atproto_auth 0.0.1 → 0.1.1

data/lib/atproto_auth/serialization/base.rb

@@ -0,0 +1,189 @@
+# frozen_string_literal: true
+
+module AtprotoAuth
+  module Serialization
+    class Error < AtprotoAuth::Error; end
+
+    class VersionError < Error; end
+
+    class TypeMismatchError < Error; end
+
+    class ValidationError < Error; end
+
+    # Base serializer that all type-specific serializers inherit from
+    class Base
+      CURRENT_VERSION = 1
+      SENSITIVE_FIELDS = [
+        "access_token",
+        "refresh_token",
+        "private_key",
+        "d", # EC private key component
+        "pkce_verifier"
+      ].freeze
+
+      class << self
+        # Serialize object to storage format
+        # @param obj [Object] Object to serialize
+        # @return [String] JSON serialized data
+        def serialize(obj)
+          new.serialize(obj)
+        end
+
+        # Deserialize from storage format
+        # @param data [String] JSON serialized data
+        # @return [Object] Deserialized object
+        def deserialize(data)
+          new.deserialize(data)
+        end
+      end
+
+      def initialize
+        @encryption = Encryption::Service.new
+      end
+
+      # Serialize object to storage format
+      # @param obj [Object] Object to serialize
+      # @return [String] JSON serialized data
+      def serialize(obj)
+        validate_object!(obj)
+
+        # First serialize the object
+        data = {
+          version: CURRENT_VERSION,
+          type: type_identifier,
+          created_at: Time.now.utc.iso8601,
+          updated_at: Time.now.utc.iso8601,
+          data: serialize_data(obj)
+        }
+
+        # Then encrypt sensitive fields
+        encrypt_sensitive_fields!(data)
+
+        # Finally convert to JSON
+        JSON.generate(data)
+      end
+
+      # Deserialize from storage format
+      # @param data [String] JSON serialized data
+      # @return [Object] Deserialized object
+      def deserialize(data)
+        parsed = parse_json(data)
+        validate_serialized_data!(parsed)
+
+        # Decrypt sensitive fields
+        decrypt_sensitive_fields!(parsed)
+
+        # Deserialize according to version
+        deserialize_version(parsed)
+      end
+
+      private
+
+      def encrypt_sensitive_fields!(data, path: [])
+        return unless data.is_a?(Hash)
+
+        data.each do |key, value|
+          current_path = path + [key]
+
+          if sensitive_field?(key)
+            data[key] = @encryption.encrypt(
+              value.to_s,
+              context: current_path.join(".")
+            )
+          elsif value.is_a?(Hash)
+            encrypt_sensitive_fields!(value, path: current_path)
+          elsif value.is_a?(Array)
+            value.each_with_index do |v, i|
+              encrypt_sensitive_fields!(v, path: current_path + [i.to_s]) if v.is_a?(Hash)
+            end
+          end
+        end
+      end
+
+      def decrypt_sensitive_fields!(data, path: [])
+        return unless data.is_a?(Hash)
+
+        data.each do |key, value|
+          current_path = path + [key]
+          if sensitive_field?(key)
+            data[key] = @encryption.decrypt(
+              value.transform_keys(&:to_sym),
+              context: current_path.join(".")
+            )
+          elsif value.is_a?(Hash)
+            decrypt_sensitive_fields!(value, path: current_path)
+          elsif value.is_a?(Array)
+            value.each_with_index do |v, i|
+              decrypt_sensitive_fields!(v, path: current_path + [i.to_s]) if v.is_a?(Hash)
+            end
+          end
+        end
+      end
+
+      def sensitive_field?(field)
+        SENSITIVE_FIELDS.any? do |sensitive_field|
+          field.to_s == sensitive_field
+        end
+      end
+
+      # Type identifier for serialized data
+      # @return [String]
+      def type_identifier
+        raise NotImplementedError
+      end
+
+      # Serialize object to hash
+      # @param obj [Object] Object to serialize
+      # @return [Hash] Serialized data
+      def serialize_data(_obj)
+        raise NotImplementedError
+      end
+
+      # Deserialize object from hash
+      # @param data [Hash] Serialized data
+      # @return [Object] Deserialized object
+      def deserialize_data(_data)
+        raise NotImplementedError
+      end
+
+      # Validate object before serialization
+      # @param obj [Object] Object to validate
+      # @raise [ValidationError] if object is invalid
+      def validate_object!(_obj)
+        raise NotImplementedError
+      end
+
+      def parse_json(data)
+        JSON.parse(data)
+      rescue JSON::ParserError => e
+        raise Error, "Invalid JSON data: #{e.message}"
+      end
+
+      def validate_serialized_data!(data)
+        raise Error, "Invalid serialized data format" unless data.is_a?(Hash)
+
+        unless data["type"] == type_identifier
+          raise TypeMismatchError,
+                "Expected type #{type_identifier}, got #{data["type"]}"
+        end
+
+        raise VersionError, "Invalid version format" unless data["version"].is_a?(Integer)
+
+        return unless data["version"] > CURRENT_VERSION
+
+        raise VersionError,
+              "Version #{data["version"]} not supported"
+      end
+
+      def deserialize_version(data)
+        case data["version"]
+        when 1
+          deserialize_data(data["data"])
+        else
+          raise VersionError,
+                "Unknown version: #{data["version"]}"
+        end
+      end
+    end
+  end
+end

