authorio 0.8.0 → 0.8.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a376e3f8c81fdc53ac6c223c42fedadb43cdc02129713ca6756db1506c07f10
-  data.tar.gz: 761c806afafae95a35e97e97b784ae4271cc09fb7cbb6eb6001571e9319cc6a2
+  metadata.gz: 78659edadab6ff85d24828c318525bac7b62b4a76b9905e0a1d819ec266f9d46
+  data.tar.gz: 817fe77d1c1fd89e68df07a594725997d598e0f0027210d083762da50cb447fd
 SHA512:
-  metadata.gz: 32c86c4be9a8cf949ba616797d0a7b505213687d09435ae7c8e0a5588224076c73b0aab4e7b985af74baa89963dafabdc2db7f562982165886dc8085e2fd88c7
-  data.tar.gz: c9bbaf3bce9c291ddf5619a62caa03962d31c1e57abf0fe45baae96d2325cbd1f0d46f1d6c5477fb9cef6dafa9eb54f4ee2874820e8e74b662dd7e8c9d6aa77d
+  metadata.gz: 8205bfe7bc6798f560da3f56b19f26822653d6f6fb8baac925be38a713f871e1faf90f0492ea25187124cd98db928a7d875da47b53faf14afe1efc6418498dbd
+  data.tar.gz: 3c772c7777f016316911f36573f5d2982ca27a40edb18dcac16782fb380021971feaeea4271adebe411101b39a9bb544d3f27f88dec93d72aae6f0e5adc483fd

data/README.md

@@ -34,13 +34,18 @@ You will need to install the migrations and then run them to add these tables
 $ rails authorio:install:migrations
 Copied migration 20210703002653_create_authorio_users.authorio.rb from authorio
 Copied migration 20210703002654_create_authorio_requests.authorio.rb from authorio
+Copied migration 20210710145519_create_authorio_tokens.authorio.rb from authorio
+
 $ rails db:migrate
 ...
 == 20210703002653 CreateAuthorioUsers: migrated (0.0038s) =====================
 ...
 == 20210703002654 CreateAuthorioRequests: migrated (0.0041s) ==================
+...
+== 20210710145519 CreateAuthorioTokens: migrated (0.0037s) ====================
 ```
 
+
 ### 4. Install Authorio routes
 Add the following line somewhere inside the `Rails.application.routes.draw do` block in your `config/routes.rb` file
 ```ruby
@@ -83,15 +88,58 @@ Now restart your rails app, and you should be all set!
 
 ## Usage
 
-To test your authentication endpoint, find an IndieAuth client you can log in to. A simple test is at [Pin13](pin13.net/login). Enter your site's URL and click Sign In.
+To test your authentication endpoint, find an IndieAuth client you can log in to. A simple test is to try and login
+to the [IndieWeb.org website](https://indieweb.org)
 
-You should be then be redirected back to your own site and the Authorio
-login UI  
+- From the home page, click on *Log In* in the upper right, or visit the [login page](https://sso.indieweb.org/login?url=https%3A%2F%2Findieweb.org%2FMain_Page) directly.
+- Enter your site's URL (or if you put the indieauth tag on a page other than your home page, enter that URL)
+- You should be then be redirected back to your own site and the Authorio login UI
+<p align="center">
 <img src="./auth-ui.png" width="400">
+</p>
 
-Enter the password you set up when you installed Authorio. This should redirect you back to the client where you
+- Enter the password you set up when you installed Authorio. This should redirect you back to the client where you
 will be logged in!
 
+## Configuration
+
+When you installed Authorio it placed a config file in `config/initializers/authorio.rb`. If you want to change
+one of the defaults you can uncomment it and specify it here.
+
+### Mount Point
+
+Most Rails engines are mounted via `mount Authorio::Engine, at: mount_point`. But Authorio needs to know its own
+mount point (to specify its url in the header tag) so you specify the mount point here. The default `authorio`
+should work for everyone.
+
+### Authorization and Token Endpoint
+
+These endpointd are given to servers via discovery. The default values should suffice.
+
+### Token Expiration
+
+If a client asks for an authentication token, the token will be valid for this length of time, after which
+you will have to re-authenticate. Longer-lasting
+tokens can possibly be a security risk. Default is 4 weeks.
+
+### Local Session Lifetime
+
+Setting this to a time interval will enable you to authenticate without typing in your password. It enables a
+"remember me" chekbox on the authentication form. If you check that, then enter your
+password once, then your session will be saved in a cookie, and any time you are asked to authenticate again,
+you can just click "Sign In" without your password. It can be a security risk if someone else has access to
+the machine you are using to login with (eg your laptop). Obviously you don't want to check "remember me"
+on a public-access computer. Default is *nil* (disabled)
+
+### TODO
+
+- [ ] Customizing the authentication view/UI
+- [ ] Customizing the authentication method
+
+## User Profile
+
+You can set up your <a href="doc/profile.md">user profile</a> which can be sent to authenticating clients.
+
 ## Contributing
 Send pull requests to [Authorio on GitHub](https://github.com/reiterate-app/authorio)
 

data/app/assets/stylesheets/authorio/auth.css

@@ -27,7 +27,7 @@ div.authorio-auth {
 	margin-left:  1.2em;
 }
 
-.authorio-auth input {
+.authorio-auth input:not([type='checkbox']):not([type='submit']) {
 	margin: 0 1em 1em 1em;
 	width:  90%;
 }
@@ -39,3 +39,57 @@ div.authorio-auth {
 .authorio-auth input.btn {
 	margin-top: 2em;
 }
+
+.auth-btn-row {
+	margin: 1em;
+	width: 90%;
+}
+
+.authorio-auth .auth-btn-row .auth-btn {
+	width: 45%;
+	margin: 0.1em;
+}
+
+.authorio-auth .auth-btn-row .auth-btn:last-child {
+	float: right;
+}
+
+span.r-m {
+	font-weight: 200;
+}
+
+label.remember {
+	margin-top: -1em;
+}
+
+div.scopes {
+	margin-top: -1.5em;
+}
+
+ul.scope {
+	list-style: none;
+	padding-left: 20px;
+}
+
+ul.scope li label {
+	font-weight: normal;
+}
+
+div.topbar {
+	border-bottom: 1px solid darkgray;
+}
+
+div.topbar li {
+	display: inline-block;
+	padding: 12px;
+}
+
+div.topbar ul {
+	margin: 0 10px;
+	padding: 0;
+	text-align: right;
+}
+
+div.topbar li:first-child {
+	float: left;
+}

data/app/controllers/authorio/auth_controller.rb

@@ -1,134 +1,119 @@
+# frozen_string_literal: true
+
 module Authorio
-  class AuthController < ActionController::Base
+  class AuthController < AuthorioController
     require 'uri'
     require 'digest'
 
-    protect_from_forgery except: [:send_profile, :issue_token, :authorize_user]
-
-    def authorization_interface
-      p = auth_req_params
-
-      path = if p[:me]
-        URI(p[:me]).path
-      else
-        '/'
-      end
-
-      user = User.find_by! profile_path: path
-      @user_url = p[:me] || user_url(user)
+    # These API-only endpoints are protected by code challenge and do not need CSRF protextion
+    protect_from_forgery with: :exception, except: %i[send_profile issue_token]
 
-      # If there are any old requests from this (client, user), delete them now
-      Request.where(authorio_user: user, client: p[:client_id]).delete_all
+    rescue_from 'Authorio::Exceptions::SessionReplayAttack' do |exception|
+      redirect_back_with_error 'Session Replay attack detected. This has been logged.'
+      logger.info 'Session replay attack detected!'
+      Session.where(user: exception.session.user).delete_all
+    end
+    rescue_from 'Authorio::Exceptions::UserNotFound' do
+      redirect_back_with_error 'User not found'
+    end
+    rescue_from 'Authorio::Exceptions::InvalidPassword' do
+      redirect_back_with_error 'Incorrect password. Try again.'
+    end
 
-      auth_request = Request.new.tap do |req|
-        req.code = SecureRandom.hex(20)
-        req.redirect_uri = p[:redirect_uri]
-        req.client = p[:client_id] # IndieAuth client_id conflicts with Rails' _id foreign key convention
-        req.scope = p[:scope]
-        req.authorio_user = user
-      end
-      auth_request.save
-      session[:state] = p[:state]
-      session[:code_challenge] = p[:code_challenge]
+    # GET /auth
+    def authorization_interface
+      session.update auth_interface_params.slice(:state, :client_id, :code_challenge, :redirect_uri)
+    rescue ActionController::ParameterMissing, ActionController::UnpermittedParameters => e
+      render oauth_error 'invalid_request', e
     end
 
+    # POST /user/:id/authorize
     def authorize_user
-      p = auth_user_params
-      user = User.find_by! profile_path: URI(p[:url]).path
-      auth_req = Request.find_by! client: p[:client], authorio_user: user
-      if user.authenticate(p[:password])
-        params = { code: auth_req.code, state: session[:state] }
-        redirect_to "#{auth_req.redirect_uri}?#{params.to_query}"
-      else
-        flash.now[:alert] = "Incorrect password. Try again."
-        redirect_back fallback_location: Authorio.authorization_path, allow_other_host: false
-      end
+      redirect_to session[:client_id] and return if params[:commit] == 'Cancel'
+
+      user = authenticate_user_from_session_or_password
+      write_session_cookie(user) if auth_user_params[:remember_me]
+      redirect_to_client(user)
     end
 
     def send_profile
-      begin
-        render json: { 'me': user_url(validate_request.authorio_user) }
-      rescue Authorio::Exceptions::InvalidGrant
-        render invalid_grant
-      end
+      @request = validate_request Request.find_by! code: params[:code]
+    rescue Exceptions::InvalidGrant, ActiveRecord::RecordNotFound => e
+      render oauth_error 'invalid_grant', e.message
     end
 
     def issue_token
-      begin
-        req = validate_request
-        raise Authorio::Exceptions::InvalidGrant.new if req.scope.blank?
-        token = Token.create(authorio_user: req.authorio_user, scope: req.scope, client: req.client)
-        render json: {
-          'me': user_url(req.authorio_user),
-          'access_token': token.auth_token,
-          'scope': req.scope,
-          'token_type': 'Bearer'
-        }
-      rescue Authorio::Exceptions::InvalidGrant
-        render invalid_grant
-      end
+      @request = validate_request Request.find_by! code: params[:code]
+      @token = Token.create_from_request(@request)
+    rescue Exceptions::InvalidGrant, ActiveRecord::RecordNotFound => e
+      render oauth_error 'invalid_grant', e.message
     end
 
     def verify_token
-      token = Token.find_by auth_token: bearer_token
-      head :bad_request and return if token.nil?
-      render json: {
-        'me': user_url(token.authorio_user),
-        'client_id': token.client,
-        'scope': 'token.scope'
-      }
+      @token = Token.find_by_auth_token(bearer_token) or (head :bad_request and return)
+      return unless @token.expired?
+
+      @token.delete
+      render token_expired
     end
 
     private
 
-    def auth_req_params
-      %w(client_id redirect_uri state code_challenge).each do |param|
-        unless params.key?(param) && !params[param].empty?
-          raise ::ActionController::ParameterMissing.new(param)
-        end
+    def auth_interface_params
+      @auth_interface_params ||= begin
+        required = %w[client_id redirect_uri state code_challenge]
+        permitted = %w[me scope code_challenge_method response_type action controller]
+        missing = required - params.keys
+        raise ::ActionController::ParameterMissing, missing unless missing.empty?
+
+        unpermitted = params.keys - required - permitted
+        raise ::ActionController::UnpermittedParameters, unpermitted unless unpermitted.empty?
+
+        params.permit!
       end
-      params.permit(:response_type, :code_challenge, :code_challenge_method, :scope, :me, :redirect_uri, :client_id, :state)
     end
 
-    def auth_user_params
-      params.permit(:password, :url, :client)
+    def scope_params
+      params.require(:scope).permit(scope: [])
     end
 
-    def user_url(user)
-      "#{request.scheme}://#{request.host}#{user.profile_path}"
+    def oauth_error(error, message = nil, status = :bad_request)
+      { json: { json: { error: error, error_message: message }.compact },
+        status: status }
     end
 
-    def invalid_grant
-      { json: { 'error': 'invalid_grant' }, status: :bad_request }
+    def token_expired
+      oauth_error('invalid_token', 'The access token has expired', :unauthorized)
     end
 
     def code_challenge_failed?
       # For now, if original request did not have code challenge, then we pass by default
-      return false if session[:code_challenge].nil?
+      return unless session[:code_challenge]
+
       sha256 = Digest::SHA256.hexdigest params[:code_verifier]
-      base64 = Base64.urlsafe_encode64 sha256
-      return base64 != session[:code_challenge]
+      Base64.urlsafe_encode64(sha256) != session[:code_challenge]
     end
 
-    def invalid_request?(req)
-      req.redirect_uri != params[:redirect_uri] \
-        || req.client != params[:client_id] \
-        || req.created_at < Time.now - 10.minutes
-    end
+    def validate_request(request)
+      raise Exceptions::InvalidGrant, 'validation failed' if request.invalid?(params) || code_challenge_failed?
 
-    def validate_request
-      req = Request.find_by code: params[:code]
-      raise Authorio::Exceptions::InvalidGrant.new if req.nil?
-      req.delete
-      raise Authorio::Exceptions::InvalidGrant.new if invalid_request?(req) || code_challenge_failed?
-      req
+      request
     end
 
-    def bearer_token
-      bearer = /^Bearer /
-      header = request.headers['Authorization']
-      header.gsub(bearer, '') if header && header.match(bearer)
+    def redirect_to_client(user)
+      auth_req = Request.create(client: session[:client_id],
+                                redirect_uri: session[:redirect_uri],
+                                scope: (scope_params[:scope].join(' ') if params.key? :scope),
+                                authorio_user: user)
+      redirect_params = { code: auth_req.code, state: session[:state] }
+      redirect_to "#{auth_req.redirect_uri}?#{redirect_params.to_query}"
     end
 
+    def authenticate_user_from_session_or_password
+      user_session&.authorio_user or
+        User.find_by_username!(auth_user_params[:username])
+            .authenticate(auth_user_params[:password]) or
+        raise Exceptions::InvalidPassword
+    end
   end
 end

data/app/controllers/authorio/authorio_controller.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+module Authorio
+  class AuthorioController < ActionController::Base
+    layout 'authorio/main'
+
+    helper_method :logged_in?, :rememberable?, :current_user,
+                  :user_scope_description, :profile_url
+
+    def index
+      if logged_in?
+        redirect_to edit_user_path(current_user)
+      else
+        redirect_to new_session_path
+      end
+    end
+
+    def user_session
+      if session[:user_id]
+        Session.new(authorio_user: Authorio::User.find(session[:user_id]))
+      else
+        cookie = cookies.encrypted[:user] and Session.find_by_cookie(cookie)
+      end
+    end
+
+    def logged_in?
+      !user_session.nil?
+    end
+
+    def rememberable?
+      !logged_in? && Authorio.configuration.local_session_lifetime
+    end
+
+    def authorized?
+      redirect_to new_session_path unless logged_in?
+    end
+
+    def current_user
+      user_session&.authorio_user&.id
+    end
+
+    def user_scope_description(scope)
+      Authorio::Request.user_scope_description(scope)
+    end
+
+    def profile_url(user)
+      if Authorio.configuration.multiuser
+        verify_user_url(user)
+      else
+        "#{request.scheme}://#{request.host}"
+      end
+    end
+
+    protected
+
+    def auth_user_params
+      params.require(:user).permit(:username, :password, :remember_me)
+    end
+
+    def write_session_cookie(user)
+      cookies.encrypted[:user] = {
+        value: Authorio::Session.create(authorio_user: user).as_cookie,
+        expires: Authorio.configuration.local_session_lifetime
+      }
+    end
+
+    def redirect_back_with_error(error)
+      flash[:alert] = error
+      redirect_back fallback_location: Authorio.authorization_path.prepend('/'), allow_other_host: false
+    end
+
+    def bearer_token
+      bearer = /^Bearer /
+      header = request.headers['Authorization']
+      header.gsub(bearer, '') if header&.match(bearer)
+    end
+  end
+end