osso 0.0.7 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3557c5b1128c7a026fa1ddb14cb570b6d247231f3dc7ef22c4ef60af427ec3a2
-  data.tar.gz: fa59daf216455edc141fc1c1dd20b965cb90122dfa7e0e30ad3d3fc46a348951
+  metadata.gz: 8304c085cb599d56e9da71e5b30d8eec9096bf51f026f5f1bd2ac328b71600d7
+  data.tar.gz: e1d36cd4b70b19d7952c1d0e6f196c8bb608ca9b9431bdf376cacd632797d5d9
 SHA512:
-  metadata.gz: 4089820668fa27aa45e7dbb92bf58713202657ec71e6bb2ca24d79b19176e9e444f9c114119489c08417909b7b6403c7e3a1342bf4caa3174d0d5dca77d822f3
-  data.tar.gz: 41f3deba4a448aa35c03cf5630b1eeb9784fa200b5bdd020a2c5e29d4b8f8df95da1af0d6dea942d71cdfff2c691948412053a834fd249f8e4b66116e4d025f5
+  metadata.gz: 1f24f85bff86b6728a42cac1a421e8a93a2c1b3d529a668bf6935698b0d509733626677d4922febc45b6fcb88690e6a67f86c49ce69e9ed37d6e026da72a3543
+  data.tar.gz: 52a7d82d04e5073502c06e83b6a42bf31036a083e210f0683ce9d115ad88dbd97cf09e246a85b2d31a7cd419a8ca6b5460113a22d44e39130134cacf3cfff458

data/.buildkite/pipeline.yml

@@ -12,6 +12,7 @@ steps:
       - coverage/*
   
   - name: ":codeclimate:"
+    soft_fail: true
     plugins:
       - jobready/codeclimate-test-reporter#v2.0:
           artifact: "coverage/.resultset.json"

data/.rubocop.yml

@@ -1,25 +1,10 @@
 AllCops:
+  NewCops: enable
   TargetRubyVersion: 2.6.0
   Exclude:
     - db/**/*
     - lib/osso/db/**/*
 
-# New rules must be explicitly opted into / out of
-Lint/RaiseException:
-  Enabled: true
-Lint/StructNewOverride:
-  Enabled: true
-Style/HashEachMethods:
-  Enabled: true
-Style/HashTransformKeys:
-  Enabled: true
-Style/HashTransformValues:
-  Enabled: true
-Layout/SpaceAroundMethodCallOperator:
-  Enabled: true
-Style/ExponentialNotation:
-  Enabled: true
-
 Style/TrailingCommaInArguments:
   Description: "Checks for trailing comma in argument lists."
   StyleGuide: "https://github.com/bbatsov/ruby-style-guide#no-trailing-array-commas"
@@ -50,6 +35,9 @@ Style/TrailingCommaInHashLiteral:
     - no_comma
   Enabled: true
 
+Layout/FirstHashElementIndentation:
+  EnforcedStyle: consistent
+
 Layout/MultilineMethodCallIndentation:
   EnforcedStyle: indented
 

data/Gemfile

@@ -12,8 +12,8 @@ group :test do
   gem 'rack-test'
   gem 'rspec', '~> 3.10'
   gem 'rubocop'
-  gem 'simplecov', '= 0.17', require: false
-  gem 'webmock', '~> 3.10'
+  gem 'simplecov', '0.21.2', require: false
+  gem 'webmock', '~> 3.11'
 end
 