data/lib/atproto_auth/serialization/dpop_key.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module AtprotoAuth
+  module Serialization
+    # Handles serialization of DPoP keys
+    class DPoPKey < Base
+      def type_identifier
+        "DPoPKey"
+      end
+
+      private
+
+      def validate_object!(obj)
+        return if obj.is_a?(AtprotoAuth::DPoP::KeyManager)
+
+        raise ValidationError,
+              "Expected KeyManager object, got #{obj.class}"
+      end
+
+      def serialize_data(obj)
+        obj.to_jwk(include_private: true).to_h
+      end
+
+      def deserialize_data(data)
+        AtprotoAuth::DPoP::KeyManager.from_jwk(data)
+      end
+    end
+  end
+end

data/lib/atproto_auth/serialization/session.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module AtprotoAuth
+  module Serialization
+    # Handles serialization of Session objects
+    class Session < Base
+      def type_identifier
+        "Session"
+      end
+
+      private
+
+      def validate_object!(obj)
+        return if obj.is_a?(AtprotoAuth::State::Session)
+
+        raise ValidationError,
+              "Expected Session object, got #{obj.class}"
+      end
+
+      def serialize_data(obj)
+        {
+          session_id: obj.session_id,
+          state_token: obj.state_token,
+          client_id: obj.client_id,
+          scope: obj.scope,
+          pkce_verifier: obj.pkce_verifier,
+          pkce_challenge: obj.pkce_challenge,
+          did: obj.did,
+          tokens: serialize_token_set(obj.tokens),
+          auth_server: serialize_auth_server(obj.auth_server)
+        }
+      end
+
+      def deserialize_data(data)
+        AtprotoAuth::State::Session.new(
+          client_id: data["client_id"],
+          scope: data["scope"],
+          did: data["did"],
+          auth_server: deserialize_auth_server(data["auth_server"])
+        ).tap do |session|
+          # Set readonly attributes
+          session.instance_variable_set(:@session_id, data["session_id"])
+          session.instance_variable_set(:@state_token, data["state_token"])
+          session.instance_variable_set(:@pkce_verifier, data["pkce_verifier"])
+          session.instance_variable_set(:@pkce_challenge, data["pkce_challenge"])
+
+          # Set tokens if present
+          session.tokens = deserialize_token_set(data["tokens"]) if data["tokens"]
+        end
+      end
+
+      def serialize_token_set(tokens)
+        return nil unless tokens
+
+        TokenSet.new.serialize(tokens)
+      end
+
+      def deserialize_token_set(data)
+        return nil unless data
+
+        TokenSet.new.deserialize(data)
+      end
+
+      def serialize_auth_server(server)
+        return nil unless server
+
+        server.to_h
+      end
+
+      def deserialize_auth_server(data)
+        return nil unless data
+
+        AtprotoAuth::ServerMetadata::AuthorizationServer.new(data)
+      end
+    end
+  end
+end

