gamora 0.8.0 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d898db3b0a39bb00099a8912953f6dcdfda11cddbb38eccfe72a798986a4dbb9
-  data.tar.gz: 943a549def5cc2b014fe7200cb72cfdfd00acef025b2db74731cce0eecfa5927
+  metadata.gz: 62fcee90396875db0256e297c90dda80546c3268cfecdd4f0e53b7f3c4e68ba8
+  data.tar.gz: '093571bfd8706530b474c1bf9d046db56cd5a0a53820546afc88f274f528a6a6'
 SHA512:
-  metadata.gz: a71915324e16d094db423133defdfa83f21a4451eb32ac468d4d2be35eb0768493e6cba8ed48c2efea746f4219e406751159c3d5eac500fe3e52f1e7c94c99d9
-  data.tar.gz: 86a1b5282d7bfc407264f971bc3f5ba2c6f756028d5afdb857e069ede7cc9787c9ad4b291b9e4fcf9365bc9a4f4e26e977a3b13f4a870b1c32c0b24bd6ba95e4
+  metadata.gz: '0888b96495e6e55f0cc49512a9ec0c8d73d67e839a2dae0207bdb81728032e46436b8a3ce0cdf1daa1352d5ae849a4a723a28fe29d9c6c615b5efbf6dd33cc8c'
+  data.tar.gz: 3c00a26cce8ad257170853ffc0c6c9fd3a355372f401881b470cb9cdb86d0a94e43b401e5ac94024979faa3636969fc33ec7429f033287d006a6ff5bfa8360aa

data/README.md

@@ -115,6 +115,38 @@ Optionally, if you want to do something different when authentication
 fails, you just need to override the `user_authentication_failed!`
 method in you controller and customize it as you wish.
 
+## Cross-Client Identity
+
+By default, gamora will accept only access tokens that were generating
+with the `client_id` in the configuration. If access tokens coming from
+other clients have to be accepted, make sure to add their client ids to
+the `whitelisted_clients` config option.
+
+```ruby
+Gamora.setup do |config|
+  ...
+
+  config.whitelisted_clients = ["OTHER_CLIENT_ID"]
+end
+```
+
+## Caching
+
+In order to avoid performing requests to the IDP on each request in the
+application, it is possible to set a caching time for introspection and
+userinfo endpoints. Make sure to not have a too long expiration time for
+`introspect_cache_expires_in` but not too short to impact the application
+performance, it is a balance.
+
+```ruby
+Gamora.setup do |config|
+  ...
+
+  config.userinfo_cache_expires_in = 10.minute
+  config.introspect_cache_expires_in = 5.seconds
+end
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then,

data/lib/gamora/authentication/base.rb

@@ -7,6 +7,7 @@ module Gamora
         sub: :id,
         roles: :roles,
         email: :email,
+        username: :username,
         given_name: :first_name,
         family_name: :last_name,
         phone_number: :phone_number,
@@ -15,9 +16,15 @@ module Gamora
       }.freeze
 
       def authenticate_user!
+        return authentication_failed! unless access_token.present?
+
+        token_data = introspect_access_token(access_token)
+        return authentication_failed! unless valid_token_data?(token_data)
+
         claims = resource_owner_claims(access_token)
-        assign_current_user_from_claims(claims) if claims.present?
-        validate_authentication!
+        return authentication_failed! unless claims.present?
+
+        assign_current_user_from_claims(claims)
       end
 
       def current_user
@@ -26,21 +33,29 @@ module Gamora
 
       private
 
-      def validate_authentication!
+      def access_token
         raise NotImplementedError
       end
 
-      def access_token
+      def authentication_failed!
         raise NotImplementedError
       end
 
-      def user_authentication_failed!
-        raise NotImplementedError
+      def valid_token_data?(token_data)
+        token_data[:active] && whitelisted_client?(token_data[:client_id])
+      end
+
+      def whitelisted_client?(client_id)
+        whitelisted_clients.include?(client_id)
+      end
+
+      def whitelisted_clients
+        Configuration.whitelisted_clients | [Configuration.client_id]
       end
 
       def assign_current_user_from_claims(claims)
-        attrs = user_attributes_from_claims(claims)
-        @current_user = User.new(attrs)
+        attributes = user_attributes_from_claims(claims)
+        @current_user = User.new(attributes)
       end
 
       def user_attributes_from_claims(claims)
@@ -48,27 +63,29 @@ module Gamora
       end
 
       def resource_owner_claims(access_token)
-        return {} if access_token.blank?
-
-        resource_owner_claims!(access_token)
-      end
+        cache_key = cache_key(:userinfo, access_token)
+        expires_in = Configuration.userinfo_cache_expires_in
 
-      def resource_owner_claims!(access_token)
-        Rails.cache.fetch(cache_key(access_token), cache_options) do
+        Rails.cache.fetch(cache_key, { expires_in: expires_in }) do
           oauth_client.userinfo(access_token)
         end
       end
 
-      def oauth_client
-        Client.from_config
+      def introspect_access_token(access_token)
+        cache_key = cache_key(:introspect, access_token)
+        expires_in = Configuration.introspect_cache_expires_in
+
+        Rails.cache.fetch(cache_key, { expires_in: expires_in }) do
+          oauth_client.introspect(access_token)
+        end
       end
 
-      def cache_options
-        { expires_in: Configuration.userinfo_cache_expires_in }
+      def cache_key(context, access_token)
+        "gamora:#{context}:#{Digest::SHA256.hexdigest(access_token)}"
       end
 
-      def cache_key(access_token)
-        "userinfo:#{Digest::SHA256.hexdigest(access_token)}"
+      def oauth_client
+        Client.from_config
       end
     end
   end

data/lib/gamora/authentication/headers.rb

@@ -7,12 +7,6 @@ module Gamora
 
       private
 
-      def validate_authentication!
-        return if current_user.present?
-
-        user_authentication_failed!
-      end
-
       def access_token
         pattern = /^Bearer /
         header = request.headers["Authorization"]
@@ -21,7 +15,7 @@ module Gamora
         header.gsub(pattern, "")
       end
 
-      def user_authentication_failed!
+      def authentication_failed!
         render json: { error: "Access token invalid" }, status: :unauthorized
       end
     end

data/lib/gamora/authentication/session.rb

@@ -11,18 +11,12 @@ module Gamora
 
       private
 
-      def validate_authentication!
-        return if current_user.present?
-
-        session["gamora.origin"] = request.original_url
-        user_authentication_failed!
-      end
-
       def access_token
         session[:access_token]
       end
 
-      def user_authentication_failed!
+      def authentication_failed!
+        session["gamora.origin"] = request.original_url
         redirect_to gamora.authentication_path
       end
     end

data/lib/gamora/client.rb

@@ -20,13 +20,25 @@ module Gamora
           token_method: Configuration.token_method,
           redirect_uri: Configuration.redirect_uri,
           userinfo_url: Configuration.userinfo_url,
-          authorize_url: Configuration.authorize_url
+          authorize_url: Configuration.authorize_url,
+          introspect_url: Configuration.introspect_url
         }
       end
     end
 
     def userinfo(access_token)
-      response = userinfo_request(access_token)
+      params = userinfo_params(access_token)
+      opts = request_options(params)
+      response = request(:post, options[:userinfo_url], opts)
+      JSON.parse(response.body).symbolize_keys
+    rescue OAuth2::Error
+      {}
+    end
+
+    def introspect(access_token)
+      params = introspect_params(access_token)
+      opts = request_options(params)
+      response = request(:post, options[:introspect_url], opts)
       JSON.parse(response.body).symbolize_keys
     rescue OAuth2::Error
       {}
@@ -34,15 +46,22 @@ module Gamora
 
     private
 
-    def userinfo_request(access_token)
-      opts = userinfo_request_options(access_token)
-      request(:post, options[:userinfo_url], opts)
+    def request_options(params)
+      {
+        body: params.to_json,
+        headers: { "Content-Type": "application/json" }
+      }
     end
 
-    def userinfo_request_options(access_token)
+    def userinfo_params(access_token)
+      { access_token: access_token }
+    end
+
+    def introspect_params(access_token)
       {
-        body: { access_token: access_token }.to_json,
-        headers: { "Content-Type": "application/json" }
+        token: access_token,
+        client_id: Configuration.client_id,
+        client_secret: Configuration.client_secret
       }
     end
   end

data/lib/gamora/configuration.rb

@@ -6,8 +6,9 @@ module Gamora
     mattr_accessor :client_secret, default: nil
     mattr_accessor :site, default: nil
     mattr_accessor :token_url, default: "/oauth2/token"
-    mattr_accessor :authorize_url, default: "/oauth2/authorize"
     mattr_accessor :userinfo_url, default: "/oauth2/userinfo"
+    mattr_accessor :authorize_url, default: "/oauth2/authorize"
+    mattr_accessor :introspect_url, default: "/oauth2/introspect"
     mattr_accessor :token_method, default: :post
     mattr_accessor :redirect_uri, default: nil
     mattr_accessor :default_scope, default: "openid profile email"
@@ -16,7 +17,9 @@ module Gamora
     mattr_accessor :default_branding, default: "amco"
     mattr_accessor :default_theme, default: "default"
     mattr_accessor :ui_locales, default: -> { I18n.locale }
-    mattr_accessor :userinfo_cache_expires_in, default: 0.seconds
+    mattr_accessor :userinfo_cache_expires_in, default: 1.minute
+    mattr_accessor :introspect_cache_expires_in, default: 0.seconds
+    mattr_accessor :whitelisted_clients, default: []
 
     def setup
       yield(self) if block_given?

data/lib/gamora/user.rb

@@ -7,6 +7,7 @@ module Gamora
     attr_accessor :id,
                   :roles,
                   :email,
+                  :username,
                   :last_name,
                   :first_name,
                   :phone_number,

data/lib/gamora/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Gamora
-  VERSION = "0.8.0"
+  VERSION = "0.10.0"
 end

data/lib/generators/gamora/templates/gamora.rb

@@ -8,8 +8,9 @@ Gamora.setup do |config|
 
   # ===> Optional OAuth2 configuration options and its defaults.
   # config.token_url = "/oauth2/token"
-  # config.authorize_url = "/oauth2/authorize"
   # config.userinfo_url = "/oauth2/userinfo"
+  # config.authorize_url = "/oauth2/authorize"
+  # config.introspect_url = "/oauth2/introspect"
   # config.token_method = :post
   # config.redirect_uri = nil
   # config.default_scope = "openid profile email"
@@ -18,5 +19,7 @@ Gamora.setup do |config|
   # config.default_branding = "amco"
   # config.default_theme = "default"
   # config.ui_locales = -> { I18n.locale }
-  # config.userinfo_cache_expires_in = 0.seconds
+  # config.userinfo_cache_expires_in = 1.minute
+  # config.introspect_cache_expires_in = 0.seconds
+  # config.whitelisted_clients = []
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gamora
 version: !ruby/object:Gem::Version
-  version: 0.8.0
+  version: 0.10.0
 platform: ruby
 authors:
 - Alejandro Gutiérrez
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-11-21 00:00:00.000000000 Z
+date: 2023-12-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: oauth2