api_authenticator 0.2.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 321edb7c0d50d3e4b73771824e994e2a049242e80ec36edf5e7ab97ea64fb8fd
+  data.tar.gz: b3f867b93a93fb9295c3cbe28b04d46ccf809b0099a1fd96cd9eac5b343ec8f8
+SHA512:
+  metadata.gz: 887bc481a0eac05ca8527d7fd7e9ee7a0890f8f1907f05ef43727a1d7af7d61968d48c6eb22e59a24ddfee841be12a9369b436d03a90bb49ac7102cd17b9e211
+  data.tar.gz: 4e1b13ca8e25a1b986ad13868802ae04da105be95baa2914fbd53af98c6e1f2552b89ab2c85dcf15ae034dde5b25cf84921b3ea7084b1ce51905ad69fecfcb3e

data/.gitignore

@@ -0,0 +1,22 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/.travis.yml

@@ -0,0 +1,8 @@
+nguage: ruby
+rvm:
+  - 1.9.3
+  - 2.0.0
+  - 2.1.0
+  - 2.1.1
+  - 2.1.5
+  - jruby-19mode

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in api_authenticator.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Austin Fonacier
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,123 @@
+# ApiAuthenticator
+
+[![Code Climate](https://codeclimate.com/github/Spokeo/api_authenticator/badges/gpa.svg)](https://codeclimate.com/github/Spokeo/api_authenticator)
+[![Build Status](https://travis-ci.org/Spokeo/api_authenticator.svg)](https://travis-ci.org/Spokeo/api_authenticator)
+
+This gem will authenticate API requests using a slightly modified version HMAC-SHA1
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'api_authenticator'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install api_authenticator
+
+## Authentication
+
+This gem assumes headers being pass into the request.
+The two headers are:
+ - API-Time
+ - API-Token
+
+### API-Time
+The API-Time is a String UTC representation of the current time of request.
+
+For example:
+
+```ruby
+=> "2014-10-16 18:55:48 UTC"
+```
+
+### API-Token
+The token passed in is a SHA256 of the time AND the request URL.  The shared_secret_key is used as the encyrption key.
+
+```ruby
+digest = OpenSSL::Digest.new('sha256')
+
+env['API-Token'] = OpenSSL::HMAC.hexdigest(digest, shared_secret_key, "#{DateTime.now.new_offset(0)}#{request.original_url}")
+```
+
+
+## Configuration
+
+```ruby
+ApiAuthenticator.configure do |config|
+  config.shared_secret_keys = ["my_shared_token", "my_shared_token2"]
+  config.time_threshold = 2.hours
+  config.logger = Rails.logger
+  config.report_unauthenticated_requests = true
+end
+```
+
+ - shared_secret_keys: An Array of approved shared secret keys between the client and the server.
+ - time_threshold: The time threshold to allow requests.  So for example the entry above will only allow requests from 2 hours before now and 2 hours in the future.
+ - logger: Your logger
+ - report_unauthenticated_requests: will throw some basic information into your logger.warn.
+
+## Usage
+ There is a before_filter that is included in the gem.  If not authenticated it will automatically render a status 401.
+
+```ruby
+class ApiController
+  include ApiAuthenticator
+
+  before_filter :api_authenticator
+end
+```
+
+Or you can use it without the before_filter.
+Note here is that right now, if the request is not authenticated the gem with throw an exception.  All exceptions inherit from ApiAuthentiactor::BaseError
+
+```ruby
+class ApiController
+  def people
+    # Takes a Rails request object
+    begin
+      ApiAuthentiactor.authenticated_request?(request)
+    rescue ApiAuthenticator::InvalidTimeError => e
+      logger.error(e)
+    rescue ApiAuthenticator::InvalidTokenError => e
+      logger.error(e)
+    end
+  end
+end
+```
+
+
+## TODO:
+- Set time intervals instead of explicity passing in the time.
+
+## Running The Specs
+
+Just run rake:
+```
+rake
+```
+
+## Upggrading from 0.1.0 to 0.2.0
+
+The big change here is ApiAuthenticator now takes a list of shared secret keys.  So where there was
+```ruby
+ApiAuthenticator.shared_secret_key = 'key1'
+```
+
+it now takes an array
+
+```ruby
+ApiAuthenticator.shared_secret_keys = ['key1', 'key2']
+```
+
+## Contributing
+
+1. Fork it ( https://github.com/[my-github-username]/api_authenticator/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,7 @@
+require "bundler/gem_tasks"
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new('spec')
+task :default => :spec
+task :test => :spec
+

data/api_authenticator.gemspec

@@ -0,0 +1,25 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'api_authenticator/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "api_authenticator"
+  spec.version       = ApiAuthenticator::VERSION
+  spec.authors       = ["Austin Fonacier"]
+  spec.email         = ["austinrf@gmail.com"]
+  spec.summary       = "This gem will authenticate API requests using a modified HMAC-SHA1"
+  spec.description   = "This gem will authenticate API requests using a modified HMAC-SHA1"
+  spec.homepage      = "https://github.com/Spokeo/api_authenticator"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency 'rspec', '~> 3.3.0'
+  spec.add_dependency "activesupport"
+end

data/lib/api_authenticator.rb

@@ -0,0 +1,10 @@
+require 'logger'
+require 'api_authenticator/configuration'
+require 'api_authenticator/errors'
+require 'api_authenticator/authenticated_request'
+require 'api_authenticator/api_authenticator' if defined?(ActiveSupport)
+require "api_authenticator/version"
+
+module ApiAuthenticator
+  # Your code goes here...
+end

data/lib/api_authenticator/api_authenticator.rb

@@ -0,0 +1,25 @@
+require 'active_support'
+require 'active_support/concern'
+require 'digest'
+
+module ApiAuthenticator
+  extend ActiveSupport::Concern
+
+  # Before filter
+  def api_authenticator
+    begin
+      ApiAuthenticator.authenticated_request?(request)
+    rescue BaseError => e
+      report_unauthenticated_requests(e)
+      render( status: 401, nothing: true ) and return false
+    end
+  end
+
+  protected
+
+  # TODO: more stuff in here
+  def report_unauthenticated_requests(e)
+    ApiAuthenticator.logger.warn("failed request #{e.constructed_message}")
+  end
+
+end

data/lib/api_authenticator/authenticated_request.rb

@@ -0,0 +1,48 @@
+require 'openssl'
+require 'active_support/security_utils' if defined?(ActiveSupport)
+
+module ApiAuthenticator
+  # authenticated_request?
+  #
+  # Returns: True or False
+  def self.authenticated_request?(request)
+    time = nil
+    token = request.headers['API-Token']
+    begin
+      time = DateTime.parse(request.headers['API-Time'])
+    rescue ArgumentError, TypeError
+    end
+    valid_api_time?(time)
+    valid_api_token?(request.original_url, time, token)
+  end
+
+  protected
+
+  def self.valid_api_time?(time)
+    return false if time.nil?
+    utc_now = DateTime.now.new_offset(0)
+
+    lower_threshold = utc_now - time_threshold
+    upper_threshold = utc_now + time_threshold
+
+    if time < lower_threshold || time > upper_threshold
+      raise InvalidTimeError.new(upper_threshold, lower_threshold, time)
+    end
+  end
+
+  def self.valid_api_token?(request_url, time, token)
+    digest = OpenSSL::Digest.new('sha256')
+    keys_and_tokens = []
+    shared_secret_keys.each do |secret_key|
+      expected_token = OpenSSL::HMAC.hexdigest(digest, secret_key, "#{time}#{request_url}")
+      if defined?(ActiveSupport)
+         return true if ActiveSupport::SecurityUtils.secure_compare(expected_token, token)
+      else
+        return true if expected_token == token
+      end
+      keys_and_tokens << [secret_key, token, expected_token]
+    end
+
+    raise InvalidTokenError.new(time, keys_and_tokens)
+  end
+end

data/lib/api_authenticator/configuration.rb

@@ -0,0 +1,35 @@
+module ApiAuthenticator
+  @@logger = nil
+
+  def self.configure
+    yield self
+  end
+
+  def self.shared_secret_keys=(shared_secret_keys)
+    @@shared_secret_keys = shared_secret_keys
+  end
+
+  def self.shared_secret_keys
+    @@shared_secret_keys
+  end
+
+  def self.time_threshold=(time_threshold)
+    @@time_threshold = time_threshold
+  end
+
+  def self.time_threshold
+    @@time_threshold
+  end
+
+  def self.report_unauthenticated_requests=(report)
+    @@report_unauthenticated_requests = report || false
+  end
+
+  def self.logger=(logger)
+    @@logger = logger || Logger.new($stdout)
+  end
+
+  def self.logger
+    @@logger || Logger.new($stdout)
+  end
+end

