groovestack-auth 0.1.5 → 0.1.6

data/config/initializers/omniauth.rb

@@ -1,24 +1,5 @@
 # frozen_string_literal: true
 
-Rails.application.config.middleware.use OmniAuth::Builder do
-  Groovestack::Auth.configured_providers(ancestor: Groovestack::Auth::Providers::OmniAuth).each do |p|
-    provider(*p.generate_omniauth_args)
-  end
-end
-
-module Groovestack
-  module Auth
-    class OmniauthFailureEndpoint < OmniAuth::FailureEndpoint
-      def call
-        # raise_out! if OmniAuth.config.failure_raise_out_environments.include?(ENV['RACK_ENV'].to_s)
-        redirect_to_failure
-      end
-    end
-  end
-end
-
-OmniAuth.config.on_failure = Groovestack::Auth::OmniauthFailureEndpoint
-
 module OmniAuth
   module Strategies
     class Apple < OmniAuth::Strategies::OAuth2

data/config/locales/devise.en.yml

@@ -0,0 +1,71 @@
+---
+en:
+  devise:
+    confirmations:
+      confirmed: "Your email address has been successfully confirmed."
+      send_instructions: "You will receive an email with instructions for how to confirm your email address in a few minutes."
+      send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions for how to confirm your email address in a few minutes."
+    failure:
+      already_authenticated: "You are already signed in."
+      inactive: "Your account is not activated yet."
+      invalid: "Invalid %{authentication_keys} or password."
+      locked: "Your account is locked."
+      last_attempt: "You have one more attempt before your account is locked."
+      not_found_in_database: "Invalid %{authentication_keys} or password."
+      timeout: "Your session expired. Please sign in again to continue."
+      unauthenticated: "You need to sign in or sign up before continuing."
+      unconfirmed: "You have to confirm your email address before continuing."
+      magic_link_invalid: "Invalid or expired login link."
+    mailer:
+      confirmation_instructions:
+        subject: "Confirmation instructions"
+      reset_password_instructions:
+        subject: "Reset password instructions"
+      unlock_instructions:
+        subject: "Unlock instructions"
+      email_changed:
+        subject: "Email Changed"
+      password_change:
+        subject: "Password Changed"
+      magic_link:
+        subject: "Here's your magic login link ✨"
+    omniauth_callbacks:
+      failure: "Could not authenticate you from %{kind} because \"%{reason}\"."
+      success: "Successfully authenticated from %{kind} account."
+    passwords:
+      no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
+      send_instructions: "You will receive an email with instructions on how to reset your password in a few minutes."
+      send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
+      updated: "Your password has been changed successfully. You are now signed in."
+      updated_not_active: "Your password has been changed successfully."
+    registrations:
+      destroyed: "Bye! Your account has been successfully cancelled. We hope to see you again soon."
+      signed_up: "Welcome! You have signed up successfully."
+      signed_up_but_inactive: "You have signed up successfully. However, we could not sign you in because your account is not yet activated."
+      signed_up_but_locked: "You have signed up successfully. However, we could not sign you in because your account is locked."
+      signed_up_but_unconfirmed: "A message with a confirmation link has been sent to your email address. Please follow the link to activate your account."
+      update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and follow the confirmation link to confirm your new email address."
+      updated: "Your account has been updated successfully."
+      updated_but_not_signed_in: "Your account has been updated successfully, but since your password was changed, you need to sign in again."
+    sessions:
+      signed_in: "Signed in successfully."
+      signed_out: "Signed out successfully."
+      already_signed_out: "Signed out successfully."
+    unlocks:
+      send_instructions: "You will receive an email with instructions for how to unlock your account in a few minutes."
+      send_paranoid_instructions: "If your account exists, you will receive an email with instructions for how to unlock it in a few minutes."
+      unlocked: "Your account has been unlocked successfully. Please sign in to continue."
+    passwordless:
+      not_found_in_database: "Could not find a user for that email address"
+      magic_link_sent: "A login link has been sent to your email address. Please follow the link to log in to your account."
+      magic_link_sent_paranoid: "If your account exists, you will receive an email with a login link. Please follow the link to log in to your account."
+  errors:
+    messages:
+      already_confirmed: "was already confirmed, please try signing in"
+      confirmation_period_expired: "needs to be confirmed within %{period}, please request a new one"
+      expired: "has expired, please request a new one"
+      not_found: "not found"
+      not_locked: "was not locked"
+      not_saved:
+        one: "1 error prohibited this %{resource} from being saved:"
+        other: "%{count} errors prohibited this %{resource} from being saved:"

data/db/migrate/20231103174050_add_devise_to_users_and_identities.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+class AddDeviseToUsersAndIdentities < ActiveRecord::Migration[7.0]
+  def change # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
+    # Add authentication columns to the existing users table
+    change_column_default :users, :email, from: nil, to: ''
+    change_column_null :users, :email, false
+
+    change_table :users do |t|
+      ## Database authenticatable
+      if Groovestack::Auth.devise_modules.include?(:database_authenticatable)
+        t.string :encrypted_password, null: false,
+                                      default: ''
+      end
+
+      ## Recoverable
+      if Groovestack::Auth.devise_modules.include?(:recoverable)
+        t.string   :reset_password_token
+        t.datetime :reset_password_sent_at
+      end
+
+      ## Rememberable
+      t.datetime :remember_created_at if Groovestack::Auth.devise_modules.include?(:rememberable)
+
+      ## Trackable
+      if Groovestack::Auth.devise_modules.include?(:trackable)
+        t.integer  :sign_in_count, default: 0, null: false
+        t.datetime :current_sign_in_at
+        t.datetime :last_sign_in_at
+        t.string   :current_sign_in_ip
+        t.string   :last_sign_in_ip
+      end
+
+      ## Confirmable
+      if Groovestack::Auth.devise_modules.include?(:confirmable)
+        t.string   :confirmation_token
+        t.datetime :confirmed_at
+        t.datetime :confirmation_sent_at
+        t.string   :unconfirmed_email # Only if using reconfirmable
+      end
+
+      ## Lockable
+      if Groovestack::Auth.devise_modules.include?(:lockable)
+        t.integer  :failed_attempts, default: 0, null: false # Only if lock strategy is :failed_attempts
+        t.string   :unlock_token # Only if unlock strategy is :email or :both
+        t.datetime :locked_at
+      end
+    end
+
+    add_index :users, :reset_password_token, unique: true if Groovestack::Auth.devise_modules.include?(:recoverable)
+    add_index :users, :confirmation_token, unique: true if Groovestack::Auth.devise_modules.include?(:confirmable)
+    add_index :users, :unlock_token, unique: true if Groovestack::Auth.devise_modules.include?(:lockable)
+
+    # Add Omniauth-related columns to the existing identities table
+    change_table :identities do |t|
+      t.jsonb :omniauth_data
+    end
+  end
+end

data/groovestack-auth.gemspec

@@ -26,17 +26,17 @@ Gem::Specification.new do |spec|
   spec.files = Dir.chdir(File.expand_path(__dir__)) do
     `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   end
+  spec.files += Dir['{app}/**/*']
+
   spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'groovestack-base', '~> 0.1', '>= 0.1.10'
-  spec.add_dependency 'groovestack-config', '~> 0.1', '>= 0.1.2'
-  spec.add_dependency 'jsonb_accessor', '~>1.4'
-
-  # spec.add_development_dependency 'graphql_devise'
-  spec.add_dependency 'omniauth-apple'
-  spec.add_dependency 'omniauth-google-oauth2'
+  spec.add_dependency 'devise'
+  spec.add_dependency 'devise-passwordless'
+  spec.add_dependency 'groovestack-config', '~> 0.1', '>= 0.1.4'
+  spec.add_dependency 'groovestack-identities', '~> 0.1', '>= 0.1.3'
+  spec.add_dependency 'rotp'
 
   spec.metadata['rubygems_mfa_required'] = 'true'
 end

data/lib/groovestack/auth/{railtie.rb → engine.rb}

@@ -2,10 +2,10 @@
 
 require_relative 'provider'
 
