atproto_auth 0.0.1 → 0.1.0

data/lib/atproto_auth/client.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-# rubocop:disable Metrics/PerceivedComplexity, Metrics/AbcSize, Metrics/CyclomaticComplexity
-
 module AtprotoAuth
   # Main client class for AT Protocol OAuth implementation. Handles the complete
   # OAuth flow including authorization, token management, and identity verification.
@@ -12,6 +10,16 @@ module AtprotoAuth
     # Error raised when token operations fail
     class TokenError < Error; end
 
+    # Error raised when session operations fail
+    class SessionError < Error
+      attr_reader :session_id
+
+      def initialize(message, session_id: nil)
+        @session_id = session_id
+        super(message)
+      end
+    end
+
     # @return [String] OAuth client ID
     attr_reader :client_id
     # @return [String] OAuth redirect URI
@@ -59,6 +67,9 @@ module AtprotoAuth
         scope: scope
       )
 
+      # Store session with storage backend
+      session_manager.update_session(session)
+
       # Resolve identity and authorization server if handle provided
       if handle
         auth_info = resolve_from_handle(handle, session)
@@ -96,34 +107,39 @@ module AtprotoAuth
       # Verify issuer matches session
       raise CallbackError, "Issuer mismatch" unless session.auth_server && session.auth_server.issuer == iss
 
-      # Exchange code for tokens
-      token_response = exchange_code(
-        code: code,
-        session: session
-      )
-
-      # Validate token response
-      validate_token_response!(token_response, session)
-
-      # Create token set and store in session
-      token_set = State::TokenSet.new(
-        access_token: token_response["access_token"],
-        token_type: token_response["token_type"],
-        expires_in: token_response["expires_in"],
-        refresh_token: token_response["refresh_token"],
-        scope: token_response["scope"],
-        sub: token_response["sub"]
-      )
-      session.tokens = token_set
+      AtprotoAuth.storage.with_lock(Storage::KeyBuilder.lock_key("session", session.session_id), ttl: 30) do
+        # Exchange code for tokens
+        token_response = exchange_code(
+          code: code,
+          session: session
+        )
 
-      {
-        access_token: token_set.access_token,
-        token_type: token_set.token_type,
-        expires_in: (token_set.expires_at - Time.now).to_i,
-        refresh_token: token_set.refresh_token,
-        scope: token_set.scope,
-        session_id: session.session_id
-      }
+        # Validate token response
+        validate_token_response!(token_response, session)
+
+        # Create token set and store in session
+        token_set = State::TokenSet.new(
+          access_token: token_response["access_token"],
+          token_type: token_response["token_type"],
+          expires_in: token_response["expires_in"],
+          refresh_token: token_response["refresh_token"],
+          scope: token_response["scope"],
+          sub: token_response["sub"]
+        )
+        session.tokens = token_set
+
+        # Update stored session
+        session_manager.update_session(session)
+
+        {
+          access_token: token_set.access_token,
+          token_type: token_set.token_type,
+          expires_in: (token_set.expires_at - Time.now).to_i,
+          refresh_token: token_set.refresh_token,
+          scope: token_set.scope,
+          session_id: session.session_id
+        }
+      end
     end
 
     # Gets active tokens for a session
@@ -142,6 +158,38 @@ module AtprotoAuth
       }
     end
 
+    # Refreshes tokens for a session
+    # @param session_id [String] ID of session to refresh
+    def refresh_token(session_id)
+      session = session_manager.get_session(session_id)
+      raise TokenError, "Invalid session" unless session
+      raise TokenError, "Session not authorized" unless session.renewable?
+
+      AtprotoAuth.storage.with_lock(Storage::KeyBuilder.lock_key("session", session.session_id), ttl: 30) do
+        refresher = Token::Refresh.new(
+          session: session,
+          dpop_client: @dpop_client,
+          auth_server: session.auth_server,
+          client_metadata: client_metadata
+        )
+
+        new_tokens = refresher.perform!
+        session.tokens = new_tokens
+
+        # Update stored session
+        session_manager.update_session(session)
+
+        {
+          access_token: new_tokens.access_token,
+          token_type: new_tokens.token_type,
+          expires_in: (new_tokens.expires_at - Time.now).to_i,
+          refresh_token: new_tokens.refresh_token,
+          scope: new_tokens.scope,
+          session_id: session.session_id
+        }
+      end
+    end
+
     # Checks if a session has valid tokens
     # @param session_id [String] ID of session to check
     # @return [Boolean] true if session exists and has valid tokens
@@ -174,6 +222,21 @@ module AtprotoAuth
       }
     end
 
+    # Removes a session and its stored data
+    # @param session_id [String] ID of session to remove
+    # @return [void]
+    def remove_session(session_id)
+      key = Storage::KeyBuilder.session_key(session_id)
+      AtprotoAuth.storage.delete(key)
+      session_manager.remove_session(session_id)
+    end
+
+    # Cleans up expired sessions from storage
+    # @return [void]
+    def cleanup_expired_sessions
+      session_manager.cleanup_expired
+    end
+
     private
 
     def load_client_metadata(metadata)
@@ -214,6 +277,9 @@ module AtprotoAuth
       server = resolve_auth_server(resolution[:pds])
       session.authorization_server = server
 
+      # Update stored session
+      session_manager.update_session(session)
+
       { server: server, pds: resolution[:pds] }
     end
 
@@ -222,6 +288,9 @@ module AtprotoAuth
       server = resolve_auth_server(pds_url)
       session.authorization_server = server
 
+      # Update stored session
+      session_manager.update_session(session)
+
       { server: server, pds: pds_url }
     end
 
@@ -296,8 +365,6 @@ module AtprotoAuth
 
       # Handle DPoP nonce requirement
       if requires_dpop_nonce?(response)
-        puts "*" * 88
-        puts "requires_dpop_nonce"
         # Extract and store nonce from error response
         extract_dpop_nonce(response)
         dpop_client.process_response(response[:headers], session.auth_server.issuer)
@@ -322,11 +389,6 @@ module AtprotoAuth
         http_uri: session.auth_server.token_endpoint
       )
 
-      # Log the DPoP proof details
-      AtprotoAuth.configuration.logger.debug "Token Request DPoP Proof:"
-      AtprotoAuth.configuration.logger.debug "- Key: #{dpop_client.public_key}"
-      AtprotoAuth.configuration.logger.debug "- Proof: #{proof}"
-
       body = {
         grant_type: "authorization_code",
         code: code,
@@ -406,5 +468,3 @@ module AtprotoAuth
     end
   end
 end
-
-# rubocop:enable Metrics/PerceivedComplexity, Metrics/AbcSize, Metrics/CyclomaticComplexity

data/lib/atproto_auth/client_metadata.rb

@@ -56,7 +56,7 @@ module AtprotoAuth
 
     private
 
-    def validate_and_set_metadata!(metadata) # rubocop:disable Metrics/AbcSize
+    def validate_and_set_metadata!(metadata)
       # Required fields
       @application_type = validate_application_type(metadata["application_type"])
       @client_id = validate_client_id!(metadata["client_id"])
@@ -208,7 +208,7 @@ module AtprotoAuth
       end
     end
 
-    def validate_auth_methods!(metadata) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
+    def validate_auth_methods!(metadata)
       @token_endpoint_auth_method = metadata["token_endpoint_auth_method"]
       return unless @token_endpoint_auth_method == "private_key_jwt"
 

data/lib/atproto_auth/configuration.rb

@@ -3,15 +3,49 @@
 require "logger"
 
 module AtprotoAuth
+  class ConfigurationError < Error; end
+
   # Configuration class for global AtprotoAuth settings
   class Configuration
-    attr_accessor :default_token_lifetime, :dpop_nonce_lifetime, :http_client, :logger
+    attr_accessor :default_token_lifetime,
+                  :dpop_nonce_lifetime,
+                  :encryption,
+                  :http_client,
+                  :logger,
+                  :storage
 
