RubyGems - kinde_sdk - Versions diffs - 1.4.0 → 1.6.0 - Mend

kinde_sdk 1.4.0 → 1.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/kinde_api/spec/spec_helper.rb +1 -0
data/lib/kinde_sdk/client.rb +1 -1
data/lib/kinde_sdk/configuration.rb +8 -0
data/lib/kinde_sdk/engine.rb +5 -0
data/lib/kinde_sdk/version.rb +1 -1
data/lib/kinde_sdk.rb +72 -1
data/spec/kinde_sdk_spec.rb +44 -5
data/spec/spec_helper.rb +3 -0
metadata +45 -3
data/lib/kinde_sdk/controllers/auth_controller.rb +0 -152

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4393bedaa94f9f37bcdf785519f34d2a563a812953e9a79172b386dc70b1bdf1
-  data.tar.gz: c6ed0c2101f8bdde09679b1354f92106180ac9842c79899ff4991af80e207006
+  metadata.gz: 83f3ec0e5e4b6f61d409b0a6c6314459917c94fa6109440fda5634e7d2e747f6
+  data.tar.gz: 35dd34872266b28076bf0a9a89f5bb624d6a314d4067fc359a49f901403ef7a2
 SHA512:
-  metadata.gz: 3a66add0908092ef798854740ebabaa033e21565386dd6724915c2a494bc393c2ad8f52b04e29d26c92df93ffb2fbc133d5749f3e514e98e3e015a2246bc4f22
-  data.tar.gz: 70a0439d8b50580546a9e2d4cad90a32eda4bbe276425653be46fd38975918a8aaaab9842261e690dfb7df8962995cb23a064c8629f540e28acd6c334799c348
+  metadata.gz: 58130b81b2d67b3c2ef8c4f34b6d87157016270b08af9d19d77bb67cfae9b27b32937bbd8b90891f0590b9ad7a7d4cdb0443cf4a2281983567c1960415f60bb8
+  data.tar.gz: fa2f18f0219dbe76661f9a6809deeb0a1e5fcfde13ea300533d3be8c342c97902143392e1c9991e3b94ad5bfda319eefb042f21de27405e091d7b6fbb2d34c75

data/kinde_api/spec/spec_helper.rb CHANGED Viewed

@@ -9,6 +9,7 @@
 # Generated by: https://openapi-generator.tech
 # OpenAPI Generator version: 7.0.0-SNAPSHOT
 #
+$LOAD_PATH.unshift File.expand_path('../lib', __dir__)
 # load the gem
 require 'kinde_api'

data/lib/kinde_sdk/client.rb CHANGED Viewed

@@ -1,4 +1,4 @@
-require "kinde_api"
+require_relative '../../kinde_api/lib/kinde_api'
 module KindeSdk
   class Client

data/lib/kinde_sdk/configuration.rb CHANGED Viewed

@@ -10,6 +10,11 @@ module KindeSdk
     attr_accessor :authorize_url
     attr_accessor :token_url
+    attr_accessor :jwks_url
+    attr_accessor :jwks
+    attr_accessor :expected_issuer
+    attr_accessor :expected_audience
     attr_accessor :logger
     attr_accessor :debugging
     attr_accessor :oauth_client
@@ -19,6 +24,9 @@ module KindeSdk
     def initialize
       @authorize_url = '/oauth2/auth'
       @token_url = '/oauth2/token'
+      @jwks_url = '/.well-known/jwks.json'
+      @expected_audience = nil
+      @expected_issuer = nil
       @debugging = false
       @logger = defined?(Rails) ? Rails.logger : Logger.new(STDOUT)
       @scope = 'openid offline email profile'

data/lib/kinde_sdk/engine.rb ADDED Viewed

@@ -0,0 +1,5 @@
+module KindeSdk
+  class Engine < ::Rails::Engine
+    isolate_namespace KindeSdk # Optional, for mountable engines
+  end
+end

data/lib/kinde_sdk/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module KindeSdk
-  VERSION = "1.4.0"
+  VERSION = "1.6.0"
 end

