clavis 0.7.1

data/lib/clavis/controllers/concerns/authentication.rb

@@ -0,0 +1,232 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Clavis
+  module Controllers
+    module Concerns
+      module Authentication
+        extend ActiveSupport::Concern
+
+        def oauth_authorize
+          provider_name = params[:provider]
+
+          # Check if provider is specified
+          if provider_name.blank?
+            error_message = "No provider specified for OAuth authentication"
+            Clavis::Logging.log_error(error_message)
+
+            # Return a meaningful error to the user
+            flash[:alert] = "Authentication provider not specified. Please try again or contact support."
+            redirect_to main_app.respond_to?(:root_path) ? main_app.root_path : "/"
+            return
+          end
+
+          begin
+            # Explicitly validate provider - this will raise Clavis::ProviderNotConfigured if not configured
+            Clavis.configuration.validate_provider!(provider_name)
+
+            # Initialize the provider - if it fails, let the exception bubble up
+            provider = Clavis.provider(provider_name)
+
+            # Validate and store redirect URI if provided
+            if params[:redirect_uri].present?
+              Clavis::Security::SessionManager.store_redirect_uri(session, params[:redirect_uri])
+            end
+
+            # Generate and store state and nonce in session
+            state = Clavis::Security::SessionManager.generate_and_store_state(session)
+            nonce = Clavis::Security::SessionManager.generate_and_store_nonce(session)
+
+            # Log parameters safely
+            Clavis::Security::ParameterFilter.log_parameters(
+              { provider: provider_name, scope: params[:scope] },
+              level: :info,
+              message: "Starting OAuth flow"
+            )
+
+            # Validate inputs
+            scope = params[:scope] || Clavis.configuration.default_scopes
+            Clavis::Security::InputValidator.sanitize(scope)
+
+            # Generate the authorization URL and redirect
+            auth_url = provider.authorize_url(
+              state: state,
+              nonce: nonce,
+              scope: scope
+            )
+
+            redirect_to auth_url, allow_other_host: true
+          rescue StandardError => e
+            # Only rescue non-configuration errors
+            raise if e.is_a?(Clavis::ProviderNotConfigured) || e.is_a?(Clavis::ConfigurationError)
+
+            # Re-raise configuration errors to make them visible
+
+            Clavis::Logging.log_error("OAuth flow error: #{e.class.name} - #{e.message}")
+            Clavis::Logging.log_error(e.backtrace.join("\n"))
+
+            flash[:alert] = "An error occurred while setting up authentication. Please try again or contact support."
+            redirect_to main_app.respond_to?(:root_path) ? main_app.root_path : "/"
+          end
+        end
+
+        def oauth_callback
+          provider_name = params[:provider]
+
+          # Log parameters safely
+          Clavis::Security::ParameterFilter.log_parameters(
+            params.to_unsafe_h,
+            level: :debug,
+            message: "OAuth callback received"
+          )
+
+          # Check for error response from provider
+          if params[:error].present?
+            handle_oauth_error(params[:error], params[:error_description])
+            return
+          end
+
+          # Verify state parameter to prevent CSRF
+          unless Clavis::Security::SessionManager.valid_state?(session, params[:state], clear_after_validation: true)
+            raise Clavis::InvalidState, "Invalid state parameter"
+          end
+
+          # Validate code parameter
+          unless Clavis::Security::InputValidator.valid_code?(params[:code])
+            raise Clavis::InvalidGrant, "Invalid authorization code"
+          end
+
+          provider = Clavis.provider(provider_name)
+
+          begin
+            # Exchange code for tokens
+            auth_hash = provider.process_callback(params[:code])
+
+            # Find or create the user using the configured class and method
+            user_class = Clavis.configuration.user_class.constantize
+            finder_method = Clavis.configuration.user_finder_method
+
+            # Ensure the configured method exists
+            unless user_class.respond_to?(finder_method)
+              raise Clavis::ConfigurationError,
+                    "The method '#{finder_method}' is not defined on the #{user_class.name} class. " \
+                    "Please implement this method to handle user creation from OAuth, or " \
+                    "configure a different user_finder_method in your Clavis configuration."
+            end
+
+            # Call the configured method to find or create the user
+            user = user_class.public_send(finder_method, auth_hash)
+
+            # Rotate session ID for security
+            Clavis::Security::SessionManager.rotate_session(request) if Clavis.configuration.rotate_session_after_login
+
+            # Store additional information in the session
+            Clavis::Security::SessionManager.store_auth_info(session, auth_hash)
+
+            # Invoke custom claims processor if configured
+            if Clavis.configuration.claims_processor.respond_to?(:call)
+              Clavis.configuration.claims_processor.call(auth_hash, user)
+            end
+
+            # Yield to block for custom processing
+            yield(user, auth_hash) if block_given?
