propelauth 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 0a7cc390a774dbb31aff77f68ecfd1e070a8dc2d510c2e401c5bb9a8562b191b
+  data.tar.gz: d9008aedbfd21019624a3ca5ca043d54646cb52db87e1e9b391dd1b7e60be928
+SHA512:
+  metadata.gz: 5175acc0f03eeb540dd378ddb2dfd52f7a0594701cba8801872ed0538b6c147c48ada8e28314c7c9a136dbfb0dca47ca9eb5215ff6224dfaf8751cf85792ae77
+  data.tar.gz: 9c156a6ec7d1741af3d5980069b67552863832524bb908f27f01eaa14fa5205f09d6e1b4a0377efefa9a4e617284d9229314b9047b251ac4a16aa027e7a54c87

data/Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in propelauth.gemspec
+gemspec
+
+gem "rake", "~> 13.0"

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2022 Andrew Israel
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,19 @@
+<p align="center">
+  <a href="https://www.propelauth.com?ref=github" target="_blank" align="center">
+    <img src="https://propelauth-logos.s3.us-west-2.amazonaws.com/logo-only.png" width="100">
+  </a>
+</p>
+
+# PropelAuth Rails Gem
+
+A gem for managing authentication, backed by [PropelAuth](https://www.propelauth.com?ref=github).
+
+[PropelAuth](https://www.propelauth.com?ref=github) is a prebuilt, hosted authentication solution focused on a great developer experience.
+
+## Documentation
+
+- Getting started guides for PropelAuth are [here](https://docs.propelauth.com/)
+
+## Questions?
+
+Feel free to reach out at support@propelauth.com

data/Rakefile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+task default: %i[]

data/lib/propelauth/client.rb

@@ -0,0 +1,216 @@
+require "faraday"
+require "uri"
+
+module PropelAuth
+  module Client
+    class << self
+      def fetch_user_metadata_by_user_id(user_id, include_orgs: false)
+        fetch_user_metadata_by_query(user_id, { include_orgs: include_orgs })
+      end
+
+      def fetch_user_metadata_by_email(email, include_orgs: false)
+        fetch_user_metadata_by_query("email", { email: email, include_orgs: include_orgs })
+      end
+
+      def fetch_user_metadata_by_username(username, include_orgs: false)
+        fetch_user_metadata_by_query("username", { username: username, include_orgs: include_orgs })
+      end
+
+      def fetch_batch_user_metadata_by_user_ids(user_ids, include_orgs: false)
+        fetch_batch_user_metadata("user_ids", user_ids, -> (x) { x["user_id"] }, include_orgs)
+      end
+
+      def fetch_batch_user_metadata_by_emails(emails, include_orgs: false)
+        fetch_batch_user_metadata("emails", emails, -> (x) { x["email"] }, include_orgs)
+      end
+
+      def fetch_batch_user_metadata_by_usernames(usernames, include_orgs: false)
+        fetch_batch_user_metadata("usernames", usernames, -> (x) { x["username"] }, include_orgs)
+      end
+
+      def fetch_org(org_id)
+        response = connection.get("/api/backend/v1/org/#{org_id}", {}, { "Authorization" => "Bearer #{api_key}" })
+        if response.status == 200
+          response.body
+        elsif response.status == 404
+          nil
+        elsif response.status == 401
+          raise PropelAuth::InvalidApiKey.new
+        elsif response.status == 426
+          raise PropelAuth::B2BSupportDisabled.new
+        else
+          raise PropelAuth::UnexpectedError.new
+        end
+      end
+
+      def fetch_orgs_by_query(page_size: 10, page_number: 0, order_by: OrgOrderBy::CREATED_AT_ASC)
+        json_body = {
+          page_size: page_size,
+          page_number: page_number,
+          order_by: order_by,
+        }.to_json
+        response = connection.post "/api/backend/v1/org/query", json_body, {
+          "Authorization" => "Bearer #{api_key}",
+          "Content-Type" => "application/json",
+        }
+        if response.status == 200
+          response.body
+        elsif response.status == 400
+          raise PropelAuth::BadRequest.new response.body
+        elsif response.status == 401
+          raise PropelAuth::InvalidApiKey.new
+        elsif response.status == 426
+          raise PropelAuth::B2BSupportDisabled.new
+        else
+          raise PropelAuth::UnexpectedError.new
+        end
+      end
+
+      def fetch_users_by_query(page_size: 10, page_number: 0, order_by: UserOrderBy::CREATED_AT_ASC, email_or_username: nil, include_orgs: false)
+        params = {
+          page_size: page_size,
+          page_number: page_number,
+          order_by: order_by,
+          email_or_username: email_or_username,
+          include_orgs: include_orgs,
+        }
+        response = connection.get "/api/backend/v1/user/query", params, { "Authorization" => "Bearer #{api_key}" }
+        if response.status == 200
+          response.body
+        elsif response.status == 400
+          raise PropelAuth::BadRequest.new response.body
+        elsif response.status == 401
+          raise PropelAuth::InvalidApiKey.new
+        elsif response.status == 426
+          raise PropelAuth::B2BSupportDisabled.new
+        else
+          raise PropelAuth::UnexpectedError.new
+        end
+      end
+
+      def fetch_users_in_org(org_id, page_size: 10, page_number: 0, include_orgs: false)
+        params = {
+          page_size: page_size,
+          page_number: page_number,
+          include_orgs: include_orgs,
+        }
+        response = connection.get "/api/backend/v1/user/org/#{org_id}", params, { "Authorization" => "Bearer #{api_key}" }
+        if response.status == 200
+          response.body
+        elsif response.status == 400
+          raise PropelAuth::BadRequest.new response.body
+        elsif response.status == 401
+          raise PropelAuth::InvalidApiKey.new
+        elsif response.status == 426
+          raise PropelAuth::B2BSupportDisabled.new
+        else
+          raise PropelAuth::UnexpectedError.new
+        end
+      end
+
+      def create_user(email, email_confirmed: false, send_email_to_confirm_email_address: false, password: nil,
+                      username: nil, first_name: nil, last_name: nil)
+        json_body = {
+          email: email,
+          email_confirmed: email_confirmed,
+          send_email_to_confirm_email_address: send_email_to_confirm_email_address,
+          password: password,
+          username: username,
+          first_name: first_name,
+          last_name: last_name,
+        }.to_json
+
+        response = connection.post "/api/backend/v1/user/", json_body, {
+          "Authorization" => "Bearer #{api_key}",
+          "Content-Type" => "application/json",
+        }
+        if response.status >= 200 && response.status < 300
+          response.body
+        elsif response.status == 400
+          raise PropelAuth::BadRequest.new response.body
+        elsif response.status == 401
+          raise PropelAuth::InvalidApiKey.new
+        else
+          raise PropelAuth::UnexpectedError.new
+        end
+      end
+
+      private def connection
+        @connection ||= Faraday.new do |conn|
+          auth_url = PropelAuth.configuration.auth_url
+          if auth_url.nil? || PropelAuth.configuration.api_key.nil?
+              raise PropelAuth::PropelAuthNotConfigured.new
+          end
+
+          conn.url_prefix = auth_url
+          conn.request :json
+          conn.response :json, content_type: "application/json"
+        end
+      end
+
+      private def api_key
+        PropelAuth.configuration.api_key
+      end
+
+      private def fetch_user_metadata_by_query(path_param, query)
+        response = connection.get("/api/backend/v1/user/#{path_param}", query, { "Authorization" => "Bearer #{api_key}" })
+        if response.status == 200
+          response.body
+        elsif response.status == 404
+          nil
+        elsif response.status == 401
+          raise PropelAuth::InvalidApiKey.new
+        else
+          raise PropelAuth::UnexpectedError.new
+        end
+      end
+
+      private def fetch_batch_user_metadata(type, values, key_function, include_orgs)
+        json_body = {}
+        json_body[type] = values
+        json_body = json_body.to_json
+        response = connection.post "/api/backend/v1/user/#{type}" do |req|
+          req.body = json_body
+          req.headers[:authorization] = "Bearer #{api_key}"
+          req.headers[:content_type] = "application/json"
+          req.params[:include_orgs] = include_orgs
+        end
+
+        if response.status == 401
+          raise PropelAuth::InvalidApiKey.new
+        elsif response.status == 400
+          raise PropelAuth::BadRequest.new response.body
+        elsif response.status == 200
+          user_by_key = {}
+
+          response.body.each { |user|
+            key = key_function.call(user)
+            unless key.nil?
+              user_by_key[key_function.call(user)] = user
+            end
+          }
+
+          user_by_key
+        else
+          raise PropelAuth::UnexpectedError.new
+        end
+      end
+
+    end
+  end
+
+  module OrgOrderBy
+    CREATED_AT_ASC = "CREATED_AT_ASC"
+    CREATED_AT_DESC = "CREATED_AT_DESC"
+    NAME = "NAME"
+  end
+
+  module UserOrderBy
+    CREATED_AT_ASC = "CREATED_AT_ASC"
+    CREATED_AT_DESC = "CREATED_AT_DESC"
+    LAST_ACTIVE_AT_ASC = "LAST_ACTIVE_AT_ASC"
+    LAST_ACTIVE_AT_DESC = "LAST_ACTIVE_AT_DESC"
+    EMAIL = "EMAIL"
+    USERNAME = "USERNAME"
+  end
+end

data/lib/propelauth/error.rb

@@ -0,0 +1,15 @@
+module PropelAuth
+  class InvalidAuthUrl < StandardError; end
+  class InvalidApiKey < StandardError; end
+  class PropelAuthNotConfigured < StandardError; end
+  class B2BSupportDisabled < StandardError; end
+  class UnexpectedError < StandardError; end
+
+  class BadRequest < StandardError
+    def initialize(errors_by_field)
+      @errors_by_field = errors_by_field
+      super("Bad request #{errors_by_field}")
+    end
+  end
+
+end

data/lib/propelauth/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module PropelAuth
+  VERSION = "0.1.0"
+end

data/lib/propelauth.rb

@@ -0,0 +1,185 @@
+# frozen_string_literal: true
+
+require_relative "propelauth/version"
+require 'active_support/concern'
+require 'jwt'
+
+module PropelAuth
+  autoload :Client, "propelauth/client"
+  autoload :InvalidAuthUrl, "propelauth/error"
+  autoload :InvalidApiKey, "propelauth/error"
+  autoload :UnexpectedError, "propelauth/error"
+  autoload :B2BSupportDisabled, "propelauth/error"
+  autoload :PropelAuthNotConfigured, "propelauth/error"
+  autoload :BadRequest, "propelauth/error"
+
+  module AuthMethods
+    extend ActiveSupport::Concern
+
+    class UnauthorizedException < StandardError; end
+    class ForbiddenException < StandardError; end
+
+    def require_user
+      begin
+        @user = extract_and_validate_user_from_access_token
+      rescue UnauthorizedException
+        render status: 401
+      end
+    end
+
+    def optional_user
+      begin
+        @user = extract_and_validate_user_from_access_token
+      rescue UnauthorizedException
+        @user = nil
+      end
+    end
+
+    def require_org_member(required_org_id, minimum_required_role: nil)
+      begin
+        @org = require_org_member_inner(required_org_id, minimum_required_role: minimum_required_role)
+      rescue UnauthorizedException
+        render status: 401
+      rescue ForbiddenException
+        render status: 403
+      end
+    end
+
+    private def extract_and_validate_user_from_access_token
+      token = extract_token_from_authorization_header(request.headers['Authorization'])
+      user = validate_access_token(token)
+      if user.nil?
+        raise UnauthorizedException
+      else
+        user
+      end
+    end
+
+    private def require_org_member_inner(required_org_id, minimum_required_role: nil)
+      @user = extract_and_validate_user_from_access_token
+
+      if required_org_id.nil?
+        logger.info "Required org is unspecified"
+        raise ForbiddenException
+      end
+
+      org_id_to_org_member_info = @user["org_id_to_org_member_info"]
+      if org_id_to_org_member_info.nil?
+        logger.info "User is not a member of required org"
+        raise ForbiddenException
+      end
+
+      org_member_info = org_id_to_org_member_info[required_org_id]
+      if org_member_info.nil?
+        logger.info "User is not a member of required org"
+        raise ForbiddenException
+      end
+
+      if !minimum_required_role.nil?
+        minimum_required_role = UserRole.to_user_role(minimum_required_role)
+        user_role = UserRole.to_user_role(org_member_info["user_role"])
+        if user_role < minimum_required_role
+          logger.info "User's role in org doesn't meet minimum required role"
+          raise ForbiddenException
+        end
+      end
+
+      org_member_info
+    end
+
+    private def validate_access_token(token)
+      rsa_public = PropelAuth.configuration.public_key
+      iss = PropelAuth.configuration.auth_url
+
+      if rsa_public.nil? || iss.nil?
+        raise PropelAuth::PropelAuthNotConfigured.new
+      end
+
+      begin
+        decoded_token = JWT.decode token, rsa_public, true, { iss: iss, verify_iss: true, verify_iat: true, algorithm: 'RS256' }
+        decoded_token_body = decoded_token[0]
+        HashWithIndifferentAccess.new({
+          user_id: decoded_token_body["user_id"],
+          org_id_to_org_member_info: decoded_token_body["org_id_to_org_member_info"],
+        })
+      rescue StandardError => e
+        logger.info e
+        nil
+      end
+    end
+
+    private def extract_token_from_authorization_header(header)
+      if header.nil?
+        nil
+      else
+        split_header = header.split(" ", 2)
+        if split_header.length != 2 || split_header[0].casecmp("bearer") != 0
+          nil
+        else
+          return split_header[1]
+        end
+      end
+    end
+  end
+
+  module UserRole
+    Member = 0
+    Admin = 1
+    Owner = 2
+
+    def UserRole.to_user_role(user_role)
+      if user_role == Member
+        Member
+      elsif user_role == Admin
+        Admin
+      elsif user_role == Owner
+        Owner
+      elsif user_role == "Member"
+        Member
+      elsif user_role == "Admin"
+        Admin
+      elsif user_role == "Owner"
+        Owner
+      else
+        raise("Invalid user role")
+      end
+    end
+  end
+
+  class Configuration
+    attr_accessor :api_key
+    attr_reader :auth_url, :public_key
+
+    def auth_url=(auth_url)
+      @auth_url = validate_auth_url(auth_url)
+    end
+
+    def public_key=(public_key_pem)
+      @public_key = OpenSSL::PKey::RSA.new(public_key_pem)
+    end
+
+    private def validate_auth_url(auth_url)
+      uri = URI(auth_url)
+      if uri.scheme.nil? || uri.scheme.casecmp("https") != 0
+        raise PropelAuth::InvalidAuthUrl.new
+      end
+
+      if uri.host.nil?
+        raise PropelAuth::InvalidAuthUrl.new
+      end
+
+      "#{uri.scheme}://#{uri.host}"
+    end
+  end
+
+  class << self
+    def configuration
+      @configuration ||= Configuration.new
+    end
+
+    def configure
+      yield(configuration)
+    end
+  end
+end
+

metadata

@@ -0,0 +1,95 @@
+--- !ruby/object:Gem::Specification
+name: propelauth
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Andrew Israel
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2022-04-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.1.0
+description: 
+email:
+- support@propelauth.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/propelauth.rb
+- lib/propelauth/client.rb
+- lib/propelauth/error.rb
+- lib/propelauth/version.rb
+homepage: https://github.com/PropelAuth/propelauth-rb
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/PropelAuth/propelauth-rb
+  source_code_uri: https://github.com/PropelAuth/propelauth-rb
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.3.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.7
+signing_key: 
+specification_version: 4
+summary: A ruby gem for managing authentication, backed by PropelAuth
+test_files: []