RubyGems - authrocket - Versions diffs - 2.4.1 → 3.3.0 - Mend

authrocket 2.4.1 → 3.3.0

Files changed (37) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +39 -0
data/LICENSE +1 -1
data/README.md +72 -62
data/app/controllers/auth_rocket/ar_controller.rb +11 -33
data/app/controllers/logins_controller.rb +1 -8
data/authrocket.gemspec +4 -3
data/config/routes.rb +0 -1
data/lib/authrocket.rb +23 -1
data/lib/authrocket/api/api_config.rb +17 -18
data/lib/authrocket/api/client.rb +1 -1
data/lib/authrocket/api/version.rb +1 -1
data/lib/authrocket/auth_provider.rb +48 -49
data/lib/authrocket/client_app.rb +14 -0
data/lib/authrocket/connection.rb +13 -0
data/lib/authrocket/credential.rb +12 -6
data/lib/authrocket/domain.rb +19 -0
data/lib/authrocket/event.rb +2 -3
data/lib/authrocket/hook.rb +42 -0
data/lib/authrocket/hook_state.rb +26 -0
data/lib/authrocket/invitation.rb +35 -0
data/lib/authrocket/membership.rb +1 -1
data/lib/authrocket/named_permission.rb +10 -0
data/lib/authrocket/notification.rb +1 -1
data/lib/authrocket/oauth2_session.rb +26 -0
data/lib/authrocket/org.rb +2 -1
data/lib/authrocket/rails/controller_helper.rb +80 -20
data/lib/authrocket/rails/engine.rb +6 -1
data/lib/authrocket/realm.rb +26 -9
data/lib/authrocket/resource_link.rb +10 -0
data/lib/authrocket/session.rb +104 -33
data/lib/authrocket/token.rb +9 -0
data/lib/authrocket/user.rb +89 -54
metadata +37 -22
data/lib/authrocket/app_hook.rb +0 -28
data/lib/authrocket/login_policy.rb +0 -14
data/lib/authrocket/user_token.rb +0 -9

data/lib/authrocket/rails/engine.rb CHANGED Viewed

@@ -5,7 +5,12 @@ module AuthRocket
       require_relative 'controller_helper'
       ActiveSupport.on_load(:action_controller) do
-        include AuthRocket::ControllerHelper
+        if self == ActionController::Base
+          include AuthRocket::ControllerHelper
+          helper AuthRocket::ControllerHelper
+          before_action :process_inbound_token
+          before_action :process_authorization_header
+        end
       end
     end

data/lib/authrocket/realm.rb CHANGED Viewed

@@ -2,25 +2,42 @@ module AuthRocket
   class Realm < Resource
     crud :all, :find, :create, :update, :delete
-    has_many :app_hooks
     has_many :auth_providers
+    has_many :client_apps
+    has_many :connections
+    has_many :domains
     has_many :events
+    has_many :hooks
+    has_many :invitations
     has_many :jwt_keys
-    has_many :login_policies
+    has_many :named_permissions
     has_many :orgs
+    has_many :resource_links
     has_many :users
-    attr :api_key_minutes, :api_key_policy, :api_key_prefix, :custom, :name
-    attr :jwt_fields, :require_unique_emails, :resource_links, :session_minutes
-    attr :session_type, :state, :username_validation_human
+    attr :custom, :environment, :name, :public_name, :state
+    attr :available_locales, :default_locale
+    attr :email_verification, :org_mode, :signup
+    attr :name_field, :org_name_field, :password_field, :username_field
+    attr :branding, :color_1, :logo, :logo_icon, :privacy_policy, :stylesheet, :terms_of_service
+    attr :access_token_minutes, :jwt_algo, :jwt_minutes, :jwt_scopes, :session_minutes
     attr :jwt_key # readonly
-    attr :jwt_secret # readonly, deprecated
-    attr :jwt_data # deprecated
+    def named_permissions
+      reload unless @attribs[:named_permissions]
+      @attribs[:named_permissions]
+    end
+    def resource_links
+      reload unless @attribs[:resource_links]
+      @attribs[:resource_links]
+    end
     def reset!(params={})
-      params = parse_request_params(params).merge credentials: api_creds
-      parsed, _ = request(:post, "#{url}/reset", params)
+      params = parse_request_params(params).reverse_merge credentials: api_creds
+      parsed, _ = request(:post, "#{resource_path}/reset", params)
       load(parsed)
       errors.empty? ? self : false
     end

data/lib/authrocket/resource_link.rb ADDED Viewed

@@ -0,0 +1,10 @@
+module AuthRocket
+  class ResourceLink < Resource
+    crud :find, :create, :update, :delete
+    belongs_to :realm
+    attr :link_url, :resource_type, :title
+  end
+end

data/lib/authrocket/session.rb CHANGED Viewed

@@ -5,73 +5,144 @@ module AuthRocket
   class Session < Resource
     crud :all, :find, :create, :delete
+    belongs_to :client_app
     belongs_to :user
     attr :token # readonly
-    attr_datetime :created_at, :expires_at # readonly
+    attr_datetime :created_at, :expires_at
     def request_data
       self[:request]
     end
-    # options - :within - (in seconds) Maximum time since the token was originally issued
-    #         - credentials: {jwt_secret: StringOrKey} - used to verify the token
-    #         - :algo - one of HS256, RS256 (default: auto-detect based on :jwt_secret)
+    # options - :algo   - one of HS256, RS256 (default: auto-detect based on :jwt_key)
+    #         - :within - (in seconds) Maximum time since the token was (re)issued
+    #         - credentials: {jwt_key: StringOrKey} - used to verify the token
+    # returns Session or nil
     def self.from_token(token, options={})
-      secret = (options[:credentials]||credentials||{})[:jwt_secret]
-      raise Error, "missing :jwt_secret (or AUTHROCKET_JWT_SECRET)" unless secret
-      return unless token
-      algo = options[:algo]
+      if lr_url = options.dig(:credentials, :loginrocket_url) || credentials[:loginrocket_url]
+        lr_url = lr_url.dup
+        lr_url.concat '/' unless lr_url.ends_with?('/')
+        lr_url.concat 'connect/jwks'
+      end
+      secret = options.dig(:credentials, :jwt_key) || credentials[:jwt_key]
       if secret.is_a?(String) && secret.length > 256
+        unless secret.starts_with?('-----BEGIN ')
+          secret = "-----BEGIN PUBLIC KEY-----\n#{secret}\n-----END PUBLIC KEY-----"
+        end
         secret = OpenSSL::PKey.read secret
       end
+      algo = options[:algo]
       algo ||= 'RS256' if secret.is_a?(OpenSSL::PKey::RSA)
-      algo ||= 'HS256'
+      algo ||= 'HS256' if secret
+      jwks_eligible = algo.in?([nil, 'RS256']) && secret.blank? && lr_url
+      raise Error, "Missing jwt_key; set LOGINROCKET_URL, AUTHROCKET_JWT_KEY, or pass in credentials: {loginrocket_url: ...} or {jwt_key: ...}" if secret.blank? && !jwks_eligible
+      return if token.blank?
+      base_params = {token: token, within: options[:within], local_creds: options[:credentials]}
+      if jwks_eligible
+        kid = JSON.parse(JWT::Base64.url_decode(token.split('.')[0]))['kid'] rescue nil
+        return if kid.blank?
+        load_jwk_set(lr_url) unless @_jwks[kid]
+        if key_set = @_jwks[kid]
+          parse_jwt **key_set, **base_params
+        end
+      else
+        parse_jwt secret: secret, algo: algo, **base_params
+      end
+    end
-      jwt, _ = JWT.decode token, secret, true, algorithm: algo
+    # private
+    # returns Session or nil
+    def self.parse_jwt(token:, secret:, algo:, within:, local_creds: nil)
+      opts = {
+        algorithm: algo,
+        leeway: 5,
+        iss: "https://authrocket.com",
+        verify_iss: true,
+      }
-      if within = options.delete(:within)
+      jwt, _ = JWT.decode token, secret, true, opts
+      if within
+        # this ensures token was created recently
+        # :iat is set to Time.now every time a token is created by the AR api
         return if jwt['iat'] < Time.now.to_i - within
       end
       user = User.new({
-          id: jwt['uid'],
-          realm_id: jwt['aud'],
-          username: jwt['un'],
-          first_name: jwt['fn'],
-          last_name: jwt['ln'],
-          name: jwt['n'],
+          id: jwt['sub'],
+          realm_id: jwt['rid'],
+          username: jwt['preferred_username'],
+          first_name: jwt['given_name'],
+          last_name: jwt['family_name'],
+          name: jwt['name'],
+          email: jwt['email'],
+          email_verification: jwt['email_verified'] ? 'verified' : 'none',
+          reference: jwt['ref'],
           custom: jwt['cs'],
-          memberships: jwt['m'] && jwt['m'].map do |m|
+          memberships: jwt['orgs'] && jwt['orgs'].map do |m|
             Membership.new({
-              permissions: m['p'],
-              custom: m['cs'],
-              user_id: jwt['uid'],
+              id: m['mid'],
+              permissions: m['perm'],
+              selected: m['selected'],
+              user_id: jwt['sub'],
               org_id: m['oid'],
-              org: m['o'] && Org.new({
+              org: Org.new({
                 id: m['oid'],
-                realm_id: jwt['aud'],
-                name: m['o'],
-                custom: m['ocs'],
-              }),
-            })
+                realm_id: jwt['rid'],
+                name: m['name'],
+                reference: m['ref'],
+                custom: m['cs'],
+              }, local_creds),
+            }, local_creds)
           end,
-        }, options[:credentials])
+        }, local_creds)
       session = new({
-          id: jwt['tk'],
+          id: jwt['sid'],
           created_at: jwt['iat'],
           expires_at: jwt['exp'],
           token: token,
-          user_id: jwt['uid'],
+          user_id: jwt['sub'],
           user: user
-        }, options[:credentials])
+        }, local_creds)
       session
     rescue JWT::DecodeError
       nil
     end
+    @_jwks ||= {}
+    JWKS_MUTEX = Mutex.new
+    # private
+    def self.load_jwk_set(uri)
+      JWKS_MUTEX.synchronize do
+        path = URI.parse(uri).path
+        headers = build_headers({}, {})
+        rest_opts = {
+          connect_timeout: 8,
+          headers: headers,
+          method: :get,
+          path: path,
+          read_timeout: 15,
+          url: uri,
+          write_timeout: 15,
+        }
+        response = execute_request(rest_opts)
+        parsed = parse_response(response)
+          # => {data: json, errors: errors, metadata: metadata}
+        parsed[:data][:keys].each do |h|
+          crt = "-----BEGIN PUBLIC KEY-----\n#{h['x5c'][0]}\n-----END PUBLIC KEY-----"
+          @_jwks[h['kid']] = {secret: OpenSSL::PKey.read(crt), algo: h['alg']}
+        end
+      end
+      @_jwks
+    end
   end
 end

data/lib/authrocket/token.rb ADDED Viewed

@@ -0,0 +1,9 @@
+module AuthRocket
+  class Token < Resource
+    belongs_to :user
+    attr :token
+  end
+end

data/lib/authrocket/user.rb CHANGED Viewed

@@ -5,12 +5,13 @@ module AuthRocket
     belongs_to :realm
     has_many :credentials
     has_many :events
+    has_many :hook_states
     has_many :memberships
     has_many :sessions
-    attr :custom, :email, :email_verification, :first_name
-    attr :last_name, :name, :password, :password_confirmation
-    attr :reference, :state, :user_type, :username
+    attr :custom, :email, :email_verification, :first_name, :last_name, :locale, :name
+    attr :reference, :state, :username
+    attr :password, :password_confirmation # writeonly
     attr_datetime :created_at, :last_login_at
@@ -20,93 +21,127 @@ module AuthRocket
     end
     def orgs
-      memberships.map(&:org).compact
+      memberships.map(&:org)
     end
     def find_org(id)
       orgs.detect{|o| o.id == id } || raise(RecordNotFound)
     end
-    def human? ; user_type=='human' ; end
-    def api?   ; user_type=='api'   ; end
     class << self
+      # id - email|username|id
+      # params - {password: '...'}
+      # returns: Session || Token
+      def authenticate(id, params)
+        params = parse_request_params(params, json_root: json_root)
+        parsed, creds = request(:post, "#{resource_path}/#{CGI.escape id}/authenticate", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
+      end
-      def authenticate(username, password, params={})
-        params = parse_request_params(params).merge password: password
-        parsed, creds = request(:post, "#{url}/#{CGI.escape username}/authenticate", params)
-        if parsed[:errors].any?
-          raise ValidationError, parsed[:errors]
-        end
-        new(parsed, creds)
+      # params - {token: 'kli:...', code: '000000'}
+      # returns: Session
+      def authenticate_token(params)
+        params = parse_request_params(params, json_root: json_root)
+        parsed, creds = request(:post, "#{resource_path}/authenticate_token", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
       end
-      def authenticate_key(api_key, params={})
-        params = parse_request_params(params).merge api_key: api_key
-        parsed, creds = request(:post, "#{url}/authenticate_key", params)
-        if parsed[:errors].any?
-          raise ValidationError, parsed[:errors]
-        end
-        new(parsed, creds)
+      # returns: Token
+      def generate_password_token(id, params={})
+        params = parse_request_params(params)
+        parsed, creds = request(:post, "#{resource_path}/#{CGI.escape id}/generate_password_token", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
       end
-      # params - {username: '...', token: 'kli_...', code: '000000'}
-      def authenticate_code(params)
+      # params - {token: '...', password: '...', password_confirmation: '...'}
+      # returns: Session || Token
+      def reset_password_with_token(params)
         params = parse_request_params(params, json_root: json_root)
-        username = params[json_root].delete(:username) || '--'
-        parsed, creds = request(:post, "#{url}/#{CGI.escape username}/authenticate_code", params)
-        if parsed[:errors].any?
-          raise ValidationError, parsed[:errors]
-        end
-        new(parsed, creds)
+        parsed, creds = request(:post, "#{resource_path}/reset_password_with_token", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
       end
-      def generate_password_token(username, params={})
+      # returns: Token
+      def request_email_verification(id, params={})
         params = parse_request_params(params)
-        parsed, creds = request(:post, "#{url}/#{CGI.escape username}/generate_password_token", params)
-        if parsed[:errors].any?
-          raise ValidationError, parsed[:errors]
-        end
-        new(parsed, creds)
+        parsed, creds = request(:post, "#{resource_path}/#{CGI.escape id}/request_email_verification", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
       end
-      # params - {username: '...', token: '...', password: '...', password_confirmation: '...'}
-      def reset_password_with_token(params)
+      # params - {token: '...'}
+      # returns: User
+      def verify_email(params)
         params = parse_request_params(params, json_root: json_root)
-        username = params[json_root].delete(:username) || '--'
-        parsed, creds = request(:post, "#{url}/#{CGI.escape username}/reset_password_with_token", params)
-        if parsed[:errors].any?
-          raise ValidationError, parsed[:errors]
-        end
-        new(parsed, creds)
+        parsed, creds = request(:post, "#{resource_path}/verify_email", params)
+        obj = factory(parsed, creds)
+        raise RecordInvalid, obj if obj.errors?
+        obj
       end
     end
-    # params - {current_password: 'old', password: 'new', password_confirmation: 'new'}
-    def update_password(params)
-      params = parse_request_params(params, json_root: json_root).merge credentials: api_creds
-      parsed, _ = request(:put, "#{url}/update_password", params)
+    # params - {token: '...'}
+    def accept_invitation(params)
+      params = parse_request_params(params, json_root: json_root).reverse_merge credentials: api_creds
+      parsed, _ = request(:post, "#{resource_path}/accept_invitation", params)
       load(parsed)
       errors.empty? ? self : false
     end
-    def request_email_verification(params={})
-      params = parse_request_params(params).merge credentials: api_creds
-      parsed, _ = request(:post, "#{url}/request_email_verification", params)
+    # params - {current_password: 'old', password: 'new', password_confirmation: 'new'}
+    def update_password(params)
+      params = parse_request_params(params, json_root: json_root).reverse_merge credentials: api_creds
+      parsed, _ = request(:put, "#{resource_path}/update_password", params)
       load(parsed)
       errors.empty? ? self : false
     end
-    # params - {token: '...'}
-    def verify_email(params)
-      params = parse_request_params(params, json_root: json_root).merge credentials: api_creds
-      parsed, _ = request(:post, "#{url}/verify_email", params)
+    # params - {email:, first_name:, last_name:, password:, password_confirmation:, username:}
+    def update_profile(params)
+      params = parse_request_params(params, json_root: json_root).reverse_merge credentials: api_creds
+      parsed, _ = request(:put, "#{resource_path}/profile", params)
       load(parsed)
       errors.empty? ? self : false
     end
+    # returns: Session || Token
+    #   (Session.user !== self)
+    def authenticate(params)
+      self.class.authenticate id, params.reverse_merge(credentials: api_creds)
+    rescue RecordInvalid => ex
+      errors.merge! ex.errors
+      false
+    end
+    # returns: Token
+    def generate_password_token(params={})
+      self.class.generate_password_token id, params.reverse_merge(credentials: api_creds)
+    rescue RecordInvalid => ex
+      errors.merge! ex.errors
+      false
+    end
+    # returns: Token
+    def request_email_verification(params={})
+      self.class.request_email_verification id, params.reverse_merge(credentials: api_creds)
+    rescue RecordInvalid => ex
+      errors.merge! ex.errors
+      false
+    end
   end
 end