castle_devise 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: c13e653cf7d00df4cdb2436431a031be5c4120d5e667ff2c5feb00effd374011
+  data.tar.gz: 8c4c4fafd623cda48e9f9c125c81cda8071ae81e7ec62cad74bc0476bd89c4ea
+SHA512:
+  metadata.gz: 3066ab56d17f1d3097f4aecaa115162e0e9263016cd4dce602a0491d5071ad5fcb933871d6830147303ca859cd60e5c503cdd30dc23112e0b94c0337e4cabee2
+  data.tar.gz: b8c18958cc92790e26e4e222c8c7f34f4db8be72c1c55d54225ca23dd427bcad7082c1efe7208655dbe43c3d31840fbc4875797e53d7b074eef88e21d1a7d118

data/.github/workflows/lint.yml

@@ -0,0 +1,18 @@
+name: Lint
+
+on: [pull_request]
+
+jobs:
+  standardrb:
+    name: runner / standardrb
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v1
+      - name: standardrb
+        uses: SennaLabs/action-standardrb@v0.0.3
+        with:
+          github_token: ${{ secrets.github_token }}
+          reporter: github-pr-review # Default is github-pr-check
+          rubocop_version: 1.1.1 # note: this actually refers to standardb version, not Rubocop
+          rubocop_flags: --format progress

data/.github/workflows/specs.yml

@@ -0,0 +1,25 @@
+name: Specs
+
+on: [push,pull_request]
+
+jobs:
+  build:
+    environment: tests
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.6.5
+    - name: Run specs
+      run: |
+        gem install bundler -v 2.2.19
+        bundle install
+        bundle exec rake
+      env:
+        CASTLE_API_SECRET: ${{ secrets.CASTLE_API_SECRET }}
+    - name: Simplecov Report
+      uses: aki77/simplecov-report-action@v1
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}

data/.gitignore

@@ -0,0 +1,18 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status
+
+# IntelliJ
+.idea/
+
+vendor/
+
+spec/dummy_app/log/

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2021-06-11
+
+- Initial release

data/Gemfile

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in castle-devise.gemspec
+gemspec
+
+gem "activerecord"
+gem "railties", "~> 5.2"
+gem "rake"
+gem "rspec"
+gem "rspec-rails"
+gem "simplecov"
+gem "standard"
+gem "sqlite3"
+gem "vcr"
+gem "webmock"

