kinde_sdk 1.0.0

data/lib/kinde_sdk/client.rb

@@ -0,0 +1,49 @@
+require "kinde_api"
+
+module KindeSdk
+  class Client
+    attr_accessor :kinde_api_client
+    attr_accessor :bearer_token
+
+    def initialize(sdk_api_client, bearer_token)
+      @kinde_api_client = sdk_api_client
+      @bearer_token = bearer_token
+      @decoded_token = JWT.decode(bearer_token, nil, false)
+    end
+
+    def get_claim(*args)
+      @decoded_token[0].dig(*args)
+    end
+
+    def get_permissions
+      get_claim("permissions")
+    end
+
+    def get_permission(permission)
+      {
+        org_code: get_claim("org_code"),
+        is_granted: permission_granted?(permission)
+      }
+    end
+
+    def permission_granted?(permission)
+      get_claim("permissions").include?(permission)
+    end
+
+    def logout
+      KindeSdk.logout(bearer_token, kinde_api_client)
+    end
+
+    ::KindeApi.constants.filter { |klass| klass.to_s.end_with?("Api") }.each do |klass|
+      api_klass = Kernel.const_get("KindeApi::#{klass}")
+
+      define_method(klass.to_s.downcase.split("api")[0]) { init_instance_api(api_klass) }
+    end
+
+    private
+
+    def init_instance_api(api_klass)
+      api_klass.new(kinde_api_client)
+    end
+  end
+end

data/lib/kinde_sdk/configuration.rb

@@ -0,0 +1,50 @@
+module KindeSdk
+  class Configuration
+    attr_accessor :domain
+    attr_accessor :client_id
+    attr_accessor :client_secret
+    attr_accessor :callback_url
+    attr_accessor :logout_url
+    attr_accessor :scope
+
+    attr_accessor :authorize_url
+    attr_accessor :token_url
+
+    attr_accessor :logger
+    attr_accessor :debugging
+    attr_accessor :oauth_client
+    attr_accessor :pkce_enabled
+    attr_accessor :business_name
+
+    def initialize
+      @authorize_url = '/oauth2/auth'
+      @token_url = '/oauth2/token'
+      @debugging = false
+      @logger = defined?(Rails) ? Rails.logger : Logger.new(STDOUT)
+      @scope = 'openid offline email profile'
+      @pkce_enabled = true
+      @business_name = nil
+
+      yield(self) if block_given?
+    end
+
+    def self.default
+      @@default ||= Configuration.new
+    end
+
+    def configure
+      yield(self) if block_given?
+    end
+
+    def oauth_client
+      ::OAuth2::Client.new(
+        client_id,
+        client_secret,
+        site: domain,
+        authorize_url: authorize_url,
+        token_url: token_url,
+        logger: logger
+      )
+    end
+  end
+end

data/lib/kinde_sdk/version.rb

@@ -0,0 +1,3 @@
+module KindeSdk
+  VERSION = "1.0.0"
+end

data/lib/kinde_sdk.rb

@@ -0,0 +1,109 @@
+require "kinde_sdk/version"
+require "kinde_sdk/configuration"
+require "kinde_sdk/client"
+
+require 'securerandom'
+require 'oauth2'
+require 'pkce_challenge'
+require 'faraday/follow_redirects'
+
+module KindeSdk
+  class << self
+    attr_accessor :config
+
+    def configure
+      if block_given?
+        yield(Configuration.default)
+      else
+        Configuration.default
+      end
+
+      @config = Configuration.default
+    end
+
+    # receive url for authorization in Kinde itself
+    #
+    # @return [Hash]
+    def auth_url(**kwargs)
+      params = {
+        redirect_uri: @config.callback_url,
+        state: SecureRandom.hex,
+        scope: @config.scope
+      }.merge(**kwargs)
+      return { url: @config.oauth_client.auth_code.authorize_url(params) } unless @config.pkce_enabled
+
+      pkce_challenge = PkceChallenge.challenge(char_length: 128)
+      params.merge!(code_challenge_method: 'S256', code_challenge: pkce_challenge.code_challenge)
+      {
+        url: @config.oauth_client.auth_code.authorize_url(params),
+        code_verifier: pkce_challenge.code_verifier
+      }
+    end
+
+    # when callback processor receives code, it needs to be used for fetching bearer token
+    #
+    # @return [Hash]
+    def fetch_tokens(params_or_code, code_verifier = nil)
+      code = params_or_code.kind_of?(Hash) ? params.fetch("code") : params_or_code
+      params = { redirect_uri: @config.callback_url }
+      params[:code_verifier] = code_verifier if code_verifier
+      @config.oauth_client.auth_code.get_token(code.to_s, params).to_hash
+    end
+
+    # @return [KindeSdk::Client]
+    def client(bearer_token)
+      sdk_api_client = api_client(bearer_token)
+      KindeSdk::Client.new(sdk_api_client, bearer_token)
+    end
+
+    def logout(bearer_token, sdk_api_client = nil)
+      (sdk_api_client || api_client(bearer_token))
+        .call_api(
+          :get, '/logout',
+          query_params: { 'redirect' => @config.logout_url },
+          header_params: { 'Authorization' => "Bearer #{bearer_token}" }
+        )
+    end
+
+    def client_credentials_access(
+      client_id: @config.client_id,
+      client_secret: @config.client_secret,
+      audience: "#{@config.domain}/api"
+    )
+      Faraday.new(url: @config.domain) do |faraday|
+        faraday.response :json
+        faraday.use Faraday::FollowRedirects::Middleware
+      end
+        .post(@config.token_url) do |req|
+        req.headers[:content_type] = 'application/x-www-form-urlencoded'
+        req.body =
+          "grant_type=client_credentials&client_id=#{client_id}&client_secret=#{client_secret}&audience=#{audience}"
+      end.body
+    end
+
+    def token_expired?(hash)
+      OAuth2::AccessToken.from_hash(@config.oauth_client, hash).expired?
+    end
+
+    # @return [Hash]
+    def refresh_token(hash)
+      OAuth2::AccessToken.from_hash(@config.oauth_client, hash).refresh.to_hash
+    end
+
+    # init sdk api client by bearer token
+    #
+    # @return [KindeApi::ApiClient]
+    def api_client(bearer_token)
+      config = KindeApi::Configuration.default
+      config.configure do |c|
+        c.access_token = bearer_token
+        c.server_variables = { businessName: @config.business_name || @config.domain.split("//")[1].split(".")[0] }
+        c.host = @config.domain
+        c.debugging = @config.debugging
+        c.logger = @config.logger
+      end
+
+      KindeApi::ApiClient.new(config)
+    end
+  end
+end

data/openapitools.json

@@ -0,0 +1,7 @@
+{
+  "$schema": "./node_modules/@openapitools/openapi-generator-cli/config.schema.json",
+  "spaces": 2,
+  "generator-cli": {
+    "version": "6.4.0"
+  }
+}

