kinde_sdk 1.6.2 → 1.6.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2c65c1b91fb94f9002ee2ce815a2455b7185db3ca91c7babfb7d2c8bc557eb5d
-  data.tar.gz: 6ca01f15fba17e280a8f3708ffa08ac86b613a2cf7de0ada9e9111eefb43d813
+  metadata.gz: 897c5732757f381a16e53865635495a790a1d892f016711f5826a3b9e78a67e8
+  data.tar.gz: 34d03ded031c86085e03265fd4af1f427e7a0f7ba2e5d0d61ba215905f2acc43
 SHA512:
-  metadata.gz: 5cbb3e4d0d6b473a0a8037b944e463526f58264557ff8963958baeacf586ee33823c79a5d47ee8221cd468e5128f5e9fe36f59070fd80f09e8a4af061261115f
-  data.tar.gz: cbdb9bea2bb157d69c818a2e41e95bd47b47e69bab9aa60189549130cdb4fd86610b8df0b9d266e2924f9c0cf1006f8ba5c7b59be37e7775ee1aba5d31caeb46
+  metadata.gz: 98e37a1e37548d2729a839e14cfc1294b356e05eb1ba412ffb065a9bc1bf5c21e1e7b68691e76329ab32011df1b13187421223bcd5d835b44790456338b3b514
+  data.tar.gz: 2c92398e168a07de932144e38a80edd9504466b5b6ca3459962a7756dc1b264d5bf29eda81ab40a651fa5106dcc04f7c26c00c0d6ac9f3d36b35e3543ca301cf

data/app/controllers/kinde_sdk/auth_controller.rb

@@ -6,18 +6,25 @@ require 'json'
 require 'jwt'
 
 module KindeSdk
+  # AuthController handles all authentication-related actions for the Kinde SDK
+  # including OAuth2 flows, token management, and session handling
   class AuthController < ActionController::Base
-    # Add before_action to validate nonce in callback
+    include AuthHelper
+    
     before_action :validate_state, only: :callback
+    before_action :clear_auth_session, only: [:logout_callback, :logout]
   
+    # Initiates the OAuth2 authorization flow
+    # Generates a secure nonce and redirects to Kinde's authorization endpoint
+    # @return [void] Redirects to Kinde's authorization URL
     def auth
-      # Generate a secure random nonce
+      # Generate a secure random nonce for CSRF protection
       nonce = SecureRandom.urlsafe_base64(16)
       
-      # Call KindeSdk.auth_url with nonce
+      # Get authorization URL and PKCE code verifier from SDK
       auth_data = KindeSdk.auth_url(nonce: nonce)
       
-      # Store in session
+      # Store PKCE code verifier and nonce in session for validation
       session[:code_verifier] = auth_data[:code_verifier] if auth_data[:code_verifier].present?
       session[:auth_nonce] = nonce
       session[:auth_state] = {
@@ -26,41 +33,31 @@ module KindeSdk
       }
       
       redirect_to auth_data[:url], allow_other_host: true
+    rescue StandardError => e
+      handle_error("Auth initialization failed", e)
     end
   
+    # Handles the OAuth2 callback from Kinde
+    # Validates the response, exchanges code for tokens, and sets up the session
+    # @return [void] Redirects to root path on success
     def callback
-      tokens = KindeSdk.fetch_tokens(
-        params[:code],
-        code_verifier: KindeSdk.config.pkce_enabled ? session[:code_verifier] : nil
-      ).slice(:access_token, :id_token, :refresh_token, :expires_at)
-  
-
-      # Validate nonce in ID token
-      id_token = tokens[:id_token]
-      issuer = KindeSdk.config.domain
-      client_id = KindeSdk.config.client_id
-      original_nonce = session[:auth_nonce]
-      unless validate_nonce(id_token, original_nonce, issuer, client_id)
-        Rails.logger.warn("Nonce validation failed")
-        redirect_to "/", alert: "Invalid authentication nonce"
-        return
-      end
+      tokens = fetch_and_validate_tokens
+      return if performed?
 
-      # Store tokens and user in session
-      session[:kinde_auth] = OAuth2::AccessToken.from_hash(KindeSdk.config.oauth_client, tokens).to_hash
-        .slice(:access_token, :refresh_token, :expires_at)
-      session[:kinde_user] = KindeSdk.client(tokens).oauth.get_user.to_hash
+      # Store tokens and user information in session
+      set_session_tokens(tokens)
+      
+      # Clean up temporary auth session data
+      clear_auth_session
       
-      # Clear nonce and state after successful authentication
-      session.delete(:auth_nonce)
-      session.delete(:auth_state)
-      session.delete(:code_verifier)
       redirect_to "/"
     rescue StandardError => e
-      Rails.logger.error("Authentication callback failed: #{e.message}")
-      redirect_to "/", alert: "Authentication failed"
+      handle_error("Authentication callback failed", e)
     end
   
+    # Handles machine-to-machine (M2M) authentication using client credentials
+    # Stores the access token in Redis for subsequent API calls
+    # @return [void] Redirects to management path on success
     def client_credentials_auth
       result = KindeSdk.client_credentials_access(
         client_id: ENV["KINDE_MANAGEMENT_CLIENT_ID"],
@@ -68,30 +65,113 @@ module KindeSdk
       )
   
       if result["error"].present?
-        Rails.logger.error("Client credentials auth failed: #{result['error']}")
         raise result["error"]
       end
   
+      # Store M2M token in Redis with expiration
       $redis.set("kinde_m2m_token", result["access_token"], ex: result["expires_in"].to_i)
       redirect_to mgmt_path
+    rescue StandardError => e
+      handle_error("Client credentials authentication failed", e)
+    end
+
+    # Refreshes the access token using the refresh token
+    # @return [void] Redirects to root path on success
+    def refresh_token
+      return redirect_with_error("No valid session found") unless session[:kinde_token_store].present?
+
+      if refresh_session_tokens
+        redirect_to "/"
+      else
+        redirect_with_error("Failed to refresh token")
+      end
+    rescue StandardError => e
+      handle_error("Token refresh failed", e)
     end
   
+    # Initiates the logout process by redirecting to Kinde's logout endpoint
+    # @return [void] Redirects to Kinde's logout URL
     def logout
-      redirect_to KindeSdk.logout_url, allow_other_host: true
+      # Ensure we have a valid logout URL configured
+      unless KindeSdk.config.logout_url.present?
+        redirect_with_error("Logout URL not configured")
+        return
+      end
+
+      # Get the logout URL with our callback URL
+      logout_url = KindeSdk.logout_url(
+        logout_url: KindeSdk.config.logout_url,
+        domain: KindeSdk.config.domain
+      )
+
+      # Clear local session before redirecting to Kinde
+      session.delete(:kinde_token_store)
+      session.delete(:kinde_user)
+      clear_auth_session
+
+      # Redirect to Kinde's logout endpoint
+      redirect_to logout_url, allow_other_host: true
+    rescue StandardError => e
+      handle_error("Logout initialization failed", e)
     end
   
+    # Handles the callback after successful logout
+    # @return [void] Redirects to root path
     def logout_callback
-      reset_session
+      # Session is already cleared in logout method
+      # Just redirect to home page
       redirect_to "/"
     end
   
     private
+
+    # Fetches and validates tokens from the authorization code
+    # @return [Hash] The validated tokens or nil if validation fails
+    def fetch_and_validate_tokens
+      tokens = KindeSdk.fetch_tokens(
+        params[:code],
+        code_verifier: KindeSdk.config.pkce_enabled ? session[:code_verifier] : nil,
+        redirect_uri: KindeSdk.config.callback_url
+      )
+
+      if tokens[:error].present?
+        redirect_with_error("Token exchange failed: #{tokens[:error]}")
+        return nil
+      end
+
+      # Validate tokens using SDK's built-in validation
+      begin
+        KindeSdk.validate_jwt_token(tokens)
+        
+        # Validate nonce in ID token to prevent replay attacks
+        decoded_token = JWT.decode(tokens[:id_token], nil, false)[0]
+        unless decoded_token['nonce'] == session[:auth_nonce]
+          redirect_with_error("Invalid authentication nonce")
+          return nil
+        end
+
+        tokens
+      rescue JWT::DecodeError => e
+        redirect_with_error("Token validation failed: #{e.message}")
+        nil
+      end
+    end
+
+    # Clears temporary authentication data from the session
+    # @return [void]
+    def clear_auth_session
+      session.delete(:auth_nonce)
+      session.delete(:auth_state)
+      session.delete(:code_verifier)
+    end
   
+    # Validates the state parameter to prevent CSRF attacks
+    # Checks state existence, matches returned state with stored state, and validates expiration
+    # @return [void]
     def validate_state
       # Check if nonce and state exist in session
-      unless session[:auth_nonce] && session[:auth_state]
-        Rails.logger.warn("Missing session state or nonce [#{session[:auth_nonce]}] [#{session[:auth_state]}]")
-        redirect_to "/", alert: "Invalid authentication state"
+      unless session[:auth_state]
+        redirect_with_error("Invalid authentication state")
         return
       end
   
