy

  enable_authentication! unless strategies.empty?
end

#determine_locale(env) ⇒ Object

# File 'lib/otto.rb', line 294

def determine_locale(env)
  accept_langs = env['HTTP_ACCEPT_LANGUAGE']
  accept_langs = option[:locale] if accept_langs.to_s.empty?
  locales      = []
  unless accept_langs.empty?
    locales = accept_langs.split(',').map do |l|
      l += ';q=1.0' unless /;q=\d+(?:\.\d+)?$/.match?(l)
      l.split(';q=')
    end.sort_by do |_locale, qvalue|
      qvalue.to_f
    end.collect do |locale, _qvalue|
      locale
    end.reverse
  end
  Otto.logger.debug "locale: #{locales} (#{accept_langs})" if Otto.debug
  locales.empty? ? nil : locales
end

#enable_authentication! ⇒ Object

Enable authentication middleware for route-level access control. This will automatically check route auth parameters and enforce authentication.

Examples:

otto.enable_authentication!

# File 'lib/otto.rb', line 431

def enable_authentication!
  return if middleware_enabled?(Otto::Security::AuthenticationMiddleware)

  use Otto::Security::AuthenticationMiddleware, @auth_config
end

#enable_csp!(policy = "default-src 'self'") ⇒ Object

Enable Content Security Policy (CSP) header to prevent XSS attacks. The default policy only allows resources from the same origin.

Examples:

otto.enable_csp!("default-src 'self'; script-src 'self' 'unsafe-inline'")

Parameters:

• policy (String) (defaults to: "default-src 'self'") —

  CSP policy string (default: “default-src ‘self’”)

# File 'lib/otto.rb', line 388

def enable_csp!(policy = "default-src 'self'")
  @security_config.enable_csp!(policy)
end

#enable_csp_with_nonce!(debug: false) ⇒ Object

Enable Content Security Policy (CSP) with nonce support for dynamic header generation. This enables the res.send_csp_headers response helper method.

Examples:

otto.enable_csp_with_nonce!(debug: true)

Parameters:

• debug (Boolean) (defaults to: false) —

  Enable debug logging for CSP headers (default: false)

# File 'lib/otto.rb', line 407

def enable_csp_with_nonce!(debug: false)
  @security_config.enable_csp_with_nonce!(debug: debug)
end

#enable_csrf_protection! ⇒ Object

Enable CSRF protection for POST, PUT, DELETE, and PATCH requests. This will automatically add CSRF tokens to HTML forms and validate them on unsafe HTTP methods.

Examples:

otto.enable_csrf_protection!

# File 'lib/otto.rb', line 327

def enable_csrf_protection!
  return if middleware_enabled?(Otto::Security::CSRFMiddleware)

  @security_config.enable_csrf_protection!
  use Otto::Security::CSRFMiddleware
end

#enable_frame_protection!(option = 'SAMEORIGIN') ⇒ Object

Enable X-Frame-Options header to prevent clickjacking attacks.

Examples:

otto.enable_frame_protection!('DENY')

Parameters:

• option (String) (defaults to: 'SAMEORIGIN') —

  Frame options: ‘DENY’, ‘SAMEORIGIN’, or ‘ALLOW-FROM uri’

# File 'lib/otto.rb', line 397

def enable_frame_protection!(option = 'SAMEORIGIN')
  @security_config.enable_frame_protection!(option)
end

#enable_hsts!(max_age: 31_536_000, include_subdomains: true) ⇒ Object

Enable HTTP Strict Transport Security (HSTS) header. WARNING: This can make your domain inaccessible if HTTPS is not properly configured. Only enable this when you’re certain HTTPS is working correctly.

Examples:

otto.enable_hsts!(max_age: 86400, include_subdomains: false)

Parameters:

• max_age (Integer) (defaults to: 31_536_000) —

  Maximum age in seconds (default: 1 year)

• include_subdomains (Boolean) (defaults to: true) —

  Apply to all subdomains (default: true)

# File 'lib/otto.rb', line 378

def enable_hsts!(max_age: 31_536_000, include_subdomains: true)
  @security_config.enable_hsts!(max_age: max_age, include_subdomains: include_subdomains)
end

#enable_request_validation! ⇒ Object

Enable request validation including input sanitization, size limits, and protection against XSS and SQL injection attacks.

Examples:

otto.enable_request_validation!

# File 'lib/otto.rb', line 339

def enable_request_validation!
  return if middleware_enabled?(Otto::Security::ValidationMiddleware)

  @security_config.input_validation = true
  use Otto::Security::ValidationMiddleware
end

#handle_request(env) ⇒ Object

# File 'lib/otto.rb', line 184

def handle_request(env)
  locale             = determine_locale env
  env['rack.locale'] = locale
  env['otto.locale_config'] = @locale_config if @locale_config
  @static_route    ||= Rack::Files.new(option[:public]) if option[:public] && safe_dir?(option[:public])
  path_info          = Rack::Utils.unescape(env['PATH_INFO'])
  path_info          = '/' if path_info.to_s.empty?

  begin
    path_info_clean = path_info
      .encode(
        'UTF-8', # Target encoding
        invalid: :replace, # Replace invalid byte sequences
        undef: :replace,   # Replace characters undefined in UTF-8
        replace: '',        # Use empty string for replacement
      )
      .gsub(%r{/$}, '') # Remove trailing slash, if present
  rescue ArgumentError => ex
    # Log the error but don't expose details
    Otto.logger.error '[Otto.handle_request] Path encoding error'
    Otto.logger.debug "[Otto.handle_request] Error details: #{ex.message}" if Otto.debug
    # Set a default value or use the original path_info
    path_info_clean = path_info
  end

  base_path      = File.split(path_info).first
  # Files in the root directory can refer to themselves
  base_path      = path_info if base_path == '/'
  http_verb      = env['REQUEST_METHOD'].upcase.to_sym
  literal_routes = routes_literal[http_verb] || {}
  literal_routes.merge! routes_literal[:GET] if http_verb == :HEAD
  if static_route && http_verb == :GET && routes_static[:GET].member?(base_path)
    # Otto.logger.debug " request: #{path_info} (static)"
    static_route.call(env)
  elsif literal_routes.has_key?(path_info_clean)
    route = literal_routes[path_info_clean]
    # Otto.logger.debug " request: #{http_verb} #{path_info} (literal route: #{route.verb} #{route.path})"
    route.call(env)
  elsif static_route && http_verb == :GET && safe_file?(path_info)
    Otto.logger.debug " new static route: #{base_path} (#{path_info})" if Otto.debug
    routes_static[:GET][base_path] = base_path
    static_route.call(env)
  else
    extra_params  = {}
    found_route   = nil
    valid_routes  = routes[http_verb] || []
    valid_routes.push(*routes[:GET]) if http_verb == :HEAD
    valid_routes.each do |route|
      # Otto.logger.debug " request: #{http_verb} #{path_info} (trying route: #{route.verb} #{route.pattern})"
      next unless (match = route.pattern.match(path_info))

      values       = match.captures.to_a
      # The first capture returned is the entire matched string b/c
      # we wrapped the entire regex in parens. We don't need it to
      # the full match.
      values.shift
      extra_params =
        if route.keys.any?
          route.keys.zip(values).each_with_object({}) do |(k, v), hash|
            if k == 'splat'
              (hash[k] ||= []) << v
            else
              hash[k] = v
            end
          end
        elsif values.any?
          { 'captures' => values }
        else
          {}
        end
      found_route  = route
      break
    end
    found_route ||= literal_routes['/404']
    if found_route
      found_route.call env, extra_params
    else
      @not_found || Otto::Static.not_found
    end
  end
end

#load(path) ⇒ Object

Raises:

• (ArgumentError)

# File 'lib/otto.rb', line 94

def load(path)
  path = File.expand_path(path)
  raise ArgumentError, "Bad path: #{path}" unless File.exist?(path)

  raw = File.readlines(path).select { |line| line =~ /^\w/ }.collect { |line| line.strip }
  raw.each do |entry|
    # Enhanced parsing: split only on first two whitespace boundaries
    # This preserves parameters in the definition part
    parts = entry.split(/\s+/, 3)
    verb, path, definition = parts[0], parts[1], parts[2]
    route                                   = Otto::Route.new verb, path, definition
    route.otto                              = self
    path_clean                              = path.gsub(%r{/$}, '')
    @route_definitions[route.definition]    = route
    Otto.logger.debug "route: #{route.pattern}" if Otto.debug
    @routes[route.verb]                   ||= []
    @routes[route.verb] << route
    @routes_literal[route.verb]           ||= {}
    @routes_literal[route.verb][path_clean] = route
  rescue StandardError
    Otto.logger.error "Bad route in #{path}: #{entry}"
  end
  self
end

#safe_dir?(path) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/otto.rb', line 144

def safe_dir?(path)
  return false if path.nil? || path.empty?

  # Clean and expand the path
  clean_path = path.delete("\0").strip
  return false if clean_path.empty?

  expanded_path = File.expand_path(clean_path)

  # Check directory exists, is readable, and has proper ownership
  File.directory?(expanded_path) &&
    File.readable?(expanded_path) &&
    (File.owned?(expanded_path) || File.grpowned?(expanded_path))
end

#safe_file?(path) ⇒ Boolean

Returns:

• (Boolean)

# File 'lib/otto.rb', line 119

def safe_file?(path)
  return false if option[:public].nil? || option[:public].empty?
  return false if path.nil? || path.empty?

  # Normalize and resolve the public directory path
  public_dir = File.expand_path(option[:public])
  return false unless File.directory?(public_dir)

  # Clean the requested path - remove null bytes and normalize
  clean_path = path.delete("\0").strip
  return false if clean_path.empty?

  # Join and expand to get the full resolved path
  requested_path = File.expand_path(File.join(public_dir, clean_path))

  # Ensure the resolved path is within the public directory (prevents path traversal)
  return false unless requested_path.start_with?(public_dir + File::SEPARATOR)

  # Check file exists, is readable, and is not a directory
  File.exist?(requested_path) &&
    File.readable?(requested_path) &&
    !File.directory?(requested_path) &&
    (File.owned?(requested_path) || File.grpowned?(requested_path))
end

#set_security_headers(headers) ⇒ Object

Set custom security headers that will be added to all responses. These merge with the default security headers.

Examples:

otto.set_security_headers({
  'content-security-policy' => "default-src 'self'",
  'strict-transport-security' => 'max-age=31536000'
})

Parameters:

• headers (Hash) —

  Hash of header name => value pairs

# File 'lib/otto.rb', line 366

def set_security_headers(headers)
  @security_config.security_headers.merge!(headers)
end

#uri(route_definition, params = {}) ⇒ Object

Return the URI path for the given route_definition e.g.

Otto.default.path 'YourClass.somemethod'  #=> /some/path

# File 'lib/otto.rb', line 271

def uri(route_definition, params = {})
  # raise RuntimeError, "Not working"
  route = @route_definitions[route_definition]
  return if route.nil?

  local_params = params.clone
  local_path   = route.path.clone

  local_params.each_pair do |k, v|
    next unless local_path.match(":#{k}")

    local_path.gsub!(":#{k}", v.to_s)
    local_params.delete(k)
  end

  uri = URI::HTTP.new(nil, nil, nil, nil, nil, local_path, nil, nil, nil)
  unless local_params.empty?
    query_string = local_params.map { |k, v| "#{URI.encode_www_form_component(k)}=#{URI.encode_www_form_component(v)}" }.join('&')
    uri.query    = query_string
  end
  uri.to_s
end

#use(middleware) ⇒ Object

Add middleware to the stack

Parameters:

• middleware (Class) —

  The middleware class to add

• args (Array) —

  Additional arguments for the middleware

• block (Proc) —

  Optional block for middleware configuration

# File 'lib/otto.rb', line 317

def use(middleware, *, &)
  @middleware_stack << middleware
end