keratin-authn 0.1.3 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 75d95ac6c9ef32e84ecd20f8f2431c8bc95557f0
-  data.tar.gz: fbd476314716da9dc09efa0c8ad02173902e9c5c
+  metadata.gz: 5bc3dc3a5993e496aa7d4a27460d799b4e3ea600
+  data.tar.gz: 30266ffdffaa188785ce930f0f470a5cde684746
 SHA512:
-  metadata.gz: a051bb2f34386baccab8d922a06fb5e174f61d5030001097872e2d6169092696726e4054e973bdba27e7cc7b36e74481f9ef418455520a30195a48027c3ecfb7
-  data.tar.gz: ed7623eea06f6736fdc4e828200adfe5c78f76a3a59fd9fd440889a2a48fc84073155da385bba01951ff0161bae983c48609efaea868db3cf8041a171856bd2a
+  metadata.gz: 77ac60816689bd685f7ba0e6de2122bcd6e372bccee8b6bb1e1ef6bf660278fd3617ca7e5fe57debbe792db44baa030fc55d721681b535bb2e0de6ad435604ad
+  data.tar.gz: 0814a5099a9b4d7c246c9a9b3dabe05e8d234c6fc86f6022cfd3ba54a3f76df521dad46a1130ef4e422a1e1125c523543d2d22efca6d6067dba15f39589db889

data/README.md

@@ -25,53 +25,77 @@ Keratin::AuthN.config.tap do |config|
 
   # The domain of your application
   config.audience = 'myapp.com'
+
+  # HTTP basic auth for using AuthN's private endpoints
+  config.username = 'secret'
+  config.password = 'secret'
 end
 ```
 
-Use `Keratin::AuthN.subject_from(params[:id_token])` to validate tokens and fetch an `account_id` during signup, login, and session verification.
+### Reading the Session
 
-Send users to `Keratin::AuthN.logout_url(return_to: some_path)` to log them out from the AuthN server.
+Use `Keratin::AuthN.subject_from(params[:authn])` to fetch an `account_id` from the session if and
+only if the session is valid.
 
-### Example: Signup
+### Logging Out
+
+Send users to `Keratin::AuthN.logout_url(return_to: some_path)` to log them out from the AuthN
+server. If you use [keratin/authn-js](https://github.com/keratin/authn-js), you might prefer the
+logout functionality there as it can also take care of deleting the cookie.
+
+### Modifying Accounts
+
+* `Keratin.authn.lock(account_id)`: will lock an account, revoking all sessions (when they time out)
+  and disallowing any new logins. Intended for user moderation actions.
+* `Keratin.authn.unlock(account_id)`: will unlock an account, restoring normal functionality.
+* `Keratin.authn.archive(account_id)`: will wipe all personal information, including username and
+  password. Intended for user deletion routine.
+
+### Example: Sessions
+
+You should store the token in a cookie (the [keratin/authn-js](https://github.com/keratin/authn-js)
+integration can do this automatically) and continue using it to verify a logged-in session:
 
 ```ruby
-class UsersController
-  def create
-    @user = User.new(params.require(:user).permit(:name, :email))
-    @user.account_id = Keratin::AuthN.subject_from(params[:user][:id_token])
+class ApplicationController
+  private
 
-    # ...
+  def logged_in?
+    !! current_account_id
+  end
+
+  def current_user
+    return @current_user if defined? @current_user
+    @current_user = User.find_by_account_id(current_account_id)
+  end
+
+  def current_account_id
+    Keratin::AuthN.subject_from(cookies[:authn])
   end
 end
 ```
 
-### Example: Login
+### Example: Signup
 
 ```ruby
-class SessionsController
+class UsersController
   def create
-    @user = User.find_by_account_id(Keratin::AuthN.subject_from(cookies[:id_token]))
+    @user = User.new(params.require(:user).permit(:name, :email))
+    @user.account_id = current_account_id
 
     # ...
   end
 end
 ```
 
-### Example: Sessions
-
-You should store the token in a cookie and continue using it to verify a logged-in session:
+### Example: Login
 
 ```ruby
-class ApplicationController
-  private
-
-  def logged_in?
-    !! Keratin::AuthN.subject_from(cookies[:id_token])
-  end
+class SessionsController
+  def create
+    @user = current_user
 
-  def current_user
-    return @current_user if defined? @current_user
-    @current_user = User.find_by_account_id(Keratin::AuthN.subject_from(cookies[:id_token])
+    # ...
   end
 end
 ```

data/bin/console

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 
 require "bundler/setup"
-require "auth/rb"
+require "keratin/authn"
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.

data/lib/keratin/authn.rb

@@ -6,52 +6,60 @@ require_relative 'authn/issuer'
 require 'lru_redux'
 require 'json/jwt'
 
-module Keratin::AuthN
-  class Config
-    # the domain (host) of the main application.
-    # e.g. "audience.tech"
-    attr_accessor :audience
-
-    # the base url of the service handling authentication
-    # e.g. "https://issuer.tech"
-    attr_accessor :issuer
-
-    # the path where we can fetch configuration from our issuer.
-    #
-    # default: "/configuration"
-    attr_accessor :configuration_path
-
-    # how long (in seconds) to keep keys in the keychain before refreshing.
-    # default: 3600
-    attr_accessor :keychain_ttl
+module Keratin
+  def self.authn
+    @authn ||= AuthN::Issuer.new(AuthN.config.issuer,
+      username: AuthN.config.username,
+      password: AuthN.config.password
+    )
   end
 
-  def self.config
-    @config ||= Config.new.tap do |config|
-      config.configuration_path = '/configuration'
-      config.keychain_ttl = 3600
+  module AuthN
+    class Config
+      # the domain (host) of the main application.
+      # e.g. "audience.tech"
+      attr_accessor :audience
+
+      # the base url of the service handling authentication
+      # e.g. "https://issuer.tech"
+      attr_accessor :issuer
+
+      # how long (in seconds) to keep keys in the keychain before refreshing.
+      # default: 3600
+      attr_accessor :keychain_ttl
+
+      # the http basic auth username for accessing private endpoints of the authn issuer.
+      attr_accessor :username
+
+      # the http basic auth password for accessing private endpoints of the authn issuer.
+      attr_accessor :password
     end
-  end
 
-  def self.keychain
-    @keychain ||= LruRedux::TTL::ThreadSafeCache.new(25, config.keychain_ttl)
-  end
+    def self.config
+      @config ||= Config.new.tap do |config|
+        config.keychain_ttl = 3600
+      end
+    end
 
-  class << self
-    # safely fetches a subject from the id token after checking relevant claims and
-    # verifying the signature.
-    #
-    # this may involve HTTP requests to fetch the issuer's configuration and JWKs.
-    def subject_from(id_token)
-      verifier = IDTokenVerifier.new(id_token, keychain)
-      verifier.subject if verifier.verified?
+    def self.keychain
+      @keychain ||= LruRedux::TTL::ThreadSafeCache.new(25, config.keychain_ttl)
     end
 
-    def logout_url(return_to: nil)
-      query = {redirect_uri: return_to}.to_param if return_to
+    class << self
+      # safely fetches a subject from the id token after checking relevant claims and
+      # verifying the signature.
+      #
+      # this may involve HTTP requests to fetch the issuer's configuration and JWKs.
+      def subject_from(id_token)
+        verifier = IDTokenVerifier.new(id_token, keychain)
+        verifier.subject if verifier.verified?
+      end
 
-      "#{config.issuer}/sessions/logout#{?? if query}#{query}"
+      def logout_url(return_to: nil)
+        query = {redirect_uri: return_to}.to_param if return_to
+
+        "#{config.issuer}/sessions/logout#{?? if query}#{query}"
+      end
     end
   end
-
 end

data/lib/keratin/authn/issuer.rb

@@ -1,10 +1,18 @@
+require 'keratin/client'
 require 'net/http'
 
 module Keratin::AuthN
-  class Issuer
-    def initialize(str)
-      @uri = str
-      @config_uri = @uri.chomp('/') + Keratin::AuthN.config.configuration_path
+  class Issuer < Keratin::Client
+    def lock(account_id)
+      patch(path: "/accounts/:account_id/lock").result
+    end
+
+    def unlock(account_id)
+      patch(path: "/accounts/:account_id/unlock").result
+    end
+
+    def archive(account_id)
+      delete(path: "/accounts/:account_id").result
     end
 
     def signing_key
@@ -12,16 +20,12 @@ module Keratin::AuthN
     end
 
     def configuration
-      @configuration ||= JSON.parse(
-        Net::HTTP.get(URI.parse(@config_uri))
-      )
+      @configuration ||= get(path: '/configuration').data
     end
 
     def keys
       @keys ||= JSON::JWK::Set.new(
-        JSON.parse(
-          Net::HTTP.get(URI.parse(configuration['jwks_uri']))
-        )
+        get(path: URI.parse(configuration['jwks_uri']).path).data
       )
     end
   end

data/lib/keratin/authn/test/helpers.rb

@@ -26,7 +26,7 @@ module Keratin::AuthN
       # stubs the endpoints necessary to validate a signed JWT
       private def stub_auth_server(issuer: Keratin::AuthN.config.issuer, keypair: jws_keypair)
         Keratin::AuthN.keychain.clear
-        stub_request(:get, "#{issuer}#{Keratin::AuthN.config.configuration_path}").to_return(
+        stub_request(:get, "#{issuer}/configuration").to_return(
           status: 200,
           body: {'jwks_uri' => "#{issuer}/jwks"}.to_json
         )

data/lib/keratin/authn/version.rb

@@ -1,5 +1,5 @@
 module Keratin
   module AuthN
-    VERSION = "0.1.3"
+    VERSION = "0.2.0"
   end
 end

data/lib/keratin/client.rb

@@ -0,0 +1,78 @@
+module Keratin
+  class Error < StandardError; end
+
+  class ServiceResult
+    attr_reader :data
+    attr_reader :result
+
+    def initialize(data)
+      @data = data
+      @result = data['result']
+    end
+  end
+
+  class ClientError < Keratin::Error
+    attr_reader :errors
+
+    def initialize(errors)
+      @errors = errors.map{|e| [e['field'], e['message']] }
+        .group_by(&:first)
+        .map{|k, v| [k, v.map(&:last)] }
+        .to_h
+
+      super(@errors.inspect)
+    end
+  end
+
+  class ServiceError < Keratin::Error
+  end
+
+  class Client
+
+    attr_reader :base
+
+    def initialize(base_url, username: nil, password: nil)
+      @base = base_url.chomp('/')
+      @auth = [username, password] if username && password
+    end
+
+    private def get(**opts)
+      submit(Net::HTTP::Get, **opts)
+    end
+
+    private def patch(**opts)
+      submit(Net::HTTP::Patch, **opts)
+    end
+
+    private def delete(**opts)
+      submit(Net::HTTP::Delete, **opts)
+    end
+
+    private def submit(request_klass, path:)
+      uri = URI.parse("#{base}#{path}")
+
+      request = request_klass.new(uri)
+      request.basic_auth(*@auth) if @auth
+
+      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
+        http.open_timeout = 0.5
+        http.read_timeout = 2.0
+
+        case response = http.request(request)
+        when Net::HTTPSuccess
+          return ServiceResult.new(JSON.parse(response.body))
+        when Net::HTTPRedirection
+          return ServiceResult.new('result' => {
+            'location' => response['Location']
+          })
+        when Net::HTTPClientError
+          raise ClientError.new(JSON.parse(response.body)['errors'])
+        when Net::HTTPServerError
+          raise ServiceError.new(response.body)
+        end
+      end
+    rescue Net::OpenTimeout, Net::ReadTimeout => e
+      raise ServiceError.new(e.message)
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: keratin-authn
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.2.0
 platform: ruby
 authors:
 - Lance Ivy
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2016-11-28 00:00:00.000000000 Z
+date: 2016-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json-jwt
@@ -132,6 +132,7 @@ files:
 - lib/keratin/authn/test/helpers.rb
 - lib/keratin/authn/testing.rb
 - lib/keratin/authn/version.rb
+- lib/keratin/client.rb
 homepage: 
 licenses:
 - LGPL-3.0