omniauth-krystal 1.2.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 81124af273cae23b77ab10b6e278bcfe6b2968060949bdc7d13cad9989035afb
-  data.tar.gz: 15556c4d72fbe57dedc461001ea39f5b86ae87b4ca723fbf5fc1756f7480ef6f
+  metadata.gz: f93afa35b415e64d9569aff71d3d19f65b4328fd70001535d26038d63c700aa7
+  data.tar.gz: f9e448d0d49a8f72354f6080881b25131cf1654f599b74bd446d7c16c1a09d1c
 SHA512:
-  metadata.gz: 0e27564482e407b327c7d5744071499b1d8867dfa013b73df5f92304eb9ccf59908d873275a4de533c61c1b8c755107372ca5a5120cc0d8857d01913b475c3a9
-  data.tar.gz: 4914bbd1e8f481e872acb7376499eee17386415d3e33e1314e779551374874ae6aa7cf7a604b6df812b6673fbc758ec1255011316e767431280458c5acefd76e
+  metadata.gz: b1fef42e9a4d45ea8ec48b3a7dc9e25a0beff33f4675ce307a8c90582fc0c53ce9b0d75cf2360dcb818189f0063573bea60e62ccb38a314b63250cb0084e4b95
+  data.tar.gz: c16b6c08c93432a84e70984163984baff7e87a19b92f00f512d60a0b28b19a6344ee75ffc922e10122d9acfaf98f3c813186fe99ff8e825d785de0c92aa687d3

data/lib/omniauth/krystal/initiated_login_middleware.rb

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'omniauth/krystal/signing_keys'
+
+module OmniAuth
+  module Krystal
+    class InitiatedLoginMiddleware
+      class Error < StandardError
+      end
+
+      class JWTDecodeError < Error
+      end
+
+      class JWTExpiredError < Error
+      end
+
+      class AntiReplayTokenAlreadyUsedError < Error
+      end
+
+      JWT_RESERVED_CLAIMS = %w[ar exp nbf iss aud jti iat sub].freeze
+
+      def initialize(app, options = {})
+        @app = app
+        @options = options
+
+        @options[:provider_name] ||= 'krystal'
+        @options[:identity_url] ||= ENV.fetch('KRYSTAL_IDENTITY_URL', 'https://identity.k.io')
+        @options[:anti_replay_expiry_seconds] ||= 60
+
+        @keys = SigningKeys.new("#{@options[:identity_url]}/.well-known/signing.json")
+      end
+
+      # rubocop:disable Metrics/MethodLength
+      # rubocop:disable Metrics/AbcSize
+      def call(env)
+        unless env['PATH_INFO'] == "/auth/#{@options[:provider_name]}/callback"
+          # If it's not a Krystal Identity auth callback then we don't
+          # need to do anything here.
+          return @app.call(env)
+        end
+
+        request = Rack::Request.new(env)
+        state = request.params['state']
+
+        if state.nil? || !state.start_with?('kidil_')
+          # Return to the app if the state is not a Krystal Identity
+          # initiated login.
+          return @app.call(env)
+        end
+
+        # Decode the JWT and ensure that the state is valid. JWT will check
+        # the expiry.
+        data = nil
+        begin
+          data, = JWT.decode(state.sub(/\Akidil_/, ''), nil, true, { algorithm: 'ES256', jwks: @keys })
+        rescue JWT::ExpiredSignature
+          raise JWTExpiredError, 'State parameter has expired'
+        rescue JWT::DecodeError
+          raise JWTDecodeError,
+                'Invalid state parameter provided (either malformed, expired or signed with the wrong key)'
+        end
+
+        # Verify the replay token
+        verify_anti_replay_token(data['ar'])
+
+        # Set the expected omniauth state to the state that we have been given so it
+        # thinks the session is trusted as normal.
+        env['rack.session']['omniauth.state'] = state
+
+        # Set any additional params that were passed in the state.
+        env['rack.session']['omniauth.params'] = data.reject { |key| JWT_RESERVED_CLAIMS.include?(key) }
+
+        @app.call(env)
+      end
+      # rubocop:enable Metrics/AbcSize
+      # rubocop:enable Metrics/MethodLength
+
+      private
+
+      def verify_anti_replay_token(token)
+        return if @options[:redis].nil?
+
+        redis = @options[:redis]
+        key = "kidil-ar:#{token}"
+        if redis.get(key)
+          raise AntiReplayTokenAlreadyUsedError, 'Anti replay token has already been used'
+        end
+
+        redis.set(key,
+                  Time.now.to_i,
+                  nx: true, ex: @options[:anti_replay_expiry_seconds])
+      end
+    end
+  end
+end

