linked_rails-auth 0.0.1

data/lib/generators/linked_rails/auth/templates/README

@@ -0,0 +1,2 @@
+You need to set your JWT encryption token.
+Please run `bin/rails credentials:edit` and enter `jwt_encryption_token: [SECRET]``

data/lib/generators/linked_rails/auth/templates/doorkeeper_jwt_initializer.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+Doorkeeper::JWT.configure do
+  # Set the payload for the JWT token. This should contain unique information
+  # about the user.
+  # Defaults to a randomly generated token in a hash
+  # { token: "RANDOM-TOKEN" }
+  token_payload do |opts|
+    user =
+      if opts[:scopes].include?('guest')
+        LinkedRails.guest_user_class.new(id: opts[:resource_owner_id])
+      elsif opts[:resource_owner_id]
+        User.find(opts[:resource_owner_id])
+      end
+
+    user_opts = user && {
+      type: user.guest? ? 'guest' : 'user',
+      '@id': user.iri,
+      id: user.id.to_s,
+      language: I18n.locale
+    }
+    payload = {
+      iat: Time.current.to_i,
+      iss: LinkedRails.iri.to_s,
+      application_id: opts[:application]&.uid,
+      scopes: opts[:scopes].entries,
+      user: user_opts
+    }
+    payload[:exp] = (opts[:created_at] + opts[:expires_in].seconds).to_i if opts[:expires_in].present?
+    payload
+  end
+
+  # Use the application secret specified in the Access Grant token
+  # Defaults to false
+  # If you specify `use_application_secret true`, both secret_key and secret_key_path will be ignored
+  # use_application_secret true
+
+  # Set the encryption secret. This would be shared with any other applications
+  # that should be able to read the payload of the token.
+  # Defaults to "secret"
+  secret_key Rails.application.secrets.jwt_encryption_token || Rails.application.credentials.jwt_encryption_token
+
+  # If you want to use RS* encoding specify the path to the RSA key
+  # to use for signing.
+  # If you specify a secret_key_path it will be used instead of secret_key
+  # secret_key_path 'path/to/file.pem'
+
+  # Specify encryption type. Supports any algorithim in
+  # https://github.com/progrium/ruby-jwt
+  # defaults to nil
+  encryption_method Rails.application.config.jwt_encryption_method
+end

data/lib/generators/linked_rails/auth/templates/locales.yml

@@ -0,0 +1,39 @@
+en:
+  actions:
+    confirmations:
+      create:
+        label: "Send confirmation link again"
+        submit: "Send"
+      update:
+        label: "Confirm email address"
+        submit: "Confirm"
+    otp_attempts:
+      create:
+        submit: "Continue"
+    otp_secrets:
+      create:
+        label: 'Two factor authentication'
+        submit: "Continue"
+      destroy:
+        label: 'Disable two factor authentication'
+        description: "Are you sure you want to disable the two factor authentication of **%{name}**?"
+        submit: "Confirm"
+        success: "Two factor authentication is disabled"
+  devise:
+    failure:
+      invalid_email: 'We couldn''t find a user with this email.'
+      invalid_password: 'Invalid password.'
+  forms:
+    access_tokens:
+      email:
+        label: "Email"
+    otp_attempts:
+      helper_text: 'You can find this in the authentication-application you used earlier.'
+      label: "Authentication code"
+    otp_secrets:
+      provision_image:
+        description: 'Install a authentication-application and scan this QR code.'
+    sessions:
+      email:
+        label: "Email"
+

data/lib/generators/linked_rails/auth/templates/migration.rb.erb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+class CreateDoorkeeperApp < ActiveRecord::Migration<%= migration_version %>
+  def up
+    create_table :otp_secrets do |t|
+      t.timestamps
+      t.integer :owner_id, null: false
+      t.string :otp_secret_key, null: false
+      t.boolean :active, default: false
+      t.index :owner_id, unique: true
+    end
+  end
+
+  def down
+    Doorkeeper::AccessToken.delete_all
+    Doorkeeper::Application.delete_all
+
+    drop_table :otp_secrets
+  end
+end