data/lib/atproto_auth/serialization/stored_nonce.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module AtprotoAuth
+  module Serialization
+    # Handles serialization of StoredNonce objects
+    class StoredNonce < Base
+      def type_identifier
+        "StoredNonce"
+      end
+
+      private
+
+      def validate_object!(obj)
+        return if obj.is_a?(AtprotoAuth::DPoP::NonceManager::StoredNonce)
+
+        raise ValidationError,
+              "Expected StoredNonce object, got #{obj.class}"
+      end
+
+      def serialize_data(obj)
+        {
+          value: obj.value,
+          server_url: obj.server_url,
+          timestamp: obj.timestamp
+        }
+      end
+
+      def deserialize_data(data)
+        AtprotoAuth::DPoP::NonceManager::StoredNonce.new(
+          data["value"],
+          data["server_url"],
+          timestamp: Time.at(data["timestamp"])
+        )
+      end
+    end
+  end
+end

data/lib/atproto_auth/serialization/token_set.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module AtprotoAuth
+  module Serialization
+    # Handles serialization of TokenSet objects
+    class TokenSet < Base
+      def type_identifier
+        "TokenSet"
+      end
+
+      private
+
+      def validate_object!(obj)
+        return if obj.is_a?(AtprotoAuth::State::TokenSet)
+
+        raise ValidationError,
+              "Expected TokenSet object, got #{obj.class}"
+      end
+
+      def serialize_data(obj)
+        {
+          access_token: obj.access_token,
+          refresh_token: obj.refresh_token,
+          token_type: obj.token_type,
+          expires_at: obj.expires_at.utc.iso8601,
+          scope: obj.scope,
+          sub: obj.sub
+        }
+      end
+
+      def deserialize_data(data)
+        AtprotoAuth::State::TokenSet.new(
+          access_token: data["access_token"],
+          refresh_token: data["refresh_token"],
+          token_type: data["token_type"],
+          expires_in: (Time.parse(data["expires_at"]) - Time.now).to_i,
+          scope: data["scope"],
+          sub: data["sub"]
+        )
+      end
+    end
+  end
+end

data/lib/atproto_auth/server_metadata/authorization_server.rb

@@ -57,9 +57,28 @@ module AtprotoAuth
         new(metadata)
       end
 
+      def to_h
+        {
+          issuer: issuer,
+          authorization_endpoint: authorization_endpoint,
+          token_endpoint: token_endpoint,
+          pushed_authorization_request_endpoint: pushed_authorization_request_endpoint,
+          response_types_supported: response_types_supported,
+          grant_types_supported: grant_types_supported,
+          code_challenge_methods_supported: code_challenge_methods_supported,
+          token_endpoint_auth_methods_supported: token_endpoint_auth_methods_supported,
+          token_endpoint_auth_signing_alg_values_supported: token_endpoint_auth_signing_alg_values_supported,
+          scopes_supported: scopes_supported,
+          dpop_signing_alg_values_supported: dpop_signing_alg_values_supported,
+          authorization_response_iss_parameter_supported: true,
+          require_pushed_authorization_requests: true,
+          client_id_metadata_document_supported: true
+        }
+      end
+
       private
 
-      def validate_and_set_metadata!(metadata) # rubocop:disable Metrics/AbcSize
+      def validate_and_set_metadata!(metadata)
         REQUIRED_FIELDS.each do |field|
           raise InvalidAuthorizationServer, "#{field} is required" unless metadata[field]
         end

data/lib/atproto_auth/state/session_manager.rb

@@ -1,18 +1,11 @@
 # frozen_string_literal: true
 
-require "securerandom"
-require "time"
-require "monitor"
-
 module AtprotoAuth
   module State
-    # Manages active OAuth sessions
+    # Manages active OAuth sessions with secure persistent storage
     class SessionManager
-      include MonitorMixin
-
       def initialize
-        super # Initialize MonitorMixin
-        @sessions = {}
+        @serializer = Serialization::Session.new
       end
 