-if defined?(Rails)
+if defined?(Rails::Engine)
   module Groovestack
     module Auth
-      class Railtie < ::Rails::Engine
+      class Engine < ::Rails::Engine
         include ::Groovestack::Base::CoreRailtie
 
         def dx_validations
@@ -47,9 +47,20 @@ if defined?(Rails)
           append_initializers app
         end
 
+        initializer :append_locales do |app|
+          append_locales app
+        end
+
         config.after_initialize do
           after_init
         end
+
+        config.to_prepare do
+          # Include Auth concerns after Rails is fully loaded to ensure Devise is loaded
+
+          ::User.include ::Groovestack::Auth::User
+          ::Identity.include ::Groovestack::Auth::Identity
+        end
       end
     end
   end

data/lib/groovestack/auth/graphql/authorized_field.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module GraphQL
+      class AuthorizedField < ::Groovestack::Base::GraphQL::Base::Field
+        def authorized?(obj, args, ctx)
+          authorized_fields = begin
+            obj.authorized_fields_for_serialization(ctx[:current_user])
+          rescue StandardError
+            []
+          end
+
+          super && authorized_fields.include?(name.to_sym)
+        end
+      end
+    end
+  end
+end

data/lib/groovestack/auth/graphql/authorized_object.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module GraphQL
+      class AuthorizedObject < ::Groovestack::Base::GraphQL::Base::Object
+        field_class ::Groovestack::Auth::GraphQL::AuthorizedField
+      end
+    end
+  end
+end

data/lib/groovestack/auth/graphql/schema_visibility.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module GraphQL
+      module SchemaVisibility
+        extend ActiveSupport::Concern
+
+        included do
+          use ::GraphQL::Schema::Visibility
+
+          # NOTE: currently, this is user role based
+          # visibility_profiles enumerate the permissions each
+          # role has access to
+
+          @visibility_profiles = [
+            { key: :anon,               permissions: [:public] },
+            { key: :user,               permissions: %i[public basic] },
+            { key: ::User::Role::STAFF, permissions: [:public, :basic, ::User::Role::STAFF] },
+            { key: ::User::Role::EXEC,  permissions: [:public, :basic, ::User::Role::STAFF, ::User::Role::EXEC] },
+            { key: ::User::Role::ADMIN,
+              permissions: [:public, :basic, ::User::Role::STAFF, ::User::Role::EXEC, ::User::Role::ADMIN] }
+          ].each_with_object({}) do |profile, acc|
+            acc[profile[:key].to_sym] = profile[:permissions].map(&:to_sym)
+          end.freeze
+
+          class << self
+            attr_reader :visibility_profiles
+
+            def visibility_profile_for_context(context)
+              return [] if context[:visibility_profile].blank?
+
+              visibility_profiles[context[:visibility_profile].to_sym] || []
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/groovestack/auth/graphql/visible_field.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module GraphQL
+      class VisibleField < ::Groovestack::Base::GraphQL::Base::Field
+        def visible?(context)
+          return super unless @visibility_permission
+
+          # visibility profile are the visibility levels the
+          # current user is authorized for
+          visibility_profile = context.schema.visibility_profile_for_context(context).map(&:to_sym)
+
+          return super unless visibility_profile
+
+          super && visibility_profile.include?(@visibility_permission.to_sym)
+        end
+      end
+    end
+  end
+end

data/lib/groovestack/auth/graphql/visible_object.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module GraphQL
+      class VisibleObject < ::Groovestack::Base::GraphQL::Base::Object
+        field_class ::Groovestack::Auth::GraphQL::VisibleField
+
+        def self.visible?(context)
+          any_visible_fields = fields.values.any? { |field| field.visible?(context) }
+
+          super && any_visible_fields
+        end
+      end
+    end
+  end
+end

data/lib/groovestack/auth/passwordless/t_otp_tokenizer.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require 'rotp'
+# require 'base32'  # You can use any Base32 encoder
+
+module Groovestack
+  module Auth
+    module Passwordless
+      module TOtpTokenizer
+        module_function
+
+        # Validity period (in seconds)
+        def token_validity_seconds
+          Devise.passwordless_login_within.seconds
+        end
+
+        # Generate a TOTP instance for the resource.
+        #
+        # We derive a per‑resource secret from a combination of the resource’s id and Rails’ secret.
+        def totp_for(resource, digits: 4, interval: token_validity_seconds)
+          # add last sign in at to prevent same otp being generated multiple times
+          identifier = resource.id
+          identifier += ":#{resource.current_sign_in_at.to_i}" if resource.current_sign_in_at.present?
+
+          raw_secret = OpenSSL::HMAC.digest('sha1', Rails.application.secret_key_base, identifier)
+          base32_secret = ROTP::Base32.encode raw_secret
+
+          # Create a TOTP object configured for 4 digits and the given time interval.
+          ROTP::TOTP.new(base32_secret, digits: digits, interval: interval)
+        end
+
+        # Generates the token for the current time window.
+        def encode(resource, _extra: nil, _expires_at: nil)
+          # otp = totp_for(resource).now
+
+          # otp_as_formatted_code(otp)
+          totp_for(resource).now
+        end
+
+        # Verifies that the provided token is valid (i.e. within the current time window).
+        #
+        # Since the token is time‐dependent, expiration is enforced by the TOTP algorithm.
+        def decode(code, email, resource_class, _as_of: nil, _expire_duration: nil)
+          raise ::Devise::Passwordless::InvalidTokenError if code.blank?
+
+          # For TOTP, we look up the resource and then verify the code.
+          # Note: How you locate the resource is up to your application.
+          # For example, if your code is combined with an email or user id in the URL, you would look it up there.
+          #
+          resource = resource_class.find_by(email: email)
+
+          raise 'Resource not found' if resource.blank?
+
+          # # Remove the hyphen to get the plain digits.
+          # otp = otp_from_formatted_code(code)
+          otp = code
+
+          verify_opts = {}
+          # by default, ROTP is fixed window interval. This code enables a sliding window
+          now = Time.zone.now
+          verify_opts[:at] = now
+          verify_opts[:drift_behind] = token_validity_seconds / 2 # (now.sec % token_validity_seconds) - 1
+          if resource_class.passwordless_expire_old_tokens_on_sign_in && resource.current_sign_in_at.present?
+            # support login / logout / login again within same token validity period
+            verify_opts[:after] = (resource.current_sign_in_at - token_validity_seconds).to_i
+          end
+          # end sliding window logic
+          decrypted_data = totp_for(resource).verify(otp, **verify_opts)
+
+          raise ::Devise::Passwordless::InvalidOrExpiredTokenError if decrypted_data.blank?
+
+          [resource, { data: decrypted_data }]
+        end
+
+        # # Helper: Formats an 4‑digit code as "xxxx".
+        # def otp_as_formatted_code(otp)
+        #   otp = otp.to_s
+        #   code = otp.length == 4 ? otp.dup.insert(2, '-') : otp
+        #   code
+        # end
+
+        # def otp_from_formatted_code(formatted_code)
+        #   otp = formatted_code.delete('-')
+        #   otp
+        # end
+      end
+    end
+  end
+end

data/lib/groovestack/auth/provider.rb

@@ -54,6 +54,13 @@ module Groovestack
 
         verbose.slice(*keys)
       end
+
+      def self.credential_for(key)
+        provider_credentials = Rails.application.credentials.groovestack.auth.send(k)
+        return if provider_credentials.blank?
+
+        provider_credentials.send(key)
+      end
     end
   end
 end

data/lib/groovestack/auth/providers/apple.rb

@@ -5,17 +5,17 @@ module Groovestack
     module Providers
       class Apple < OmniAuth
         PROVIDER = :apple
-        REQUIRED_CREDENTIALS = %i[APPLE_CLIENT_ID APPLE_TEAM_ID APPLE_KEY_ID APPLE_PEM_CONTENT].freeze
+        REQUIRED_CREDENTIALS = %i[client_id team_id key_id pem_content].freeze
 
         def self.generate_omniauth_args
           [
             provider,
-            Rails.application.credentials.APPLE_CLIENT_ID,
+            credential_for(:client_id),
             '',
             {
-              team_id: Rails.application.credentials.APPLE_TEAM_ID,
-              key_id: Rails.application.credentials.APPLE_KEY_ID,
-              pem: Rails.application.credentials.APPLE_PEM_CONTENT,
+              team_id: credential_for(:team_id),
+              key_id: credential_for(:key_id),
+              pem: credential_for(:pem_content),
               origin_param: 'return_to'
             }
           ]

data/lib/groovestack/auth/providers/facebook.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module Providers
+      class Facebook < OmniAuth
+        PROVIDER = :facebook
+        K = :facebook
+        REQUIRED_CREDENTIALS = %i[app_id app_secret].freeze
+
+        def self.generate_omniauth_args
+          [*super, { client_options: { site: 'https://graph.facebook.com/v22.0' } }]
+        end
+      end
+    end
+  end
+end

data/lib/groovestack/auth/providers/google.rb

@@ -6,7 +6,7 @@ module Groovestack
       class Google < OmniAuth
         PROVIDER = :google_oauth2
         K = :google
-        REQUIRED_CREDENTIALS = %i[GOOGLE_CLIENT_ID GOOGLE_CLIENT_SECRET].freeze
+        REQUIRED_CREDENTIALS = %i[client_id client_secret].freeze
 
         def self.generate_omniauth_args
           super << { name: k, origin_param: 'return_to' }

data/lib/groovestack/auth/providers/omni_auth.rb

@@ -11,7 +11,7 @@ module Groovestack
         end
 
         def self.required_credentials_present?
-          required_credentials.all? { |credential| Rails.application.credentials.send(credential).present? }
+          required_credentials.all? { |credential| credential_for(credential).present? }
         end
 
         def self.configured?
@@ -22,7 +22,7 @@ module Groovestack
           # different providers require different arguments
           [
             provider,
-            *required_credentials.map { |c| Rails.application.credentials.send(c) }
+            *required_credentials.map { |credential| credential_for(credential) }
           ]
         end
 

data/lib/groovestack/auth/routes.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module Routes
+      extend ActiveSupport::Concern
+
+      class_methods do
+        def draw_routes(mapper)
+          mapper.instance_exec do
+            devise_for :users, ::Groovestack::Auth.devise_for_routes_kwargs
+
+            devise_scope :user do
+              post 'users/magic_link', to: 'groovestack/auth/passwordless/magic_links#show'
+
+              if defined?(OmniAuth)
+                match '/users/auth/:provider/callback', to: 'groovestack/auth/omniauth_callbacks#verified', via: %i[get post],
+                                                        as: :omniauth_callback
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/groovestack/auth/settings.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module Settings
+      extend ActiveSupport::Concern
+
+      included do
+        extend Dry::Configurable
+
+        # NOTE: this impact user devise migration changes. Be sure
+        # to set / override this when initialling integrating with groovestack-auth
+        setting :devise_modules, default: [
+          :database_authenticatable,
+          :registerable,
+          :recoverable,
+          :rememberable,
+          :validatable,
+          :confirmable,
+          :lockable,
+          :timeoutable,
+          :trackable,
+          :magic_link_authenticatable,
+          :omniauthable,
+          { omniauth_providers: %i[apple facebook google] }
+        ], reader: true
+
+        setting :devise_for_routes_kwargs, default: {
+          controllers: {
+            omniauth_callbacks: 'groovestack/auth/omniauth_callbacks',
+            sessions: 'groovestack/auth/passwordless/sessions'
+          }
+        }, reader: true
+
+        setting :disabled_providers, default: [], reader: true
+
+        setting :omniauth_origin_url, default: nil, reader: true
+        setting :after_sign_in_path, default: nil, reader: true
+        setting :allow_other_host_redirects, default: false, reader: true
+      end
+    end
+  end
+end

data/lib/groovestack/auth/version.rb

@@ -2,6 +2,6 @@
 
 module Groovestack
   module Auth
-    VERSION = '0.1.5'
+    VERSION = '0.1.6'
   end
 end