authorio 0.8.2 → 0.8.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b69bae6ee41c0e027922f5bc07b2bc61c72c86026a8e42eee97366453858af43
-  data.tar.gz: 496cb0ada5d2802e789b34e28ed21dc320b4ce76c9b9036b705ea8f7219efa8a
+  metadata.gz: a5ecd8cf849002e116b21a3c4f0073fc17988e62791f356ab57a703397edc77c
+  data.tar.gz: 4c0c4908c722b65ccd1559b5fea382231933e2840e5d0b6e08271ed5efd43f15
 SHA512:
-  metadata.gz: 9a361fbec959948621257d111de2af8256fc23fee38be56660c66b5b68b8f80972660317ac06d997c93cd28b62406387089a67110894d09acdf34d60e2b8635c
-  data.tar.gz: a887161dd53aedea2527d1678db6fc6cd7c7d22aff6631442cde63d61d4f6093f29c08bcab8ef20c278d255e247eb5fcb8c5be549ced931f81ac2954e8d1c7fe
+  metadata.gz: 8bb01ec581f584fe9eadc7d77d477fa2f57e8883101ba51b5f8cb8729bf7486f061bc996a17cab023d476119dda8f37d7676a7f04e281180ad8dda8e649eb16c
+  data.tar.gz: 7d8e0e19113cd7748a64212ee98f514ba953027409adf20a71b47f14c3e1c5ef0db28924bca9afa4fd498ea56a686b1169f2f8ceb7f53297472c6b9cd34d86cf

data/README.md

@@ -136,6 +136,10 @@ on a public-access computer. Default is *nil* (disabled)
 - [ ] Customizing the authentication view/UI
 - [ ] Customizing the authentication method
 
+## User Profile
+
+You can set up your <a href="doc/profile.md">user profile</a> which can be sent to authenticating clients.
+
 ## Contributing
 Send pull requests to [Authorio on GitHub](https://github.com/reiterate-app/authorio)
 

data/app/assets/stylesheets/authorio/auth.css

@@ -61,3 +61,35 @@ span.r-m {
 label.remember {
 	margin-top: -1em;
 }
+
+div.scopes {
+	margin-top: -1.5em;
+}
+
+ul.scope {
+	list-style: none;
+	padding-left: 20px;
+}
+
+ul.scope li label {
+	font-weight: normal;
+}
+
+div.topbar {
+	border-bottom: 1px solid darkgray;
+}
+
+div.topbar li {
+	display: inline-block;
+	padding: 12px;
+}
+
+div.topbar ul {
+	margin: 0 10px;
+	padding: 0;
+	text-align: right;
+}
+
+div.topbar li:first-child {
+	float: left;
+}

data/app/controllers/authorio/auth_controller.rb

@@ -1,8 +1,7 @@
 module Authorio
-  class AuthController < ActionController::Base
+  class AuthController < AuthorioController
     require 'uri'
     require 'digest'
-    layout 'authorio/main'
 
     # These API-only endpoints are protected by code challenge and do not need CSRF protextion
     protect_from_forgery with: :exception, except: [:send_profile, :issue_token]
@@ -13,51 +12,45 @@ module Authorio
       Authorio::Session.where(user: exception.session.user).delete_all
     end
 
+    helper_method :user_scope_description
+
+    # GET /auth
     def authorization_interface
-      p = auth_req_params
-      p[:me] ||= "#{host_with_protocol}/"
-      @user = User.find_by! profile_path: URI(p[:me]).path
+      %w(client_id redirect_uri state code_challenge).each do |param|
+        raise ::ActionController::ParameterMissing, param unless params[param].present?
+      end
+      @user = User.find_by_url! params[:me]
 
       # If there are any old requests from this (client, user), delete them now
-      Request.where(authorio_user: @user, client: p[:client_id]).delete_all
-
-      auth_request = Request.new.tap do |req|
-        req.code = SecureRandom.hex(20)
-        req.redirect_uri = p[:redirect_uri]
-        req.client = p[:client_id] # IndieAuth client_id conflicts with Rails' _id foreign key convention
-        req.scope = p[:scope]
-        req.authorio_user = @user
-      end
-      auth_request.save
-      session[:state] = p[:state]
-      session[:code_challenge] = p[:code_challenge]
-      session[:client_id] = p[:client_id]
-      @user_logged_in_locally = !user_session.nil?
+      Request.where(authorio_user: @user, client: params[:client_id]).delete_all
+
+      auth_request = Request.create(
+        code: SecureRandom.hex(20),
+        redirect_uri: params[:redirect_uri],
+        client: params[:client_id], # IndieAuth client_id conflicts with Rails' _id foreign key convention
+        scope: params[:scope],
+        authorio_user: @user
+        )
+      session.update request.parameters.slice(*%w(state client_id code_challenge))
       @rememberable = Authorio.configuration.local_session_lifetime && !@user_logged_in_locally
-
+      @scope = params[:scope]&.split
     rescue ActiveRecord::RecordNotFound
       redirect_back_with_error "Invalid user"
+    rescue ActionController::ParameterMissing => error
+      render oauth_error "invalid_request", "missing parameter #{error}"
     end
 
+    # POST /user/:id/authorize
     def authorize_user
-      p = auth_user_params
-
-      if params[:commit] == "Cancel"
-        redirect_to session[:client_id] and return
-      end
+      redirect_to session[:client_id] and return if params[:commit] == "Cancel"
 
       user = authenticate_user_from_session_or_password
-      if p[:remember_me]
-        cookies.encrypted[:user] = {
-          value: Authorio::Session.create(authorio_user: user).as_cookie,
-          expires: Authorio.configuration.local_session_lifetime
-        }
-      end
+      set_session_cookie(user) if auth_user_params[:remember_me]
 
       auth_req = Request.find_by! client: session[:client_id], authorio_user: user
-      params = { code: auth_req.code, state: session[:state] }
-      redirect_to "#{auth_req.redirect_uri}?#{params.to_query}"
-
+      auth_req.update_scope(scope_params[:scope]) if params.has_key? :scope
+      redirect_params = { code: auth_req.code, state: session[:state] }
+      redirect_to "#{auth_req.redirect_uri}?#{redirect_params.to_query}"
     rescue ActiveRecord::RecordNotFound
       redirect_back_with_error "Invalid user"
     rescue Authorio::Exceptions::InvalidPassword
@@ -65,24 +58,24 @@ module Authorio
     end
 
     def send_profile
-      render json: { 'me': user_url(validate_request.authorio_user) }
-    rescue Authorio::Exceptions::InvalidGrant
-      render invalid_grant
+      request = validate_request
+      render json: profile(request)
+    rescue Authorio::Exceptions::InvalidGrant => error
+      render oauth_error 'invalid_grant', error.message
     end
 
     def issue_token
       req = validate_request
-      raise Authorio::Exceptions::InvalidGrant.new if req.scope.blank?
+      raise Authorio::Exceptions::InvalidGrant, 'missing scope' if req.scope.blank?
       token = Token.create(authorio_user: req.authorio_user, scope: req.scope, client: req.client)
       render json: {
-        'me': user_url(req.authorio_user),
         'access_token': token.auth_token,
         'scope': req.scope,
         'expires_in': Authorio.configuration.token_expiration,
         'token_type': 'Bearer'
-      }
-    rescue Authorio::Exceptions::InvalidGrant
-      render invalid_grant
+      }.merge(profile(req))
+    rescue Authorio::Exceptions::InvalidGrant => error
+      render oauth_error, 'invalid_grant', error.message
     end
 
     def verify_token
@@ -103,29 +96,14 @@ module Authorio
 
     private
 
-    def auth_req_params
-      %w(client_id redirect_uri state code_challenge).each do |param|
-        unless params.key?(param) && !params[param].empty?
-          raise ::ActionController::ParameterMissing.new(param)
-        end
-      end
-      params.permit(:response_type, :code_challenge, :code_challenge_method, :scope, :me, :redirect_uri, :client_id, :state)
-    end
-
-    def auth_user_params
-      params.require(:user).permit(:password, :url, :remember_me)
+    def scope_params
+      params.require(:scope).permit(scope: [])
     end
 
-    def host_with_protocol
-      "#{request.scheme}://#{request.host}"
-    end
-
-    def user_url(user)
-      "#{host_with_protocol}#{user.profile_path}"
-    end
-
-    def invalid_grant
-      { json: { 'error': 'invalid_grant' }, status: :bad_request }
+    def oauth_error(error, message=nil)
+      resp = { json: {'error': error} }
+      resp[:json]['error_message'] = message unless message.nil?
+      { json: resp, status: :bad_request }
     end
 
     def token_expired
@@ -142,33 +120,42 @@ module Authorio
 
     def invalid_request?(req)
       req.redirect_uri != params[:redirect_uri] \
-        || req.client != params[:client_id] \
-        || req.created_at < Time.now - 10.minutes
+      || req.client != params[:client_id] \
+      || req.created_at < Time.now - 10.minutes
     end
 
     def validate_request
       req = Request.find_by code: params[:code]
-      raise Authorio::Exceptions::InvalidGrant.new if req.nil?
+      raise Authorio::Exceptions::InvalidGrant, "code not found" if req.nil?
       req.delete
-      raise Authorio::Exceptions::InvalidGrant.new if invalid_request?(req) || code_challenge_failed?
+      raise Authorio::Exceptions::InvalidGrant, "validation failed" if invalid_request?(req) || code_challenge_failed?
       req
     end
 
+    def profile(request)
+      profile = { me: user_url(request.authorio_user) }
+      if request.scope
+        scopes = request.scope.split
+        if scopes.include? 'profile'
+          profile['profile'] = {
+            name: request.authorio_user.full_name,
+            url: request.authorio_user.url,
+            photo: request.authorio_user.photo
+          }.compact
+          if scopes.include? 'email'
+            profile['profile']['email'] = request.authorio_user.email
+          end
+        end
+      end
+      profile
+    end
+
     def bearer_token
       bearer = /^Bearer /
       header = request.headers['Authorization']
       header.gsub(bearer, '') if header && header.match(bearer)
     end
 
-    def user_session
-      cookie = cookies.encrypted[:user] and Session.find_by_cookie(cookie)
-    end
-
-    def redirect_back_with_error(error)
-      flash[:alert] = error
-      redirect_back fallback_location: Authorio.authorization_path, allow_other_host: false
-    end
-
     def authenticate_user_from_session_or_password
       session = user_session
       if session
@@ -180,5 +167,15 @@ module Authorio
       end
     end
 
+    ScopeDescriptions = {
+      'profile': 'View basic profile information',
+      'email': 'View your email address',
+      'offline_access': 'Keep you logged in permanently (until revoked)'
+    }
+
+    def user_scope_description(scope)
+      ScopeDescriptions.dig(scope.to_sym) || scope
+    end
+
   end
 end

data/app/controllers/authorio/authorio_controller.rb

@@ -0,0 +1,66 @@
+module Authorio
+  class AuthorioController < ActionController::Base
+    layout 'authorio/main'
+
+    helper_method :logged_in?, :rememberable?, :user_url, :current_user
+
+    def index
+      if logged_in?
+        redirect_to edit_user_path(1)
+      else
+        redirect_to new_session_path
+      end
+    end
+
+    def user_session
+      if session[:user_id]
+        Session.new(authorio_user: Authorio::User.find(session[:user_id]))
+      else
+        cookie = cookies.encrypted[:user] and Session.find_by_cookie(cookie)
+      end
+    end
+
+    def logged_in?
+      !user_session.nil?
+    end
+
+    def rememberable?
+      !logged_in? && Authorio.configuration.local_session_lifetime
+    end
+
+    def authorized?
+      redirect_to new_session_path unless logged_in?
+    end
+
+    def current_user
+      user_session&.authorio_user.id
+    end
+
+    def user_url(user)
+      "#{host_with_protocol}#{user.profile_path}"
+    end
+
+    protected
+
+    def auth_user_params
+      params.require(:user).permit(:password, :url, :remember_me)
+    end
+
+    def set_session_cookie(user)
+      cookies.encrypted[:user] = {
+        value: Authorio::Session.create(authorio_user: user).as_cookie,
+        expires: Authorio.configuration.local_session_lifetime
+      }
+    end
+
+    def redirect_back_with_error(error)
+      flash[:alert] = error
+      redirect_back fallback_location: Authorio.authorization_path, allow_other_host: false
+    end
+
+    def host_with_protocol
+      "#{request.scheme}://#{request.host}"
+    end
+
+  end
+end

data/app/controllers/authorio/sessions_controller.rb

@@ -0,0 +1,32 @@
+module Authorio
+  class SessionsController < AuthorioController
+
+    # GET /session/new
+    def new
+      @session = Session.new(authorio_user: User.first)
+    end
+
+    # POST /session
+    def create
+      user = User.find_by! profile_path: URI(auth_user_params[:url]).path
+      raise Exceptions::InvalidPassword unless user.authenticate(auth_user_params[:password])
+      set_session_cookie(user) if auth_user_params[:remember_me]
+
+      # Even if we don't have a permanent remember-me session, we make a temporary session
+      session[:user_id] = user.id
+      redirect_to edit_user_path(user)
+    rescue Exceptions::InvalidPassword
+      redirect_back_with_error "Incorrect password. Try again."
+    end
+
+    # DELETE /session
+    def destroy
+      reset_session
+      if (cookie = cookies.encrypted[:user]) && session = Session.find_by_cookie(cookie)
+        cookies.delete :user
+        session.destroy
+      end
+      redirect_to new_session_path
+    end
+  end
+end

data/app/controllers/authorio/users_controller.rb

@@ -0,0 +1,24 @@
+module Authorio
+  class UsersController < AuthorioController
+
+    before_action :authorized?
+
+    # GET   /users/:id/edit
+    def edit
+      @user = User.find(params[:id])
+    end
+
+    # PATCH /users/:id
+    def update
+      User.find(params[:id]).update(user_params)
+      flash[:info] = "Profile Saved"
+      redirect_to edit_user_path
+    end
+
+    private
+
+    def user_params
+      params.require(:user).permit(:url, :photo, :full_name, :email)
+    end
+  end
+end

data/app/models/authorio/request.rb

@@ -3,5 +3,10 @@ module Authorio
     belongs_to :authorio_user, class_name: "::Authorio::User"
 
     validates_presence_of :code, :redirect_uri, :client
+
+    # User has the right to modify requested scope
+    def update_scope(scope)
+      update(scope: scope.join(' '))
+    end
   end
 end

data/app/models/authorio/session.rb

@@ -30,7 +30,7 @@ module Authorio
     end
     
     def expired?
-      return expires_at < Time.now
+      expires_at < Time.now
     end
 
     def as_cookie

data/app/models/authorio/user.rb

@@ -1,5 +1,10 @@
 module Authorio
   class User < ApplicationRecord
     has_secure_password
+
+    def self.find_by_url!(url)
+      find_by! profile_path: URI(url || "/").path
+    end
+
   end
 end

data/app/views/authorio/auth/authorization_interface.html.erb

@@ -1,4 +1,3 @@
-<%= stylesheet_link_tag "authorio/auth" %>
 <% content_for :title, "Authorio Login" %>
 
 <div class="container authorio-auth">
@@ -7,26 +6,10 @@
     <div class="col-md-4 auth-panel">
       <h3>Authorio</h3>
       <div class="client-row">
-        Authenticating with <span class="client"><%= params[:client_id] %>
+        <span class="client"><%= params[:client_id] %></span> wants to authenticate
+        <% if @scope %>and also<% end %>
       </div>
-      <%= form_with(model: @user, url: authorize_user_path(@user), method: :post) do |form| %>
-        <%= form.label(:url, "User URL") %>
-        <%= form.text_field(:url, value: params[:me], readonly: true) %>
-        <% unless @user_logged_in_locally %>
-          <%= form.label(:password, "Password") %>
-          <%= form.password_field(:password, autofocus: true) %>
-          <% if @rememberable %>
-            <%= label_tag(:remember_me, class: 'remember') do %>
-              <%= form.check_box :remember_me %>
-              <span class='r-m'>Remember me for <%= distance_of_time_in_words Authorio.configuration.local_session_lifetime -%></span>
-            <% end %>
-          <% end %>
-        <% end %>
-        <div class='auth-btn-row'>
-          <%= form.submit("Cancel", class: 'btn btn-default auth-btn') %>
-          <%= form.submit("Sign in", class: 'btn btn-success auth-btn') %>
-        </div>
-      <% end %>
+      <%= render 'shared/login_form', target: authorize_user_path(@user), user: @user, scopes: @scope, cancel: true %>
     </div>
     <div class="col-md-4"></div>
   </div>

data/app/views/authorio/sessions/new.html.erb

@@ -0,0 +1,15 @@
+<%= stylesheet_link_tag "authorio/auth" %>
+<% content_for :title, "Authorio Local Login" %>
+
+<div class="container authorio-auth">
+  <div class="row">
+    <div class="col-md-4"></div>
+    <div class="col-md-4 auth-panel">
+      <h3>Authorio</h3>
+      <div class="client-row">Local Login</div>
+      <%= render 'shared/login_form', target: session_path(@session),
+       user: @session.authorio_user, scopes: nil, cancel: false %>
+    </div>
+    <div class="col-md-4"></div>
+  </div>
+</div>

data/app/views/authorio/users/edit.html.erb

@@ -0,0 +1,25 @@
+<%= stylesheet_link_tag "authorio/auth" %>
+<% content_for :title, "Account Settings" %>
+
+<div class="container authorio-auth">
+  <div class="row">
+    <div class="col-md-4"></div>
+    <div class="col-md-4 auth-panel">
+      <h3>Account Settings</h3>
+      <%= form_with model: @user do |form| %>
+        <%= form.label(:full_name, "Full Name") %>
+        <%= form.text_field(:full_name) %>
+        <%= form.label(:url, "URL") %>
+        <%= form.text_field(:url) %>
+        <%= form.label(:photo, "Photo URL") %>
+        <%= form.text_field(:photo) %>
+        <%= form.label(:email, "Email") %>
+        <%= form.text_field(:email) %>
+        <div class='auth-btn-row'>
+          <%= form.submit("Save Changes", class: 'btn btn-success auth-btn') %>
+        </div>
+      <% end -%>
+    </div>
+    <div class="col-md-4"></div>
+  </div>
+</div>

data/app/views/layouts/authorio/main.html.erb

@@ -11,9 +11,20 @@
     integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u"
     crossorigin="anonymous">
 
-  <%= stylesheet_link_tag    "authorio/application", media: "all" %>
+  <%= stylesheet_link_tag "authorio/application", media: "all" %>
+  <%= stylesheet_link_tag "authorio/auth" %>
 </head>
-<body data-no-turbolinks="true" data-turbolinks="false">
+<body>
+
+<% if logged_in? %>
+  <div class="topbar">
+    <ul>
+      <li>Authorio</li>
+      <li><a href="<%= edit_user_path(current_user) -%>">Account Settings</a></li>
+      <li><a href="<%= logout_path(method: :delete) -%>">Log Out</a></li>
+    </ul>
+  </div>
+<% end -%>
 
 <% flash.each do |key, value| %>
       <div class="alert alert-warning">

data/app/views/shared/_login_form.html.erb

@@ -0,0 +1,36 @@
+<%= form_with(model: user, url: target, method: :post) do |form| %>
+  <% if scopes %>
+    <%= fields_for :scope do |req_scope| %>
+      <div class="scopes">
+        <ul class="scope">
+          <% for scope in scopes %>
+            <li>
+              <%= label_tag(:scope, class: 'scope-label') do %>
+                <%= req_scope.check_box(:scope, {multiple: true, checked: true}, scope, nil) %>
+                <%= user_scope_description scope %>
+              <% end -%>
+            </li>
+          <%- end %>
+        </ul>
+      </div>
+    <% end %>
+  <% end -%>
+  <%= form.label(:url, "User URL") %>
+  <%= form.text_field(:url, value: params[:me] || user_url(user), readonly: true) %>
+  <% unless logged_in? %>
+    <%= form.label(:password, "Password") %>
+    <%= form.password_field(:password, autofocus: true) %>
+    <% if rememberable? %>
+      <%= label_tag(:remember_me, class: 'remember') do %>
+        <%= form.check_box :remember_me %>
+        <span class='r-m'>Remember me for <%= distance_of_time_in_words Authorio.configuration.local_session_lifetime -%></span>
+      <% end %>
+    <% end %>
+  <% end %>
+  <div class='auth-btn-row'>
+    <% if cancel %>
+      <%= form.submit("Cancel", class: 'btn btn-default auth-btn') %>
+    <% end %>
+    <%= form.submit("Sign in", class: 'btn btn-success auth-btn') %>
+  </div>
+<% end %>

data/config/routes.rb

@@ -1,9 +1,12 @@
 Authorio::Engine.routes.draw do
 	get Authorio.configuration.authorization_endpoint, controller: 'auth', action: 'authorization_interface'
 	post Authorio.configuration.authorization_endpoint, controller: 'auth', action: 'send_profile'
-	resources :users do
+	resources :users, only: [:edit, :update] do
 		post 'authorize', on: :member, to: 'auth#authorize_user'
 	end
+	resource :session, only: [:new, :create]
+	get 'session' => 'sessions#destroy', as: 'logout'
 	get Authorio.configuration.token_endpoint, controller: 'auth', action: 'verify_token'
 	post Authorio.configuration.token_endpoint, controller: 'auth', action: 'issue_token'
-end
+	root to: 'authorio#index'
+end

data/db/migrate/20210801184120_add_profile_to_users.rb

@@ -0,0 +1,8 @@
+class AddProfileToUsers < ActiveRecord::Migration[6.1]
+  def change
+    add_column :authorio_users, :email, :string
+    add_column :authorio_users, :full_name, :string
+    add_column :authorio_users, :url, :string
+    add_column :authorio_users, :photo, :string
+  end
+end

data/lib/authorio/engine.rb

@@ -9,7 +9,7 @@ module Authorio
 		end
 
 		initializer "authorio.assets.precompile" do |app|
-			app.config.assets.precompile += %w( authorio/auth.css )
+			app.config.assets.precompile += %w( authorio/auth.css authorio/application.css )
 		end
 	end
 end

data/lib/authorio/version.rb

@@ -1,3 +1,3 @@
 module Authorio
-  VERSION = '0.8.2'
+  VERSION = '0.8.3'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authorio
 version: !ruby/object:Gem::Version
-  version: 0.8.2
+  version: 0.8.3
 platform: ruby
 authors:
 - Michael Meckler
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-07-26 00:00:00.000000000 Z
+date: 2021-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -114,6 +114,9 @@ files:
 - app/assets/stylesheets/authorio/application.css
 - app/assets/stylesheets/authorio/auth.css
 - app/controllers/authorio/auth_controller.rb
+- app/controllers/authorio/authorio_controller.rb
+- app/controllers/authorio/sessions_controller.rb
+- app/controllers/authorio/users_controller.rb
 - app/helpers/authorio/tag_helper.rb
 - app/jobs/authorio/application_job.rb
 - app/models/authorio/application_record.rb
@@ -122,13 +125,17 @@ files:
 - app/models/authorio/token.rb
 - app/models/authorio/user.rb
 - app/views/authorio/auth/authorization_interface.html.erb
+- app/views/authorio/sessions/new.html.erb
+- app/views/authorio/users/edit.html.erb
 - app/views/layouts/authorio/main.html.erb
+- app/views/shared/_login_form.html.erb
 - config/routes.rb
 - db/migrate/20210627230156_create_authorio_users.rb
 - db/migrate/20210627230416_create_authorio_requests.rb
 - db/migrate/20210707230416_create_authorio_tokens.rb
 - db/migrate/20210723161041_add_expiry_to_tokens.rb
 - db/migrate/20210726164625_create_authorio_sessions.rb
+- db/migrate/20210801184120_add_profile_to_users.rb
 - lib/authorio.rb
 - lib/authorio/configuration.rb
 - lib/authorio/engine.rb