aha_builder_core 1.0.15 → 1.0.17

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ab96bb0d7db25dcab119a0fc590ddfdc0a60b2984ae041f42f7380f9da1a229
-  data.tar.gz: 83b6752ca39af681cf7a617855b9cd3b89b2a83eef98c28c7e440b9018389bfb
+  metadata.gz: 913c608a336e01e9d8ac3084627502ccdbb27de2e1e29be6e820f9121c810b30
+  data.tar.gz: 0f9fae30f6eb0295b361a778166adba1f5ab85410060993d4731a334bed35446
 SHA512:
-  metadata.gz: da4a0a3dd5af21d498c34fab9c845928f017c8489c6cc857986fa70bc01fc318e440b1c555288afb872c8a29d46b6ed43dff0e8e8723f5d562635f598b7bcbff
-  data.tar.gz: 8c27600959bfa94734744c8ef7b2f27fd22173da39a04eef001835261d695368b31cc1959f4496e5a481b5c792ff0d199884e6d265b7d98771ff30f725483b3a
+  metadata.gz: d3aef9032b88ce77e637cecfba97720bcc47d00e2b0c340408df0fd1f1f60248707bcdf27a91150ddec008c034970f845fea601a756869a0002a03eda505eccf
+  data.tar.gz: 1070ef7ede56f66267aab822a8843beabe40fc3717faba0a3844b5a982072499e68b62fd392f045d2bce4d2c1d3ae3935299bc47259ae82d1e4cda655c95e4c2

data/README.md

@@ -18,7 +18,7 @@ No configuration is necessary and no environment variables are necessary.
 
 The authentication UI is provided completely by the core system. During authentication the user is redirected to the login page, and will return (via HTTP redirect) to the `/callback` URL when authentication is complete. Your application must implement a callback action at `/callback` to receive the code. Any value passed in as `state` is returned verbatim to the callback.
 
-Protection against CSRF atacks is handled internally by the Aha::Auth library and there is no need to use a nonce in the state parameter.
+Protection against CSRF attacks is handled internally by the Aha::Auth library and there is no need to use a nonce in the state parameter.
 
 ### Generate Login URL
 
@@ -88,7 +88,6 @@ local_user.update!(
 # Store tokens in session or database
 session[:session_token] = result[:session_token]
 session[:refresh_token] = result[:refresh_token]
-session[:user_id] = local_user.id
 
 # Redirect to application
 redirect_to root_path
@@ -115,10 +114,15 @@ end
 
 ### Logout
 
+Implement logout by making a Ruby call to the library.
+
 ```ruby
 Aha::Auth.logout(session_token: session_token)
 ```
 
+After logout the user should be redirected back to the login page. The front-end
+should not use XHR for the logout request since it can't handle a redirect.
+
 ## User Management
 
 Server-to-server operations (requires `api_key`):

data/lib/aha/auth/client.rb

@@ -49,31 +49,32 @@ module Aha
       # @param refresh_token [String, nil] Optional refresh token for automatic refresh
       # @return [Session] Session validation result
       def validate_session(session_token, refresh_token: nil)
+        claims = nil
+
         begin
           claims = decode_and_verify_token(session_token)
-          return Session.from_claims(claims) if claims
-        rescue ExpiredTokenError 
+        rescue ExpiredTokenError
           # Token has expired, attempt refresh
         end
 
-        if refresh_token
-          begin
-            tokens = authenticate_with_refresh_token(refresh_token: refresh_token)
-            new_claims = decode_and_verify_token(tokens[:session_token])
-
-            return Session.from_claims(
-              new_claims || claims,
-              refreshed: true,
-              new_session_token: tokens[:session_token],
-              new_refresh_token: tokens[:refresh_token]
-            )
-          rescue Error
-            return Session.invalid
+        if claims
+          # Valid session - check if we should proactively refresh based on lifetime
+          if refresh_token && token_needs_refresh?(claims)
+            # If refresh fails, we still want to return the existing session as valid
+            # until it fully expires, so we don't disrupt active users
+            return attempt_refresh(refresh_token) || Session.from_claims(claims)
           end
+
+          return Session.from_claims(claims)
+        end
+
+        if refresh_token
+          return attempt_refresh(refresh_token) || Session.invalid
         end
 
         Session.invalid
-      rescue InvalidTokenError, ExpiredTokenError
+      rescue InvalidTokenError, ExpiredTokenError => e
+        Rails.logger.info("Session token invalid or expired #{e.message}")
         Session.invalid
       end
 
@@ -82,9 +83,12 @@ module Aha
       # @param session_token [String] The session token to revoke
       # @return [Boolean] true if successful
       def logout(session_token:)
-        get("/api/core/auth_ui/logout", headers: { "Authorization" => "Bearer #{session_token}" })
+        claims = decode_and_verify_token(session_token)
+        user_id = claims["sub"] # JWT subject is the user_id
+
+        post("/api/core/auth/users/#{user_id}/logout", {})
         true
-      rescue ApiError
+      rescue InvalidTokenError, ExpiredTokenError, ApiError
         false
       end
 
