capcoauth 0.4.0 → 0.5.0

data/lib/capcoauth/rails/helpers.rb

@@ -3,66 +3,55 @@ module Capcoauth
     module Helpers
       extend ActiveSupport::Concern
 
-      def verify_authorized!
+      def current_user
+
+        # Don't return user for options requests
         return if request.method_symbol == :options
-        capcoauth_token.verify
 
-        # Browser client
-        if handle_sessions?
-          session.delete(:previous_url)
-        end
+        # Bypass if already set/verified
+        return @current_user if @_current_user_performed
+        @_current_user_performed = true
 
-        @capcoauth_user_id ||= capcoauth_token.user_id
-      rescue OAuth::TokenVerifier::UnauthorizedError
-        if handle_sessions?
-          session[:previous_url] = request.url
-          session.delete(:capcoauth_access_token)
-          session.delete(:capcoauth_user_id)
-        end
-        handle_unauthorized unless performed?
-      rescue OAuth::TokenVerifier::OtherError
-        if handle_sessions?
-          session.delete(:capcoauth_access_token)
-          session.delete(:capcoauth_user_id)
-        end
-        handle_internal_server_error unless performed?
-      end
+        # Get the token object
+        token, error = verify_token.first
 
-      def current_user
-        verify_authorized!
+        # Skip lookup if application credentials or token invalid
+        return nil if token.blank? or error.present?
 
         # Resolve user ID using configuration resolver unless already found
-        unless @current_user
-          begin
-            @current_user = Capcoauth.configuration.user_resolver.call(@capcoauth_user_id)
-          rescue ActiveRecord::RecordNotFound => e
-            Capcoauth.configuration.logger.warn "[CapcOAuth] Error looking up user - #{e.message}"
-          end
+        begin
+          @current_user = Capcoauth.configuration.user_resolver.call(token.user_id) if token.user_id.present?
+        rescue ActiveRecord::RecordNotFound => e
+          Capcoauth.configuration.logger.info "[CapcOAuth] Error looking up user: #{e.message}"
         end
 
         @current_user
       end
 
-      def capcoauth_token
-        @_capcoauth_token ||= OAuth::AccessToken.new(token_from_request)
-      end
+      def verify_authorized!
 
-      protected
+        # Don't verify options requests
+        return if request.method_symbol == :options
 
-        def handle_unauthorized
-          if handle_sessions?
-            redirect_to :auth_login
-          else
-            render plain: 'Unauthorized', status: :unauthorized
-          end
-        end
+        # Run verification
+        token, error, reason = verify_token
+
+        # Re-raise exceptions with human-readable reason
+        raise Capcoauth::AuthorizationError, reason if error == :unauthorized_error
 
-        def handle_internal_server_error
-          render plain: 'Internal server error', status: :internal_server_error
+        # Raise an error if token has an ID but the user wasn't found
+        if Capcoauth.configuration.require_user and token.user_id.present? and current_user.blank?
+          Capcoauth.configuration.logger.info "[CapcOAuth] Error looking up user: Token returned ID ##{token.user_id} but resolver didn't return user"
+          raise Capcoauth::AuthorizationError, 'Your credentials were valid, but you aren\'t currently active in this system'
         end
+      end
 
       private
 
+        def capcoauth_token_unverified
+          @_capcoauth_token_unverified ||= OAuth::AccessToken.new(token_from_request)
+        end
+
         def token_from_request
           token_from_param || token_from_session || token_from_headers
         end
@@ -80,8 +69,20 @@ module Capcoauth
           (header_parts.length == 2 and header_parts[0].downcase == 'bearer') ? header_parts[1] : header_parts[0]
         end
 
-        def handle_sessions?
-          request.format.html? and Capcoauth.configuration.using_routes
+        def verify_token
+          @_verify_token_response ||= begin
+            [capcoauth_token_unverified.verify, nil, nil]
+          rescue OAuth::TokenVerifier::UnauthorizedError => e
+            session.delete(:capcoauth_access_token)
+            session.delete(:capcoauth_user_id)
+            Capcoauth.configuration.logger.info "[CapcOAuth] Verification unauthorized: #{e.message}"
+            [nil, :unauthorized_error, e.message]
+          rescue OAuth::TokenVerifier::OtherError => e
+            session.delete(:capcoauth_access_token)
+            session.delete(:capcoauth_user_id)
+            Capcoauth.configuration.logger.info "[CapcOAuth] Verification error: #{e.message}"
+            [nil, :other_error, e.message]
+          end
         end
     end
   end

