api_guardian 0.1.0.pre

data/lib/api_guardian/concerns/api_errors/handler.rb

@@ -0,0 +1,145 @@
+require 'active_support/concern'
+
+# TODO: Break this into further modules to decrease complexity
+
+module ApiGuardian
+  module Concerns
+    module ApiErrors
+      module Handler
+        extend ActiveSupport::Concern
+        include ApiErrors::Renderer
+
+        included do
+          def api_error_handler(exception)
+            if exception.is_a? Pundit::NotAuthorizedError
+              user_not_authorized
+            elsif exception.is_a? ActionController::ParameterMissing
+              malformed_request(exception)
+            elsif exception.is_a? ActiveRecord::RecordInvalid
+              record_invalid(exception)
+            elsif exception.is_a? ActiveRecord::RecordNotFound
+              render_not_found
+            elsif exception.is_a? ApiGuardian::Errors::InvalidContentTypeError
+              invalid_content_type
+            elsif exception.is_a? ApiGuardian::Errors::InvalidRequestBodyError
+              invalid_request_body(exception)
+            elsif exception.is_a? ApiGuardian::Errors::InvalidRequestResourceTypeError
+              invalid_request_resource_type(exception)
+            elsif exception.is_a? ApiGuardian::Errors::InvalidRequestResourceIdError
+              invalid_request_resource_id(exception)
+            elsif exception.is_a? ApiGuardian::Errors::InvalidUpdateActionError
+              invalid_update_action
+            elsif exception.is_a? ApiGuardian::Errors::ResetTokenUserMismatchError
+              reset_token_mismatch
+            elsif exception.is_a? ApiGuardian::Errors::ResetTokenExpiredError
+              reset_token_expired
+            else
+              generic_error_handler(exception)
+            end
+          end
+
+          def doorkeeper_unauthorized_render_options(_)
+            error = construct_error(
+              401, 'not_authenticated', 'Not Authenticated',
+              'You must be logged in.'
+            )
+            { json: { errors: [error] } }
+          end
+
+          protected
+
+          def user_not_authorized
+            render_error(
+              403, 'not_authorized', 'Not Authorized',
+              'You are not authorized to perform this action.'
+            )
+          end
+
+          def malformed_request(exception)
+            render_error(
+              400, 'malformed_request', 'Malformed Request',
+              exception.message
+            )
+          end
+
+          def record_invalid(exception)
+            formatted_errors = []
+            used_fields = []
+            record = exception.record
+            record.errors.each do |error|
+              next if used_fields.include? error.to_s
+              formatted_error = {
+                field: error.to_s,
+                detail: record.errors[error][0]
+              }
+              formatted_errors.push formatted_error
+              used_fields.push error.to_s
+            end
+            formatted_errors = formatted_errors.sort_by { |k| k[:field] }
+            render_error(422, 'unprocessable_entity', 'Unprocessable Entity', formatted_errors)
+          end
+
+          def render_not_found
+            render_error(
+              404, 'not_found', 'Not Found', 'Resource or endpoint missing: ' +
+              request.original_url
+            )
+          end
+
+          def generic_error_handler(exception)
+            render_error(500, nil, nil, nil, exception)
+          end
+
+          def invalid_content_type
+            render_error(
+              415, 'invalid_content_type', 'Invalid Content Type',
+              'Supported content types are: application/vnd.api+json'
+            )
+          end
+
+          def invalid_request_body(exception)
+            render_error(
+              400, 'invalid_request_body', 'Invalid Request Body',
+              "The '#{exception.message}' property is required."
+            )
+          end
+
+          def invalid_request_resource_type(exception)
+            render_error(
+              400, 'invalid_request_resource_type', 'Invalid Request Resource Type',
+              "Expected 'type' property to be '#{exception.message}' for this resource."
+            )
+          end
+
+          def invalid_request_resource_id(exception)
+            render_error(
+              400, 'invalid_request_resource_id', 'Invalid Request Resource ID',
+              "Request 'id' property does not match 'id' of URI. Provided: #{exception.message}, Expected: #{params[:id]}"
+            )
+          end
+
+          def invalid_update_action
+            render_error(
+              405, 'method_not_allowed', 'Method Not Allowed',
+              'Resource update action expects PATCH method.'
+            )
+          end
+
+          def reset_token_mismatch
+            render_error(
+              403, 'reset_token_mismatch', 'Reset Token Mismatch',
+              'Reset token is not valid for the supplied email address.'
+            )
+          end
+
+          def reset_token_expired
+            render_error(
+              403, 'reset_token_expired', 'Reset Token Expired',
+              'This reset token has expired. Tokens are valid for 24 hours.'
+            )
+          end
+        end
+      end
+    end
+  end
+end

data/lib/api_guardian/concerns/api_errors/renderer.rb

@@ -0,0 +1,45 @@
+require 'active_support/concern'
+
+module ApiGuardian
+  module Concerns
+    module ApiErrors
+      module Renderer
+        extend ActiveSupport::Concern
+
+        included do
+          def render_error(status, code, title, detail, exception = nil)
+            error = construct_error status, code, title, detail
+            if Rails.env.production?
+              render json: { errors: [error] }, status: status
+            else
+              if exception
+                render json: { errors: [error], exception: exception.class.name,
+                               message: exception.message, trace: exception.backtrace[0, 10] },
+                       status: status
+              else
+                render json: { errors: [error] }, status: status
+              end
+            end
+          end
+
+          protected
+
+          def construct_error(status, code, title, detail)
+            # TODO: Create error log here
+            {
+              id: SecureRandom.uuid,
+              code: code || 'unknown',
+              status: status.to_s || '500',
+              title: title || 'Unknown',
+              detail: detail || 'An unknown error has occurred and has been logged.'
+            }
+          end
+
+          def render(**_)
+            return super if defined?(super)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/api_guardian/concerns/api_request/validator.rb

@@ -0,0 +1,66 @@
+require 'active_support/concern'
+
+module ApiGuardian
+  module Concerns
+    module ApiRequest
+      module Validator
+        extend ActiveSupport::Concern
+
+        included do
+          def validate_api_request
+            validate_content_type
+
+            # Make sure we conform to json-api request spec
+            case request.method
+            when 'POST'
+              validate_post_request
+            when 'PATCH'
+              validate_patch_request
+            end
+
+            if action_name == 'update' && request.method != 'PATCH'
+              fail ApiGuardian::Errors::InvalidUpdateActionError, request.method
+            end
+          end
+
+          protected
+
+          def validate_content_type
+            if request.body.read != '' && request.headers['Content-Type'] != 'application/vnd.api+json'
+              fail ApiGuardian::Errors::InvalidContentTypeError, "Invalid content type #{request.headers['Content-Type']}"
+            end
+          end
+
+          def validate_post_request
+            validate_request_type
+          end
+
+          def validate_patch_request
+            validate_request_id
+            validate_request_type
+          end
+
+          def validate_request_id
+            top_params = params.fetch(:data)
+            fail ApiGuardian::Errors::InvalidRequestBodyError, 'id' unless top_params.fetch(:id, nil)
+
+            expected_request_id = params[:id]
+            request_id = top_params.fetch(:id, nil)
+
+            fail ApiGuardian::Errors::InvalidRequestResourceIdError, request_id unless request_id == expected_request_id
+          end
+
+          def validate_request_type
+            top_params = params.fetch(:data)
+            fail ApiGuardian::Errors::InvalidRequestBodyError, 'type' unless top_params.fetch(:type, nil)
+
+            expected_request_type = resource_name.pluralize.downcase
+            request_type = top_params.fetch(:type, nil)
+
+            fail ApiGuardian::Errors::InvalidRequestResourceTypeError, expected_request_type unless request_type == expected_request_type
+          end
+        end
+      end
+    end
+  end
+end

data/lib/api_guardian/configuration.rb

@@ -0,0 +1,171 @@
+module ApiGuardian
+  class Configuration
+    # Controls whether the sign up route is enabled.
+    # Defaults to `true`. Set to `false` to disable user creation routes.
+    # The setting is ignored if routes are disabled.
+    # @param [Boolean] value
+    # @return [Boolean]
+    attr_writer :allow_sign_up
+
+    # The domain to use for the clearance remember token cookie.
+    # Defaults to `nil`, which causes the cookie domain to default to the
+    # domain of the request. For more, see
+    # [RFC6265](http://tools.ietf.org/html/rfc6265#section-5.2.3).
+    # @return [String]
+    attr_accessor :cookie_domain
+
+    # A lambda called to set the remember token cookie expires attribute.
+    # The lambda accepts the collection of cookies as an argument which
+    # allows for changing the expiration according to those cookies.
+    # This could be used, for example, to set a session cookie unless
+    # a `remember_me` cookie was also present. By default, cookie expiration
+    # is one year. For more on cookie expiration see
+    # [RFC6265](http://tools.ietf.org/html/rfc6265#section-5.2.1).
+    # @return [Lambda]
+    attr_accessor :cookie_expiration
+
+    # The name of Clearance's remember token cookie.
+    # Defaults to `remember_token`.
+    # @return [String]
+    attr_accessor :cookie_name
+
+    # Controls which paths the remember token cookie is valid for.
+    # Defaults to `"/"` for the entire domain. For more, see
+    # [RFC6265](http://tools.ietf.org/html/rfc6265#section-5.1.4).
+    # @return [String]
+    attr_accessor :cookie_path
+
+    # Controls whether the  HttpOnly flag should be set on the remember token
+    # cookie. Defaults to `false`. If `true`, the cookie will not be made
+    # available to JavaScript. For more see
+    # [RFC6265](http://tools.ietf.org/html/rfc6265#section-5.2.6).
+    # @return [Boolean]
+    attr_accessor :httponly
+
+    # Controls the address the password reset email is sent from.
+    # Defaults to reply@example.com.
+    # @return [String]
+    attr_accessor :mailer_sender
+
+    # The password strategy to use when authenticating and setting passwords.
+    # Defaults to {Clearance::PasswordStrategies::BCrypt}.
+    # @return [Module #authenticated? #password=]
+    attr_accessor :password_strategy
+
+    # The default path Clearance will redirect signed in users to.
+    # Defaults to `"/"`. This can often be overridden for specific scenarios by
+    # overriding controller methods that rely on it.
+    # @return [String]
+    attr_accessor :redirect_url
+
+    # Set to `false` to disable Clearance's built-in routes.
+    # Defaults to `true`. When set to false, your app is responsible for all
+    # routes. You can dump a copy of Clearance's default routes with
+    # `rails generate clearance:routes`.
+    # @return [Boolean]
+    attr_writer :routes
+
+    # Controls the secure setting on the remember token cookie.
+    # Defaults to `false`. When set, the browser will only send the
+    # cookie to the server over HTTPS. You should set this value to true in
+    # live environments to prevent session hijacking. For more, see
+    # [RFC6265](http://tools.ietf.org/html/rfc6265#section-5.2.5).
+    # @return [Boolean]
+    attr_accessor :secure_cookie
+
+    # The array of sign in guards to run when signing a user in.
+    # Defaults to an empty array. Sign in guards respond to `call` and are
+    # initialized with a session and the current stack. Each guard can decide
+    # to fail the sign in, yield to the next guard, or allow the sign in.
+    # @return [Array<#call>]
+    attr_accessor :sign_in_guards
+
+    # The ActiveRecord class that represents users in your application.
+    # Defualts to `::User`.
+    # @return [ActiveRecord::Base]
+    attr_accessor :user_model
+
+    def initialize
+      @allow_sign_up = true
+      @cookie_expiration = ->(cookies) { 1.year.from_now.utc }
+      @cookie_domain = nil
+      @cookie_path = '/'
+      @cookie_name = "remember_token"
+      @httponly = false
+      @mailer_sender = 'reply@example.com'
+      @redirect_url = '/'
+      @routes = true
+      @secure_cookie = false
+      @sign_in_guards = []
+    end
+
+    def user_model
+      @user_model ||= ::User
+    end
+
+    # Is the user sign up route enabled?
+    # @return [Boolean]
+    def allow_sign_up?
+      @allow_sign_up
+    end
+
+    # Specifies which controller actions are allowed for user resources.
+    # This will be `[:create]` is `allow_sign_up` is true (the default), and
+    # empty otherwise.
+    # @return [Array<Symbol>]
+    def  user_actions
+      if allow_sign_up?
+        [:create]
+      else
+        []
+      end
+    end
+
+    # The name of foreign key parameter for the configured user model.
+    # This is derived from the `model_name` of the `user_model` setting.
+    # In the default configuration, this is `user_id`.
+    # @return [Symbol]
+    def user_id_parameter
+      "#{user_model.model_name.singular}_id".to_sym
+    end
+
+    # @return [Boolean] are Clearance's built-in routes enabled?
+    def routes_enabled?
+      @routes
+    end
+
+    # Reloads the clearance user model class.
+    # This is called from the Clearance engine to reload the configured
+    # user class during each request while in development mode, but only once
+    # in production.
+    #
+    # @api private
+    def reload_user_model
+      if @user_model.present?
+        @user_model = @user_model.to_s.constantize
+      end
+    end
+  end
+
+  # @return [Clearance::Configuration] Clearance's current configuration
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  # Set Clearance's configuration
+  # @param config [Clearance::Configuration]
+  def self.configuration=(config)
+    @configuration = config
+  end
+
+  # Modify Clearance's current configuration
+  # @yieldparam [Clearance::Configuration] config current Clearance config
+  # ```
+  # Clearance.configure do |config|
+  #   config.routes = false
+  # end
+  # ```
+  def self.configure
+    yield configuration
+  end
+end

data/lib/api_guardian/engine.rb

@@ -0,0 +1,23 @@
+require 'doorkeeper'
+
+module ApiGuardian
+  Doorkeeper = ::Doorkeeper
+
+  class Engine < ::Rails::Engine
+    isolate_namespace ApiGuardian
+
+    config.generators do |g|
+      g.test_framework :rspec, fixture: false
+      g.fixture_replacement :factory_girl, dir: 'spec/factories'
+      g.assets false
+      g.helper false
+    end
+
+    config.middleware.insert_before 0, "Rack::Cors" do
+      allow do
+        origins '*'
+        resource '*', :headers => :any, :methods => [:get, :post, :options]
+      end
+    end
+  end
+end