aha_builder_core 1.0.3 → 1.0.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3bfa1fb612c68e9997d4058381ef9c4b6b8d7eb61ddcbb52800fac41ace7fcd0
-  data.tar.gz: e673fd8edc82b0ae0f1a7c32ecf82bdd6c8368ebe2b8b626dc4e5d1cf6d6b696
+  metadata.gz: 8242fcb16eead2a99076077e2722d5815501f5fc3234eebfbf53a37648d79e5d
+  data.tar.gz: 854469a275e4e2cc06469e9d3fd967c3039b565c66ca344ac2df39f37daf94d0
 SHA512:
-  metadata.gz: a2b43eeff2fbea68a9b7b908097ca88bf858504035671808c8dac2716b0621d37219c06f92aaed8d9be7eb6571da665a1f8fed95f52cf02f3d02ba4151c29898
-  data.tar.gz: 927e0f48d3a1d2e4cb492ccefa7cb3bc377468ac7c57b3896abcaaa449a3b85a42cad99392927f0733127b28a7fe612d0f365c55060993b3c545c8c193048606
+  metadata.gz: 51e7277709855e865c53940dfec85081cab5c9c2b0b74c53cfd383a70c5cc01ad4cd725451f0268ae3515d2c0985ec17704ae3fb1d51a4f8204a398f438aa13b
+  data.tar.gz: 9385a9e023d76fc58f4dd802cb0dcacd2f773e055f75b549e2be59f11c2832dd9cc357de0c31c13e857ccf85e9645d26c760b1a765e8a61f9f95886f0976b50d

data/README.md

@@ -1,6 +1,6 @@
 # Aha Builder Core Client
 
-Ruby client for Aha! Builder core authentication services.
+Ruby client for Aha! Builder core authentication services which provides login and signup using email/password, social logins (Google, Github, Microsoft), SAML SSO and password reset.
 
 ## Installation
 
@@ -18,6 +18,8 @@ No configuration is necessary and no environment variables are necessary.
 
 The authentication UI is provided completely by the core system. During authentication the user is redirected to the login page, and will return (via HTTP redirect) to the `/callback` URL when authentication is complete. Your application must implement a callback action at `/callback` to receive the code. Any value passed in as `state` is returned verbatim to the callback.
 
+Protection against CSRF atacks is handled internally by the Aha::Auth library and there is no need to use a nonce in the state parameter.
+
 ### Generate Login URL
 
 Redirect users to the authentication and signup UI:

data/lib/aha/auth/version.rb

@@ -2,6 +2,6 @@
 
 module Aha
   module Auth
-    VERSION = "1.0.3"
+    VERSION = "1.0.5"
   end
 end

data/lib/aha/auth.rb

@@ -4,6 +4,8 @@ require "faraday"
 require "faraday/retry"
 require "jwt"
 require "concurrent"
+require "active_support"
+require "active_support/core_ext"
 
 require_relative "auth/version"
 require_relative "auth/errors"
@@ -40,11 +42,28 @@ module Aha
 
       # Generate login URL for redirecting users to the auth server
       #
+      # @param session [Hash] Session hash to store the nonce for CSRF verification
       # @param state [String] Optional state parameter to pass through the auth flow
       # @return [String] The login URL
-      def login_url(state: nil)
-        params = { client_id: configuration.client_id }
-        params[:state] = state if state
+      def login_url(session:, state: nil)
+        # Generate a nonce for CSRF protection
+        nonce = SecureRandom.hex(10)
+
+        # Store nonce in the client's session if provided
+        session[:auth_nonce] = nonce if session
+
+        # Encode the state with nonce
+        state_data = {
+          tunneled_state: state,
+          nonce: nonce,
+        }
+
+        encoded_state = Base64.urlsafe_encode64(state_data.to_json, padding: false)
+
+        params = {
+          client_id: configuration.client_id,
+          state: encoded_state
+        }
 
         query = URI.encode_www_form(params)
         "#{configuration.server_url}/auth_ui/start?#{query}"
@@ -52,10 +71,30 @@ module Aha
 
       # Exchange an authorization code for tokens
       #
-      # @param code [String] The authorization code from the callback
+      # @param code [String] The authorization code from the callback (may include nonce)
+      # @param session [Hash] Session hash containing the nonce for CSRF verification
       # @return [Hash] Token response with :session_token, :refresh_token, :expires_at, :user
-      def authenticate_with_code(code:)
-        client.authenticate_with_code(code: code)
+      def authenticate_with_code(code:, session:)
+        # Split the code and nonce if present
+        actual_code, nonce = code.split(".", 2)
+
+        # Verify CSRF protection if nonce is present
+        if nonce
+          session_nonce = session[:auth_nonce]
+
+          # Verify nonce matches
+          if session_nonce.blank? || session_nonce != nonce
+            raise "CSRF verification failed: nonce mismatch"
+          end
+
+          # Clear the nonce from session after verification
+          session.delete(:auth_nonce)
+        else
+          # If we fon't have a none, we can't verify CSRF.
+          raise "CSRF verification failed: unable to verify nonce"
+        end
+
+        client.authenticate_with_code(code: actual_code)
       end
 