data/lib/capcoauth/version.rb

@@ -1,3 +1,13 @@
 module Capcoauth
-  VERSION = '0.4.0'
+  def self.gem_version
+    Gem::Version.new VERSION::STRING
+  end
+
+  module VERSION
+    MAJOR = 0
+    MINOR = 5
+    PATCH  = 0
+
+    STRING = [MAJOR, MINOR, PATCH].compact.join(".")
+  end
 end

data/lib/capcoauth.rb

@@ -1,5 +1,6 @@
 require 'capcoauth/version'
 require 'capcoauth/engine'
+require 'capcoauth/errors'
 require 'capcoauth/config'
 require 'capcoauth/notifications'
 
@@ -7,17 +8,8 @@ require 'capcoauth/oauth/access_token'
 require 'capcoauth/oauth/token_verifier'
 require 'capcoauth/oauth/ttl_cache'
 
-require 'capcoauth/helpers/controller'
-
 require 'capcoauth/rails/routes'
 require 'capcoauth/rails/helpers'
 
 module Capcoauth
-  def self.configured?
-    @config.present?
-  end
-
-  def self.installed?
-    configured?
-  end
 end

data/lib/generators/capcoauth/templates/initializer.rb

@@ -4,30 +4,41 @@ Capcoauth.configure do |config|
   raise 'CapcOAuth Client secret not found' if ENV['CAPCOAUTH_CLIENT_SECRET'].nil?
 
   # CapcOAuth Client ID
-  config.client_id ENV['CAPCOAUTH_CLIENT_ID']
+  # config.client_id = ENV['CAPCOAUTH_CLIENT_ID']
 
   # CapcOAuth Client Secret
-  config.client_secret ENV['CAPCOAUTH_CLIENT_SECRET']
+  # config.client_secret = ENV['CAPCOAUTH_CLIENT_SECRET']
 
   # Configures how often to check CapcOAuth for access token validity, in seconds.  If this value is too high,
-  # application will continue to serve requests to users even after the token is revoked
-  # config.token_verify_ttl 10
+  # application will continue to serve requests to users after the token is revoked
+  # config.token_verify_ttl = 10
 
   # Configure a cache store to use to cache access token resolutions.
-  # config.cache_store ActiveSupport::Cache::MemoryStore.new
+  # config.cache_store = ActiveSupport::Cache::MemoryStore.new
 
-  # Configure CapcOAuth service URL
-  # config.capcoauth_url ENV['CAPCOAUTH_URL']
+  # CapcOAuth service URL
+  # config.capcoauth_url = ENV['CAPCOAUTH_URL']
 
   # Configure the logger to use for OAuth events
-  config.logger Rails.logger
+  config.logger = Rails.logger
 
   # Configure which ID to identify the user by.  Valid options are :capcoauth, :capco (4-letter), :psoft, :e_number, and :cit
-  # config.user_id_field :capcoauth
+  # config.user_id_field = :capcoauth
 
   # Block to resolve your user from the provided CapcOAuth ID.  If you're using different primary keys than any of the
   # existing services, you might consider looking up by an external ID, e.g. `User.find_by_psoft_id! capcoauth_user_id`
-  config.user_resolver do |capcoauth_user_id|
-    User.find capcoauth_user_id
-  end
+  config.user_resolver = -> capcoauth_user_id {
+    User.find_by! id: capcoauth_user_id # optionally, include `, inactive: false`, `, admin: true`, etc.
+  }
+
+  # When an access token has a user_id, but the user is not found via the above resolver, should an
+  # Capcoauth::AuthorizationException be raised?  Helpful when you're syncing the user database separately and the user
+  # doesn't exist locally.  Application credentials (token without a user_id) will still be allowed regardless.
+  # config.require_user = true
+
+  # Use CapcOAuth URL from config
+  # config.capcoauth_url = ENV['CAPCOAUTH_URL']
+
+  # Don't redirect to last URL on login since we don't want to see API responses
+  # config.perform_login_redirects = true
 end

data/spec/dummy/Rakefile

@@ -0,0 +1,7 @@
+#!/usr/bin/env rake
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Dummy::Application.load_tasks

