groovestack-auth 0.1.1

data/lib/groovestack/auth/action_cable.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module ActionCable
+      module Connection
+        extend ActiveSupport::Concern
+
+        included do
+          identified_by :current_resource
+        end
+
+        def connect
+          self.current_resource = find_verified_resource
+        end
+
+        private
+
+        def find_verified_resource
+          if (verified_user = env['warden'].user)
+            verified_user
+          else
+            reject_unauthorized_connection
+          end
+        end
+      end
+    end
+  end
+end

data/lib/groovestack/auth/authenticated_api_controller.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+require 'devise_token_auth/concerns/resource_finder'
+require 'devise_token_auth/concerns/set_user_by_token'
+
+module Groovestack
+  module Auth
+    class AuthenticatedApiController < ApplicationController
+      include GraphqlDevise::SetUserByToken
+      include Devise::Controllers::Helpers
+    end
+  end
+end

data/lib/groovestack/auth/omniauth_callbacks_controller.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+require 'devise_helper'
+require 'devise_controller'
+require 'devise_token_auth/concerns/resource_finder'
+require 'devise_token_auth/concerns/set_user_by_token'
+require 'devise_token_auth/application_controller'
+require 'devise_token_auth/omniauth_callbacks_controller'
+
+module Groovestack
+  module Auth
+    class OmniauthCallbacksController < DeviseTokenAuth::OmniauthCallbacksController
+      def verified_request?
+        # required b/c apple uses POST to callback and resets the origin header
+        # source: https://github.com/rails/rails/blob/6b93fff8af32ef5e91f4ec3cfffb081d0553faf0/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L442C11-L442C27
+
+        apple_success_callback_request? || super
+      end
+
+      def apple_success_callback_request?
+        params[:action] == 'verified' && params[:provider] == 'apple' && request.headers['Origin'] == 'https://appleid.apple.com'
+      end
+
+      def auth_hash
+        @auth_hash ||= request.env['omniauth.auth'] # goes through plain old omniauth so need to override
+      end
+
+      def resource_class(_mapping = nil)
+        # TODO: this is required b/c their code relies on the resource_class
+        # method which expects access to the 'dta.omniauth.params' which we
+        # don't currently have access through b/c we are going directly
+        # through omniauth
+
+        return @resource_class if defined?(@resource_class)
+
+        raise 'No resource_class found' if @resource.blank?
+
+        @resource_class = @resource.class
+
+        @resource_class
+      end
+
+      def create_auth_params
+        @auth_params = {
+          auth_token: @token.token,
+          client_id: @token.client,
+          # uid:        @resource.uid,
+          expiry: @token.expiry,
+          config: @config,
+          id: @resource.id
+        }
+        @auth_params.merge!(oauth_registration: true) if @oauth_registration
+        @auth_params
+      end
+
+      def get_resource_from_auth_hash # rubocop:disable Naming/AccessorMethodName
+        # invitation_token = request.env.dig('omniauth.params', 'invitation_token')
+        language = request.env.dig('omniauth.params', 'language')
+
+        c_user = begin
+          current_user
+        rescue StandardError
+          nil
+        end
+
+        identity_params = {
+          auth: auth_hash,
+          current_user: c_user,
+          user_attrs: {
+            defaults: {
+              roles: Core::Config::App.generate_config[:has_admins] ? [] : [Users::Roles::Role::ADMIN]
+            },
+            priority: {
+              language: language
+            }
+          }
+        }
+
+        @resource = Identity.find_or_create_from_omniauth!(**identity_params).user
+
+        @resource
+      end
+
+      def verified # rubocop:disable Metrics/AbcSize
+        omniauth_success do
+          set_token_in_cookie(@resource, @token)
+
+          redirect_url = if redirect_options.present? || request.env['omniauth.origin'].split('?').size > 1
+                           DeviseTokenAuth::Url.generate(request.env['omniauth.origin'], redirect_options)
+                         else
+                           request.env['omniauth.origin'].split('?').first # get rid of occasional trailing ?
+                         end
+
+          redirect_to redirect_url
+
+          return
+        end
+      end
+
+      def omniauth_failure
+        @error = params[:message]
+        # render_data_or_redirect('authFailure', omniauth_failure_error: @error)
+
+        ::Groovestack::Base.notify_error('Groovestack::Auth::OmniauthCallbacksController.omniauth_failure', @error)
+
+        data = { omniauth_failure_error: @error }.merge(redirect_options)
+        redirect_to DeviseTokenAuth::Url.generate(session['omniauth.origin'], data)
+      end
+    end
+  end
+end

