passageidentity 0.6.2 → 0.7.0

data/lib/openapi_client/models/user_recent_event.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1
 Contact: support@passage.id
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 7.1.0
+Generator version: 7.11.0-SNAPSHOT
 
 =end
 
@@ -27,8 +27,16 @@ module OpenapiClient
 
     attr_accessor :type
 
+    # The raw user agent value from the originating device
     attr_accessor :user_agent
 
+    # A display-friendly version of the user agent
+    attr_accessor :user_agent_display
+
+    attr_accessor :action
+
+    attr_accessor :social_login_type
+
     class EnumAttributeValidator
       attr_reader :datatype
       attr_reader :allowable_values
@@ -60,7 +68,10 @@ module OpenapiClient
         :'ip_addr' => :'ip_addr',
         :'status' => :'status',
         :'type' => :'type',
-        :'user_agent' => :'user_agent'
+        :'user_agent' => :'user_agent',
+        :'user_agent_display' => :'user_agent_display',
+        :'action' => :'action',
+        :'social_login_type' => :'social_login_type'
       }
     end
 
@@ -78,7 +89,10 @@ module OpenapiClient
         :'ip_addr' => :'String',
         :'status' => :'UserEventStatus',
         :'type' => :'String',
-        :'user_agent' => :'String'
+        :'user_agent' => :'String',
+        :'user_agent_display' => :'String',
+        :'action' => :'UserEventAction',
+        :'social_login_type' => :'SocialConnectionType'
       }
     end
 
@@ -86,6 +100,7 @@ module OpenapiClient
     def self.openapi_nullable
       Set.new([
         :'completed_at',
+        :'social_login_type'
       ])
     end
 
@@ -145,6 +160,24 @@ module OpenapiClient
       else
         self.user_agent = nil
       end
+
+      if attributes.key?(:'user_agent_display')
+        self.user_agent_display = attributes[:'user_agent_display']
+      else
+        self.user_agent_display = nil
+      end
+
+      if attributes.key?(:'action')
+        self.action = attributes[:'action']
+      else
+        self.action = nil
+      end
+
+      if attributes.key?(:'social_login_type')
+        self.social_login_type = attributes[:'social_login_type']
+      else
+        self.social_login_type = nil
+      end
     end
 
     # Show invalid properties with the reasons. Usually used together with valid?
@@ -176,6 +209,14 @@ module OpenapiClient
         invalid_properties.push('invalid value for "user_agent", user_agent cannot be nil.')
       end
 
+      if @user_agent_display.nil?
+        invalid_properties.push('invalid value for "user_agent_display", user_agent_display cannot be nil.')
+      end
+
+      if @action.nil?
+        invalid_properties.push('invalid value for "action", action cannot be nil.')
+      end
+
       invalid_properties
     end
 
@@ -189,6 +230,8 @@ module OpenapiClient
       return false if @status.nil?
       return false if @type.nil?
       return false if @user_agent.nil?
+      return false if @user_agent_display.nil?
+      return false if @action.nil?
       true
     end
 
@@ -203,7 +246,10 @@ module OpenapiClient
           ip_addr == o.ip_addr &&
           status == o.status &&
           type == o.type &&
-          user_agent == o.user_agent
+          user_agent == o.user_agent &&
+          user_agent_display == o.user_agent_display &&
+          action == o.action &&
+          social_login_type == o.social_login_type
     end
 
     # @see the `==` method
@@ -215,7 +261,7 @@ module OpenapiClient
     # Calculates hash code according to all attributes.
     # @return [Integer] Hash code
     def hash
-      [created_at, completed_at, id, ip_addr, status, type, user_agent].hash
+      [created_at, completed_at, id, ip_addr, status, type, user_agent, user_agent_display, action, social_login_type].hash
     end
 
     # Builds the object from hash

data/lib/openapi_client/models/user_response.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1
 Contact: support@passage.id
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 7.1.0
+Generator version: 7.11.0-SNAPSHOT
 
 =end
 

data/lib/openapi_client/models/user_social_connections.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1
 Contact: support@passage.id
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 7.1.0
+Generator version: 7.11.0-SNAPSHOT
 
 =end
 

data/lib/openapi_client/models/user_status.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1
 Contact: support@passage.id
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 7.1.0
+Generator version: 7.11.0-SNAPSHOT
 
 =end
 

data/lib/openapi_client/models/web_authn_devices.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1
 Contact: support@passage.id
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 7.1.0
+Generator version: 7.11.0-SNAPSHOT
 
 =end
 

data/lib/openapi_client/models/web_authn_icons.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1
 Contact: support@passage.id
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 7.1.0
+Generator version: 7.11.0-SNAPSHOT
 
 =end
 

data/lib/openapi_client/models/web_authn_type.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1
 Contact: support@passage.id
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 7.1.0
+Generator version: 7.11.0-SNAPSHOT
 
 =end
 

data/lib/openapi_client/version.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1
 Contact: support@passage.id
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 7.1.0
+Generator version: 7.11.0-SNAPSHOT
 
 =end
 

data/lib/openapi_client.rb

@@ -6,7 +6,7 @@
 The version of the OpenAPI document: 1
 Contact: support@passage.id
 Generated by: https://openapi-generator.tech
-OpenAPI Generator version: 7.1.0
+Generator version: 7.11.0-SNAPSHOT
 
 =end
 
@@ -47,12 +47,12 @@ require_relative 'openapi_client/models/nonce'
 require_relative 'openapi_client/models/otp_auth_method'
 require_relative 'openapi_client/models/paginated_links'
 require_relative 'openapi_client/models/passkeys_auth_method'
+require_relative 'openapi_client/models/social_connection_type'
 require_relative 'openapi_client/models/technologies'
+require_relative 'openapi_client/models/theme_type'
 require_relative 'openapi_client/models/ttl_display_unit'
-require_relative 'models/update_magic_link_auth_method'
-require_relative 'models/update_otp_auth_method'
-require_relative 'models/update_passkeys_auth_method'
 require_relative 'openapi_client/models/update_user_request'
+require_relative 'openapi_client/models/user_event_action'
 require_relative 'openapi_client/models/user_event_status'
 require_relative 'openapi_client/models/user_info'
 require_relative 'openapi_client/models/user_metadata_field'

data/lib/passageidentity/auth.rb

@@ -1,43 +1,170 @@
-require "openssl"
-require "base64"
-require "jwt"
-require_relative "client"
-require_relative "../openapi_client"
+# frozen_string_literal: true
+
+require 'active_support'
+require 'jwt'
+require 'rubygems/deprecate'
+require_relative 'client'
+require_relative '../openapi_client'
 
 module Passage
+  # The Passage::Auth class provides methods for authenticating requests and tokens
   class Auth
-    @@app_cache = {}
-    def initialize(app_id, auth_strategy)
+    extend Gem::Deprecate
+
+    def initialize(app_id, api_key, auth_strategy)
+      @app_cache = ActiveSupport::Cache::MemoryStore.new
       @app_id = app_id
+      @api_key = api_key
       @auth_strategy = auth_strategy
 
       fetch_jwks
+
+      header_params = { 'Passage-Version' => "passage-ruby #{Passage::VERSION}" }
+      header_params['Authorization'] = "Bearer #{@api_key}" if @api_key != ''
+
+      @req_opts = {}
+      @req_opts[:header_params] = header_params
+      @req_opts[:debug_auth_names] = ['header']
+
+      @tokens_client = OpenapiClient::TokensApi.new
+      @magic_links_client = OpenapiClient::MagicLinksApi.new
     end
 
-    def fetch_app()
-      begin
-        client = OpenapiClient::AppsApi.new
-        response = client.get_app(@app_id)
-        
-        return response.app
-      rescue Faraday::Error => e
+    def authenticate_request(request)
+      # Get the token based on the strategy
+      if @auth_strategy == Passage::COOKIE_STRATEGY
+        unless request.cookies.key?('psg_auth_token')
+          raise PassageError.new(
+            status_code: 401,
+            body: {
+              error: 'missing authentication token: expected "psg_auth_token" cookie',
+              code: 'invalid_access_token'
+            }
+          )
+        end
+        @token = request.cookies['psg_auth_token']
+      else
+        headers = request.headers
+        unless headers.key?('Authorization')
+          raise PassageError.new(
+            status_code: 401,
+            body: {
+              error: 'no authentication token in header',
+              code: 'invalid_access_token'
+            }
+          )
+        end
+
+        @token = headers['Authorization'].split(' ').last
+      end
+
+      validate_jwt(@token)
+    end
+
+    def validate_jwt(token)
+      raise ArgumentError, 'jwt is required.' unless token && !token.empty?
+
+      unless get_cache(@app_id)
         raise PassageError.new(
-                message: "failed to fetch passage app",
-                status_code: e.response[:status],
-                body: e.response[:body]
-              )
+          status_code: 401,
+          body: {
+            error: 'invalid JWKs',
+            code: 'invalid_access_token'
+          }
+        )
       end
+
+      audiences = [@auth_origin, @app_id]
+
+      claims =
+        JWT.decode(
+          token,
+          nil,
+          true,
+          {
+            aud: audiences,
+            verify_aud: true,
+            algorithms: ['RS256'],
+            jwks: @jwks
+          }
+        )
+
+      claims[0]['sub']
+    rescue JWT::InvalidIssuerError, JWT::InvalidAudError, JWT::ExpiredSignature, JWT::IncorrectAlgorithm,
+           JWT::DecodeError => e
+      raise PassageError.new(
+        status_code: 401,
+        body: {
+          error: e.message,
+          code: 'invalid_access_token'
+        }
+      )
     end
 
-    def fetch_jwks()
-      if @@app_cache[@app_id]
-        @jwks, @auth_origin = @@app_cache[@app_id]
+    def revoke_user_refresh_tokens(user_id)
+      warn 'NOTE: Passage::Auth#revoke_user_refresh_tokens is deprecated;
+        use Passage::User#revoke_refresh_tokens instead. It will be removed on or after 2024-12.'
+      user_exists?(user_id)
+
+      @tokens_client.revoke_user_refresh_tokens(@app_id, user_id, @req_opts)
+    rescue Faraday::Error => e
+      raise PassageError.new(
+        status_code: e.response[:status],
+        body: e.response[:body]
+      )
+    end
+
+    def create_magic_link_with_email(email, type, send, opts = {})
+      args = {}
+      args['email'] = email
+      args['channel'] = EMAIL_CHANNEL
+      args['type'] = type
+      args['send'] = send
+
+      create_magic_link(args, opts)
+    end
+
+    def create_magic_link_with_phone(phone, type, send, opts = {})
+      args = {}
+      args['phone'] = phone
+      args['channel'] = PHONE_CHANNEL
+      args['type'] = type
+      args['send'] = send
+
+      create_magic_link(args, opts)
+    end
+
+    def create_magic_link_with_user(user_id, channel, type, send, opts = {})
+      args = {}
+      args['user_id'] = user_id
+      args['channel'] = channel
+      args['type'] = type
+      args['send'] = send
+
+      create_magic_link(args, opts)
+    end
+
+    def fetch_app
+      client = OpenapiClient::AppsApi.new
+      response = client.get_app(@app_id)
+
+      response.app
+    rescue Faraday::Error => e
+      raise PassageError.new(
+        status_code: e.response[:status],
+        body: e.response[:body]
+      )
+    end
+
+    def fetch_jwks
+      app_cache = get_cache(@app_id)
+
+      if app_cache
+        @jwks, @auth_origin = app_cache
       else
-        app = fetch_app
         auth_gw_connection =
-          Faraday.new(url: "https://auth.passage.id") do |f|
+          Faraday.new(url: 'https://auth.passage.id') do |f|
             f.request :json
-            f.request :retry
             f.response :raise_error
             f.response :json
             f.adapter :net_http
@@ -49,97 +176,71 @@ module Passage
         @auth_origin = app.auth_origin
         response =
           auth_gw_connection.get("/v1/apps/#{@app_id}/.well-known/jwks.json")
-        @jwks = response.body
-        @@app_cache[@app_id] ||= [@jwks, @auth_origin]
+
+        if response.success?
+          @jwks = response.body
+          set_cache(key: @app_id, jwks: @jwks)
+        end
       end
     end
 
-    def authenticate_request(request)
-      warn "[DEPRECATION] `auth.authenticate_request()` is deprecated.  Please use `auth.validate_jwt()` instead."
+    def authenticate_token(token)
+      validate_jwt(token)
+    end
 
-      # Get the token based on the strategy
-      if @auth_strategy === Passage::COOKIE_STRATEGY
-        unless request.cookies.key?("psg_auth_token")
-          raise PassageError.new(
-                  message:
-                    "missing authentication token: expected \"psg_auth_token\" cookie"
-                )
-        end
-        @token = request.cookies["psg_auth_token"]
-      else
-        headers = request.headers
-        unless headers.key?("Authorization")
-          raise PassageError.new(message: "no authentication token in header")
-        end
-        @token = headers["Authorization"].split(" ").last
-      end
+    private
 
-      # authenticate the token
-      if @token
-        return authenticate_token(@token)
-      else
-        raise PassageError.new(message: "no authentication token")
-      end
-      nil
+    def create_magic_link(args, opts)
+      args['language'] = opts['language']
+      args['magic_link_path'] = opts['magic_link_path']
+      args['redirect_url'] = opts['redirect_url']
+      args['ttl'] = opts['ttl']
+
+      handle_magic_link_creation(args)
     end
 
-    def validate_jwt(token)
-      if token
-        return authenticate_token(token)
-      else
-        raise PassageError.new(message: "no authentication token")
-      end
+    def handle_magic_link_creation(args)
+      @magic_links_client.create_magic_link(@app_id, args, @req_opts).magic_link
+    rescue Faraday::Error => e
+      raise PassageError.new(
+        status_code: e.response[:status],
+        body: e.response[:body]
+      )
+    rescue OpenapiClient::ApiError => e
+      raise PassageError.new(
+        status_code: e.code,
+        body: try_parse_json_string(e.response_body)
+      )
     end
 
-    def authenticate_token(token)
-      begin
-        kid = JWT.decode(token, nil, false)[1]["kid"]
-        exists = false
-        for jwk in @jwks["keys"]
-          if jwk["kid"] == kid
-            exists = true
-            break
-          end
-        end
-        fetch_jwks unless exists
-        claims =
-          JWT.decode(
-            token,
-            nil,
-            true,
-            {
-              aud: @auth_origin,
-              verify_aud: true,
-              algorithms: ["RS256"],
-              jwks: @jwks
-            }
-          )
-        return claims[0]["sub"]
-      rescue JWT::InvalidIssuerError => e
-        raise PassageError.new(message: e.message)
-      rescue JWT::InvalidAudError => e
-        raise PassageError.new(message: e.message)
-      rescue JWT::ExpiredSignature => e
-        raise PassageError.new(message: e.message)
-      rescue JWT::IncorrectAlgorithm => e
-        raise PassageError.new(message: e.message)
-      rescue JWT::DecodeError => e
-        raise PassageError.new(message: e.message)
-      end
+    def try_parse_json_string(string)
+      JSON.parse(string)
+    rescue JSON::ParserError
+      string
     end
 
-    def revoke_user_refresh_tokens(user_id)
-      begin
-        client = OpenapiClient::TokensApi.new
-        response = client.revoke_user_refresh_tokens(@app_id, user_id)
-        return true
-      rescue Faraday::Error => e
-        raise PassageError.new(
-                message: "failed to revoke user's refresh tokens",
-                status_code: e.response[:status],
-                body: e.response[:body]
-              )
-      end
+    def user_exists?(user_id)
+      return unless user_id.to_s.empty?
+
+      raise PassageError.new(
+        status_code: 400,
+        body: {
+          error: 'Must supply a valid user_id',
+          code: 'invalid_request'
+        }
+      )
+    end
+
+    def get_cache(key)
+      @app_cache.read(key)
+    end
+
+    def set_cache(key:, jwks:)
+      @app_cache.write(key, jwks, expires_in: 86_400)
     end
+    deprecate(:authenticate_request, :validate_jwt, 2025, 1)
+    deprecate(:authenticate_token, :validate_jwt, 2025, 1)
+    deprecate(:fetch_app, :none, 2025, 1)
+    deprecate(:fetch_jwks, :none, 2025, 1)
   end
 end