henshin-belt 0.0.1

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2024-09-02
+
+- Initial release

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 kotarominami
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,80 @@
+# Hensin Belt on Grape API
+
+Hensin Belt is a Grape middleware to connect your API resources with your API authenticator.
+
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'henshin-belt'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install henshin-belt
+
+## Usage
+
+### Install generator
+
+On your first install, run this generator :
+
+```ruby
+rails g henshin_belt:install
+```
+
+### Usage with Grape
+
+You will need to use the middleware in your main API :
+
+```ruby
+# use middleware
+use ::HensinBelt::Oauth2
+```
+
+You could also use the helpers :
+
+```ruby
+# use helpers
+helpers ::HensinBelt::Helpers
+```
+
+### Protecting your endpoint
+
+In your endpoint you need to define which protected endpoint by adding this DSL :
+
+1.  `oauth2`
+2.  `oauth2(:email)`
+
+Example :
+
+```ruby
+desc "Your protected endpoint"
+oauth2 
+get :protected do
+    # your code goes here
+end
+```
+
+```ruby
+desc "Your protected endpoint with defined scope"
+oauth2(:email)
+get :protected do
+    # your code goes here
+end
+```
+
+## Nice feature
+
+From your protected endpoint you could get :
+
+1. `resource_token` => Your access token
+2. `resource_credential` => Full credentials
+3. `resource_owner` => Current Object
+4. `me` => Current Object

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+require "rubocop/rake_task"
+
+RuboCop::RakeTask.new
+
+task default: %i[spec rubocop]

data/lib/generators/henshin_belt/install_generator.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module HenshinBelt
+  class InstallGenerator < Rails::Generators::Base
+    source_root File.expand_path('../../templates', __FILE__)
+
+    def copy_initializer
+      template 'initializer.rb', 'config/initializers/henshin_belt.rb'
+    end
+  end
+end

data/lib/generators/templates/initializer.rb

@@ -0,0 +1,5 @@
+HenshinBelt.setup do |config|
+  # your authentication server
+  config.is_custom_scopes  = false
+  config.resources         = "Models::Auth"
+end

data/lib/henshin-belt.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+require 'grape'
+require_relative 'henshin_belt/version'
+
+require 'henshin_belt/configuration'
+
+require 'henshin_belt/oauth2'
+require 'henshin_belt/extension'
+require 'henshin_belt/helpers'
+
+require 'henshin_belt/base_strategy'
+require 'henshin_belt/auth_strategies/hub'
+require 'henshin_belt/auth_methods'
+
+require 'henshin_belt/errors/invalid_token'
+require 'henshin_belt/errors/invalid_scope'
+require 'henshin_belt/errors/expired_token'
+
+module HenshinBelt
+  extend HenshinBelt::Configuration
+  define_setting :auth_strategy, 'hub'
+  define_setting :resources, 'Models::Auth'
+  define_setting :is_custom_scopes, false
+
+  def self.config_resources
+    resources
+  end
+end

data/lib/henshin_belt/auth_methods.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module HenshinBelt
+  module AuthMethods
+    attr_accessor :me, :resource_token, :resource_owner, :resource_credentials
+
+    # rubocop:disable Lint/DuplicateMethods
+    def protected_endpoint=(protected)
+      @protected_endpoint = protected
+    end
+
+    def protected_endpoint?
+      @protected_endpoint || false
+    end
+
+    def resource_token
+      @_resource_token
+    end
+
+    def resource_token=(token)
+      @_resource_token = token
+    end
+
+    def me=(resource)
+      @_me = resource
+    end
+
+    def me
+      @_me
+    end
+
+    def resource_owner=(resource)
+      @_resource_owner = resource
+    end
+
+    def resource_owner
+      @_resource_owner
+    end
+
+    def resource_credentials=(credentials)
+      @_resource_credentials = credentials
+    end
+
+    def resource_credentials
+      @_resource_credentials
+    end
+
+    # rubocop:enable Lint/DuplicateMethods
+  end
+end

data/lib/henshin_belt/auth_strategies/hub.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module HenshinBelt
+  module AuthStrategies
+    class Hub < HenshinBelt::BaseStrategy
+      def endpoint_protected?
+        !!endpoint_authorizations
+      end
+
+      def has_auth_scopes?
+        !!endpoint_authorizations &&
+          endpoint_authorizations.key?(:scopes) &&
+          !endpoint_authorizations[:scopes].empty?
+      end
+
+      def auth_scopes
+        endpoint_authorizations[:scopes].map { |s| s.is_a?(String) || s.is_a?(Symbol) ? s.to_sym : s }
+      end
+
+      private
+
+      def endpoint_authorizations
+        api_context.options[:route_options][:auth]
+      end
+    end
+  end
+end

