hanko-ruby 0.1.4 → 0.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d356c77086f8405e77f5d44376ba9ec93a84888d0a34205c682c4861134ebdf2
-  data.tar.gz: 2f4863a050500f0caede6de8d9e4bd74a10314eeb4c482046368279225520af3
+  metadata.gz: 67831cf7bac615f17229e1d326efc82c4cfc46ae431b95cbc085069e63b8f4cf
+  data.tar.gz: 1b409320ba0a9db76e4076b193deb145c42f92b49669e13d8735464bb27df425
 SHA512:
-  metadata.gz: 749becb96adbd06cb8e57e9b63227452459535b92d2637595e5f8772e15af87acbe0ed3dabac9c616f525e8a0377fd0a29b12ffddcaf5bb360c78fbe9700c5bc
-  data.tar.gz: dbf7dedd41d916df414b8239898d48c1f4534301ec920410006bfbc6a40f4745951bb1c3d585cd1f1e334ac9905d0499a752354b0900f4466ac5225c6d8c1cde
+  metadata.gz: c36b02e8c618559ee176c9ef4953bfb88e980cdf705da5f304d7f70a452a1bb59f42829f5c68c31afd7811531e9f4b195b54f1bd386ee6a4f2cdf967cd84d2e3
+  data.tar.gz: '0180da35d71c1991b35f3efa776a77e2a58728b9beee0ab95298e01c479d62605d779602b8b0acb6b553a0b23ac833b185055bca7d0f1020499e28aa39ac46a2'

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2026 Fernando Ruiz
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,325 @@
+# hanko-ruby
+
+[![CI](https://github.com/fruizg0302/hanko-ruby/actions/workflows/ci.yml/badge.svg)](https://github.com/fruizg0302/hanko-ruby/actions)
+[![Gem Version](https://badge.fury.io/rb/hanko-ruby.svg)](https://rubygems.org/gems/hanko-ruby)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+Framework-agnostic Ruby SDK for the [Hanko](https://www.hanko.io/) authentication platform. Verify sessions, manage users via the Admin API, drive login/registration flows, and handle webhooks.
+
+> **Looking for Rails integration?** See [hanko-rails](https://rubygems.org/gems/hanko-rails) for middleware, controller helpers, and generators.
+
+## Installation
+
+```ruby
+# Gemfile
+gem 'hanko-ruby'
+```
+
+```sh
+bundle install
+```
+
+## Quick Start
+
+Verify a Hanko session token in three lines:
+
+```ruby
+require 'hanko'
+
+Hanko.configure do |config|
+  config.api_url = 'https://your-instance.hanko.io'
+end
+
+client = Hanko::Client.new
+result = client.public.sessions.validate_token(session_token)
+puts result['user_id']
+```
+
+## Configuration
+
+### Global configuration
+
+Set defaults that apply to every `Hanko::Client` instance:
+
+```ruby
+Hanko.configure do |config|
+  config.api_url        = ENV.fetch('HANKO_API_URL')
+  config.api_key        = ENV.fetch('HANKO_API_KEY')  # required for Admin API
+  config.timeout        = 5       # request timeout in seconds (default: 5)
+  config.open_timeout   = 2       # connection open timeout (default: 2)
+  config.retry_count    = 1       # number of retries (default: 1)
+  config.clock_skew     = 0       # allowed JWT clock skew in seconds (default: 0)
+  config.jwks_cache_ttl = 3600    # JWKS cache lifetime in seconds (default: 3600)
+  config.logger         = Logger.new($stdout)
+  config.log_level      = :info   # default: :info
+end
+```
+
+### Per-client overrides
+
+Override any setting on a specific client instance:
+
+```ruby
+admin_client = Hanko::Client.new(
+  api_url: 'https://your-instance.hanko.io',
+  api_key: ENV.fetch('HANKO_API_KEY'),
+  timeout: 10
+)
+```
+
+Global and per-client settings can be mixed; per-client values take precedence.