data/Gemfile.lock

@@ -0,0 +1,169 @@
+PATH
+  remote: .
+  specs:
+    castle_devise (0.1.0)
+      activesupport (>= 5.0)
+      castle-rb (>= 7.0, < 8.0)
+      devise (>= 4.3.0, < 5.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionpack (5.2.6)
+      actionview (= 5.2.6)
+      activesupport (= 5.2.6)
+      rack (~> 2.0, >= 2.0.8)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (5.2.6)
+      activesupport (= 5.2.6)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activemodel (5.2.6)
+      activesupport (= 5.2.6)
+    activerecord (5.2.6)
+      activemodel (= 5.2.6)
+      activesupport (= 5.2.6)
+      arel (>= 9.0)
+    activesupport (5.2.6)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    addressable (2.7.0)
+      public_suffix (>= 2.0.2, < 5.0)
+    arel (9.0.0)
+    ast (2.4.2)
+    bcrypt (3.1.16)
+    builder (3.2.4)
+    castle-rb (7.1.1)
+    concurrent-ruby (1.1.9)
+    crack (0.4.5)
+      rexml
+    crass (1.0.6)
+    devise (4.8.0)
+      bcrypt (~> 3.0)
+      orm_adapter (~> 0.1)
+      railties (>= 4.1.0)
+      responders
+      warden (~> 1.2.3)
+    diff-lcs (1.4.4)
+    docile (1.4.0)
+    erubi (1.10.0)
+    hashdiff (1.0.1)
+    i18n (1.8.10)
+      concurrent-ruby (~> 1.0)
+    loofah (2.10.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    method_source (1.0.0)
+    minitest (5.14.4)
+    nokogiri (1.11.7-x86_64-darwin)
+      racc (~> 1.4)
+    orm_adapter (0.5.0)
+    parallel (1.20.1)
+    parser (3.0.1.1)
+      ast (~> 2.4.1)
+    public_suffix (4.0.6)
+    racc (1.5.2)
+    rack (2.2.3)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
+    railties (5.2.6)
+      actionpack (= 5.2.6)
+      activesupport (= 5.2.6)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.19.0, < 2.0)
+    rainbow (3.0.0)
+    rake (13.0.3)
+    regexp_parser (2.1.1)
+    responders (3.0.1)
+      actionpack (>= 5.0)
+      railties (>= 5.0)
+    rexml (3.2.5)
+    rspec (3.10.0)
+      rspec-core (~> 3.10.0)
+      rspec-expectations (~> 3.10.0)
+      rspec-mocks (~> 3.10.0)
+    rspec-core (3.10.1)
+      rspec-support (~> 3.10.0)
+    rspec-expectations (3.10.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-mocks (3.10.2)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.10.0)
+    rspec-rails (5.0.1)
+      actionpack (>= 5.2)
+      activesupport (>= 5.2)
+      railties (>= 5.2)
+      rspec-core (~> 3.10)
+      rspec-expectations (~> 3.10)
+      rspec-mocks (~> 3.10)
+      rspec-support (~> 3.10)
+    rspec-support (3.10.2)
+    rubocop (1.14.0)
+      parallel (~> 1.10)
+      parser (>= 3.0.0.0)
+      rainbow (>= 2.2.2, < 4.0)
+      regexp_parser (>= 1.8, < 3.0)
+      rexml
+      rubocop-ast (>= 1.5.0, < 2.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 3.0)
+    rubocop-ast (1.7.0)
+      parser (>= 3.0.1.1)
+    rubocop-performance (1.11.2)
+      rubocop (>= 1.7.0, < 2.0)
+      rubocop-ast (>= 0.4.0)
+    ruby-progressbar (1.11.0)
+    simplecov (0.21.2)
+      docile (~> 1.1)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.12.3)
+    simplecov_json_formatter (0.1.3)
+    sqlite3 (1.4.2)
+    standard (1.1.1)
+      rubocop (= 1.14.0)
+      rubocop-performance (= 1.11.2)
+    thor (1.1.0)
+    thread_safe (0.3.6)
+    tzinfo (1.2.9)
+      thread_safe (~> 0.1)
+    unicode-display_width (2.0.0)
+    vcr (6.0.0)
+    warden (1.2.9)
+      rack (>= 2.0.9)
+    webmock (3.13.0)
+      addressable (>= 2.3.6)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
+
+PLATFORMS
+  x86_64-darwin-18
+
+DEPENDENCIES
+  activerecord
+  castle_devise!
+  railties (~> 5.2)
+  rake
+  rspec
+  rspec-rails
+  simplecov
+  sqlite3
+  standard
+  vcr
+  webmock
+
+BUNDLED WITH
+   2.2.15

