devise-rownd 1.0.3 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d54df50c4a7815d8fe0ee291891134f7e1fbb9f9afebb935b48e6f34ec649467
-  data.tar.gz: 24410b4335a8e44ed8d1bb62215ce43ec8215e5d3ef949565c022ce533188f6b
+  metadata.gz: 965501f9c7bd20e9f907772de92d1718011e48c035e10fc2d936b797a201e434
+  data.tar.gz: 9365b48fe108cde601e190bbbdd182ed8b65928f0b904c9429af78aceb4a3980
 SHA512:
-  metadata.gz: 4323c21cdf8ba62dc8d11c4c95016064987ca2d256cef7e525cc635286ad57d2fd40fc2d52708677d5d6a970ad335800cd728326befdfbc34dc9e9d8dbd535d9
-  data.tar.gz: c835bc2862a1338fb379c0578a4dc9493a372ff0aadf1ec4f1aebb011a383a595b401b5e1868ea53a0584cf8118c5ff3d543525216ff9d20f1148d958205780a
+  metadata.gz: c33282e8619f37a4e2c28e6c2b4967e0c88a6f9c204eeeecd19a407e8e9f97f9c343c4581ca995256113443a78f8f946b7ad58d12d1c9a6c78fa34e2639d92dd
+  data.tar.gz: b4a53ed34ccdc5769837fc8d4dfcdd6edf67c9f73acdf5bc48b4b7a90141aa633019e5ed01d638f07846dba16ed8580a20d570c80ffaedf2154ae183cdb2f022

data/README.md

@@ -2,13 +2,13 @@
 
 [![Gem Version](https://badge.fury.io/rb/devise-rownd.svg)](https://badge.fury.io/rb/devise-jwt)
 
-`devise-rownd` is a [devise](https://github.com/heartcombo/devise) extension that auuthenticates users with Rownd's passwordless authentication strategies. It works in-tandem with the Rownd Hub, a javascript snippet embedded in your website. With this Gem installed, Rownd handles all aspects of user authentication and gives you the tools to customize the user experience on your site.
+`devise-rownd` is a [devise](https://github.com/heartcombo/devise) extension that authenticates users with Rownd's passwordless authentication strategies. It works in-tandem with the Rownd Hub, a javascript snippet embedded in your website. With this Gem installed, Rownd handles all aspects of user authentication and gives you the tools to customize the user experience on your site.
 
 ## Installation
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'devise-rownd'
+gem 'devise-rownd', '~> 2.0.0'
 ```
 
 And then execute:
@@ -32,7 +32,7 @@ mount Devise::Rownd::Engine, at: '/api/auth/rownd'
 ### Rownd Hub
 Follow [these instructions](https://docs.rownd.io/rownd/sdk-reference/web/javascript-browser) to install the Rownd Hub. You'll want to ensure it runs on every page of your application, so be sure to add it as a common in your Rails JS packs. Here's the easiest way to do that:
 
-1. Create a new file in your JS packs director called `rph.js` and paste the JS snippet that you obtained from the instructions listed above.
+1. Create a new file in your JS packs directory called `rph.js` and paste the JS snippet that you obtained from the instructions listed above.
 
 3. Add the following API callbacks to your Javascript:
 ```javascript
@@ -62,7 +62,7 @@ _rphConfig.push(['setPostUserDataUpdateApi', {
   <%= javascript_pack_tag 'rph', 'data-turbolinks-track': 'reload' %>
 </body>
 ```
-There are two key pieces that you musut include in the layout:
+There are two key pieces that you must include in the layout:
 
 `<%= show_rownd_signin_if_required %>`
 This renders the Rownd sign in modal to prompt the user for authentication when your app explicitly requires it in a controller
@@ -74,7 +74,6 @@ Tells Rails to include the rph Javascript pack. We also tell Turbolinks to inclu
 
 For this to work, you need to define these key environment variables:
 
-* `ROWND_APP_ID` - This is the ID of your Rownd application
 * `ROWND_APP_KEY` - Your Rownd application key
 * `ROWND_APP_SECRET` - Your Rownd application secret
 
@@ -130,9 +129,9 @@ The `current_user` object has all of the fields specified in your Rownd applicat
 
 ### Extending the `current_user` model
 
-You can extend the `current_user` object by modifying the `Devise::Rownd::User` class. This can be very helpful if you want to have additionanl functions that aggregate data accross multiple fields, or perform some logic and return the result.
+You can extend the `current_user` object by modifying the `Devise::Rownd::User` class. This can be very helpful if you want to have additional functions that aggregate data accross multiple fields, or perform some logic and return the result.
 
-For instance, you might want a function called `admin?` that will return if the current user is has an `admin` role. To extend the `current_user` object, add a new initializer in `config/initializers` called `devise_rownd.rb`. In there you can modify the `Devise::Rownd::User` like this:
+For instance, you might want a function called `admin?` that will return if the current user has an `'admin'` role. To extend the `current_user` object, add a new initializer in `config/initializers` called `devise_rownd.rb`. In there you can modify the `Devise::Rownd::User` like this:
 
