faye-authentication 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: cfd708e9dbb1900470d238f7d427ba3a6bd4322c
+  data.tar.gz: 5d087943cf31d1ffe01f645039d8c9c034fdeacd
+SHA512:
+  metadata.gz: 7fa639d27c2ce7ecd9876355b241cb3db5c490f8082db95c156410f16bc3ee5790bc88020a2d4055c2a4f341569e3696299794bb52e672514d16390c2f0a5e93
+  data.tar.gz: 4f2d0c80f71e1defc714a0a76da7472390dfb19b300b469c3d71d1f38189b418364912fa3988da35048598db584f55ea0bc6bc6891e464a9f632567e4229e85b

data/.gitignore

@@ -0,0 +1,23 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+.DS_Store

data/.rspec

@@ -0,0 +1,3 @@
+--color
+--warnings
+--require spec_helper

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.1.2
+  - 1.9.3

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in faye-authentication.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Adrien Siami
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,106 @@
+# Faye::Authentication [![Build Status](https://travis-ci.org/josevalim/rails-footnotes.svg?branch=master)](https://travis-ci.org/josevalim/rails-footnotes) [![Code Climate](https://codeclimate.com/github/dimelo/faye-authentication.png)](https://codeclimate.com/github/dimelo/faye-authentication)
+
+Authentification implementation for faye
+
+Currently Implemented :
+  - Javascript Client Extention
+  - Ruby Server Extension
+  - Ruby utils for signing messages
+  - **Want another one ? Pull requests are welcome.**
+
+The authentication is performed through an Ajax Call to the webserver (JQuery needed).
+
+For each channel and client id pair, a signature is added to the message.
+
+Thanks to a shared key, the Faye Server will check the signature and reject the
+message if the signature is incorrect or not present.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'faye-authentication'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install faye-authentication
+
+## Usage
+
+### Javascript client extension
+
+Add the extension to your faye client :
+
+````javascript
+var client = new Faye.Client('http://my.server/faye');
+client.add_extension(new FayeAuthentication());
+````
+
+By default, when sending a subscribe request or publishing a message, the extension
+will issue an AJAX request to ``/faye/auth``
+
+If you wish to change the endpoint, you can supply it as the first argument of the extension constructor :
+
+    client.add_extension(new FayeAuthentication('/my_custom_auth_endpoint'));
+
+
+### Ruby utils
+
+The endpoint will a POST request, and shall return a JSON hash with a ``signature`` key.
+
+The parameters sent to the endpoint are the following :
+
+````
+{
+  'message' =>
+    {
+      'channel'   => '/foo/bar',
+      'clientId'  => '123abc'
+    }
+}
+````
+
+If the endpoint returns an error, the message won't be signed and the server will reject it.
+
+You can use ``Faye::Authentication.sign`` to generate the signature from the message and a private key.
+
+Example (For a Rails application)
+
+````ruby
+def auth
+  if current_user.can?(:read, params[:message][:channel])
+    render json: {signature: Faye::Authentication.sign(params[:message], 'your private key')}
+  else
+    render json: {error: 'Not authorized'}, status: 403
+  end
+end
+
+````
+
+A Ruby HTTP Client is also available for publishing messages to your faye server
+without the hassle of using EventMachine :
+
+````ruby
+Faye::Authentication::HTTPClient.publish('/channel', 'data', 'your private key')
+````
+
+### Faye server extension
+
+Instanciate the extension with your secret key and add it to the server :
+
+````ruby
+server = Faye::RackAdapter.new(:mount => '/faye', :timeout => 15)
+server.add_extension Faye::Authentication::Extension.new('your private key')
+````
+
+## Contributing
+
+1. Fork it ( https://github.com/dimelo/faye-authentication/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,9 @@
+require "bundler/gem_tasks"
+
+require 'jasmine'
+require 'rspec/core/rake_task'
+load 'jasmine/tasks/jasmine.rake'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => [:spec, 'jasmine:ci']

data/app/assets/javascripts/faye-authentication.js

@@ -0,0 +1,52 @@
+function FayeAuthentication(endpoint) {
+  this._endpoint = endpoint || '/faye/auth';
+  this._signatures = {};
+}
+
+FayeAuthentication.prototype.endpoint = function() {
+  return (this._endpoint);
+};
+
+FayeAuthentication.prototype.signMessage = function(message, callback) {
+  var channel = message.subscription || message.channel;
+  var clientId = message.clientId;
+
+  if (!this._signatures[clientId])
+    this._signatures[clientId] = {};
+  if (this._signatures[clientId][channel]) {
+    this._signatures[clientId][channel].then(function(signature) {
+      message.signature = signature;
+      callback(message);
+    });
+  } else {
+    var self = this;
+    self._signatures[clientId][channel] = new Faye.Promise(function(success, failure) {
+      $.post(self.endpoint(), {message: {channel: channel, clientId: clientId}}, function(response) {
+        success(response.signature);
+      }, 'json').fail(function(xhr, textStatus, e) {
+        success(null);
+      });
+    });
+    self._signatures[clientId][channel].then(function(signature) {
+      message.signature = signature;
+      callback(message);
+    });
+  }
+}
+
+FayeAuthentication.prototype.outgoing = function(message, callback) {
+  if (message.channel === '/meta/subscribe') {
+    this.signMessage(message, callback);
+  }
+  else if (/^\/meta\/(.*)/.exec(message.channel) === null) { // Publish
+    this.signMessage(message, callback);
+  }
+  else
+    callback(message);
+};
+
+FayeAuthentication.prototype.incoming = function(message, callback) {
+  if (message.error === 'Invalid signature')
+    this._signatures = {};
+  callback(message);
+};

data/faye-authentication.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'faye/authentication/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "faye-authentication"
+  spec.version       = Faye::Authentication::VERSION
+  spec.authors       = ["Adrien Siami"]
+  spec.email         = ["adrien.siami@dimelo.com"]
+  spec.summary       =
+  spec.description   = "A faye extension to add authentication mechanisms"
+  spec.homepage      = "https://github.com/dimelo/faye-authentication"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.5"
+  spec.add_development_dependency "rake", '~> 10.3'
+  spec.add_development_dependency 'rspec', '~> 3.0.0.rc1'
+  spec.add_development_dependency 'jasmine', '~> 2.0'
+  spec.add_development_dependency 'faye', '~> 1.0'
+  spec.add_development_dependency 'rack', '~> 1.5'
+  spec.add_development_dependency 'thin', '~> 1.6'
+  spec.add_development_dependency 'webmock', '~> 1.18'
+end

data/lib/faye/authentication/engine.rb

@@ -0,0 +1,8 @@
+if defined?(Rails)
+  module Faye
+    module Authentication
+      class Engine < Rails::Engine
+      end
+    end
+  end
+end

data/lib/faye/authentication/extension.rb

@@ -0,0 +1,24 @@
+module Faye
+  module Authentication
+    class Extension
+
+      def initialize(secret)
+        @secret = secret
+      end
+
+      def incoming(message, callback)
+        if message['channel'] == '/meta/subscribe' || !(message['channel'] =~ /^\/meta\/.*/)
+          unless Faye::Authentication.valid?({
+            'channel'   => message['subscription'] || message['channel'],
+            'clientId'  => message['clientId'],
+            'signature' => message['signature']
+            }, @secret)
+            message['error'] = 'Invalid signature'
+          end
+        end
+        callback.call(message)
+      end
+
+    end
+  end
+end

data/lib/faye/authentication/http_client.rb

@@ -0,0 +1,18 @@
+require 'json'
+
+module Faye
+  module Authentication
+    class HTTPClient
+
+      def self.publish(url, channel, data, key)
+        uri = URI(url)
+        req = Net::HTTP::Post.new(url)
+        message = {'channel' => channel, 'data' => data, 'clientId' => 'http'}
+        message['signature'] = Faye::Authentication.sign(message, key)
+        req.set_form_data(message: JSON.dump(message))
+        Net::HTTP.start(uri.hostname, uri.port, :use_ssl => uri.scheme == 'https') { |http| http.request(req) }
+      end
+
+    end
+  end
+end

data/lib/faye/authentication/version.rb

@@ -0,0 +1,5 @@
+module Faye
+  module Authentication
+    VERSION = "0.1.0"
+  end
+end

data/lib/faye/authentication.rb

@@ -0,0 +1,32 @@
+require "faye/authentication/version"
+require 'faye/authentication/extension'
+require 'faye/authentication/http_client'
+require 'faye/authentication/engine'
+
+module Faye
+  module Authentication
+
+    def self.sign(message, secret)
+      OpenSSL::HMAC.hexdigest('sha1', secret, "#{message['channel']}-#{message['clientId']}")
+    end
+
+    def self.valid?(message, secret)
+      signature = message.delete('signature')
+      return false unless signature
+      secure_compare(signature, sign(message, secret))
+    end
+
+    # constant-time comparison algorithm to prevent timing attacks
+    # Copied from ActiveSupport::MessageVerifier
+    def self.secure_compare(a, b)
+      return false unless a.bytesize == b.bytesize
+
+      l = a.unpack "C#{a.bytesize}"
+
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+
+  end
+end

data/spec/javascripts/faye-authentication_spec.js

@@ -0,0 +1,153 @@
+describe('faye-authentication', function() {
+
+  describe('constructor', function() {
+
+    it('sets endpoint to /faye by default', function() {
+      var auth = new FayeAuthentication();
+      expect(auth.endpoint()).toBe('/faye/auth');
+    });
+
+    it('can specify a custom endpoint', function() {
+      var auth = new FayeAuthentication('/custom');
+      expect(auth.endpoint()).toBe('/custom');
+    });
+
+  });
+
+  describe('extension', function() {
+    beforeEach(function() {
+      jasmine.Ajax.install();
+      this.auth = new FayeAuthentication();
+      this.client = new Faye.Client('http://localhost:9296/faye');
+      this.client.addExtension(this.auth);
+    });
+
+    afterEach(function() {
+      jasmine.Ajax.uninstall();
+    });
+
+    it('should make an ajax request to the extension endpoint', function(done) {
+      this.client.subscribe('/foobar');
+      var self = this;
+      setTimeout(function() {
+        var request = jasmine.Ajax.requests.mostRecent();
+        expect(request.url).toBe(self.auth.endpoint());
+        done();
+      }, 500);
+    });
+
+    it('should make an ajax request with the correct params', function(done) {
+      this.client.subscribe('/foobar');
+      var self = this;
+      setTimeout(function() {
+        var request = jasmine.Ajax.requests.mostRecent();
+        console.log(request);
+        expect(request.data()['message[channel]'][0]).toBe('/foobar');
+        done();
+      }, 500);
+    });
+
+
+    describe('signature', function() {
+
+      beforeEach(function() {
+        jasmine.Ajax.stubRequest('/faye/auth').andReturn({
+          'responseText': '{"signature": "foobarsignature"}'
+        });
+
+        this.fake_transport = {connectionType: "fake", endpoint: {}, send: function() {}};
+        spyOn(this.fake_transport, 'send');
+      });
+
+      it('should add the signature to subscribe message', function(done) {
+        var self = this;
+
+        this.client.handshake(function() {
+          self.client._transport = self.fake_transport
+          self.client.subscribe('/foobar');
+        }, this.client);
+
+        setTimeout(function() {
+          var calls = self.fake_transport.send.calls.all();
+          var last_call = calls[calls.length - 1];
+          var message = last_call.args[0].message;
+          expect(message.channel).toBe('/meta/subscribe');
+          expect(message.signature).toBe('foobarsignature');
+          done();
+        }, 500);
+
+      });
+
+      it('should add the signature to publish message', function(done) {
+        var self = this;
+
+        this.client.handshake(function() {
+          self.client._transport = self.fake_transport
+          self.client.publish('/foobar', {text: 'hallo'});
+        }, this.client);
+
+        setTimeout(function() {
+          var calls = self.fake_transport.send.calls.all();
+          var last_call = calls[calls.length - 1];
+          var message = last_call.args[0].message;
+          expect(message.channel).toBe('/foobar');
+          expect(message.signature).toBe('foobarsignature');
+          done();
+        }, 500);
+      });
+
+      it('preserves messages integrity', function(done) {
+        var self = this;
+
+        this.client.handshake(function() {
+          self.client._transport = self.fake_transport
+          self.client.publish('/foo', {text: 'hallo'});
+          self.client.subscribe('/foo');
+        }, this.client);
+
+        setTimeout(function() {
+          var calls = self.fake_transport.send.calls.all();
+          var subscribe_call = calls[calls.length - 1];
+          var publish_call = calls[calls.length - 2];
+          var subscribe_message = subscribe_call.args[0].message;
+          var publish_message = publish_call.args[0].message;
+          expect(publish_message.channel).toBe('/foo');
+          expect(subscribe_message.channel).toBe('/meta/subscribe');
+          expect(publish_message.signature).toBe('foobarsignature');
+          expect(subscribe_message.signature).toBe('foobarsignature');
+          done();
+        }, 500);
+      });
+
+      it('should make only one ajax call when dealing with one channel', function(done) {
+        this.client.subscribe('/foobar');
+        this.client.publish('/foobar', {text: 'hallo'});
+        this.client.publish('/foobar', {text: 'hallo'});
+
+        setTimeout(function() {
+          expect(jasmine.Ajax.requests.count()).toBe(2); // Handshake + auth
+          done();
+        }, 500);
+
+      })
+
+      it('should make two ajax calls when dealing with two channels', function(done) {
+        this.client.subscribe('/foo');
+        this.client.publish('/foo', {text: 'hallo'});
+        this.client.publish('/foo', {text: 'hallo'});
+
+        this.client.subscribe('/bar');
+        this.client.publish('/bar', {text: 'hallo'});
+        this.client.publish('/bar', {text: 'hallo'});
+
+        setTimeout(function() {
+          expect(jasmine.Ajax.requests.count()).toBe(3); // Handshake + auth * 2
+          done();
+        }, 500);
+      });
+    });
+
+  });
+
+
+})

data/spec/javascripts/faye-extension_spec.js

@@ -0,0 +1,74 @@
+describe('Faye extension', function() {
+  beforeEach(function() {
+    this.client = new Faye.Client('http://localhost:9296/faye');
+    jasmine.Ajax.install();
+  });
+
+  afterEach(function() {
+    jasmine.Ajax.uninstall();
+  });
+
+  describe('Without extension', function() {
+    it('fails to subscribe', function(done) {
+      this.client.subscribe('/foobar').then(undefined, function() {
+        done();
+      });
+    });
+
+    it('fails to publish', function(done) {
+      this.client.publish('/foobar', {text: 'whatever'}).then(undefined, function() {
+        done();
+      });
+    });
+  });
+
+  describe('With extension', function() {
+    beforeEach(function() {
+      this.extension = new FayeAuthentication();
+      this.client.addExtension(this.extension);
+    });
+
+    function stubSignature(context, callback) {
+      var self = context;
+      self.client.handshake(function() {
+        var signature = CryptoJS.HmacSHA1("/foobar-" + self.client._clientId, "macaroni").toString();
+
+        jasmine.Ajax.stubRequest('/faye/auth').andReturn({
+          'responseText': '{"signature": "' + signature + '"}'
+        });
+        callback();
+      }, self.client);
+    }
+
+    it('succeeds to subscribe', function(done) {
+      var self = this;
+      stubSignature(this, function() {
+        self.client.subscribe('/foobar').then(function() {
+          done();
+        });
+      });
+    });
+
+    it('succeeds to publish', function(done) {
+      var self = this;
+      stubSignature(this, function() {
+        self.client.publish('/foobar', {hello: 'world'}).then(function() {
+          done();
+        });
+      });
+    });
+
+    it('clears the signatures when receiving an error from the server', function(done) {
+      this.extension._signatures = {'123': []};
+      jasmine.Ajax.stubRequest('/faye/auth').andReturn({
+        'responseText': '{"signature": "bad"}'
+      });
+      var self = this;
+      this.client.subscribe('/toto').then(undefined, function() {
+        expect(Object.keys(self.extension._signatures).length).toBe(0);
+        done();
+      });
+
+    });
+  });
+});