machina-auth 0.1.4 → 0.1.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c8b85487ba807943451cf345d17e7aec7ee18a9b61a233adcdb213f86134cde0
-  data.tar.gz: 49908d36c4fb879354aa6c3b9ae96e33eaed76d98df2cd3dbfb8a51ce72b03a4
+  metadata.gz: 779a01d0ee76aefd789279497b06a5eb82bafc444d783d6f279cf75e31e37b57
+  data.tar.gz: 3533cf0c697aa3698225c9527df313f7d09643cd04e641af597d0b0d874ab518
 SHA512:
-  metadata.gz: 97716d4c519933b65a8410615655adcf7e70a4013d9595e7ef5ca4a96ae2a57c44574640b33de5dc1adcd675b626c2ae39d09ffd0c5cf4fbcbb2932924988be9
-  data.tar.gz: 868b463264e64e8551c938704bcfad481714e0d6a9f4aa8dcc6152eb4d8df1bda0c6a01ff2ab55f89e534ceeb03b1d53abed3792dc2afaa1de660c6726dd2e2c
+  metadata.gz: 4d896e66034311c92ef6b5b99f1ffd6d0adfa8033f78922305d354c5009500e516ebbd49b766f615758cbaee4003246017a2fed1209cdbbb2539b3e614e78d5f
+  data.tar.gz: e7276fa8589250b587754784882592380d20bf30e05b0dcf71b352b7d5664375decc54907c18821d8369e4aa83ae5f6c00d208ff0efe8f1ecd0f8e86873a3c00

data/lib/machina/authorized.rb

@@ -75,8 +75,8 @@ module Machina
     end
 
     def assign_session_attrs(data)
-      @session_id = data.dig('session', 'id') || data['session_id']
       @type       = data.dig('session', 'type')&.to_sym
+      @session_id = data.dig('session', 'id') || data['session_id']
       raw_expires = data.dig('session', 'expires_at') || data['expires_at']
       @expires_at = raw_expires ? Time.zone.parse(raw_expires) : nil
     end

data/lib/machina/controller_helpers.rb

@@ -8,20 +8,11 @@ module Machina
 
     included do
       helper_method :authorized, :logged_in? if respond_to?(:helper_method)
-
-      rescue_from Machina::Unauthorized do |error|
-        if request.format.json?
-          render json: { error: 'forbidden', permission: error.message }, status: :forbidden
-        else
-          redirect_to main_app.respond_to?(:root_path) ? main_app.root_path : '/',
-                      alert: "You don't have permission to do that."
-        end
-      end
+      rescue_from Machina::Unauthorized, with: :respond_unauthorized
     end
 
     def authorized
-      current = defined?(::Current) ? ::Current : Machina::Current
-      current.authorized || Machina::Authorized::EMPTY
+      Machina::Current.authorized || Machina::Authorized::EMPTY
     end
 
     def logged_in?
@@ -58,6 +49,15 @@ module Machina
 
     private
 
+    def respond_unauthorized(error)
+      if request.format.json?
+        render json: { error: 'forbidden', permission: error.message }, status: :forbidden
+      else
+        path = main_app.respond_to?(:root_path) ? main_app.root_path : '/'
+        redirect_to path, alert: "You don't have permission to do that."
+      end
+    end
+
     def extract_bearer_token
       header = request.headers['Authorization'].to_s
       match = header.match(/\ABearer\s+(.+)\z/)

data/lib/machina/current.rb

@@ -1,7 +1,19 @@
 # frozen_string_literal: true
 
 module Machina
-  # Thread-safe per-request store for the currently authenticated Authorized object.
+  # Thread-safe per-request store for the currently authenticated {Authorized} object.
+  #
+  # The middleware writes exclusively to +Machina::Current.authorized+. Host
+  # apps that want +::Current.authorized+ should inherit from this class:
+  #
+  #   class Current < Machina::Current
+  #     # add app-specific attributes here
+  #   end
+  #
+  # Note: each +CurrentAttributes+ subclass has independent thread-local
+  # storage, so +::Current.authorized+ and +Machina::Current.authorized+ hold
+  # separate values even when +::Current < Machina::Current+. The gem always
+  # reads and writes through +Machina::Current+.
   class Current < ActiveSupport::CurrentAttributes
     attribute :authorized
   end

data/lib/machina/identity_client.rb

@@ -42,9 +42,9 @@ module Machina
       ensure_configured!
 
       response = connection.post(path) do |request|
-        request.headers['Authorization'] = "Bearer #{config.service_token}"
-        request.headers['Content-Type'] = 'application/json'
         request.headers['Accept'] = 'application/json'
+        request.headers['Content-Type'] = 'application/json'
+        request.headers['Authorization'] = "Bearer #{config.service_token}"
         request.body = JSON.generate(payload)
       end
 

data/lib/machina/middleware/authentication.rb

@@ -19,16 +19,20 @@ module Machina
         return @app.call(env) if token.blank?
 
         session_data = resolve_session(token)
-        return unauthorized_response unless session_data
 
-        authorized = Machina::Authorized.new(session_data)
-        Machina::Current.authorized = authorized
-        ::Current.authorized = authorized if defined?(::Current) && ::Current != Machina::Current
+        # Token present but invalid/expired: clear the stale cache entry and
+        # fall through with nil authorized. API callers get 401 from the
+        # controller; browser users get redirected to login by authenticate!.
+        unless session_data
+          Machina.cache.delete(cache_key(token))
+          return @app.call(env)
+        end
+
+        Machina::Current.authorized = Machina::Authorized.new(session_data)
 
         @app.call(env)
       ensure
         Machina::Current.reset
-        ::Current.reset if defined?(::Current) && ::Current != Machina::Current
       end
 
       private
@@ -53,7 +57,10 @@ module Machina
       end
 
       def extract_token(request)
-        request.cookies['machina_session'] || extract_bearer(request) || request.headers['X-Api-Key'] || request.params['token']
+        request.cookies['machina_session']
+          || extract_bearer(request)
+          || request.headers['X-Api-Key']
+          || request.params['token']
       end
 
       def extract_bearer(request)
@@ -90,16 +97,18 @@ module Machina
       end
 
       def cache_workspace_ref(data)
-        workspace = data['workspace']
+        workspace    = data['workspace']
         organization = data['organization']
 
         return unless workspace.is_a?(Hash) && organization.is_a?(Hash)
         return unless defined?(Machina::WorkspaceRef) && Machina::WorkspaceRef.table_exists?
 
         ref = Machina::WorkspaceRef.find_or_initialize_by(tenant_ref: workspace['id'])
-        ref.organization_id = organization['id']
+
         ref.name = workspace['name']
         ref.cached_at = Time.current
+        ref.organization_id = organization['id']
+
         ref.save!
       rescue StandardError
         nil
@@ -108,11 +117,6 @@ module Machina
       def cache_key(token)
         "machina:session:#{token}"
       end
-
-      def unauthorized_response
-        body = JSON.generate(error: 'unauthorized')
-        [401, { 'Content-Type' => 'application/json', 'Content-Length' => body.bytesize.to_s }, [body]]
-      end
     end
   end
 end

data/lib/machina/permission_sync.rb

@@ -14,16 +14,14 @@ module Machina
     def call!
       manifest = load_manifest
 
-      product_id = manifest[:product_id] || Machina.config.product_id
-      if product_id.blank?
-        raise Machina::ConfigurationError,
-              'product_id is required for permission sync (set in machina.yml or Machina.config)'
+      if Machina.config.product_id.blank?
+        raise Machina::ConfigurationError, 'product_id is required for permission sync (set Machina.config.product_id)'
       end
 
       Machina.identity_client.sync_permissions(
-        product_id:,
-        permissions: manifest.fetch(:permissions),
+        product_id: Machina.config.product_id,
         policies: manifest.fetch(:policies, []),
+        permissions: manifest.fetch(:permissions),
       )
     end
 

data/lib/machina/test_helpers.rb

@@ -63,10 +63,10 @@ module Machina
       data = default_session_data
 
       data['user'].merge!(stringify(user))
-      data['organization'].merge!(stringify(organization))
+      data['session'].merge!(stringify(session))
       data['workspace'].merge!(stringify(workspace))
+      data['organization'].merge!(stringify(organization))
       data['workspace']['id'] = tenant_ref.to_s if tenant_ref
-      data['session'].merge!(stringify(session))
       data['permissions'] = permissions.map(&:to_s) if permissions
 
       authorized = Machina::Authorized.new(data)
@@ -87,9 +87,9 @@ module Machina
     def default_session_data
       {
         'user' => fake_user_data,
-        'organization' => fake_organization_data,
-        'workspace' => fake_workspace_data,
         'session' => fake_session_data,
+        'workspace' => fake_workspace_data,
+        'organization' => fake_organization_data,
         'permissions' => []
       }
     end

data/lib/machina/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Machina
-  VERSION = '0.1.4'
+  VERSION = '0.1.6'
 end

data/lib/machina/webhook_receiver.rb

@@ -5,13 +5,15 @@ module Machina
   # invalidating or marking cached sessions as stale when permissions change.
   class WebhookReceiver
     def initialize(request, cache: Machina.cache)
-      @request = request
       @cache = cache
+      @request = request
       @raw_body = request.body.read
+
       request.body.rewind if request.body.respond_to?(:rewind)
-      @payload = @raw_body.present? ? JSON.parse(@raw_body) : {}
+
       @event = request.headers['X-Machina-Event']
       @signature = request.headers['X-Machina-Signature'].to_s
+      @payload = @raw_body.present? ? JSON.parse(@raw_body) : {}
     end
 
     def valid?

data/lib/machina/workspace_scoped.rb

@@ -12,8 +12,7 @@ module Machina
       validates :tenant_ref, presence: true
 
       scope :in_current_workspace, lambda {
-        current = defined?(::Current) ? ::Current : Machina::Current
-        where(tenant_ref: current.authorized&.workspace_id)
+        where(tenant_ref: Machina::Current.authorized&.workspace_id)
       }
     end
   end

data/lib/machina.rb

@@ -57,26 +57,28 @@ module Machina
 
     # Builds the Console authorize URL.
     #
-    # @param redirect_to [String, nil] explicit redirect URL (backwards compat)
+    # The Console's +/authorize+ endpoint requires a +redirect_to+ query param
+    # so it knows where to send the user after workspace selection. This method
+    # always produces that param — the two keyword arguments control how:
+    #
+    # 1. *Callback-based (preferred)* — uses the configured
+    #    +identity_callback_uri+ as the redirect target. Pass +return_to+ to
+    #    append the user's intended destination as a query param on the callback.
+    # 2. *Explicit* — pass +redirect_to+ directly to bypass callback resolution.
+    #    Intended for backwards compatibility only.
+    #
+    # @param redirect_to [String, nil] explicit product redirect URL; when
+    #   present the callback URI config is ignored
     # @param return_to [String, nil] user's intended destination, appended to
-    #   the configured +identity_callback_uri+ as a query param
-    # @return [String] the full authorize URL
-    # @raise [ConfigurationError] when neither +redirect_to+ nor
-    #   +identity_callback_uri+ is available
+    #   +identity_callback_uri+ so the product app can restore it after auth
+    # @return [String] the full Console authorize URL
+    # @raise [ConfigurationError] when +redirect_to+ is omitted and
+    #   +identity_callback_uri+ is not configured
     def authorize_url(redirect_to: nil, return_to: nil)
-      base = config.identity_service_url.to_s.sub(%r{/\z}, '')
-
-      return "#{base}/authorize?redirect_to=#{CGI.escape(redirect_to)}" if redirect_to.present?
-
-      callback = config.identity_callback_uri
-      if callback.blank?
-        raise ConfigurationError,
-              'identity_callback_uri must be configured to use authorize_url without an explicit redirect_to'
-      end
-
-      target = return_to.present? ? "#{callback}?return_to=#{CGI.escape(return_to)}" : callback
+      redirect_target = redirect_to.presence || callback_redirect_target(return_to)
 
-      "#{base}/authorize?redirect_to=#{CGI.escape(target)}"
+      base = config.identity_service_url.to_s.sub(%r{/\z}, '')
+      "#{base}/authorize?redirect_to=#{CGI.escape(redirect_target)}"
     end
 
     # Convenience wrapper that delegates to {authorize_url} with +return_to+.
@@ -86,5 +88,24 @@ module Machina
     def login_url(return_to:)
       authorize_url(return_to:)
     end
+
+    private
+
+    # Resolves the redirect target from +identity_callback_uri+ config,
+    # optionally appending a +return_to+ query param.
+    #
+    # @param return_to [String, nil] path or URL the user wants after auth
+    # @return [String] the callback URI (with optional +return_to+)
+    # @raise [ConfigurationError] when +identity_callback_uri+ is blank
+    def callback_redirect_target(return_to)
+      callback = config.identity_callback_uri
+
+      if callback.blank?
+        raise ConfigurationError,
+              'identity_callback_uri must be configured to use authorize_url without an explicit redirect_to'
+      end
+
+      return_to.present? ? "#{callback}?return_to=#{CGI.escape(return_to)}" : callback
+    end
   end
 end

data/spec/machina/current_spec.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require_relative '../rails_helper'
+require_relative '../support/mock_responses'
+
+RSpec.describe Machina::Current do
+  let(:data) { MockResponses.session_resolution['data'] }
+  let(:authorized) { Machina::Authorized.new(data) }
+
+  describe '.authorized' do
+    it 'returns the value set on Machina::Current' do
+      described_class.authorized = authorized
+
+      expect(described_class.authorized).to eq(authorized)
+    end
+
+    it 'is independent from host ::Current even when it inherits' do
+      # The dummy app's ::Current inherits from Machina::Current,
+      # but each CurrentAttributes subclass has its own thread-local storage.
+      described_class.authorized = authorized
+
+      expect(Current.authorized).to be_nil
+      expect(described_class.authorized).to eq(authorized)
+    ensure
+      Current.reset
+    end
+
+    it 'returns nil when nothing is set' do
+      expect(described_class.authorized).to be_nil
+    end
+  end
+end

data/spec/machina/middleware/authentication_spec.rb

@@ -42,7 +42,7 @@ RSpec.describe Machina::Middleware::Authentication do
     expect(workspace_ref).to have_attributes(name: 'Primary')
   end
 
-  it 'returns unauthorized when resolution fails' do
+  it 'passes through with nil authorized when resolution fails' do
     allow(identity_client).to receive(:resolve_session).and_return(
       Machina::IdentityClient::Response.new(status: 404, body: '{}'),
     )
@@ -50,11 +50,11 @@ RSpec.describe Machina::Middleware::Authentication do
     env = Rack::MockRequest.env_for('/resource', 'HTTP_AUTHORIZATION' => 'Bearer ps_123')
     status, _headers, body = middleware.call(env)
 
-    expect(status).to eq(401)
-    expect(JSON.parse(body.first)).to eq('error' => 'unauthorized')
+    expect(status).to eq(200)
+    expect(JSON.parse(body.first)).to eq('user_id' => nil, 'permissions' => nil)
   end
 
-  it 'evicts cached session when Console returns non-200 on stale re-fetch' do
+  it 'evicts cached session and passes through when Console returns non-200 on stale re-fetch' do
     token = 'ps_stale_token'
     cache_key = "machina:session:#{token}"
     stale_data = MockResponses.session_resolution_minimal['data'].merge(stale: true)
@@ -68,7 +68,7 @@ RSpec.describe Machina::Middleware::Authentication do
     env = Rack::MockRequest.env_for('/resource', 'HTTP_AUTHORIZATION' => "Bearer #{token}")
     status, = middleware.call(env)
 
-    expect(status).to eq(401)
+    expect(status).to eq(200)
     expect(Machina.cache.read(cache_key)).to be_nil
   end
 
@@ -96,7 +96,7 @@ RSpec.describe Machina::Middleware::Authentication do
     env = Rack::MockRequest.env_for('/resource', 'HTTP_AUTHORIZATION' => "Bearer #{token}")
     status, = middleware.call(env)
 
-    expect(status).to eq(401)
+    expect(status).to eq(200)
     expect(Machina.cache.read(cache_key)).to be_nil
   end
 

data/spec/machina/permission_sync_spec.rb

@@ -4,9 +4,10 @@ require_relative '../rails_helper'
 
 RSpec.describe Machina::PermissionSync do
   let(:client) { instance_double(Machina::IdentityClient) }
+  let(:config_product_id) { 'a1b2c3d4-e5f6-7890-abcd-ef1234567890' }
 
   before do
-    Machina.config.product_id = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
+    Machina.config.product_id = config_product_id
     allow(Machina).to receive(:identity_client).and_return(client)
     allow(client).to receive(:sync_permissions)
   end
@@ -15,7 +16,7 @@ RSpec.describe Machina::PermissionSync do
     described_class.call!
 
     expect(client).to have_received(:sync_permissions).with(
-      product_id: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
+      product_id: config_product_id,
       permissions: [{ key: 'sessions.view', description: 'View sessions' }],
       policies: [{ name: 'Viewer', api_name: 'viewer', permissions: ['sessions.view'] }],
     )
@@ -31,8 +32,6 @@ RSpec.describe Machina::PermissionSync do
     let(:tmpfile) do
       file = Tempfile.new(['machina', '.yml'])
       file.write(<<~YAML)
-        product_id: flat-product-id
-
         permissions:
           - key: items.view
             description: View items
@@ -54,7 +53,7 @@ RSpec.describe Machina::PermissionSync do
       described_class.call!
 
       expect(client).to have_received(:sync_permissions).with(
-        product_id: 'flat-product-id',
+        product_id: config_product_id,
         permissions: [{ key: 'items.view', description: 'View items' }],
         policies: [{ name: 'Reader', api_name: 'reader', permissions: ['items.view'] }],
       )
@@ -66,14 +65,12 @@ RSpec.describe Machina::PermissionSync do
       file = Tempfile.new(['machina', '.yml'])
       file.write(<<~YAML)
         test:
-          product_id: test-product-id
           permissions:
             - key: reports.view
               description: View reports
           policies: []
 
         production:
-          product_id: prod-product-id
           permissions:
             - key: reports.view
               description: View reports
@@ -85,18 +82,14 @@ RSpec.describe Machina::PermissionSync do
       file
     end
 
-    before do
-      Machina.config.manifest = tmpfile.path
-      Machina.config.product_id = nil
-    end
-
+    before { Machina.config.manifest = tmpfile.path }
     after { tmpfile.unlink }
 
     it 'loads the manifest scoped to the current Rails environment' do
       described_class.call!
 
       expect(client).to have_received(:sync_permissions).with(
-        product_id: 'test-product-id',
+        product_id: config_product_id,
         permissions: [{ key: 'reports.view', description: 'View reports' }],
         policies: [],
       )
@@ -107,8 +100,6 @@ RSpec.describe Machina::PermissionSync do
     let(:tmpfile) do
       file = Tempfile.new(['machina', '.yml'])
       file.write(<<~YAML)
-        product_id: <%= "erb-product-id" %>
-
         permissions:
           - key: tasks.view
             description: View tasks
@@ -119,51 +110,20 @@ RSpec.describe Machina::PermissionSync do
       file
     end
 
-    before do
-      Machina.config.manifest = tmpfile.path
-      Machina.config.product_id = nil
-    end
-
+    before { Machina.config.manifest = tmpfile.path }
     after { tmpfile.unlink }
 
     it 'evaluates ERB before parsing YAML' do
       described_class.call!
 
       expect(client).to have_received(:sync_permissions).with(
-        product_id: 'erb-product-id',
+        product_id: config_product_id,
         permissions: [{ key: 'tasks.view', description: 'View tasks' }],
         policies: [],
       )
     end
   end
 
-  context 'when manifest product_id is absent but config product_id is set' do
-    let(:tmpfile) do
-      file = Tempfile.new(['machina', '.yml'])
-      file.write(<<~YAML)
-        permissions:
-          - key: items.view
-            description: View items
-        policies: []
-      YAML
-      file.close
-      file
-    end
-
-    before { Machina.config.manifest = tmpfile.path }
-    after { tmpfile.unlink }
-
-    it 'falls back to Machina.config.product_id' do
-      described_class.call!
-
-      expect(client).to have_received(:sync_permissions).with(
-        product_id: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
-        permissions: [{ key: 'items.view', description: 'View items' }],
-        policies: [],
-      )
-    end
-  end
-
   context 'when policies key is omitted from manifest' do
     let(:tmpfile) do
       file = Tempfile.new(['machina', '.yml'])
@@ -183,7 +143,7 @@ RSpec.describe Machina::PermissionSync do
       described_class.call!
 
       expect(client).to have_received(:sync_permissions).with(
-        product_id: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
+        product_id: config_product_id,
         permissions: [{ key: 'items.view', description: 'View items' }],
         policies: [],
       )

data/spec/machina/workspace_scoped_spec.rb

@@ -19,7 +19,7 @@ RSpec.describe Machina::WorkspaceScoped do
   end
 
   it 'filters records to the current workspace' do
-    Current.authorized = Machina::Authorized.new(
+    Machina::Current.authorized = Machina::Authorized.new(
       'user' => { 'id' => 'u1' },
       'organization' => { 'id' => 'o1' },
       'workspace' => { 'id' => 'ws-1', 'name' => 'Test' },

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: machina-auth
 version: !ruby/object:Gem::Version
-  version: 0.1.4
+  version: 0.1.6
 platform: ruby
 authors:
 - ZAR
@@ -178,6 +178,7 @@ files:
 - spec/machina/authorized_spec.rb
 - spec/machina/configuration_spec.rb
 - spec/machina/controller_helpers_spec.rb
+- spec/machina/current_spec.rb
 - spec/machina/identity_client_spec.rb
 - spec/machina/middleware/authentication_spec.rb
 - spec/machina/middleware/skip_paths_spec.rb