 ```ruby
 Devise::Rownd::User.class_eval do

data/app/controllers/devise/rownd/auth_controller.rb

@@ -3,34 +3,42 @@
 # # ONLY NEEDED IN `classic` MODE.
 # require_dependency 'devise/rownd/application_controller'
 
+require 'devise/rownd/log'
+
 module Devise::Rownd
   class AuthController < ApplicationController
     # Skip authenticity token verification
-    skip_before_action :verify_authenticity_token
+    skip_before_action :verify_authenticity_token, raise: false
 
     def authenticate
-      @access_token = params[:access_token]
-
-      new_access_token = session[:rownd_user_access_token] != @access_token
+      Devise::Rownd::Log.debug('handle /authenticate')
+      access_token = params[:access_token]
+      session_token = session['warden.user.user.key']
+      new_access_token = session_token != access_token
 
-      session[:rownd_user_access_token] = @access_token if new_access_token
+      Devise::Rownd::Log.debug("/authenticate: new_access_token = #{new_access_token}")
 
-      if new_access_token || session[:rownd_stale_data] == true
+      if !session_token.nil? && new_access_token
+        # We have to log the user out otherwise warden will just serialize the user from session,
+        # which currently holds the old access token
         warden.logout(:user)
-        warden.authenticate!(scope: :user)
       end
 
       warden.authenticate!(scope: :user)
 
+      should_refresh_page = new_access_token
+      Devise::Rownd::Log.debug("/authenticate: success, refresh = #{should_refresh_page}")
+
       render json: {
         message: 'Successfully authenticated user',
-        should_refresh_page: new_access_token || session[:rownd_stale_data] == true
+        should_refresh_page:
       }, status: :ok
     end
 
     def sign_out
-      session.delete(:rownd_user_access_token)
+      Devise::Rownd::Log.debug('handling /sign_out')
       warden.logout(:user)
+      Devise::Rownd::Log.debug('/sign_out: success')
       render json: {
         message: 'Successfully signed out user',
         return_to: return_to_after_sign_out
@@ -38,10 +46,26 @@ module Devise::Rownd
     end
 
     def update_data
-      session[:rownd_stale_data] = true
-      warden.logout(:user)
-      warden.authenticate!(scope: :user)
-      session[:rownd_stale_data] = false
+      Devise::Rownd::Log.debug('handling /update_data')
+
+      request_body = JSON.parse request.body.read
+      profile = {
+        'data' => request_body['user_data']
+      }
+      new_user = Devise::Rownd::User.new(profile, session['warden.user.user.key'])
+
+      Devise::Rownd::Log.debug("/update_data: instantiated user: #{new_user}")
+
+      warden.set_user(new_user)
+
+      Devise::Rownd::Log.debug('/update_data: set user in warden')
+
+      # Remove the cached user profile data so that the next next time its accessed, it will be
+      # fetched from the API Server
+      cache_key = "rownd_user_#{new_user.data['user_id']}"
+      Rails.cache.delete(cache_key)
+      Devise::Rownd::Log.debug("/update_data: removed cache key: #{cache_key}")
+
       render json: {
         # should_refresh_page: true
       }, status: :ok

