kinde_sdk 1.6.0 → 1.6.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 83f3ec0e5e4b6f61d409b0a6c6314459917c94fa6109440fda5634e7d2e747f6
-  data.tar.gz: 35dd34872266b28076bf0a9a89f5bb624d6a314d4067fc359a49f901403ef7a2
+  metadata.gz: 8a51e08a86c0ebee1cd68dea496cb049da5d43600f5afb7fe9a536d2697b1640
+  data.tar.gz: ebc062da13f17b1a5556114d7ee2f6182e35a24ed25ad1d2aba38a135cf431e9
 SHA512:
-  metadata.gz: 58130b81b2d67b3c2ef8c4f34b6d87157016270b08af9d19d77bb67cfae9b27b32937bbd8b90891f0590b9ad7a7d4cdb0443cf4a2281983567c1960415f60bb8
-  data.tar.gz: fa2f18f0219dbe76661f9a6809deeb0a1e5fcfde13ea300533d3be8c342c97902143392e1c9991e3b94ad5bfda319eefb042f21de27405e091d7b6fbb2d34c75
+  metadata.gz: 7d285428c93ed0abce5b77e2a90359e54c82d54a1596d4d2177eec28417646ce67c04909aa6b609d0cf4ed0aef7473229c24d2d759c77c20284e8bc653d46009
+  data.tar.gz: 5373b19121f97d843bd085702e1bffde03bd03796384beab6294e88d467c424f2bcfe37322020a872f825ebf0d5d087bc41ccfef4b6f5a61294ca954f121dd28

data/app/assets/stylesheets/kinde/ruby/sdk/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/controllers/kinde_sdk/auth_controller.rb

