g5_authenticatable_api 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1aa117f0b0c46d048619a8b7bffe14b1030b0e67
-  data.tar.gz: bbb88bf02f07f19c095ef2ab23d68df33783a205
+  metadata.gz: 3fab392aec338c014086e508dfc7f257d848f0aa
+  data.tar.gz: 9a034d766e6f79ba7eb9c0e66df420c4665e9d8d
 SHA512:
-  metadata.gz: 4788c4eb67bc7139ffeb7664d68dd6816ed735bcca9fcd7b38f4a20153c9e1cf3b93cfd6c523e191658d4b331b0d2bd64d0b591c571be2d3cd6693f7e470368e
-  data.tar.gz: fb3fd459a31acc154515473e5c0e11734a9929f35c4051f3cf94d18138a4da6c89e03eb9a9b3fb9e4a194540d22ee605d60b872ec022b75400fededeb315ca26
+  metadata.gz: f1b27503517f7a269af86515e56e8c0185572d62b9db6802c75a6248a4e9d29448ccc46fd4bb88f1539c7613bb40acb822d9a60a4cb99948bac36b83fcaae13f
+  data.tar.gz: bdf990ae909d110075ff2ef0ab52ad6a4c2024a42f62501498fd86712293599892c15f5417baa7b62cfd803a19462b59cd27c0e353d314e0e9619670d3c1aa14

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## v0.3.1 (2015-01-20)
+
+* Disable strict token validation for session-authenticated users by
+  default; enable with `G5AuthenticatableApi.strict_token_validation = true`
+  ([#6](https://github.com/G5/g5_authenticatable_api/pull/6)).
+
 ## v0.3.0 (2014-12-23)
 
 * When there is already an authenticated session, validate the current

data/README.md

@@ -9,7 +9,7 @@ service using token-based authentication.
 
 ## Current Version
 
-0.3.0
+0.3.1
 
 ## Requirements
 
@@ -35,6 +35,8 @@ service using token-based authentication.
 
 ## Configuration
 
+### Auth endpoint
+
 The API helpers need to know the endpoint for the G5 auth server to use when
 validating tokens. This may be configured in one of several ways:
 