data/config/initializers/app_config.rb

@@ -1,5 +1,6 @@
 require 'devise/rownd/api'
 require 'devise/rownd/caching'
+require 'devise/rownd/log'
 
 module Devise
   module Rownd
@@ -18,7 +19,7 @@ module Devise
                                                         headers: { 'x-rownd-app-key' => app_key } })
       return response.body['app'] if response.success?
 
-      Rails.logger.error("Failed to fetch app config from Rownd: #{response.body['message']}")
+      Devise::Rownd::Log.error("Failed to fetch app config from Rownd: #{response.body['message']}")
       nil
     end
 

data/lib/devise/rownd/caching.rb

@@ -1,4 +1,5 @@
 require 'async'
+require 'devise/rownd/log'
 
 module Devise::Rownd
   module Caching
@@ -7,17 +8,27 @@ module Devise::Rownd
 
       # If there's nothing in the cache, yield the value and write it to cache
       if cache_val.nil?
+        Devise::Rownd::Log.debug("cache: key not found '#{cache_key}'")
         return_value = yield
-        Rails.cache.write(cache_key, [return_value, Time.now]) if return_value
+        if return_value
+          Devise::Rownd::Log.debug("cache: updating cache. '#{cache_key}' value: #{return_value}")
+          Rails.cache.write(cache_key, [return_value, Time.now]) if return_value
+        end
       else
+        Devise::Rownd::Log.debug("cache: key found: '#{cache_key}'")
         return_value = cache_val[0]
         last_fetch_time = cache_val[1]
 
         # Start a new thread to update the cached value if the TTL is exceeded
         Async do
-          if Time.now - last_fetch_time > ttl
-            new_value = yield
-            Rails.cache.write(cache_key, [new_value, Time.now]) if new_value
+          begin
+            if Time.now - last_fetch_time > ttl
+              new_value = yield
+              Devise::Rownd::Log.debug("cache: updating cache. '#{cache_key}' value: #{new_value}")
+              Rails.cache.write(cache_key, [new_value, Time.now]) if new_value
+            end
+          rescue StandardError => e
+            Devise::Rownd::Log.error("cache: failed updating cache: #{e.message}")
           end
         end
       end

data/lib/devise/rownd/log.rb

@@ -0,0 +1,17 @@
+module Devise::Rownd
+  module Log
+    @logger ||= ActiveSupport::TaggedLogging.new(Logger.new(($stdout))) if (ENV['rownd_debug'] || ENV['ROWND_DEBUG']) == 'true'
+
+    def self.debug(message)
+      return unless @logger
+
+      @logger.tagged('Rownd') { @logger.debug(message) }
+    end
+
+    def self.error(message)
+      return unless @logger
+
+      @logger.tagged('Rownd') { @logger.error(message) }
+    end
+  end
+end

data/lib/devise/rownd/models/rownd_authenticatable.rb

@@ -1,4 +1,5 @@
 require 'active_support/concern'
+require 'devise/rownd/log'
 
 module Devise
   module Models
@@ -8,21 +9,35 @@ module Devise
       # TODO: What if we don't interact with the database at all?
       class_methods do
         def find_or_create_with_authentication_profile(profile)
-          result = where(user_id: profile['user_id']).first_or_create({ email: profile['email'] })
-          result
+          where(user_id: profile['user_id']).first_or_create({ email: profile['email'] })
         end
 
-        def serialize_from_session(data)
-          result = Devise::Rownd::User.new(data)
-          # result = find_by_user_id_or_email(user_id, email)
-          result
+        def serialize_from_session(access_token)
+          Devise::Rownd::Log.debug("serialize_from_session: #{access_token}")
+          return nil if access_token.nil?
+
+          begin
+            profile = Devise::Rownd::User.fetch_user(access_token)
+          rescue StandardError => e
+            Devise::Rownd::Log.debug("serialize_from_session: session has invalid access token #{e.message}")
+            return nil
+          end
+
+          if profile.nil?
+            Devise::Rownd::Log.debug('serialize_from_session: could not fetch user profile')
+            return nil
+          end
+
+          # initialize user with fetched data
+          user = Devise::Rownd::User.new(profile, access_token)
+          Devise::Rownd::Log.debug("serialize_from_session result: #{user}")
+          user
         end
 
-        def serialize_into_session(resource)
-          # result = [resource.data]
-          result = [resource]
-          # result = [resource['user_id'], resource['email']]
-          result
+        def serialize_into_session(user)
+          Devise::Rownd::Log.debug("serialize_into_session: #{user}")
+
+          user.access_token
         end
 
         # def find_by_user_id_or_email(user_id, email)

data/lib/devise/rownd/strategies/rownd_authenticatable.rb

@@ -1,44 +1,63 @@
 require 'devise'
 require 'devise/strategies/authenticatable'
 require 'devise/rownd/user'
-require 'devise/rownd/api'
-require 'devise/rownd/caching'
-require 'jose'
+require 'devise/rownd/token'
+require 'devise/rownd/log'
 
 require_relative '../../../../config/initializers/app_creds'
 
+
+# jose prefers to use libsodium for EdDSA to work. This next line tells jose to fallback to the ruby
+# crypto library in the event that libsodium is not installed
+JOSE.crypto_fallback = '1'
+
 module Devise
   module Strategies
-    include ::Devise::Rownd::API
+    include Devise::Rownd::Token
 
     class RowndAuthenticatable < Authenticatable
       def valid?
-        session[:rownd_user_access_token].present?
+        valid_for_auth = params[:access_token].present?
+        Devise::Rownd::Log.debug("valid for authentication?: #{valid_for_auth}")
+        valid_for_auth
       end
 
       # All Strategies must define this method.
       def authenticate!
-        @access_token = session[:rownd_user_access_token]
-        return fail!('No Access Token') unless @access_token
+        Devise::Rownd::Log.debug('authenticate!')
+        access_token = params[:access_token]
+
+        Devise::Rownd::Log.error('authenticate! could not proceed. no access token') unless access_token
+        return fail!('No Access Token') unless access_token
 
         begin
-          @decoded_jwt = verify_token(@access_token)
+          decoded_jwt = ::Devise::Rownd::Token.verify_token(access_token)
 
-          @app_id = @decoded_jwt['aud'].find(/^app:.+/).first.split(':').last
+          @app_id = decoded_jwt['aud'].find(/^app:.+/).first.split(':').last
 
           configured_app_id = Devise::Rownd.app_id
           ok = @app_id == configured_app_id
-          return fail!('JWT not authorized for app') unless ok
+          unless ok
+            Devise::Rownd::Log.error('authenticate! failed: JWT not authorized for app')
+            return fail!('JWT not authorized for app')
+          end
 
-          user_data = fetch_user
-          return fail!('Failed to fetch user') unless user_data
+          profile = Devise::Rownd::User.fetch_user(access_token)
+          unless profile
+            Devise::Rownd::Log.error('authenticate! failed: Failed to fetch user')
+            fail!('Failed to fetch user')
+          end
 
-          rownd_user = Devise::Rownd::User.new(user_data)
+          rownd_user = Devise::Rownd::User.new(profile, access_token)
 
-          return fail!('Failed to initialize user') unless rownd_user
+          unless rownd_user
+            Devise::Rownd::Log.error('authenticate! failed: failed to initialize user')
+            return fail!('Failed to initialize user')
+          end
 
           success!(rownd_user)
         rescue StandardError => e
+          Devise::Rownd::Log.error("authenticate! failed #{e.message}")
           fail!("Unable to authenticate: #{e.message}")
         end
       end
@@ -46,58 +65,6 @@ module Devise
       def return_to_after_sign_out
         '/'
       end
-
-      def fetch_user
-        cache_key = "rownd_user_#{@decoded_jwt['jti']}"
-        if session[:rownd_stale_data] == true
-          data = fetch_user_from_api
-          return nil unless data
-
-          Rails.cache.write(cache_key, data, expires_in: 1.minute)
-          session.delete(:rownd_stale_data) if session[:rownd_stale_data]
-          return data
-        end
-
-        Devise::Rownd::Caching.fetch(cache_key, 1.minute) { fetch_user_from_api }
-      end
-
-      def fetch_user_from_api
-        response = ::Devise::Rownd::API.make_api_call(
-          "/me/applications/#{@app_id}/data",
-          {
-            method: 'GET',
-            headers: { 'Authorization' => "Bearer #{@access_token}" }
-          }
-        )
-        return response.body['data'] if response.success?
-
-        Rails.logger.error("Failed to fetch user: #{response.body['message']}")
-        nil
-      end
-
-      def verify_token(access_token)
-        raise StandardError, 'No JWKs' unless jwks
-
-        jwks.each do |jwk|
-          response = JOSE::JWT.verify_strict(jwk, ['EdDSA'], access_token)
-          return response[1].fields if response[0]
-        rescue StandardError
-          next
-        end
-        raise StandardError, 'Failed to verify JWT. No matching JWKs'
-      end
-
-      def jwks
-        Devise::Rownd::Caching.fetch('rownd_jwks', 15.minutes) { fetch_jwks_from_api }
-      end
-
-      def fetch_jwks_from_api
-        response = ::Devise::Rownd::API.make_api_call('/hub/auth/keys')
-        return response.body['keys'] if response.success?
-
-        Rails.logger.error("Failed to fetch JWKs: #{response.body['message']}")
-        nil
-      end
     end
   end
 end

data/lib/devise/rownd/token.rb

@@ -0,0 +1,39 @@
+require 'devise/rownd/api'
+require 'devise/rownd/caching'
+require 'devise/rownd/log'
+require 'jose'
+
+# jose prefers to use libsodium for EdDSA to work. This next line tells jose to fallback to the ruby
+# crypto library in the event that libsodium is not installed
+JOSE.crypto_fallback = '1'
+
+module Devise::Rownd
+  module Token
+    def verify_token(access_token)
+      raise StandardError, 'No JWKs' unless jwks
+
+      jwks.each do |jwk|
+        response = JOSE::JWT.verify_strict(jwk, ['EdDSA'], access_token)
+        return response[1].fields if response[0]
+      rescue StandardError => e
+        Devise::Rownd::Log.debug("jwt not validated: #{e.message}")
+        next
+      end
+      raise StandardError, 'Failed to verify JWT. No matching JWKs'
+    end
+
+    def jwks
+      Devise::Rownd::Caching.fetch('rownd_jwks', 15.minutes) { fetch_jwks_from_api }
+    end
+
+    def fetch_jwks_from_api
+      response = ::Devise::Rownd::API.make_api_call('/hub/auth/keys')
+      return response.body['keys'] if response.success?
+
+      Devise::Rownd::Log.error("Failed to fetch JWKs: #{response.body['message']}")
+      nil
+    end
+
+    module_function :jwks, :fetch_jwks_from_api, :verify_token
+  end
+end

data/lib/devise/rownd/user.rb

@@ -1,15 +1,72 @@
+require 'devise/rownd/api'
+require 'devise/rownd/caching'
+require 'devise/rownd/token'
+require 'devise/rownd/log'
+
 module Devise
   module Rownd
+    extend ActiveSupport::Concern
+
     class User
-      attr_reader :data
+      attr_reader :user_id, :auth_level, :data, :is_verified_user, :access_token
 
