package-installer-cli 1.3.3 → 1.4.0

data/features/auth/auth0/go/backend/main.go

@@ -0,0 +1,60 @@
+package main
+
+import (
+	"01-Authorization-RS256/middleware"
+	"log"
+	"net/http"
+
+	jwtmiddleware "github.com/auth0/go-jwt-middleware/v2"
+	"github.com/auth0/go-jwt-middleware/v2/validator"
+	"github.com/joho/godotenv"
+)
+
+func main() {
+	if err := godotenv.Load(); err != nil {
+		log.Fatalf("Error loading the .env file: %v", err)
+	}
+
+	router := http.NewServeMux()
+
+	// This route is always accessible.
+	router.Handle("/api/public", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(`{"message":"Hello from a public endpoint! You don't need to be authenticated to see this."}`))
+	}))
+
+	// This route is only accessible if the user has a valid access_token.
+	router.Handle("/api/private", middleware.EnsureValidToken()(
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusOK)
+			w.Write([]byte(`{"message":"Hello from a private endpoint! You need to be authenticated to see this."}`))
+		}),
+	))
+
+	// This route is only accessible if the user has a
+	// valid access_token with the read:messages scope.
+	router.Handle("/api/private-scoped", middleware.EnsureValidToken()(
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Type", "application/json")
+
+			token := r.Context().Value(jwtmiddleware.ContextKey{}).(*validator.ValidatedClaims)
+
+			claims := token.CustomClaims.(*middleware.CustomClaims)
+			if !claims.HasScope("read:messages") {
+				w.WriteHeader(http.StatusForbidden)
+				w.Write([]byte(`{"message":"Insufficient scope."}`))
+				return
+			}
+
+			w.WriteHeader(http.StatusOK)
+			w.Write([]byte(`{"message":"Hello from a private endpoint! You need to be authenticated to see this."}`))
+		}),
+	))
+
+	log.Print("Server listening on http://localhost:3010")
+	if err := http.ListenAndServe("0.0.0.0:3010", router); err != nil {
+		log.Fatalf("There was an error with the http server: %v", err)
+	}
+}

data/features/auth/auth0/go/backend/middleware/jwt.go

@@ -0,0 +1,81 @@
+package middleware
+
+import (
+	"context"
+	"log"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+
+	jwtmiddleware "github.com/auth0/go-jwt-middleware/v2"
+	"github.com/auth0/go-jwt-middleware/v2/jwks"
+	"github.com/auth0/go-jwt-middleware/v2/validator"
+)
+
+// CustomClaims contains custom data we want from the token.
+type CustomClaims struct {
+	Scope string `json:"scope"`
+}
+
+// Validate does nothing for this example, but we need
+// it to satisfy validator.CustomClaims interface.
+func (c CustomClaims) Validate(ctx context.Context) error {
+	return nil
+}
+
+// EnsureValidToken is a middleware that will check the validity of our JWT.
+func EnsureValidToken() func(next http.Handler) http.Handler {
+	issuerURL, err := url.Parse("https://" + os.Getenv("AUTH0_DOMAIN") + "/")
+	if err != nil {
+		log.Fatalf("Failed to parse the issuer url: %v", err)
+	}
+
+	provider := jwks.NewCachingProvider(issuerURL, 5*time.Minute)
+
+	jwtValidator, err := validator.New(
+		provider.KeyFunc,
+		validator.RS256,
+		issuerURL.String(),
+		[]string{os.Getenv("AUTH0_AUDIENCE")},
+		validator.WithCustomClaims(
+			func() validator.CustomClaims {
+				return &CustomClaims{}
+			},
+		),
+		validator.WithAllowedClockSkew(time.Minute),
+	)
+	if err != nil {
+		log.Fatalf("Failed to set up the jwt validator")
+	}
+
+	errorHandler := func(w http.ResponseWriter, r *http.Request, err error) {
+		log.Printf("Encountered error while validating JWT: %v", err)
+
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusUnauthorized)
+		w.Write([]byte(`{"message":"Failed to validate JWT."}`))
+	}
+
+	middleware := jwtmiddleware.New(
+		jwtValidator.ValidateToken,
+		jwtmiddleware.WithErrorHandler(errorHandler),
+	)
+
+	return func(next http.Handler) http.Handler {
+		return middleware.CheckJWT(next)
+	}
+}
+
+// HasScope checks whether our claims have a specific scope.
+func (c CustomClaims) HasScope(expectedScope string) bool {
+	result := strings.Split(c.Scope, " ")
+	for i := range result {
+		if result[i] == expectedScope {
+			return true
+		}
+	}
+
+	return false
+}

data/features/auth/auth0/go/web-app/auth.go

@@ -0,0 +1,56 @@
+// Save this file in ./platform/authenticator/auth.go
+
+package authenticator
+
+import (
+	"context"
+	"errors"
+	"os"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"golang.org/x/oauth2"
+)
+
+// Authenticator is used to authenticate our users.
+type Authenticator struct {
+	*oidc.Provider
+	oauth2.Config
+}
+
+// New instantiates the *Authenticator.
+func New() (*Authenticator, error) {
+	provider, err := oidc.NewProvider(
+		context.Background(),
+		"https://"+os.Getenv("AUTH0_DOMAIN")+"/",
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	conf := oauth2.Config{
+		ClientID:     os.Getenv("AUTH0_CLIENT_ID"),
+		ClientSecret: os.Getenv("AUTH0_CLIENT_SECRET"),
+		RedirectURL:  os.Getenv("AUTH0_CALLBACK_URL"),
+		Endpoint:     provider.Endpoint(),
+		Scopes:       []string{oidc.ScopeOpenID, "profile"},
+	}
+
+	return &Authenticator{
+		Provider: provider,
+		Config:   conf,
+	}, nil
+}
+
+// VerifyIDToken verifies that an *oauth2.Token is a valid *oidc.IDToken.
+func (a *Authenticator) VerifyIDToken(ctx context.Context, token *oauth2.Token) (*oidc.IDToken, error) {
+	rawIDToken, ok := token.Extra("id_token").(string)
+	if !ok {
+		return nil, errors.New("no id_token field in oauth2 token")
+	}
+
+	oidcConfig := &oidc.Config{
+		ClientID: a.ClientID,
+	}
+
+	return a.Verifier(oidcConfig).Verify(ctx, rawIDToken)
+}

data/features/auth/auth0/go/web-app/callback.go

@@ -0,0 +1,52 @@
+/ Save this file in ./web/app/callback/callback.go
+
+package callback
+
+import (
+	"net/http"
+
+	"github.com/gin-contrib/sessions"
+	"github.com/gin-gonic/gin"
+
+	"01-Login/platform/authenticator"
+)
+
+// Handler for our callback.
+func Handler(auth *authenticator.Authenticator) gin.HandlerFunc {
+	return func(ctx *gin.Context) {
+		session := sessions.Default(ctx)
+		if ctx.Query("state") != session.Get("state") {
+			ctx.String(http.StatusBadRequest, "Invalid state parameter.")
+			return
+		}
+
+		// Exchange an authorization code for a token.
+		token, err := auth.Exchange(ctx.Request.Context(), ctx.Query("code"))
+		if err != nil {
+			ctx.String(http.StatusUnauthorized, "Failed to exchange an authorization code for a token.")
+			return
+		}
+
+		idToken, err := auth.VerifyIDToken(ctx.Request.Context(), token)
+		if err != nil {
+			ctx.String(http.StatusInternalServerError, "Failed to verify ID Token.")
+			return
+		}
+
+		var profile map[string]interface{}
+		if err := idToken.Claims(&profile); err != nil {
+			ctx.String(http.StatusInternalServerError, err.Error())
+			return
+		}
+
+		session.Set("access_token", token.AccessToken)
+		session.Set("profile", profile)
+		if err := session.Save(); err != nil {
+			ctx.String(http.StatusInternalServerError, err.Error())
+			return
+		}
+
+		// Redirect to logged in page.
+		ctx.Redirect(http.StatusTemporaryRedirect, "/user")
+	}
+}

data/features/auth/auth0/go/web-app/go.mod

@@ -0,0 +1,11 @@
+module 01-Login
+
+go 1.21
+
+require (
+	github.com/coreos/go-oidc/v3 v3.8.0
+	github.com/gin-contrib/sessions v0.0.5
+	github.com/gin-gonic/gin v1.9.1
+	github.com/joho/godotenv v1.5.1
+	golang.org/x/oauth2 v0.15.0
+)

data/features/auth/auth0/go/web-app/isAuthenticated.go

@@ -0,0 +1,20 @@
+// Save this file in ./platform/middleware/isAuthenticated.go
+
+package middleware
+
+import (
+	"net/http"
+
+	"github.com/gin-contrib/sessions"
+	"github.com/gin-gonic/gin"
+)
+
+// IsAuthenticated is a middleware that checks if
+// the user has already been authenticated previously.
+func IsAuthenticated(ctx *gin.Context) {
+	if sessions.Default(ctx).Get("profile") == nil {
+		ctx.Redirect(http.StatusSeeOther, "/")
+	} else {
+		ctx.Next()
+	}
+}

data/features/auth/auth0/go/web-app/login.go

@@ -0,0 +1,47 @@
+// Save this file in ./web/app/login/login.go
+
+package login
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"net/http"
+
+	"github.com/gin-contrib/sessions"
+	"github.com/gin-gonic/gin"
+
+	"01-Login/platform/authenticator"
+)
+
+// Handler for our login.
+func Handler(auth *authenticator.Authenticator) gin.HandlerFunc {
+	return func(ctx *gin.Context) {
+		state, err := generateRandomState()
+		if err != nil {
+			ctx.String(http.StatusInternalServerError, err.Error())
+			return
+		}
+
+		// Save the state inside the session.
+		session := sessions.Default(ctx)
+		session.Set("state", state)
+		if err := session.Save(); err != nil {
+			ctx.String(http.StatusInternalServerError, err.Error())
+			return
+		}
+
+		ctx.Redirect(http.StatusTemporaryRedirect, auth.AuthCodeURL(state))
+	}
+}
+
+func generateRandomState() (string, error) {
+	b := make([]byte, 32)
+	_, err := rand.Read(b)
+	if err != nil {
+		return "", err
+	}
+
+	state := base64.StdEncoding.EncodeToString(b)
+
+	return state, nil
+}

data/features/auth/auth0/go/web-app/logout.go

@@ -0,0 +1,38 @@
+// Save this file in ./web/app/logout/logout.go
+
+package logout
+
+import (
+	"net/http"
+	"net/url"
+	"os"
+
+	"github.com/gin-gonic/gin"
+)
+
+// Handler for our logout.
+func Handler(ctx *gin.Context) {
+	logoutUrl, err := url.Parse("https://" + os.Getenv("AUTH0_DOMAIN") + "/v2/logout")
+	if err != nil {
+		ctx.String(http.StatusInternalServerError, err.Error())
+		return
+	}
+
+	scheme := "http"
+	if ctx.Request.TLS != nil {
+		scheme = "https"
+	}
+
+	returnTo, err := url.Parse(scheme + "://" + ctx.Request.Host)
+	if err != nil {
+		ctx.String(http.StatusInternalServerError, err.Error())
+		return
+	}
+
+	parameters := url.Values{}
+	parameters.Add("returnTo", returnTo.String())
+	parameters.Add("client_id", os.Getenv("AUTH0_CLIENT_ID"))
+	logoutUrl.RawQuery = parameters.Encode()
+
+	ctx.Redirect(http.StatusTemporaryRedirect, logoutUrl.String())
+}

data/features/auth/auth0/go/web-app/main.go

@@ -0,0 +1,31 @@
+// Save this file in ./main.go
+
+package main
+
+import (
+	"log"
+	"net/http"
+
+	"github.com/joho/godotenv"
+
+	"01-Login/platform/authenticator"
+	"01-Login/platform/router"
+)
+
+func main() {
+	if err := godotenv.Load(); err != nil {
+		log.Fatalf("Failed to load the env vars: %v", err)
+	}
+
+	auth, err := authenticator.New()
+	if err != nil {
+		log.Fatalf("Failed to initialize the authenticator: %v", err)
+	}
+
+	rtr := router.New(auth)
+
+	log.Print("Server listening on http://localhost:3000/")
+	if err := http.ListenAndServe("0.0.0.0:3000", rtr); err != nil {
+		log.Fatalf("There was an error with the http server: %v", err)
+	}
+}

data/features/auth/auth0/go/web-app/router.go

@@ -0,0 +1,44 @@
+// Save this file in ./platform/router/router.go
+
+package router
+
+import (
+	"encoding/gob"
+	"net/http"
+
+	"github.com/gin-contrib/sessions"
+	"github.com/gin-contrib/sessions/cookie"
+	"github.com/gin-gonic/gin"
+
+	"01-Login/platform/authenticator"
+	"01-Login/platform/middleware"
+	"01-Login/web/app/callback"
+	"01-Login/web/app/login"
+	"01-Login/web/app/logout"
+	"01-Login/web/app/user"
+)
+
+// New registers the routes and returns the router.
+func New(auth *authenticator.Authenticator) *gin.Engine {
+	router := gin.Default()
+
+	// To store custom types in our cookies,
+	// we must first register them using gob.Register
+	gob.Register(map[string]interface{}{})
+
+	store := cookie.NewStore([]byte("secret"))
+	router.Use(sessions.Sessions("auth-session", store))
+
+	router.Static("/public", "web/static")
+	router.LoadHTMLGlob("web/template/*")
+
+	router.GET("/", func(ctx *gin.Context) {
+		ctx.HTML(http.StatusOK, "home.html", nil)
+	})
+	router.GET("/login", login.Handler(auth))
+	router.GET("/callback", callback.Handler(auth))
+	router.GET("/user", user.Handler)
+	router.GET("/logout", logout.Handler)
+
+	return router
+}

data/features/auth/auth0/go/web-app/user.go

@@ -0,0 +1,18 @@
+// Save this file in ./web/app/user/user.go
+
+package user
+
+import (
+	"net/http"
+
+	"github.com/gin-contrib/sessions"
+	"github.com/gin-gonic/gin"
+)
+
+// Handler for our logged-in user page.
+func Handler(ctx *gin.Context) {
+	session := sessions.Default(ctx)
+	profile := session.Get("profile")
+
+	ctx.HTML(http.StatusOK, "user.html", profile)
+}

data/features/auth/auth0/ruby-on-rails/backend/Gemfile

@@ -0,0 +1 @@
+gem 'jwt'

data/features/auth/auth0/ruby-on-rails/backend/app/controllers/application_controller.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+    class ApplicationController < ActionController::API
+      include Secured
+    end

data/features/auth/auth0/ruby-on-rails/backend/app/controllers/concern/secured.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+    module Secured
+      extend ActiveSupport::Concern
+
+      REQUIRES_AUTHENTICATION = { message: 'Requires authentication' }.freeze
+      BAD_CREDENTIALS = {
+message: 'Bad credentials'
+      }.freeze
+      MALFORMED_AUTHORIZATION_HEADER = {
+error: 'invalid_request',
+error_description: 'Authorization header value must follow this format: Bearer access-token',
+message: 'Bad credentials'
+      }.freeze
+      INSUFFICIENT_PERMISSIONS = {
+error: 'insufficient_permissions',
+error_description: 'The access token does not contain the required permissions',
+message: 'Permission denied'
+      }.freeze
+
+      def authorize
+token = token_from_request
+
+return if performed?
+
+validation_response = Auth0Client.validate_token(token)
+
+@decoded_token = validation_response.decoded_token
+
+return unless (error = validation_response.error)
+
+render json: { message: error.message }, status: error.status
+      end
+
+      def validate_permissions(permissions)
+raise 'validate_permissions needs to be called with a block' unless block_given?
+return yield if @decoded_token.validate_permissions(permissions)
+
+render json: INSUFFICIENT_PERMISSIONS, status: :forbidden
+      end
+
+      private
+
+      def token_from_request
+authorization_header_elements = request.headers['Authorization']&.split
+
+render json: REQUIRES_AUTHENTICATION, status: :unauthorized and return unless authorization_header_elements
+
+unless authorization_header_elements.length == 2
+  render json: MALFORMED_AUTHORIZATION_HEADER,
+         status: :unauthorized and return
+end
+
+scheme, token = authorization_header_elements
+
+render json: BAD_CREDENTIALS, status: :unauthorized and return unless scheme.downcase == 'bearer'
+
+token
+      end
+    end

data/features/auth/auth0/ruby-on-rails/backend/app/controllers/private_controller.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+    class PublicController < ApplicationController
+      def public
+render json: { message: 'All good. You don\'t need to be authenticated to call this.' }
+      end
+end

data/features/auth/auth0/ruby-on-rails/backend/app/controllers/public-controller.rb