       # Refresh tokens using a refresh token

data/lib/generators/aha_builder_core/auth/USAGE

@@ -0,0 +1,27 @@
+Description:
+    Generates authentication scaffolding for Aha Builder Core integration.
+    Creates User model, migration, SessionsController, Authentication concern,
+    Current model, and routes.
+
+Example:
+    bin/rails generate aha_builder_core:auth
+
+    This will create:
+        app/models/user.rb
+        app/models/current.rb
+        app/controllers/sessions_controller.rb
+        app/controllers/concerns/authentication.rb
+        db/migrate/XXXXXXXXXXXXXX_create_users.rb
+
+    And add routes:
+        get "login" => "sessions#new"
+        get "callback" => "sessions#callback"
+        delete "logout" => "sessions#logout"
+
+    You can add custom attributes to the User model:
+        bin/rails generate aha_builder_core:auth company:string role:string
+
+    This adds company and role columns to the users table migration.
+
+Options:
+    --skip-migration    Skip generating the database migration

data/lib/generators/aha_builder_core/auth/auth_generator.rb

@@ -0,0 +1,138 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+require "rails/generators/active_record"
+
+module AhaBuilderCore
+  class AuthGenerator < Rails::Generators::Base
+    include ActiveRecord::Generators::Migration
+
+    source_root File.expand_path("templates", __dir__)
+
+    argument :attributes, type: :array, default: [], banner: "field[:type] field[:type]"
+
+    class_option :skip_migration, type: :boolean, default: false, desc: "Skip migration generation"
+
+    def generate_migration_file
+      return if options[:skip_migration]
+
+      migration_template "migration.rb.tt", File.join(db_migrate_path, "create_users.rb")
+    end
+
+    def create_user_model
+      template "user.rb.tt", "app/models/user.rb"
+    end
+
+    def create_current_model
+      template "current.rb.tt", "app/models/current.rb"
+    end
+
+    def create_sessions_controller
+      template "sessions_controller.rb.tt", "app/controllers/sessions_controller.rb"
+    end
+
+    def create_authentication_concern
+      template "authentication.rb.tt", "app/controllers/concerns/authentication.rb"
+    end
+
+    def add_routes
+      route <<~RUBY
+        get "login", to: "sessions#new", as: :new_session
+        get "callback", to: "sessions#callback", as: :session_callback
+        delete "logout", to: "sessions#logout", as: :logout
+      RUBY
+    end
+
+    def add_inertia_auth_share
+      return unless File.exist?("app/controllers/inertia_controller.rb")
+
+      inject_into_file "app/controllers/inertia_controller.rb",
+        after: "inertia_share flash: -> { flash.to_hash }\n" do
+          <<-RUBY
+  inertia_share auth: -> {
+    {
+      user: current_user&.as_json(only: %i[id email first_name last_name])
+    }
+  }
+          RUBY
+        end
+    end
+
+    def add_authentication_to_application_controller
+      inject_into_file "app/controllers/application_controller.rb",
+        after: "class ApplicationController < ActionController::Base\n" do
+          "  include Authentication\n"
+        end
+    end
+
+    def add_typescript_types
+      types_file = "app/frontend/types/index.ts"
+      return unless File.exist?(types_file)
+
+      gsub_file types_file,
+        /export interface Flash \{\n  alert\?: string\n  notice\?: string\n\}\n\nexport interface SharedData \{\n  flash: Flash\n  \[key: string\]: unknown\n\}/,
+        <<~TYPESCRIPT.chomp
+          export interface Flash {
+            alert?: string
+            notice?: string
+          }
+
+          export interface AuthUser {
+            id: number
+            email: string
+            first_name: string | null
+            last_name: string | null
+          }
+
+          export interface SharedData {
+            flash: Flash
+            auth: {
+              user: AuthUser | null
+            }
+            [key: string]: unknown
+          }
+        TYPESCRIPT
+    end
+
+    def generate_js_routes
+      say "\nRegenerating js-routes file...", :green
+      rails_command "js:routes"
+    end
+
+    def display_instructions
+      say "\nAha Auth setup complete!", :green
+    end
+
+    private
+
+    def auth_attributes
+      %w[
+        auth_identifier:string
+        email:string
+        first_name:string
+        last_name:string
+        email_verified:boolean
+      ]
+    end
+
+    def all_attributes
+      @all_attributes ||= (auth_attributes + attributes.map(&:to_s)).map do |attr|
+        Rails::Generators::GeneratedAttribute.parse(attr)
+      end
+    end
+
+    def custom_attributes
+      @custom_attributes ||= attributes.map do |attr|
+        Rails::Generators::GeneratedAttribute.parse(attr.to_s)
+      end
+    end
+
+    def migration_class_name
+      "CreateUsers"
+    end
+
+    def table_name
+      "users"
+    end
+  end
+end

data/lib/generators/aha_builder_core/auth/templates/authentication.rb.tt

@@ -0,0 +1,57 @@
+module Authentication
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :authenticate
+    helper_method :current_user, :logged_in?
+  end
+
+  private
+
+  def authenticate
+    return unless session[:session_token].present?
+
+    session_result = Aha::Auth.validate_session(
+      session[:session_token],
+      refresh_token: session[:refresh_token]
+    )
+
+    if session_result.valid?
+      if session_result.refreshed?
+        session[:session_token] = session_result.new_session_token
+        session[:refresh_token] = session_result.new_refresh_token
+      end
+
+      @current_user = User.find_by(id: session[:user_id])
+      Current.user = @current_user
+    else
+      clear_session
+      redirect_to login_path, alert: "Your session has expired. Please log in again."
+    end
+  rescue Aha::Auth::ApiError => e
+    Rails.logger.error "Session validation failed: #{e.message}"
+    clear_session
+    redirect_to login_path, alert: "Authentication error. Please log in again."
+  end
+
+  def current_user
+    @current_user ||= Current.user
+  end
+
+  def logged_in?
+    current_user.present?
+  end
+
+  def require_authentication
+    return if logged_in?
+
+    redirect_to login_path(return_to: request.fullpath), alert: "You must be logged in to access this page."
+  end
+
+  def clear_session
+    session.delete(:session_token)
+    session.delete(:refresh_token)
+    session.delete(:user_id)
+    @current_user = nil
+  end
+end

data/lib/generators/aha_builder_core/auth/templates/current.rb.tt

@@ -0,0 +1,3 @@
+class Current < ActiveSupport::CurrentAttributes
+  attribute :user
+end

data/lib/generators/aha_builder_core/auth/templates/migration.rb.tt

@@ -0,0 +1,21 @@
+class <%= migration_class_name %> < ActiveRecord::Migration[<%= ActiveRecord::Migration.current_version %>]
+  def change
+    create_table :users do |t|
+      t.string :auth_identifier, null: false
+      t.string :email, null: false
+      t.string :first_name
+      t.string :last_name
+      t.boolean :email_verified, default: false, null: false
+<% custom_attributes.each do |attribute| -%>
+<% unless attribute.virtual? -%>
+      t.<%= attribute.type %> :<%= attribute.name %><%= attribute.inject_options %>
+<% end -%>
+<% end -%>
+
+      t.timestamps
+    end
+
+    add_index :users, :auth_identifier, unique: true
+    add_index :users, :email, unique: true
+  end
+end

data/lib/generators/aha_builder_core/auth/templates/sessions_controller.rb.tt

@@ -0,0 +1,50 @@
+class SessionsController < ApplicationController
+  skip_before_action :authenticate, only: [ :new, :callback ]
+
+  def new
+    redirect_to Aha::Auth.login_url(
+      state: { return_to: params[:return_to] || root_path }.to_json,
+      session:
+    ), allow_other_host: true
+  end
+
+  def callback
+    if params[:code].present?
+      result = Aha::Auth.authenticate_with_code(code: params[:code], session:)
+
+      user = User.find_or_initialize_by(auth_identifier: result[:user]["id"])
+
+      user.update!(
+        email: result[:user]["email"],
+        first_name: result[:user]["first_name"],
+        last_name: result[:user]["last_name"],
+        email_verified: result[:user]["email_verified"]
+      )
+
+      session[:session_token] = result[:session_token]
+      session[:refresh_token] = result[:refresh_token]
+      session[:user_id] = user.id
+
+      state = JSON.parse(params[:state]) rescue {}
+      redirect_to state["return_to"] || root_path
+    else
+      redirect_to new_session_path, alert: "Authentication failed. Please try again."
+    end
+  rescue Aha::Auth::ApiError => e
+    Rails.logger.error "Authentication failed: #{e.message}"
+    redirect_to new_session_path, alert: "Authentication failed. Please try again."
+  end
+
+  def logout
+    if session[:session_token]
+      begin
+        Aha::Auth.logout(session_token: session[:session_token])
+      rescue => e
+        Rails.logger.error "Logout error: #{e.message}"
+      end
+    end
+
+    clear_session
+    redirect_to root_path, notice: "Successfully signed out."
+  end
+end

