idsimple-rack 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 8e96f0e33a7a9ae276cceadb129736372de30090009e65627abb8b265c970441
+  data.tar.gz: '0892d4f0de694a19808e0d86b3cf160e2cb76568abf21c54870f44269f6eb325'
+SHA512:
+  metadata.gz: 179c195156ea7eb3762ae4df5ad1b60dad5894156d78a4b53a65aec1311c67cade941d87c9108df63b3d1e89d7961b34cb23668149afcbe1c0fb0f4cb7c40688
+  data.tar.gz: 1fabbc0f43b36e97a60442aaf5bf055ce570666906df603d0bc5d9bdb9775124aabf837dda661b82ef0041853cd30e1168112ff5491982cee472561501832540

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2021 Ari Summer
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,274 @@
+# Idsimple::Rack
+
+## Overview
+Idsimple works with all [Rack](https://github.com/rack/rack)-based applications.
+This includes:
+- [Ruby on Rails](https://rubyonrails.org/)
+- [Sinatra](http://sinatrarb.com/)
+- [Hanami](https://hanamirb.org/)
+- [Camping](http://www.ruby-camping.com/)
+- [Coset](http://leahneukirchen.org/repos/coset/)
+- [Padrino](http://padrinorb.com/)
+- [Ramaze]()
+- [Roda](https://github.com/jeremyevans/roda)
+- [Rum](https://github.com/leahneukirchen/rum)
+- [Utopia](https://github.com/socketry/utopia)
+- [WABuR](https://github.com/ohler55/wabur)
+
+
+All you need is the [idsimple-rack gem](https://github.com/idsimple/idsimple-rack).
+`idsimple-rack` includes a [Rack app](https://github.com/rack/rack/blob/master/SPEC.rdoc#rack-applications-),
+`Idsimple::Rack::AuthenticatorApp`, for authenticating users and initiating sessions
+and a Rack middleware, `Idsimple::Rack::ValidatorMiddleware`, for validating access tokens and sessions.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem "idsimple-rack"
+```
+
+And then execute:
+
+```bash
+bundle install
+```
+
+Or install it yourself as:
+
+```bash
+gem install idsimple-rack
+```
+
+## Ruby on Rails
+`idsimple-rack` hooks in to Rails automatically using [Rails::Railtie](https://api.rubyonrails.org/classes/Rails/Railtie.html).
+All you need to do is add an initializer with your [configuration options](#configuration):
+
+```ruby
+# config/initializers/idsimple_rack.rb
+
+Idsimple::Rack.configure do |config|
+  config.app_id = ENV["IDSIMPLE_APP_ID"]
+  config.api_key = ENV["IDSIMPLE_API_KEY"]
+  config.signing_secret = ENV["IDSIMPLE_SIGNING_SECRET"]
+end
+```
+
+## Rack
+To add `idsimple-rack` to a Rack application, you need to `run` `Idsimple::Rack::AuthenticatorApp`,
+at `Idsimple::Rack.configuration.authenticate_path`, `use` `Idsimple::Rack::ValidatorMiddleware` in your stack,
+and set your [configuration options](#configuration).
+
+```ruby
+# config.ru
+
+class Application
+  def call(_)
+    status  = 200
+    headers = { "Content-Type" => "text/html" }
+    body    = ["<html><body>yay!!!</body></html>"]
+
+    [status, headers, body]
+  end
+end
+
+Idsimple::Rack.configure do |config|
+  config.app_id = ENV["IDSIMPLE_APP_ID"]
+  config.api_key = ENV["IDSIMPLE_API_KEY"]
+  config.signing_secret = ENV["IDSIMPLE_SIGNING_SECRET"]
+end
+
+App = Rack::Builder.new do
+  use Rack::Reloader, 0
+
+  map Idsimple::Rack.configuration.authenticate_path do
+    run Idsimple::Rack::AuthenticatorApp
+  end
+
+  use Idsimple::Rack::ValidatorMiddleware
+
+  run Application.new
+end.to_app
+
+run App
+```
+
+You can see a working example of this in the
+[`idsimple-rack` repo](https://github.com/idsimple/idsimple-rack/blob/main/example_app/config.ru).
+
+
+## Configuration
+`idsimple-rack` can be configured by calling `Idsimple::Rack.configure` with a block like so:
+
+```ruby
+Idsimple::Rack.configure do |config|
+  config.app_id = ENV["IDSIMPLE_APP_ID"]
+  config.api_key = ENV["IDSIMPLE_API_KEY"]
+  config.signing_secret = ENV["IDSIMPLE_SIGNING_SECRET"]
+end
+```
+
+### Configuration Options
+#### `app_id`
+The idsimple App ID. This can be found in the "Keys & Secrets" tab for your app in idsimple.
+
+- Type: String
+- Optional: No
+
+
+#### `api_key`