@@ -52,6 +54,30 @@ validating tokens. This may be configured in one of several ways:
   end
   ```
 
+### Strict token validation
+
+If your API supports session-based authentication through
+[devise_g5_authenticatable](https://github.com/G5/devise_g5_authenticatable),
+then you have the option of toggling strict token validation.
+
+If strict token validation is disabled (the default), then token validation
+will be bypassed if there is already an authenticated user in warden. This
+is fast, but it means that users with revoked or expired access tokens can
+still access your API as long as the local session remains active.
+
+```ruby
+G5AuthenticatableApi.strict_token_validation = false
+```
+
+If strict token validation is enabled, then the session user's access token
+will be periodically re-validated. Access to your API will be limited
+to users with active access tokens, but there is a performance penalty
+for this level of security.
+
+```ruby
+G5AuthenticatableApi.strict_token_validation = true
+```
+
 ## Usage
 
 ### Rails

data/g5_authenticatable_api.gemspec

@@ -20,4 +20,5 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency 'rack'
   spec.add_dependency 'g5_authentication_client', '~> 0.2'
+  spec.add_dependency 'activesupport', '>= 3.2'
 end

data/lib/g5_authenticatable_api/token_validator.rb

@@ -10,7 +10,7 @@ module G5AuthenticatableApi
 
     def validate!
       begin
-        auth_client.token_info
+        auth_client.token_info unless skip_validation?
       rescue StandardError => @error
         raise error
       end
@@ -66,5 +66,9 @@ module G5AuthenticatableApi
         parts['access_token']
       end
     end
+
+    def skip_validation?
+      @warden.try(:user) && !G5AuthenticatableApi.strict_token_validation
+    end
   end
 end

data/lib/g5_authenticatable_api/version.rb

@@ -1,3 +1,3 @@
 module G5AuthenticatableApi
-  VERSION = '0.3.0'
+  VERSION = '0.3.1'
 end

data/lib/g5_authenticatable_api.rb

@@ -1,3 +1,6 @@
+require 'active_support'
+require 'active_support/core_ext/module/attribute_accessors'
+
 require 'g5_authenticatable_api/version'
 require 'g5_authenticatable_api/helpers/grape'
 require 'g5_authenticatable_api/railtie' if defined?(Rails)
@@ -5,5 +8,9 @@ require 'g5_authenticatable_api/railtie' if defined?(Rails)
 require 'g5_authentication_client'
 
 module G5AuthenticatableApi
-  # Your code goes here...
+  # When enabled, strict token validation will validate the session user's
+  # access_token against the auth server for every request (if there is
+  # an existing session in warden). Disabled by default.
+  @@strict_token_validation = false
+  mattr_accessor :strict_token_validation
 end

data/spec/lib/g5_authenticatable_api/token_validator_spec.rb

@@ -58,37 +58,85 @@ describe G5AuthenticatableApi::TokenValidator do
   describe '#validate!' do
     subject(:validate!) { validator.validate! }
 
-    context 'when token is valid' do
-      include_context 'valid access token'
+    context 'when token is on the request' do
+      context 'when token is valid' do
+        include_context 'valid access token'
 
-      it 'should initialize the auth client with the access token' do
-        validate!
-        expect(a_request(:get, 'auth.g5search.com/oauth/token/info').
-               with(headers: {'Authorization' => "Bearer #{token_value}"})).to have_been_made
-      end
+        it 'should initialize the auth client with the access token' do
+          validate!
+          expect(a_request(:get, 'auth.g5search.com/oauth/token/info').
+                 with(headers: {'Authorization' => "Bearer #{token_value}"})).to have_been_made
+        end
+
+        it 'should not raise errors during validation' do
+          expect { validate! }.to_not raise_error
+        end
 
-      it 'should not raise errors during validation' do
-        expect { validate! }.to_not raise_error
+        it 'should not set an error on the validator' do
+          validate!
+          expect(validator.error).to be_nil
+        end
       end
 
-      it 'should not set an error on the validator' do
-        validate!
-        expect(validator.error).to be_nil
+      context 'when token is invalid' do
+        include_context 'invalid access token'
+
+        it 'should re-raise the OAuth error' do
+          expect { validate! }.to raise_error(OAuth2::Error)
+        end
+
+        it 'should set the error on the validator' do
+          begin
+            validate!
+          rescue StandardError => validation_error
+            expect(validator.error).to eq(validation_error)
+          end
+        end
       end
     end
 
-    context 'when token is invalid' do
-      include_context 'invalid access token'
+    context 'when token is on the warden user' do
+      let(:warden) { double(:warden, user: user) }
+      let(:user) { FactoryGirl.build_stubbed(:user, g5_access_token: token_value) }
+      let(:params) {}
+      let(:headers) {}
+
+      context 'when strict token validation is enabled' do
+        before { G5AuthenticatableApi.strict_token_validation = true }
+
+        context 'when the token is valid' do
+          include_context 'valid access token'
+
+          it 'should validate the access token against the auth server' do
+            validate!
+            expect(a_request(:get, 'auth.g5search.com/oauth/token/info').
+                  with(headers: {'Authorization' => "Bearer #{token_value}"})).to have_been_made
+          end
+
+          it 'should not raise errors during validation' do
+            expect { validate! }.to_not raise_error
+          end
+        end
+
+        context 'when token is invalid' do
+          include_context 'invalid access token'
 
-      it 'should re-raise the OAuth error' do
-        expect { validate! }.to raise_error(OAuth2::Error)
+          it 'should re-raise the error' do
+            expect { validate! }.to raise_error(OAuth2::Error)
+          end
+        end
       end
 
-      it 'should set the error on the validator' do
-        begin
+      context 'when strict token validation is disabled' do
+        before { G5AuthenticatableApi.strict_token_validation = false }
+
+        it 'should not validate the access token against the auth server' do
           validate!
-        rescue StandardError => validation_error
-          expect(validator.error).to eq(validation_error)
+          expect(a_request(:get, 'authg5search.com/oauth/token/info')).to_not have_been_made
+        end
+
+        it 'should not raise errors during validation' do
+          expect { validate! }.to_not raise_error
         end
       end
     end

data/spec/support/shared_examples/warden_authenticatable_api.rb

@@ -8,7 +8,28 @@ shared_examples_for 'a warden authenticatable api' do
     before { login_as(user, scope: :user) }
     after { logout }
 
-    include_examples 'token validation'
+    context 'when strict token validation is enabled' do
+      before do
+        G5AuthenticatableApi.strict_token_validation = true
+      end
+
+      include_examples 'token validation'
+    end
+
+    context 'when strict token validation is disabled' do
+      before do
+        G5AuthenticatableApi.strict_token_validation = false
+        subject
+      end
+
+      it 'should be successful' do
+        expect(response).to be_success
+      end
+
+      it 'should not validate the token against the auth server' do
+        expect(a_request(:get, 'auth.g5search.com/oauth/token/info')).to_not have_been_made
+      end
+    end
   end
 
   context 'when user is not authenticated' do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: g5_authenticatable_api
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Maeve Revels
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-12-23 00:00:00.000000000 Z
+date: 2015-01-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.2'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.2'
 description: Helpers for securing APIs with G5
 email:
 - maeve.revels@getg5.com
@@ -224,3 +238,4 @@ test_files:
 - spec/support/shared_examples/token_validation.rb
 - spec/support/shared_examples/warden_authenticatable_api.rb
 - spec/support/warden.rb
+has_rdoc: