clavis 0.7.1

data/lib/generators/clavis/templates/initializer.rb.tt

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+Clavis.configure do |config|
+  # Configure your OAuth providers here
+  config.providers = {
+    # Google example:
+    # google: {
+    #   client_id: ENV['GOOGLE_CLIENT_ID'],
+    #   client_secret: ENV['GOOGLE_CLIENT_SECRET'],
+    #   redirect_uri: 'https://your-app.com/auth/google/callback'
+    # },
+    
+    # GitHub example:
+    # github: {
+    #   client_id: ENV['GITHUB_CLIENT_ID'],
+    #   client_secret: ENV['GITHUB_CLIENT_SECRET'],
+    #   redirect_uri: 'https://your-app.com/auth/github/callback'
+    # },
+    
+    # Apple example:
+    # apple: {
+    #   client_id: ENV['APPLE_CLIENT_ID'], # Your Services ID
+    #   team_id: ENV['APPLE_TEAM_ID'],
+    #   key_id: ENV['APPLE_KEY_ID'],
+    #   private_key: ENV['APPLE_PRIVATE_KEY'],
+    #   redirect_uri: 'https://your-app.com/auth/apple/callback'
+    # }
+  }
+  
+  # Optional: Configure logging
+  # config.logger = Rails.logger
+  # config.verbose_logging = false
+  
+  # Security configuration
+  
+  # Token encryption (disabled by default)
+  # config.encrypt_tokens = true
+  # config.encryption_key = ENV['CLAVIS_ENCRYPTION_KEY'] # Must be at least 32 bytes
+  # config.use_rails_credentials = true # Use Rails credentials for encryption key and provider config
+  
+  # Parameter filtering (enabled by default)
+  # config.parameter_filter_enabled = true
+  
+  # Redirect URI validation
+  # config.allowed_redirect_hosts = ['your-app.com'] # Add your app's domain(s)
+  # config.exact_redirect_uri_matching = false # Set to true for exact matching
+  # config.allow_localhost_in_development = true
+  # config.raise_on_invalid_redirect = true
+  
+  # HTTPS enforcement (enabled by default)
+  # config.enforce_https = true # Force HTTPS for all OAuth URLs
+  # config.allow_http_localhost = true # Allow HTTP for localhost in development
+  # config.verify_ssl = true # Verify SSL certificates
+  # config.minimum_tls_version = :TLS1_2 # Minimum TLS version
+  
+  # Input validation (enabled by default)
+  # config.validate_inputs = true # Validate all inputs
+  # config.sanitize_inputs = true # Sanitize all inputs
+  
+  # Session management (enabled by default)
+  # config.rotate_session_after_login = true # Rotate session ID after login
+  # config.session_key_prefix = 'clavis' # Prefix for session keys
+  
+  # Rate limiting (enabled by default)
+  # Requires rack-attack gem to be installed in your application
+  # config.rate_limiting_enabled = true # Enable rate limiting for OAuth endpoints
+  
+  # Custom throttle rules (optional)
+  # config.custom_throttles = {
+  #   "auth_page_views": {
+  #     limit: 30,
+  #     period: 1.minute,
+  #     block: ->(req) { req.path == "/login" ? req.ip : nil }
+  #   }
+  # }
+end 

data/lib/generators/clavis/templates/migration.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class CreateClavisOauthIdentities < ActiveRecord::Migration[8.0]
+  def change
+    create_table :clavis_oauth_identities do |t|
+      t.references :authenticatable, polymorphic: true, null: false, index: true
+      t.string :provider, null: false
+      t.string :uid, null: false
+      t.json :auth_data
+      t.string :token
+      t.string :refresh_token
+      t.datetime :expires_at
+      t.timestamps
+      
+      t.index [:provider, :uid], unique: true
+    end
+  end
+end

data/lib/generators/clavis/templates/migration.rb.tt

@@ -0,0 +1,16 @@
+class CreateClavisOauthIdentities < ActiveRecord::Migration[<%= migration_version %>]
+  def change
+    create_table :clavis_oauth_identities do |t|
+      t.references :authenticatable, polymorphic: true, null: false, index: true
+      t.string :provider, null: false
+      t.string :uid, null: false
+      t.json :auth_data
+      t.string :token
+      t.string :refresh_token
+      t.datetime :expires_at
+      t.timestamps
+      
+      t.index [:provider, :uid], unique: true
+    end
+  end
+end

