passkeys-rails 0.1.1 → 0.1.2

data/lib/passkeys/rails/interactors/validate_auth_token.rb

@@ -0,0 +1,35 @@
+module Passkeys
+  module Rails
+    class ValidateAuthToken
+      include Interactor
+
+      delegate :auth_token, to: :context
+
+      def call
+        context.fail!(code: :missing_token, message: "X-Auth header is required") if auth_token.blank?
+
+        context.agent = fetch_agent
+      end
+
+      private
+
+      def fetch_agent
+        agent = Agent.find_by(id: payload['agent_id'])
+        context.fail!(code: :invalid_token, message: "Invalid token - no agent exists with agent_id") if agent.blank?
+
+        agent
+      end
+
+      def payload
+        JWT.decode(auth_token,
+                   Passkeys::Rails.auth_token_secret,
+                   true,
+                   { required_claims: %w[exp agent_id], algorithm: Passkeys::Rails.auth_token_algorithm }).first
+      rescue JWT::ExpiredSignature
+        context.fail!(code: :expired_token, message: "The token has expired")
+      rescue StandardError => e
+        context.fail!(code: :token_error, message: e.message)
+      end
+    end
+  end
+end

data/lib/passkeys/rails/railtie.rb

@@ -0,0 +1,19 @@
+require 'passkeys-rails'
+require 'rails'
+
+module Passkeys
+  module Rails
+    class Railtie < ::Rails::Railtie
+      railtie_name :passkeys_rails
+
+      rake_tasks do
+        path = File.expand_path(__dir__)
+        Dir.glob("#{path}/tasks/**/*.rake").each { |f| load f }
+      end
+
+      generators do
+        require "generators/passkeys_rails/install_generator"
+      end
+    end
+  end
+end

data/lib/passkeys/rails/version.rb

@@ -0,0 +1,5 @@
+module Passkeys
+  module Rails
+    VERSION = "0.1.2".freeze
+  end
+end

data/lib/passkeys-rails.rb

@@ -0,0 +1,36 @@
+# rubocop:disable Naming/FileName
+require 'passkeys/rails/engine'
+require 'passkeys/rails/version'
+require_relative "generators/passkeys_rails/install_generator"
+
+module Passkeys
+  module Rails
+    # Secret used to encode the auth token.
+    # Rails.application.secret_key_base is used if none is defined here.
+    # Changing this value will invalidate all tokens that have been fetched
+    # through the API.
+    mattr_accessor(:auth_token_secret)
+
+    # Algorithm used to generate the auth token.
+    # Changing this value will invalidate all tokens that have been fetched
+    # through the API.
+    mattr_accessor :auth_token_algorithm, default: "HS256"
+
+    # How long the auth token is valid before requiring a refresh or new login.
+    # Set it to 0 for no expiration (not recommended in production).
+    mattr_accessor :auth_token_expires_in, default: 30.days
+
+    class << self
+      def config
+        yield self
+      end
+    end
+
+    require 'passkeys/rails/railtie' if defined?(Rails)
+  end
+end
+
+ActiveSupport.on_load(:before_initialize) do
+  Passkeys::Rails.auth_token_secret ||= Rails.application.secret_key_base
+end
+# rubocop:enable Naming/FileName

