jwt_auth_cognito 0.1.1 → 1.0.0.pre.beta.1

data/lib/jwt_auth_cognito/jwt_validator.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "jwt"
+require 'jwt'
 
 module JwtAuthCognito
   class JwtValidator
@@ -8,44 +8,221 @@ module JwtAuthCognito
       @config = config
       @jwks_service = JwksService.new(config)
       @blacklist_service = TokenBlacklistService.new(config)
+      @api_key_validator = config.enable_api_key_validation ? ApiKeyValidator.new(config) : nil
+      @user_data_service = config.enable_user_data_retrieval ? UserDataService.new(nil, config.user_data_config) : nil
+      @initialized = false
     end
 
-    def validate_token(token, options = {})
+    def initialize!
+      return if @initialized
+
+      begin
+        @jwks_service.initialize!
+        @blacklist_service.initialize! if @blacklist_service.respond_to?(:initialize!)
+        @user_data_service&.initialize!
+        @initialized = true
+      rescue StandardError => e
+        ErrorUtils.log_error(e, 'JWT Validator initialization failed')
+        raise JwtAuthCognito::ConfigurationError, ErrorUtils::JWT_ERROR_MESSAGES['INITIALIZATION_FAILED']
+      end
+    end
+
+    # ========== 🚀 MAIN VALIDATION METHOD ==========
+
+    # Main validation method - use this for most cases
+    # Intelligently validates tokens with all features:
+    # - JWT validation (basic or secure)
+    # - API key validation (if provided)
+    # - Blacklist checking
+    # - Automatic appId verification
+    # - User data enrichment (if enabled)
+    def validate(token, options = {})
       @config.validate!
-      
-      # Check blacklist first
-      if @blacklist_service.is_blacklisted?(token)
-        return { valid: false, error: "Token has been revoked" }
+
+      api_key = options[:api_key]
+      force_secure = options[:force_secure] || false
+      enrich_user_data = options.fetch(:enrich_user_data, true)
+      require_app_access = options[:require_app_access] || false
+
+      # Step 1: Validate API key if provided
+      api_key_data = nil
+      if api_key && @config.enable_api_key_validation && @api_key_validator
+        api_key_result = @api_key_validator.validate_api_key(api_key)
+        return { valid: false, error: api_key_result[:error] || 'API key validation failed' } unless api_key_result[:valid]
+
+        api_key_data = api_key_result[:key_data]
       end
 