+          rescue StandardError => e
+            raise Clavis::AuthenticationError, e.message
+          end
+        end
+
+        private
+
+        def handle_oauth_error(error, description = nil)
+          # Sanitize error parameters
+          error = Clavis::Security::InputValidator.sanitize(error)
+          description = Clavis::Security::InputValidator.sanitize(description) if description
+
+          case error
+          when "access_denied"
+            raise Clavis::AuthorizationDenied, description
+          when "invalid_request", "unauthorized_client",
+               "unsupported_response_type", "invalid_scope",
+               "server_error", "temporarily_unavailable"
+            raise Clavis::AuthenticationError, description || error
+          else
+            raise Clavis::AuthenticationError, description || "Unknown error: #{error}"
+          end
+        end
+
+        def find_or_create_user_from_oauth(auth_hash)
+          # If the User class has the find_for_oauth method, use it
+          if defined?(User) && User.respond_to?(:find_for_oauth)
+            User.find_for_oauth(auth_hash)
+          # If there's a User class that includes OauthAuthenticatable, use the module's method
+          elsif defined?(User) && User.include?(Clavis::Models::Concerns::OauthAuthenticatable)
+            # Find or create the identity
+            identity = Clavis::OauthIdentity.find_or_initialize_by(
+              provider: auth_hash[:provider],
+              uid: auth_hash[:uid]
+            )
+
+            user = if identity.user.present?
+                     identity.user
+                   elsif auth_hash.dig(:info, :email).present?
+                     # Try to find user by email
+                     user_email_field = User.new.respond_to?(:email) ? :email : :email_address
+                     User.find_by(user_email_field => auth_hash.dig(:info, :email)) ||
+                       begin
+                         new_user = User.new
+                         if new_user.respond_to?(user_email_field)
+                           new_user.send(:"#{user_email_field}=", auth_hash.dig(:info, :email))
+                         end
+
+                         # Set password if applicable
+                         if new_user.respond_to?(:password=) && new_user.respond_to?(:password_confirmation=)
+                           password = SecureRandom.hex(16)
+                           new_user.password = password
+                           new_user.password_confirmation = password if new_user.respond_to?(:password_confirmation=)
+                         end
+
+                         # Set name if applicable
+                         set_user_name_from_auth_hash(new_user, auth_hash) if auth_hash.dig(:info, :name).present?
+
+                         new_user.save!
+                         new_user
+                       end
+                   else
+                     # No email found, create a new user without email
+                     User.create!(password: SecureRandom.hex(16))
+                   end
+
+            # Update the identity with the latest auth data
+            identity.user = user
+            identity.auth_data = auth_hash[:info]
+            identity.token = auth_hash.dig(:credentials, :token)
+            identity.refresh_token = auth_hash.dig(:credentials, :refresh_token)
+            identity.expires_at = if auth_hash.dig(:credentials, :expires_at)
+                                    Time.at(auth_hash.dig(:credentials, :expires_at))
+                                  end
+            identity.store_standardized_user_info!
+            identity.save!
+
+            user
+          else
+            # No User class or not proper configuration, just return the auth hash
+            auth_hash
+          end
+        end
+
+        # Helper method to set user name from auth hash
+        def set_user_name_from_auth_hash(user, auth_hash)
+          return unless auth_hash.dig(:info, :name).present?
+
+          name_parts = auth_hash.dig(:info, :name).split
+          user.first_name = name_parts.first if user.respond_to?(:first_name=)
+
+          return unless name_parts.size > 1 && user.respond_to?(:last_name=)
+
+          user.last_name = name_parts.drop(1).join(" ")
+        end
+      end
+    end
+  end
+end

data/lib/clavis/controllers/concerns/session_management.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Clavis
+  module Controllers
+    module Concerns
+      # SessionManagement provides methods for handling user sessions after OAuth authentication
+      # This concern is designed to be included in ApplicationController and provides
+      # a simple, Rails-friendly way to handle user sessions.
+      module SessionManagement
+        extend ActiveSupport::Concern
+
+        included do
+          helper_method :current_user, :authenticated? if respond_to?(:helper_method)
+        end
+
+        # Check if a user is currently authenticated
+        # @return [Boolean] Whether the user is authenticated
+        def authenticated?
+          current_user.present?
+        end
+
+        # Get the current authenticated user, if any
+        # @return [User, nil] The current user or nil if not authenticated
+        def current_user
+          return @current_user if defined?(@current_user)
+
+          @current_user = find_user_by_cookie
+        end
+
+        # Sign in a user by setting a signed cookie
+        # @param user [User] The user to sign in
+        def sign_in_user(user)
+          # First try to use Devise if it's available
+          if respond_to?(:sign_in) && !method("sign_in").owner.is_a?(Method)
+            sign_in(user)
+          else
+            # Use our secure cookie-based approach
+            cookies.signed.permanent[:user_id] = {
+              value: user.id,
+              httponly: true,
+              same_site: :lax,
+              secure: Rails.env.production?
