foobara-auth 0.0.8 → 0.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e1ba58c561a925a0c68b73d09b35bea08bd1547170c3c5cb947c97b6bbbcd91d
-  data.tar.gz: a9a6ef33b8b8834548034c7852ec4904d1b2161e83c8190b5aacf5c76fe7d38a
+  metadata.gz: 625eea5256db4cac1d98cb6b0483b8cbc9c47d91225f0f0736581df8a5a1636c
+  data.tar.gz: 0a51402e5ec2ce711ad7c62ef18aadbe23ff03f2ecb775516be35514e78ef89f
 SHA512:
-  metadata.gz: de9f66fc29b5d7176198a8b03eb33b2046d0c9cf8c4130d2ecf082a65c7b215996d2c080099b1d7bdffa9f26c89d86513edd5bbab65f9bd9f756eaec983720d2
-  data.tar.gz: 78a8c4c831f5c808cf4f675ecda90e418803a8c6d5f5d63f08679086a3e5693126f1fb4d9216a1bed7d44ef4f7c96a55d178e0dad5d6dca5cb50ff4e91079971
+  metadata.gz: 922de34a2a3343f55152a5d754b0e6a0c1b7e97bc868891e607018f73dcb8aec5dbee9408e3886a100057764de42039676204b5ffac48d2377e2ad5af777695f
+  data.tar.gz: 056a01756020a541633ea7467792079f8841c4c8135f7d84054efbab62c0360888b61e9ddf817c8ad67af4ef7a61e9feefae60e348d7c95cbfd0087a2d31c35f

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+## [0.0.9] - 2025-04-22
+
+- Handle malformed jwt tokens
+
 ## [0.0.8] - 2025-04-11
 
 - Just seeing if we can successfully push new gems since there's an issue pushing foobara

data/src/create_reset_password_token.rb

@@ -0,0 +1,45 @@
+require "securerandom"
+
+require_relative "create_token"
+
+module Foobara
+  module Auth
+    class CreateResetPasswordToken < Foobara::Command
+      depends_on CreateToken
+
+      inputs do
+        user Types::User, :required
+        token_ttl :integer, default: 5 * 60
+      end
+
+      result :string, :sensitive_exposed
+
+      def execute
+        determine_timestamps
+
+        generate_new_reset_password_token
+        save_new_reset_password_token_on_user
+
+        reset_password_token_secret
+      end
+
+      attr_accessor :expires_at, :reset_password_token_record, :reset_password_token_secret
+
+      def determine_timestamps
+        now = Time.now
+        self.expires_at = now + token_ttl
+      end
+
+      def generate_new_reset_password_token
+        result = run_subcommand!(CreateToken, expires_at:)
+
+        self.reset_password_token_record = result[:token_record]
+        self.reset_password_token_secret = result[:token_string]
+      end
+
+      def save_new_reset_password_token_on_user
+        user.reset_password_token = reset_password_token_record
+      end
+    end
+  end
+end

data/src/reset_password.rb

@@ -0,0 +1,123 @@
+module Foobara
+  module Auth
+    class ResetPassword < Foobara::Command
+      class NoPasswordResetTokenOrOldPasswordGivenError < Foobara::RuntimeError
+        context({})
+        message "Must give either a password reset token or an old password"
+      end
+
+      class BothPasswordResetTokenAndOldPasswordGivenError < Foobara::RuntimeError
+        context({})
+        message "Cannot give both a password reset token and an old password"
+      end
+
+      class IncorrectOldPasswordError < Foobara::RuntimeError
+        context({})
+        message "Incorrect old password"
+      end
+
+      class InvalidResetPasswordTokenError < Foobara::RuntimeError
+        context({}) # TODO: make this the default
+        message "Invalid password reset token"
+      end
+
+      class UserNotGivenError < Foobara::RuntimeError
+        context({})
+        message "Must give a user if giving an old password to reset password"
+      end
+
+      class UserNotFoundForResetTokenError < Foobara::RuntimeError
+        context({}) # TODO: make this the default?
+        message "No user found for reset password token"
+      end
+
+      inputs do
+        user Types::User
+        old_password :string, :sensitive_exposed
+        reset_password_token_secret :string, :sensitive_exposed
+        new_password :string, :sensitive, :required
+      end
+      result Types::User
+
+      depends_on BuildSecret, VerifyPassword, VerifyToken
+
+      # TODO: should we enforce certain password requirements?
+      def execute
+        if old_password_given?
+          verify_old_password
+        else
+          verify_and_use_up_password_reset_token
+          load_user
+        end
+
+        build_new_password
+        set_password_on_user
+
+        user
+      end
+
+      def validate
+        if old_password_given?
+          unless user
+            add_runtime_error(UserNotGivenError)
+          end
+          if reset_password_token_given?
+            add_runtime_error(BothPasswordResetTokenAndOldPasswordGivenError)
+          end
+        else
+          unless reset_password_token_given?
+            add_runtime_error(NoPasswordResetTokenOrOldPasswordGivenError)
+          end
+        end
+      end
+
+      attr_accessor :password_secret, :reset_password_token_record
+      attr_writer :user
+
+      def old_password_given?
+        !!old_password
+      end
+
+      def reset_password_token_given?
+        !!reset_password_token_secret
+      end
+
+      def verify_old_password
+        unless run_subcommand!(VerifyPassword, user:, plaintext_password: old_password)
+          add_runtime_error(IncorrectOldPasswordError)
+        end
+      end
+
+      def verify_and_use_up_password_reset_token
+        verified_result = run_subcommand!(VerifyToken, token_string: reset_password_token_secret)
+
+        unless verified_result[:verified]
+          add_runtime_error(InvalidResetPasswordTokenError)
+        end
+
+        self.reset_password_token_record = verified_result[:token_record]
+        reset_password_token_record.use_up!
+      end
+
+      def load_user
+        self.user = Types::User.that_owns(reset_password_token_record, "reset")
+
+        unless user
+          add_runtime_error(UserNotFoundForResetTokenError)
+        end
+      end
+
+      def user
+        @user || inputs[:user]
+      end
+
+      def build_new_password
+        self.password_secret = run_subcommand!(BuildSecret, secret: new_password)
+      end
+
+      def set_password_on_user
+        user.password_secret = password_secret
+      end
+    end
+  end
+end

data/src/types/user.rb

@@ -13,6 +13,7 @@ module Foobara
           api_keys [Types::Token], :sensitive, default: []
           refresh_tokens [Types::Token], :sensitive, default: []
           password_secret Types::Secret, :sensitive, :allow_nil
+          reset_password_token Types::Token, :sensitive, :allow_nil
         end
 
         primary_key :id

data/src/verify_access_token.rb

@@ -10,7 +10,7 @@ module Foobara
 
       result do
         verified :boolean, :required
-        failure_reason :string, :allow_nil, one_of: %w[invalid expired]
+        failure_reason :string, :allow_nil, one_of: %w[invalid expired cannot_verify]
         payload :associative_array, :allow_nil
         headers :associative_array, :allow_nil
       end
@@ -27,9 +27,11 @@ module Foobara
       def decode_access_token
         self.payload, self.headers = JWT.decode(access_token, jwt_secret)
       rescue JWT::VerificationError
-        self.failure_reason = "invalid"
+        self.failure_reason = "cannot_verify"
       rescue JWT::ExpiredSignature
         self.failure_reason = "expired"
+      rescue JWT::DecodeError
+        self.failure_reason = "invalid"
       end
 
       def set_verified_flag

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: foobara-auth
 version: !ruby/object:Gem::Version
-  version: 0.0.8
+  version: 0.0.9
 platform: ruby
 authors:
 - Miles Georgi
@@ -68,6 +68,7 @@ files:
 - src/build_secret.rb
 - src/create_api_key.rb
 - src/create_refresh_token.rb
+- src/create_reset_password_token.rb
 - src/create_role.rb
 - src/create_token.rb
 - src/create_user.rb
@@ -76,6 +77,7 @@ files:
 - src/logout.rb
 - src/refresh_login.rb
 - src/register.rb
+- src/reset_password.rb
 - src/set_password.rb
 - src/types/role.rb
 - src/types/secret.rb