foobara-auth 0.0.8 → 0.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e1ba58c561a925a0c68b73d09b35bea08bd1547170c3c5cb947c97b6bbbcd91d
-  data.tar.gz: a9a6ef33b8b8834548034c7852ec4904d1b2161e83c8190b5aacf5c76fe7d38a
+  metadata.gz: 45cdb3b28235c09c136eb81a09662517dd017afef86cb5fd11b1c966a264685d
+  data.tar.gz: 65b323560c3469fa6b1c29e20d39f4ecf4c6e42011da3a7244876863f87057ab
 SHA512:
-  metadata.gz: de9f66fc29b5d7176198a8b03eb33b2046d0c9cf8c4130d2ecf082a65c7b215996d2c080099b1d7bdffa9f26c89d86513edd5bbab65f9bd9f756eaec983720d2
-  data.tar.gz: 78a8c4c831f5c808cf4f675ecda90e418803a8c6d5f5d63f08679086a3e5693126f1fb4d9216a1bed7d44ef4f7c96a55d178e0dad5d6dca5cb50ff4e91079971
+  metadata.gz: 48db1658d6fa78ae0cfe733c7bb58288519399311007851d03c5253f2ebd44f089027820f788c1bfe7af012372520639a56594471d6f50269e75e75c47c884a7
+  data.tar.gz: c6c486c5f4a408177e6a534169bea9d0a77068d8208ed99f5c4217ca37d6f247ffc00743041ff4306f858c5963592ebf9bbd857b6422412a8618cb4157d29df6

data/CHANGELOG.md

@@ -1,3 +1,11 @@
+## [0.0.10] - 2025-04-28
+
+- Add AuthenticateWithApiKey command
+
+## [0.0.9] - 2025-04-22
+
+- Handle malformed jwt tokens
+
 ## [0.0.8] - 2025-04-11
 
 - Just seeing if we can successfully push new gems since there's an issue pushing foobara

data/src/authenticate_with_api_key.rb

@@ -0,0 +1,59 @@
+require_relative "verify_token"
+
+module Foobara
+  module Auth
+    class AuthenticateWithApiKey < Foobara::Command
+      class InvalidApiKeyError < Foobara::RuntimeError
+        context api_key_id: :string
+        message "Invalid api key"
+      end
+
+      depends_on VerifyToken
+      depends_on_entities Types::Token
+
+      inputs do
+        api_key :string, :required, :sensitive
+        access_token_ttl :integer, default: 30 * 60
+        api_key_ttl :integer, default: 7 * 24 * 60 * 60
+      end
+
+      result [Types::User, Types::Token]
+
+      def execute
+        determine_api_key_id_and_secret
+        load_api_key_record
+        verify_api_key
+
+        load_user
+
+        user_and_credential
+      end
+
+      attr_accessor :expires_at, :api_key_record, :api_key_id, :api_key_secret, :user
+
+      def determine_api_key_id_and_secret
+        self.api_key_id, self.api_key_secret = api_key.split("_")
+      end
+
+      def load_api_key_record
+        self.api_key_record = Types::Token.load(api_key_id)
+      end
+
+      def verify_api_key
+        valid = run_subcommand!(VerifyToken, token_string: api_key)
+
+        unless valid[:verified]
+          add_runtime_error(InvalidApiKeyError.new(context: { api_key_id: }))
+        end
+      end
+
+      def load_user
+        self.user ||= Types::User.that_owns(api_key_record, "api_keys")
+      end
+
+      def user_and_credential
+        [user, api_key_record]
+      end
+    end
+  end
+end

data/src/create_reset_password_token.rb

@@ -0,0 +1,45 @@
+require "securerandom"
+
+require_relative "create_token"
+
+module Foobara
+  module Auth
+    class CreateResetPasswordToken < Foobara::Command
+      depends_on CreateToken
+
+      inputs do
+        user Types::User, :required
+        token_ttl :integer, default: 5 * 60
+      end
+
+      result :string, :sensitive_exposed
+
+      def execute
+        determine_timestamps
+
+        generate_new_reset_password_token
+        save_new_reset_password_token_on_user
+
+        reset_password_token_secret
+      end
+
+      attr_accessor :expires_at, :reset_password_token_record, :reset_password_token_secret
+
+      def determine_timestamps
+        now = Time.now
+        self.expires_at = now + token_ttl
+      end
+
+      def generate_new_reset_password_token
+        result = run_subcommand!(CreateToken, expires_at:)
+
+        self.reset_password_token_record = result[:token_record]
+        self.reset_password_token_secret = result[:token_string]
+      end
+
+      def save_new_reset_password_token_on_user
+        user.reset_password_token = reset_password_token_record
+      end
+    end
+  end
+end

data/src/refresh_login.rb

@@ -6,11 +6,6 @@ module Foobara
         message "Invalid refresh token"
       end
 
-      class RefreshTokenNotOwnedByUser < Foobara::RuntimeError
-        context refresh_token_id: :string
-        message "This refresh token is not owned by this user"
-      end
-
       depends_on CreateRefreshToken, VerifyToken, BuildAccessToken
       depends_on_entities Types::Token
 
@@ -32,6 +27,8 @@ module Foobara
         # Delete it instead maybe?
         mark_refresh_token_as_used
 
+        load_user
+
         generate_access_token
         generate_new_refresh_token
 
@@ -39,7 +36,7 @@ module Foobara
       end
 
       attr_accessor :access_token, :new_refresh_token, :expires_at, :refresh_token_record,
-                    :refresh_token_id, :refresh_token_secret
+                    :refresh_token_id, :refresh_token_secret, :user
 
       def determine_refresh_token_id_and_secret
         self.refresh_token_id, self.refresh_token_secret = refresh_token.split("_")
@@ -65,8 +62,8 @@ module Foobara
         self.access_token = run_subcommand!(BuildAccessToken, user:, token_ttl: access_token_ttl)
       end
 
-      def user
-        @user ||= Types::User.that_owns(refresh_token_record, "refresh_tokens")
+      def load_user
+        self.user ||= Types::User.that_owns(refresh_token_record, "refresh_tokens")
       end
 
       def generate_new_refresh_token

data/src/register.rb

@@ -2,6 +2,7 @@ require_relative "types/user"
 
 module Foobara
   module Auth
+    # TODO: should raise error if username or email already in use!
     class Register < Foobara::Command
       depends_on CreateUser, SetPassword
 

data/src/reset_password.rb

@@ -0,0 +1,123 @@
+module Foobara
+  module Auth
+    class ResetPassword < Foobara::Command
+      class NoPasswordResetTokenOrOldPasswordGivenError < Foobara::RuntimeError
+        context({})
+        message "Must give either a password reset token or an old password"
+      end
+
+      class BothPasswordResetTokenAndOldPasswordGivenError < Foobara::RuntimeError
+        context({})
+        message "Cannot give both a password reset token and an old password"
+      end
+
+      class IncorrectOldPasswordError < Foobara::RuntimeError
+        context({})
+        message "Incorrect old password"
+      end
+
+      class InvalidResetPasswordTokenError < Foobara::RuntimeError
+        context({}) # TODO: make this the default
+        message "Invalid password reset token"
+      end
+
+      class UserNotGivenError < Foobara::RuntimeError
+        context({})
+        message "Must give a user if giving an old password to reset password"
+      end
+
+      class UserNotFoundForResetTokenError < Foobara::RuntimeError
+        context({}) # TODO: make this the default?
+        message "No user found for reset password token"
+      end
+
+      inputs do
+        user Types::User
+        old_password :string, :sensitive_exposed
+        reset_password_token_secret :string, :sensitive_exposed
+        new_password :string, :sensitive, :required
+      end
+      result Types::User
+
+      depends_on BuildSecret, VerifyPassword, VerifyToken
+
+      # TODO: should we enforce certain password requirements?
+      def execute
+        if old_password_given?
+          verify_old_password
+        else
+          verify_and_use_up_password_reset_token
+          load_user
+        end
+
+        build_new_password
+        set_password_on_user
+
+        user
+      end
+
+      def validate
+        if old_password_given?
+          unless user
+            add_runtime_error(UserNotGivenError)
+          end
+          if reset_password_token_given?
+            add_runtime_error(BothPasswordResetTokenAndOldPasswordGivenError)
+          end
+        else
+          unless reset_password_token_given?
+            add_runtime_error(NoPasswordResetTokenOrOldPasswordGivenError)
+          end
+        end
+      end
+
+      attr_accessor :password_secret, :reset_password_token_record
+      attr_writer :user
+
+      def old_password_given?
+        !!old_password
+      end
+
+      def reset_password_token_given?
+        !!reset_password_token_secret
+      end
+
+      def verify_old_password
+        unless run_subcommand!(VerifyPassword, user:, plaintext_password: old_password)
+          add_runtime_error(IncorrectOldPasswordError)
+        end
+      end
+
+      def verify_and_use_up_password_reset_token
+        verified_result = run_subcommand!(VerifyToken, token_string: reset_password_token_secret)
+
+        unless verified_result[:verified]
+          add_runtime_error(InvalidResetPasswordTokenError)
+        end
+
+        self.reset_password_token_record = verified_result[:token_record]
+        reset_password_token_record.use_up!
+      end
+
+      def load_user
+        self.user = Types::User.that_owns(reset_password_token_record, "reset")
+
+        unless user
+          add_runtime_error(UserNotFoundForResetTokenError)
+        end
+      end
+
+      def user
+        @user || inputs[:user]
+      end
+
+      def build_new_password
+        self.password_secret = run_subcommand!(BuildSecret, secret: new_password)
+      end
+
+      def set_password_on_user
+        user.password_secret = password_secret
+      end
+    end
+  end
+end

data/src/types/user.rb

@@ -13,6 +13,7 @@ module Foobara
           api_keys [Types::Token], :sensitive, default: []
           refresh_tokens [Types::Token], :sensitive, default: []
           password_secret Types::Secret, :sensitive, :allow_nil
+          reset_password_token Types::Token, :sensitive, :allow_nil
         end
 
         primary_key :id

data/src/verify_access_token.rb

@@ -10,7 +10,7 @@ module Foobara
 
       result do
         verified :boolean, :required
-        failure_reason :string, :allow_nil, one_of: %w[invalid expired]
+        failure_reason :string, :allow_nil, one_of: %w[invalid expired cannot_verify]
         payload :associative_array, :allow_nil
         headers :associative_array, :allow_nil
       end
@@ -27,9 +27,11 @@ module Foobara
       def decode_access_token
         self.payload, self.headers = JWT.decode(access_token, jwt_secret)
       rescue JWT::VerificationError
-        self.failure_reason = "invalid"
+        self.failure_reason = "cannot_verify"
       rescue JWT::ExpiredSignature
         self.failure_reason = "expired"
+      rescue JWT::DecodeError
+        self.failure_reason = "invalid"
       end
 
       def set_verified_flag

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: foobara-auth
 version: !ruby/object:Gem::Version
-  version: 0.0.8
+  version: 0.0.10
 platform: ruby
 authors:
 - Miles Georgi
 bindir: bin
 cert_chain: []
-date: 1980-01-02 00:00:00.000000000 Z
+date: 2025-05-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: argon2
@@ -64,10 +64,12 @@ files:
 - README.md
 - lib/foobara/auth.rb
 - src/approve_token.rb
+- src/authenticate_with_api_key.rb
 - src/build_access_token.rb
 - src/build_secret.rb
 - src/create_api_key.rb
 - src/create_refresh_token.rb
+- src/create_reset_password_token.rb
 - src/create_role.rb
 - src/create_token.rb
 - src/create_user.rb
@@ -76,6 +78,7 @@ files:
 - src/logout.rb
 - src/refresh_login.rb
 - src/register.rb
+- src/reset_password.rb
 - src/set_password.rb
 - src/types/role.rb
 - src/types/secret.rb
@@ -109,7 +112,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.7
+rubygems_version: 3.6.2
 specification_version: 4
 summary: Provides various auth domain commands and models
 test_files: []