data/spec/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,3 @@
+class ApplicationController < ActionController::Base
+  protect_from_forgery
+end

data/spec/dummy/app/controllers/full_protected_resources_controller.rb

@@ -0,0 +1,12 @@
+class FullProtectedResourcesController < ApplicationController
+  before_action :verify_authorized!, only: :show
+  before_action :verify_authorized!, only: :index
+
+  def index
+    render plain: 'index'
+  end
+
+  def show
+    render plain: 'show'
+  end
+end

data/spec/dummy/app/controllers/home_controller.rb

@@ -0,0 +1,17 @@
+class HomeController < ApplicationController
+  def index
+  end
+
+  def sign_in
+    session[:user_id] = if Rails.env.development?
+                          User.first || User.create!(name: 'Joe')
+                        else
+                          User.first
+                        end
+    redirect_to '/'
+  end
+
+  def callback
+    render plain: 'ok'
+  end
+end

data/spec/dummy/app/controllers/metal_controller.rb

@@ -0,0 +1,11 @@
+class MetalController < ActionController::Metal
+  include AbstractController::Callbacks
+  include ActionController::Head
+  include Capcoauth::Rails::Helpers
+
+  before_action :verify_authorized!
+
+  def index
+    self.response_body = { ok: true }.to_json
+  end
+end

data/spec/dummy/app/controllers/semi_protected_resources_controller.rb

@@ -0,0 +1,11 @@
+class SemiProtectedResourcesController < ApplicationController
+  before_action :verify_authorized!, only: :index
+
+  def index
+    render plain: 'protected index'
+  end
+
+  def show
+    render plain: 'non protected show'
+  end
+end

data/spec/dummy/app/models/user.rb

@@ -0,0 +1,3 @@
+class User < ActiveRecord::Base
+  validates_presence_of :name
+end

data/spec/dummy/app/views/layouts/application.html.erb

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Dummy</title>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= link_to "Sign in", '/auth/login' %>
+
+<%= yield %>
+
+</body>
+</html>

data/spec/dummy/config/application.rb

@@ -0,0 +1,16 @@
+require File.expand_path('../boot', __FILE__)
+
+require 'rails/all'
+
+Bundler.require(*Rails.groups)
+
+require 'yaml'
+require 'active_record/railtie'
+
+module Dummy
+  class Application < Rails::Application
+    # Settings in config/environments/* take precedence over those specified here.
+    # Application configuration should go into files in config/initializers
+    # -- all .rb files in that directory are automatically loaded.
+  end
+end

data/spec/dummy/config/boot.rb

@@ -0,0 +1,6 @@
+require 'rubygems'
+require 'bundler/setup'
+
+orm = ENV['BUNDLE_GEMFILE'].match(/Gemfile\.(.+)\.rb/)
+
+$LOAD_PATH.unshift File.expand_path('../../../../lib', __FILE__)

data/spec/dummy/config/database.yml

@@ -0,0 +1,15 @@
+development:
+  adapter: sqlite3
+  database: db/development.sqlite3
+  pool: 5
+  timeout: 5000
+
+test:
+  adapter: sqlite3
+  database: ":memory:"
+  timeout: 500
+
+production:
+  adapter: sqlite3
+  database: ":memory:"
+  timeout: 500

data/spec/dummy/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the rails application
+require File.expand_path('../application', __FILE__)
+
+# Initialize the rails application
+Rails.application.initialize!

data/spec/dummy/config/environments/development.rb

@@ -0,0 +1,29 @@
+Dummy::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb
+
+  # In the development environment your application's code is reloaded on
+  # every request.  This slows down response time but is perfect for development
+  # since you don't have to restart the web server when you make code changes.
+  config.cache_classes = false
+
+  # Show full error reports and disable caching
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Don't care if the mailer can't send
+  # config.action_mailer.raise_delivery_errors = false
+
+  # Print deprecation notices to the Rails logger
+  config.active_support.deprecation = :log
+
+  # Only use best-standards-support built into browsers
+  config.action_dispatch.best_standards_support = :builtin
+
+  # Do not compress assets
+  config.assets.compress = false
+
+  # Expands the lines which load the assets
+  config.assets.debug = true
+
+  config.eager_load = false
+end

