neeto-jwt-engine 1.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 67424c25f36ea508e8f821f48d9446716df49eb7c7843b472efad9b657dfd3c5
+  data.tar.gz: 5f57e3eddc4fc2ae8fc61684ca8f9b19b2a247dbb7fac36d52f33f3eea74d206
+SHA512:
+  metadata.gz: e48aff6c53b0f16f8368a6d5a237334d40ab8a36de3a495f271167b904aa83a06afed4e75458ec32ae552a599a69721657f6460c4f726f4fd43c2b0227789451
+  data.tar.gz: a3cd885167bdd1c2138fe222c8f48ed9a33ed3cdef38f6b6a6ea53f3a7784ef6680e040e6d06912835b3f6657dc60a1ffdd499f93a66a2adfeefab7f9daf1088

data/README.md

@@ -0,0 +1,89 @@
+# Neeto JWT Engine
+
+Neeto JWT Engine is a Rails engine that provides JWT-based authentication for Neeto products. It is designed to be a flexible and extensible authentication solution that can be easily integrated into any Rails application.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'neeto-jwt-engine'
+```
+
+And then execute:
+
+```bash
+$ bundle install
+```
+
+Or install it yourself as:
+
+```bash
+$ gem install neeto-jwt-engine
+```
+
+## Usage
+
+### 1. Mount the engine
+
+Add the following line to your application's `config/routes.rb` file:
+
+```ruby
+mount NeetoJwtEngine::Engine => "/neeto_jwt"
+```
+
+### 2. Run the migrations
+
+Run the following command to create the necessary tables in your database:
+
+```bash
+$ rails neeto_jwt_engine:install:migrations
+$ rails db:migrate
+```
+
+### How to generate public-private key pairs
+
+Neeto JWT Engine provides a way to generate public-private key pairs for secure authentication.
+
+#### Create a public-private key pair for an organization
+
+To generate a new key pair, you can make a `POST` request to the `/neeto_jwt_engine/configurations` endpoint. This will create a new configuration with a public-private key pair and return a one-time link to download the private key.
+
+You must include a `NEETO-JWT-X-TOKEN` header in the request, and its value should match the `NEETO_JWT_X_TOKEN` environment variable set in your application. Search for "NeetoJWT X-Token" in 1Password to obtain this token.
+
+**Request:**
+
+```bash
+curl \
+  --request POST \
+  --header 'Content-Type: application/json' \
+  --header 'NEETO-JWT-X-TOKEN: <your-token>' \
+  https://<workspace>.neetoauth.com/neeto_jwt/configurations
+```
+
+**Response:**
+
+```json
+{
+  "message": "This is a one-time link. DO NOT click on the link yourself. In case the link is expired, whether by accident or by mis-use, create a fresh public-private key pair using the /neeto-jwt/configurations/create route.",
+  "onetime_link": "http://example.com/neeto_jwt_engine/configurations/your-onetime-token"
+}
+```
+
+#### Download private key using a one-time link
+
+To download the private key, you can make a `GET` request to the one-time link provided in the `create` API response. This will download the private key as a file and expire the link.
+
+**Request:**
+
+```bash
+GET https://<workspace>.neetoauth.com/neeto_jwt/configurations/your-onetime-token
+```
+
+**Response:**
+
+The private key will be downloaded as a file named `neeto-jwt-<subdomain>-private.key`.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.

data/Rakefile

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require "bundler/setup"
+
+APP_RAKEFILE = File.expand_path("test/dummy/Rakefile", __dir__)
+load "rails/tasks/engine.rake"
+
+load "rails/tasks/statistics.rake"
+
+require "bundler/gem_tasks"
+
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.pattern = "test/**/*_test.rb"
+  t.verbose = false
+end
+
+task default: :test

