actn-api 0.0.1

data/db/schemas/client.json

@@ -0,0 +1,41 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",   
+  "type": "object",
+  "properties": {
+    "apikey": {
+      "description": "Autogenerated API key for basic auth",
+      "type": "string"
+    },
+    "secret_hash": {
+      "description": "hashed version of api secret",
+      "type": "string"
+    },    
+    "domain": {
+      "description": "Allowed domain for CORS calls",
+      "type": "string"
+    },
+    "acl": {
+      "description": "Access control list",
+      "type": "object",
+      "patternProperties": {
+        "[allow|disallow]": { 
+          "type": "array",
+          "pattern": "/(\\*|GET|POST|PUT|PATCH|DELETE)(\\:\/.*)?/g"
+        }
+      },
+      "required": ["allow","disallow"]
+    },
+    "sessions": {
+      "description": "Active sessions belongs to client",
+      "type": "object",
+      "patternProperties": {
+        "/.*/": {
+          "type": "array",
+          "minItems": 2,          
+          "maxItems": 2
+        }
+      }
+    }
+  },
+  "required": ["apikey","secret_hash","domain","acl"]
+}

data/db/schemas/user.json

@@ -0,0 +1,23 @@
+{
+  "$schema": "http://json-schema.org/draft-04/schema#",   
+  "type": "object",
+  "properties": {
+    "first_name": {
+      "type": "string"
+    },
+    "last_name": {
+      "type": "string"
+    },
+    "email": {
+      "type": "string",
+      "format": "email"
+    },
+    "hash": {
+      "type": "string"
+    },
+    "phone": {
+      "type": "string"
+    }    
+  },
+  "required": ["first_name","last_name","email"]
+}

data/lib/actn/api/client.rb

@@ -0,0 +1,92 @@
+require 'actn/db/mod'
+require 'actn/core_ext/string'
+require 'bcrypt'
+
+module Actn
+  module Api
+    class Client < DB::Mod
+
+      self.table = "clients"
+      self.schema = "core"   
+  
+      BCrypt::Engine.cost = 4
+  
+      DEFAULT_ACL = {allow: ['*'], disallow: []}
+      TTL = 360
+  
+      attr_accessor :secret
+      
+      data_attr_accessor :apikey, :secret_hash, :domain, :sessions, :acl
+  
+      validates_presence_of :apikey, :domain, :acl, :secret_hash
+      
+      before_validation :set_defaults
+  
+      def self.find_for_auth domain, apikey
+        client = self.find_by(domain: domain, apikey: apikey)
+        client
+      end
+  
+      def auth_by_secret secret
+        self.secret == secret
+      end
+  
+      def auth_by_session session_id
+        return unless client_session = self.sessions[session_id]
+        if BCrypt::Password.new(client_session[0]) == session_id
+          if Time.now.to_f - client_session[1] > TTL
+            invalidated = self.update(sessions: self.sessions.tap{|s| s.delete session_id })
+            return false
+          else
+            return true
+          end
+        end
+      end 
+  
+      def set_session session_id
+        self.update( { sessions: {session_id => [BCrypt::Password.create(session_id), Time.now.to_f] }} )
+      end
+  
+      def secret
+        @hash ||= BCrypt::Password.new(self.secret_hash) if self.secret_hash
+      end
+
+      def credentials
+        {'apikey' => self.apikey, 'secret' => @secret}
+      end
+  
+      def reset_credentials!
+        reset_credentials
+        _update
+        self
+      end
+  
+      def can? resource
+        return if self.acl['disallow'].include?("*") || self.acl['disallow'].include?(resource)
+        self.acl['allow'].include?("*") || self.acl['allow'].include?(resource)
+      end
+      
+      def to_json options = {}
+        super(options.merge(methods: [:credentials], exclude: [:sessions, :secret_hash]))
+      end
+  
+      private
+  
+      def set_defaults 
+        self.domain = self.domain.to_domain        
+        self.sessions ||= {}
+        self.acl ||= DEFAULT_ACL
+        reset_credentials unless self.persisted?
+      end
+      
+      def reset_credentials
+        self.apikey = SecureRandom.hex
+        @secret = SecureRandom.hex
+        @hash = BCrypt::Password.create(@secret)
+        self.secret_hash = @hash
+      end
+
+    end
+
+  end
+end

