persephone 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: adbd4c65e1c5b3ead009bcae0cd3a9845bc020d2
+  data.tar.gz: 440f0672d16161998c67572f222effe293f214a0
+SHA512:
+  metadata.gz: 6eadd80dc2324addc4b816a9c73f719c4e5662b59507476af6489696f733112d3c5b5a808ba19ef6983c75379ae98bbb2fd72c97337b6ef4c036f0b18abe9e55
+  data.tar.gz: 6052c750ddad0149b8474b117e76210cfd888c23563d9ef0fda588e93481d146920c83431aaa7d24a07824fab5c85554b3531546e6399e876382adadb0b79cb8

data/.gitignore

@@ -0,0 +1,28 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+Gemfile.lock
+.ruby-version
+.ruby-gemset
+.rvmrc

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in restful_api_authentication.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2016 David Sloan
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,134 @@
+# persephone
+This gem provides token based OAuth2 authorization within Rails 4 apps that use Mongoid 5 (commonly referred to as client_credentials authorization). It is named after the Greek goddess of the underworld for no good reason other than I liked the name.
+
+## Installation
+In your Rails app gemfile, add the following:
+
+```
+gem 'persephone', '~> 1.0.0'
+```
+
+You will need to create applications that are allowed to authenticate with your API by doing the following in a rails console:
+
+```
+app = Persephone::App.create(name: 'This is a name.', scopes: ['scope1', 'scope2'])
+```
+
+You'll need your client ID and client secret in order to authenticate.
+
+```
+app.client_id
+app.client_secret
+```
+
+## Authenticating
+
+Persephone automatically provides you with the /oauth/token route. You will authenticate by POSTing a JSON payload containing your client_id and client_secret to the /oauth/token location on your API. A payload should look something like this:
+
+```
+{
+    "client_id": "dcf155afc48376e40efa6173da6bf16a21aaaa89c888c1e730d001c1e58c816e",
+    "client_secret": "da80b20365c221fcc7d0e3e3378ef9c6d6a03c9ea4014f50a94909d3cd395ad5"
+}
+```
+
+If your client ID and secret are correct, you should receive a token as a response. This should look something like:
+
+```
+{
+  "token": "63b27b3502241d75abadf72d607c172ec555216b60d3828aff12151f393e8b05",
+  "expires": "2016-07-07T20:16:38.369+00:00"
+}
+```
+
+All additional calls to the API will add the Authorization header, which should look something like:
+
+```
+Authorization: Bearer 63b27b3502241d75abadf72d607c172ec555216b60d3828aff12151f393e8b05
+```
+
+## Protecting API Resources
+
+You'll need to create a controller concern with the following code:
+
+```
+module Authentication
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :authorize
+
+    def authorize
+      Persephone.authorized? request.headers
+    end
+  end
+end
+```
+
+Then simply add the Authentication concern to any controller:
+
+```
+class SomeController < ApplicationController
+  include Authentication
+
+end
+```
+
+You can also skip authentication using the skip_before_action method:
+
+```
+class SomeController < ApplicationController
+  include Authentication
+  skip_before_action :authorize, only: :some_method
+end
+```
+
+## Scopes
+
+You can add some additional layers of security by locking down various controllers and methods to only allow access to applications with a specific scope. First, you need to set the scope on the application. By default, all applications receive the 'public' scope unless you specifically set the scopes value.
+
+```
+app = Persephone::App.find_by(client_id: 'dcf155afc48376e40efa6173da6bf16a21aaaa89c888c1e730d001c1e58c816e')
+app.scopes = ['public', 'private']
+app.save
+```
+
+Note that scopes must be an array of values.
+
+Make a new concern for each scope:
+
+```
+module PrivateAuthentication
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :authorize_private_scope
+
+    def authorize_private_scope
+      Persephone.authorized? request.headers, ['private']
+    end
+  end
+end
+
+module PublicAuthentication
+  extend ActiveSupport::Concern
+
+  included do
+    before_action :authorize_public_scope
+
+    def authorize_public_scope
+      Persephone.authorized? request.headers
+    end
+  end
+end
+```
+
+Then simply include whichever concern is appropriate for your controller. You can require BOTH scopes if you include both concerns.
+
+##Contributing
+
+* Fork it
+* Create your feature branch (git checkout -b my-new-feature)
+* Commit your changes (git commit -am 'Added some feature')
+* Push to the branch (git push origin my-new-feature)
+* Create new Pull Request

data/Rakefile

@@ -0,0 +1,2 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"

data/app/controllers/persephone/tokens_controller.rb

@@ -0,0 +1,16 @@
+module Persephone
+  class TokensController < ActionController::Base
+
+    def create
+      app = ::Persephone.authenticate(params['client_id'], params['client_secret'])
+      if app
+        response = { token: app.auth.token, expires: app.auth.expires }
+        code = 201
+      else
+        response = { error: 'unable to authenticate' }
+        code = 401
+      end
+      render json: response, status: code
+    end
+  end
+end

data/app/models/persephone/app.rb

@@ -0,0 +1,33 @@
+module Persephone
+  class App
+    include ::Mongoid::Document
+    include ::Mongoid::Timestamps
+
+    embeds_one :auth, class_name: 'Persephone::Auth'
+
+    field :name, type: String
+    field :scopes, type: Array
+    field :client_id, type: String
+    field :client_secret, type: String
+    field :rate_limit, type: Boolean, default: true
+    field :app_id, type: Integer, default: 0
+    field :app_slug, type: String
+
+    validates :name, presence: true, uniqueness: true
+    validates :client_id, presence: true, uniqueness: true
+    validates :client_secret, presence: true
+
+    index({ client_id: 1 }, { unique: true })
+    index({ client_secret: 1 })
+    index({ app_id: 1 })
+    index({ app_slug: 1 })
+
+    default_scope -> { ascending(:name) }
+
+    before_validation do
+      self.client_id ||= Digest::SHA256.hexdigest(UUID.new.generate(:compact))
+      self.client_secret ||= Digest::SHA256.hexdigest(UUID.new.generate(:compact))
+      self.scopes ||= [Persephone::DEFAULT_SCOPE]
+    end
+  end
+end

data/app/models/persephone/auth.rb

@@ -0,0 +1,29 @@
+module Persephone
+  class Auth
+    include ::Mongoid::Document
+    include ::Mongoid::Timestamps
+
+    embedded_in :app, class_name: 'Persephone::App'
+
+    field :expires, type: DateTime
+    field :token, type: String
+
+    validates :expires, presence: true
+    validates :token, presence: true, uniqueness: true
+
+    index({ token: 1 }, { unique: true })
+    index({ app_id: 1 })
+
+    before_validation :generate_token, :generate_expires
+
+    private
+
+    def generate_token
+      self.token ||= Digest::SHA256.hexdigest UUID.new.generate(:compact)
+    end
+
+    def generate_expires
+      self.expires ||= Time.now.utc + 1.hour
+    end
+  end
+end

data/lib/persephone/engine.rb

@@ -0,0 +1,5 @@
+module Persephone
+  class Engine < ::Rails::Engine
+    isolate_namespace Persephone
+  end
+end

data/lib/persephone/routes.rb

@@ -0,0 +1,10 @@
+require 'action_dispatch/routing'
+require 'active_support/concern'
+
+module ActionDispatch::Routing
+  class Mapper
+    def persephone
+      match "oauth/token" => 'persephone/tokens#create', via: :post
+    end
+  end
+end

data/lib/persephone/unauthorized_error.rb

@@ -0,0 +1,7 @@
+module Persephone
+  class UnauthorizedError < StandardError
+    def initialize(message)
+      super(message)
+    end
+  end
+end

data/lib/persephone/version.rb

@@ -0,0 +1,3 @@
+module Persephone
+  VERSION = '1.0.0'
+end

data/lib/persephone.rb

@@ -0,0 +1,68 @@
+require 'uuid'
+require 'digest'
+
+require File.expand_path('../persephone/version.rb', __FILE__)
+require File.expand_path('../persephone/unauthorized_error.rb', __FILE__)
+require File.expand_path('../persephone/routes.rb', __FILE__)
+require File.expand_path('../persephone/engine.rb', __FILE__)
+
+module Persephone
+  DEFAULT_SCOPE = 'public'.freeze
+
+  def self.authorized?(headers, scopes = [DEFAULT_SCOPE])
+    auth = self.authorization(headers)
+    auth && self.in_scope?(auth.app, scopes) && !self.expired?(auth)
+  end
+
+  def self.authorization(headers)
+    token = auth_token(headers)
+    if token
+      app = App.where('auth.token' => token).first
+      raise UnauthorizedError.new('token not found') if app.nil?
+      app.auth
+    else
+      raise UnauthorizedError.new('invalid token')
+    end
+  end
+
+  def self.current_application(headers)
+    token = auth_token(headers)
+    if token
+      app = App.where('auth.token' => token).first
+    else
+      nil
+    end
+  end
+
+  def self.expired?(auth)
+    if auth.expires < Time.now.utc
+      raise UnauthorizedError.new('token has expired; please get a new one')
+    else
+      false
+    end
+  end
+
+  def self.authenticate(client_id, client_secret)
+    app = App.where(client_id: client_id, client_secret: client_secret).first
+    if app
+      app.auth&.destroy
+      app.auth = Persephone::Auth.create(app: app)
+      app.save
+    end
+    app
+  end
+
+  def self.in_scope?(app, scopes)
+    if !(app.scopes & scopes).empty?
+      true
+    else
+      raise UnauthorizedError.new('application does not have access (scope)')
+    end
+  end
+
+  def self.auth_token(headers)
+    return headers['Authorization'].split[1] unless headers.nil? || headers['Authorization'].nil?
+    return false
+  end
+
+end

data/persephone.gemspec

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/persephone/version.rb', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.required_rubygems_version = Gem::Requirement.new(">= 0") if gem.respond_to? :required_rubygems_version=
+  gem.authors       = ["Dave Sloan"]
+  gem.email         = ["daveksloan@gmail.com"]
+  gem.description   = %q{Persephone is a gem which implements simple OAuth2 token based API authentication for Rails 4 and Mongoid 5.}
+  gem.summary       = %q{This gem implements the OAuth2 client credentials token based authentication for applications. The client requests a token with their ID and secret key and the server responds with a token that can be used on subsequent API requests.}
+  gem.homepage      = "https://github.com/davesloan/persephone"
+
+  #gem.files         = `git ls-files`.split($\)
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- spec/*`.split("\n")
+  gem.name          = "persephone"
+  gem.require_paths = ["lib"]
+  gem.version       = Persephone::VERSION
+
+  gem.add_runtime_dependency(%q<rails>, ["~> 4.2.5"])
+  gem.add_runtime_dependency(%q<uuid>, ["~> 2.3.5"])
+  gem.add_runtime_dependency(%q<mongoid>, ["~> 5.1.0"])
+end

metadata

@@ -0,0 +1,102 @@
+--- !ruby/object:Gem::Specification
+name: persephone
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Dave Sloan
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-07-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.2.5
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 4.2.5
+- !ruby/object:Gem::Dependency
+  name: uuid
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.3.5
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.3.5
+- !ruby/object:Gem::Dependency
+  name: mongoid
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 5.1.0
+description: Persephone is a gem which implements simple OAuth2 token based API authentication
+  for Rails 4 and Mongoid 5.
+email:
+- daveksloan@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- app/controllers/persephone/tokens_controller.rb
+- app/models/persephone/app.rb
+- app/models/persephone/auth.rb
+- lib/persephone.rb
+- lib/persephone/engine.rb
+- lib/persephone/routes.rb
+- lib/persephone/unauthorized_error.rb
+- lib/persephone/version.rb
+- persephone.gemspec
+homepage: https://github.com/davesloan/persephone
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: This gem implements the OAuth2 client credentials token based authentication
+  for applications. The client requests a token with their ID and secret key and the
+  server responds with a token that can be used on subsequent API requests.
+test_files: []