nopassword 0.1.2 → 0.1.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 37cca4affe70df1979f4400ae30f646a38667fb82ddeec80d8f52d754fcb822b
-  data.tar.gz: 945cedb9bdf4cdd18ba1059039fa31b9cdff0d190f219dd88276dd6a5954697b
+  metadata.gz: e3eeadfdfeeba40e946b5b38e9c24233eea04c3ab11dd31c1d655fa7ca6a14bc
+  data.tar.gz: e1a66179b3ba519474045b4ddda420596fac477ed2f79b98f70d398fed83952d
 SHA512:
-  metadata.gz: c0e1d90c7ab684fc2db22dead9f0edd8eadd7c91c3e61c5399f2f887fe8e783c0943e8c25717abac702c1110f102774e34af6c1a9444da56038d36217e0705fe
-  data.tar.gz: 7077c5b9919eb2bd59709866fe00f79b6503fd4a265c66d31520948a24baddeedb19f51937a2d55ce3030fc3c8552f526a7ca33e5b570462fa034da34bd508bb
+  metadata.gz: 6cf554d86cd5cd4d8bbaee896854b57b69345db9d6392f04e5b529a26b0388764aac352faa38ecd0c3bc746ac8fb138429c9d0b7f57077466efffd45410977d8
+  data.tar.gz: f5ff439783e2d6f47af1223df5c1fb279c3d0bb284ed950233f40cecdf7f93a21212987b84e039e1e326cb18c261f2d48d094587d57cc098f2ca886a1bc71233

data/README.md

@@ -135,6 +135,60 @@ Because of this modular approach, NoPassword can be used out of the box for many
 
 NoPassword could be extended to work for other side-channel use cases too like login via SMS, QR code, etc.
 
+## OAuth Authorizations
+
+NoPassword has OAuth controllers that are designed to be the smallest possible integration with providers. To use them, create a controller in your Rails project and inherit from `NoPassword::OAuth::GoogleAuthorizationsController`
+
+```ruby
+# ./app/controllers/google_authorizations_controller.rb
+class GoogleAuthorizationsController < NoPassword::OAuth::GoogleAuthorizationsController
+  CLIENT_ID = ENV["GOOGLE_CLIENT_ID"]
+  CLIENT_SECRET = ENV["GOOGLE_CLIENT_SECRET"]
+  SCOPE = "openid email profile"
+
+  protected
+    # Here's what the callback returns.
+    # {"sub"=>"117509553887278399680",
+    #  "name"=>"Brad Gessler",
+    #  "given_name"=>"Brad",
+    #  "family_name"=>"Gessler",
+    #  "picture"=>"https://lh3.googleusercontent.com/a/AAcHTtcA4Mc7yx4ABlghdRp7GzkssdmccudQu6MhlItL259oTiJs=s96-c",
+    #  "email"=>"brad@example.com",
+    #  "email_verified"=>true,
+    #  "locale"=>"en"}
+    def authorization_succeeded(user_info)
+      user = User.find_or_create_by(email: user_info.fetch("email"))
+      user ||= user_info.fetch("name")
+
+      self.current_user = user
+      redirect_to root_url
+    end
+
+    def authorization_failed
+      # Handle the error, perhaps redirect to a different login screen.
+    end
+end
+```
+
+Then in `routes.rb` add the following:
+
+```ruby
+# ./config/routes.rb
+resource :google_authorization
+```
+
+From your application, you'll need to kick off authorization flows by firing a non-Turbo POST request to `/google_authorization`. In this example, I create a `/google_authorization/new` page that is accessible via a `GET` request. In practice you'd probably make this a partial that you'd include on a `/sign-in` page.
+
+```erb
+<!-- ./app/views/google_authorization/new.html.erb -->
+<h1>Login with Google</h1>
+<% form_tag action: google_authorization_path do %>
+  <%= submit_tag "Login with Google" %>
+<% end %>
+```
+
+Don't forget to login to the Google Developer Console at https://code.google.com/apis/console/ and get your API keys for the ENV vars above and add the `/google_authorization` URL to the domains Google is authorized to redirect back to.
+
 ## Motivations
 
 Understanding why something was created is important to understanding it better.
@@ -149,10 +203,14 @@ The gems I evaluated all did more than I wanted them to:
 
 NoPassword only worries about generating codes and creating a secure environment for end-users to validate the codes.
 
+Additionally, as I was using OmniAuth in my projects to handle OAuth authorizations, I noticed it felt more difficult than it should be, so I started creating OAuth controllers to simplify the process. I've included them here in case you find them useful.
+
 ### Why was it not built on devise, warden, or ominauth?
 
 I initially thought this would make for a great OmniAuth strategy, but quickly realized OmniAuth has a goal of being agnostic to rails and ships Rack middleware. I needed something more integrated into Rails controllers and views so that I could more easily extend in various projects.
 
+Additionally, I found OmniAuth was more difficult to configure for OAuth in Rails than it should be. OmniAuth required a `./config/initializers/omniauth.rb` file that builds a Rack middleware. This Rack middleware then had some hard coded URLs that would be intercepted from Rails, which made it difficult to reason between controller routes and Rack middleware routes. The NoPassword::OAuth controllers solve that problem by having both configuration and logic live in a single controller file.
+
 Devise already has [devise-passwordless](https://rubygems.org/gems/devise-passwordless), but it tries to do too much for my purposes by managing user authorization. I needed something that stopped short of managing user authorization.
 
 ## Contributing

data/app/controllers/nopassword/oauth/google_authorizations_controller.rb

@@ -0,0 +1,93 @@
+module NoPassword
+  class OAuth::GoogleAuthorizationsController < ApplicationController
+    CLIENT_ID = ENV["GOOGLE_CLIENT_ID"]
+    CLIENT_SECRET = ENV["GOOGLE_CLIENT_SECRET"]
+    SCOPE = "openid email profile"
+
+    AUTHORIZATION_URL = URI("https://accounts.google.com/o/oauth2/v2/auth")
+    TOKEN_URL = URI("https://www.googleapis.com/oauth2/v4/token")
+    USER_INFO_URL = URI("https://www.googleapis.com/oauth2/v3/userinfo")
+
+    before_action :validate_state_token, only: :show
+
+    def create
+      redirect_to authorization_url.to_s, allow_other_host: true
+    end
+
+    def show
+      access_token = request_access_token.parse.fetch("access_token")
+      user_info = request_user_info(access_token: access_token).parse
+
+      if user_info.any?
+        Rails.logger.info "Authorization #{self.class} succeeded"
+        authorization_succeeded user_info
+      else
+        Rails.logger.info "Authorization #{self.class} failed"
+        authorization_failed
+      end
+    end
+
+    protected
+      def authorization_succeeded(user_info)
+        redirect_to root_url
+      end
+
+      def authorization_failed
+        raise "Implement authorization_failed to handle failed authorizations", NotImplementedError
+      end
+
+      def validate_state_token
+        state_token = params.fetch(:state)
+        unless valid_authenticity_token?(session, state_token)
+          raise ActionController::InvalidAuthenticityToken, "The state=#{state_token} token is inauthentic."
+        end
+      end
+
+      # Generates the OAuth authorization URL that will redirect the user to the OAuth provider.
+      # A Rails `form_authenticity_token` is used as the `state` parameter to prevent CSRF. The
+      # `callback_url` is where the user is sent back to after authenticating with the OAuth provider.
+      def authorization_url
+        AUTHORIZATION_URL.build.query(
+          client_id: client_id,
+          redirect_uri: callback_url,
+          response_type: "code",
+          scope: scope,
+          state: form_authenticity_token
+        )
+      end
+
+      # Requests an OAuth access token from the OAuth provider. The access token is used for subsequent
+      # requests to gather information like a users name, email, address, or whatever other information
+      # The OAuth provider makes available.
+      def request_access_token
+        HTTP.post(TOKEN_URL, form: {
+          client_id: client_id,
+          client_secret: client_secret,
+          code: params.fetch(:code),
+          grant_type: "authorization_code",
+          redirect_uri: callback_url
+        })
+      end
+
+      def client_id
+        self.class::CLIENT_ID
+      end
+
+      def client_secret
+        self.class::CLIENT_SECRET
+      end
+
+      def scope
+        self.class::SCOPE
+      end
+
+      def request_user_info(access_token:)
+        HTTP.auth("Bearer #{access_token}").get(USER_INFO_URL)
+      end
+
+      # The URL the OAuth provider will redirect the user back to after authenticating.
+      def callback_url
+        url_for(action: :show, only_path: false)
+      end
+  end
+end

data/config/initializers/inflections.rb

@@ -1,3 +1,4 @@
 ActiveSupport::Inflector.inflections(:en) do |inflect|
   inflect.acronym "NoPassword"
+  inflect.acronym "OAuth"
 end

data/lib/nopassword/version.rb

@@ -1,3 +1,3 @@
 module NoPassword
-  VERSION = "0.1.2"
+  VERSION = "0.1.3"
 end

data/lib/nopassword.rb

@@ -1,17 +1,17 @@
-require "nopassword/version"
-require "nopassword/encryptor"
-require "nopassword/random_code_generator"
 require "pathname"
+require "zeitwerk"
 
 module NoPassword
+  Loader = Zeitwerk::Loader.for_gem.tap do |loader|
+    loader.ignore "#{__dir__}/generators"
+    loader.inflector.inflect "nopassword" => "NoPassword"
+    loader.inflector.inflect "oauth" => "OAuth"
+    loader.setup
+  end
+
   def self.root
     Pathname.new(__dir__).join("..")
   end
 end
 
-require "nopassword/engine"
-
-# Blurg, without this require, the inflector won't properly inflect the `nopassword_engine:install:migrations`
-# task from the `rails g install nopassword:install` task.
-require_relative "../config/initializers/inflections.rb"
-
+require "nopassword/engine" if defined? Rails

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: nopassword
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.3
 platform: ruby
 authors:
 - Brad Gessler
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-31 00:00:00.000000000 Z
+date: 2023-09-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 7.0.1
+- !ruby/object:Gem::Dependency
+  name: zeitwerk
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
 - !ruby/object:Gem::Dependency
   name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
@@ -51,6 +65,7 @@ files:
 - Rakefile
 - app/assets/config/nopassword_manifest.js
 - app/controllers/nopassword/email_authentications_controller.rb
+- app/controllers/nopassword/oauth/google_authorizations_controller.rb
 - app/mailers/application_mailer.rb
 - app/mailers/nopassword/email_authentication_mailer.rb
 - app/models/nopassword.rb
@@ -99,7 +114,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
+rubygems_version: 3.4.6
 signing_key:
 specification_version: 4
 summary: Passwordless login to Rails applications via email