authrocket 2.4.1 → 3.0.0

data/lib/authrocket/rails/engine.rb

@@ -5,7 +5,11 @@ module AuthRocket
       require_relative 'controller_helper'
 
       ActiveSupport.on_load(:action_controller) do
-        include AuthRocket::ControllerHelper
+        if self == ActionController::Base
+          include AuthRocket::ControllerHelper
+          helper AuthRocket::ControllerHelper
+          before_action :process_inbound_token
+        end
       end
     end
 

data/lib/authrocket/realm.rb

@@ -2,25 +2,41 @@ module AuthRocket
   class Realm < Resource
     crud :all, :find, :create, :update, :delete
 
-    has_many :app_hooks
     has_many :auth_providers
+    has_many :client_apps
+    has_many :connections
+    has_many :domains
     has_many :events
+    has_many :hooks
+    has_many :invitations
     has_many :jwt_keys
-    has_many :login_policies
+    has_many :named_permissions
     has_many :orgs
+    has_many :resource_links
     has_many :users
 
-    attr :api_key_minutes, :api_key_policy, :api_key_prefix, :custom, :name
-    attr :jwt_fields, :require_unique_emails, :resource_links, :session_minutes
-    attr :session_type, :state, :username_validation_human
+    attr :custom, :environment, :name, :public_name, :state
+    attr :email_verification, :org_mode, :signup
+    attr :name_field, :org_name_field, :password_field, :username_field
+    attr :branding, :color_1, :logo, :logo_icon, :privacy_policy, :stylesheet, :terms_of_service
+    attr :access_token_minutes, :jwt_algo, :jwt_minutes, :jwt_scopes, :session_minutes
     attr :jwt_key # readonly
-    attr :jwt_secret # readonly, deprecated
-    attr :jwt_data # deprecated
+
+
+    def named_permissions
+      reload unless @attribs[:named_permissions]
+      @attribs[:named_permissions]
+    end
+
+    def resource_links
+      reload unless @attribs[:resource_links]
+      @attribs[:resource_links]
+    end
 
 
     def reset!(params={})
-      params = parse_request_params(params).merge credentials: api_creds
-      parsed, _ = request(:post, "#{url}/reset", params)
+      params = parse_request_params(params).reverse_merge credentials: api_creds
+      parsed, _ = request(:post, "#{resource_path}/reset", params)
       load(parsed)
       errors.empty? ? self : false
     end

data/lib/authrocket/resource_link.rb

@@ -0,0 +1,10 @@
+module AuthRocket
+  class ResourceLink < Resource
+    crud :find, :create, :update, :delete
+
+    belongs_to :realm
+
+    attr :link_url, :resource_type, :title
+
+  end
+end

data/lib/authrocket/session.rb

@@ -5,73 +5,180 @@ module AuthRocket
   class Session < Resource
     crud :all, :find, :create, :delete
 
+    belongs_to :client_app
     belongs_to :user
 
     attr :token # readonly
-    attr_datetime :created_at, :expires_at # readonly
+    attr_datetime :created_at, :expires_at
 
     def request_data
       self[:request]
     end
 
 
-    # options - :within - (in seconds) Maximum time since the token was originally issued
-    #         - credentials: {jwt_secret: StringOrKey} - used to verify the token
-    #         - :algo - one of HS256, RS256 (default: auto-detect based on :jwt_secret)
+    # options - :algo   - one of HS256, RS256 (default: auto-detect based on :jwt_key)
+    #         - :within - (in seconds) Maximum time since the token was (re)issued
+    #         - credentials: {jwt_key: StringOrKey} - used to verify the token
     def self.from_token(token, options={})
-      secret = (options[:credentials]||credentials||{})[:jwt_secret]
-      raise Error, "missing :jwt_secret (or AUTHROCKET_JWT_SECRET)" unless secret
-      return unless token
+      secret = options.dig(:credentials, :jwt_key) || credentials[:jwt_key]
+      if lr_url = options.dig(:credentials, :loginrocket_url) || credentials[:loginrocket_url]
+        lr_url = lr_url.dup
+        lr_url.concat '/' unless lr_url.ends_with?('/')
+        lr_url.concat 'connect/jwks'
+      end
 
       algo = options[:algo]
       if secret.is_a?(String) && secret.length > 256
+        unless secret.starts_with?('-----BEGIN ')
+          secret = "-----BEGIN PUBLIC KEY-----\n#{secret}\n-----END PUBLIC KEY-----"
+        end
         secret = OpenSSL::PKey.read secret
       end
       algo ||= 'RS256' if secret.is_a?(OpenSSL::PKey::RSA)
-      algo ||= 'HS256'
+      algo ||= 'HS256' if secret
+
+      jwks_eligible = algo.in?([nil, 'RS256']) && secret.blank? && lr_url
+
+      raise Error, "Missing jwt_key; set LOGINROCKET_URL, AUTHROCKET_JWT_KEY, or pass in credentials: {loginrocket_url: ...} or {jwt_key: ...}" if secret.blank? && !jwks_eligible
+      return if token.blank?
 
-      jwt, _ = JWT.decode token, secret, true, algorithm: algo
+      if jwks_eligible
+        base_params = {token: token, algo: 'RS256', within: options[:within], local_creds: options[:credentials]}
+        load_jwk_set(lr_url, use_cached: true).each do |secret|
+          begin
+            return parse_jwt secret: secret, **base_params
+          rescue JWT::DecodeError
+          end
+        end
+        load_jwk_set(lr_url, use_cached: false).each do |secret|
+          begin
+            return parse_jwt secret: secret, **base_params
+          rescue JWT::DecodeError
+          end
+        end
+        nil
+      else
+        begin
+          parse_jwt token: token, secret: secret, algo: algo, within: options[:within], local_creds: options[:credentials]
+        rescue JWT::DecodeError
+          nil
+        end
+      end
+    end
 
-      if within = options.delete(:within)
+    # private
+    # raises an exception if eligible for retry using different token
+    # returns Session on success
+    # returns nil on a definitive token-parsed-but-invalid
+    def self.parse_jwt(token:, secret:, algo:, within:, local_creds: nil)
+      opts = {
+        algorithm: algo,
+        leeway: 5,
+        iss: "https://authrocket.com",
+        verify_iss: true,
+      }
+
+      jwt, _ = JWT.decode token, secret, true, opts
+
+      if within
+        # this ensures token was created recently
+        # :iat is set to Time.now every time a token is created by the AR api
         return if jwt['iat'] < Time.now.to_i - within
       end
 
       user = User.new({
-          id: jwt['uid'],
-          realm_id: jwt['aud'],
-          username: jwt['un'],
-          first_name: jwt['fn'],
-          last_name: jwt['ln'],
-          name: jwt['n'],
+          id: jwt['sub'],
+          realm_id: jwt['rid'],
+          username: jwt['preferred_username'],
+          first_name: jwt['given_name'],
+          last_name: jwt['family_name'],
+          name: jwt['name'],
+          email: jwt['email'],
+          email_verification: jwt['email_verified'] ? 'verified' : 'none',
+          reference: jwt['ref'],
           custom: jwt['cs'],
-          memberships: jwt['m'] && jwt['m'].map do |m|
+          memberships: jwt['orgs'] && jwt['orgs'].map do |m|
             Membership.new({
-              permissions: m['p'],
-              custom: m['cs'],
-              user_id: jwt['uid'],
+              id: m['mid'],
+              permissions: m['perm'],
+              selected: m['selected'],
+              user_id: jwt['sub'],
               org_id: m['oid'],
-              org: m['o'] && Org.new({
+              org: Org.new({
                 id: m['oid'],
-                realm_id: jwt['aud'],
-                name: m['o'],
-                custom: m['ocs'],
-              }),
-            })
+                realm_id: jwt['rid'],
+                name: m['name'],
+                reference: m['ref'],
+                custom: m['cs'],
+              }, local_creds),
+            }, local_creds)
           end,
-        }, options[:credentials])
+        }, local_creds)
       session = new({
-          id: jwt['tk'],
+          id: jwt['sid'],
           created_at: jwt['iat'],
           expires_at: jwt['exp'],
           token: token,
-          user_id: jwt['uid'],
+          user_id: jwt['sub'],
           user: user
-        }, options[:credentials])
-      
+        }, local_creds)
+
       session
-    rescue JWT::DecodeError
+    rescue JWT::ExpiredSignature, JWT::ImmatureSignature, JWT::InvalidAudError,
+        JWT::InvalidIatError, JWT::InvalidIssuerError
+      # successfully parsed, but invalid claims
       nil
     end
 
+    @_jwks ||= {}
+    JWKS_MUTEX = Mutex.new
+    MIN_ATTEMPT_WINDOW = 71 # seconds
+
+    # private
+    # use_cached - if there is a cached result, use it regardless of last cache load time
+    def self.load_jwk_set(uri, use_cached:)
+      keys, last_time = @_jwks.dig(uri, :keys), @_jwks.dig(uri, :time)
+      last_time ||= 0
+
+      return keys if use_cached && last_time > 0
+      return keys if Time.now.to_f - MIN_ATTEMPT_WINDOW < last_time
+
+      JWKS_MUTEX.synchronize do
+        # recheck in case we locked while being loaded in another process
+        newer_keys, newer_time = @_jwks.dig(uri, :keys), @_jwks.dig(uri, :time)
+        newer_time ||= 0
+
+        return newer_keys if newer_time > last_time
+
+        path = URI.parse(uri).path
+        headers = build_headers({}, {})
+        rest_opts = {
+          connect_timeout: 8,
+          headers: headers,
+          method: :get,
+          path: path,
+          read_timeout: 15,
+          url: uri,
+          write_timeout: 15,
+        }
+        response = execute_request(rest_opts)
+        parsed = parse_response(response)
+          # => {data: json, errors: errors, metadata: metadata}
+        certs = parsed[:data][:keys].map do |h|
+          crt = "-----BEGIN PUBLIC KEY-----\n#{h['x5c'][0]}\n-----END PUBLIC KEY-----"
+          OpenSSL::PKey.read crt
+        end
+
+        @_jwks[uri] = {keys: certs, time: Time.now.to_f}
+        keys ||= []
+        just_added = certs - keys
+        if just_added.any?
+          just_added
+        else
+          certs
+        end
+      end
+    end
+
   end
 end

data/lib/authrocket/token.rb

@@ -0,0 +1,9 @@
+module AuthRocket
+  class Token < Resource
+
+    belongs_to :user
+
+    attr :token
+
+  end
+end

data/lib/authrocket/user.rb

@@ -8,9 +8,9 @@ module AuthRocket
     has_many :memberships
     has_many :sessions
 
-    attr :custom, :email, :email_verification, :first_name
-    attr :last_name, :name, :password, :password_confirmation
-    attr :reference, :state, :user_type, :username
+    attr :custom, :email, :email_verification, :first_name, :last_name, :name
+    attr :reference, :state, :username
+    attr :password, :password_confirmation # writeonly
     attr_datetime :created_at, :last_login_at
 
 
@@ -20,93 +20,127 @@ module AuthRocket
     end
 
     def orgs
-      memberships.map(&:org).compact
+      memberships.map(&:org)
     end
 
     def find_org(id)
       orgs.detect{|o| o.id == id } || raise(RecordNotFound)
     end
 
-    def human? ; user_type=='human' ; end
-    def api?   ; user_type=='api'   ; end
-
 
     class << self
+      # id - email|username|id
+
+      # params - {password: '...'}
+      # returns: Session || Token
+      def authenticate(id, params)
+        params = parse_request_params(params, json_root: json_root)
+        parsed, creds = request(:post, "#{resource_path}/#{CGI.escape id}/authenticate", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
+      end
 
-      def authenticate(username, password, params={})
-        params = parse_request_params(params).merge password: password
-        parsed, creds = request(:post, "#{url}/#{CGI.escape username}/authenticate", params)
-        if parsed[:errors].any?
-          raise ValidationError, parsed[:errors]
-        end
-        new(parsed, creds)
+      # params - {token: 'kli:...', code: '000000'}
+      # returns: Session
+      def authenticate_token(params)
+        params = parse_request_params(params, json_root: json_root)
+        parsed, creds = request(:post, "#{resource_path}/authenticate_token", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
       end
 
-      def authenticate_key(api_key, params={})
-        params = parse_request_params(params).merge api_key: api_key
-        parsed, creds = request(:post, "#{url}/authenticate_key", params)
-        if parsed[:errors].any?
-          raise ValidationError, parsed[:errors]
-        end
-        new(parsed, creds)
+      # returns: Token
+      def generate_password_token(id, params={})
+        params = parse_request_params(params)
+        parsed, creds = request(:post, "#{resource_path}/#{CGI.escape id}/generate_password_token", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
       end
 
-      # params - {username: '...', token: 'kli_...', code: '000000'}
-      def authenticate_code(params)
+      # params - {token: '...', password: '...', password_confirmation: '...'}
+      # returns: Session || Token
+      def reset_password_with_token(params)
         params = parse_request_params(params, json_root: json_root)
-        username = params[json_root].delete(:username) || '--'
-        parsed, creds = request(:post, "#{url}/#{CGI.escape username}/authenticate_code", params)
-        if parsed[:errors].any?
-          raise ValidationError, parsed[:errors]
-        end
-        new(parsed, creds)
+        parsed, creds = request(:post, "#{resource_path}/reset_password_with_token", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
       end
 
-      def generate_password_token(username, params={})
+      # returns: Token
+      def request_email_verification(id, params={})
         params = parse_request_params(params)
-        parsed, creds = request(:post, "#{url}/#{CGI.escape username}/generate_password_token", params)
-        if parsed[:errors].any?
-          raise ValidationError, parsed[:errors]
-        end
-        new(parsed, creds)
+        parsed, creds = request(:post, "#{resource_path}/#{CGI.escape id}/request_email_verification", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
       end
 
-      # params - {username: '...', token: '...', password: '...', password_confirmation: '...'}
-      def reset_password_with_token(params)
+      # params - {token: '...'}
+      # returns: User
+      def verify_email(params)
         params = parse_request_params(params, json_root: json_root)
-        username = params[json_root].delete(:username) || '--'
-        parsed, creds = request(:post, "#{url}/#{CGI.escape username}/reset_password_with_token", params)
-        if parsed[:errors].any?
-          raise ValidationError, parsed[:errors]
-        end
-        new(parsed, creds)
+        parsed, creds = request(:post, "#{resource_path}/verify_email", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
       end
 
     end
 
-    # params - {current_password: 'old', password: 'new', password_confirmation: 'new'}
-    def update_password(params)
-      params = parse_request_params(params, json_root: json_root).merge credentials: api_creds
-      parsed, _ = request(:put, "#{url}/update_password", params)
+
+    # params - {token: '...'}
+    def accept_invitation(params)
+      params = parse_request_params(params, json_root: json_root).reverse_merge credentials: api_creds
+      parsed, _ = request(:post, "#{resource_path}/accept_invitation", params)
       load(parsed)
       errors.empty? ? self : false
     end
 
-    def request_email_verification(params={})
-      params = parse_request_params(params).merge credentials: api_creds
-      parsed, _ = request(:post, "#{url}/request_email_verification", params)
+    # params - {current_password: 'old', password: 'new', password_confirmation: 'new'}
+    def update_password(params)
+      params = parse_request_params(params, json_root: json_root).reverse_merge credentials: api_creds
+      parsed, _ = request(:put, "#{resource_path}/update_password", params)
       load(parsed)
       errors.empty? ? self : false
     end
 
-    # params - {token: '...'}
-    def verify_email(params)
-      params = parse_request_params(params, json_root: json_root).merge credentials: api_creds
-      parsed, _ = request(:post, "#{url}/verify_email", params)
+    # params - {email:, first_name:, last_name:, password:, password_confirmation:, username:}
+    def update_profile(params)
+      params = parse_request_params(params, json_root: json_root).reverse_merge credentials: api_creds
+      parsed, _ = request(:put, "#{resource_path}/profile", params)
       load(parsed)
       errors.empty? ? self : false
     end
 
 
+    # returns: Session || Token
+    #   (Session.user !== self)
+    def authenticate(params)
+      self.class.authenticate id, params.reverse_merge(credentials: api_creds)
+    rescue RecordInvalid => ex
+      errors.merge! ex.errors
+      false
+    end
+
+    # returns: Token
+    def generate_password_token(params={})
+      self.class.generate_password_token id, params.reverse_merge(credentials: api_creds)
+    rescue RecordInvalid => ex
+      errors.merge! ex.errors
+      false
+    end
+
+    # returns: Token
+    def request_email_verification(params={})
+      self.class.request_email_verification id, params.reverse_merge(credentials: api_creds)
+    rescue RecordInvalid => ex
+      errors.merge! ex.errors
+      false
+    end
+
   end
 end