data/lib/actn/api/core.rb

@@ -0,0 +1,35 @@
+require 'helmet'
+require 'rack/csrf'
+require 'actn/db'
+require 'actn/api/user'
+require 'actn/api/mw/auth'
+require 'actn/api/mw/no_xss'
+require 'actn/api/goliath/validator'
+require 'actn/api/goliath/params'
+
+module Actn
+  module Api
+    class Core < Helmet::API
+  
+      OK = '{"success": true}'
+  
+      def self.inherited base
+
+        base.init
+        
+        super
+        
+        base.use Goliath::Rack::Params
+        base.use Goliath::Rack::Heartbeat
+  
+        base.use Mw::NoXSS
+        base.use Rack::Session::Cookie, secret: ENV['SECRET']
+        base.use Rack::Csrf, skip_if: proc { |request| 
+          request.env.key?('HTTP_X_APIKEY') && request.env.key?('HTTP_X_SECRET') 
+        }
+        
+      end
+          
+    end
+  end
+end

data/lib/actn/api/goliath/params.rb

@@ -0,0 +1,70 @@
+require 'oj'
+require 'rack/utils'
+
+module Goliath
+  module Rack
+    # URL_ENCODED = %r{^application/x-www-form-urlencoded}
+    # JSON_ENCODED = %r{^application/json}
+
+    # A middle ware to parse params. This will parse both the
+    # query string parameters and the body and place them into
+    # the _params_ hash of the Goliath::Env for the request.
+    #
+    # @example
+    #  use Goliath::Rack::Params
+    #
+    class Params
+      module Parser
+        def retrieve_params(env)
+          params = env['params'] || {}
+          begin
+            params.merge!(::Rack::Utils.parse_nested_query(env['QUERY_STRING']))
+            if env['rack.input']
+              post_params = ::Rack::Utils::Multipart.parse_multipart(env)
+              unless post_params
+                body = env['rack.input'].read
+                env['rack.input'].rewind
+
+                unless body.empty?
+                  post_params = case(env['CONTENT_TYPE'])
+                  when URL_ENCODED then
+                    ::Rack::Utils.parse_nested_query(body)
+                  when JSON_ENCODED then
+                    json = Oj.load(body)
+                    if json.is_a?(Hash)
+                      json
+                    else
+                      {'_json' => json}
+                    end
+                  else
+                    {}
+                  end
+                else
+                  post_params = {}
+                end
+              end
+              params = { 'query' => params, 'data' => post_params }
+            end
+          rescue StandardError => e
+            raise Goliath::Validation::BadRequestError, "Invalid parameters: #{e.class.to_s}"
+          end
+          params
+        end
+      end
+
+      include Goliath::Rack::Validator
+      include Parser
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        Goliath::Rack::Validator.safely(env) do
+          env['params'] = retrieve_params(env)
+          @app.call(env)
+        end
+      end
+    end
+  end
+end

data/lib/actn/api/goliath/validator.rb

@@ -0,0 +1,54 @@
+require 'oj'
+
+module Goliath
+  module Rack
+    module Validator
+      module_function
+      ERROR = 'error'
+
+      # @param status_code [Integer] HTTP status code for this error.
+      # @param msg [String] message to inject into the response body.
+      # @param headers [Hash] Response headers to preserve in an error response;
+      #   (the Content-Length header, if any, is removed)
+      def validation_error(status_code, msg, headers={})
+        headers.delete('Content-Length')
+        [status_code, headers, Oj.dump({ERROR => msg})]
+      end
+
+      # Execute a block of code safely.
+      #
+      # If the block raises any exception that derives from
+      # Goliath::Validation::Error (see specifically those in
+      # goliath/validation/standard_http_errors.rb), it will be turned into the
+      # corresponding 4xx response with a corresponding message.
+      #
+      # If the block raises any other kind of error, we log it and return a
+      # less-communicative 500 response.
+      #
+      # @example
+      #   # will convert the ForbiddenError exception into a 403 response
+      #   # and an uncaught error in do_something_risky! into a 500 response
+      #   safely(env, headers) do
+      #     raise ForbiddenError unless account_info['valid'] == true
+      #     do_something_risky!
+      #     [status, headers, body]
+      #   end
+      #
+      #
+      # @param env [Goliath::Env] The current request env
+      # @param headers [Hash] Response headers to preserve in an error response
+      #
+      def safely(env, headers={})
+        begin
+          yield
+        rescue Goliath::Validation::Error => e
+          validation_error(e.status_code, e.message, headers)
+        rescue Exception => e
+          env.logger.error(e.message)
+          env.logger.error(e.backtrace.join("\n"))
+          validation_error(500, e.message, headers)
+        end
+      end
+    end
+  end
+end