+
+## Session Verification
+
+### Via the Public API
+
+```ruby
+client = Hanko::Client.new
+
+# Validate using a session token string
+result = client.public.sessions.validate_token(session_token)
+
+# Validate using cookie/header (server-side forwarding)
+result = client.public.sessions.validate
+```
+
+### Via WebhookVerifier (standalone)
+
+For lightweight verification without a full client:
+
+```ruby
+payload = Hanko::WebhookVerifier.verify(
+  token,
+  jwks_url: 'https://your-instance.hanko.io/.well-known/jwks.json'
+)
+
+puts payload['sub']  # user ID
+```
+
+The verifier pins to RS256 and raises `Hanko::InvalidTokenError` or `Hanko::ExpiredTokenError` on failure.
+
+## Admin API
+
+The Admin API requires an API key. All responses are wrapped in `Hanko::Resource` objects that support both hash-style (`resource['field']`) and method-style (`resource.field`) access.
+
+### Users
+
+```ruby
+client = Hanko::Client.new
+
+# List users
+users = client.admin.users.list
+users.each { |u| puts u.id }
+
+# Get a specific user
+user = client.admin.users.get('user-uuid')
+
+# Create a user
+user = client.admin.users.create(email: 'alice@example.com')
+
+# Delete a user
+client.admin.users.delete('user-uuid')
+```
+
+### User-scoped resources
+
+Access emails, passwords, sessions, WebAuthn credentials, and metadata through a user context:
+
+```ruby
+user_ctx = client.admin.users('user-uuid')
+
+# Emails
+emails = user_ctx.emails.list
+user_ctx.emails.create(address: 'new@example.com')
+user_ctx.emails.make_primary('email-uuid')
+user_ctx.emails.delete('email-uuid')
+
+# Passwords
+user_ctx.passwords.create(password: 'new-password')
+user_ctx.passwords.get
+user_ctx.passwords.update(password: 'updated-password')
+user_ctx.passwords.delete
+
+# Sessions
+sessions = user_ctx.sessions.list
+user_ctx.sessions.delete('session-uuid')
+
+# WebAuthn credentials
+creds = user_ctx.webauthn_credentials.list
+user_ctx.webauthn_credentials.delete('credential-uuid')
+
+# Metadata
+meta = user_ctx.metadata.get
+user_ctx.metadata.update(custom_key: 'custom_value')
+```
+
+### Webhooks
+
+```ruby
+# List webhooks
+webhooks = client.admin.webhooks.list
+
+# Create a webhook
+webhook = client.admin.webhooks.create(
+  callback: 'https://example.com/webhooks/hanko',
+  events: ['user.create', 'user.delete']
+)
+
+# Delete a webhook
+client.admin.webhooks.delete('webhook-uuid')
+```
+
+### Audit Logs
+
+```ruby
+logs = client.admin.audit_logs.list
+logs.each { |log| puts "#{log.type} at #{log.created_at}" }
+```
+
+## Flow API
+
+Drive Hanko login and registration flows server-side. Returns `Hanko::FlowResponse` objects.
+
+```ruby
+client = Hanko::Client.new
+
+# Start a login flow
+response = client.public.flow.login
+puts response.status   # :completed, :error, etc.
+puts response.actions  # available next actions
+
+# Start a registration flow
+response = client.public.flow.registration
+
+# Profile flow
+response = client.public.flow.profile
+
+# Check flow state
+if response.completed?
+  puts "User ID: #{response.user_id}"
+  puts "Session token: #{response.session_token}"
+elsif response.error?
