kingsman 0.0.0.beta → 0.1.0

data/lib/kingsman/failure_app.rb

@@ -0,0 +1,280 @@
+# frozen_string_literal: true
+
+require "action_controller/metal"
+
+module Kingsman
+  # Failure application that will be called every time :warden is thrown from
+  # any strategy or hook. It is responsible for redirecting the user to the sign
+  # in page based on current scope and mapping. If no scope is given, it
+  # redirects to the default_url.
+  class FailureApp < Jets::BareController
+    # include ActionController::UrlFor
+    # include ActionController::Redirecting
+
+    include Jets.application.routes.url_helpers
+    include Jets.application.routes.mounted_helpers
+
+    # include Kingsman::Controllers::StoreLocation
+
+    # delegate :flash, to: :request
+
+    def self.call(env)
+      @respond ||= action(:respond)
+      @respond.call(env)
+    end
+
+    # Try retrieving the URL options from the parent controller (usually
+    # ApplicationController). Instance methods are not supported at the moment,
+    # so only the class-level attribute is used.
+    def self.default_url_options(*args)
+      # if defined?(Kingsman.parent_controller.constantize)
+      #   Kingsman.parent_controller.constantize.try(:default_url_options) || {}
+      # else
+        {}
+      # end
+    end
+
+    def respond
+      if http_auth?
+        http_auth
+      elsif warden_options[:recall]
+        recall
+      else
+        redirect
+      end
+    end
+
+    def http_auth
+      self.status = 401
+      self.headers["WWW-Authenticate"] = %(Basic realm=#{Kingsman.http_authentication_realm.inspect}) if http_auth_header?
+      self.content_type = request.format.to_s
+      self.response_body = http_auth_body
+    end
+
+    def recall
+      header_info = if relative_url_root?
+        base_path = Pathname.new(relative_url_root)
+        full_path = Pathname.new(attempted_path)
+
+        { "SCRIPT_NAME" => relative_url_root,
+          "PATH_INFO" => '/' + full_path.relative_path_from(base_path).to_s }
+      else
+        { "PATH_INFO" => attempted_path }
+      end
+
+      header_info.each do | var, value|
+        if request.respond_to?(:set_header)
+          request.set_header(var, value)
+        else
+          request.env[var]  = value
+        end
+      end
+
+      flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
+      self.response = recall_app(warden_options[:recall]).call(request.env).tap { |response|
+        response[0] = Rack::Utils.status_code(
+          response[0].in?(300..399) ? Kingsman.responder.redirect_status : Kingsman.responder.error_status
+        )
+      }
+    end
+
+    def redirect
+      store_location!
+      if is_flashing_format?
+        if flash[:timedout] && flash[:alert]
+          flash.keep(:timedout)
+          flash.keep(:alert)
+        else
+          flash[:alert] = i18n_message
+        end
+      end
+      redirect_to redirect_url
+    end
+
+  protected
+
+    def i18n_options(options)
+      options
+    end
+
+    def i18n_message(default = nil)
+      message = warden_message || default || :unauthenticated
+
+      if message.is_a?(Symbol)
+        options = {}
+        options[:resource_name] = scope
+        options[:scope] = "kingsman.failure"
+        options[:default] = [message]
+        auth_keys = scope_class.authentication_keys
+        keys = (auth_keys.respond_to?(:keys) ? auth_keys.keys : auth_keys).map { |key| scope_class.human_attribute_name(key) }
+        options[:authentication_keys] = keys.join(I18n.translate(:"support.array.words_connector"))
+        options = i18n_options(options)
+
+        I18n.t(:"#{scope}.#{message}", **options)
+      else
+        message.to_s
+      end
+    end
+
+    def redirect_url
+      if warden_message == :timeout
+        flash[:timedout] = true if is_flashing_format?
+
+        path = if request.get?
+          attempted_path
+        else
+          request.referrer
+        end
+
+        path || scope_url
+      else
+        scope_url
+      end
+    end
+
+    def route(scope)
+      :"new_#{scope}_session_url"
+    end
+
+    def scope_url
+      opts  = {}
+
+      # Initialize script_name with nil to prevent infinite loops in