 gemspec

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    osso (0.0.7)
+    osso (0.1.1)
       activesupport (>= 6.0.3.2)
       bcrypt (~> 3.1.13)
       graphql
@@ -9,31 +9,33 @@ PATH
       mail (~> 2.7.1)
       omniauth-multi-provider
       omniauth-saml
+      posthog-ruby
       rack (>= 2.1.4)
       rack-contrib
       rack-oauth2
+      rack-protection (~> 2.1.0)
       rake
-      rodauth (~> 2.6.0)
-      sequel (>= 5.37, < 5.40)
+      rodauth (~> 2.9)
+      sequel (~> 5.40)
       sequel-activerecord_connection (>= 0.3, < 2.0)
       sinatra
-      sinatra-activerecord
+      sinatra-activerecord (>= 2.0.22)
       sinatra-contrib
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activemodel (6.0.3.4)
-      activesupport (= 6.0.3.4)
-    activerecord (6.0.3.4)
-      activemodel (= 6.0.3.4)
-      activesupport (= 6.0.3.4)
-    activesupport (6.0.3.4)
+    activemodel (6.1.1)
+      activesupport (= 6.1.1)
+    activerecord (6.1.1)
+      activemodel (= 6.1.1)
+      activesupport (= 6.1.1)
+    activesupport (6.1.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2, >= 2.2.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
     addressable (2.7.0)
       public_suffix (>= 2.0.2, < 5.0)
     aes_key_wrap (1.1.0)
@@ -42,30 +44,30 @@ GEM
     annotate (3.1.1)
       activerecord (>= 3.2, < 7.0)
       rake (>= 10.4, < 14.0)
-    ast (2.4.1)
+    ast (2.4.2)
     attr_required (1.0.1)
     bcrypt (3.1.16)
     bindata (2.4.8)
     coderay (1.1.3)
-    concurrent-ruby (1.1.7)
-    crack (0.4.4)
+    concurrent-ruby (1.1.8)
+    crack (0.4.5)
+      rexml
     database_cleaner (1.8.5)
     database_cleaner-active_record (1.8.0)
       activerecord
       database_cleaner (~> 1.8.0)
     diff-lcs (1.4.4)
-    docile (1.3.2)
+    docile (1.3.5)
     factory_bot (6.1.0)
       activesupport (>= 5.0.0)
     faker (2.15.1)
       i18n (>= 1.6, < 2)
-    graphql (1.11.6)
+    graphql (1.12.3)
     hashdiff (1.0.1)
     hashie (4.1.0)
     httpclient (2.8.3)
-    i18n (1.8.5)
+    i18n (1.8.7)
       concurrent-ruby (~> 1.0)
-    json (2.3.1)
     json-jwt (1.13.0)
       activesupport (>= 4.2)
       aes_key_wrap
@@ -75,29 +77,31 @@ GEM
       mini_mime (>= 0.1.1)
     method_source (1.0.0)
     mini_mime (1.0.2)
-    mini_portile2 (2.4.0)
-    minitest (5.14.2)
+    minitest (5.14.3)
     multi_json (1.15.0)
     mustermann (1.1.1)
       ruby2_keywords (~> 0.0.1)
-    nokogiri (1.10.10)
-      mini_portile2 (~> 2.4.0)
-    omniauth (1.9.1)
+    nokogiri (1.11.1-x86_64-darwin)
+      racc (~> 1.4)
+    omniauth (2.0.1)
       hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
+      rack-protection
     omniauth-multi-provider (0.2.1)
       omniauth
-    omniauth-saml (1.10.3)
-      omniauth (~> 1.3, >= 1.3.2)
+    omniauth-saml (2.0.0)
+      omniauth (~> 2.0)
       ruby-saml (~> 1.9)
     parallel (1.20.1)
-    parser (2.7.2.0)
+    parser (3.0.0.0)
       ast (~> 2.4.1)
     pg (1.2.3)
+    posthog-ruby (1.1.0)
     pry (0.13.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
     public_suffix (4.0.6)
+    racc (1.5.2)
     rack (2.2.3)
     rack-contrib (2.3.0)
       rack (~> 2.0)
@@ -112,58 +116,59 @@ GEM
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rainbow (3.0.0)
-    rake (13.0.1)
-    regexp_parser (2.0.0)
+    rake (13.0.3)
+    regexp_parser (2.0.3)
     rexml (3.2.4)
-    roda (3.38.0)
+    roda (3.40.0)
       rack
-    rodauth (2.6.0)
+    rodauth (2.9.0)
       roda (>= 2.6.0)
       sequel (>= 4)
     rspec (3.10.0)
       rspec-core (~> 3.10.0)
       rspec-expectations (~> 3.10.0)
       rspec-mocks (~> 3.10.0)
-    rspec-core (3.10.0)
+    rspec-core (3.10.1)
       rspec-support (~> 3.10.0)
-    rspec-expectations (3.10.0)
+    rspec-expectations (3.10.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.10.0)
-    rspec-mocks (3.10.0)
+    rspec-mocks (3.10.1)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.10.0)
-    rspec-support (3.10.0)
-    rubocop (1.5.2)
+    rspec-support (3.10.1)
+    rubocop (1.8.1)
       parallel (~> 1.10)
-      parser (>= 2.7.1.5)
+      parser (>= 3.0.0.0)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml
       rubocop-ast (>= 1.2.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 1.4.0, < 2.0)
-    rubocop-ast (1.3.0)
+      unicode-display_width (>= 1.4.0, < 3.0)
+    rubocop-ast (1.4.1)
       parser (>= 2.7.1.5)
-    ruby-progressbar (1.10.1)
+    ruby-progressbar (1.11.0)
     ruby-saml (1.11.0)
       nokogiri (>= 1.5.10)
-    ruby2_keywords (0.0.2)
-    sequel (5.39.0)
-    sequel-activerecord_connection (1.2.0)
+    ruby2_keywords (0.0.4)
+    sequel (5.40.0)
+    sequel-activerecord_connection (1.2.2)
       activerecord (>= 4.2, < 7)
       after_commit_everywhere (~> 0.1.5)
       sequel (~> 5.16)
-    simplecov (0.17.0)
+    simplecov (0.21.2)
       docile (~> 1.1)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
+      simplecov-html (~> 0.11)
+      simplecov_json_formatter (~> 0.1)
+    simplecov-html (0.12.3)
+    simplecov_json_formatter (0.1.2)
     sinatra (2.1.0)
       mustermann (~> 1.0)
       rack (~> 2.2)
       rack-protection (= 2.1.0)
       tilt (~> 2.0)
-    sinatra-activerecord (2.0.21)
+    sinatra-activerecord (2.0.22)
       activerecord (>= 4.1)
       sinatra (>= 1.0)
     sinatra-contrib (2.1.0)
@@ -172,16 +177,15 @@ GEM
       rack-protection (= 2.1.0)
       sinatra (= 2.1.0)
       tilt (~> 2.0)
-    thread_safe (0.3.6)
     tilt (2.0.10)
-    tzinfo (1.2.8)
-      thread_safe (~> 0.1)
-    unicode-display_width (1.7.0)
-    webmock (3.10.0)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
+    unicode-display_width (2.0.0)
+    webmock (3.11.1)
       addressable (>= 2.3.6)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    zeitwerk (2.4.1)
+    zeitwerk (2.4.2)
 
 PLATFORMS
   ruby
@@ -198,8 +202,8 @@ DEPENDENCIES
   rack-test
   rspec (~> 3.10)
   rubocop
-  simplecov (= 0.17)
-  webmock (~> 3.10)
+  simplecov (= 0.21.2)
+  webmock (~> 3.11)
 
 BUNDLED WITH
    2.1.4

data/Rakefile

@@ -5,6 +5,7 @@
 # schema and migrations
 
 ENV['SESSION_SECRET'] ||= 'rake-secret'
+ENV['BASE_URL'] ||= 'https://example.com'
 
 require 'bundler/gem_tasks'
 require 'sinatra/activerecord/rake'

data/bin/console

@@ -1,6 +1,9 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
+ENV['SESSION_SECRET'] ||= 'irb-secret'
+ENV['BASE_URL'] ||= 'https://example.com'
+
 require 'bundler/setup'
 require 'osso'
 

data/lib/osso.rb

@@ -2,6 +2,7 @@
 
 module Osso
   require_relative 'osso/error/error'
+  require_relative 'osso/lib/analytics'
   require_relative 'osso/lib/app_config'
   require_relative 'osso/lib/oauth2_token'
   require_relative 'osso/lib/route_map'

data/lib/osso/graphql/mutations/configure_identity_provider.rb

@@ -15,7 +15,10 @@ module Osso
         def resolve(**args)
           provider = identity_provider(**args)
 
-          return response_data(identity_provider: provider) if provider.update(args)
+          if provider.update(args)
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: args)
+            return response_data(identity_provider: provider)
+          end
 
           response_error(provider.errors)
         end

data/lib/osso/graphql/mutations/create_enterprise_account.rb

@@ -15,7 +15,10 @@ module Osso
         def resolve(**args)
           enterprise_account = Osso::Models::EnterpriseAccount.new(args)
 
-          return response_data(enterprise_account: enterprise_account) if enterprise_account.save
+          if enterprise_account.save
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: args)
+            return response_data(enterprise_account: enterprise_account)
+          end
 
           response_error(enterprise_account.errors)
         end

data/lib/osso/graphql/mutations/create_identity_provider.rb

@@ -13,7 +13,7 @@ module Osso
         field :identity_provider, Types::IdentityProvider, null: false
         field :errors, [String], null: false
 
-        def resolve(service: nil, enterprise_account_id:, oauth_client_id:)
+        def resolve(enterprise_account_id:, oauth_client_id:, service: nil)
           customer = enterprise_account(enterprise_account_id: enterprise_account_id)
 
           identity_provider = customer.identity_providers.build(
@@ -22,12 +22,17 @@ module Osso
             oauth_client_id: oauth_client_id,
           )
 
-          return response_data(identity_provider: identity_provider) if identity_provider.save
+          if identity_provider.save
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: {
+              service: service, enterprise_account_id: enterprise_account_id, oauth_client_id: oauth_client_id
+            })
+            return response_data(identity_provider: identity_provider)
+          end
 
           response_error(identity_provider.errors)
         end
 
-        def domain(enterprise_account_id:, **args)
+        def domain(enterprise_account_id:, **_args)
           enterprise_account(enterprise_account_id: enterprise_account_id)&.domain
         end
 

data/lib/osso/graphql/mutations/create_oauth_client.rb

@@ -14,7 +14,10 @@ module Osso
         def resolve(**args)
           oauth_client = Osso::Models::OauthClient.new(args)
 
-          return response_data(oauth_client: oauth_client) if oauth_client.save
+          if oauth_client.save
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: args)
+            return response_data(oauth_client: oauth_client)
+          end
 
           response_error(oauth_client.errors)
         end

data/lib/osso/graphql/mutations/delete_enterprise_account.rb

@@ -18,7 +18,10 @@ module Osso
         def resolve(**args)
           customer = enterprise_account(**args)
 