data/lib/kinde_sdk.rb CHANGED Viewed

@@ -1,20 +1,28 @@
 require "logger"
+require "rails"
 require "kinde_sdk/version"
 require "kinde_sdk/configuration"
 require "kinde_sdk/client/feature_flags"
 require "kinde_sdk/client/permissions"
-require "kinde_sdk/controllers/auth_controller"
 require "kinde_sdk/client"
 require 'securerandom'
 require 'oauth2'
 require 'pkce_challenge'
 require 'faraday/follow_redirects'
 require 'uri'
+require 'httparty'
+require 'jwt'
+require 'openssl'
+require 'base64'
 module KindeSdk
   class << self
     attr_accessor :config
+    if defined?(Rails)
+      require "kinde_sdk/engine"
+    end
     def configure
       if block_given?
         yield(Configuration.default)
@@ -102,6 +110,8 @@ module KindeSdk
     #
     # @return [KindeSdk::Client]
     def client(tokens_hash)
+      validate_jwt_token(tokens_hash)
       sdk_api_client = api_client(tokens_hash[:access_token] || tokens_hash["access_token"])
       KindeSdk::Client.new(sdk_api_client, tokens_hash, @config.auto_refresh_tokens)
     end
@@ -135,6 +145,8 @@ module KindeSdk
       audience: "#{@config.domain}/api",
       domain: @config.domain
     )
+      validate_jwt_token(hash)
       OAuth2::AccessToken.from_hash(@config.oauth_client(
         client_id: client_id,
         client_secret: client_secret,
@@ -150,6 +162,8 @@ module KindeSdk
       audience: "#{@config.domain}/api",
       domain: @config.domain
     )
+      validate_jwt_token(hash)
       OAuth2::AccessToken.from_hash(@config.oauth_client(
         client_id: client_id,
         client_secret: client_secret,
@@ -182,5 +196,62 @@ module KindeSdk
     rescue URI::InvalidURIError
       default_scheme
     end
+    def validate_jwt_token(token_hash)
+      token_hash.each do |key, token|
+        next unless %w[access_token id_token].include?(key.to_s.downcase)
+        begin
+          jwt_validation(token, "#{@config.domain}#{@config.jwks_url}", @config.expected_issuer, @config.expected_audience)
+        rescue JWT::DecodeError
+          Rails.logger.error("Invalid JWT token: #{key}")
+          raise JWT::DecodeError, "Invalid #{key.to_s.capitalize.gsub('_', ' ')}"
+        end
+      end
+    end
+    # Method to validate a JWT token with caching for JWKS
+    def jwt_validation(jwt_token, jwks_url, expected_issuer, expected_audience)
+      @cached_jwks ||= fetch_jwks(jwks_url)
+      begin
+        validate_token(jwt_token, @cached_jwks, expected_issuer, expected_audience)
+      rescue JWT::DecodeError, StandardError
+        # If validation fails, fetch JWKS again and retry validation
+        @cached_jwks = fetch_jwks(jwks_url)
+        validate_token(jwt_token, @cached_jwks, expected_issuer, expected_audience)
+      end
+    end
+    private
+    # Fetch JWKS from the URL
+    def fetch_jwks(jwks_url)
+      jwks_response = HTTParty.get(jwks_url)
+      JSON.parse(jwks_response.body)
+    end
+    # Validate the JWT token using the provided JWKS
+    def validate_token(jwt_token, jwks_hash, expected_issuer, expected_audience)
+      # Decode token header to get 'kid'
+      decoded_token = JWT.decode(jwt_token, nil, false) # [payload, header]
+      header = decoded_token[1]
+      kid = header['kid']
+      # Find the matching JWK
+      jwks = JWT::JWK::Set.new(jwks_hash)
+      jwks.filter! {|key| key[:use] == 'sig' }
+      algorithms = jwks.map { |key| key[:alg] }.compact.uniq
+      payload, _header = JWT.decode(jwt_token, nil, true, algorithms: algorithms, jwks: jwks)
+      { valid: true, payload: payload }
+    rescue JWT::DecodeError => e
+      Rails.logger.error("Token validation failed: #{e.message}")
+      raise JWT::DecodeError, "Token validation failed: #{e.message}"
+    rescue StandardError => e
+      Rails.logger.error("Unexpected error: #{e.message}")
+      raise StandardError, "Unexpected error: #{e.message}"
+    end
   end
 end

data/spec/kinde_sdk_spec.rb CHANGED Viewed

@@ -1,4 +1,8 @@
 require 'spec_helper'
+require 'jwt'
+require 'openssl'
+require 'webmock/rspec'
 describe KindeSdk do
   let(:domain) { "http://example.com" }
@@ -8,6 +12,13 @@ describe KindeSdk do
   let(:logout_url) { "http://localhost/logout-callback" }
   let(:auto_refresh_tokens) { true }
+  let(:optional_parameters) { { kid: 'my-kid', use: 'sig', alg: 'RS512' } }
+  let(:rsa_key) { OpenSSL::PKey::RSA.new(2048) }
+  let(:jwk) { JWT::JWK.new(rsa_key, optional_parameters) }
+  let(:payload) { { data: 'data' } }
+  let(:token) { JWT.encode(payload, jwk.signing_key, jwk[:alg], kid: jwk[:kid]) }
+  let(:jwks_hash) { JWT::JWK::Set.new(jwk).export }
   before do
     KindeSdk.configure do |c|
       c.domain = domain
@@ -74,7 +85,19 @@ describe KindeSdk do
         )
         .to_return(
           status: 200,
-          body: { "access_token": "eyJ", "id_token": "test", "refresh_token": "test","expires_in": 86399, "scope": "", "token_type": "bearer" }.to_json,
+          body: { "access_token" => "eyJ", "id_token" => "test", "refresh_token" => "test", "expires_in" => 86399, "scope" => "", "token_type" => "bearer" }.to_json,
+          headers: { "content-type" => "application/json;charset=UTF-8" }
+        )
+      stub_request(:get, "#{domain}/.well-known/jwks.json")
+        .with(
+          headers: {
+       	  'Accept'=>'*/*',
+       	  'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
+       	  'User-Agent'=>'Ruby'
+           })
+        .to_return(
+          status: 200,
+          body: jwks_hash.to_json,
           headers: { "content-type" => "application/json;charset=UTF-8" }
         )
     end
@@ -123,13 +146,13 @@ describe KindeSdk do
     let(:hash_to_encode) do
       { "aud" => [],
         "azp" => "19ebb687cd2f405c9f2daf645a8db895",
-        "exp" => 1679600554,
         "feature_flags" => {
           "asd" => { "t" => "b", "v" => true },
           "eeeeee" => { "t" => "i", "v" => 111 },
           "qqq" => { "t" => "s", "v" => "aa" }
         },
-        "iat" => 1679514154,
+        "iat": Time.now.to_i,           # Issued at: current time
+        "exp": Time.now.to_i + 3600,  # Expiration time: 1 hour from now
         "iss" => "https://example.kinde.com",
         "jti" => "22c48b2c-da46-4661-a7ff-425c23eceab5",
         "org_code" => "org_cb4544175bc",
@@ -137,9 +160,23 @@ describe KindeSdk do
         "scp" => ["openid", "offline"],
         "sub" => "kp:b17adf719f7d4b87b611d1a88a09fd15" }
     end
-    let(:token) { JWT.encode(hash_to_encode, nil, "none") }
+    before do
+      stub_request(:get, "#{domain}/.well-known/jwks.json")
+        .with(
+          headers: {
+       	  'Accept'=>'*/*',
+       	  'Accept-Encoding'=>'gzip;q=1.0,deflate;q=0.6,identity;q=0.3',
+       	  'User-Agent'=>'Ruby'
+           })
+        .to_return(
+          status: 200,
+          body: jwks_hash.to_json,
+          headers: { "content-type" => "application/json;charset=UTF-8" }
+        )
+    end
+    let(:token) { JWT.encode(hash_to_encode, jwk.signing_key, jwk[:alg], kid: jwk[:kid]) }
     let(:expires_at) { Time.now.to_i + 10000000 }
-    let(:client) { described_class.client({ "access_token": token, "expires_at": expires_at }) }
+    let(:client) { described_class.client({ access_token: token, expires_at: expires_at }) }
     context "with feature flags" do
       it "returns existing flags", :aggregate_failures do
@@ -229,3 +266,5 @@ describe KindeSdk do
     end
   end
 end

data/spec/spec_helper.rb CHANGED Viewed

@@ -1,3 +1,6 @@
+$LOAD_PATH.unshift File.expand_path('../lib', __dir__)              # For kinde_sdk
+$LOAD_PATH.unshift File.expand_path('../kinde_api/lib', __dir__)    # For kinde_api
 require "kinde_sdk"
 require "webmock/rspec"

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kinde_sdk
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.6.0
 platform: ruby
 authors:
 - Kinde Australia Pty Ltd
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-03-20 00:00:00.000000000 Z
+date: 2025-03-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: typhoeus
@@ -72,6 +72,48 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 7.0.4
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.19.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.19.0
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.2'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -422,7 +464,7 @@ files:
 - lib/kinde_sdk/client/feature_flags.rb
 - lib/kinde_sdk/client/permissions.rb
 - lib/kinde_sdk/configuration.rb
-- lib/kinde_sdk/controllers/auth_controller.rb
+- lib/kinde_sdk/engine.rb
 - lib/kinde_sdk/version.rb
 - spec/kinde_sdk_spec.rb
 - spec/spec_helper.rb

data/lib/kinde_sdk/controllers/auth_controller.rb DELETED Viewed

@@ -1,152 +0,0 @@
-require 'action_controller'
-require 'uri'
-require 'cgi'
-require 'net/http'
-require 'json'
-require 'jwt'
-module KindeSdk
-  class AuthController < ActionController::Base
-    # Add before_action to validate nonce in callback
-    before_action :validate_state, only: :callback
-    def auth
-      # Generate a secure random nonce
-      nonce = SecureRandom.urlsafe_base64(16)
-      # Call KindeSdk.auth_url with nonce
-      auth_data = KindeSdk.auth_url(nonce: nonce)
-      # Store in session
-      session[:code_verifier] = auth_data[:code_verifier] if auth_data[:code_verifier].present?
-      session[:auth_nonce] = nonce
-      session[:auth_state] = {
-        requested_at: Time.current.to_i,
-        redirect_url: auth_data[:url]
-      }
-      redirect_to auth_data[:url], allow_other_host: true
-    end
-    def callback
-      tokens = KindeSdk.fetch_tokens(
-        params[:code],
-        code_verifier: KindeSdk.config.pkce_enabled ? session[:code_verifier] : nil
-      ).slice(:access_token, :id_token, :refresh_token, :expires_at)
-      # Validate nonce in ID token
-      id_token = tokens[:id_token]
-      issuer = KindeSdk.config.domain
-      client_id = KindeSdk.config.client_id
-      original_nonce = session[:auth_nonce]
-      unless validate_nonce(id_token, original_nonce, issuer, client_id)
-        Rails.logger.warn("Nonce validation failed")
-        redirect_to "/", alert: "Invalid authentication nonce"
-        return
-      end
-      # Store tokens and user in session
-      session[:kinde_auth] = OAuth2::AccessToken.from_hash(KindeSdk.config.oauth_client, tokens).to_hash
-        .slice(:access_token, :refresh_token, :expires_at)
-      session[:kinde_user] = KindeSdk.client(tokens).oauth.get_user.to_hash
-      # Clear nonce and state after successful authentication
-      session.delete(:auth_nonce)
-      session.delete(:auth_state)
-      session.delete(:code_verifier)
-      redirect_to "/"
-    rescue StandardError => e
-      Rails.logger.error("Authentication callback failed: #{e.message}")
-      redirect_to "/", alert: "Authentication failed"
-    end
-    def client_credentials_auth
-      result = KindeSdk.client_credentials_access(
-        client_id: ENV["KINDE_MANAGEMENT_CLIENT_ID"],
-        client_secret: ENV["KINDE_MANAGEMENT_CLIENT_SECRET"]
-      )
-      if result["error"].present?
-        Rails.logger.error("Client credentials auth failed: #{result['error']}")
-        raise result["error"]
-      end
-      $redis.set("kinde_m2m_token", result["access_token"], ex: result["expires_in"].to_i)
-      redirect_to mgmt_path
-    end
-    def logout
-      redirect_to KindeSdk.logout_url, allow_other_host: true
-    end
-    def logout_callback
-      reset_session
-      redirect_to "/"
-    end
-    private
-    def validate_state
-      # Check if nonce and state exist in session
-      unless session[:auth_nonce] && session[:auth_state]
-        Rails.logger.warn("Missing session state or nonce")
-        redirect_to "/", alert: "Invalid authentication state"
-        return
-      end
-      # Verify nonce returned matches stored nonce
-      returned_state = params[:state]
-      stored_state = session[:auth_state]
-      stored_url = stored_state["redirect_url"]
-      # Extract the state from the stored redirect_url
-      parsed_url = URI.parse(stored_url)
-      query_params = CGI.parse(parsed_url.query || "")
-      stored_state_from_url = query_params["state"]&.first
-      # Verify returned state matches the state extracted from the redirect_url
-      unless returned_state.present? && returned_state == stored_state_from_url
-        Rails.logger.warn("State validation failed: returned=#{returned_state}, expected=#{stored_state_from_url}")
-        redirect_to "/", alert: "Invalid authentication state"
-        return
-      end
-      # Optional: Check state age (e.g., expires after 15 minutes)
-      if Time.current.to_i - stored_state["requested_at"] > 900
-        Rails.logger.warn("Authentication state expired")
-        redirect_to "/", alert: "Authentication session expired"
-        return
-      end
-    end
-    def validate_nonce(id_token, original_nonce, issuer, client_id)
-      jwks_uri = URI.parse("#{issuer}/.well-known/jwks.json")
-      jwks_response = Net::HTTP.get(jwks_uri)
-      jwks = JSON.parse(jwks_response)
-      decoded_token = JWT.decode(
-        id_token,
-        nil,
-        true,
-        algorithm: 'RS256',
-        iss: issuer,
-        aud: client_id,
-        verify_iss: true,
-        verify_aud: true,
-        jwks: { keys: jwks['keys'] }
-      )
-      payload = decoded_token[0]
-      nonce_from_token = payload['nonce']
-      nonce_from_token == original_nonce
-    rescue StandardError => e
-      Rails.logger.error("Nonce validation error: #{e.message}")
-      false
-    end
-  end
-end