data/lib/groovestack/auth/provider.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    def self.available_providers(ancestor: nil)
+      # ensure all providers are loaded
+      ::Groovestack::Auth::Providers.eager_load!
+
+      root = ancestor || ::Groovestack::Auth::Provider
+
+      root.descendants.select(&:available?)
+    end
+
+    def self.enabled_providers(ancestor: nil)
+      available_providers(ancestor: ancestor).select(&:enabled?)
+    end
+
+    def self.configured_providers(ancestor: nil)
+      enabled_providers(ancestor: ancestor).select(&:configured?)
+    end
+
+    def self.enabled_providers_sans_configuration(ancestor: nil)
+      enabled_providers(ancestor: ancestor) - configured_providers(ancestor: ancestor)
+    end
+
+    class Provider
+      def self.provider
+        const_defined?(:PROVIDER) ? self::PROVIDER : nil
+      end
+
+      def self.k
+        const_defined?(:K) ? self::K : provider
+      end
+
+      def self.available?
+        provider.present?
+      end
+
+      def self.enabled?
+        available? && ::Groovestack::Auth.disabled_providers.exclude?(provider)
+      end
+
+      def self.configured?
+        false
+      end
+
+      def self.as_json(keys = nil)
+        verbose = {
+          provider: provider,
+          k: k || provider
+        }
+
+        return verbose if keys.nil?
+
+        verbose.slice(*keys)
+      end
+    end
+  end
+end

data/lib/groovestack/auth/providers/apple.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module Providers
+      class Apple < OmniAuth
+        PROVIDER = :apple
+        REQUIRED_CREDENTIALS = %i[APPLE_CLIENT_ID APPLE_TEAM_ID APPLE_KEY_ID APPLE_PEM_CONTENT].freeze
+
+        def self.generate_omniauth_args
+          [
+            provider,
+            Rails.application.credentials.APPLE_CLIENT_ID,
+            '',
+            {
+              team_id: Rails.application.credentials.APPLE_TEAM_ID,
+              key_id: Rails.application.credentials.APPLE_KEY_ID,
+              pem: Rails.application.credentials.APPLE_PEM_CONTENT,
+              origin_param: 'return_to'
+            }
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/groovestack/auth/providers/email.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module Providers
+      class Email < Groovestack::Auth::Provider
+        PROVIDER = :email
+
+        def self.configured?
+          true
+        end
+      end
+    end
+  end
+end

data/lib/groovestack/auth/providers/google.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module Providers
+      class Google < OmniAuth
+        PROVIDER = :google_oauth2
+        K = :google
+        REQUIRED_CREDENTIALS = %i[GOOGLE_CLIENT_ID GOOGLE_CLIENT_SECRET].freeze
+
+        def self.generate_omniauth_args
+          super << { name: k, origin_param: 'return_to' }
+        end
+      end
+    end
+  end
+end

data/lib/groovestack/auth/providers/omni_auth.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module Providers
+      class OmniAuth < Groovestack::Auth::Provider
+        BASE_PATH = '/users/auth'
+
+        def self.required_credentials
+          const_defined?(:REQUIRED_CREDENTIALS) ? self::REQUIRED_CREDENTIALS : []
+        end
+
+        def self.required_credentials_present?
+          required_credentials.all? { |credential| Rails.application.credentials.send(credential).present? }
+        end
+
+        def self.configured?
+          required_credentials_present?
+        end
+
+        def self.generate_omniauth_args
+          # different providers require different arguments
+          [
+            provider,
+            *required_credentials.map { |c| Rails.application.credentials.send(c) }
+          ]
+        end
+
+        def self.path
+          "#{BASE_PATH}/#{k}"
+        end
+
+        def self.as_json(keys = nil)
+          verbose = super.merge({
+                                  required_credentials: required_credentials,
+                                  path: path,
+                                  generate_omniauth_args: generate_omniauth_args
+                                })
+
+          return verbose if keys.nil?
+
+          verbose.slice(*keys)
+        end
+      end
+    end
+  end
+end

