machina-auth 0.1.3 → 0.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3aea4a4e50f2d2700c3e84c0a5c66715d7fad74f6da3f32438da1e372dee3531
-  data.tar.gz: d6f1a257b9fe0dcf868fce3cffeac7c625cba2774d86402e6bf666567c466cc5
+  metadata.gz: ca27cf7dd475d64e5bbf876084d6e7445a56ac65dbf9967d5b9b50a91f04f155
+  data.tar.gz: ad165e21c3628da603b016a7e40911f7efc3e60131cbad506ee1c5cb2dde48c8
 SHA512:
-  metadata.gz: 9d0137c9be1a30603f8cc165d234bf34e99f3325439ddf3aad96ea46ee96a5bedeb67388ede7edf54399391213bb904569f9186c454f5375cf392a3b8f0425f8
-  data.tar.gz: b67d7e820671b4ed7e495853924ad1e8f134030960be3a4c8cfe5bc17a594a662294807b5e058ee3ec45d291b91afc58dec65ca918b29b36251cfff5c0f0e340
+  metadata.gz: 3830bfe8f9b10c30bfedf347d3efa00ecc36feb09a028ed9372512c7c0a3f6817bee27a321c008394c6361b68c85e2aeb5ad0d71b41a72fd779ea8340d7e7fe6
+  data.tar.gz: f6c04f4aea2b6ad6f01c5632c3e49e92291a8341bb01c751f11eb22d6612aaad8e7f9b4c1124d77d9138c34094de00f41195cbabd60d6957293613111fa60bef

data/lib/machina/authorized.rb

@@ -75,8 +75,8 @@ module Machina
     end
 
     def assign_session_attrs(data)
-      @session_id = data.dig('session', 'id') || data['session_id']
       @type       = data.dig('session', 'type')&.to_sym
+      @session_id = data.dig('session', 'id') || data['session_id']
       raw_expires = data.dig('session', 'expires_at') || data['expires_at']
       @expires_at = raw_expires ? Time.zone.parse(raw_expires) : nil
     end

data/lib/machina/controller_helpers.rb

@@ -8,20 +8,11 @@ module Machina
 
     included do
       helper_method :authorized, :logged_in? if respond_to?(:helper_method)
-
-      rescue_from Machina::Unauthorized do |error|
-        if request.format.json?
-          render json: { error: 'forbidden', permission: error.message }, status: :forbidden
-        else
-          redirect_to main_app.respond_to?(:root_path) ? main_app.root_path : '/',
-                      alert: "You don't have permission to do that."
-        end
-      end
+      rescue_from Machina::Unauthorized, with: :respond_unauthorized
     end
 
     def authorized
-      current = defined?(::Current) ? ::Current : Machina::Current
-      current.authorized || Machina::Authorized::EMPTY
+      Machina::Current.authorized || Machina::Authorized::EMPTY
     end
 
     def logged_in?
@@ -58,6 +49,15 @@ module Machina
 
     private
 
+    def respond_unauthorized(error)
+      if request.format.json?
+        render json: { error: 'forbidden', permission: error.message }, status: :forbidden
+      else
+        path = main_app.respond_to?(:root_path) ? main_app.root_path : '/'
+        redirect_to path, alert: "You don't have permission to do that."
+      end
+    end
+
     def extract_bearer_token
       header = request.headers['Authorization'].to_s
       match = header.match(/\ABearer\s+(.+)\z/)

data/lib/machina/current.rb

@@ -1,7 +1,19 @@
 # frozen_string_literal: true
 
 module Machina
-  # Thread-safe per-request store for the currently authenticated Authorized object.
+  # Thread-safe per-request store for the currently authenticated {Authorized} object.
+  #
+  # The middleware writes exclusively to +Machina::Current.authorized+. Host
+  # apps that want +::Current.authorized+ should inherit from this class:
+  #
+  #   class Current < Machina::Current
+  #     # add app-specific attributes here
+  #   end
+  #
+  # Note: each +CurrentAttributes+ subclass has independent thread-local
+  # storage, so +::Current.authorized+ and +Machina::Current.authorized+ hold
+  # separate values even when +::Current < Machina::Current+. The gem always
+  # reads and writes through +Machina::Current+.
   class Current < ActiveSupport::CurrentAttributes
     attribute :authorized
   end

data/lib/machina/identity_client.rb

@@ -42,9 +42,9 @@ module Machina
       ensure_configured!
 
       response = connection.post(path) do |request|
-        request.headers['Authorization'] = "Bearer #{config.service_token}"
-        request.headers['Content-Type'] = 'application/json'
         request.headers['Accept'] = 'application/json'
+        request.headers['Content-Type'] = 'application/json'
+        request.headers['Authorization'] = "Bearer #{config.service_token}"
         request.body = JSON.generate(payload)
       end
 

data/lib/machina/middleware/authentication.rb

@@ -11,24 +11,28 @@ module Machina
 
       def call(env)
         request = ActionDispatch::Request.new(env)
-
+        # Skip paths allow the developer to disable the middleware from validating
+        # any token or headers on any matched URL or Path.
         return @app.call(env) if skip_path?(request)
 
         token = extract_token(request)
-
         return @app.call(env) if token.blank?
 
         session_data = resolve_session(token)
-        return unauthorized_response unless session_data
 
-        authorized = Machina::Authorized.new(session_data)
-        Machina::Current.authorized = authorized
-        ::Current.authorized = authorized if defined?(::Current) && ::Current != Machina::Current
+        # Token present but invalid/expired: clear the stale cache entry and
+        # fall through with nil authorized. API callers get 401 from the
+        # controller; browser users get redirected to login by authenticate!.
+        unless session_data
+          Machina.cache.delete(cache_key(token))
+          return @app.call(env)
+        end
+
+        Machina::Current.authorized = Machina::Authorized.new(session_data)
 
         @app.call(env)
       ensure
         Machina::Current.reset
-        ::Current.reset if defined?(::Current) && ::Current != Machina::Current
       end
 
       private
@@ -53,10 +57,10 @@ module Machina
       end
 
       def extract_token(request)
-        request.cookies['machina_session'] ||
-          extract_bearer(request) ||
-          request.headers['X-Api-Key'] ||
-          request.params['token']
+        request.cookies['machina_session']
+          || extract_bearer(request)
+          || request.headers['X-Api-Key']
+          || request.params['token']
       end
 
       def extract_bearer(request)
@@ -76,7 +80,11 @@ module Machina
 
       def fetch_from_identity_service(token)
         response = Machina.identity_client.resolve_session(token)
-        return nil unless response.success?
+
+        unless response.success?
+          Machina.cache.delete(cache_key(token))
+          return nil
+        end
 
         data = unwrap_payload(response.parsed)
         Machina.cache.write(cache_key(token), data, expires_in: Machina.config.cache_ttl)
@@ -89,15 +97,18 @@ module Machina
       end
 
       def cache_workspace_ref(data)
-        workspace = data['workspace']
+        workspace    = data['workspace']
         organization = data['organization']
+
         return unless workspace.is_a?(Hash) && organization.is_a?(Hash)
         return unless defined?(Machina::WorkspaceRef) && Machina::WorkspaceRef.table_exists?
 
         ref = Machina::WorkspaceRef.find_or_initialize_by(tenant_ref: workspace['id'])
-        ref.organization_id = organization['id']
+
         ref.name = workspace['name']
         ref.cached_at = Time.current
+        ref.organization_id = organization['id']
+
         ref.save!
       rescue StandardError
         nil
@@ -107,10 +118,6 @@ module Machina
         "machina:session:#{token}"
       end
 
-      def unauthorized_response
-        body = JSON.generate(error: 'unauthorized')
-        [401, { 'Content-Type' => 'application/json', 'Content-Length' => body.bytesize.to_s }, [body]]
-      end
     end
   end
 end

data/lib/machina/permission_sync.rb

@@ -16,14 +16,13 @@ module Machina
 
       product_id = manifest[:product_id] || Machina.config.product_id
       if product_id.blank?
-        raise Machina::ConfigurationError,
-              'product_id is required for permission sync (set in machina.yml or Machina.config)'
+        raise Machina::ConfigurationError, 'product_id is required for permission sync (set in machina.yml or Machina.config)'
       end
 
       Machina.identity_client.sync_permissions(
         product_id:,
-        permissions: manifest.fetch(:permissions),
         policies: manifest.fetch(:policies, []),
+        permissions: manifest.fetch(:permissions),
       )
     end
 

data/lib/machina/test_helpers.rb

@@ -63,10 +63,10 @@ module Machina
       data = default_session_data
 
       data['user'].merge!(stringify(user))
-      data['organization'].merge!(stringify(organization))
+      data['session'].merge!(stringify(session))
       data['workspace'].merge!(stringify(workspace))
+      data['organization'].merge!(stringify(organization))
       data['workspace']['id'] = tenant_ref.to_s if tenant_ref
-      data['session'].merge!(stringify(session))
       data['permissions'] = permissions.map(&:to_s) if permissions
 
       authorized = Machina::Authorized.new(data)
@@ -87,9 +87,9 @@ module Machina
     def default_session_data
       {
         'user' => fake_user_data,
-        'organization' => fake_organization_data,
-        'workspace' => fake_workspace_data,
         'session' => fake_session_data,
+        'workspace' => fake_workspace_data,
+        'organization' => fake_organization_data,
         'permissions' => []
       }
     end

data/lib/machina/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Machina
-  VERSION = '0.1.3'
+  VERSION = '0.1.5'
 end

data/lib/machina/webhook_receiver.rb

@@ -5,13 +5,15 @@ module Machina
   # invalidating or marking cached sessions as stale when permissions change.
   class WebhookReceiver
     def initialize(request, cache: Machina.cache)
-      @request = request
       @cache = cache
+      @request = request
       @raw_body = request.body.read
+
       request.body.rewind if request.body.respond_to?(:rewind)
-      @payload = @raw_body.present? ? JSON.parse(@raw_body) : {}
+
       @event = request.headers['X-Machina-Event']
       @signature = request.headers['X-Machina-Signature'].to_s
+      @payload = @raw_body.present? ? JSON.parse(@raw_body) : {}
     end
 
     def valid?

data/lib/machina/workspace_scoped.rb

@@ -12,8 +12,7 @@ module Machina
       validates :tenant_ref, presence: true
 
       scope :in_current_workspace, lambda {
-        current = defined?(::Current) ? ::Current : Machina::Current
-        where(tenant_ref: current.authorized&.workspace_id)
+        where(tenant_ref: Machina::Current.authorized&.workspace_id)
       }
     end
   end

data/lib/machina.rb

@@ -32,6 +32,7 @@ module Machina
 
   # Test helpers are opt-in; load with `require "machina/test_helpers"` or autoload
   autoload :TestHelpers, 'machina/test_helpers'
+
   class << self
     def configure
       yield(config)
@@ -56,26 +57,28 @@ module Machina
 
     # Builds the Console authorize URL.
     #
-    # @param redirect_to [String, nil] explicit redirect URL (backwards compat)
+    # The Console's +/authorize+ endpoint requires a +redirect_to+ query param
+    # so it knows where to send the user after workspace selection. This method
+    # always produces that param — the two keyword arguments control how:
+    #
+    # 1. *Callback-based (preferred)* — uses the configured
+    #    +identity_callback_uri+ as the redirect target. Pass +return_to+ to
+    #    append the user's intended destination as a query param on the callback.
+    # 2. *Explicit* — pass +redirect_to+ directly to bypass callback resolution.
+    #    Intended for backwards compatibility only.
+    #
+    # @param redirect_to [String, nil] explicit product redirect URL; when
+    #   present the callback URI config is ignored
     # @param return_to [String, nil] user's intended destination, appended to
-    #   the configured +identity_callback_uri+ as a query param
-    # @return [String] the full authorize URL
-    # @raise [ConfigurationError] when neither +redirect_to+ nor
-    #   +identity_callback_uri+ is available
+    #   +identity_callback_uri+ so the product app can restore it after auth
+    # @return [String] the full Console authorize URL
+    # @raise [ConfigurationError] when +redirect_to+ is omitted and
+    #   +identity_callback_uri+ is not configured
     def authorize_url(redirect_to: nil, return_to: nil)
-      base = config.identity_service_url.to_s.sub(%r{/\z}, '')
-
-      return "#{base}/authorize?redirect_to=#{CGI.escape(redirect_to)}" if redirect_to.present?
-
-      callback = config.identity_callback_uri
-      if callback.blank?
-        raise ConfigurationError,
-              'identity_callback_uri must be configured to use authorize_url without an explicit redirect_to'
-      end
-
-      target = return_to.present? ? "#{callback}?return_to=#{CGI.escape(return_to)}" : callback
+      redirect_target = redirect_to.presence || callback_redirect_target(return_to)
 
-      "#{base}/authorize?redirect_to=#{CGI.escape(target)}"
+      base = config.identity_service_url.to_s.sub(%r{/\z}, '')
+      "#{base}/authorize?redirect_to=#{CGI.escape(redirect_target)}"
     end
 
     # Convenience wrapper that delegates to {authorize_url} with +return_to+.
@@ -85,5 +88,23 @@ module Machina
     def login_url(return_to:)
       authorize_url(return_to:)
     end
+
+    private
+
+    # Resolves the redirect target from +identity_callback_uri+ config,
+    # optionally appending a +return_to+ query param.
+    #
+    # @param return_to [String, nil] path or URL the user wants after auth
+    # @return [String] the callback URI (with optional +return_to+)
+    # @raise [ConfigurationError] when +identity_callback_uri+ is blank
+    def callback_redirect_target(return_to)
+      callback = config.identity_callback_uri
+
+      if callback.blank?
+        raise ConfigurationError, 'identity_callback_uri must be configured to use authorize_url without an explicit redirect_to'
+      end
+
+      return_to.present? ? "#{callback}?return_to=#{CGI.escape(return_to)}" : callback
+    end
   end
 end

data/spec/machina/current_spec.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require_relative '../rails_helper'
+require_relative '../support/mock_responses'
+
+RSpec.describe Machina::Current do
+  let(:data) { MockResponses.session_resolution['data'] }
+  let(:authorized) { Machina::Authorized.new(data) }
+
+  describe '.authorized' do
+    it 'returns the value set on Machina::Current' do
+      described_class.authorized = authorized
+
+      expect(described_class.authorized).to eq(authorized)
+    end
+
+    it 'is independent from host ::Current even when it inherits' do
+      # The dummy app's ::Current inherits from Machina::Current,
+      # but each CurrentAttributes subclass has its own thread-local storage.
+      described_class.authorized = authorized
+
+      expect(::Current.authorized).to be_nil
+      expect(described_class.authorized).to eq(authorized)
+    ensure
+      ::Current.reset
+    end
+
+    it 'returns nil when nothing is set' do
+      expect(described_class.authorized).to be_nil
+    end
+  end
+end

data/spec/machina/middleware/authentication_spec.rb

@@ -42,7 +42,7 @@ RSpec.describe Machina::Middleware::Authentication do
     expect(workspace_ref).to have_attributes(name: 'Primary')
   end
 
-  it 'returns unauthorized when resolution fails' do
+  it 'passes through with nil authorized when resolution fails' do
     allow(identity_client).to receive(:resolve_session).and_return(
       Machina::IdentityClient::Response.new(status: 404, body: '{}'),
     )
@@ -50,8 +50,54 @@ RSpec.describe Machina::Middleware::Authentication do
     env = Rack::MockRequest.env_for('/resource', 'HTTP_AUTHORIZATION' => 'Bearer ps_123')
     status, _headers, body = middleware.call(env)
 
-    expect(status).to eq(401)
-    expect(JSON.parse(body.first)).to eq('error' => 'unauthorized')
+    expect(status).to eq(200)
+    expect(JSON.parse(body.first)).to eq('user_id' => nil, 'permissions' => nil)
+  end
+
+  it 'evicts cached session and passes through when Console returns non-200 on stale re-fetch' do
+    token = 'ps_stale_token'
+    cache_key = "machina:session:#{token}"
+    stale_data = MockResponses.session_resolution_minimal['data'].merge(stale: true)
+
+    Machina.cache.write(cache_key, stale_data, expires_in: 5.minutes)
+
+    allow(identity_client).to receive(:resolve_session).with(token).and_return(
+      Machina::IdentityClient::Response.new(status: 404, body: '{}'),
+    )
+
+    env = Rack::MockRequest.env_for('/resource', 'HTTP_AUTHORIZATION' => "Bearer #{token}")
+    status, = middleware.call(env)
+
+    expect(status).to eq(200)
+    expect(Machina.cache.read(cache_key)).to be_nil
+  end
+
+  it 'evicts cached session when Console returns non-200 after cache expires' do
+    token = 'ps_expired_cache'
+    cache_key = "machina:session:#{token}"
+
+    # First request: populate cache via successful resolution
+    allow(identity_client).to receive(:resolve_session).with(token).and_return(
+      Machina::IdentityClient::Response.new(status: 200, body: MockResponses.session_resolution_minimal),
+    )
+
+    env = Rack::MockRequest.env_for('/resource', 'HTTP_AUTHORIZATION' => "Bearer #{token}")
+    status, = middleware.call(env)
+    expect(status).to eq(200)
+
+    # Simulate cache expiry
+    Machina.cache.delete(cache_key)
+
+    # Console now rejects the token
+    allow(identity_client).to receive(:resolve_session).with(token).and_return(
+      Machina::IdentityClient::Response.new(status: 404, body: '{}'),
+    )
+
+    env = Rack::MockRequest.env_for('/resource', 'HTTP_AUTHORIZATION' => "Bearer #{token}")
+    status, = middleware.call(env)
+
+    expect(status).to eq(200)
+    expect(Machina.cache.read(cache_key)).to be_nil
   end
 
   it 'uses the cache on subsequent requests' do

data/spec/machina/workspace_scoped_spec.rb

@@ -19,7 +19,7 @@ RSpec.describe Machina::WorkspaceScoped do
   end
 
   it 'filters records to the current workspace' do
-    Current.authorized = Machina::Authorized.new(
+    Machina::Current.authorized = Machina::Authorized.new(
       'user' => { 'id' => 'u1' },
       'organization' => { 'id' => 'o1' },
       'workspace' => { 'id' => 'ws-1', 'name' => 'Test' },

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: machina-auth
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.5
 platform: ruby
 authors:
 - ZAR
@@ -178,6 +178,7 @@ files:
 - spec/machina/authorized_spec.rb
 - spec/machina/configuration_spec.rb
 - spec/machina/controller_helpers_spec.rb
+- spec/machina/current_spec.rb
 - spec/machina/identity_client_spec.rb
 - spec/machina/middleware/authentication_spec.rb
 - spec/machina/middleware/skip_paths_spec.rb