machina-auth 0.1.2 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 72016a1f127a752307bd3351a7179bd514a07f01257141b5976c24512f9a58ab
-  data.tar.gz: 49e3d3a871defaf71cc93405268d6935afdbe97131b5f565fcf74fa7d336c8fa
+  metadata.gz: c8b85487ba807943451cf345d17e7aec7ee18a9b61a233adcdb213f86134cde0
+  data.tar.gz: 49908d36c4fb879354aa6c3b9ae96e33eaed76d98df2cd3dbfb8a51ce72b03a4
 SHA512:
-  metadata.gz: 1b1ca73243c466e604fd6922c9f60ea716d264e7dac913093fdbcaca1fa4e18b5aea6318eae5d5f04fc5809644680c6b39147339f2fa95358da4e74238efee88
-  data.tar.gz: 78582e31a57898eacd0a5abfb4c4bb812eb6683420549590a88ffbe8ffa0ded22e091cdf093f76ef3db75675719d81b4dc7de05482a7babc5d364f03e56d4b2f
+  metadata.gz: 97716d4c519933b65a8410615655adcf7e70a4013d9595e7ef5ca4a96ae2a57c44574640b33de5dc1adcd675b626c2ae39d09ffd0c5cf4fbcbb2932924988be9
+  data.tar.gz: 868b463264e64e8551c938704bcfad481714e0d6a9f4aa8dcc6152eb4d8df1bda0c6a01ff2ab55f89e534ceeb03b1d53abed3792dc2afaa1de660c6726dd2e2c

data/lib/machina/configuration.rb

@@ -11,7 +11,8 @@ module Machina
                   :cache_store,
                   :cache_ttl,
                   :manifest,
-                  :skip_paths
+                  :skip_paths,
+                  :identity_callback_uri
 
     def initialize
       @cache_ttl = 5.minutes

data/lib/machina/controller_helpers.rb

@@ -34,7 +34,7 @@ module Machina
       if request.format.json?
         render json: { error: 'unauthorized' }, status: :unauthorized
       else
-        redirect_to Machina.authorize_url(redirect_to: request.original_url), allow_other_host: true
+        redirect_to Machina.authorize_url(return_to: request.original_url), allow_other_host: true
       end
     end
 

data/lib/machina/middleware/authentication.rb

@@ -11,11 +11,11 @@ module Machina
 
       def call(env)
         request = ActionDispatch::Request.new(env)
-
+        # Skip paths allow the developer to disable the middleware from validating
+        # any token or headers on any matched URL or Path.
         return @app.call(env) if skip_path?(request)
 
         token = extract_token(request)
-
         return @app.call(env) if token.blank?
 
         session_data = resolve_session(token)
@@ -53,10 +53,7 @@ module Machina
       end
 
       def extract_token(request)
-        request.cookies['machina_session'] ||
-          extract_bearer(request) ||
-          request.headers['X-Api-Key'] ||
-          request.params['token']
+        request.cookies['machina_session'] || extract_bearer(request) || request.headers['X-Api-Key'] || request.params['token']
       end
 
       def extract_bearer(request)
@@ -76,7 +73,11 @@ module Machina
 
       def fetch_from_identity_service(token)
         response = Machina.identity_client.resolve_session(token)
-        return nil unless response.success?
+
+        unless response.success?
+          Machina.cache.delete(cache_key(token))
+          return nil
+        end
 
         data = unwrap_payload(response.parsed)
         Machina.cache.write(cache_key(token), data, expires_in: Machina.config.cache_ttl)
@@ -91,6 +92,7 @@ module Machina
       def cache_workspace_ref(data)
         workspace = data['workspace']
         organization = data['organization']
+
         return unless workspace.is_a?(Hash) && organization.is_a?(Hash)
         return unless defined?(Machina::WorkspaceRef) && Machina::WorkspaceRef.table_exists?
 

data/lib/machina/permission_sync.rb

@@ -16,7 +16,8 @@ module Machina
 
       product_id = manifest[:product_id] || Machina.config.product_id
       if product_id.blank?
-        raise Machina::ConfigurationError, 'product_id is required for permission sync (set in machina.yml or Machina.config)'
+        raise Machina::ConfigurationError,
+              'product_id is required for permission sync (set in machina.yml or Machina.config)'
       end
 