data/lib/generators/aha_builder_core/auth/templates/user.rb.tt

@@ -0,0 +1,8 @@
+class User < ApplicationRecord
+  validates :auth_identifier, presence: true, uniqueness: true
+  validates :email, presence: true, uniqueness: true, format: { with: URI::MailTo::EMAIL_REGEXP }
+
+  def name
+    "#{first_name} #{last_name}".strip.presence || email
+  end
+end

data/lib/generators/aha_builder_core/blob_storage/USAGE

@@ -0,0 +1,19 @@
+Description:
+    Configures Active Storage to use Aha blob storage service.
+
+    This generator sets up S3-compatible blob storage for file uploads
+    using environment variables provided by the container orchestrator.
+
+Example:
+    bin/rails generate aha_builder_core:blob_storage
+
+    This will:
+    - Run active_storage:install to create required migrations
+    - Add aws-sdk-s3 gem to Gemfile
+    - Update config/storage.yml with blob storage configuration
+    - Set config.active_storage.service = :blob in development.rb
+    - Set config.active_storage.service = :blob in production.rb
+
+Prerequisites:
+    The container must have blob storage attached via the SetupBlobStorageTool
+    which sets the required BLOB_UPLOADS_S3_* environment variables.

data/lib/generators/aha_builder_core/blob_storage/blob_storage_generator.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+
+module AhaBuilderCore
+  class BlobStorageGenerator < Rails::Generators::Base
+    source_root File.expand_path("templates", __dir__)
+
+    def install_active_storage
+      run "bin/rails active_storage:install"
+    end
+
+    def add_aws_sdk_gem
+      gem "aws-sdk-s3", require: false unless gem_exists?("aws-sdk-s3")
+    end
+
+    def update_storage_yml
+      template "storage.yml.tt", "config/storage.yml", force: true
+    end
+
+    def update_development_environment
+      gsub_file "config/environments/development.rb",
+        /config\.active_storage\.service\s*=\s*:\w+/,
+        "config.active_storage.service = :blob"
+    end
+
+    def update_production_environment
+      gsub_file "config/environments/production.rb",
+        /config\.active_storage\.service\s*=\s*:\w+/,
+        "config.active_storage.service = :blob"
+    end
+
+    def display_instructions
+      say "\nBlob storage configured!", :green
+    end
+
+    private
+
+    def gem_exists?(gem_name)
+      File.read("Gemfile").include?(gem_name)
+    end
+  end
+end

data/lib/generators/aha_builder_core/blob_storage/templates/storage.yml.tt

@@ -0,0 +1,16 @@
+test:
+  service: Disk
+  root: <%%= Rails.root.join("tmp/storage") %>
+
+local:
+  service: Disk
+  root: <%%= Rails.root.join("storage") %>
+
+blob:
+  service: S3
+  endpoint: <%%= ENV.fetch('BLOB_UPLOADS_S3_ENDPOINT') %>
+  access_key_id: <%%= ENV.fetch('BLOB_UPLOADS_S3_ACCESS_KEY_ID') %>
+  secret_access_key: <%%= ENV.fetch('BLOB_UPLOADS_S3_SECRET_ACCESS_KEY') %>
+  region: <%%= ENV.fetch('BLOB_UPLOADS_S3_REGION', 'us-east-1') %>
+  bucket: <%%= ENV.fetch('BLOB_UPLOADS_S3_BUCKET') %>
+  force_path_style: true

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aha_builder_core
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 1.0.5
 platform: ruby
 authors:
 - Aha! Labs Inc.
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-01-01 00:00:00.000000000 Z
+date: 2026-01-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -125,6 +125,16 @@ files:
 - lib/aha/auth/users_resource.rb
 - lib/aha/auth/version.rb
 - lib/aha_builder_core.rb
+- lib/generators/aha_builder_core/auth/USAGE
+- lib/generators/aha_builder_core/auth/auth_generator.rb
+- lib/generators/aha_builder_core/auth/templates/authentication.rb.tt
+- lib/generators/aha_builder_core/auth/templates/current.rb.tt
+- lib/generators/aha_builder_core/auth/templates/migration.rb.tt
+- lib/generators/aha_builder_core/auth/templates/sessions_controller.rb.tt
+- lib/generators/aha_builder_core/auth/templates/user.rb.tt
+- lib/generators/aha_builder_core/blob_storage/USAGE
+- lib/generators/aha_builder_core/blob_storage/blob_storage_generator.rb
+- lib/generators/aha_builder_core/blob_storage/templates/storage.yml.tt
 homepage: https://www.aha.io
 licenses:
 - MIT