data/lib/henshin_belt/base_strategy.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module HenshinBelt
+  class BaseStrategy
+    attr_accessor :api_context
+  end
+end

data/lib/henshin_belt/configuration.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module HenshinBelt
+  module Configuration
+    def setup
+      yield self
+    end
+
+    def define_setting(name, default = nil)
+      class_variable_set("@@#{name}", default)
+
+      define_class_method "#{name}=" do |value|
+        class_variable_set("@@#{name}", value)
+      end
+
+      define_class_method name do
+        class_variable_get("@@#{name}")
+      end
+    end
+
+    private
+
+    def define_class_method(name, &block)
+      (class << self; self; end).instance_eval do
+        define_method name, &block
+      end
+    end
+  end
+end

data/lib/henshin_belt/errors/expired_token.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module HenshinBelt
+  module Errors
+    class ExpiredToken < StandardError
+      def initialize(msg = 'Expired token')
+        @code = 401
+        super
+      end
+      attr_reader :code
+    end
+  end
+end

data/lib/henshin_belt/errors/invalid_scope.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module HenshinBelt
+  module Errors
+    class InvalidScope < StandardError
+      def initialize(msg = 'Invalid scope')
+        @code = 401
+        super
+      end
+      attr_reader :code
+    end
+  end
+end

data/lib/henshin_belt/errors/invalid_token.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module HenshinBelt
+  module Errors
+    class InvalidToken < StandardError
+      def initialize(msg = 'Invalid token')
+        @code = 401
+        super
+      end
+      attr_reader :code
+    end
+  end
+end

data/lib/henshin_belt/extension.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module HenshinBelt
+  module Extension
+    def oauth2(*scopes)
+      scopes = Doorkeeper.configuration.default_scopes.all if scopes.all? { |x| x.nil? }
+      if respond_to?(:route_setting) # >= grape-0.10.0
+        description = route_setting(:description) || route_setting(:description, {})
+      else
+        description = @last_description ||= {}
+      end
+      # case WineBouncer.configuration.auth_strategy
+      # when :default
+      description[:auth] = { scopes: scopes }
+      # when :swagger
+      description[:authorizations] = { oauth2: scopes.map { |x| { scope: x } } }
+      # end
+    end
+
+    # Grape::API::Instance is defined in grape 1.2.0 or above
+    grape_api = defined?(Grape::API::Instance) ? Grape::API::Instance : Grape::API
+    grape_api.extend self
+  end
+end

data/lib/henshin_belt/helpers.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module HenshinBelt
+  module Helpers
+  end
+end

data/lib/henshin_belt/oauth2.rb

@@ -0,0 +1,167 @@
+# frozen_string_literal: true
+
+require 'rack/auth/abstract/request'
+
+module HenshinBelt
+  class Oauth2 < Grape::Middleware::Base
+    attr_reader :auth_strategy
+
+    def context
+      env['api.endpoint']
+    end
+
+    def the_request=(env)
+      @_the_request = ActionDispatch::Request.new(env)
+    end
+
+    def request
+      @_the_request
+    end
+
+    def token
+      if request.headers['Authorization'].present?
+        if request.headers['Authorization'].include?('bearer')
+          token = request.headers['Authorization'].try('split', 'bearer').try(:last).try(:strip)
+        elsif request.headers['Authorization'].include?('Bearer')
+          token = request.headers['Authorization'].try('split', 'Bearer').try(:last).try(:strip)
+        else
+          token = request.headers['Authorization']
+        end
+      else
+        token = request.parameters['access_token']
+      end
+      token
+    end
+
+    ############
+    # Authorization control.
+    ############
+    def endpoint_protected?
+      auth_strategy.endpoint_protected?
+    end
+
+    def args
+      results = {}
+      auth_strategy.auth_scopes.map { |s| (results = results.merge(s)) if s.is_a?(Hash) }
+      results
+    end
+
+    def sync_scopes_from(resource, to:)
+      to.update(scopes: resource.scopes.join(',')) rescue nil
+    end
+
+    def scopes
+      results = []
+      auth_strategy.auth_scopes.map { |s| (results << s) unless s.is_a?(Hash) }
+      results.map!(&:to_sym)
+    end
+
+    def access_scopes(access)
+      if HenshinBelt.is_custom_scopes
+        access.scopes.map!(&:to_sym) rescue []
+      else
+        access.scopes.all[0].split(',').map!(&:to_sym) rescue []
+      end
+    end
+
+    def is_args_include_validate?
+      if args.key?(:validate) && ![true, false].include?(args[:validate])
+        raise HenshinBelt::Errors::InvalidScope.new("Not valid scope '#{args[:validate]}' in `oauth2 scope`")
+      end
+      args.key?(:validate)
+    end
+
+    def scope_authorize!(access)
+      if scopes.present? && access
+        unless (scopes & (access_scopes access)).present?
+          raise HenshinBelt::Errors::InvalidScope.new('OAuth Scope is disallowed')
+        end
+      end
+    end
+
+    def token_optional?
+      is_args_include_validate? && [true, false].include?(args[:validate]) && args[:validate].eql?(false)
+    end
+
+    def token_required?
+      is_args_include_validate? && [true, false].include?(args[:validate]) && args[:validate].eql?(true) || is_args_include_validate?.blank?
+    end
+
+    def authorize!
+      access = Doorkeeper::AccessToken.find_by(token: token)
+      if access.present?
+        if access.expired?
+          raise HenshinBelt::Errors::ExpiredToken
+        end
+        if access.revoked?
+          raise HenshinBelt::Errors::InvalidToken
+        end
+      else
+        raise HenshinBelt::Errors::InvalidToken
+      end
+      # rubocop:disable Security/Eval
+      resource = eval(HenshinBelt.resources).where(id: access.resource_owner_id).last rescue nil
+      # rubocop:enable Security/Eval
+
+      sync_scopes_from(resource, to: access)
+      if HenshinBelt.is_custom_scopes
+        scope_authorize! resource
+      else
+        scope_authorize! access
+      end
+      {
+        token:               access.token,
+        resource_owner:      resource,
+        resource_credential: {
+          access_token:  access.token,
+          scopes:        access_scopes(access),
+          token_type:    'bearer',
+          expires_in:    access.expires_in,
+          refresh_token: access.refresh_token,
+          created_at:    access.created_at.to_i
+        }
+      }
+    end
+
+    ############
+    # Grape middleware methods
+    ############
+
+    def before
+      set_auth_strategy(HenshinBelt.auth_strategy)
+      auth_strategy.api_context = context
+      context.extend(HenshinBelt::AuthMethods)
+      context.protected_endpoint = endpoint_protected?
+
+      return unless context.protected_endpoint?
+
+      self.the_request = env
+      if token_optional? && context.protected_endpoint?
+        context.resource_token       = nil
+        context.resource_owner       = nil
+        context.resource_credentials = nil
+        response = authorize! rescue nil
+        if response.present?
+          context.resource_owner = response[:resource_owner] rescue nil
+          context.resource_credentials = nil
+        end
+      elsif token.present? && token_required? && context.protected_endpoint?
+        response               = authorize!
+        context.resource_token = response[:token]
+        context.resource_owner = response[:resource_owner] rescue nil
+        context.me = response[:resource_owner] rescue nil
+        context.resource_credentials = response[:resource_credential] rescue nil
+      elsif context.resource_owner.nil? && context.protected_endpoint?
+        raise HenshinBelt::Errors::InvalidToken
+      else
+        raise HenshinBelt::Errors::InvalidToken
+      end
+    end
+
+    private
+
+    def set_auth_strategy(strategy)
+      @auth_strategy = HenshinBelt::AuthStrategies.const_get(strategy.to_s.capitalize.to_s).new
+    end
+  end
+end

data/lib/henshin_belt/version.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+module HenshinBelt
+  VERSION = '0.0.1'
+  public_constant :VERSION
+end

metadata

@@ -0,0 +1,107 @@
+--- !ruby/object:Gem::Specification
+name: henshin-belt
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- kotarominami
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2024-09-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.5.18
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.5.18
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 13.2.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 13.2.1
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.13.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.13.0
+description: Hensin Belt is a Grape middleware to connect your API resources with
+  your API authenticator.
+email:
+- kotaroisme@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- ".rubocop.yml"
+- CHANGELOG.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/generators/henshin_belt/install_generator.rb
+- lib/generators/templates/initializer.rb
+- lib/henshin-belt.rb
+- lib/henshin_belt/auth_methods.rb
+- lib/henshin_belt/auth_strategies/hub.rb
+- lib/henshin_belt/base_strategy.rb
+- lib/henshin_belt/configuration.rb
+- lib/henshin_belt/errors/expired_token.rb
+- lib/henshin_belt/errors/invalid_scope.rb
+- lib/henshin_belt/errors/invalid_token.rb
+- lib/henshin_belt/extension.rb
+- lib/henshin_belt/helpers.rb
+- lib/henshin_belt/oauth2.rb
+- lib/henshin_belt/version.rb
+homepage: https://github.com/kotaroisme/henshin-belt
+licenses:
+- MIT
+metadata:
+  source_code_uri: https://github.com/kotaroisme/henshin-belt
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.18
+signing_key:
+specification_version: 4
+summary: Hensin Belt is a Grape middleware to connect your API.
+test_files: []