       Machina.identity_client.sync_permissions(

data/lib/machina/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Machina
-  VERSION = '0.1.2'
+  VERSION = '0.1.4'
 end

data/lib/machina.rb

@@ -32,6 +32,7 @@ module Machina
 
   # Test helpers are opt-in; load with `require "machina/test_helpers"` or autoload
   autoload :TestHelpers, 'machina/test_helpers'
+
   class << self
     def configure
       yield(config)
@@ -54,15 +55,36 @@ module Machina
       config.cache_store || Rails.cache
     end
 
-    def authorize_url(redirect_to:)
+    # Builds the Console authorize URL.
+    #
+    # @param redirect_to [String, nil] explicit redirect URL (backwards compat)
+    # @param return_to [String, nil] user's intended destination, appended to
+    #   the configured +identity_callback_uri+ as a query param
+    # @return [String] the full authorize URL
+    # @raise [ConfigurationError] when neither +redirect_to+ nor
+    #   +identity_callback_uri+ is available
+    def authorize_url(redirect_to: nil, return_to: nil)
       base = config.identity_service_url.to_s.sub(%r{/\z}, '')
-      return "#{base}/authorize" if redirect_to.blank?
 
-      "#{base}/authorize?redirect_to=#{CGI.escape(redirect_to)}"
+      return "#{base}/authorize?redirect_to=#{CGI.escape(redirect_to)}" if redirect_to.present?
+
+      callback = config.identity_callback_uri
+      if callback.blank?
+        raise ConfigurationError,
+              'identity_callback_uri must be configured to use authorize_url without an explicit redirect_to'
+      end
+
+      target = return_to.present? ? "#{callback}?return_to=#{CGI.escape(return_to)}" : callback
+
+      "#{base}/authorize?redirect_to=#{CGI.escape(target)}"
     end
 
+    # Convenience wrapper that delegates to {authorize_url} with +return_to+.
+    #
+    # @param return_to [String] the user's intended destination
+    # @return [String] the full authorize URL
     def login_url(return_to:)
-      authorize_url(redirect_to: return_to)
+      authorize_url(return_to:)
     end
   end
 end

data/spec/machina/authorize_url_spec.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require_relative '../rails_helper'
+
+RSpec.describe 'Machina.authorize_url' do
+  let(:base_url) { 'https://machina.example.test' }
+
+  context 'when identity_callback_uri is configured' do
+    before do
+      Machina.config.identity_callback_uri = 'http://localhost:3000/auth/machina/callback'
+    end
+
+    it 'uses the callback URI as redirect_to' do
+      url = Machina.authorize_url
+
+      expect(url).to eq("#{base_url}/authorize?redirect_to=#{CGI.escape('http://localhost:3000/auth/machina/callback')}")
+    end
+
+    it 'appends return_to as a query param on the callback URI' do
+      url = Machina.authorize_url(return_to: '/dashboard')
+
+      callback_with_return = 'http://localhost:3000/auth/machina/callback?return_to=%2Fdashboard'
+      expect(url).to eq("#{base_url}/authorize?redirect_to=#{CGI.escape(callback_with_return)}")
+    end
+
+    it 'encodes a full return_to URL' do
+      url = Machina.authorize_url(return_to: 'http://localhost:3000/inquiries?page=2')
+
+      callback_with_return = 'http://localhost:3000/auth/machina/callback?return_to=http%3A%2F%2Flocalhost%3A3000%2Finquiries%3Fpage%3D2'
+      expect(url).to eq("#{base_url}/authorize?redirect_to=#{CGI.escape(callback_with_return)}")
+    end
+  end
+
+  context 'when identity_callback_uri is not configured' do
+    it 'raises a configuration error when called without redirect_to' do
+      expect { Machina.authorize_url }.to raise_error(
+        Machina::ConfigurationError,
+        /identity_callback_uri/,
+      )
+    end
+
+    it 'still works with an explicit redirect_to for backwards compatibility' do
+      url = Machina.authorize_url(redirect_to: 'http://localhost:3000/login')
+
+      expect(url).to eq("#{base_url}/authorize?redirect_to=#{CGI.escape('http://localhost:3000/login')}")
+    end
+  end
+
+  describe '.login_url' do
+    before do
+      Machina.config.identity_callback_uri = 'http://localhost:3000/auth/machina/callback'
+    end
+
+    it 'delegates to authorize_url with return_to' do
+      url = Machina.login_url(return_to: '/settings')
+
+      callback_with_return = 'http://localhost:3000/auth/machina/callback?return_to=%2Fsettings'
+      expect(url).to eq("#{base_url}/authorize?redirect_to=#{CGI.escape(callback_with_return)}")
+    end
+  end
+end

data/spec/machina/configuration_spec.rb

@@ -12,4 +12,10 @@ RSpec.describe Machina::Configuration do
     config.product_id = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
     expect(config.product_id).to eq('a1b2c3d4-e5f6-7890-abcd-ef1234567890')
   end
+
+  it 'supports identity_callback_uri configuration' do
+    config = described_class.new
+    config.identity_callback_uri = 'http://localhost:3000/auth/machina/callback'
+    expect(config.identity_callback_uri).to eq('http://localhost:3000/auth/machina/callback')
+  end
 end

data/spec/machina/controller_helpers_spec.rb

@@ -29,12 +29,15 @@ RSpec.describe Machina::ControllerHelpers, type: :controller do
     end
   end
 
-  it 'redirects browser requests to authorize when unauthenticated' do
+  it 'redirects browser requests to authorize using identity_callback_uri when unauthenticated' do
+    Machina.config.identity_callback_uri = 'http://localhost:3000/auth/machina/callback'
+
     get :index
 
     expect(response).to have_http_status(:redirect)
     expect(response.location).to include('https://machina.example.test/authorize')
     expect(response.location).to include('redirect_to=')
+    expect(CGI.unescape(response.location)).to include('http://localhost:3000/auth/machina/callback?return_to=')
   end
 
   it 'returns json unauthorized for api-style requests' do

data/spec/machina/middleware/authentication_spec.rb

@@ -54,6 +54,52 @@ RSpec.describe Machina::Middleware::Authentication do
     expect(JSON.parse(body.first)).to eq('error' => 'unauthorized')
   end
 
+  it 'evicts cached session when Console returns non-200 on stale re-fetch' do
+    token = 'ps_stale_token'
+    cache_key = "machina:session:#{token}"
+    stale_data = MockResponses.session_resolution_minimal['data'].merge(stale: true)
+
+    Machina.cache.write(cache_key, stale_data, expires_in: 5.minutes)
+
+    allow(identity_client).to receive(:resolve_session).with(token).and_return(
+      Machina::IdentityClient::Response.new(status: 404, body: '{}'),
+    )
+
+    env = Rack::MockRequest.env_for('/resource', 'HTTP_AUTHORIZATION' => "Bearer #{token}")
+    status, = middleware.call(env)
+
+    expect(status).to eq(401)
+    expect(Machina.cache.read(cache_key)).to be_nil
+  end
+
+  it 'evicts cached session when Console returns non-200 after cache expires' do
+    token = 'ps_expired_cache'
+    cache_key = "machina:session:#{token}"
+
+    # First request: populate cache via successful resolution
+    allow(identity_client).to receive(:resolve_session).with(token).and_return(
+      Machina::IdentityClient::Response.new(status: 200, body: MockResponses.session_resolution_minimal),
+    )
+
+    env = Rack::MockRequest.env_for('/resource', 'HTTP_AUTHORIZATION' => "Bearer #{token}")
+    status, = middleware.call(env)
+    expect(status).to eq(200)
+
+    # Simulate cache expiry
+    Machina.cache.delete(cache_key)
+
+    # Console now rejects the token
+    allow(identity_client).to receive(:resolve_session).with(token).and_return(
+      Machina::IdentityClient::Response.new(status: 404, body: '{}'),
+    )
+
+    env = Rack::MockRequest.env_for('/resource', 'HTTP_AUTHORIZATION' => "Bearer #{token}")
+    status, = middleware.call(env)
+
+    expect(status).to eq(401)
+    expect(Machina.cache.read(cache_key)).to be_nil
+  end
+
   it 'uses the cache on subsequent requests' do
     response = Machina::IdentityClient::Response.new(
       status: 200,

data/spec/machina/permission_sync_spec.rb

@@ -106,7 +106,7 @@ RSpec.describe Machina::PermissionSync do
   context 'with an ERB manifest' do
     let(:tmpfile) do
       file = Tempfile.new(['machina', '.yml'])
-      file.write(<<~'YAML')
+      file.write(<<~YAML)
         product_id: <%= "erb-product-id" %>
 
         permissions:

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: machina-auth
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.4
 platform: ruby
 authors:
 - ZAR
@@ -174,6 +174,7 @@ files:
 - spec/dummy/config/routes.rb
 - spec/dummy/db/schema.rb
 - spec/fixtures/machina.yml
+- spec/machina/authorize_url_spec.rb
 - spec/machina/authorized_spec.rb
 - spec/machina/configuration_spec.rb
 - spec/machina/controller_helpers_spec.rb