authorio 0.8.3 → 0.8.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a5ecd8cf849002e116b21a3c4f0073fc17988e62791f356ab57a703397edc77c
-  data.tar.gz: 4c0c4908c722b65ccd1559b5fea382231933e2840e5d0b6e08271ed5efd43f15
+  metadata.gz: 78659edadab6ff85d24828c318525bac7b62b4a76b9905e0a1d819ec266f9d46
+  data.tar.gz: 817fe77d1c1fd89e68df07a594725997d598e0f0027210d083762da50cb447fd
 SHA512:
-  metadata.gz: 8bb01ec581f584fe9eadc7d77d477fa2f57e8883101ba51b5f8cb8729bf7486f061bc996a17cab023d476119dda8f37d7676a7f04e281180ad8dda8e649eb16c
-  data.tar.gz: 7d8e0e19113cd7748a64212ee98f514ba953027409adf20a71b47f14c3e1c5ef0db28924bca9afa4fd498ea56a686b1169f2f8ceb7f53297472c6b9cd34d86cf
+  metadata.gz: 8205bfe7bc6798f560da3f56b19f26822653d6f6fb8baac925be38a713f871e1faf90f0492ea25187124cd98db928a7d875da47b53faf14afe1efc6418498dbd
+  data.tar.gz: 3c772c7777f016316911f36573f5d2982ca27a40edb18dcac16782fb380021971feaeea4271adebe411101b39a9bb544d3f27f88dec93d72aae6f0e5adc483fd

data/app/controllers/authorio/auth_controller.rb

@@ -1,181 +1,119 @@
+# frozen_string_literal: true
+
 module Authorio
   class AuthController < AuthorioController
     require 'uri'
     require 'digest'
 
     # These API-only endpoints are protected by code challenge and do not need CSRF protextion
-    protect_from_forgery with: :exception, except: [:send_profile, :issue_token]
+    protect_from_forgery with: :exception, except: %i[send_profile issue_token]
 
     rescue_from 'Authorio::Exceptions::SessionReplayAttack' do |exception|
-      redirect_back_with_error "Session Replay attack detected. This has been logged."
-      logger.info "Session replay attack detected!"
-      Authorio::Session.where(user: exception.session.user).delete_all
+      redirect_back_with_error 'Session Replay attack detected. This has been logged.'
+      logger.info 'Session replay attack detected!'
+      Session.where(user: exception.session.user).delete_all
+    end
+    rescue_from 'Authorio::Exceptions::UserNotFound' do
+      redirect_back_with_error 'User not found'
+    end
+    rescue_from 'Authorio::Exceptions::InvalidPassword' do
+      redirect_back_with_error 'Incorrect password. Try again.'
     end
-
-    helper_method :user_scope_description
 
     # GET /auth
     def authorization_interface
-      %w(client_id redirect_uri state code_challenge).each do |param|
-        raise ::ActionController::ParameterMissing, param unless params[param].present?
-      end
-      @user = User.find_by_url! params[:me]
-
-      # If there are any old requests from this (client, user), delete them now
-      Request.where(authorio_user: @user, client: params[:client_id]).delete_all
-
-      auth_request = Request.create(
-        code: SecureRandom.hex(20),
-        redirect_uri: params[:redirect_uri],
-        client: params[:client_id], # IndieAuth client_id conflicts with Rails' _id foreign key convention
-        scope: params[:scope],
-        authorio_user: @user
-        )
-      session.update request.parameters.slice(*%w(state client_id code_challenge))
-      @rememberable = Authorio.configuration.local_session_lifetime && !@user_logged_in_locally
-      @scope = params[:scope]&.split
-    rescue ActiveRecord::RecordNotFound
-      redirect_back_with_error "Invalid user"
-    rescue ActionController::ParameterMissing => error
-      render oauth_error "invalid_request", "missing parameter #{error}"
+      session.update auth_interface_params.slice(:state, :client_id, :code_challenge, :redirect_uri)
+    rescue ActionController::ParameterMissing, ActionController::UnpermittedParameters => e
+      render oauth_error 'invalid_request', e
     end
 
     # POST /user/:id/authorize
     def authorize_user
-      redirect_to session[:client_id] and return if params[:commit] == "Cancel"
+      redirect_to session[:client_id] and return if params[:commit] == 'Cancel'
 
       user = authenticate_user_from_session_or_password
-      set_session_cookie(user) if auth_user_params[:remember_me]
-
-      auth_req = Request.find_by! client: session[:client_id], authorio_user: user
-      auth_req.update_scope(scope_params[:scope]) if params.has_key? :scope
-      redirect_params = { code: auth_req.code, state: session[:state] }
-      redirect_to "#{auth_req.redirect_uri}?#{redirect_params.to_query}"
-    rescue ActiveRecord::RecordNotFound
-      redirect_back_with_error "Invalid user"
-    rescue Authorio::Exceptions::InvalidPassword
-      redirect_back_with_error "Incorrect password. Try again."
+      write_session_cookie(user) if auth_user_params[:remember_me]
+      redirect_to_client(user)
     end
 
