oauth_im 0.7.3 → 0.8.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f4b28f51bcd7b2893dd52780a267678fab317eb70feefa6d3ab9d714cad45834
-  data.tar.gz: c605bb66ede19ea12e1e124f12164d3cee63358d24a0bd0971693732e96b380f
+  metadata.gz: 8208d820c7e100554ecce30e7059fd4d082679a90875a6345a19cb072c010f2c
+  data.tar.gz: 4210b53980b4d73a75bd4a48ec5318d2369e22e7d3db15253b5d706dd4c46821
 SHA512:
-  metadata.gz: a61461548d89152f21df67bdafc810ff7e38826e070a61185a5b557c28c42d3477fc92acf1de2e256d0a6349a1a8c6923248bda1586c7303fe5f77aa5d1a2c4f
-  data.tar.gz: 3c4db160ded76f36e56ed22791f404741b43cc1b204c8221f09852c0ab3ca71b7c9cbd0ed28a5a0d298b7d855becc841efb768e5578359057db8d8cc062208d3
+  metadata.gz: 38d9767641f6b8b691cfc1ceaabac18db7bfdade8f04d4110d669c3c5b48f9e0a501931c859650d7976f458225233e97eb475f92b8dcb2ca9b2b66488c596cfc
+  data.tar.gz: 2ed159a29e9164d3aec610e20559a65fe6386e065945b942f7b1dded21a4aac0bc7f38ac2333b2a0a529134273286700dff636a65ba75518ee1586cd677ff0cb

data/README.md

@@ -40,16 +40,23 @@ module OauthIm
     ################################################
     config.iss_domain     = ENV.fetch 'FUSION_AUTH_ISS_DOMAIN',    DEFAULT_ISS_DOMAIN
 
-    ###############################
-    # on FA application OAuth tab #
-    ###############################
+    ####################################
+    # find on FA application OAuth tab #
+    ####################################
     config.client_id      = ENV['FUSION_AUTH_CLIENT_ID']
     config.client_secret  = ENV['FUSION_AUTH_CLIENT_SECRET']
 
-    ###################################################################################
-    # View default signing key: https://illustrativemath-dev.fusionauth.io/admin/key/ #
-    ###################################################################################
+    #################################################################################
+    # 1. Find signing key name on the app details name.                             #
+    # 2. Look up the key (by name) under Key Master tab under Settings:             #
+    #    https://illustrativemath-dev.fusionauth.io/admin/key/                      #
+    # 3. The key should be either HMAC or RSA.                                      #
+    #   - If HMAC, view the Secret under Details. You will need to click to reveal. #
+    #   - If RSA, copy the PEM encoded public key as-is.                            #
+    # Note: You don't need both keys --- TokenDecoder will use the one available.   #
+    #################################################################################
     config.hmac           = ENV['FUSION_AUTH_HMAC']
+    config.rsa_public     = ENV['FUSION_AUTH_RSA_PUBLIC]
   end
 end
 ```
@@ -104,12 +111,16 @@ end
 ### Initializer
 * The gem provides a single initializer, `AppContext`.
 * This module is **not** name-spaced.
-* It provides a single method, `provide_authentication?`, which by
-  default is `true`.
-* Client apps can override this initializer method.
+
+#### Methods
+* `AppContext#provide_authentication?` method defaults to `true` and
+  can be overridden as required.
   * For example, `iiab` overrides this initializer so that the
-    `provide_authentication?` method returns `false` unless the app is
-    `kh_iiab` (not `demo_im`).
+    `provide_authentication?` method returns `false` unless the app
+    is `kh_iiab` (not `demo_im`).
+* `AppContext#privileged?` defaults to `nil` and can be overridden as required.
+* `AppContext#authenticate_for_specs` offers a way to mock
+  authentication and privilege in specs. It accepts a block.
 
 ## Gem Maintenance
 After many false starts, this repo includes two (seemingly functional) github workflows.
@@ -143,6 +154,16 @@ After many false starts, this repo includes two (seemingly functional) github wo
 
 ## Version History
 
+### 0.8.1
+* Tightened up test environment helpers.
+
+### 0.8.0
+* Allow RSA signing keys in addition to HMAC.
+  This is because Terraform creates RSA keys during runs.
+
+### 0.7.4
+* Use https protocol for callback in production; http otherwise
+
 ### 0.7.3
 * Cleaned up configuration
 

data/app/controllers/concerns/oauth_im/authenticable.rb

@@ -35,13 +35,9 @@ module OauthIm
     def current_user
       @current_user ||=
         if user_jwt.present?
-          if email_verified?
-            email
-          else
-            head :forbidden
-          end
-        else
-          AppContext.current_user
+          email if email_verified?
+        elsif Rails.env.test?
+          AppContext.spec_user
         end
     end
 

data/app/controllers/oauth_im/client_controller.rb

@@ -7,8 +7,6 @@ module OauthIm
     def callback
       session[:user_jwt] = user_jwt
       redirect_to main_app.root_path
-    rescue StandardError
-      head :forbidden
     end
 
     def login

data/app/services/oauth_im/client.rb

@@ -49,7 +49,7 @@ module OauthIm
     end
 
     def protocol
-      @protocol ||= Rails.env.test? ? :http : :https
+      @protocol ||= Rails.env.production? ? :https : :http
     end
 
     def decoded_token

data/app/services/oauth_im/token_decoder.rb

@@ -20,14 +20,30 @@ module OauthIm
     private
 
     delegate :configuration, to: OauthIm
-    delegate :hmac, :iss_domain, to: :configuration
+    delegate :hmac, :rsa_public, :iss_domain, to: :configuration
 
     def decoded_token
-      @decoded_token ||= JWT.decode token, hmac, true, decode_params
+      @decoded_token ||= JWT.decode token, key, verify?, decode_params
     end
 
-    def decode_algorithm
-      DEFAULT_DECODE_ALGORITHM
+    def decode_using_hmac?
+      hmac.present?
+    end
+
+    def key
+      @key ||= decode_using_hmac? ? hmac : rsa_public_key
+    end
+
+    def rsa_public_key
+      @rsa_public_key ||= OpenSSL::PKey::RSA.new rsa_public
+    end
+
+    def algorithm
+      @algorithm ||= decode_using_hmac? ? 'HS256' : 'RS256'
+    end
+
+    def verify?
+      true
     end
 
     def verify_iss?
@@ -43,7 +59,7 @@ module OauthIm
                            iss: iss_domain,
                            verify_aud: verify_aud?,
                            aud: aud,
-                           algorithm: decode_algorithm }.freeze
+                           algorithm: algorithm }.freeze
     end
   end
 end

data/config/initializers/app_context.rb

@@ -5,25 +5,28 @@ module AppContext
     true
   end
 
-  def self.authenticated_for_specs?
-    @authenticated_for_specs
+  def self.privileged?
+    @privileged if provide_authentication?
   end
 
-  def self.privileged?
-    @privileged
+  def self.spec_user
+    @spec_user if Rails.env.test? && provide_authentication?
   end
 
-  def self.current_user
-    @current_user
+  def self.authenticated_for_specs?
+    @authenticated_for_specs if Rails.env.test? && provide_authentication?
   end
 
-  def self.authenticate_for_specs(current_user: nil, privileged: false)
+  def self.authenticate_for_specs(spec_user: nil, privileged: false)
+    return unless provide_authentication?
+    raise 'Use only in test environment!!' unless Rails.env.test?
+
     @authenticated_for_specs = true
-    @current_user            = current_user
+    @spec_user               = spec_user
     @privileged              = privileged
     yield
     @privileged              = false
-    @current_user            = nil
+    @spec_user               = nil
     @authenticated_for_specs = false
   end
 end

data/lib/oauth_im/configuration.rb

@@ -15,6 +15,7 @@ module OauthIm
       client_id
       client_secret
       hmac
+      rsa_public
     ].freeze
 
   class Configuration

data/lib/oauth_im/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OauthIm
-  VERSION = '0.7.3'
+  VERSION = '0.8.1'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: oauth_im
 version: !ruby/object:Gem::Version
-  version: 0.7.3
+  version: 0.8.1
 platform: ruby
 authors:
 - Eric Connally
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-05-24 00:00:00.000000000 Z
+date: 2022-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt