authonomy 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 4eb4be2ddf04609cecbcc0529726a09b46ae722b3df4efe8874267f44031dd52
+  data.tar.gz: 9de066f4e9797ae65a60487abfdec9ee310bb76ef2f2e1b54e0ef1dbc23f48c1
+SHA512:
+  metadata.gz: b3376fc1684ced643e417534f6b1c48d867800619521cdfdb20e8d4d146c502486a900ae45e3e9103a673a23ab2fdc4981eb6f7e4a73b8893c3d9fe1201aec4d
+  data.tar.gz: 8815a23de14bfd2646b1ff1c34650b436bf55c1c957b37b0cdd5ae0e605b8a85fd6fd9fb7ad4d3cebae01729b57dbb4e650a0919240c357010e32e8f70243dc2

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Ilya Konyukhov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,2 @@
+# authonomy
+The authentication library for Rails framework

data/lib/authonomy/authenticator.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+require 'jwt'
+
+module Authonomy
+  class Authenticator
+    ALGO = 'HS256'
+    LEEWAY = 30.seconds
+
+    class << self
+      # Returns access_token and refresh_token for user authentication
+      def tokens(subject, refresh_exp = nil)
+        now = Time.now.utc.to_i
+
+        access_payload = {
+          sub: subject,
+          iat: now,
+          exp: now + Authonomy.access_token_ttl.to_i
+        }
+        refresh_payload = {
+          acc: payload_digest(access_payload),
+          iat: now
+        }
+        if refresh_exp
+          refresh_payload[:exp] = refresh_exp.is_a?(Integer) ? refresh_exp : now + Authonomy.refresh_token_ttl.to_i
+        end
+
+        [encode(access_payload), encode(refresh_payload)]
+      end
+
+      # Based on given access and refresh tokens authenticates user or not
+      def authenticate(klass, access_token, refresh_token)
+        now = Time.now.utc.to_i
+
+        generate_response_tokens = false
+        refresh_payload = nil
+        refresh_exp = nil
+
+        access_opts = {
+          verify_sub:        true,
+          verify_iat:        true,
+          verify_expiration: true
+        }
+
+        if refresh_token
+          refresh_opts = {
+            verify_iat:        true,
+            verify_expiration: false
+          }
+
+          refresh_payload = decode(refresh_token, refresh_opts)
+          refresh_exp = refresh_payload['exp']
+
+          if refresh_exp && refresh_exp > now
+            # don't verify access token expiration if refresh token has an exp timestamp and not expired yet
+            access_opts[:verify_expiration] = false
+          else
+            # sliding expiration
+            refresh_exp = nil
+          end
+        end
+
+        access_payload = decode(access_token, access_opts)
+
+        if refresh_payload
+          if refresh_payload['acc'] && refresh_payload['acc'] != payload_digest(access_payload)
+            # puts 'Refresh token mismatch'
+            return nil
+          end
+
+          # to avoid tokens mismatch for multiple simultaneous calls
+          generate_response_tokens = true # if now - access_payload['iat'] > 60
+        end
+
+        user = klass.find_by(id: access_payload['sub'])
+
+        unless user
+          # puts 'User not found'
+          return nil
+        end
+
+        if user.respond_to?(:access_expired_at) && user.access_expired_at.to_i > access_payload['iat']
+          # puts 'User access expired'
+          return nil
+        end
+
+        if generate_response_tokens
+          [user] + tokens(user.id, refresh_exp)
+        else
+          user
+        end
+
+      rescue ::JWT::DecodeError
+        nil
+      end
+
+      private
+
+      def encode(payload)
+        ::JWT.encode(payload, hmac_secret, ALGO)
+      end
+
+      def decode(token, opts = {})
+        ::JWT.decode(token, hmac_secret, true, opts.merge(leeway: LEEWAY, algorithms: [ALGO])).first
+        # can throw JWT::IncorrectAlgorithm, JWT::VerificationError, JWT::ExpiredSignature, JWT::InvalidIatError, JWT::InvalidSubError
+      end
+
+      def payload_digest(payload)
+        Digest::MD5.hexdigest(payload.to_json)
+      end
+
+      def hmac_secret
+        Authonomy.jwt_secret_key
+      end
+    end
+  end
+end

data/lib/authonomy/encryptor.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'bcrypt'
+
+module Authonomy
+  class Encryptor
+    class << self
+      def digest(password)
+        password = "#{password}#{Authonomy.pepper.presence}"
+
+        ::BCrypt::Password.create(password, cost: Authonomy.stretches).to_s
+      end
+
+      def compare(hashed_password, password)
+        return false if hashed_password.blank?
+
+        bcrypt = ::BCrypt::Password.new(hashed_password)
+
+        password = "#{password}#{Authonomy.pepper.presence}"
+        password = ::BCrypt::Engine.hash_secret(password, bcrypt.salt)
+
+        secure_compare(password, hashed_password)
+      end
+
+      private
+
+      # Constant-time comparison algorithm to prevent timing attacks
+      def secure_compare(abc, xyz)
+        return false if abc.blank? || xyz.blank? || abc.bytesize != xyz.bytesize
+
+        l = abc.unpack "C#{abc.bytesize}"
+
+        res = 0
+        xyz.each_byte { |byte| res |= byte ^ l.shift }
+        res.zero?
+      end
+    end
+  end
+end

data/lib/authonomy/token_generator.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'securerandom'
+
+module Authonomy
+  class TokenGenerator
+    ALGO = 'SHA256'
+
+    class << self
+      def generator
+        @generator ||= new(
+          ActiveSupport::CachingKeyGenerator.new(
+            ActiveSupport::KeyGenerator.new(Authonomy.secret_key)
+          )
+        )
+      end
+    end
+
+    def initialize(key_generator)
+      @key_generator = key_generator
+    end
+
+    def digest(column, token)
+      key = key_for(column)
+      token.present? && OpenSSL::HMAC.hexdigest(ALGO, key, token.to_s)
+    end
+
+    def generate(klass, column, length)
+      key = key_for(column)
+
+      loop do
+        token = friendly_token(length)
+        encoded_token = OpenSSL::HMAC.hexdigest(ALGO, key, token)
+        break [token, encoded_token] unless klass.find_by(column => encoded_token)
+      end
+    end
+
+    private
+
+    def key_for(column)
+      @key_generator.generate_key("Authonomy #{column}")
+    end
+
+    def friendly_token(length)
+      rlength = (length * 3) / 4
+      SecureRandom.urlsafe_base64(rlength).tr('lIO0', 'sxyz')
+    end
+  end
+end

data/lib/authonomy/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Authonomy
+  VERSION = '1.0.0'
+end

data/lib/authonomy.rb

@@ -0,0 +1,136 @@
+# frozen_string_literal: true
+
+require 'active_support'
+require 'active_support/time'
+require 'active_support/key_generator'
+
+require_relative 'authonomy/encryptor'
+require_relative 'authonomy/token_generator'
+require_relative 'authonomy/authenticator'
+
+require 'uri/mailto'
+
+module Authonomy
+  class << self
+    WRITER_METHODS = %i[
+      pepper
+      stretches
+      password_length
+      phone_length
+      access_token_ttl
+      refresh_token_ttl
+      invite_token_ttl
+      invite_token_length
+      confirm_email_token_ttl
+      confirm_email_token_length
+      reset_password_token_ttl
+      reset_password_token_length
+      secret_key
+      jwt_secret_key
+    ].freeze
+    attr_writer(*WRITER_METHODS)
+
+    READER_METHODS = %i[
+      pepper
+      secret_key
+      jwt_secret_key
+    ].freeze
+    attr_reader(*READER_METHODS)
+
+    def configure
+      yield self if block_given?
+    end
+
+    def stretches
+      @stretches || 11
+    end
+
+    def password_regexp
+      %r{
+        \A
+        (?=.*\d)                                      # Must contain a digit
+        (?=.*[a-z])                                   # Must contain a lowercase character
+        (?=.*[A-Z])                                   # Must contain an uppercase character
+        (?=.*[!"#$%&'()*+,\-./:;<=>?@\[\\\]^_`{|}~])  # Must contain a special character
+      }x
+    end
+
+    def password_length
+      @password_length || (8..128)
+    end
+
+    def email_regexp
+      # /\A[^@\s]+@([^@\s]+\.)+[^@\W]+\z/
+      URI::MailTo::EMAIL_REGEXP
+    end
+
+    def phone_regexp
+      /\A[\d\s+\-#*@&.,()]+\z/
+    end
+
+    def phone_length
+      @phone_length || (3..40)
+    end
+
+    def money_regexp
+      /[+\-]?[\d.,]+/
+    end
+
+    def url_regexp
+      %r{
+        \A
+        (?:(?:https?|ftp)://)                                         # scheme
+        (?:\S+(?::\S*)?@)?                                            # user:pass authentication
+        (?:
+          (?!10(?:\.\d{1,3}){3})                                      # IP address exclusion
+          (?!127(?:\.\d{1,3}){3})                                     # private & local networks
+          (?!169\.254(?:\.\d{1,3}){2})
+          (?!192\.168(?:\.\d{1,3}){2})
+          (?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})
+          (?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])                          # IP address dotted notation octets
+          (?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}                     # excludes loopback network 0.0.0.0, reserved space >= 224.0.0.0, network & broacast addresses
+          (?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))                   # (first & last IP address of each class)
+        |
+          (?:(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)     # host name
+          (?:\.(?:[a-z\u00a1-\uffff0-9]+-?)*[a-z\u00a1-\uffff0-9]+)*  # domain name
+          (?:\.(?:[a-z\u00a1-\uffff]{2,}))                            # TLD identifier
+        )
+        (?::\d{2,5})?                                                 # port number
+        (?:/\S*)?                                                     # resource path
+        \z
+      }xi
+    end
+
+    def access_token_ttl
+      @access_token_ttl || 30.minutes
+    end
+
+    def refresh_token_ttl
+      @refresh_token_ttl || 1.week
+    end
+
+    def invite_token_ttl
+      @invite_token_ttl || 24.hours
+    end
+
+    def invite_token_length
+      @invite_token_length || 48
+    end
+
+    def confirm_email_token_ttl
+      @confirm_email_token_ttl || 24.hours
+    end
+
+    def confirm_email_token_length
+      @confirm_email_token_length || 48
+    end
+
+    def reset_password_token_ttl
+      @reset_password_token_ttl || 60.minutes
+    end
+
+    def reset_password_token_length
+      @reset_password_token_length || 48
+    end
+  end
+end

metadata

@@ -0,0 +1,98 @@
+--- !ruby/object:Gem::Specification
+name: authonomy
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Ilya Konyukhov
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2022-09-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bcrypt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Flexible authentication solution for Rails
+email: ilya@konyukhov.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/authonomy.rb
+- lib/authonomy/authenticator.rb
+- lib/authonomy/encryptor.rb
+- lib/authonomy/token_generator.rb
+- lib/authonomy/version.rb
+homepage: https://github.com/ilkon/authonomy
+licenses:
+- MIT
+metadata:
+  rubygems_mfa_required: 'true'
+  homepage_uri: https://github.com/ilkon/authonomy
+  documentation_uri: https://rubydoc.info/github/ilkon/authonomy
+  changelog_uri: https://github.com/ilkon/authonomy/blob/main/CHANGELOG.md
+  source_code_uri: https://github.com/ilkon/authonomy
+  bug_tracker_uri: https://github.com/ilkon/authonomy/issues
+  wiki_uri: https://github.com/ilkon/authonomy/wiki
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.7
+signing_key: 
+specification_version: 4
+summary: Flexible authentication solution for Rails
+test_files: []