RubyGems - authrocket - Versions diffs - 2.4.1 → 3.3.0 - Mend

authrocket 2.4.1 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +39 -0
data/LICENSE +1 -1
data/README.md +72 -62
data/app/controllers/auth_rocket/ar_controller.rb +11 -33
data/app/controllers/logins_controller.rb +1 -8
data/authrocket.gemspec +4 -3
data/config/routes.rb +0 -1
data/lib/authrocket.rb +23 -1
data/lib/authrocket/api/api_config.rb +17 -18
data/lib/authrocket/api/client.rb +1 -1
data/lib/authrocket/api/version.rb +1 -1
data/lib/authrocket/auth_provider.rb +48 -49
data/lib/authrocket/client_app.rb +14 -0
data/lib/authrocket/connection.rb +13 -0
data/lib/authrocket/credential.rb +12 -6
data/lib/authrocket/domain.rb +19 -0
data/lib/authrocket/event.rb +2 -3
data/lib/authrocket/hook.rb +42 -0
data/lib/authrocket/hook_state.rb +26 -0
data/lib/authrocket/invitation.rb +35 -0
data/lib/authrocket/membership.rb +1 -1
data/lib/authrocket/named_permission.rb +10 -0
data/lib/authrocket/notification.rb +1 -1
data/lib/authrocket/oauth2_session.rb +26 -0
data/lib/authrocket/org.rb +2 -1
data/lib/authrocket/rails/controller_helper.rb +80 -20
data/lib/authrocket/rails/engine.rb +6 -1
data/lib/authrocket/realm.rb +26 -9
data/lib/authrocket/resource_link.rb +10 -0
data/lib/authrocket/session.rb +104 -33
data/lib/authrocket/token.rb +9 -0
data/lib/authrocket/user.rb +89 -54
metadata +37 -22
data/lib/authrocket/app_hook.rb +0 -28
data/lib/authrocket/login_policy.rb +0 -14
data/lib/authrocket/user_token.rb +0 -9

data/lib/authrocket/rails/engine.rb CHANGED Viewed

@@ -5,7 +5,12 @@ module AuthRocket
       require_relative 'controller_helper'
       ActiveSupport.on_load(:action_controller) do
-        include AuthRocket::ControllerHelper
+        if self == ActionController::Base
+          include AuthRocket::ControllerHelper
+          helper AuthRocket::ControllerHelper
+          before_action :process_inbound_token
+          before_action :process_authorization_header
+        end
       end
     end

data/lib/authrocket/realm.rb CHANGED Viewed

@@ -2,25 +2,42 @@ module AuthRocket
   class Realm < Resource
     crud :all, :find, :create, :update, :delete
-    has_many :app_hooks
     has_many :auth_providers
+    has_many :client_apps
+    has_many :connections
+    has_many :domains
     has_many :events
+    has_many :hooks
+    has_many :invitations
     has_many :jwt_keys
-    has_many :login_policies
+    has_many :named_permissions
     has_many :orgs
+    has_many :resource_links
     has_many :users
-    attr :api_key_minutes, :api_key_policy, :api_key_prefix, :custom, :name
-    attr :jwt_fields, :require_unique_emails, :resource_links, :session_minutes
-    attr :session_type, :state, :username_validation_human
+    attr :custom, :environment, :name, :public_name, :state
+    attr :available_locales, :default_locale
+    attr :email_verification, :org_mode, :signup
+    attr :name_field, :org_name_field, :password_field, :username_field
+    attr :branding, :color_1, :logo, :logo_icon, :privacy_policy, :stylesheet, :terms_of_service
+    attr :access_token_minutes, :jwt_algo, :jwt_minutes, :jwt_scopes, :session_minutes
     attr :jwt_key # readonly
-    attr :jwt_secret # readonly, deprecated
-    attr :jwt_data # deprecated
+    def named_permissions
+      reload unless @attribs[:named_permissions]
+      @attribs[:named_permissions]
+    end
+    def resource_links
+      reload unless @attribs[:resource_links]
+      @attribs[:resource_links]
+    end
     def reset!(params={})
-      params = parse_request_params(params).merge credentials: api_creds
-      parsed, _ = request(:post, "#{url}/reset", params)
+      params = parse_request_params(params).reverse_merge credentials: api_creds
+      parsed, _ = request(:post, "#{resource_path}/reset", params)
       load(parsed)
       errors.empty? ? self : false
     end

data/lib/authrocket/resource_link.rb ADDED Viewed

@@ -0,0 +1,10 @@
+module AuthRocket
+  class ResourceLink < Resource
+    crud :find, :create, :update, :delete
+    belongs_to :realm
+    attr :link_url, :resource_type, :title
+  end
+end

data/lib/authrocket/session.rb CHANGED Viewed

@@ -5,73 +5,144 @@ module AuthRocket
   class Session < Resource
     crud :all, :find, :create, :delete
+    belongs_to :client_app
     belongs_to :user
     attr :token # readonly
-    attr_datetime :created_at, :expires_at # readonly
+    attr_datetime :created_at, :expires_at
     def request_data
       self[:request]
     end
-    # options - :within - (in seconds) Maximum time since the token was originally issued
-    #         - credentials: {jwt_secret: StringOrKey} - used to verify the token
-    #         - :algo - one of HS256, RS256 (default: auto-detect based on :jwt_secret)
+    # options - :algo   - one of HS256, RS256 (default: auto-detect based on :jwt_key)
+    #         - :within - (in seconds) Maximum time since the token was (re)issued
+    #         - credentials: {jwt_key: StringOrKey} - used to verify the token
+    # returns Session or nil
     def self.from_token(token, options={})
-      secret = (options[:credentials]||credentials||{})[:jwt_secret]
-      raise Error, "missing :jwt_secret (or AUTHROCKET_JWT_SECRET)" unless secret
-      return unless token
-      algo = options[:algo]
+      if lr_url = options.dig(:credentials, :loginrocket_url) || credentials[:loginrocket_url]
+        lr_url = lr_url.dup
+        lr_url.concat '/' unless lr_url.ends_with?('/')
+        lr_url.concat 'connect/jwks'
+      end
+      secret = options.dig(:credentials, :jwt_key) || credentials[:jwt_key]
       if secret.is_a?(String) && secret.length > 256
+        unless secret.starts_with?('-----BEGIN ')
+          secret = "-----BEGIN PUBLIC KEY-----\n#{secret}\n-----END PUBLIC KEY-----"
+        end
         secret = OpenSSL::PKey.read secret
       end
+      algo = options[:algo]
       algo ||= 'RS256' if secret.is_a?(OpenSSL::PKey::RSA)
-      algo ||= 'HS256'
+      algo ||= 'HS256' if secret
+      jwks_eligible = algo.in?([nil, 'RS256']) && secret.blank? && lr_url
+      raise Error, "Missing jwt_key; set LOGINROCKET_URL, AUTHROCKET_JWT_KEY, or pass in credentials: {loginrocket_url: ...} or {jwt_key: ...}" if secret.blank? && !jwks_eligible
+      return if token.blank?
+      base_params = {token: token, within: options[:within], local_creds: options[:credentials]}
+      if jwks_eligible
+        kid = JSON.parse(JWT::Base64.url_decode(token.split('.')[0]))['kid'] rescue nil
+        return if kid.blank?
+        load_jwk_set(lr_url) unless @_jwks[kid]
+        if key_set = @_jwks[kid]
+          parse_jwt **key_set, **base_params
+        end
+      else
+        parse_jwt secret: secret, algo: algo, **base_params
+      end
+    end
-      jwt, _ = JWT.decode token, secret, true, algorithm: algo
+    # private
+    # returns Session or nil
+    def self.parse_jwt(token:, secret:, algo:, within:, local_creds: nil)
+      opts = {
+        algorithm: algo,
+        leeway: 5,
+        iss: "https://authrocket.com",
+        verify_iss: true,
+      }
-      if within = options.delete(:within)
+      jwt, _ = JWT.decode token, secret, true, opts
+      if within
+        # this ensures token was created recently
+        # :iat is set to Time.now every time a token is created by the AR api
         return if jwt['iat'] < Time.now.to_i - within
       end
       user = User.new({
-          id: jwt['uid'],
-          realm_id: jwt['aud'],
-          username: jwt['un'],
-          first_name: jwt['fn'],
-          last_name: jwt['ln'],
-          name: jwt['n'],
+          id: jwt['sub'],
+          realm_id: jwt['rid'],
+          username: jwt['preferred_username'],
+          first_name: jwt['given_name'],
+          last_name: jwt['family_name'],
+          name: jwt['name'],
+          email: jwt['email'],
+          email_verification: jwt['email_verified'] ? 'verified' : 'none',
+          reference: jwt['ref'],
           custom: jwt['cs'],
-          memberships: jwt['m'] && jwt['m'].map do |m|
+          memberships: jwt['orgs'] && jwt['orgs'].map do |m|
             Membership.new({
-              permissions: m['p'],
-              custom: m['cs'],
-              user_id: jwt['uid'],
+              id: m['mid'],
+              permissions: m['perm'],
+              selected: m['selected'],
+              user_id: jwt['sub'],
               org_id: m['oid'],
-              org: m['o'] && Org.new({
+              org: Org.new({
                 id: m['oid'],
-                realm_id: jwt['aud'],
-                name: m['o'],
-                custom: m['ocs'],
-              }),
-            })
+                realm_id: jwt['rid'],
+                name: m['name'],
+                reference: m['ref'],
+                custom: m['cs'],
+              }, local_creds),
+            }, local_creds)
           end,
-        }, options[:credentials])
+        }, local_creds)
       session = new({
-          id: jwt['tk'],
+          id: jwt['sid'],
           created_at: jwt['iat'],
           expires_at: jwt['exp'],
           token: token,
-          user_id: jwt['uid'],
+          user_id: jwt['sub'],
           user: user
-        }, options[:credentials])
+        }, local_creds)
       session
     rescue JWT::DecodeError
       nil
     end
+    @_jwks ||= {}
+    JWKS_MUTEX = Mutex.new
+    # private
+    def self.load_jwk_set(uri)
+      JWKS_MUTEX.synchronize do
+        path = URI.parse(uri).path
+        headers = build_headers({}, {})
+        rest_opts = {
+          connect_timeout: 8,
+          headers: headers,
+          method: :get,
+          path: path,
+          read_timeout: 15,
+          url: uri,
+          write_timeout: 15,
+        }
+        response = execute_request(rest_opts)
+        parsed = parse_response(response)
+          # => {data: json, errors: errors, metadata: metadata}
+        parsed[:data][:keys].each do |h|
+          crt = "-----BEGIN PUBLIC KEY-----\n#{h['x5c'][0]}\n-----END PUBLIC KEY-----"
+          @_jwks[h['kid']] = {secret: OpenSSL::PKey.read(crt), algo: h['alg']}
+        end
+      end
+      @_jwks
+    end
   end
 end

data/lib/authrocket/token.rb ADDED Viewed

@@ -0,0 +1,9 @@
+module AuthRocket
+  class Token < Resource
+    belongs_to :user
+    attr :token
+  end
+end

data/lib/authrocket/user.rb CHANGED Viewed

@@ -5,12 +5,13 @@ module AuthRocket
     belongs_to :realm
     has_many :credentials
     has_many :events
+    has_many :hook_states
     has_many :memberships
     has_many :sessions
-    attr :custom, :email, :email_verification, :first_name
-    attr :last_name, :name, :password, :password_confirmation
-    attr :reference, :state, :user_type, :username
+    attr :custom, :email, :email_verification, :first_name, :last_name, :locale, :name
+    attr :reference, :state, :username
+    attr :password, :password_confirmation # writeonly
     attr_datetime :created_at, :last_login_at
@@ -20,93 +21,127 @@ module AuthRocket
     end
     def orgs
-      memberships.map(&:org).compact
+      memberships.map(&:org)
     end
     def find_org(id)
       orgs.detect{|o| o.id == id } || raise(RecordNotFound)
     end
-    def human? ; user_type=='human' ; end
-    def api?   ; user_type=='api'   ; end
     class << self
+      # id - email|username|id
+      # params - {password: '...'}
+      # returns: Session || Token
+      def authenticate(id, params)
+        params = parse_request_params(params, json_root: json_root)
+        parsed, creds = request(:post, "#{resource_path}/#{CGI.escape id}/authenticate", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
+      end
-      def authenticate(username, password, params={})
-        params = parse_request_params(params).merge password: password
-        parsed, creds = request(:post, "#{url}/#{CGI.escape username}/authenticate", params)
-        if parsed[:errors].any?
-          raise ValidationError, parsed[:errors]
-        end
-        new(parsed, creds)
+      # params - {token: 'kli:...', code: '000000'}
+      # returns: Session
+      def authenticate_token(params)
+        params = parse_request_params(params, json_root: json_root)
+        parsed, creds = request(:post, "#{resource_path}/authenticate_token", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
       end
-      def authenticate_key(api_key, params={})
-        params = parse_request_params(params).merge api_key: api_key
-        parsed, creds = request(:post, "#{url}/authenticate_key", params)
-        if parsed[:errors].any?
-          raise ValidationError, parsed[:errors]
-        end
-        new(parsed, creds)
+      # returns: Token
+      def generate_password_token(id, params={})
+        params = parse_request_params(params)
+        parsed, creds = request(:post, "#{resource_path}/#{CGI.escape id}/generate_password_token", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
       end
-      # params - {username: '...', token: 'kli_...', code: '000000'}
-      def authenticate_code(params)
+      # params - {token: '...', password: '...', password_confirmation: '...'}
+      # returns: Session || Token
+      def reset_password_with_token(params)
         params = parse_request_params(params, json_root: json_root)
-        username = params[json_root].delete(:username) || '--'
-        parsed, creds = request(:post, "#{url}/#{CGI.escape username}/authenticate_code", params)
-        if parsed[:errors].any?
-          raise ValidationError, parsed[:errors]
-        end
-        new(parsed, creds)
+        parsed, creds = request(:post, "#{resource_path}/reset_password_with_token", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
       end
-      def generate_password_token(username, params={})
+      # returns: Token
+      def request_email_verification(id, params={})
