RubyGems - omniauth-krystal - Versions diffs - 1.1.3 → 1.3.0 - Mend

omniauth-krystal 1.1.3 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/lib/omniauth/krystal/initiated_login_middleware.rb +91 -0
data/lib/omniauth/krystal/signing_keys.rb +54 -0
data/lib/omniauth/krystal/version.rb +1 -6
data/lib/omniauth/strategies/krystal.rb +21 -4
data/lib/omniauth-krystal.rb +1 -0
metadata +32 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f64140c4b23240abc668a188f8a6ea105859459f097cfb2aa99db58ef527e20b
-  data.tar.gz: 7c157cc63737b8ca5f2d96261f0724adf195921c35477cf6d6bbedd0993abd1c
+  metadata.gz: ff1b48f554292417ddac46a620f11567455881410467ab639f74fa5eb87e2628
+  data.tar.gz: 0dfc2595766ef70626614953fcd08539dbe594e457ed5fcdc8efb336f5f1fce9
 SHA512:
-  metadata.gz: 8a2f572a95e3f70fd85c5441253ad44fac34c6ece74e90ab61ae02f4171d8f925c019d683e9c833d56de36c1a743af3eb00fdd7ee61f72c358da69cbf450a121
-  data.tar.gz: 606e3760ab86c72f57df206a93624a1d48b7a666714dcd8199a20befd5bc56d5eab1a2e746f21704e9034d95ed5ffafb0d0e731c5a4a1fe776bfd49713e921c6
+  metadata.gz: 95ed948cb99326e1b8917b06ce87d25133570d1162206eac4310975e7271b033f7b4e7a734a86a6a9949d2e06737e84c77b14fc841ea58f76a5bc703e509d1b8
+  data.tar.gz: 2970ce91eaa7e31c94a877f734fe5413ad21b1f5166c7c3628b7a1b0489315088c776b50e6b3fd0bf367db7928fa1ea63d58521661567954fdfa195bedfe5106

data/lib/omniauth/krystal/initiated_login_middleware.rb ADDED Viewed

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+require 'jwt'
+require 'omniauth/krystal/signing_keys'
+module OmniAuth
+  module Krystal
+    class InitiatedLoginMiddleware
+      class Error < StandardError
+      end
+      class JWTDecodeError < Error
+      end
+      class JWTExpiredError < Error
+      end
+      class AntiReplayTokenAlreadyUsedError < Error
+      end
+      def initialize(app, options = {})
+        @app = app
+        @options = options
+        @options[:provider_name] ||= 'krystal'
+        @options[:identity_url] ||= ENV.fetch('KRYSTAL_IDENTITY_URL', 'https://identity.k.io')
+        @options[:anti_replay_expiry_seconds] ||= 60
+        @keys = SigningKeys.new("#{@options[:identity_url]}/.well-known/signing.json")
+      end
+      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/AbcSize
+      def call(env)
+        unless env['PATH_INFO'] == "/auth/#{@options[:provider_name]}/callback"
+          # If it's not a Krystal Identity auth callback then we don't
+          # need to do anything here.
+          return @app.call(env)
+        end
+        request = Rack::Request.new(env)
+        state = request.params['state']
+        if state.nil? || !state.start_with?('kidil_')
+          # Return to the app if the state is not a Krystal Identity
+          # initiated login.
+          return @app.call(env)
+        end
+        # Decode the JWT and ensure that the state is valid. JWT will check
+        # the expiry.
+        data = nil
+        begin
+          data, = JWT.decode(state.sub(/\Akidil_/, ''), nil, true, { algorithm: 'ES256', jwks: @keys })
+        rescue JWT::ExpiredSignature
+          raise JWTExpiredError, 'State parameter has expired'
+        rescue JWT::DecodeError
+          raise JWTDecodeError,
+                'Invalid state parameter provided (either malformed, expired or signed with the wrong key)'
+        end
+        # Verify the replay token
+        verify_anti_replay_token(data['ar'])
+        # Set the expected omniauth state to the state that we have been given so it
+        # thinks the session is trusted as normal.
+        env['rack.session']['omniauth.state'] = state
+        @app.call(env)
+      end
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/MethodLength
+      private
+      def verify_anti_replay_token(token)
+        return if @options[:redis].nil?
+        redis = @options[:redis]
+        key = "kidil-ar:#{token}"
+        if redis.get(key)
+          raise AntiReplayTokenAlreadyUsedError, 'Anti replay token has already been used'
+        end
+        redis.set(key,
+                  Time.now.to_i,
+                  nx: true, ex: @options[:anti_replay_expiry_seconds])
+      end
+    end
+  end
+end

data/lib/omniauth/krystal/signing_keys.rb ADDED Viewed

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+require 'uri'
+require 'net/http'
+require 'json'
+module OmniAuth
+  module Krystal
+    class SigningKeys
+      attr_reader :cache, :cache_set_at
+      def initialize(url)
+        @url = url
+        @cache = nil
+      end
+      def call(_options)
+        invalidate_cache_if_appropriate
+        return @cache if @cache
+        download_jwks
+        @cache_set_at = Time.now.to_i
+        @cache
+      end
+      private
+      # Invalidate the cache if it's been more than 5 minutes since we last
+      # cached the data.
+      def invalidate_cache_if_appropriate
+        return if @cache_set_at && @cache_set_at >= (Time.now.to_i - 300)
+        @cache = nil
+      end
+      # rubocop:disable Metrics/AbcSize
+      def download_jwks
+        uri = URI.parse(@url)
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true if uri.scheme == 'https'
+        request = Net::HTTP::Get.new(uri.request_uri)
+        response = http.request(request)
+        raise Error, "Failed to download signing keys from #{@url}" if response.code != '200'
+        body = JSON.parse(response.body)
+        @cache = JWT::JWK::Set.new(body)
+        @cache.select! { |key| key[:use] == 'sig' }
+        @cache
+      end
+      # rubocop:enable Metrics/AbcSize
+    end
+  end
+end

data/lib/omniauth/krystal/version.rb CHANGED Viewed

@@ -2,11 +2,6 @@
 module OmniAuth
   module Krystal
-    VERSION_FILE = File.expand_path('../../../VERSION', __dir__)
-    VERSION = if File.file?(VERSION_FILE)
-                File.read(VERSION_FILE).strip
-              else
-                '0.0.0'
-              end
+    VERSION = '1.3.0'
   end
 end

data/lib/omniauth/strategies/krystal.rb CHANGED Viewed

@@ -8,9 +8,10 @@ module OmniAuth
       option :name, 'krystal'
       option :client_options,
-             site: ENV.fetch('KRYSTAL_IDENTITY_API_URL', 'https://identity.k.io/api/v1'),
-             authorize_url: ENV.fetch('KRYSTAL_IDENTITY_OAUTH_AUTHORIZE_URL', 'https://identity.k.io/oauth2/auth'),
-             token_url: ENV.fetch('KRYSTAL_IDENTITY_OAUTH_TOKEN_URL', 'https://identity.k.io/oauth2/token')
+             url: ENV.fetch('KRYSTAL_IDENTITY_URL', 'https://identity.k.io'),
+             site: ENV.fetch('KRYSTAL_IDENTITY_API_URL', nil),
+             authorize_url: ENV.fetch('KRYSTAL_IDENTITY_OAUTH_AUTHORIZE_URL', nil),
+             token_url: ENV.fetch('KRYSTAL_IDENTITY_OAUTH_TOKEN_URL', nil)
       option :authorize_params,
              scope: 'user.profile'
@@ -27,10 +28,26 @@ module OmniAuth
       extra do
         {
           raw_info: raw_info,
-          scope: scope
+          scope: scope,
+          session_id: raw_info['session_id'],
+          first_name: raw_info['user']['first_name'],
+          last_name: raw_info['user']['last_name'],
+          email_addresses: raw_info['user']['email_addresses'],
+          roles: raw_info['user']['roles'],
+          two_factor_auth_enabled: raw_info['user']['two_factor_auth_enabled']
         }
       end
+      # rubocop:disable Metrics/AbcSize
+      def initialize(app, *args, &block)
+        super
+        options.client_options.site ||= "#{options.client_options.url}/api/v1"
+        options.client_options.authorize_url ||= "#{options.client_options.url}/oauth2/auth"
+        options.client_options.token_url ||= "#{options.client_options.url}/oauth2/token"
+      end
+      # rubocop:enable Metrics/AbcSize
       def scope
         access_token['scope']
       end

data/lib/omniauth-krystal.rb CHANGED Viewed

@@ -1,3 +1,4 @@
 # frozen_string_literal: true
 require 'omniauth/strategies/krystal'
+require 'omniauth/krystal/initiated_login_middleware'

metadata CHANGED Viewed

@@ -1,15 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-krystal
 version: !ruby/object:Gem::Version
-  version: 1.1.3
+  version: 1.3.0
 platform: ruby
 authors:
 - Adam Cooke
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-04-18 00:00:00.000000000 Z
+date: 2023-05-29 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
@@ -46,6 +74,8 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/omniauth-krystal.rb
+- lib/omniauth/krystal/initiated_login_middleware.rb
+- lib/omniauth/krystal/signing_keys.rb
 - lib/omniauth/krystal/version.rb
 - lib/omniauth/strategies/krystal.rb
 homepage: https://github.com/krystal/omniauth-krystal