authrocket 2.4.0 → 3.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: '006539bcc19e88ba57fe083333ba916e1c78cf85'
-  data.tar.gz: ced8fb000cdd3228b7682741c2d53a4241574846
+SHA256:
+  metadata.gz: f3a67bcdd15b98343f85c8e8383de3dc49ff18ea1bad87740fe53d28f1d51231
+  data.tar.gz: 778f5ed34745f9f58797215d6b85044922a3484b59bd9f8e7ff431281fd4ae53
 SHA512:
-  metadata.gz: 37784e02f496e49a7c5a5215cc6e4c9affcc9786026c0d8a7283baa1a93506b89c8bac5ddf2b9626883ef85f761c5cb9454ec9b742eff45a31407da09a61a160
-  data.tar.gz: 4406c773bf27963934be6ed067c6993b5ec49e8a93bcb8eafdef5f9dcee7c67cb14777cf016b9081192e62f4524b2e62596625ff7f2c02dae5c3841718438224
+  metadata.gz: 0fb6ffe5a89fa6e78ca750e25f932ded0af82e71e3622434bbcd013ff0c72c9b87f39a8fe66568a5a3cf81d2f6f0116b72258c6bacb7319f8b88a0de02405b62
+  data.tar.gz: e0d284409d955f1c9b4ca225fd364c0770b52f7ea115119673a4586509440faf792cbe705ca6fc4f8e25d463e48d7728e97284f019054ef832e7edd2ee38ff81

data/CHANGELOG.md

@@ -1,3 +1,42 @@
+#### 3.2.1
+
+- Update AuthProvider
+
+#### 3.2.0
+
+- Add HookState
+- Update Connection, Hook
+
+#### 3.1.0
+
+- Automatically handle login tokens in an Authorization header
+  eg: Authorization: Bearer {the-token}
+- Optimize LR JWKS support to match by kid
+
+#### 3.0.0
+
+- NOTE: This version includes breaking changes.
+  It is only compatible with AuthRocket 2. Use gem version '~> 2.0' with AuthRocket 1.
+- Refactor Rails integration
+- Update resources for AuthRocket 2
+  - Add: ClientApp, Connection, Domain, Invitation, NamedPermission, Oauth2Session, ResourceLink, Token
+  - Remove: LoginPolicy, UserToken,
+  - Rename: AppHook -> Hook
+  - Update most others
+- Support LR JWKS - retrieve RS256 key when key not pre-configured
+- Update auth/credentials
+  - Rename ENV AUTHROCKET_JWT_SECRET -> AUTHROCKET_JWT_KEY
+  - Rename ENV AUTHROCKET_LOGIN_URL -> LOGINROCKET_URL
+  - Rename AuthRocket::API.credentials :jwt_secret -> :jwt_key
+- Update ncore to v3
+  - `#errors` is now always an ActiveModel::Errors instance
+  - <exception>#errors is now an ActiveModel::Errors for all applicable exceptions
+- Require Ruby >= 2.3
+
+#### 2.4.1
+
+- Require ncore 2.2.2+
+
 #### 2.4.0
 
 - Add Rails Engine for expedited setup

data/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2014-2018 Notioneer, Inc.
+Copyright (c) 2014-2020 Notioneer, Inc.
 
 MIT License
 

data/README.md

@@ -8,7 +8,7 @@ This gem works with both Rails and plain Ruby. It will auto-detect Rails and ena
 
 ## Usage - Rails
 
-AuthRocket includes a streamlined Rails integration that automatically provides login and logout actions, and all relevant handling. For a new app, we highly recommend this.
+AuthRocket includes a streamlined Rails integration that automatically handles logins and logouts. For a new app, we highly recommend this.
 
 Note: The streamlined integration requires Rails 4.2+.
 
@@ -16,47 +16,55 @@ To your Gemfile, add:
 
     gem 'authrocket', require: 'authrocket/rails'
 
-Then ensure the following environment variables are set:
+Then ensure the following environment variable is set:
 
-    AUTHROCKET_LOGIN_URL  = https://sample.e1.loginrocket.com/
-    AUTHROCKET_JWT_SECRET = jsk_SAMPLE
+    LOGINROCKET_URL    = https://sample.e2.loginrocket.com/
+
+If you've changed the default JWT key type to HS256, you'll also need this variable:
+
+    AUTHROCKET_JWT_KEY = jsk_SAMPLE
 
 If you plan to access the AuthRocket API as well, you'll need these variables too:
 
-    AUTHROCKET_API_KEY    = ko_SAMPLE
-    AUTHROCKET_URL        = https://api-e1.authrocket.com/v1
-    AUTHROCKET_REALM      = rl_SAMPLE   # optional
+    AUTHROCKET_API_KEY = ks_SAMPLE
+    AUTHROCKET_URL     = https://api-e2.authrocket.com/v2
+    AUTHROCKET_REALM   = rl_SAMPLE   # optional
     
 Finally, add a `before_action` command to any/all controllers or actions that should require a login.
 
 For example, to protect your entire app:
 
     class ApplicationController < ActionController::Base
-      before_action :require_valid_token
+      before_action :require_login
     end
 
 Selectively exempt certain actions or controllers using the standard `skip_before_action` method:
 
-    class ContactUsController < ActionController::Base
-      skip_before_action :require_valid_token, only: [:new, :create]
+    class ContactUsController < ApplicationController
+      skip_before_action :require_login, only: [:new, :create]
     end
 
-Helpers are provided to create login, signup, and logout links:
+Helpers are provided to create login, signup, and logout links, as well as for users to manage their profile:
 
     <%= link_to 'Login', ar_login_url %>
     <%= link_to 'Signup', ar_signup_url %>
     <%= link_to 'Logout', logout_path %>
+    <%= link_to 'Manage Profile', ar_profile_url %>
 
-Both the current session and user are available to your controllers and views:
+Both the current Session and User are available to your controllers and views:
 
     current_session # => AuthRocket::Session
     current_user    # => AuthRocket::User
 
-Membership and Org data is accessible through those helpers as well. Be sure to tell AuthRocket to include Membership and/or Org data in the JWT (Realm -> Settings -> Sessions & JWT).
+The current Membership and Org (account) are accessible through those helpers as well.
+
+    current_membership
+    current_org
 
-    current_user.memberships
-    current_user.memberships.first.org
-    current_user.orgs
+If a user is a member of more than one org (account), `current_membership` and `current_org` will be reflect the currently selected account. Additional helpers are available to provide appropriate links to your users:
+
+    <%= link_to 'Manage current account', ar_account_url %>
+    <%= link_to 'Switch accounts', ar_accounts_url %>
 
 See below for customization details.
 
@@ -73,14 +81,13 @@ In your Gemfile, add:
 Then set the following environment variables:
 
     # If accessing the AuthRocket API:
-    AUTHROCKET_API_KEY    = ko_SAMPLE
-    AUTHROCKET_URL        = https://api-e1.authrocket.com/v1 # must match your account's provisioned cluster
-    AUTHROCKET_REALM      = rl_SAMPLE   # optional
+    AUTHROCKET_API_KEY = ks_SAMPLE
+    AUTHROCKET_URL     = https://api-e2.authrocket.com/v2 # must match your account's provisioned cluster
+    AUTHROCKET_REALM   = rl_SAMPLE   # optional
     #
     # If using JWT-verification of AuthRocket's login tokens:
-    AUTHROCKET_JWT_SECRET = jsk_SAMPLE
+    AUTHROCKET_JWT_KEY = SAMPLE
 
-If you're using either Hosted LoginRocket or authrocket.js to manage logins, see Verifing login tokens below. If you plan to use the API to directly authenticate, see the [API docs](https://authrocket.com/docs/api).
 
 
 
@@ -88,30 +95,30 @@ If you're using either Hosted LoginRocket or authrocket.js to manage logins, see
 
 By default, AuthRocket automatically loads credentials from environment variables. This is optimal for any 12-factor deployment. Supported variables are:
 
-`AUTHROCKET_API_KEY = ko_SAMPLE`
+`AUTHROCKET_API_KEY = ks_SAMPLE`
 Your AuthRocket API key. Required to use the API (but not if only performing JWT verification of login tokens).
 
-`AUTHROCKET_JWT_SECRET = jsk_SAMPLE`
-Used to perform JWT signing verification of login tokens. Not required if validating all tokens using the API instead. This is a realm-specific value, so like `AUTHROCKET_REALM`, set it on a per-use basis if using multiple realms.
-
-`AUTHROCKET_LOGIN_URL = https://sample.e1.loginrocket.com/`
-The LoginRocket URL for your Connected App. Only used by the streamlined Rails integration (for redirects), but still available to use otherwise. If your app uses multiple realms, you'll need to handle this on your own. If you're using a custom domain, this will be that domain and will not contain 'loginrocket.com'.
+`AUTHROCKET_JWT_KEY = SAMPLE`
+Used to perform JWT signing verification of login tokens. Not required if validating all tokens using the API instead. Also not required if LOGINROCKET_URL is set and RS256 keys are being used, as public keys will be auto-retrieved. This is a realm-specific value, so like `AUTHROCKET_REALM`, set it on a per-use basis if using multiple realms.
 
 `AUTHROCKET_REALM = rl_SAMPLE`
 Sets an application-wide default realm ID. If you're using a single realm, this is definitely easiest. Certain multi-tenant apps might using multiple realms. In this case, don't set this globally, but include it as part of the `:credentials` set for each API method.
 
-`AUTHROCKET_URL = https://api-e1.authrocket.com/v1`
-The URL of the AuthRocket API server. This may vary depending on which cluster your account is provisioned on.
+`AUTHROCKET_URL = https://api-e2.authrocket.com/v2`
+The URL of the AuthRocket API server. This may vary depending on which cluster your service is provisioned on.
+
+`LOGINROCKET_URL = https://SAMPLE.e2.loginrocket.com/`
+The LoginRocket URL for your Connected App. Used by the streamlined Rails integration (for redirects) and for auto-retrieval of RS256 JWT keys (if AUTHROCKET_JWT_KEY is not set). If your app uses multiple realms, you'll need to handle this on your own. If you're using a custom domain, this will be that domain and will not contain 'loginrocket.com'.
 
 
 It's also possible to configure AuthRocket using a Rails initializer (or other initialization code). 
 
     AuthRocket::Api.credentials = {
-      api_key: 'ko_SAMPLE',
-      jwt_secret: 'jsk_SAMPLE',
-      loginrocket_url: 'https://sample.e1.loginrocket.com/',
+      api_key: 'ks_SAMPLE',
+      jwt_key: 'SAMPLE',
+      loginrocket_url: 'https://sample.e2.loginrocket.com/',
       realm: 'rl_SAMPLE',
-      url: 'https://api-e1.authrocket.com/v1'
+      url: 'https://api-e2.authrocket.com/v2'
     }
 
 
@@ -121,53 +128,56 @@ It's also possible to configure AuthRocket using a Rails initializer (or other i
 The built-in Rails integration tries to handle as much for you as possible. However, there may be times when you wish to modify the default behavior.
 
 
-#### The default post-login path
+#### Logins
+
+The Rails integration handles logins on any path by detecting the presence of `?token=...`. It will process the login and then immediately redirect back to the same path without `?token=`; this helps prevent browsers and bookmarks from accidentally saving or caching the login token.
+
+Likewise, the built-in handler for `before_action :require_login` will automatically redirect to LoginRocket when the user is not currently logged in. `?redirect_uri=<current_path>` will be automatically included so that the user returns to the same place post-login. You can override this behavior by replacing `before_login`.
 
-After a user logs in (or signs up), they are returned to either the last page they tried to access (if known) or to `'/'` (the default path).
+    # For example, to force the user to always return to "/manage":
+    def require_login
+      unless current_session
+        redirect_to ar_login_url(redirect_uri: "/manage")
+      end
+    end
 
-This default path may be changed using an initializer.
+AuthRocket will verify the domain + path to redirect to. You can configure this at Realm -> Settings -> Connected Apps -> (edit) -> Login URLs. The first URL listed will be the default, so it should generally be the default "just logged in" path.
 
-Create/edit `config/initializers/authrocket.rb` and add:
+Paths are validated as "equal or more specific". That is, if Login URLs contains "https://my.app/manage", then any path starting with "/manage" will be allowed, but "/other" will not be allowed. If you want to allow any path at your domain, add "https://my.app/" (since "/" will match any path).
 
-```ruby
-AuthRocket::Api.default_login_path = '/manage'
-```
 
+#### Logouts
 
-#### /login and /logout routes
+##### The default post-logout path
 
-The default routes for login and logout are `/login` and `/logout`, respectively. To override them, add an initializer for AuthRocket (eg: `config/initializers/authrocket.rb`) and add:
+Upon logout, the user will be returned to the root path ("/").
+
+This default path may be changed using an initializer. Create/edit `config/initializers/authrocket.rb` and add:
+
+    AuthRocket::Api.post_logout_path = '/other'
+
+
+##### /logout route
+
+The default route for logout is `/logout`. To overrideis, add an initializer for AuthRocket (eg: `config/initializers/authrocket.rb`) and add:
 
     AuthRocket::Api.use_default_routes = false
 
 Then add your own routes to `config/routes.rb`:
 
-    get 'mylogin' => 'logins#login'
     get 'mylogout' => 'logins#logout'
 
 
-#### The login controller
+##### The logout action
 
-AuthRocket's default login controller automatically sets up the session (by storing the login token in `session[:ar_token]`) and makes a best effort at returning the user to where they were when the login request was triggered.
+AuthRocket's default login controller automatically sets a logout message using `flash`.
 