-          return response_data(enterprise_account: nil) if customer.destroy
+          if customer.destroy
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: args)
+            return response_data(enterprise_account: nil)
+          end
 
           response_error(customer.errors)
         end

data/lib/osso/graphql/mutations/delete_identity_provider.rb

@@ -14,7 +14,10 @@ module Osso
         def resolve(id:)
           identity_provider = Osso::Models::IdentityProvider.find(id)
 
-          return response_data(identity_provider: nil) if identity_provider.destroy
+          if identity_provider.destroy
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: { id: id })
+            return response_data(identity_provider: nil)
+          end
 
           response_error(identity_provider.errors)
         end

data/lib/osso/graphql/mutations/delete_oauth_client.rb

@@ -14,7 +14,10 @@ module Osso
         def resolve(id:)
           oauth_client = Osso::Models::OauthClient.find(id)
 
-          return response_data(oauth_client: nil) if oauth_client.destroy
+          if oauth_client.destroy
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: { id: id })
+            return response_data(oauth_client: nil)
+          end
 
           response_error(oauth_client.errors)
         end

data/lib/osso/graphql/mutations/invite_admin_user.rb

@@ -23,6 +23,12 @@ module Osso
           if admin_user.save
             verify_user(email)
 
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: {
+              invited_email: email,
+              invited_role: role,
+              invited_oauth_client_id: oauth_client_id,
+            })
+
             return response_data(admin_user: admin_user)
           end
 

data/lib/osso/graphql/mutations/regenerate_oauth_credentials.rb

@@ -15,7 +15,16 @@ module Osso
           oauth_client = Osso::Models::OauthClient.find(id)
           oauth_client.regenerate_secrets!
 
-          return response_data(oauth_client: oauth_client) if oauth_client.save
+          if oauth_client.save
+            Osso::Analytics.capture(
+              email: context[:email],
+              event: self.class.name.demodulize,
+              properties: { 
+                oauth_client_id: id 
+              }
+            )
+            return response_data(oauth_client: oauth_client)
+          end
 
           response_error(oauth_client.errors)
         end

data/lib/osso/graphql/mutations/set_redirect_uris.rb

@@ -18,6 +18,8 @@ module Osso
           update_existing(oauth_client, redirect_uris)
           create_new(oauth_client, redirect_uris)
 
+          Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: redirect_uris)
+
           response_data(oauth_client: oauth_client.reload)
         rescue StandardError => e
           response_error(e)

data/lib/osso/graphql/mutations/update_app_config.rb

@@ -15,7 +15,10 @@ module Osso
 
         def resolve(**args)
           app_config = Osso::Models::AppConfig.find
-          return response_data(app_config: app_config) if app_config.update(**args)
+          if app_config.update(**args)
+            Osso::Analytics.capture(email: context[:email], event: self.class.name.demodulize, properties: args)
+            return response_data(app_config: app_config)
+          end
 
           response_error(app_config.errors)
         end

data/lib/osso/graphql/query.rb

@@ -16,44 +16,39 @@ module Osso
 
         field :oauth_clients, null: true, resolver: Resolvers::OAuthClients
 
-        field(
-          :identity_provider,
-          Types::IdentityProvider,
-          null: true,
-          resolve: ->(_obj, args, _context) { Osso::Models::IdentityProvider.find(args[:id]) },
-        ) do
+        field :admin_users, [Types::AdminUser], null: false
+
+        field :app_config, Types::AppConfig, null: false
+
+        field :current_user, Types::AdminUser, null: false
+
+        field :identity_provider, Types::IdentityProvider, null: true do
           argument :id, ID, required: true
         end
 
-        field(
-          :app_config,
-          Types::AppConfig,
-          null: false,
-          resolve: ->(_obj, _args, _context) { Osso::Models::AppConfig.find },
-        )
-
-        field(
-          :oauth_client,
-          Types::OauthClient,
-          null: true,
-          resolve: ->(_obj, args, _context) { Osso::Models::OauthClient.find(args[:id]) },
-        ) do
+        field :oauth_client, Types::OauthClient, null: true do
           argument :id, ID, required: true
         end
 
-        field(
-          :admin_users,
-          [Types::AdminUser],
-          null: false,
-          resolve: ->(_obj, _args, _context) { Osso::Models::Account.all },
-        )
+        def admin_users
+          Osso::Models::Account.all
+        end
+
+        def app_config
+          Osso::Models::AppConfig.find
+        end
+
+        def current_user
+          context.to_h
+        end
 
-        field(
-          :current_user,
-          Types::AdminUser,
-          null: false,
-          resolve: ->(_obj, _args, context) { context.to_h },
-        )
+        def identity_provider(id:)
+          Osso::Models::IdentityProvider.find(id)
+        end
+
+        def oauth_client(id:)
+          Osso::Models::OauthClient.find(id)
+        end
       end
     end
   end

data/lib/osso/graphql/schema.rb

@@ -14,7 +14,6 @@ GraphQL::Relay::BaseConnection.register_connection_implementation(
 module Osso
   module GraphQL
     class Schema < ::GraphQL::Schema
-      use ::GraphQL::Pagination::Connections
       query Types::QueryType
       mutation Types::MutationType
 

data/lib/osso/lib/analytics.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+require 'posthog-ruby'
+
+module Osso
+  # Osso::Analytics provides an interface to track product analytics for any provider.
+  # Osso recommends PostHog as an open source solution for your product analytics needs.
+  # If you want to use another product analytics provider, you can patch the Osso::Analytics
+  # class yourself in your parent application. Be sure to implement the public
+  # .identify and .capture class methods with the required method signatures and require
+  # your class after requiring Osso.
+  class Analytics
+    class << self
+      def identify(email:, properties: {})
+        return unless configured?
+
+        client.identify({
+          distinct_id: email,
+          properties: properties.merge(instance_properties),
+        })
+      end
+
+      def capture(email:, event:, properties: {})
+        return unless configured?
+
+        client.capture(
+          distinct_id: email,
+          event: event,
+          properties: properties.merge(instance_properties),
+        )
+      end
+
+      private
+
+      def configured?
+        ENV['POSTHOG_API_KEY'].present?
+      end
+
+      def client
+        @client ||= PostHog::Client.new({
+          api_key: ENV['POSTHOG_API_KEY'],
+          api_host: ENV['POSTHOG_HOST'],
+          on_error: proc { |_status, msg| print msg },
+        })
+      end
+
+      def instance_properties
+        {
+          instance_url: ENV['BASE_URL'],
+          osso_plan: ENV['OSSO_PLAN'],
+        }
+      end
+    end
+  end
+end

data/lib/osso/lib/route_map.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'rack/protection'
+
 module Osso
   module RouteMap
     def self.included(klass)

data/lib/osso/models/account.rb

@@ -3,7 +3,7 @@
 module Osso
   module Models
     class Account < ::ActiveRecord::Base
-      enum status_id: { 1 => :Unverified, 2 => :Verified, 3 => :Closed }
+      enum status_id: { Unverified: 1, Verified: 2, Closed: 3 }
 
       def context
         {

data/lib/osso/models/identity_provider.rb

@@ -18,7 +18,7 @@ module Osso
 
       ENTITY_ID_URI_REQUIRED = [
         'PING',
-      ]
+      ].freeze
 
       def name
         service.titlecase
@@ -30,6 +30,7 @@ module Osso
           idp_sso_target_url: sso_url,
           idp_cert: sso_cert,
           issuer: sso_issuer,
+          name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
         }
       end
 
@@ -55,7 +56,7 @@ module Osso
 
       def set_sso_issuer
         parts = [domain, oauth_client_id]
-        
+
         parts.unshift('https:/') if ENTITY_ID_URI_REQUIRED.any?(service)
 
         self.sso_issuer = parts.join('/')

data/lib/osso/routes/admin.rb

@@ -10,16 +10,46 @@ module Osso
     DB = Sequel.postgres(extensions: :activerecord_connection)
     use Rack::Session::Cookie, secret: ENV.fetch('SESSION_SECRET')
 
+    plugin :json
+    plugin :json_parser
     plugin :middleware
     plugin :render, engine: 'erb', views: ENV['RODAUTH_VIEWS'] || DEFAULT_VIEWS_DIR
     plugin :route_csrf
 
     plugin :rodauth do
-      enable :login, :verify_account
+      enable :login, :verify_account, :jwt
+
+      base_uri = URI.parse(ENV.fetch('BASE_URL'))
+      base_url base_uri
+      domain base_uri.host
+
+      jwt_secret ENV.fetch('SESSION_SECRET')
+      only_json? false
+
+      email_from { "Osso <no-reply@#{domain}>" }
       verify_account_set_password? true
-      already_logged_in { redirect login_redirect }
       use_database_authentication_functions? false
 
+      after_login do
+        Osso::Analytics.identify(email: account[:email], properties: account)
+      end
+
+      verify_account_view do
+        render :admin
+      end
+
+      login_view do
+        render :admin
+      end
+
+      verify_account_email_subject do
+        DB[:accounts].one? ? 'Your Osso instance is ready' : 'You\'ve been invited to start using Osso'
+      end
+
+      verify_account_email_body do
+        DB[:accounts].one? ? render('verify-first-account-email') : render('verify-account-email')
+      end
+
       before_create_account_route do
         request.halt unless DB[:accounts].empty?
       end
@@ -31,16 +61,28 @@ module Osso
       r.rodauth
 
       def current_account
-        Osso::Models::Account.find(rodauth.session['account_id']).
-          context.
+        Osso::Models::Account.find(
+          rodauth.
+          session.
+          to_hash.
+          stringify_keys['account_id'],
+        ).context.
           merge({ rodauth: rodauth })
       end
 
       r.on 'admin' do
-        rodauth.require_authentication
         erb :admin, layout: false
       end
 
+      r.post 'idp' do
+        onboarded = Osso::Models::IdentityProvider.
+          not_pending.
+          where(domain: r.params['domain']).
+          exists?
+
+        { onboarded: onboarded }.to_json
+      end
+
       r.post 'graphql' do
         rodauth.require_authentication
 

data/lib/osso/routes/auth.rb

@@ -14,6 +14,8 @@ module Osso
       /[0-9a-f]{8}-[0-9a-f]{3,4}-[0-9a-f]{4}-[0-9a-f]{3,4}-[0-9a-f]{12}/.
         freeze
 
+    use Rack::Protection, allow_if: ->(env) { Rack::Request.new(env)&.path&.end_with?('callback') }
+
     use OmniAuth::Builder do
       OmniAuth::MultiProvider.register(
         self,

data/lib/osso/routes/oauth.rb

@@ -16,13 +16,14 @@ module Osso
       # Once they complete IdP login, they will be returned to the
       # redirect_uri with an authorization code parameter.
       get '/authorize' do
-        identity_providers = find_providers
-
         validate_oauth_request(env)
 
-        redirect "/auth/saml/#{identity_providers.first.id}" if identity_providers.one?
+        return erb :hosted_login if render_hosted_login?
+
+        @providers = find_providers
+
+        return erb :saml_login_form if @providers.one?
 
-        @providers = identity_providers.not_pending
         return erb :multiple_providers if @providers.count > 1
 
         raise Osso::Error::MissingConfiguredIdentityProvider.new(domain: params[:domain])
@@ -61,6 +62,10 @@ module Osso
 
     private
 
+    def render_hosted_login?
+      [params[:email], params[:domain]].all?(&:nil?)
+    end
+
     def find_providers
       if params[:email]
         user = Osso::Models::User.
@@ -71,6 +76,7 @@ module Osso
 
       Osso::Models::IdentityProvider.
         joins(:oauth_client).
+        not_pending.
         where(
           domain: domain_from_params,
           oauth_clients: { identifier: params[:client_id] },

data/lib/osso/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Osso
-  VERSION = '0.0.7'
+  VERSION = '0.1.1'
 end

data/lib/tasks/bootstrap.rake

@@ -8,9 +8,11 @@ namespace :osso do
   desc 'Bootstrap Osso data for a deployment'
   task :bootstrap do
     %w[Production Staging Development].each do |environment|
+      next if Osso::Models::OauthClient.find_by_name(environment)
+
       Osso::Models::OauthClient.create!(
         name: environment,
-      ) unless Osso::Models::OauthClient.find_by_name(environment)
+      )
     end
 
     Osso::Models::AppConfig.create
@@ -18,7 +20,7 @@ namespace :osso do
     admin_email = ENV['ADMIN_EMAIL']
 
     if admin_email
-      admin = Osso::Models::Account.create(
+      Osso::Models::Account.create(
         email: admin_email,
         status_id: 1,
         role: 'admin',
@@ -29,10 +31,10 @@ namespace :osso do
       rodauth = Osso::Admin.rodauth.new(Osso::Admin.new({
         'HTTP_HOST' => base_uri.host,
         'SERVER_NAME' => base_uri.to_s,
-        'rack.url_scheme' => base_uri.scheme
+        'rack.url_scheme' => base_uri.scheme,
       }))
 
-      account = rodauth.account_from_login(admin_email)
+      rodauth.account_from_login(admin_email)
       rodauth.setup_account_verification
     end
   end

data/osso-rb.gemspec

@@ -22,15 +22,17 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'mail', '~> 2.7.1'
   spec.add_runtime_dependency 'omniauth-multi-provider'
   spec.add_runtime_dependency 'omniauth-saml'
+  spec.add_runtime_dependency 'posthog-ruby'
   spec.add_runtime_dependency 'rack', '>= 2.1.4'
   spec.add_runtime_dependency 'rack-contrib'
   spec.add_runtime_dependency 'rack-oauth2'
+  spec.add_runtime_dependency 'rack-protection', '~> 2.1.0'
   spec.add_runtime_dependency 'rake'
-  spec.add_runtime_dependency 'rodauth', '~> 2.6.0'
-  spec.add_runtime_dependency 'sequel', '>= 5.37', '< 5.40'
+  spec.add_runtime_dependency 'rodauth', '~> 2.9'
+  spec.add_runtime_dependency 'sequel', '~> 5.40'
   spec.add_runtime_dependency 'sequel-activerecord_connection', '>= 0.3', '< 2.0'
   spec.add_runtime_dependency 'sinatra'
-  spec.add_runtime_dependency 'sinatra-activerecord'
+  spec.add_runtime_dependency 'sinatra-activerecord', '>= 2.0.22'
   spec.add_runtime_dependency 'sinatra-contrib'
 
   spec.add_development_dependency 'annotate', '~> 3.1'

data/spec/graphql/mutations/create_identity_provider_spec.rb

@@ -91,7 +91,7 @@ describe Osso::GraphQL::Schema do
               },
           }
         end
-        
+
         it 'creates an identity provider' do
           expect { subject }.to change { enterprise_account.identity_providers.count }.by(1)
           expect(subject.dig('data', 'createIdentityProvider', 'identityProvider', 'domain')).

data/spec/models/identity_provider_spec.rb

@@ -66,6 +66,7 @@ describe Osso::Models::IdentityProvider do
           idp_cert: subject.sso_cert,
           idp_sso_target_url: subject.sso_url,
           issuer: subject.sso_issuer,
+          name_identifier_format: 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
         )
     end
   end

data/spec/routes/admin_spec.rb

@@ -4,23 +4,68 @@ require 'spec_helper'
 
 describe Osso::Admin do
   describe 'get /admin' do
-    it 'redirects to /login without a session' do
+    it 'renders the admin layout' do
       get('/admin')
 
-      expect(last_response).to be_redirect
-      follow_redirect!
-      expect(last_request.url).to match('/login')
+      expect(last_response).to be_ok
     end
+  end
 
-    xit 'renders the admin page for a valid session token' do
-      password = SecureRandom.urlsafe_base64(16)
-      account = create(:verified_account, password: password)
+  describe 'post /graphql' do
+    let(:account) { create(:account) }
 
-      post('/login', { email: account.email, password: password })
+    it 'runs a GraphQL query with a valid jwt' do
+      allow_any_instance_of(described_class.rodauth).to receive(:logged_in?).and_return(true)
+      allow(Osso::Models::Account).to receive(:find).and_return(account)
+      allow(Osso::GraphQL::Schema).to receive(:execute).and_return({ graphql: true })
 
-      get('/admin')
+      header 'Content-Type', 'application/json'
+      post('/graphql')
+
+      expect(last_response).to be_ok
+      expect(last_json_response).to eq({ graphql: true })
+    end
+
+    it 'returns a 400 for an invalid jwt' do
+      header 'Content-Type', 'application/json'
+      header 'Authorization', 'Bearer bad-token'
+      post('/graphql')
+
+      expect(last_response.status).to eq 400
+    end
+
+    it 'returns a 401 without a jwt' do
+      header 'Content-Type', 'application/json'
+      post('/graphql')
+
+      expect(last_response.status).to eq 401
+    end
+  end
+
+  describe 'post /idp' do
+    let(:domain) { Faker::Internet.domain_name }
+    
+    before do
+      create(:configured_identity_provider, domain: domain)
+    end
+
+    it 'returns true when an available IDP is found' do
+      header 'Content-Type', 'application/json'
+      header 'Accept', 'application/json'
+      post('/idp', { domain: domain }.to_json)
+
+      expect(last_response).to be_ok
+      expect(last_json_response).to eq({ onboarded: true })
+    end
+
+    it 'returns false when an available IDP is not found' do
+      header 'Content-Type', 'application/json'
+      header 'Accept', 'application/json'
+
+      post('/idp', { domain: domain.reverse}.to_json)
 
       expect(last_response).to be_ok
+      expect(last_json_response).to eq({ onboarded: false })
     end
   end
 end

data/spec/routes/auth_spec.rb

@@ -6,12 +6,13 @@ describe Osso::Auth do
   before do
     described_class.set(:views, spec_views)
   end
-  describe 'get /auth/saml/:uuid' do
+
+  describe 'post /auth/saml/:uuid' do
     describe 'for an Okta SAML provider' do
       let(:enterprise) { create(:enterprise_with_okta) }
       let(:okta_provider) { enterprise.identity_providers.first }
       it 'uses omniauth saml' do
-        get("/auth/saml/#{okta_provider.id}")
+        post("/auth/saml/#{okta_provider.id}")
 
         expect(last_response).to be_redirect
         follow_redirect!
@@ -23,7 +24,7 @@ describe Osso::Auth do
       let(:enterprise) { create(:enterprise_with_okta) }
       let(:azure_provider) { enterprise.identity_providers.first }
       it 'uses omniauth saml' do
-        get("/auth/saml/#{azure_provider.id}")
+        post("/auth/saml/#{azure_provider.id}")
 
         expect(last_response).to be_redirect
         follow_redirect!
@@ -31,6 +32,7 @@ describe Osso::Auth do
       end
     end
   end
+
   describe 'post /auth/saml/:uuid/callback' do
     describe 'for an Okta SAML provider' do
       let(:enterprise) { create(:enterprise_with_okta) }

data/spec/routes/oauth_spec.rb

@@ -27,8 +27,22 @@ describe Osso::Oauth do
         end
       end
 
+      describe 'for a request without email or domain' do
+        it 'renders the hosted login page' do
+          get(
+            '/oauth/authorize',
+            client_id: client.identifier,
+            response_type: 'code',
+            redirect_uri: client.redirect_uri_values.sample,
+          )
+
+          expect(last_response).to be_ok
+          expect(last_response.body).to eq('HOSTED LOGIN')
+        end
+      end
+
       describe 'for an enterprise domain with one SAML provider' do
-        it 'redirects to /auth/saml/:provider_id' do
+        it 'renders the saml login form' do
           enterprise = create(:enterprise_with_okta, oauth_client: client)
 
           get(
@@ -41,9 +55,7 @@ describe Osso::Oauth do
 
           provider_id = enterprise.identity_providers.first.id
 
-          expect(last_response).to be_redirect
-          follow_redirect!
-          expect(last_request.url).to match("auth/saml/#{provider_id}")
+          expect(last_response.body).to match(provider_id)
         end
       end
 
@@ -65,7 +77,7 @@ describe Osso::Oauth do
       end
 
       describe "for an existing user's email address" do
-        it 'redirects to /auth/saml/:provider_id' do
+        it 'renders the saml login form' do
           enterprise = create(:enterprise_with_okta, oauth_client: client)
           provider_id = enterprise.identity_providers.first.id
           user = create(:user, email: "user@#{enterprise.domain}", identity_provider_id: provider_id)
@@ -78,14 +90,12 @@ describe Osso::Oauth do
             redirect_uri: client.redirect_uri_values.sample,
           )
 
-          expect(last_response).to be_redirect
-          follow_redirect!
-          expect(last_request.url).to match("auth/saml/#{provider_id}")
+          expect(last_response.body).to match(provider_id)
         end
       end
 
       describe "for a new user's email address belonging to an enterprise with one SAML provider" do
-        it 'redirects to /auth/saml/:provider_id' do
+        it 'renders the saml login form' do
           enterprise = create(:enterprise_with_okta, oauth_client: client)
 
           get(
@@ -98,9 +108,7 @@ describe Osso::Oauth do
 
           provider_id = enterprise.identity_providers.first.id
 
-          expect(last_response).to be_redirect
-          follow_redirect!
-          expect(last_request.url).to match("auth/saml/#{provider_id}")
+          expect(last_response.body).to match(provider_id)
         end
       end
 

data/spec/spec_helper.rb

@@ -80,5 +80,7 @@ RSpec.configure do |config|
 
   OmniAuth.config.test_mode = true
   OmniAuth.config.logger = Logger.new('/dev/null')
+  OmniAuth.config.request_validation_phase = proc {}
+
   WebMock.disable_net_connect!(allow_localhost: true)
 end

data/spec/support/views/hosted_login.erb

@@ -0,0 +1 @@
+HOSTED LOGIN

data/spec/support/views/saml_login_form.erb

@@ -0,0 +1 @@
+<%= @providers.first.id %>

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: osso
 version: !ruby/object:Gem::Version
-  version: 0.0.7
+  version: 0.1.1
 platform: ruby
 authors:
 - Sam Bauch
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-12-08 00:00:00.000000000 Z
+date: 2021-01-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -108,6 +108,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: posthog-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -150,6 +164,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-protection
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.1.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -170,32 +198,26 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.6.0
+        version: '2.9'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.6.0
+        version: '2.9'
 - !ruby/object:Gem::Dependency
   name: sequel
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '5.37'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.40'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '5.37'
-    - - "<"
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '5.40'
 - !ruby/object:Gem::Dependency
@@ -238,14 +260,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.0.22
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.0.22
 - !ruby/object:Gem::Dependency
   name: sinatra-contrib
   requirement: !ruby/object:Gem::Requirement
@@ -407,6 +429,7 @@ files:
 - lib/osso/graphql/types/oauth_client.rb
 - lib/osso/graphql/types/redirect_uri.rb
 - lib/osso/graphql/types/redirect_uri_input.rb
+- lib/osso/lib/analytics.rb
 - lib/osso/lib/app_config.rb
 - lib/osso/lib/oauth2_token.rb
 - lib/osso/lib/route_map.rb
@@ -455,7 +478,6 @@ files:
 - spec/models/enterprise_account_spec.rb
 - spec/models/identity_provider_spec.rb
 - spec/routes/admin_spec.rb
-- spec/routes/app_spec.rb
 - spec/routes/auth_spec.rb
 - spec/routes/oauth_spec.rb
 - spec/spec_helper.rb
@@ -463,8 +485,10 @@ files:
 - spec/support/spec_app.rb
 - spec/support/views/admin.erb
 - spec/support/views/error.erb
+- spec/support/views/hosted_login.erb
 - spec/support/views/layout.erb
 - spec/support/views/multiple_providers.erb
+- spec/support/views/saml_login_form.erb
 homepage: https://github.com/enterprise-oss/osso-rb
 licenses:
 - MIT

data/spec/routes/app_spec.rb

@@ -1,6 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-describe 'App' do
-end