authrocket 2.4.1 → 3.0.0

data/lib/authrocket/api/client.rb

@@ -5,7 +5,7 @@ module AuthRocket
     module ClassMethods
 
       def parse_credentials(creds)
-        creds.with_indifferent_access.except :loginrocket_url, :jwt_secret
+        creds.with_indifferent_access.except :loginrocket_url, :jwt_key
       end
 
     end

data/lib/authrocket/api/version.rb

@@ -1,3 +1,3 @@
 module AuthRocket
-  VERSION = '2.4.1'
+  VERSION = '3.0.0'
 end

data/lib/authrocket/auth_provider.rb

@@ -5,68 +5,67 @@ module AuthRocket
     belongs_to :realm
 
     attr :name, :provider_type, :state
-    attr :email_verification, :login, :name_field, :password_field, :signup, :signup_mode, :verify
-    attr :min_complexity, :min_length, :required_chars
+    attr :min_complexity, :min_length
     attr :client_id, :client_secret, :scopes
+    attr :loginrocket_domain
+    attr :authorization_url, :profile_url, :token_url
+    attr :email_field, :email_verified_field, :first_name_field, :id_field, :last_name_field, :name_field
+    attr :auth_url # readonly
 
 
-    # attribs - :redirect_uri - required
-    #         - :nonce        - optional
-    def self.authorize_urls(attribs={})
-      params = parse_request_params(attribs)
-      parsed, creds = request(:get, url+'/authorize', params)
-      if parsed[:errors].any?
-        raise Error, parsed[:errors].inspect
-      end
-      NCore::Collection.new.tap do |coll|
-        coll.metadata = parsed[:metadata]
-        parsed[:data].each do |hash|
-          coll << GenericObject.new(hash.merge(metadata: parsed[:metadata]), creds)
-        end
-      end
-    end
-
-    # attribs - :redirect_uri - required
-    #         - :nonce        - optional
-    def self.authorize_url(auth_provider_id, attribs={})
-      params = parse_request_params(attribs)
-      parsed, creds = request(:get, url+"/#{auth_provider_id}/authorize", params)
-      if parsed[:errors].any?
-        raise Error, parsed[:errors].inspect
-      end
-      parsed[:data][:url]
-    end
-
     # same as self.authorize_url(self.id, ...)
     def authorize_url(attribs={})
-      params = parse_request_params(attribs).merge credentials: api_creds
-      self.class.authorize_url(id, params)
-    end
-
-    # attribs - :code  - required
-    #         - :nonce - optional
-    #         - :state - required
-    # always returns a new object; check .errors? or .valid? to see how it went
-    def self.authorize(attribs={})
-      params = parse_request_params(attribs)
-      parsed, creds = request(:post, url+'/authorize', params)
-      if parsed[:data][:object] == 'user_token'
-        UserToken.new(parsed, creds)
-      else
-        User.new(parsed, creds)
-      end
+      self.class.authorize_url id, attribs.reverse_merge(credentials: api_creds)
     end
 
     # attribs - :access_token - required
+    # returns: Session
     # always returns a new object; check .errors? or .valid? to see how it went
     def authorize_token(attribs={})
       params = parse_request_params(attribs)
-      parsed, creds = request(:post, url+'/authorize', params)
-      if parsed[:data][:object] == 'user_token'
-        UserToken.new(parsed, creds)
-      else
-        User.new(parsed, creds)
+      parsed, creds = request(:post, resource_path+'/authorize', params)
+      self.class.factory(parsed, creds)
+    end
+
+
+    class << self
+
+      # attribs - :redirect_uri - required
+      #         - :nonce        - optional
+      # returns: Array of simplified AuthProviders
+      def authorize_urls(attribs={})
+        params = parse_request_params(attribs)
+        parsed, creds = request(:get, resource_path+'/authorize', params)
+        raise QueryError, parsed[:errors] if parsed[:errors].any?
+        NCore::Collection.new.tap do |coll|
+          coll.metadata = parsed[:metadata]
+          parsed[:data].each do |hash|
+            coll << factory(hash.merge(metadata: parsed[:metadata]), creds)
+          end
+        end
+      end
+
+      # attribs - :redirect_uri - required
+      #         - :nonce        - optional
+      # returns: simplified AuthProvider
+      def authorize_url(auth_provider_id, attribs={})
+        params = parse_request_params(attribs)
+        parsed, creds = request(:get, resource_path+"/#{CGI.escape auth_provider_id}/authorize", params)
+        raise QueryError, parsed[:errors] if parsed[:errors].any?
+        factory(parsed, creds)
       end
+
+      # attribs - :code  - required
+      #         - :nonce - optional
+      #         - :state - required
+      # returns: Session
+      # always returns a new object; check .errors? or .valid? to see how it went
+      def authorize(attribs={})
+        params = parse_request_params(attribs)
+        parsed, creds = request(:post, resource_path+'/authorize', params)
+        factory(parsed, creds)
+      end
+
     end
 
   end

data/lib/authrocket/client_app.rb

@@ -0,0 +1,14 @@
+module AuthRocket
+  class ClientApp < Resource
+    crud :all, :find, :create, :update, :delete
+
+    belongs_to :realm
+
+    attr :client_type, :name, :redirect_uris
+    # standard:
+    attr :state
+    # oauth2:
+    attr :allowed_scopes, :app_type, :logo, :secret, :trusted
+
+  end
+end

data/lib/authrocket/connection.rb

@@ -0,0 +1,12 @@
+module AuthRocket
+  class Connection < Resource
+    crud :all, :find, :create, :update, :delete
+
+    belongs_to :realm
+
+    attr :connection_type
+    attr :email_from, :email_from_name, :state
+    attr :smtp_host, :smtp_password, :smtp_port, :smtp_user
+
+  end
+end

data/lib/authrocket/credential.rb

@@ -3,19 +3,25 @@ module AuthRocket
     crud :find, :create, :update, :delete
 
     belongs_to :auth_provider
+    belongs_to :client_app
     belongs_to :user
 
     attr :credential_type
-    attr :api_key
-    attr :password, :password_confirmation
-    attr :name, :otp_secret, :provisioning_uri, :state
-    attr :access_token, :provider_user_id, :token_expires_at
+    attr :password, :password_confirmation # writeonly
+    attr :name, :otp_secret, :provisioning_svg, :provisioning_uri, :state
+    attr :access_token, :provider_user_id
+    attr_datetime :token_expires_at
+    attr :client_app_name, :approved_scopes
 
 
+    def provisioning_svg
+      self[:provisioning_svg]&.html_safe
+    end
+
     # code - required
     def verify(code, attribs={})
-      params = parse_request_params(attribs.merge(code: code), json_root: json_root).merge credentials: api_creds
-      parsed, _ = request(:post, url+'/verify', params)
+      params = parse_request_params(attribs.merge(code: code), json_root: json_root).reverse_merge credentials: api_creds
+      parsed, _ = request(:post, resource_path+'/verify', params)
       load(parsed)
       errors.empty? ? self : false
     end

data/lib/authrocket/domain.rb

@@ -0,0 +1,19 @@
+module AuthRocket
+  class Domain < Resource
+    crud :all, :find, :create, :update, :delete
+
+    belongs_to :realm
+
+    attr :cert_state, :dns_state, :domain_type, :flags, :fqdn, :state
+    attr :subdomain
+    attr :domain
+
+    def verify(attribs={})
+      params = parse_request_params(attribs, json_root: json_root).reverse_merge credentials: api_creds
+      parsed, _ = request(:post, resource_path+'/verify', params)
+      load(parsed)
+      errors.empty? ? self : false
+    end
+
+  end
+end

data/lib/authrocket/event.rb

@@ -2,16 +2,15 @@ module AuthRocket
   class Event < Resource
     crud :all, :find
 
-    belongs_to :app_hook
     belongs_to :auth_provider
-    belongs_to :login_policy
+    belongs_to :invitation
     belongs_to :membership
     belongs_to :org
     belongs_to :realm
     belongs_to :user
     has_many :notifications
 
-    attr :event_type
+    attr :event_type, :token
     attr_datetime :event_at
 
     def request_data

data/lib/authrocket/hook.rb

@@ -0,0 +1,39 @@
+module AuthRocket
+  class Hook < Resource
+    crud :all, :find, :create, :update, :delete
+
+    belongs_to :realm
+
+    attr :accumulate, :delay, :event_type, :hook_type, :state
+    attr :destination
+    attr :email_renderer, :email_subject, :email_template, :email_to
+
+
+    def self.event_types
+      %w( invitation.org.created  invitation.org.updated  invitation.org.invited  invitation.org.accepted  invitation.org.expired
+          invitation.referral.created  invitation.referral.updated  invitation.referral.invited  invitation.referral.accepted  invitation.referral.expired
+          invitation.request.created  invitation.request.updated  invitation.request.invited  invitation.request.accepted  invitation.request.expired
+          membership.created  membership.updated  membership.deleted
+          org.created  org.updated  org.closed
+          user.created  user.updated  user.deleted
+            user.email.verifying  user.email.verified
+            user.login.succeeded  user.login.failed  user.login.initiated
+            user.password.resetting  user.password.updated
+            user.profile.updated
+        ).sort
+    end
+
+    def self.email_event_types
+      %w( invitation.org.invited  invitation.org.accepted
+            invitation.referral.invited
+            invitation.request.invited
+          user.created
+            user.email.verifying  user.email.verified
+            user.login.succeeded  user.login.failed
+            user.password.resetting  user.password.updated
+            user.profile.updated
+        ).sort
+    end
+
+  end
+end

data/lib/authrocket/invitation.rb

@@ -0,0 +1,35 @@
+module AuthRocket
+  class Invitation < Resource
+    crud :all, :find, :create, :update, :delete
+
+    belongs_to :inviting_user, class_name: 'AuthRocket::User'
+    belongs_to :org
+    belongs_to :realm
+    has_many :events
+
+    attr :email, :invitation_type, :token
+    attr :permissions
+    attr_datetime :created_at, :expires_at, :invited_at
+
+    def any_permission?(*perms)
+      perms.any? do |p|
+        case p
+        when String
+          permissions.include? p
+        when Regexp
+          permissions.any?{|m| p =~ m}
+        else
+          false
+        end
+      end
+    end
+
+    def invite(attribs={})
+      params = parse_request_params(attribs, json_root: json_root).reverse_merge credentials: api_creds
+      parsed, _ = request(:post, resource_path+'/invite', params)
+      load(parsed)
+      errors.empty? ? self : false
+    end
+
+  end
+end

data/lib/authrocket/membership.rb

@@ -6,7 +6,7 @@ module AuthRocket
     belongs_to :user
     has_many :events
 
-    attr :custom, :permissions
+    attr :permissions, :selected
     attr_datetime :expires_at
 
 

data/lib/authrocket/named_permission.rb

@@ -0,0 +1,10 @@
+module AuthRocket
+  class NamedPermission < Resource
+    crud :find, :create, :update, :delete
+
+    belongs_to :realm
+
+    attr :auto_grant, :name, :permission
+
+  end
+end

data/lib/authrocket/notification.rb

@@ -1,8 +1,8 @@
 module AuthRocket
   class Notification < Resource
 
-    belongs_to :app_hook
     belongs_to :event
+    belongs_to :hook
 
     attr :attempts, :hook_type, :last_destination, :last_result, :state
     attr_datetime :last_attempt_at

data/lib/authrocket/oauth2_session.rb

@@ -0,0 +1,26 @@
+module AuthRocket
+  class Oauth2Session < Resource
+    crud :find, :create
+
+    attr :access_token, :code, :id_token, :redirect_uri
+    attr :profile
+    attr :expires_in, :token_type
+    attr_datetime :expires_at
+
+    def self.json_root ; 'session' ; end
+    def self.resource_path ; 'sessions/oauth2' ; end
+
+    class << self
+
+      # params - {client_app_id:, client_app_secret:, code:}
+      # returns: Token - must check .valid? or .errors? for response
+      def code_to_token(params={})
+        params = parse_request_params(params, json_root: json_root)
+        parsed, creds = request(:post, "#{resource_path}/code", params)
+        factory(parsed, creds)
+      end
+
+    end
+
+  end
+end

data/lib/authrocket/org.rb

@@ -4,6 +4,7 @@ module AuthRocket
 
     belongs_to :realm
     has_many :events
+    has_many :invitations
     has_many :memberships
 
     attr :custom, :name, :reference, :state
@@ -11,7 +12,7 @@ module AuthRocket
 
 
     def users
-      memberships.map(&:user).compact
+      memberships.map(&:user)
     end
 
     def find_user(uid)

data/lib/authrocket/rails/controller_helper.rb

@@ -1,20 +1,18 @@
 module AuthRocket::ControllerHelper
   extend ActiveSupport::Concern
 
-  included do
-    if respond_to?(:helper_method)
-      helper_method :current_session
-      helper_method :current_user
-      helper_method :ar_login_url
-      helper_method :ar_signup_url
+  private
+
+  def process_inbound_token
+    # if GET (the only method LR uses), redirect to remove ?token=
+    if request.get? && conditional_login
+      redirect_to safe_this_uri
     end
   end
 
-
-  def require_valid_token
+  def require_login
     unless current_session
-      session[:last_url] = request.get? ? url_for(params.to_unsafe_h.except(:domain, :host, :port, :prototcol, :subdomain, :token)) : url_for
-      redirect_to ar_login_url + "?redir=#{ERB::Util.url_encode(session[:last_url])}"
+      redirect_to ar_login_url(redirect_uri: safe_this_uri)
     end
   end
 
@@ -24,24 +22,78 @@ module AuthRocket::ControllerHelper
   end
 
   def current_user
-    current_session.try(:user)
+    current_session&.user
+  end
+
+  def current_membership
+    # LR always sends a JWT with exactly one membership/org
+    # other API generated JWTs may vary
+    return unless current_user
+    current_user.memberships.each{|m| return m if m.selected }.first
+  end
+
+  def current_org
+    current_membership&.org
+  end
+
+
+  def ar_account_url(**params)
+    if id = params.delete(:id) || current_org&.id
+      loginrocket_url(path: "/accounts/#{id}", **params)
+    else
+      ar_accounts_url(**params)
+    end
+  end
+
+  # force - if false/nil, does not add ?force; else does add it
+  def ar_accounts_url(**params)
+    if params[:force] || !params.key?(:force)
+      params[:force] = nil
+    else
+      params.delete(:force)
+    end
+    loginrocket_url(path: '/accounts', **params)
+  end
+
+  def ar_login_url(**params)
+    loginrocket_url(path: '/login', **params)
   end
 
+  def ar_logout_url(**params)
+    params[:session] = current_session.id if current_session
+    loginrocket_url(path: '/logout', **params)
+  end
 
-  def ar_login_url
-    @_login_url = loginrocket_url('login')
+  def ar_profile_url(**params)
+    loginrocket_url(path: '/profile', **params)
   end
 
-  def ar_signup_url
-    @_signup_url = loginrocket_url('signup')
+  def ar_signup_url(**params)
+    loginrocket_url(path: '/signup', **params)
+  end
+
+  def loginrocket_url(path: nil, **params)
+    raise "Missing env LOGINROCKET_URL or credentials[:loginrocket_url]" if AuthRocket::Api.credentials[:loginrocket_url].blank?
+    uri = Addressable::URI.parse AuthRocket::Api.credentials[:loginrocket_url]
+    uri.path = path if path
+    uri.path = '/' if uri.path.blank?
+    uri.query_values = (uri.query_values||{}).merge(params).stringify_keys if params.present?
+    uri.to_s
+  end
+
+
+  # returns: bool -- whether session was updated/replaced
+  def conditional_login
+    return unless params[:token]
+    if s = AuthRocket::Session.from_token(params[:token])
+      @_current_session = s
+      session[:ar_token] = params[:token]
+      true
+    end
   end
 
-  def loginrocket_url(path=nil)
-    raise "Missing env AUTHROCKET_LOGIN_URL or credentials[:loginrocket_url]" if AuthRocket::Api.credentials[:loginrocket_url].blank?
-    s = AuthRocket::Api.credentials[:loginrocket_url].dup
-    s.concat('/') unless s.ends_with?('/')
-    s.concat(path) if path
-    s.freeze
+  def safe_this_uri
+    full_url_for(request.get? ? params.to_unsafe_h.except(:account, :session, :token) : {})
   end
 
 end