kinde_sdk 1.3.0 → 1.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8c359bdcb6d579be388fe1461d4305a5c10dacdc27f1fc06d244db3c042d247c
-  data.tar.gz: e1be276fe179c87fba4060317630cf85e29b91d1f05f52837eaaeaf5a227fb38
+  metadata.gz: bc5ca096d7760fdbb44aad50f80581bedad34c59961401731a46fdcfe12de6e8
+  data.tar.gz: 7c172304b38b70bb4446e25db64cd3ce98c28aadded415d32a776b82885095d5
 SHA512:
-  metadata.gz: fa55ff69411d58b639df64c43f65ed26e10ccc3f54a6e65d5ef421936c3e50759cdaca26003146c0b7f6befa704603304e7488da4112b15e7c5271bdc7f724f7
-  data.tar.gz: 7fc8ada7e5d0a1d958f787898a98f0eeb68b4597dfe4affa66811f5167d04b744cbb2067db0b32b94c6bab96bca50c6813a9697c9b703cd385e3010a3dc3f144
+  metadata.gz: 963aabbb2e5d9ea92c3369d127f21ea3181aa646bbf087a1e4322c7d4721f0c267a8ba0f5f55d5a1c389bdca7d75844193fa039969f6760fd0c59419e6e8897b
+  data.tar.gz: 520cd6180f22cf93041b0de2cd89898d6640c275dd4f9d8e19efa4514969b18dc4a440265ab3a1b35aa81ab0707adad6eeb45c11d7bc8ab68eb978c7bb969616

data/lib/kinde_sdk/controllers/auth_controller.rb

@@ -0,0 +1,152 @@
+require 'action_controller'
+require 'uri'
+require 'cgi'
+require 'net/http'
+require 'json'
+require 'jwt'
+
+module KindeSdk
+  class AuthController < ActionController::Base
+    # Add before_action to validate nonce in callback
+    before_action :validate_state, only: :callback
+  
+    def auth
+      # Generate a secure random nonce
+      nonce = SecureRandom.urlsafe_base64(16)
+      
+      # Call KindeSdk.auth_url with nonce
+      auth_data = KindeSdk.auth_url(nonce: nonce)
+      
+      # Store in session
+      session[:code_verifier] = auth_data[:code_verifier] if auth_data[:code_verifier].present?
+      session[:auth_nonce] = nonce
+      session[:auth_state] = {
+        requested_at: Time.current.to_i,
+        redirect_url: auth_data[:url]
+      }
+  
+      redirect_to auth_data[:url], allow_other_host: true
+    end
+  
+    def callback
+      tokens = KindeSdk.fetch_tokens(
+        params[:code],
+        code_verifier: KindeSdk.config.pkce_enabled ? session[:code_verifier] : nil
+      ).slice(:access_token, :id_token, :refresh_token, :expires_at)
+  
+
+      # Validate nonce in ID token
+      id_token = tokens[:id_token]
+      issuer = KindeSdk.config.domain
+      client_id = KindeSdk.config.client_id
+      original_nonce = session[:auth_nonce]
+      unless validate_nonce(id_token, original_nonce, issuer, client_id)
+        Rails.logger.warn("Nonce validation failed")
+        redirect_to "/", alert: "Invalid authentication nonce"
+        return
+      end
+
+      # Store tokens and user in session
+      session[:kinde_auth] = OAuth2::AccessToken.from_hash(KindeSdk.config.oauth_client, tokens).to_hash
+        .slice(:access_token, :refresh_token, :expires_at)
+      session[:kinde_user] = KindeSdk.client(tokens).oauth.get_user.to_hash
+      
+      # Clear nonce and state after successful authentication
+      session.delete(:auth_nonce)
+      session.delete(:auth_state)
+      session.delete(:code_verifier)
+      redirect_to "/"
+    rescue StandardError => e
+      Rails.logger.error("Authentication callback failed: #{e.message}")
+      redirect_to "/", alert: "Authentication failed"
+    end
+  
+    def client_credentials_auth
+      result = KindeSdk.client_credentials_access(
+        client_id: ENV["KINDE_MANAGEMENT_CLIENT_ID"],
+        client_secret: ENV["KINDE_MANAGEMENT_CLIENT_SECRET"]
+      )
+  
+      if result["error"].present?
+        Rails.logger.error("Client credentials auth failed: #{result['error']}")
+        raise result["error"]
+      end
+  
+      $redis.set("kinde_m2m_token", result["access_token"], ex: result["expires_in"].to_i)
+      redirect_to mgmt_path
+    end
+  
+    def logout
+      redirect_to KindeSdk.logout_url, allow_other_host: true
+    end
+  
+    def logout_callback
+      reset_session
+      redirect_to "/"
+    end
+  
+    private
+  
+    def validate_state
+      # Check if nonce and state exist in session
+      unless session[:auth_nonce] && session[:auth_state]
+        Rails.logger.warn("Missing session state or nonce")
+        redirect_to "/", alert: "Invalid authentication state"
+        return
+      end
+  
+      # Verify nonce returned matches stored nonce
+      returned_state = params[:state]
+      stored_state = session[:auth_state]
+      stored_url = stored_state["redirect_url"]
+  
+      # Extract the state from the stored redirect_url
+      parsed_url = URI.parse(stored_url)
+      query_params = CGI.parse(parsed_url.query || "")
+      stored_state_from_url = query_params["state"]&.first
+
+      # Verify returned state matches the state extracted from the redirect_url
+      unless returned_state.present? && returned_state == stored_state_from_url
+        Rails.logger.warn("State validation failed: returned=#{returned_state}, expected=#{stored_state_from_url}")
+        redirect_to "/", alert: "Invalid authentication state"
+        return
+      end
+
+      # Optional: Check state age (e.g., expires after 15 minutes)
+      if Time.current.to_i - stored_state["requested_at"] > 900
+        Rails.logger.warn("Authentication state expired")
+        redirect_to "/", alert: "Authentication session expired"
+        return
+      end
+    end
+
+
+    def validate_nonce(id_token, original_nonce, issuer, client_id)
+      jwks_uri = URI.parse("#{issuer}/.well-known/jwks.json")
+      jwks_response = Net::HTTP.get(jwks_uri)
+      jwks = JSON.parse(jwks_response)
+    
+      decoded_token = JWT.decode(
+        id_token,
+        nil,
+        true,
+        algorithm: 'RS256',
+        iss: issuer,
+        aud: client_id,
+        verify_iss: true,
+        verify_aud: true,
+        jwks: { keys: jwks['keys'] }
+      )
+    
+      payload = decoded_token[0]
+      nonce_from_token = payload['nonce']
+      
+      nonce_from_token == original_nonce
+    rescue StandardError => e
+      Rails.logger.error("Nonce validation error: #{e.message}")
+      false
+    end
+    
+    
+  end
+end