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+    class PublicController < ApplicationController
+      def public
+render json: { message: 'All good. You don\'t need to be authenticated to call this.' }
+      end
+    end

data/features/auth/auth0/ruby-on-rails/backend/app/lib/auth0_client.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+    require 'jwt'
+    require 'net/http'
+
+    # Auth0Client class to handle JWT token validation
+    class Auth0Client
+      # Auth0 Client Objects 
+      Error = Struct.new(:message, :status)
+      Response = Struct.new(:decoded_token, :error)
+      Token = Struct.new(:token) do
+def validate_permissions(permissions)
+  required_permissions = Set.new permissions
+  scopes = token[0]['scope']
+  token_permissions = scopes.present? ? Set.new(scopes.split(" ")) : Set.new
+  required_permissions <= token_permissions
+end
+      end
+
+      # Helper Functions 
+      def self.domain_url
+"https://#{Rails.configuration.auth0.domain}/"
+      end
+
+      def self.decode_token(token, jwks_hash)
+JWT.decode(token, nil, true, {
+             algorithm: 'RS256',
+             iss: domain_url,
+             verify_iss: true,
+             aud: Rails.configuration.auth0.audience,
+             verify_aud: true,
+             jwks: { keys: jwks_hash[:keys] }
+           })
+      end
+
+      def self.get_jwks
+jwks_uri = URI("#{domain_url}.well-known/jwks.json")
+Net::HTTP.get_response jwks_uri
+      end
+
+      # Token Validation 
+      def self.validate_token(token)
+jwks_response = get_jwks
+
+unless jwks_response.is_a? Net::HTTPSuccess
+  error = Error.new(message: 'Unable to verify credentials', status: :internal_server_error)
+  return Response.new(nil, error)
+end
+
+jwks_hash = JSON.parse(jwks_response.body).deep_symbolize_keys
+
+decoded_token = decode_token(token, jwks_hash)
+
+Response.new(Token.new(decoded_token), nil)
+      rescue JWT::VerificationError, JWT::DecodeError => e
+error = Error.new('Bad credentials', :unauthorized)
+Response.new(nil, error)
+      end
+    end

data/features/auth/auth0/ruby-on-rails/web-app/Gemfile

@@ -0,0 +1,2 @@
+gem 'omniauth-auth0', '~> 3.0'
+gem 'omniauth-rails_csrf_protection', '~> 1.0' # prevents forged authentication requests

data/features/auth/auth0/ruby-on-rails/web-app/auth0_controller.rb

@@ -0,0 +1,41 @@
+class Auth0Controller < ApplicationController
+  def callback
+    # OmniAuth stores the informatin returned from
+    # Auth0 and the IdP in request.env['omniauth.auth'].
+    # In this code, you will pull the raw_info supplied 
+    # from the id_token and assign it to the session.
+    # Refer to https://github.com/auth0/omniauth-auth0/blob/master/EXAMPLES.md#example-of-the-resulting-authentication-hash 
+    # for complete information on 'omniauth.auth' contents.
+    auth_info = request.env['omniauth.auth']
+    session[:userinfo] = auth_info['extra']['raw_info']
+
+    # Redirect to the URL you want after successful auth
+    redirect_to '/dashboard'
+  end
+
+  def failure
+    # Handles failed authentication
+    @error_msg = request.params['message']
+  end
+
+  def logout
+    reset_session
+    redirect_to logout_url
+  end
+
+  private
+  AUTH0_CONFIG = Rails.application.config_for(:auth0)
+
+  def logout_url
+    request_params = {
+      returnTo: root_url,
+      client_id: AUTH0_CONFIG['auth0_client_id']
+    }
+
+    URI::HTTPS.build(host: AUTH0_CONFIG['auth0_domain'], path: '/v2/logout', query: to_query(request_params)).to_s
+  end
+
+  def to_query(hash)
+    hash.map { |k, v| "#{k}=#{CGI.escape(v)}" unless v.nil? }.reject(&:nil?).join('&')
+  end
+end

data/features/auth/auth0/ruby-on-rails/web-app/config/auth0.yml

@@ -0,0 +1,4 @@
+development:
+  auth0_domain: {yourDomain}
+  auth0_client_id: {yourClientId}
+  auth0_client_secret: {yourClientSecret}

data/features/auth/auth0/ruby-on-rails/web-app/config/initializers/auth0.rb

@@ -0,0 +1,14 @@
+AUTH0_CONFIG = Rails.application.config_for(:auth0)
+
+Rails.application.config.middleware.use OmniAuth::Builder do
+  provider(
+    :auth0,
+    AUTH0_CONFIG['auth0_client_id'],
+    AUTH0_CONFIG['auth0_client_secret'],
+    AUTH0_CONFIG['auth0_domain'],
+    callback_path: '/auth/auth0/callback',
+    authorize_params: {
+      scope: 'openid profile'
+    }
+  )
+end