data/lib/api_authenticator/errors.rb

@@ -0,0 +1,36 @@
+module ApiAuthenticator
+  class BaseError < StandardError
+  end
+
+  class InvalidTimeError < BaseError
+    attr_reader :upper_threshold, :lower_threshold, :actual_time
+
+    def initialize(upper_threshold, lower_threshold, actual_time)
+      @upper_threshold = upper_threshold
+      @lower_threshold = lower_threshold
+      @actual_time = actual_time
+    end
+
+    def constructed_message
+      "Invalid Time Error: upper threshold: #{@upper_threshold} lower threshold: #{@lower_threshold} actual time: #{@actual_time}"
+    end
+  end
+
+  class InvalidTokenError < BaseError
+    attr_reader :time, :keys_and_tokens
+
+    def initialize(time, keys_and_tokens)
+      @time = time
+      @keys_and_tokens = keys_and_tokens
+    end
+
+
+    def constructed_message
+      message = ""
+      @keys_and_tokens.each do |key_and_token|
+        message << "Invalid Token Error Time: #{@time} Shared Key: #{key_and_token[0]} expected token: #{key_and_token[2]} actual token: #{key_and_token[1]}"
+      end
+      message
+    end
+  end
+end

data/lib/api_authenticator/version.rb

@@ -0,0 +1,3 @@
+module ApiAuthenticator
+  VERSION = "0.2.1"
+end

data/spec/api_authenticator_spec.rb

@@ -0,0 +1,73 @@
+require 'spec_helper'
+require 'openssl'
+
+describe 'ApiAuthenticator' do
+  let :shared_key do
+    'asdf'
+  end
+
+  let :shared_key2 do
+    'fork123'
+  end
+
+  let :api_token do
+    digest = OpenSSL::Digest.new('sha256')
+    OpenSSL::HMAC.hexdigest(digest, shared_key, "#{DateTime.now.new_offset(0)}http://www.austinrocks.com/asdf")
+  end
+
+  let :valid_request do
+    time = DateTime.now.utc
+    double(:request, original_url: "http://www.austinrocks.com/asdf", headers: {"API-Time" => time.to_s, "API-Token" => api_token})
+  end
+
+  let :api_token2 do
+    digest = OpenSSL::Digest.new('sha256')
+    OpenSSL::HMAC.hexdigest(digest, shared_key2, "#{DateTime.now.new_offset(0)}http://www.austinrocks.com/asdf")
+  end
+
+  let :valid_request_shared_key2 do
+    time = DateTime.now.utc
+    double(:request, original_url: "http://www.austinrocks.com/asdf", headers: {"API-Time" => time.to_s, "API-Token" => api_token})
+  end
+
+  let :bad_time_request do
+    time = 6.years.from_now
+    double(:request, original_url: "http://www.austinrocks.com/asdf", headers: {"API-Time" => time.to_s, "API-Token" => api_token})
+  end
+
+  let :bad_token_request do
+    time = Time.now.utc
+    double(:request, original_url: "http://www.austinrocks.com/asdf", headers: {"API-Time" => time.to_s, "API-Token" => "AUSTIN LIVES IN YO TESTS"})
+  end
+
+  context "authenticated_request?" do
+    before :each do
+      ApiAuthenticator.configure do |config|
+        config.time_threshold = 2.hours
+        config.shared_secret_keys = [shared_key, shared_key2]
+      end
+    end
+
+    context 'valid_request' do
+      it "should not throw an exception" do
+        expect{ApiAuthenticator.authenticated_request?(valid_request)}.to_not raise_error
+      end
+
+      it "should not throw an exception with shared_key2" do
+        expect{ApiAuthenticator.authenticated_request?(valid_request_shared_key2)}.to_not raise_error
+      end
+    end
+
+    context 'invalid time' do
+      it "should raise InvalidTimeError" do
+        expect{ApiAuthenticator.authenticated_request?(bad_time_request)}.to raise_error(ApiAuthenticator::InvalidTimeError)
+      end
+    end
+
+    context 'bad api token' do
+      it "should raise InvalidTokenError" do
+        expect{ApiAuthenticator.authenticated_request?(bad_token_request)}.to raise_error(ApiAuthenticator::InvalidTokenError)
+      end
+    end
+  end
+end

data/spec/authenticator_concern_spec.rb

@@ -0,0 +1,69 @@
+require 'spec_helper'
+
+class TesterTemper
+  include ApiAuthenticator
+
+  attr_reader :request
+
+  def initialize(request)
+    @request = request
+  end
+end
+
+describe "ApiAuthenticator Concern" do
+  before :each do
+    ApiAuthenticator.configure do |config|
+      config.time_threshold = 2.hours
+      config.shared_secret_keys = [shared_key]
+    end
+  end
+
+  let :shared_key do
+    'asdf'
+  end
+
+  let :bad_time_request do
+    time = 6.years.from_now
+    double(:request, original_url: "http://www.austinrocks.com/asdf", headers: {"API-Time" => time.to_s, "API-Token" => Digest::SHA1.hexdigest("#{time}#{shared_key}")})
+  end
+
+  let :bad_token_request do
+    time = Time.now.utc
+    double(:request, original_url: "http://www.austinrocks.com/asdf", headers: {"API-Time" => time.to_s, "API-Token" => "AUSTIN LIVES IN YO TESTS"})
+  end
+  let :api_token do
+    digest = OpenSSL::Digest.new('sha256')
+    OpenSSL::HMAC.hexdigest(digest, shared_key, "#{DateTime.now.new_offset(0)}http://www.austinrocks.com/asdf")
+  end
+
+  let :valid_request do
+    time = DateTime.now.utc
+    double(:request, original_url: "http://www.austinrocks.com/asdf", headers: {"API-Time" => time.to_s, "API-Token" => api_token})
+  end
+
+  describe "api_authenticator" do
+    context 'successful requests' do
+      it "should not return false if authenticated_request" do
+        temp_class = TesterTemper.new(valid_request)
+        # expect(temp_class).to receive(:render) { }
+        expect(temp_class.api_authenticator).to be_truthy
+      end
+    end
+
+    context 'invalid token requests' do
+      it "should return false and render" do
+        temp_class = TesterTemper.new(bad_token_request)
+        expect(temp_class).to receive(:render) { }
+        expect(temp_class.api_authenticator).to be_falsey
+      end
+    end
+
+    context 'invalid time requests' do
+      it "should return false and render" do
+        temp_class = TesterTemper.new(bad_time_request)
+        expect(temp_class).to receive(:render) { }
+        expect(temp_class.api_authenticator).to be_falsey
+      end
+    end
+  end
+end

data/spec/errors_spec.rb

@@ -0,0 +1,17 @@
+require 'spec_helper'
+require 'active_support/core_ext'
+
+describe 'ApiAuthenticator::Errors' do
+  describe "InvalidTokenError" do
+    it "should have a constructed_message" do
+      error = ApiAuthenticator::InvalidTokenError.new(DateTime.now.utc, [[DateTime.now.utc, 'foobar', 'yolo']])
+      expect(error.constructed_message).to match(/Invalid\sToken\sError/)
+    end
+  end
+  describe "InvalidTimeError" do
+    it "should have a constructed_message" do
+      error = ApiAuthenticator::InvalidTimeError.new(DateTime.now.utc, DateTime.now.utc, DateTime.now.utc)
+      expect(error.constructed_message).to match(/Invalid\sTime\sError/)
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,8 @@
+require 'active_support'
+require 'active_support/core_ext'
+require 'api_authenticator'
+require 'digest'
+
+RSpec.configure do |config|
+end
+

metadata

@@ -0,0 +1,121 @@
+--- !ruby/object:Gem::Specification
+name: api_authenticator
+version: !ruby/object:Gem::Version
+  version: 0.2.1
+platform: ruby
+authors:
+- Austin Fonacier
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-07-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.3.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.3.0
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: This gem will authenticate API requests using a modified HMAC-SHA1
+email:
+- austinrf@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- api_authenticator.gemspec
+- lib/api_authenticator.rb
+- lib/api_authenticator/api_authenticator.rb
+- lib/api_authenticator/authenticated_request.rb
+- lib/api_authenticator/configuration.rb
+- lib/api_authenticator/errors.rb
+- lib/api_authenticator/version.rb
+- spec/api_authenticator_spec.rb
+- spec/authenticator_concern_spec.rb
+- spec/errors_spec.rb
+- spec/spec_helper.rb
+homepage: https://github.com/Spokeo/api_authenticator
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.3
+signing_key: 
+specification_version: 4
+summary: This gem will authenticate API requests using a modified HMAC-SHA1
+test_files:
+- spec/api_authenticator_spec.rb
+- spec/authenticator_concern_spec.rb
+- spec/errors_spec.rb
+- spec/spec_helper.rb