data/lib/actn/api/mw/auth.rb

@@ -0,0 +1,122 @@
+require 'goliath/rack'
+require 'goliath/validation'
+require 'bcrypt'
+
+##
+# Bync.rb
+# Bouncer of our midningt api club
+
+module Actn
+  module Api  
+    module Mw    
+      class Auth
+        
+        include Goliath::Rack::BarrierAroundware
+        include Goliath::Validation
+      
+        class MissingApikeyError     < BadRequestError   ; end
+        class InvalidCredentialsError  < UnauthorizedError ; end
+      
+        attr_accessor :client, :opts
+        
+        def initialize(env, opts = {})
+          self.opts = opts
+          super(env)
+        end
+      
+        
+        def pre_process
+          
+          unless excluded?
+              
+            validate_apikey! 
+
+            # On non-GET non-HEAD requests, we have to check auth now.
+            unless lazy_authorization?
+              perform     # yield execution until user_info has arrived
+              authorize_client!
+            end
+          
+          end
+          
+          return Goliath::Connection::AsyncResponse
+        end
+      
+        def post_process
+          
+          unless excluded?
+              
+            # We have to check auth now, we skipped it before
+            if lazy_authorization?
+              validate_client!
+            end
+
+          end
+        
+          [status, headers, body]
+        end
+
+        def lazy_authorization?
+          (env['REQUEST_METHOD'] == 'GET') || (env['REQUEST_METHOD'] == 'HEAD')
+        end
+
+        def validate_apikey!
+          return true if with_session? && current_user_uuid
+          raise MissingApikeyError.new("Missing Api Key") if apikey.to_s.empty?
+        end
+        
+        def validate_client!          
+          return true if with_session? && current_user_uuid          
+          raise Goliath::Validation::UnauthorizedError unless client_valid?
+        end
+
+        def authorize_client!
+          return true if with_session? && current_user_uuid          
+          unless client_valid? && client_authorized?
+            raise InvalidCredentialsError.new("Invalid Credentials")
+          end
+          env['rack.session'][:user_uuid] = self.client.uuid
+        end
+
+        def apikey
+          env['HTTP_X_APIKEY']
+        end
+        
+        def secret
+          env['HTTP_X_SECRET']
+        end        
+        
+        def client_valid?
+          self.client = Client.find_for_auth(host, apikey)
+        end
+      
+        def client_authorized?
+          return unless self.client
+          (
+          self.secret.nil? ? 
+          self.client.auth_by_session(env['rack.session'].id) : 
+          self.client.auth_by_secret(self.secret)
+          ) && self.client.can?("#{env['REQUEST_METHOD']}:#{env['REQUEST_PATH']}")
+        end
+        
+        def host
+          (env['HTTP_ORIGIN'] || env['HTTP_HOST']).to_domain
+        end
+        
+        def excluded?
+          opts[:exclude].nil? ? false : (env['REQUEST_PATH'] =~ opts[:exclude])
+        end  
+        
+        def with_session?
+          opts[:with_session]
+        end      
+        
+        def current_user_uuid
+          env['rack.session'][:user_uuid]
+        end
+
+      
+      end
+    end
+  end
+end

data/lib/actn/api/mw/cors.rb

@@ -0,0 +1,58 @@
+require 'goliath/rack'
+require 'rack/csrf'
+
+##
+# Cors.rb
+# Cross domain middle ware
+
+
+module Actn
+  module Api  
+    module Mw
+      class Cors
+      
+        include Goliath::Rack::AsyncMiddleware
+
+        def initialize(app)
+          @app = app
+        end
+
+        def call(env)
+          if env['REQUEST_METHOD'] == 'OPTIONS'
+            [200, cors_headers(env,false), []]
+          else
+            super(env)
+          end
+        end
+
+        def post_process(env, status, headers, body)
+          headers = cors_headers(env).merge(headers)
+          [status, headers, body]
+        end
+
+        private
+        
+        attr_accessor :options
+  
+        def cors_headers env, csrf = true
+          headers = {}
+          headers['Access-Control-Allow-Credentials'] = 'true'
+          headers['Access-Control-Allow-Origin'] = env['HTTP_ORIGIN']
+          headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, PATCH, DELETE, OPTIONS'
+          headers['Access-Control-Allow-Headers'] = '*, X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization, Origin, Accept, Content-Type, Referer'
+          headers['Access-Control-Expose-Headers'] = 'X_CSRF_TOKEN, X_APIKEY'
+          headers['Access-Control-Max-Age'] = "#{Client::TTL}"
+          headers['P3P'] = 'CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"'
+          
+          headers['X_CSRF_TOKEN'] = Rack::Csrf.token(env) if csrf
+          
+          client_headers_to_approve = env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'].to_s.gsub(/[^\w\-\,]+/,'') 
+          headers['Access-Control-Allow-Headers'] += ",#{client_headers_to_approve}" if not client_headers_to_approve.empty?
+                    
+          headers
+        end
+      
+      end
+    end
+  end
+end

data/lib/actn/api/mw/no_xss.rb

@@ -0,0 +1,28 @@
+require 'goliath/rack'
+
+##
+# Sec.rb
+# Security comes first
+
+module Actn
+  module Api    
+    module Mw
+      class NoXSS
+    
+        include Goliath::Rack::AsyncMiddleware
+    
+        HEADERS = {
+          'X-Frame-Options' => 'SAMEORIGIN',
+          'X-XSS-Protection' => '1; mode=block',
+          'X-Content-Type-Options' => 'nosniff'
+        }
+    
+        def post_process(env, status, headers, body)
+          headers.update HEADERS
+          [status, headers, body]
+        end
+    
+      end
+    end
+  end
+end

data/lib/actn/api/public.rb

@@ -0,0 +1,89 @@
+require 'goliath'
+require 'actn/db/set'
+require 'actn/api/client'
+require 'actn/api/mw/auth'
+require 'actn/api/mw/cors'
+require 'actn/api/mw/no_xss'
+require 'actn/api/goliath/validator'
+require 'actn/api/goliath/params'
+
+module Actn
+  module Api
+    class Public < Goliath::API
+    
+      CT_JS = { 'Content-Type' => 'application/javascript' }
+      CT_JSON = {'Content-Type' => 'application/json'}
+          
+          
+      def self.inherited base
+        
+        super
+        
+        base.use Goliath::Rack::Params
+        base.use Goliath::Rack::Heartbeat
+
+        base.use Mw::NoXSS
+        base.use Rack::Session::Cookie, secret: ENV['SECRET']
+        base.use Rack::Csrf, skip: ['OPTIONS:/.*'], skip_if: proc { |r| ENV['RACK_ENV'] == "test" }
+        base.use Mw::Cors
+        base.use Goliath::Rack::BarrierAroundwareFactory, Mw::Auth, exclude: /^\/connect$/
+        
+        super
+      end
+
+  
+      def process table, path
+        raise NotImplementedError
+      end
+      
+      
+
+      def response env
+
+        path = env['REQUEST_PATH'] || "/"
+
+        unless table = path[1..-1].split("/").first
+          raise Goliath::Validation::Error.new(400, "model identifier missing")
+        end
+  
+        begin
+          json = process(table,path)
+        rescue PG::InternalError => e
+          if e.message =~ /does not exist/
+            raise Goliath::Validation::NotFoundError.new("resource not found")        
+          else
+            raise e
+          end
+        end
+      
+        status = json =~ /errors/ ? 406 : 200
+
+        [status, CT_JSON, json]
+
+      end
+      
+      private
+      
+      def limit
+        query['limit'] || 50
+      end
+      
+      def page
+        ((query['page'] || 1).to_i - 1)
+      end
+
+      def offset
+        limit * page
+      end
+      
+      def query
+        params['query']
+      end
+      
+      def data
+        params['data']
+      end      
+  
+    end
+  end
+end

data/lib/actn/api/user.rb

@@ -0,0 +1,59 @@
+require 'actn/db/mod'
+require 'actn/core_ext/string'
+require 'bcrypt'
+
+module Actn
+  
+  module Api
+  
+    class User < DB::Mod
+    
+      BCrypt::Engine.cost = 4
+  
+      self.schema = "core"
+      self.table = "users"
+    
+      def self.find_for_auth params
+        return unless user = self.find_by('email' => params['email'])
+        return unless user.password == params['password']
+        user.uuid
+      end
+  
+      attr_accessor :password, :password_confirmation
+  
+      data_attr_accessor :first_name, :last_name, :email, :hash, :phone
+  
+      validates_presence_of :first_name, :last_name, :email
+      validates_presence_of :password, :password_confirmation, unless: 'persisted?'
+      validates_confirmation_of :password, unless: 'persisted?'
+      validate :validate_unique_email, unless: 'persisted?'
+      
+      before_create :set_password
+  
+      def password
+        if self.hash
+          @password ||= BCrypt::Password.new(self.hash) 
+        else
+          @password
+        end
+      end
+      
+      def to_json options = {}
+        super(options.merge(:exclude [:hash]))
+      end      
+  
+      private
+      
+      def set_password
+        @password = BCrypt::Password.create(self.password)
+        self.hash = @password
+      end
+      
+  
+      def validate_unique_email
+        errors.add(:email, "has already been taken") if self.class.find_by('email' => self.email)
+      end
+  
+    end
+  end
+end

data/lib/actn/api/version.rb

@@ -0,0 +1,5 @@
+module Actn
+  module Api
+    VERSION = "0.0.1"
+  end
+end

data/lib/actn/api.rb

@@ -0,0 +1,16 @@
+require "actn/paths"
+require "actn/db"
+require "actn/api/version"
+
+module Actn
+  module Api
+    include Paths
+    
+    def self.gem_root
+      @@gem_root ||= File.expand_path('../../../', __FILE__)
+    end
+    
+  end
+end
+
+Actn::DB.paths << Actn::Api.gem_root