-If you require more customization than provided by modifying the default post-login path, as outlined above, you may create your own LoginsController and inherit from AuthRocket's controller:
+You may customize this, or other logout behavior, by creating your own LoginsController and inherit from AuthRocket's controller:
 
     class LoginsController < AuthRocket::ArController
-      def login
-        super
-        if current_session
-          # @redir will be present if the user's previous URL was able to be
-          # saved. If not, then provide a fallback (eg: root_path,
-          # manager_path, etc).
-          redirect_to @redir || dashboard_path
-        end
-        # else if login failed, a redirect to LoginRocket happens automatically
-      end
-
       def logout
         super
-        # Change the path and/or the message.
-        redirect_to root_path, notice: 'You have been logged out.'
+        flash[:notice] = 'You have been logged out.'
       end
     end
 
@@ -185,7 +195,7 @@ If you're not using the streamlined Rails integration, you'll need to verify the
 AuthRocket's login tokens use the JWT standard and are cryptographically signed. Verifying the signature is extremely fast. Here's are a couple examples of using this:
 
     def current_user
-      @_current_user ||= AuthRocket::Session.from_token(session[:ar_token]).try(:user)
+      @_current_user ||= AuthRocket::Session.from_token(session[:ar_token])&.user
     end
 
 `from_token` returns `nil` if the token is missing, expired, or otherwise invalid.
@@ -196,10 +206,10 @@ AuthRocket's login tokens use the JWT standard and are cryptographically signed.
 AuthRocket also supports Managed Sessions, which enables you to enforce logouts, even across apps (single sign-out!). In this instance, the session is regularly verified using the AuthRocket API.
 
     def current_user
-      @_current_user ||= AuthRocket::Session.retrieve(session[:ar_token]).try(:user)
+      @_current_user ||= AuthRocket::Session.retrieve(session[:ar_token])&.user
     end
 
-For better performance (and to avoid API rate limits), you may want to cache the results of the API call for 3-15 minutes.
+For better performance (and to avoid API rate limits), you will want to cache the results of the API call for 3-15 minutes.
 
 
 #### Initial login

data/app/controllers/auth_rocket/ar_controller.rb

@@ -1,44 +1,22 @@
 class AuthRocket::ArController < ::ApplicationController
 
-  before_action :require_valid_token, only: []
-    # ensure :require_valid_token is known so it can be skipped
-  skip_before_action :require_valid_token
+  before_action :require_login, only: []
+    # ensure :require_login is known so it can be skipped
+  skip_before_action :require_login
     # in case it's globally applied to ApplicationController
 
-  def login
-    if params[:token]
-      if s = AuthRocket::Session.from_token(params[:token])
-        @_current_session = s
-        session[:ar_token] = params[:token]
-      end
-    end
-    if current_session
-      @redir = sanitize_redir || session[:last_url]
-      session[:last_url] = nil
-      # redirect in the child
-    else
-      require_valid_token
-    end
-  end
 
   def logout
-    if current_session && current_session.id =~ /^kss_/ && AuthRocket::Api.credentials[:api_key]
-      AuthRocket::Session.delete current_session.id
+    if AuthRocket::Api.post_logout_path
+      uri = Addressable::URI.parse full_url_for
+      uri.path = AuthRocket::Api.post_logout_path
+      redirect_to ar_logout_url(redirect_uri: uri.to_s)
+    else
+      redirect_to ar_logout_url
     end
-    session[:ar_token] = nil
-    # redirect in the child
-  end
-
-
-  private
+    # set flash message in the child
 
-  # sanitize by making it path-only
-  def sanitize_redir(redir=params[:redir])
-    return if redir.blank?
-    u = defined?(Addressable) ? Addressable::URI.parse(redir) : URI.parse(redir)
-    if u
-      [u.path, u.query].compact.join('?')
-    end
+    session[:ar_token] = nil
   end
 
 end

data/app/controllers/logins_controller.rb

@@ -1,15 +1,8 @@
 class LoginsController < AuthRocket::ArController
 
-  def login
-    super
-    if current_session
-      redirect_to @redir || AuthRocket::Api.default_login_path
-    end
-  end
-
   def logout
     super
-    redirect_to '/', notice: 'You have been logged out.'
+    flash[:notice] = 'You have been logged out.'
   end
 
 end

data/authrocket.gemspec

@@ -18,10 +18,11 @@ Gem::Specification.new do |gem|
   gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
   gem.require_paths = ["lib"]
 