data/app/controllers/concerns/neeto_jwt_engine/api_exceptions.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module NeetoJwtEngine
+  module ApiExceptions
+    extend ActiveSupport::Concern
+
+    class ::NotAuthorizedError < StandardError
+    end
+
+    included do
+      protect_from_forgery
+
+      rescue_from StandardError, with: :handle_api_exception
+
+      def handle_api_exception(exception)
+        case exception
+        when -> (e) { e.message.include?("PG::") || e.message.include?("SQLite3::") }
+          handle_database_level_exception(exception)
+
+        when ActionController::ParameterMissing
+          log_exception_to_honeybadger(exception)
+          render_error(exception, :internal_server_error)
+
+        when ActiveRecord::RecordNotFound
+          render_error("#{exception.model} is not found", :not_found)
+
+        when ActionDispatch::Http::Parameters::ParseError
+          render_error("Http::Parameters parse error", :unprocessable_entity)
+
+        when ActiveRecord::RecordNotUnique
+          render_error(exception)
+
+        when ActiveModel::ValidationError, ActiveRecord::RecordInvalid, ArgumentError
+          error_message = exception.message.gsub("Validation failed: ", "")
+          render_error(error_message, :unprocessable_entity)
+
+        else
+          handle_generic_exception(exception)
+        end
+      end
+
+      def handle_database_level_exception(exception)
+        handle_generic_exception(exception, :internal_server_error)
+      end
+
+      def handle_generic_exception(exception, status = :internal_server_error)
+        log_exception_to_honeybadger(exception)
+        log_exception(exception)
+        render_error(exception, status)
+      end
+
+      def log_exception(exception)
+        [exception.class.to_s, exception.to_s, exception.backtrace.join("\n")].each do |str|
+          Rails.env.test? ? puts(str) : Rails.logger.info(str)
+        end
+      end
+
+      def log_exception_to_honeybadger(exception)
+        return if Rails.env.development? || Rails.env.test?
+
+        Honeybadger.notify(exception)
+      end
+
+      def render_error(error, status = :unprocessable_entity, context = {})
+        error_message = error
+        is_exception = error.kind_of?(StandardError)
+        if is_exception
+          is_having_record = error.methods.include? "record"
+          error_message = is_having_record ? error.record.errors_to_sentence : error.message
+        end
+        error_message = error_message.first if error_message.is_a?(Array) && error_message.length == 1
+        key = error_message.is_a?(Array) ? "errors" : "error"
+        render json: { key => error_message }.merge!(context), status:
+      end
+    end
+  end
+end

data/app/controllers/concerns/neeto_jwt_engine/authenticatable.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module NeetoJwtEngine
+  module Authenticatable
+    extend ActiveSupport::Concern
+
+    included do
+      skip_before_action :verify_authenticity_token
+      before_action :authenticate_using_x_token, only: :create
+    end
+
+    private
+
+      def authenticate_using_x_token
+        if request.headers["NEETO-JWT-X-TOKEN"] != ENV["NEETO_JWT_X_TOKEN"]
+          render status: :unauthorized, json: { error: "Invalid NEETO_JWT_X_TOKEN" }
+        end
+      end
+  end
+end

data/app/controllers/neeto_jwt_engine/application_controller.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module NeetoJwtEngine
+  class ApplicationController < ActionController::Base
+    include NeetoJwtEngine::ApiExceptions
+  end
+end

data/app/controllers/neeto_jwt_engine/configurations_controller.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module NeetoJwtEngine
+  class ConfigurationsController < ApplicationController
+    MESSAGE = <<~EOF
+This is a one-time link. DO NOT click on the link yourself. In case the link
+is expired, whether by accident or by mis-use, create a fresh public-private
+key pair using the /neeto-jwt/configurations/create route.
+    EOF
+
+    include NeetoJwtEngine::Authenticatable
+
+    before_action :load_organization!
+    before_action :load_configuration!, only: :show
+
+    def show
+      filename = "neeto-jwt-#{@organization.subdomain}-private.key"
+      Tempfile.open(filename) do |file|
+        file.write @configuration.private_key
+        file.rewind
+
+        send_data file.read, filename:
+      end
+    end
+
+    def create
+      @organization.jwt_configuration&.onetime_link&.update!(expired: true)
+      configuration = NeetoJwtEngine::Configuration.create!(organization: @organization)
+      onetime_link = configuration.create_onetime_link!
+      onetime_link = "#{request.base_url}/neeto_jwt/configurations/#{onetime_link.link}"
+      render status: :ok, json: { message: MESSAGE, onetime_link: }
+    end
+
+    private
+
+      def load_configuration!
+        onetime_link = NeetoJwtEngine::OnetimeLink.find_by(link: params[:id])
+
+        unless onetime_link.present?
+          render status: :not_found, json: { error: "The onetime link has either expired or is not found." }
+          return
+        end
+
+        @configuration = onetime_link.configuration
+        onetime_link.update!(expired: true)
+      end
+
+      def load_organization!
+        @organization = Rails.env.heroku? ?
+           Organization.active.find_by(subdomain: Rails.application.secrets.app_subdomain)
+          : Organization.active.where.not(subdomain: "app").find_by(subdomain: request.subdomain)
+      end
+  end
+end

data/app/models/concerns/neeto_jwt_engine/incinerable_concern.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+module NeetoJwtEngine
+  module IncinerableConcern
+    extend ActiveSupport::Concern
+
+    MODELS_REQUIRE_DESTROY = []
+    CYCLIC_DEPENDENCIES = {}
+
+    def self.associated_models(org_id)
+      {
+        "NeetoJwtEngine::Configuration": {
+          joins: {},
+          where: ["organization_id = ?", org_id]
+        }
+      }
+    end
+
+    def self.get_uninstalled_skipped_models
+      models = []
+      models
+    end
+
+    SKIPPED_MODELS = [] + get_uninstalled_skipped_models
+  end
+end

data/app/models/neeto_jwt_engine/application_record.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module NeetoJwtEngine
+  class ApplicationRecord < ActiveRecord::Base
+    self.abstract_class = true
+  end
+end

data/app/models/neeto_jwt_engine/configuration.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module NeetoJwtEngine
+  class Configuration < ApplicationRecord
+    belongs_to :organization
+    has_one :onetime_link, class_name: "NeetoJwtEngine::OnetimeLink"
+
+    default_scope -> { where(enabled: true) }
+
+    validates :public_key, presence: true
+    validates :private_key, presence: true
+
+    before_validation :generate_public_and_private_keys!
+
+    private
+
+      def generate_public_and_private_keys!
+        generator = NeetoJwtEngine::EllipticKeyGeneratorService.new("ES256")
+
+        self.private_key = generator.private_key
+        self.public_key = generator.public_key
+      end
+  end
+end

data/app/models/neeto_jwt_engine/onetime_link.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module NeetoJwtEngine
+  class OnetimeLink < ApplicationRecord
+    belongs_to :configuration, class_name: "NeetoJwtEngine::Configuration"
+
+    default_scope -> { where(expired: false) }
+
+    validates :link, presence: true, uniqueness: true
+
+    before_validation :generate_link, only: :create
+
+    private
+
+      def generate_link
+        self.link = SecureRandom.hex(8)
+      end
+  end
+end

data/app/services/neeto_jwt_engine/elliptic_key_generator_service.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+# This service is initially written only to support the `ES256 encryption`.
+# This can be easily extended to support other Elliptic Curve Digital Signature
+# Algorithm (ECDSA) algorithms.
+module NeetoJwtEngine
+  class EllipticKeyGeneratorService
+    CURVES = {
+      ES256: "prime256v1"
+    }.freeze
+
+    attr_reader :curve, :elliptic_curve_key, :private_key, :public_key
+
+    def initialize(algorithm = "ES256")
+      @curve = CURVES[algorithm.to_sym]
+      @elliptic_curve_key = OpenSSL::PKey::EC.generate(curve)
+    end
+
+    def private_key
+      elliptic_curve_key.to_pem
+    end
+
+    def public_key
+      public_key_point = elliptic_curve_key.public_key
+      return nil unless public_key_point
+
+      asn1 = OpenSSL::ASN1::Sequence(
+        [
+          OpenSSL::ASN1::Sequence(
+            [
+              OpenSSL::ASN1::ObjectId("id-ecPublicKey"),
+              OpenSSL::ASN1::ObjectId(curve)
+            ]
+          ),
+          OpenSSL::ASN1::BitString(public_key_point.to_octet_string(elliptic_curve_key.group.point_conversion_form))
+        ]
+      )
+
+      public_elliptic_curve_key = OpenSSL::PKey::EC.new(asn1.to_der)
+
+      public_elliptic_curve_key.to_pem
+    end
+  end
+end