+The idsimple App Session API Key. This is generated and shown when you create an idsimple app.
+You can view the prefix of the App Session API Key in the "Keys & Secrets" tab for your app in idsimple.
+
+- Type: String
+- Optional: No
+
+#### `signing_secret`
+The idsimple App signing secret. This is generated and shown when you create an idsimple app.
+You can view the prefix of the signing secret in the "Keys & Secrets" tab for your app in idsimple.
+
+- Type: String
+- Optional: No
+
+#### `get_access_token`
+Function for retrieving the access token from a store.
+By default, the access token is retrieved from an [HTTP cookie](https://en.wikipedia.org/wiki/HTTP_cookie).
+
+- Type: Lambda
+- Optional: Yes
+- Default:
+```ruby
+-> (req) {
+  req.cookies[DEFAULT_COOKIE_NAME]
+}
+```
+
+
+#### `set_access_token`
+Function for setting the access token in a store.
+By default, the access token is stored in an [HTTP cookie](https://en.wikipedia.org/wiki/HTTP_cookie).
+
+- Type: Lambda
+- Optional: Yes
+- Default:
+```ruby
+-> (req, res, access_token, decoded_access_token) {
+  res.set_cookie(DEFAULT_COOKIE_NAME, {
+    value: access_token,
+    expires: Time.at(decoded_access_token[0]["exp"]),
+    httponly: true,
+    path: "/"
+  })
+}
+```
+
+#### `remove_access_token`
+Function for removing the access token from a store.
+
+- Type: Lambda
+- Optional: Yes
+- Default:
+```ruby
+-> (req, res) {
+  res.delete_cookie(DEFAULT_COOKIE_NAME)
+}
+```
+
+#### `authenticate_path`
+Path to initiate a new session with an access token.
+This is the location to which idsimple will redirect the user once a new access token is generated.
+`Idsimple::Rack::AuthenticatorApp` should be mounted at this path.
+
+- Type: String
+- Optional: Yes
+- Default: `/idsimple/session`
+
+#### `after_authenticated_path`
+Path to redirect the user after they've been authenticated.
+
+- Type: String
+- Optional: Yes
+- Default: `/`
+
+#### `skip_on`
+Function used to conditionally skip validation by the middleware.
+By returning `true`, `Idsimple::Rack::ValidatorMiddleware` will skip
+validation for that request.
+
+- Type: Lambda
+- Optional: Yes
+- Default: `nil`
+
+Example:
+
+```ruby
+-> (req) {
+  req.path == "/webhooks"
+}
+```
+
+#### `logger`
+The `logger` option allows you to set your own custom logger.
+
+- Type: Logger
+- Optional: yes
+- Default:
+```ruby
+logger = Logger.new(STDOUT)
+logger.level = Logger::INFO
+default_formatter = Logger::Formatter.new
+logger.formatter = proc do |severity, datetime, progname, msg|
+  "Idsimple::Rack #{default_formatter.call(severity, datetime, progname, msg)}"
+end
+```
+
+#### `enabled`
+Boolean indicating whether the idsimple middleware should be enabled.
+
+- Type: Boolean
+- Optional: true
+- Default: true
+
+#### `unauthorized_response`
+Function for customizing the unauthorized response sent by the middleware.
+
+- Type: Lambda
+- Optional: Yes
+- Default:
+```ruby
+-> (req, res) {
+  res.status = 401
+  res.content_type = "text/html"
+  res.body = ["UNAUTHORIZED"]
+}
+```
+
+#### `redirect_to_authenticate`
+Boolean indicating whether the middleware should redirect users
+to `app.idsimple.io` to authenticate. If set to `false`, unauthorized users
+will receive a `401 UNAUTHORIZED` response when visiting your app
+instead of being redirected to `app.idsimple.io`.
+
+- Type: Boolean
+- Optional: Yes
+- Default: `true`
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/idsimple/idsimple-rack. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [code of conduct](https://github.com/idsimple/idsimple-rack/blob/master/CODE_OF_CONDUCT.md).
+
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the Idsimple::Rack project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/idsimple/idsimple-rack/blob/master/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "idsimple-rack"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/idsimple-rack.gemspec