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: passkeys-rails
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - Troy Anderson
@@ -338,7 +338,7 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.22.0
-description: Devise is awesome, but we don't need all that UI/UX for PassKeys.  This
+description: Devise is awesome, but we don't need all that UI/UX for PassKeys. This
   gem is to make it easy to provide a back end that authenticates a mobile front end
   with PassKeys.
 email:
@@ -347,29 +347,20 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- CHANGELOG.md
 - MIT-LICENSE
 - README.md
 - Rakefile
 - app/assets/config/passkeys_rails_manifest.js
 - app/assets/stylesheets/passkeys_rails/application.css
-- app/controllers/passkeys_rails/application_controller.rb
-- app/controllers/passkeys_rails/passkeys_controller.rb
-- app/helpers/passkeys_rails/application_helper.rb
-- app/helpers/passkeys_rails/passkeys_helper.rb
-- app/interactors/passkeys_rails/begin_authentication.rb
-- app/interactors/passkeys_rails/begin_challenge.rb
-- app/interactors/passkeys_rails/begin_registration.rb
-- app/interactors/passkeys_rails/finish_authentication.rb
-- app/interactors/passkeys_rails/finish_registration.rb
-- app/interactors/passkeys_rails/generate_auth_token.rb
-- app/interactors/passkeys_rails/refresh_token.rb
-- app/interactors/passkeys_rails/validate_auth_token.rb
-- app/models/concerns/passkeys_rails/authenticatable.rb
-- app/models/passkeys_rails/agent.rb
-- app/models/passkeys_rails/application_record.rb
-- app/models/passkeys_rails/error.rb
-- app/models/passkeys_rails/passkey.rb
-- app/views/layouts/passkeys_rails/application.html.erb
+- app/controllers/passkeys/rails/application_controller.rb
+- app/controllers/passkeys/rails/passkeys_controller.rb
+- app/models/concerns/passkeys/rails/authenticatable.rb
+- app/models/passkeys/rails/agent.rb
+- app/models/passkeys/rails/application_record.rb
+- app/models/passkeys/rails/error.rb
+- app/models/passkeys/rails/passkey.rb
+- app/views/layouts/passkeys/rails/application.html.erb
 - config/routes.rb
 - db/migrate/20230620012530_create_passkeys_rails_agents.rb
 - db/migrate/20230620012600_create_passkeys_rails_passkeys.rb
@@ -377,11 +368,19 @@ files:
 - lib/generators/passkeys_rails/install_generator.rb
 - lib/generators/passkeys_rails/templates/README
 - lib/generators/passkeys_rails/templates/passkeys_rails_config.rb
-- lib/passkeys_rails.rb
-- lib/passkeys_rails/engine.rb
-- lib/passkeys_rails/error_middleware.rb
-- lib/passkeys_rails/railtie.rb
-- lib/passkeys_rails/version.rb
+- lib/passkeys-rails.rb
+- lib/passkeys/rails/controllers/helpers.rb
+- lib/passkeys/rails/engine.rb
+- lib/passkeys/rails/interactors/begin_authentication.rb
+- lib/passkeys/rails/interactors/begin_challenge.rb
+- lib/passkeys/rails/interactors/begin_registration.rb
+- lib/passkeys/rails/interactors/finish_authentication.rb
+- lib/passkeys/rails/interactors/finish_registration.rb
+- lib/passkeys/rails/interactors/generate_auth_token.rb
+- lib/passkeys/rails/interactors/refresh_token.rb
+- lib/passkeys/rails/interactors/validate_auth_token.rb
+- lib/passkeys/rails/railtie.rb
+- lib/passkeys/rails/version.rb
 - lib/tasks/passkeys_rails_tasks.rake
 homepage: https://github.com/alliedcode/passkeys-rails
 licenses:

data/app/controllers/passkeys_rails/application_controller.rb

@@ -1,22 +0,0 @@
-module PasskeysRails
-  class ApplicationController < ActionController::Base
-    rescue_from ::Interactor::Failure, with: :handle_interactor_failure
-    rescue_from ActionController::ParameterMissing, with: :handle_missing_parameter
-
-    protected
-
-    def handle_missing_parameter(error)
-      render_error(:authentication, 'missing_parameter', error.message)
-    end
-
-    def handle_interactor_failure(failure)
-      render_error(:authentication, failure.context.code, failure.context.message)
-    end
-
-    private
-
-    def render_error(context, code, message, status: :unprocessable_entity)
-      render json: { error: { context:, code:, message: } }, status:
-    end
-  end
-end

