osso 0.0.3 → 0.0.3.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c4d6c8de140e9aee1afb784383da381c1fe16eb9816eb1ed0d6439a851e5aef2
-  data.tar.gz: e393a2c08eb2c64f9f151b06174aaf45b9d980081d3bc3a792984cf6e64f3b5f
+  metadata.gz: abe7c30a149dfc3e0b0c457317b07065503bb551e1b93bd9e2a98443460eb426
+  data.tar.gz: 41b7772e2a15c6507104b3ceb4922db9b72f9071ac5d0763bb51334bce324a83
 SHA512:
-  metadata.gz: 331e8828f50de204268d11922a5dc6973b65bb03ba214e7f354f95713e75eb41143554fbbf42903daced8e9bec8bbfd19824e2866673f3a27c6348a62da40992
-  data.tar.gz: 42c3392315313792aa4012a582c395e7b304af4dfb720d0ebbbaa9407841b58924f910bcc963ff10a710f31e1a955f6643edfcb5894a2fe1c04e4d22f9a47dcb
+  metadata.gz: 90647d30bd113058d75d2e958ac6f116fa26a5e1262460795adbeb438e99dc3fe93ab57610dd705c1ca07a3daf7fb52eba1f651e47979fbc8494ca159cfe8712
+  data.tar.gz: 7922ea24bdfff89d21e3f615e8decc4b88c6f672512f5fb04405061c09a178bbe6ab10addec9cd75969e1cec774441d235715c8b4ab631da7bb42a3bd25d8027

data/.buildkite/pipeline.yml

@@ -1,3 +1,3 @@
 steps:
   - name: ":rspec:"
-    command: "bundle install --path vendor/bundle --with development test && RACK_ENV=test bundle exec rake db:migrate && bundle exec rspec"
+    command: "bundle install --path vendor/bundle --with development test && RACK_ENV=test bundle exec rake db:migrate && bundle exec rspec"

data/.gitignore

@@ -7,3 +7,4 @@
 /spec/reports/
 /tmp/
 *.gem
+.DS_Store

data/.rubocop.yml

@@ -1,8 +1,7 @@
 AllCops:
   Exclude:
-    - client/**/*
     - db/**/*
-    - node_modules/**/*
+    - lib/osso/db/**/*
 
 # New rules must be explicitly opted into / out of
 Lint/RaiseException:

data/Gemfile.lock

@@ -1,8 +1,9 @@
 PATH
   remote: .
   specs:
-    osso (0.0.3)
+    osso (0.0.3.5)
       activesupport (>= 6.0.3.2)
+      graphql
       jwt
       omniauth-multi-provider
       omniauth-saml
@@ -48,6 +49,7 @@ GEM
       activesupport (>= 5.0.0)
     faker (2.13.0)
       i18n (>= 1.6, < 2)
+    graphql (1.11.1)
     hashdiff (1.0.1)
     hashie (4.1.0)
     httpclient (2.8.3)

data/bin/console

@@ -1,7 +1,8 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
-require "bundler/setup"
-require "osso"
+require 'bundler/setup'
+require 'osso'
 
-require "irb"
+require 'irb'
 IRB.start(__FILE__)

data/db/schema.rb

@@ -0,0 +1 @@
+# frozen_string_literal: true

data/lib/osso.rb

@@ -4,6 +4,8 @@ module Osso
   require_relative 'osso/helpers/helpers'
   require_relative 'osso/lib/app_config'
   require_relative 'osso/lib/oauth2_token'
+  require_relative 'osso/lib/route_map'
   require_relative 'osso/models/models'
   require_relative 'osso/routes/routes'
+  require_relative 'osso/graphql/schema'
 end

data/lib/osso/graphql/mutation.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+require_relative 'mutations'
+
+module Osso
+  module GraphQL
+    module Types
+      class MutationType < BaseObject
+        field :configure_identity_provider, mutation: Mutations::ConfigureIdentityProvider
+        field :create_identity_provider, mutation: Mutations::CreateIdentityProvider
+        field :set_saml_provider, mutation: Mutations::SetSamlProvider
+      end
+    end
+  end
+end

data/lib/osso/graphql/mutations.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Osso
+  module Mutations
+  end
+end
+
+require_relative 'mutations/base_mutation'
+require_relative 'mutations/configure_identity_provider'
+require_relative 'mutations/create_identity_provider'
+require_relative 'mutations/set_saml_provider'

data/lib/osso/graphql/mutations/base_mutation.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class BaseMutation < ::GraphQL::Schema::RelayClassicMutation
+        # This is used for generating payload types
+        object_class Types::BaseObject
+        # # This is used for return fields on the mutation's payload
+        # field_class Types::BaseField
+        # # This is used for generating the `input: { ... }` object type
+        # input_object_class Types::BaseInputObject
+
+        def return_data(data)
+          data.merge(errors: [])
+        end
+
+        def return_error(error)
+          error.merge(data: nil)
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/mutations/configure_identity_provider.rb

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class ConfigureIdentityProvider < BaseMutation
+        null false
+        argument :id, ID, required: true
+        argument :service, Types::IdentityProviderService, required: true
+        argument :sso_url, String, required: true
+        argument :sso_cert, String, required: true
+
+        field :identity_provider, Types::IdentityProvider, null: true
+        field :errors, [String], null: false
+
+        def resolve(id:, sso_url:, sso_cert:, service:)
+          provider = Osso::Models::SamlProvider.find(id)
+          provider.update(
+            idp_cert: sso_cert,
+            idp_sso_target_url: sso_url,
+          )
+
+          return_data(identity_provider: provider)
+          # rescue StandardError => e
+          #   return_error(errors: e.full_message)
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/mutations/create_identity_provider.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class CreateIdentityProvider < BaseMutation
+        null false
+        argument :enterprise_account_id, ID, required: true
+        argument :provider_service, Types::IdentityProviderService, required: true
+
+        field :identity_provider, Types::IdentityProvider, null: false
+        field :errors, [String], null: false
+
+        def resolve(enterprise_account_id:, provider_service:)
+          enterprise_account = Osso::Models::EnterpriseAccount.find(enterprise_account_id)
+          identity_provider = enterprise_account.saml_providers.create!(
+            provider: provider_service || 'OKTA',
+            domain: enterprise_account.domain,
+          )
+
+          return_data(identity_provider: identity_provider)
+        rescue StandardError => e
+          return_error(errors: e.full_message)
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/mutations/set_saml_provider.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Mutations
+      class SetSamlProvider < BaseMutation
+        null false
+
+        argument :provider, Types::IdentityProviderService, required: true
+        argument :id, ID, required: true
+
+        field :identity_provider, Types::IdentityProvider, null: false
+        field :errors, [String], null: false
+
+        def resolve(provider:, id:)
+          saml_provider = Osso::Models::SamlProvider.find(id)
+          saml_provider.provider = provider
+          saml_provider.save!
+          {
+            saml_provider: saml_provider,
+            errors: [],
+          }
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/query.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class QueryType < ::GraphQL::Schema::Object
+        field :enterprise_accounts, null: true, resolver: Resolvers::EnterpriseAccounts
+        field :oauth_clients, null: true, resolver: Resolvers::OAuthClients
+
+        field :enterprise_account, null: false, resolver: Resolvers::EnterpriseAccount do
+          argument :domain, String, required: true
+        end
+
+        field(
+          :identity_provider,
+          Types::IdentityProvider,
+          null: true,
+          resolve: ->(_obj, args, _context) { Osso::Models::SamlProvider.find(args[:id]) },
+        ) do
+          argument :id, ID, required: true
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/resolvers.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Resolvers
+    end
+  end
+end
+
+require_relative 'resolvers/enterprise_account'
+require_relative 'resolvers/enterprise_accounts'
+require_relative 'resolvers/oauth_clients'

data/lib/osso/graphql/resolvers/enterprise_account.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Resolvers
+      class EnterpriseAccount < ::GraphQL::Schema::Resolver
+        type Types::EnterpriseAccount, null: false
+
+        def resolve(args)
+          return unless admin? || enterprise_authorized?(args[:domain])
+
+          Osso::Models::EnterpriseAccount.find_by(domain: args[:domain])
+        end
+
+        def admin?
+          context[:scope] == :admin
+        end
+
+        def enterprise_authorized?(domain)
+          context[:scope] == domain
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/resolvers/enterprise_accounts.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Resolvers
+      class EnterpriseAccounts < ::GraphQL::Schema::Resolver
+        type [Types::EnterpriseAccount], null: true
+
+        def resolve
+          return Osso::Models::EnterpriseAccount.all if context[:scope] == :admin
+
+          Array(Osso::Models::EnterpriseAccount.find_by(domain: context[:scope]))
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/resolvers/oauth_clients.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Resolvers
+      class OAuthClients < ::GraphQL::Schema::Resolver
+        type [Types::OAuthClient], null: true
+
+        def resolve
+          return Osso::Models::OAuthClient.all if context[:scope] == :admin
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/schema.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'graphql'
+require_relative 'types'
+require_relative 'resolvers'
+require_relative 'mutation'
+require_relative 'query'
+
+GraphQL::Relay::BaseConnection.register_connection_implementation(
+  ActiveRecord::Relation,
+  GraphQL::Relay::RelationConnection,
+)
+
+module Osso
+  module GraphQL
+    class Schema < ::GraphQL::Schema
+      use ::GraphQL::Pagination::Connections
+      query Types::QueryType
+      mutation Types::MutationType
+
+      def self.id_from_object(object, _type_definition = nil, _query_ctx = nil)
+        GraphQL::Schema::UniqueWithinType.encode(object.class.name, object.id)
+      end
+
+      def self.object_from_id(id, _query_ctx = nil)
+        class_name, item_id = GraphQL::Schema::UniqueWithinType.decode(id)
+        Object.const_get(class_name).find(item_id)
+      end
+
+      def self.resolve_type(_type, obj, _ctx)
+        case obj
+        when Osso::Models::EnterpriseAccount
+          Types::EnterpriseAccount
+        when Osso::Models::SamlProvider
+          Types::IdentityProvider
+        else
+          raise("Unexpected object: #{obj}")
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/types.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Osso
+  module Types
+  end
+end
+
+require_relative 'types/base_object'
+require_relative 'types/base_enum'
+require_relative 'types/identity_provider_service'
+require_relative 'types/identity_provider'
+require_relative 'types/enterprise_account'
+require_relative 'types/oauth_client'
+require_relative 'types/user'

data/lib/osso/graphql/types/base_enum.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class BaseEnum < ::GraphQL::Schema::Enum
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/base_object.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class BaseObject < ::GraphQL::Schema::Object
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/enterprise_account.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class EnterpriseAccount < Types::BaseObject
+        description 'An Account for a company that wishes to use SAML via Osso'
+        implements ::GraphQL::Types::Relay::Node
+
+        global_id_field :gid
+        field :id, ID, null: false
+        field :name, String, null: false
+        field :domain, String, null: false
+        field :identity_providers, [Types::IdentityProvider], null: true
+        field :status, String, null: false
+
+        def name
+          object.domain.gsub('.com', '')
+        end
+
+        def status
+          'active'
+        end
+
+        def identity_providers
+          object.saml_providers
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/identity_provider.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class IdentityProvider < Types::BaseObject
+        description 'Represents a SAML based IDP instance for an EnterpriseAccount'
+        implements ::GraphQL::Types::Relay::Node
+
+        global_id_field :gid
+        field :id, ID, null: false
+        field :enterprise_account_id, ID, null: false
+        field :service, Types::IdentityProviderService, null: true
+        field :domain, String, null: false
+        field :acs_url, String, null: false
+        field :sso_url, String, null: true
+        field :sso_cert, String, null: true
+        field :configured, Boolean, null: false
+
+        def service
+          @object.provider
+        end
+
+        def configured
+          @object.idp_sso_target_url && @object.idp_cert
+        end
+
+        def sso_cert
+          @object.idp_cert
+        end
+
+        def sso_url
+          @object.idp_sso_target_url
+        end
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/identity_provider_service.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Osso
+  module GraphQL
+    module Types
+      class IdentityProviderService < BaseEnum
+        value('AZURE', 'Microsoft Azure Identity Provider', value: 'Osso::Models::AzureSamlProvider')
+        value('OKTA', 'Okta Identity Provider', value: 'Osso::Models::OktaSamlProvider')
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/oauth_client.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'graphql'
+
+module Osso
+  module GraphQL
+    module Types
+      class OAuthClient < Types::BaseObject
+        description 'An OAuth client used to consume Osso SAML users'
+        implements ::GraphQL::Types::Relay::Node
+
+        global_id_field :gid
+        field :id, ID, null: false
+        field :name, String, null: false
+        field :client_id, String, null: false
+        field :client_secret, String, null: false
+      end
+    end
+  end
+end

data/lib/osso/graphql/types/user.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require 'graphql'
+require_relative 'base_object'
+
+module Osso
+  module GraphQL
+    module Types
+      class User < Types::BaseObject
+        description 'A User of the application'
+
+        field :id, ID, null: false
+        field :name, String, null: true
+      end
+    end
+  end
+end

data/lib/osso/helpers/auth.rb

@@ -1,67 +1,71 @@
 # frozen_string_literal: true
 
-module Helpers
-  module Auth
-    attr_accessor :current_scope
-    
-    def enterprise_protected!(domain = nil)
-      return if admin_authorized?
-      return if enterprise_authorized?(domain)
-
-      redirect ENV['JWT_URL']
-    end
+module Osso
+  module Helpers
+    module Auth
+      attr_accessor :current_scope
 
-    def enterprise_authorized?(domain)
-      payload, _args = JWT.decode(
-        token,
-        ENV['JWT_HMAC_SECRET'],
-        true,
-        { algorithm: 'HS256' },
-      )
+      def enterprise_protected!(domain = nil)
+        return if admin_authorized?
+        return if enterprise_authorized?(domain)
 
-      @current_scope = payload['scope']
+        halt 401 if request.post?
 
-      true
-    rescue JWT::DecodeError
-      false
-    end
+        redirect ENV['JWT_URL']
+      end
 
-    def admin_protected!
-      return if admin_authorized?
+      def enterprise_authorized?(_domain)
+        payload, _args = JWT.decode(
+          token,
+          ENV['JWT_HMAC_SECRET'],
+          true,
+          { algorithm: 'HS256' },
+        )
 
-      redirect ENV['JWT_URL']
-    end
+        @current_scope = payload['scope']
 
-    def admin_authorized?
-      payload, _args = JWT.decode(
-        token,
-        ENV['JWT_HMAC_SECRET'],
-        true,
-        { algorithm: 'HS256' },
-      )
-
-      if payload['scope'] == 'admin'
-        @current_scope = :admin
-        return true
+        true
+      rescue JWT::DecodeError
+        false
       end
 
-      false
-    rescue JWT::DecodeError
-      false
-    end
+      def admin_protected!
+        return if admin_authorized?
 
-    def token
-      request.env['admin_token'] || session['admin_token'] || request['admin_token']
-    end
+        redirect ENV['JWT_URL']
+      end
 
-    def chomp_token
-      return unless request['admin_token'].present?
+      def admin_authorized?
+        payload, _args = JWT.decode(
+          token,
+          ENV['JWT_HMAC_SECRET'],
+          true,
+          { algorithm: 'HS256' },
+        )
 
-      session['admin_token'] = request['admin_token']
+        if payload['scope'] == 'admin'
+          @current_scope = :admin
+          return true
+        end
 
-      return if request.post?
+        false
+      rescue JWT::DecodeError
+        false
+      end
+
+      def token
+        request.env['admin_token'] || session['admin_token'] || request['admin_token']
+      end
+
+      def chomp_token
+        return unless request['admin_token'].present?
 
-      redirect request.path
+        session['admin_token'] = request['admin_token']
+
+        return if request.post?
+
+        redirect request.path
+      end
     end
   end
 end

data/lib/osso/helpers/helpers.rb

@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
-module Helpers
+module Osso
+  module Helpers
+  end
 end
 
 require_relative 'auth'

data/lib/osso/lib/route_map.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+# rubocop:disable Metrics/MethodLength
+
+module Osso
+  module RouteMap
+    def self.included(klass)
+      klass.class_eval do
+        use Osso::Admin
+        use Osso::Auth
+        use Osso::Oauth
+
+        post '/graphql' do
+          enterprise_protected!
+
+          result = Osso::GraphQL::Schema.execute(
+            params[:query],
+            variables: params[:variables],
+            context: { scope: current_scope },
+          )
+
+          json result
+        end
+      end
+    end
+  end
+end
+# rubocop:enable Metrics/MethodLength

data/lib/osso/models/oauth_client.rb

@@ -29,4 +29,4 @@ module Osso
       end
     end
   end
-end
+end

data/lib/osso/models/saml_providers/azure_saml_provider.rb

@@ -19,4 +19,4 @@ module Osso
       end
     end
   end
-end
+end

data/lib/osso/routes/admin.rb

@@ -6,37 +6,36 @@ module Osso
   class Admin < Sinatra::Base
     include AppConfig
     helpers Helpers::Auth
+    register Sinatra::Namespace
 
     before do
       chomp_token
     end
 
-    get '/' do
-      admin_protected!
+    namespace '/admin' do
+      get '' do
+        admin_protected!
 
-      erb :'public/index'
-    end
-
-    get '/enterprise' do
-      admin_protected!
+        erb :admin
+      end
 
-      erb :admin
-    end
+      get '/enterprise' do
+        admin_protected!
 
-    get '/enterprise/:domain' do
-      enterprise_protected!(params[:domain])
+        erb :admin
+      end
 
-      @enterprise = Models::EnterpriseAccount.where(
-        domain: params[:domain],
-      ).first_or_create
+      get '/enterprise/:domain' do
+        enterprise_protected!(params[:domain])
 
-      erb :admin
-    end
+        erb :admin
+      end
 
-    get '/config' do
-      admin_protected!
+      get '/config' do
+        admin_protected!
 
-      erb :admin
+        erb :admin
+      end
     end
   end
 end

data/lib/osso/routes/auth.rb

@@ -8,6 +8,7 @@ require 'omniauth-saml'
 module Osso
   class Auth < Sinatra::Base
     include AppConfig
+    register Sinatra::Namespace
 
     UUID_REGEXP =
       /[0-9a-f]{8}-[0-9a-f]{3,4}-[0-9a-f]{4}-[0-9a-f]{3,4}-[0-9a-f]{12}/.
@@ -30,35 +31,37 @@ module Osso
       end
     end
 
-    # Enterprise users are sent here after authenticating against
-    # their Identity Provider. We find or create a user record,
-    # and then create an authorization code for that user. The user
-    # is redirected back to your application with this code
-    # as a URL query param, which you then exhange for an access token
-    post '/saml/:id/callback' do
-      provider = Models::SamlProvider.find(params[:id])
-      oauth_client = provider.oauth_client
-      redirect_uri = env['redirect_uri'] || oauth_client.default_redirect_uri.uri
+    namespace '/auth' do
+      # Enterprise users are sent here after authenticating against
+      # their Identity Provider. We find or create a user record,
+      # and then create an authorization code for that user. The user
+      # is redirected back to your application with this code
+      # as a URL query param, which you then exhange for an access token
+      post '/saml/:id/callback' do
+        provider = Models::SamlProvider.find(params[:id])
+        oauth_client = provider.oauth_client
+        redirect_uri = env['redirect_uri'] || oauth_client.default_redirect_uri.uri
 
-      attributes = env['omniauth.auth']&.
-        extra&.
-        response_object&.
-        attributes
+        attributes = env['omniauth.auth']&.
+          extra&.
+          response_object&.
+          attributes
 
-      user = Models::User.where(
-        email: attributes[:email],
-        idp_id: attributes[:id],
-      ).first_or_create! do |new_user|
-        new_user.enterprise_account_id = provider.enterprise_account_id
-        new_user.saml_provider_id = provider.id
-      end
+        user = Models::User.where(
+          email: attributes[:email],
+          idp_id: attributes[:id],
+        ).first_or_create! do |new_user|
+          new_user.enterprise_account_id = provider.enterprise_account_id
+          new_user.saml_provider_id = provider.id
+        end
 
-      authorization_code = user.authorization_codes.create!(
-        oauth_client: oauth_client,
-        redirect_uri: redirect_uri,
-      )
+        authorization_code = user.authorization_codes.create!(
+          oauth_client: oauth_client,
+          redirect_uri: redirect_uri,
+        )
 
-      redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{session[:oauth_state]}")
+        redirect(redirect_uri + "?code=#{CGI.escape(authorization_code.token)}&state=#{session[:oauth_state]}")
+      end
     end
   end
 end

data/lib/osso/routes/oauth.rb

@@ -5,53 +5,59 @@ require 'rack/oauth2'
 module Osso
   class Oauth < Sinatra::Base
     include AppConfig
-    # Send your users here in order to being an authentication
-    # flow. This flow follows the authorization grant oauth
-    # spec with one exception - you must also pass the domain
-    # of the user who wants to sign in.
-    get '/authorize' do
-      @enterprise = Models::EnterpriseAccount.
-        includes(:saml_providers).
-        find_by!(domain: params[:domain])
-
-      Rack::OAuth2::Server::Authorize.new do |req, _res|
-        client = Models::OauthClient.find_by!(identifier: req.client_id)
-        req.verify_redirect_uri!(client.redirect_uri_values)
-      end.call(env)
-
-      if @enterprise.single_provider?
-        session[:oauth_state] = params[:state]
-        redirect "/auth/saml/#{@enterprise.provider.id}"
+    register Sinatra::Namespace
+    # rubocop:disable Metrics/BlockLength
+    namespace '/oauth' do
+      # Send your users here in order to being an authentication
+      # flow. This flow follows the authorization grant oauth
+      # spec with one exception - you must also pass the domain
+      # of the user who wants to sign in.
+      get '/authorize' do
+        @enterprise = Models::EnterpriseAccount.
+          includes(:saml_providers).
+          find_by!(domain: params[:domain])
+
+        Rack::OAuth2::Server::Authorize.new do |req, _res|
+          client = Models::OauthClient.find_by!(identifier: req.client_id)
+          req.verify_redirect_uri!(client.redirect_uri_values)
+        end.call(env)
+
+        if @enterprise.single_provider?
+          session[:oauth_state] = params[:state]
+          redirect "/auth/saml/#{@enterprise.provider.id}"
+        end
+
+        # TODO: multiple provider support
+        # erb :multiple_providers
+
+      rescue Rack::OAuth2::Server::Authorize::BadRequest => e
+        @error = e
+        return erb :error
       end
 
-      erb :multiple_providers
-
-    rescue Rack::OAuth2::Server::Authorize::BadRequest => e
-      @error = e
-      return erb :error
-    end
-
-    # Exchange an authorization code token for an access token.
-    # In addition to the token, you must include all paramaters
-    # required by Oauth spec: redirect_uri, client ID, and client secret
-    post '/token' do
-      Rack::OAuth2::Server::Token.new do |req, res|
-        code = Models::AuthorizationCode.
-          find_by_token!(params[:code])
-        client = Models::OauthClient.find_by!(identifier: req.client_id)
-        req.invalid_client! if client.secret != req.client_secret
-        req.invalid_grant! if code.redirect_uri != req.redirect_uri
-        res.access_token = code.access_token.to_bearer_token
-      end.call(env)
-    end
+      # Exchange an authorization code token for an access token.
+      # In addition to the token, you must include all paramaters
+      # required by Oauth spec: redirect_uri, client ID, and client secret
+      post '/token' do
+        Rack::OAuth2::Server::Token.new do |req, res|
+          code = Models::AuthorizationCode.
+            find_by_token!(params[:code])
+          client = Models::OauthClient.find_by!(identifier: req.client_id)
+          req.invalid_client! if client.secret != req.client_secret
+          req.invalid_grant! if code.redirect_uri != req.redirect_uri
+          res.access_token = code.access_token.to_bearer_token
+        end.call(env)
+      end
 
-    # Use the access token to request a user profile
-    get '/me' do
-      json Models::AccessToken.
-        includes(:user).
-        valid.
-        find_by_token!(params[:access_token]).
-        user
+      # Use the access token to request a user profile
+      get '/me' do
+        json Models::AccessToken.
+          includes(:user).
+          valid.
+          find_by_token!(params[:access_token]).
+          user
+      end
     end
   end
 end
+# rubocop:enable Metrics/BlockLength

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.3'
+  VERSION = '0.0.3.5'
 end

data/osso-rb.gemspec

@@ -2,6 +2,7 @@
 
 require_relative 'lib/osso/version'
 
+# rubocop:disable Metrics/BlockLength
 Gem::Specification.new do |spec|
   spec.name          = 'osso'
   spec.version       = Osso::VERSION
@@ -15,6 +16,7 @@ Gem::Specification.new do |spec|
   spec.license = 'MIT'
 
   spec.add_runtime_dependency 'activesupport', '>= 6.0.3.2'
+  spec.add_runtime_dependency 'graphql'
   spec.add_runtime_dependency 'jwt'
   spec.add_runtime_dependency 'omniauth-multi-provider'
   spec.add_runtime_dependency 'omniauth-saml'
@@ -29,12 +31,10 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'bundler', '~> 2.1'
   spec.add_development_dependency 'pry'
 
-  # Specify which files should be added to the gem when it is released.
-  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
   spec.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
   spec.files         = `git ls-files`.split("\n")
   spec.test_files    = `git ls-files -- {spec}/*`.split("\n")
   spec.bindir        = 'bin'
-  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 end
+# rubocop:enable Metrics/BlockLength

data/spec/routes/admin_spec.rb

@@ -9,6 +9,7 @@ describe Osso::Admin do
   before do
     ENV['JWT_URL'] = jwt_url
     ENV['JWT_HMAC_SECRET'] = jwt_hmac_secret
+    described_class.set(:views, spec_views)
   end
 
   describe 'get /admin' do
@@ -24,7 +25,9 @@ describe Osso::Admin do
       get('/admin', token: SecureRandom.hex(32))
 
       expect(last_response).to be_redirect
+
       follow_redirect!
+
       expect(last_request.url).to eq(jwt_url)
     end
 

data/spec/spec_helper.rb

@@ -14,15 +14,13 @@ ENV['SESSION_SECRET'] = 'supersecret'
 
 require File.expand_path '../lib/osso.rb', __dir__
 
+require File.expand_path 'support/spec_app', __dir__
+
 module RSpecMixin
   include Rack::Test::Methods
 
   def app
-    Rack::URLMap.new(
-      '/admin' => Osso::Admin,
-      '/auth' => Osso::Auth,
-      '/oauth' => Osso::Oauth,
-    )
+    SpecApp
   end
 
   def mock_saml_omniauth(email: 'user@enterprise.com', id: SecureRandom.uuid)
@@ -40,6 +38,10 @@ module RSpecMixin
   def last_json_response
     JSON.parse(last_response.body, symbolize_names: true)
   end
+
+  def spec_views
+    File.dirname(__FILE__) + '/support/views'
+  end
 end
 
 RSpec.configure do |config|

data/spec/support/spec_app.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class SpecApp < Sinatra::Base
+  include Osso::RouteMap
+
+  get '/health' do
+    'ok'
+  end
+end

data/spec/support/views/admin.erb

@@ -0,0 +1,5 @@
+<%# 
+    NB: this file exists so that the admin routes have something to render in spec.
+    In real-world usage, those routes render an index.html file that includes the
+    React app.
+ %>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: osso
 version: !ruby/object:Gem::Version
-  version: 0.0.3
+  version: 0.0.3.5
 platform: ruby
 authors:
 - Sam Bauch
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-07-04 00:00:00.000000000 Z
+date: 2020-07-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 6.0.3.2
+- !ruby/object:Gem::Dependency
+  name: graphql
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -218,6 +232,7 @@ files:
 - bin/console
 - bin/setup
 - config/database.yml
+- db/schema.rb
 - lib/.DS_Store
 - lib/osso.rb
 - lib/osso/Rakefile
@@ -237,10 +252,32 @@ files:
 - lib/osso/db/migrate/20200502135008_add_oauth_client_id_to_enterprise_account.rb
 - lib/osso/db/migrate/20200601131227_drop_null_constraint_from_saml_providers_provider.rb
 - lib/osso/db/schema.rb
+- lib/osso/graphql/.DS_Store
+- lib/osso/graphql/mutation.rb
+- lib/osso/graphql/mutations.rb
+- lib/osso/graphql/mutations/base_mutation.rb
+- lib/osso/graphql/mutations/configure_identity_provider.rb
+- lib/osso/graphql/mutations/create_identity_provider.rb
+- lib/osso/graphql/mutations/set_saml_provider.rb
+- lib/osso/graphql/query.rb
+- lib/osso/graphql/resolvers.rb
+- lib/osso/graphql/resolvers/enterprise_account.rb
+- lib/osso/graphql/resolvers/enterprise_accounts.rb
+- lib/osso/graphql/resolvers/oauth_clients.rb
+- lib/osso/graphql/schema.rb
+- lib/osso/graphql/types.rb
+- lib/osso/graphql/types/base_enum.rb
+- lib/osso/graphql/types/base_object.rb
+- lib/osso/graphql/types/enterprise_account.rb
+- lib/osso/graphql/types/identity_provider.rb
+- lib/osso/graphql/types/identity_provider_service.rb
+- lib/osso/graphql/types/oauth_client.rb
+- lib/osso/graphql/types/user.rb
 - lib/osso/helpers/auth.rb
 - lib/osso/helpers/helpers.rb
 - lib/osso/lib/app_config.rb
 - lib/osso/lib/oauth2_token.rb
+- lib/osso/lib/route_map.rb
 - lib/osso/models/access_token.rb
 - lib/osso/models/authorization_code.rb
 - lib/osso/models/enterprise_account.rb
@@ -275,7 +312,8 @@ files:
 - spec/routes/auth_spec.rb
 - spec/routes/oauth_spec.rb
 - spec/spec_helper.rb
-- spec/support/vcr_cassettes/okta_saml_callback.yml
+- spec/support/spec_app.rb
+- spec/support/views/admin.erb
 homepage: https://github.com/enterprise-oss/osso-rb
 licenses:
 - MIT

data/spec/support/vcr_cassettes/okta_saml_callback.yml

@@ -1,59 +0,0 @@
----
-http_interactions:
-- request:
-    method: post
-    uri: http://localhost:9292/auth/saml/:uuid/callback
-    body:
-      encoding: ASCII-8BIT
-      string: SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIERlc3RpbmF0aW9uPSJodHRwOi8vbG9jYWxob3N0OjkyOTIvYXV0aC9zYW1sLzY4ZTkwNTdjLTQ2MmYtNDM3Zi04NDRkLTk4NzI0ZmVmOWQ0My9jYWxsYmFjayIgSUQ9ImlkMTgyOTI5NzEwODgzMjU2OTIyMDE3Nzc0NDUyIiBJblJlc3BvbnNlVG89Il81NGM0ZjE5MS0xYmY3LTRiMDItOTZlYS0zNGQ4NTU1YWVjYWEiIElzc3VlSW5zdGFudD0iMjAyMC0wNC0xMVQxNjozMjoxOC40MjRaIiBWZXJzaW9uPSIyLjAiIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiPjxzYW1sMjpJc3N1ZXIgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6bmFtZWlkLWZvcm1hdDplbnRpdHkiIHhtbG5zOnNhbWwyPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5odHRwOi8vd3d3Lm9rdGEuY29tL2V4azUxMzI2YjNVMTk0MUhmNHg2PC9zYW1sMjpJc3N1ZXI%2BPGRzOlNpZ25hdHVyZSB4bWxuczpkcz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI%2BPGRzOlNpZ25lZEluZm8%2BPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48ZHM6U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIvPjxkczpSZWZlcmVuY2UgVVJJPSIjaWQxODI5Mjk3MTA4ODMyNTY5MjIwMTc3NzQ0NTIiPjxkczpUcmFuc2Zvcm1zPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxkczpUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiPjxlYzpJbmNsdXNpdmVOYW1lc3BhY2VzIFByZWZpeExpc3Q9InhzIiB4bWxuczplYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8%2BPC9kczpUcmFuc2Zvcm0%2BPC9kczpUcmFuc2Zvcm1zPjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGVuYyNzaGEyNTYiLz48ZHM6RGlnZXN0VmFsdWU%2BZEpWb0Z6Y01zTjV3TmNJRWtJWkxqb1JjWDRpMzVYekI3RGg4ZE0wU1pMZz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU%2BdnFES0RhVk8vYlRkRW5hNlMwNHdQV0hicXdNQ1JHdStjRVRxOE9FR2pzK1drTUVBQVYzeEFnNitUZTB2Z0haSjlTWnhwSW9iWEdadVQvVFFnbnAyczNMM1FvaUx5UVFwOExXQnl0b1A0UWhSV1dNY1N3UHlUYWI5TmRUT1RWeXJBckJxZHFFVXN0M0Z5cVpLSVFlbUpocWU4ckk4cmJwQTI2YUFqc2xNZkRIZHNMTFlFMjUwTXpPdG9wdVppNHpvdDZDSTl1NFVRK2dsOWdqSUJyai9sZ3BQME5mZ3RXM01QNVRQOGxsaEpmVXJ4MjhLWGZjSHpOa1RDU1BxVTRwLzZCRTV5dm5QcmJVTE1EWWZQWG5aV0t5d0JpRkNyaTgydmNOdElXVHUvcmkrejNRT0p6dFRiTkdKU0ZjWHdkWHpheG8xdS9SN3ZUQlJPOCtuZEFsL1VBPT08L2RzOlNpZ25hdHVyZVZhbHVlPjxkczpLZXlJbmZvPjxkczpYNTA5RGF0YT48ZHM6WDUwOUNlcnRpZmljYXRlPk1JSURwRENDQW95Z0F3SUJBZ0lHQVhFaUQ0TGxNQTBHQ1NxR1NJYjNEUUVCQ3dVQU1JR1NNUXN3Q1FZRFZRUUdFd0pWVXpFVE1CRUcKQTFVRUNBd0tRMkZzYVdadmNtNXBZVEVXTUJRR0ExVUVCd3dOVTJGdUlFWnlZVzVqYVhOamJ6RU5NQXNHQTFVRUNnd0VUMnQwWVRFVQpNQklHQTFVRUN3d0xVMU5QVUhKdmRtbGtaWEl4RXpBUkJnTlZCQU1NQ21SbGRpMHhOakl3TWpReEhEQWFCZ2txaGtpRzl3MEJDUUVXCkRXbHVabTlBYjJ0MFlTNWpiMjB3SGhjTk1qQXdNekk0TVRZMU1UVTBXaGNOTXpBd016STRNVFkxTWpVMFdqQ0JrakVMTUFrR0ExVUUKQmhNQ1ZWTXhFekFSQmdOVkJBZ01Da05oYkdsbWIzSnVhV0V4RmpBVUJnTlZCQWNNRFZOaGJpQkdjbUZ1WTJselkyOHhEVEFMQmdOVgpCQW9NQkU5cmRHRXhGREFTQmdOVkJBc01DMU5UVDFCeWIzWnBaR1Z5TVJNd0VRWURWUVFEREFwa1pYWXRNVFl5TURJME1Sd3dHZ1lKCktvWklodmNOQVFrQkZnMXBibVp2UUc5cmRHRXVZMjl0TUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUEKd3NuUDRVVGZ2M2J4UjVKaDBhdDUxRHFqaitmS3hGem56RlczWEE1TmJGMlNsUkxqZVljdmozKzQ3VEMwZVA2eE9zTFdmbnZkbng0dgpkZDlVZm43akRDbzVwTDNKeWtNVkVoMkkwc3pGM1JMQythNTMyQXJjd2dVOVB4NDgrcldWd1BrQVNTN2w0TkhBTTQrZ09CSEpNUXQyCkFNb2hQVDBrVTQxUDhCRVB6ZndoTnlpRVhSNjZKTlpJSlVFOGZNM1ZwZ254bS9WU3dZekpmME5mT3lmeHY4SmN6RjB6a0RicEU3VGsKM1d3L1BGRkxvTXhXemFuV0dKUStibG5odjZVVjZINGZjZkFiY3dBcGxPZElWSGpTMmdoWUJ2WU5HYWh1RnhqaWEwKzZjc3laR3J0OApINFhtUjVEcitqWFk1SzFiMVZPQTBrMTkvRkNuSEhOL3NtbjI1d0lEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQmdEOU5FCjRPQ3VSMSt2dWNWOFMxVDZYWElMMmhCN2JYQkFaRVZIWjFhRXJSemt0Z1hBTWdWd0cyNjd2SWtENVZPWEJpVHk5eU5VNUxLNkczazIKemV3VTE5MHNMMWRNZnlQbm9WWnluOTRudndlOUErb24wdG1aZG1rMDB4aXJLazNGSmRhY25aTkU5RGwvYWZJcmNOZjZ4QW0wV3NVOQprYk1pUnd3dmpPNFRBaXlnRFF6YnJSQzhaZm1UM2hwQmEzYVRVekFjY3J2RVFjZ2FyTGs0cjdValhQN2EybUNOM1VJSWgrc25OMk1zCnZYSEwwcjZmTTN4Ym5peis1bGxlV3RQRnc3M3l5U0JjOHpua1daNFRuOExoMHI2bzVuQ1JZYnIyUkVVQjdaSWZpSXlCYlp4SXA0a3YKYStoYWJiblFERmlOVnpFZDhPUFhIaDRFcUx4T1BEUlc8L2RzOlg1MDlDZXJ0aWZpY2F0ZT48L2RzOlg1MDlEYXRhPjwvZHM6S2V5SW5mbz48L2RzOlNpZ25hdHVyZT48c2FtbDJwOlN0YXR1cyB4bWxuczpzYW1sMnA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCI%2BPHNhbWwycDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWwycDpTdGF0dXM%2BPHNhbWwyOkFzc2VydGlvbiBJRD0iaWQxODI5Mjk3MTA4ODQyMDg3MzY4MzU5Njg1MiIgSXNzdWVJbnN0YW50PSIyMDIwLTA0LTExVDE2OjMyOjE4LjQyNFoiIFZlcnNpb249IjIuMCIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSI%2BPHNhbWwyOklzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPmh0dHA6Ly93d3cub2t0YS5jb20vZXhrNTEzMjZiM1UxOTQxSGY0eDY8L3NhbWwyOklzc3Vlcj48ZHM6U2lnbmF0dXJlIHhtbG5zOmRzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48ZHM6U2lnbmVkSW5mbz48ZHM6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkczpTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzA0L3htbGRzaWctbW9yZSNyc2Etc2hhMjU2Ii8%2BPGRzOlJlZmVyZW5jZSBVUkk9IiNpZDE4MjkyOTcxMDg4NDIwODczNjgzNTk2ODUyIj48ZHM6VHJhbnNmb3Jtcz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz48ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIj48ZWM6SW5jbHVzaXZlTmFtZXNwYWNlcyBQcmVmaXhMaXN0PSJ4cyIgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvZHM6VHJhbnNmb3JtPjwvZHM6VHJhbnNmb3Jtcz48ZHM6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2Ii8%2BPGRzOkRpZ2VzdFZhbHVlPjJ0ekZZTktpNTRBVTV0L3R1UUZJS0Q2aHdlWlRqc1FYSTFzWmFreUE3Y0k9PC9kczpEaWdlc3RWYWx1ZT48L2RzOlJlZmVyZW5jZT48L2RzOlNpZ25lZEluZm8%2BPGRzOlNpZ25hdHVyZVZhbHVlPkxJakdOK0RRRExldUE4clF4Q0Yvblp2c3ZCM0VLWjFaUHA3cUU4ZXZZVGY3R01lWGlVa3hXaTkvbGQ1d2p2YWFjaG5ZOXBMV0FObStFRGo4aUhGcnI1a1dINWJZZUI3b0JybVY1NDlTMmpJWW5pbmJBT055T2d3TVRpWXJUQkZ3czg1dHVYb2h0N3JBcVRrWVBjY2FnanJyQW5sYnNyK3BVb3FZYzZMOHZUczR3d2x0MzJiVXF0TThCOG5XS1NmWFBMTEo3VlVGeFhFQm1iV1JsbjJBcjgyN2dhT1dGemoyQXcxWGw2bUZFTllscDVib3hoSlVkRHJDMHNkaW01YXZmQU5jSXFrMjJFQkc5aFRZNUdnbzlrTjBSYkgvYm15MTc5K0lDaWo5R2hlZ2xmWGVpV3pVaWlLUkF1WS8zbEVLZnBYQ2lpaVRVbGdUcHFxdzhnNjNvZz09PC9kczpTaWduYXR1cmVWYWx1ZT48ZHM6S2V5SW5mbz48ZHM6WDUwOURhdGE%2BPGRzOlg1MDlDZXJ0aWZpY2F0ZT5NSUlEcERDQ0FveWdBd0lCQWdJR0FYRWlENExsTUEwR0NTcUdTSWIzRFFFQkN3VUFNSUdTTVFzd0NRWURWUVFHRXdKVlV6RVRNQkVHCkExVUVDQXdLUTJGc2FXWnZjbTVwWVRFV01CUUdBMVVFQnd3TlUyRnVJRVp5WVc1amFYTmpiekVOTUFzR0ExVUVDZ3dFVDJ0MFlURVUKTUJJR0ExVUVDd3dMVTFOUFVISnZkbWxrWlhJeEV6QVJCZ05WQkFNTUNtUmxkaTB4TmpJd01qUXhIREFhQmdrcWhraUc5dzBCQ1FFVwpEV2x1Wm05QWIydDBZUzVqYjIwd0hoY05NakF3TXpJNE1UWTFNVFUwV2hjTk16QXdNekk0TVRZMU1qVTBXakNCa2pFTE1Ba0dBMVVFCkJoTUNWVk14RXpBUkJnTlZCQWdNQ2tOaGJHbG1iM0p1YVdFeEZqQVVCZ05WQkFjTURWTmhiaUJHY21GdVkybHpZMjh4RFRBTEJnTlYKQkFvTUJFOXJkR0V4RkRBU0JnTlZCQXNNQzFOVFQxQnliM1pwWkdWeU1STXdFUVlEVlFRRERBcGtaWFl0TVRZeU1ESTBNUnd3R2dZSgpLb1pJaHZjTkFRa0JGZzFwYm1adlFHOXJkR0V1WTI5dE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCndzblA0VVRmdjNieFI1SmgwYXQ1MURxamorZkt4RnpuekZXM1hBNU5iRjJTbFJMamVZY3ZqMys0N1RDMGVQNnhPc0xXZm52ZG54NHYKZGQ5VWZuN2pEQ281cEwzSnlrTVZFaDJJMHN6RjNSTEMrYTUzMkFyY3dnVTlQeDQ4K3JXVndQa0FTUzdsNE5IQU00K2dPQkhKTVF0MgpBTW9oUFQwa1U0MVA4QkVQemZ3aE55aUVYUjY2Sk5aSUpVRThmTTNWcGdueG0vVlN3WXpKZjBOZk95Znh2OEpjekYwemtEYnBFN1RrCjNXdy9QRkZMb014V3phbldHSlErYmxuaHY2VVY2SDRmY2ZBYmN3QXBsT2RJVkhqUzJnaFlCdllOR2FodUZ4amlhMCs2Y3N5WkdydDgKSDRYbVI1RHIralhZNUsxYjFWT0EwazE5L0ZDbkhITi9zbW4yNXdJREFRQUJNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUJnRDlORQo0T0N1UjErdnVjVjhTMVQ2WFhJTDJoQjdiWEJBWkVWSFoxYUVyUnprdGdYQU1nVndHMjY3dklrRDVWT1hCaVR5OXlOVTVMSzZHM2syCnpld1UxOTBzTDFkTWZ5UG5vVlp5bjk0bnZ3ZTlBK29uMHRtWmRtazAweGlyS2szRkpkYWNuWk5FOURsL2FmSXJjTmY2eEFtMFdzVTkKa2JNaVJ3d3ZqTzRUQWl5Z0RRemJyUkM4WmZtVDNocEJhM2FUVXpBY2NydkVRY2dhckxrNHI3VWpYUDdhMm1DTjNVSUloK3NuTjJNcwp2WEhMMHI2Zk0zeGJuaXorNWxsZVd0UEZ3NzN5eVNCYzh6bmtXWjRUbjhMaDByNm81bkNSWWJyMlJFVUI3WklmaUl5QmJaeElwNGt2CmEraGFiYm5RREZpTlZ6RWQ4T1BYSGg0RXFMeE9QRFJXPC9kczpYNTA5Q2VydGlmaWNhdGU%2BPC9kczpYNTA5RGF0YT48L2RzOktleUluZm8%2BPC9kczpTaWduYXR1cmU%2BPHNhbWwyOlN1YmplY3QgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sMjpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDp1bnNwZWNpZmllZCI%2Bc2FtQHZjYXJkbWUuY29tPC9zYW1sMjpOYW1lSUQ%2BPHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJfNTRjNGYxOTEtMWJmNy00YjAyLTk2ZWEtMzRkODU1NWFlY2FhIiBOb3RPbk9yQWZ0ZXI9IjIwMjAtMDQtMTFUMTY6Mzc6MTguNDI0WiIgUmVjaXBpZW50PSJodHRwOi8vbG9jYWxob3N0OjkyOTIvYXV0aC9zYW1sLzY4ZTkwNTdjLTQ2MmYtNDM3Zi04NDRkLTk4NzI0ZmVmOWQ0My9jYWxsYmFjayIvPjwvc2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWwyOlN1YmplY3Q%2BPHNhbWwyOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDIwLTA0LTExVDE2OjI3OjE4LjQyNFoiIE5vdE9uT3JBZnRlcj0iMjAyMC0wNC0xMVQxNjozNzoxOC40MjRaIiB4bWxuczpzYW1sMj0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI%2BPHNhbWwyOkF1ZGllbmNlUmVzdHJpY3Rpb24%2BPHNhbWwyOkF1ZGllbmNlPjY4ZTkwNTdjLTQ2MmYtNDM3Zi04NDRkLTk4NzI0ZmVmOWQ0Mzwvc2FtbDI6QXVkaWVuY2U%2BPC9zYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDI6Q29uZGl0aW9ucz48c2FtbDI6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDIwLTA0LTExVDE2OjMyOjE4LjQyNFoiIFNlc3Npb25JbmRleD0iXzU0YzRmMTkxLTFiZjctNGIwMi05NmVhLTM0ZDg1NTVhZWNhYSIgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sMjpBdXRobkNvbnRleHQ%2BPHNhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0PC9zYW1sMjpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWwyOkF1dGhuQ29udGV4dD48L3NhbWwyOkF1dGhuU3RhdGVtZW50PjxzYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQgeG1sbnM6c2FtbDI9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iPjxzYW1sMjpBdHRyaWJ1dGUgTmFtZT0iZW1haWwiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dW5zcGVjaWZpZWQiPjxzYW1sMjpBdHRyaWJ1dGVWYWx1ZSB4bWxuczp4cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEiIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHhzaTp0eXBlPSJ4czpzdHJpbmciPnNhbUB2Y2FyZG1lLmNvbTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPHNhbWwyOkF0dHJpYnV0ZSBOYW1lPSJpZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1bnNwZWNpZmllZCI%2BPHNhbWwyOkF0dHJpYnV0ZVZhbHVlIHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSIgeHNpOnR5cGU9InhzOnN0cmluZyI%2BMDB1NTEwd2pwNDRmdDNEUm80eDY8L3NhbWwyOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDI6QXR0cmlidXRlPjwvc2FtbDI6QXR0cmlidXRlU3RhdGVtZW50Pjwvc2FtbDI6QXNzZXJ0aW9uPjwvc2FtbDJwOlJlc3BvbnNlPg%3D%3D&RelayState=
-    headers:
-      Host:
-      - localhost:9292
-      Connection:
-      - keep-alive
-      Cache-Control:
-      - max-age=0
-      Upgrade-Insecure-Requests:
-      - '1'
-      Origin:
-      - 'null'
-      User-Agent:
-      - Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML,
-        like Gecko) Chrome/80.0.3987.163 Safari/537.36
-      Sec-Fetch-Dest:
-      - document
-      Accept:
-      - text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
-      Sec-Fetch-Site:
-      - cross-site
-      Sec-Fetch-Mode:
-      - navigate
-      Accept-Encoding:
-      - gzip, deflate, br
-      Accept-Language:
-      - en-US,en;q=0.9,fr;q=0.8
-      Cookie:
-      - _vcardme-api_session=YmdCdkxYdTlLWkhhWWNnZTQ5Yjdxc0gweWJjKys4TUtSWWVBd3c1U2tUT2E1b2t0MFQxd3lZQTJwSVcyZVFCOHZxaHRtTVZjVGYyay9ReVc0WElxR0hlVGM0MW5qQUxVZE8zYytTaXBlcDZraWRLSllkYjlvYUNMVkx6S3Aremh4ODB5eVBzMmFwS3dHOHNZaFFBYnJnPT0tLVRKUEdSMFV1SGRCZSt1LzNiYjRSZnc9PQ%3D%3D--4e212108b448172e97b0e205f75976780e843bd7;
-        mp_321622acf650be9cac3978565e73be1a_mixpanel=%7B%22distinct_id%22%3A%20%2217122c6e1421dd-0fd311181d4582-396f7f07-384000-17122c6e14935d%22%2C%22%24device_id%22%3A%20%2217122c6e1421dd-0fd311181d4582-396f7f07-384000-17122c6e14935d%22%2C%22%24initial_referrer%22%3A%20%22%24direct%22%2C%22%24initial_referring_domain%22%3A%20%22%24direct%22%7D;
-        rack.session=BAh7CUkiD3Nlc3Npb25faWQGOgZFVEkiRTdkYWNhMWRhNjc3MTY4OTY0ZWVj%0AZjg2YmIyOTM1M2EzOTcxZWIzN2ZjMzAxZGUxNmIyZGNiNDdhMGU0ZDdiMmQG%0AOwBGSSINc2FtbF91aWQGOwBUSSIUc2FtQHZjYXJkbWUuY29tBjsAVEkiF3Nh%0AbWxfc2Vzc2lvbl9pbmRleAY7AFRJIipfOTBjYjc4NjItYTc5My00M2ZjLWFh%0AOWItZDdiMjY0ZWE4NmM2BjsAVEkiFG9tbmlhdXRoLnBhcmFtcwY7AFR7AA%3D%3D%0A--429d063c69188264011d1384cbf24a4b486d2d3a
-      Version:
-      - HTTP/1.1
-      Content-Type:
-      - application/x-www-form-urlencoded
-      Content-Length:
-      - '10749'
-  response:
-    status:
-      code: 200
-      message: null
-    headers:
-      Content-Type:
-      - application/json
-      Content-Length:
-      - '112'
-    body:
-      encoding: UTF-8
-      string: '{"user":{"id":"2077ee4f-9e7d-46c2-bbf3-98c49c312281","email":"sam@vcardme.com","idp_id":"00u510wjp44ft3DRo4x6"}}'
-    http_version: null
-  recorded_at: Sat, 11 Apr 2020 16:32:18 GMT
-recorded_with: VCR 5.1.0