authlete_ruby_sdk 0.0.2.beta → 0.0.5.pre.beta

data/lib/authlete/userinfo.rb

@@ -39,117 +39,13 @@ module Authlete
     end
 
 
-    sig { params(userinfo_request: Models::Components::UserinfoRequest, service_id: ::String, timeout_ms: T.nilable(Integer)).returns(Models::Operations::AuthUserinfoApiResponse) }
-    def process_request(userinfo_request:, service_id:, timeout_ms: nil)
+
+
+    sig { params(userinfo_request: Models::Components::UserinfoRequest, service_id: ::String, timeout_ms: T.nilable(Integer), http_headers: T.nilable(T::Hash[T.any(String, Symbol), String])).returns(Models::Operations::AuthUserinfoApiResponse) }
+    def process_request(userinfo_request:, service_id:, timeout_ms: nil, http_headers: nil)
       # process_request - Process UserInfo Request
       # This API gathers information about a user.
-      # ### Description
-      # This API is supposed to be called from within the implementation of the [userinfo endpoint](https://openid.net/specs/openid-connect-core-1\_0.html#UserInfo)
-      # of the authorization server in order to get information about the user that is associated with
-      # an access token.
-      # The response from `/auth/userinfo` API has various parameters. Among them, it is `action` parameter
-      # that the authorization server implementation should check first because it denotes the next action
-      # that the authorization server implementation should take. According to the value of `action`, the
-      # service implementation must take the steps described below.
-      # **INTERNAL\_SERVER\_ERROR**
-      # When the value of `action` is `INTERNAL\_SERVER\_ERROR`, it means that the request from the authorization
-      # server implementation was wrong or that an error occurred in Authlete. In either case, from the
-      # viewpoint of the client application, it is an error on the server side. Therefore, the service
-      # implementation should generate a response to the client application with HTTP status of "500 Internal
-      # Server Error".
-      # The value of `responseContent` is a string which describes the error in the format of [RFC 6750](https://datatracker.ietf.org/doc/html/rfc6750)
-      # (OAuth 2.0 Bearer Token Usage) so the userinfo endpoint implementation can use the value of `responseContent`
-      # as the value of`WWW-Authenticate` header.
-      # The following is an example response which complies with RFC 6750. Note that OpenID Connect Core
-      # 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See [5.3.3. UserInfo
-      # Response](https://openid.net/specs/openid-connect-core-1\_0.html#UserInfoError) for details.
-      # ```
-      # HTTP/1.1 500 Internal Server Error
-      # WWW-Authenticate: {responseContent}
-      # Cache-Control: no-store
-      # Pragma: no-cache
-      # ```
-      # **BAD\_REQUEST**
-      # When the value of `action` is `BAD\_REQUEST`, it means that the request from the client application
-      # does not contain an access token (= the request from the authorization server implementation to
-      # Authlete does not contain `token` parameter).
-      # The value of `responseContent` is a string which describes the error in the format
-      # of [RFC 6750](https://datatracker.ietf.org/doc/html/rfc6750) (OAuth 2.0 Bearer Token Usage) so the
-      # userinfo endpoint implementation can use the value of `responseContent` as the value of`WWW-Authenticate`
-      # header.
-      # The following is an example response which complies with RFC 6750. Note that OpenID Connect Core
-      # 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See [5.3.3. UserInfo
-      # Response](https://openid.net/specs/openid-connect-core-1\_0.html#UserInfoError) for details.
-      # ```
-      # HTTP/1.1 400 Bad Request
-      # WWW-Authenticate: {responseContent}
-      # Cache-Control: no-store
-      # Pragma: no-cache
-      # ```
-      # **UNAUTHORIZED**
-      # When the value of `action` is `UNAUTHORIZED`, it means that the access token does not exist, has
-      # expired, or is not associated with any subject (= any user account).
-      # The value of `responseContent` is a string which describes the error in the format of [RFC
-      # 6750](https://datatracker.ietf.org/doc/html/rfc6750) (OAuth 2.0 Bearer Token Usage) so the userinfo
-      # endpoint implementation can use the value of `responseContent` as the value of`WWW-Authenticate`
-      # header.
-      # The following is an example response which complies with RFC 6750. Note that OpenID Connect Core
-      # 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See [5.3.3. UserInfo
-      # Response](https://openid.net/specs/openid-connect-core-1\_0.html#UserInfoError) for details.
-      # ```
-      # HTTP/1.1 401 Unauthorized
-      # WWW-Authenticate: {responseContent}
-      # Cache-Control: no-store
-      # Pragma: no-cache
-      # ```
-      # **FORBIDDEN**
-      # When the value of `action` is `FORBIDDEN`, it means that the access token does not include the
-      # `openid` scope.
-      # The value of `responseContent` is a string which describes the error in the format of [RFC 6750](https://datatracker.ietf.org/doc/html/rfc6750)
-      # (OAuth 2.0 Bearer Token Usage) so the userinfo endpoint implementation can use the value of `responseContent`
-      # as the value of`WWW-Authenticate` header.
-      # The following is an example response which complies with RFC 6750. Note that OpenID Connect Core
-      # 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See [5.3.3. UserInfo
-      # Response](https://openid.net/specs/openid-connect-core-1\_0.html#UserInfoError) for details.
-      # ```
-      # HTTP/1.1 403 Forbidden
-      # WWW-Authenticate: {responseContent}
-      # Cache-Control: no-store
-      # Pragma: no-cache
-      # ```
-      # **OK**
-      # When the value of `action` is `OK`, it means that the access token which the client application
-      # presented is valid. To be concrete, it means that the access token exists, has not expired, includes
-      # the openid scope, and is associated with a subject (= a user account).
-      # What the userinfo endpoint implementation should do next is to collect information about the subject
-      # (user) from your database. The value of the `subject` is contained in the subject parameter in the
-      # response from this API and the names of data, i.e., the claims names are contained in the claims
-      # parameter in the response. For example, if the `subject` parameter is `joe123` and the claims
-      # parameter is `[ "given\_name", "email" ]`, you need to extract information about joe123's given name
-      # and email from your database.
-      # Then, call Authlete's `/auth/userinfo/issue` API with the collected information and the access token
-      # in order to make Authlete generate an ID token.
-      # If an error occurred during the above steps, generate an error response to the client. The response
-      # should comply with [RFC 6750](https://datatracker.ietf.org/doc/html/rfc6750). For example, if the
-      # subject associated with the access token does not exist in your database any longer, you may feel
-      # like generating a response like below.
-      # ```
-      # HTTP/1.1 400 Bad Request
-      # WWW-Authenticate: Bearer error="invalid\_token",
-      # error\_description="The subject associated with the access token does not exist."
-      # Cache-Control: no-store
-      # Pragma: no-cache
-      # ```
-      # Also, an error might occur on database access. If you treat the error as an internal server error,
-      # then the response would be like the following.
-      # ```
-      # HTTP/1.1 500 Internal Server Error
-      # WWW-Authenticate: Bearer error="server\_error",
-      # error\_description="Failed to extract information about the subject from the database."
-      # Cache-Control: no-store
-      # Pragma: no-cache
-      # ```
-      # 
+      #
       request = Models::Operations::AuthUserinfoApiRequest.new(
         service_id: service_id,
         userinfo_request: userinfo_request
@@ -168,7 +64,7 @@ module Authlete
       headers['content-type'] = req_content_type
       raise StandardError, 'request body is required' if data.nil? && form.nil?
 
-      if form
+      if form && !form.empty?
         body = Utils.encode_form(form)
       elsif Utils.match_content_type(req_content_type, 'application/x-www-form-urlencoded')
         body = URI.encode_www_form(T.cast(data, T::Hash[Symbol, Object]))
@@ -204,6 +100,9 @@ module Authlete
           req.headers.merge!(headers)
           req.options.timeout = timeout unless timeout.nil?
           Utils.configure_request_security(req, security)
+          http_headers&.each do |key, value|
+            req.headers[key.to_s] = value
+          end
 
           @sdk_configuration.hooks.before_request(
             hook_ctx: SDKHooks::BeforeRequestHookContext.new(
@@ -301,120 +200,11 @@ module Authlete
     end
 
 
-    sig { params(userinfo_issue_request: Models::Components::UserinfoIssueRequest, service_id: ::String, timeout_ms: T.nilable(Integer)).returns(Models::Operations::AuthUserinfoIssueApiResponse) }
-    def issue_response(userinfo_issue_request:, service_id:, timeout_ms: nil)
+    sig { params(userinfo_issue_request: Models::Components::UserinfoIssueRequest, service_id: ::String, timeout_ms: T.nilable(Integer), http_headers: T.nilable(T::Hash[T.any(String, Symbol), String])).returns(Models::Operations::AuthUserinfoIssueApiResponse) }
+    def issue_response(userinfo_issue_request:, service_id:, timeout_ms: nil, http_headers: nil)
       # issue_response - Issue UserInfo Response
       # This API generates an ID token.
-      # ### Description
-      # This API is supposed to be called from within the implementation of the [userinfo endpoint](https://openid.net/specs/openid-connect-core-1\_0.html#UserInfo)
-      # of the authorization server in order to generate an ID token. Before calling this API, a valid
-      # response from `/auth/userinfo` API must be obtained. Then, call this API with the access token
-      # contained in the response and the claims values of the user (subject) associated with the access
-      # token. See **OK** written in the description of `/auth/userinfo` API for details.
-      # The response from `/auth/userinfo/issue` API has various parameters. Among them, it is `action`
-      # parameter that the authorization server implementation should check first because it denotes the
-      # next action that the authorization server implementation should take. According to the value of
-      # `action`, the service implementation must take the steps described below.
-      # **INTERNAL\_SERVER\_ERROR**
-      # When the value of `action` is `INTERNAL\_SERVER\_ERROR`, it means that the request from the authorization
-      # server implementation was wrong or that an error occurred in Authlete. In either case, from the
-      # viewpoint of the client application, it is an error on the server side. Therefore, the service
-      # implementation should generate a response to the client application with HTTP status of "500 Internal
-      # Server Error".
-      # The parameter `responseContent` returns a string which describes the error in the format of [RFC
-      # 6750](https://datatracker.ietf.org/doc/html/rfc6750) (OAuth 2.0 Bearer Token Usage) so the userinfo
-      # endpoint implementation can use the value of `responseContent` as the value of`WWW-Authenticate`
-      # header.
-      # The following is an example response which complies with RFC 6750. Note that OpenID Connect Core
-      # 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See [5.3.3. UserInfo
-      # Response](https://openid.net/specs/openid-connect-core-1\_0.html#UserInfoError) for details.
-      # ```
-      # HTTP/1.1 500 Internal Server Error
-      # WWW-Authenticate: {responseContent}
-      # Cache-Control: no-store
-      # Pragma: no-cache
-      # ```
-      # **BAD\_REQUEST**
-      # When the value of `action` is `BAD\_REQUEST`, it means that the request from the client application
-      # does not contain an access token (= the request from the authorization server implementation to
-      # Authlete does not contain `token` parameter).
-      # The parameter `responseContent` returns a string which describes the error in the format of [RFC
-      # 6750](https://datatracker.ietf.org/doc/html/rfc6750) (OAuth 2.0 Bearer Token Usage) so the userinfo
-      # endpoint implementation can use the value of `responseContent` as the value of`WWW-Authenticate`
-      # header.
-      # The following is an example response which complies with RFC 6750. Note that OpenID Connect Core
-      # 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See [5.3.3. UserInfo
-      # Response](https://openid.net/specs/openid-connect-core-1\_0.html#UserInfoError) for details.
-      # ```
-      # HTTP/1.1 400 Bad Request
-      # WWW-Authenticate: {responseContent}
-      # Cache-Control: no-store
-      # Pragma: no-cache
-      # ```
-      # **UNAUTHORIZED**
-      # When the value of `action` is `UNAUTHORIZED`, it means that the access token does not exist, has
-      # expired, or is not associated with any subject (= any user account).
-      # The parameter `responseContent` returns a string which describes the error in the format of [RFC
-      # 6750](https://datatracker.ietf.org/doc/html/rfc6750) (OAuth 2.0 Bearer Token Usage) so the userinfo
-      # endpoint implementation can use the value of `responseContent` as the value of`WWW-Authenticate`
-      # header.
-      # The following is an example response which complies with RFC 6750. Note that OpenID Connect Core
-      # 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See [5.3.3. UserInfo
-      # Response](https://openid.net/specs/openid-connect-core-1\_0.html#UserInfoError) for details.
-      # ```
-      # HTTP/1.1 401 Unauthorized
-      # WWW-Authenticate: {responseContent}
-      # Cache-Control: no-store
-      # Pragma: no-cache
-      # ```
-      # **FORBIDDEN**
-      # When the value of `action` is `FORBIDDEN`, it means that the access token does not include the
-      # `openid` scope.
-      # The parameter `responseContent` returns a string which describes the error in the format of [RFC
-      # 6750](https://datatracker.ietf.org/doc/html/rfc6750) (OAuth 2.0 Bearer Token Usage) so the userinfo
-      # endpoint implementation can use the value of `responseContent` as the value of`WWW-Authenticate`
-      # header.
-      # The following is an example response which complies with RFC 6750. Note that OpenID Connect Core
-      # 1.0 requires that an error response from userinfo endpoint comply with RFC 6750. See [5.3.3. UserInfo
-      # Response](https://openid.net/specs/openid-connect-core-1\_0.html#UserInfoError) for details.
-      # ```
-      # HTTP/1.1 403 Forbidden
-      # WWW-Authenticate: {responseContent}
-      # Cache-Control: no-store
-      # Pragma: no-cache
-      # ```
-      # **JSON**
-      # When the value of `action` is `JSON`, it means that the access token which the client application
-      # presented is valid and an ID token was successfully generated in the format of JSON.
-      # The userinfo endpoint implementation is expected to generate a response to the client application.
-      # The content type of the response must be `application/json` and the response body must be an ID
-      # token in JSON format.
-      # The value of `responseContent` is the ID token in JSON format when `action` is `JSON`, so
-      # a response to the client can be built like below.
-      # ```
-      # HTTP/1.1 200 OK
-      # Cache-Control: no-store
-      # Pragma: no-cache
-      # Content-Type: application/json;charset=UTF-8
-      # {responseContent}
-      # ```
-      # **JWT**
-      # When the value of `action` is `JWT`, it means that the access token which the client application
-      # presented is valid and an ID token was successfully generated in the format of JWT (JSON Web Token)
-      # ([RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519)).
-      # The userinfo endpoint implementation is expected to generate a response to the client application.
-      # The content type of the response must be `application/jwt` and the response body must be an ID
-      # token in JWT format.
-      # The value of `responseContent` is the ID token in JSON format when `action` is `JWT`, so a response
-      # to the client can be built like below.
-      # ```
-      # HTTP/1.1 200 OK
-      # Cache-Control: no-store
-      # Pragma: no-cache
-      # Content-Type: application/jwt
-      # {responseContent}
-      # ```
-      # 
+      #
       request = Models::Operations::AuthUserinfoIssueApiRequest.new(
         service_id: service_id,
         userinfo_issue_request: userinfo_issue_request
@@ -433,7 +223,7 @@ module Authlete
       headers['content-type'] = req_content_type
       raise StandardError, 'request body is required' if data.nil? && form.nil?
 
-      if form
+      if form && !form.empty?
         body = Utils.encode_form(form)
       elsif Utils.match_content_type(req_content_type, 'application/x-www-form-urlencoded')
         body = URI.encode_www_form(T.cast(data, T::Hash[Symbol, Object]))
@@ -469,6 +259,9 @@ module Authlete
           req.headers.merge!(headers)
           req.options.timeout = timeout unless timeout.nil?
           Utils.configure_request_security(req, security)
+          http_headers&.each do |key, value|
+            req.headers[key.to_s] = value
+          end
 
           @sdk_configuration.hooks.before_request(
             hook_ctx: SDKHooks::BeforeRequestHookContext.new(
@@ -564,5 +357,5 @@ module Authlete
 
       end
     end
-  end
+end
 end

data/lib/authlete/utils/request_bodies.rb

@@ -29,8 +29,6 @@ module Authlete
 
       return serialize_content_type(SERIALIZATION_METHOD_TO_CONTENT_TYPE[serialization_method], request) if !request.respond_to?(:fields) || !request.respond_to?(request_field_name)
 
-      request_val = request.send(request_field_name)
-
       request_metadata = T.let(nil, T.nilable(T::Array[T::Array[T.any(T::Array[T.nilable(String)], String)]]))
       T.unsafe(request).fields.each do |f|
         if f.name == request_field_name
@@ -38,7 +36,14 @@ module Authlete
           break
         end
       end
-      raise StandardError, 'invalid request type' if request_metadata.nil?
+      if request_metadata.nil?
+        # Field name collision: model has a field matching request_field_name but without :request metadata.
+        # Serialize the entire object as the request body.
+        return serialize_content_type(SERIALIZATION_METHOD_TO_CONTENT_TYPE[serialization_method], request)
+      end
+
+      request_val = request.send(request_field_name)
+      return ['', nil, nil] if request_val.nil?
 
       serialize_content_type(
         request_metadata.fetch(:media_type, 'application/octet-stream'), request_val

data/lib/authlete/utils/security.rb

@@ -37,6 +37,16 @@ module Authlete
 
     sig { params(req: Faraday::Request, option: Object).void }
     def self._parse_security_option(req, option)
+      # Check if this option uses basic auth (needs the whole object, not individual fields)
+      first_field = T.unsafe(option).fields.first
+      if first_field
+        first_meta = first_field.metadata[:security]
+        if first_meta && first_meta[:type] == 'http' && first_meta[:sub_type] == 'basic'
+          _parse_security_scheme(req, first_meta, option)
+          return
+        end
+      end
+
       T.unsafe(option).fields.each do |opt_field|
         metadata = opt_field.metadata[:security]
         next if metadata.nil? || !metadata.include?(:scheme)

data/lib/authlete/utils/url.rb

@@ -24,7 +24,7 @@ module Authlete
         if serialization != ''
           serialized_params = _get_serialized_params(param_metadata, f_name, param)
           serialized_params.each do |k, v|
-            path = path.sub("{#{k}}", v.join(', '))
+            path = path.gsub("{#{k}}", v.join(', '))
           end
         else
           if param.is_a? Array
@@ -32,7 +32,7 @@ module Authlete
             param.each do |pp_val|
               pp_vals.append(pp_val.to_s)
             end
-            path = path.sub("{#{param_metadata.fetch(:field_name, f.name)}}", pp_vals.join(','))
+            path = path.gsub("{#{param_metadata.fetch(:field_name, f.name)}}", pp_vals.join(','))
           elsif param.is_a? Hash
             pp_vals = []
             param.each do |pp_key, pp_val|
@@ -44,7 +44,7 @@ module Authlete
                 pp_vals.append("#{pp_key},#{value}")
               end
             end
-            path = path.sub("{#{param_metadata.fetch(:field_name, f.name)}}", pp_vals.join(','))
+            path = path.gsub("{#{param_metadata.fetch(:field_name, f.name)}}", pp_vals.join(','))
           elsif param.class.include?(::Crystalline::MetadataFields)
             pp_vals = []
             attrs = T.unsafe(param).fields.filter { |field| field.name && param.respond_to?(field.name.to_sym) }.map(&:name)
@@ -72,9 +72,9 @@ module Authlete
                 pp_vals.append("#{parm_name},#{param_field_val}")
               end
             end
-            path = path.sub("{#{param_metadata.fetch(:field_name, f.name)}}", pp_vals.join(','))
+            path = path.gsub("{#{param_metadata.fetch(:field_name, f.name)}}", pp_vals.join(','))
           else
-            path = path.sub("{#{param_metadata.fetch(:field_name, f.name)}}", param.to_s)
+            path = path.gsub("{#{param_metadata.fetch(:field_name, f.name)}}", _encode_path_param(val_to_string(param)))
           end
         end
       end
@@ -82,6 +82,12 @@ module Authlete
       server_url.delete_suffix('/') + path
     end
 
+    # Percent-encode characters that are invalid in URI path segments
+    sig { params(value: String).returns(String) }
+    def self._encode_path_param(value)
+      value.gsub(/[<>{}\[\]|\\^`\s?#%]/) { |c| format('%%%02X', c.ord) }
+    end
+
     sig { params(url_with_params: String, params: T::Hash[Symbol, T.any(String, T::Enum)]).returns(String) }
     def self.template_url(url_with_params, params)
       params.each do |key, value|

data/lib/authlete/utils/utils.rb

@@ -19,13 +19,43 @@ module Authlete
       if val.class.respond_to?(:enums)
         T.unsafe(val).serialize.to_s
       elsif val.is_a? DateTime
-        val.strftime('%Y-%m-%dT%H:%M:%S.%NZ')
+        val.strftime('%Y-%m-%dT%H:%M:%S.%NZ').sub(/(\.\d*[1-9])0+Z\z/, '\1Z').sub(/\.0+Z\z/, 'Z')
       else
         val.to_s
 
       end
     end
 
+    MIME_TYPES = {
+      '.json' => 'application/json',
+      '.xml' => 'application/xml',
+      '.pdf' => 'application/pdf',
+      '.zip' => 'application/zip',
+      '.gz' => 'application/gzip',
+      '.csv' => 'text/csv',
+      '.txt' => 'text/plain',
+      '.html' => 'text/html',
+      '.htm' => 'text/html',
+      '.css' => 'text/css',
+      '.js' => 'application/javascript',
+      '.png' => 'image/png',
+      '.jpg' => 'image/jpeg',
+      '.jpeg' => 'image/jpeg',
+      '.gif' => 'image/gif',
+      '.svg' => 'image/svg+xml',
+      '.webp' => 'image/webp',
+      '.mp3' => 'audio/mpeg',
+      '.mp4' => 'video/mp4',
+      '.yaml' => 'application/yaml',
+      '.yml' => 'application/yaml',
+    }.freeze
+
+    sig { params(filename: String).returns(String) }
+    def self.mime_type_for_filename(filename)
+      ext = File.extname(filename).downcase
+      MIME_TYPES.fetch(ext, 'application/octet-stream')
+    end
+
     sig do
       params(metadata: T::Hash[Symbol, String], field_name: String, obj: Object)
         .returns(T::Hash[Symbol, T::Array[String]])
@@ -102,6 +132,18 @@ module Authlete
       end
     end
 
+    sig do
+      params(enum_type: Module, optional: T::Boolean)
+        .returns(T.proc.params(s: String).returns(T.untyped))
+    end
+    def self.open_enum_from_string(enum_type, optional)
+      Kernel.lambda do |s|
+        return nil if optional && s.nil?
+
+        return T.unsafe(enum_type).deserialize(s)
+      end
+    end
+
     sig { params(name: String).returns(T.proc.returns(String)) }
     def self.field_name(name)
       T.let(proc { name }, T.proc.returns(String))
@@ -143,7 +185,7 @@ module Authlete
             # Handle file uploads
             file_part = Faraday::Multipart::FilePart.new(
               StringIO.new(T.must(field[1])),
-              'application/octet-stream',
+              mime_type_for_filename(T.must(field[0])),
               field[0]
             )
             
@@ -158,7 +200,7 @@ module Authlete
             end
           end
         elsif field.length == 3
-          param_part = Faraday::Multipart::ParamPart.new(field[1].to_json, field[2])
+          param_part = Faraday::Multipart::ParamPart.new(field[1], field[2])
           
           # Handle multiple values for the same field name (arrays)
           if payload.key?(field_name)