         params = parse_request_params(params)
-        parsed, creds = request(:post, "#{url}/#{CGI.escape username}/generate_password_token", params)
-        if parsed[:errors].any?
-          raise ValidationError, parsed[:errors]
-        end
-        new(parsed, creds)
+        parsed, creds = request(:post, "#{resource_path}/#{CGI.escape id}/request_email_verification", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
       end
-      # params - {username: '...', token: '...', password: '...', password_confirmation: '...'}
-      def reset_password_with_token(params)
+      # params - {token: '...'}
+      # returns: User
+      def verify_email(params)
         params = parse_request_params(params, json_root: json_root)
-        username = params[json_root].delete(:username) || '--'
-        parsed, creds = request(:post, "#{url}/#{CGI.escape username}/reset_password_with_token", params)
-        if parsed[:errors].any?
-          raise ValidationError, parsed[:errors]
-        end
-        new(parsed, creds)
+        parsed, creds = request(:post, "#{resource_path}/verify_email", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
       end
     end
-    # params - {current_password: 'old', password: 'new', password_confirmation: 'new'}
-    def update_password(params)
-      params = parse_request_params(params, json_root: json_root).merge credentials: api_creds
-      parsed, _ = request(:put, "#{url}/update_password", params)
+    # params - {token: '...'}
+    def accept_invitation(params)
+      params = parse_request_params(params, json_root: json_root).reverse_merge credentials: api_creds
+      parsed, _ = request(:post, "#{resource_path}/accept_invitation", params)
       load(parsed)
       errors.empty? ? self : false
     end
-    def request_email_verification(params={})
-      params = parse_request_params(params).merge credentials: api_creds
-      parsed, _ = request(:post, "#{url}/request_email_verification", params)
+    # params - {current_password: 'old', password: 'new', password_confirmation: 'new'}
+    def update_password(params)
+      params = parse_request_params(params, json_root: json_root).reverse_merge credentials: api_creds
+      parsed, _ = request(:put, "#{resource_path}/update_password", params)
       load(parsed)
       errors.empty? ? self : false
     end
-    # params - {token: '...'}
-    def verify_email(params)
-      params = parse_request_params(params, json_root: json_root).merge credentials: api_creds
-      parsed, _ = request(:post, "#{url}/verify_email", params)
+    # params - {email:, first_name:, last_name:, password:, password_confirmation:, username:}
+    def update_profile(params)
+      params = parse_request_params(params, json_root: json_root).reverse_merge credentials: api_creds
+      parsed, _ = request(:put, "#{resource_path}/profile", params)
       load(parsed)
       errors.empty? ? self : false
     end
+    # returns: Session || Token
+    #   (Session.user !== self)
+    def authenticate(params)
+      self.class.authenticate id, params.reverse_merge(credentials: api_creds)
+    rescue RecordInvalid => ex
+      errors.merge! ex.errors
+      false
+    end
+    # returns: Token
+    def generate_password_token(params={})
+      self.class.generate_password_token id, params.reverse_merge(credentials: api_creds)
+    rescue RecordInvalid => ex
+      errors.merge! ex.errors
+      false
+    end
+    # returns: Token
+    def request_email_verification(params={})
+      self.class.request_email_verification id, params.reverse_merge(credentials: api_creds)
+    rescue RecordInvalid => ex
+      errors.merge! ex.errors
+      false
+    end
   end
 end