       # Creates and stores a new session
@@ -29,8 +22,31 @@ module AtprotoAuth
           did: did
         )
 
-        synchronize do
-          @sessions[session.session_id] = session
+        # Store both session and state mapping atomically
+        session_key = Storage::KeyBuilder.session_key(session.session_id)
+        state_key = Storage::KeyBuilder.state_key(session.state_token)
+
+        AtprotoAuth.storage.with_lock(session_key, ttl: 30) do
+          serialized = @serializer.serialize(session)
+          AtprotoAuth.storage.set(session_key, serialized)
+          AtprotoAuth.storage.set(state_key, session.session_id)
+        end
+
+        session
+      end
+
+      # Updates an existing session
+      # @return [Session] The session to update
+      # @return [Session] The updated session
+      def update_session(session)
+        session_key = Storage::KeyBuilder.session_key(session.session_id)
+
+        AtprotoAuth.storage.with_lock(session_key, ttl: 30) do
+          serialized = @serializer.serialize(session)
+          AtprotoAuth.storage.set(session_key, serialized)
+
+          state_key = Storage::KeyBuilder.state_key(session.state_token)
+          AtprotoAuth.storage.set(state_key, session.session_id)
         end
 
         session
@@ -40,8 +56,24 @@ module AtprotoAuth
       # @param session_id [String] Session ID to look up
       # @return [Session, nil] The session if found
       def get_session(session_id)
-        synchronize do
-          @sessions[session_id]
+        session_key = Storage::KeyBuilder.session_key(session_id)
+
+        begin
+          serialized = AtprotoAuth.storage.get(session_key)
+          return nil unless serialized
+        rescue StandardError => e
+          AtprotoAuth.configuration.logger.error("Failed to get session: #{e.message}")
+          return nil
+        end
+
+        begin
+          session = @serializer.deserialize(serialized)
+          return nil if !session.renewable? && session.tokens&.expired?
+
+          session
+        rescue StandardError => e
+          AtprotoAuth.configuration.logger.error("Failed to deserialize session: #{e.message}")
+          nil
         end
       end
 
@@ -49,26 +81,41 @@ module AtprotoAuth
       # @param state [String] State token to look up
       # @return [Session, nil] The session if found
       def get_session_by_state(state)
-        synchronize do
-          @sessions.values.find { |session| session.validate_state(state) }
+        return nil unless state
+
+        state_key = Storage::KeyBuilder.state_key(state)
+
+        begin
+          session_id = AtprotoAuth.storage.get(state_key)
+          return nil unless session_id
+        rescue StandardError => e
+          AtprotoAuth.configuration.logger.error("Failed to get session by state: #{e.message}")
+          return nil
         end
+
+        get_session(session_id)
       end
 
       # Removes a session
       # @param session_id [String] Session ID to remove
       # @return [void]
       def remove_session(session_id)
-        synchronize do
-          @sessions.delete(session_id)
+        session = get_session(session_id)
+        return unless session
+
+        session_key = Storage::KeyBuilder.session_key(session_id)
+        state_key = Storage::KeyBuilder.state_key(session.state_token)
+
+        AtprotoAuth.storage.with_lock(session_key, ttl: 30) do
+          AtprotoAuth.storage.delete(session_key)
+          AtprotoAuth.storage.delete(state_key)
         end
       end
 
       # Removes all expired sessions
       # @return [void]
       def cleanup_expired
-        synchronize do
-          @sessions.delete_if { |_, session| !session.renewable? && session.tokens&.expired? }
-        end
+        # No-op - expiry handled by storage TTL and retrieval validation
       end
     end
   end

