authorio 0.8.1 → 0.8.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 415f389a073c49afa82e47fc8caa28fb66d5586cc81758f63e4840f953fb7950
-  data.tar.gz: 6184be72a5c9f999984c33d6b24e4bd09ea6f0a15469512df70c833610477a69
+  metadata.gz: e4cd85ad8ec9b0e70f4d276f7c600d5cc3ebab5b04f0f0313da9f6151e78d680
+  data.tar.gz: 7ec85565cc8fb4ea711836ab8069f7062929d13af6f1520809095bdee7c859b9
 SHA512:
-  metadata.gz: fbfd300b93d372aa86257b484164be9944ce7950ebc91bfff3a1fe585f858e618e9dee0afbca33ea07953a8aea35b9c79f90cbca6b87e2b78e393cd7e1b9d810
-  data.tar.gz: ea5e5f5b850d0c88be5dfe2fbfd75abb747625059d544bfbd1988076a3c259bc69db8781036e4ad33d8a7d00f23577e06cc8402d11d0d126080334156048f9f1
+  metadata.gz: 845bc518d44332a7e71eabd020da0f450979dcf35ec35539850ee40b931c270c7c89f6205fa021b27b78b86c07fbcd1b36354c49c79c28d6e5d2b8ea501aad00
+  data.tar.gz: ca1f67ba7804bd630ce55713cfd1c3f2b542f04781583ec165073c1ad0eea829bef439d362af9e302e530da8ccc650736b00039b1151e7559b1cb8b8cdcc64b2

data/README.md

@@ -106,11 +106,40 @@ will be logged in!
 When you installed Authorio it placed a config file in `config/initializers/authorio.rb`. If you want to change
 one of the defaults you can uncomment it and specify it here.
 
+### Mount Point
+
+Most Rails engines are mounted via `mount Authorio::Engine, at: mount_point`. But Authorio needs to know its own
+mount point (to specify its url in the header tag) so you specify the mount point here. The default `authorio`
+should work for everyone.
+
+### Authorization and Token Endpoint
+
+These endpointd are given to servers via discovery. The default values should suffice.
+
+### Token Expiration
+
+If a client asks for an authentication token, the token will be valid for this length of time, after which
+you will have to re-authenticate. Longer-lasting
+tokens can possibly be a security risk. Default is 4 weeks.
+
+### Local Session Lifetime
+
+Setting this to a time interval will enable you to authenticate without typing in your password. It enables a
+"remember me" chekbox on the authentication form. If you check that, then enter your
+password once, then your session will be saved in a cookie, and any time you are asked to authenticate again,
+you can just click "Sign In" without your password. It can be a security risk if someone else has access to
+the machine you are using to login with (eg your laptop). Obviously you don't want to check "remember me"
+on a public-access computer. Default is *nil* (disabled)
+
 ### TODO
 
 - [ ] Customizing the authentication view/UI
 - [ ] Customizing the authentication method
 
+## User Profile
+
+You can set up your <a href="doc/profile.md">user profile</a> which can be sent to authenticating clients.
+
 ## Contributing
 Send pull requests to [Authorio on GitHub](https://github.com/reiterate-app/authorio)
 

data/app/assets/stylesheets/authorio/auth.css

@@ -27,7 +27,7 @@ div.authorio-auth {
 	margin-left:  1.2em;
 }
 
-.authorio-auth input {
+.authorio-auth input:not([type='checkbox']):not([type='submit']) {
 	margin: 0 1em 1em 1em;
 	width:  90%;
 }
@@ -39,3 +39,57 @@ div.authorio-auth {
 .authorio-auth input.btn {
 	margin-top: 2em;
 }
+
+.auth-btn-row {
+	margin: 1em;
+	width: 90%;
+}
+
+.authorio-auth .auth-btn-row .auth-btn {
+	width: 45%;
+	margin: 0.1em;
+}
+
+.authorio-auth .auth-btn-row .btn-success {
+	float: right;
+}
+
+span.r-m {
+	font-weight: 200;
+}
+
+label.remember {
+	margin-top: -1em;
+}
+
+div.scopes {
+	margin-top: -1.5em;
+}
+
+ul.scope {
+	list-style: none;
+	padding-left: 20px;
+}
+
+ul.scope li label {
+	font-weight: normal;
+}
+
+div.topbar {
+	border-bottom: 1px solid darkgray;
+}
+
+div.topbar li {
+	display: inline-block;
+	padding: 12px;
+}
+
+div.topbar ul {
+	margin: 0 10px;
+	padding: 0;
+	text-align: right;
+}
+
+div.topbar li:first-child {
+	float: left;
+}

data/app/controllers/authorio/auth_controller.rb

@@ -1,141 +1,108 @@
-module Authorio
-  class AuthController < ActionController::Base
-    require 'uri'
-    require 'digest'
+# frozen_string_literal: true
 
-    protect_from_forgery except: [:send_profile, :issue_token, :authorize_user]
+module Authorio
+  class AuthController < AuthorioController
+    # These API-only endpoints are protected by code challenge and do not need CSRF protextion
+    protect_from_forgery with: :exception, except: %i[send_profile issue_token]
+
+    rescue_from 'Authorio::Exceptions::SessionReplayAttack' do |exception|
+      redirect_back_with_error 'Session Replay attack detected. This has been logged.'
+      logger.info 'Session replay attack detected!'
+      Session.where(user: exception.session.user).delete_all
+    end
+    rescue_from 'Authorio::Exceptions::UserNotFound' do
+      redirect_back_with_error 'User not found'
+    end
+    rescue_from 'Authorio::Exceptions::InvalidPassword' do
+      redirect_back_with_error 'Incorrect password. Try again.'
+    end
 
+    # GET /auth
     def authorization_interface
-      p = auth_req_params
-      p[:me] ||= "#{host_with_protocol}/"
-
-      user = User.find_by! profile_path: URI(p[:me]).path
-      @user_url = p[:me] || user_url(user)
-
-      # If there are any old requests from this (client, user), delete them now
-      Request.where(authorio_user: user, client: p[:client_id]).delete_all
-
-      auth_request = Request.new.tap do |req|
-        req.code = SecureRandom.hex(20)
-        req.redirect_uri = p[:redirect_uri]
-        req.client = p[:client_id] # IndieAuth client_id conflicts with Rails' _id foreign key convention
-        req.scope = p[:scope]
-        req.authorio_user = user
-      end
-      auth_request.save
-      session[:state] = p[:state]
-      session[:code_challenge] = p[:code_challenge]
-
-    rescue ActiveRecord::RecordNotFound
-      flash.now[:alert] = "Invalid user"
-      redirect_back fallback_location: Authorio.authorization_path, allow_other_host: false
+      session.update auth_interface_params.slice(:state, :client_id, :code_challenge, :redirect_uri)
+    rescue ActionController::ParameterMissing, ActionController::UnpermittedParameters => e
+      render oauth_error 'invalid_request', e
     end
 
+    # POST /user/:id/authorize
     def authorize_user
-      p = auth_user_params
-      user = User.find_by! profile_path: URI(p[:url]).path
-      auth_req = Request.find_by! client: p[:client], authorio_user: user
-      if user.authenticate(p[:password])
-        params = { code: auth_req.code, state: session[:state] }
-        redirect_to "#{auth_req.redirect_uri}?#{params.to_query}"
-      else
-        flash.now[:alert] = "Incorrect password. Try again."
-        redirect_back fallback_location: Authorio.authorization_path, allow_other_host: false
-      end
-    rescue ActiveRecord::RecordNotFound
-      flash.now[:alert] = "Invlaid user"
-      redirect_back fallback_location: Authorio.authorization_path, allow_other_host: false
+      redirect_to session[:client_id] and return if params[:commit] == 'Cancel'
+
+      @user = authenticate_user_from_session_or_password
+      write_session_cookie(@user) if auth_user_params[:remember_me]
+      create_auth_request
+      redirect_to_client
     end
 
     def send_profile
-      begin
-        render json: { 'me': user_url(validate_request.authorio_user) }
-      rescue Authorio::Exceptions::InvalidGrant
-        render invalid_grant
-      end
+      @auth_request = find_auth_request or (render validation_failed and return)
     end
 
     def issue_token
-      begin
-        req = validate_request
-        raise Authorio::Exceptions::InvalidGrant.new if req.scope.blank?
-        token = Token.create(authorio_user: req.authorio_user, scope: req.scope, client: req.client)
-        render json: {
-          'me': user_url(req.authorio_user),
-          'access_token': token.auth_token,
-          'scope': req.scope,
-          'token_type': 'Bearer'
-        }
-      rescue Authorio::Exceptions::InvalidGrant
-        render invalid_grant
-      end
+      @auth_request = find_auth_request or (render validation_failed and return)
+      @token = Token.create_from_request(@auth_request)
     end
 
     def verify_token
-      token = Token.find_by! auth_token: bearer_token
-      render json: {
-        'me': user_url(token.authorio_user),
-        'client_id': token.client,
-        'scope': 'token.scope'
-      }
-      rescue ActiveRecord::RecordNotFound
-        head :bad_request
+      @token = Token.find_by_auth_token(bearer_token) or (head :bad_request and return)
+      return unless @token.expired?
+
+      @token.delete
+      render token_expired
     end
 
     private
 
-    def auth_req_params
-      %w(client_id redirect_uri state code_challenge).each do |param|
-        unless params.key?(param) && !params[param].empty?
-          raise ::ActionController::ParameterMissing.new(param)
-        end
+    def auth_interface_params
+      @auth_interface_params ||= begin
+        required = %w[client_id redirect_uri state]
+        permitted = %w[me scope code_challenge_method response_type code_challenge dummy]
+        params.require(required)
+        params.permit(permitted + required)
+        params.permit!
       end
-      params.permit(:response_type, :code_challenge, :code_challenge_method, :scope, :me, :redirect_uri, :client_id, :state)
     end
 
-    def auth_user_params
-      params.permit(:password, :url, :client)
+    def scope_params
+      params.require(:scope).permit(scope: [])
     end
 
-    def host_with_protocol
-      "#{request.scheme}://#{request.host}"
+    def oauth_error(error, message = nil, status = :bad_request)
+      { json: { json: { error: error, error_message: message }.compact },
+        status: status }
     end
 
-    def user_url(user)
-      "#{host_with_protocol}#{user.profile_path}"
+    def token_expired
+      oauth_error('invalid_token', 'The access token has expired', :unauthorized)
     end
 
-    def invalid_grant
-      { json: { 'error': 'invalid_grant' }, status: :bad_request }
+    def validation_failed
+      oauth_error('invalid_grant', 'validation failed')
     end
 
-    def code_challenge_failed?
-      # For now, if original request did not have code challenge, then we pass by default
-      return false if session[:code_challenge].nil?
-      sha256 = Digest::SHA256.hexdigest params[:code_verifier]
-      base64 = Base64.urlsafe_encode64 sha256
-      return base64 != session[:code_challenge]
+    def find_auth_request
+      auth_request = Request.find_by code: params[:code]
+      auth_request&.validate_oauth params
     end
 
-    def invalid_request?(req)
-      req.redirect_uri != params[:redirect_uri] \
-        || req.client != params[:client_id] \
-        || req.created_at < Time.now - 10.minutes
+    def create_auth_request
+      @auth_req = Request.create(client: session[:client_id],
+                                 redirect_uri: session[:redirect_uri],
+                                 code_challenge: (session[:code_challenge] if session.key? :code_challenge),
+                                 scope: (scope_params[:scope].join(' ') if params.key? :scope),
+                                 authorio_user: @user)
     end
 
-    def validate_request
-      req = Request.find_by code: params[:code]
-      raise Authorio::Exceptions::InvalidGrant.new if req.nil?
-      req.delete
-      raise Authorio::Exceptions::InvalidGrant.new if invalid_request?(req) || code_challenge_failed?
-      req
+    def redirect_to_client
+      redirect_params = { code: @auth_req.code, state: session[:state] }
+      redirect_to "#{@auth_req.redirect_uri}?#{redirect_params.to_query}"
     end
 
-    def bearer_token
-      bearer = /^Bearer /
-      header = request.headers['Authorization']
-      header.gsub(bearer, '') if header && header.match(bearer)
+    def authenticate_user_from_session_or_password
+      user_session&.authorio_user or
+        User.find_by_username!(auth_user_params[:username])
+            .authenticate(auth_user_params[:password]) or
+        raise Exceptions::InvalidPassword
     end
-
   end
 end

data/app/controllers/authorio/authorio_controller.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+module Authorio
+  class AuthorioController < ActionController::Base
+    layout 'authorio/main'
+
+    helper_method :logged_in?, :rememberable?, :current_user,
+                  :user_scope_description, :profile_url
+
+    def index
+      if logged_in?
+        redirect_to edit_user_path(current_user)
+      else
+        redirect_to new_session_path
+      end
+    end
+
+    def user_session
+      if session[:user_id]
+        Session.new(authorio_user: Authorio::User.find(session[:user_id]))
+      else
+        cookie = cookies.encrypted[:user] and Session.find_by_cookie(cookie)
+      end
+    end
+
+    def logged_in?
+      !user_session.nil?
+    end
+
+    def rememberable?
+      !logged_in? && Authorio.configuration.local_session_lifetime
+    end
+
+    def authorized?
+      redirect_to new_session_path unless logged_in?
+    end
+
+    def current_user
+      user_session&.authorio_user&.id
+    end
+
+    def user_scope_description(scope)
+      Authorio::Request.user_scope_description(scope)
+    end
+
+    def profile_url(user)
+      if Authorio.configuration.multiuser
+        verify_user_url(user)
+      else
+        "#{request.scheme}://#{request.host}"
+      end
+    end
+
+    protected
+
+    def auth_user_params
+      params.require(:user).permit(:username, :password, :remember_me)
+    end
+
+    def write_session_cookie(user)
+      cookies.encrypted[:user] = {
+        value: Authorio::Session.create(authorio_user: user).as_cookie,
+        expires: Authorio.configuration.local_session_lifetime
+      }
+    end
+
+    def redirect_back_with_error(error)
+      flash[:alert] = error
+      redirect_back fallback_location: Authorio.authorization_path.prepend('/'), allow_other_host: false
+    end
+
+    def bearer_token
+      bearer = /^Bearer /
+      header = request.headers['Authorization']
+      header.gsub(bearer, '') if header&.match(bearer)
+    end
+  end
+end

data/app/controllers/authorio/sessions_controller.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Authorio
+  class SessionsController < AuthorioController
+    # GET /session/new
+    def new
+      @session = Session.new(authorio_user: User.first)
+    end
+
+    # POST /session
+    def create
+      user = User.find_by_username! auth_user_params[:username]
+      raise Exceptions::InvalidPassword unless user.authenticate(auth_user_params[:password])
+
+      write_session_cookie(user) if auth_user_params[:remember_me]
+      # Even if we don't have a permanent remember-me session, we make a temporary session
+      session[:user_id] = user.id
+      redirect_to edit_user_path(user)
+    rescue Exceptions::InvalidPassword
+      redirect_back_with_error 'Incorrect password. Try again.'
+    end
+
+    # DELETE /session
+    def destroy
+      reset_session
+      if (cookie = cookies.encrypted[:user]) && (session = Session.find_by_cookie(cookie))
+        cookies.delete :user
+        session.destroy
+      end
+      redirect_to new_session_path
+    end
+  end
+end

data/app/controllers/authorio/users_controller.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+module Authorio
+  class UsersController < AuthorioController
+    before_action :authorized?, except: :verify
+
+    # GET /users/:id
+    def show
+      @user = User.find(params[:id])
+    end
+
+    # GET /users/:id/edit
+    def edit
+      @user = User.find(params[:id])
+    end
+
+    # PATCH /users/:id
+    def update
+      User.find(params[:id]).update(user_params)
+      flash[:info] = 'Profile Saved'
+      redirect_to edit_user_path
+    end
+
+    # This is only called by IndieAuth clients who wish to verify that a
+    # user profile URL we generated is in fact ours.
+    def verify; end
+
+    private
+
+    def user_params
+      params.require(:user).permit(:url, :photo, :full_name, :email)
+    end
+  end
+end