foobara-auth 0.0.1 → 0.0.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6e3b1336d92a8f2a54bde80403ab435d225b0ae14ff90495c8581ab4659d8817
-  data.tar.gz: 517afe9b1c6eb093991d5e191d741e25eb4d4728ffdfa56bf2c52d610db84710
+  metadata.gz: 29222c9e1b4418b49c88107de989af8ad1f082e26416cb9ce0e51de8f1625b17
+  data.tar.gz: a729451915a9baf22f982f2488677b3695cf7d08b2184a42d11ffaaaafc4b75d
 SHA512:
-  metadata.gz: 9953981b89689108443efd635cf6486f01c6c139f7fb3671167032cca24b5b8c838b102385de5b1588f38d077dae35e3346311843df50c7d41080f297a03b36a
-  data.tar.gz: 05a7d280774e1a66ad2d4572e1870448de8f0421346a330b09938faeca9eb1f275634548d20ba3fa8fd271ca52a559cffdba285c058d2c4a21cf7ef376934ac9
+  metadata.gz: 30b806538de1cd5202fd979cbb10dc235841bb8c9cf358ffacdafcee8f7f3b2f9db5857ff4c54efd70e8002a1b73ccfefc8e1e7876e9327a79113c744240160a
+  data.tar.gz: f17ef76c86bd23b76019b90bcbad937e98719deb896b2e2499e4aa86fc6737cbd8f07240b81018074f75b90e403629aff75ec22bdb15b192e3917725e5ce8435

data/CHANGELOG.md

@@ -1,3 +1,8 @@
+## [0.0.2] - 2025-03-21
+
+- Implement/test lots of basic auth behavior such as
+  registering/login access tokens/login refresh tokens/api keys/passwords
+
 ## [0.0.1] - 2025-03-08
 
 - Release as a gem

data/README.md

@@ -22,3 +22,10 @@ at https://github.com/foobara/auth
 
 This project is dual licensed under your choice of the Apache-2.0 license and the MIT license. 
 Please see LICENSE.txt for more info.
+
+## Concepts
+
+1. token: a string of the form <token_id>-<token_secret>
+2. password: a string
+3. secret: either a password or a token_secret. Never stored in the database
+4. hashed_secret: value stored in the database that can be checked against the secret passed in.

data/src/approve_token.rb

@@ -0,0 +1,21 @@
+module Foobara
+  module Auth
+    class ApproveToken < Foobara::Command
+      inputs do
+        token_record Types::Token, :required
+      end
+
+      result Types::Token
+
+      def execute
+        approve_token
+
+        token_record
+      end
+
+      def approve_token
+        token_record.approve!
+      end
+    end
+  end
+end

data/src/build_secret.rb

@@ -0,0 +1,46 @@
+require "argon2"
+
+module Foobara
+  module Auth
+    class BuildSecret < Foobara::Command
+      inputs do
+        secret :string, :required, :sensitive_exposed
+      end
+      result Types::Secret, :sensitive
+
+      def execute
+        generate_hashed_secret
+        build_secret
+
+        secret_model
+      end
+
+      attr_accessor :hashed_secret, :secret_model
+
+      def generate_hashed_secret
+        self.hashed_secret = Argon2::Password.create(secret, **argon_params)
+      end
+
+      def build_secret
+        self.secret_model = Types::Secret.new(
+          hashed_secret:,
+          parameters: argon_params.merge(other_params),
+          created_at: Time.now
+        )
+      end
+
+      def argon_params
+        {
+          t_cost: 2,
+          m_cost: 16,
+          parallelism: 1,
+          type: :argon2id
+        }
+      end
+
+      def other_params
+        { method: :argon2id }
+      end
+    end
+  end
+end

data/src/create_api_key.rb

@@ -1,77 +1,39 @@
 require "securerandom"
 require "base64"
 
-require_relative "build_password"
+require_relative "build_secret"
+require_relative "create_token"
 
 module Foobara
   module Auth
     class CreateApiKey < Foobara::Command
-      result :string
+      inputs do
+        user Types::User, :required
+        needs_approval :boolean, default: false
+      end
+      result :string, :sensitive_exposed
 
