blunt 0.0.2 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2c71c52c585bf1704dac5c8b46ded0b13ed651fd
-  data.tar.gz: 9ed0c21e46a12cfe925171a88867dfa1a4993c80
+  metadata.gz: 7dda9fac934e626ea58083ba4ed77bcf97d1f04e
+  data.tar.gz: b80600b6a7b1d798360788c7e3a2e1739e00ce04
 SHA512:
-  metadata.gz: 28683f5d8f9152a5ebf60ae3314266999661ec4ddc55427e93fd5b900eb0e73a4d285092c3090fd4631a7315616f8ea7343ae42864b35c5f6fab3e5b0ea57607
-  data.tar.gz: 62b66de1365600d72e32b029260c206237e12b75dc7cd04753a94b3d66f8151d1aff05ae10bc74e98f09fb985188a8739dd0bfba1376cd68cc8522e73d51ed1d
+  metadata.gz: 3580a3b4252ee6aa22e68de538eccc9807c4d9cbc61e426ff4733102f320dd5db3c3acdd53945b991101af318043c70c9f1708e2b5203eba0bbb89c5dd66554c
+  data.tar.gz: a20e5f4b2ef1644b877c0effa9ad81dd0737099e8fa074615d33a669b72d8a2bebd6937137370b77d47a4b71cb824050e1e52b513cdb695f59c09c81034102c7

data/Gemfile

@@ -1,2 +1,14 @@
 source "https://rubygems.org"
 gemspec
+
+group :development do
+  gem 'pry'
+  gem 'guard'
+  gem 'guard-minitest'
+  gem 'rake-notes'
+end
+
+group :test do
+  gem 'minitest', '~> 5.0'
+  gem 'minitest-reporters'
+end

data/README.md

@@ -1,6 +1,8 @@
 # Blunt
 
-**Blunt** provides framework-agnostic authentication using [JSON Web Tokens](https://jwt.io). It wraps [ruby-jwt](https://github.com/jwt/ruby-jwt) with an easy-to-use interface and some common conventions. Great for APIs.
+[![Gem Version](https://badge.fury.io/rb/blunt.svg)](https://badge.fury.io/rb/blunt)
+
+**Blunt** is a token-based authentication library for Hanami. Its goal is to easily implement a single authentication scheme across multiple interfaces, i.e. both web/multi-page and mobile/SPA/API/async.
 
 ## Installation
 
@@ -19,44 +21,135 @@ Or:
 gem install blunt
 ```
 
-## Usage
+## Setup
+
+### Environment
+
+- `ENV['BLUNT_SECRET']` (String)
+
+### Models
+
+- `User` entity (+ `UserRepository`)
+    + `email`
+    + `password_digest`
+- `RefreshToken` entity (+ `RefreshTokenRepository`)
+    + `user_id`
+    + `valid` (Boolean)
+    + timestamps
+
+### Token Handling
+
+Blunt offers several strategies for token storage. Just include the appropriate module, and Blunt will handle tokens on the back-end - they never need to touch your code!
+
+```ruby
+Hanami::Controller.configure do
+  prepare do
+    include Blunt::Controller::__STRATEGY__
+  end
+end
+```
+
+#### Cookies
+
+`Blunt::Controller::Web`
+
+The ultimate hands-off approach. No setup is required on the front-end. Ideal for multi-page apps.
+
+TODO: incorporate asynchronous JSON responses
+
+#### HTTP Headers
+
+`Blunt::Controller::API`
+
+TODO: develop this
+
+Pass the token from the client in a request header: `'HTTP_AUTHORIZATION' => 'Bearer <TOKEN>'`.
 
-Add a secret key at `ENV['BLUNT_SECRET']`. You can generate one with `Blunt.new_secret`.
+#### Custom Strategy
+
+Define a few methods to govern the access token lifecycle as it gets passed to and from the client. Blunt will use these 3 methods to handle the token. The example below shows a simple implementation for synchronous requests using cookies, but a custom strategy will likely be more complex.
+
+```ruby
+module MyCustomStrategy
+  include Blunt::Controller
+
+  private
+  def set_access_token(token)
+    # Login or renew
+    cookies[:access_token] = token
+  end
+
+  def get_access_token
+    # Authenticate
+    cookies[:access_token]
+  end
+
+  def unset_access_token
+    # Logout
+    cookies[:access_token] = nil
+  end
+end
+```
+
+## Usage
 
 ### Signup
 
 ```ruby
-# inside your signup interactor
-if digest = Blunt.signup(password, password_confirmation)
-  # create user
+# your signup interactor
+class MySignupClass < Thalamus::Interactor
+  validations do
+    # password length, complexity, etc
+    # ...
+  end
+  def call
+    @user = Blunt.signup(params)
+  end
+  expose :user
+end
+# inside your signup controller
+if user = MySignupClass.call(params).user
+  login!(user)
+  # ...
 else
-  # trigger an error
+  # ...
 end
 ```
 
-Pretty straightforward: returns an encrypted password if the unencrypted inputs match, otherwise nil. You may want to validate the password first, e.g. minimum length.
+`Blunt.signup` compares a `:password` and `:password_confirmation` field. If they match, it creates a new `User` and saves it to the database with a `:password_digest`. If they don't match, it returns nil.
+
+If you don't use the interactor pattern, You can also use the shortcut `#signup!` directly from your controller. However, you may wish to validate user data and password complexity yourself.
+
+```ruby
+# inside your signup controller
+if signup!(params)
+  # Blunt calls #login! under the hood
+  # ...
+else
+  # ...
+end
+```
 
 ### Login
 
 ```ruby
 # inside your login controller
-token = Blunt.login(expected, attempted, claims)
+token = login!(params)
+# ...
 ```
 
-- `expected` is the user's encrypted password as stored in the database.
-- `attempted` is the unencrypted password attempt as sent by the client.
-- `claims` is a hash of JWT claims. It _must_ contain a `:sub` key whose value is any unique way to identify the user. You can also send optional JWT claims with the payload, such as `:exp`. Refer to the [ruby-jwt docs](https://github.com/jwt/ruby-jwt) for more information.
-
-If the passwords match and a `:sub` claim is present, a token will be generated for the claims. If the login attempt fails, the token will be nil. Have your controller return the token to the client and store it somewhere (cookies, local storage, etc).
+`#login!` finds a user with `:email` and checks that `:password` is correct. Returns an access token if successful, otherwise nil.
 
 ### Request Authentication
 
-Pass the token from the client in a request header: `'HTTP_AUTHORIZATION' => 'Bearer <TOKEN>`.
-
-`include Blunt::Controller` in your controller class. `current_user` will memoize whatever is in `:sub` in the token's payload, or nil if there are any errors.
-
-If the hash of request headers is not at `request.env`, you will need to override `#_blunt_request_env` to return it. (This works out of the box for Rails and Hanami.)
+All strategies provide `#current_user` (`User` entity or nil) and `#authenticated?` (Boolean) instance methods to the controller. The token will not be checked until one of these methods is called.
 
 ### Logout
 
-To logout, simply have the controller respond to the client with instructions to unset the token, wherever it is stored.
+```ruby
+# inside your logout controller
+logout!
+# ...
+```
+
+That's it!

data/TODO.md

@@ -1,7 +1,7 @@
 # TODO
 
-- Error handling
-- Defaults for important reserved claims (exp, iss, iat)
+- Configurable (access & refresh expiry times, etc)
 - Devise-esque modules (rememberable, confirmable, reset password, etc)
-- Multiple credentials (Omniauth)
-- Adapters for common implementation patterns
+- Separate credentials from user business concerns, multiple credentials (Omniauth)
+- Increased security features (user agent checking, etc)
+- Hard hanami-model dependency, or adapt gem to different stacks?

data/blunt.gemspec

@@ -1,11 +1,11 @@
 # coding: utf-8
 lib = File.expand_path("../lib", __FILE__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+$:.unshift(lib) unless $:.include?(lib)
 require "blunt/version"
 
 Gem::Specification.new do |spec|
   spec.name          = "blunt"
-  spec.version       = Blunt::VERSION
+  spec.version       = Blunt.version
   spec.authors       = ["Josh Greenberg"]
   spec.email         = ["joshgreenberg91@gmail.com"]
   spec.homepage      = "https://github.com/joshgreenberg/blunt"
@@ -22,14 +22,9 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_development_dependency "bundler", "~> 1.15"
-  spec.add_development_dependency "rake", "~> 10.0"
-  spec.add_development_dependency "minitest", "~> 5.0"
-  spec.add_development_dependency "minitest-reporters"
-  spec.add_development_dependency "pry"
-  spec.add_development_dependency "guard"
-  spec.add_development_dependency "guard-minitest"
-  spec.add_development_dependency "rake-notes"
+  spec.add_development_dependency "rake", "~> 12.0"
 
-  spec.add_runtime_dependency "jwt"
-  spec.add_runtime_dependency "bcrypt", ">= 3.1.11"
+  spec.add_dependency "jwt", "~> 2.0"
+  spec.add_dependency "bcrypt", "3.1.11"
+  spec.add_dependency "hanami-model", "~> 1.0"
 end

data/lib/blunt.rb

@@ -1,23 +1,10 @@
-require "blunt/version"
-require "blunt/token"
-require "blunt/controller"
-
 module Blunt
-  extend self
-
-  def new_secret(n = 64)
+  def self.new_secret(n = 64)
     require 'securerandom'
     SecureRandom.urlsafe_base64(n)
   end
-
-  def signup(a, b)
-    require 'bcrypt'
-    BCrypt::Password.create(a) if a == b
-  end
-
-  def login(expected, attempted, claims = {})
-    return unless claims[:sub]
-    require 'bcrypt'
-    Token.issue(claims) if BCrypt::Password.new(expected) == attempted
-  end
 end
+
+require 'blunt/signup'
+require 'blunt/login'
+require 'blunt/controller'

data/lib/blunt/controller.rb

@@ -4,21 +4,59 @@ module Blunt
   module Controller
     private
 
-    def current_user
-      @current_user ||= Blunt::Token.decode(token)[:sub]
+    def signup!(params = {})
+      if user = Blunt.signup(params)
+        login!(user)
+      end
     end
 
-    def logged_in?
-      !!current_user
+    def login!(params = {})
+      if token = Blunt.login(params)
+        set_access_token(token.to_s)
+      else
+        unset_access_token
+      end
+    end
+
+    def logout!
+      access_token && access_token.invalidate!
+      @current_user = nil
+      unset_access_token
+    end
+
+    def authenticate!
+      redirect_to '/login' unless authenticated?
     end
 
-    def token
-      _blunt_request_env.fetch("HTTP_AUTHORIZATION", "").scan(/Bearer (.*)$/).flatten.last
+    def authenticated?
+      !!current_user
     end
 
-    def _blunt_request_env
-      request.env
+    def current_user
+      @current_user ||= begin
+        user = begin
+          if access_token && access_token.valid?
+            UserRepository.new.find(access_token.sub)
+          end
+        rescue
+          nil
+        end
+        set_access_token(access_token.to_s)
+        user
+      end
     end
 
-  end
+    def access_token
+      @access_token ||= begin
+        encoded_jwt = get_access_token
+        if encoded_jwt.nil? || encoded_jwt.empty?
+          nil
+        else
+          Token.new(encoded_jwt)
+        end
+      end
+    end
+  end # module Controller
 end
+
+require 'blunt/controller/web'

data/lib/blunt/controller/web.rb

@@ -0,0 +1,24 @@
+module Blunt
+  module Controller
+    module Web
+      include Controller
+
+      private
+
+      def set_access_token(token)
+        # Login or renew
+        cookies[:access_token] = token
+      end
+
+      def get_access_token
+        # Authenticate
+        cookies[:access_token]
+      end
+
+      def unset_access_token
+        # Logout
+        cookies[:access_token] = nil
+      end
+    end
+  end
+end

data/lib/blunt/login.rb

@@ -0,0 +1,17 @@
+require 'bcrypt'
+
+module Blunt
+  def self.login(params = {})
+    user = case params
+    when Hash
+      UserRepository.new.find_by_email(params[:email])
+    else
+      params
+    end
+    if user && BCrypt::Password.new(user.password_digest) == params[:password]
+      Token.create(user.id)
+    else
+      nil
+    end
+  end
+end

data/lib/blunt/signup.rb

@@ -0,0 +1,16 @@
+require 'bcrypt'
+
+module Blunt
+  def self.signup(params = {})
+    password, password_confirmation = params[:password], params[:password_confirmation]
+    if password && password == password_confirmation
+      digest = BCrypt::Password.create(password)
+      params.delete(:password)
+      params.delete(:password_confirmation)
+      params[:password_digest] = digest
+      UserRepository.new.create(params)
+    else
+      nil
+    end
+  end
+end

data/lib/blunt/token.rb

@@ -1,25 +1,137 @@
-require "json"
-require "jwt"
+require 'jwt'
+require 'openssl'
+require 'base64'
 
 module Blunt
-  module Token
-    extend self
+  class Token
+    ALGORITHM = 'HS256'.freeze
+    EXPIRY_TIME = 3600.freeze
 
-    ALGORITHM = 'HS256'
+    def initialize(token)
+      if token.is_a? String
+        @payload = begin
+          decode(token)
+        rescue
+          nil
+        end
+      else
+        @payload = {
+          sub: token.user_id,
+          jti: encrypt(token.id),
+          exp: token.created_at.to_i + EXPIRY_TIME
+        }
+      end
+    end
 
-    def issue(claims)
-      JWT.encode(claims, secret, ALGORITHM)
+    def self.create(sub)
+      new(repo.create(user_id: sub))
     end
 
-    def decode(token)
-      JWT.decode(token, secret, true, {algorithm: ALGORITHM}).first.map{|k,v|[k.to_sym,v]}.to_h
+    def inspect
+      "\#<Blunt::Token #{to_s}>"
+    end
+
+    def to_s
+      to_h ? encode : nil
+    end
+
+    def to_h
+      @payload
+    end
+
+    def sub
+      @payload[:sub]
+    end
+
+    def valid?
+      if @payload.nil?
+        # Invalid token format
+        false
+      elsif @payload[:exp].to_i <= Time.now.to_i
+        # Access token expired
+        record = repo.find(jti)
+        if record && record.valid?
+          # Refresh token valid
+          @payload[:exp] = Time.now.to_i + EXPIRY_TIME
+          repo.update(record, {}) if record.respond_to?(:updated_at)
+          @encoded = nil
+          encode
+        else
+          # Refresh token expired
+          false
+        end
+      else
+        # Access token valid
+        true
+      end
+    end
+
+    def invalidate!
+      # Destroy refresh token
+      repo.delete(jti)
+    rescue
+      nil
+    ensure
+      @payload = nil
     end
 
     private
 
+    def repo
+      self.class.repo
+    end
+
+    def self.repo
+      @repo ||= RefreshTokenRepository.new
+    end
+
+    def jti
+      decrypt(@payload[:jti])
+    end
+
     def secret
-      ENV["BLUNT_SECRET"]
+      @secret ||= ENV['BLUNT_SECRET']
+    end
+
+    def encode
+      @encoded ||= JWT::Encode.new(@payload, secret, ALGORITHM, {}).segments
     end
 
-  end
+    def decode(token)
+      raise JWT::DecodeError, 'Nil JSON web token' unless token
+      decoder = JWT::Decode.new(token, true)
+      header, payload, signature, signing_input = decoder.decode_segments
+
+      # Verify signature
+      JWT.decode_verify_signature(secret, header, payload, signature, signing_input, algorithm: ALGORITHM)
+
+      # Verify JWT format
+      raise JWT::DecodeError, 'Incorrect number of segments' unless header && payload
+      payload = payload.map{ |k,v| [k.to_sym, v] }.to_h
+
+      # Verify Blunt format
+      raise JWT::DecodeError, 'JWT claims do not meet Blunt specifications' unless payload.key?(:sub) && payload.key?(:exp) && payload.key?(:jti)
+
+      payload
+    end
+
+    # Two-way encryption methods for JTI
+    def encrypt(string)
+      cipher = OpenSSL::Cipher::AES256.new(:CBC)
+      cipher.encrypt
+      cipher.key = Digest::SHA256.digest(secret)
+      cipher.iv = iv = cipher.random_iv
+      encrypted = iv + cipher.update(string.to_s) + cipher.final
+      Base64.encode64(encrypted).gsub(/\s/, '')
+    end
+
+    def decrypt(encrypted)
+      string = Base64.decode64(encrypted)
+      cipher = OpenSSL::Cipher::AES256.new(:CBC)
+      cipher.decrypt
+      cipher.key = Digest::SHA256.digest(secret)
+      cipher.iv = string.slice!(0, 16)
+      cipher.update(string) + cipher.final
+    end
+  end # class Token
 end

data/lib/blunt/version.rb

@@ -1,3 +1,14 @@
 module Blunt
-  VERSION = "0.0.2"
+  def self.version
+    Gem::Version.new VERSION::STRING
+  end
+
+  module VERSION
+    MAJOR = 0
+    MINOR = 1
+    TINY  = 0
+    PRE   = nil
+
+    STRING = [MAJOR, MINOR, TINY, PRE].compact.join('.')
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: blunt
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.1.0
 platform: ruby
 authors:
 - Josh Greenberg
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-07-04 00:00:00.000000000 Z
+date: 2017-09-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -30,126 +30,56 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.0'
 - !ruby/object:Gem::Dependency
-  name: minitest
+  name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
-  type: :development
+        version: '2.0'
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: minitest-reporters
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: pry
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: guard
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: guard-minitest
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: rake-notes
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-- !ruby/object:Gem::Dependency
-  name: jwt
+  name: bcrypt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 3.1.11
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 3.1.11
 - !ruby/object:Gem::Dependency
-  name: bcrypt
+  name: hanami-model
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.1.11
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.1.11
+        version: '1.0'
 description: Token authentication
 email:
 - joshgreenberg91@gmail.com
@@ -166,10 +96,12 @@ files:
 - Rakefile
 - TODO.md
 - bin/console
-- bin/setup
 - blunt.gemspec
 - lib/blunt.rb
 - lib/blunt/controller.rb
+- lib/blunt/controller/web.rb
+- lib/blunt/login.rb
+- lib/blunt/signup.rb
 - lib/blunt/token.rb
 - lib/blunt/version.rb
 homepage: https://github.com/joshgreenberg/blunt

data/bin/setup

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-IFS=$'\n\t'
-set -vx
-
-bundle install
-
-# Do any other automated setup that you need to do here