data/lib/groovestack/auth/railtie.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+require_relative 'provider'
+
+if defined?(Rails)
+  module Groovestack
+    module Auth
+      class Railtie < ::Rails::Engine
+        include ::Groovestack::Base::CoreRailtie
+
+        def dx_validations
+          [
+            {
+              eval: proc { raise unless defined?(::Groovestack::Base) },
+              message: "Error: 'core-base' gem is required, add it your your gemfile"
+            },
+            {
+              eval: proc { raise unless defined?(::Core::Config) },
+              message: "Error: 'core-config' gem is required, add it your your gemfile"
+            },
+            {
+              eval: proc {
+                raise if ::Groovestack::Auth.enabled_providers_sans_configuration.present?
+              },
+              message: missing_configuration_msg
+            }
+          ]
+        end
+
+        def providers_missing_configuration
+          ::Groovestack::Auth.enabled_providers_sans_configuration.map do |h|
+            "#{h.provider.to_s.titleize} - #{h.required_credentials.join(', ')}"
+          end
+        end
+
+        def missing_configuration_msg
+          msg = "\n\tWarning: enabled providers are missing required credentials:\n\t\t"
+          msg += providers_missing_configuration.join("\n\t\t")
+          "#{msg}\n\tAdd them to your credentials file or disable the providers by adding them to Groovestack::Auth.disabled_providers." # rubocop:disable Layout/LineLength
+        end
+
+        def module_description
+          avail = ::Groovestack::Auth.available_providers.map(&:k).map(&:to_s).map(&:titleize)
+          descr = "\n\tAvailable auth providers: #{avail.join(', ')}"
+          enabled = ::Groovestack::Auth.enabled_providers.map(&:k).map(&:to_s).map(&:titleize)
+          descr += "\n\tEnabled auth providers: #{enabled.join(', ')}"
+          descr
+        end
+
+        initializer :append_migrations do |app|
+          append_migrations app
+        end
+
+        initializer :append_initializers do |app|
+          append_initializers app
+        end
+
+        config.after_initialize do
+          after_init
+        end
+      end
+    end
+  end
+end

data/lib/groovestack/auth/schema_plugin.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module SchemaPlugin
+      extend ActiveSupport::Concern
+
+      included do
+        use GraphqlDevise::SchemaPlugin.new(
+          query: Types::QueryType,
+          mutation: Types::MutationType,
+          resource_loaders: [
+            GraphqlDevise::ResourceLoader.new(User)
+          ]
+        )
+      end
+    end
+  end
+end

data/lib/groovestack/auth/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    VERSION = '0.1.1'
+  end
+end

data/lib/groovestack/auth.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+require 'groovestack/base'
+
+require 'graphql_devise' if defined?(GraphqlDevise)
+require 'omniauth-google-oauth2'
+require 'omniauth-apple'
+
+require 'groovestack/auth/version'
+require 'groovestack/auth/railtie' if defined?(Rails::Railtie)
+
+if defined?(GraphqlDevise)
+  # add devise and devise_token_auth app/ dirs to load path
+  Dir[File.join(Gem::Specification.find_by_name('devise').gem_dir, 'app', '*')].each do |sub_dir|
+    $LOAD_PATH.push(sub_dir)
+  end
+  Dir[File.join(Gem::Specification.find_by_name('devise_token_auth').gem_dir, 'app', '*')].each do |sub_dir|
+    $LOAD_PATH.push(sub_dir)
+  end
+
+  unless defined?(ApplicationController)
+    class ApplicationController < ActionController::Base
+    end
+  end
+
+  unless defined?(DeviseTokenAuth::Concerns)
+    module DeviseTokenAuth
+      module Concerns
+      end
+    end
+  end
+end
+
+require 'users/roles'
+require 'user'
+require 'identity'
+
+module GraphQL
+  module Identity
+    autoload :Type, 'graphql/identity/type'
+    autoload :Filter, 'graphql/identity/filter'
+    autoload :Queries, 'graphql/identity/queries'
+    autoload :Mutations, 'graphql/identity/mutations'
+  end
+
+  module User
+    autoload :Filter, 'graphql/user/filter'
+    autoload :Type, 'graphql/user/type'
+    autoload :Queries, 'graphql/user/queries'
+    autoload :Mutations, 'graphql/user/mutations'
+  end
+end
+
+module Groovestack
+  module Auth
+    autoload :Provider, 'groovestack/auth/provider'
+
+    if defined?(GraphqlDevise)
+      autoload :AuthenticatedApiController, 'groovestack/auth/authenticated_api_controller'
+      autoload :OmniauthCallbacksController, 'groovestack/auth/omniauth_callbacks_controller'
+      autoload :ActionCable, 'groovestack/auth/action_cable'
+      autoload :SchemaPlugin, 'groovestack/auth/schema_plugin'
+    end
+
+    module Providers
+      extend ActiveSupport::Autoload
+
+      eager_autoload do
+        autoload :Email, 'groovestack/auth/providers/email'
+        autoload :OmniAuth, 'groovestack/auth/providers/omni_auth'
+        autoload :Apple, 'groovestack/auth/providers/apple'
+        autoload :Google, 'groovestack/auth/providers/google'
+      end
+    end
+
+    extend Dry::Configurable
+
+    setting :disabled_providers, default: [], reader: true
+  end
+end
+
+require 'fabricators/user_fabricator' if defined?(Fabrication) && defined?(Faker)
+
+# TODO: remove aliases after all core modules have been updated
+# to reference Groovestack::Auth
+module Core
+  module Auth
+    Provider = ::Groovestack::Auth::Provider
+
+    if defined?(GraphqlDevise)
+      AuthenticatedApiController = ::Groovestack::Auth::AuthenticatedApiController
+      OmniauthCallbacksController = ::Groovestack::Auth::OmniauthCallbacksController
+      ActionCable = ::Groovestack::Auth::ActionCable
+      SchemaPlugin = ::Groovestack::Auth::SchemaPlugin
+    end
+
+    module Providers
+      Email = ::Groovestack::Auth::Providers::Email
+      OmniAuth = ::Groovestack::Auth::Providers::OmniAuth
+      Apple = ::Groovestack::Auth::Providers::Apple
+      Google = ::Groovestack::Auth::Providers::Google
+    end
+
+    extend Dry::Configurable
+
+    setting :disabled_providers, default: [], reader: true
+  end
+end

