hanami · timriley · Sep 17, 2024 · Sep 2, 2024 · Sep 2, 2024 · Sep 2, 2024
diff --git a/lib/hanami/action.rb b/lib/hanami/action.rb
@@ -39,7 +39,7 @@ def self.gem_loader
         loader.ignore(
           "#{root}/hanami-controller.rb",
           "#{root}/hanami/controller/version.rb",
-          "#{root}/hanami/action/{constants,errors,params,validatable}.rb"
+          "#{root}/hanami/action/{constants,errors,validatable}.rb"
         )
         loader.inflector.inflect("csrf_protection" => "CSRFProtection")
       end
@@ -72,6 +72,7 @@ def self.gem_loader
     setting :public_directory, default: Config::DEFAULT_PUBLIC_DIRECTORY
     setting :before_callbacks, default: Utils::Callbacks::Chain.new, mutable: true
     setting :after_callbacks, default: Utils::Callbacks::Chain.new, mutable: true
+    setting :contract_class
 
     # @!scope class
 
@@ -105,24 +106,6 @@ def self.inherited(subclass)
           include Validatable if defined?(Validatable)
         end
       end
-
-      if instance_variable_defined?(:@params_class)
-        subclass.instance_variable_set(:@params_class, @params_class)
-      end
-    end
-
-    # Returns the class which defines the params
-    #
-    # Returns the class which has been provided to define the
-    # params. By default this will be Hanami::Action::Params.
-    #
-    # @return [Class] A params class (when whitelisted) or
-    #   Hanami::Action::Params
-    #
-    # @api private
-    # @since 0.7.0
-    def self.params_class
-      @params_class || BaseParams
     end
 
     # Placeholder for the `.params` method. Raises an error when the hanami-validations gem is not
@@ -298,12 +281,21 @@ def self.handle_exception(...)
       config.handle_exception(...)
     end
 
+    # @since 2.0.0
+    # @api private
+    private attr_reader :config
+
+    # @since 2.2.0
+    # @api private
+    private attr_reader :contract
+
     # Returns a new action
     #
     # @since 2.0.0
     # @api public
-    def initialize(config: self.class.config)
+    def initialize(config: self.class.config, contract: nil)
       @config = config
+      @contract = contract || config.contract_class&.new # TODO: tests showing this overridden by a dep
       freeze
     end
 
@@ -316,7 +308,7 @@ def call(env)
       response = nil
 
       halted = catch :halt do
-        params   = self.class.params_class.new(env)
+        params = Params.new(env: env, contract: contract)
         request  = build_request(
           env: env,
           params: params,
@@ -412,10 +404,6 @@ def _requires_no_body?(res)
 
     private
 
-    # @since 2.0.0
-    # @api private
-    attr_reader :config
-
     # @since 2.0.0
     # @api private
     def enforce_accepted_mime_types(request)

diff --git a/lib/hanami/action/base_params.rb b/lib/hanami/action/base_params.rb
diff --git a/lib/hanami/action/csrf_protection.rb b/lib/hanami/action/csrf_protection.rb
@@ -131,14 +131,14 @@ def invalid_csrf_token?(req, res)
         return false unless verify_csrf_token?(req, res)
 
         missing_csrf_token?(req, res) ||
-          !::Rack::Utils.secure_compare(req.session[CSRF_TOKEN], req.params[CSRF_TOKEN])
+          !::Rack::Utils.secure_compare(req.session[CSRF_TOKEN], req.params.raw[CSRF_TOKEN.to_s])
       end
 
       # Verify the CSRF token was passed in params.
       #
       # @api private
       def missing_csrf_token?(req, *)
-        Hanami::Utils::Blank.blank?(req.params[CSRF_TOKEN])
+        Hanami::Utils::Blank.blank?(req.params.raw[CSRF_TOKEN.to_s])
       end
 
       # Generates a random CSRF Token