-      # Choose validation method based on configuration
-      case @config.validation_mode
-      when :secure
-        validate_token_secure(token, options)
-      when :basic
-        validate_token_basic(token, options)
-      else
-        raise ConfigurationError, "Invalid validation_mode: #{@config.validation_mode}"
+      # Step 2: Check blacklist first
+      return { valid: false, error: 'Token has been revoked' } if @blacklist_service.is_blacklisted?(token)
+
+      # Step 3: Validate JWT token
+      validation_mode = force_secure ? :secure : @config.validation_mode
+      token_result = case validation_mode
+                     when :secure
+                       validate_token_secure(token, options)
+                     when :basic
+                       validate_token_basic(token, options)
+                     else
+                       raise ConfigurationError, "Invalid validation_mode: #{validation_mode}"
+                     end
+
+      return token_result unless token_result[:valid] && token_result[:payload]
+
+      # Step 4: Verify appId access if API key has one
+      if api_key_data
+        app_validation = verify_app_access(api_key_data, token_result[:payload], require_app_access)
+        return app_validation unless app_validation[:valid]
+      end
+
+      # Step 5: Enrich with user data if requested
+      enriched_result = token_result.dup
+      enriched_result[:api_key] = api_key_data if api_key_data
+
+      if enrich_user_data && @config.enable_user_data_retrieval && @user_data_service
+        user_id = token_result[:payload]['sub']
+        if user_id
+          begin
+            user_data = @user_data_service.get_comprehensive_user_data(user_id)
+            enriched_result[:user_permissions] = user_data['permissions']
+            enriched_result[:user_organizations] = user_data['organizations']
+            enriched_result[:applications] = user_data['applications']
+          rescue StandardError => e
+            ErrorUtils.log_error(e, 'User data retrieval failed')
+            # Continue with basic validation if user data service fails
+          end
+        end
+      end
+
+      enriched_result
+    end
+
+    # ========== SIMPLIFIED PUBLIC API ==========
+
+    # Quick validation for simple use cases
+    # Just validates the JWT token (includes blacklist check)
+    def validate_token(token, options = {})
+      result = validate(token, options.merge(enrich_user_data: false))
+      {
+        valid: result[:valid],
+        payload: result[:payload],
+        sub: result[:sub],
+        username: result[:username],
+        token_use: result[:token_use],
+        error: result[:error]
+      }
+    end
+
+    # Validate with API key (automatic appId verification)
+    # Use this when you have an API key and want automatic security
+    def validate_with_api_key(token, api_key, options = {})
+      validate(token, options.merge(api_key: api_key))
+    end
+
+    # Validate with strict appId requirement
+    # Use this when you MUST ensure user has access to a specific app
+    def validate_with_app_access(token, api_key, options = {})
+      validate(token, options.merge(api_key: api_key, require_app_access: true))
+    end
+
+    # Get enriched validation (user data included)
+    # Use this when you need user permissions, organizations, apps
+    def validate_enriched(token, api_key = nil, options = {})
+      validate(token, options.merge(api_key: api_key, enrich_user_data: true))
+    end
+
+    # ========== LEGACY METHODS (DEPRECATED) ==========
+
+    # @deprecated Use validate() or validate_with_api_key() instead
+    def validate_token_with_api_key(token, api_key = nil, options = {})
+      puts 'WARNING: validate_token_with_api_key is deprecated. Use validate() or validate_with_api_key() instead.'
+      result = validate(token, options.merge(api_key: api_key, enrich_user_data: false))
+      {
+        valid: result[:valid],
+        payload: result[:payload],
+        sub: result[:sub],
+        username: result[:username],
+        token_use: result[:token_use],
+        api_key: result[:api_key],
+        error: result[:error]
+      }
+    end
+
+    # @deprecated Use validate_with_app_access() instead
+    def validate_token_with_app_id(token, api_key, options = {})
+      puts 'WARNING: validate_token_with_app_id is deprecated. Use validate_with_app_access() instead.'
+      validate_with_app_access(token, api_key, options.merge(enrich_user_data: false))
+    end
+
+    # @deprecated Use validate() instead
+    def validate_token_enhanced(token, api_key = nil, options = {})
+      puts 'WARNING: validate_token_enhanced is deprecated. Use validate() instead.'
+      result = validate(token, options.merge(api_key: api_key, enrich_user_data: false))
+      {
+        valid: result[:valid],
+        payload: result[:payload],
+        sub: result[:sub],
+        username: result[:username],
+        token_use: result[:token_use],
+        api_key: result[:api_key],
+        error: result[:error]
+      }
+    end
+
+    # @deprecated Use validate_enriched() instead
+    def validate_token_enriched(token, api_key = nil, options = {})
+      puts 'WARNING: validate_token_enriched is deprecated. Use validate_enriched() instead.'
+      validate_enriched(token, api_key, options)
+    end
+
+    def old_validate_token_enriched(token, api_key = nil, options = {})
+      # First, perform standard token validation
+      basic_result = validate_token_with_api_key(token, api_key, options)
+
+      # If basic validation fails, return early
+      return basic_result unless basic_result[:valid] && basic_result[:payload]
+
+      # If user data retrieval is not enabled, return basic result
+      return basic_result unless @config.enable_user_data_retrieval && @user_data_service
+
+      # Extract user ID from the token
+      user_id = basic_result[:payload]['sub']
+      unless user_id
+        puts 'Token does not contain sub claim, cannot retrieve user data'
+        return basic_result
+      end
+
+      begin
+        # Get comprehensive user data from Redis
+        user_data = @user_data_service.get_comprehensive_user_data(user_id)
+
+        # Add user data to the result
+        enriched_result = basic_result.dup
+        enriched_result[:user_permissions] = user_data['permissions']
+        enriched_result[:user_organizations] = user_data['organizations']
+        enriched_result[:applications] = user_data['applications']
+
+        enriched_result
+      rescue StandardError => e
+        ErrorUtils.log_error(e, 'User data retrieval failed')
+        # Return basic result even if user data retrieval fails
+        basic_result
       end
     end
 
     def validate_access_token(token)
       result = validate_token(token)
-      
-      if result[:valid] && result[:payload]["token_use"] != "access"
-        return { valid: false, error: "Token is not an access token" }
-      end
-      
+
+      return { valid: false, error: 'Token is not an access token' } if result[:valid] && result[:payload]['token_use'] != 'access'
+
       result
     end
 
     def validate_id_token(token)
       result = validate_token(token)
-      
-      if result[:valid] && result[:payload]["token_use"] != "id"
-        return { valid: false, error: "Token is not an ID token" }
-      end
-      
+
+      return { valid: false, error: 'Token is not an ID token' } if result[:valid] && result[:payload]['token_use'] != 'id'
+
       result
     end
 
@@ -64,11 +241,34 @@ module JwtAuthCognito
     # Utility methods inspired by Node.js package
     def extract_token_from_header(authorization_header)
       return nil unless authorization_header
-      
+
       match = authorization_header.match(/\ABearer (.+)\z/)
       match ? match[1] : nil
     end
 
+    def extract_api_key_from_header(api_key_header)
+      # Support common API key header formats
+      return nil unless api_key_header
+
+      api_key_header.strip
+    end
+
+    def extract_api_key_from_headers(headers)
+      # Check various common API key header names (case insensitive)
+      api_key_headers = %w[x-api-key X-API-Key X-API-KEY X-Api-Key]
+
+      api_key_headers.each do |header_name|
+        # Convert headers to a case-insensitive hash for lookup
+        header_key = headers.keys.find { |key| key.downcase == header_name.downcase }
+        next unless header_key
+
+        value = headers[header_key]
+        return extract_api_key_from_header(value) if value
+      end
+
+      nil
+    end
+
     def decode_token(token)
       JWT.decode(token, nil, false).first
     rescue JWT::DecodeError => e
@@ -80,15 +280,15 @@ module JwtAuthCognito
       return payload if payload.is_a?(Hash) && payload[:error]
 
       {
-        sub: payload["sub"],
-        username: payload["cognito:username"] || payload["username"],
-        email: payload["email"],
-        token_use: payload["token_use"],
-        client_id: payload["aud"],
-        issued_at: payload["iat"] ? Time.at(payload["iat"]) : nil,
-        expires_at: payload["exp"] ? Time.at(payload["exp"]) : nil,
-        not_before: payload["nbf"] ? Time.at(payload["nbf"]) : nil,
-        jti: payload["jti"],
+        sub: payload['sub'],
+        username: payload['cognito:username'] || payload['username'],
+        email: payload['email'],
+        token_use: payload['token_use'],
+        client_id: payload['aud'],
+        issued_at: payload['iat'] ? Time.at(payload['iat']) : nil,
+        expires_at: payload['exp'] ? Time.at(payload['exp']) : nil,
+        not_before: payload['nbf'] ? Time.at(payload['nbf']) : nil,
+        jti: payload['jti'],
         has_client_secret: @config.has_client_secret?
       }
     end
@@ -107,7 +307,7 @@ module JwtAuthCognito
       payload = decode_token(token)
       return true if payload.is_a?(Hash) && payload[:error]
 
-      exp = payload["exp"]
+      exp = payload['exp']
       return false unless exp
 
       Time.now.to_i >= exp
@@ -117,18 +317,18 @@ module JwtAuthCognito
       payload = decode_token(token)
       return nil if payload.is_a?(Hash) && payload[:error]
 
-      exp = payload["exp"]
+      exp = payload['exp']
       return nil unless exp
 
       seconds = exp - Time.now.to_i
-      seconds > 0 ? seconds : 0
+      seconds.positive? ? seconds : 0
     end
 
     # Create a convenience factory method
     def self.create_cognito_validator(config = nil)
       if config
         old_config = JwtAuthCognito.configuration
-        JwtAuthCognito.configure { |c| c = config }
+        JwtAuthCognito.configure { |_c| config }
         validator = new
         JwtAuthCognito.instance_variable_set(:@configuration, old_config)
         validator
@@ -142,84 +342,111 @@ module JwtAuthCognito
     def validate_token_secure(token, options = {})
       # Use JWKS validation for production
       result = @jwks_service.validate_token_with_jwks(token)
-      
+
       if result[:valid]
         # Additional custom validations
         validate_custom_claims(result[:payload], options)
       end
-      
+
       result
     end
 
     def validate_token_basic(token, options = {})
       # Basic validation without signature verification (development only)
-      begin
-        payload, header = JWT.decode(token, nil, false)
-        
-        # Basic claim validation
-        validate_basic_claims(payload)
-        validate_custom_claims(payload, options)
-        
-        {
-          valid: true,
-          payload: payload,
-          sub: payload["sub"],
-          username: payload["cognito:username"] || payload["username"],
-          token_use: payload["token_use"]
-        }
-      rescue JWT::DecodeError => e
-        { valid: false, error: "JWT decode error: #{e.message}" }
-      rescue ValidationError => e
-        { valid: false, error: e.message }
-      rescue StandardError => e
-        { valid: false, error: "Validation error: #{e.message}" }
-      end
+
+      payload, = JWT.decode(token, nil, false)
+
+      # Basic claim validation
+      validate_basic_claims(payload)
+      validate_custom_claims(payload, options)
+
+      {
+        valid: true,
+        payload: payload,
+        sub: payload['sub'],
+        username: payload['cognito:username'] || payload['username'],
+        token_use: payload['token_use']
+      }
+    rescue JWT::DecodeError => e
+      { valid: false, error: "JWT decode error: #{e.message}" }
+    rescue ValidationError => e
+      { valid: false, error: e.message }
+    rescue StandardError => e
+      { valid: false, error: "Validation error: #{e.message}" }
     end
 
