api_guard_grape 0.5.1

data/Rakefile

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'ApiGuard'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+load 'rails/tasks/statistics.rake'
+
+require 'bundler/gem_tasks'

data/app/controllers/api_guard/application_controller.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module ApiGuard
+  class ApplicationController < ActionController::Base
+    skip_before_action :verify_authenticity_token, raise: false
+
+    def authenticate_resource
+      public_send("authenticate_and_set_#{resource_name}")
+    end
+  end
+end

data/app/controllers/api_guard/authentication_controller.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require_dependency 'api_guard/application_controller'
+
+module ApiGuard
+  class AuthenticationController < ApplicationController
+    before_action :find_resource, only: [:create]
+    before_action :authenticate_resource, only: [:destroy]
+
+    def create
+      if resource.authenticate(params[:password])
+        create_token_and_set_header(resource, resource_name)
+        render_success(message: I18n.t('api_guard.authentication.signed_in'))
+      else
+        render_error(422, message: I18n.t('api_guard.authentication.invalid_login_credentials'))
+      end
+    end
+
+    def destroy
+      blacklist_token
+      render_success(message: I18n.t('api_guard.authentication.signed_out'))
+    end
+
+    private
+
+    def find_resource
+      self.resource = resource_class.find_by(email: params[:email].downcase.strip) if params[:email].present?
+      render_error(422, message: I18n.t('api_guard.authentication.invalid_login_credentials')) unless resource
+    end
+  end
+end

data/app/controllers/api_guard/passwords_controller.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require_dependency 'api_guard/application_controller'
+
+module ApiGuard
+  class PasswordsController < ApplicationController
+    before_action :authenticate_resource, only: [:update]
+
+    def update
+      invalidate_old_jwt_tokens(current_resource)
+
+      if current_resource.update(password_params)
+        blacklist_token unless ApiGuard.invalidate_old_tokens_on_password_change
+        destroy_all_refresh_tokens(current_resource)
+
+        create_token_and_set_header(current_resource, resource_name)
+        render_success(message: I18n.t('api_guard.password.changed'))
+      else
+        render_error(422, object: current_resource)
+      end
+    end
+
+    private
+
+    def password_params
+      params.permit(:password, :password_confirmation)
+    end
+  end
+end

data/app/controllers/api_guard/registration_controller.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_dependency 'api_guard/application_controller'
+
+module ApiGuard
+  class RegistrationController < ApplicationController
+    before_action :authenticate_resource, only: [:destroy]
+
+    def create
+      init_resource(sign_up_params)
+      if resource.save
+        create_token_and_set_header(resource, resource_name)
+        render_success(message: I18n.t('api_guard.registration.signed_up'))
+      else
+        render_error(422, object: resource)
+      end
+    end
+
+    def destroy
+      current_resource.destroy
+      render_success(message: I18n.t('api_guard.registration.account_deleted'))
+    end
+
+    private
+
+    def sign_up_params
+      params.permit(:email, :password, :password_confirmation)
+    end
+  end
+end

data/app/controllers/api_guard/tokens_controller.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require_dependency 'api_guard/application_controller'
+
+module ApiGuard
+  class TokensController < ApplicationController
+    before_action :authenticate_resource, only: [:create]
+    before_action :find_refresh_token, only: [:create]
+
+    def create
+      create_token_and_set_header(current_resource, resource_name)
+
+      @refresh_token.destroy
+      blacklist_token if ApiGuard.blacklist_token_after_refreshing
+
+      render_success(message: I18n.t('api_guard.access_token.refreshed'))
+    end
+
+    private
+
+    def find_refresh_token
+      refresh_token_from_header = request.headers['Refresh-Token']
+
+      if refresh_token_from_header
+        @refresh_token = find_refresh_token_of(current_resource, refresh_token_from_header)
+        return render_error(401, message: I18n.t('api_guard.refresh_token.invalid')) unless @refresh_token
+      else
+        render_error(401, message: I18n.t('api_guard.refresh_token.missing'))
+      end
+    end
+  end
+end

data/config/locales/en.yml

@@ -0,0 +1,22 @@
+en:
+  api_guard:
+    authentication:
+      signed_in: 'Signed in successfully'
+      signed_out: 'Signed out successfully'
+      invalid_login_credentials: 'Invalid login credentials'
+    password:
+      changed: 'Password changed successfully'
+    registration:
+      signed_up: 'Signed up successfully'
+      account_deleted: 'Account deleted successfully'
+    access_token:
+      refreshed: 'Token refreshed successfully'
+      missing: 'Access token is missing in the request'
+      invalid: 'Invalid access token'
+      expired: 'Access token expired'
+    refresh_token:
+      invalid: 'Invalid refresh token'
+      missing: 'Refresh token is missing in the request'
+    response:
+      success: 'success'
+      error: 'error'