     def initialize
       @default_token_lifetime = 300 # 5 minutes in seconds
       @dpop_nonce_lifetime = 300 # 5 minutes in seconds
+      @encryption = nil
       @http_client = nil
       @logger = Logger.new($stdout)
+      @storage = AtprotoAuth::Storage::Memory.new
+    end
+
+    # Validates the current configuration
+    # @raise [ConfigurationError] if configuration is invalid
+    def validate!
+      validate_storage!
+      validate_http_client!
+      true
+    end
+
+    private
+
+    def validate_storage!
+      raise ConfigurationError, "Storage must be configured" if @storage.nil?
+      return if @storage.is_a?(AtprotoAuth::Storage::Interface)
+
+      raise ConfigurationError, "Storage must implement Storage::Interface"
+    end
+
+    def validate_http_client!
+      return if @http_client.nil? # Allow nil for testing
+
+      return if @http_client.respond_to?(:get) && @http_client.respond_to?(:post)
+
+      raise ConfigurationError, "HTTP client must implement get and post methods"
     end
   end
 end

data/lib/atproto_auth/dpop/key_manager.rb

@@ -189,7 +189,7 @@ module AtprotoAuth
         asn1_to_raw(signature)
       end
 
-      def extract_ec_key # rubocop:disable Metrics/AbcSize
+      def extract_ec_key
         # Extract the raw EC key from JOSE JWK
         key_data = @keypair.to_map
         raise KeyError, "Private key required for signing" unless key_data["d"] # Private key component

data/lib/atproto_auth/dpop/nonce_manager.rb

@@ -1,40 +1,31 @@
 # frozen_string_literal: true
 
-require "monitor"
-
 module AtprotoAuth
   module DPoP
     # Manages DPoP nonces provided by servers during the OAuth flow.
-    # Tracks separate nonces for Resource Server and Authorization Server.
+    # Tracks separate nonces for each server using persistent storage.
     # Thread-safe to handle concurrent requests.
     class NonceManager
       # Error for nonce-related issues
       class NonceError < AtprotoAuth::Error; end
 
-      # Represents a stored nonce with its timestamp
+      # Represents a stored nonce with its server URL
       class StoredNonce
-        attr_reader :value, :timestamp, :server_url
+        attr_reader :value, :server_url, :timestamp
 
-        def initialize(value, server_url)
+        def initialize(value, server_url, timestamp: nil)
           @value = value
           @server_url = server_url
-          @timestamp = Time.now.to_i
-        end
-
-        def expired?(ttl = nil)
-          return false unless ttl
-
-          (Time.now.to_i - @timestamp) > ttl
+          @timestamp = timestamp || Time.now.to_i
         end
       end
 
-      # Maximum time in seconds a nonce is considered valid
+      # Default time in seconds a nonce is considered valid
       DEFAULT_TTL = 300 # 5 minutes
 
       def initialize(ttl: nil)
         @ttl = ttl || DEFAULT_TTL
-        @nonces = {}
-        @monitor = Monitor.new
+        @serializer = Serialization::StoredNonce.new
       end
 
       # Updates the stored nonce for a server
@@ -45,9 +36,13 @@ module AtprotoAuth
         validate_inputs!(nonce, server_url)
         origin = normalize_server_url(server_url)
 
-        @monitor.synchronize do
-          @nonces[origin] = StoredNonce.new(nonce, origin)
-        end
+        stored_nonce = StoredNonce.new(nonce, origin)
+        serialized = @serializer.serialize(stored_nonce)
+
+        key = Storage::KeyBuilder.nonce_key(origin)
+        return if AtprotoAuth.storage.set(key, serialized, ttl: @ttl)
+
+        raise NonceError, "Failed to store nonce"
       end
 
       # Gets the current nonce for a server
@@ -57,36 +52,26 @@ module AtprotoAuth
       def get(server_url)
         validate_server_url!(server_url)
         origin = normalize_server_url(server_url)
+        key = Storage::KeyBuilder.nonce_key(origin)
 
-        @monitor.synchronize do
-          stored = @nonces[origin]
-          return nil if stored.nil? || stored.expired?(@ttl)
+        stored = AtprotoAuth.storage.get(key)
+        return nil unless stored
 
-          stored.value
+        begin
+          stored_nonce = @serializer.deserialize(stored)
+          stored_nonce.value
+        rescue Serialization::Error => e
+          raise NonceError, "Failed to deserialize nonce: #{e.message}"
         end
       end
 
-      # Clears an expired nonce for a server
+      # Clears a nonce for a server
       # @param server_url [String] The server's URL
       def clear(server_url)
-        @monitor.synchronize do
-          @nonces.delete(server_url)
-        end
-      end
-
-      # Clears all stored nonces
-      def clear_all
-        @monitor.synchronize do
-          @nonces.clear
-        end
-      end
-
-      # Get all currently stored server URLs
-      # @return [Array<String>] Array of server URLs with stored nonces
-      def server_urls
-        @monitor.synchronize do
-          @nonces.keys
-        end
+        validate_server_url!(server_url)
+        origin = normalize_server_url(server_url)
+        key = Storage::KeyBuilder.nonce_key(origin)
+        AtprotoAuth.storage.delete(key)
       end
 
       # Check if a server has a valid nonce
@@ -94,11 +79,9 @@ module AtprotoAuth
       # @return [Boolean] true if server has a valid nonce
       def valid_nonce?(server_url)
         validate_server_url!(server_url)
-
-        @monitor.synchronize do
-          stored = @nonces[server_url]
-          !stored.nil? && !stored.expired?(@ttl)
-        end
+        origin = normalize_server_url(server_url)
+        key = Storage::KeyBuilder.nonce_key(origin)
+        AtprotoAuth.storage.exists?(key)
       end
 
       private

data/lib/atproto_auth/encryption.rb

@@ -0,0 +1,156 @@
+# frozen_string_literal: true
+
+# lib/atproto_auth/encryption.rb
+module AtprotoAuth
+  module Encryption
+    class Error < AtprotoAuth::Error; end
+    class ConfigurationError < Error; end
+    class EncryptionError < Error; end
+    class DecryptionError < Error; end
+
+    # HKDF implementation based on RFC 5869
+    module HKDF
+      def self.derive(secret, salt:, info:, length:)
+        # 1. extract
+        prk = OpenSSL::HMAC.digest(
+          OpenSSL::Digest.new("SHA256"),
+          salt.empty? ? "\x00" * 32 : salt,
+          secret.to_s
+        )
+
+        # 2. expand
+        n = (length.to_f / 32).ceil
+        t = [""]
+        output = ""
+        1.upto(n) do |i|
+          t[i] = OpenSSL::HMAC.digest(
+            OpenSSL::Digest.new("SHA256"),
+            prk,
+            t[i - 1] + info + [i].pack("C")
+          )
+          output += t[i]
+        end
+        output[0, length]
+      end
+    end
+
+    # Core encryption service - used internally by serializers
+    class Service
+      CIPHER = "aes-256-gcm"
+      VERSION = 1
+
+      def initialize
+        @key_provider = KeyProvider.new
+      end
+
+      def encrypt(data, context:)
+        validate_encryption_inputs!(data, context)
+
+        iv = SecureRandom.random_bytes(12)
+
+        cipher = OpenSSL::Cipher.new(CIPHER)
+        cipher.encrypt
+        cipher.key = @key_provider.key_for_context(context)
+        cipher.iv = iv
+        cipher.auth_data = context.to_s
+
+        encrypted = cipher.update(data.to_s) + cipher.final
+        auth_tag = cipher.auth_tag
+
+        {
+          version: VERSION,
+          iv: Base64.strict_encode64(iv),
+          data: Base64.strict_encode64(encrypted),
+          tag: Base64.strict_encode64(auth_tag)
+        }
+      rescue StandardError => e
+        raise EncryptionError, "Encryption failed: #{e.message}"
+      end
+
+      def decrypt(encrypted, context:)
+        validate_decryption_inputs!(encrypted, context)
+        validate_encrypted_data!(encrypted)
+
+        iv = Base64.strict_decode64(encrypted[:iv])
+        data = Base64.strict_decode64(encrypted[:data])
+        auth_tag = Base64.strict_decode64(encrypted[:tag])
+
+        cipher = OpenSSL::Cipher.new(CIPHER)
+        cipher.decrypt
+        cipher.key = @key_provider.key_for_context(context)
+        cipher.iv = iv
+        cipher.auth_tag = auth_tag
+        cipher.auth_data = context.to_s
+
+        cipher.update(data) + cipher.final
+      rescue ArgumentError => e
+        raise DecryptionError, "Invalid encrypted data format: #{e.message}"
+      rescue StandardError => e
+        raise DecryptionError, "Decryption failed: #{e.message}"
+      end
+
+      private
+
+      def validate_encryption_inputs!(data, context)
+        raise EncryptionError, "Data cannot be nil" if data.nil?
+        raise EncryptionError, "Context cannot be nil" if context.nil?
+        raise EncryptionError, "Context must be a string" unless context.is_a?(String)
+        raise EncryptionError, "Context cannot be empty" if context.empty?
+      end
+
+      def validate_decryption_inputs!(encrypted, context)
+        raise DecryptionError, "Encrypted data cannot be nil" if encrypted.nil?
+        raise DecryptionError, "Context cannot be nil" if context.nil?
+        raise DecryptionError, "Context must be a string" unless context.is_a?(String)
+        raise DecryptionError, "Context cannot be empty" if context.empty?
+      end
+
+      def validate_encrypted_data!(encrypted)
+        raise DecryptionError, "Invalid encrypted data format" unless encrypted.is_a?(Hash)
+
+        unless encrypted[:version] == VERSION
+          raise DecryptionError, "Unsupported encryption version: #{encrypted[:version]}"
+        end
+
+        %i[iv data tag].each do |field|
+          raise DecryptionError, "Missing required field: #{field}" unless encrypted[field].is_a?(String)
+        end
+      end
+    end
+
+    # Handles key management and derivation
+    class KeyProvider
+      def initialize
+        @master_key = load_master_key
+      end
+
+      def key_for_context(context)
+        raise ConfigurationError, "Context is required" if context.nil?
+
+        HKDF.derive(
+          @master_key,
+          salt: salt_for_context(context),
+          info: "atproto-#{context}",
+          length: 32
+        )
+      end
+
+      private
+
+      def load_master_key
+        # Try environment variable first
+        key = ENV.fetch("ATPROTO_MASTER_KEY", nil)
+        return Base64.strict_decode64(key) if key
+
+        # Generate and store a random key if not configured
+        key = SecureRandom.random_bytes(32)
+        warn "WARNING: Using randomly generated encryption key - tokens will not persist across restarts"
+        key
+      end
+
+      def salt_for_context(context)
+        OpenSSL::Digest.digest("SHA256", "atproto-salt-#{context}")
+      end
+    end
+  end
+end

