masks 0.3.1 → 0.4.0

data/app/views/masks/sessions/new.html.erb

@@ -41,8 +41,7 @@
               type="radio"
               role="tab"
               class="tab whitespace-nowrap"
-              aria-label="<%= t('.tab.one_time_code') %>"
-            />
+              aria-label="<%= t('.tab.one_time_code') %>">
             <div role="tabpanel" class="tab-content p-4 bg-base-100 rounded-b">
               <p class="flex items-center gap-4 text-sm mb-4">
                 <%= lucide_icon("qr-code") %>
@@ -55,8 +54,7 @@
                   data-session-target="oneTimeCode"
                   placeholder="<%= t('.placeholder.one_time_code') %>"
                   name="session[one_time_code]"
-                  class="input input-bordered w-full"
-                />
+                  class="input input-bordered w-full">
               </label>
             </div>
           <% end %>
@@ -67,8 +65,7 @@
               name="factor2"
               role="tab"
               class="tab whitespace-nowrap"
-              aria-label="<%= t('.tab.backup_code') %>"
-            />
+              aria-label="<%= t('.tab.backup_code') %>">
             <div role="tabpanel" class="tab-content p-4 bg-base-100 rounded-b">
               <p class="flex items-center gap-4 text-sm mb-4">
                 <%= lucide_icon("rotate-cw") %>
@@ -81,8 +78,7 @@
                   data-session-target="backupCode"
                   placeholder="<%= t('.placeholder.backup_code') %>"
                   name="session[backup_code]"
-                  class="input input-bordered w-full"
-                />
+                  class="input input-bordered w-full">
               </label>
             </div>
           <% end %>
@@ -97,31 +93,34 @@
             data-session-target="nickname"
             placeholder="<%= t('.placeholder.nickname') %>"
             name="session[nickname]"
-            class="input input-bordered w-full"
-          />
+            class="input input-bordered w-full">
         </label>
-        <label class="form-control w-full">
+        <label class="form-control input input-bordered w-full flex flex-row items-center gap-2" data-controller="password-visibility">
           <input
             type="password"
             data-action="session#updatePassword"
             data-session-target="password"
+            data-password-visibility-target="input"
+            spellcheck="false"
             placeholder="<%= t('.placeholder.password') %>"
             name="session[password]"
-            class="input input-bordered w-full"
-          />
-          <% if @config.site_links[:recover] %>
-            <div class="label">
-              <span class="label-text-alt opacity-60 hover:opacity-100"><a
-                  class="hover:underline"
-                  href="<%= @config.site_links[:recover] %>"
-                ><%= t(".recover_credentials") %></a></span>
-            </div>
-          <% end %>
+            class="flex-grow">
+
+          <button data-action="password-visibility#toggle" type="button" class="btn btn-sm btn-ghost -mr-2">
+            <span data-password-visibility-target="icon"><%= lucide_icon('eye') %></span>
+            <span data-password-visibility-target="icon" class="hidden"><%= lucide_icon('eye-off') %></span>
+          </button>
         </label>
+        <% if @config.site_links[:recover] %>
+          <div class="label">
+            <span class="label-text-alt opacity-60 hover:opacity-100"><a
+                class="hover:underline"
+                href="<%= @config.site_links[:recover] %>"><%= t(".recover_credentials") %></a></span>
+          </div>
+        <% end %>
       </div>
     <% end %>
 
-
     <% unless logged_in? %>
     <div class="flex items-center gap-4">
       <%= form.submit t(".submit"),
@@ -131,7 +130,7 @@
                   } %>
       <div class="form-control" data-session-target="remember">
         <label class="label cursor-pointer">
-          <input type="checkbox" name="session[remember_me]" class="toggle toggle-sm"/>
+          <input type="checkbox" name="session[remember_me]" class="toggle toggle-sm">
           <span class="label-text pl-2"><%= t(".remember_me") %></span>
         </label>
       </div>

data/config/initializers/inflections.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+ActiveSupport::Inflector.inflections(:en) do |inflect|
+  inflect.acronym "OpenID"
+  inflect.acronym "UserInfo"
+end

data/config/locales/en.yml

@@ -28,6 +28,15 @@
 #       enabled: "ON"
 
 en:
+  scope:
+    openid_name: account
+    openid_desc: your account identifier
+    profile_name: profile
+    profile_desc: your name, email, and other personal details
+    phone_name: phone
+    phone_desc: your phone number
+    address_name: address
+    address_desc: your physical address
   layouts:
     masks:
       application:
@@ -109,7 +118,7 @@ en:
         secret: secret
         submit: enable
         delete: disable
-        delete_div: disable one-time code
+        delete_div: disable one-time codes
         backup_codes: save backup codes...
         reset_codes: view backup codes...
     backup_codes:
@@ -242,7 +251,7 @@ en:
         enter_factor2: enter a secondary credential to continue...
         enter_credentials: "enter your credentials to continue..."
         enter_password: "enter your password to continue..."
-        continue: "press continue to access things..."
+        continue: "press continue to authorize..."
         one_time_code: enter a 6-digit one-time code from your authenticator app...
         backup_code: enter one of your saved 10-digit backup codes...
         logged_in: welcome!
@@ -254,6 +263,18 @@ en:
           password: password...
           one_time_code: one-time code...
           backup_code: backup code...
+    openid:
+      authorizations:
+        new:
+          authorize_client: "authorize %{name}?"
+          authorize_account: "%{name} wants access to your account."
+          authorize_scoped: "%{name} wants access to your account and the following data:"
+          approve: approve
+          deny: deny
+        error:
+          title: authorization failed
+          description: an unrecoverable error occurred during authorization...
+          home: go home
   activerecord:
     attributes:
       masks/rails/actor:

data/config/routes.rb

@@ -39,8 +39,45 @@ Masks::Engine.routes.draw do
   get "backup-codes", to: "backup_codes#new", as: :backup_codes
   post "backup-codes", to: "backup_codes#create"
 
+  # OAuth/OpenID support
+  get "client/:id/.well-known/openid-configuration",
+      to: "openid/discoveries#new",
+      as: :openid_discovery
+  get "client/:id/jwks.json", to: "openid/discoveries#jwks", as: :openid_jwks
+  get "client/:id",
+      to:
+        redirect { |params, _|
+          "client/#{params[:id]}/.well-known/openid-configuration"
+        },
+      as: :openid_issuer
+  get "authorize", to: "openid/authorizations#new", as: :openid_authorization
+  post "authorize", to: "openid/authorizations#create"
+  post "token",
+       to: proc { |env| Masks::OpenID::Token.new.call(env) },
+       as: :openid_token
+  match "userinfo",
+        to: "openid/userinfo#show",
+        via: %i[get post],
+        as: :openid_userinfo
+
   # managers-only section
-  get "actors", to: "manage/actors#index", as: :actors
-  get "actors/:actor", to: "manage/actor#show", as: :actor
-  patch "actors/:actor", to: "manage/actor#update"
+  namespace :manage do
+    get "/", to: "dashboard#index"
+
+    # manage clients
+    get "clients", to: "clients#index", as: :clients
+    post "clients", to: "clients#create"
+    get "clients/:id", to: "clients#show", as: :client
+    patch "clients/:id", to: "clients#update"
+    delete "clients/:id", to: "clients#destroy"
+
+    # manage actors
+    get "actors", to: "actors#index", as: :actors
+    get "actors/:actor", to: "actors#show", as: :actor
+    post "actors", to: "actors#create"
+    patch "actors/:actor", to: "actors#update"
+
+    # manage devices
+    get "devices", to: "devices#index", as: :devices
+  end
 end

data/db/migrate/20240329182422_support_openid.rb

@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+class SupportOpenID < ActiveRecord::Migration[7.1]
+  def change
+    create_table :openid_clients do |t|
+      t.string :name
+      t.string :key
+      t.string :secret
+      t.string :client_type
+      t.text :redirect_uris
+      t.text :scopes
+      t.boolean :consent
+      t.string :subject_type
+      t.string :sector_identifier
+      t.string :code_expires_in
+      t.string :token_expires_in
+      t.string :refresh_expires_in
+      t.text :rsa_private_key
+
+      t.timestamps
+
+      t.index :key, unique: true
+    end
+
+    create_table :openid_authorizations do |t|
+      t.string :code
+      t.string :nonce
+      t.string :redirect_uri
+      t.text :scopes
+
+      t.references :actor
+      t.references :openid_client
+      t.datetime :expires_at
+      t.timestamps
+
+      t.index :code, unique: true
+    end
+
+    create_table :openid_access_tokens do |t|
+      t.string :token
+      t.string :refresh_token
+      t.string :refreshed_token
+      t.text :scopes
+
+      t.references :actor, null: true
+      t.references :openid_client
+      t.datetime :expires_at
+      t.datetime :revoked_at
+      t.timestamps
+
+      t.index :token, unique: true
+      t.index :refresh_token, unique: true
+      t.index :refreshed_token, unique: true
+    end
+
+    create_table :openid_id_tokens do |t|
+      t.string :nonce
+      t.datetime :expires_at
+
+      t.references :actor
+      t.references :openid_client
+      t.timestamps
+    end
+  end
+end

data/lib/generators/masks/install/templates/masks.json

@@ -2,5 +2,8 @@
   "name": "<%= Rails.application.name %>",
   "url": "http://localhost:3000",
   "extend": "masks",
-  "masks": []
+  "masks": [],
+  "openid": {
+    "pairwise_salt": "<%= SecureRandom.uuid %>"
+  }
 }

data/lib/masks/configuration.rb

@@ -20,6 +20,7 @@ module Masks
     attribute :site_links
     attribute :site_logo
     attribute :lifetimes
+    attribute :openid
     attribute :masks
     attribute :models
     attribute :version
@@ -67,6 +68,23 @@ module Masks
       super || data.fetch(:url, nil)
     end
 
+    # Returns a string to use as the "issuer" for various secrets—TOTP, JWT, etc.
+    # @return [String]
+    def openid
+      {
+        scopes: %w[openid profile email address phone],
+        subject_types: %w[nickname email pairwise],
+        response_types: %w[code token id_token],
+        grant_types: %w[
+          client_credentials
+          authorization_code
+          implicit
+          refresh_token
+        ],
+        pairwise_salt: "masks"
+      }.merge(super || data.fetch(:openid, {}))
+    end
+
     # A hash of links—urls to various places on the frontend.
     #
     # These default to generated rails routes, but can be overridden
@@ -103,14 +121,6 @@ module Masks
 
     # A hash of default models the app relies on.
     #
-    # The following keys are available:
-    #
-    #   actor: +Masks::Rails::Actor+
-    #   role: +Masks::Rails::Role+
-    #   scope: +Masks::Rails::Scope+
-    #   email: +Masks::Rails::Email+
-    #   recovery: +Masks::Rails::Recovery+
-    #
     # This makes it easy to provide a substitute for key models
     # while still relying on the base active record implementation.
     #
@@ -124,6 +134,10 @@ module Masks
         recovery: "Masks::Rails::Recovery",
         device: "Masks::Rails::Device",
         key: "Masks::Rails::Key",
+        openid_client: "Masks::Rails::OpenID::Client",
+        openid_access_token: "Masks::Rails::OpenID::AccessToken",
+        openid_id_token: "Masks::Rails::OpenID::IdToken",
+        openid_authorization: "Masks::Rails::OpenID::Authorization",
         session_json: "Masks::SessionResource",
         request: "Masks::Sessions::Request",
         inline: "Masks::Sessions::Inline",
@@ -145,7 +159,6 @@ module Masks
     def mask(type)
       config = data.dig(:types, type.to_sym)
       raise Masks::Error::InvalidConfiguration, type unless config
-
       config
     end
 

data/lib/masks/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Masks
-  VERSION = Gem::Version.new("0.3.1")
+  VERSION = Gem::Version.new("0.4.0")
 end

data/lib/masks.rb

@@ -12,6 +12,7 @@ require "alba"
 require "pagy"
 require "device_detector"
 require "active_model"
+require "chronic_duration"
 
 # Top-level module for masks.
 #

data/lib/tasks/masks_tasks.rake

@@ -37,8 +37,9 @@ namespace :masks do
       exit 1
     end
 
+    scopes = args[:scopes].split(";")
     access = cli_access("actor.scopes", as: args[:actor])
-    access&.assign_scopes(args[:scopes].split(";"))
+    access&.assign_scopes(scopes)
 
     if !access
       puts "could not find actor..."
@@ -46,7 +47,7 @@ namespace :masks do
       puts "failed to assign scopes to '#{access.actor.nickname}'"
       puts "error: #{access.actor.errors.full_messages.join(", ")}"
     else
-      puts "assigned scopes to '#{access.actor.nickname}'"
+      puts "assigned scopes '#{scopes.join(", ")}' to '#{access.actor.nickname}'"
     end
   end
 

data/masks.json

@@ -27,10 +27,31 @@
       "anon": true,
       "fail": false
     },
+    {
+      "type": "access_token",
+      "request": {
+        "method": ["get", "post"],
+        "path": "/userinfo"
+      }
+    },
+    {
+      "skip": true,
+      "request": {
+        "method": "post",
+        "path": "/token"
+      }
+    },
+    {
+      "skip": true,
+      "request": {
+        "method": "get",
+        "path": "/client/*"
+      }
+    },
     {
       "type": "api",
       "request": {
-        "path": ["*"],
+        "path": "*",
         "header": "Authorization"
       }
     },
@@ -48,7 +69,8 @@
         "method": ["get", "delete"],
         "path": "/session"
       },
-      "fail": false
+      "fail": false,
+      "return_to": false
     },
     {
       "type": "recovery",
@@ -146,7 +168,16 @@
     {
       "type": "manage",
       "request": {
-        "path": ["/actors", "/actors/*"]
+        "path": ["/manage", "/manage/*"]
+      },
+      "access": ["actor.password", "actor.signup"],
+      "fail": "/session"
+    },
+    {
+      "type": "session",
+      "request": {
+        "method": "get",
+        "path": "/authorize"
       },
       "fail": false
     },
@@ -167,6 +198,9 @@
     },
     {
       "access": "actor.password"
+    },
+    {
+      "access": "actor.scopes"
     }
   ],
   "types": {
@@ -232,7 +266,7 @@
         },
         "device": {}
       },
-      "credentials": ["Session", "Device"]
+      "credentials": ["Session", "Device", "ReturnTo"]
     },
     "manage": {
       "checks": {
@@ -248,8 +282,8 @@
         },
         "device": {}
       },
-      "credentials": ["Session", "Device"],
-      "scopes": "masks:manager"
+      "credentials": ["Session", "Device", "ReturnTo"],
+      "scopes": ["masks:manage"]
     },
     "recovery": {
       "checks": {
@@ -257,6 +291,13 @@
       },
       "credentials": ["Session", "Recovery", "Device"]
     },
+    "access_token": {
+      "checks": {
+        "access_token": {},
+        "device": {}
+      },
+      "credentials": ["AccessToken", "Device"]
+    },
     "api": {
       "checks": {
         "key": {},

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: masks
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - geiger-to
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-03-29 00:00:00.000000000 Z
+date: 2024-04-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: alba
@@ -38,6 +38,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: chronic_duration
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
 - !ruby/object:Gem::Dependency
   name: cssbundling-rails
   requirement: !ruby/object:Gem::Requirement
@@ -94,6 +108,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
+- !ruby/object:Gem::Dependency
+  name: openid_connect
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
 - !ruby/object:Gem::Dependency
   name: pagy
   requirement: !ruby/object:Gem::Requirement
@@ -244,16 +272,16 @@ dependencies:
   name: valid_email
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.2'
 description: masks is a ruby library and rails engine that adds simple, extensible
   auth to most applications. DO NOT USE
 email:
@@ -265,9 +293,6 @@ files:
 - MIT-LICENSE
 - README.md
 - Rakefile
-- app/assets/builds/application.css
-- app/assets/builds/application.js
-- app/assets/builds/application.js.map
 - app/assets/builds/masks/application.css
 - app/assets/builds/masks/application.js
 - app/assets/builds/masks/application.js.map
@@ -280,6 +305,7 @@ files:
 - app/assets/javascripts/controllers/recover_controller.js
 - app/assets/javascripts/controllers/recover_password_controller.js
 - app/assets/javascripts/controllers/session_controller.js
+- app/assets/javascripts/controllers/table_controller.js
 - app/assets/manifest.js
 - app/assets/masks_manifest.js
 - app/assets/stylesheets/application.css
@@ -292,10 +318,16 @@ files:
 - app/controllers/masks/emails_controller.rb
 - app/controllers/masks/error_controller.rb
 - app/controllers/masks/keys_controller.rb
-- app/controllers/masks/manage/actor_controller.rb
 - app/controllers/masks/manage/actors_controller.rb
 - app/controllers/masks/manage/base_controller.rb
+- app/controllers/masks/manage/clients_controller.rb
+- app/controllers/masks/manage/dashboard_controller.rb
+- app/controllers/masks/manage/devices_controller.rb
 - app/controllers/masks/one_time_code_controller.rb
+- app/controllers/masks/openid/authorizations_controller.rb
+- app/controllers/masks/openid/discoveries_controller.rb
+- app/controllers/masks/openid/tokens_controller.rb
+- app/controllers/masks/openid/userinfo_controller.rb
 - app/controllers/masks/passwords_controller.rb
 - app/controllers/masks/recoveries_controller.rb
 - app/controllers/masks/sessions_controller.rb
@@ -320,6 +352,7 @@ files:
 - app/models/masks/application_record.rb
 - app/models/masks/check.rb
 - app/models/masks/credential.rb
+- app/models/masks/credentials/access_token.rb
 - app/models/masks/credentials/backup_code.rb
 - app/models/masks/credentials/device.rb
 - app/models/masks/credentials/email.rb
@@ -331,16 +364,23 @@ files:
 - app/models/masks/credentials/one_time_code.rb
 - app/models/masks/credentials/password.rb
 - app/models/masks/credentials/recovery.rb
+- app/models/masks/credentials/return_to.rb
 - app/models/masks/credentials/session.rb
 - app/models/masks/device.rb
 - app/models/masks/error.rb
 - app/models/masks/event.rb
 - app/models/masks/mask.rb
+- app/models/masks/openid/authorization.rb
+- app/models/masks/openid/token.rb
 - app/models/masks/rails/actor.rb
 - app/models/masks/rails/actor_role.rb
 - app/models/masks/rails/device.rb
 - app/models/masks/rails/email.rb
 - app/models/masks/rails/key.rb
+- app/models/masks/rails/openid/access_token.rb
+- app/models/masks/rails/openid/authorization.rb
+- app/models/masks/rails/openid/client.rb
+- app/models/masks/rails/openid/id_token.rb
 - app/models/masks/rails/recovery.rb
 - app/models/masks/rails/role.rb
 - app/models/masks/rails/scope.rb
@@ -364,17 +404,25 @@ files:
 - app/views/masks/emails/new.html.erb
 - app/views/masks/emails/verify.html.erb
 - app/views/masks/keys/new.html.erb
-- app/views/masks/manage/actor/show.html.erb
 - app/views/masks/manage/actors/index.html.erb
+- app/views/masks/manage/actors/show.html.erb
+- app/views/masks/manage/clients/index.html.erb
+- app/views/masks/manage/clients/show.html.erb
+- app/views/masks/manage/dashboard/index.html.erb
+- app/views/masks/manage/devices/index.html.erb
 - app/views/masks/one_time_code/new.html.erb
+- app/views/masks/openid/authorizations/error.html.erb
+- app/views/masks/openid/authorizations/new.html.erb
 - app/views/masks/passwords/edit.html.erb
 - app/views/masks/recoveries/new.html.erb
 - app/views/masks/recoveries/password.html.erb
 - app/views/masks/sessions/new.html.erb
 - config/brakeman.ignore
+- config/initializers/inflections.rb
 - config/locales/en.yml
 - config/routes.rb
 - db/migrate/20231205173845_create_actors.rb
+- db/migrate/20240329182422_support_openid.rb
 - lib/generators/masks/install/USAGE
 - lib/generators/masks/install/install_generator.rb
 - lib/generators/masks/install/templates/initializer.rb