grape_token_auth 0.0.0 → 0.1.0.rc1

data/lib/grape_token_auth/orm_integrations/active_record_token_auth.rb

@@ -0,0 +1,310 @@
+require 'bcrypt'
+
+module GrapeTokenAuth
+  module ActiveRecord
+    module TokenAuth
+      attr_accessor :password, :password_confirmation
+
+      def self.included(base)
+        base.serialize :tokens, JSON
+        base.after_initialize { self.tokens ||= {} }
+        base.validates :password, presence: true, on: :create
+        base.validate :password_confirmation_matches,
+                      if: :encrypted_password_changed?
+        base.validates :email, uniqueness: { scope: :provider },
+                               format: { with: Configuration::EMAIL_VALIDATION,
+                                         message: 'invalid email' }, allow_blank: true
+        base.before_update :synchronize_email_and_uid
+
+        class << base
+          def exists_in_column?(column, value)
+            where(column => value).count > 0
+          end
+
+          def find_with_reset_token(attributes)
+            original_token = attributes[:reset_password_token]
+            reset_password_token = LookupToken.digest(:reset_password_token,
+                                                      original_token)
+
+            recoverable = find_or_initialize_by(reset_password_token:
+                                                reset_password_token)
+
+            return nil unless recoverable.persisted?
+
+            recoverable.reset_password_token = original_token
+            recoverable
+          end
+
+          def reset_token_lifespan
+            @reset_token_lifespan || 60 * 60 * 6 # 6 hours
+          end
+
+          def confirmation_token_lifespan
+            @confirmat_token_lifespan || 60 * 60 * 24 * 3 # 3 days
+          end
+
+          def confirm_by_token(token)
+            confirmation_digest = LookupToken.digest(:confirmation_token,
+                                                     token)
+            confirmable = find_or_initialize_by(confirmation_token:
+                                                confirmation_digest)
+
+            return nil unless confirmable.persisted?
+
+            confirmable.confirm
+            confirmable
+          end
+
+          def serialize_into_session(record)
+            [record.to_key, record.authenticatable_salt]
+          end
+
+          def serialize_from_session(key, salt)
+            record = get(key)
+            record if record && record.authenticatable_salt == salt
+          end
+
+          def get(key)
+            find(key).first
+          end
+
+          attr_writer :reset_token_lifespan
+          attr_writer :confirmation_token_lifespan
+          attr_accessor :case_insensitive_keys
+        end
+      end
+
+      def authenticatable_salt
+      end
+
+      def reset_password_period_valid?
+        return false unless reset_password_sent_at
+        expiry = reset_password_sent_at.utc + self.class.reset_token_lifespan
+        Time.now.utc <= expiry
+      end
+
+      def reset_password(password, password_confirmation)
+        self.password = password
+        self.password_confirmation = password_confirmation
+        save
+      end
+
+      def password_confirmation_matches
+        return if password.present? && password_confirmation.present? &&
+                  password == password_confirmation
+        errors.add(:password_confirmation,
+                   'password confirmation does not match')
+      end
+
+      def create_new_auth_token(client_id = nil)
+        self.tokens = {} if tokens.nil?
+        token = Token.new(client_id)
+        last_token = tokens.fetch(client_id, {})['token']
+        tokens[token.client_id] = token.to_h.merge(last_token: last_token)
+        self.save!
+
+        build_auth_header(token)
+      end
+
+      def valid_token?(token, client_id)
+        return false unless tokens && tokens[client_id]
+        return true if token_is_current?(token, client_id)
+        return true if token_can_be_reused?(token, client_id)
+
+        false
+      end
+
+      def password=(new_password)
+        @password = new_password
+        self.encrypted_password = BCrypt::Password.create(new_password)
+      end
+
+      def valid_password?(password)
+        BCrypt::Password.new(encrypted_password) == password
+      end
+
+      def while_record_locked(&block)
+        with_lock(&block)
+      end
+
+      def extend_batch_buffer(token, client_id)
+        token_hash = tokens[client_id]
+        token_hash[:updated_at] = Time.now
+        expiry = token_hash[:expiry] || token_hash['expiry']
+        save!
+        build_auth_header(Token.new(client_id, token, expiry))
+      end
+
+      # Copied out of Devise. Excludes the serialization blacklist.
+      def serializable_hash(options = nil)
+        options ||= {}
+        options[:except] = Array(options[:except])
+
+        if options[:force_except]
+          options[:except].concat Array(options[:force_except])