-  gem.required_ruby_version = '>= 1.9'
+  gem.required_ruby_version = '>= 2.3'
 
-  gem.add_dependency 'ncore', '~> 2.0'
-  gem.add_dependency 'jwt', '~> 1.5.0'
+  gem.add_dependency 'addressable', '~> 2.5'
+  gem.add_dependency 'ncore', '~> 3.0'
+  gem.add_dependency 'jwt', '~> 2.1'
 
   gem.add_development_dependency "bundler", "~> 1.3"
   gem.add_development_dependency "rake"

data/config/routes.rb

@@ -1,7 +1,6 @@
 Rails.application.routes.draw do
 
   if AuthRocket::Api.use_default_routes
-    get 'login' => 'logins#login'
     get 'logout' => 'logins#logout'
   end
 

data/lib/authrocket.rb

@@ -1,3 +1,4 @@
+require 'addressable/uri'
 require 'ncore'
 require 'jwt'
 
@@ -5,7 +6,28 @@ require 'jwt'
   require "authrocket/api/#{f}"
 end
 
-%w(app_hook auth_provider credential event jwt_key login_policy membership notification org realm session user user_token).each do |f|
+%w(
+  auth_provider
+  client_app
+  connection
+  credential
+  domain
+  event
+  hook
+  hook_state
+  invitation
+  jwt_key
+  membership
+  named_permission
+  notification
+  oauth2_session
+  org
+  realm
+  resource_link
+  session
+  token
+  user
+).each do |f|
   require "authrocket/#{f}"
 end
 

data/lib/authrocket/api/api_config.rb

@@ -14,19 +14,21 @@ module AuthRocket
 
     if ENV['AUTHROCKET_URI']
       self.credentials = parse_credentials ENV['AUTHROCKET_URI']
-    elsif ENV['AUTHROCKET_API_KEY'] || ENV['AUTHROCKET_JWT_SECRET']
+    elsif ENV['AUTHROCKET_API_KEY']
       self.credentials = {
         api_key: ENV['AUTHROCKET_API_KEY'],
-        account: ENV['AUTHROCKET_ACCOUNT'],
         realm:   ENV['AUTHROCKET_REALM'],
-        jwt_secret: ENV['AUTHROCKET_JWT_SECRET']
+        service: ENV['AUTHROCKET_SERVICE'],
       }
     else
       self.credentials = {}
     end
 
-    if ENV['AUTHROCKET_LOGIN_URL']
-      self.credentials[:loginrocket_url] = ENV['AUTHROCKET_LOGIN_URL']
+    if ENV['AUTHROCKET_JWT_KEY']
+      self.credentials[:jwt_key] ||= ENV['AUTHROCKET_JWT_KEY']
+    end
+    if ENV['LOGINROCKET_URL']
+      self.credentials[:loginrocket_url] = ENV['LOGINROCKET_URL']
     end
 
     self.debug = false
@@ -34,29 +36,26 @@ module AuthRocket
     self.strict_attributes = true
 
 
+    self.i18n_scope = :authrocket
+
     self.instrument_key = 'request.authrocket'
 
     self.status_page = 'https://status.authrocket.com/'
 
-    self.auth_header_prefix = 'X-Authrocket'
+    self.auth_header_prefix = 'Authrocket'
 
-    self.credentials_error_message = %Q{Missing API credentials or URL. Set default credentials using "AuthRocket::Api.credentials = {api_key: YOUR_API_KEY, url: AR_REGION_URL}"}
+    self.credentials_error_message = %Q{Missing API credentials or URL. Set default credentials using "AuthRocket::Api.credentials = {api_key: YOUR_API_KEY, url: AR_API_URL}"}
 
 
     mattr_accessor :use_default_routes
     self.use_default_routes = true
 
-    mattr_accessor :default_login_path
-    self.default_login_path = '/'
+    mattr_accessor :post_logout_path
+    self.post_logout_path = '/'
   end
 
 
   class << self
-    # makes AuthRocket::Realm.model_name.param_key do the right thing
-    def use_relative_model_naming?
-      true
-    end
-
 
     private
 
@@ -69,13 +68,13 @@ module AuthRocket
           [url.password, url.user].each do |part|
             case part
             when /^jsk_/
-              o[:jwt_secret] = part
-            when /^k(ey|o)_/
+              o[:jwt_key] = part
+            when /^k(ey|s)_/
               o[:api_key] = part
-            when /^org_/
-              o[:account] = part
             when /^rl_/
               o[:realm] = part
+            when /^svc_/
+              o[:service] = part
             end
           end
           url.user = url.password = nil