groovestack-auth 0.1.5 → 0.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6334f31e76abf39c1440546651f4dc291093c02b039c7d44bb88d79499cfad42
-  data.tar.gz: b246b2c3d402db429cbb39a110ba33d37825e3f72e4c5bf7cd207f943c7ef8e5
+  metadata.gz: 8adb7a1b84a4b5aded491344181c888900557ce327e15b5d441581c6e3c88146
+  data.tar.gz: 9fef159454b305cc1b4a4a587bfb84a249cf9357e7bf28712b795492d1568dac
 SHA512:
-  metadata.gz: cf1349a5f3a9ac5e766263deb3f3dac46f7b7aa81e3ca12ac98d19e1d339489da14b08f73bd03441dcc74ea44561b6322e788c42f38ce288936cbf1923ad4728
-  data.tar.gz: 4ddab00dd1014608fc1b4ce76b5998c905cef45d0c0981e2ba87220602db810e9bcde4cfb15deda756052f918203a4402d47801ae8189afd5081a0000ee85f87
+  metadata.gz: 54f7df9d82696102e44a34d251322042e030680c5fad56dca3b3c1ee92c6d6bd60e05629bf3cdd5bebe4baab2ddde555cc6e50ef47837b3b0e5d114fadcc3635
+  data.tar.gz: 8215562c42ae838366b9b79048f24d4c263059c017dcf1a0aaae616107d123ad88fb192f88e5a3d2a8f748af7441225ec1d32ed1e87bccb9a1d5fe89306c50a4

data/Gemfile

@@ -5,8 +5,15 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in groovestack-auth.gemspec
 gemspec
 
+gem 'devise-passwordless'
+gem 'omniauth-apple'
+gem 'omniauth-facebook'
+gem 'omniauth-google-oauth2', '1.1.2'
+
 gem 'fabrication'
 gem 'faker'
 gem 'racksh' # get a console without a full Rails application
 gem 'rspec'
-gem 'rubocop', require: false
+gem 'rubocop'
+gem 'rubocop-graphql', '~> 1.0'
+gem 'rubocop-rails', '~> 2.18'

data/Gemfile.lock

@@ -2,15 +2,32 @@ PATH
   remote: .
   specs:
     groovestack-auth (0.1.5)
-      groovestack-base (~> 0.1, >= 0.1.10)
-      groovestack-config (~> 0.1, >= 0.1.2)
-      jsonb_accessor (~> 1.4)
-      omniauth-apple
-      omniauth-google-oauth2
+      devise
+      devise-passwordless
+      groovestack-config (~> 0.1, >= 0.1.4)
+      groovestack-identities (~> 0.1, >= 0.1.3)
+      rotp
 
