mais-access 1.1.2 → 2.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bc9907ad2cf934f7a61fc086c1b92a75239a76d3f31dd460c27610a33507721f
-  data.tar.gz: 1ec26dfefef621b95ba1234e9f925905bd4231b358372e143e01720bc8215d46
+  metadata.gz: 7a805653b216cf10cc22f5022741c3e1983f281283a079dc3b44288d74826a40
+  data.tar.gz: 69c9cbfb19ce32de6b7a7ba5479454e04c7cc4600b00eb80f84d7c5c89c89575
 SHA512:
-  metadata.gz: ccead31f66c557e86aa9e4d718159e1928d8f8785fb2221d44e9997c010a840fa418b3cac28a3f00915660eae173a284500a328c404028cbafe81e10b773aa45
-  data.tar.gz: 398360da3a38d578c41d0441d36f6f71ea0e6a0ca59b323d4bd97415d66fd17a5594b0683b36c5bf3cfbfb39b73f593d0ed6aedc90c3420c635cffeede4a6298
+  metadata.gz: d661f99ca020d193ff8b55f9ac94b8fc8ed783390812bf9a83a4b2d4042d2361ebeae802ffdc328f6661d2ca9feae36eb47382a86bddcf0b0ae062b5c133cc0b
+  data.tar.gz: 4965b71be71484ae798897f07b84bef6f16d33e8db7e40e97637708b7af2956dbfc9ab32f626100c7ab8b529ce9f5b6ff23b43369389f77d633878e5747ea299

data/lib/mais/access/controller.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module MaisAccess
+  module Controller
+    require "mais/access/dispatcher"
+    require "mais/access/user"
+
+    include MaisAccess::Dispatcher
+
+    MAIS_CLIENT = (Rails.application.credentials[:client] || "unregistered").freeze
+    PROMPT = "access - MAIS - #{MAIS_CLIENT}"
+    public_constant :MAIS_CLIENT
+    private_constant :PROMPT
+
+    def mais_user
+      @mais_user ||= MaisAccess::User.new(session[:mais_user])
+    end
+
+    private
+
+    def authenticate_mais_user!
+      valid_jwt? || authenticate_or_request_with_http_basic(PROMPT) do |l, p|
+        user?(l, p)
+      end
+    end
+  end
+end

data/lib/mais/access/dispatcher.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module MaisAccess
+  module Dispatcher
+    AUTH_ENDPOINT = "#{ENV.fetch("MAIS_ACCOUNTS_HOSTNAME")}/api/authenticate"
+    JWT_ENDPOINT = "#{ENV.fetch("MAIS_ACCOUNTS_HOSTNAME")}/api/verify"
+    private_constant :AUTH_ENDPOINT
+    private_constant :JWT_ENDPOINT
+
+    private
+
+    def set_session(user = nil, jwt = nil)
+      reset_session
+      session[:mais_user] = user
+      session[:jwt] = jwt
+    end
+
+    def make_secure_http(endpoint)
+      uri = URI(endpoint)
+
+      begin
+        # Setup and yield an HTTPS connection to the specified endpoint
+        Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
+          yield(uri.path, http)
+        end
+      rescue StandardError => e
+        Rails.logger.error(e)
+        # Something went wrong, so save our butts and don't them in
+        false
+      end
+    end
+
+    def valid_jwt?
+      return false if session[:mais_user].blank? || session[:jwt].blank?
+
+      make_secure_http(JWT_ENDPOINT) do |path, http|
+        # Try to access the verification endpoint with the stored JWT
+        request = Net::HTTP::Get.new(path)
+        request["Authorization"] = session[:jwt]
+        response = http.request(request)
+
+        # If the server returns HTTP 204 No Content, the token is valid.
+        # `next` is required instead of `return` because `return` exits
+        # without finishing the block execution (cleaning up)
+        next true if response.code == "204"
+
+        # invalid token, force a session reset
+        set_session
+        false
+      end
+    end
+
+    def user?(login, password)
+      make_secure_http(AUTH_ENDPOINT) do |path, http|
+        # Post the credentials to the authentication endpoint
+        request = Net::HTTP::Post.new(path, { "Content-Type" => "application/json" })
+        request.body = JSON.generate({ user: { username: login, password: password } })
+        response = http.request(request)
+
+        # Parse the response body as JSON
+        body = JSON.parse(response.body)
+
+        # If the user is valid, reset the session and set the current mais user
+        if response.code == "201" && body["user"]
+          set_session(body["user"], response["Authorization"])
+          next true
+        end
+
+        false
+      end
+    end
+  end
+end

data/lib/{mais-access → mais/access}/user.rb

@@ -1,16 +1,17 @@
-# frozen_string_literal: true
-
-module MaisAccess
-  # An abstract class used to store the currently authenticated MAIS user. An instance of
-  # this class is initialized every time `authenticate_mais_user!` completes successfully.
-  # The current MAIS user can be accessed anytime via the `mais_user` method.
-  class User
-    attr_reader :username, :full_name
-
-    def initialize(*params)
-      params = params[0]
-      @username = params["username"]
-      @full_name = params["full_name"]
-    end
-  end
-end
+# frozen_string_literal: true
+
+module MaisAccess
+  # An abstract class used to store the currently authenticated MAIS user. An instance
+  # of this class is initialized every time `authenticate_mais_user!` completes
+  # successfully. The current MAIS user can be accessed anytime via the `mais_user`
+  # method.
+  class User
+    attr_reader :username, :full_name
+
+    def initialize(*params)
+      params = params[0]
+      @username = params["username"]
+      @full_name = params["full_name"]
+    end
+  end
+end

data/lib/mais/access.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module MaisAccess
+  class Railtie < ::Rails::Railtie
+    initializer("mais.middleware") do |_app|
+      # Hook into ActionController's loading process
+      ActiveSupport.on_load(:action_controller) do
+        require "mais/access/controller"
+
+        include MaisAccess::Controller
+
+        # Mark the `mais_user` reader method as a helper so that it can be accessed
+        # from a view
+        helper_method :mais_user
+
+        # Force a MAIS user authentication check on every request
+        before_action :authenticate_mais_user!
+
+        # "Cross-Site Request Forgery (CSRF) is an attack that allows a malicious user
+        # to spoof legitimate requests to your server, masquerading as an authenticated
+        # user. Rails protects against this kind of attack by generating unique tokens
+        # and validating their authenticity with each submission."
+        #
+        # https://link.medium.com/q1U60lAYm7
+        #
+        # If Rails detects an invalid authentication token, reset the current session.
+        # Prepend forgery protection to the beginning of the request action chain to
+        # ensure that it is the first thing to run.
+        protect_from_forgery with: :reset_session, prepend: true
+      end
+    end
+  end
+end

metadata

@@ -1,79 +1,135 @@
 --- !ruby/object:Gem::Specification
 name: mais-access
 version: !ruby/object:Gem::Version
-  version: 1.1.2
+  version: 2.1.2
 platform: ruby
 authors:
 - Elias Gabriel
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-05-31 00:00:00.000000000 Z
+date: 2023-02-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.2'
+- !ruby/object:Gem::Dependency
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 4.0.2
+        version: 12.3.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 4.0.2
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: practical-pig
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
-description: A simple gem that provides HTTP Basic Authentication for users registered
-  with the MAIS(tm) accounts application.
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: mais-access provides a simple yet secure HTTP(S) authentication barrier
+  for applications developed within the MAIS system. After initial connection, sessions
+  for authenticated clients are validated by JSON Web Tokens for reduced overhead
+  and improved security.
 email: me@eliasfgabriel.com
 executables: []
 extensions: []
-extra_rdoc_files:
-- README.md
+extra_rdoc_files: []
 files:
-- ".gitattributes"
-- ".gitignore"
-- Gemfile
-- README.md
-- lib/mais-access.rb
-- lib/mais-access/dispatcher.rb
-- lib/mais-access/user.rb
-- mais-access.gemspec
-homepage: https://github.com/sdbase/mais-access
+- lib/mais/access.rb
+- lib/mais/access/controller.rb
+- lib/mais/access/dispatcher.rb
+- lib/mais/access/user.rb
+homepage: https://github.com/metabronx/mais-access
 licenses:
 - CC-BY-NC-SA-4.0
 metadata:
-  source_code_uri: https://github.com/sdbase/mais-access
-  homepage_uri: https://github.com/sdbase/mais-access
+  homepage_uri: https://www.metabronx.com
+  source_code_uri: https://github.com/metabronx/mais-access
+  bug_tracker_uri: https://github.com/metabronx/mais-access/issues
+  rubygems_mfa_required: 'true'
+  funding_uri: https://www.metabronx.com/invest
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -82,15 +138,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.3
+rubygems_version: 3.4.6
 signing_key: 
 specification_version: 4
-summary: A MAIS(tm) authentication middleware.
+summary: Provides an HTTP/JWT authentication middleware.
 test_files: []

data/.gitattributes

@@ -1,2 +0,0 @@
-# Auto detect text files and perform LF normalization
-* text=auto

data/.gitignore

@@ -1,2 +0,0 @@
-/node_modules
-*.gem

data/Gemfile

@@ -1,4 +0,0 @@
-source "https://rubygems.org"
-
-# Specify your gem's dependencies in parceler.gemspec
-gemspec

data/README.md

@@ -1,11 +0,0 @@
-# MAIS Access
-
-A simple gem that enforces HTTP Basic Authentication for account holders in the MAIS business management and information system.
-
-## License
-
-Copyright � 2019 [Elias Gabriel](https://eliasfgabriel.com/), [sdbase](http://sdbase.com/)
-
-This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
-
-To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.

data/lib/mais-access/dispatcher.rb

@@ -1,61 +0,0 @@
-# frozen_string_literal: true
-
-module MaisAccess
-  module Dispatcher
-    require 'net/https'
-    require 'uri'
-    require 'json'
-    require 'mais-access/user'
-
-    attr_reader :mais_user
-
-    MAIS_CLIENT = ENV['MAIS_CLIENT']
-    APP_TITLE = "access - MAIS - #{MAIS_CLIENT}"
-
-    def authenticate_mais_user!
-      # Prompt the user for HTTP Basic credentials or authenticate if they are
-      # cached in the browser session
-      authenticate_or_request_with_http_basic(APP_TITLE) { |l, p| user?(l, p) }
-    end
-
-    private
-
-    def user?(login, password)
-      begin
-        url = URI("#{ENV['MAIS_ACCOUNTS_HOSTNAME']}/authenticate")
-
-        # Setup https connection and specify certificate bundle if enabled
-        if (ENV.fetch("USE_HTTPS") { false })
-          http = Net::HTTP.new(url.host, 443)
-          http.use_ssl = true
-          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-          http.cert_store = OpenSSL::X509::Store.new
-          http.cert_store.set_default_paths
-          http.cert_store.add_file("/etc/pki/tls/certs/server.crt")
-        else
-          http = Net::HTTP.new(url.host, url.port)
-        end
-
-        # Get the credentials and POST them to `accounts.scenycwork.net/authenticate`
-        request = Net::HTTP::Post.new(url.path, {'Content-Type' => 'application/json'})
-        request.set_form_data({ "username" => login, "password" => password })
-        response = http.request(request)
-
-        # Parse the response body as JSON
-        body = JSON.parse(response.body)
-
-        # If the user is valid, set the current mais user
-        if response.code == '200' && body["authenticated"]
-          @mais_user = MaisAccess::User.new(body["user"])
-          # let them in
-          return true
-        end
-      rescue => e
-        Rails.logger.error(e)
-      end
-
-      # Something went wrong, so save our butts and don't them in.
-      return false
-    end
-  end
-end

data/lib/mais-access.rb

@@ -1,20 +0,0 @@
-# frozen_string_literal: true
-
-module MaisAccess
-	class Railtie < ::Rails::Railtie
-		initializer('mais.middleware') do |app|
-			# Hook into ActionController's loading process
-			ActiveSupport.on_load(:action_controller) do
-				require 'mais-access/dispatcher'
-				include MaisAccess::Dispatcher
-
-				# Mark the `mais_user` reader method (defined in Mais::Dispatcher) as a
-				# helper so that it can be accessed from a view
-				helper_method :mais_user
-
-				# Force a MAIS user authentication check on every request
-				before_action :authenticate_mais_user!
-			end
-		end
-	end
-end

data/mais-access.gemspec

@@ -1,28 +0,0 @@
-# frozen_string_literal: true
-
-lib = File.expand_path("lib", __dir__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-
-Gem::Specification.new do |spec|
-	spec.name          = "mais-access"
-	spec.version       = "1.1.2"
-	spec.author        = "Elias Gabriel"
-	spec.email         = "me@eliasfgabriel.com"
-	spec.summary       = "A MAIS(tm) authentication middleware."
-	spec.description   = "A simple gem that provides HTTP Basic Authentication for users registered with the MAIS(tm) accounts application."
-	spec.homepage      = "https://github.com/sdbase/mais-access"
-	spec.license       = "CC-BY-NC-SA-4.0"
-
-	spec.metadata["homepage_uri"] = spec.metadata["source_code_uri"] = spec.homepage
-	spec.extra_rdoc_files = ["README.md"]
-
-	spec.require_paths = ["lib"]
-	spec.files = Dir.chdir(File.expand_path('..', __FILE__)) do
-		`git ls-files -z`.split("\x0")
-	end
-
-	spec.add_dependency "rails", '>= 4.0.2'
-
-	spec.add_development_dependency "bundler", '~> 2.0'
-  spec.add_development_dependency "rake", '~> 10.0'
-end