data/lib/identity.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+class Identity < ActiveRecord::Base
+  belongs_to :user
+
+  def self.find_or_create_from_omniauth!(auth:, current_user: nil, user_attrs: {}) # rubocop:disable Metrics/AbcSize
+    where(provider: auth.provider, uid: auth.uid).first_or_create! do |identity|
+      # TODO
+      # possible cases
+      # 1. user exists in the system (i.e. we found an email for them)
+      # 2. user does not exist in the system (i.e. oauth email doesn't match anything in the system
+
+      user = current_user || User.find_by(email: auth.info.email)
+      user_attrs_to_assign = user_attrs[:priority] || {}
+
+      if user.nil?
+        user_attrs_to_assign = user_attrs_to_assign.merge(user_attrs[:defaults] || {})
+        user = User.new
+      end
+
+      attrs = auth['info'].to_hash.slice(*user.attribute_names)
+      user.assign_attributes(attrs.merge(user_attrs_to_assign))
+
+      # user.skip_confirmation!
+      user.save!
+
+      identity.omniauth_data = auth
+      identity.user = user
+    end
+  end
+end

data/lib/user.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'jsonb_accessor'
+
+class User < ActiveRecord::Base
+  include Users::Roles
+
+  if defined?(Devise)
+    extend ::Devise::Models
+
+    # Include default devise modules. Others available are:
+    # :confirmable, :lockable, :timeoutable
+
+    devise :database_authenticatable, :registerable,
+           :recoverable, :rememberable, :trackable, :validatable
+  end
+
+  has_many :identities, dependent: :destroy
+
+  scope :fuzzysearch, ->(q) { where('name::text ilike ?', "%#{q}%".gsub(/\s/, '%').squeeze('%')) }
+  scope :emailsearch, ->(qemail) { where('email::text ilike ?', "#{qemail}%") }
+
+  # GraphqlDevise overrides (due to omniauthable relying on new Identity model)
+  # NOTE: DeviseTokenAuth User.provider & User.uid columns are removed
+  # TODO: can we remove this overrides?
+
+  def provider
+    # will probably need to pick from identities eventually
+    nil
+  end
+
+  def uid
+    nil
+  end
+
+  def email_provider?
+    encrypted_password.present?
+  end
+
+  def build_auth_headers(token, client = 'default') # rubocop:disable Metrics/AbcSize
+    # client may use expiry to prevent validation request if expired
+    # must be cast as string or headers will break
+    expiry = tokens[client]['expiry'] || tokens[client][:expiry]
+    headers = {
+      DeviseTokenAuth.headers_names[:'access-token'] => token,
+      DeviseTokenAuth.headers_names[:'token-type'] => 'Bearer',
+      DeviseTokenAuth.headers_names[:client] => client,
+      DeviseTokenAuth.headers_names[:expiry] => expiry.to_s,
+      DeviseTokenAuth.headers_names[:id] => id
+    }
+    headers.merge(build_bearer_token(headers))
+  end
+end

data/lib/users/roles.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+module Users
+  module Roles
+    extend ActiveSupport::Concern
+
+    included do
+      scope :with_roles, ->(roles) { jsonb_contains(:roles, roles) }
+      scope :admins, -> { with_roles(:admin) }
+
+      module Role
+        ADMIN = 'admin'
+      end
+
+      ROLES = [
+        Role::ADMIN
+      ].freeze
+
+      def add_roles(roles)
+        self.roles |= roles
+      end
+
+      def add_role(role)
+        add_roles([role])
+      end
+
+      def admin!
+        add_role(User::Role::ADMIN)
+        save!
+      end
+
+      def admin?
+        roles.include? User::Role::ADMIN
+      end
+
+      # TODO: rname role?
+      def has_role?(role) # rubocop:disable Naming/PredicateName
+        roles.include? role.to_s
+      end
+    end
+  end
+end