 GEM
   remote: https://rubygems.org/
   specs:
+    actionpack (7.2.2.1)
+      actionview (= 7.2.2.1)
+      activesupport (= 7.2.2.1)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4, < 3.2)
+      rack-session (>= 1.0.1)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+      useragent (~> 0.16)
+    actionview (7.2.2.1)
+      activesupport (= 7.2.2.1)
+      builder (~> 3.1)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
     activemodel (7.2.2.1)
       activesupport (= 7.2.2.1)
     activerecord (7.2.2.1)
@@ -32,12 +49,25 @@ GEM
     aes_key_wrap (1.1.0)
     ast (2.4.3)
     base64 (0.2.0)
+    bcrypt (3.1.20)
     benchmark (0.4.0)
     bigdecimal (3.1.9)
     bindata (2.5.0)
+    builder (3.3.0)
     concurrent-ruby (1.3.5)
     connection_pool (2.5.0)
-    diff-lcs (1.6.1)
+    crass (1.0.6)
+    date (3.4.1)
+    devise (4.9.4)
+      bcrypt (~> 3.0)
+      orm_adapter (~> 0.1)
+      railties (>= 4.1.0)
+      responders
+      warden (~> 1.2.3)
+    devise-passwordless (1.1.0)
+      devise
+      globalid
+    diff-lcs (1.6.2)
     drb (2.2.1)
     dry-configurable (1.3.0)
       dry-core (~> 1.1)
@@ -46,6 +76,7 @@ GEM
       concurrent-ruby (~> 1.0)
       logger
       zeitwerk (~> 2.6)
+    erubi (1.13.1)
     fabrication (2.31.0)
     faker (3.5.1)
       i18n (>= 1.8.11, < 2)
@@ -58,21 +89,30 @@ GEM
     faraday-net_http (3.4.0)
       net-http (>= 0.5.0)
     fiber-storage (1.0.0)
+    globalid (1.2.1)
+      activesupport (>= 6.1)
     graphql (2.3.22)
       base64
       fiber-storage
-    groovestack-base (0.1.10)
+    groovestack-base (0.1.12)
       activerecord (~> 7.0)
       dry-configurable (~> 1.0)
       graphql (>= 1.8, < 2.4)
       pg (~> 1.0)
       pg_lock (~> 1.0)
-      puma (~> 5.0)
-    groovestack-config (0.1.2)
-      groovestack-base (~> 0.1.10)
+      puma (>= 5.0, < 7)
+    groovestack-config (0.1.4)
+      groovestack-base (~> 0.1, >= 0.1.12)
+    groovestack-identities (0.1.3)
+      groovestack-base (~> 0.1, >= 0.1.12)
     hashie (5.0.0)
     i18n (1.14.7)
       concurrent-ruby (~> 1.0)
+    io-console (0.8.0)
+    irb (1.15.2)
+      pp (>= 0.6.0)
+      rdoc (>= 4.0.0)
+      reline (>= 0.4.2)
     json (2.10.2)
     json-jwt (1.16.7)
       activesupport (>= 4.2)
@@ -81,21 +121,22 @@ GEM
       bindata
       faraday (~> 2.0)
       faraday-follow_redirects
-    jsonb_accessor (1.4)
-      activerecord (>= 6.1)
-      activesupport (>= 6.1)
-      pg (>= 0.18.1)
     jwt (2.10.1)
       base64
     language_server-protocol (3.17.0.4)
     lint_roller (1.1.0)
     logger (1.7.0)
+    loofah (2.24.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.12.0)
     minitest (5.25.5)
     multi_xml (0.7.1)
       bigdecimal (~> 3.1)
     net-http (0.6.0)
       uri
     nio4r (2.7.4)
+    nokogiri (1.18.8-arm64-darwin)
+      racc (~> 1.4)
     oauth2 (2.0.9)
       faraday (>= 0.17.3, < 3.0)
       jwt (>= 1.0, < 3.0)
@@ -110,21 +151,31 @@ GEM
     omniauth-apple (1.3.0)
       json-jwt
       omniauth-oauth2
-    omniauth-google-oauth2 (1.2.1)
-      jwt (>= 2.9.2)
+    omniauth-facebook (10.0.0)
+      bigdecimal
+      omniauth-oauth2 (>= 1.2, < 3)
+    omniauth-google-oauth2 (1.1.2)
+      jwt (>= 2.0)
       oauth2 (~> 2.0)
       omniauth (~> 2.0)
       omniauth-oauth2 (~> 1.8)
     omniauth-oauth2 (1.8.0)
       oauth2 (>= 1.4, < 3)
       omniauth (~> 2.0)
+    orm_adapter (0.5.0)
     parallel (1.26.3)
     parser (3.3.7.4)
       ast (~> 2.4.1)
       racc
     pg (1.5.9)
     pg_lock (1.0.0)
+    pp (0.6.2)
+      prettyprint
+    prettyprint (0.2.0)
     prism (1.4.0)
+    psych (5.2.3)
+      date
+      stringio
     puma (5.6.9)
       nio4r (~> 2.0)
     racc (1.8.1)
@@ -133,26 +184,55 @@ GEM
       base64 (>= 0.1.0)
       logger (>= 1.6.0)
       rack (>= 3.0.0, < 4)
+    rack-session (2.1.0)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0)
     rack-test (2.2.0)
       rack (>= 1.3)
     racksh (1.0.1)
       rack (>= 1.0)
       rack-test (>= 0.5)
+    rackup (2.2.1)
+      rack (>= 3)
+    rails-dom-testing (2.2.0)
+      activesupport (>= 5.0.0)
+      minitest
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.6.2)
+      loofah (~> 2.21)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
+    railties (7.2.2.1)
+      actionpack (= 7.2.2.1)
+      activesupport (= 7.2.2.1)
+      irb (~> 1.13)
+      rackup (>= 1.0.0)
+      rake (>= 12.2)
+      thor (~> 1.0, >= 1.2.2)
+      zeitwerk (~> 2.6)
     rainbow (3.1.1)
+    rake (13.2.1)
+    rdoc (6.13.1)
+      psych (>= 4.0.0)
     regexp_parser (2.10.0)
+    reline (0.6.1)
+      io-console (~> 0.5)
+    responders (3.1.1)
+      actionpack (>= 5.2)
+      railties (>= 5.2)
+    rotp (6.3.0)
     rspec (3.13.0)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
     rspec-core (3.13.3)
       rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.3)
+    rspec-expectations (3.13.4)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.2)
+    rspec-mocks (3.13.4)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-support (3.13.2)
+    rspec-support (3.13.3)
     rubocop (1.75.2)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
@@ -167,11 +247,22 @@ GEM
     rubocop-ast (1.44.0)
       parser (>= 3.3.7.2)
       prism (~> 1.4)
+    rubocop-graphql (1.5.5)
+      lint_roller (~> 1.1)
+      rubocop (>= 1.72.1, < 2)
+    rubocop-rails (2.31.0)
+      activesupport (>= 4.2.0)
+      lint_roller (~> 1.1)
+      rack (>= 1.1)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.38.0, < 2.0)
     ruby-progressbar (1.13.0)
     securerandom (0.4.1)
     snaky_hash (2.0.1)
       hashie
       version_gem (~> 1.1, >= 1.1.1)
+    stringio (3.1.7)
+    thor (1.3.2)
     timeout (0.4.3)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
@@ -179,19 +270,28 @@ GEM
       unicode-emoji (~> 4.0, >= 4.0.4)
     unicode-emoji (4.0.4)
     uri (1.0.3)
+    useragent (0.16.11)
     version_gem (1.1.6)
+    warden (1.2.9)
+      rack (>= 2.0.9)
     zeitwerk (2.6.18)
 
 PLATFORMS
   arm64-darwin-23
 
 DEPENDENCIES
+  devise-passwordless
   fabrication
   faker
   groovestack-auth!
+  omniauth-apple
+  omniauth-facebook
+  omniauth-google-oauth2 (= 1.1.2)
   racksh
   rspec
   rubocop
+  rubocop-graphql (~> 1.0)
+  rubocop-rails (~> 2.18)
 
 BUNDLED WITH
-   2.6.7
+   2.6.2

data/{lib/groovestack/auth/action_cable.rb → app/channels/groovestack/auth/action_cable/connection.rb}

@@ -7,11 +7,11 @@ module Groovestack
         extend ActiveSupport::Concern
 
         included do
-          identified_by :current_resource
+          identified_by :current_user
         end
 
         def connect
-          self.current_resource = find_verified_resource
+          self.current_user = find_verified_resource
         end
 
         private

data/app/controllers/concerns/groovestack/auth/graphql/controllers/auth_helpers.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module GraphQL
+      module Controllers
+        module AuthHelpers
+          extend ActiveSupport::Concern
+
+          included do
+            include Pundit::Authorization if defined?(::Pundit)
+
+            before_action :authenticate_request!, unless: :graphiql?
+
+            private
+
+            def context
+              {
+                visibility_profile: visibility_profile,
+                current_user: current_user
+              }.tap do |ctx|
+                ctx[:authorize] = method(:authorize) if defined?(::Pundit)
+              end
+            end
+
+            def graphiql?
+              return false unless defined?(::GraphiQL)
+
+              Rails.env.development? && request.referer == ::Rails.application.routes.url_helpers.graphiql_rails_url
+            end
+
+            def graphiql_visibility_profile
+              @graphiql_visibility_profile ||= request.headers['HTTP_GRAPHIQL_VISIBILITY_PROFILE']
+            end
+
+            def visibility_profile
+              @visibility_profile ||= if graphiql?
+                                        if graphiql_visibility_profile.blank?
+                                          raise 'must set GRAPHIQL_VISIBILITY_PROFILE header in graphiql initializer '
+                                        end
+
+                                        graphiql_visibility_profile.to_sym
+                                      elsif current_user.nil?
+                                        :anon
+                                      elsif current_user.admin?
+                                        ::User::Role::ADMIN.to_sym
+                                      elsif current_user.exec?
+                                        ::User::Role::EXEC.to_sym
+                                      elsif current_user.staff?
+                                        ::User::Role::STAFF.to_sym
+                                      else
+                                        :user
+                                      end
+            end
+
+            def authenticate_request!
+              # skip authentication for AppConfig queries
+              # introspection query is public. fields will be visible/not based on visibility_profile
+
+              return if %w[AppConfig IntrospectionQuery].include?(operation_name)
+
+              authenticate_user!
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/controllers/concerns/groovestack/auth/graphql/controllers/authed_execute.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module GraphQL
+      module Controllers
+        module AuthedExecute
+          extend ActiveSupport::Concern
+
+          include ::Groovestack::Base::GraphQL::Controllers::Execute
+          include ::Groovestack::Auth::GraphQL::Controllers::AuthHelpers
+        end
+      end
+    end
+  end
+end

data/app/controllers/groovestack/auth/authenticated_api_controller.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    class AuthenticatedApiController < ApplicationController
+      prepend_before_action :authenticate_user!
+      protect_from_forgery prepend: true, with: :reset_session unless -> { Rails.env.test? }
+    end
+  end
+end

data/app/controllers/groovestack/auth/omniauth_callbacks_controller.rb

@@ -0,0 +1,138 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    class OmniauthCallbacksController < ::Devise::OmniauthCallbacksController
+      include ::Devise::Controllers::Rememberable
+
+      skip_before_action :verify_authenticity_token
+      before_action :set_auth_hash
+
+      Groovestack::Auth.configured_providers(ancestor: Groovestack::Auth::Providers::OmniAuth).each do |p|
+        define_method(p.k) do
+          handle_oauth(provider: p.k.to_s.capitalize)
+        end
+      end
+
+      def failure
+        # override for error notifications & to support custom origin redirects
+
+        known_reasons = %w[user_cancelled_authorize user_denied]
+
+        handled = known_reasons.any? do |reason|
+          request.params&.dig('error_reason') == reason || request.params&.dig('error') == reason
+        end
+
+        if !handled && Rails.env.production?
+          failure_kind = OmniAuth::Utils.camelize(failed_strategy.name)
+          blob = {
+            kind: failure_kind,
+            reason: failure_message,
+            params: request.params,
+            omniauth: request.env['omniauth.auth']
+          }
+
+          exception = OmniauthFailureError.new(blob.to_s)
+
+          ::Groovestack::Base.notify_error('Groovestack::Auth::OmniauthCallbacksController.omniauth_failure', exception)
+        end
+
+        set_flash_message! :alert, :failure, kind: failure_kind, reason: failure_message
+        redirect_to after_omniauth_failure_path_for(resource_name),
+                    allow_other_host: ::Groovestack::Auth.allow_other_host_redirects
+      end
+
+      protected
+
+      def set_auth_hash
+        # set omniauth.auth for /callback requests (that skip the request phase)
+        return if params['omniauth'].blank?
+
+        # only set if not already set (i.e. no override)
+        request.env['omniauth.auth'] ||= JSON.parse(params['omniauth'].to_json, object_class: OmniAuth::AuthHash)
+      end
+
+      def after_omniauth_failure_path_for(scope)
+        if (origin_url = omniauth_request_origin)
+          return origin_url
+        end
+
+        super
+      end
+
+      def omniauth_request_origin
+        return ::Groovestack::Auth.omniauth_origin_url if ::Groovestack::Auth.omniauth_origin_url.present?
+        return ::Rails.application.routes.url_helpers.root_url if same_origin_request?
+
+        request.env['omniauth.origin']
+      end
+
+      private
+
+      def json_format?
+        # WHY necessary?
+        # request.format.json? may not be set correctly for FE auth that handles the
+        # request phase and only hits /callback
+        # request.path_parameters[:format] is set to 'json' in the same case
+        request.format.json? || request.path_parameters[:format] == 'json'
+      end
+
+      def same_origin_request?
+        return true if request.env['omniauth.origin'].blank?
+
+        request.env['omniauth.origin'].starts_with?(request.base_url)
+      end
+
+      def add_search_params(url, params)
+        uri = URI.parse(url)
+        existing_params = Rack::Utils.parse_nested_query(uri.query)
+        merged_params = existing_params.merge(params.deep_stringify_keys)
+        uri.query = Rack::Utils.build_nested_query(merged_params)
+        uri.to_s
+      end
+
+      def handle_oauth(provider:)
+        auth = request.env['omniauth.auth']
+
+        identity_params = {
+          auth: auth,
+          user_attrs: {
+            defaults: {
+              password: ::Devise.friendly_token[0, 20]
+            }
+          }
+        }
+
+        @user = ::Identity.find_or_create_from_omniauth!(**identity_params).user
+
+        begin
+          unless @user.confirmed?
+            @user.skip_confirmation_notification! # skip sending confirmation email
+            @user.confirm
+          end
+        rescue StandardError => e
+          msg = "OmniAuth Callback Confirmation Failure: #{e}"
+          ::Groovestack::Base.notify_error(e.class, msg)
+        end
+
+        remember_me @user
+        sign_in(:user, @user)
+
+        if json_format?
+          # return connected identity info for FE user hydration
+          render json: @user.slice(:id, :email, :name), status: :ok
+        elsif same_origin_request?
+          redirect_to after_sign_in_path_for(@user)
+        else
+          redirect_to omniauth_request_origin, allow_other_host: ::Groovestack::Auth.allow_other_host_redirects
+        end
+      rescue ActiveRecord::RecordInvalid => e
+        # let FE handle missing email gracefully
+        raise e unless e.record.errors[:email].present? && e.record.errors[:email].include?("can't be blank")
+
+        redirect_to add_search_params(after_omniauth_failure_path_for(resource_name), { errors: { email_missing: true } }),
+                    allow_other_host: ::Groovestack::Auth.allow_other_host_redirects
+      end
+    end
+  end
+end

data/app/controllers/groovestack/auth/passwordless/magic_links_controller.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module Passwordless
+      class MagicLinksController < ::DeviseController
+        skip_before_action :verify_authenticity_token
+        prepend_before_action :require_no_authentication, only: :show
+        prepend_before_action :allow_params_authentication!, only: :show
+        prepend_before_action(only: [:show]) { request.env['devise.skip_timeout'] = true }
+
+        def show
+          self.resource = warden.authenticate!(auth_options)
+
+          begin
+            unless resource.confirmed?
+              resource.skip_confirmation_notification! # skip sending confirmation email
+              resource.confirm
+            end
+          rescue StandardError => e
+            msg = "Passwordless Magic Link Confirmation Failure: #{e}"
+            ::Groovestack::Base.notify_error(e.class, msg)
+          end
+
+          set_flash_message!(:notice, :signed_in)
+          sign_in(resource_name, resource, event: :authentication)
+          yield resource if block_given?
+
+          respond_to do |format|
+            format.html { redirect_to after_sign_in_path_for(resource) }
+            format.json { render json: { success: true, resource: resource.as_json, status: :ok } }
+          end
+        end
+
+        protected
+
+        def auth_options
+          mapping = ::Devise.mappings[resource_name]
+          { scope: resource_name, recall: "#{mapping.controllers[:sessions]}#new" }
+        end
+
+        def translation_scope
+          'devise.sessions'
+        end
+
+        private
+
+        def resource_params
+          params.permit({ user: %i[email remember_me token] })
+        end
+
+        def create_params
+          resource_params.permit({ user: %i[email remember_me] })
+        end
+      end
+    end
+  end
+end

data/app/controllers/groovestack/auth/passwordless/sessions_controller.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+module Groovestack
+  module Auth
+    module Passwordless
+      class SessionsController < ::Devise::SessionsController
+        skip_before_action :verify_authenticity_token # , only: :destroy
+
+        def create
+          self.resource = resource_class.find_for_authentication(email: create_params[:email])
+
+          if resource.blank?
+            # register a new account
+
+            u = ::User.new(email: create_params[:email], password: ::Devise.friendly_token[0, 20])
+            # u.skip_confirmation_notification!
+            u.save!
+
+            self.resource = u
+          end
+
+          send_magic_link(resource)
+
+          respond_to do |format|
+            format.html { redirect_to(after_magic_link_sent_path_for(resource), status: devise_redirect_status) }
+            format.json do
+              render json: { success: true, resource: resource.as_json, message: 'Magic link sent.' }, status: :ok
+            end
+          end
+        rescue StandardError => e
+          msg = "Passwordless Magic Link Send Failure for #{create_params[:email]}: #{e}"
+          ::Groovestack::Base.notify_error('Groovestack::Auth::Passwordless::SessionsController', msg)
+
+          respond_to do |format|
+            format.html { render :new, status: devise_error_status }
+            format.json do
+              render json: { error: 'User not found or unable to register account. Our team has been notified.' },
+                     status: :not_found
+            end
+          end
+        end
+
+        protected
+
+        def send_magic_link(resource)
+          resource.send_magic_link(remember_me: create_params[:remember_me])
+        end
+
+        def translation_scope
+          if action_name == 'create'
+            'devise.passwordless'
+          else
+            super
+          end
+        end
+
+        private
+
+        def create_params
+          resource_params.permit(:email, :remember_me)
+        end
+
+        # Devise < 4.9 fallback support
+        # See: https://github.com/heartcombo/devise/wiki/How-To:-Upgrade-to-Devise-4.9.0-%5BHotwire-Turbo-integration%5D
+        def devise_redirect_status
+          ::Devise.try(:responder).try(:redirect_status) || :found
+        end
+
+        def devise_error_status
+          ::Devise.try(:responder).try(:error_status) || :ok
+        end
+      end
+    end
+  end
+end