devise_g5_authenticatable 0.1.3 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 647e697e95fa5a4f468529c0c016c5e9a8f2a8bd
-  data.tar.gz: 5795af637ed1ba2bce1bc36eae8fc765ea9ce88b
+  metadata.gz: 7b68a3deae4616dbf188a936d77e442d39dd761d
+  data.tar.gz: d615bdc6cbce1fec5ba81cdcd2a3bf5454beda29
 SHA512:
-  metadata.gz: 6a17aa3b3d6cdb0a1e3b2c93aa973df48e6b6a13d6ed923cc2da1b1be813c14e110e7dcebc4ffbdc6449c7224b099bd305234a3f1024b16efb3fe79b5ed788a1
-  data.tar.gz: a59a344ee27a3927e89bae41de06c72a654b9a12acd62e36c7ddfc7e5a05743a07bbeb237e6cab70cf8637c6be1b6ea3bef4b2c95dcef241b72ff05bf6a140bf
+  metadata.gz: c3f7e0ca76d585d91942ea3f98b285e153ed6d49e2cb26369112507d28f7e7c562b742408f224c02525c44c519e6c07399bba6b51bbf251380da5831d1729c47
+  data.tar.gz: 43b89ca19bc3938df96be0861492767277cc1d96f2ecff341b9e2571e9a0277f8d129c1635fbbb9f0f3c116af1a436837c6a4c58aa2bac4378eb5561e51901ab

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## v0.2.0 (2015-01-08)
+
+* Add support for strict token validation, disabled by default
+  ([#17](https://github.com/G5/devise_g5_authenticatable/pull/17))
+
 ## v0.1.3 (2014-12-19)
 
 * Fix sign out when there isn't a locally authenticated user

data/README.md

@@ -10,7 +10,7 @@ G5 users.
 
 ## Current Version
 
-0.1.3
+0.2.0
 
 ## Requirements
 
@@ -66,7 +66,7 @@ environment variables for your client application:
 
 ### Configuration
 
-In `config/initializers/devise.rb`, add the following:
+In `config/initializers/devise.rb`, add the following to enable authentication:
 
 ```ruby
 Devise.setup do |config|
@@ -182,6 +182,29 @@ will need to insert the following in your `config/initializers/devise.rb`:
 require 'devise_g5_authenticatable/models/protected_attributes'
 ```
 
+### Token validation
+
+After a user authenticates, their access token will be stored on the G5
+Authenticatable model. By default, this token will not be validated against
+the auth server again until the local session is destroyed, either because
+it times out, or because the user explicitly logs out of the local application.
+
+In order to implement single sign-out, you can enable strict token validation.
+This will validate the token against the auth server on every request, and
+automatically destroy the local session if the token is no longer valid.
+
+In your `config/initializers/devise.rb':
+
+```ruby
+Devise.setup do |config|
+  # ...
+  config.g5_strict_token_validation = true
+end
+```
+
+Note that strict token validation incurs a non-trivial amount of performance
+overhead, which is why it is disabled by default.
+
 ## Examples
 
 Currently, the best source of example code is in the [test Rails

data/lib/devise_g5_authenticatable.rb

@@ -9,6 +9,14 @@ require 'devise_g5_authenticatable/controllers/url_helpers'
 
 require 'devise_g5_authenticatable/engine'
 
+module Devise
+  # Should devise_g5_authenticatable validate the user's access token
+  # against the auth server for every request? Default is false
+  @@g5_strict_token_validation = false
+
+  mattr_accessor :g5_strict_token_validation
+end
+
 Devise.add_module(:g5_authenticatable,
                   strategy: false,
                   route: {session: [nil, :new, :destroy]},

data/lib/devise_g5_authenticatable/hooks/g5_authenticatable.rb

@@ -0,0 +1,16 @@
+Warden::Manager.after_set_user only: :fetch do |record, warden, options|
+  if Devise.g5_strict_token_validation
+    scope = options[:scope]
+
+    auth_client = G5AuthenticationClient::Client.new(allow_password_credentials: 'false',
+                                                     access_token: record.g5_access_token)
+    begin
+      auth_client.token_info
+    rescue StandardError => error
+      proxy = Devise::Hooks::Proxy.new(warden)
+      proxy.sign_out(record)
+      record.revoke_g5_credentials!
+      throw :warden, scope: scope
+    end
+  end
+end

data/lib/devise_g5_authenticatable/models/g5_authenticatable.rb

@@ -1,4 +1,5 @@
 require 'devise_g5_authenticatable/g5'
+require 'devise_g5_authenticatable/hooks/g5_authenticatable'
 
 module Devise
   module Models

data/lib/devise_g5_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module DeviseG5Authenticatable
-  VERSION = '0.1.3'
+  VERSION = '0.2.0'
 end

data/spec/features/token_validation_spec.rb

@@ -0,0 +1,82 @@
+require 'spec_helper'
+
+describe 'Token validation per request' do
+  let(:user) { create(:user) }
+  let(:protected_path) { edit_user_registration_path }
+  let(:token_info_url) { 'http://auth.g5search.com/oauth/token/info' }
+
+  before do
+    stub_request(:get, token_info_url).
+      with(headers: {'Authorization'=>"Bearer #{user.g5_access_token}"}).
+      to_return(status: 200, body: '', headers: {})
+  end
+
+  before do
+    visit_path_and_login_with(protected_path, user)
+
+    # Now that we're logged in, any subsequent attempts to
+    # authenticate with the auth server will trigger an omniauth
+    # failure, which is a condition we can test for
+    stub_g5_invalid_credentials
+  end
+
+  context 'when token validation is disabled' do
+    before do
+      Devise.g5_strict_token_validation = false
+      visit protected_path
+    end
+
+    it 'should not valid the token against the auth server' do
+      expect(a_request(:get, token_info_url)).to_not have_been_made
+    end
+
+    it 'should allow the user to access the protected page' do
+      expect(current_path).to eq(protected_path)
+    end
+  end
+
+  context 'when token validation is enabled' do
+    before { Devise.g5_strict_token_validation = true }
+
+    context 'when the access_token is valid' do
+      before { visit protected_path }
+
+      it 'should validate the token against the auth server' do
+        expect(a_request(:get, token_info_url).
+               with(headers: {'Authorization' => "Bearer #{user.g5_access_token}"})).to have_been_made
+      end
+
+      it 'should allow the user to access the protected page' do
+        expect(current_path).to eq(protected_path)
+      end
+    end
+
+    context 'when the access_token has been invalidated' do
+      before do
+        stub_request(:get, token_info_url).
+          with(headers: {'Authorization'=>"Bearer #{user.g5_access_token}"}).
+          to_return(status: 401,
+                    headers: {'Content-Type' => 'application/json; charset=utf-8',
+                              'Cache-Control' => 'no-cache'},
+                    body: {'error' => 'invalid_token',
+                           'error_description' => 'The access token expired'}.to_json)
+        visit protected_path
+      end
+
+      it 'should force the user to re-authenticate' do
+        expect(page).to have_content('Invalid credentials')
+      end
+    end
+
+    context 'when there is some other error from the auth server' do
+      before do
+        stub_request(:get, token_info_url).to_raise(StandardError)
+        visit protected_path
+      end
+
+      it 'should force the user to re-authenticate' do
+        expect(page).to have_content('Invalid credentials')
+      end
+    end
+  end
+end

data/spec/support/devise.rb

@@ -1,3 +1,4 @@
 RSpec.configure do |config|
+  config.before(:each) { Devise.g5_strict_token_validation = false }
   config.include Devise::TestHelpers, type: :controller
 end

data/spec/support/user_feature_methods.rb

@@ -19,7 +19,10 @@ module UserFeatureMethods
 end
 
 RSpec.configure do |config|
-  config.before(:each) { OmniAuth.config.test_mode = true }
+  config.before(:each) do
+    OmniAuth.config.test_mode = true
+    OmniAuth.config.mock_auth[:g5] = nil
+  end
   config.after(:each) { OmniAuth.config.test_mode = false }
 
   config.include UserFeatureMethods, type: :feature

data/spec/tasks/export_users_spec.rb

@@ -6,20 +6,30 @@ describe 'g5:export_users' do
   let(:user_exporter) { double(:user_exporter, export: nil) }
   before { allow(G5::UserExporter).to receive(:new).and_return(user_exporter) }
 
-  before { ENV['G5_AUTH_CLIENT_ID'] = default_client_id }
+  let!(:old_client_id) { ENV['G5_AUTH_CLIENT_ID'] }
   let(:default_client_id) { 'default_client_id' }
+  before { ENV['G5_AUTH_CLIENT_ID'] = default_client_id }
+  after { ENV['G5_AUTH_CLIENT_ID'] = old_client_id }
 
-  before { ENV['G5_AUTH_CLIENT_SECRET'] = default_client_secret }
+  let!(:old_client_secret) { ENV['G5_AUTH_CLIENT_SECRET'] }
   let(:default_client_secret) { 'default_client_secret' }
+  before { ENV['G5_AUTH_CLIENT_SECRET'] = default_client_secret }
+  after { ENV['G5_AUTH_CLIENT_SECRET'] = old_client_secret }
 
-  before { ENV['G5_AUTH_REDIRECT_URI'] = default_redirect_uri }
+  let!(:old_redirect_uri) { ENV['G5_AUTH_REDIRECT_URI'] }
   let(:default_redirect_uri) { 'http://test.host/default' }
+  before { ENV['G5_AUTH_REDIRECT_URI'] = default_redirect_uri }
+  after { ENV['G5_AUTH_REDIRECT_URI'] = old_redirect_uri }
 
-  before { ENV['G5_AUTH_ENDPOINT'] = default_endpoint }
+  let!(:old_endpoint) { ENV['G5_AUTH_ENDPOINT'] }
   let(:default_endpoint) { 'https://my.g5auth.host' }
+  before { ENV['G5_AUTH_ENDPOINT'] = default_endpoint }
+  after { ENV['G5_AUTH_ENDPOINT'] = old_endpoint }
 
-  before { ENV['G5_AUTH_AUTHORIZATION_CODE'] = default_auth_code }
+  let!(:old_auth_code) { ENV['G5_AUTH_AUTHORIZATION_CODE'] }
   let(:default_auth_code) { 'default_auth_code' }
+  before { ENV['G5_AUTH_AUTHORIZATION_CODE'] = default_auth_code }
+  after { ENV['G5_AUTH_AUTHORIZATION_CODE'] = old_auth_code }
 
   def expect_init_user_exporter_with(option_name, expected_value)
     expect(G5::UserExporter).to receive(:new) do |args|

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise_g5_authenticatable
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.2.0
 platform: ruby
 authors:
 - Maeve Revels
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-12-19 00:00:00.000000000 Z
+date: 2015-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -82,6 +82,7 @@ files:
 - lib/devise_g5_authenticatable/g5/auth_user_creator.rb
 - lib/devise_g5_authenticatable/g5/auth_user_updater.rb
 - lib/devise_g5_authenticatable/g5/user_exporter.rb
+- lib/devise_g5_authenticatable/hooks/g5_authenticatable.rb
 - lib/devise_g5_authenticatable/models/g5_authenticatable.rb
 - lib/devise_g5_authenticatable/models/protected_attributes.rb
 - lib/devise_g5_authenticatable/omniauth.rb
@@ -160,6 +161,7 @@ files:
 - spec/features/registration_spec.rb
 - spec/features/sign_in_spec.rb
 - spec/features/sign_out_spec.rb
+- spec/features/token_validation_spec.rb
 - spec/g5/auth_password_validator_spec.rb
 - spec/g5/auth_user_creator_spec.rb
 - spec/g5/auth_user_updater_spec.rb
@@ -273,6 +275,7 @@ test_files:
 - spec/features/registration_spec.rb
 - spec/features/sign_in_spec.rb
 - spec/features/sign_out_spec.rb
+- spec/features/token_validation_spec.rb
 - spec/g5/auth_password_validator_spec.rb
 - spec/g5/auth_user_creator_spec.rb
 - spec/g5/auth_user_updater_spec.rb