data/spec/kinde_sdk_spec.rb

@@ -0,0 +1,105 @@
+require 'spec_helper'
+
+describe KindeSdk do
+  let(:domain) { "http://example.com" }
+  let(:client_id) { "client_id" }
+  let(:client_secret) { "client_secret" }
+  let(:callback_url) { "http://localhost:3000/callback" }
+
+  before do
+    KindeSdk.configure do |c|
+      c.domain = domain
+      c.client_id = client_id
+      c.client_secret = client_secret
+      c.callback_url = callback_url
+    end
+  end
+
+  describe "#auth_url" do
+    it "returns prepared authorize url", :aggregate_failures do
+      auth_obj = described_class.auth_url
+      expect(auth_obj[:code_verifier]).not_to be_nil
+      expect(auth_obj[:url]).to start_with("#{domain}/oauth2/auth?client_id=#{client_id}&")
+    end
+  end
+
+  describe "#api_client" do
+    it "returns initialized api_client instance of KindeApi" do
+      expect(described_class.api_client("bearer-token")).to be_instance_of(KindeApi::ApiClient)
+    end
+  end
+
+  describe "#client_credentials_access" do
+    let(:audience) { "#{domain}/api" }
+    let(:request_body) do
+      "grant_type=client_credentials&client_id=#{client_id}&client_secret=#{client_secret}&audience=#{audience}"
+    end
+    let(:response_body) do
+      { "access_token" => "eyJhbGciO", "expires_in" => 86399, "scope" => "", "token_type" => "bearer" }.to_json
+    end
+    before { stub_request(:post, "#{domain}/oauth2/token").with(body: request_body).to_return(body: response_body) }
+
+    it "calls oauth2/token url with configured credentials" do
+      expect(described_class.client_credentials_access).to eq(response_body)
+    end
+
+    context "with params override" do
+      let(:client_id) { 'other_id' }
+      let(:client_secret) { 'other_secret' }
+      let(:audience) { 'some-audience' }
+
+      it "calls oauth2/token url with passed credentials" do
+        expect(described_class.client_credentials_access(
+                 client_id: client_id, client_secret: client_secret, audience: audience
+        )).to eq(response_body)
+      end
+    end
+  end
+
+  describe "client" do
+    let(:hash_to_encode) do
+      { "aud" => [],
+       "azp" => "19ebb687cd2f405c9f2daf645a8db895",
+       "exp" => 1679600554,
+       "feature_flags" => nil,
+       "iat" => 1679514154,
+       "iss" => "https://qwv2.kinde.com",
+       "jti" => "22c48b2c-da46-4661-a7ff-425c23eceab5",
+       "org_code" => "org_cb4544175bc",
+       "permissions" => ["read:todos", "create:todos"],
+       "scp" => ["openid", "offline"],
+       "sub" => "kp:b17adf719f7d4b87b611d1a88a09fd15" }
+    end
+    let(:token) { JWT.encode(hash_to_encode, nil, "none") }
+    let(:client) { described_class.client(token) }
+
+    it "returns requested claim from bearer", :aggregate_failures do
+      expect(client.get_claim("scp")).to eq(hash_to_encode["scp"])
+      expect(client.get_claim("aaa")).to be_nil
+    end
+
+    it "returns permissions from bearer", :aggregate_failures do
+      expect(client.get_permissions).to eq(hash_to_encode["permissions"])
+      expect(client.get_permission(hash_to_encode["permissions"][0]))
+        .to eq({ org_code: hash_to_encode["org_code"], is_granted: true })
+      expect(client.permission_granted?(hash_to_encode["permissions"][0])).to be(true)
+      expect(client.get_permission("asd"))
+        .to eq({ org_code: hash_to_encode["org_code"], is_granted: false })
+      expect(client.permission_granted?("asd")).to be(false)
+    end
+
+    describe "api instances" do
+      it 'initializes client by passing the bearer' do
+        expect(client).to be_instance_of(KindeSdk::Client)
+      end
+
+      it "initializes oauth instance api" do
+        expect(client.oauth).to be_instance_of(KindeApi::OAuthApi)
+      end
+
+      it "initializes users instance api" do
+        expect(client.users).to be_instance_of(KindeApi::UsersApi)
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,82 @@
+require "kinde_sdk"
+require "webmock/rspec"
+
+# See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
+RSpec.configure do |config|
+  # rspec-expectations config goes here. You can use an alternate
+  # assertion/expectation library such as wrong or the stdlib/minitest
+  # assertions if you prefer.
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  # rspec-mocks config goes here. You can use an alternate test double
+  # library (such as bogus or mocha) by changing the `mock_with` option here.
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+# The settings below are suggested to provide a good initial experience
+# with RSpec, but feel free to customize to your heart's content.
+=begin
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Allows RSpec to persist some state between runs in order to support
+  # the `--only-failures` and `--next-failure` CLI options. We recommend
+  # you configure your source control system to ignore this file.
+  config.example_status_persistence_file_path = "spec/examples.txt"
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://rspec.info/blog/2012/06/rspecs-new-expectation-syntax/
+  #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://rspec.info/blog/2014/05/notable-changes-in-rspec-3/#zero-monkey-patching-mode
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  if config.files_to_run.one?
+    # Use the documentation formatter for detailed output,
+    # unless a formatter has already been configured
+    # (e.g. via a command-line flag).
+    config.default_formatter = 'doc'
+  end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+=end
+end