data/config/routes.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+ApiGuard::Engine.routes.draw do
+  # Can't see anything here?
+  # Goto 'lib/api_guard/route_mapper.rb'
+end

data/lib/api_guard.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'api_guard/engine'
+require 'api_guard/route_mapper'
+require 'api_guard/modules'
+
+module ApiGuard
+  autoload :AppSecretKey, 'api_guard/app_secret_key'
+
+  module Test
+    autoload :ControllerHelper, 'api_guard/test/controller_helper'
+  end
+
+  mattr_accessor :token_validity
+  self.token_validity = 1.day
+
+  mattr_accessor :token_signing_secret
+  self.token_signing_secret = nil
+
+  mattr_accessor :invalidate_old_tokens_on_password_change
+  self.invalidate_old_tokens_on_password_change = false
+
+  mattr_accessor :blacklist_token_after_refreshing
+  self.blacklist_token_after_refreshing = false
+
+  mattr_accessor :api_guard_associations
+  self.api_guard_associations = {}
+
+  mattr_reader :mapped_resource do
+    {}
+  end
+
+  def self.setup
+    yield self
+  end
+
+  def self.map_resource(routes_for, class_name)
+    mapped_resource[routes_for.to_sym] = ApiGuard::ResourceMapper.new(routes_for, class_name)
+  end
+end

data/lib/api_guard/app_secret_key.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module ApiGuard
+  class AppSecretKey
+    def initialize(application)
+      @application = application
+    end
+
+    def detect
+      secret_key_base(:credentials) || secret_key_base(:secrets) ||
+        secret_key_base(:config) || secret_key_base
+    end
+
+    private
+
+    def secret_key_base(source = nil)
+      return @application.secret_key_base unless source
+
+      @application.send(source).secret_key_base.presence if @application.respond_to?(source)
+    end
+  end
+end

data/lib/api_guard/engine.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module ApiGuard
+  class Engine < ::Rails::Engine
+    isolate_namespace ApiGuard
+
+    config.generators do |g|
+      g.test_framework :rspec
+      g.fixture_replacement :factory_girl, dir: 'spec/factories'
+    end
+
+    # Use 'secret_key_base' from Rails secrets if 'token_signing_secret' is not configured
+    initializer 'ApiGuard.token_signing_secret' do |app|
+      ApiGuard.token_signing_secret ||= ApiGuard::AppSecretKey.new(app).detect
+    end
+  end
+end

data/lib/api_guard/jwt_auth/authentication.rb

@@ -0,0 +1,98 @@
+# frozen_string_literal: true
+
+module ApiGuard
+  module JwtAuth
+    # Common module for API authentication
+    module Authentication
+      # Handle authentication of the resource dynamically
+      def method_missing(name, *args)
+        method_name = name.to_s
+
+        if method_name.start_with?('authenticate_and_set_')
+          resource_name = method_name.split('authenticate_and_set_')[1]
+          authenticate_and_set_resource(resource_name)
+        else
+          super
+        end
+      end
+
+      def respond_to_missing?(method_name, include_private = false)
+        method_name.to_s.start_with?('authenticate_and_set_') || super
+      end
+
+      # Authenticate the JWT token and set resource
+      def authenticate_and_set_resource(resource_name)
+        @resource_name = resource_name
+
+        @token = request.headers['Authorization']&.split('Bearer ')&.last
+        return render_error(401, message: I18n.t('api_guard.access_token.missing')) unless @token
+
+        authenticate_token
+
+        # Render error response only if no resource found and no previous render happened
+        render_error(401, message: I18n.t('api_guard.access_token.invalid')) if !current_resource && !performed?
+      rescue JWT::DecodeError => e
+        if e.message == 'Signature has expired'
+          render_error(401, message: I18n.t('api_guard.access_token.expired'))
+        else
+          render_error(401, message: I18n.t('api_guard.access_token.invalid'))
+        end
+      end
+
+      # Decode the JWT token
+      # and don't verify token expiry for refresh token API request
+      def decode_token
+        # TODO: Set token refresh controller dynamic
+        verify_token = (controller_name != 'tokens' || action_name != 'create')
+        @decoded_token = decode(@token, verify_token)
+      end
+
+      # Returns whether the JWT token is issued after the last password change
+      # Returns true if password hasn't changed by the user
+      def valid_issued_at?(resource)
+        return true unless ApiGuard.invalidate_old_tokens_on_password_change
+
+        !resource.token_issued_at || @decoded_token[:iat] >= resource.token_issued_at.to_i
+      end
+
+      # Defines "current_{{resource_name}}" method and "@current_{{resource_name}}" instance variable
+      # that returns "resource" value
+      def define_current_resource_accessors(resource)
+        define_singleton_method("current_#{@resource_name}") do
+          instance_variable_get("@current_#{@resource_name}") ||
+            instance_variable_set("@current_#{@resource_name}", resource)
+        end
+      end
+
+      # Authenticate the resource with the '{{resource_name}}_id' in the decoded JWT token
+      # and also, check for valid issued at time and not blacklisted
+      #
+      # Also, set "current_{{resource_name}}" method and "@current_{{resource_name}}" instance variable
+      # for accessing the authenticated resource
+      def authenticate_token
+        return unless decode_token
+
+        resource = find_resource_from_token(@resource_name.classify.constantize)
+
+        if resource && valid_issued_at?(resource) && !blacklisted?(resource)
+          define_current_resource_accessors(resource)
+        else
+          render_error(401, message: I18n.t('api_guard.access_token.invalid'))
+        end
+      end
+
+      def find_resource_from_token(resource_class)
+        resource_id = @decoded_token[:"#{@resource_name}_id"]
+        return if resource_id.blank?
+
+        resource_class.find_by(id: resource_id)
+      end
+
+      def current_resource
+        return unless respond_to?("current_#{@resource_name}")
+
+        public_send("current_#{@resource_name}")
+      end
+    end
+  end
+end

data/lib/api_guard/jwt_auth/blacklist_token.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module ApiGuard
+  module JwtAuth
+    # Common module for token blacklisting functionality
+    module BlacklistToken
+      def blacklisted_token_association(resource)
+        resource.class.blacklisted_token_association
+      end
+
+      def token_blacklisting_enabled?(resource)
+        blacklisted_token_association(resource).present?
+      end
+
+      def blacklisted_tokens_for(resource)
+        blacklisted_token_association = blacklisted_token_association(resource)
+        resource.send(blacklisted_token_association)
+      end
+
+      # Returns whether the JWT token is blacklisted or not
+      def blacklisted?(resource)
+        return false unless token_blacklisting_enabled?(resource)
+
+        blacklisted_tokens_for(resource).exists?(token: @token)
+      end
+
+      # Blacklist the current JWT token from future access
+      def blacklist_token
+        return unless token_blacklisting_enabled?(current_resource)
+
+        blacklisted_tokens_for(current_resource).create(token: @token, expire_at: Time.at(@decoded_token[:exp]).utc)
+      end
+    end
+  end
+end

data/lib/api_guard/jwt_auth/json_web_token.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+require 'jwt'
+
+module ApiGuard
+  module JwtAuth
+    # Common module for JWT operations
+    module JsonWebToken
+      def current_time
+        @current_time ||= Time.now.utc
+      end
+
+      def token_expire_at
+        @token_expire_at ||= (current_time + ApiGuard.token_validity).to_i
+      end
+
+      def token_issued_at
+        @token_issued_at ||= current_time.to_i
+      end
+
+      # Encode the payload with the secret key and return the JWT token
+      def encode(payload)
+        JWT.encode(payload, ApiGuard.token_signing_secret)
+      end
+
+      # Decode the JWT token and return the payload
+      def decode(token, verify = true)
+        HashWithIndifferentAccess.new(
+          JWT.decode(token, ApiGuard.token_signing_secret, verify, verify_iat: true)[0]
+        )
+      end
+
+      # Create a JWT token with resource detail in payload.
+      # Also, create refresh token if enabled for the resource.
+      #
+      # This creates expired JWT token if the argument 'expired_token' is true which can be used for testing.
+      def jwt_and_refresh_token(resource, resource_name, expired_token = false)
+        payload = {
+          "#{resource_name}_id": resource.id,
+          exp: expired_token ? token_issued_at : token_expire_at,
+          iat: token_issued_at
+        }
+
+        # Add custom data in the JWT token payload
+        payload.merge!(resource.jwt_token_payload) if resource.respond_to?(:jwt_token_payload)
+
+        [encode(payload), new_refresh_token(resource)]
+      end
+
+      # Create tokens and set response headers
+      def create_token_and_set_header(resource, resource_name)
+        access_token, refresh_token = jwt_and_refresh_token(resource, resource_name)
+        set_token_headers(access_token, refresh_token)
+      end
+
+      # Set token details in response headers
+      def set_token_headers(token, refresh_token = nil)
+        response.headers['Access-Token'] = token
+        response.headers['Refresh-Token'] = refresh_token if refresh_token
+        response.headers['Expire-At'] = token_expire_at.to_s
+      end
+
+      # Set token issued at to current timestamp
+      # to restrict access to old access(JWT) tokens
+      def invalidate_old_jwt_tokens(resource)
+        return unless ApiGuard.invalidate_old_tokens_on_password_change
+
+        resource.token_issued_at = Time.at(token_issued_at).utc
+      end
+    end
+  end
+end