@@ -107,46 +187,30 @@ module KindeSdk
 
       # Verify returned state matches the state extracted from the redirect_url
       unless returned_state.present? && returned_state == stored_state_from_url
-        Rails.logger.warn("State validation failed: returned=#{returned_state}, expected=#{stored_state_from_url}")
-        redirect_to "/", alert: "Invalid authentication state"
+        redirect_with_error("Invalid authentication state")
         return
       end
 
-      # Optional: Check state age (e.g., expires after 15 minutes)
+      # Check state age (expires after 15 minutes)
       if Time.current.to_i - stored_state["requested_at"] > 900
-        Rails.logger.warn("Authentication state expired")
-        redirect_to "/", alert: "Authentication session expired"
+        redirect_with_error("Authentication session expired")
         return
       end
     end
 
+    # Handles errors during authentication
+    # @param message [String] The error message
+    # @param error [Exception] The exception that occurred
+    # @return [void]
+    def handle_error(message, error)
+      redirect_with_error(message)
+    end
 
-    def validate_nonce(id_token, original_nonce, issuer, client_id)
-      jwks_uri = URI.parse("#{issuer}/.well-known/jwks.json")
-      jwks_response = Net::HTTP.get(jwks_uri)
-      jwks = JSON.parse(jwks_response)
-    
-      decoded_token = JWT.decode(
-        id_token,
-        nil,
-        true,
-        algorithm: 'RS256',
-        iss: issuer,
-        aud: client_id,
-        verify_iss: true,
-        verify_aud: true,
-        jwks: { keys: jwks['keys'] }
-      )
-    
-      payload = decoded_token[0]
-      nonce_from_token = payload['nonce']
-      
-      nonce_from_token == original_nonce
-    rescue StandardError => e
-      Rails.logger.error("Nonce validation error: #{e.message}")
-      false
+    # Redirects to root path with an error message
+    # @param message [String] The error message
+    # @return [void]
+    def redirect_with_error(message)
+      redirect_to "/", alert: message
     end
-    
-    
   end
 end

data/app/helpers/auth_helper.rb

@@ -0,0 +1,88 @@
+module AuthHelper
+  # Sets up session tokens and user information after successful authentication
+  # @param tokens [Hash] The authentication tokens received from Kinde
+  # @return [void]
+  def set_session_tokens(tokens)
+    # Create token store from tokens
+    token_store = KindeSdk::TokenManager.create_store(tokens)
+    
+    # Store minimal token data in session
+    session[:kinde_token_store] = {
+      access_token: token_store.bearer_token,
+      refresh_token: token_store.tokens[:refresh_token],
+      expires_at: token_store.expires_at
+    }
+    
+    # Get and store minimal user info
+    client = KindeSdk.client(tokens)
+    user_info = client.oauth.get_user.to_hash
+    
+    # Validate user info before storing
+    raise ArgumentError, "Invalid user info received" unless user_info[:id].present?
+    
+    session[:kinde_user] = {
+      id: user_info[:id],
+      email: user_info[:preferred_email],
+      first_name: user_info[:first_name],
+      last_name: user_info[:last_name]
+    }
+  end
+  
+  # Checks if the user is currently logged in
+  # @return [Boolean] true if the user is logged in and token is valid
+  def logged_in?
+    !token_expired?
+  end
+
+  # Checks if the session contains token data
+  # @return [Boolean] true if session contains token data
+  def session_present_in?
+    session[:kinde_token_store].present?
+  end
+
+  # Checks if the current token has expired
+  # @return [Boolean] true if token is expired or invalid
+  def token_expired?
+    return true unless session[:kinde_token_store].present?
+    
+    client = get_client
+    return true unless client
+    
+    client.token_expired?
+  rescue JWT::DecodeError => e
+    Rails.logger.error("JWT decode error: #{e.message}")
+    true
+  rescue StandardError => e
+    Rails.logger.error("Error checking token expiration: #{e.message}")
+    true
+  end
+
+  # Attempts to refresh the session tokens
+  # @return [Boolean] true if refresh was successful
+  def refresh_session_tokens
+    return false unless session[:kinde_token_store].present?
+    
+    # Create token store from session data
+    token_store = KindeSdk::TokenStore.new(session[:kinde_token_store])
+    
+    # Attempt to refresh tokens
+    new_tokens = KindeSdk::TokenManager.refresh_tokens(token_store, session)
+    if new_tokens
+      set_session_tokens(new_tokens)
+      true
+    else
+      false
+    end
+  rescue StandardError => e
+    Rails.logger.error("Error refreshing tokens: #{e.message}")
+    session.delete(:kinde_token_store)
+    false
+  end
+
+  # Gets a Kinde client instance for the current session
+  # @return [KindeSdk::Client, nil] The client instance or nil if no valid session
+  def get_client
+    return nil unless session[:kinde_token_store].present?
+    KindeSdk.client(session[:kinde_token_store])
+  end
+end

