padlock_auth 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 59dffd185c05709fa2e69aff4bdd49ca4fa74c5ed8e88e830e6e04a9b4b6e02c
-  data.tar.gz: d1e64abd17f3b8a134e14c8e641f5bafedb7988d1a2e33a33664d28c3aafc0a4
+  metadata.gz: d8d0c8061b83de8516e459e26ef96d6e6565f419045c64e7730c4736e7c7c344
+  data.tar.gz: 69972dfbcda669fd154c109ef4512d1719e6dafcc52dba780ce1ec80dd4efbeb
 SHA512:
-  metadata.gz: 7dad9b84433640976cea93223f1617bf3d508792b216d3668b4393593aada478499edcd7cfb100d37a08c889e231633646f62403aa2d983641f2bc80e00bb995
-  data.tar.gz: 71ac26355ff515992e6e72075defcddcc7cf42b5db82c71903fd762b053a8fe765e28fcd5d0827deb18c95a1229878a200f54a31b28e8884e7a379c10a428c37
+  metadata.gz: 63297a7bbed887a8120b3c2d7ddd6e33d8d23ddc83352d3d6141d92d23af6271f5c0d866061524649122e90cb67032f995126e5174a7cf7469f583f66674b0ce
+  data.tar.gz: f9d820e5872e376d05b5724bfbf675bf6597cc72065cff1ac56605cfec0a6de9bbd89f38b2e29b6bfcbd4784cac5095351f434a23d51ac60424da4b7a45ce93a

data/README.md

@@ -239,6 +239,94 @@ puts response.body
 
 PadlockAuth will extract the username and password using the `from_basic_authorization` method and use them to generate an access token.
 
+### Securing an Action Cable Connection
+
+You can use PadlockAuth to secure your Action Cable connections by verifying an access token during the connection process. The access token can be provided via the `"access_token"` or `"bearer_token"` parameters.
+
+Not all access tokens provide a `subject` method, it is entirely dependent on the implementation.
+
+Here’s an example implementation:
+
+```ruby
+module ApplicationCable
+  class Connection < ActionCable::Connection::Base
+    identified_by :access_token_subject
+
+    def connect
+      self.access_token_subject = find_verified_subject
+    end
+
+    private
+
+    def find_verified_subject
+      if padlock_authorized? "websocket"
+        padlock_auth_token.subject
+      else
+        reject_unauthorized_connection
+      end
+    end
+  end
+end
+```
+
+#### Explanation
+
+- `padlock_authorized?`: Checks if the access token is valid and optionally verifies the required scope (`"websocket"` in this example).
+- `padlock_auth_token`: Provides access to the verified token, allowing you to retrieve attributes such as `subject`.
+
+This ensures that only clients with valid access tokens can establish a WebSocket connection. The access token `sub` can then be used to identify the connected client throughout the session.
+
+#### Example: Connecting to the Action Cable Connection via JS
+
+```js
+import { createConsumer } from "@rails/actioncable"
+
+// Use a function to dynamically generate the URL
+createConsumer(getWebSocketURL)
+
+function getWebSocketURL() {
+  const token = localStorage.get('access-token')
+  return `wss://example.com/cable?token=${token}`
+}
+```
+
+### Securing an ActionCable Channel
+
+PadlockAuth can secure individual Action Cable channels by verifying an access token when a client subscribes. The access token can be provided via the `"access_token"` or `"bearer_token"` parameters.
+
+Here’s an example implementation:
+
+```ruby
+class AuthorizedChannel < ApplicationCable::Channel
+  def subscribed
+    if padlock_authorized? "channel"
+      stream_from "authorized_stream"
+    else
+      reject
+    end
+  end
+
+  def unsubscribed
+    # Any cleanup needed when channel is unsubscribed
+  end
+end
+```
+
+#### Explanation
+
+- `padlock_authorized?`: Validates the access token and ensures it includes the required scope (`"channel"` in this example).
+
+By leveraging these features, PadlockAuth ensures only authenticated users with the proper access scope can subscribe and receive messages on the channel.
+
+#### Example: Connecting to the Action Cable Channel via JS
+
+```js
+import consumer from "./consumer"
+
+const token = localStorage.get('access-token')
+consumer.subscriptions.create({ channel: "AuthorizedChannel", access_token: token })
+```
+
 ## Installation
 
 Add this line to your application's Gemfile:

data/lib/padlock_auth/config.rb

@@ -94,6 +94,10 @@ module PadlockAuth
         config.instance_variable_set(:@access_token_methods, methods.flatten.compact)
       end
 
+      def action_cable_methods(*methods)
+        config.instance_variable_set(:@action_cable_methods, methods.flatten.compact)
+      end
+
       # Calls to `padlock_authorize!` will raise an exception when authentication fails.
       #
       def raise_on_errors!
@@ -167,6 +171,13 @@ module PadlockAuth
       ]
     end
 
+    def action_cable_methods
+      @action_cable_methods ||= %i[
+        from_access_token_param
+        from_bearer_param
+      ]
+    end
+
     # @!attribute [r] handle_auth_errors
     #
     # How to handle authentication errors.

data/lib/padlock_auth/rails/action_cable_channel_helpers.rb

@@ -0,0 +1,71 @@
+module PadlockAuth
+  module Rails
+    module ActionCableChannelHelpers
+      module TokenFactory
+        module_function
+
+        # Retreives the access token from the request using the configured methods.
+        def from_params(params, *methods)
+          methods.inject(nil) do |_, method|
+            method = self.method(method) if method.is_a?(Symbol)
+            credentials = method.call(params)
+            break credentials if credentials.present?
+          end
+        end
+
+        # Retreives the access token from the params, and builds an access token object.
+        def authenticate(params)
+          if (token = from_params(params, *PadlockAuth.config.action_cable_methods))
+            PadlockAuth.build_access_token(token)
+          end
+        end
+
+        # Extracts the access token from the `access_token` parameter.
+        #
+        # @param params [ActionDispatch::Request] params
+        #
+        # @return [String, nil] Access token
+        #
+        def from_access_token_param(params)
+          params[:access_token]
+        end
+
+        # Extracts the access token from the `bearer_token` parameter.
+        #
+        # @param params [ActiveSupport::HashWithIndifferentAccess] params
+        #
+        # @return [String, nil] Access token
+        #
+        def from_bearer_param(params)
+          params[:bearer_token]
+        end
+      end
+
+      # @!visibility public
+      #
+      # Authorize the request with the given scopes.
+      #
+      # If the request is not authorized, an error response will be rendered
+      # or an exception will be raised, depending on the configuration.
+      #
+      # @param scopes [Array<String>] Scopes required for the request, defaults to the default scopes.
+      # @return [Boolean] Whether the request is authorized.
+      #
+      def padlock_authorized?(*scopes)
+        padlock_auth_token&.acceptable?(scopes.presence || PadlockAuth.config.default_scopes)
+      end
+
+      # @!visibility public
+      #
+      # Retrieve the access token from the request.
+      #
+      # Does not check if the token is valid or matches the required scopes.
+      #
+      # @return [PadlockAuth::AbstractToken, nil] Access token
+      #
+      def padlock_auth_token
+        @padlock_auth_token ||= TokenFactory.authenticate(params)
+      end
+    end
+  end
+end

data/lib/padlock_auth/rails/helpers.rb

@@ -16,10 +16,14 @@ module PadlockAuth
       #
       # @param scopes [Array<String>] Scopes required for the request, defaults to the default scopes.
       #
-      def padlock_authorize!(*scopes)
+      def padlock_authorize!(...)
+        padlock_render_error unless padlock_authorized?(...)
+      end
+
+      def padlock_authorized?(*scopes)
         @_padlock_auth_scopes = scopes.presence || PadlockAuth.config.default_scopes
 
-        padlock_render_error unless valid_padlock_auth_token?
+        valid_padlock_auth_token?
       end
 
       # Default render options for unauthorized requests.

data/lib/padlock_auth/railtie.rb

@@ -11,6 +11,10 @@ module PadlockAuth
       ActiveSupport.on_load(:action_controller) do
         include PadlockAuth::Rails::Helpers
       end
+      ActiveSupport.on_load(:action_cable) do
+        ActionCable::Connection::Base.include PadlockAuth::Rails::Helpers
+        ActionCable::Channel::Base.include PadlockAuth::Rails::ActionCableChannelHelpers
+      end
     end
 
     initializer "padlock_auth.i18n" do

data/lib/padlock_auth/version.rb

@@ -1,4 +1,4 @@
 module PadlockAuth
   # PadlockAuth version.
-  VERSION = "0.1.1"
+  VERSION = "0.2.0"
 end

data/lib/padlock_auth.rb

@@ -40,7 +40,7 @@ module PadlockAuth
 
   # Rails-specific classes
   module Rails
-    autoload :ConnectionHelpers, "padlock_auth/rails/connection_helpers"
+    autoload :ActionCableChannelHelpers, "padlock_auth/rails/action_cable_channel_helpers"
     autoload :Helpers, "padlock_auth/rails/helpers"
     autoload :TokenFactory, "padlock_auth/rails/token_factory"
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: padlock_auth
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Ben Morrall
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-12-10 00:00:00.000000000 Z
+date: 2024-12-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -104,6 +104,7 @@ files:
 - lib/padlock_auth/http/invalid_token_response.rb
 - lib/padlock_auth/mixins/build_with.rb
 - lib/padlock_auth/mixins/hide_attribute.rb
+- lib/padlock_auth/rails/action_cable_channel_helpers.rb
 - lib/padlock_auth/rails/helpers.rb
 - lib/padlock_auth/rails/token_factory.rb
 - lib/padlock_auth/railtie.rb