data/lib/kinde_sdk/version.rb

@@ -1,3 +1,3 @@
 module KindeSdk
-  VERSION = "1.3.0"
+  VERSION = "1.3.1"
 end

data/lib/kinde_sdk.rb

@@ -1,9 +1,10 @@
+require "logger"
 require "kinde_sdk/version"
 require "kinde_sdk/configuration"
 require "kinde_sdk/client/feature_flags"
 require "kinde_sdk/client/permissions"
+require "kinde_sdk/controllers/auth_controller"
 require "kinde_sdk/client"
-
 require 'securerandom'
 require 'oauth2'
 require 'pkce_challenge'
@@ -36,7 +37,7 @@ module KindeSdk
       params = {
         redirect_uri: redirect_uri,
         state: SecureRandom.hex,
-        scope: @config.scope
+        scope: @config.scope,
       }.merge(**kwargs)
       return { url: @config.oauth_client(
         client_id: client_id,
@@ -74,12 +75,21 @@ module KindeSdk
         headers: { 'User-Agent' => "Kinde-SDK: Ruby/#{KindeSdk::VERSION}" }
       }
       params[:code_verifier] = code_verifier if code_verifier
-      @config.oauth_client(
+      token = @config.oauth_client(
         client_id: client_id,
         client_secret: client_secret,
         domain: domain,
         authorize_url: "#{domain}/oauth2/auth",
-        token_url: "#{domain}/oauth2/token").auth_code.get_token(code.to_s, params).to_hash
+        token_url: "#{domain}/oauth2/token").auth_code.get_token(code.to_s, params)
+
+      {
+        access_token: token.token,           # The access token
+        id_token: token.params['id_token'],  # The ID token from params
+        expires_at: token.expires_at,        # Optional: expiration time
+        refresh_token: token.refresh_token,   # Optional: if present
+        scope: token.params['scope'],        # The scopes requested
+        token_type: token.params['token_type'] # The token type
+      }.compact
     end
 
     # tokens_hash #=>
@@ -92,7 +102,7 @@ module KindeSdk
     #
     # @return [KindeSdk::Client]
     def client(tokens_hash)
-      sdk_api_client = api_client(tokens_hash["access_token"])
+      sdk_api_client = api_client(tokens_hash[:access_token] || tokens_hash["access_token"])
       KindeSdk::Client.new(sdk_api_client, tokens_hash, @config.auto_refresh_tokens)
     end
 

data/spec/kinde_sdk_spec.rb

@@ -74,20 +74,20 @@ describe KindeSdk do
         )
         .to_return(
           status: 200,
-          body: { "access_token": "eyJ", "expires_in": 86399, "scope": "", "token_type": "bearer" }.to_json,
+          body: { "access_token": "eyJ", "id_token": "test", "refresh_token": "test","expires_in": 86399, "scope": "", "token_type": "bearer" }.to_json,
           headers: { "content-type" => "application/json;charset=UTF-8" }
         )
     end
 
     it "calls /token url with proper body and headers" do
-      expect(described_class.fetch_tokens(code).keys).to eq(%w[scope token_type access_token refresh_token expires_at])
+      expect(described_class.fetch_tokens(code).keys.map(&:to_s)).to eq(%w[access_token id_token expires_at refresh_token scope token_type])
     end
 
     context "with redefined callback_url" do
       let(:callback_url) { "another-callback" }
 
       it "calls /token url with proper body and headers" do
-        expect(described_class.fetch_tokens(code).keys.size).to eq(5)
+        expect(described_class.fetch_tokens(code).keys.size).to eq(6)
       end
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kinde_sdk
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.3.1
 platform: ruby
 authors:
 - Kinde Australia Pty Ltd
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-02-18 00:00:00.000000000 Z
+date: 2025-03-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: typhoeus
@@ -422,6 +422,7 @@ files:
 - lib/kinde_sdk/client/feature_flags.rb
 - lib/kinde_sdk/client/permissions.rb
 - lib/kinde_sdk/configuration.rb
+- lib/kinde_sdk/controllers/auth_controller.rb
 - lib/kinde_sdk/version.rb
 - spec/kinde_sdk_spec.rb
 - spec/spec_helper.rb