osso 0.0.6 → 0.1.0

data/lib/osso/graphql/mutations/create_oauth_client.rb

@@ -14,7 +14,10 @@ module Osso
         def resolve(**args)
           oauth_client = Osso::Models::OauthClient.new(args)
 
-          return response_data(oauth_client: oauth_client) if oauth_client.save
+          if oauth_client.save
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: args)
+            return response_data(oauth_client: oauth_client)
+          end
 
           response_error(oauth_client.errors)
         end

data/lib/osso/graphql/mutations/delete_enterprise_account.rb

@@ -18,7 +18,10 @@ module Osso
         def resolve(**args)
           customer = enterprise_account(**args)
 
-          return response_data(enterprise_account: nil) if customer.destroy
+          if customer.destroy
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: args)
+            return response_data(enterprise_account: nil)
+          end
 
           response_error(customer.errors)
         end

data/lib/osso/graphql/mutations/delete_identity_provider.rb

@@ -14,7 +14,10 @@ module Osso
         def resolve(id:)
           identity_provider = Osso::Models::IdentityProvider.find(id)
 
-          return response_data(identity_provider: nil) if identity_provider.destroy
+          if identity_provider.destroy
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: { id: id })
+            return response_data(identity_provider: nil)
+          end
 
           response_error(identity_provider.errors)
         end

data/lib/osso/graphql/mutations/delete_oauth_client.rb

@@ -14,7 +14,10 @@ module Osso
         def resolve(id:)
           oauth_client = Osso::Models::OauthClient.find(id)
 
-          return response_data(oauth_client: nil) if oauth_client.destroy
+          if oauth_client.destroy
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: { id: id })
+            return response_data(oauth_client: nil)
+          end
 
           response_error(oauth_client.errors)
         end

data/lib/osso/graphql/mutations/invite_admin_user.rb

@@ -23,6 +23,12 @@ module Osso
           if admin_user.save
             verify_user(email)
 
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: {
+              invited_email: email,
+              invited_role: role,
+              invited_oauth_client_id: oauth_client_id,
+            })
+
             return response_data(admin_user: admin_user)
           end
 

data/lib/osso/graphql/mutations/regenerate_oauth_credentials.rb

@@ -15,7 +15,16 @@ module Osso
           oauth_client = Osso::Models::OauthClient.find(id)
           oauth_client.regenerate_secrets!
 
-          return response_data(oauth_client: oauth_client) if oauth_client.save
+          if oauth_client.save
+            Osso::Analytics.capture(
+              email: context[:email],
+              event: self.class.name.demodulize,
+              properties: { 
+                oauth_client_id: id 
+              }
+            )
+            return response_data(oauth_client: oauth_client)
+          end
 
           response_error(oauth_client.errors)
         end

data/lib/osso/graphql/mutations/set_redirect_uris.rb

@@ -18,6 +18,8 @@ module Osso
           update_existing(oauth_client, redirect_uris)
           create_new(oauth_client, redirect_uris)
 
+          Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: redirect_uris)
+
           response_data(oauth_client: oauth_client.reload)
         rescue StandardError => e
           response_error(e)

data/lib/osso/graphql/mutations/update_app_config.rb

@@ -15,7 +15,10 @@ module Osso
 
         def resolve(**args)
           app_config = Osso::Models::AppConfig.find
-          return response_data(app_config: app_config) if app_config.update(**args)
+          if app_config.update(**args)
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: args)
+            return response_data(app_config: app_config)
+          end
 
           response_error(app_config.errors)
         end

data/lib/osso/graphql/query.rb

@@ -16,44 +16,39 @@ module Osso
 
         field :oauth_clients, null: true, resolver: Resolvers::OAuthClients
 
-        field(
-          :identity_provider,
-          Types::IdentityProvider,
-          null: true,
-          resolve: ->(_obj, args, _context) { Osso::Models::IdentityProvider.find(args[:id]) },
-        ) do
+        field :admin_users, [Types::AdminUser], null: false
+
+        field :app_config, Types::AppConfig, null: false
+
+        field :current_user, Types::AdminUser, null: false
+
+        field :identity_provider, Types::IdentityProvider, null: true do
           argument :id, ID, required: true
         end
 
-        field(
-          :app_config,
-          Types::AppConfig,
-          null: false,
-          resolve: ->(_obj, _args, _context) { Osso::Models::AppConfig.find },
-        )
-
-        field(
-          :oauth_client,
-          Types::OauthClient,
-          null: true,
-          resolve: ->(_obj, args, _context) { Osso::Models::OauthClient.find(args[:id]) },
-        ) do
+        field :oauth_client, Types::OauthClient, null: true do
           argument :id, ID, required: true
         end
 
-        field(
-          :admin_users,
-          [Types::AdminUser],
-          null: false,
-          resolve: ->(_obj, _args, _context) { Osso::Models::Account.all },
-        )
+        def admin_users
+          Osso::Models::Account.all
+        end
+
+        def app_config
+          Osso::Models::AppConfig.find
+        end
+
+        def current_user
+          context.to_h
+        end
 
-        field(
-          :current_user,
-          Types::AdminUser,
-          null: false,
-          resolve: ->(_obj, _args, context) { context.to_h },
-        )
+        def identity_provider(id:)
+          Osso::Models::IdentityProvider.find(id)
+        end
+
+        def oauth_client(id:)
+          Osso::Models::OauthClient.find(id)
+        end
       end
     end
   end

data/lib/osso/graphql/schema.rb

@@ -14,7 +14,6 @@ GraphQL::Relay::BaseConnection.register_connection_implementation(
 module Osso
   module GraphQL
     class Schema < ::GraphQL::Schema
-      use ::GraphQL::Pagination::Connections
       query Types::QueryType
       mutation Types::MutationType
 

data/lib/osso/graphql/types/identity_provider_service.rb

@@ -9,6 +9,7 @@ module Osso
         value('OKTA', 'Okta Identity Provider', value: 'OKTA')
         value('ONELOGIN', 'OneLogin Identity Provider', value: 'ONELOGIN')
         value('PING', 'PingID Identity Provider', value: 'PING')
+        value('SALESFORCE', 'Salesforce Identity Provider', value: 'SALESFORCE')
       end
     end
   end

data/lib/osso/lib/analytics.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'posthog-ruby'
+
+module Osso
+  # Osso::Analytics provides an interface to track product analytics for any provider.
+  # Osso recommends PostHog as an open source solution for your product analytics needs.
+  # If you want to use another product analytics provider, you can patch the Osso::Analytics
+  # class yourself in your parent application. Be sure to implement the public
+  # .identify and .capture class methods with the required method signatures and require
+  # your class after requiring Osso.
+  class Analytics
+    class << self
+      def identify(email:, properties: {})
+        return unless configured?
+
+        client.identify({
+          distinct_id: email,
+          properties: properties.merge(instance_properties),
+        })
+      end
+
+      def capture(email:, event:, properties: {})
+        return unless configured?
+
+        client.capture(
+          distinct_id: email,
+          event: event,
+          properties: properties.merge(instance_properties),
+        )
+      end
+
+      private
+
+      def configured?
+        ENV['POSTHOG_API_KEY'].present?
+      end
+
+      def client
+        @client ||= PostHog::Client.new({
+          api_key: ENV['POSTHOG_API_KEY'],
+          api_host: ENV['POSTHOG_HOST'],
+          on_error: proc { |_status, msg| print msg },
+        })
+      end
+
+      def instance_properties
+        {
+          instance_url: ENV['BASE_URL'],
+          osso_plan: ENV['OSSO_PLAN'],
+        }
+      end
+    end
+  end
+end

data/lib/osso/lib/route_map.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'rack/protection'
+
 module Osso
   module RouteMap
     def self.included(klass)

data/lib/osso/models/account.rb

@@ -3,7 +3,7 @@
 module Osso
   module Models
     class Account < ::ActiveRecord::Base
-      enum status_id: { 1 => :Unverified, 2 => :Verified, 3 => :Closed }
+      enum status_id: { Unverified: 1, Verified: 2, Closed: 3 }
 
       def context
         {

data/lib/osso/models/identity_provider.rb

@@ -18,7 +18,7 @@ module Osso
 
       ENTITY_ID_URI_REQUIRED = [
         'PING',
-      ]
+      ].freeze
 
       def name
         service.titlecase
@@ -30,6 +30,7 @@ module Osso
           idp_sso_target_url: sso_url,
           idp_cert: sso_cert,
           issuer: sso_issuer,
+          name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
         }
       end
 
@@ -55,7 +56,7 @@ module Osso
 
       def set_sso_issuer
         parts = [domain, oauth_client_id]
-        
+
         parts.unshift('https:/') if ENTITY_ID_URI_REQUIRED.any?(service)
 
         self.sso_issuer = parts.join('/')

data/lib/osso/routes/admin.rb

@@ -10,16 +10,45 @@ module Osso
     DB = Sequel.postgres(extensions: :activerecord_connection)
     use Rack::Session::Cookie, secret: ENV.fetch('SESSION_SECRET')
 
+    plugin :json
     plugin :middleware
     plugin :render, engine: 'erb', views: ENV['RODAUTH_VIEWS'] || DEFAULT_VIEWS_DIR
     plugin :route_csrf
 
     plugin :rodauth do
-      enable :login, :verify_account
+      enable :login, :verify_account, :jwt
+
+      base_uri = URI.parse(ENV.fetch('BASE_URL'))
+      base_url base_uri
+      domain base_uri.host
+
+      jwt_secret ENV.fetch('SESSION_SECRET')
+      only_json? false
+
+      email_from { "Osso <no-reply@#{domain}>" }
       verify_account_set_password? true
-      already_logged_in { redirect login_redirect }
       use_database_authentication_functions? false
 
+      after_login do
+        Osso::Analytics.identify(email: account[:email], properties: account)
+      end
+
+      verify_account_view do
+        render :admin
+      end
+
+      login_view do
+        render :admin
+      end
+
+      verify_account_email_subject do
+        DB[:accounts].one? ? 'Your Osso instance is ready' : 'You\'ve been invited to start using Osso'
+      end
+
+      verify_account_email_body do
+        DB[:accounts].one? ? render('verify-first-account-email') : render('verify-account-email')
+      end
+
       before_create_account_route do
         request.halt unless DB[:accounts].empty?
       end
@@ -31,13 +60,16 @@ module Osso
       r.rodauth
 
       def current_account
-        Osso::Models::Account.find(rodauth.session['account_id']).
-          context.
+        Osso::Models::Account.find(
+          rodauth.
+          session.
+          to_hash.
+          stringify_keys['account_id'],
+        ).context.
           merge({ rodauth: rodauth })
       end
 
       r.on 'admin' do
-        rodauth.require_authentication
         erb :admin, layout: false
       end
 

data/lib/osso/routes/auth.rb

@@ -14,6 +14,8 @@ module Osso
       /[0-9a-f]{8}-[0-9a-f]{3,4}-[0-9a-f]{4}-[0-9a-f]{3,4}-[0-9a-f]{12}/.
         freeze
 
+    use Rack::Protection, allow_if: ->(env) { Rack::Request.new(env)&.path&.end_with?('callback') }
+
     use OmniAuth::Builder do
       OmniAuth::MultiProvider.register(
         self,

data/lib/osso/routes/oauth.rb

@@ -16,13 +16,14 @@ module Osso
       # Once they complete IdP login, they will be returned to the
       # redirect_uri with an authorization code parameter.
       get '/authorize' do
-        identity_providers = find_providers
-
         validate_oauth_request(env)
 
-        redirect "/auth/saml/#{identity_providers.first.id}" if identity_providers.one?
+        return erb :hosted_login if render_hosted_login?
+
+        @providers = find_providers
+
+        return erb :saml_login_form if @providers.one?
 
-        @providers = identity_providers.not_pending
         return erb :multiple_providers if @providers.count > 1
 
         raise Osso::Error::MissingConfiguredIdentityProvider.new(domain: params[:domain])
@@ -61,6 +62,10 @@ module Osso
 
     private
 
+    def render_hosted_login?
+      [params[:email], params[:domain]].all?(&:nil?)
+    end
+
     def find_providers
       if params[:email]
         user = Osso::Models::User.
@@ -71,6 +76,7 @@ module Osso
 
       Osso::Models::IdentityProvider.
         joins(:oauth_client).
+        not_pending.
         where(
           domain: domain_from_params,
           oauth_clients: { identifier: params[:client_id] },

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.6'
+  VERSION = '0.1.0'
 end

data/lib/tasks/bootstrap.rake

@@ -8,9 +8,11 @@ namespace :osso do
   desc 'Bootstrap Osso data for a deployment'
   task :bootstrap do
     %w[Production Staging Development].each do |environment|
+      next if Osso::Models::OauthClient.find_by_name(environment)
+
       Osso::Models::OauthClient.create!(
         name: environment,
-      ) unless Osso::Models::OauthClient.find_by_name(environment)
+      )
     end
 
     Osso::Models::AppConfig.create
@@ -18,7 +20,7 @@ namespace :osso do
     admin_email = ENV['ADMIN_EMAIL']
 
     if admin_email
-      admin = Osso::Models::Account.create(
+      Osso::Models::Account.create(
         email: admin_email,
         status_id: 1,
         role: 'admin',
@@ -29,10 +31,10 @@ namespace :osso do
       rodauth = Osso::Admin.rodauth.new(Osso::Admin.new({
         'HTTP_HOST' => base_uri.host,
         'SERVER_NAME' => base_uri.to_s,
-        'rack.url_scheme' => base_uri.scheme
+        'rack.url_scheme' => base_uri.scheme,
       }))
 
-      account = rodauth.account_from_login(admin_email)
+      rodauth.account_from_login(admin_email)
       rodauth.setup_account_verification
     end
   end