groovestack-auth 0.1.1

data/config/initializers/devise_token_auth.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+if defined?(DeviseTokenAuth)
+  DeviseTokenAuth.setup do |config|
+    # By default the authorization headers will change after each request. The
+    # client is responsible for keeping track of the changing tokens. Change
+    # this to false to prevent the Authorization header from changing after
+    # each request.
+    config.change_headers_on_each_request = false
+
+    # By default, users will need to re-authenticate after 2 weeks. This setting
+    # determines how long tokens will remain valid after they are issued.
+    # config.token_lifespan = 2.weeks
+
+    # Limiting the token_cost to just 4 in testing will increase the performance of
+    # your test suite dramatically. The possible cost value is within range from 4
+    # to 31. It is recommended to not use a value more than 10 in other environments.
+    config.token_cost = Rails.env.test? ? 4 : 10
+
+    # Sets the max number of concurrent devices per user, which is 10 by default.
+    # After this limit is reached, the oldest tokens will be removed.
+    # config.max_number_of_devices = 10
+
+    # Sometimes it's necessary to make several requests to the API at the same
+    # time. In this case, each request in the batch will need to share the same
+    # auth token. This setting determines how far apart the requests can be while
+    # still using the same auth token.
+    # config.batch_request_buffer_throttle = 5.seconds
+
+    # This route will be the prefix for all oauth2 redirect callbacks. For
+    # example, using the default '/omniauth', the github oauth2 provider will
+    # redirect successful authentications to '/omniauth/github/callback'
+    config.omniauth_prefix = '/users/auth'
+
+    config.cookie_attributes = {
+      expires: 10.seconds
+    }
+
+    # By default sending current password is not needed for the password update.
+    # Uncomment to enforce current_password param to be checked before all
+    # attribute updates. Set it to :password if you want it to be checked only if
+    # password is updated.
+    # config.check_current_password_before_update = :attributes
+
+    # By default we will use callbacks for single omniauth.
+    # It depends on fields like email, provider and uid.
+    config.default_callbacks = false
+
+    # Makes it possible to change the headers names
+    config.headers_names = {
+      authorization: 'Authorization',
+      'access-token': 'access-token',
+      client: 'client',
+      expiry: 'expiry',
+      id: 'id',
+      'token-type': 'token-type'
+    }
+
+    # Makes it possible to use custom uid column
+    config.other_uid = 'id'
+
+    # By default, only Bearer Token authentication is implemented out of the box.
+    # If, however, you wish to integrate with legacy Devise authentication, you can
+    # do so by enabling this flag. NOTE: This feature is highly experimental!
+    # config.enable_standard_devise_support = false
+
+    # By default DeviseTokenAuth will not send confirmation email, even when including
+    # devise confirmable module. If you want to use devise confirmable module and
+    # send email, set it to true. (This is a setting for compatibility)
+    # config.send_confirmation_email = true
+  end
+end

data/config/initializers/graphql_devise.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+if defined?(GraphqlDevise)
+  ActiveSupport.on_load(:after_initialize) do # rubocop:disable Metrics/BlockLength
+    module DeviseTokenAuth
+      module Concerns
+        module ActiveRecordSupport
+          extend ActiveSupport::Concern
+
+          class_methods do
+            # Override to remove provider from attrs b/c use identity model
+            def dta_find_by(attrs = {})
+              attrs.delete(:provider)
+              attrs.delete('provider')
+              find_by(attrs)
+            end
+          end
+        end
+      end
+    end
+
+    class User < ActiveRecord::Base
+      # Override to remove provider from attrs b/c use identity model
+      def self.dta_find_by(attrs = {})
+        attrs.delete(:provider)
+        attrs.delete('provider')
+        find_by(attrs)
+      end
+    end
+
+    User.include ::GraphqlDevise::Authenticatable
+
+    module AugmentedGraphqlDeviseRegisterArgs
+      extend ActiveSupport::Concern
+
+      included do
+        argument :name, String, required: true
+      end
+    end
+
+    GraphqlDevise::Mutations::Register.include AugmentedGraphqlDeviseRegisterArgs
+
+    GraphqlDevise::Mutations::Register.class_eval do
+      private
+
+      def build_resource(attrs)
+        # NOTE: remove provider from attrs b/c use identity model
+        attrs.delete(:provider)
+        attrs[:roles] = [Users::Roles::Role::ADMIN] unless Core::Config::App.generate_config[:has_admins]
+        resource_class.new(attrs)
+      end
+    end
+
+    GraphqlDevise::Types::AuthenticatableType.class_eval do
+      field :id, GraphQL::Types::ID, null: false
+    end
+  end
+end

data/config/initializers/omniauth.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+Rails.application.config.middleware.use OmniAuth::Builder do
+  Groovestack::Auth.configured_providers(ancestor: Groovestack::Auth::Providers::OmniAuth).each do |p|
+    provider(*p.generate_omniauth_args)
+  end
+end
+
+module Groovestack
+  module Auth
+    class OmniauthFailureEndpoint < OmniAuth::FailureEndpoint
+      def call
+        # raise_out! if OmniAuth.config.failure_raise_out_environments.include?(ENV['RACK_ENV'].to_s)
+        redirect_to_failure
+      end
+    end
+  end
+end
+
+OmniAuth.config.on_failure = Groovestack::Auth::OmniauthFailureEndpoint
+
+module OmniAuth
+  module Strategies
+    class Apple < OmniAuth::Strategies::OAuth2
+      def request_phase
+        # https://github.com/omniauth/omniauth/issues/975
+
+        # since apple uses POST to callback, can't store in session
+        # need to store omniauth params as a cookie
+
+        auth_params = authorize_params # add state & nonce to session values to persisted cookies
+
+        cookies.encrypted['apple_omniauth_params'] = {
+          same_site: :none,
+          expires: 1.minute.from_now,
+          secure: true,
+          value: JSON.generate({ origin: session['omniauth.origin'] || request.env['HTTP_REFERER'],
+                                 state: auth_params[:state], nonce: auth_params[:nonce] })
+        }
+
+        super
+      end
+
+      def callback_phase # rubocop:disable Metrics/AbcSize
+        # add omniauth params back to session
+
+        apple_omniauth_params = JSON.parse(cookies.encrypted['apple_omniauth_params'])
+        cookies.delete('apple_omniauth_params')
+        env['omniauth.origin'] = apple_omniauth_params['origin']
+        session['omniauth.origin'] = apple_omniauth_params['origin']
+        session['omniauth.state'] = apple_omniauth_params['state']
+        session['omniauth.nonce'] = apple_omniauth_params['nonce']
+
+        super
+      end
+
+      def authorize_params
+        # memoize so they aren't regenerated in the request_phase super call
+        @authorize_params ||= super.merge(nonce: new_nonce)
+      end
+
+      private
+
+      def cookies
+        request.env['action_dispatch.cookies']
+      end
+    end
+  end
+end

data/config/routes.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+Groovestack::Auth::Railtie.routes.draw do
+  if defined?(Devise)
+    devise_scope :user do
+      match '/users/auth/:provider/callback', to: 'groovestack/auth/omniauth_callbacks#verified', via: %i[get post],
+                                              as: :omniauth_callback
+      get '/users/auth/failure', to: 'groovestack/auth/omniauth_callbacks#omniauth_failure', as: :omniauth_failure
+    end
+  end
+end

data/config.ru

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'rubygems'
+require 'bundler'
+
+Bundler.require :default, :development
+
+Combustion.schema_format = :sql
+Combustion.initialize! :active_record
+
+# Combustion.initialize! :all
+run Combustion::Application

data/db/migrate/20231103172517_create_users.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+# dynamic rails major version as recommended by perplexity
+class CreateUsers < ActiveRecord::Migration[Gem::Version.new(Rails.version).segments.first.to_f]
+  def change # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
+    create_table :users, id: :uuid do |t|
+      ## Database authenticatable
+      t.string :encrypted_password, null: false, default: ''
+
+      ## Recoverable
+      t.string   :reset_password_token
+      t.datetime :reset_password_sent_at
+      t.boolean  :allow_password_change, default: false, null: false
+
+      ## Rememberable
+      t.datetime :remember_created_at
+
+      ## Trackable
+      t.integer  :sign_in_count, default: 0, null: false
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.inet     :current_sign_in_ip
+      t.inet     :last_sign_in_ip
+
+      ## Confirmable
+      t.string   :confirmation_token
+      t.datetime :confirmed_at
+      t.datetime :confirmation_sent_at
+      t.string   :unconfirmed_email # Only if using reconfirmable
+
+      # Lockable
+      # t.integer  :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts
+      # t.string   :unlock_token # Only if unlock strategy is :email or :both
+      # t.datetime :locked_at
+
+      ## User Info
+      t.string :name
+      t.string :email
+      t.jsonb  :roles, null: false, default: []
+      t.string :language
+      t.string :image
+
+      ## Tokens
+      t.json :tokens
+
+      t.timestamps
+    end
+
+    add_index :users, :email,                unique: true
+    add_index :users, :reset_password_token, unique: true
+    add_index :users, :confirmation_token,   unique: true
+    # add_index :users, :unlock_token,         unique: true
+  end
+end

data/db/migrate/20231103174037_create_identities.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# dynamic rails major version as recommended by perplexity
+class CreateIdentities < ActiveRecord::Migration[Gem::Version.new(Rails.version).segments.first.to_f]
+  def change
+    create_table :identities, id: :uuid do |t|
+      t.string :provider
+      t.string :uid
+      t.jsonb :omniauth_data
+
+      t.references :user, foreign_key: true, index: false, null: false, type: :uuid
+
+      t.timestamps
+    end
+
+    add_index :identities, %i[user_id provider], unique: true
+    add_index :identities, %i[provider uid], unique: true
+  end
+end

data/docs/apple-oauth-local-dev.adoc

@@ -0,0 +1,67 @@
+= Local Development with Apple OAuth & create-groovestack
+
+Sign-In with Apple does not allow `localhost` as a valid callback URL. It also requires SSL. This means that you won't be able to test your Apple OAuth integration out of the box. To enable local development with Apple OAuth in your bootstrapped Groovestack app, you have a few options.
+
+== ngrok (or similar)
+Use a tool like https://ngrok.com/[ngrok] to create a temporary public https:// URL for your local development environment. Add this URL to your Apple OAuth config as well as the callback url ending with `/users/auth/apple/callback`. For example, if your ngrok URL is `https://12345678.ngrok.io`, your Apple OAuth domain would be `12345678.ngrok.io` and your callback URL would be `https://12345678.ngrok.io/users/auth/apple/callback.`
+
+== Custom Host Entry
+Add a custom host entry to your `/etc/hosts` file for a testing URL and point it to your local machine. For example, you could add the following to your `/etc/hosts` file:
+
+[source,shell]
+----
+127.0.0.1	local.groovestack-demo.com
+----
+
+Register the custom host with your Apple OAuth config. I.e. set the domain to `local.groovestack-demo.com` and the callback URL to `https://local.groovestack-demo.com:3000/users/auth/apple/callback`. (create-groovestack runs on port 3000 out of the box so be sure to include this in your callback URL).
+
+Now generate a self-signed certificate for `local.groovestack-demo.com` using https://github.com/FiloSottile/mkcert[mkcert].
+
+[source,shell]
+----
+mkcert local.groovestack-demo.com
+----
+This will generate a `local.groovestack-demo.com.pem` and `local.groovestack-demo.com-key.pem` file in your current directory. Make sure the new cert is marked as trusted.
+
+Finally, enable SSL in your rails vite app.
+
+=== Procfile.dev
+
+Update your Procfile.dev web command to serve ssl
+[source,ruby]
+----
+web: bin/rails s -b 'ssl://localhost:3000?key=local.groovestack-demo.com-key.pem&cert=local.groovestack-demo.com.pem&verify_mode=none'
+----
+
+=== Vite
+
+Add the following development options in your `vite.json` file.
+[source, ts]
+----
+"host": "local.groovestack-demo.com",
+"https": true,
+----
+
+Add the following server options to your `vite.config.ts` file.
+[source, ts]
+----
+import { existsSync, readFileSync } from "fs";
+import { resolve } from "path";
+
+// resolve your certificate
+const certPath = resolve('.', "local.groovestack-demo.com.pem");
+const keyPath = resolve('.', "local.groovestack-demo.com-key.pem");
+const https = existsSync(certPath) ? { key: readFileSync(keyPath), cert: readFileSync(certPath) } : {};
+
+// add the server config options
+server: { 
+  host: 'local.groovestack-demo.com',
+  https 
+},
+----
+
+Finally, don't forget to add your new host to your `development.rb` file.
+[source,ruby]
+----
+config.hosts << "local.groovestack-demo.com"
+----

data/groovestack-auth.gemspec

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require_relative 'lib/groovestack/auth/version'
+
+Gem::Specification.new do |spec|
+  spec.name = 'groovestack-auth'
+  spec.version = Groovestack::Auth::VERSION
+  spec.authors = ['Max Schridde']
+  spec.email = ['maxjschridde@gmail.com']
+
+  spec.summary = 'Groovestack extension for application authentication'
+  spec.description = 'Groovestack::Auth is an authentication extension for the Groovestack Platform.'
+  spec.post_install_message = 'Groovestack::Auth installed'
+
+  spec.homepage = 'https://github.com/talysto/groovestack-core/'
+  spec.required_ruby_version = '>= 3.1.0'
+
+  spec.metadata['allowed_push_host'] = 'https://rubygems.org'
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = 'https://github.com/talysto/groovestack-core/'
+  spec.metadata['changelog_uri'] = 'https://github.com/talysto/groovestack-core/'
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'groovestack-base', '>= 0.1.7'
+  spec.add_dependency 'jsonb_accessor', '~>1.4'
+
+  # spec.add_development_dependency 'graphql_devise'
+  spec.add_dependency 'omniauth-apple'
+  spec.add_dependency 'omniauth-google-oauth2'
+
+  spec.metadata['rubygems_mfa_required'] = 'true'
+end

data/lib/fabricators/user_fabricator.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'fabrication'
+require 'faker'
+
+Fabricator(:user) do
+  name { Faker::Name.name }
+  password { Devise.friendly_token[0, 20] }
+end
+
+Fabricator(:user_with_email, from: :user) do
+  email { Faker::Internet.email }
+end
+
+Fabricator(:admin_user, from: :user_with_email) do
+  roles [User::Role::ADMIN]
+end

data/lib/graphql/identity/filter.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module GraphQL
+  module Identity
+    class Filter < ::Groovestack::Base::GraphQL::BaseInputObject
+      description 'Identity filter props'
+
+      argument :ids, [ID], required: false
+
+      argument :user_id, ID, required: false
+    end
+  end
+end

data/lib/graphql/identity/mutations.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module GraphQL
+  module Identity
+    module Mutations
+      class Delete < ::Groovestack::Base::GraphQL::BaseMutation
+        argument :id, ID, required: true
+
+        type ::GraphQL::Identity::Type
+
+        def perform(id:)
+          identity = ::Identity.find(id)
+
+          identity.destroy!
+
+          identity
+        end
+      end
+
+      extend ActiveSupport::Concern
+
+      included do
+        field :delete_identity, mutation: ::GraphQL::Identity::Mutations::Delete, description: 'delete identity'
+      end
+    end
+  end
+end

data/lib/graphql/identity/queries.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module GraphQL
+  module Identity
+    module Queries
+      extend ActiveSupport::Concern
+
+      included do
+        include ::Groovestack::Base::GraphQL::Providers::ReactAdmin::Resource
+
+        react_admin_resource :identities, graphql_path: 'GraphQL'
+      end
+
+      def identities_scope(base_scope:, sort_field: nil, sort_order: nil, filter: {})
+        scope = base_scope
+        scope = scope.where(id: filter.ids) if filter.ids.present?
+        scope = scope.where(user_id: filter.user_id) if filter.user_id.present?
+
+        return scope if sort_field.blank?
+
+        scope.order({ sort_field.underscore => sort_order || 'desc' })
+      end
+    end
+  end
+end

data/lib/graphql/identity/type.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module GraphQL
+  module Identity
+    class Type < ::Groovestack::Base::GraphQL::Types::BaseObject
+      description 'An identity'
+
+      graphql_name 'Identity'
+
+      field :created_at, ::GraphQL::Types::ISO8601DateTime, null: false, description: 'created at'
+      field :id, ID, null: false, description: 'id'
+      field :uid, String, null: false, description: 'uid'
+      field :updated_at, ::GraphQL::Types::ISO8601DateTime, null: false, description: 'updated at'
+
+      field :provider, String, null: true, description: 'provider'
+
+      # associations
+
+      field :user_id, ID, null: false, description: 'user id of the user the identity is associated with'
+    end
+  end
+end

data/lib/graphql/user/filter.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module GraphQL
+  module User
+    class Filter < ::Groovestack::Base::GraphQL::BaseInputObject
+      description 'User filter props'
+
+      argument :ids, [ID], required: false
+      argument :q, String, required: false
+
+      argument :name, String, required: false
+      argument :roles, [String], required: false
+    end
+  end
+end

data/lib/graphql/user/mutations.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module GraphQL
+  module User
+    module Mutations
+      class Update < ::Groovestack::Base::GraphQL::BaseMutation
+        argument :current_password, String, required: false
+        argument :email, String, required: false
+        argument :id, ID, required: true
+        argument :image, String, required: false
+        argument :language, String, required: false
+        argument :name, String, required: false
+        argument :password, String, required: false
+        argument :roles, [String], required: false
+
+        type ::GraphQL::User::Type
+
+        def current_user
+          context[:current_resource]
+        end
+
+        def perform(id:, **attrs)
+          obj = id == current_user&.id ? current_user : ::User.find(id)
+
+          return update_with_password!(obj, **attrs) if attrs.keys.intersect?(%i[password current_password])
+
+          if !current_user.admin? && attrs[:roles].present?
+            raise GraphQL::ExecutionError,
+                  'Validation Failed: only admins can update user roles'
+          end
+
+          obj.update!(attrs)
+
+          obj
+        end
+
+        def update_with_password!(user, **attrs) # rubocop:disable Metrics/AbcSize
+          unless current_user&.id == user.id
+            raise GraphQL::ExecutionError,
+                  'Validation Failed: user can only update their own password'
+          end
+
+          ::User.transaction do
+            # if password isn't set yet, allow them to set it
+            user.password = attrs[:current_password] = attrs[:password] unless user.email_provider?
+
+            raise GraphQL::ExecutionError, user.errors.full_messages.join(' ') unless user.update_with_password(attrs)
+
+            context[:bypass_sign_in].call user.reload, scope: :user
+          end
+
+          user
+        end
+      end
+
+      extend ActiveSupport::Concern
+
+      included do
+        field :update_user, mutation: ::GraphQL::User::Mutations::Update, description: 'update user'
+      end
+    end
+  end
+end

data/lib/graphql/user/queries.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module GraphQL
+  module User
+    module Queries
+      extend ActiveSupport::Concern
+
+      included do
+        include ::Groovestack::Base::GraphQL::Providers::ReactAdmin::Resource
+
+        react_admin_resource :users, graphql_path: 'GraphQL'
+
+        def User(id:) # rubocop:disable Naming/MethodName
+          id == 'me' ? current_user : ::User.find(id)
+        end
+      end
+
+      def current_user
+        context[:current_resource]
+      end
+
+      def users_scope(base_scope:, sort_field: nil, sort_order: nil, filter: {}) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity
+        scope = base_scope
+        scope = scope.where(id: filter.ids) if filter.ids.present?
+
+        if filter.q.present?
+          scope = scope.where(id: scope.fuzzysearch(filter.q)).or(scope.where(id: scope.emailsearch(filter.q)))
+        end
+        scope = scope.fuzzysearch(filter.name) if filter.name.present?
+        scope = scope.with_roles(filter.roles) if filter.roles.present?
+
+        return scope if sort_field.blank?
+
+        sort_field = 'last_sign_in_at' if sort_field == 'last_login_at'
+
+        scope.order({ sort_field.underscore => sort_order || 'desc' })
+      end
+    end
+  end
+end

data/lib/graphql/user/type.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module GraphQL
+  module User
+    class Type < ::Groovestack::Base::GraphQL::Types::BaseObject
+      include ::Groovestack::Base::GraphQL::Helpers::Types::Typified
+
+      description 'An user'
+
+      field :created_at, ::GraphQL::Types::ISO8601DateTime, null: false, description: 'created at'
+      field :id, ID, null: false, description: 'id'
+      field :updated_at, ::GraphQL::Types::ISO8601DateTime, null: false, description: 'updated at'
+
+      field :email, String, null: true, description: 'email'
+      field :has_email_provider, Boolean, null: true, description: 'user has email provider',
+                                          method: :email_provider?
+      field :image, String, null: true, description: 'user image url'
+      field :language, String, null: true, description: 'user language'
+      field :name, String, null: true, description: 'name'
+      field :roles, [String], null: true, description: 'roles'
+
+      # devise fields
+      field :last_login_at, ::GraphQL::Types::ISO8601DateTime, null: true, description: 'last login in at',
+                                                               method: :last_sign_in_at
+      field :sign_in_count, Integer, null: true, description: 'sign in count'
+
+      field :identities, [::GraphQL::Identity::Type], null: false, description: 'identities'
+    end
+  end
+end