@@ -0,0 +1,25 @@
+require_relative 'lib/idsimple/rack/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "idsimple-rack"
+  spec.version       = Idsimple::Rack::VERSION
+  spec.authors       = ["Ari Summer"]
+  spec.email         = ["support@idsimple.io"]
+
+  spec.summary       = "Rack middleware for idsimple integration."
+  spec.homepage      = "https://github.com/idsimple/idsimple-rack"
+  spec.license       = "MIT"
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.3.0")
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/idsimple/idsimple-rack"
+  spec.metadata["changelog_uri"] = "https://github.com/idsimple/idsimple-rack/CHANGELOG.md"
+
+  spec.files         = Dir.glob("{bin,lib}/**/*") + %w(Rakefile README.md LICENSE.txt idsimple-rack.gemspec)
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_runtime_dependency "rack", ">= 1.0", "< 3"
+  spec.add_runtime_dependency "jwt", "~> 2.0"
+end

data/lib/idsimple/rack/access_token_helper.rb

@@ -0,0 +1,16 @@
+require "jwt"
+
+module Idsimple
+  module Rack
+    class AccessTokenHelper
+      def self.decode(access_token, signing_secret, options = {})
+        JWT.decode(access_token, signing_secret, true, {
+          algorithm: "HS256",
+          verify_iss: true,
+          verify_aud: true,
+          verify_iat: true
+        }.merge(options))
+      end
+    end
+  end
+end

data/lib/idsimple/rack/access_token_validation_result.rb

@@ -0,0 +1,27 @@
+module Idsimple
+  module Rack
+    class AccessTokenValidationResult
+      attr_reader :errors
+
+      def initialize
+        @errors = []
+      end
+
+      def valid?
+        errors.empty?
+      end
+
+      def invalid?
+        !valid?
+      end
+
+      def add_error(msg)
+        @errors << msg
+      end
+
+      def full_error_message
+        "#{errors.join(". ")}." unless errors.empty?
+      end
+    end
+  end
+end

data/lib/idsimple/rack/access_token_validator.rb

@@ -0,0 +1,55 @@
+require "idsimple/rack/access_token_validation_result"
+
+module Idsimple
+  module Rack
+    class AccessTokenValidator
+      def self.validate_used_token_custom_claims(decoded_token, req)
+        token_payload = decoded_token[0]
+        ip = token_payload["idsimple.ip"]
+        user_agent = token_payload["idsimple.user_agent"]
+        used_at = token_payload["idsimple.used_at"]
+
+        result = AccessTokenValidationResult.new
+
+        if ip && req.ip != ip
+          result.add_error("IP mismatch")
+        end
+
+        if user_agent && req.user_agent != user_agent
+          result.add_error("User agent mismatch")
+        end
+
+        result.add_error("Missing used_at timestamp") if !used_at
+        result.add_error("Invalid used_at timestamp") if used_at && used_at > Time.now.to_i
+
+        result
+      end
+
+      def self.validate_unused_token_custom_claims(decoded_token, req)
+        token_payload = decoded_token[0]
+        use_by = token_payload["idsimple.use_by"]
+        used_at = token_payload["idsimple.used_at"]
+        ip = token_payload["idsimple.ip"]
+        user_agent = token_payload["idsimple.user_agent"]
+
+        result = AccessTokenValidationResult.new
+
+        if ip && req.ip != ip
+          result.add_error("IP mismatch")
+        end
+
+        if user_agent && req.user_agent != user_agent
+          result.add_error("User agent mismatch")
+        end
+
+        if use_by && Time.now.to_i > use_by
+          result.add_error("Token must be used prior to before claim")
+        end
+
+        result.add_error("Token already used") if used_at
+
+        result
+      end
+    end
+  end
+end

data/lib/idsimple/rack/api.rb

@@ -0,0 +1,73 @@
+require "net/http"
+require "json"
+
+module Idsimple
+  module Rack
+    class Api
+      attr_reader :base_url
+
+      def initialize(base_url, api_key)
+        @base_url = base_url
+        @api_key = api_key
+      end
+
+      # TODO:
+      # - incorporate API secret
+      def http_client
+        @http_client ||= begin
+          uri = URI.parse(base_url)
+          client = Net::HTTP.new(uri.host, uri.port)
+          client.use_ssl = base_url.start_with?("https")
+          client
+        end
+      end
+
+      def use_token(token_id)
+        response = http_client.patch("/api/v1/access_tokens/#{token_id}/use", "", headers)
+        Result.new(response)
+      end
+
+      def refresh_token(token_id)
+        response = http_client.patch("/api/v1/access_tokens/#{token_id}/refresh", "", headers)
+        Result.new(response)
+      end
+
+      private
+
+      def headers
+        {
+          "Authorization" => "Bearer #{@api_key}",
+          "Content-Type" => "application/json"
+        }
+      end
+
+      class Result
+        attr_reader :response
+
+        def initialize(response)
+          @response = response
+        end
+
+        def success?
+          response.kind_of?(Net::HTTPSuccess)
+        end
+
+        def fail?
+          !success?
+        end
+
+        def status
+          response.code
+        end
+
+        def body
+          @body ||= JSON.parse(response.body) if response.body
+        end
+
+        def full_error_message
+          "#{body["errors"].join(". ")}." if body && body["errors"]
+        end
+      end
+    end
+  end
+end

data/lib/idsimple/rack/authenticator_app.rb

@@ -0,0 +1,50 @@
+require "rack"
+require "idsimple/rack/access_token_validator"
+require "idsimple/rack/helper"
+
+module Idsimple
+  module Rack
+    class AuthenticatorApp
+      extend Helper
+
+      def self.call(env)
+        return ["404", { "Content-Type" => "text/html" }, ["NOT FOUND"]] unless configuration.enabled?
+
+        req = ::Rack::Request.new(env)
+
+        if (access_token = req.params["access_token"])
+          logger.debug("Found access token")
+
+          decoded_access_token = decode_access_token(access_token, signing_secret)
+          logger.debug("Decoded access token")
+
+          validation_result = AccessTokenValidator.validate_unused_token_custom_claims(decoded_access_token, req)
+          if validation_result.invalid?
+            logger.warn("Attempted to access with invalid token: #{validation_result.full_error_message}")
+            return unauthorized_response(req)
+          end
+
+          use_token_response = api.use_token(decoded_access_token[0]["jti"])
+          if use_token_response.fail?
+            logger.warn("Use token response error. HTTP status #{use_token_response.status}. #{use_token_response.full_error_message}")
+            return unauthorized_response(req)
+          end
+
+          new_access_token = use_token_response.body["access_token"]
+          new_decoded_access_token = decode_access_token(new_access_token, signing_secret)
+
+          res = ::Rack::Response.new
+          return_to = req.params["return_to"]
+          res.redirect(return_to || configuration.after_authenticated_path)
+          set_access_token(req, res, new_access_token, new_decoded_access_token)
+          res.finish
+        else
+          unauthorized_response(req)
+        end
+      rescue JWT::DecodeError => e
+        logger.warn("Error while decoding token: #{e.class} - #{e.message}")
+        unauthorized_response(req)
+      end
+    end
+  end
+end

data/lib/idsimple/rack/configuration.rb

@@ -0,0 +1,73 @@
+require "rack"
+require "logger"
+
+module Idsimple
+  module Rack
+    class Configuration
+      DEFAULT_COOKIE_NAME = "idsimple.access_token"
+
+      attr_accessor :get_access_token, :set_access_token, :remove_access_token, :signing_secret,
+        :authenticate_path, :issuer, :api_base_url, :after_authenticated_path,
+        :app_id, :skip_on, :logger, :enabled, :unauthorized_response, :api_key,
+        :redirect_to_authenticate
+
+      def initialize
+        set_defaults
+      end
+
+      def enabled?
+        enabled
+      end
+
+      private
+
+      def set_defaults
+        @enabled = true
+        @authenticate_path = "/idsimple/session"
+        @after_authenticated_path = "/"
+        @issuer = "https://app.idsimple.com"
+        @api_base_url = "https://api.idsimple.com"
+        @app_id = nil
+        @skip_on = nil
+        @signing_secret = nil
+        @api_key = nil
+        @get_access_token = method(:default_access_token_getter)
+        @set_access_token = method(:default_access_token_setter)
+        @remove_access_token = method(:default_access_token_remover)
+        @unauthorized_response = method(:default_unauthorized_response)
+        @redirect_to_authenticate = true
+
+        logger = Logger.new(STDOUT)
+        logger.level = Logger::INFO
+        default_formatter = Logger::Formatter.new
+        logger.formatter = proc do |severity, datetime, progname, msg|
+          "Idsimple::Rack #{default_formatter.call(severity, datetime, progname, msg)}"
+        end
+        @logger = logger
+      end
+
+      def default_unauthorized_response(req, res)
+        res.status = 401
+        res.content_type = "text/html"
+        res.body = ["UNAUTHORIZED"]
+      end
+
+      def default_access_token_getter(req)
+        req.cookies[DEFAULT_COOKIE_NAME]
+      end
+
+      def default_access_token_setter(req, res, access_token, decoded_access_token)
+        res.set_cookie(DEFAULT_COOKIE_NAME, {
+          value: access_token,
+          expires: Time.at(decoded_access_token[0]["exp"]),
+          httponly: true,
+          path: "/"
+        })
+      end
+
+      def default_access_token_remover(req, res)
+        res.delete_cookie(DEFAULT_COOKIE_NAME)
+      end
+    end
+  end
+end

data/lib/idsimple/rack/helper.rb

@@ -0,0 +1,64 @@
+require "idsimple/rack/access_token_helper"
+require "idsimple/rack/api"
+
+module Idsimple
+  module Rack
+    module Helper
+      def configuration
+        Idsimple::Rack.configuration
+      end
+
+      def logger
+        configuration.logger
+      end
+
+      def signing_secret
+        configuration.signing_secret
+      end
+
+      def unauthorized_response(req, res = ::Rack::Response.new)
+        logger.info("Unauthorized")
+        configuration.unauthorized_response.call(req, res)
+        res.finish
+      end
+
+      def redirect_to_authenticate_or_unauthorized_response(req, res = ::Rack::Response.new)
+        issuer = configuration.issuer
+        app_id = configuration.app_id
+        access_attempt = req.params["idsimple_access_attempt"]
+
+        if configuration.redirect_to_authenticate && issuer && app_id && !access_attempt
+          logger.info("Redirecting to authenticate")
+          access_url = "#{issuer}/apps/#{app_id}/access?return_to=#{req.fullpath}"
+          res.redirect(access_url)
+          res.finish
+        else
+          unauthorized_response(req, res)
+        end
+      end
+
+      def get_access_token(req)
+        configuration.get_access_token.call(req)
+      end
+
+      def set_access_token(req, res, new_access_token, new_decoded_access_token)
+        configuration.set_access_token.call(req, res, new_access_token, new_decoded_access_token)
+      end
+
+      def remove_access_token(req, res)
+        configuration.remove_access_token.call(req, res)
+      end
+
+      def decode_access_token(access_token, signing_secret)
+        AccessTokenHelper.decode(access_token, signing_secret, {
+          iss: configuration.issuer,
+          aud: configuration.app_id
+        })
+      end
+
+      def api
+        @api ||= Idsimple::Rack::Api.new(configuration.api_base_url, configuration.api_key)
+      end
+    end
+  end
+end

data/lib/idsimple/rack/railtie.rb

@@ -0,0 +1,16 @@
+require "idsimple/rack/validator_middleware"
+require "idsimple/rack/authenticator_app"
+
+module Idsimple
+  module Rack
+    class Railtie < ::Rails::Engine
+      initializer "idsimple-rack.configure" do |app|
+        app.routes.append do
+          mount Idsimple::Rack::AuthenticatorApp, at: Idsimple::Rack.configuration.authenticate_path
+        end
+
+        app.middleware.use(Idsimple::Rack::ValidatorMiddleware)
+      end
+    end
+  end
+end