data/spec/dummy/config/environments/production.rb

@@ -0,0 +1,62 @@
+Dummy::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb
+
+  # Code is not reloaded between requests
+  config.cache_classes = true
+
+  # Full error reports are disabled and caching is turned on
+  config.consider_all_requests_local       = false
+  config.action_controller.perform_caching = true
+
+  # Disable Rails's static asset server (Apache or nginx will already do this)
+  config.serve_static_assets = false
+
+  # Compress JavaScripts and CSS
+  config.assets.compress = true
+
+  # Don't fallback to assets pipeline if a precompiled asset is missed
+  config.assets.compile = false
+
+  # Generate digests for assets URLs
+  config.assets.digest = true
+
+  # Defaults to Rails.root.join("public/assets")
+  # config.assets.manifest = YOUR_PATH
+
+  # Specifies the header that your server uses for sending files
+  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
+  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
+
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  # config.force_ssl = true
+
+  # See everything in the log (default is :info)
+  # config.log_level = :debug
+
+  # Use a different logger for distributed setups
+  # config.logger = SyslogLogger.new
+
+  # Use a different cache store in production
+  # config.cache_store = :mem_cache_store
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server
+  # config.action_controller.asset_host = "http://assets.example.com"
+
+  # Precompile additional assets (application.js, application.css, and all non-JS/CSS are already added)
+  # config.assets.precompile += %w( search.js )
+
+  # Disable delivery errors, bad email addresses will be ignored
+  # config.action_mailer.raise_delivery_errors = false
+
+  # Enable threaded mode
+  # config.threadsafe!
+
+  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
+  # the I18n.default_locale when a translation can not be found)
+  config.i18n.fallbacks = true
+
+  # Send deprecation notices to registered listeners
+  config.active_support.deprecation = :notify
+
+  config.eager_load = true
+end

data/spec/dummy/config/environments/test.rb

@@ -0,0 +1,42 @@
+Dummy::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb
+
+  # The test environment is used exclusively to run your application's
+  # test suite.  You never need to work with it otherwise.  Remember that
+  # your test database is "scratch space" for the test suite and is wiped
+  # and recreated between test runs.  Don't rely on the data there!
+  config.cache_classes = true
+
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = false
+
+  # Show full error reports and disable caching
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Raise exceptions instead of rendering exception templates
+  config.action_dispatch.show_exceptions = false
+
+  # Disable request forgery protection in test environment
+  config.action_controller.allow_forgery_protection    = false
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  # config.action_mailer.delivery_method = :test
+
+  # Use SQL instead of Active Record's schema dumper when creating the test database.
+  # This is necessary if your schema can't be completely dumped by the schema dumper,
+  # like if you have constraints or database-specific column types
+  # config.active_record.schema_format = :sql
+
+  # Print deprecation notices to the stderr
+  config.active_support.deprecation = :stderr
+
+  config.eager_load = true
+
+  config.active_record.table_name_prefix = TABLE_NAME_PREFIX.to_s
+  config.active_record.table_name_suffix = TABLE_NAME_SUFFIX.to_s
+end

data/spec/dummy/config/initializers/active_record_belongs_to_required_by_default.rb

@@ -0,0 +1,6 @@
+# Require `belongs_to` associations by default. This is a new Rails 5.0
+# default, so it is introduced as a configuration option to ensure that apps
+# made on earlier versions of Rails are not affected when upgrading.
+if Rails.version.to_i >= 5
+  Rails.application.config.active_record.belongs_to_required_by_default = true
+end

data/spec/dummy/config/initializers/backtrace_silencers.rb

@@ -0,0 +1,7 @@
+# Be sure to restart your server when you modify this file.
+
+# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
+# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
+
+# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
+# Rails.backtrace_cleaner.remove_silencers!

data/spec/dummy/config/initializers/capcoauth.rb

@@ -0,0 +1,41 @@
+Capcoauth.configure do |config|
+
+  # CapcOAuth Client ID
+  config.client_id = 'client_id_123'
+
+  # CapcOAuth Client Secret
+  config.client_secret = 'client_secret_456'
+
+  # Configures how often to check CapcOAuth for access token validity, in seconds.  If this value is too high,
+  # application will continue to serve requests to users after the token is revoked
+  # config.token_verify_ttl = 10
+
+  # Configure a cache store to use to cache access token resolutions.
+  # config.cache_store = ActiveSupport::Cache::MemoryStore.new
+
+  # CapcOAuth service URL
+  # config.capcoauth_url = ENV['CAPCOAUTH_URL']
+
+  # Configure the logger to use for OAuth events
+  config.logger = Rails.logger
+
+  # Configure which ID to identify the user by.  Valid options are :capcoauth, :capco (4-letter), :psoft, :e_number, and :cit
+  # config.user_id_field = :capcoauth
+
+  # Block to resolve your user from the provided CapcOAuth ID.  If you're using different primary keys than any of the
+  # existing services, you might consider looking up by an external ID, e.g. `User.find_by_psoft_id! capcoauth_user_id`
+  config.user_resolver = -> capcoauth_user_id {
+    User.find_by! id: capcoauth_user_id # optionally, include `, inactive: false`, `, admin: true`, etc.
+  }
+
+  # When an access token has a user_id, but the user is not found via the above resolver, should an
+  # Capcoauth::AuthorizationException be raised?  Helpful when you're syncing the user database separately and the user
+  # doesn't exist locally.  Application credentials (token without a user_id) will still be allowed regardless.
+  # config.require_user = true
+
+  # Use CapcOAuth URL from config
+  # config.capcoauth_url = ENV['CAPCOAUTH_URL']
+
+  # Don't redirect to last URL on login since we don't want to see API responses
+  # config.perform_login_redirects = true
+end

data/spec/dummy/config/initializers/secret_token.rb

@@ -0,0 +1,9 @@
+# Be sure to restart your server when you modify this file.
+
+# Your secret key for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+Dummy::Application.config.secret_key_base =
+  Dummy::Application.config.secret_token =
+  'c00157b5a1bb6181792f0f4a8a080485de7bab9987e6cf159dc74c4f0573345c1bfa713b5d756e1491fc0b098567e8a619e2f8d268eda86a20a720d05d633780'

data/spec/dummy/config/initializers/session_store.rb

@@ -0,0 +1,8 @@
+# Be sure to restart your server when you modify this file.
+
+Dummy::Application.config.session_store :cookie_store, key: '_dummy_session'
+
+# Use the database for sessions instead of the cookie-based default,
+# which shouldn't be used to store highly confidential information
+# (create the session table with "rails generate session_migration")
+# Dummy::Application.config.session_store :active_record_store

data/spec/dummy/config/initializers/wrap_parameters.rb

@@ -0,0 +1,14 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+  wrap_parameters format: [:json]
+end
+
+# Disable root element in JSON by default.
+ActiveSupport.on_load(:active_record) do
+  self.include_root_in_json = false
+end

data/spec/dummy/config/routes.rb

@@ -0,0 +1,50 @@
+Rails.application.routes.draw do
+  use_capcoauth
+  use_capcoauth scope: 'scope'
+
+  scope 'inner_space' do
+    use_capcoauth scope: 'scope' do
+      controllers login: 'custom_login',
+                  logout: 'custom_logout',
+                  callback: 'custom_callback'
+
+      as login: 'custom_in',
+         logout: 'custom_out',
+         callback: 'custom_cb'
+    end
+  end
+
+  scope 'space' do
+    use_capcoauth do
+      controllers login: 'custom_login',
+                  logout: 'custom_logout',
+                  callback: 'custom_callback'
+
+      as login: 'custom_in',
+         logout: 'custom_out',
+         callback: 'custom_cb'
+    end
+  end
+
+  scope 'outer_space' do
+    use_capcoauth do
+      controllers login: 'custom_login',
+                  logout: 'custom_logout',
+                  callback: 'custom_callback'
+
+      as login: 'custom_in',
+         logout: 'custom_out',
+         callback: 'custom_cb'
+
+      skip_controllers :login, :logout, :callback
+    end
+  end
+
+  get 'metal.json' => 'metal#index'
+
+  get '/callback', to: 'home#callback'
+  get '/sign_in',  to: 'home#sign_in'
+  resources :semi_protected_resources
+  resources :full_protected_resources
+  root to: 'home#index'
+end

data/spec/dummy/config.ru

@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment',  __FILE__)
+run Dummy::Application

data/spec/dummy/db/migrate/20111122132257_create_users.rb

@@ -0,0 +1,9 @@
+class CreateUsers < ActiveRecord::Migration
+  def change
+    create_table :users do |t|
+      t.string :name
+
+      t.timestamps
+    end
+  end
+end