@@ -97,6 +101,36 @@ module Aha
 
       private
 
+      def attempt_refresh(refresh_token)
+        tokens = authenticate_with_refresh_token(refresh_token: refresh_token)
+        new_claims = decode_and_verify_token(tokens[:session_token])
+        Session.from_claims(
+          new_claims,
+          refreshed: true,
+          new_session_token: tokens[:session_token],
+          new_refresh_token: tokens[:refresh_token]
+        )
+      rescue Error => e
+        Rails.logger.error("Session refresh failed: #{e.message}")
+        nil
+      end
+
+      # Determine if a token is approaching expiration and should be proactively refreshed
+      #
+      # @param claims [Hash] The decoded JWT claims
+      # @return [Boolean] true if the token should be refreshed
+      def token_needs_refresh?(claims)
+        iat = claims["iat"]
+        exp = claims["exp"]
+        return false unless iat && exp
+
+        lifetime = exp - iat
+        return false if lifetime <= 0
+
+        elapsed = Time.now.to_i - iat
+        elapsed.to_f / lifetime >= @configuration.refresh_lifetime_fraction
+      end
+
       def decode_and_verify_token(token)
         # First decode without verification to get the header
         header = JWT.decode(token, nil, false).last
@@ -106,7 +140,7 @@ module Aha
         public_key = @token_cache.get_key(kid) { fetch_jwks }
 
         unless public_key
-          # Try refreshing the cache in case there's a new key
+          # Force refresh the cache in case there's a new key
           @token_cache.refresh! { fetch_jwks }
           public_key = @token_cache.get_key(kid) { fetch_jwks }
           raise InvalidTokenError, "Unknown key ID: #{kid}" unless public_key
@@ -115,7 +149,11 @@ module Aha
         # Verify the token
         options = {
           algorithm: ALGORITHM,
-          verify_expiration: true
+          aud: @configuration.client_id.to_s,
+          verify_expiration: true,
+          verify_aud: true,
+          verify_iat: true,
+          required_claims: %w[sub sid aud iat exp],
         }
 
         decoded = JWT.decode(token, public_key, true, options)
@@ -157,6 +195,10 @@ module Aha
 
       def http_client
         @http_client ||= Faraday.new(url: @configuration.server_url) do |conn|
+          if @configuration.enable_logging && @configuration.logger
+            conn.response :logger, @configuration.logger, bodies: true
+          end
+
           conn.request :retry, max: 2, interval: 0.5, backoff_factor: 2
           conn.options.timeout = @configuration.timeout
 

data/lib/aha/auth/configuration.rb

@@ -15,19 +15,28 @@ module Aha
       # How long to cache JWKS keys (default: 1 hour)
       attr_accessor :jwks_cache_ttl
 
-      # Number of seconds before token expiry to trigger refresh (default: 120)
-      attr_accessor :refresh_threshold
+      # Fraction of token lifetime after which to attempt proactive refresh (default: 0.5)
+      # e.g. at 0.5, a 15-minute token triggers refresh after 7.5 minutes
+      attr_accessor :refresh_lifetime_fraction
 
       # HTTP timeout in seconds (default: 30)
       attr_accessor :timeout
 
+      # Enable logging of HTTP requests and responses (default: false)
+      attr_accessor :enable_logging
+
+      # Logger instance for HTTP logging (default: Rails.logger)
+      attr_accessor :logger
+
       def initialize
         @server_url = ENV.fetch("AHA_CORE_SERVER_URL", "https://secure.aha.io/api/core")
         @api_key = ENV.fetch("AHA_CORE_API_KEY", nil)
         @client_id = ENV.fetch("APPLICATION_ID", nil)
         @jwks_cache_ttl = 3600 # 1 hour
-        @refresh_threshold = 120 # 2 minutes
+        @refresh_lifetime_fraction = 0.5
         @timeout = 30
+        @enable_logging = false
+        @logger = Rails.logger
       end
 
       def validate!

data/lib/aha/auth/token_cache.rb

@@ -34,11 +34,6 @@ module Aha
         end
       end
 
-      # Check if the cache is stale
-      def stale?
-        @fetched_at.nil? || (Time.now.utc - @fetched_at) > @ttl
-      end
-
       # Clear the cache
       def clear!
         @mutex.synchronize do
@@ -49,6 +44,10 @@ module Aha
 
       private
 
+      def stale?
+        @fetched_at.nil? || (Time.now.utc - @fetched_at) > @ttl
+      end
+
       def refresh_if_needed(&fetcher)
         fetch_keys(&fetcher) if stale?
       end
@@ -59,7 +58,10 @@ module Aha
 
         @keys = {}
         jwks["keys"].each do |key_data|
+          # Valdate the key is appropriate for our use.
           next unless key_data["kty"] == "RSA"
+          next unless key_data["use"] == "sig"
+          next unless key_data["alg"] == "RS256"
 
           kid = key_data["kid"]
           @keys[kid] = build_rsa_key(key_data)

data/lib/aha/auth/users_resource.rb

@@ -11,9 +11,9 @@ module Aha
       # Create a new user
       #
       # @param email [String] User's email address
-      # @param first_name [String] User's first name
-      # @param last_name [String] User's last name
-      # @param password [String] User's password
+      # @param first_name [String] User's first name (optional)
+      # @param last_name [String] User's last name (optional)
+      # @param password [String] User's password (optional)
       # @return [User] The created user
       def create(email:, first_name:, last_name:, password:)
         response = post(

data/lib/aha/auth.rb

@@ -77,26 +77,13 @@ module Aha
       def authenticate_with_code(code:, cookies:)
         # Split the code and nonce if present
         actual_code, nonce = code.split(".", 2)
+        
+        raise "CSRF verification failed: unable to verify nonce" unless nonce
 
-        # Verify CSRF protection if nonce is present
-        if nonce
-          cookie_nonce = cookies[:auth_nonce]
-
-          # Verify nonce matches
-          if cookie_nonce.blank? 
-            raise "CSRF verification failed: nonce missing in cookie"
-          end
-
-          if cookie_nonce != nonce
-            raise "CSRF verification failed: nonce mismatch"
-          end
-
-          # Clear the nonce from session after verification
-          cookies.delete(:auth_nonce)
-        else
-          # If we fon't have a none, we can't verify CSRF.
-          raise "CSRF verification failed: unable to verify nonce"
-        end
+        cookie_nonce = cookies[:auth_nonce]
+        cookies.delete(:auth_nonce)
+        raise "CSRF verification failed: nonce missing in cookie" if cookie_nonce.blank? 
+        raise "CSRF verification failed: nonce mismatch" if cookie_nonce != nonce
 
         client.authenticate_with_code(code: actual_code)
       end

data/lib/aha/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Aha
-  VERSION = "1.0.15"
+  VERSION = "1.0.17"
 end

data/lib/generators/aha_builder_core/auth/USAGE

@@ -16,7 +16,7 @@ Example:
     And add routes:
         get "login" => "sessions#new"
         get "callback" => "sessions#callback"
-        delete "logout" => "sessions#logout"
+        get "logout" => "sessions#logout"
 
     You can add custom attributes to the User model:
         bin/rails generate aha_builder_core:auth company:string role:string

data/lib/generators/aha_builder_core/auth/templates/authentication.rb.tt

@@ -23,7 +23,7 @@ module Authentication
         session[:refresh_token] = session_result.new_refresh_token
       end
 
-      @current_user = User.find_by(id: session[:user_id])
+      @current_user = User.find_by(id: session_result.user_id)
       Current.user = @current_user
     else
       clear_session
@@ -50,9 +50,7 @@ module Authentication
   end
 
   def clear_session
-    session.delete(:session_token)
-    session.delete(:refresh_token)
-    session.delete(:user_id)
+    reset_session
     @current_user = nil
   end
 end

data/lib/generators/aha_builder_core/auth/templates/sessions_controller.rb.tt

@@ -4,7 +4,7 @@ class SessionsController < ApplicationController
 
   def new
     redirect_to Aha::Auth.login_url(
-      state: { return_to: params[:return_to] || root_path }.to_json,
+      state: { return_to: relative_url(params[:return_to] || root_path) }.to_json,
       cookies:
     ), allow_other_host: true
   end
@@ -25,10 +25,9 @@ class SessionsController < ApplicationController
 
       session[:session_token] = result[:session_token]
       session[:refresh_token] = result[:refresh_token]
-      session[:user_id] = user.id
 
       state = JSON.parse(params[:state]) rescue {}
-      redirect_to state["return_to"] || root_path
+      redirect_to relative_url(state["return_to"] || root_path)
     else
       redirect_to login_path, alert: "Authentication failed. Please try again."
     end
@@ -49,4 +48,13 @@ class SessionsController < ApplicationController
     clear_session
     redirect_to root_path, notice: "Successfully signed out."
   end
+
+  private
+
+  def relative_url(url) 
+    uri = URI.parse(url) 
+    [[uri.path, uri.query].compact.join("?"), uri.fragment].compact.join("#") 
+  rescue StandardError => e 
+    nil 
+  end 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aha_builder_core
 version: !ruby/object:Gem::Version
-  version: 1.0.15
+  version: 1.0.17
 platform: ruby
 authors:
 - Aha! Labs Inc.
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-01-16 00:00:00.000000000 Z
+date: 2026-02-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport