grape_token_auth 0.0.0 → 0.1.0.rc1

data/lib/grape_token_auth/apis/password_api.rb

@@ -0,0 +1,138 @@
+module GrapeTokenAuth
+  # Module that contains the majority of the password reseting functionality.
+  # This module can be included in a Grape::API class that defines a
+  # resource_scope and therefore have all of the functionality with a given
+  # resource (mapping).
+  module PasswordAPICore
+    def self.included(base)
+      base.helpers do
+        def throw_unauthorized(message)
+          throw(:warden, errors: message)
+        end
+
+        def resource_class
+          @rescource_class ||= scope_to_class(resource_scope)
+        end
+
+        def bad_request(messages, code = 422)
+          status(code)
+          { 'status' => 'error', 'error' => messages.join(',') }
+        end
+
+        def validate_redirect_url!(url)
+          white_list = GrapeTokenAuth.configuration.redirect_whitelist
+          return unless white_list
+          url_valid = white_list.include?(url)
+          error!({ errors: 'redirect url is not in whitelist', status: 'error' }, 403) unless url_valid
+        end
+      end
+
+      base.post do
+        email = params[:email]
+        throw_unauthorized('You must provide an email address.') unless email
+
+        redirect_url = params[:redirect_url]
+        validate_redirect_url!(redirect_url)
+        redirect_url ||= GrapeTokenAuth.configuration.default_password_reset_url
+        throw_unauthorized('Missing redirect url.') unless redirect_url
+        resource = ResourceFinder.find(base.resource_scope, params)
+        edit_path = routes[0].route_path.gsub(/\(.*\)/, '') + "/edit"
+        if resource
+          resource.send_reset_password_instructions(
+            provider: 'email',
+            redirect_url: redirect_url,
+            client_config: params[:config_name],
+            edit_path: edit_path
+          )
+
+          if resource.errors.empty?
+            status 200
+            present(success: true,
+                    message: "An email has been sent to #{email} containing " +
+                             'instructions for resetting your password.'
+                   )
+          else
+            return error!({ errors: resource.errors,
+                            status: 'error' }, 400)
+          end
+        else
+          error!({ errors: "Unable to find user with email '#{email}'.",
+                   status: 'error' }, 404)
+        end
+      end
+
+      base.get '/edit' do
+        resource_class = GrapeTokenAuth.configuration.scope_to_class(base.resource_scope)
+        resource = resource_class.find_with_reset_token(
+          reset_password_token: params[:reset_password_token]
+        )
+
+        if resource
+          token = Token.new
+
+          resource.tokens[token.client_id] = {
+            token:  token.to_password_hash,
+            expiry: token.expiry
+          }
+
+          resource.confirm unless resource.confirmed?
+
+          # TODO: ensure that user is confirmed
+          # @resource.skip_confirmation! if @resource.devise_modules.include?(:confirmable) && !@resource.confirmed_at
+
+          resource.save!
+
+          redirect_url = resource.build_auth_url(
+            params[:redirect_url], token: token.to_s, reset_password: true,
+                                   client_id: token.client_id,
+                                   config: params[:config])
+          redirect redirect_url
+        else
+          error!({ success: false }, 404)
+        end
+      end
+
+      base.put do
+        token_authorizer = TokenAuthorizer.new(AuthorizerData.from_env(env))
+        resource = token_authorizer.find_resource(base.resource_scope)
+        throw(:warden) unless resource
+        unless resource.provider == 'email'
+          error!({ errors: 'Password not required.',
+                   status: 'error', success: false }, 422)
+        end
+        # ensure that password params were sent
+        unless params[:password] && params[:password_confirmation]
+          error!({ errors: 'Passwords are missing.',
+                   status: 'error', success: false }, 422)
+        end
+
+        # TODO: previous password confirmation
+        if resource.reset_password(params[:password], params[:password_confirmation])
+          return present json: {
+            success: true,
+            data: {
+              user: resource,
+              message: 'Successfully updated'
+            }
+          }
+        else
+          error!({ success: false,
+            errors: resource.errors.to_hash.merge(full_messages: resource.errors.full_messages)
+          }, 422)
+        end
+      end
+    end
+  end
+
+  # "Empty" Password API where OmniAuthAPICore is mounted, defaults to a :user
+  # resource class
+  class PasswordAPI < Grape::API
+    class << self
+      def resource_scope
+        :user
+      end
+    end
+
+    include PasswordAPICore
+  end
+end