data/lib/atproto_auth/storage/interface.rb

@@ -0,0 +1,112 @@
+# frozen_string_literal: true
+
+module AtprotoAuth
+  module Storage
+    # Base storage interface that all implementations must conform to
+    class Interface
+      # Store a value with optional TTL
+      # @param key [String] Storage key
+      # @param value [Object] Value to store
+      # @param ttl [Integer, nil] Time-to-live in seconds
+      # @return [Boolean] Success status
+      # @raise [StorageError] if operation fails
+      def set(key, value, ttl: nil)
+        raise NotImplementedError
+      end
+
+      # Retrieve a value
+      # @param key [String] Storage key
+      # @return [Object, nil] Stored value or nil if not found
+      # @raise [StorageError] if operation fails
+      def get(key)
+        raise NotImplementedError
+      end
+
+      # Delete a value
+      # @param key [String] Storage key
+      # @return [Boolean] Success status
+      # @raise [StorageError] if operation fails
+      def delete(key)
+        raise NotImplementedError
+      end
+
+      # Check if key exists
+      # @param key [String] Storage key
+      # @return [Boolean] True if key exists
+      # @raise [StorageError] if operation fails
+      def exists?(key)
+        raise NotImplementedError
+      end
+
+      # Get multiple values
+      # @param keys [Array<String>] Storage keys
+      # @return [Hash<String, Object>] Key-value pairs
+      # @raise [StorageError] if operation fails
+      def multi_get(keys)
+        raise NotImplementedError
+      end
+
+      # Store multiple values
+      # @param hash [Hash<String, Object>] Key-value pairs
+      # @param ttl [Integer, nil] Time-to-live in seconds
+      # @return [Boolean] Success status
+      # @raise [StorageError] if operation fails
+      def multi_set(hash, ttl: nil)
+        raise NotImplementedError
+      end
+
+      # Acquire a lock
+      # @param key [String] Lock key
+      # @param ttl [Integer] Lock timeout in seconds
+      # @return [Boolean] True if lock acquired
+      # @raise [StorageError] if operation fails
+      def acquire_lock(key, ttl:)
+        raise NotImplementedError
+      end
+
+      # Release a lock
+      # @param key [String] Lock key
+      # @return [Boolean] Success status
+      # @raise [StorageError] if operation fails
+      def release_lock(key)
+        raise NotImplementedError
+      end
+
+      # Execute block with lock
+      # @param key [String] Lock key
+      # @param ttl [Integer] Lock timeout in seconds
+      # @yield Block to execute with lock
+      # @return [Object] Block result
+      # @raise [StorageError] if operation fails
+      def with_lock(key, ttl: 30)
+        raise NotImplementedError
+      end
+
+      protected
+
+      # Validate key format
+      # @param key [String] Key to validate
+      # @raise [StorageError] if key is invalid
+      def validate_key!(key)
+        raise StorageError, "Key cannot be nil" if key.nil?
+        raise StorageError, "Key must be a string" unless key.is_a?(String)
+        raise StorageError, "Key cannot be empty" if key.empty?
+        raise StorageError, "Invalid key format" unless key.start_with?("atproto:")
+      end
+
+      # Validate TTL value
+      # @param ttl [Integer, nil] TTL to validate
+      # @raise [StorageError] if TTL is invalid
+      def validate_ttl!(ttl)
+        return if ttl.nil?
+        raise StorageError, "TTL must be a positive integer" unless ttl.is_a?(Integer) && ttl.positive?
+      end
+    end
+
+    # Base error class for storage operations
+    class StorageError < AtprotoAuth::Error; end
+
+    # Error for lock-related operations
+    class LockError < StorageError; end
+  end
+end

data/lib/atproto_auth/storage/key_builder.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module AtprotoAuth
+  module Storage
+    # Utility for building storage keys with correct format
+    class KeyBuilder
+      NAMESPACE_SEPARATOR = ":"
+      NAMESPACE_PREFIX = "atproto"
+
+      class << self
+        def session_key(id)
+          build_key("session", id)
+        end
+
+        def state_key(token)
+          build_key("state", token)
+        end
+
+        def nonce_key(server_url)
+          build_key("nonce", server_url)
+        end
+
+        def dpop_key(client_id)
+          build_key("dpop", client_id)
+        end
+
+        def lock_key(namespace, id)
+          build_key("lock", namespace, id)
+        end
+
+        private
+
+        def build_key(*parts)
+          [NAMESPACE_PREFIX, *parts].join(NAMESPACE_SEPARATOR)
+        end
+      end
+    end
+  end
+end