data/lib/linked_rails/auth/auth_helper.rb

@@ -0,0 +1,101 @@
+# frozen_string_literal: true
+
+module LinkedRails
+  module Auth
+    module AuthHelper
+      include Doorkeeper::Rails::Helpers
+      include Doorkeeper::Helpers::Controller
+
+      SAFE_METHODS = %w[GET HEAD OPTIONS CONNECT TRACE].freeze
+      UNSAFE_METHODS = %w[POST PUT PATCH DELETE].freeze
+
+      def current_user
+        return request.env['Current-User'] if request.env['Current-User']
+        return @current_user if instance_variable_defined?(:@current_user)
+
+        @current_user ||= current_resource_owner || create_guest_user
+
+        handle_invalid_token unless valid_token?
+
+        @current_user
+      end
+
+      def doorkeeper_token
+        request.env['Doorkeeper-Token'] || super
+      end
+
+      private
+
+      def create_guest_user
+        LinkedRails.guest_user_class.new
+      end
+
+      def doorkeeper_scopes
+        doorkeeper_token&.scopes || []
+      end
+
+      def doorkeeper_token_payload
+        @doorkeeper_token_payload ||= JWT.decode(
+          doorkeeper_token.token,
+          Doorkeeper::JWT.configuration.secret_key,
+          true,
+          algorithms: [Doorkeeper::JWT.configuration.encryption_method.to_s.upcase]
+        )[0]
+      end
+
+      def doorkeeper_unauthorized_render_options(error: nil)
+        {
+          json: {
+            error: :invalid_token,
+            error_description: error&.description
+          }
+        }
+      end
+
+      def generate_access_token(resource_owner)
+        Doorkeeper::AccessToken.find_or_create_for(
+          application: doorkeeper_token&.application,
+          resource_owner: resource_owner,
+          scopes: resource_owner.guest? ? :guest : :user,
+          expires_in: Doorkeeper.configuration.access_token_expires_in,
+          use_refresh_token: true
+        )
+      end
+
+      def handle_invalid_token
+        @current_user = create_guest_user
+      end
+
+      def sign_in(resource, *_args)
+        @current_user = resource
+        update_oauth_token(generate_access_token(resource))
+
+        return if request.env['warden'].blank? || warden.user(:user) == resource
+
+        warden.set_user(resource, scope: :user, store: false)
+      end
+
+      def sign_out(*args)
+        super
+
+        doorkeeper_token.revoke if doorkeeper_token&.resource_owner_id
+        update_oauth_token(generate_access_token(create_guest_user))
+      end
+
+      def update_oauth_token(token)
+        response.headers['New-Refresh-Token'] = token.refresh_token
+        response.headers['New-Authorization'] = token.token
+      end
+
+      def require_doorkeeper_token?
+        UNSAFE_METHODS.include?(request.method)
+      end
+
+      def valid_token?
+        return !require_doorkeeper_token? if doorkeeper_token.blank?
+
+        doorkeeper_token&.accessible?
+      end
+    end
+  end
+end

data/lib/linked_rails/auth/controller/error_handling.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module LinkedRails
+  module Auth
+    module Controller
+      module ErrorHandling
+        extend ActiveSupport::Concern
+
+        included do
+          rescue_from LinkedRails::Auth::Errors::Unauthorized, with: :handle_error
+          rescue_from LinkedRails::Auth::Errors::UnknownEmail, with: :handle_error
+          rescue_from LinkedRails::Auth::Errors::Expired, with: :handle_error
+        end
+      end
+    end
+  end
+end

data/lib/linked_rails/auth/controller.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require_relative 'controller/error_handling'
+
+module LinkedRails
+  module Auth
+    module Controller
+      extend ActiveSupport::Concern
+
+      included do
+        include LinkedRails::Auth::AuthHelper
+        include LinkedRails::Auth::Controller::ErrorHandling
+      end
+    end
+  end
+end

data/lib/linked_rails/auth/engine.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module LinkedRails
+  module Auth
+    class Engine < ::Rails::Engine
+    end
+  end
+end

data/lib/linked_rails/auth/errors/account_locked.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module LinkedRails
+  module Auth
+    module Errors
+      class AccountLocked < StandardError
+      end
+    end
+  end
+end

data/lib/linked_rails/auth/errors/expired.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module LinkedRails
+  module Auth
+    module Errors
+      class Expired < StandardError
+      end
+    end
+  end
+end

data/lib/linked_rails/auth/errors/unauthorized.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module LinkedRails
+  module Auth
+    module Errors
+      class Unauthorized < StandardError
+      end
+    end
+  end
+end

data/lib/linked_rails/auth/errors/unknown_email.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module LinkedRails
+  module Auth
+    module Errors
+      class UnknownEmail < Doorkeeper::Errors::InvalidGrantReuse
+        def initialize(_options = {})
+          message = I18n.t('devise.failure.invalid_email')
+          super(message)
+        end
+      end
+    end
+  end
+end

data/lib/linked_rails/auth/errors/wrong_password.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module LinkedRails
+  module Auth
+    module Errors
+      class WrongPassword < Doorkeeper::Errors::InvalidGrantReuse
+        def initialize(_options = {})
+          message = I18n.t('devise.failure.invalid_password')
+          super(message)
+        end
+      end
+    end
+  end
+end

data/lib/linked_rails/auth/errors.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require_relative 'errors/account_locked'
+require_relative 'errors/expired'
+require_relative 'errors/unauthorized'
+require_relative 'errors/unknown_email'
+require_relative 'errors/wrong_password'

data/lib/linked_rails/auth/routes.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+module LinkedRails
+  module Auth
+    module Routes
+      DOORKEEPER_CONTROLLERS = {
+        access_tokens: :tokens,
+        applications: :applications,
+        authorizations: :authorizations,
+        authorized_applications: :authorized_applications,
+        token_info: :token_info
+      }.freeze
+      DEVISE_CONTROLLERS = %i[omniauth_callbacks].freeze
+      LINKED_RAILS_CONTROLLERS = {
+        access_tokens: 'linked_rails/auth/access_tokens',
+        confirmations: 'linked_rails/auth/confirmations',
+        otp_attempts: 'linked_rails/auth/otp_attempts',
+        otp_secrets: 'linked_rails/auth/otp_secrets',
+        passwords: 'linked_rails/auth/passwords',
+        registrations: 'linked_rails/auth/registrations',
+        sessions: 'linked_rails/auth/sessions',
+        unlocks: 'linked_rails/auth/unlocks'
+      }.freeze
+
+      def use_linked_rails_auth(opts = {}) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+        linked_rails_doorkeeper_routes(opts)
+        linked_rails_device_routes(opts)
+
+        scope 'u' do
+          get 'sign_in', to: redirect('/u/session/new')
+        end
+        devise_scope :user do
+          auth_resource(AccessToken, opts)
+          auth_resource(Confirmation, opts)
+          auth_resource(OtpAttempt, opts)
+          auth_resource(OtpSecret, opts)
+          linked_resource(
+            OtpSecret,
+            controller: opts[:otp_secrets] || LINKED_RAILS_CONTROLLERS[:otp_secrets],
+            nested: false
+          )
+          auth_resource(Password, opts)
+          auth_resource(Registration, opts)
+          auth_resource(Session, opts)
+          auth_resource(Unlock, opts)
+        end
+      end
+
+      private
+
+      def auth_resource(klass, opts)
+        key = klass.name.demodulize.tableize.to_sym
+
+        singular_linked_resource(
+          klass,
+          controller: opts[key] || LINKED_RAILS_CONTROLLERS[key],
+          nested: false
+        )
+      end
+
+      def linked_rails_device_routes(opts)
+        devise_for(
+          opts[:devise_scope] || :users,
+          path: :u,
+          controllers: {
+            omniauth_callbacks: opts[:omniauth_callbacks]
+          },
+          only: %i[omniauth_callbacks]
+        )
+      end
+
+      def linked_rails_doorkeeper_routes(opts)
+        use_doorkeeper do
+          DOORKEEPER_CONTROLLERS.each do |linked_rails_key, doorkeeper_key|
+            if opts.key?(linked_rails_key)
+              controllers(doorkeeper_key => opts[linked_rails_key])
+            elsif LINKED_RAILS_CONTROLLERS.key?(linked_rails_key)
+              controllers(doorkeeper_key => LINKED_RAILS_CONTROLLERS[linked_rails_key])
+            end
+          end
+        end
+      end
+    end
+  end
+end
+ActionDispatch::Routing::Mapper.include LinkedRails::Auth::Routes

data/lib/linked_rails/auth/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module LinkedRails
+  module Auth
+    VERSION = '0.0.1'
+  end
+end

data/lib/linked_rails/auth.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'active_model_otp'
+require 'devise'
+require 'doorkeeper'
+require 'doorkeeper/jwt'
+
+require 'linked_rails/auth/engine'
+require 'linked_rails/auth/routes'
+require 'linked_rails/auth/errors'
+require 'linked_rails/auth/auth_helper'
+require 'linked_rails/auth/controller'
+
+module LinkedRails
+  module Auth
+    mattr_accessor :otp_drift, default: 60
+  end
+end
+
+LinkedRails.configurable_class(nil, :user, default: 'User')
+LinkedRails.configurable_class(nil, :guest_user, default: 'LinkedRails::Auth::GuestUser')
+LinkedRails.configurable_class(nil, :access_token, default: 'LinkedRails::Auth::AccessToken')
+LinkedRails.configurable_class(nil, :access_token_action_list, default: 'LinkedRails::Auth::AccessTokenActionList')
+LinkedRails.configurable_class(nil, :access_token_form, default: 'LinkedRails::Auth::AccessTokenForm')
+LinkedRails.configurable_class(nil, :confirmation, default: 'LinkedRails::Auth::Confirmation')
+LinkedRails.configurable_class(nil, :confirmation_action_list, default: 'LinkedRails::Auth::ConfirmationActionList')
+LinkedRails.configurable_class(nil, :confirmation_form, default: 'LinkedRails::Auth::ConfirmationForm')
+LinkedRails.configurable_class(nil, :password, default: 'LinkedRails::Auth::Password')
+LinkedRails.configurable_class(nil, :password_action_list, default: 'LinkedRails::Auth::PasswordActionList')
+LinkedRails.configurable_class(nil, :password_form, default: 'LinkedRails::Auth::PasswordForm')
+LinkedRails.configurable_class(nil, :registration, default: 'LinkedRails::Auth::Registration')
+LinkedRails.configurable_class(nil, :registration_action_list, default: 'LinkedRails::Auth::RegistrationActionList')
+LinkedRails.configurable_class(nil, :registration_form, default: 'LinkedRails::Auth::RegistrationForm')
+LinkedRails.configurable_class(nil, :session, default: 'LinkedRails::Auth::Session')
+LinkedRails.configurable_class(nil, :session_action_list, default: 'LinkedRails::Auth::SessionActionList')
+LinkedRails.configurable_class(nil, :session_form, default: 'LinkedRails::Auth::SessionForm')
+LinkedRails.configurable_class(nil, :unlock, default: 'LinkedRails::Auth::Unlock')
+LinkedRails.configurable_class(nil, :unlock_action_list, default: 'LinkedRails::Auth::UnlockActionList')
+LinkedRails.configurable_class(nil, :unlock_form, default: 'LinkedRails::Auth::UnlockForm')
+LinkedRails.configurable_class(nil, :otp_attempt, default: 'LinkedRails::Auth::OtpAttempt')
+LinkedRails.configurable_class(nil, :otp_attempt_action_list, default: 'LinkedRails::Auth::OtpAttemptActionList')
+LinkedRails.configurable_class(nil, :otp_attempt_form, default: 'LinkedRails::Auth::OtpAttemptForm')
+LinkedRails.configurable_class(nil, :otp_owner, default: 'User')
+LinkedRails.configurable_class(nil, :otp_secret, default: 'LinkedRails::Auth::OtpSecret')
+LinkedRails.configurable_class(nil, :otp_secret_action_list, default: 'LinkedRails::Auth::OtpSecretActionList')
+LinkedRails.configurable_class(nil, :otp_secret_form, default: 'LinkedRails::Auth::OtpSecretForm')