data/lib/grape_token_auth/apis/registration_api.rb

@@ -0,0 +1,88 @@
+module GrapeTokenAuth
+  module RegistrationAPICore
+    def self.included(base)
+      base.helpers do
+        def bad_request(messages, code = 422)
+          status(code)
+          { 'status' => 'error', 'error' => messages.join(',') }
+        end
+
+        def validate_redirect_url!
+          white_list = GrapeTokenAuth.configuration.redirect_whitelist
+          return unless white_list
+          url_valid = white_list.include?(params['confirm_success_url'])
+          errors = ['redirect url is not in whitelist']
+          bad_request(errors, 403) unless url_valid
+        end
+
+        def validate_not_empty!
+          if params.empty?
+            errors = ['email, password, password_confirmation \
+                      params are required']
+            bad_request errors, 422
+          else
+            false
+          end
+        end
+
+        def find_resource(env, mapping)
+          token_authorizer = TokenAuthorizer.new(AuthorizerData.from_env(env))
+          token_authorizer.find_resource(mapping)
+        end
+      end
+
+      base.post '/' do
+        empty_params_error = validate_not_empty!
+        return present(empty_params_error) if empty_params_error
+        redirect_error = validate_redirect_url!
+        return present(redirect_error) if redirect_error
+        mapping = base.resource_scope
+        configuration = GrapeTokenAuth.configuration
+        creator = ResourceCreator.new(params, configuration, mapping)
+        if creator.create!
+          status 200
+          present(data: creator.resource)
+        else
+          present bad_request(creator.errors, 403)
+        end
+      end
+
+      base.delete do
+        user = find_resource(env, base.resource_scope)
+        return present bad_request(['resource not found.'], 404) unless user
+        user.delete
+        status 200
+      end
+
+      base.put do
+        empty_params_error = validate_not_empty!
+        return present(empty_params_error) if empty_params_error
+        resource = find_resource(env, base.resource_scope)
+        return present bad_request(['resource not found.'], 404) unless resource
+
+        updater = ResourceUpdater.new(resource,
+                                      params,
+                                      GrapeTokenAuth.configuration,
+                                      base.resource_scope)
+        if updater.update!
+          status 200
+          present(data: updater.resource)
+        else
+          present bad_request(updater.errors, 403)
+        end
+      end
+
+      base.format :json
+    end
+  end
+
+  class RegistrationAPI < Grape::API
+    class << self
+      def resource_scope
+        :user
+      end
+    end
+
+    include RegistrationAPICore
+  end
+end

data/lib/grape_token_auth/apis/session_api.rb

@@ -0,0 +1,60 @@
+module GrapeTokenAuth
+  module SessionsAPICore
+    def self.included(base)
+      base.helpers do
+        def find_resource(env, mapping)
+          token_authorizer = TokenAuthorizer.new(AuthorizerData.from_env(env))
+          token_authorizer.find_resource(mapping)
+        end
+      end
+
+      base.post '/sign_in' do
+        start_time = Time.now
+        resource = ResourceFinder.find(base.resource_scope, params)
+        unless resource && resource.valid_password?(params[:password])
+          message = 'Invalid login credentials. Please try again.'
+          throw(:warden, errors: { errors: [message], status: 'error' })
+        end
+        unless resource.confirmed?
+          error_message = 'A confirmation email was sent to your account at ' +
+                          "#{resource.email}. You must follow the " +
+                          'instructions in the email before your account can be ' +
+                          'activated'
+          throw(:warden, errors: { errors: [error_message], status: 'error' })
+        end
+
+        data = AuthorizerData.from_env(env)
+        env['rack.session'] ||= {}
+        data.store_resource(resource, base.resource_scope)
+        auth_header = AuthenticationHeader.new(data, start_time)
+        auth_header.headers.each do |key, value|
+          header key.to_s, value.to_s
+        end
+        status 200
+        present data: resource
+      end
+
+      base.delete '/sign_out' do
+        resource = find_resource(env, base.resource_scope)
+
+        if resource
+          resource.tokens.delete(env[Configuration::CLIENT_KEY])
+          resource.save
+          status 200
+        else
+          status 404
+        end
+      end
+    end
+  end
+
+  class SessionsAPI < Grape::API
+    class << self
+      def resource_scope
+        :user
+      end
+    end
+
+    include SessionsAPICore
+  end
+end

data/lib/grape_token_auth/apis/token_validation_api.rb

@@ -0,0 +1,29 @@
+module GrapeTokenAuth
+  # Contains the major functionality of TokenValidation
+  module TokenValidationAPICore
+    def self.included(base)
+      base.get '/validate_token' do
+        token_authorizer = TokenAuthorizer.new(AuthorizerData.from_env(env))
+        resource = token_authorizer.find_resource(base.resource_scope)
+        if resource
+          status 200
+          present data: resource.token_validation_response
+        else
+          throw(:warden, 'errors' => 'Invalid login credentials')
+        end
+      end
+    end
+  end
+
+  # Stub class for TokenValidation where TokenValidationAPICore gets included
+  # which in turn confers the major functionality of the TokenValidationAPI
+  class TokenValidationAPI < Grape::API
+    class << self
+      def resource_scope
+        :user
+      end
+    end
+
+    include TokenValidationAPICore
+  end
+end

data/lib/grape_token_auth/authentication_header.rb

@@ -0,0 +1,52 @@
+module GrapeTokenAuth
+  class AuthenticationHeader
+    extend Forwardable
+
+    def initialize(data, start_time)
+      @resource = data.first_authenticated_resource
+      @request_start = start_time
+      @data = data
+    end
+
+    def headers
+      return {} unless resource && resource.valid? && client_id
+      auth_headers_from_resource
+    end
+
+    private
+
+    def_delegators :@data, :token, :client_id
+    attr_reader :request_start, :resource
+
+    def auth_headers_from_resource
+      auth_headers = {}
+      resource.while_record_locked do
+        if !GrapeTokenAuth.change_headers_on_each_request
+          auth_headers = resource.extend_batch_buffer(token, client_id)
+        elsif batch_request?
+          resource.extend_batch_buffer(token, client_id)
+        else
+          auth_headers = resource.create_new_auth_token(client_id)
+        end
+      end
+      coerce_headers_to_strings(auth_headers)
+    end
+
+    def coerce_headers_to_strings(auth_headers)
+      auth_headers.each { |k, v|  auth_headers[k] = v.to_s }
+    end
+
+    def batch_request?
+      @batch_request ||= resource.tokens[client_id] &&
+                         resource.tokens[client_id]['updated_at'] &&
+                         within_batch_request_window?
+    end
+
+    def within_batch_request_window?
+      end_of_window = Time.parse(resource.tokens[client_id]['updated_at']) +
+                      GrapeTokenAuth.batch_request_buffer_throttle
+
+      request_start < end_of_window
+    end
+  end
+end

data/lib/grape_token_auth/authorizer_data.rb

@@ -0,0 +1,58 @@
+module GrapeTokenAuth
+  class AuthorizerData
+    attr_reader :uid, :client_id, :token, :expiry, :warden
+
+    def initialize(uid = nil, client_id = nil, token = nil,
+                   expiry = nil, warden = nil)
+      @uid = uid
+      @client_id = client_id || 'default'
+      @token = token
+      @expiry = expiry
+      @warden = warden
+    end
+
+    def self.from_env(env)
+      new(
+        *data_from_env(env),
+        env['warden']
+      )
+    end
+
+    def self.data_from_env(env)
+      [Configuration::UID_KEY,
+      Configuration::CLIENT_KEY,
+      Configuration::ACCESS_TOKEN_KEY,
+      Configuration::EXPIRY_KEY].map do |key|
+        env[key] || env['HTTP_' + key.gsub('-', '_').upcase]
+      end
+    end
+
+    def exisiting_warden_user(scope)
+      warden_user =  warden.user(scope)
+      return unless warden_user && warden_user.tokens[client_id].nil?
+      resource = warden_user
+      resource.create_new_auth_token
+      resource
+    end
+
+    def token_prerequisites_present?
+      !token.nil? && !uid.nil?
+    end
+
+    def fetch_stored_resource(scope)
+      warden.session_serializer.fetch(scope)
+    end
+
+    def store_resource(resource, scope)
+      warden.session_serializer.store(resource, scope)
+    end
+
+    def first_authenticated_resource
+      GrapeTokenAuth.configuration.mappings.each do |scope, _class|
+        resource = fetch_stored_resource(scope)
+        return resource if resource
+      end
+      nil
+    end
+  end
+end

data/lib/grape_token_auth/configuration.rb

@@ -0,0 +1,81 @@
+module GrapeTokenAuth
+  class Configuration
+    ACCESS_TOKEN_KEY = 'access-token'
+    EXPIRY_KEY = 'expiry'
+    UID_KEY = 'uid'
+    CLIENT_KEY = 'client'
+    EMAIL_VALIDATION = /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+\z/
+    SERIALIZATION_BLACKLIST = %i(encrypted_password
+                                 reset_password_token
+                                 reset_password_sent_at
+                                 remember_created_at
+                                 sign_in_count
+                                 current_sign_in_at
+                                 last_sign_in_at
+                                 current_sign_in_ip
+                                 last_sign_in_ip
+                                 password_salt
+                                 confirmation_token
+                                 confirmed_at
+                                 confirmation_sent_at
+                                 remember_token
+                                 unconfirmed_email
+                                 failed_attempts
+                                 unlock_token
+                                 locked_at
+                                 tokens)
+
+    attr_accessor :token_lifespan,
+                  :batch_request_buffer_throttle,
+                  :change_headers_on_each_request,
+                  :mappings,
+                  :redirect_whitelist,
+                  :param_white_list,
+                  :authentication_keys,
+                  :omniauth_prefix,
+                  :additional_serialization_blacklist,
+                  :ignore_default_serialization_blacklist,
+                  :default_password_reset_url,
+                  :smtp_configuration,
+                  :secret,
+                  :digest,
+                  :messages,
+                  :from_address,
+                  :default_url_options,
+                  :mailer
+
+    def initialize
+      @token_lifespan                         = 60 * 60 * 24 * 7 * 2 # 2 weeks
+      @batch_request_buffer_throttle          = 5 # seconds
+      @change_headers_on_each_request         = true
+      @mappings                               = {}
+      @authentication_keys                    = [:email]
+      @omniauth_prefix                        = '/omniauth'
+      @additional_serialization_blacklist     = []
+      @ignore_default_serialization_blacklist = false
+      @default_password_reset_url             = nil
+      @smtp_configuration                     = {}
+      @secret                                 = nil
+      @digest                                 = 'SHA256'
+      @messages                               = Mail::DEFAULT_MESSAGES
+      @from_address                           = nil
+      @default_url_options                    = {}
+      @mailer                                 = GrapeTokenAuth::Mail::SMTPMailer
+    end
+
+    def key_generator
+      fail SecretNotSet unless secret
+      @key_generator ||= CachingKeyGenerator.new(KeyGenerator.new(secret))
+    end
+
+    def serialization_blacklist
+      additional_serialization_blacklist.map(&:to_sym).concat(
+        ignore_default_serialization_blacklist ? [] : SERIALIZATION_BLACKLIST)
+    end
+
+    def scope_to_class(scope = nil)
+      fail MappingsUndefinedError if mappings.empty?
+      mappings[scope]
+    end
+  end
+end

data/lib/grape_token_auth/exceptions.rb

@@ -0,0 +1,29 @@
+module GrapeTokenAuth
+  # Error when an undefined scope was attempted to be used
+  class ScopeUndefinedError < StandardError
+    def initialize(msg, scope = nil)
+      msg ||= "Trying to use an undefined scope #{scope}. A proper \
+               scope to resource class mapping must be set up in the \
+               GrapeTokenAuth configuration."
+      super(msg)
+    end
+  end
+
+  # Error when end-user has not configured any mappings
+  class MappingsUndefinedError < StandardError
+    def message
+      'GrapeTokenAuth mapping are undefined. Define your mappings' +
+        ' within the GrapeTokenAuth configuration'
+    end
+  end
+
+  class Unauthorized < StandardError
+  end
+
+  class SecretNotSet < StandardError
+    def message
+      'GrapeTokenAuth secret is not set, define your secret with a' +
+        ' safe random key in the GrapeTokenAuth configuration'
+    end
+  end
+end

data/lib/grape_token_auth/key_generator.rb

@@ -0,0 +1,44 @@
+require 'thread_safe'
+require 'openssl'
+require 'securerandom'
+
+# Copied from devise
+module GrapeTokenAuth
+  # KeyGenerator is a simple wrapper around OpenSSL's implementation of PBKDF2
+  # It can be used to derive a number of keys for various purposes from a given
+  # secret. This lets Rails applications have a single secure secret, but avoid
+  # reusing that key in multiple incompatible contexts.
+  class KeyGenerator
+    def initialize(secret, options = {})
+      @secret = secret
+      # The default iterations are higher than required for our key derivation
+      # uses on the off chance someone uses this for password storage
+      @iterations = options[:iterations] || 2**16
+    end
+
+    # Returns a derived key suitable for use.  The default key_size is chosen
+    # to be compatible with the default settings
+    # OpenSSL::Digest::SHA1#block_length
+    def generate_key(salt, key_size = 64)
+      OpenSSL::PKCS5.pbkdf2_hmac_sha1(@secret, salt, @iterations, key_size)
+    end
+  end
+
+  # CachingKeyGenerator is a wrapper around KeyGenerator which allows users to
+  # avoid re-executing the key generation process when it's called using the
+  # same salt and key_size
+  class CachingKeyGenerator
+    def initialize(key_generator)
+      @key_generator = key_generator
+      @cache_keys = ThreadSafe::Cache.new
+    end
+
+    # Returns a derived key suitable for use.  The default key_size is chosen
+    # to be compatible with the default settings of
+    # OpenSSL::Digest::SHA1#block_length
+    def generate_key(salt, key_size = 64)
+      key = "#{salt}#{key_size}"
+      @cache_keys[key] ||= @key_generator.generate_key(salt, key_size)
+    end
+  end
+end

data/lib/grape_token_auth/lookup_token.rb

@@ -0,0 +1,46 @@
+module GrapeTokenAuth
+  # Look up tokens are a type of token that allows searching by that token. This
+  # is useful in use cases such as confirmation tokens. These type of tokens are
+  # not appropriate for auth. In auth, look up is done via uid and
+  # verification/persitance with BCrypt. In short, this is a utility class that
+  # should not be used unless you are sure of your need.
+  class LookupToken
+    module ClassMethods
+      # copied from devise, creates a token that is url safe without ambigous
+      # characters
+      def friendly_token(length = 20)
+        rlength = (length * 3) / 4
+        SecureRandom.urlsafe_base64(rlength).tr('lIO0', 'sxyz')
+      end
+
+      def generate(authenticatable_klass, column)
+        loop do
+          raw = friendly_token
+          enc = digest(column, raw)
+          unless authenticatable_klass.exists_in_column?(column, enc)
+            break [raw, enc]
+          end
+        end
+      end
+
+      def digest(column, value)
+        return unless value.present?
+        key = key_for(column)
+        OpenSSL::HMAC.hexdigest(open_ssl_digest, key, value)
+      end
+
+      def open_ssl_digest
+        GrapeTokenAuth.configuration.digest
+      end
+
+      private
+
+      def key_for(column)
+        GrapeTokenAuth.configuration.key_generator
+          .generate_key("GTA column #{column}")
+      end
+    end
+
+    extend ClassMethods
+  end
+end

data/lib/grape_token_auth/mail/mail.rb

@@ -0,0 +1,28 @@
+require_relative 'message_base'
+require_relative 'messages/password_reset/password_reset_email'
+require_relative 'messages/confirmation/confirmation_email'
+
+module GrapeTokenAuth
+  module Mail
+    DEFAULT_MESSAGES = {
+      reset_password_instructions: PasswordResetEmail,
+      confirmation_instructions: ConfirmationEmail
+    }
+
+    class << self
+      def initialize_message(message_type, opts)
+        messages = GrapeTokenAuth.configuration.messages
+        return nil unless messages.key?(message_type)
+        messages[message_type].new(opts)
+      end
+
+      private
+
+      def valid_email_options?(opts)
+        to_address = opts[:to] || opts['to']
+        return false unless to_address
+        true
+      end
+    end
+  end
+end

data/lib/grape_token_auth/mail/message_base.rb

@@ -0,0 +1,34 @@
+module GrapeTokenAuth
+  module Mail
+    class MessageBase
+      attr_accessor :text_body, :html_body, :url_options, :subject, :opts
+
+      def initialize(opts)
+        @opts = opts
+        @to_address = opts[:to]
+      end
+
+      def text_body
+        text_template.result(binding)
+      end
+
+      def html_body
+        html_template.result(binding)
+      end
+
+      protected
+
+      def url_options
+        @url_options || GrapeTokenAuth.configuration.default_url_options
+      end
+
+      def text_template
+        ERB.new(File.read(self.class::TEXT_TEMPLATE))
+      end
+
+      def html_template
+        ERB.new(File.read(self.class::HTML_TEMPLATE))
+      end
+    end
+  end
+end