@@ -0,0 +1,152 @@
+require 'action_controller'
+require 'uri'
+require 'cgi'
+require 'net/http'
+require 'json'
+require 'jwt'
+
+module KindeSdk
+  class AuthController < ActionController::Base
+    # Add before_action to validate nonce in callback
+    before_action :validate_state, only: :callback
+  
+    def auth
+      # Generate a secure random nonce
+      nonce = SecureRandom.urlsafe_base64(16)
+      
+      # Call KindeSdk.auth_url with nonce
+      auth_data = KindeSdk.auth_url(nonce: nonce)
+      
+      # Store in session
+      session[:code_verifier] = auth_data[:code_verifier] if auth_data[:code_verifier].present?
+      session[:auth_nonce] = nonce
+      session[:auth_state] = {
+        requested_at: Time.current.to_i,
+        redirect_url: auth_data[:url]
+      }
+      
+      redirect_to auth_data[:url], allow_other_host: true
+    end
+  
+    def callback
+      tokens = KindeSdk.fetch_tokens(
+        params[:code],
+        code_verifier: KindeSdk.config.pkce_enabled ? session[:code_verifier] : nil
+      ).slice(:access_token, :id_token, :refresh_token, :expires_at)
+  
+
+      # Validate nonce in ID token
+      id_token = tokens[:id_token]
+      issuer = KindeSdk.config.domain
+      client_id = KindeSdk.config.client_id
+      original_nonce = session[:auth_nonce]
+      unless validate_nonce(id_token, original_nonce, issuer, client_id)
+        Rails.logger.warn("Nonce validation failed")
+        redirect_to "/", alert: "Invalid authentication nonce"
+        return
+      end
+
+      # Store tokens and user in session
+      session[:kinde_auth] = OAuth2::AccessToken.from_hash(KindeSdk.config.oauth_client, tokens).to_hash
+        .slice(:access_token, :refresh_token, :expires_at)
+      session[:kinde_user] = KindeSdk.client(tokens).oauth.get_user.to_hash
+      
+      # Clear nonce and state after successful authentication
+      session.delete(:auth_nonce)
+      session.delete(:auth_state)
+      session.delete(:code_verifier)
+      redirect_to "/"
+    rescue StandardError => e
+      Rails.logger.error("Authentication callback failed: #{e.message}")
+      redirect_to "/", alert: "Authentication failed"
+    end
+  
+    def client_credentials_auth
+      result = KindeSdk.client_credentials_access(
+        client_id: ENV["KINDE_MANAGEMENT_CLIENT_ID"],
+        client_secret: ENV["KINDE_MANAGEMENT_CLIENT_SECRET"]
+      )
+  
+      if result["error"].present?
+        Rails.logger.error("Client credentials auth failed: #{result['error']}")
+        raise result["error"]
+      end
+  
+      $redis.set("kinde_m2m_token", result["access_token"], ex: result["expires_in"].to_i)
+      redirect_to mgmt_path
+    end
+  
+    def logout
+      redirect_to KindeSdk.logout_url, allow_other_host: true
+    end
+  
+    def logout_callback
+      reset_session
+      redirect_to "/"
+    end
+  
+    private
+  
+    def validate_state
+      # Check if nonce and state exist in session
+      unless session[:auth_nonce] && session[:auth_state]
+        Rails.logger.warn("Missing session state or nonce [#{session[:auth_nonce]}] [#{session[:auth_state]}]")
+        redirect_to "/", alert: "Invalid authentication state"
+        return
+      end
+  
+      # Verify nonce returned matches stored nonce
+      returned_state = params[:state]
+      stored_state = session[:auth_state]
+      stored_url = stored_state["redirect_url"]
+  
+      # Extract the state from the stored redirect_url
+      parsed_url = URI.parse(stored_url)
+      query_params = CGI.parse(parsed_url.query || "")
+      stored_state_from_url = query_params["state"]&.first
+
+      # Verify returned state matches the state extracted from the redirect_url
+      unless returned_state.present? && returned_state == stored_state_from_url
+        Rails.logger.warn("State validation failed: returned=#{returned_state}, expected=#{stored_state_from_url}")
+        redirect_to "/", alert: "Invalid authentication state"
+        return
+      end
+
+      # Optional: Check state age (e.g., expires after 15 minutes)
+      if Time.current.to_i - stored_state["requested_at"] > 900
+        Rails.logger.warn("Authentication state expired")
+        redirect_to "/", alert: "Authentication session expired"
+        return
+      end
+    end
+
+
+    def validate_nonce(id_token, original_nonce, issuer, client_id)
+      jwks_uri = URI.parse("#{issuer}/.well-known/jwks.json")
+      jwks_response = Net::HTTP.get(jwks_uri)
+      jwks = JSON.parse(jwks_response)
+    
+      decoded_token = JWT.decode(
+        id_token,
+        nil,
+        true,
+        algorithm: 'RS256',
+        iss: issuer,
+        aud: client_id,
+        verify_iss: true,
+        verify_aud: true,
+        jwks: { keys: jwks['keys'] }
+      )
+    
+      payload = decoded_token[0]
+      nonce_from_token = payload['nonce']
+      
+      nonce_from_token == original_nonce
+    rescue StandardError => e
+      Rails.logger.error("Nonce validation error: #{e.message}")
+      false
+    end
+    
+    
+  end
+end

data/config/routes.rb

@@ -0,0 +1,7 @@
+KindeSdk::Engine.routes.draw do
+    get "callback" => "auth#callback"
+    get "auth" => "auth#auth"
+    get "logout" => "auth#logout"
+    get "logout_callback" => "auth#logout_callback"
+    get "client_credentials_auth" => "auth#client_credentials_auth"
+end

data/lib/kinde_sdk/version.rb

@@ -1,3 +1,3 @@
 module KindeSdk
-  VERSION = "1.6.0"
+  VERSION = "1.6.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: kinde_sdk
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.6.1
 platform: ruby
 authors:
 - Kinde Australia Pty Ltd
@@ -141,6 +141,9 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- app/assets/stylesheets/kinde/ruby/sdk/application.css
+- app/controllers/kinde_sdk/auth_controller.rb
+- config/routes.rb
 - kinde_api/README.md
 - kinde_api/docs/APIsApi.md
 - kinde_api/docs/AddAPIsRequest.md