+      # authenticated mounted engines in rails 4.2 and 5.0
+      opts[:script_name] = nil
+
+      route = route(scope)
+
+      opts[:format] = request_format unless skip_format?
+
+      router_name = Kingsman.mappings[scope].router_name || Kingsman.available_router_name
+      context = send(router_name)
+
+      if context.respond_to?(route)
+        context.send(route)
+      elsif respond_to?(:root_url)
+        root_url
+      else
+        "/"
+      end
+
+      # if relative_url_root?
+      #   opts[:script_name] = relative_url_root
+      # end
+
+      # if context.respond_to?(route)
+      #   context.send(route, opts)
+      # elsif respond_to?(:root_url)
+      #   root_url(opts)
+      # else
+      #   "/"
+      # end
+    end
+
+    def skip_format?
+      %w(html */* turbo_stream).include? request_format.to_s
+    end
+
+    # Choose whether we should respond in an HTTP authentication fashion,
+    # including 401 and optional headers.
+    #
+    # This method allows the user to explicitly disable HTTP authentication
+    # on AJAX requests in case they want to redirect on failures instead of
+    # handling the errors on their own. This is useful in case your AJAX API
+    # is the same as your public API and uses a format like JSON (so you
+    # cannot mark JSON as a navigational format).
+    def http_auth?
+      if request.xhr?
+        Kingsman.http_authenticatable_on_xhr
+      else
+        !(request_format && is_navigational_format?)
+      end
+    end
+
+    # It doesn't make sense to send authenticate headers in AJAX requests
+    # or if the user disabled them.
+    def http_auth_header?
+      scope_class.http_authenticatable && !request.xhr?
+    end
+
+    def http_auth_body
+      return i18n_message unless request_format
+      method = "to_#{request_format}"
+      if method == "to_xml"
+        { error: i18n_message }.to_xml(root: "errors")
+      elsif {}.respond_to?(method)
+        { error: i18n_message }.send(method)
+      else
+        i18n_message
+      end
+    end
+
+    def recall_app(app)
+      controller, action = app.split("#")
+      controller_name  = ActiveSupport::Inflector.camelize(controller)
+      controller_klass = ActiveSupport::Inflector.constantize("#{controller_name}Controller")
+      controller_klass.action(action)
+    end
+
+    def warden
+      request.respond_to?(:get_header) ? request.get_header("warden") : request.env["warden"]
+    end
+
+    def warden_options
+      request.respond_to?(:get_header) ? request.get_header("warden.options") : request.env["warden.options"]
+    end
+
+    def warden_message
+      @message ||= warden.message || warden_options[:message]
+    end
+
+    def scope
+      @scope ||= warden_options[:scope] || Kingsman.default_scope
+    end
+
+    def scope_class
+      @scope_class ||= Kingsman.mappings[scope].to
+    end
+
+    def attempted_path
+      warden_options[:attempted_path]
+    end
+
+    # Stores requested URI to redirect the user after signing in. We can't use
+    # the scoped session provided by warden here, since the user is not
+    # authenticated yet, but we still need to store the URI based on scope, so
+    # different scopes would never use the same URI to redirect.
+    def store_location!
+      store_location_for(scope, attempted_path) if request.get? && !http_auth?
+    end
+
+    def is_navigational_format?
+      Kingsman.navigational_formats.include?(request_format)
+    end
+
+    # Check if flash messages should be emitted. Default is to do it on
+    # navigational formats
+    def is_flashing_format?
+      request.respond_to?(:flash) && is_navigational_format?
+    end
+
+    def request_format
+      @request_format ||= request.format.try(:ref)
+    end
+
+    def relative_url_root
+      nil
+      # @relative_url_root ||= begin
+      #   config = Rails.application.config
+
+      #   config.try(:relative_url_root) || config.action_controller.try(:relative_url_root)
+      # end
+    end
+
+    def relative_url_root?
+      relative_url_root.present?
+    end
+
+    ActiveSupport.run_load_hooks(:kingsman_failure_app, self)
+  end
+end

data/lib/kingsman/hooks/activatable.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# Deny user access whenever their account is not active yet.
+# We need this as hook to validate the user activity on each request
+# and in case the user is using other strategies beside Kingsman ones.
+Warden::Manager.after_set_user do |record, warden, options|
+  if record && record.respond_to?(:active_for_authentication?) && !record.active_for_authentication?
+    scope = options[:scope]
+    warden.logout(scope)
+    throw :warden, scope: scope, message: record.inactive_message
+  end
+end

data/lib/kingsman/hooks/csrf_cleaner.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+Warden::Manager.after_authentication do |record, warden, options|
+  clean_up_for_winning_strategy = !warden.winning_strategy.respond_to?(:clean_up_csrf?) ||
+    warden.winning_strategy.clean_up_csrf?
+  if Kingsman.clean_up_csrf_token_on_authentication && clean_up_for_winning_strategy
+    if warden.request.respond_to?(:reset_csrf_token)
+      # Rails 7.1+
+      warden.request.reset_csrf_token
+    else
+      warden.request.session.try(:delete, :_csrf_token)
+    end
+  end
+end

data/lib/kingsman/hooks/forgetable.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# Before logout hook to forget the user in the given scope, if it responds
+# to forget_me! Also clear remember token to ensure the user won't be
+# remembered again. Notice that we forget the user unless the record is not persisted.
+# This avoids forgetting deleted users.
+Warden::Manager.before_logout do |record, warden, options|
+  if record.respond_to?(:forget_me!)
+    Kingsman::Hooks::Proxy.new(warden).forget_me(record)
+  end
+end

data/lib/kingsman/hooks/lockable.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+# After each sign in, if resource responds to failed_attempts, sets it to 0
+# This is only triggered when the user is explicitly set (with set_user)
+Warden::Manager.after_set_user except: :fetch do |record, warden, options|
+  if record.respond_to?(:reset_failed_attempts!) && warden.authenticated?(options[:scope])
+    record.reset_failed_attempts!
+  end
+end

data/lib/kingsman/hooks/proxy.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Kingsman
+  module Hooks
+    # A small warden proxy so we can remember, forget and
+    # sign out users from hooks.
+    class Proxy #:nodoc:
+      include Kingsman::Controllers::Rememberable
+      include Kingsman::Controllers::SignInOut
+
+      attr_reader :warden
+      delegate :cookies, :request, to: :warden
+
+      def initialize(warden)
+        @warden = warden
+      end
+
+      def session
+        warden.request.session
+      end
+    end
+  end
+end

data/lib/kingsman/hooks/rememberable.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+Warden::Manager.after_set_user except: :fetch do |record, warden, options|
+  scope = options[:scope]
+  if record.respond_to?(:remember_me) && options[:store] != false &&
+     record.remember_me && warden.authenticated?(scope)
+    Kingsman::Hooks::Proxy.new(warden).remember_me(record)
+  end
+end

data/lib/kingsman/hooks/timeoutable.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+# Each time a record is set we check whether its session has already timed out
+# or not, based on last request time. If so, the record is logged out and
+# redirected to the sign in page. Also, each time the request comes and the
+# record is set, we set the last request time inside its scoped session to
+# verify timeout in the following request.
+Warden::Manager.after_set_user do |record, warden, options|
+  scope = options[:scope]
+  env   = warden.request.env
+
+  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) &&
+     options[:store] != false && !env['kingsman.skip_timeoutable']
+    last_request_at = warden.session(scope)['last_request_at']
+
+    if last_request_at.is_a? Integer
+      last_request_at = Time.at(last_request_at).utc
+    elsif last_request_at.is_a? String
+      last_request_at = Time.parse(last_request_at)
+    end
+
+    proxy = Kingsman::Hooks::Proxy.new(warden)
+
+    if !env['kingsman.skip_timeout'] &&
+        record.timedout?(last_request_at) &&
+        !proxy.remember_me_is_active?(record)
+      Kingsman.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)
+      throw :warden, scope: scope, message: :timeout
+    end
+
+    unless env['kingsman.skip_trackable']
+      warden.session(scope)['last_request_at'] = Time.now.utc.to_i
+    end
+  end
+end

data/lib/kingsman/hooks/trackable.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# After each sign in, update sign in time, sign in count and sign in IP.
+# This is only triggered when the user is explicitly set (with set_user)
+# and on authentication. Retrieving the user from session (:fetch) does
+# not trigger it.
+Warden::Manager.after_set_user except: :fetch do |record, warden, options|
+  if record.respond_to?(:update_tracked_fields!) && warden.authenticated?(options[:scope]) && !warden.request.env['kingsman.skip_trackable']
+    record.update_tracked_fields!(warden.request)
+  end
+end

data/lib/kingsman/hooks.rb

@@ -0,0 +1,6 @@
+module Kingsman
+  module Hooks
+  end
+end
+
+require "kingsman/hooks/proxy"

data/lib/kingsman/jets/routes.rb

@@ -0,0 +1,195 @@
+require "jets/router/dsl"
+
+module Kingsman
+  module Router
+    def finalize!
+      result = super
+      Kingsman.configure_warden!
+      result
+    end
+  end
+end
+
+module Jets
+  module Router
+    class RouteSet
+      # Ensure Kingsman modules are included only after loading routes, because we
+      # need kingsman_for mappings already declared to create filters and helpers.
+      prepend Kingsman::Router
+    end
+  end
+end
+
+module Jets::Router
+  module Dsl
+    def kingsman_for(*resources)
+      options = resources.extract_options!
+
+      # options[:as]          ||= @scope[:as]     if @scope[:as].present?
+      # options[:module]      ||= @scope[:module] if @scope[:module].present?
+      # options[:path_prefix] ||= @scope[:path]   if @scope[:path].present?
+      # options[:path_names]    = (@scope[:path_names] || {}).merge(options[:path_names] || {})
+      # options[:constraints]   = (@scope[:constraints] || {}).merge(options[:constraints] || {})
+      # options[:defaults]      = (@scope[:defaults] || {}).merge(options[:defaults] || {})
+      # options[:options]       = @scope[:options] || {}
+      # options[:options][:format] = false if options[:format] == false
+
+      resources.map!(&:to_sym)
+
+      resources.each do |resource|
+        mapping = Kingsman.add_mapping(resource, options)
+
+        if options[:controllers] && options[:controllers][:omniauth_callbacks]
+          unless mapping.omniauthable?
+            raise ArgumentError, "Mapping omniauth_callbacks on a resource that is not omniauthable\n" \
+              "Please add `kingsman :omniauthable` to the `#{mapping.class_name}` model"
+          end
+        end
+
+        routes = mapping.used_routes
+
+        kingsman_scope mapping.name do
+          with_kingsman_exclusive_scope mapping.fullpath, mapping.name, options do
+            routes.each { |mod| send("kingsman_#{mod}", mapping, mapping.controllers) }
+          end
+        end
+      end
+    end
+
+    def kingsman_session(mapping, controllers) #:nodoc:
+      resource :session, only: [], controller: controllers[:sessions], path: "" do
+        get   :new,     path: mapping.path_names[:sign_in],  as: "new"
+        post  :create,  path: mapping.path_names[:sign_in]
+        match :destroy, path: mapping.path_names[:sign_out], as: "destroy", via: mapping.sign_out_via
+      end
+    end
+
+    def kingsman_password(mapping, controllers) #:nodoc:
+      resource :password, only: [:new, :create, :edit, :update],
+        path: mapping.path_names[:password], controller: controllers[:passwords]
+    end
+
+    def kingsman_confirmation(mapping, controllers) #:nodoc:
+      resource :confirmation, only: [:new, :create, :show],
+        path: mapping.path_names[:confirmation], controller: controllers[:confirmations]
+    end
+
+    def kingsman_unlock(mapping, controllers) #:nodoc:
+      if mapping.to.unlock_strategy_enabled?(:email)
+        resource :unlock, only: [:new, :create, :show],
+          path: mapping.path_names[:unlock], controller: controllers[:unlocks]
+      end
+    end
+
+    def kingsman_registration(mapping, controllers) #:nodoc:
+      path_names = {
+        new: mapping.path_names[:sign_up],
+        edit: mapping.path_names[:edit],
+        cancel: mapping.path_names[:cancel]
+      }
+
+      options = {
+        only: [:new, :create, :edit, :update, :destroy],
+        path: mapping.path_names[:registration],
+        path_names: path_names,
+        controller: controllers[:registrations]
+      }
+
+      resource :registration, options do
+        get :cancel
+      end
+    end
+
+    def kingsman_omniauth_callback(mapping, controllers) #:nodoc:
+      if mapping.fullpath =~ /:[a-zA-Z_]/
+        raise <<-ERROR
+Kingsman does not support scoping OmniAuth callbacks under a dynamic segment
+and you have set #{mapping.fullpath.inspect}. You can work around by passing
+`skip: :omniauth_callbacks` to the `kingsman_for` call and extract omniauth
+options to another `kingsman_for` call outside the scope. Here is an example:
+
+  kingsman_for :users, only: :omniauth_callbacks, controllers: {omniauth_callbacks: 'users/omniauth_callbacks'}
+
+  scope '/(:locale)', locale: /ru|en/ do
+    kingsman_for :users, skip: :omniauth_callbacks
+  end
+ERROR
+      end
+
+      current_scope = @scope.dup
+
+      # Jets routes are all very lazily evaluated.  This is a problem for Kingsman
+      # because devise sets the scope[:path] to nil and expects the call to match
+      # to use it as it's evaluated. And then it restores it to the previous value.
+      # This is a problem for Jets because Jets routes are lazily evaluated and
+      # none of this will matter. Unsure how to handle at the moment.
+
+      if @scope.respond_to? :new
+        @scope = @scope.new path: nil
+      else
+        @scope[:path] = nil
+      end
+
+      path_prefix = Kingsman.omniauth_path_prefix || "/#{mapping.fullpath}/auth".squeeze("/")
+      set_omniauth_path_prefix!(path_prefix)
+      path_prefix = "/auth" # HACK
+
+      mapping.to.omniauth_providers.each do |provider|
+        match "#{path_prefix}/#{provider}",
+          to: "#{controllers[:omniauth_callbacks]}#passthru",
+          as: "#{provider}_omniauth_authorize",
+          via: OmniAuth.config.allowed_request_methods
+          # via: [:get, :post]
+
+        match "#{path_prefix}/#{provider}/callback",
+          to: "#{controllers[:omniauth_callbacks]}##{provider}",
+          as: "#{provider}_omniauth_callback",
+          via: [:get, :post]
+      end
+    ensure
+      @scope = current_scope
+    end
+
+    def set_omniauth_path_prefix!(path_prefix) #:nodoc:
+      if ::OmniAuth.config.path_prefix && ::OmniAuth.config.path_prefix != path_prefix
+        raise "Wrong OmniAuth configuration. If you are getting this exception, it means that either:\n\n" \
+          "1) You are manually setting OmniAuth.config.path_prefix and it doesn't match the Devise one\n" \
+          "2) You are setting :omniauthable in more than one model\n" \
+          "3) You changed your Devise routes/OmniAuth setting and haven't restarted your server"
+      else
+        ::OmniAuth.config.path_prefix = path_prefix
+      end
+    end
+
+
+    def kingsman_scope(scope)
+      constraint = lambda do |request|
+        request.env["kingsman.mapping"] = Kingsman.mappings[scope]
+        true
+      end
+
+      constraints(constraint) do
+        yield
+      end
+    end
+    alias :as :kingsman_scope
+
+    def with_kingsman_exclusive_scope(new_path, new_as, options) #:nodoc:
+      current_scope = @scope.dup
+
+      exclusive = { as: new_as, path: new_path, module: nil }
+      exclusive.merge!(options.slice(:constraints, :defaults, :options))
+
+      if @scope.respond_to? :new
+        @scope = @scope.new exclusive
+      else
+        exclusive.each_pair { |key, value| @scope[key] = value }
+      end
+
+      yield
+    ensure
+      @scope = current_scope
+    end
+
+  end
+end

data/lib/kingsman/jets/warden_compat.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Warden::Mixins::Common
+  def request
+    env['jets.controller'].request
+  end
+
+  def reset_session!
+    request.reset_session
+  end
+
+  def cookies
+    request.cookie_jar
+  end
+end

data/lib/kingsman/jets.rb

@@ -0,0 +1,39 @@
+require "kingsman/jets/routes"
+require "kingsman/jets/warden_compat"
+
+module Kingsman
+  class Engine < ::Jets::Engine
+    config.kingsman = ActiveSupport::OrderedOptions.new
+
+    config.app_middleware.use Warden::Manager do |manager|
+      Kingsman.warden_config = manager
+    end
+
+    initializer "kingsman.url_helpers" do
+      Kingsman.include_helpers(Kingsman::Controllers)
+    end
+
+    initializer "kingsman.omniauth", after: :load_config_initializers, before: :build_middleware_stack do |app|
+      Kingsman.omniauth_configs.each do |provider, config|
+        app.middleware.use config.strategy_class, *config.args do |strategy|
+          config.strategy = strategy
+        end
+      end
+
+      if Kingsman.omniauth_configs.any?
+        Kingsman.include_helpers(Kingsman::OmniAuth)
+      end
+    end
+
+    initializer "kingsman.secret_key" do |app|
+      Kingsman.secret_key ||= Kingsman::SecretKeyFinder.new(app).find
+
+      Kingsman.token_generator ||=
+        if secret_key = Kingsman.secret_key
+          Kingsman::TokenGenerator.new(
+            ActiveSupport::CachingKeyGenerator.new(ActiveSupport::KeyGenerator.new(secret_key))
+          )
+        end
+    end
+  end
+end