     def validate_basic_claims(payload)
       now = Time.now.to_i
-      
+
       # Check expiration
-      raise ValidationError, "Token has expired" if payload["exp"] && payload["exp"] < now
-      
+      raise ValidationError, 'Token has expired' if payload['exp'] && payload['exp'] < now
+
       # Check issuer
       expected_issuer = @config.cognito_issuer
-      if payload["iss"] != expected_issuer
-        raise ValidationError, "Invalid issuer. Expected: #{expected_issuer}, got: #{payload["iss"]}"
-      end
-      
+      raise ValidationError, "Invalid issuer. Expected: #{expected_issuer}, got: #{payload['iss']}" if payload['iss'] != expected_issuer
+
       # Check token use
-      unless %w[access id].include?(payload["token_use"])
-        raise ValidationError, "Invalid token_use claim"
-      end
+      return if %w[access id].include?(payload['token_use'])
+
+      raise ValidationError, 'Invalid token_use claim'
     end
 
     def validate_custom_claims(payload, options)
       # Validate specific user ID if provided
-      if options[:user_id] && payload["sub"] != options[:user_id]
-        raise ValidationError, "Token subject does not match expected user ID"
-      end
-      
+      raise ValidationError, 'Token subject does not match expected user ID' if options[:user_id] && payload['sub'] != options[:user_id]
+
       # Validate specific client ID if provided
-      if options[:client_id] && payload["aud"] != options[:client_id]
-        raise ValidationError, "Token audience does not match expected client ID"
-      end
-      
+      raise ValidationError, 'Token audience does not match expected client ID' if options[:client_id] && payload['aud'] != options[:client_id]
+
       # Validate token type if specified
-      if options[:token_use] && payload["token_use"] != options[:token_use]
-        raise ValidationError, "Token use does not match expected type"
-      end
-      
+      raise ValidationError, 'Token use does not match expected type' if options[:token_use] && payload['token_use'] != options[:token_use]
+
       # Custom scope validation
-      if options[:required_scopes]
-        token_scopes = payload["scope"]&.split(" ") || []
-        required_scopes = Array(options[:required_scopes])
-        
-        missing_scopes = required_scopes - token_scopes
-        if missing_scopes.any?
-          raise ValidationError, "Token missing required scopes: #{missing_scopes.join(", ")}"
-        end
+      return unless options[:required_scopes]
+
+      token_scopes = payload['scope']&.split || []
+      required_scopes = Array(options[:required_scopes])
+
+      missing_scopes = required_scopes - token_scopes
+      return unless missing_scopes.any?
+
+      raise ValidationError, "Token missing required scopes: #{missing_scopes.join(', ')}"
+    end
+
+    def verify_app_access(api_key_data, payload, require_app_access)
+      app_id = api_key_data['appId'] || api_key_data['metadata']&.[]('appId')
+
+      return { valid: false, error: 'API key is not associated with an application' } if !app_id && require_app_access
+
+      return { valid: true } unless app_id
+
+      user_id = payload['sub']
+      return { valid: false, error: 'Token missing user ID (sub claim)' } unless user_id
+
+      verify_user_app_access(user_id, app_id, require_app_access)
+    end
+
+    def verify_user_app_access(user_id, app_id, require_app_access)
+      if require_app_access && (!@config.enable_user_data_retrieval || !@user_data_service)
+        return { valid: false,
+                 error: 'User data service not available for application access verification' }
+      end
+
+      return { valid: true } unless @config.enable_user_data_retrieval && @user_data_service
+
+      begin
+        user_applications = @user_data_service.get_user_applications(user_id)
+        has_access = user_applications.any? { |app| app['appId'] == app_id }
+
+        return { valid: false, error: "User does not have access to application #{app_id}" } unless has_access
+
+        { valid: true }
+      rescue StandardError => e
+        return { valid: false, error: 'Could not verify application access' } if require_app_access
+
+        ErrorUtils.log_error(e, 'User application access verification failed')
+        { valid: true } # Continue with basic validation if user data service fails
       end
     end
   end
-end
+end

data/lib/jwt_auth_cognito/railtie.rb

@@ -3,11 +3,11 @@
 module JwtAuthCognito
   class Railtie < Rails::Railtie
     rake_tasks do
-      load "tasks/jwt_auth_cognito.rake"
+      load 'tasks/jwt_auth_cognito.rake'
     end
 
     generators do
-      require "generators/jwt_auth_cognito/install_generator"
+      require 'generators/jwt_auth_cognito/install_generator'
     end
   end
-end
+end