hmac-auth-rails 0.0.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 16b4a6bbc4ad9534420cc8ad5832034243d3270f
+  data.tar.gz: 26a5452d6f16b798cbceb6a5c9da2af853887eff
+SHA512:
+  metadata.gz: 0828664d24a83a56a423e7d02c0fdf82ab07041f0c53a8787ad52674fedc674e2944cab1bb38cb00bd9d34a06f096ef37c8bdb36eb62d89793560759c8f0239b
+  data.tar.gz: 34225f01299554f461b6d02f8f50db28e2af12fd28ff8d7bce537dc7cec2ef917e5c9b5f82085de2730feacd2542f4682777342f9f14cba4a9df1d9a51ab1d84

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2016 Justin Pye
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,216 @@
+# hmac-auth-rails
+
+#### Disclaimer: Although this is covered in the MIT license agreement, please be aware that in no way will the authors be responsible for any security issues or loss of income that may arise from using this code. Use this code at your own risk.
+
+## Overview
+
+This application integrates with Rails and provides in-built SHA1 HMAC authentication. It was originally built to be used with [angular-hmac-auth](https://github.com/todopagos/angular-hmac-auth) an open-source Angular module. Currently it only supports SHA1 encryption. If you require better encryption methods please contribute.
+
+## Installation
+
+### Install the Gemfile
+
+Add the following line to your Rails Gemfile:
+
+`gem 'hmac-auth-rails'`
+
+### Make your authentication model authenticatable
+
+Add the line below to your applications model that handles the authentication:
+
+```
+class User < ActiveRecord::Base
+
+  hmac_authenticatable
+```  
+
+### Built-in authentication fields
+
+To use built-in fields you will need to ensure that your authentication model has the `auth_token` and `secret_key` string fields defined: 
+
+```
+class User < ActiveRecord::Base
+
+  hmac_authenticatable
+  
+  field :auth_token, type: String
+  field :secret_key, type: String
+```
+
+### Custom authentication fields
+
+If you do not wish to use the built-in fields you can specifiy your own custom fields in the model:
+
+```
+class User < ActiveRecord::Base
+
+  hmac_authenticatable
+  
+  self.auth_token_field = :custom_auth_token
+  self.secret_key_field = :custom_secret_key
+  
+  field :custom_auth_token, type: String
+  field : custom_secret_key, type: String
+```
+
+### Auto-generating auth tokens and secret keys
+
+The following snippet can help you in setting up your model to auto-generate the `auth_token` and `secret_key` when a new record is initialised.
+
+```
+  after_initialize :generate_key, :generate_token
+
+  protected
+  def generate_token
+    self.auth_token ||= loop do
+      random_token = SecureRandom.hex(32)
+      break random_token unless User.exists?(auth_token: random_token)
+    end
+  end
+
+  def generate_key
+    self.secret_key  ||= SecureRandom.base64(64)
+  end
+```
+
+### When using devise
+
+To ensure that you validate HMAC authentication before the `:authenticate_user!` method is called. You will want the following line.
+
+`prepend_before_filter :hmac_auth`
+
+To exclude certain actions from being `hmac_authenticatable` you could use the following exclude parameter.
+
+`prepend_before_filter :hmac_auth, :except => :my_action`
+
+### Applying HMAC authentication globaly
+
+A good way to apply HMAC authentication globaly is to add `:hmac_auth` to your `ApplicationController` and inherit the controller for all other sub-controllers.
+
+```
+module Api::V1
+  class ApiController < ApplicationController
+    prepend_before_filter :hmac_auth
+  end
+end
+```
+
+Your sub-controller would look similar to the following:
+
+```
+module Api::V1
+  class UsersController < ApiController
+  end
+end
+```
+
+## Testing with Rspec
+
+Set into the `spec/dummy` folder and run the following:
+
+```
+bundle exec rspec
+```
+
+## Plays nice with
+
+### todopagos/angular-hmac-auth
+
+[https://github.com/todopagos/angular-hmac-auth](https://github.com/todopagos/angular-hmac-auth)
+
+### plataformatec/devise
+
+[https://github.com/plataformatec/devise](https://github.com/plataformatec/devise)
+
+## Putting all the "plays nice with" together
+
+Create an API Application Controller that excludes the `auth` action:
+
+```
+module Api::V1
+  class ApiController < ApplicationController
+    prepend_before_filter :hmac_auth, :except => :auth
+  end
+end
+```
+
+Setup the `auth` action to set the user as the `current_user`:
+
+```
+def auth
+  @user = current_user
+end
+```    
+
+The `auth` jbuilder view will look like the following:
+
+```
+json.auth do
+  json.auth_token @user[@user.auth_token_field]
+  json.secret_key @user[@user.secret_key_field]
+end
+```
+
+And when rendered:
+
+```
+{
+    "auth": {
+      "auth_token": "39e75f277f2edb7d9f547a8b3e21fa4c1c5fd5e213909e7c93a87539e12e60ea",
+      "secret_key": "wrlM6KWL0SgyCM0sBbhXfXdwKxqDxC3Df3/wmOwiw2HZOIMvi4L1m51/fhowUz5Ys8BL2vr2GezS4lK4deXGJQ=="
+    }
+}
+```
+
+The following is an example of how you load the `auth` details via the `angular-hmac-auth` module and intercept all `$http` calls in order to add the HMAC authencation headers:
+
+```
+var hmacAuthApp = angular.module("hmac-auth-demo",['hmacAuthInterceptor'])
+
+    .constant('REST_PATH', "/api/v1")
+
+    .provider('configService', ['REST_PATH',function(REST_PATH) {
+        var loadConfig = ['$http','$q', function($http,$q) {
+            var deferred = $q.defer();
+            $http.get(REST_PATH + '/users/auth').then(function(response) {
+                deferred.resolve(response["data"]["auth"]);
+            });
+            return deferred.promise;
+        }];
+        this.$get = loadConfig;
+    }])
+
+    .config(['$httpProvider', function($httpProvider) {
+        $httpProvider.interceptors.push('hmacInterceptor');
+    }])
+
+    .run(['hmacInterceptor','REST_PATH', function(hmacInterceptor,REST_PATH){
+        hmacInterceptor.whitelist = REST_PATH + '/usrs/auth';
+    }])
+
+    .controller('DemoController', [ '$scope','$http','configService','hmacInterceptor','REST_PATH', function($scope,$http, configService, hmacInterceptor, REST_PATH){
+        var demo = $scope;
+
+        configService.then(function(config){
+            hmacInterceptor.accessId =  config["auth_token"];
+            hmacInterceptor.secretKey =  config["secret_key"];
+            $http.get(REST_PATH + '/users').then(function(response){
+                demo.users = response.data.users;
+            });
+        });
+    }]);
+```  
+
+An example of the headers that gets appended to the Angular HTTP requests:
+
+```
+X_HMAC_AUTHORIZATION:APIAuth 39e75f277f2edb7d9f547a8b3e21fa4c1c5fd5e213909e7c93a87539e12e60ea:l+f5GfID1ABZm6W7zAaf+5lb9N4=
+X_HMAC_CONTENT_MD5:1B2M2Y8AsgTpgAmY7PhCfg==
+X_HMAC_CONTENT_TYPE:
+X_HMAC_DATE:Sun, 24 Jan 2016 09:00:06 GMT
+```
+The `spec/dummy` application actually has working version of the above and can be run by setting into the folder and calling `rails s`
+
+# More information
+
+For any more information please contact Bernie Lomax. Bernie!, Bernie!, Bernie!

data/Rakefile

@@ -0,0 +1,23 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'AngularHmacAuthRails'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+
+
+
+
+Bundler::GemHelper.install_tasks
+

data/lib/hmac-auth-rails.rb

@@ -0,0 +1 @@
+require 'hmac_auth_rails'

data/lib/hmac_auth_rails.rb

@@ -0,0 +1,105 @@
+require 'active_record'
+
+module HmacAuthRails
+
+  class HmacRailtie < Rails::Railtie
+    initializer "hmacauthrails.configure_rails_initialization" do |app|
+      Mongoid::Document.send :include, HmacAuthenticatable if defined? Mongoid::Document
+      ActiveRecord::Base.send :include, HmacAuthenticatable if defined? ActiveRecord::Base
+      ActionController::Base.send :include, HmacController
+      ActionController::Base.helper_method :hmac_auth
+    end
+  end
+
+  module HmacAuthenticatable
+
+    extend ActiveSupport::Concern
+
+    included do; end
+
+    module ClassMethods
+      def hmac_authenticatable(options = {})
+        cattr_accessor :secret_key_field
+        cattr_accessor :auth_token_field
+        self.secret_key_field = (options[:secret_key_field] || :secret_key).to_s
+        self.auth_token_field = (options[:auth_token_field] || :auth_token).to_s
+        include HmacAuthRails::HmacAuthenticatable::LocalInstanceMethods
+      end
+    end
+
+    module LocalInstanceMethods; end
+
+  end
+
+  module HmacController
+
+    def hmac_auth model="User"
+      @my_user
+      begin
+        raise 'Missing X_HMAC_AUTHORIZATION header' unless header_exists? :HTTP_X_HMAC_AUTHORIZATION
+        raise 'Missing header HTTP_X_HMAC_CONTENT_MD5 header' unless header_exists? :HTTP_X_HMAC_CONTENT_MD5
+        raise 'Missing header HTTP_X_HMAC_CONTENT_TYPE header' unless header_exists? :HTTP_X_HMAC_CONTENT_TYPE
+        raise 'Missing header HTTP_X_HMAC_DATE header' unless header_exists? :HTTP_X_HMAC_DATE
+        raise 'Could not determine Devise model name' unless model = Object.const_get(model)
+        credentials = load_header
+        raise "Invalid #{model.auth_token_field}" unless user = model.where("#{model.auth_token_field}" => credentials[:auth_token] ).first
+        raise "Invalid #{model.secret_key_field}" unless secret_key = user[model.secret_key_field]
+        @my_user = user
+        if credentials[:signature] == HmacAuthRails::HmacController.encrypt(secret_key, canonical_string)
+          sign_in(user, store: false)
+        else
+          raise 'Authentication failed.'
+        end
+      rescue => e
+        Rails.logger.error e.to_s
+        head :unauthorized
+      rescue => e
+        Rails.logger.error e
+        head :unauthorized
+      end
+    end
+
+    def self.encrypt(secret_key,string)
+      digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), secret_key, string)
+      if Base64.respond_to?(:strict_encode64)
+        Base64.strict_encode64(digest)
+      else
+        Base64.encode64(digest).gsub(/\n/, '')
+      end
+    end
+
+    private
+    def header_exists? header
+      if request.headers.env.has_key? header.to_s
+        true
+      else
+        false
+      end
+    end
+
+    def canonical_string
+      [
+          ( request.headers.env["HTTP_X_HMAC_CONTENT_TYPE"] != "null" ? request.headers.env["HTTP_X_HMAC_CONTENT_TYPE"] : "" ),
+          ( request.headers.env["HTTP_X_HMAC_CONTENT_MD5"] != "null" ? request.headers.env["HTTP_X_HMAC_CONTENT_MD5"] : "" ),
+          request.headers.env["PATH_INFO"],
+          request.headers.env["HTTP_X_HMAC_DATE"]
+      ].join(",")
+    end
+
+    def load_header
+      data = request.headers.env["HTTP_X_HMAC_AUTHORIZATION"].gsub(/APIAuth /, '').split(':')
+      raise 'Invalid HMAC auth header' if data.size != 2
+      raise 'Invalid token inside HMAC auth header' if data.first.empty? or data.first.nil?
+      raise 'Invalid secret inside HMAC auth header' if data.last.empty? or data.last.nil?
+      return {
+          :auth_token => data.first,
+          :signature => data.last
+      }
+    end
+
+  end
+
+end
+
+
+

data/lib/hmac_auth_rails/version.rb

@@ -0,0 +1,3 @@
+module HmacAuthRails
+  VERSION = "0.0.3"
+end

data/lib/tasks/angular_hmac_auth_rails_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :hmac_auth_rails do
+#   # Task goes here
+# end

metadata

@@ -0,0 +1,134 @@
+--- !ruby/object:Gem::Specification
+name: hmac-auth-rails
+version: !ruby/object:Gem::Version
+  version: 0.0.3
+platform: ruby
+authors:
+- Justin Pye
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-05-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.2'
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: jbuilder
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: factory_girl_rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.0'
+description: Provides HMAC authentication to your Rails controllers
+email: 
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- lib/hmac-auth-rails.rb
+- lib/hmac_auth_rails.rb
+- lib/hmac_auth_rails/version.rb
+- lib/tasks/angular_hmac_auth_rails_tasks.rake
+homepage: https://github.com/bernielomax/hmac-auth-rails
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: Provides HMAC authentication to your Rails controllers
+test_files: []