+  puts "Flow failed"
+end
+```
+
+## Well-Known Endpoints
+
+```ruby
+client = Hanko::Client.new
+
+# Fetch JWKS
+jwks = client.public.well_known.jwks
+
+# Fetch Hanko configuration
+config = client.public.well_known.config
+```
+
+## Webhook Verification
+
+Verify incoming webhook payloads from Hanko:
+
+```ruby
+token = request.headers['X-Hanko-Webhook-Token']
+payload = Hanko::WebhookVerifier.verify(
+  token,
+  jwks_url: "#{ENV.fetch('HANKO_API_URL')}/.well-known/jwks.json"
+)
+
+case payload['evt']
+when 'user.create'
+  User.create!(hanko_id: payload['sub'])
+when 'user.delete'
+  User.find_by(hanko_id: payload['sub'])&.destroy
+end
+```
+
+## Testing
+
+The test helper is **opt-in** — require it explicitly:
+
+```ruby
+require 'hanko/test_helper'
+```
+
+### Available helpers
+
+```ruby
+# Generate a signed JWT for testing
+token = Hanko::TestHelper.generate_test_token(
+  sub: 'user-uuid',
+  exp: Time.now.to_i + 3600
+)
+
+# Get a JWKS response body (matches the test signing key)
+jwks_json = Hanko::TestHelper.test_jwks_response
+
+# Stub the JWKS endpoint (requires WebMock)
+Hanko::TestHelper.stub_jwks(api_url: 'https://your-instance.hanko.io')
+
+# Create a stub verifier (no HTTP calls)
+verifier = Hanko::TestHelper.stub_session(
+  sub: 'user-uuid',
+  exp: Time.now.to_i + 3600
+)
+payload = verifier.verify('any-token')
+puts payload['sub']  # => 'user-uuid'
+```
+
+## Error Handling
+
+All errors inherit from `Hanko::Error`:
+
+```
+Hanko::Error
+├── Hanko::ConfigurationError    # missing or invalid configuration
+├── Hanko::InvalidTokenError     # JWT signature invalid or malformed
+├── Hanko::ExpiredTokenError     # JWT has expired
+├── Hanko::JwksError             # failed to fetch or parse JWKS
+├── Hanko::ConnectionError       # network-level failure
+└── Hanko::ApiError              # HTTP 4xx/5xx response
+    ├── Hanko::AuthenticationError   # 401 Unauthorized
+    ├── Hanko::NotFoundError         # 404 Not Found
+    └── Hanko::RateLimitError        # 429 Too Many Requests
+```
+
+```ruby
+begin
+  client.admin.users.get('nonexistent-uuid')
+rescue Hanko::NotFoundError => e
+  puts "User not found (HTTP #{e.status})"
+rescue Hanko::RateLimitError => e
+  puts "Rate limited. Retry after #{e.retry_after} seconds"
+rescue Hanko::AuthenticationError
+  puts "Invalid API key"
+rescue Hanko::ApiError => e
+  puts "API error: #{e.message} (HTTP #{e.status})"
+rescue Hanko::Error => e
+  puts "Hanko error: #{e.message}"
+end
+```
+
+## Security
+
+- **Algorithm pinning** — All JWT verification is pinned to RS256. No algorithm negotiation or `none` algorithm is accepted.
+- **Credential redaction** — `Hanko::Client#inspect` and `Hanko::Configuration#inspect` redact the API key so credentials are never leaked to logs.
+- **JWKS trust** — The SDK only fetches JWKS from the configured `api_url` domain. Webhook verification requires an explicit `jwks_url` parameter.
+
+## Requirements
+
+- Ruby >= 3.1
+
+## Contributing
+
+1. Fork the repository
+2. Create your feature branch (`git checkout -b feature/my-feature`)
+3. Write tests for your changes
+4. Ensure all tests pass: `bundle exec rspec`
+5. Ensure linting passes: `bundle exec rubocop`
+6. Commit your changes (`git commit -m 'Add my feature'`)
+7. Push to the branch (`git push origin feature/my-feature`)
+8. Open a Pull Request
+
+## License
+
+Released under the [MIT License](LICENSE.txt).

data/lib/hanko/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Hanko
-  VERSION = '0.1.4'
+  VERSION = '0.1.5'
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hanko-ruby
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.1.5
 platform: ruby
 authors:
 - Fernando Ruiz
@@ -59,6 +59,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- LICENSE.txt
+- README.md
 - lib/hanko.rb
 - lib/hanko/api/admin.rb
 - lib/hanko/api/admin/audit_logs.rb
@@ -91,6 +93,8 @@ metadata:
   homepage_uri: https://github.com/fruizg0302/hanko-ruby
   source_code_uri: https://github.com/fruizg0302/hanko-ruby/tree/main/hanko
   changelog_uri: https://github.com/fruizg0302/hanko-ruby/blob/main/CHANGELOG.md
+  bug_tracker_uri: https://github.com/fruizg0302/hanko-ruby/issues
+  documentation_uri: https://rubydoc.info/gems/hanko-ruby
   rubygems_mfa_required: 'true'
 rdoc_options: []
 require_paths: