himari 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9ef5f3bac5f8a375751669378420729ab8dbe9ce40c1e1dec0fb5a3ac938b304
-  data.tar.gz: ed87e0922bc863813624c34d217f02fd9f06fec442fd01a8b0c1daf760b6ca48
+  metadata.gz: d532b382f36d5465772fc09e18feebf0a29db47365e2f5fbd3e83cec7eaa6c4b
+  data.tar.gz: cf9632d941835355bea9cde2435ad6e9993cb278d306e8d5888fc804053cce32
 SHA512:
-  metadata.gz: 97c69604496c88d5b6e0f38cf0693cdd07ee6dd15b73d12e724efcea058a2f44492fcbe57ed5ece878f36e7bc2631a028c1464f9bc17d33f519eb2f17b8ff576
-  data.tar.gz: 3a9fff6c67bec527df79527f9e436c5703d95e822e0b0d3bc4cc460e003205d238a9e8ea965f2fbb931a18389282dfa2b770e60b931eaadc82dd683b413f841a
+  metadata.gz: bb564663bea0c6c39cc0a81d4db848f1e7142b9e2d89ddc34d4b2550d99c44dfc6340dddc239d701ac53d53f762519388095a7806b68d29b675215785cbaf90a
+  data.tar.gz: db75ed71b1daef3ae8d3ebbcdf85518c27b9be0fea0a3cc18ca7906271253ac16abc6635c44c5f1b03d3e2a6c3354d02611133e6d71ac4a3e5d6019f756bce47

data/lib/himari/access_token.rb

@@ -1,32 +1,11 @@
-require 'securerandom'
-require 'base64'
-require 'digest/sha2'
-require 'rack/utils'
-
 require 'rack/oauth2'
 require 'openid_connect'
 
+require 'himari/token_string'
+
 module Himari
   class AccessToken
-    class SecretMissing < StandardError; end
-    class SecretIncorrect < StandardError; end
-    class TokenExpired < StandardError; end
-    class InvalidFormat < StandardError; end
-
-    Format = Struct.new(:handler, :secret, keyword_init: true) do
-      HEADER = 'hmat'
-
-      def self.parse(str)
-        parts = str.split('.')
-        raise InvalidFormat unless parts.size == 3
-        raise InvalidFormat unless parts[0] == HEADER
-        new(handler: parts[1], secret: parts[2])
-      end
-
-      def to_s
-        "#{HEADER}.#{handler}.#{secret}"
-      end
-    end
+    include TokenString
 
     class Bearer < Rack::OAuth2::AccessToken::Bearer
       def token_response(options = {})
@@ -36,13 +15,12 @@ module Himari
       end
     end
 
-    def self.make(**kwargs)
-      new(
-        handler: SecureRandom.urlsafe_base64(32),
-        secret: SecureRandom.urlsafe_base64(32),
-        expiry: Time.now.to_i + 3600,
-        **kwargs
-      )
+    def self.magic_header
+      'hmat'
+    end
+
+    def self.default_lifetime
+      3600
     end
 
     # @param authz [Himari::AuthorizationCode]
@@ -50,11 +28,12 @@ module Himari
       make(
         client_id: authz.client_id,
         claims: authz.claims,
+        lifetime: authz.lifetime.access_token,
       )
     end
 
-    def initialize(handler:, client_id:, claims:, expiry:, secret: nil, secret_hash: nil)
-      @handler = handler
+    def initialize(handle:, client_id:, claims:, expiry:, secret: nil, secret_hash: nil)
+      @handle = handle
       @client_id = client_id
       @claims = claims
       @expiry = expiry
@@ -63,32 +42,8 @@ module Himari
       @secret_hash = secret_hash
     end
 
-    attr_reader :handler, :client_id, :claims, :expiry
-
-    def secret
-      raise SecretMissing unless @secret
-      @secret
-    end
-
-    def secret_hash
-      @secret_hash ||= Base64.urlsafe_encode64(Digest::SHA384.digest(secret), padding: false)
-    end
-
-    def verify_secret!(given_secret)
-      dgst = Base64.urlsafe_decode64(secret_hash)
-      given_dgst = Digest::SHA384.digest(given_secret)
-      raise SecretIncorrect unless Rack::Utils.secure_compare(dgst, given_dgst)
-      @secret = given_secret
-      true
-    end
+    attr_reader :handle, :client_id, :claims, :expiry
 
-    def verify_expiry!(now = Time.now)
-      raise TokenExpired if @expiry <= now.to_i
-    end
-
-    def format
-      Format.new(handler: handler, secret: secret)
-    end
 
     def to_bearer
       Bearer.new(
@@ -99,7 +54,7 @@ module Himari
 
     def as_log
       {
-        handler_dgst: Digest::SHA256.hexdigest(handler),
+        handle: handle,
         client_id: client_id,
         claims: claims,
         expiry: expiry,
@@ -108,7 +63,7 @@ module Himari
 
     def as_json
       {
-        handler: handler,
+        handle: handle,
         secret_hash: secret_hash,
         client_id: client_id,
         claims: claims,

data/lib/himari/app.rb

@@ -6,8 +6,11 @@ require 'himari/version'
 
 require 'himari/log_line'
 
+require 'himari/token_string'
 require 'himari/provider_chain'
+
 require 'himari/authorization_code'
+require 'himari/session_data'
 
 require 'himari/middlewares/client'
 require 'himari/middlewares/config'
@@ -26,14 +29,33 @@ module Himari
   class App < Sinatra::Base
     set :root, File.expand_path(File.join(__dir__, '..', '..'))
 
-    set :protection, use: %i(authenticity_token), except: %i(remote_token)
+    # remote_token: disabled in favor of authenticity_token (more stricter)
+    # json_csrf: can be prevented using x-content-type-options:nosniff
+    set :protection, use: %i(authenticity_token), except: %i(remote_token json_csrf)
+
     set :logging, nil
 
     ProviderCandidate = Struct.new(:name, :button, :action, keyword_init: true)
 
+    class InvalidSessionToken < StandardError; end
+
     helpers do
       def current_user
-        session[:session_data]
+        return @current_user if defined? @current_user
+        given_token = session[:himari_session]
+        return nil unless given_token
+
+        given_parsed_token = Himari::SessionData.parse(given_token)
+
+        token = config.storage.find_session(given_parsed_token.handle)
+        raise InvalidSessionToken, "no session found in storage (possibly expired)" unless token
+        token.verify!(secret: given_parsed_token.secret)
+
+        @current_user = token
+      rescue InvalidSessionToken, Himari::TokenString::Error => e
+        logger&.warn(Himari::LogLine.new('invalid session token given', req: request_as_log, err: e.class.inspect))
+        session.delete(:himari_session)
+        nil
       end
 
       def config
@@ -49,7 +71,15 @@ module Himari
       end
 
       def known_providers
-        query = Addressable::URI.form_encode(back_to: request.fullpath)
+        back_to = if request.query_string.empty?
+          request.path
+        else
+          Addressable::URI.parse(request.fullpath).tap do |u|
+            u.query_values = u.query_values.reject { |k,_v| k == 'prompt' }
+          end.to_s
+        end
+        query = Addressable::URI.form_encode(back_to: back_to)
+
         config.providers.map do |pr|
           name = pr.fetch(:name)
           ProviderCandidate.new(
@@ -109,7 +139,7 @@ module Himari
 
     get '/' do
       content_type :text
-      "Himari\n"
+      "Himari #{release_code}\n"
     end
 
     get '/oidc/authorize' do
@@ -118,10 +148,11 @@ module Himari
         logger&.warn(Himari::LogLine.new('authorize: no client registration found', req: request_as_log, client_id: params[:client_id]))
         next halt 401, 'unknown client' 
       end
+
       if current_user
         # do downstream authz and process oidc request
         decision = Himari::Services::DownstreamAuthorization.from_request(session: current_user, client: client, request: request).perform
-        logger&.info(Himari::LogLine.new('authorize: downstream authorized', req: request_as_log, allowed: decision.authz_result.allowed, result: decision.as_log))
+        logger&.info(Himari::LogLine.new('authorize: downstream authorized', req: request_as_log, session: current_user.as_log, allowed: decision.authz_result.allowed, result: decision.as_log))
         raise unless decision.authz_result.allowed # sanity check
 
         authz = AuthorizationCode.make(
@@ -138,10 +169,15 @@ module Himari
         ).call(env)
       else
         logger&.info(Himari::LogLine.new('authorize: prompt login', req: request_as_log, client_id: params[:client_id]))
-        erb config.custom_templates[:login] || :login
+        erb(config.custom_templates[:login] || :login)
       end
+
+    rescue Himari::Services::OidcAuthorizationEndpoint::ReauthenticationRequired
+      logger&.warn(Himari::LogLine.new('authorize: prompt login to reauthenticate (demanded by oidc request)',  req: request_as_log, session: current_user&.as_log, allowed: decision&.authz_result&.allowed, result: decision&.as_log))
+      next erb(config.custom_templates[:login] || :login)
+
     rescue Himari::Services::DownstreamAuthorization::ForbiddenError => e
-      logger&.warn(Himari::LogLine.new('authorize: downstream forbidden', req: request_as_log, allowed: e.result.authz_result.allowed, err: e.class.inspect, result: e.as_log))
+      logger&.warn(Himari::LogLine.new('authorize: downstream forbidden', req: request_as_log, session: current_user&.as_log, allowed: e.result.authz_result.allowed, err: e.class.inspect, result: e.as_log))
 
       @notice = message_human = e.result.authz_result&.user_facing_message
 
@@ -149,8 +185,8 @@ module Himari
       when nil
         # do nothing
       when :reauthenticate
-        logger&.warn(Himari::LogLine.new('authorize: prompt login to reauthenticate', req: request_as_log, allowed: e.result.authz_result.allowed, err: e.class.inspect, result: e.as_log))
-        next erb(:login)
+        logger&.warn(Himari::LogLine.new('authorize: prompt login to reauthenticate (suggested by decision)', req: request_as_log, session: current_user&.as_log, allowed: e.result.authz_result.allowed, err: e.class.inspect, result: e.as_log))
+        next erb(config.custom_templates[:login] || :login)
       else
         raise ArgumentError, "Unknown suggestion value for DownstreamAuthorization denial; #{e.as_log.inspect}"
       end
@@ -178,7 +214,8 @@ module Himari
     end
     get '/oidc/userinfo', &userinfo_ep
     get '/public/oidc/userinfo', &userinfo_ep
-
+    post '/oidc/userinfo', &userinfo_ep
+    post '/public/oidc/userinfo', &userinfo_ep
 
     jwks_ep = proc do
       Himari::Services::JwksEndpoint.new(
@@ -201,12 +238,16 @@ module Himari
 
       # do upstream auth
       authn = Himari::Services::UpstreamAuthentication.from_request(request).perform
-      logger&.info(Himari::LogLine.new('authentication allowed', req: request_as_log, allowed: authn.authn_result.allowed, uid: authhash[:uid], provider: authhash[:provider], result: authn.as_log))
+      logger&.info(Himari::LogLine.new('authentication allowed', req: request_as_log, allowed: authn.authn_result.allowed, uid: authhash[:uid], provider: authhash[:provider], result: authn.as_log, existing_session: current_user&.as_log))
       raise unless authn.authn_result.allowed # sanity check
 
       given_back_to = request.env['omniauth.params']&.fetch('back_to', nil)
       back_to = if given_back_to
-        uri = Addressable::URI.parse(given_back_to)
+        uri = begin
+          Addressable::URI.parse(given_back_to)
+        rescue Addressable::URI::InvalidURIError
+          nil
+        end
         if uri && uri.host.nil? && uri.scheme.nil? && uri.path.start_with?('/')
           given_back_to
         else
@@ -216,10 +257,14 @@ module Himari
       end || '/'
 
       session.destroy
-      session[:session_data] = authn.session_data
+
+      new_session = authn.session_data
+      config.storage.put_session(new_session)
+      session[:himari_session] = new_session.format.to_s
+
       redirect back_to
     rescue Himari::Services::UpstreamAuthentication::UnauthorizedError => e
-      logger&.warn(Himari::LogLine.new('authentication denied', req: request_as_log, err: e.class.inspect, allowed: e.result.authn_result.allowed, uid: request.env.fetch('omniauth.auth')[:uid], provider: request.env.fetch('omniauth.auth')[:provider], result: e.as_log))
+      logger&.warn(Himari::LogLine.new('authentication denied', req: request_as_log, err: e.class.inspect, allowed: e.result.authn_result.allowed, uid: request.env.fetch('omniauth.auth')[:uid], provider: request.env.fetch('omniauth.auth')[:provider], result: e.as_log, existing_session: current_user&.as_log))
       message_human = e.result.authn_result&.user_facing_message
       halt(401, "Unauthorized#{message_human ? "; #{message_human}" : nil}")
     end

data/lib/himari/authorization_code.rb

@@ -1,4 +1,5 @@
 require 'digest/sha2'
+require 'himari/lifetime_value'
 
 module Himari
   authz_attrs = %i(
@@ -23,10 +24,23 @@ module Himari
       )
     end
 
+    alias _lifetime_raw lifetime
+    private :_lifetime_raw
+    def lifetime
+      case _lifetime_raw
+      when Hash
+        self.lifetime = LifetimeValue.new(**_lifetime_raw)
+      when Integer #compat
+        self.lifetime = LifetimeValue.from_integer(_lifetime_raw)
+      else
+        _lifetime_raw
+      end
+    end
+
     alias _expiry_raw expiry
     private :_expiry_raw
     def expiry
-      self._expiry_raw || (self.expiry = created_at + (lifetime || 900))
+      self._expiry_raw || (self.expiry = created_at + (lifetime&.code || 900))
     end
 
     def valid_redirect_uri?(given_uri)
@@ -68,7 +82,7 @@ module Himari
         nonce: nonce,
         openid: openid,
         created_at: created_at.to_i,
-        lifetime: lifetime.to_i,
+        lifetime: lifetime.as_log,
         expiry: expiry.to_i,
         pkce: pkce?,
         pkce_method: code_challenge_method,
@@ -87,7 +101,7 @@ module Himari
         code_challenge: code_challenge,
         code_challenge_method: code_challenge_method,
         created_at: created_at.to_i,
-        lifetime: lifetime.to_i,
+        lifetime: lifetime.as_json,
         expiry: expiry.to_i,
       }
     end

data/lib/himari/client_registration.rb

@@ -10,6 +10,7 @@ module Himari
       @redirect_uris = redirect_uris
       @preferred_key_group = preferred_key_group
 
+      raise ArgumentError, "name starts with '_' is reserved" if @name&.start_with?('_')
       raise ArgumentError, "either secret or secret_hash must be present" if !@secret && !@secret_hash
     end
 

data/lib/himari/decisions/authorization.rb

@@ -1,4 +1,5 @@
 require 'himari/decisions/base'
+require 'himari/lifetime_value'
 
 module Himari
   module Decisions
@@ -23,22 +24,31 @@ module Himari
         super()
         @claims = claims
         @allowed_claims = allowed_claims
-        @lifetime = lifetime
+        self.lifetime = lifetime
       end
 
       attr_reader :claims, :allowed_claims
-      attr_accessor :lifetime
+      attr_reader :lifetime
+
+      def lifetime=(x)
+        case x
+        when LifetimeValue
+          @lifetime = x
+        else
+          @lifetime = LifetimeValue.from_integer(x)
+        end
+      end
 
       def to_evolve_args
         {
           claims: @claims.dup,
           allowed_claims: @allowed_claims.dup,
-          lifetime: @lifetime&.to_i,
+          lifetime: @lifetime,
         }
       end
 
       def as_log
-        to_h.merge(claims: output_claims, lifetime: @lifetime&.to_i)
+        to_h.merge(claims: output_claims, lifetime: @lifetime.to_h)
       end
 
       def output_claims

data/lib/himari/decisions/claims.rb

@@ -13,16 +13,20 @@ module Himari
 
       allow_effects(:continue, :skip)
 
-      def initialize(claims: nil, user_data: nil)
+      def initialize(claims: nil, user_data: nil, lifetime: nil)
         super()
         @claims = claims
         @user_data = user_data
+        @lifetime = lifetime
       end
 
+      attr_accessor :lifetime
+
       def to_evolve_args
         {
           claims: @claims.dup,
           user_data: @user_data.dup,
+          lifetime: @lifetime&.to_i,
         }
       end
 
@@ -31,7 +35,7 @@ module Himari
       end
 
       def output
-        Himari::SessionData.new(claims: claims, user_data: user_data)
+        Himari::SessionData.make(claims: claims, user_data: user_data, lifetime: lifetime)
       end
 
       def initialize_claims!(claims = {})

data/lib/himari/id_token.rb

@@ -7,11 +7,12 @@ module Himari
   class IdToken
     # @param authz [Himari::AuthorizationCode]
     def self.from_authz(authz, **kwargs)
+      
       new(
         claims: authz.claims,
         client_id: authz.client_id,
         nonce: authz.nonce,
-        lifetime: authz.lifetime,
+        lifetime: authz.lifetime.is_a?(Integer) ? authz.lifetime : authz.lifetime.id_token, # compat
         **kwargs
       )
     end

data/lib/himari/lifetime_value.rb

@@ -0,0 +1,15 @@
+module Himari
+  LifetimeValue = Struct.new(:access_token, :id_token, :code, keyword_init: true) do
+    def self.from_integer(i)
+      new(access_token: i, id_token: i, code: nil)
+    end
+
+    def as_log
+      as_json&.compact
+    end
+
+    def as_json
+      {access_token: access_token, id_token: id_token, code: code}
+    end
+  end
+end

data/lib/himari/services/oidc_authorization_endpoint.rb

@@ -5,6 +5,8 @@ require 'openid_connect'
 module Himari
   module Services
     class OidcAuthorizationEndpoint
+      class ReauthenticationRequired < StandardError; end
+
       SUPPORTED_RESPONSE_TYPES = ['code'] # TODO: share with oidc metadata
 
       # @param authz [Himari::AuthorizationCode] pending (unpersisted) authz data
@@ -39,6 +41,8 @@ module Himari
 
           req.unsupported_response_type! if res.protocol_params_location == :fragment
           req.bad_request!(:request_uri_not_supported, "Request Object is not implemented") if req.request_uri || req.request
+          req.bad_request!(:invalid_request, 'prompt=none should not contain any other value') if req.prompt.include?('none') && req.prompt.any? { |x| x != 'none' }
+          raise ReauthenticationRequired if req.prompt.include?('login') || req.prompt.include?('select_account')
 
           requested_response_types = [*req.response_type]
           unless SUPPORTED_RESPONSE_TYPES.include?(requested_response_types.map(&:to_s).join(' '))

data/lib/himari/services/oidc_userinfo_endpoint.rb

@@ -1,4 +1,5 @@
 require 'himari/access_token'
+require 'himari/token_string'
 require 'himari/log_line'
 
 module Himari
@@ -33,9 +34,9 @@ module Himari
           return [404, {'Content-Type' => 'application/json'}, ['{"error": "not_found"}']] unless %w(GET POST).include?(@env['REQUEST_METHOD'])
 
           raise InvalidToken unless given_token
-          given_parsed_token = Himari::AccessToken::Format.parse(given_token)
+          given_parsed_token = Himari::AccessToken.parse(given_token)
 
-          token = @storage.find_token(given_parsed_token.handler)
+          token = @storage.find_token(given_parsed_token.handle)
           raise InvalidToken unless token
           token.verify_expiry!()
           token.verify_secret!(given_parsed_token.secret)
@@ -46,7 +47,7 @@ module Himari
             {'Content-Type' => 'application/json; charset=utf-8'},
             [JSON.pretty_generate(token.claims), "\n"],
           ]
-        rescue InvalidToken, Himari::AccessToken::SecretIncorrect, Himari::AccessToken::InvalidFormat, Himari::AccessToken::TokenExpired => e
+        rescue InvalidToken, Himari::TokenString::SecretIncorrect, Himari::TokenString::InvalidFormat, Himari::TokenString::TokenExpired => e
           @logger&.warn(Himari::LogLine.new('OidcUserinfoEndpoint: invalid_token', req: @env['himari.request_as_log'], err: e.class.inspect, token: token&.as_log))
           [
             401,

data/lib/himari/services/upstream_authentication.rb

@@ -27,7 +27,7 @@ module Himari
       Result = Struct.new(:claims_result, :authn_result, :session_data) do
         def as_log
           {
-            claims: session_data&.claims,
+            session: session_data&.as_log,
             decision: {
               claims: claims_result&.as_log&.reject{ |k,_v| %i(allowed explicit_deny).include?(k) },
               authentication: authn_result&.as_log,

data/lib/himari/session_data.rb

@@ -1,7 +1,46 @@
+require 'himari/token_string'
+
 module Himari
-  SessionData = Struct.new(:claims, :user_data, keyword_init: true) do
+  class SessionData
+    include Himari::TokenString
+
+    def initialize(claims: {}, user_data: {}, handle:, secret: nil, secret_hash: nil, expiry: nil)
+      @claims = claims
+      @user_data = user_data
+
+      @handle = handle
+      @secret = secret
+      @secret_hash = secret_hash
+      @expiry = expiry
+    end
+
+    def self.magic_header
+      'hmas'
+    end
+
+    def self.default_lifetime
+      3600
+    end
+
+    attr_reader :claims, :user_data
+
     def as_log
-      {claims: claims}
+      {
+        handle: handle,
+        claims: claims,
+        expiry: expiry,
+      }
+    end
+
+    def as_json
+      {
+        handle: handle,
+        secret_hash: secret_hash,
+        expiry: expiry,
+
+        claims: claims,
+        user_data: user_data,
+      }
     end
   end
 end

data/lib/himari/storages/base.rb

@@ -1,5 +1,6 @@
 require 'himari/authorization_code'
 require 'himari/access_token'
+require 'himari/session_data'
 
 module Himari
   module Storages
@@ -23,23 +24,40 @@ module Himari
         delete('authz', code)
       end
 
-      def find_token(handler)
-        content = read('token', handler)
+      def find_token(handle)
+        content = read('token', handle)
+        content[:handle] = content.delete(:handle) if content.key?(:handler) # compat
         content && AccessToken.new(**content)
       end
 
       def put_token(token, overwrite: false)
-        write('token', token.handler, token.as_json, overwrite: overwrite)
+        write('token', token.handle, token.as_json, overwrite: overwrite)
       end
 
       def delete_token(token)
-        delete_authorization_by_token(token.handler)
+        delete_authorization_by_token(token.handle)
       end
 
-      def delete_token_by_handler(handler)
-        delete('token', handler)
+      def delete_token_by_handle(handle)
+        delete('token', handle)
       end
 
+      def find_session(handle)
+        content = read('session', handle)
+        content && SessionData.new(**content)
+      end
+
+      def put_session(session, overwrite: false)
+        write('session', session.handle, session.as_json, overwrite: overwrite)
+      end
+
+      def delete_session(session)
+        delete_session_by_handle(session.handle)
+      end
+
+      def delete_session_by_handle(handle)
+        delete('session', handle)
+      end
 
       private def write(kind, key, content, overwrite: false)
         raise NotImplementedError

data/lib/himari/token_string.rb

@@ -0,0 +1,96 @@
+require 'securerandom'
+require 'base64'
+require 'digest/sha2'
+require 'rack/utils'
+
+module Himari
+  module TokenString
+    class Error < StandardError; end
+    class SecretMissing < Error; end
+    class SecretIncorrect < Error; end
+    class TokenExpired < Error; end
+    class InvalidFormat < Error; end
+
+    module ClassMethods
+      def magic_header
+        raise NotImplementedError
+      end
+
+      def default_lifetime
+        raise NotImplementedError
+      end
+
+      def make(lifetime: nil, **kwargs)
+        new(
+          handle: SecureRandom.urlsafe_base64(32),
+          secret: SecureRandom.urlsafe_base64(48),
+          expiry: Time.now.to_i + (lifetime || default_lifetime),
+          **kwargs
+        )
+      end
+
+      def parse(str)
+        Format.parse(magic_header, str)
+      end
+    end
+
+    def self.included(k)
+      k.extend(ClassMethods)
+    end
+
+    def handle
+      @handle
+    end
+
+    def expiry
+      @expiry
+    end
+
+    def secret
+      raise SecretMissing unless @secret
+      @secret
+    end
+
+    def secret_hash
+      @secret_hash ||= Base64.urlsafe_encode64(Digest::SHA384.digest(secret), padding: false)
+    end
+
+    def verify!(secret:, now: Time.now)
+      verify_expiry!(now)
+      verify_secret!(secret)
+    end
+
+    def verify_secret!(given_secret)
+      dgst = Base64.urlsafe_decode64(secret_hash) # TODO: rescue errors
+      given_dgst = Digest::SHA384.digest(given_secret)
+      raise SecretIncorrect unless Rack::Utils.secure_compare(dgst, given_dgst)
+      @secret = given_secret
+      true
+    end
+
+    def verify_expiry!(now = Time.now)
+      raise TokenExpired if @expiry <= now.to_i
+    end
+
+    Format = Struct.new(:header, :handle, :secret, keyword_init: true) do
+      def self.parse(header, str)
+        parts = str.split('.')
+        raise InvalidFormat unless parts.size == 3
+        raise InvalidFormat unless parts[0] == header
+        new(header: header, handle: parts[1], secret: parts[2])
+      end
+
+      def to_s
+        "#{header}.#{handle}.#{secret}"
+      end
+    end
+
+    def magic_header
+      self.class.magic_header
+    end
+
+    def format
+      Format.new(header: magic_header, handle: handle, secret: secret)
+    end
+  end
+end

data/lib/himari/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Himari
-  VERSION = "0.3.0"
+  VERSION = "0.4.0"
 end

data/public/public/index.css

@@ -1,5 +1,7 @@
-body {
+body, button, select {
   font-family: "Segoe UI", Helvetica, sans-serif;
+}
+body {
   font-size: 16px;
   background-color: #FDF7EF;
   text-align: center;
@@ -67,6 +69,10 @@ main > header img, main > footer img {
   margin-bottom: 24px;
 }
 
+footer, footer a, footer a:visited {
+  color: #5e5e6b;
+}
+
 .d-none {
   display: none;
 }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: himari
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Sorah Fukumori
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-03-21 00:00:00.000000000 Z
+date: 2023-03-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sinatra
@@ -117,6 +117,7 @@ files:
 - lib/himari/id_token.rb
 - lib/himari/item_provider.rb
 - lib/himari/item_providers/static.rb
+- lib/himari/lifetime_value.rb
 - lib/himari/log_line.rb
 - lib/himari/middlewares/authentication_rule.rb
 - lib/himari/middlewares/authorization_rule.rb
@@ -139,6 +140,7 @@ files:
 - lib/himari/storages/base.rb
 - lib/himari/storages/filesystem.rb
 - lib/himari/storages/memory.rb
+- lib/himari/token_string.rb
 - lib/himari/version.rb
 - public/public/index.css
 - sig/himari.rbs