-      depends_on BuildPassword
-      depends_on_entity Types::ApiKey
+      depends_on CreateToken
+      depends_on_entity Types::Token
 
       def execute
-        generate_prefix
-        generate_raw_key
-        generate_key_for_user
-        generate_hashed_key
-        create_api_key
-        prepend_prefix
+        create_token
+        associate_token_with_user
 
         key_for_user
       end
 
-      attr_accessor :raw_key, :key_for_user, :hashed_key, :prefix, :build_password_params
-
-      def generate_prefix
-        bytes = SecureRandom.hex(prefix_bytes)
-        self.prefix = Base64.strict_encode64(bytes)[0..prefix_length - 1]
-      end
-
-      def generate_raw_key
-        self.raw_key = SecureRandom.hex(bytes)
-      end
-
-      def bytes
-        24
-      end
-
-      def generate_key_for_user
-        self.key_for_user = Base64.strict_encode64(raw_key)
-      end
-
-      def generate_hashed_key
-        password = run_subcommand!(BuildPassword, plaintext_password: key_for_user)
-        self.hashed_key = password.hashed_password
-        self.build_password_params = password.parameters
-      end
-
-      def create_api_key
-        Types::ApiKey.create(
-          hashed_token: hashed_key,
-          prefix: prefix,
-          token_length: key_for_user.length,
-          token_parameters: build_password_params.merge(other_params),
-          expires_at: nil,
-          created_at: Time.now
-        )
-      end
-
-      def prepend_prefix
-        self.key_for_user = "#{prefix}#{key_for_user}"
-      end
+      attr_accessor :token, :key_for_user
 
-      def other_params
-        { bytes:, prefix_length:, prefix_bytes: }
-      end
+      def create_token
+        result = run_subcommand!(CreateToken, needs_approval:)
 
-      def prefix_length
-        5
+        self.token = result[:token_record]
+        self.key_for_user = result[:token_string]
       end
 
-      def prefix_bytes
-        4
+      def associate_token_with_user
+        user.api_keys = [*user.api_keys, token]
       end
     end
   end

data/src/create_token.rb

@@ -0,0 +1,111 @@
+require "securerandom"
+require "base64"
+
+require_relative "build_secret"
+
+module Foobara
+  module Auth
+    class CreateToken < Foobara::Command
+      inputs do
+        expires_at :datetime
+        token_group :string
+        needs_approval :boolean, default: false
+      end
+
+      result do
+        token_string :string, :required, :sensitive
+        token_record Types::Token, :required, :sensitive
+      end
+
+      depends_on BuildSecret
+      depends_on_entity Types::Token
+
+      def execute
+        generate_token_secret
+        generate_hashed_secret
+        generate_token_id
+        construct_token_string
+        create_token_record
+
+        unless needs_approval?
+          activate_token
+        end
+
+        token_string_and_record
+      end
+
+      attr_accessor :token_id, :token_secret, :token_string, :hashed_secret, :build_password_params, :token_record
+
+      def generate_token_id
+        bytes = SecureRandom.random_bytes(token_id_bytes)
+
+        begin
+          token_id = Base64.strict_encode64(bytes)
+        end while Types::Token.exists?(token_id)
+
+        self.token_id = token_id
+      end
+
+      def generate_token_secret
+        bytes = SecureRandom.random_bytes(secret_bytes)
+        self.token_secret = Base64.strict_encode64(bytes)
+      end
+
+      def secret_bytes
+        32
+      end
+
+      def generate_hashed_secret
+        secret = run_subcommand!(BuildSecret, secret: token_secret)
+        self.hashed_secret = secret.hashed_secret
+        self.build_password_params = secret.parameters
+      end
+
+      def create_token_record
+        attributes = {
+          hashed_secret:,
+          id: token_id,
+          token_parameters: build_password_params.merge(other_params),
+          created_at: Time.now
+        }
+
+        if expires_at
+          attributes[:expires_at] = expires_at
+        end
+
+        if token_group
+          attributes[:token_group] = token_group
+        end
+
+        self.token_record = Types::Token.create(attributes)
+      end
+
+      def needs_approval?
+        needs_approval
+      end
+
+      def activate_token
+        token_record.approve!
+      end
+
+      def construct_token_string
+        self.token_string = "#{token_id}_#{token_secret}"
+      end
+
+      def token_string_and_record
+        {
+          token_string:,
+          token_record:
+        }
+      end
+
+      def other_params
+        { secret_bytes:, token_id_bytes: }
+      end
+
+      def token_id_bytes
+        6
+      end
+    end
+  end
+end

data/src/create_user.rb

@@ -3,18 +3,36 @@ module Foobara
     class CreateUser < Foobara::Command
       inputs Types::User.attributes_for_create
 
+      add_inputs do
+        plaintext_password :string, :sensitive_exposed
+      end
+
       result Types::User
 
+      depends_on SetPassword
+
       def execute
         create_user
 
+        if password_present?
+          set_password
+        end
+
         user
       end
 
       attr_accessor :user
 
       def create_user
-        self.user = Types::User.create(inputs)
+        self.user = Types::User.create(inputs.except(:plaintext_password))
+      end
+
+      def password_present?
+        plaintext_password && !plaintext_password.empty?
+      end
+
+      def set_password
+        run_subcommand!(SetPassword, user:, plaintext_password:)
       end
     end
   end

data/src/find_user.rb

@@ -0,0 +1,41 @@
+module Foobara
+  module Auth
+    class FindUser < Foobara::Command
+      class UserNotFoundError < Foobara::RuntimeError
+        context do
+          id :integer
+          username :string
+          email :email
+        end
+
+        def message
+          "No user found for #{context}"
+        end
+      end
+
+      inputs do
+        id :integer
+        username :string
+        email :email
+      end
+
+      result Types::User
+
+      def execute
+        load_user
+
+        user
+      end
+
+      attr_accessor :user
+
+      def load_user
+        self.user = Types::User.find_by(inputs)
+
+        unless user
+          add_runtime_error(UserNotFoundError.new(context: inputs))
+        end
+      end
+    end
+  end
+end

data/src/login.rb

@@ -0,0 +1,130 @@
+require "jwt"
+require "securerandom"
+
+require_relative "create_token"
+require_relative "verify_password"
+require_relative "verify_token"
+
+module Foobara
+  module Auth
+    class Login < Foobara::Command
+      class InvalidPasswordError < Foobara::RuntimeError
+        context({})
+        message "Invalid password"
+      end
+
+      class NoUserIdEmailOrUsernameGivenError < Foobara::RuntimeError
+        context({})
+        message "No user id, email, or username given"
+      end
+
+      depends_on CreateToken, VerifyPassword, FindUser
+
+      inputs do
+        user Types::User, :allow_nil
+        username :string, :allow_nil
+        email :string, :allow_nil
+        username_or_email :string, :allow_nil
+        plaintext_password :string, :required, :sensitive_exposed
+        # Configure these instead of defaulting them here?
+        token_ttl :integer, default: 30 * 60
+        refresh_token_ttl :integer, default: 7 * 24 * 60 * 60
+      end
+
+      result do
+        access_token :string, :required, :sensitive_exposed
+        refresh_token :string, :required, :sensitive_exposed
+      end
+
+      def execute
+        find_user_to_login
+        verify_password
+        # TODO: DRY these 5 up
+        determine_timestamps
+        generate_access_token
+        determine_token_group
+        generate_new_refresh_token
+        save_new_refresh_token_on_user
+
+        tokens
+      end
+
+      attr_accessor :access_token, :new_refresh_token, :now, :expires_at, :token_group, :user_to_login
+
+      def find_user_to_login
+        if user
+          self.user_to_login = user
+        elsif username
+          self.user_to_login = run_subcommand!(FindUser, username:)
+        elsif email
+          self.user_to_login = run_subcommand!(FindUser, email:)
+        elsif username_or_email
+          begin
+            self.user_to_login = run_subcommand!(FindUser, username: username_or_email)
+          rescue Halt
+            # I'm a bit nervous about rescuing Halt and clearing the errors, but I'm more nervous bout
+            # introducing a #run_subcommand method.
+            if error_collection.size == 1 && error_collection.errors.first.is_a?(FindUser::UserNotFoundError) &&
+               username_or_email.include?("@")
+              error_collection.clear
+              self.user_to_login = run_subcommand!(FindUser, email: username_or_email)
+            else
+              raise
+            end
+          end
+        else
+          add_runtime_error(NoUserIdEmailOrUsernameGivenError)
+        end
+      end
+
+      def verify_password
+        unless run_subcommand!(VerifyPassword, user: user_to_login, plaintext_password:)
+          add_runtime_error(InvalidPasswordError)
+        end
+      end
+
+      def determine_timestamps
+        self.now = Time.now
+        self.expires_at = now + token_ttl
+      end
+
+      def generate_access_token
+        payload = { sub: user_to_login.id, exp: expires_at.to_i }
+
+        self.access_token = JWT.encode(payload, jwt_secret, "HS256")
+      end
+
+      def jwt_secret
+        jwt_secret_text = ENV.fetch("JWT_SECRET", nil)
+
+        unless jwt_secret_text
+          # :nocov:
+          raise "You must set the JWT_SECRET environment variable"
+          # :nocov:
+        end
+
+        jwt_secret_text
+      end
+
+      def determine_token_group
+        self.token_group = SecureRandom.uuid
+      end
+
+      def generate_new_refresh_token
+        self.new_refresh_token = run_subcommand!(CreateToken, expires_at:, token_group:)
+      end
+
+      def save_new_refresh_token_on_user
+        # TODO: maybe override #<< on these objects to dirty the entity??
+        user_to_login.refresh_tokens += [*user_to_login.refresh_tokens, new_refresh_token[:token_record]]
+      end
+
+      def tokens
+        {
+          access_token:,
+          refresh_token: new_refresh_token[:token_string]
+        }
+      end
+    end
+  end
+end

data/src/refresh_login.rb

@@ -0,0 +1,129 @@
+require "jwt"
+require "securerandom"
+
+require_relative "create_token"
+require_relative "verify_token"
+
+module Foobara
+  module Auth
+    class RefreshLogin < Foobara::Command
+      class InvalidRefreshTokenError < Foobara::RuntimeError
+        context refresh_token_id: :string
+        message "Invalid refresh token"
+      end
+
+      class RefreshTokenNotOwnedByUser < Foobara::RuntimeError
+        context refresh_token_id: :string
+        message "This refresh token is not owned by this user"
+      end
+
+      depends_on CreateToken, VerifyToken
+
+      inputs do
+        user Types::User, :required
+        refresh_token_text :string, :required, :sensitive
+        # Can we get these TTLs off of the refresh token?
+        token_ttl :integer, default: 30 * 60
+        refresh_token_ttl :integer, default: 7 * 24 * 60 * 60
+      end
+
+      result do
+        access_token :string, :required, :sensitive_exposed
+        refresh_token :string, :required, :sensitive_exposed
+      end
+
+      def execute
+        determine_refresh_token_id_and_secret
+        load_refresh_token
+        validate_refresh_token_belongs_to_user
+        verify_refresh_token
+        # Delete it instead maybe?
+        mark_refresh_token_as_used
+        determine_timestamps
+        determine_token_group
+
+        generate_access_token
+        generate_new_refresh_token
+        save_new_refresh_token_on_user
+
+        tokens
+      end
+
+      attr_accessor :access_token, :new_refresh_token, :now, :expires_at, :refresh_token,
+                    :refresh_token_id, :refresh_token_secret, :token_group
+
+      def determine_refresh_token_id_and_secret
+        self.refresh_token_id, self.refresh_token_secret = refresh_token_text.split("_")
+      end
+
+      def load_refresh_token
+        self.refresh_token = Types::Token.load(refresh_token_id)
+      end
+
+      def validate_refresh_token_belongs_to_user
+        unless user.refresh_tokens.any? { |token| token.id == refresh_token_id }
+          add_runtime_error(RefreshTokenNotOwnedByUser.new(context: { refresh_token_id: }))
+        end
+      end
+
+      def verify_refresh_token
+        valid = run_subcommand!(VerifyToken, token_string: refresh_token_text)
+
+        unless valid[:verified]
+          add_runtime_error(InvalidRefreshTokenError.new(context: { refresh_token_id: }))
+        end
+      end
+
+      def mark_refresh_token_as_used
+        refresh_token.use_up!
+      end
+
+      def determine_timestamps
+        self.now = Time.now
+        self.expires_at = now + token_ttl
+      end
+
+      def generate_access_token
+        payload = {
+          user_id: user.id,
+          username: user.username,
+          exp: expires_at.to_i
+        }
+
+        self.access_token = JWT.encode(payload, jwt_secret, "HS256")
+      end
+
+      def jwt_secret
+        jwt_secret_text = ENV.fetch("JWT_SECRET", nil)
+
+        unless jwt_secret_text
+          # :nocov:
+          raise "You must set the JWT_SECRET environment variable"
+          # :nocov:
+        end
+
+        jwt_secret_text
+      end
+
+      def determine_token_group
+        self.token_group = refresh_token&.token_group || SecureRandom.uuid
+      end
+
+      def generate_new_refresh_token
+        self.new_refresh_token = run_subcommand!(CreateToken, expires_at:, token_group:)
+      end
+
+      def save_new_refresh_token_on_user
+        # TODO: maybe override #<< on these objects to dirty the entity??
+        user.refresh_tokens += [*user.refresh_tokens, new_refresh_token[:token_record]]
+      end
+
+      def tokens
+        {
+          access_token:,
+          refresh_token: new_refresh_token[:token_string]
+        }
+      end
+    end
+  end
+end

data/src/register.rb

@@ -0,0 +1,40 @@
+require_relative "types/user"
+
+module Foobara
+  module Auth
+    class Register < Foobara::Command
+      depends_on CreateUser, SetPassword
+
+      inputs do
+        username :string, :required
+        email :email, :required
+        plaintext_password :string, :allow_nil, :sensitive_exposed
+      end
+
+      result Types::User
+
+      def execute
+        create_user
+        if password?
+          set_password
+        end
+
+        user
+      end
+
+      attr_accessor :user
+
+      def create_user
+        self.user = run_subcommand!(CreateUser, username:, email:)
+      end
+
+      def password?
+        plaintext_password && !plaintext_password.empty?
+      end
+
+      def set_password
+        run_subcommand!(SetPassword, user:, plaintext_password:)
+      end
+    end
+  end
+end

data/src/set_password.rb

@@ -1,15 +1,13 @@
-require "argon2"
-
 module Foobara
   module Auth
     class SetPassword < Foobara::Command
       inputs do
         user Types::User
-        plaintext_password :string, :required
+        plaintext_password :string, :required, :sensitive_exposed
       end
       result Types::User
 
-      depends_on BuildPassword
+      depends_on BuildSecret
 
       # TODO: should we enforce certain password requirements?
       def execute
@@ -19,14 +17,14 @@ module Foobara
         user
       end
 
-      attr_accessor :password
+      attr_accessor :password_secret
 
       def build_password
-        self.password = run_subcommand!(BuildPassword, plaintext_password:)
+        self.password_secret = run_subcommand!(BuildSecret, secret: plaintext_password)
       end
 
       def set_password_on_user
-        user.password = password
+        user.password_secret = password_secret
       end
     end
   end

data/src/types/{password.rb → secret.rb}

@@ -1,9 +1,9 @@
 module Foobara
   module Auth
     module Types
-      class Password < Foobara::Model
+      class Secret < Foobara::Model
         attributes do
-          hashed_password :string, :required
+          hashed_secret :string, :required, :sensitive
           parameters :duck, :required
           created_at :datetime, :required
         end

data/src/types/token/state.rb

@@ -0,0 +1,11 @@
+module Foobara
+  module Auth
+    module Types
+      class Token < Foobara::Entity
+        State = Foobara::Enumerated.make_module(StateMachine.states)
+      end
+    end
+
+    foobara_register_type(:token_state, :symbol, one_of: Types::Token::State)
+  end
+end

data/src/types/{api_key → token}/state_machine.rb

@@ -1,15 +1,17 @@
 module Foobara
   module Auth
     module Types
-      class ApiKey < Foobara::Entity
+      class Token < Foobara::Entity
         class StateMachine < Foobara::StateMachine
           set_transition_map({
                                needs_approval: {
-                                 approve: :approved,
+                                 approve: :active,
                                  reject: :rejected
                                },
-                               approved: {
-                                 revoke: :revoked
+                               active: {
+                                 revoke: :revoked,
+                                 use_up: :inactive,
+                                 expire: :expired
                                }
                              })
         end

data/src/types/token.rb

@@ -0,0 +1,43 @@
+module Foobara
+  module Auth
+    module Types
+      class Token < Foobara::Entity
+        attributes do
+          id :string, :required
+          hashed_secret :string, :required, :sensitive
+          state :token_state, :required, default: :needs_approval
+          token_parameters :duck, :required
+          token_group :string, :allow_nil
+          expires_at :datetime, :allow_nil
+          created_at :datetime, :required
+        end
+
+        primary_key :id
+
+        def state_machine
+          @state_machine ||= StateMachine.new(owner: self, target_attribute: :state)
+        end
+
+        def approve!
+          state_machine.approve!
+        end
+
+        def use_up!
+          state_machine.use_up!
+        end
+
+        def expire!
+          state_machine.expire!
+        end
+
+        def inactive?
+          state_machine.current_state == State::INACTIVE
+        end
+
+        def active?
+          state_machine.current_state == State::ACTIVE
+        end
+      end
+    end
+  end
+end

data/src/types/user.rb

@@ -1,5 +1,5 @@
 require_relative "role"
-require_relative "password"
+require_relative "secret"
 
 module Foobara
   module Auth
@@ -10,8 +10,9 @@ module Foobara
           username :string, :required
           email :email, :required
           roles [Types::Role], default: []
-          api_key [Types::ApiKey], default: []
-          password Types::Password, :allow_nil
+          api_keys [Types::Token], :sensitive, default: []
+          refresh_tokens [Types::Token], :sensitive, default: []
+          password_secret Types::Secret, :sensitive, :allow_nil
         end
 
         primary_key :id

data/src/verify_access_token.rb

@@ -0,0 +1,61 @@
+require "jwt"
+
+module Foobara
+  module Auth
+    class VerifyAccessToken < Foobara::Command
+      inputs do
+        # TODO: we should add a processor that flags an attribute as sensitive so we can scrub
+        access_token :string, :required, :sensitive
+      end
+
+      result do
+        verified :boolean, :required
+        failure_reason :string, :allow_nil, one_of: %w[invalid expired]
+        payload :associative_array, :allow_nil
+        headers :associative_array, :allow_nil
+      end
+
+      def execute
+        decode_access_token
+        set_verified_flag
+
+        verified_flag_payload_and_headers
+      end
+
+      attr_accessor :verified, :payload, :headers, :failure_reason
+
+      def decode_access_token
+        self.payload, self.headers = JWT.decode(access_token, jwt_secret)
+      rescue JWT::VerificationError
+        self.failure_reason = "invalid"
+      rescue JWT::ExpiredSignature
+        self.failure_reason = "expired"
+      end
+
+      def set_verified_flag
+        self.verified = !failure_reason
+      end
+
+      def verified_flag_payload_and_headers
+        {
+          verified:,
+          failure_reason:,
+          payload:,
+          headers:
+        }
+      end
+
+      def jwt_secret
+        jwt_secret_text = ENV.fetch("JWT_SECRET", nil)
+
+        unless jwt_secret_text
+          # :nocov:
+          raise "You must set the JWT_SECRET environment variable"
+          # :nocov:
+        end
+
+        jwt_secret_text
+      end
+    end
+  end
+end

data/src/verify_password.rb

@@ -1,4 +1,4 @@
-require "argon2"
+require_relative "verify_token"
 
 module Foobara
   module Auth
@@ -6,11 +6,11 @@ module Foobara
       inputs do
         user Types::User, :required
         # TODO: we should add a processor that flags an attribute as sensitive so we can scrub
-        plaintext_password :string, :required
+        plaintext_password :string, :required, :sensitive
       end
       result :boolean
 
-      depends_on_entity Types::ApiKey
+      depends_on VerifySecret
 
       def execute
         # TODO: result in error if no password set yet?
@@ -26,9 +26,10 @@ module Foobara
       end
 
       def check_for_valid_password
-        hashed_password = user.password.hashed_password
-        self.valid_password = if hashed_password
-                                Argon2::Password.verify_password(plaintext_password, user.password.hashed_password)
+        hashed_secret = user.password_secret.hashed_secret
+
+        self.valid_password = if hashed_secret
+                                run_subcommand!(VerifySecret, secret: plaintext_password, hashed_secret:)
                               end
       end
     end

data/src/verify_secret.rb

@@ -0,0 +1,30 @@
+require "argon2"
+
+module Foobara
+  module Auth
+    class VerifySecret < Foobara::Command
+      inputs do
+        secret :string, :required # TODO: we should add a processor that flags an attribute as sensitive so we can scrub
+        hashed_secret :string, :required, :sensitive
+      end
+
+      result :boolean
+
+      def execute
+        verify_secret_against_hashed_secret
+
+        verified?
+      end
+
+      attr_accessor :verified
+
+      def verified?
+        !!verified
+      end
+
+      def verify_secret_against_hashed_secret
+        self.verified = Argon2::Password.verify_password(secret, hashed_secret)
+      end
+    end
+  end
+end

data/src/verify_token.rb

@@ -0,0 +1,104 @@
+require_relative "verify_secret"
+
+module Foobara
+  module Auth
+    class VerifyToken < Foobara::Command
+      class InactiveTokenError < Foobara::RuntimeError
+        context do
+          state :token_state, :required
+        end
+
+        def message
+          "Expected token to be active but it is #{context[:state]}"
+        end
+      end
+
+      class ExpiredTokenError < Foobara::RuntimeError
+        context({})
+        message "Token is expired"
+      end
+
+      inputs do
+        # TODO: we should add a processor that flags an attribute as sensitive so we can scrub
+        token_string :string, :required, :sensitive
+        token_record Types::Token, "Instead of finding a persisted token, check against a specific token record"
+      end
+
+      result do
+        verified :boolean, :required
+        token_record Types::Token, :required
+      end
+
+      depends_on VerifySecret
+
+      def execute
+        determine_token_id_and_hashed_secret
+
+        unless token_record?
+          load_token_record
+        end
+
+        validate_token_is_active
+        validate_token_is_not_expired
+        verify_hashed_secret_against_token_record
+
+        verified_and_token_record
+      end
+
+      attr_accessor :verified, :token_id, :secret
+      attr_writer :token_record_to_verify_against
+
+      def token_record_to_verify_against
+        @token_record_to_verify_against || token_record
+      end
+
+      def token_record?
+        !!token_record
+      end
+
+      def determine_token_id_and_hashed_secret
+        self.token_id, self.secret = token_string.split("_")
+      end
+
+      def load_token_record
+        self.token_record_to_verify_against = Types::Token.load(token_id)
+        # TODO: handle no record found...
+      end
+
+      def verify_hashed_secret_against_token_record
+        hashed_secret = token_record_to_verify_against.hashed_secret
+
+        self.verified = run_subcommand!(VerifySecret, secret:, hashed_secret:)
+      end
+
+      def validate_token_is_not_expired
+        if token_record_to_verify_against.expires_at&.<(Time.now)
+          Types::Token.transaction(mode: :open_nested) do
+            token = Types::Token.load(token_record_to_verify_against.id)
+            token.expire!
+          end
+          add_runtime_error(ExpiredTokenError)
+        end
+      end
+
+      def validate_token_is_active
+        unless token_record_to_verify_against.active?
+          add_runtime_error(
+            InactiveTokenError.new(
+              context: {
+                state: token_record_to_verify_against.state_machine.current_state
+              }
+            )
+          )
+        end
+      end
+
+      def verified_and_token_record
+        {
+          verified:,
+          token_record: token_record_to_verify_against
+        }
+      end
+    end
+  end
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: foobara-auth
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.0.2
 platform: ruby
 authors:
 - Miles Georgi
 bindir: bin
 cert_chain: []
-date: 2025-03-08 00:00:00.000000000 Z
+date: 2025-03-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: argon2
@@ -23,6 +23,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: foobara
   requirement: !ruby/object:Gem::Requirement
@@ -49,20 +63,27 @@ files:
 - LICENSE.txt
 - README.md
 - lib/foobara/auth.rb
-- src/approve_api_key.rb
-- src/build_password.rb
+- src/approve_token.rb
+- src/build_secret.rb
 - src/create_api_key.rb
 - src/create_role.rb
+- src/create_token.rb
 - src/create_user.rb
+- src/find_user.rb
+- src/login.rb
+- src/refresh_login.rb
+- src/register.rb
 - src/set_password.rb
-- src/types/api_key.rb
-- src/types/api_key/state.rb
-- src/types/api_key/state_machine.rb
-- src/types/password.rb
 - src/types/role.rb
+- src/types/secret.rb
+- src/types/token.rb
+- src/types/token/state.rb
+- src/types/token/state_machine.rb
 - src/types/user.rb
-- src/verify_api_key.rb
+- src/verify_access_token.rb
 - src/verify_password.rb
+- src/verify_secret.rb
+- src/verify_token.rb
 homepage: https://github.com/foobara/auth
 licenses:
 - Apache-2.0 OR MIT
@@ -85,7 +106,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.5
+rubygems_version: 3.6.6
 specification_version: 4
 summary: Provides various auth domain commands and models
 test_files: []

data/src/approve_api_key.rb

@@ -1,21 +0,0 @@
-module Foobara
-  module Auth
-    class ApproveApiKey < Foobara::Command
-      inputs do
-        api_key Types::ApiKey, :required
-      end
-
-      result Types::ApiKey
-
-      def execute
-        approve_api_key
-
-        api_key
-      end
-
-      def approve_api_key
-        api_key.approve!
-      end
-    end
-  end
-end

data/src/build_password.rb

@@ -1,46 +0,0 @@
-require "argon2"
-
-module Foobara
-  module Auth
-    class BuildPassword < Foobara::Command
-      inputs do
-        plaintext_password :string, :required
-      end
-      result Types::Password
-
-      def execute
-        generate_hashed_password
-        build_password
-
-        password
-      end
-
-      attr_accessor :hashed_password, :password
-
-      def generate_hashed_password
-        self.hashed_password = Argon2::Password.create(plaintext_password, **argon_params)
-      end
-
-      def build_password
-        self.password = Types::Password.new(
-          hashed_password:,
-          parameters: argon_params.merge(other_params),
-          created_at: Time.now
-        )
-      end
-
-      def argon_params
-        {
-          t_cost: 2,
-          m_cost: 16,
-          parallelism: 1,
-          type: :argon2id
-        }
-      end
-
-      def other_params
-        { method: :argon2id }
-      end
-    end
-  end
-end

data/src/types/api_key/state.rb

@@ -1,11 +0,0 @@
-module Foobara
-  module Auth
-    module Types
-      class ApiKey < Foobara::Entity
-        State = Foobara::Enumerated.make_module(%i[needs_approval approved rejected revoked])
-      end
-    end
-
-    foobara_register_type(:state, :symbol, one_of: Types::ApiKey::State)
-  end
-end

data/src/types/api_key.rb

@@ -1,28 +0,0 @@
-module Foobara
-  module Auth
-    module Types
-      class ApiKey < Foobara::Entity
-        attributes do
-          id :integer
-          hashed_token :string, :required
-          prefix :string, :required
-          token_length :integer, :required
-          state :state, :required, default: :needs_approval
-          token_parameters :duck, :required
-          expires_at :datetime, :allow_nil
-          created_at :datetime, :required
-        end
-
-        primary_key :id
-
-        def state_machine
-          @state_machine ||= ApiKey::StateMachine.new(owner: self, target_attribute: :state)
-        end
-
-        def approve!
-          state_machine.approve!
-        end
-      end
-    end
-  end
-end

data/src/verify_api_key.rb

@@ -1,38 +0,0 @@
-require "argon2"
-
-module Foobara
-  module Auth
-    class VerifyApiKey < Foobara::Command
-      inputs do
-        token :string, :required # TODO: we should add a processor that flags an attribute as sensitive so we can scrub
-      end
-      result :boolean
-
-      depends_on_entity Types::ApiKey
-
-      def execute
-        check_for_valid_key
-
-        valid_key?
-      end
-
-      attr_accessor :valid_key
-
-      def valid_key?
-        !!valid_key
-      end
-
-      def check_for_valid_key
-        prefix = token[..4]
-        hash_for_user = token[5..]
-
-        Types::ApiKey.find_all_by_attribute(:prefix, prefix).each do |key|
-          if Argon2::Password.verify_password(hash_for_user, key.hashed_token)
-            self.valid_key = true
-            break
-          end
-        end
-      end
-    end
-  end
-end