-      def initialize(data)
-        @data = data
+      def initialize(profile, access_token)
+        Devise::Rownd::Log.debug("initialize user: #{profile} - #{access_token}")
+        @user_id = profile['data']['user_id']
+        @data = profile
         Devise::Rownd.app_schema.each do |key, _value|
           self.class.send :attr_accessor, key
-          instance_variable_value = data.is_a?(Hash) && data.key?(key) ? data[key] : nil
+          instance_variable_value = profile['data'].is_a?(Hash) && profile['data'].key?(key) ? profile['data'][key] : nil
           instance_variable_set("@#{key}", instance_variable_value)
         end
+
+        @access_token = access_token
+        @auth_level = profile['auth_level']
+        @is_verified_user = profile['auth_level'] == 'verified'
+
+        Devise::Rownd::Log.debug('successfully initialized user')
+      end
+
+      def verified?
+        @is_verified_user
+      end
+
+      def self.fetch_user(access_token, bypass_cache = false)
+        Devise::Rownd::Log.debug("fetch_user: #{self}")
+        begin
+          decoded_jwt = ::Devise::Rownd::Token.verify_token(access_token)
+          app_id = decoded_jwt['aud'].find(/^app:.+/).first.split(':').last
+
+          cache_key = "rownd_user_#{decoded_jwt['https://auth.rownd.io/app_user_id']}"
+          if bypass_cache == true
+            Devise::Rownd::Log.debug('fetch_user bypassing cache')
+            profile = fetch_user_from_api(access_token, app_id)
+            return nil unless profile
+
+            Rails.cache.write(cache_key, profile, expires_in: 1.minute)
+            return profile
+          end
+
+          Devise::Rownd::Log.debug('fetch_user from cache if possible')
+          Devise::Rownd::Caching.fetch(cache_key, 1.minute) { fetch_user_from_api(access_token, app_id) }
+        rescue StandardError => e
+          Devise::Rownd::Log.error("fetch_user failed: #{e.message}")
+          nil
+        end
+      end
+
+      def self.fetch_user_from_api(access_token, app_id)
+        response = ::Devise::Rownd::API.make_api_call(
+          "/me/applications/#{app_id}/data",
+          {
+            method: 'GET',
+            headers: { 'Authorization' => "Bearer #{access_token}" }
+          }
+        )
+        return response.body if response.success?
+
+        Devise::Rownd::Log.error("Failed to fetch user: #{response.body}")
+        nil
       end
     end
   end

data/lib/devise/rownd/version.rb

@@ -1,5 +1,5 @@
 module Devise
   module Rownd
-    VERSION = '1.0.3'
+    VERSION = '2.0.0'
   end
 end

data/lib/devise/rownd.rb

@@ -6,12 +6,12 @@ require 'devise/rownd/api'
 require 'devise/rownd/user'
 require 'devise/rownd/caching'
 
-module Devise
-  module Rownd
-  end
-end
-
 require_relative '../../config/config'
 require_relative '../../config/initializers/app_creds'
 require_relative '../../config/initializers/app_config'
 # require_relative '../../config/initializers/devise'
+
+module Devise
+  module Rownd
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-rownd
 version: !ruby/object:Gem::Version
-  version: 1.0.3
+  version: 2.0.0
 platform: ruby
 authors:
 - Bobby Radford
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-05-19 00:00:00.000000000 Z
+date: 2024-06-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: async
@@ -208,10 +208,12 @@ files:
 - lib/devise/rownd/caching.rb
 - lib/devise/rownd/custom_failure.rb
 - lib/devise/rownd/engine.rb
+- lib/devise/rownd/log.rb
 - lib/devise/rownd/models.rb
 - lib/devise/rownd/models/rownd_authenticatable.rb
 - lib/devise/rownd/strategies.rb
 - lib/devise/rownd/strategies/rownd_authenticatable.rb
+- lib/devise/rownd/token.rb
 - lib/devise/rownd/user.rb
 - lib/devise/rownd/version.rb
 - lib/tasks/devise/rownd_tasks.rake