data/app/controllers/passkeys_rails/passkeys_controller.rb

@@ -1,61 +0,0 @@
-module PasskeysRails
-  class PasskeysController < ApplicationController
-    def challenge
-      result = PasskeysRails::BeginChallenge.call!(username: challenge_params[:username])
-
-      # Store the challenge so we can verify the future register or authentication request
-      session[:passkeys_rails] = result.session_data
-
-      render json: result.response.as_json
-    end
-
-    def register
-      result = PasskeysRails::FinishRegistration.call!(credential: attestation_credential_params.to_h,
-                                                       authenticatable_class:,
-                                                       username: session.dig(:passkeys_rails, :username),
-                                                       challenge: session.dig(:passkeys_rails, :challenge))
-
-      render json: { username: result.username, auth_token: result.auth_token }
-    end
-
-    def authenticate
-      result = PasskeysRails::FinishAuthentication.call!(credential: authentication_params.to_h,
-                                                         challenge: session.dig(:passkeys_rails, :challenge))
-
-      render json: { username: result.username, auth_token: result.auth_token }
-    end
-
-    def refresh
-      result = PasskeysRails::RefreshToken.call!(token: refresh_params[:auth_token])
-      render json: { username: result.username, auth_token: result.auth_token }
-    end
-
-    protected
-
-    def challenge_params
-      params.permit(:username)
-    end
-
-    def attestation_credential_params
-      credential = params.require(:credential)
-      credential.require(%i[id rawId type response])
-      credential.require(:response).require(%i[attestationObject clientDataJSON])
-      credential.permit(:id, :rawId, :type, { response: %i[attestationObject clientDataJSON] })
-    end
-
-    def authenticatable_class
-      params[:authenticatable_class]
-    end
-
-    def authentication_params
-      params.require(%i[id rawId type response])
-      params.require(:response).require(%i[authenticatorData clientDataJSON signature userHandle])
-      params.permit(:id, :rawId, :type, { response: %i[authenticatorData clientDataJSON signature userHandle] })
-    end
-
-    def refresh_params
-      params.require(:auth_token)
-      params.permit(:auth_token)
-    end
-  end
-end

data/app/helpers/passkeys_rails/application_helper.rb

@@ -1,21 +0,0 @@
-module PasskeysRails
-  module ApplicationHelper
-    def current_agent
-      return nil if request.headers['HTTP_X_AUTH'].blank?
-
-      @current_agent ||= validated_auth_token&.success? && validated_auth_token&.agent
-    end
-
-    def authenticate!
-      return if validated_auth_token.success?
-
-      raise PasskeysRails::Error.new(:authentication,
-                                     code: :unauthorized,
-                                     message: "You are not authorized to access this resource.")
-    end
-
-    def validated_auth_token
-      @validated_auth_token ||= ValidateAuthToken.call(auth_token: request.headers['HTTP_X_AUTH'])
-    end
-  end
-end

data/app/helpers/passkeys_rails/passkeys_helper.rb

@@ -1,4 +0,0 @@
-module PasskeysRails
-  module PasskeysHelper
-  end
-end

data/app/interactors/passkeys_rails/begin_authentication.rb

@@ -1,9 +0,0 @@
-module PasskeysRails
-  class BeginAuthentication
-    include Interactor
-
-    def call
-      context.options = WebAuthn::Credential.options_for_get
-    end
-  end
-end

data/app/interactors/passkeys_rails/begin_challenge.rb

@@ -1,35 +0,0 @@
-module PasskeysRails
-  class BeginChallenge
-    include Interactor
-
-    delegate :username, to: :context
-
-    def call
-      result = generate_challenge!
-
-      options = result.options
-
-      context.response = options
-      context.session_data = session_data(options)
-    rescue Interactor::Failure => e
-      context.fail! code: e.context.code, message: e.context.message
-    end
-
-    private
-
-    def generate_challenge!
-      if username.present?
-        BeginRegistration.call!(username:)
-      else
-        BeginAuthentication.call!
-      end
-    end
-
-    def session_data(options)
-      {
-        username:,
-        challenge: WebAuthn.standard_encoder.encode(options.challenge)
-      }
-    end
-  end
-end

data/app/interactors/passkeys_rails/begin_registration.rb

@@ -1,23 +0,0 @@
-module PasskeysRails
-  class BeginRegistration
-    include Interactor
-
-    delegate :username, to: :context
-
-    def call
-      agent = create_unregistered_agent
-
-      context.options = WebAuthn::Credential.options_for_create(user: { id: agent.webauthn_identifier, name: agent.username })
-    end
-
-    private
-
-    def create_unregistered_agent
-      agent = Agent.create(username:, webauthn_identifier: WebAuthn.generate_user_id)
-
-      context.fail!(code: :validation_errors, message: agent.errors.full_messages.to_sentence) unless agent.valid?
-
-      agent
-    end
-  end
-end

data/app/interactors/passkeys_rails/finish_authentication.rb

@@ -1,53 +0,0 @@
-# Finish authentication ceremony
-module PasskeysRails
-  class FinishAuthentication
-    include Interactor
-
-    delegate :credential, :challenge, to: :context
-
-    def call
-      verify_credential!
-
-      context.username = agent.username
-      context.auth_token = GenerateAuthToken.call!(agent:).auth_token
-    rescue Interactor::Failure => e
-      context.fail! code: e.context.code, message: e.context.message
-    end
-
-    private
-
-    def verify_credential!
-      webauthn_credential.verify(
-        challenge,
-        public_key: passkey.public_key,
-        sign_count: passkey.sign_count
-      )
-
-      passkey.update!(sign_count: webauthn_credential.sign_count)
-      agent.update!(last_authenticated_at: Time.current)
-    rescue WebAuthn::SignCountVerificationError
-      # Cryptographic verification of the authenticator data succeeded, but the signature counter was less than or equal
-      # to the stored value. This can have several reasons and depending on your risk tolerance you can choose to fail or
-      # pass authentication. For more information see https://www.w3.org/TR/webauthn/#sign-counter
-    rescue WebAuthn::Error => e
-      context.fail!(code: :webauthn_error, message: e.message)
-    end
-
-    def webauthn_credential
-      @webauthn_credential ||= WebAuthn::Credential.from_get(credential)
-    end
-
-    def passkey
-      @passkey ||= begin
-        passkey = Passkey.find_by(identifier: webauthn_credential.id)
-        context.fail!(code: :passkey_not_found, message: "Unable to find the specified passkey") if passkey.blank?
-
-        passkey
-      end
-    end
-
-    def agent
-      passkey.agent
-    end
-  end
-end

data/app/interactors/passkeys_rails/finish_registration.rb

@@ -1,77 +0,0 @@
-# Finish registration ceremony
-module PasskeysRails
-  class FinishRegistration
-    include Interactor
-
-    delegate :credential, :username, :challenge, :authenticatable_class, to: :context
-
-    def call
-      verify_credential!
-      store_passkey_and_register_agent!
-
-      context.username = agent.username
-      context.auth_token = GenerateAuthToken.call!(agent:).auth_token
-    rescue Interactor::Failure => e
-      context.fail! code: e.context.code, message: e.context.message
-    end
-
-    private
-
-    def verify_credential!
-      webauthn_credential.verify(challenge)
-    rescue WebAuthn::Error => e
-      context.fail!(code: :webauthn_error, message: e.message)
-    rescue StandardError => e
-      context.fail!(code: :error, message: e.message)
-    end
-
-    def store_passkey_and_register_agent!
-      agent.transaction do
-        begin
-          # Store Credential ID, Credential Public Key and Sign Count for future authentications
-          agent.passkeys.create!(
-            identifier: webauthn_credential.id,
-            public_key: webauthn_credential.public_key,
-            sign_count: webauthn_credential.sign_count
-          )
-
-          agent.update! registered_at: Time.current
-        rescue StandardError => e
-          context.fail! code: :passkey_error, message: e.message
-        end
-
-        create_authenticatable! if authenticatable_class.present?
-      end
-    end
-
-    def create_authenticatable!
-      klass = begin
-        authenticatable_class.constantize
-      rescue StandardError
-        context.fail!(code: :invalid_authenticatable_class, message: "authenticatable_class (#{authenticatable_class}) is not defined")
-      end
-
-      begin
-        authenticatable = klass.create! do |obj|
-          obj.registering_with(agent) if obj.respond_to?(:registering_with)
-        end
-        agent.update!(authenticatable:)
-      rescue ActiveRecord::RecordInvalid => e
-        context.fail!(code: :record_invalid, message: e.message)
-      end
-    end
-
-    def webauthn_credential
-      @webauthn_credential ||= WebAuthn::Credential.from_create(credential)
-    end
-
-    def agent
-      @agent ||= begin
-        agent = Agent.find_by(username:)
-        context.fail!(code: :agent_not_found, message: "Agent not found for session value: \"#{username}\"") if agent.blank?
-
-        agent
-      end
-    end
-  end
-end

data/app/interactors/passkeys_rails/generate_auth_token.rb

@@ -1,27 +0,0 @@
-module PasskeysRails
-  class GenerateAuthToken
-    include Interactor
-
-    delegate :agent, to: :context
-
-    def call
-      context.auth_token = generate_auth_token
-    end
-
-    private
-
-    def generate_auth_token
-      JWT.encode(jwt_payload,
-                 PasskeysRails.auth_token_secret,
-                 PasskeysRails.auth_token_algorithm)
-    end
-
-    def jwt_payload
-      expiration = (Time.current + PasskeysRails.auth_token_expires_in).to_i
-
-      payload = { agent_id: agent.id }
-      payload[:exp] = expiration unless expiration.zero?
-      payload
-    end
-  end
-end

data/app/interactors/passkeys_rails/refresh_token.rb

@@ -1,17 +0,0 @@
-# Finish authentication ceremony
-module PasskeysRails
-  class RefreshToken
-    include Interactor
-
-    delegate :token, to: :context
-
-    def call
-      agent = ValidateAuthToken.call!(auth_token: token).agent
-
-      context.username = agent.username
-      context.auth_token = GenerateAuthToken.call!(agent:).auth_token
-    rescue Interactor::Failure => e
-      context.fail! code: e.context.code, message: e.context.message
-    end
-  end
-end

data/app/interactors/passkeys_rails/validate_auth_token.rb

@@ -1,33 +0,0 @@
-module PasskeysRails
-  class ValidateAuthToken
-    include Interactor
-
-    delegate :auth_token, to: :context
-
-    def call
-      context.fail!(code: :missing_token, message: "X-Auth header is required") if auth_token.blank?
-
-      context.agent = fetch_agent
-    end
-
-    private
-
-    def fetch_agent
-      agent = Agent.find_by(id: payload['agent_id'])
-      context.fail!(code: :invalid_token, message: "Invalid token - no agent exists with agent_id") if agent.blank?
-
-      agent
-    end
-
-    def payload
-      JWT.decode(auth_token,
-                 PasskeysRails.auth_token_secret,
-                 true,
-                 { required_claims: %w[exp agent_id], algorithm: PasskeysRails.auth_token_algorithm }).first
-    rescue JWT::ExpiredSignature
-      context.fail!(code: :expired_token, message: "The token has expired")
-    rescue StandardError => e
-      context.fail!(code: :token_error, message: e.message)
-    end
-  end
-end

data/app/models/concerns/passkeys_rails/authenticatable.rb

@@ -1,17 +0,0 @@
-require 'active_support/concern'
-
-module PasskeysRails
-  module Authenticatable
-    extend ActiveSupport::Concern
-
-    included do
-      has_one :agent, as: :authenticatable
-
-      delegate :registered?, to: :agent, allow_nil: true
-
-      def registering_with(_agent)
-        # initialize required attributes
-      end
-    end
-  end
-end

data/app/models/passkeys_rails/agent.rb

@@ -1,15 +0,0 @@
-module PasskeysRails
-  class Agent < ApplicationRecord
-    belongs_to :authenticatable, polymorphic: true, optional: true
-    has_many :passkeys
-
-    scope :registered, -> { where.not registered_at: nil }
-    scope :unregistered, -> { where registered_at: nil }
-
-    validates :username, presence: true, uniqueness: true
-
-    def registered?
-      registered_at.present?
-    end
-  end
-end

data/app/models/passkeys_rails/application_record.rb

@@ -1,5 +0,0 @@
-module PasskeysRails
-  class ApplicationRecord < ActiveRecord::Base
-    self.abstract_class = true
-  end
-end

data/app/models/passkeys_rails/error.rb

@@ -1,14 +0,0 @@
-module PasskeysRails
-  class Error < StandardError
-    attr_reader :hash
-
-    def initialize(message, hash = {})
-      @hash = hash
-      super(message)
-    end
-
-    def to_h
-      { error: hash.merge(context: message) }
-    end
-  end
-end

data/app/models/passkeys_rails/passkey.rb

@@ -1,8 +0,0 @@
-module PasskeysRails
-  class Passkey < ApplicationRecord
-    belongs_to :agent
-    validates :identifier, presence: true, uniqueness: true
-    validates :public_key, presence: true
-    validates :sign_count, presence: true
-  end
-end

data/lib/passkeys_rails/engine.rb

@@ -1,24 +0,0 @@
-require_relative 'error_middleware'
-module PasskeysRails
-  class Engine < ::Rails::Engine
-    isolate_namespace PasskeysRails
-
-    config.generators do |g|
-      g.test_framework :rspec
-      g.fixture_replacement :factory_bot
-      g.factory_bot dir: 'spec/factories'
-      g.assets false
-      g.helper false
-    end
-
-    config.to_prepare do
-      # include our helper methods in the host application's ApplicationController
-      ::ApplicationController.include ApplicationHelper
-    end
-
-    # provide a way to bail out of the render flow if needed
-    initializer 'passkeys_rails.configure.middleware' do |app|
-      app.middleware.use ErrorMiddleware
-    end
-  end
-end