data/config/routes.rb

@@ -1,7 +1,9 @@
 KindeSdk::Engine.routes.draw do
-    get "callback" => "auth#callback"
+    # Authentication routes
     get "auth" => "auth#auth"
+    get "callback" => "auth#callback"
     get "logout" => "auth#logout"
     get "logout_callback" => "auth#logout_callback"
+    get "refresh_token" => "auth#refresh_token"
     get "client_credentials_auth" => "auth#client_credentials_auth"
 end

data/lib/kinde_sdk/client.rb

@@ -1,26 +1,52 @@
 require_relative '../../kinde_api/lib/kinde_api'
+require_relative 'token_manager'
+require_relative 'token_store'
+require_relative 'current'
 
 module KindeSdk
   class Client
     include FeatureFlags
     include Permissions
 
-    attr_accessor :kinde_api_client, :auto_refresh_tokens, :bearer_token, :tokens_hash, :expires_at
+    attr_accessor :kinde_api_client, :auto_refresh_tokens, :token_store
 
     def initialize(sdk_api_client, tokens_hash, auto_refresh_tokens)
       @kinde_api_client = sdk_api_client
       @auto_refresh_tokens = auto_refresh_tokens
-      set_hash_related_data(tokens_hash)
+      @token_store = TokenManager.create_store(tokens_hash)
+
+      # refresh the token if it's expired and auto_refresh_tokens is enabled
+      refresh_token if auto_refresh_tokens && TokenManager.token_expired?(@token_store)
+    end
+
+    # Returns the bearer token for backwards compatibility
+    # @return [String]
+    def bearer_token
+      @token_store.bearer_token
+    end
+
+    # Returns the tokens hash for backwards compatibility
+    # @return [Hash]
+    def tokens_hash
+      @token_store.tokens
+    end
+
+    # Returns the token expiration time for backwards compatibility
+    # @return [Integer]
+    def expires_at
+      @token_store.expires_at
     end
 
     def token_expired?
-      expires_at.to_i > 0 && (expires_at <= Time.now.to_i)
+      TokenManager.token_expired?(@token_store)
     end
 
     def refresh_token
-      new_tokens_hash = KindeSdk.refresh_token(tokens_hash)
-      set_hash_related_data(new_tokens_hash)
-      @kinde_api_client = KindeSdk.api_client(tokens_hash["access_token"])
+      new_tokens_hash = TokenManager.refresh_tokens(@token_store, Current.session)
+      return nil unless new_tokens_hash
+
+      @token_store.set_tokens(new_tokens_hash)
+      @kinde_api_client = KindeSdk.api_client(@token_store.bearer_token)
       new_tokens_hash
     end
 
@@ -29,7 +55,9 @@ module KindeSdk
     # @return [Hash]
     # @example {name: "scp", value: ["openid", "offline"]}
     def get_claim(claim, token_type = :access_token)
-      token = tokens_hash[token_type]
+      refresh_token if auto_refresh_tokens && token_expired?
+
+      token = @token_store.tokens[token_type.to_sym]
       return unless token
 
       value = JWT.decode(token, nil, false)[0][claim]
@@ -48,13 +76,6 @@ module KindeSdk
 
     private
 
-    def set_hash_related_data(tokens_hash)
-      @tokens_hash = tokens_hash.transform_keys(&:to_sym)
-      @bearer_token = @tokens_hash[:access_token]
-      @expires_at = @tokens_hash[:expires_at]
-    end
-
-    # going from another side: prepending each api_client's public method to check token for expiration
     def init_instance_api(api_klass)
       instance = api_klass.new(kinde_api_client)
       main_client = self

data/lib/kinde_sdk/current.rb

@@ -0,0 +1,16 @@
+module KindeSdk
+  class Current < ActiveSupport::CurrentAttributes
+    attribute :session
+    attribute :token_store
+
+    def self.set_session(session)
+      self.session = session
+      self.token_store = TokenStore.from_session(session[:kinde_token_store]) if session[:kinde_token_store]
+    end
+
+    def self.clear_session
+      self.session = nil
+      self.token_store = nil
+    end
+  end
+end 

data/lib/kinde_sdk/engine.rb

@@ -1,5 +1,11 @@
+require "kinde_sdk/version"
+require "kinde_sdk/configuration"
+require "kinde_sdk/current"
+require "kinde_sdk/middleware"
+
 module KindeSdk
   class Engine < ::Rails::Engine
     isolate_namespace KindeSdk # Optional, for mountable engines
+    config.app_middleware.use KindeSdk::Middleware
   end
 end

data/lib/kinde_sdk/middleware.rb

@@ -0,0 +1,16 @@
+module KindeSdk
+  class Middleware
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      request = ActionDispatch::Request.new(env)
+      Current.set_session(request.session)
+      
+      @app.call(env)
+    ensure
+      Current.clear_session
+    end
+  end
+end 

data/lib/kinde_sdk/token_manager.rb

@@ -0,0 +1,85 @@
+module KindeSdk
+  class TokenManager
+    attr_reader :tokens, :bearer_token, :expires_at
+
+    def initialize(tokens = nil)
+      set_tokens(tokens) if tokens
+    end
+
+    def set_tokens(tokens)
+      @tokens = tokens.transform_keys(&:to_sym).freeze
+      @bearer_token = @tokens[:access_token]
+      @expires_at = @tokens[:expires_at]
+      @tokens
+    end
+
+    def token_expired?
+      return true unless @tokens.present?
+      begin
+        KindeSdk.validate_jwt_token(@tokens)
+        @expires_at.to_i > 0 && (@expires_at <= Time.now.to_i)
+      rescue Exception => e
+        Rails.logger.error("Error checking token expiration: #{e.message}")
+        true
+      end
+    end
+
+    def clear_tokens
+      @tokens = nil
+      @bearer_token = nil
+      @expires_at = nil
+    end
+
+    class << self
+      def create_store(tokens = nil)
+        TokenStore.new(tokens)
+      end
+
+      def refresh_tokens(store, session = nil)
+        return nil unless store&.tokens
+        new_tokens = safe_refresh(store.tokens)
+        return nil unless new_tokens
+        store.set_tokens(new_tokens)
+        sync_session(store, session)
+        new_tokens
+      end
+
+      def validate_tokens(store)
+        return false unless store&.tokens
+        begin
+          KindeSdk.validate_jwt_token(store.tokens)
+          true
+        rescue JWT::DecodeError, StandardError
+          false
+        end
+      end
+
+      def token_expired?(store)
+        return true unless store&.tokens
+        return true unless validate_tokens(store)
+        store.expires_at.to_i > 0 && (store.expires_at <= Time.now.to_i)
+      end
+
+      def clear_tokens(store, session = nil)
+        store.set_tokens(nil)
+        target_session = session || Current.session
+        target_session&.delete(:kinde_token_store)
+      end
+
+      private
+
+      def safe_refresh(tokens)
+        KindeSdk.refresh_token(tokens)
+      rescue StandardError => e
+        Rails.logger.error("Token refresh failed: #{e.message}")
+        nil
+      end
+
+      def sync_session(store, session)
+        return unless (session || Current.session) && store.tokens
+        target_session = session || Current.session
+        target_session[:kinde_token_store] = store.to_session
+      end
+    end
+  end
+end 

data/lib/kinde_sdk/token_store.rb

@@ -0,0 +1,29 @@
+module KindeSdk
+  class TokenStore
+    attr_reader :tokens, :bearer_token, :expires_at
+
+    def initialize(tokens = nil)
+      set_tokens(tokens) if tokens
+    end
+
+    def set_tokens(tokens)
+      @tokens = (tokens || {}).transform_keys(&:to_sym)
+      @bearer_token = @tokens[:access_token]
+      @expires_at = @tokens[:expires_at]
+      @tokens
+    end
+
+    def to_session
+      {
+        access_token: @bearer_token,
+        refresh_token: @tokens[:refresh_token],
+        expires_at: @expires_at
+      }
+    end
+
+    def self.from_session(session_data)
+      return nil unless session_data
+      new(session_data)
+    end
+  end
+end 

data/lib/kinde_sdk/version.rb

@@ -1,3 +1,3 @@
 module KindeSdk
-  VERSION = "1.6.2"
+  VERSION = "1.6.4"
 end