atproto_auth 0.0.1 → 0.1.1

data/lib/atproto_auth/storage/memory.rb

@@ -0,0 +1,191 @@
+# frozen_string_literal: true
+
+require "monitor"
+
+module AtprotoAuth
+  module Storage
+    # Thread-safe in-memory storage implementation
+    class Memory < Interface
+      def initialize
+        super
+        @data = {}
+        @locks = {}
+        @expirations = {}
+        @monitor = Monitor.new
+        @cleanup_interval = 60 # 1 minute
+        start_cleanup_thread
+      end
+
+      def set(key, value, ttl: nil)
+        validate_key!(key)
+        validate_ttl!(ttl)
+
+        @monitor.synchronize do
+          @data[key] = value
+          set_expiration(key, ttl) if ttl
+          true
+        end
+      end
+
+      def get(key)
+        validate_key!(key)
+
+        @monitor.synchronize do
+          return nil if expired?(key)
+
+          @data[key]
+        end
+      end
+
+      def delete(key)
+        validate_key!(key)
+
+        @monitor.synchronize do
+          @data.delete(key)
+          @expirations.delete(key)
+          true
+        end
+      end
+
+      def exists?(key)
+        validate_key!(key)
+
+        @monitor.synchronize do
+          return false unless @data.key?(key)
+          return false if expired?(key)
+
+          true
+        end
+      end
+
+      def multi_get(keys)
+        keys.each { |key| validate_key!(key) }
+
+        @monitor.synchronize do
+          result = {}
+          keys.each do |key|
+            result[key] = @data[key] if @data.key?(key) && !expired?(key)
+          end
+          result
+        end
+      end
+
+      def multi_set(hash, ttl: nil)
+        hash.each_key { |key| validate_key!(key) }
+        validate_ttl!(ttl)
+
+        @monitor.synchronize do
+          hash.each do |key, value|
+            @data[key] = value
+            set_expiration(key, ttl) if ttl
+          end
+          true
+        end
+      end
+
+      def acquire_lock(key, ttl:)
+        validate_key!(key)
+        validate_ttl!(ttl)
+        lock_key = "lock:#{key}"
+
+        @monitor.synchronize do
+          return false if @locks[lock_key] && !lock_expired?(lock_key)
+
+          @locks[lock_key] = Time.now.to_i + ttl
+          true
+        end
+      end
+
+      def release_lock(key)
+        validate_key!(key)
+        lock_key = "lock:#{key}"
+
+        @monitor.synchronize do
+          @locks.delete(lock_key)
+          true
+        end
+      end
+
+      def with_lock(key, ttl: 30)
+        raise ArgumentError, "Block required" unless block_given?
+
+        acquired = acquire_lock(key, ttl: ttl)
+        raise LockError, "Failed to acquire lock" unless acquired
+
+        begin
+          yield
+        ensure
+          release_lock(key)
+        end
+      end
+
+      def clear
+        @monitor.synchronize do
+          @data.clear
+          @expirations.clear
+          @locks.clear
+        end
+      end
+
+      private
+
+      def expired?(key)
+        return false unless @expirations.key?(key)
+
+        expiry = @expirations[key]
+        if Time.now.to_i >= expiry
+          @data.delete(key)
+          @expirations.delete(key)
+          true
+        else
+          false
+        end
+      end
+
+      def lock_expired?(lock_key)
+        expiry = @locks[lock_key]
+        return false unless expiry
+
+        if Time.now.to_i >= expiry
+          @locks.delete(lock_key)
+          true
+        else
+          false
+        end
+      end
+
+      def set_expiration(key, ttl)
+        @expirations[key] = Time.now.to_i + ttl
+      end
+
+      def cleanup_expired
+        @monitor.synchronize do
+          now = Time.now.to_i
+
+          # Cleanup expired data
+          @expirations.each do |key, expiry|
+            if now >= expiry
+              @data.delete(key)
+              @expirations.delete(key)
+            end
+          end
+
+          # Cleanup expired locks
+          @locks.delete_if { |_, expiry| now >= expiry }
+        end
+      end
+
+      def start_cleanup_thread
+        Thread.new do
+          loop do
+            sleep @cleanup_interval
+            cleanup_expired
+          rescue StandardError => e
+            # Log error but keep thread running
+            AtprotoAuth.configuration.logger.error "Storage cleanup error: #{e.message}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/atproto_auth/storage/redis.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require "redis"
+
+module AtprotoAuth
+  module Storage
+    # Redis storage implementation
+    class Redis < Interface
+      # Error raised for Redis-specific issues
+      class RedisError < StorageError; end
+
+      def initialize(redis_client: nil)
+        super()
+        @redis_client = redis_client || ::Redis.new
+      end
+
+      def set(key, value, ttl: nil)
+        validate_key!(key)
+        validate_ttl!(ttl) if ttl
+
+        @redis_client.set(key, value, ex: ttl)
+        true
+      rescue ::Redis::BaseError => e
+        raise RedisError, "Failed to set value: #{e.message}"
+      end
+
+      def get(key)
+        validate_key!(key)
+
+        value = @redis_client.get(key)
+        value.nil? || value == "" ? nil : value
+      rescue ::Redis::BaseError => e
+        raise RedisError, "Failed to get value: #{e.message}"
+      end
+
+      def delete(key)
+        validate_key!(key)
+
+        @redis_client.del(key).positive?
+      rescue ::Redis::BaseError => e
+        raise RedisError, "Failed to delete value: #{e.message}"
+      end
+
+      def exists?(key)
+        validate_key!(key)
+
+        @redis_client.exists?(key)
+      rescue ::Redis::BaseError => e
+        raise RedisError, "Failed to check existence: #{e.message}"
+      end
+
+      def multi_get(keys)
+        keys.each { |key| validate_key!(key) }
+
+        values = @redis_client.mget(keys)
+        result = {}
+
+        # Only include non-nil values in result hash
+        keys.zip(values).each do |key, value|
+          next if value.nil? || value == ""
+
+          result[key] = value
+        end
+
+        result
+      rescue ::Redis::BaseError => e
+        raise RedisError, "Failed to get multiple values: #{e.message}"
+      end
+
+      def multi_set(hash, ttl: nil)
+        hash.each_key { |key| validate_key!(key) }
+        validate_ttl!(ttl) if ttl
+
+        @redis_client.multi do |tx|
+          hash.each do |key, value|
+            tx.set(key, value, ex: ttl)
+          end
+        end
+        true
+      rescue ::Redis::BaseError => e
+        raise RedisError, "Failed to set multiple values: #{e.message}"
+      end
+
+      def acquire_lock(key, ttl:)
+        validate_key!(key)
+        validate_ttl!(ttl)
+
+        lock_key = "atproto:locks:#{key}"
+        @redis_client.set(lock_key, Time.now.to_i, nx: true, ex: ttl)
+      rescue ::Redis::BaseError => e
+        raise RedisError, "Failed to acquire lock: #{e.message}"
+      end
+
+      def release_lock(key)
+        validate_key!(key)
+
+        lock_key = "atproto:locks:#{key}"
+        @redis_client.del(lock_key).positive?
+      rescue ::Redis::BaseError => e
+        raise RedisError, "Failed to release lock: #{e.message}"
+      end
+
+      def with_lock(key, ttl: 30)
+        raise ArgumentError, "Block required" unless block_given?
+
+        acquired = acquire_lock(key, ttl: ttl)
+        raise LockError, "Failed to acquire lock" unless acquired
+
+        begin
+          yield
+        ensure
+          release_lock(key)
+        end
+      rescue ::Redis::BaseError => e
+        raise RedisError, "Lock operation failed: #{e.message}"
+      end
+    end
+  end
+end