+            }
+          end
+        end
+
+        # Sign out the current user by clearing the cookie
+        # @return [void]
+        def sign_out_user
+          # First try to use Devise if it's available
+          if respond_to?(:sign_out) && !method("sign_out").owner.is_a?(Method)
+            sign_out(current_user)
+          else
+            # Use our cookie-based approach
+            cookies.delete(:user_id)
+          end
+        end
+
+        # Store the current URL to return to after authentication
+        # @return [void]
+        def store_location
+          session[:return_to] = request.url if request.get?
+        end
+
+        # Default path to redirect to after successful login
+        # @return [String] The path to redirect to
+        def after_login_path
+          stored_location || default_path
+        end
+
+        # Default path to redirect to after logout
+        # @return [String] The path to redirect to
+        def after_logout_path
+          if respond_to?(:login_path)
+            login_path
+          else
+            default_path
+          end
+        end
+
+        private
+
+        # Get the stored location for redirection
+        # @return [String, nil] The stored location or nil
+        def stored_location
+          location = session.delete(:return_to)
+
+          # Don't return auth paths to avoid redirect loops
+          return unless location.present? && !location.to_s.include?("/auth/")
+
+          location
+        end
+
+        # Default path when no stored location is available
+        # @return [String] The default path
+        def default_path
+          if defined?(main_app) && main_app.respond_to?(:root_path)
+            main_app.root_path
+          else
+            "/"
+          end
+        end
+
+        # Find a user by the signed cookie
+        # @return [User, nil] The user or nil if not found
+        def find_user_by_cookie
+          return nil unless cookies.signed[:user_id]
+
+          user_class = Clavis.configuration.user_class.constantize
+          user_class.find_by(id: cookies.signed[:user_id])
+        end
+      end
+    end
+  end
+end

data/lib/clavis/engine.rb

@@ -0,0 +1,191 @@
+# frozen_string_literal: true
+
+require "rails"
+require_relative "controllers/concerns/authentication"
+require_relative "controllers/concerns/session_management"
+require_relative "security/rate_limiter"
+
+module Clavis
+  class Engine < ::Rails::Engine
+    isolate_namespace Clavis
+
+    # Allow the routes to be namespaced with a unique identifier for each mount point
+    # This prevents route name collisions when the engine is mounted multiple times
+    mattr_accessor :route_namespace_id
+    self.route_namespace_id = "clavis"
+
+    # Minimum TLS version for secure requests
+    # At the application level, this is handled by Rails 7+ directly
+    # At the engine level, we need to set it manually for Net::HTTP
+    config.before_initialize do |_app|
+      require "net/http"
+      # Set minimum TLS version to 1.2 for security
+      # Can be upgraded to TLS 1.3 when supported by all platforms
+      begin
+        # Use min_version instead of ssl_version for better compatibility
+        if defined?(OpenSSL::SSL::TLS1_2_VERSION)
+          OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:min_version] = OpenSSL::SSL::TLS1_2_VERSION
+        end
+      rescue StandardError => e
+        # Log the error but don't crash
+        Clavis.logger.warn("Could not set minimum TLS version: #{e.message}")
+      end
+    end
+
+    # Expose Clavis view helpers to the host application
+    class << self
+      attr_accessor :include_view_helpers
+    end
+
+    # Default to true - can be changed in configuration
+    self.include_view_helpers = true
+
+    # Setup routes lambda - will be called if auto_install_routes is true
+    # Takes a single argument (app) which is the Rails application
+    # Define this before the initializer so it can be overridden if needed
+    mattr_accessor :setup_routes, default: lambda { |app|
+      # Mount the engine routes at /auth by default
+      app.routes.draw do
+        # Add mount point to the application routes
+        mount Clavis::Engine => "/auth"
+      end
+    }
+
+    # Whether to automatically install routes
+    mattr_accessor :auto_install_routes, default: true
+
+    # Setup Rack::Attack middleware for rate limiting
+    initializer "clavis.rack_attack", before: :load_config_initializers do |app|
+      # Install Rack::Attack if available
+      Clavis::Security::RateLimiter.install(app)
+    end
+
+    initializer "clavis.assets" do |app|
+      # Add Clavis assets to the asset pipeline
+      app.config.assets.paths << root.join("app", "assets", "stylesheets") if app.config.respond_to?(:assets)
+      app.config.assets.paths << root.join("app", "assets", "javascripts") if app.config.respond_to?(:assets)
+
+      # Explicitly precompile clavis assets if precompile array is available
+      if app.config.respond_to?(:assets) && app.config.assets.respond_to?(:precompile)
+        app.config.assets.precompile += %w[clavis.css clavis.js]
+      end
+
+      # For Rails 7+ with propshaft or jsbundling
+      if defined?(Propshaft) || defined?(Jsbundling)
+        app.config.assets.precompile << "clavis.css" if app.config.respond_to?(:assets)
+        app.config.importmap.pin "clavis", to: "clavis" if app.config.respond_to?(:importmap)
+      end
+    end
+
+    initializer "clavis.routes", after: :add_routing_paths do |app|
+      # Only install routes automatically if enabled
+      if auto_install_routes && setup_routes.respond_to?(:call)
+        # Call the setup_routes lambda to add routes to the parent application
+        setup_routes.call(app)
+      end
+    end
+
+    initializer "clavis.helpers" do
+      ActiveSupport.on_load(:action_controller) do
+        include Clavis::Controllers::Concerns::Authentication
+        include Clavis::Controllers::Concerns::SessionManagement
+      end
+
+      # Include view helpers based on configuration (default: true)
+      ActiveSupport.on_load(:action_view) do
+        include Clavis::ViewHelpers
+      end
+
+      # Make ViewHelpers available to ApplicationHelper
+      ActiveSupport.on_load(:after_initialize) do
+        if defined?(ApplicationHelper) && ApplicationHelper.included_modules.exclude?(Clavis::ViewHelpers)
+          ApplicationHelper.include(Clavis::ViewHelpers)
+        end
+      end
+    end
+
+    initializer "clavis.logger" do
+      config.after_initialize do
+        Clavis::Logging.logger = Rails.logger if defined?(Rails) && Rails.respond_to?(:logger)
+      end
+    end
+
+    initializer "clavis.security" do |_app|
+      # Install parameter filters
+      Clavis::Security::ParameterFilter.install_rails_filter
+
+      # Set default allowed redirect hosts from Rails application host
+      if Clavis.configuration.allowed_redirect_hosts.empty? && Rails.application.config.respond_to?(:hosts)
+        Clavis.configuration.allowed_redirect_hosts = Array(Rails.application.config.hosts)
+      end
+
+      # Only log critical security warnings
+      if Clavis.configuration.allowed_redirect_hosts.empty?
+        Clavis::Logging.security_warning("No allowed redirect hosts configured. All redirect URIs will be rejected.")
+      end
+
+      # Check for insecure redirect URIs in production
+      if Rails.env.production?
+        Clavis.configuration.providers.each do |provider_name, config|
+          next unless config[:redirect_uri] && !Clavis::Security::HttpsEnforcer.https?(config[:redirect_uri])
+
+          message = "Non-HTTPS redirect URI detected for #{provider_name}: "
+          message += config[:redirect_uri].to_s
+          Clavis::Logging.security_warning(message)
+        end
+      end
+    end
+
+    initializer "clavis.parameter_filter" do |app|
+      if Clavis.configuration.parameter_filter_enabled
+        # Add sensitive parameters to the filter parameters
+        app.config.filter_parameters += %i[
+          code token access_token refresh_token id_token
+          client_secret private_key encryption_key
+        ]
+      end
+    end
+
+    initializer "clavis.security_warnings" do
+      # Only log critical security warnings
+      if !Clavis.configuration.encrypt_tokens && Rails.env.production?
+        Clavis::Logging.security_warning("Token encryption disabled in production (not recommended)")
+      end
+
+      if Clavis.configuration.encrypt_tokens &&
+         !Clavis.configuration.use_rails_credentials &&
+         !Clavis.configuration.encryption_key.present?
+        Clavis::Logging.security_warning("Token encryption enabled but no encryption key provided")
+      end
+
+      if !Clavis.configuration.enforce_https && Rails.env.production?
+        Clavis::Logging.security_warning("HTTPS enforcement disabled in production (not recommended)")
+      end
+
+      if !Clavis.configuration.verify_ssl && Rails.env.production?
+        Clavis::Logging.security_warning("SSL certificate verification disabled in production (not recommended)")
+      end
+
+      if !Clavis.configuration.validate_inputs && Rails.env.production?
+        Clavis::Logging.security_warning("Input validation disabled in production (not recommended)")
+      end
+
+      if !Clavis.configuration.sanitize_inputs && Rails.env.production?
+        Clavis::Logging.security_warning("Input sanitization disabled in production (not recommended)")
+      end
+
+      if !Clavis.configuration.rotate_session_after_login && Rails.env.production?
+        Clavis::Logging.security_warning("Session rotation after login disabled in production (not recommended)")
+      end
+
+      if !Clavis.configuration.rate_limiting_enabled && Rails.env.production?
+        Clavis::Logging.security_warning("Rate limiting disabled in production (not recommended)")
+      end
+    end
+
+    config.to_prepare do
+      # Make the view helpers available to the application
+      ApplicationController.helper(Clavis::ViewHelpers) if defined?(ApplicationController)
+    end
+  end
+end