authify-api 0.4.3 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 836953fab50ba0ca070a7556a2d23a20951d5d49
-  data.tar.gz: 8923b8d048285d3dc09440fa598855d174e4a87d
+  metadata.gz: 5033995f7f6ff20f2149dc9f334c65b05448f4ae
+  data.tar.gz: 91c04c240880c69e414e3798c8233736855208cb
 SHA512:
-  metadata.gz: 9aea4b4146a3a8652fee589e2e414f8e144110b3367421815dae87a3a76b4de58c16985fd5dc6616907dfb85788b5cc704bb46be9d00a6e756f49f6e13a4fc3b
-  data.tar.gz: 73c3b021b747f9cd8690257be62b4c1f4080e3a994c3576e4bfdc61233e732f0863a578a95f876c6894a66e5573e89a994d80ffbacb1a41728ca1a0eec3d7b7e
+  metadata.gz: 5892be4a3773859531a761a9d38bc45f1436def5c6e98917e58400806728affc775b1a62a92c946226e7ba611781059fb7b63b77489c5e2ceec4d73e61c8bbaf
+  data.tar.gz: e2fa79cc813152f078308a65e4b933389a6097cce821089ce8f9601af6cae39766267a6c450ba1beb9154be40edd4efb2ac8e87d9359e3795321c05334c672d3

data/.rubocop.yml

@@ -20,7 +20,7 @@ Metrics/PerceivedComplexity:
   Max: 9
 
 Metrics/BlockLength:
-  Max: 30
+  Max: 35
   Exclude:
     - '*.gemspec'
     - 'lib/authify/api/controllers/*.rb'

data/README.md

@@ -94,6 +94,9 @@ Alternate User Identities. These are other services that the user can login via
 **`/organizations`**
 Organizations. These are high-level groupings of users and groups. Non-administrators should only be able to see limited amounts of information about organizations.
 
+**`/trusted-delegates`**
+Trusted Delegates. These are heavily-integrated applications that can offload some of the API's functionality (usually getting a user's credentials). All actions on this controller require `admin` access to Authify. See [Trusted Delegates](#trusted_delegates) below for more info.
+
 **`/users`**
 Users controller.
 
@@ -101,7 +104,7 @@ Users controller.
 
 In addition to expiring JWTs provided via `/jwt/token` for normal user interactions, Trusted Delegates can perform any action by providing the `X-Authify-Access`, `X-Authify-Secret`, and the `X-Authify-On-Behalf-Of` headers. The `Access` and `Secret` headers are used to authenticate the remote application, and the `On-Behalf-Of` is used to impersonate the user (determined through a process on the remote, trusted delegate's end to establish the user's identity).
 
-Note that while these sound similar to User API keys, these Trusted Delegate credentials are longer and can not be interchanged with User API Keys. These values do not expire and are not easily created or removed. For this reason, they should be used **very** sparingly. They can only be created, listed, or removed via a set of `rake` commands run server-side. These are:
+Note that while these sound similar to User API keys, these Trusted Delegate credentials are longer and can not be interchanged with User API Keys. These values do not expire and are not easily created or removed. For this reason, they should be used **very** sparingly. In a pinch, they can be created, listed, or removed via a set of `rake` commands run server-side. These are:
 
 * `rake delegate:add[<name>]` - where `<name>` is the unique name of the trusted delegate. For example, `rake delegate:add[foo]` adds a remote delegate named `foo`. This command will output a key / value set providing the access\_key and secret\_key. The secret\_key is stored as a one-way hash in the DB, so it can never be retrieved again.
 * `rake delegate:list` - lists the names of all trusted delegates along with their access keys.
@@ -201,6 +204,7 @@ This will return JSON similar to the following:
 {
   "id": 172,
   "email": "someuser@mycompany.com",
+  "handle": "someuser",
   "verified": false
 }
 ```
@@ -226,6 +230,7 @@ This will return JSON similar to the following:
 {
   "id": 172,
   "email": "someuser@mycompany.com",
+  "handle": "someuser",
   "verified": true,
   "jwt": "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiJ9.eyJleHAiOjE0ODY0ODcyODcsImlhdCI6MTQ4NjQ4MzY4NywiaXNzIjoiTXkgQXdlc29tZSBDb21wYW55IEluYy4iLCJzY29wZXMiOlsidXNlcl9hY2Nlc3MiXSwidXNlciI6eyJ1c2VybmFtZSI6ImZvb0BiYXIuY29tIiwidWlkIjoyLCJvcmdhbml6YXRpb25zIjpbXSwiZ3JvdXBzIjpbXX19.AWfPpKX9mP03Djz3-LMneJdEVsXQm_4GOPVCdkfiiBeIR4pVLKTVrNoNdlNgSEkZEeUw1RPsVxpAR7wDgB4cNcYiAP3fNaD8OPyWfOQAV0lTvDUSH3YU39cZAVwvbX9HleOHBLrFGBbui5wSvfi7WZZlH808psiuUAVhBOe7mfrNiHGB"
 }
@@ -365,7 +370,7 @@ to include a `templates` section like this:
 }
 ```
 
-Authify's templating supports something that looks a bit like [Handlebars](http://handlebarsjs.com/) templating (though it doesn't yet support most of the Handlebars features). This is useful for allowing the injection of dynamic data into your templates. Available expressions should be declared in the README section that describes a template-capable endpoint.
+Authify's uses [Liquid](https://shopify.github.io/liquid/) for templating. This is useful for allowing the injection of dynamic data into your templates, and it also supports a robust set of [tags](https://shopify.github.io/liquid/basics/introduction/#tags) for iteration and control flow, as well as [filters](https://shopify.github.io/liquid/basics/introduction/#filters) for manipulating data. Predefined variables and available expressions should be declared in the README section that describes a template-capable endpoint.
 
 For some template data, escaping can be difficult or inconvenient. For these situations, Authify supports optional [Base64](https://en.wikipedia.org/wiki/Base64) encoding of values. To provide a Base64-encoded value, just declare it as such using `{base64}` followed by the data:
 

data/authify-api.gemspec

@@ -38,6 +38,7 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'puma', '~> 3.7'
   spec.add_runtime_dependency 'resque', '~> 1.26'
   spec.add_runtime_dependency 'hitimes', '~> 1.2'
+  spec.add_runtime_dependency 'liquid', '~> 4.0'
 
   spec.add_development_dependency 'bundler', '~> 1.12'
   spec.add_development_dependency 'rake', '~> 10.0'

data/db/migrate/20170711151033_add_handle_to_user.rb

@@ -0,0 +1,12 @@
+# User handle
+class AddHandleToUser < ActiveRecord::Migration[5.0]
+  def up
+    add_column :users, :handle, :string
+    add_index :users, :handle, unique: true
+  end
+
+  def down
+    remove_index :users, :handle
+    remove_column :users, :handle
+  end
+end

data/db/migrate/20170712101155_add_unique_index_to_groups.rb

@@ -0,0 +1,6 @@
+# Adds a unique index on the group name and org
+class AddUniqueIndexToGroups < ActiveRecord::Migration[5.1]
+  def change
+    add_index :groups, %i[name organization_id], unique: true
+  end
+end

data/db/migrate/20170712101438_add_unique_index_to_identities.rb

@@ -0,0 +1,6 @@
+# Adding a unique index to identities on uid and provider
+class AddUniqueIndexToIdentities < ActiveRecord::Migration[5.1]
+  def change
+    add_index :identities, %i[uid provider], unique: true
+  end
+end

data/db/migrate/20170712103319_add_unique_index_to_organizations.rb

@@ -0,0 +1,6 @@
+# Adding a unique index to name on organizations
+class AddUniqueIndexToOrganizations < ActiveRecord::Migration[5.1]
+  def change
+    add_index :organizations, :name, unique: true, name: :index_organizations_unique_on_name
+  end
+end

data/db/migrate/20170712103320_add_unique_index_to_users.rb

@@ -0,0 +1,6 @@
+# Adding a unique index to email on users
+class AddUniqueIndexToUsers < ActiveRecord::Migration[5.1]
+  def change
+    add_index :users, :email, unique: true, name: :index_users_unique_on_email
+  end
+end

data/db/migrate/20170714051226_set_default_handle_on_users.rb

@@ -0,0 +1,16 @@
+# Sets a handle for users without one
+class SetDefaultHandleOnUsers < ActiveRecord::Migration[5.1]
+  def up
+    Authify::API::Models::User.reset_column_information
+    Authify::API::Models::User.all.each do |user|
+      tmp_handle = Authify::API::Models::User.uniq_handle_generator(user.full_name, user.email)
+      user.handle = tmp_handle unless user.handle
+      puts "Setting handle #{user.handle} for User #{user.id}"
+      user.save
+    end
+  end
+
+  def down
+    # nothing to do
+  end
+end

data/db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20170609181046) do
+ActiveRecord::Schema.define(version: 20170714051226) do
 
   create_table "apikeys", id: :integer, force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
     t.integer "user_id"
@@ -28,6 +28,7 @@ ActiveRecord::Schema.define(version: 20170609181046) do
     t.text "description"
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
+    t.index ["name", "organization_id"], name: "index_groups_on_name_and_organization_id", unique: true
     t.index ["name"], name: "index_groups_on_name"
     t.index ["organization_id"], name: "index_groups_on_organization_id"
   end
@@ -46,6 +47,7 @@ ActiveRecord::Schema.define(version: 20170609181046) do
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
     t.index ["provider"], name: "index_identities_on_provider"
+    t.index ["uid", "provider"], name: "index_identities_on_uid_and_provider", unique: true
     t.index ["uid"], name: "index_identities_on_uid"
     t.index ["user_id"], name: "index_identities_on_user_id"
   end
@@ -70,6 +72,7 @@ ActiveRecord::Schema.define(version: 20170609181046) do
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
     t.index ["name"], name: "index_organizations_on_name"
+    t.index ["name"], name: "index_organizations_unique_on_name", unique: true
   end
 
   create_table "trusted_delegates", id: :integer, force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
@@ -92,8 +95,11 @@ ActiveRecord::Schema.define(version: 20170609181046) do
     t.boolean "admin", default: false, null: false
     t.boolean "verified"
     t.string "verification_token"
+    t.string "handle"
     t.index ["admin"], name: "index_users_on_admin"
     t.index ["email"], name: "index_users_on_email"
+    t.index ["email"], name: "index_users_unique_on_email", unique: true
+    t.index ["handle"], name: "index_users_on_handle", unique: true
     t.index ["verified"], name: "index_users_on_verified"
   end
 

data/lib/authify/api.rb

@@ -13,6 +13,7 @@ require 'connection_pool'
 require 'moneta'
 require 'resque'
 require 'hitimes'
+require 'liquid'
 
 # Internal Requirements
 module Authify
@@ -41,12 +42,14 @@ require 'authify/api/controllers/apikey'
 require 'authify/api/controllers/group'
 require 'authify/api/controllers/identity'
 require 'authify/api/controllers/organization'
+require 'authify/api/controllers/trusted_delegate'
 require 'authify/api/controllers/user'
 require 'authify/api/serializers/apikey_serializer'
 require 'authify/api/serializers/group_serializer'
 require 'authify/api/serializers/identity_serializer'
 require 'authify/api/serializers/user_serializer'
 require 'authify/api/serializers/organization_serializer'
+require 'authify/api/serializers/trusted_delegate_serializer'
 require 'authify/api/helpers/jwt_encryption'
 require 'authify/api/helpers/api_user'
 require 'authify/api/helpers/text_processing'

data/lib/authify/api/controllers/trusted_delegate.rb

@@ -0,0 +1,48 @@
+module Authify
+  module API
+    module Controllers
+      TrustedDelegate = proc do
+        helpers do
+          def find(id)
+            Models::TrustedDelegate.find(id.to_i)
+          end
+
+          def modifiable_fields
+            %i[name]
+          end
+
+          def filtered_attributes(attributes)
+            attributes.select do |k, _v|
+              modifiable_fields.include?(k)
+            end
+          end
+        end
+
+        index(roles: %i[admin]) do
+          Models::TrustedDelegate.all
+        end
+
+        show(roles: %i[admin]) do
+          last_modified resource.updated_at
+          next resource, exclude: [:secret_key]
+        end
+
+        create(roles: %i[admin]) do |attrs|
+          key = Models::TrustedDelegate.new filtered_attributes(attrs)
+          key.access_key = Models::TrustedDelegate.generate_access_key
+          key.set_secret!
+          key.save
+          next key.id, key
+        end
+
+        destroy(roles: %i[admin]) do
+          resource.destroy
+        end
+
+        show_many do |ids|
+          Models::TrustedDelegate.find(ids)
+        end
+      end
+    end
+  end
+end

data/lib/authify/api/controllers/user.rb

@@ -26,17 +26,18 @@ module Authify
           end
 
           def modifiable_fields
-            %i[full_name email].tap do |a|
+            %i[full_name email handle].tap do |a|
               a << :admin if role.include?(:admin)
             end
           end
 
           def indexable_fields
-            %i[full-name admin apikeys groups organizations identities].tap do |a|
+            %i[full-name admin handle groups organizations identities].tap do |a|
               if role?(:admin) || role?(:myself)
                 a << :verified
                 a << :email
                 a << :'created-at'
+                a << :apikeys
               end
             end
           end

data/lib/authify/api/helpers/text_processing.rb

@@ -11,10 +11,9 @@ module Authify
           hash.update(hash) { |_, v| v.is_a?(String) ? human_readable(v) : v }
         end
 
-        # Interpolates handlebars-style templates
-        # OPTIMIZE: this can probably be faster
+        # Interpolates handlebars-style (liquid) templates
         def dehandlebar(text, data = {})
-          text.gsub(/{{([a-z0-9_-]+)}}/) { data[Regexp.last_match[1].to_sym].to_s }
+          Liquid::Template.parse(text).render(data, error_mode: :warn, strict_variables: true)
         end
 
         def human_readable(text)

data/lib/authify/api/models/group.rb

@@ -5,6 +5,8 @@ module Authify
       class Group < ActiveRecord::Base
         include JSONAPIUtils
 
+        validates_uniqueness_of :name, scope: :organization_id
+
         belongs_to :organization,
                    required: true,
                    class_name: 'Authify::API::Models::Organization'

data/lib/authify/api/models/identity.rb

@@ -5,6 +5,8 @@ module Authify
       class Identity < ActiveRecord::Base
         include JSONAPIUtils
 
+        validates_uniqueness_of :uid, scope: :provider
+
         belongs_to :user,
                    required: true,
                    class_name: 'Authify::API::Models::User'

data/lib/authify/api/models/organization.rb

@@ -5,6 +5,8 @@ module Authify
       class Organization < ActiveRecord::Base
         include JSONAPIUtils
 
+        validates_uniqueness_of :name
+
         has_many :organization_memberships,
                  class_name: 'Authify::API::Models::OrganizationMembership',
                  dependent: :destroy

data/lib/authify/api/models/trusted_delegate.rb

@@ -5,6 +5,7 @@ module Authify
       class TrustedDelegate < ActiveRecord::Base
         include Core::SecureHashing
         extend Core::SecureHashing
+        include JSONAPIUtils
 
         attr_reader :secret_key
 

data/lib/authify/api/models/user.rb

@@ -10,6 +10,7 @@ module Authify
         attr_reader :password
 
         validates_uniqueness_of :email
+        validates_uniqueness_of :handle
         validates_format_of :email, with: /[-a-z0-9_+\.+]+\@([-a-z0-9]+\.)+[a-z0-9]{2,4}/i
 
         has_many :apikeys,
@@ -33,8 +34,9 @@ module Authify
 
         # Encrypts the password into the password_digest attribute.
         def password=(plain_password)
+          return false unless viable(plain_password)
           @password = plain_password
-          self.password_digest = salted_sha512(plain_password) if viable(plain_password)
+          self.password_digest = salted_sha512(plain_password)
         end
 
         def authenticate(unencrypted_password)
@@ -57,7 +59,7 @@ module Authify
           valid_until = valid_time.to_i
           self.verification_token = "#{token}:#{valid_until}"
 
-          subdata = { token: token, valid_until: valid_time }
+          subdata = { 'token' => token, 'valid_until' => valid_time }
 
           email_opts = {
             body: if opts.key?(:body)
@@ -98,10 +100,26 @@ module Authify
           provided_identity.user if provided_identity
         end
 
+        def self.uniq_handle_generator(name, email)
+          possibilities = [email.split('@').first.downcase.gsub(/[._-]/, '')]
+          possibilities << name.downcase.gsub(/[.-]/, '_') if name && !name.empty?
+          possibilities.each do |possibility|
+            return possibility unless find_by_handle(possibility)
+          end
+          100.times do
+            possibilities.each do |possibility|
+              rando_num = rand(9999)
+              attempt   = "#{possibility.downcase.gsub(/[.-]/, '_')}#{rando_num}"
+              return attempt unless find_by_handle(attempt)
+            end
+          end
+          false # didn't work if we got here
+        end
+
         private
 
         def viable(string)
-          string && !string.empty?
+          string && !string.empty? && string.length >= 8
         end
       end
     end

data/lib/authify/api/serializers/trusted_delegate_serializer.rb

@@ -0,0 +1,19 @@
+module Authify
+  module API
+    module Serializers
+      # JSON API Serializer for TrustedDelegate model
+      class TrustedDelegateSerializer
+        include JSONAPI::Serializer
+
+        def type
+          'trusted-delegates'
+        end
+
+        attribute :name
+        attribute :access_key
+        attribute :secret_key
+        attribute :created_at
+      end
+    end
+  end
+end

data/lib/authify/api/serializers/user_serializer.rb

@@ -10,6 +10,7 @@ module Authify
         attribute :admin
         attribute :created_at
         attribute :verified
+        attribute :handle
 
         has_many :apikeys
         has_many :groups

data/lib/authify/api/services/api.rb

@@ -67,6 +67,7 @@ module Authify
         resource :identities, &Controllers::Identity
         resource :groups, &Controllers::Group
         resource :organizations, &Controllers::Organization
+        resource :trusted_delegate, &Controllers::TrustedDelegate
         resource :users, &Controllers::User
 
         freeze_jsonapi

data/lib/authify/api/services/registration.rb

@@ -48,6 +48,7 @@ module Authify
 
         post '/signup' do
           email = @parsed_body[:email]
+          handle = @parsed_body[:handle]
           via = @parsed_body[:via]
           password = @parsed_body[:password]
           name = @parsed_body[:name]
@@ -57,8 +58,12 @@ module Authify
           halt(403, 'Password Required') unless password || remote_app
 
           new_user = Models::User.new(email: email)
+          new_user.handle = handle || Models::User.uniq_handle_generator(name, email)
           new_user.full_name = name if name
-          new_user.password = password if password
+          if password
+            new_user.password = password
+            halt(422, 'Invalid password') unless new_user.password
+          end
           if via && via[:provider] && remote_app
             new_user.identities.build(
               provider: via[:provider], uid: via[:uid] ? via[:uid] : email
@@ -73,7 +78,7 @@ module Authify
           halt(422, 'Failed to save user') unless new_user.save
           update_current_user new_user
 
-          response = { id: new_user.id, email: new_user.email }
+          response = { id: new_user.id, email: new_user.email, handle: new_user.handle }
           if new_user.verified? || !CONFIG[:verifications][:required]
             response[:verified] = true
             response[:jwt]      = jwt_token(user: new_user)
@@ -99,11 +104,14 @@ module Authify
           if token && @parsed_body[:password] && found_user.verify(token)
             found_user.verified = true
             found_user.password = @parsed_body[:password]
+            halt(422, 'Invalid password') unless found_user.password == @parsed_body[:password]
+
             found_user.save
             Metrics.instance.increment('registration.password.resets')
             {
               id: found_user.id,
               email: found_user.email,
+              handle: found_user.handle,
               verified: found_user.verified?,
               jwt: jwt_token(user: found_user)
             }.to_json

data/lib/authify/api/version.rb

@@ -2,8 +2,8 @@ module Authify
   module API
     VERSION = [
       0, # Major
-      4, # Minor
-      3  # Patch
+      5, # Minor
+      0  # Patch
     ].join('.')
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authify-api
 version: !ruby/object:Gem::Version
-  version: 0.4.3
+  version: 0.5.0
 platform: ruby
 authors:
 - Jonathan Gnagy
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-06-16 00:00:00.000000000 Z
+date: 2017-07-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: authify-core
@@ -218,6 +218,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: liquid
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -387,12 +401,19 @@ files:
 - db/migrate/20170208021933_add_admin_to_user.rb
 - db/migrate/20170208022427_set_default_for_user_admin.rb
 - db/migrate/20170328151033_add_verified_to_user.rb
+- db/migrate/20170711151033_add_handle_to_user.rb
+- db/migrate/20170712101155_add_unique_index_to_groups.rb
+- db/migrate/20170712101438_add_unique_index_to_identities.rb
+- db/migrate/20170712103319_add_unique_index_to_organizations.rb
+- db/migrate/20170712103320_add_unique_index_to_users.rb
+- db/migrate/20170714051226_set_default_handle_on_users.rb
 - db/schema.rb
 - lib/authify/api.rb
 - lib/authify/api/controllers/apikey.rb
 - lib/authify/api/controllers/group.rb
 - lib/authify/api/controllers/identity.rb
 - lib/authify/api/controllers/organization.rb
+- lib/authify/api/controllers/trusted_delegate.rb
 - lib/authify/api/controllers/user.rb
 - lib/authify/api/helpers/api_user.rb
 - lib/authify/api/helpers/jwt_encryption.rb
@@ -411,6 +432,7 @@ files:
 - lib/authify/api/serializers/group_serializer.rb
 - lib/authify/api/serializers/identity_serializer.rb
 - lib/authify/api/serializers/organization_serializer.rb
+- lib/authify/api/serializers/trusted_delegate_serializer.rb
 - lib/authify/api/serializers/user_serializer.rb
 - lib/authify/api/service.rb
 - lib/authify/api/services/api.rb