+        else
+          blacklist = GrapeTokenAuth.configuration.serialization_blacklist
+          options[:except].concat blacklist
+        end
+
+        super(options)
+      end
+
+      def send_reset_password_instructions(opts)
+        token = set_reset_password_token
+
+        opts ||= {}
+        opts[:client_config] ||= 'default'
+        opts[:token] = token
+        opts[:to] = email
+
+        GrapeTokenAuth.send_notification(:reset_password_instructions, opts)
+
+        token
+      end
+
+      def send_confirmation_instructions(opts)
+        opts ||= {}
+        token = generate_confirmation_token!
+        opts[:token] = token
+
+        # fall back to "default" config name
+        opts[:client_config] ||= 'default'
+        opts[:to] = pending_reconfirmation? ? unconfirmed_email : email
+
+        GrapeTokenAuth.send_notification(:confirmation_instructions,  opts)
+        token
+      end
+
+      # devise method
+      def confirm(args = {})
+        pending_any_confirmation do
+          if confirmation_period_expired?
+            errors.add(:email, :confirmation_period_expired)
+            return false
+          end
+
+          self.confirmed_at = Time.now.utc
+
+          #if self.class.reconfirmable && unconfirmed_email.present?
+          #  self.email = unconfirmed_email
+          #  self.unconfirmed_email = nil
+
+          #  # We need to validate in such cases to enforce e-mail uniqueness
+          #  saved = save(validate: true)
+          #else
+          saved = save(validate: args[:ensure_valid] == true)
+
+          after_confirmation if saved
+          saved
+        end
+      end
+
+      def build_auth_url(url, params)
+        url = URI(url)
+        expiry = tokens[params[:client_id]][:expiry]
+        url.query = params.merge(uid: uid, expiry: expiry).to_query
+        url.to_s
+      end
+
+      def pending_reconfirmation?
+        unconfirmed_email.present?
+      end
+
+      def confirmed?
+        !!confirmed_at
+      end
+
+      def skip_confirmation!
+        self.confirmed_at = Time.now.utc
+      end
+
+      def confirmation_period_expired?
+        confirmation_sent_at && (Time.now > confirmation_sent_at + self.class.confirmation_token_lifespan)
+      end
+
+      def after_confirmation
+      end
+
+      def token_validation_response
+        as_json(except: [:tokens, :created_at, :updated_at])
+      end
+
+      private
+
+      # devise method
+      def pending_any_confirmation
+        if (!confirmed? || pending_reconfirmation?)
+          yield
+        else
+          self.errors.add(:email, :already_confirmed)
+          false
+        end
+      end
+
+      def generate_confirmation_token!
+        token, enc = GrapeTokenAuth::LookupToken.generate(self.class,
+                                                          :confirmation_token)
+        self.confirmation_token     = enc
+        self.confirmation_sent_at = Time.now.utc
+        save(validate: false)
+        token
+      end
+
+      def set_reset_password_token
+        token, enc = GrapeTokenAuth::LookupToken.generate(self.class,
+                                                          :reset_password_token)
+
+        self.reset_password_token   = enc
+        self.reset_password_sent_at = Time.now.utc
+        save(validate: false)
+        token
+      end
+
+      def synchronize_email_and_uid
+        self.uid = email if provider == 'email'
+      end
+
+      def token_is_current?(token, client_id)
+        client_id_info = tokens[client_id]
+        expiry     = client_id_info['expiry'] || client_id_info[:expiry]
+        token_hash = client_id_info['token'] || client_id_info[:token]
+        return false unless expiry && token
+        return false unless DateTime.strptime(expiry.to_s, '%s') > Time.now
+        return false unless tokens_match?(token_hash, token)
+        true
+      end
+
+      def fetch_with_indifference(hash, key)
+        hash[key.to_sym] || hash[key.to_s]
+      end
+
+      def token_can_be_reused?(token, client_id)
+        updated_at = fetch_with_indifference(tokens[client_id], :updated_at)
+        last_token = fetch_with_indifference(tokens[client_id], :last_token)
+        return false unless updated_at && last_token
+        return false unless within_batch_window?(Time.parse(updated_at))
+        return false unless tokens_match?(last_token, token)
+        true
+      end
+
+      def tokens_match?(token_hash, token)
+        BCrypt::Password.new(token_hash) == token
+      end
+
+      def within_batch_window?(time)
+        time > Time.now - GrapeTokenAuth.batch_request_buffer_throttle
+      end
+
+      def build_auth_header(token)
+        {
+          'access-token' => token.to_s,
+          'expiry' => token.expiry.to_s,
+          'client' => token.client_id.to_s,
+          'token-type' => 'Bearer',
+          'uid' => uid.to_s
+        }
+      end
+    end
+  end
+end

data/lib/grape_token_auth/resource/resource_creator.rb

@@ -0,0 +1,48 @@
+require_relative 'resource_crud_base'
+
+module GrapeTokenAuth
+  class ResourceCreator < ResourceCrudBase
+    def create!
+      validate_scope!
+      validate_params!
+      return false unless errors.empty?
+      create_resource!
+      return false unless errors.empty?
+      resource
+    end
+
+    private
+
+    def create_resource!
+      @resource = resource_class.create(permitted_params.merge(provider: 'email'))
+      return if @resource.valid?
+      pull_validation_messages
+    end
+
+    def permitted_attributes
+      white_list = GrapeTokenAuth.configuration.param_white_list || {}
+      other_attributes = white_list[scope] || []
+      [:email, :password, :password_confirmation] + other_attributes
+    end
+
+    def validate_params!
+      unpack_params.each do |label, value|
+        errors << validation_message(label, value)
+      end
+      errors.compact!
+    end
+
+    def unpack_params
+      [:email, :password_confirmation, :password]
+        .each_with_object({}) do |key, unpacked|
+        unpacked[key] = find_with_indifference(params, key)
+      end
+    end
+
+    def validation_message(label, value)
+      return "#{label} is required" unless value
+      return "#{label} must be a string" unless value.is_a? String
+      nil
+    end
+  end
+end

data/lib/grape_token_auth/resource/resource_crud_base.rb

@@ -0,0 +1,43 @@
+module GrapeTokenAuth
+  class ResourceCrudBase
+    attr_reader :resource, :errors, :scope
+
+    def initialize(params, configuration, scope = :user)
+      @configuration = configuration
+      @params = params
+      @errors = []
+      @scope = scope
+    end
+
+    protected
+
+    attr_reader :configuration, :params, :resource_class
+
+    def validate_scope!
+      @resource_class = configuration.scope_to_class(scope)
+      fail ScopeUndefinedError.new(nil, scope) unless resource_class
+    end
+
+    def pull_validation_messages
+      @resource.errors.messages.map do |k, v|
+        v.each { |e| errors << "#{k} #{e}" }
+      end
+    end
+
+    def permitted_params
+      permitted_attributes.each_with_object({}) do |key, permitted|
+        value = find_with_indifference(params, key)
+        permitted[key] = value if value
+      end
+    end
+
+    def find_with_indifference(hash, key)
+      if hash.key?(key.to_sym)
+        return hash[key.to_sym]
+      elsif hash.key?(key.to_s)
+        return hash[key.to_s]
+      end
+      nil
+    end
+  end
+end

data/lib/grape_token_auth/resource/resource_finder.rb

@@ -0,0 +1,53 @@
+module GrapeTokenAuth
+  class ResourceFinder
+    def initialize(scope, params)
+      @scope = scope
+      @params = params
+      set_resource_class
+      set_finder_key
+    end
+
+    def self.find(scope, params)
+      new(scope, params).find_resource
+    end
+
+    def find_resource
+      return unless finder_key
+      find_resource_by_key
+    end
+
+    private
+
+    attr_reader :scope, :params, :resource_class, :finder_key
+
+    def set_finder_key
+      auth_keys = configuration.authentication_keys
+      @finder_key = (params.keys.map(&:to_sym) & auth_keys).first
+    end
+
+    def find_resource_by_key
+      query_value = params[finder_key] || params[finder_key.to_s]
+      query = "#{finder_key} = ? AND provider='email'"
+
+      insensitive_keys = resource_class.case_insensitive_keys
+      if insensitive_keys && insensitive_keys.include?(finder_key)
+        query_value.downcase!
+      end
+
+      resource_class.where(query, query_value).first
+
+#      if ActiveRecord::Base.connection.adapter_name.downcase.starts_with? 'mysql'
+#        q = "BINARY " + q
+#      end
+    end
+
+    def configuration
+      GrapeTokenAuth.configuration
+    end
+
+    def set_resource_class
+      @resource_class = configuration.scope_to_class(scope)
+      fail(ScopeUndefinedError.new(scope)) unless resource_class
+    end
+  end
+end

data/lib/grape_token_auth/resource/resource_updater.rb

@@ -0,0 +1,40 @@
+module GrapeTokenAuth
+  class ResourceUpdater < ResourceCrudBase
+    def initialize(resource, params, configuration, scope = :user)
+      @resource = resource
+      super(params, configuration, scope)
+    end
+
+    def update!
+      validate_scope!
+      return false unless errors.empty?
+      update_resource!
+      return false unless errors.empty?
+      resource
+    end
+
+    private
+
+    def case_fix_params
+      insensitive_keys = resource_class.case_insensitive_keys || []
+      params = permitted_params
+      insensitive_keys.each do |k|
+        value = params[k]
+        params[k] = value.downcase if value
+      end
+      params
+    end
+
+    def update_resource!
+      resource.update(case_fix_params)
+      return if resource.valid?
+      pull_validation_messages
+    end
+
+    def permitted_attributes
+      white_list = GrapeTokenAuth.configuration.param_white_list || {}
+      other_attributes = white_list[scope] || []
+      [:email] + other_attributes
+    end
+  end
+end

data/lib/grape_token_auth/token.rb

@@ -0,0 +1,23 @@
+module GrapeTokenAuth
+  class Token
+    attr_reader :token, :client_id, :expiry
+
+    def initialize(client_id = nil, token = nil, expiry = nil)
+      @client_id = client_id || SecureRandom.urlsafe_base64(nil, false)
+      @token = token || SecureRandom.urlsafe_base64(nil, false)
+      @expiry = expiry || (Time.now + GrapeTokenAuth.token_lifespan).to_i
+    end
+
+    def to_s
+      @token
+    end
+
+    def to_h
+      { expiry: expiry, token: to_password_hash, updated_at: Time.now }
+    end
+
+    def to_password_hash
+      @password_hash ||= BCrypt::Password.create(@token)
+    end
+  end
+end

data/lib/grape_token_auth/token_authentication.rb

@@ -0,0 +1,8 @@
+module GrapeTokenAuth
+  module TokenAuthentication
+    def self.included(base)
+      base.auth :grape_devise_token_auth
+      base.helpers GrapeTokenAuth::ApiHelpers
+    end
+  end
+end

data/lib/grape_token_auth/token_authorizer.rb

@@ -0,0 +1,60 @@
+module GrapeTokenAuth
+  class TokenAuthorizer
+    attr_reader :data
+
+    def initialize(authorizer_data)
+      @data = authorizer_data
+    end
+
+    def authenticate_from_token(scope)
+      initialize_resource_class(scope)
+      return nil unless resource_class
+
+      resource_from_existing_warden_user(scope)
+      return resource if correct_resource_type_logged_in?
+
+      find_resource(scope)
+    end
+
+    def find_resource(scope)
+      initialize_resource_class(scope)
+      return nil unless resource_class
+
+      return nil unless data.token_prerequisites_present?
+
+      load_user_from_uid
+      return nil unless user_authenticated?
+
+      user
+    end
+
+    private
+
+    attr_reader :resource_class, :user, :resource
+
+    def initialize_resource_class(scope)
+      @resource_class =  GrapeTokenAuth.configuration.scope_to_class(scope)
+    end
+
+    def load_user_from_uid
+      @user = resource_class.find_by_uid(data.uid)
+    # TODO: hacky solution to the fact that this statement can fail sporadically
+      # with multiple requests. Nil returned from the statement. but
+      # re-executing the request causes it to pass?
+    rescue ::ActiveRecord::StatementInvalid
+      @user = resource_class.find_by_uid(data.uid)
+    end
+
+    def resource_from_existing_warden_user(scope)
+      @resource = data.exisiting_warden_user(scope)
+    end
+
+    def correct_resource_type_logged_in?
+      resource && resource.class == resource_class
+    end
+
+    def user_authenticated?
+      user && user.valid_token?(data.token, data.client_id)
+    end
+  end
+end

data/lib/grape_token_auth/unauthorized_middleware.rb

@@ -0,0 +1,20 @@
+module GrapeTokenAuth
+  class UnauthorizedMiddleware
+    def self.call(env)
+      warden_opts = env.fetch('warden.options', {})
+      errors = warden_opts['errors'] || warden_opts[:errors]
+      [401,
+       { 'Content-Type' => 'application/json'
+       },
+       prepare_errors(errors)
+      ]
+    end
+
+    def self.prepare_errors(errors)
+      return [] unless errors
+      return [errors.to_json] if errors.class == Hash
+      return [{ 'errors' => errors }.to_json] if errors.class == String
+      []
+    end
+  end
+end

data/lib/grape_token_auth/version.rb

@@ -1,3 +1,3 @@
 module GrapeTokenAuth
-  VERSION = '0.0.0'
+  VERSION = '0.1.0.rc1'
 end

data/lib/grape_token_auth.rb

@@ -1,5 +1,68 @@
-require "grape_token_auth/version"
+require 'grape_token_auth/version'
+require 'forwardable'
+require 'grape'
+Dir.glob(File.expand_path('../**/*.rb', __FILE__)).each { |path| require path }
 
 module GrapeTokenAuth
-  # Your code goes here...
+  class << self
+    extend Forwardable
+
+    attr_writer :configuration
+
+    def configure
+      yield configuration if block_given?
+    end
+
+    def configuration
+      @configuration ||= Configuration.new
+    end
+
+    def_delegators :configuration, :token_lifespan,
+                   :batch_request_buffer_throttle,
+                   :change_headers_on_each_request
+
+    def setup!(&block)
+      add_auth_strategy
+      configure(&block) if block_given?
+    end
+
+    def configure_warden(warden_manager)
+      configuration.mappings.each do |scope, klass|
+        warden_manager.serialize_into_session(scope) do |record|
+          klass.serialize_into_session(record)
+        end
+
+        warden_manager.serialize_from_session(scope) do |key|
+          klass.serialize_from_session(*key)
+        end
+      end
+    end
+
+    def setup_warden!(builder)
+      builder.use Warden::Manager do |manager|
+        manager.failure_app = GrapeTokenAuth::UnauthorizedMiddleware
+        manager.default_scope = :user
+        GrapeTokenAuth.configure_warden(manager)
+      end
+    end
+
+    def set_omniauth_path_prefix!
+      ::OmniAuth.config.path_prefix = configuration.omniauth_prefix
+    end
+
+    def send_notification(notification_type, opts)
+      message = GrapeTokenAuth::Mail.initialize_message(notification_type, opts)
+      configuration.mailer.send!(message, opts)
+    end
+
+    private
+
+    def add_auth_strategy
+      Grape::Middleware::Auth::Strategies.add(
+        :grape_devise_token_auth,
+        GrapeTokenAuth::Middleware,
+        ->(options) { [options] }
+      )
+    end
+  end
 end