     def send_profile
-      request = validate_request
-      render json: profile(request)
-    rescue Authorio::Exceptions::InvalidGrant => error
-      render oauth_error 'invalid_grant', error.message
+      @request = validate_request Request.find_by! code: params[:code]
+    rescue Exceptions::InvalidGrant, ActiveRecord::RecordNotFound => e
+      render oauth_error 'invalid_grant', e.message
     end
 
     def issue_token
-      req = validate_request
-      raise Authorio::Exceptions::InvalidGrant, 'missing scope' if req.scope.blank?
-      token = Token.create(authorio_user: req.authorio_user, scope: req.scope, client: req.client)
-      render json: {
-        'access_token': token.auth_token,
-        'scope': req.scope,
-        'expires_in': Authorio.configuration.token_expiration,
-        'token_type': 'Bearer'
-      }.merge(profile(req))
-    rescue Authorio::Exceptions::InvalidGrant => error
-      render oauth_error, 'invalid_grant', error.message
+      @request = validate_request Request.find_by! code: params[:code]
+      @token = Token.create_from_request(@request)
+    rescue Exceptions::InvalidGrant, ActiveRecord::RecordNotFound => e
+      render oauth_error 'invalid_grant', e.message
     end
 
     def verify_token
-      token = Token.find_by! auth_token: bearer_token
-      if token.expired?
-        token.delete
-        render token_expired
-      else
-        render json: {
-          'me': user_url(token.authorio_user),
-          'client_id': token.client,
-          'scope': 'token.scope'
-        }
-      end
-    rescue ActiveRecord::RecordNotFound
-      head :bad_request
+      @token = Token.find_by_auth_token(bearer_token) or (head :bad_request and return)
+      return unless @token.expired?
+
+      @token.delete
+      render token_expired
     end
 
     private
 
+    def auth_interface_params
+      @auth_interface_params ||= begin
+        required = %w[client_id redirect_uri state code_challenge]
+        permitted = %w[me scope code_challenge_method response_type action controller]
+        missing = required - params.keys
+        raise ::ActionController::ParameterMissing, missing unless missing.empty?
+
+        unpermitted = params.keys - required - permitted
+        raise ::ActionController::UnpermittedParameters, unpermitted unless unpermitted.empty?
+
+        params.permit!
+      end
+    end
+
     def scope_params
       params.require(:scope).permit(scope: [])
     end
 
-    def oauth_error(error, message=nil)
-      resp = { json: {'error': error} }
-      resp[:json]['error_message'] = message unless message.nil?
-      { json: resp, status: :bad_request }
+    def oauth_error(error, message = nil, status = :bad_request)
+      { json: { json: { error: error, error_message: message }.compact },
+        status: status }
     end
 
     def token_expired
-      { json: {'error': 'invalid_token', 'error_message': 'The access token has expired' }, status: :unauthorized }
+      oauth_error('invalid_token', 'The access token has expired', :unauthorized)
     end
 
     def code_challenge_failed?
       # For now, if original request did not have code challenge, then we pass by default
-      return false if session[:code_challenge].nil?
+      return unless session[:code_challenge]
+
       sha256 = Digest::SHA256.hexdigest params[:code_verifier]
-      base64 = Base64.urlsafe_encode64 sha256
-      return base64 != session[:code_challenge]
-    end
-
-    def invalid_request?(req)
-      req.redirect_uri != params[:redirect_uri] \
-      || req.client != params[:client_id] \
-      || req.created_at < Time.now - 10.minutes
-    end
-
-    def validate_request
-      req = Request.find_by code: params[:code]
-      raise Authorio::Exceptions::InvalidGrant, "code not found" if req.nil?
-      req.delete
-      raise Authorio::Exceptions::InvalidGrant, "validation failed" if invalid_request?(req) || code_challenge_failed?
-      req
-    end
-
-    def profile(request)
-      profile = { me: user_url(request.authorio_user) }
-      if request.scope
-        scopes = request.scope.split
-        if scopes.include? 'profile'
-          profile['profile'] = {
-            name: request.authorio_user.full_name,
-            url: request.authorio_user.url,
-            photo: request.authorio_user.photo
-          }.compact
-          if scopes.include? 'email'
-            profile['profile']['email'] = request.authorio_user.email
-          end
-        end
-      end
-      profile
+      Base64.urlsafe_encode64(sha256) != session[:code_challenge]
     end
 
-    def bearer_token
-      bearer = /^Bearer /
-      header = request.headers['Authorization']
-      header.gsub(bearer, '') if header && header.match(bearer)
-    end
+    def validate_request(request)
+      raise Exceptions::InvalidGrant, 'validation failed' if request.invalid?(params) || code_challenge_failed?
 
-    def authenticate_user_from_session_or_password
-      session = user_session
-      if session
-        return session.authorio_user
-      else
-        user = User.find_by! profile_path: URI(auth_user_params[:url]).path
-        raise Authorio::Exceptions::InvalidPassword unless user.authenticate(auth_user_params[:password])
-        return user
-      end
+      request
     end
 
-    ScopeDescriptions = {
-      'profile': 'View basic profile information',
-      'email': 'View your email address',
-      'offline_access': 'Keep you logged in permanently (until revoked)'
-    }
-
-    def user_scope_description(scope)
-      ScopeDescriptions.dig(scope.to_sym) || scope
+    def redirect_to_client(user)
+      auth_req = Request.create(client: session[:client_id],
+                                redirect_uri: session[:redirect_uri],
+                                scope: (scope_params[:scope].join(' ') if params.key? :scope),
+                                authorio_user: user)
+      redirect_params = { code: auth_req.code, state: session[:state] }
+      redirect_to "#{auth_req.redirect_uri}?#{redirect_params.to_query}"
     end
 
+    def authenticate_user_from_session_or_password
+      user_session&.authorio_user or
+        User.find_by_username!(auth_user_params[:username])
+            .authenticate(auth_user_params[:password]) or
+        raise Exceptions::InvalidPassword
+    end
   end
 end

data/app/controllers/authorio/authorio_controller.rb

@@ -1,12 +1,15 @@
+# frozen_string_literal: true
+
 module Authorio
   class AuthorioController < ActionController::Base
     layout 'authorio/main'
 
-    helper_method :logged_in?, :rememberable?, :user_url, :current_user
+    helper_method :logged_in?, :rememberable?, :current_user,
+                  :user_scope_description, :profile_url
 
     def index
       if logged_in?
-        redirect_to edit_user_path(1)
+        redirect_to edit_user_path(current_user)
       else
         redirect_to new_session_path
       end
@@ -33,20 +36,28 @@ module Authorio
     end
 
     def current_user
-      user_session&.authorio_user.id
+      user_session&.authorio_user&.id
+    end
+
+    def user_scope_description(scope)
+      Authorio::Request.user_scope_description(scope)
     end
 
-    def user_url(user)
-      "#{host_with_protocol}#{user.profile_path}"
+    def profile_url(user)
+      if Authorio.configuration.multiuser
+        verify_user_url(user)
+      else
+        "#{request.scheme}://#{request.host}"
+      end
     end
 
     protected
 
     def auth_user_params
-      params.require(:user).permit(:password, :url, :remember_me)
+      params.require(:user).permit(:username, :password, :remember_me)
     end
 
-    def set_session_cookie(user)
+    def write_session_cookie(user)
       cookies.encrypted[:user] = {
         value: Authorio::Session.create(authorio_user: user).as_cookie,
         expires: Authorio.configuration.local_session_lifetime
@@ -55,12 +66,13 @@ module Authorio
 
     def redirect_back_with_error(error)
       flash[:alert] = error
-      redirect_back fallback_location: Authorio.authorization_path, allow_other_host: false
+      redirect_back fallback_location: Authorio.authorization_path.prepend('/'), allow_other_host: false
     end
 
-    def host_with_protocol
-      "#{request.scheme}://#{request.host}"
+    def bearer_token
+      bearer = /^Bearer /
+      header = request.headers['Authorization']
+      header.gsub(bearer, '') if header&.match(bearer)
     end
-
   end
 end

data/app/controllers/authorio/sessions_controller.rb

@@ -1,6 +1,7 @@
+# frozen_string_literal: true
+
 module Authorio
   class SessionsController < AuthorioController
-
     # GET /session/new
     def new
       @session = Session.new(authorio_user: User.first)
@@ -8,21 +9,21 @@ module Authorio
 
     # POST /session
     def create
-      user = User.find_by! profile_path: URI(auth_user_params[:url]).path
+      user = User.find_by_username! auth_user_params[:username]
       raise Exceptions::InvalidPassword unless user.authenticate(auth_user_params[:password])
-      set_session_cookie(user) if auth_user_params[:remember_me]
 
+      write_session_cookie(user) if auth_user_params[:remember_me]
       # Even if we don't have a permanent remember-me session, we make a temporary session
       session[:user_id] = user.id
       redirect_to edit_user_path(user)
     rescue Exceptions::InvalidPassword
-      redirect_back_with_error "Incorrect password. Try again."
+      redirect_back_with_error 'Incorrect password. Try again.'
     end
 
     # DELETE /session
     def destroy
       reset_session
-      if (cookie = cookies.encrypted[:user]) && session = Session.find_by_cookie(cookie)
+      if (cookie = cookies.encrypted[:user]) && (session = Session.find_by_cookie(cookie))
         cookies.delete :user
         session.destroy
       end

data/app/controllers/authorio/users_controller.rb

@@ -1,9 +1,15 @@
+# frozen_string_literal: true
+
 module Authorio
   class UsersController < AuthorioController
+    before_action :authorized?, except: :verify
 
-    before_action :authorized?
+    # GET /users/:id
+    def show
+      @user = User.find(params[:id])
+    end
 
-    # GET   /users/:id/edit
+    # GET /users/:id/edit
     def edit
       @user = User.find(params[:id])
     end
@@ -11,10 +17,14 @@ module Authorio
     # PATCH /users/:id
     def update
       User.find(params[:id]).update(user_params)
-      flash[:info] = "Profile Saved"
+      flash[:info] = 'Profile Saved'
       redirect_to edit_user_path
     end
 
+    # This is only called by IndieAuth clients who wish to verify that a
+    # user profile URL we generated is in fact ours.
+    def verify; end
+
     private
 
     def user_params

data/app/helpers/authorio/tag_helper.rb

@@ -1,17 +1,17 @@
+# frozen_string_literal: true
+
 module Authorio
   # These helpers are provided to the main application
   module TagHelper
     extend ActiveSupport::Concern
 
     included do
-      if respond_to?(:helper_method)
-        helper_method :indieauth_tag
-      end
+      helper_method :indieauth_tag if respond_to?(:helper_method)
     end
 
     def indieauth_tag
-      tag(:link, rel: 'authorization_endpoint', href: URI.join(root_url, Authorio.authorization_path)) <<
-      tag(:link, rel: 'token_endpoint', href: URI.join(root_url, Authorio.token_path))
+      tag(:link, rel: 'authorization_endpoint', href: URI.join(main_app.root_url, Authorio.authorization_path)) <<
+        tag(:link, rel: 'token_endpoint', href: URI.join(main_app.root_url, Authorio.token_path))
     end
   end
 end

data/app/jobs/authorio/application_job.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authorio
   class ApplicationJob < ActiveJob::Base
   end

data/app/models/authorio/application_record.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authorio
   class ApplicationRecord < ActiveRecord::Base
     self.abstract_class = true

data/app/models/authorio/request.rb

@@ -1,12 +1,45 @@
+# frozen_string_literal: true
+
 module Authorio
   class Request < ApplicationRecord
-    belongs_to :authorio_user, class_name: "::Authorio::User"
+    belongs_to :authorio_user, class_name: '::Authorio::User'
 
     validates_presence_of :code, :redirect_uri, :client
 
-    # User has the right to modify requested scope
-    def update_scope(scope)
-      update(scope: scope.join(' '))
+    before_validation :set_code, on: :create
+    before_create :sweep_requests
+
+    # The IndieAuth spec uses 'client_id' to specify the client in the address, as a URL (eg "https://example.com")
+    # But Rails uses '_id' to tag associations (foreign keys). So we save that as 'client' here, but map
+    # client_id as an alias since that is what the HTTP parameter will be
+    def client_id=(value)
+      self.client = value
+    end
+
+    def invalid?(params)
+      redirect_uri != params[:redirect_uri] ||
+        client != params[:client_id] ||
+        created_at < Time.now - 10.minutes
+    end
+
+    def self.user_scope_description(scope)
+      USER_SCOPE_DESCRIPTION[scope.to_sym] || scope
     end
+
+    private
+
+    def set_code
+      self.code = SecureRandom.hex(20)
+    end
+
+    def sweep_requests
+      Request.where(client: client, authorio_user: authorio_user).destroy_all
+    end
+
+    USER_SCOPE_DESCRIPTION = {
+      profile: 'View basic profile information',
+      email: 'View your email address',
+      offline_access: 'Keep you logged in permanently (until revoked)'
+    }.freeze
   end
 end

data/app/models/authorio/session.rb

@@ -1,34 +1,37 @@
+# frozen_string_literal: true
+
 module Authorio
   class Session < ApplicationRecord
     # Implement a session cookie store based on best security practices
     # See: https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence
-    belongs_to :authorio_user, class_name: "::Authorio::User"
+    belongs_to :authorio_user, class_name: '::Authorio::User'
 
     # 1. Protect against having database stolen by only storing token hashes
-    attribute :token   # This will not be persisted in the DB
+    attribute :token # This will not be persisted in the DB
     has_secure_token
 
     before_create do
       self.expires_at = Time.now + Authorio.configuration.token_expiration
       self.selector = SecureRandom.hex(12)
-      self.hashed_token = Digest::SHA256.hexdigest self.token
+      self.hashed_token = Digest::SHA256.hexdigest token
     end
 