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 Castle
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,197 @@
+**Disclaimer:** CastleDevise is currently in beta. There might be some upcoming breaking changes to the gem before we stabilize the API.
+
+--- 
+
+# CastleDevice
+
+CastleDevise is a [Devise](https://github.com/heartcombo/devise) plugin that integrates [Castle](https://castle.io). 
+
+It currently provides the following features:
+- preventing bots from registration attacks using Castle's [Filter API](https://docs.castle.io/v1/reference/api-reference/#filter)
+- preventing ATO attacks using Castle's [Risk API](https://docs.castle.io/v1/reference/api-reference/#risk)
+
+If you want to learn about all capabilities of Castle, please take a look at [our documentation](https://docs.castle.io/).
+
+## Installation
+
+Include `castle_devise` in your Gemfile:
+
+```ruby
+gem 'castle_devise'
+```
+
+Create `config/initializers/castle_devise.rb` and fill in your API secret and APP_ID from the [Castle Dashboard](https://dashboard.castle.io/settings/general)
+
+```ruby 
+CastleDevise.configure do |config|
+  config.api_secret = ENV.fetch('CASTLE_API_SECRET')
+  config.app_id = ENV.fetch('CASTLE_APP_ID')
+  
+  # When monitoring mode is enabled, CastleDevise sends
+  # requests to Castle but it doesn't act on the "deny" verdicts.
+  #
+  # This is useful when you want to check out how Castle scores
+  # your traffic without blocking any of your users.
+  #
+  # Once you are ready to use Castle as your security provider,
+  # you can set monitoring_mode to false.
+  config.monitoring_mode = true
+end
+```
+
+Add `:castle_protectable` Devise module to your User model:
+
+```ruby 
+class User < ApplicationRecord
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :validatable, 
+         :castle_protectable # <--- add this
+end
+```
+
+Add an additional translation to your `config/locales/devise.en.yml`:
+
+```yml
+en:
+  devise:
+    registrations:
+      blocked_by_castle: "Account cannot be created at this moment. Please try again later."
+```
+
+(See [devise.en.yml in our specs](spec/dummy_app/config/locales/devise.en.yml#L40))
+
+#### Further steps if you're not using Webpacker
+
+Include Castle's c.js script in the head section of your layout:
+
+```ruby
+<%= castle_javascript_tag %>
+```
+
+Add the following tag to the the `<form>` tag in both `devise/registrations/new.html.erb` and `devise/sessions/new.html.erb` (if you haven't generated them yet, run `rails generate devise:views`):
+
+```ruby
+<%= form_for @user do |f| %>
+  …
+  <%= castle_request_token %>
+  …
+<% end %>
+```
+
+You're set! Now verify that everything works by logging in to your application as any user. You should be able to see that User on the [Castle Users Page](https://dashboard.castle.io/users)
+
+
+#### Further steps if you're using Webpacker
+
+Add `castle.js` to your package.json file.
+
+TODO: fill this in.
+
+
+## How-Tos
+
+### Customize the login flow
+
+#### Do something after Castle denies a login
+
+We aim to provide sensible defaults, which means that when Castle denies a login, your application
+will behave as if the User has not been authenticated. You might still want to log such an event,
+and you can do this in a Warden hook:
+
+```ruby
+Warden::Manager.before_failure do |env, opts|
+  # The raw Castle response if a request to Castle has been made
+  castle_response = env["castle_devise.risk_response"]
+  # CastleDevise::Context, if a request to Castle has been made
+  castle_context = env["castle_devise.risk_context"]
+
+  if castle_response&.dig(:policy, :action) == "deny"
+    # auth failed because Castle denied
+  end
+end
+
+```
+
+#### Implement your own challenge flow or do something after an "allow" action
+
+In your `SessionsController`:
+
+```ruby
+class SessionsController < Devise::SessionsController
+  def create
+    super do |resource|
+      if castle_challenge?
+        # At this point a User is already authenticated, you might want so sign out:
+        sign_out(resource)
+        # .... write your own MFA flow
+        # You can call #castle_risk_response to access Castle response
+        # see https://docs.castle.io/v1/reference/api-reference/#risk for details
+
+        # Fetch the Device token to use it for user feedback
+        # https://docs.castle.io/v1/tutorials/advanced-features/end-user-feedback
+        device_token = castle_risk_response.dig(:device, :token)
+
+        # You might want to fetch our risk signals as well
+        # https://docs.castle.io/v1/reference/signals/
+        event_signals = castle_risk_response[:signals].keys
+        return
+      end
+
+      # do any other action you'd like to perform after a user has been signed in below
+    end
+  end
+end
+```
+
+Please note that some Devise extensions might completely override `Devise::SessionsController#create`.
+In this case, you have to handle everything manually -  `castle_challenge?` should be called after
+a call to `warden.authenticate!` has been successful.
+
+#### Do not sent login/registration events
+
+You can configure CastleDevise not to send login or registration events for a given Devise model:
+
+```ruby
+class User < ApplicationRecord
+  devise :database_authenticatable, :registerable,
+         :castle_protectable,
+         castle_hooks: {
+           # set it to false to prevent CastleDevise
+           # from sending filter($login)
+           before_registration: true,
+           # set it to false to prevent CastleDevise from
+           # sending risk($login) and log($login, $failed)
+           after_login: true
+         }
+end
+```
+
+#### Intercept request/response
+
+You can register before- and after- request hooks in CastleDevise.
+
+```ruby
+CastleDevise.configure do |config|
+  # Add custom properties to the request but only when sending
+  #   requests to the Risk endpoint
+  # action - Castle API endpoint (eg. :risk, :filter, :log)
+  # context - CastleDevise::Context
+  # payload - Hash (payload passed to the Castle SDK)
+  config.before_request do |action, context, payload|
+    if action == :risk
+      payload[:properties] = {
+        from_eu: context.resource.ip.from_eu?
+      }
+    end
+  end
+
+  config.before_request do |action, context, payload|
+    # you can register multiple before_request hooks
+  end
+
+  # Intercept the response - enrich your logs with Castle signals
+  config.after_request do |action, context, payload, response|
+    Logging.add_tags(response[:signals].keys)
+  end
+end
+```