Improved API Support from downstream

This merges support from changes and improvements made in Sauron to be
part of this library.

This adds middleware the Rails rack stack. It sits after the Rails debug
exceptions middleware so it can intercept errors prior to Rails handling
them. It also seem to move our middleware after the other debug
middleware plugins. This is good for the test environment so we actually
see our JSON error messages.

There is a bit of boiler plate setup code here just to make Rails happy.

This also moves the previous custom resource controller code out into
the lib directory prepping it for extraction.

This adds error pages for beacons and team resources in the API. This
conforms to the JSON API by adding:

- a 409 code if there is a conflict
- always rendering an array of errors
- showing the error attr path in the request

In order to handle the conflict a new module is available to use. It
sits on top of the uniqueness validator. It uses it to shim in what
attrs may or may not have a uniqueness conflict. This is necessary to
check if a specific attribute was a conflict instead of relying on
inspecting the generated message.

No current resources in the public API use the conflict validator.

Author: csexton

lib/kracken/controllers/json_api_compatible.rb

@@ -1,47 +1,194 @@
+require 'kracken/controllers/json_api_compatible'
+
 module Kracken
   module Controllers
     module JsonApiCompatible
+
+      class ResourceNotFound < StandardError
+        attr_reader :missing_ids, :resource
+        def initialize(resource, missing_ids)
+          @missing_ids = Array(missing_ids)
+          @resource    = resource
+          super(
+            "Couldn't find #{resource} with id(s): #{missing_ids.join(', ')}"
+          )
+        end
+      end
+
+      class TokenUnauthorized < StandardError
+        def initialize(msg = nil)
+          msg ||= 'HTTP Token: Access denied.'
+          super(msg)
+        end
+      end
+
+      class UnprocessableEntity < StandardError; end
+
+      module MungeAndMirror
+        # Wraps the data root in an Array, if it is not already an Array. This
+        # will not wrap the value if the resource root is not present.
+        def munge_resource_root!
+          return unless params.key?(resource_type)
+          # We don't want to munge a non-existent key
+          params[resource_type] = Array.wrap(params[resource_type])
+          munge_optional_id!
+        end
+
+      private
+
+        def munge_chained_param_ids!
+          return unless params[:id]
+          params[:id] = params[:id].split(/,\s*/)
+        end
+
+        def can_munge_ids?
+          (!params[:id].nil? && params[:id].size == 1) &&
+            params[resource_type].size == 1
+        end
+
+        def munge_optional_id!
+          return unless can_munge_ids?
+          params[resource_type].first[:id] ||= params[:id].first
+        end
+      end
+
+      module Macros
+        def self.extended(klass)
+          klass.instance_exec do
+            include MungeAndMirror
+          end
+        end
+
+        def resource_type(type = nil)
+          if type
+            alias_method "#{type}_root", :data_root
+            @_resource_type = type.to_sym
+          end
+          @_resource_type ||= :data
+        end
+
+        def munge_resource_root!
+          before_action :munge_resource_root!
+        end
+
+        def verify_scoped_resource(resource, options = {})
+          name = "verify_scoped_#{resource}"
+          relation = options.extract!(:as).fetch(:as, resource).to_s.pluralize
+          scope = options.extract!(:scope).fetch(:scope, :current_user)
+          resource_id = (resource_type == resource.to_sym) ? :id : "#{resource}_id"
+          define_method(name) do
+            param_ids = Array(params[resource_id])
+            found_ids = self.send(scope)
+                            .send(relation)
+                            .where(id: param_ids)
+                            .ids
+                            .map(&:to_s)
+            missing_ids = param_ids - found_ids
+            unless missing_ids.empty?
+              raise ResourceNotFound.new(resource, missing_ids)
+            end
+          end
+          before_action name, options
+        end
+
+        def verify_required_params(options = {})
+          before_action :verify_required_params!, options
+        end
+      end
+
       def self.included(base)
         base.instance_exec do
+          extend Macros
+
           before_action :munge_chained_param_ids!
           skip_before_action :verify_authenticity_token
+        end
+      end
 
-          unless Rails.application.config.consider_all_requests_local
-            rescue_from StandardError do |error|
-              render_json_error 500, error
-            end
-
-            rescue_from ActionController::RoutingError do |error|
-              render_json_error 404, error
-            end
+      # NOTE: Monkey-patch until this is merged into the gem
+      def request_http_token_authentication(realm = 'Application')
+        headers["WWW-Authenticate"] = %(Token realm="#{realm.gsub(/"/, "")}")
+        raise TokenUnauthorized
+      end
 
-            if defined? ActiveRecord
-              rescue_from ActiveRecord::RecordNotFound do |error|
-                render_json_error 404, error
-              end
-            end
+      module DataIntegrity
+        # Scan each item in the data root and enforce it has an id set.
+        def enforce_resource_ids!
+          Array.wrap(data_root).each do |resource|
+            resource.require(:id)
           end
+        end
 
+        # Check the provided params to make sure the root resource type key is set.
+        # If the value for the key is an array, make sure all of the contained hashes
+        # have an `id` set.
+        def verify_required_params!
+          return unless params.require(resource_type) && params[:id]
+          if Array === data_root
+            enforce_resource_ids!
+          elsif params[:id].many?
+            raise UnprocessableEntity,
+                  "Single beacon object provided but multiple resources requested"
+          end
         end
       end
+      include DataIntegrity
 
-      private
+      module VirtualAttributes
+        # Grab the data root from the params.
+        #
+        # This will either be params[:data] or the custom resource type set on the
+        # class.
+        def data_root
+          params[resource_type]
+        end
 
-      def munge_chained_param_ids!
-        return unless params[:id]
-        params[:id] = params[:id].split(/,\s*/)
+        # Get the set resource type from the class
+        def resource_type
+          self.class.resource_type
+        end
       end
+      include VirtualAttributes
 
-      def render_json_error(status, error)
-        notify_bugsnag(error)
-        body = {error: {message: error.message, backtrace: error.backtrace}}
-        render status: status, json: body
+    # Common Actions Necessary in JSON API controllers
+
+      # Wrap a block in an Active Record transaction
+      #
+      # The return value of the block is checked to see if it should be considered
+      # successful. If the value is falsey the transaction is rolledback. If a
+      # collection of ActiveRecord (or quacking) objects are returned they are
+      # checked to make sure none have any errors.
+      def in_transaction
+        ActiveRecord::Base.transaction {
+          memo = yield
+          was_success = !!memo && Array(memo).all? { |t| t.errors.empty? }
+          was_success or raise ActiveRecord::Rollback
+        }
       end
 
-      def notify_bugsnag(error)
-        Bugsnag.notify(error) if defined? BugSnag
+      # Process parameters in the standard JSON API way.
+      #
+      # If there is no set `id`, the request was likely a `POST` / create action.
+      # The params are mapped to the permitted params. Otherwise, index the data by
+      # the supplied ids and transform all the values based on the provided
+      # permitted params (for strong parameters).  Only objects whose `id`s match
+      # the requested ids are returned.
+      #
+      # If the data was a Hash, then the single `permit_params` object is returned.
+      # Or the tuple [`id`, `permitd_params`] respectively.
+      def process_params(permitted_params)
+        single_resource = Hash === data_root
+        data = Array.wrap(data_root)
+        mapping = if params[:id].blank?
+                    data.map { |attrs| attrs.permit(permitted_params) }
+                  else
+                    data.index_by { |d| d[:id].to_s }
+                      .transform_values { |attrs| attrs.permit(permitted_params) }
+                      .slice(*params[:id])
+                  end
+        single_resource ? mapping.first : mapping
       end
+
     end
   end
 end
-

lib/kracken/controllers/token_authenticatable.rb

@@ -10,7 +10,14 @@ def self.included(base)
         base.instance_exec do
           before_action :authenticate_user_with_token!
           helper_method :current_user
+
+          rescue_from Kracken::RequestError do |_|
+            # TODO: Handle other types of errors (such as if the server is down)
+            raise Kracken::Controllers::JsonApiCompatible::TokenUnauthorized,
+              "Invalid credentials"
+          end
         end
+
       end
 
       attr_reader :current_user

lib/kracken/json_api.rb

@@ -0,0 +1,21 @@
+require_relative 'json_api/exception_wrapper'
+require_relative 'json_api/path'
+require_relative 'json_api/public_exceptions'
+require_relative 'json_api/request'
+require_relative 'json_api/routing_mapper'
+
+module Kracken
+  module JsonApi
+    def self.has_path?(request)
+      paths.any? { |path| path.matches?(request) }
+    end
+
+    def self.paths
+      @paths ||= []
+    end
+
+    def self.add_path(path)
+      paths << Path.new(path)
+    end
+  end
+end

lib/kracken/json_api/exception_wrapper.rb

@@ -0,0 +1,25 @@
+module Kracken
+  module JsonApi
+    class ExceptionWrapper < ActionDispatch::ExceptionWrapper
+      cattr_accessor :rescue_with_details_responses
+      @@rescue_with_details_responses = Hash.new
+      @@rescue_with_details_responses.merge!(
+        'Kracken::Controllers::JsonApiCompatible::ResourceNotFound' => :not_found,
+        'Kracken::Controllers::JsonApiCompatible::TokenUnauthorized' => :unauthorized,
+        'Kracken::Controllers::JsonApiCompatible::UnprocessableEntity' => :unprocessable_entity,
+      )
+
+      def self.status_code_for_exception(class_name)
+        if @@rescue_with_details_responses.has_key?(class_name)
+          Rack::Utils.status_code(@@rescue_with_details_responses[class_name])
+        else
+          Rack::Utils.status_code(@@rescue_responses[class_name])
+        end
+      end
+
+      def is_details_exception?
+        @@rescue_with_details_responses.has_key?(exception.class.name)
+      end
+    end
+  end
+end

lib/kracken/json_api/path.rb

@@ -0,0 +1,15 @@
+module Kracken
+  module JsonApi
+    class Path
+      attr_reader :path_match
+
+      def initialize(path)
+        @path_match = Pathname(path).join('*').to_path
+      end
+
+      def matches?(request)
+        request.supports_json_format? && request.path.fnmatch?(path_match)
+      end
+    end
+  end
+end