     # 2. To guard against timing attacks, we lookup tokens based on a separate selector attribute
     #    and compare them using a secure time-constant comparison method
     def self.find_by_cookie(cookie)
-      _selector, _token = cookie.split(':')
-      session = find_by selector: _selector
-      raise Authorio::Exceptions::SessionReplayAttack.new(session) unless session.matches_cookie?(cookie)
+      selector, _token = cookie.split(':')
+      session = find_by selector: selector
+      raise Authorio::Exceptions::SessionReplayAttack.new, session unless session.matches_cookie?(cookie)
+
       session
     end
 
     def matches_cookie?(cookie)
-      _selector, _token = cookie.split(':')
-      _hashed_token = Digest::SHA256.hexdigest _token
-      !expired? && ActiveSupport::SecurityUtils.secure_compare(_hashed_token, hashed_token)
+      _selector, token = cookie.split(':')
+      cookie_hashed_token = Digest::SHA256.hexdigest token
+      !expired? && ActiveSupport::SecurityUtils.secure_compare(cookie_hashed_token, hashed_token)
     end
-    
+
     def expired?
       expires_at < Time.now
     end

data/app/models/authorio/token.rb

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 module Authorio
   class Token < ApplicationRecord
-    belongs_to :authorio_user, class_name: "::Authorio::User"
+    belongs_to :authorio_user, class_name: '::Authorio::User'
     has_secure_token :auth_token
 
     validates_presence_of :scope, :client
@@ -9,8 +11,20 @@ module Authorio
       self.expires_at = Time.now + Authorio.configuration.token_expiration
     end
 
+    # The token endpoint can get hit by bots, so short-circut the find if they
+    # don't send a bearer token
+    def self.find_by_auth_token(token)
+      token and find_by auth_token: token
+    end
+
     def expired?
-      return expires_at < Time.now
+      expires_at < Time.now
+    end
+
+    def self.create_from_request(req)
+      raise Exceptions::InvalidGrant, 'missing scope' if req.scope.blank?
+
+      Token.create(authorio_user: req.authorio_user, scope: req.scope, client: req.client)
     end
   end
 end

data/app/models/authorio/user.rb

@@ -1,10 +1,19 @@
+# frozen_string_literal: true
+
 module Authorio
   class User < ApplicationRecord
     has_secure_password
 
-    def self.find_by_url!(url)
-      find_by! profile_path: URI(url || "/").path
-    end
+    class << self
+      def find_by_url!(url)
+        find_by_username!(URI(url).path)
+      end
 
+      def find_by_username!(name)
+        return first unless Authorio.configuration.multiuser
+
+        find_by(username: name) or raise Exceptions::UserNotFound
+      end
+    end
   end
 end

data/app/views/authorio/auth/authorization_interface.html.erb

@@ -7,9 +7,9 @@
       <h3>Authorio</h3>
       <div class="client-row">
         <span class="client"><%= params[:client_id] %></span> wants to authenticate
-        <% if @scope %>and also<% end %>
+        <% if params[:scope] %>and also<% end %>
       </div>
-      <%= render 'shared/login_form', target: authorize_user_path(@user), user: @user, scopes: @scope, cancel: true %>
+      <%= render 'shared/login_form', target: authorize_user_path, cancel: true %>
     </div>
     <div class="col-md-4"></div>
   </div>

data/app/views/authorio/auth/issue_token.json.jbuilder

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+json.access_token @token.auth_token
+json.expires_in Authorio.configuration.token_expiration
+json.token_type 'Bearer'
+json.scope @token.scope
+json.partial! 'authorio/users/profile', request: @request

data/app/views/authorio/auth/send_profile.json.jbuilder

@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+json.partial! 'authorio/users/profile', request: @request

data/app/views/authorio/auth/verify_token.json.jbuilder

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+json.me url_for(@token.authorio_user)
+json.client_id @token.client
+json.scope @token.scope

data/app/views/authorio/sessions/new.html.erb

@@ -7,8 +7,7 @@
     <div class="col-md-4 auth-panel">
       <h3>Authorio</h3>
       <div class="client-row">Local Login</div>
-      <%= render 'shared/login_form', target: session_path(@session),
-       user: @session.authorio_user, scopes: nil, cancel: false %>
+      <%= render 'shared/login_form', target: session_path(@session), cancel: false %>
     </div>
     <div class="col-md-4"></div>
   </div>

data/app/views/authorio/users/_profile.json.jbuilder

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+json.me profile_url(request.authorio_user)
+if request.scope&.include? 'profile'
+  json.profile do
+    json.name(request.authorio_user.full_name)
+    json.call(request.authorio_user, :url, :photo)
+    json.email(request.authorio_user.email) if request.scope.include?('email')
+  end
+end

data/app/views/authorio/users/show.html.erb

@@ -0,0 +1,18 @@
+<%= stylesheet_link_tag "authorio/auth" %>
+<% content_for :title, "User Account" %>
+
+<%= indieauth_tag %>
+
+<div class="container authorio-auth">
+  <div class="row">
+    <div class="col-md-4"></div>
+    <div class="col-md-4 auth-panel">
+      <h3>IndieAuth Account</h3>
+        Full Name <%= @user.full_name %>
+        URL <%= @user.url %>
+        Photo <%= image_tag @user.photo %>
+        Email <%= @user.email %>
+    </div>
+    <div class="col-md-4"></div>
+  </div>
+</div>

data/app/views/authorio/users/verify.html.erb

@@ -0,0 +1 @@
+<%= indieauth_tag %>

data/app/views/shared/_login_form.html.erb

@@ -1,9 +1,9 @@
-<%= form_with(model: user, url: target, method: :post) do |form| %>
-  <% if scopes %>
+<%= form_with(url: target, method: :post) do |form| %>
+  <% if params[:scope] %>
     <%= fields_for :scope do |req_scope| %>
       <div class="scopes">
         <ul class="scope">
-          <% for scope in scopes %>
+          <% for scope in params[:scope].split %>
             <li>
               <%= label_tag(:scope, class: 'scope-label') do %>
                 <%= req_scope.check_box(:scope, {multiple: true, checked: true}, scope, nil) %>
@@ -15,18 +15,23 @@
       </div>
     <% end %>
   <% end -%>
-  <%= form.label(:url, "User URL") %>
-  <%= form.text_field(:url, value: params[:me] || user_url(user), readonly: true) %>
-  <% unless logged_in? %>
-    <%= form.label(:password, "Password") %>
-    <%= form.password_field(:password, autofocus: true) %>
-    <% if rememberable? %>
-      <%= label_tag(:remember_me, class: 'remember') do %>
-        <%= form.check_box :remember_me %>
-        <span class='r-m'>Remember me for <%= distance_of_time_in_words Authorio.configuration.local_session_lifetime -%></span>
+  <%= fields_for :user do |user_scope| %>
+    <%= user_scope.hidden_field :dummy, value: 42 %>
+    <% if Authorio.configuration.multiuser %>
+      <%= user_scope.label(:username, "Username") %>
+      <%= user_scope.text_field(:username) %>
+    <% end -%>
+    <% unless logged_in? %>
+      <%= user_scope.label(:password, "Password") %>
+      <%= user_scope.password_field(:password, autofocus: true) %>
+      <% if rememberable? %>
+        <%= label_tag(:remember_me, class: 'remember') do %>
+          <%= user_scope.check_box :remember_me %>
+          <span class='r-m'>Remember me for <%= distance_of_time_in_words Authorio.configuration.local_session_lifetime -%></span>
+        <% end %>
       <% end %>
     <% end %>
-  <% end %>
+  <% end -%>
   <div class='auth-btn-row'>
     <% if cancel %>
       <%= form.submit("Cancel", class: 'btn btn-default auth-btn') %>

data/config/routes.rb

@@ -1,12 +1,17 @@
+# frozen_string_literal: true
+
 Authorio::Engine.routes.draw do
-	get Authorio.configuration.authorization_endpoint, controller: 'auth', action: 'authorization_interface'
-	post Authorio.configuration.authorization_endpoint, controller: 'auth', action: 'send_profile'
-	resources :users, only: [:edit, :update] do
-		post 'authorize', on: :member, to: 'auth#authorize_user'
-	end
-	resource :session, only: [:new, :create]
-	get 'session' => 'sessions#destroy', as: 'logout'
-	get Authorio.configuration.token_endpoint, controller: 'auth', action: 'verify_token'
-	post Authorio.configuration.token_endpoint, controller: 'auth', action: 'issue_token'
-	root to: 'authorio#index'
-end
+  root to: 'authorio#index'
+
+  get Authorio.configuration.authorization_endpoint, controller: 'auth', action: 'authorization_interface'
+  resources :users, only: %i[show edit update]
+  post 'user/authorize', to: 'auth#authorize_user', as: 'authorize_user'
+  resource :session, only: %i[new create]
+  get 'session', to: 'sessions#destroy', as: 'logout'
+  get 'user/(:id)/verify', to: 'users#verify', as: 'verify_user'
+  defaults format: :json do
+    post Authorio.configuration.authorization_endpoint, controller: 'auth', action: 'send_profile'
+    get Authorio.configuration.token_endpoint, controller: 'auth', action: 'verify_token'
+    post Authorio.configuration.token_endpoint, controller: 'auth', action: 'issue_token'
+  end
+end

data/db/migrate/20210817010101_change_path_to_username_in_users.rb

@@ -0,0 +1,7 @@
+class ChangePathToUsernameInUsers < ActiveRecord::Migration[6.1]
+  def change
+    change_table :authorio_users do |t|
+      t.rename :profile_path, :username
+    end
+  end
+end

data/lib/authorio/configuration.rb

@@ -1,15 +1,17 @@
-module Authorio
-	class Configuration
+# frozen_string_literal: true
 
-		attr_accessor :authorization_endpoint, :token_endpoint, :mount_point, :token_expiration,
-			:local_session_lifetime
+module Authorio
+  class Configuration
+    attr_accessor :authorization_endpoint, :token_endpoint, :mount_point, :token_expiration,
+                  :local_session_lifetime, :multiuser
 
-		def initialize
-			@authorization_endpoint = "auth"
-			@token_endpoint = "token"
-			@mount_point = "authorio"
-			@token_expiration = 4.weeks
-			@local_session_lifetime = nil
-		end
-	end
+    def initialize
+      @authorization_endpoint = 'auth'
+      @token_endpoint = 'token'
+      @mount_point = 'authorio'
+      @token_expiration = 4.weeks
+      @local_session_lifetime = nil
+      @multiuser = false
+    end
+  end
 end

data/lib/authorio/engine.rb

@@ -1,15 +1,17 @@
+# frozen_string_literal: true
+
 module Authorio
-	class Engine < ::Rails::Engine
-		isolate_namespace Authorio
+  class Engine < ::Rails::Engine
+    isolate_namespace Authorio
 
-		initializer "authorio.load_helpers" do |app|
-			Rails.application.reloader.to_prepare do
-				ActionView::Base.send :include, Authorio::TagHelper
-			end
-		end
+    initializer 'authorio.load_helpers' do
+      Rails.application.reloader.to_prepare do
+        ActionView::Base.send :include, Authorio::TagHelper
+      end
+    end
 
-		initializer "authorio.assets.precompile" do |app|
-			app.config.assets.precompile += %w( authorio/auth.css authorio/application.css )
-		end
-	end
+    initializer 'authorio.assets.precompile' do |app|
+      app.config.assets.precompile += %w[authorio/auth.css authorio/application.css]
+    end
+  end
 end

data/lib/authorio/exceptions.rb

@@ -1,14 +1,22 @@
+# frozen_string_literal: true
+
 module Authorio
-	module Exceptions
-		class InvalidGrant < RuntimeError; end
-		class InvalidPassword < RuntimeError; end
-
-		class SessionReplayAttack < StandardError
-			attr_accessor :session
-
-			def initialize(session)
-				@session = session
-			end
-		end
-	end
+  module Exceptions
+    class InvalidGrant < RuntimeError; end
+
+    class InvalidPassword < RuntimeError; end
+
+    class SessionReplayAttack < StandardError
+      attr_accessor :session
+
+      def initialize(session)
+        super("Session replay attack on user account #{session.authorio_user.id}")
+        @session = session
+      end
+    end
+
+    class UserNotFound < StandardError; end
+
+    class TokenExpired < StandardError; end
+  end
 end

data/lib/authorio/routes.rb

@@ -1,9 +1,12 @@
-module ActionDispatch::Routing
-	class Mapper
+# frozen_string_literal: true
 
-		# Provide a custom mounting command, just so we can track our own mount point
-		def authorio_routes
-			mount Authorio::Engine, at: Authorio.configuration.mount_point
-		end
-	end
+module ActionDispatch
+  module Routing
+    class Mapper
+      # Provide a custom mounting command, just so we can track our own mount point
+      def authorio_routes
+        mount Authorio::Engine, at: Authorio.configuration.mount_point
+      end
+    end
+  end
 end

data/lib/authorio/version.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module Authorio
-  VERSION = '0.8.3'
+  VERSION = '0.8.4'
 end

data/lib/authorio.rb

@@ -1,27 +1,21 @@
-require "authorio/version"
-require "authorio/engine"
-require "authorio/configuration"
-require "authorio/routes"
-require "authorio/exceptions"
+# frozen_string_literal: true
 
-module Authorio
-	class << self
-		attr_accessor :configuration, :authorization_path
-	end
+Dir[File.join(__dir__, 'authorio', '*.rb')].sort.each { |f| require f }
 
-	def self.configuration
-		@configuration ||= Configuration.new
- 	end
+module Authorio
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
 
-  	def self.configure
-		yield configuration
-	end
+  def self.configure
+    yield configuration
+  end
 
-	def self.authorization_path
-		return [Authorio.configuration.mount_point, Authorio.configuration.authorization_endpoint].join("/")
-	end
+  def self.authorization_path
+    [Authorio.configuration.mount_point, Authorio.configuration.authorization_endpoint].join('/')
+  end
 
-	def self.token_path
-		return [Authorio.configuration.mount_point, Authorio.configuration.token_endpoint].join("/")
-	end
+  def self.token_path
+    [Authorio.configuration.mount_point, Authorio.configuration.token_endpoint].join('/')
+  end
 end

data/lib/generators/authorio/install/install_generator.rb

@@ -1,17 +1,17 @@
+# frozen_string_literal: true
+
 module Authorio
   class InstallGenerator < Rails::Generators::Base
-
     def self.source_paths
       paths = []
       paths << File.expand_path('../templates', "../../#{__FILE__}")
       paths << File.expand_path('../templates', "../#{__FILE__}")
-      paths << File.expand_path('../templates', __FILE__)
+      paths << File.expand_path('templates', __dir__)
       paths.flatten
     end
 
     def add_files
       template 'authorio.rb', 'config/initializers/authorio.rb'
     end
-
   end
 end

data/lib/generators/authorio/install/templates/authorio.rb

@@ -1,24 +1,29 @@
+# frozen_string_literal: true
+
 # Configuration for Authorio IndieAuth authentication
 
