authorio 0.8.1 → 0.8.5

data/app/helpers/authorio/tag_helper.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Authorio
+  # These helpers are provided to the main application
+  module TagHelper
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :indieauth_tag if respond_to?(:helper_method)
+    end
+
+    def indieauth_tag
+      tag(:link, rel: 'authorization_endpoint', href: URI.join(main_app.root_url, Authorio.authorization_path)) <<
+        tag(:link, rel: 'token_endpoint', href: URI.join(main_app.root_url, Authorio.token_path))
+    end
+  end
+end

data/app/jobs/authorio/application_job.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authorio
   class ApplicationJob < ActiveJob::Base
   end

data/app/models/authorio/application_record.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authorio
   class ApplicationRecord < ActiveRecord::Base
     self.abstract_class = true

data/app/models/authorio/request.rb

@@ -1,7 +1,54 @@
+# frozen_string_literal: true
+
 module Authorio
   class Request < ApplicationRecord
-    belongs_to :authorio_user, class_name: "::Authorio::User"
+    belongs_to :authorio_user, class_name: '::Authorio::User'
 
     validates_presence_of :code, :redirect_uri, :client
+
+    before_validation :set_code, on: :create
+    before_create :sweep_requests
+
+    # The IndieAuth spec uses 'client_id' to specify the client in the address, as a URL (eg "https://example.com")
+    # But Rails uses '_id' to tag associations (foreign keys). So we save that as 'client' here, but map
+    # client_id as an alias since that is what the HTTP parameter will be
+    def client_id=(value)
+      self.client = value
+    end
+
+    def validate_oauth(params)
+      redirect_uri == params[:redirect_uri] &&
+        client == params[:client_id] &&
+        created_at > 10.minutes.ago &&
+        code_challenge_matches(params[:code_verifier]) &&
+        self
+    end
+
+    def code_challenge_matches(verifier)
+      # For now, if original request did not have code challenge, then we pass by default
+      return true if code_challenge.blank?
+
+      sha256 = Digest::SHA256.digest verifier
+      Base64.urlsafe_encode64(sha256).sub(/=*$/, '') == code_challenge
+    end
+
+    def self.user_scope_description(scope)
+      USER_SCOPE_DESCRIPTION[scope.to_sym] || scope
+    end
+
+    private
+
+    def set_code
+      self.code = SecureRandom.hex(20)
+    end
+
+    def sweep_requests
+      Request.where(client: client, authorio_user: authorio_user).destroy_all
+    end
+
+    USER_SCOPE_DESCRIPTION = {
+      profile: 'View basic profile information',
+      email: 'View your email address'
+    }.freeze
   end
 end

data/app/models/authorio/session.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Authorio
+  class Session < ApplicationRecord
+    # Implement a session cookie store based on best security practices
+    # See: https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence
+    belongs_to :authorio_user, class_name: '::Authorio::User'
+
+    # 1. Protect against having database stolen by only storing token hashes
+    attribute :token # This will not be persisted in the DB
+    has_secure_token
+
+    before_create do
+      self.expires_at = Time.now + Authorio.configuration.token_expiration
+      self.selector = SecureRandom.hex(12)
+      self.hashed_token = Digest::SHA256.hexdigest token
+    end
+
+    # 2. To guard against timing attacks, we lookup tokens based on a separate selector attribute
+    #    and compare them using a secure time-constant comparison method
+    def self.find_by_cookie(cookie)
+      selector, _token = cookie.split(':')
+      session = find_by selector: selector
+      raise Authorio::Exceptions::SessionReplayAttack.new, session unless session.matches_cookie?(cookie)
+
+      session
+    end
+
+    def matches_cookie?(cookie)
+      _selector, token = cookie.split(':')
+      cookie_hashed_token = Digest::SHA256.hexdigest token
+      !expired? && ActiveSupport::SecurityUtils.secure_compare(cookie_hashed_token, hashed_token)
+    end
+
+    def expired?
+      expires_at < Time.now
+    end
+
+    def as_cookie
+      "#{selector}:#{token}"
+    end
+  end
+end

data/app/models/authorio/token.rb

@@ -1,8 +1,30 @@
+# frozen_string_literal: true
+
 module Authorio
   class Token < ApplicationRecord
-    belongs_to :authorio_user, class_name: "::Authorio::User"
+    belongs_to :authorio_user, class_name: '::Authorio::User'
     has_secure_token :auth_token
 
     validates_presence_of :scope, :client
+
+    before_create do
+      self.expires_at = Time.now + Authorio.configuration.token_expiration
+    end
+
+    # The token endpoint can get hit by bots, so short-circut the find if they
+    # don't send a bearer token
+    def self.find_by_auth_token(token)
+      token and find_by auth_token: token
+    end
+
+    def expired?
+      expires_at < Time.now
+    end
+
+    def self.create_from_request(req)
+      raise Exceptions::InvalidGrant, 'missing scope' if req.scope.blank?
+
+      Token.create(authorio_user: req.authorio_user, scope: req.scope, client: req.client)
+    end
   end
 end

data/app/models/authorio/user.rb

@@ -1,5 +1,19 @@
+# frozen_string_literal: true
+
 module Authorio
   class User < ApplicationRecord
     has_secure_password
+
+    class << self
+      def find_by_url!(url)
+        find_by_username!(URI(url).path)
+      end
+
+      def find_by_username!(name)
+        return first unless Authorio.configuration.multiuser
+
+        find_by(username: name) or raise Exceptions::UserNotFound
+      end
+    end
   end
 end

data/app/views/authorio/auth/authorization_interface.html.erb

@@ -1,37 +1,16 @@
-<!DOCTYPE html>
-<html lang="en-GB">
-  <head>
-    <meta charset="utf-8">
-    <title>Authorio Login</title>
-    <meta name="viewport" content="width=device-width, initial-scale=1">
-    <link rel="stylesheet"
-      href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"
-      integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u"
-      crossorigin="anonymous">
-    <%= stylesheet_link_tag "authorio/auth" %>
-  </head>
-  <body>
-    <div class="container authorio-auth">
-      <div class="row">
-        <div class="col-md-4">
-        </div>
-        <div class="col-md-4 auth-panel">
-          <h3>Authorio</h3>
-          <div class="client-row">
-            Authenticating with <span class="client"><%= params[:client_id] %>
-          </div>
-          <%= form_with(url: "authorize_user", method: :post) do |form| %>
-          <%= form.label(:url, "User URL") %>
-          <%= form.text_field(:url, value: @user_url, readonly: true) %>
-          <%= form.label(:password, "Password") %>
-          <%= form.password_field(:password, autofocus: true) %>
-          <%= form.hidden_field(:client, value: params[:client_id]) %>
-          <%= form.submit("Sign in", class: 'btn btn-success') %>
-          <% end %>
-        </div>
-        <div class="col-md-4">
-        </div>
+<% content_for :title, "Authorio Login" %>
+
+<div class="container authorio-auth">
+  <div class="row">
+    <div class="col-md-4"></div>
+    <div class="col-md-4 auth-panel">
+      <h3>Authorio</h3>
+      <div class="client-row">
+        <span class="client"><%= params[:client_id] %></span> wants to authenticate
+        <% if params[:scope] %>and also<% end %>
       </div>
+      <%= render 'shared/login_form', target: authorize_user_path, cancel: true %>
     </div>
-  </body>
-</html>
+    <div class="col-md-4"></div>
+  </div>
+</div>

data/app/views/authorio/auth/issue_token.json.jbuilder

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+json.access_token @token.auth_token
+json.expires_in Authorio.configuration.token_expiration
+json.token_type 'Bearer'
+json.scope @token.scope
+json.partial! 'authorio/users/profile', request: @auth_request

data/app/views/authorio/auth/send_profile.json.jbuilder

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+json.partial! 'authorio/users/profile', request: @request

data/app/views/authorio/auth/verify_token.json.jbuilder

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+json.me url_for(@token.authorio_user)
+json.client_id @token.client
+json.scope @token.scope

data/app/views/authorio/sessions/new.html.erb

@@ -0,0 +1,14 @@
+<%= stylesheet_link_tag "authorio/auth" %>
+<% content_for :title, "Authorio Local Login" %>
+
+<div class="container authorio-auth">
+  <div class="row">
+    <div class="col-md-4"></div>
+    <div class="col-md-4 auth-panel">
+      <h3>Authorio</h3>
+      <div class="client-row">Local Login</div>
+      <%= render 'shared/login_form', target: session_path(@session), cancel: false %>
+    </div>
+    <div class="col-md-4"></div>
+  </div>
+</div>

data/app/views/authorio/users/_profile.json.jbuilder

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+json.me profile_url(@auth_request.authorio_user)
+if @auth_request.scope&.include? 'profile'
+  json.profile do
+    json.name(@auth_request.authorio_user.full_name)
+    json.call(@auth_request.authorio_user, :url, :photo)
+    json.email(@auth_request.authorio_user.email) if @auth_request.scope.include?('email')
+  end
+end

data/app/views/authorio/users/edit.html.erb

@@ -0,0 +1,25 @@
+<%= stylesheet_link_tag "authorio/auth" %>
+<% content_for :title, "Account Settings" %>
+
+<div class="container authorio-auth">
+  <div class="row">
+    <div class="col-md-4"></div>
+    <div class="col-md-4 auth-panel">
+      <h3>Account Settings</h3>
+      <%= form_with model: @user do |form| %>
+        <%= form.label(:full_name, "Full Name") %>
+        <%= form.text_field(:full_name) %>
+        <%= form.label(:url, "URL") %>
+        <%= form.text_field(:url) %>
+        <%= form.label(:photo, "Photo URL") %>
+        <%= form.text_field(:photo) %>
+        <%= form.label(:email, "Email") %>
+        <%= form.text_field(:email) %>
+        <div class='auth-btn-row'>
+          <%= form.submit("Save Changes", class: 'btn btn-success auth-btn') %>
+        </div>
+      <% end -%>
+    </div>
+    <div class="col-md-4"></div>
+  </div>
+</div>

data/app/views/authorio/users/show.html.erb

@@ -0,0 +1,18 @@
+<%= stylesheet_link_tag "authorio/auth" %>
+<% content_for :title, "User Account" %>
+
+<%= indieauth_tag %>
+
+<div class="container authorio-auth">
+  <div class="row">
+    <div class="col-md-4"></div>
+    <div class="col-md-4 auth-panel">
+      <h3>IndieAuth Account</h3>
+        Full Name <%= @user.full_name %>
+        URL <%= @user.url %>
+        Photo <%= image_tag @user.photo %>
+        Email <%= @user.email %>
+    </div>
+    <div class="col-md-4"></div>
+  </div>
+</div>

data/app/views/authorio/users/verify.html.erb

@@ -0,0 +1 @@
+<%= indieauth_tag %>

data/app/views/layouts/authorio/main.html.erb

@@ -0,0 +1,38 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title><%= yield(:title) %></title>
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <link rel="stylesheet"
+    href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"
+    integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u"
+    crossorigin="anonymous">
+
+  <%= stylesheet_link_tag "authorio/application", media: "all" %>
+  <%= stylesheet_link_tag "authorio/auth" %>
+</head>
+<body>
+
+<% if logged_in? %>
+  <div class="topbar">
+    <ul>
+      <li>Authorio</li>
+      <li><a href="<%= edit_user_path(current_user) -%>">Account Settings</a></li>
+      <li><a href="<%= logout_path(method: :delete) -%>">Log Out</a></li>
+    </ul>
+  </div>
+<% end -%>
+
+<% flash.each do |key, value| %>
+      <div class="alert alert-warning">
+            <p><%= value %></p>
+      </div>
+<% end %>
+
+<%= yield %>
+
+</body>
+</html>

data/app/views/shared/_login_form.html.erb

@@ -0,0 +1,41 @@
+<%= form_with(url: target, method: :post) do |form| %>
+  <% if params[:scope] %>
+    <%= fields_for :scope do |req_scope| %>
+      <div class="scopes">
+        <ul class="scope">
+          <% for scope in params[:scope].split %>
+            <li>
+              <%= label_tag(:scope, class: 'scope-label') do %>
+                <%= req_scope.check_box(:scope, {multiple: true, checked: true}, scope, nil) %>
+                <%= user_scope_description scope %>
+              <% end -%>
+            </li>
+          <%- end %>
+        </ul>
+      </div>
+    <% end %>
+  <% end -%>
+  <%= fields_for :user do |user_scope| %>
+    <%= user_scope.hidden_field :dummy, value: 42 %>
+    <% if Authorio.configuration.multiuser %>
+      <%= user_scope.label(:username, "Username") %>
+      <%= user_scope.text_field(:username) %>
+    <% end -%>
+    <% unless logged_in? %>
+      <%= user_scope.label(:password, "Password") %>
+      <%= user_scope.password_field(:password, autofocus: true) %>
+      <% if rememberable? %>
+        <%= label_tag(:remember_me, class: 'remember') do %>
+          <%= user_scope.check_box :remember_me %>
+          <span class='r-m'>Remember me for <%= distance_of_time_in_words Authorio.configuration.local_session_lifetime -%></span>
+        <% end %>
+      <% end %>
+    <% end %>
+  <% end -%>
+  <div class='auth-btn-row'>
+    <%= form.submit("Sign in", class: 'btn btn-success auth-btn') %>
+    <% if cancel %>
+      <%= form.submit("Cancel", class: 'btn btn-default auth-btn') %>
+    <% end %>
+  </div>
+<% end %>

data/config/routes.rb

@@ -1,7 +1,17 @@
+# frozen_string_literal: true
+
 Authorio::Engine.routes.draw do
-	get Authorio.configuration.authorization_endpoint, controller: 'auth', action: 'authorization_interface'
-	post Authorio.configuration.authorization_endpoint, controller: 'auth', action: 'send_profile'
-	post '/authorize_user', controller: 'auth', action: 'authorize_user'
-	get Authorio.configuration.token_endpoint, controller: 'auth', action: 'verify_token'
-	post Authorio.configuration.token_endpoint, controller: 'auth', action: 'issue_token'
+  root to: 'authorio#index'
+
+  get Authorio.configuration.authorization_endpoint, controller: 'auth', action: 'authorization_interface'
+  resources :users, only: %i[show edit update]
+  post 'user/authorize', to: 'auth#authorize_user', as: 'authorize_user'
+  resource :session, only: %i[new create]
+  get 'session', to: 'sessions#destroy', as: 'logout'
+  get 'user/(:id)/verify', to: 'users#verify', as: 'verify_user'
+  defaults format: :json do
+    post Authorio.configuration.authorization_endpoint, controller: 'auth', action: 'send_profile'
+    get Authorio.configuration.token_endpoint, controller: 'auth', action: 'verify_token'
+    post Authorio.configuration.token_endpoint, controller: 'auth', action: 'issue_token'
+  end
 end