data/lib/generators/clavis/user_method/user_method_generator.rb

@@ -0,0 +1,219 @@
+# frozen_string_literal: true
+
+require "rails/generators"
+
+module Clavis
+  module Generators
+    class UserMethodGenerator < Rails::Generators::Base
+      source_root File.expand_path("templates", __dir__)
+
+      desc "Adds Clavis OAuth user methods to your application"
+
+      def create_concern
+        # Create directory structure if it doesn't exist
+        directory_path = "app/models/concerns"
+        FileUtils.mkdir_p(directory_path) unless File.directory?(directory_path)
+
+        # Create the concern file
+        create_file "app/models/concerns/clavis_user_methods.rb", <<~RUBY
+          # frozen_string_literal: true
+
+          # This concern provides methods for finding or creating users from OAuth data
+          # It is intended to be included in your User model
+          module ClavisUserMethods
+            extend ActiveSupport::Concern
+          #{"  "}
+            # Include the OauthAuthenticatable module to get helper methods
+            included do
+              include Clavis::Models::OauthAuthenticatable if defined?(Clavis::Models::OauthAuthenticatable)
+          #{"    "}
+              # Add a temporary attribute to track OAuth authentication during user creation
+              # This can be used to conditionally skip password validation for OAuth users
+              attr_accessor :skip_password_validation
+          #{"    "}
+              # IMPORTANT: If your User model uses has_secure_password, you need to handle
+              # password validation. Uncomment and modify ONE of these approaches:
+              #
+              # APPROACH 1: Skip password validation for OAuth users (recommended)
+              # validates :password, presence: true, length: { minimum: 8 },
+              #           unless: -> { skip_password_validation }, on: :create
+              #
+              # APPROACH 2: Set a random secure password for OAuth users
+              # before_validation :set_random_password, if: -> { skip_password_validation && respond_to?(:password=) }
+              #
+              # APPROACH 3: Use validate: false for OAuth users (less recommended)
+              # See the #find_or_create_from_clavis method below
+          #{"    "}
+              # For approach 2, add this method
+              # def set_random_password
+              #   self.password = SecureRandom.hex(16)
+              #   self.password_confirmation = password if respond_to?(:password_confirmation=)
+              # end
+            end
+
+            class_methods do
+              # Find or create a user from OAuth authentication
+              # This method is called by Clavis when authenticating via OAuth
+              def find_or_create_from_clavis(auth_hash)
+                # First try to find an existing identity
+                # For OpenID Connect providers like Google, we use the sub claim as the identifier
+                # For other providers, we use the uid
+                identity = if auth_hash[:id_token_claims]&.dig(:sub)
+                            Clavis::OauthIdentity.find_by(
+                              provider: auth_hash[:provider],
+                              uid: auth_hash[:id_token_claims][:sub]
+                            )
+                          else
+                            Clavis::OauthIdentity.find_by(
+                              provider: auth_hash[:provider],
+                              uid: auth_hash[:uid]
+                            )
+                          end
+                return identity.user if identity&.user
+
+                # Extract email from auth_hash (try various possible locations)
+                email = extract_email_from_auth_hash(auth_hash)
+          #{"      "}
+                # Try to find existing user by email if available
+                user = find_by(email: email) if email.present?
+          #{"      "}
+                # Create a new user if none found
+                if user.nil?
+                  # Convert to HashWithIndifferentAccess for reliable key access
+                  info = auth_hash[:info].with_indifferent_access if auth_hash[:info]
+                  claims = auth_hash[:id_token_claims].with_indifferent_access if auth_hash[:id_token_claims]
+          #{"        "}
+                  user = new(
+                    email: email
+                    # Add other required fields for your User model here, for example:
+                    ##{" "}
+                    # With HashWithIndifferentAccess, access is reliable regardless of key type:
+                    # first_name: info&.dig(:given_name) || info&.dig(:first_name),
+                    # last_name: info&.dig(:family_name) || info&.dig(:last_name),
+                    # name: info&.dig(:name),
+                    # username: info&.dig(:nickname),
+                    # avatar_url: info&.dig(:picture) || info&.dig(:image),
+                    # terms_accepted: true # for required boolean fields
+                  )
+          #{"        "}
+                  # Mark this user as coming from OAuth to skip password validation
+                  # This works with the validation conditionals defined above
+                  user.skip_password_validation = true
+          #{"        "}
+                  # APPROACH 1 & 2: Use standard save with conditional validation
+                  user.save!
+          #{"        "}
+                  # APPROACH 3: Bypass validations entirely - use with caution, and only if approaches 1 & 2 don't work
+                  # If your User model has complex validations that are incompatible with OAuth users,
+                  # you might need to bypass validations. Uncomment this if needed:
+                  # user.save(validate: false)
+                end
+          #{"  "}
+                # Create or update the OAuth identity
+                identity = Clavis::OauthIdentity.find_or_initialize_by(
+                  provider: auth_hash[:provider],
+                  uid: auth_hash[:id_token_claims]&.dig(:sub) || auth_hash[:uid]
+                )
+                identity.user = user
+                identity.auth_data = auth_hash[:info]
+                identity.token = auth_hash.dig(:credentials, :token)
+                identity.refresh_token = auth_hash.dig(:credentials, :refresh_token)
+                identity.expires_at = auth_hash.dig(:credentials, :expires_at) ? Time.at(auth_hash.dig(:credentials, :expires_at)) : nil
+                identity.save!
+          #{"  "}
+                # Set the oauth_user flag if available
+                user.update(oauth_user: true) if user.respond_to?(:oauth_user=)
+          #{"      "}
+                # Optional: Update any fields on the User model that you want to keep in sync
+                # user.update(
+                #   avatar_url: auth_hash.dig(:info, :image),
+                #   last_oauth_login_at: Time.current,
+                #   last_oauth_provider: auth_hash[:provider]
+                # )
+          #{"  "}
+                user
+              end
+          #{"    "}
+              private
+          #{"    "}
+              # Helper method to extract email from various locations in the auth hash
+              def extract_email_from_auth_hash(auth_hash)
+                return nil unless auth_hash
+          #{"      "}
+                # Try to get email from various possible locations
+                if auth_hash[:info]&.with_indifferent_access
+                  info = auth_hash[:info].with_indifferent_access
+                  return info[:email] if info[:email].present?
+                end
+          #{"      "}
+                if auth_hash[:id_token_claims]&.with_indifferent_access
+                  claims = auth_hash[:id_token_claims].with_indifferent_access
+                  return claims[:email] if claims[:email].present?
+                end
+          #{"      "}
+                if auth_hash[:extra]&.dig(:raw_info)&.with_indifferent_access
+                  raw_info = auth_hash[:extra][:raw_info].with_indifferent_access
+                  return raw_info[:email] if raw_info[:email].present?
+                end
+          #{"      "}
+                nil
+              end
+            end
+          end
+        RUBY
+
+        say_status :create, "Created ClavisUserMethods concern", :green
+      end
+
+      def update_user_model
+        user_file = "app/models/user.rb"
+
+        if File.exist?(user_file)
+          # Check if the concern is already included
+          user_content = File.read(user_file)
+          if user_content.include?("include ClavisUserMethods")
+            say_status :skip, "ClavisUserMethods already included in User model", :yellow
+            return
+          end
+
+          # Add the concern include to the User model
+          inject_into_file user_file, after: "class User < ApplicationRecord\n" do
+            "  include ClavisUserMethods\n"
+          end
+
+          say_status :inject, "Added ClavisUserMethods include to User model", :green
+        else
+          # Create a User model with the concern included
+          create_file user_file, <<~RUBY
+            class User < ApplicationRecord
+              include ClavisUserMethods
+            #{"  "}
+              # Add your User model code here
+            end
+          RUBY
+
+          say_status :create, "Created User model with ClavisUserMethods included", :green
+        end
+      end
+
+      def show_instructions
+        say "\nThe ClavisUserMethods concern has been created and included in your User model."
+        say "This gives your User model the ability to find or create users from OAuth data."
+
+        say "\n⚠️  IMPORTANT: You must customize the user creation code to match your User model!"
+        say "The default implementation only sets the email field, which may not be sufficient."
+
+        say "\n⚠️  IMPORTANT: If your User model uses has_secure_password, you need to handle password validation!"
+        say "Look for the password validation section in app/models/concerns/clavis_user_methods.rb and"
+        say "uncomment one of the approaches described there."
+
+        say "\nTo customize:"
+        say "  1. Edit app/models/concerns/clavis_user_methods.rb"
+        say "  2. Add required fields to the user creation in find_or_create_from_clavis"
+        say "  3. Handle password validation if your model uses has_secure_password"
+
+        say "\nFor more information, see the documentation at https://github.com/clayton/clavis"
+      end
+    end
+  end
+end

data/lib/tasks/provider_verification.rake

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+namespace :clavis do
+  desc "Verify all providers implement required methods"
+  task verify_providers: :environment do
+    require "clavis"
+
+    # Define the methods all providers must implement
+    required_methods = %i[
+      process_callback
+      authorize_url
+      token_exchange
+      get_user_info
+      refresh_token
+      provider_name
+      authorization_endpoint
+      token_endpoint
+      userinfo_endpoint
+      default_scopes
+      openid_provider?
+    ]
+
+    # Get all provider classes
+    providers = [
+      Clavis::Providers::Google,
+      Clavis::Providers::Github,
+      Clavis::Providers::Microsoft,
+      Clavis::Providers::Facebook,
+      Clavis::Providers::Apple,
+      Clavis::Providers::Generic
+    ]
+
+    # Initialize a provider with fake credentials
+    args = {
+      client_id: "fake-client-id",
+      client_secret: "fake-client-secret",
+      redirect_uri: "http://localhost:3000/callback"
+    }
+
+    missing_methods = []
+    errors = []
+
+    # Check each provider
+    providers.each do |provider_class|
+      Rails.logger.debug { "Checking #{provider_class.name}..." }
+
+      begin
+        provider = provider_class.new(args)
+
+        required_methods.each do |method|
+          missing_methods << "#{provider_class.name} is missing method: #{method}" unless provider.respond_to?(method)
+        end
+      rescue StandardError => e
+        errors << "Error initializing #{provider_class.name}: #{e.message}"
+      end
+    end
+
+    # Report results
+    if missing_methods.any? || errors.any?
+      Rails.logger.debug "FAILURES:"
+
+      if missing_methods.any?
+        Rails.logger.debug "\nMissing Methods:"
+        Rails.logger.debug missing_methods.join("\n")
+      end
+
+      if errors.any?
+        Rails.logger.debug "\nInitialization Errors:"
+        Rails.logger.debug errors.join("\n")
+      end
+
+      exit 1
+    else
+      Rails.logger.debug "✅ All providers implement required methods."
+    end
+  end
+end