Module: Otto::EnvKeys
- Defined in:
- lib/otto/env_keys.rb
Overview
Rack environment keys used by Otto framework
All Otto-specific keys are namespaced under ‘otto.*’ to avoid conflicts with other Rack middleware or applications.
Defined Under Namespace
Modules: Privacy
Constant Summary collapse
- ROUTE_DEFINITION =
Route definition parsed from routes file Type: Otto::RouteDefinition Set by: Otto::Core::Router#parse_routes Used by: AuthenticationMiddleware, RouteHandlers, LogicClassHandler
'otto.route_definition'- ROUTE_OPTIONS =
Route-specific options parsed from route string Type: Hash (e.g., { response: ‘json’, csrf: ‘exempt’, auth: ‘authenticated’ }) Set by: Otto::RouteDefinition#initialize Used by: CSRFMiddleware, RouteHandlers
'otto.route_options'- STRATEGY_RESULT =
Authentication strategy result containing session/user state Type: Otto::Security::Authentication::StrategyResult Set by: RouteAuthWrapper (wraps all route handlers) Used by: RouteHandlers, LogicClasses, Controllers Guarantee: ALWAYS present - either authenticated or anonymous - Routes WITH auth requirement: Authenticated StrategyResult or 401/302 - Routes WITHOUT auth requirement: Anonymous StrategyResult
'otto.strategy_result'- SECURITY_CONFIG =
Security configuration object Type: Otto::Security::Config Set by: Otto#initialize, SecurityConfig Used by: All security middleware (CSRF, Headers, Validation)
'otto.security_config'- NONCE =
Per-request CSP nonce, minted lazily on first access and memoized here. Type: String (base64) Set by: Otto::Security::CSP.nonce / Otto::Request#csp_nonce (first touch) Used by: views (stamping script/style nonces) and Otto::Security::CSP::EmitMiddleware (emit-if-consumed) Note: this is the DEFAULT key. Apps with an existing convention can point the accessor at their own key via Otto::Security::Config#csp_nonce_key (e.g. ‘onetime.nonce’), so the header and views still share one value.
'otto.nonce'- VIA_TRUSTED_PROXY =
Whether the request arrived via a trusted proxy. Type: Boolean Set by: IPPrivacyMiddleware (every request, evaluated on the original peer BEFORE REMOTE_ADDR is masked). This is the trusted-proxy identity check (does REMOTE_ADDR match a configured trusted_proxies CIDR?) — it is independent of count-based depth mode, which resolves the client IP but never grants proxy trust for forwarded proto. Used by: Otto::Request#secure? to authorize X-Forwarded-Proto / X-Scheme without depending on the (masked) REMOTE_ADDR
'otto.via_trusted_proxy'- LOCALE =
Resolved locale for current request Type: String (e.g., ‘en’, ‘es’, ‘fr’) Set by: LocaleMiddleware Used by: RouteHandlers, LogicClasses, Views
'otto.locale'- LOCALE_CONFIG =
Locale configuration object Type: Otto::LocaleConfig Set by: LocaleMiddleware Used by: Locale resolution logic
'otto.locale_config'- AVAILABLE_LOCALES =
Available locales for the application Type: Array
Set by: LocaleConfig Used by: Locale middleware, language switchers 'otto.available_locales'- DEFAULT_LOCALE =
Default/fallback locale Type: String Set by: LocaleConfig Used by: Locale middleware when resolution fails
'otto.default_locale'- ERROR_ID =
Unique error ID for tracking/logging Type: String (hex format, e.g., ‘4ac47cb3a6d177ef’) Set by: ErrorHandler, RouteHandlers Used by: Error responses, logging, support
'otto.error_id'- CLIENT_IP =
Canonical client IP, resolved once early by IPPrivacyMiddleware (“resolve once, read everywhere”). Downstream code (client_ipaddress, Request#ip) reads this instead of re-deriving from REMOTE_ADDR / XFF. Type: String Set by: IPPrivacyMiddleware (every request, all modes) Value: masked IP when privacy enabled; resolved real IP when privacy disabled or the address is exempt (private/localhost) Note: presence also acts as the idempotency guard for the middleware
'otto.client_ip'- ORIGINAL_IP =
Original client IP address (only when privacy disabled) Type: String Set by: IPPrivacyMiddleware (when privacy disabled) Used by: Debugging, legitimate use cases requiring real IP NOTE: Not available when privacy is enabled (intentional)
'otto.original_ip'- ORIGINAL_USER_AGENT =
Original User-Agent string (only when privacy disabled) Type: String Set by: IPPrivacyMiddleware (when privacy disabled) Used by: Bot detection, browser feature detection NOTE: Not available when privacy is enabled (intentional)
'otto.original_user_agent'- ORIGINAL_REFERER =
Original Referer URL (only when privacy disabled) Type: String Set by: IPPrivacyMiddleware (when privacy disabled) Used by: Analytics, debugging NOTE: Not available when privacy is enabled (intentional)
'otto.original_referer'- MCP_HTTP_ENDPOINT =
MCP HTTP endpoint path Type: String (default: ‘/_mcp’) Set by: Otto::MCP::Server#enable! Used by: MCP middleware, SchemaValidationMiddleware
'otto.mcp_http_endpoint'