data/lib/idsimple/rack/validator_middleware.rb

@@ -0,0 +1,87 @@
+require "rack"
+require "idsimple/rack/access_token_validator"
+require "idsimple/rack/helper"
+
+module Idsimple
+  module Rack
+    class ValidatorMiddleware
+      include Helper
+
+      DECODED_ACCESS_TOKEN_ENV_KEY = "idsimple.decoded_access_token"
+
+      attr_reader :app
+
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        return app.call(env) unless configuration.enabled?
+
+        req = ::Rack::Request.new(env)
+
+        if req.path == configuration.authenticate_path
+          logger.debug("Attempting to authenticate. Skipping validation.")
+          return app.call(env)
+        end
+
+        if configuration.skip_on && configuration.skip_on.call(req)
+          logger.debug("Skipping validator due to skip_on rules")
+          return app.call(env)
+        end
+
+        access_token = get_access_token(req)
+
+        return redirect_to_authenticate_or_unauthorized_response(req) unless access_token
+
+        logger.debug("Retrieved access token from store")
+        decoded_access_token = decode_access_token(access_token, signing_secret)
+        logger.debug("Decoded access token")
+
+        validation_result = AccessTokenValidator.validate_used_token_custom_claims(decoded_access_token, req)
+        if validation_result.invalid?
+          logger.warn("Attempted to access with invalid used token: #{validation_result.full_error_message}")
+          return redirect_to_authenticate_or_unauthorized_response(req)
+        end
+
+        if (refresh_at = decoded_access_token[0]["idsimple.refresh_at"]) && refresh_at < Time.now.to_i
+          logger.debug("Refreshing access token")
+          jti = decoded_access_token[0]["jti"]
+          handle_refresh_access_token(jti, req)
+        else
+          env[DECODED_ACCESS_TOKEN_ENV_KEY] = decoded_access_token
+          app.call(env)
+        end
+      rescue JWT::DecodeError => e
+        logger.warn("Error while decoding token: #{e.class} - #{e.message}")
+        redirect_to_authenticate_or_unauthorized_response(req)
+      end
+
+      private
+
+      def handle_refresh_access_token(jti, req)
+        token_refresh_response = api.refresh_token(jti)
+
+        if token_refresh_response.fail?
+          logger.warn("Token refresh failed")
+
+          res = ::Rack::Response.new
+          if token_refresh_response.body["invalid_token"]
+            remove_access_token(req, res)
+          end
+
+          redirect_to_authenticate_or_unauthorized_response(req, res)
+        else
+          logger.debug("Refreshed access token")
+          new_access_token = token_refresh_response.body["access_token"]
+          new_decoded_access_token = decode_access_token(new_access_token, signing_secret)
+          req.env[DECODED_ACCESS_TOKEN_ENV_KEY] = new_decoded_access_token
+          status, headers, body = app.call(req.env)
+          res = ::Rack::Response.new(body, status, headers)
+          set_access_token(req, res, new_access_token, new_decoded_access_token)
+          res.finish
+        end
+      end
+    end
+  end
+end

data/lib/idsimple/rack/version.rb

@@ -0,0 +1,5 @@
+module Idsimple
+  module Rack
+    VERSION = "0.1.0"
+  end
+end

data/lib/idsimple/rack.rb

@@ -0,0 +1,21 @@
+require "idsimple/rack/version"
+require "idsimple/rack/configuration"
+require "idsimple/rack/validator_middleware"
+require "idsimple/rack/authenticator_app"
+require "idsimple/rack/railtie" if defined?(::Rails)
+
+module Idsimple
+  module Rack
+    def self.configuration
+      @configuration ||= Configuration.new
+    end
+
+    def self.reset_configuration
+      @configuration = Configuration.new
+    end
+
+    def self.configure
+      yield(configuration)
+    end
+  end
+end

data/lib/idsimple-rack.rb

@@ -0,0 +1 @@
+require "idsimple/rack"

metadata

@@ -0,0 +1,98 @@
+--- !ruby/object:Gem::Specification
+name: idsimple-rack
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Ari Summer
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2021-12-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: 
+email:
+- support@idsimple.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- idsimple-rack.gemspec
+- lib/idsimple-rack.rb
+- lib/idsimple/rack.rb
+- lib/idsimple/rack/access_token_helper.rb
+- lib/idsimple/rack/access_token_validation_result.rb
+- lib/idsimple/rack/access_token_validator.rb
+- lib/idsimple/rack/api.rb
+- lib/idsimple/rack/authenticator_app.rb
+- lib/idsimple/rack/configuration.rb
+- lib/idsimple/rack/helper.rb
+- lib/idsimple/rack/railtie.rb
+- lib/idsimple/rack/validator_middleware.rb
+- lib/idsimple/rack/version.rb
+homepage: https://github.com/idsimple/idsimple-rack
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/idsimple/idsimple-rack
+  source_code_uri: https://github.com/idsimple/idsimple-rack
+  changelog_uri: https://github.com/idsimple/idsimple-rack/CHANGELOG.md
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key: 
+specification_version: 4
+summary: Rack middleware for idsimple integration.
+test_files: []