data/app/views/layouts/neeto_jwt_engine/application.html.erb

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Neeto JWT</title>
+  <%= csrf_meta_tags %>
+  <%= csp_meta_tag %>
+
+  <%= stylesheet_link_tag    "neeto_jwt_engine/application", media: "all" %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

data/config/brakeman.ignore

@@ -0,0 +1,5 @@
+{
+  "ignored_warnings": [],
+  "updated": "2025-03-29 16:05:18 +0530",
+  "brakeman_version": "5.4.1"
+}

data/config/locales/en.yml

@@ -0,0 +1 @@
+en:

data/config/routes.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+NeetoJwtEngine::Engine.routes.draw do
+  defaults format: :json do
+    resources :configurations, only: %i(show create)
+  end
+end

data/db/migrate/20250329064017_create_neeto_jwt_engine_configurations.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class CreateNeetoJwtEngineConfigurations < ActiveRecord::Migration[7.1]
+  def change
+    create_table :neeto_jwt_engine_configurations, id: :uuid do |t|
+      t.text :public_key, null: false
+      t.text :private_key, null: false
+      t.boolean :enabled, null: false, default: true
+      t.references :organization, null: false, foreign_key: { on_delete: :cascade }, type: :uuid
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20250716075611_create_neeto_jwt_engine_onetime_links.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class CreateNeetoJwtEngineOnetimeLinks < ActiveRecord::Migration[7.1]
+  def change
+    create_table :neeto_jwt_engine_onetime_links, id: :uuid do |t|
+      t.string :link, null: false, index: { unique: true }
+      t.boolean :expired, null: false, default: false
+      t.references :configuration, null: false, type: :uuid, foreign_key: { to_table: :neeto_jwt_engine_configurations }
+
+      t.timestamps
+    end
+  end
+end

data/lib/neeto-jwt-engine.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require "neeto_jwt_engine/version"
+require "neeto_jwt_engine/engine"
+require "omniauth/strategies/jwt"

data/lib/neeto_jwt_engine/engine.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module NeetoJwtEngine
+  class Engine < ::Rails::Engine
+    isolate_namespace NeetoJwtEngine
+  end
+end

data/lib/neeto_jwt_engine/exceptions.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module NeetoJwtEngineclass
+  class Error < StandardError; end
+end

data/lib/neeto_jwt_engine/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module NeetoJwtEngine
+  VERSION = "1.1.0"
+end

data/lib/omniauth/strategies/jwt.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require "omniauth"
+require "jwt"
+require "openssl"
+
+module OmniAuth
+  module Strategies
+    class Jwt
+      include ::OmniAuth::Strategy
+
+      ALGORITHM = "ES256"
+      CLAIMS = %w(email workspace iat exp)
+      TWO_MINUTES_IN_SECONDS = 120
+
+      class InvalidClaimError < StandardError; end
+      class TokenReplayError < StandardError; end
+
+      def request_phase
+        session[:redirect_uri] = request.params["redirect_uri"]
+        session[:login_organization_id] = configuration.organization.id
+        session[:client_app_name] = request.params["client_app_name"]
+
+        begin
+          verify_claims!
+          verify_token_replay!
+          redirect callback_url
+        rescue InvalidClaimError => e
+          fail!(:claim_invalid, e)
+        rescue => e
+          fail!(:jwt_invalid, e)
+        end
+      end
+
+      def callback_phase
+        super
+      end
+
+      info do
+        jwt_payload.slice("email")
+      end
+
+      private
+
+        def jwt_payload
+          @_jwt_payload ||= JWT.decode(request.params["jwt"], public_key, false, { algorithm: ALGORITHM })[0]
+        end
+
+        def public_key
+          OpenSSL::PKey::EC.new(configuration.public_key)
+        end
+
+        def configuration
+          return @_configuration if defined?(@_configuration)
+
+          begin
+            subdomain = request.host.split(".").first
+            @_configuration = NeetoJwtEngine::Configuration
+              .joins(:organization)
+              .find_by!({ organization: { subdomain: } })
+          rescue ActiveRecord::RecordNotFound
+            raise InvalidClaimError, "'#{subdomain}' workspace is not registered for JWT authentication."
+          end
+        end
+
+        def verify_claims!
+          CLAIMS.each do |field|
+            raise InvalidClaimError.new("Missing field '#{field}' is required.") if !jwt_payload.key?(field.to_s)
+          end
+
+          organization = configuration.organization
+
+          if (Time.zone.now.to_i - jwt_payload["iat"].to_i).abs > TWO_MINUTES_IN_SECONDS
+            raise InvalidClaimError, "TokenExpired: 'iat' is outside the allowed time window."
+          elsif (jwt_payload["exp"].to_i - Time.zone.now.to_i).abs > TWO_MINUTES_IN_SECONDS
+            raise InvalidClaimError, "TokenExpired: 'exp' is outside the allowed time window."
+          elsif organization.users.exists?(email: jwt_payload["email"]) == false
+            raise InvalidClaimError, "User '#{jwt_payload["email"]}' is not part of the '#{jwt_payload["workspace"]}' workspace."
+          end
+        end
+
+        def verify_token_replay!
+          jwt = request.params["jwt"]
+
+          if Rails.cache.read("jwt_token:#{jwt}")
+            raise TokenReplayError, "The token has already been used."
+          else
+            Rails.cache.write("jwt_token:#{jwt}", true, expires_in: 5.minutes)
+          end
+        end
+    end
+  end
+end

data/test/controllers/neeto_jwt_engine/configurations_controller_test.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require "test_helper"
+
+module NeetoJwtEngine
+  class ConfigurationsControllerTest < ActionDispatch::IntegrationTest
+    include Engine.routes.url_helpers
+
+    def setup
+      @organization = create(:organization)
+      host! test_domain(@organization.subdomain)
+    end
+
+    def test_should_authenticate_creation_of_key_pairs
+      post configurations_path
+      assert_response :unauthorized
+    end
+
+    def test_should_create_onetime_link
+      post configurations_path, headers: headers
+
+      assert_response :ok
+      assert response_json["onetime_link"]
+    end
+
+    def test_creating_a_new_onetime_link_expires_previous_link
+      configuration = create(:configuration, organization: @organization)
+      onetime_link = create(:onetime_link, configuration:)
+
+      post configurations_path, headers: headers
+
+      assert_response :ok
+      assert onetime_link.reload.expired
+    end
+
+    def test_download_private_key_using_onetime_link
+      onetime_link = create(:onetime_link)
+
+      get configuration_path(onetime_link.link)
+
+      assert_response :ok
+      assert_includes response.body, "-----BEGIN EC PRIVATE KEY-----"
+    end
+
+    def test_cannot_download_private_key_using_expired_onetime_link
+      onetime_link = create(:onetime_link, expired: true)
+
+      get configuration_path(onetime_link.link)
+      assert_response :not_found
+    end
+
+    private
+
+      def headers
+        @_heaaders ||= { "NEETO-JWT-X-TOKEN" => ENV["NEETO_JWT_X_TOKEN"] }
+      end
+  end
+end

data/test/dummy/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require_relative "config/application"
+
+Rails.application.load_tasks

data/test/dummy/app/assets/config/manifest.js

@@ -0,0 +1,3 @@
+//= link_tree ../images
+//= link_directory ../stylesheets .css
+//= link neeto_jwt_manifest.js