 Authorio.configure do |config|
+  # Mount point for Authorio URLs. Typically you would call this in your routes.rb
+  # as mount Authorio::Engine, at: mount_point
+  # But Authorio needs to know its own mount point, so we define it here and use a custom mount command in the config
+  # config.mount_point = "authorio"
 
-	# Mount point for Authorio URLs. Typically you would call this in your routes.rb
-	# as mount Authorio::Engine, at: mount_point
-	# But Authorio needs to know its own mount point, so we define it here and use a custom mount command in the config
-	# config.mount_point = "authorio"
+  # The path where clients will be redirected to provide authentication
+  # config.authorization_endpoint = "auth"
 
-	# The path where clients will be redirected to provide authentication
-	# config.authorization_endpoint = "auth"
+  # The path for token requests
+  # config.token_endpoint = "token"
 
-	# The path for token requests
-	# config.token_endpoint = "token"
+  # Set to true to enable multiple user accounts. By default (in single user mode)
+  # there is only one user, and therefore you do not need to enter a username
+  # config.multiuser = false
 
-	# How long tokens will last before expiring
-	# config.token_expiration = 4.weeks
+  # How long tokens will last before expiring
+  # config.token_expiration = 4.weeks
 
-	# Enable local session lifetime to keep yourself "logged in" to your own server
-	# If set to eg:
-	#  config.local_session_lifetime = 30.days
-	# then you will only have to enter your password every 30 days. Default is off (nil)
-	# config.local_session_lifetime = nil
+  # Enable local session lifetime to keep yourself "logged in" to your own server
+  # If set to eg:
+  #  config.local_session_lifetime = 30.days
+  # then you will only have to enter your password every 30 days. Default is off (nil)
+  # config.local_session_lifetime = nil
 end

data/lib/tasks/authorio_tasks.rake

@@ -1,18 +1,19 @@
+# frozen_string_literal: true
+
 namespace :authorio do
-	desc "Set password for initial Authorio user"
-	require 'io/console'
+  desc 'Set password for initial Authorio user'
+  require 'io/console'
 
-	def input_no_echo(prompt)
-		print("\n#{prompt}")
-		STDIN.noecho(&:gets).chop
-	end
+  def input_no_echo(prompt)
+    print("\n#{prompt}")
+    $stdin.noecho(&:gets).chop
+  end
 
-	task :password => :environment do
-		passwd = input_no_echo("Enter new password: ")
-		passwd_confirm = input_no_echo("Confirm password: ")
-		user = Authorio::User.
-			create_with(password: passwd, password_confirmation:passwd_confirm).
-			find_or_create_by!(profile_path: '/')
-		puts("\nPassword set")
-	end
+  task password: :environment do
+    passwd = input_no_echo('Enter new password: ')
+    passwd_confirm = input_no_echo('Confirm password: ')
+    Authorio::User.create_with(password: passwd, password_confirmation: passwd_confirm)
+                  .find_or_create_by!(profile_path: '/')
+    puts("\nPassword set")
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authorio
 version: !ruby/object:Gem::Version
-  version: 0.8.3
+  version: 0.8.4
 platform: ruby
 authors:
 - Michael Meckler
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-08-09 00:00:00.000000000 Z
+date: 2021-08-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -44,6 +44,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: jbuilder
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: factory_bot_rails
   requirement: !ruby/object:Gem::Requirement
@@ -125,8 +139,14 @@ files:
 - app/models/authorio/token.rb
 - app/models/authorio/user.rb
 - app/views/authorio/auth/authorization_interface.html.erb
+- app/views/authorio/auth/issue_token.json.jbuilder
+- app/views/authorio/auth/send_profile.json.jbuilder
+- app/views/authorio/auth/verify_token.json.jbuilder
 - app/views/authorio/sessions/new.html.erb
+- app/views/authorio/users/_profile.json.jbuilder
 - app/views/authorio/users/edit.html.erb
+- app/views/authorio/users/show.html.erb
+- app/views/authorio/users/verify.html.erb
 - app/views/layouts/authorio/main.html.erb
 - app/views/shared/_login_form.html.erb
 - config/routes.rb
@@ -136,6 +156,7 @@ files:
 - db/migrate/20210723161041_add_expiry_to_tokens.rb
 - db/migrate/20210726164625_create_authorio_sessions.rb
 - db/migrate/20210801184120_add_profile_to_users.rb
+- db/migrate/20210817010101_change_path_to_username_in_users.rb
 - lib/authorio.rb
 - lib/authorio/configuration.rb
 - lib/authorio/engine.rb
@@ -150,6 +171,7 @@ licenses:
 - MIT
 metadata:
   source_code_uri: https://github.com/reiterate-app/authorio
+  changelog_uri: https://github.com/reiterate-app/authorio/blob/master/CHANGELOG.md
 post_install_message: 
 rdoc_options: []
 require_paths: