oauth_im 0.7.0 → 0.7.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 49173e12b6a9dd53124b3ecb56a5f71411a819daacd7a1d2e914dd911e4157a1
-  data.tar.gz: 1c7e47395be3b93a95604aa880cacc2f84edf6d45cd516e0e036e86068d67feb
+  metadata.gz: f4b28f51bcd7b2893dd52780a267678fab317eb70feefa6d3ab9d714cad45834
+  data.tar.gz: c605bb66ede19ea12e1e124f12164d3cee63358d24a0bd0971693732e96b380f
 SHA512:
-  metadata.gz: b376f8f3b03157df81d18c56d34dd9c9f58d4f5577a308ad75fb709e02ed0b6dbec3d51f9733ad2897402b9bfe2d0c5fed639e861c25a80975dc89db1a3abd4a
-  data.tar.gz: c81f6b6aad610aa99f800f00023c0478e25b39afb56abcf8dbedd9affe08a2fdd16cd4ee5101d2c896d5243b8d2996d6311b3d9accd69626c2df354a8c6d1d9a
+  metadata.gz: a61461548d89152f21df67bdafc810ff7e38826e070a61185a5b557c28c42d3477fc92acf1de2e256d0a6349a1a8c6923248bda1586c7303fe5f77aa5d1a2c4f
+  data.tar.gz: 3c4db160ded76f36e56ed22791f404741b43cc1b204c8221f09852c0ab3ca71b7c9cbd0ed28a5a0d298b7d855becc841efb768e5578359057db8d8cc062208d3

data/README.md

@@ -23,29 +23,47 @@ Once the gem is installed, add an initializer. Here is an example:
 # config/initializers/oauth_im.rb
 module OauthIm
   configure do |config|
-    config.api_key       = ENV['FUSION_AUTH_API_KEY']
-    config.callback_path = ENV['FUSION_CALLBACK_PATH'] || DEFAULT_CALLBACK_PATH
-    config.client_id     = ENV['FUSION_AUTH_CLIENT_ID']
-    config.client_secret = ENV['FUSION_AUTH_CLIENT_SECRET']
-    config.domain        = ENV['FUSION_AUTH_DOMAIN']
-    config.hmac          = ENV['FUSION_AUTH_HMAC']
-    config.iss_domain    = ENV['FUSION_AUTH_ISS_DOMAIN']
-    config.tenant_id     = ENV['FUSION_AUTH_TENANT_ID']
-    config.authorize_url = ENV['FUSION_AUTH_AUTHORIZE_URL'] || DEFAULT_AUTHORIZE_URL
-    config.token_url     = ENV['FUSION_AUTH_TOKEN_URL']     || DEFAULT_TOKEN_URL
+    #####################################
+    # these routes are local to the app #
+    #####################################
+    config.authorize_url  = ENV.fetch 'FUSION_AUTH_AUTHORIZE_URL', DEFAULT_AUTHORIZE_URL
+    config.callback_route = ENV.fetch 'FUSION_CALLBACK_ROUTE',     DEFAULT_CALLBACK_ROUTE
+    config.token_url      = ENV.fetch 'FUSION_AUTH_TOKEN_URL',     DEFAULT_TOKEN_URL
+
+    ##############################################
+    # identity provider url (e.g., fusion auth): #
+    ##############################################
+    config.idp_url        = ENV.fetch 'FUSION_AUTH_IDP_URL',       DEFAULT_IDP_URL
+
+    ################################################
+    # Issuer domain: find on FA tenant General tab #
+    ################################################
+    config.iss_domain     = ENV.fetch 'FUSION_AUTH_ISS_DOMAIN',    DEFAULT_ISS_DOMAIN
+
+    ###############################
+    # on FA application OAuth tab #
+    ###############################
+    config.client_id      = ENV['FUSION_AUTH_CLIENT_ID']
+    config.client_secret  = ENV['FUSION_AUTH_CLIENT_SECRET']
+
+    ###################################################################################
+    # View default signing key: https://illustrativemath-dev.fusionauth.io/admin/key/ #
+    ###################################################################################
+    config.hmac           = ENV['FUSION_AUTH_HMAC']
   end
 end
 ```
 
 * The `ENV` variable values can be obtained from the OAuth provider.
-* The `callback_path` setting is used in two related ways:
+* Here is [an article at FusionAuth](https://fusionauth.io/blog/2020/12/14/how-to-securely-implement-oauth-rails) describing many of these settings.
+* The `callback_route` setting is used in two related ways:
   * It [defines a route](https://github.com/illustrativemathematics/oauth_im/blob/main/config/routes.rb#L4) to the [`OAuthIm::ClientController#callback`
     action](https://github.com/illustrativemathematics/oauth_im/blob/main/app/controllers/oauth_im/client_controller.rb#L7-L12).
   * It defines a [callback URL](https://github.com/illustrativemathematics/oauth_im/blob/main/app/controllers/oauth_im/client_controller.rb#L69) used by the OAuth provider.
 * Note that this callback URL must be whitelisted at the provider.
   At FusionAuth, this is done under the `Applications|OAuth` tab.
   * For instance, for the app `staging-kh-iiab.herokuapp.com`, if
-    `config.callback_path` is set to `callback` (the default), then
+    `config.callback_route` is set to `callback` (the default), then
     the URL `https://staging-kh-iiab.herokuapp.com/oauth_im/callback`
     must be entered in the OAuth provider's list of authorized
     redirect URLs.
@@ -55,9 +73,9 @@ end
 The engine provides [two endpoints](https://github.com/illustrativemathematics/oauth_im/blob/main/config/routes.rb#L5-L6) for logging in and out, and exposes
 corresponding view helpers. These are accessible from the main app as:
 
-| path | url |
-|------|-----|
-| `oauth_im.login_path` | `oauth_im.login_url` |
+| path                   | url                   |
+|------------------------|-----------------------|
+| `oauth_im.login_path`  | `oauth_im.login_url`  |
 | `oauth_im.logout_path` | `oauth_im.logout_url` |
 
 * Note that the helpers are namespaced to the engine.
@@ -125,6 +143,15 @@ After many false starts, this repo includes two (seemingly functional) github wo
 
 ## Version History
 
+### 0.7.3
+* Cleaned up configuration
+
+### 0.7.2
+* Using :http protocol in tests (not https)
+
+### 0.7.1
+* Improving separation of concerns by way of a separate service object to manage oauth client.
+
 ### 0.6.0
 * Remove coupling between gem and `iiab` app via the `AppContext`
   module. Added default `AppContext` settings to be overridden in

data/app/controllers/oauth_im/client_controller.rb

@@ -5,72 +5,46 @@ require 'oauth2'
 module OauthIm
   class ClientController < OauthIm::ApplicationController
     def callback
-      session[:user_jwt] = { value: decoded_token, httponly: true }
+      session[:user_jwt] = user_jwt
       redirect_to main_app.root_path
     rescue StandardError
       head :forbidden
     end
 
     def login
-      redirect_to oauth_client.auth_code.authorize_url
+      redirect_to oauth_client.login_url
     end
 
     def logout
       reset_session
-      redirect_to logout_uri
+      redirect_to logout_url
     end
 
     def local_login
-      raise 'Disallowed' if Rails.env.production?
+      head :forbidden if Rails.env.production?
 
-      session[:userinfo] = { info: { email: 'local_login@example.com' } }
-      redirect_back(fallback_location: main_app.root_path)
+      session[:userinfo] = local_login_userinfo
+      redirect_back fallback_location: main_app.root_path
     end
 
     def local_logout
+      head :forbidden if Rails.env.production?
+
       reset_session
-      redirect_back(fallback_location: main_app.root_path)
+      redirect_back fallback_location: main_app.root_path
     end
 
     private
 
-    def logout_uri
-      @logout_uri ||= "#{configuration.domain}/oauth2/logout" \
-                      "?post_logout_redirect_uri=#{post_logout_redirect_uri}" \
-                      "&client_id=#{configuration.client_id}"
-    end
-
-    def post_logout_redirect_uri
-      @post_logout_redirect_uri ||= params[:return_to]
-    end
-
-    def decoded_token
-      @decoded_token ||= TokenDecoder.new(access_token, oauth_client.id).decode
-    end
-
-    def access_token
-      @access_token ||= response_hash[:access_token]
-    end
-
-    def response_hash
-      @response_hash ||= auth_code.get_token(params[:code]).to_hash
-    end
-
-    def auth_code
-      @auth_code ||= oauth_client.auth_code
-    end
+    delegate :logout_url, :user_jwt,
+             to: :oauth_client
 
     def oauth_client
-      @oauth_client = ::OAuth2::Client.new configuration.client_id,
-                                           configuration.client_secret,
-                                           authorize_url: configuration.authorize_url,
-                                           site: configuration.domain,
-                                           token_url: configuration.token_url,
-                                           redirect_uri: callback_url
+      @oauth_client ||= OauthIm::Client.new request: request
     end
 
-    def configuration
-      OauthIm.configuration
+    def local_login_userinfo
+      { info: { email: 'local_login@example.com' } }.freeze
     end
   end
 end

data/app/helpers/oauth_im/application_helper.rb

@@ -1,4 +1,5 @@
+# frozen_string_literal: true
+
 module OauthIm
-  module ApplicationHelper
-  end
+  module ApplicationHelper; end
 end

data/app/services/oauth_im/client.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+module OauthIm
+  class Client
+    attr_reader :request
+
+    def initialize(request:)
+      @request = request
+    end
+
+    def login_url
+      @login_url ||= auth_code.authorize_url
+    end
+
+    def logout_url
+      @logout_url ||= "#{idp_url}/oauth2/logout" \
+                      "?post_logout_redirect_uri=#{return_to_url}" \
+                      "&client_id=#{client_id}"
+    end
+
+    def user_jwt
+      @user_jwt ||= { value: decoded_token, httponly: httponly? }
+    end
+
+    private
+
+    delegate :host_with_port, :params, to: :request
+    delegate :configuration, to: OauthIm
+    delegate :authorize_url, :token_url, :idp_url, :client_id, :client_secret,
+             to: :configuration
+    delegate :auth_code, to: :oauth_client
+
+    def httponly?
+      true
+    end
+
+    def return_to_url
+      @return_to_url ||= params.fetch :return_to
+    end
+
+    def redirect_url
+      @redirect_url ||=
+        Engine.routes.url_helpers.callback_url callback_url_params
+    end
+
+    def callback_url_params
+      @callback_url_params ||= { host: host_with_port,
+                                 protocol: protocol }.freeze
+    end
+
+    def protocol
+      @protocol ||= Rails.env.test? ? :http : :https
+    end
+
+    def decoded_token
+      @decoded_token ||= TokenDecoder.new(access_token, oauth_client.id).decode
+    end
+
+    def access_token
+      @access_token ||= response_hash[:access_token]
+    end
+
+    def oauth_client
+      @oauth_client ||= ::OAuth2::Client.new client_id,
+                                             client_secret,
+                                             authorize_url: authorize_url,
+                                             site: idp_url,
+                                             token_url: token_url,
+                                             redirect_uri: redirect_url
+    end
+
+    def response_hash
+      @response_hash ||= auth_code.get_token(params[:code]).to_hash
+    end
+  end
+end

data/app/services/oauth_im/token_decoder.rb

@@ -6,7 +6,7 @@ module OauthIm
   class TokenDecoder
     attr_reader :token, :aud
 
-    DECODE_ALGORITHM = 'HS256'
+    DEFAULT_DECODE_ALGORITHM = 'HS256'
 
     def initialize(token, aud)
       @token = token
@@ -19,20 +19,31 @@ module OauthIm
 
     private
 
-    def configuration
-      @configuration ||= OauthIm.configuration
-    end
+    delegate :configuration, to: OauthIm
+    delegate :hmac, :iss_domain, to: :configuration
 
     def decoded_token
-      @decoded_token ||= JWT.decode token, configuration.hmac, true, decode_params
+      @decoded_token ||= JWT.decode token, hmac, true, decode_params
+    end
+
+    def decode_algorithm
+      DEFAULT_DECODE_ALGORITHM
+    end
+
+    def verify_iss?
+      true
+    end
+
+    def verify_aud?
+      true
     end
 
     def decode_params
-      @decode_params ||= { verify_iss: true,
-                           iss: configuration.iss_domain,
-                           verify_aud: true,
+      @decode_params ||= { verify_iss: verify_iss?,
+                           iss: iss_domain,
+                           verify_aud: verify_aud?,
                            aud: aud,
-                           algorithm: DECODE_ALGORITHM }.freeze
+                           algorithm: decode_algorithm }.freeze
     end
   end
 end

data/config/initializers/app_context.rb

@@ -9,15 +9,21 @@ module AppContext
     @authenticated_for_specs
   end
 
-  def self.authenticate_for_specs(current_user: nil)
-    @current_user = current_user
-    @authenticated_for_specs = true
-    yield
-    @authenticated_for_specs = false
-    @current_user = nil
+  def self.privileged?
+    @privileged
   end
 
   def self.current_user
     @current_user
   end
+
+  def self.authenticate_for_specs(current_user: nil, privileged: false)
+    @authenticated_for_specs = true
+    @current_user            = current_user
+    @privileged              = privileged
+    yield
+    @privileged              = false
+    @current_user            = nil
+    @authenticated_for_specs = false
+  end
 end

data/config/routes.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 OauthIm::Engine.routes.draw do
-  get OauthIm.callback_path, to: 'client#callback'
+  get OauthIm.callback_route, to: 'client#callback'
   get 'login', to: 'client#login'
   get 'logout', to: 'client#logout'
 

data/lib/oauth_im/configuration.rb

@@ -1,17 +1,21 @@
 # frozen_string_literal: true
 
+########################################################################################
+# edc: see https://fusionauth.io/blog/2020/12/14/how-to-securely-implement-oauth-rails #
+########################################################################################
+
 module OauthIm
   CONFIGURABLE_FIELDS =
-    %i[api_key
-       authorize_url
-       callback_path
-       client_id
-       client_secret
-       domain
-       hmac
-       iss_domain
-       tenant_id
-       token_url].freeze
+    %i[
+      authorize_url
+      callback_route
+      token_url
+      idp_url
+      iss_domain
+      client_id
+      client_secret
+      hmac
+    ].freeze
 
   class Configuration
     attr_reader(* CONFIGURABLE_FIELDS)

data/lib/oauth_im/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OauthIm
-  VERSION = '0.7.0'
+  VERSION = '0.7.3'
 end

data/lib/oauth_im.rb

@@ -1,13 +1,19 @@
 # frozen_string_literal: true
 
+########################################################################################
+# edc: see https://fusionauth.io/blog/2020/12/14/how-to-securely-implement-oauth-rails #
+########################################################################################
+
 require 'oauth_im/version'
 require 'oauth_im/engine'
 require 'oauth_im/configuration'
 
 module OauthIm
-  DEFAULT_AUTHORIZE_URL = '/oauth2/authorize'
-  DEFAULT_TOKEN_URL     = '/oauth2/token'
-  DEFAULT_CALLBACK_PATH = 'callback'
+  DEFAULT_AUTHORIZE_URL  = '/oauth2/authorize'
+  DEFAULT_CALLBACK_ROUTE = 'callback'
+  DEFAULT_TOKEN_URL      = '/oauth2/token'
+  DEFAULT_IDP_URL        = 'https://illustrativemath-dev.fusionauth.io'
+  DEFAULT_ISS_DOMAIN     = 'illustrativemathematics.org'
 
   class << self
     attr_reader :configuration
@@ -22,7 +28,7 @@ module OauthIm
     end
   end
 
-  def self.callback_path
-    configuration&.callback_path || DEFAULT_CALLBACK_PATH
+  def self.callback_route
+    configuration&.callback_route || DEFAULT_CALLBACK_ROUTE
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: oauth_im
 version: !ruby/object:Gem::Version
-  version: 0.7.0
+  version: 0.7.3
 platform: ruby
 authors:
 - Eric Connally
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-05-04 00:00:00.000000000 Z
+date: 2022-05-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -125,6 +125,7 @@ files:
 - app/controllers/oauth_im/application_controller.rb
 - app/controllers/oauth_im/client_controller.rb
 - app/helpers/oauth_im/application_helper.rb
+- app/services/oauth_im/client.rb
 - app/services/oauth_im/token_decoder.rb
 - app/views/layouts/oauth_im/application.html.erb
 - config/initializers/app_context.rb