data/lib/atproto_auth/http_client.rb

@@ -136,7 +136,7 @@ module AtprotoAuth
       raise HttpError.new("Request failed: #{e.message}", nil)
     end
 
-    def make_post_request(uri, body, headers = {}, redirect_count = 0) # rubocop:disable Metrics/AbcSize
+    def make_post_request(uri, body, headers = {}, redirect_count = 0)
       http = Net::HTTP.new(uri.host, uri.port)
       configure_http_client!(http)
 
@@ -182,7 +182,7 @@ module AtprotoAuth
     # - headers: Hash of headers from the original request
     # - redirect_count: Number of redirects so far
     # - body: Request body for POST requests
-    def handle_redirect(**kwargs) # rubocop:disable Metrics/AbcSize
+    def handle_redirect(**kwargs)
       response = kwargs[:response]
       redirect_count = kwargs[:redirect_count]
 

data/lib/atproto_auth/identity/document.rb

@@ -78,7 +78,7 @@ module AtprotoAuth
         raise DocumentError, "Invalid DID format (must be did:plc:): #{did}"
       end
 
-      def validate_services!(services) # rubocop:disable Metrics/CyclomaticComplexity
+      def validate_services!(services)
         return if services.nil?
         raise DocumentError, "services must be an array" unless services.is_a?(Array)
 

data/lib/atproto_auth/identity/resolver.rb

@@ -119,7 +119,7 @@ module AtprotoAuth
         normalized.downcase
       end
 
-      def resolve_handle_dns(handle) # rubocop:disable Metrics/CyclomaticComplexity
+      def resolve_handle_dns(handle)
         domain = extract_domain(handle)
         return nil unless domain