data/lib/atproto_auth/token/refresh.rb

@@ -0,0 +1,249 @@
+# frozen_string_literal: true
+
+module AtprotoAuth
+  module Token
+    # Base error class for token-related errors
+    class Error < AtprotoAuth::Error
+      attr_reader :token_type, :error_code, :retry_possible
+
+      def initialize(message, token_type:, error_code:, retry_possible: false)
+        @token_type = token_type
+        @error_code = error_code
+        @retry_possible = retry_possible
+        super(message)
+      end
+    end
+
+    # Specific token error types
+    class ExpiredTokenError < Error
+      def initialize(token_type:)
+        super(
+          "Token has expired",
+          token_type: token_type,
+          error_code: "token_expired",
+          retry_possible: true
+        )
+      end
+    end
+
+    # Raised when a token is structurally valid but has been invalidated or revoked
+    class InvalidTokenError < Error
+      def initialize(token_type:)
+        super(
+          "Token is invalid",
+          token_type: token_type,
+          error_code: "token_invalid",
+          retry_possible: false
+        )
+      end
+    end
+
+    # Raised during token refresh operations, includes retry information and server responses
+    class RefreshError < Error
+      def initialize(message, retry_possible: true)
+        super(
+          message,
+          token_type: "refresh",
+          error_code: "refresh_failed",
+          retry_possible: retry_possible
+        )
+      end
+    end
+
+    # Handles token refresh operations with retry logic
+    class Refresh
+      include MonitorMixin
+
+      # Maximum number of refresh attempts
+      MAX_RETRIES = 3
+      # Base delay between retries in seconds
+      BASE_DELAY = 1
+      # Maximum delay between retries in seconds
+      MAX_DELAY = 8
+
+      attr_reader :session, :dpop_client, :auth_server, :client_metadata
+
+      def initialize(session:, dpop_client:, auth_server:, client_metadata:)
+        super() # Initialize MonitorMixin
+        @session = session
+        @dpop_client = dpop_client
+        @auth_server = auth_server
+        @attempt_count = 0
+        @client_metadata = client_metadata
+      end
+
+      # Performs token refresh with retry logic
+      # @return [TokenSet] New token set
+      # @raise [RefreshError] if refresh fails
+      def perform!
+        synchronize do
+          raise RefreshError.new("No refresh token available", retry_possible: false) unless session.renewable?
+          raise RefreshError.new("No access token to refresh", retry_possible: false) if session.tokens.nil?
+
+          with_retries do
+            request_token_refresh
+          end
+        end
+      end
+
+      private
+
+      def with_retries
+        @attempt_count = 0
+        last_error = nil
+
+        while @attempt_count < MAX_RETRIES
+          begin
+            return yield
+          rescue StandardError => e
+            last_error = e
+            @attempt_count += 1
+
+            # Don't retry if error indicates retry not possible
+            raise e if e.respond_to?(:retry_possible) && !e.retry_possible
+
+            sleep calculate_delay if @attempt_count < MAX_RETRIES
+          end
+        end
+
+        # Reached max retries
+        raise RefreshError.new(
+          "Token refresh failed after #{MAX_RETRIES} attempts: #{last_error.message}",
+          retry_possible: false
+        )
+      end
+
+      def calculate_delay
+        # Exponential backoff with jitter
+        delay = [BASE_DELAY * (2**(@attempt_count - 1)), MAX_DELAY].min
+        delay + (rand * 0.5 * delay) # Add up to 50% jitter
+      end
+
+      def request_token_refresh
+        # Generate DPoP proof for token request
+        proof = dpop_client.generate_proof(
+          http_method: "POST",
+          http_uri: auth_server.token_endpoint
+        )
+
+        # Build refresh request
+        body = {
+          grant_type: "refresh_token",
+          refresh_token: session.tokens.refresh_token,
+          scope: session.scope
+        }
+
+        # Add client authentication if available
+        add_client_authentication!(body) if client_metadata.confidential?
+
+        # Make request
+        response = AtprotoAuth.configuration.http_client.post(
+          auth_server.token_endpoint,
+          body: body,
+          headers: {
+            "Content-Type" => "application/x-www-form-urlencoded",
+            "DPoP" => proof
+          }
+        )
+
+        handle_refresh_response(response)
+      end
+
+      def add_client_authentication!(body)
+        return unless session.client_metadata.jwks && !session.client_metadata.jwks["keys"].empty?
+
+        signing_key = JOSE::JWK.from_map(session.client_metadata.jwks["keys"].first)
+        client_assertion = PAR::ClientAssertion.new(
+          client_id: session.client_metadata.client_id,
+          signing_key: signing_key
+        )
+
+        body.merge!(
+          client_assertion_type: PAR::CLIENT_ASSERTION_TYPE,
+          client_assertion: client_assertion.generate_jwt(
+            audience: auth_server.issuer
+          )
+        )
+      end
+
+      def handle_refresh_response(response)
+        case response[:status]
+        when 200
+          process_successful_response(response)
+        when 400
+          handle_400_response(response)
+        when 401
+          raise RefreshError.new("Refresh token is invalid", retry_possible: false)
+        when 429
+          handle_rate_limit_response(response)
+        else
+          raise RefreshError, "Unexpected response: #{response[:status]}"
+        end
+      end
+
+      def process_successful_response(response)
+        data = JSON.parse(response[:body])
+        validate_refresh_response!(data)
+
+        AtprotoAuth::State::TokenSet.new(
+          access_token: data["access_token"],
+          token_type: data["token_type"],
+          expires_in: data["expires_in"],
+          refresh_token: data["refresh_token"],
+          scope: data["scope"],
+          sub: data["sub"]
+        )
+      rescue JSON::ParserError => e
+        raise RefreshError, "Invalid response format: #{e.message}"
+      end
+
+      def handle_400_response(response)
+        error_data = JSON.parse(response[:body])
+        error_description = error_data["error_description"] || error_data["error"]
+
+        # Handle DPoP nonce requirement
+        if error_data["error"] == "use_dpop_nonce"
+          dpop_client.process_response(response[:headers], auth_server.issuer)
+          raise RefreshError, "Retry with DPoP nonce"
+        end
+
+        raise RefreshError.new(
+          "Refresh request failed: #{error_description}",
+          retry_possible: false
+        )
+      rescue JSON::ParserError
+        raise RefreshError, "Invalid error response format"
+      end
+
+      def handle_rate_limit_response(response)
+        # Extract retry-after if available
+        retry_after = response[:headers]["Retry-After"]&.to_i || calculate_delay
+        raise RefreshError, "Rate limited - retry after #{retry_after} seconds"
+      end
+
+      def validate_refresh_response!(data)
+        # Required fields
+        %w[access_token token_type expires_in scope sub].each do |field|
+          raise RefreshError.new("Missing #{field} in response", retry_possible: false) unless data[field]
+        end
+
+        # Token type must be DPoP
+        unless data["token_type"] == "DPoP"
+          raise RefreshError.new("Invalid token_type: #{data["token_type"]}", retry_possible: false)
+        end
+
+        # Scope must include original scopes
+        original_scopes = session.scope.split
+        response_scopes = data["scope"].split
+        unless (original_scopes - response_scopes).empty?
+          raise RefreshError.new("Invalid scope in response", retry_possible: false)
+        end
+
+        # Subject must match
+        return if data["sub"] == session.tokens.sub
+
+        raise RefreshError.new("Subject mismatch in response", retry_possible: false)
+      end
+    end
+  end
+end

data/lib/atproto_auth/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AtprotoAuth
-  VERSION = "0.0.1"
+  VERSION = "0.1.1"
 end

data/lib/atproto_auth.rb

@@ -5,12 +5,18 @@ require "jwt"
 
 require "atproto_auth/version"
 
-require "atproto_auth/configuration"
 require "atproto_auth/errors"
+require "atproto_auth/configuration"
+require "atproto_auth/encryption"
 require "atproto_auth/client_metadata"
 require "atproto_auth/http_client"
 require "atproto_auth/pkce"
 
+require "atproto_auth/storage/interface"
+require "atproto_auth/storage/key_builder"
+require "atproto_auth/storage/memory"
+require "atproto_auth/storage/redis"
+
 require "atproto_auth/server_metadata"
 require "atproto_auth/server_metadata/origin_url"
 require "atproto_auth/server_metadata/authorization_server"
@@ -36,6 +42,14 @@ require "atproto_auth/par/request"
 require "atproto_auth/par/response"
 require "atproto_auth/par/client"
 
+require "atproto_auth/serialization/base"
+require "atproto_auth/serialization/dpop_key"
+require "atproto_auth/serialization/session"
+require "atproto_auth/serialization/stored_nonce"
+require "atproto_auth/serialization/token_set"
+
+require "atproto_auth/token/refresh"
+
 require "atproto_auth/client"
 
 # AtprotoAuth is a Ruby library implementing the AT Protocol OAuth specification.
@@ -51,6 +65,20 @@ module AtprotoAuth
 
     def configure
       yield(configuration)
+      configuration.validate!
+      configuration
+    end
+
+    # Gets the configured storage backend
+    # @return [Storage::Interface] The configured storage implementation
+    def storage
+      configuration.storage
+    end
+
+    # Resets the configuration to defaults
+    # Primarily used in testing
+    def reset_configuration!
+      @configuration = Configuration.new
     end
   end
 end