gds-sso 13.4.0 → 13.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4c393c1d9c9bba89a0d99faa3c8bc93d3288865c
-  data.tar.gz: 43137c891d2a30c618b7c73294378b422b5abd37
+  metadata.gz: 72fc2354ba2f54ba192293b50861f8aff690edca
+  data.tar.gz: eeaa7c1c30baa2bec9190cf962dd7c83ac042d63
 SHA512:
-  metadata.gz: 17c5755ed0581e06fb11ca975372b962d3b62d1521c724753c16e7502c3236c7f52056bd8e871aef13eb5df7c1a2f49e8d23a777f16bcc144660b188372141aa
-  data.tar.gz: 5e60cbaa4fe46ab34429aa1213afa9c9ba6c6caa9f1940d99abce10dec9d9aa344b6640bddfbeede3a1209f1902321d9d3a6b932b4cd302583cb4158943dae85
+  metadata.gz: 149b0ebb611792c93e615537564092f9f4d5fb212f552a9b041134be095a1769643ca4e02a9ec49117dc74f2965b4ad2c53adf9c4a16574425040ed4a63edd48
+  data.tar.gz: f9f0a816379772d203bc9171ff523dd9fe2bb0918c60920879820823dad4204823048de7b9d3f78fe87a9ae5bab7b0371c1bcabc9278037628efa9a494590b46

data/README.md

@@ -12,7 +12,7 @@ Some of the applications that use this gem:
 
 ## Usage
 
-### Integration with a Rails 3+ app
+### Integration with a Rails 4+ app
 
 To use gds-sso you will need an oAuth client ID and secret for Signon or a compatible system.
 These can be provided by one of the team with admin access to Signon.
@@ -130,6 +130,18 @@ GDS::SSO.config do |config|
 end
 ```
 
+If you are using a Rails 5 app in
+[api_only](http://guides.rubyonrails.org/api_app.html) mode this gem will
+automatically disable the oauth layers which use session persistence. You can
+configure this gem to be in api_only mode (or not) with:
+
+```ruby
+GDS::SSO.config do |config|
+  # ...
+  # Only support bearer token authentication and send responses in JSON
+  config.api_only = true
+end
+```
 
 ### Use in development mode
 

data/config/routes.rb

@@ -1,4 +1,5 @@
 Rails.application.routes.draw do
+  next if GDS::SSO::Config.api_only?
   get '/auth/gds/callback',               to: 'authentications#callback', as: :gds_sign_in
   get '/auth/gds/sign_out',               to: 'authentications#sign_out', as: :gds_sign_out
   get  '/auth/failure',                   to: 'authentications#failure',  as: :auth_failure

data/lib/gds-sso/config.rb

@@ -23,6 +23,8 @@ module GDS
       mattr_accessor :cache
       @@cache = ActiveSupport::Cache::NullStore.new
 
+      mattr_writer :api_only
+
       def self.user_klass
         user_model.to_s.constantize
       end
@@ -36,6 +38,12 @@ module GDS
 
         ENV.fetch("GDS_SSO_STRATEGY", default_strategy) == "mock"
       end
+
+      def self.api_only?
+        config = Rails.configuration
+        default = config.respond_to?(:api_only) ? config.api_only : false
+        @@api_only.nil? ? default : @@api_only
+      end
     end
   end
 end

data/lib/gds-sso/controller_methods.rb

@@ -6,10 +6,17 @@ module GDS
 
       def self.included(base)
         base.rescue_from PermissionDeniedException do |e|
-          render "authorisations/unauthorised", layout: "unauthorised", status: :forbidden, locals: { message: e.message }
+          if GDS::SSO::Config.api_only?
+            render json: { message: e.message }, status: :forbidden
+          else
+            render "authorisations/unauthorised", layout: "unauthorised", status: :forbidden, locals: { message: e.message }
+          end
+        end
+
+        unless GDS::SSO::Config.api_only?
+          base.helper_method :user_signed_in?
+          base.helper_method :current_user
         end
-        base.helper_method :user_signed_in?
-        base.helper_method :current_user
       end
 
 

data/lib/gds-sso/failure_app.rb

@@ -8,11 +8,18 @@ module GDS
     class FailureApp < ActionController::Metal
       include ActionController::UrlFor
       include ActionController::Redirecting
+      include AbstractController::Rendering
+      include ActionController::Rendering
+      include ActionController::Renderers
+      use_renderers :json
+
       include Rails.application.routes.url_helpers
 
       def self.call(env)
-        if ::GDS::SSO::ApiAccess.api_call?(env)
-          [ 401, {'WWW-Authenticate' => %(Bearer error="invalid_token") }, [] ]
+        if GDS::SSO::ApiAccess.api_call?(env)
+          action(:api_invalid_token).call(env)
+        elsif GDS::SSO::Config.api_only?
+          action(:api_missing_token).call(env)
         else
           action(:redirect).call(env)
         end
@@ -23,6 +30,14 @@ module GDS
         redirect_to '/auth/gds'
       end
 
+      def api_invalid_token
+        api_unauthorized('Bearer token does not appear to be valid', 'invalid_token')
+      end
+
+      def api_missing_token
+        api_unauthorized('No bearer token was provided', 'invalid_request')
+      end
+
       # Stores requested uri to redirect the user after signing in. We cannot use
       # scoped session provided by warden here, since the user is not authenticated
       # yet, but we still need to store the uri based on scope, so different scopes
@@ -33,6 +48,12 @@ module GDS
         session["return_to"] = request.env['warden.options'][:attempted_path] if request.get?
       end
 
+      private
+
+      def api_unauthorized(message, bearer_error)
+        headers['WWW-Authenticate'] = %(Bearer error="#{bearer_error}")
+        render json: { message: message }, status: :unauthorized
+      end
     end
   end
 end

data/lib/gds-sso/version.rb

@@ -1,5 +1,5 @@
 module GDS
   module SSO
-    VERSION = "13.4.0"
+    VERSION = "13.5.0"
   end
 end

data/lib/gds-sso.rb

@@ -25,6 +25,7 @@ module GDS
       config.before_eager_load { |app| app.reload_routes! }
 
       config.app_middleware.use ::OmniAuth::Builder do
+        next if GDS::SSO::Config.api_only?
         provider :gds, GDS::SSO::Config.oauth_id, GDS::SSO::Config.oauth_secret,
           client_options: {
             site: GDS::SSO::Config.oauth_root_url,