nulogy_sso 1.0.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6cdaf701ea9f2d60f83b4997b098083962e749961bcf5333f7233b0d50c7020e
-  data.tar.gz: 85da856cc70b327a5510484e59f4a8c61b243dd7083ef52b76a6c46f2e27ecb9
+  metadata.gz: 025625d2b1b251f2687e574aeebf1739c94ae6a672580f05164ba7e558ba5fdf
+  data.tar.gz: a987372dba2b6fd08ca877118e024e3e7a10eb16f34cac995d8f493c837dbaaa
 SHA512:
-  metadata.gz: b4e3869377c7f1e3f628de5afb6d15ab365daa7b1bc0da8152efe165a809af0ec360abde1c44dbc9c68bef4c5002f27557809fb0e22634d677e19f6e5ab6a452
-  data.tar.gz: 4b0b29196feb44b86d1b6a67e86c06660d4f9ae27563397a0633bb6e4bf5f47ce93050e2c75a98981fade342266c71b894cab789dd5febff678c2a53338d6a6b
+  metadata.gz: 3481d3605b625db5259b08a210932fac512cf45c7d4a4751c8d41e5229044c44711e53eb083693cd4b8c424579c0609c816eba8299fd07acacef82ab90e786fd
+  data.tar.gz: 54008fdb8cfb1fcfa350cd51f00865f09603517feeb33952fc7032f9f90a63b3aa20c73da19e5703fe7132a155d0dedc705927609a8820cf221755762d98cacb

data/README.md

@@ -2,6 +2,9 @@
 
 [![Gem](https://img.shields.io/gem/v/nulogy_sso?label=nulogy_sso)](https://rubygems.org/gems/nulogy_sso "View this project in Rubygems")
 
+## Auth0
+For more information on Auth0 see the [Auth0 documentation](https://auth0.com/docs/flows/concepts/auth-code#how-it-works).
+
 ## Installation
 
 This gem is a Rails Engine. It follows best practices [documented here](https://guides.rubyonrails.org/engines.html).
@@ -28,7 +31,31 @@ get "login", to: redirect("sso/login")
 get "logout", to: redirect("sso/logout")
 ```
 
-The engine now needs to be configured. First create a YAML config file, perhaps named `config/auth_sso.yml`, to configure your app's Auth0 settings. This assumes that the necessary Auth0 applications have been created in the correct Auth0 tenants. The [CPI auth_sso.yml file](https://github.com/nulogy/Common-Platform-Interface/blob/master/config/auth_sso.yml) is a good starting place.
+The engine now needs to be configured. First create a YAML config file, perhaps named `config/auth_sso.yml`, to configure your app's Auth0 settings. This assumes that the necessary Auth0 applications have been created in the correct Auth0 tenants. An example configuration for local development would look like:
+
+```yaml
+default: &default
+  audience: <%= ENV.fetch("SSO_AUDIENCE", "auth.nulogy.net") %>
+  client_id: <%= ENV.fetch("SSO_CLIENT_ID", "SSO CLIENT ID FROM AUTH0") %>
+  client_secret: <%= ENV.fetch("SSO_CLIENT_SECRET", "SSO CLIENT SECRET FROM AUTH0") %>
+  base_uri: <%= ENV.fetch("SSO_BASE_URI", "") %>
+  cookie_prefix: <%= ENV.fetch("SSO_COOKIE_PREFIX", "") %>
+  login_uri: <%= ENV.fetch("SSO_LOGIN_URI", "") %>
+  redirect_uri: <%= ENV.fetch("SSO_REDIRECT_URI", "") %>
+
+development:
+  <<: *default
+  base_uri: <%= ENV.fetch("SSO_BASE_URI", "https://auth-dev.nulogy.net") %>
+  cookie_prefix: <%= ENV.fetch("SSO_COOKIE_PREFIX", "dev") %>
+  login_uri: <%= ENV.fetch("SSO_LOGIN_URI", "http://localhost:3000/sso/validate_authentication_code") %>
+  redirect_uri: <%= ENV.fetch("SSO_REDIRECT_URI", "http://localhost:3000") %>
+
+test:
+  <<: *default
+
+production:
+  <<: *default
+```
 
 With that available, you can configure the engine with an initializer file. This is where _NulogySSO_ can be customized according to your application's needs. Put the below code into `config/initializers/nulogy_sso.rb`, with the appropriate modifications implemented. For `sso_config`, refer to [nulogy_sso.rb](lib/nulogy_sso.rb) for a list of required keys and [sso_config.yml](spec/dummy/config/sso_config.yml) for an example config file.
 
@@ -43,7 +70,12 @@ NulogySSO.find_user_by_email = ->(email) { nil }
 # Handle errors from the SSO authentication flow, according to the app's design.
 # This includes internal errors from the Auth0 gem (ie, token signature mismatch) and no user from the app DB matching the email from the JWT.
 # The controller is passed as an argument to give the handler access to the "controller context", which is useful for tasks such as rendering a view.
-NulogySSO.handle_sso_error = ->(controller) { } 
+NulogySSO.handle_sso_error = ->(controller: , error:) { }
+
+# Handle how unauthenticated requests should be responded to. The default is to redirect to the defined login page.
+# For API based applications this should be overriden to provide a meaningful error as per your API's contract (i.e. an HTTP 401 error code)
+# Additionally, this could be overriden if an application should bypass SSO when running tests. 
+NulogySSO.handle_unauthenticated_request = ->(controller) { controller.redirect_to sso_engine.login_path } 
 ```
 
 The app is now ready to authenticate a user with Auth0! With NulogySSO and Auth0, the user's identity is maintained across requests (and apps!) via a [JWT](https://auth0.com/docs/jwt) stored as a browser cookie. Add this code to the `ApplicationController`:

data/app/controllers/nulogy_sso/authentication_controller.rb

@@ -16,32 +16,32 @@ module NulogySSO
     end
 
     def login
-      raw_access_token = cookies[NulogySSO.sso_cookie_key]
+      raw_access_token = token_store.fetch
 
       authenticator.validate_token(
         raw_access_token,
         on_success: method(:on_authentication_success),
-        on_invalid_token: -> { redirect_to auth0_authorize_path }
+        on_invalid_token: ->(_e) { redirect_to auth0_authorize_path }
       )
     end
 
-    def code
+    def verify_authentication_code
       code = params.require(:code)
       begin
-        raw_access_token = token_response(code)["access_token"]
+        raw_access_token = fetch_token_from_auth0(code)
       rescue Auth0::Exception => e
-        return sso_error
+        return sso_error(e)
       end
 
       authenticator.validate_token(
         raw_access_token,
         on_success: method(:on_authentication_success),
-        on_invalid_token: -> { sso_error }
+        on_invalid_token: ->(e) { sso_error(e) }
       )
     end
 
     def logout
-      cookies.delete(NulogySSO.sso_cookie_key, domain: :all)
+      token_store.forget!
 
       query_params = {
         returnTo: sso_config.redirect_uri, # Yes, this must be camelCased
@@ -54,37 +54,32 @@ module NulogySSO
 
     delegate :sso_config, to: :NulogySSO
 
-    def sso_error
-      NulogySSO.handle_sso_error.call(self)
+    def sso_error(error)
+      NulogySSO.handle_sso_error.call(controller: self, error: error)
     end
 
     def authenticator
       @authenticator ||= Authenticator.new
     end
 
+    def token_store
+      @token_store ||= CookieTokenStore.new(request, response)
+    end
+
     def on_authentication_success(access_token)
-      respond_with_cookies(access_token)
+      token_store.store!(access_token)
 
       redirect_to params["origin"].presence || sso_config.redirect_uri
     end
 
-    def token_response(code)
-      exchange_auth_code_for_tokens(
+    def fetch_token_from_auth0(code)
+      response = exchange_auth_code_for_tokens(
         code,
         redirect_uri: sso_config.login_uri,
         client_id: sso_config.client_id,
         client_secret: sso_config.client_secret
       )
-    end
-
-    def respond_with_cookies(access_token_value)
-      cookies[NulogySSO.sso_cookie_key] = {
-        value: access_token_value,
-        domain: :all,
-        expires: 36_000.seconds, # TODO: Fetch this value from the JWT
-        httponly: true,
-        secure: request.ssl?
-      }
+      response["access_token"]
     end
 
     def auth0_authorize_path

data/app/services/nulogy_sso/authenticator.rb

@@ -10,6 +10,10 @@ module NulogySSO
       jwks_url: "#{NulogySSO.sso_config.base_uri}/.well-known/jwks.json"
     )
 
+    MissingUserError = Class.new(StandardError)
+    MissingTokenError = Class.new(StandardError)
+    InvalidTokenError = Class.new(StandardError)
+
     def initialize(verifier: ACCESS_TOKEN_VERIFIER, find_user_by_email: NulogySSO.find_user_by_email)
       @verifier = verifier
       @find_user_by_email = find_user_by_email
@@ -17,12 +21,13 @@ module NulogySSO
 
     # Validated the provided JWT, ensuring that an authenticated Auth0 user can be associated to the token and matches an existing app user
     def validate_token(raw_access_token, on_success:, on_invalid_token:)
-      access_token = decoded_validated_access_token(raw_access_token)
+      return on_invalid_token.call(MissingTokenError.new) if raw_access_token.blank?
 
-      return on_invalid_token.call if access_token.nil?
+      access_token = decoded_validated_access_token(raw_access_token)
+      return on_invalid_token.call(InvalidTokenError.new(raw_access_token)) if access_token.nil?
 
       user = fetch_user(access_token)
-      return on_invalid_token.call if user.blank?
+      return on_invalid_token.call(MissingUserError.new(access_token)) if user.blank?
 
       on_success.call(access_token)
     end

data/app/services/nulogy_sso/cookie_token_store.rb

@@ -0,0 +1,57 @@
+module NulogySSO
+  # A class for storing the SSO token in cookies
+  #
+  # This uses the Rack level API instead of going through the Rails API because
+  # we have found that for our GraphQL based applications, using the cookiejar API
+  # has not been working. The cookies are not being set correctly, likely because
+  # the requests are resulting in 302 redirects.
+  class CookieTokenStore
+    def initialize(request, response)
+      @request = request
+      @response = response
+    end
+
+    def fetch
+      @request.cookie_jar[NulogySSO.sso_cookie_key]
+    end
+
+    def store!(access_token_value)
+      @response.set_cookie(
+        NulogySSO.sso_cookie_key,
+        value: access_token_value,
+        path: "/",
+        domain: all_domains,
+        expires: 36_000.seconds.from_now, # TODO: Fetch this value from the JWT
+        httponly: true,
+        secure: @request.ssl?
+      )
+    end
+
+    def forget!
+      @response.delete_cookie(
+        NulogySSO.sso_cookie_key,
+        path: "/",
+        domain: all_domains
+      )
+    end
+
+    private
+
+    DOMAIN_REGEXP = /[^.]*\.([^.]*|..\...|...\...)$/
+
+    ##
+    # This is copied from the Rails Cookie Helper at:
+    # https://github.com/rails/rails/blob/6-0-stable/actionpack/lib/action_dispatch/middleware/cookies.rb#L357
+    #
+    # This simulates the same { domain: :all } option which exists for interacting with the cookie jar
+    # even though not all clients will have access to the same cookie jar API (i.e. if you are building
+    # an API controller).
+    def all_domains
+      # If there is a provided tld length then we use it otherwise default domain regexp.
+      domain_regexp = DOMAIN_REGEXP
+      # If host is not ip and matches domain regexp.
+      # (ip confirms to domain regexp so we explicitly check for ip)
+      ".#{$&}" if (@request.host !~ /^[\d.]+$/) && (@request.host =~ domain_regexp)
+    end
+  end
+end

data/config/routes.rb

@@ -1,5 +1,5 @@
 NulogySSO::Engine.routes.draw do
   get "login", to: "authentication#login"
   get "logout", to: "authentication#logout"
-  get "code", to: "authentication#code"
+  get "verify_authentication_code", to: "authentication#verify_authentication_code"
 end

data/lib/nulogy_sso/controller_helper.rb

@@ -11,16 +11,16 @@ module NulogySSO
       # Makes the commonly used @current_user variable available to controllers and views.
       # This emulates a code pattern popular in Rails apps using Devise.
       attr_reader :current_user
-      helper_method :current_user
+      helper_method :current_user if defined?(helper_method)
       before_action :store_previous_url_in_session
     end
 
     def authenticate_sso_user
-      raw_token = cookies[NulogySSO.sso_cookie_key]
-      return redirect_to nulogy_sso.login_path if raw_token.blank?
+      raw_token = CookieTokenStore.new(request, response).fetch
+      return NulogySSO.handle_unauthenticated_request.call(self) if raw_token.blank?
 
       @current_user = Authenticator.new.authenticated_user(raw_token)
-      return redirect_to nulogy_sso.login_path if @current_user.blank?
+      return NulogySSO.handle_unauthenticated_request.call(self) if @current_user.blank?
     end
 
     def store_previous_url_in_session

data/lib/nulogy_sso/test_utilities/auth0_mock.rb

@@ -40,7 +40,7 @@ module NulogySSO
           httpResponse: {
             statusCode: 302,
             headers: {
-              Location: ["#{capybara_current_host}#{engine_path}/code?#{redirect_query_params}"]
+              Location: ["#{capybara_current_host}#{engine_path}/verify_authentication_code?#{redirect_query_params}"]
             }
           }
         )

data/lib/nulogy_sso/version.rb

@@ -1,3 +1,3 @@
 module NulogySSO
-  VERSION = "1.0.0"
+  VERSION = "2.0.0"
 end

data/lib/nulogy_sso.rb

@@ -1,11 +1,13 @@
 # frozen_string_literal: true
 
 require "nulogy_sso/engine"
-require "immutable-struct"
 
 module NulogySSO
   # Config variables for the engine
   mattr_accessor :sso_config, :find_user_by_email, :handle_sso_error
+  mattr_accessor :handle_unauthenticated_request, default: lambda { |controller|
+    controller.redirect_to NulogySSO::Engine.routes.url_helpers.login_path
+  }
 
   # Public Constants
   JWT_EMAIL_KEY = "https://nulogy.net/email"
@@ -32,7 +34,7 @@ module NulogySSO
   ]
   private_constant :REQUIRED_SSO_CONFIG_KEYS
 
-  SSOConfig = ImmutableStruct.new(*REQUIRED_SSO_CONFIG_KEYS)
+  SSOConfig = Struct.new(*REQUIRED_SSO_CONFIG_KEYS, keyword_init: true)
 
   def self.sso_cookie_key
     "#{sso_config.cookie_prefix}_access_token"

data/spec/dummy/app/controllers/api_controller.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+# This controller is essential for running Capybara feature tests against the NulogySSO engine
+class ApiController < ActionController::API
+  include NulogySSO::ControllerHelper
+
+  before_action :authenticate_sso_user
+
+  def api_endpoint
+    render json: {text: "Hello World"}
+  end
+end

data/spec/dummy/config/application.rb

@@ -35,7 +35,7 @@ module Dummy
     # These functions are mostly used for testing.
     NulogySSO.sso_config = config_for(:sso)
     NulogySSO.find_user_by_email = ->(email) { User.find_by(email: email) }
-    NulogySSO.handle_sso_error = ->(controller) { controller.render plain: "An SSO error has occurred :(" }
+    NulogySSO.handle_sso_error = ->(controller:, **) { controller.render plain: "An SSO error has occurred :(" }
   end
 end
 

data/spec/dummy/config/routes.rb

@@ -3,4 +3,5 @@ Rails.application.routes.draw do
 
   # Essential for Capybara feature tests
   get "/hello_world", to: "application#hello_world"
+  get "/api_endpoint", to: "api#api_endpoint"
 end

data/spec/features/nulogy_sso/sso_login_spec.rb

@@ -74,6 +74,44 @@ module NulogySSO
       end
     end
 
+    describe "authenticated APIs" do
+      let!(:user) { create_user }
+
+      before do
+        auth0_mock.mockserver_reset
+        auth0_mock.setup_jwks
+
+        # have to visit an unauthenticated endpoint in order for capybara to have something to have a tab to set the cookie on
+        visit "/robots.txt"
+      end
+
+      it "allows a user with a valid JWT to visit a secured endpoint" do
+        set_access_token_cookie(jwt_test_helper.jwt(email))
+
+        visit "/api_endpoint"
+
+        expect(page).to have_content("Hello World")
+      end
+
+      it "prevents sessions with invalid JWTs from accessing secured endpoints" do
+        set_access_token_cookie(jwt_test_helper.jwt(email, "exp" => (Time.now - 1.day).to_i))
+
+        visit "/api_endpoint"
+
+        expect(current_path).to eq("/authorize")
+      end
+
+      it "prevents sessions with no JWT from accessing secured endpoints" do
+        visit "/api_endpoint"
+
+        expect(current_path).to eq("/authorize")
+      end
+
+      def set_access_token_cookie(token)
+        page.driver.browser.manage.add_cookie(name: NulogySSO.sso_cookie_key, value: token)
+      end
+    end
+
     def create_user
       User.create!(email: email)
     end

data/spec/integration/services/nulogy_sso/authenticator_spec.rb

@@ -25,7 +25,7 @@ module NulogySSO
       it "calls on_invalid_token when the access token is blank" do
         [nil, "", false].each(&method(:validate_token))
 
-        expect(on_invalid_token).to have_received(:call).exactly(3).times
+        expect(on_invalid_token).to have_received(:call).exactly(3).times.with(NulogySSO::Authenticator::MissingTokenError)
       end
 
       context "JWT passes verification" do
@@ -43,7 +43,7 @@ module NulogySSO
 
           validate_token(valid_signed_token, authenticator: authenticator)
 
-          expect(on_invalid_token).to have_received(:call).once
+          expect(on_invalid_token).to have_received(:call).once.with(NulogySSO::Authenticator::MissingUserError)
         end
       end
 
@@ -51,7 +51,7 @@ module NulogySSO
         it "calls the invalid token handler" do
           validate_token(invalid_signed_token)
 
-          expect(on_invalid_token).to have_received(:call).once
+          expect(on_invalid_token).to have_received(:call).once.with(NulogySSO::Authenticator::InvalidTokenError)
         end
       end
 

data/spec/integration/services/nulogy_sso/cookie_token_store_spec.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module NulogySSO
+  RSpec.describe CookieTokenStore do
+    let(:request) { double(host: "some_app.nulogy.net", ssl?: false) }
+    let(:response) { double(set_cookie: spy, delete_cookie: spy) }
+
+    subject(:token_store) { CookieTokenStore.new(request, response) }
+
+    before do
+      freeze_time
+    end
+
+    it "extracts the top level domain from a domain name" do
+      allow(request).to receive(:host).and_return("some.app.nulogy.net")
+      token_store.store!("anything")
+      expect(response).to have_received(:set_cookie).with(anything, hash_including(domain: ".nulogy.net"))
+    end
+
+    it "stores the cookie value with the correct settings" do
+      token_store.store!("cookie value")
+
+      expect(response).to have_received(:set_cookie).with(
+        "mock_cookie_prefix_access_token",
+        value: "cookie value",
+        path: "/",
+        domain: ".nulogy.net",
+        expires: 36_000.seconds.from_now,
+        httponly: true,
+        secure: false
+      )
+    end
+
+    it "deletes the cookie matching the path, domain and key" do
+      token_store.forget!
+
+      expect(response).to have_received(:delete_cookie).with(
+        "mock_cookie_prefix_access_token",
+        path: "/",
+        domain: ".nulogy.net",
+      )
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+require 'active_support/testing/time_helpers'
 
 # See http://rubydoc.info/gems/rspec-core/RSpec/Core/Configuration
 RSpec.configure do |config|
@@ -40,4 +41,6 @@ RSpec.configure do |config|
 
   # Seed global randomization in this process using the `--seed` CLI option.
   Kernel.srand config.seed
+
+  config.include ActiveSupport::Testing::TimeHelpers
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: nulogy_sso
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Nulogy Corporation
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-09-30 00:00:00.000000000 Z
+date: 2019-10-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: auth0
@@ -38,20 +38,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.0.2
-- !ruby/object:Gem::Dependency
-  name: immutable-struct
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.4'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.4'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -167,6 +153,7 @@ files:
 - Rakefile
 - app/controllers/nulogy_sso/authentication_controller.rb
 - app/services/nulogy_sso/authenticator.rb
+- app/services/nulogy_sso/cookie_token_store.rb
 - config/initializers/inflections.rb
 - config/routes.rb
 - lib/nulogy_sso.rb
@@ -183,6 +170,7 @@ files:
 - spec/dummy/app/assets/stylesheets/application.css
 - spec/dummy/app/channels/application_cable/channel.rb
 - spec/dummy/app/channels/application_cable/connection.rb
+- spec/dummy/app/controllers/api_controller.rb
 - spec/dummy/app/controllers/application_controller.rb
 - spec/dummy/app/helpers/application_helper.rb
 - spec/dummy/app/jobs/application_job.rb
@@ -327,6 +315,7 @@ files:
 - spec/feature_spec_helper.rb
 - spec/features/nulogy_sso/sso_login_spec.rb
 - spec/integration/services/nulogy_sso/authenticator_spec.rb
+- spec/integration/services/nulogy_sso/cookie_token_store_spec.rb
 - spec/rails_helper.rb
 - spec/spec_helper.rb
 - spec/support/mock_auth0_verifier.rb
@@ -341,7 +330,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -358,6 +347,7 @@ test_files:
 - spec/dummy/app/models/user.rb
 - spec/dummy/app/jobs/application_job.rb
 - spec/dummy/app/controllers/application_controller.rb
+- spec/dummy/app/controllers/api_controller.rb
 - spec/dummy/app/views/layouts/application.html.erb
 - spec/dummy/app/assets/config/manifest.js
 - spec/dummy/app/assets/javascripts/application.js
@@ -502,6 +492,7 @@ test_files:
 - spec/dummy/tmp/cache/assets/sprockets/v3.0/qj/qjq5Ug3S2i5pydfGSIfUa7Y0s8s0FwqXzt0kkFijToI.cache
 - spec/examples.txt
 - spec/integration/services/nulogy_sso/authenticator_spec.rb
+- spec/integration/services/nulogy_sso/cookie_token_store_spec.rb
 - spec/features/nulogy_sso/sso_login_spec.rb
 - spec/support/mock_auth0_verifier.rb
 - spec/feature_spec_helper.rb