data/lib/omniauth/krystal/signing_keys.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'uri'
+require 'net/http'
+require 'json'
+
+module OmniAuth
+  module Krystal
+    class SigningKeys
+      attr_reader :cache, :cache_set_at
+
+      def initialize(url)
+        @url = url
+        @cache = nil
+      end
+
+      def call(_options)
+        invalidate_cache_if_appropriate
+        return @cache if @cache
+
+        download_jwks
+        @cache_set_at = Time.now.to_i
+        @cache
+      end
+
+      private
+
+      # Invalidate the cache if it's been more than 5 minutes since we last
+      # cached the data.
+      def invalidate_cache_if_appropriate
+        return if @cache_set_at && @cache_set_at >= (Time.now.to_i - 300)
+
+        @cache = nil
+      end
+
+      # rubocop:disable Metrics/AbcSize
+      def download_jwks
+        uri = URI.parse(@url)
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true if uri.scheme == 'https'
+        request = Net::HTTP::Get.new(uri.request_uri)
+        response = http.request(request)
+        raise Error, "Failed to download signing keys from #{@url}" if response.code != '200'
+
+        body = JSON.parse(response.body)
+
+        @cache = JWT::JWK::Set.new(body)
+        @cache.select! { |key| key[:use] == 'sig' }
+        @cache
+      end
+      # rubocop:enable Metrics/AbcSize
+    end
+  end
+end

data/lib/omniauth/krystal/version.rb

@@ -2,11 +2,6 @@
 
 module OmniAuth
   module Krystal
-    VERSION_FILE = File.expand_path('../../../VERSION', __dir__)
-    VERSION = if File.file?(VERSION_FILE)
-                File.read(VERSION_FILE).strip
-              else
-                '0.0.0'
-              end
+    VERSION = '1.4.0'
   end
 end

data/lib/omniauth/strategies/krystal.rb

@@ -38,6 +38,7 @@ module OmniAuth
         }
       end
 
+      # rubocop:disable Metrics/AbcSize
       def initialize(app, *args, &block)
         super
 
@@ -45,6 +46,7 @@ module OmniAuth
         options.client_options.authorize_url ||= "#{options.client_options.url}/oauth2/auth"
         options.client_options.token_url ||= "#{options.client_options.url}/oauth2/token"
       end
+      # rubocop:enable Metrics/AbcSize
 
       def scope
         access_token['scope']

data/lib/omniauth-krystal.rb

@@ -1,3 +1,4 @@
 # frozen_string_literal: true
 
 require 'omniauth/strategies/krystal'
+require 'omniauth/krystal/initiated_login_middleware'

metadata

@@ -1,15 +1,43 @@
 --- !ruby/object:Gem::Specification
 name: omniauth-krystal
 version: !ruby/object:Gem::Version
-  version: 1.2.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Adam Cooke
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-05-22 00:00:00.000000000 Z
+date: 2023-07-05 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
@@ -46,6 +74,8 @@ extensions: []
 extra_rdoc_files: []
 files:
 - lib/omniauth-krystal.rb
+- lib/omniauth/krystal/initiated_login_middleware.rb
+- lib/omniauth/krystal/signing_keys.rb
 - lib/omniauth/krystal/version.rb
 - lib/omniauth/strategies/krystal.rb
 homepage: https://github.com/krystal/omniauth-krystal