prx_auth-rails 1.4.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 16f02bc649e6a16709b4a504649a925d3ead05209f8b3bd5c5e4aa28416bc57e
-  data.tar.gz: fbc0d03cd674fa514541f23d9c6da6ac46db9031c110ddc3f604e66e073c9a8e
+  metadata.gz: 5a687c733815e035f361fbfd4981e3673480311c6d760206b9b1edd4903e084b
+  data.tar.gz: 5b04a0584489415a7b0223342c85e638c8c3ca01c141e4ff46db9269c192f6be
 SHA512:
-  metadata.gz: 0d16efe0713bb453b5a4238f0ff6983898b5b5872d07396be5c66cf88ca7f4e2f23834a1abc8462c9a2cf0e8f40f1416d7e8cf82ec48611492deddcd52b8812c
-  data.tar.gz: d3eacf2afcc2b9af1a741988bdb8e70c7c664672c487c6515ca336e65ac5f3db42adf63fc05b6fe89b39ef2ff6c45ad1e8dccaa0e5204b3bfba50d2388e6a07f
+  metadata.gz: 71573dd4f1303e7e2b5fc4ca908c502c74aa986845ddb685613b6e8422c05e136c1952f5bfc2989a607b1a5020f708a06190ebe084a199a46aeefab1f7168706
+  data.tar.gz: dc5685c9e2908ea56c10f577eb2a457167087345f07b09927e8c36c1b0d2df513e2f2367436fe4f637aac648311c75a44ee3f845c63124be7ab4009c45dccb57

data/app/assets/config/prx_auth-rails_manifest.js

@@ -0,0 +1,3 @@
+//= link_directory ../javascripts .js
+//= link_directory ../stylesheets .css
+//= link_tree ../images

data/app/assets/images/prx_auth-rails/user.svg

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="100%" height="100%" viewBox="0 0 51 51" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xml:space="preserve" xmlns:serif="http://www.serif.com/" style="fill-rule:evenodd;clip-rule:evenodd;stroke-linejoin:round;stroke-miterlimit:1.41421;">
+    <path d="M51,25.5C51,11.44 39.56,0 25.5,0C11.44,0 0,11.44 0,25.5C0,32.927 3.194,39.621 8.277,44.285L8.253,44.306L9.08,45.003C9.134,45.049 9.192,45.086 9.246,45.13C9.685,45.495 10.141,45.841 10.604,46.175C10.755,46.284 10.905,46.392 11.058,46.498C11.553,46.839 12.061,47.163 12.58,47.47C12.693,47.537 12.807,47.602 12.922,47.666C13.49,47.99 14.07,48.295 14.665,48.575C14.708,48.596 14.753,48.614 14.796,48.635C16.734,49.535 18.801,50.196 20.964,50.586C21.02,50.597 21.077,50.607 21.134,50.617C21.806,50.733 22.485,50.826 23.172,50.888C23.255,50.895 23.339,50.9 23.423,50.907C24.107,50.964 24.799,51 25.5,51C26.195,51 26.88,50.964 27.56,50.909C27.647,50.902 27.733,50.897 27.819,50.89C28.501,50.828 29.174,50.738 29.839,50.624C29.896,50.613 29.955,50.603 30.012,50.592C32.142,50.21 34.18,49.564 36.092,48.686C36.163,48.654 36.234,48.623 36.305,48.59C36.877,48.321 37.436,48.031 37.984,47.722C38.12,47.645 38.256,47.567 38.391,47.487C38.89,47.194 39.38,46.887 39.857,46.56C40.029,46.443 40.196,46.32 40.366,46.198C40.773,45.905 41.173,45.602 41.561,45.286C41.648,45.217 41.74,45.156 41.825,45.085L42.673,44.376L42.648,44.355C47.776,39.689 51,32.965 51,25.5ZM1.855,25.5C1.855,12.462 12.462,1.855 25.5,1.855C38.538,1.855 49.145,12.462 49.145,25.5C49.145,32.526 46.062,38.843 41.181,43.177C40.908,42.988 40.634,42.82 40.353,42.679L32.502,38.754C31.797,38.401 31.359,37.693 31.359,36.905L31.359,34.164C31.541,33.939 31.733,33.685 31.932,33.406C32.948,31.971 33.763,30.374 34.357,28.656C35.532,28.097 36.291,26.927 36.291,25.606L36.291,22.319C36.291,21.515 35.996,20.735 35.468,20.122L35.468,15.794C35.516,15.312 35.687,12.597 33.722,10.357C32.013,8.406 29.247,7.418 25.5,7.418C21.753,7.418 18.987,8.406 17.278,10.356C15.313,12.596 15.484,15.313 15.532,15.793L15.532,20.121C15.005,20.734 14.709,21.514 14.709,22.318L14.709,25.605C14.709,26.626 15.167,27.578 15.952,28.221C16.703,31.163 18.249,33.39 18.82,34.145L18.82,36.828C18.82,37.585 18.407,38.281 17.742,38.644L10.41,42.643C10.177,42.77 9.945,42.919 9.713,43.085C4.892,38.753 1.855,32.475 1.855,25.5Z" style="fill:white;fill-rule:nonzero;"/>
+</svg>

data/app/assets/javascripts/prx_auth-rails/user_widget.js.erb

@@ -0,0 +1,46 @@
+// https://stackoverflow.com/questions/8578617/inject-a-script-tag-with-remote-src-and-wait-for-it-to-execute
+function prxInjectScript(src, callback) {
+  const script = document.createElement('script');
+
+  script.type = 'text/javascript';
+  script.async = false;
+  script.src = src;
+
+  script.onload = function () { script.onload = null; callback(); }
+
+  document.getElementsByTagName('head')[0].appendChild(script);
+}
+
+document.addEventListener('DOMContentLoaded', function () {
+
+  const widget = document.getElementById('prx-user-widget');
+  const account = document.getElementById('prx-user-widget-menu-account');
+
+  const idHost = 'https://' + widget.getAttribute('data-id-host');;
+  const scriptUrl = idHost + '/widget.js';
+
+  prxInjectScript(scriptUrl, function () {
+    const signIn = new PRXSignIn(idHost);
+
+    signIn.signedIn(function (prx) {
+
+      if (!prx.userinfo) {
+        // Not logged in
+        widget.classList.add('no-user-info');
+
+        const url = idHost + '/session?return_to=' + encodeURIComponent(window.location);
+
+        account.innerHTML = '<a class=sign-in href="' + url + '">Sign in</a>';
+      } else {
+        // Logged in
+        widget.classList.add('user-info');
+
+        const account = document.getElementById('prx-user-widget-menu-account');
+        account.innerText = prx.userinfo.email;
+
+        signIn.listApps('prx-user-widget-menu-apps');
+      }
+    });
+  });
+});
+

data/app/assets/stylesheets/prx_auth-rails/user_widget.css

@@ -0,0 +1,69 @@
+#prx-user-widget {
+  display: flex;
+  flex-direction: column;
+  height: 100%;
+  justify-content: center;
+  padding: 0 20px;
+  position: absolute;
+  right: 0;
+  transition-property: opacity;
+  transition-duration: 0.2s;
+}
+@media (max-width: ) {
+  #prx-user-widget {
+    height: auto;
+    top: 0;
+  }
+}
+#prx-user-widget:hover {
+}
+#prx-user-widget:hover .user-icon {
+  opacity: 1;
+}
+#prx-user-widget:hover #prx-user-widget-menu {
+  display: block;
+}
+#prx-user-widget .user-icon {
+  cursor: pointer;
+  height: 2em;
+  opacity: 0.7;
+  width: 2em;
+}
+#prx-user-widget #prx-user-widget-menu {
+  background-color: #1a1a1a;
+  display: none;
+  right: 0;
+  padding: 10px 20px;
+  position: absolute;
+  top: 100%;
+  z-index: 999;
+  display: none;
+}
+
+#prx-user-widget #prx-user-widget-menu h1 {
+  color: white;
+  font-size: .9em;
+  font-weight: 700;
+}
+
+#prx-user-widget #prx-user-widget-menu-apps {
+  padding: 0;
+}
+#prx-user-widget #prx-user-widget-menu-apps ul {
+  border-top: 1px solid #ddd;
+  padding: 15px 0 0;
+}
+
+#prx-user-widget #prx-user-widget-menu-apps ul li a {
+  display: block;
+  font-weight: normal;
+  opacity: 0.7;
+  padding: 5px 0;
+  text-transform: none;
+}
+#prx-user-widget #prx-user-widget-menu-apps ul li a:hover {
+  opacity: 1;
+}
+.prx-home #prx-user-widget.loaded:hover {
+  background: transparent;
+}

data/app/controllers/prx_auth/rails/sessions_controller.rb

@@ -4,13 +4,11 @@ module PrxAuth::Rails
 
     skip_before_action :authenticate!
 
-    before_action :set_nonce!, only: :show
+    before_action :set_nonce!, only: [:new, :show]
 
     ID_NONCE_SESSION_KEY = 'id_prx_openid_nonce'.freeze
 
     def new
-      set_nonce! unless fetch_nonce.present?
-
       config = PrxAuth::Rails.configuration
 
       id_auth_params = {
@@ -27,81 +25,89 @@ module PrxAuth::Rails
     def show
     end
 
+    def destroy
+      sign_out_user
+      redirect_to after_sign_out_path
+    end
+
     def auth_error
       @auth_error_message = params.require(:error)
     end
 
     def create
-      jwt_id_claims = id_claims
-      jwt_access_claims = access_claims
-
-      jwt_access_claims['id_token'] = jwt_id_claims.as_json
-
-      result_path = if valid_nonce?(jwt_id_claims['nonce']) &&
-                        users_match?(jwt_id_claims, jwt_access_claims)
-                      sign_in_user(jwt_access_claims)
-                      lookup_and_register_accounts_names
-                      after_sign_in_path_for(current_user)
-                    else
-                      auth_error_sessions_path(error: 'verification_failed')
-                    end
-      reset_nonce!
-
-      redirect_to result_path
+      if valid_nonce? && users_match?
+        clear_nonce!
+        sign_in_user(access_token)
+        redirect_to after_sign_in_path_for(current_user)
+      else
+        clear_nonce!
+        redirect_to auth_error_sessions_path(error: 'verification_failed')
+      end
     end
 
     private
 
     def after_sign_in_path_for(_)
+      back_path = after_sign_in_user_redirect
+      if back_path.present?
+        back_path
+      elsif defined?(super)
+        super
+      else
+        '/'
+      end
+    end
+
+    def after_sign_out_path
       return super if defined?(super)
 
-      "/"
+      "https://#{id_host}/session/sign_out"
+    end
+
+    def id_token
+      params.require('id_token')
+    end
+
+    def access_token
+      params.require('access_token')
     end
 
     def id_claims
-      id_token = params.require('id_token')
-      validate_token(id_token)
+      @id_claims ||= validate_token(id_token)
     end
 
     def access_claims
-      access_token = params.require('access_token')
-      validate_token(access_token)
+      @access_claims ||= validate_token(access_token)
     end
 
-    def reset_nonce!
-      session[ID_NONCE_SESSION_KEY] = nil
+    def clear_nonce!
+      session.delete(ID_NONCE_SESSION_KEY)
     end
 
     def set_nonce!
-      n = session[ID_NONCE_SESSION_KEY]
-      return n if n.present?
-
-      session[ID_NONCE_SESSION_KEY] = SecureRandom.hex
+      session[ID_NONCE_SESSION_KEY] ||= SecureRandom.hex
     end
 
     def fetch_nonce
       session[ID_NONCE_SESSION_KEY]
     end
 
-    def valid_nonce?(nonce)
-      return false if fetch_nonce.nil?
-
-      fetch_nonce == nonce
+    def valid_nonce?
+      id_claims['nonce'].present? && id_claims['nonce'] == fetch_nonce
     end
 
-    def users_match?(claims1, claims2)
-      return false if claims1['sub'].nil? || claims2['sub'].nil?
-
-      claims1['sub'] == claims2['sub']
+    def users_match?
+      id_claims['sub'].present? && id_claims['sub'] == access_claims['sub']
     end
 
     def validate_token(token)
-      id_host = PrxAuth::Rails.configuration.id_host
       prx_auth_cert = Rack::PrxAuth::Certificate.new("https://#{id_host}/api/v1/certs")
       auth_validator = Rack::PrxAuth::AuthValidator.new(token, prx_auth_cert, id_host)
-      auth_validator.
-        claims.
-        with_indifferent_access
+      auth_validator.claims.with_indifferent_access
+    end
+
+    def id_host
+      PrxAuth::Rails.configuration.id_host
     end
   end
 end

data/config/initializers/assets.rb

@@ -0,0 +1 @@
+Rails.application.config.assets.precompile << %w(prx_auth-rails_manifest.js)

data/lib/prx_auth/rails/engine.rb

@@ -2,7 +2,10 @@ module PrxAuth
   module Rails
     class Engine < ::Rails::Engine
       config.to_prepare do
-        ::ApplicationController.helper_method [:current_user, :account_name_for]
+        ::ApplicationController.helper_method [
+          :current_user, :prx_jwt,
+          :account_name_for, :account_for, :accounts_for,
+        ]
       end
     end
   end

data/lib/prx_auth/rails/ext/controller.rb

@@ -4,14 +4,24 @@ require 'open-uri'
 module PrxAuth
   module Rails
     module Controller
+      class SessionTokenExpiredError < RuntimeError; end
 
-      PRX_ACCOUNT_NAME_MAPPING_KEY = 'prx.account.name.mapping'.freeze
+      PRX_AUTH_ENV_KEY = 'prx.auth'.freeze
+      PRX_JWT_SESSION_KEY = 'prx.auth.jwt'.freeze
+      PRX_JWT_REFRESH_TTL = 300.freeze
+      PRX_ACCOUNT_MAPPING_SESSION_KEY = 'prx.auth.account.mapping'.freeze
+      PRX_REFRESH_BACK_KEY = 'prx.auth.back'.freeze
 
       def prx_auth_token
-        rack_auth_token = env_prx_auth_token
-        return rack_auth_token if rack_auth_token.present?
+        env_token || session_token
+      rescue SessionTokenExpiredError
+        reset_session
+        session[PRX_REFRESH_BACK_KEY] = request.fullpath
+        redirect_to PrxAuth::Rails::Engine.routes.url_helpers.new_sessions_path
+      end
 
-        session['prx.auth'] && Rack::PrxAuth::TokenData.new(session['prx.auth'])
+      def prx_jwt
+        session[PRX_JWT_SESSION_KEY]
       end
 
       def prx_authenticated?
@@ -25,45 +35,51 @@ module PrxAuth
       end
 
       def current_user
-        return if prx_auth_token.nil?
-
-        PrxAuth::Rails::Token.new(prx_auth_token)
+        prx_auth_token
       end
 
-      def lookup_and_register_accounts_names
-        session[PRX_ACCOUNT_NAME_MAPPING_KEY] =
-          lookup_account_names_mapping
+      def sign_in_user(token)
+        session[PRX_JWT_SESSION_KEY] = token
+        accounts_for(current_user.resources)
       end
 
-      def account_name_for(id)
-        id = id.to_i
+      def after_sign_in_user_redirect
+        session.delete(PRX_REFRESH_BACK_KEY)
+      end
 
-        name =
-          if session[PRX_ACCOUNT_NAME_MAPPING_KEY].has_key?(id)
-            session[PRX_ACCOUNT_NAME_MAPPING_KEY][id]
-          else
-            session[PRX_ACCOUNT_NAME_MAPPING_KEY][id] = lookup_account_name_for(id)
-          end
+      def sign_out_user
+        reset_session
+      end
 
-        name = "[#{id}] Unknown Account Name" unless name.present?
+      def account_name_for(account_id)
+        account_for(account_id)[:name]
+      end
 
-        name
+      def account_for(account_id)
+        lookup_accounts([account_id]).first
       end
 
-      def sign_in_user(token)
-        session['prx.auth'] = token
+      def accounts_for(account_ids)
+        lookup_accounts(account_ids)
       end
 
       private
 
-      def lookup_account_name_for(id)
-        id = id.to_i
+      def lookup_accounts(ids)
+        session[PRX_ACCOUNT_MAPPING_SESSION_KEY] ||= {}
 
-        res = lookup_account_names_mapping([id])
-        res[id]
+        # fetch any accounts we don't have yet
+        missing = ids - session[PRX_ACCOUNT_MAPPING_SESSION_KEY].keys
+        if missing.present?
+          fetch_accounts(missing).each do |account|
+            session[PRX_ACCOUNT_MAPPING_SESSION_KEY][account['id']] = account.with_indifferent_access
+          end
+        end
+
+        ids.map { |id| session[PRX_ACCOUNT_MAPPING_SESSION_KEY][id] }
       end
 
-      def lookup_account_names_mapping(ids=current_user.resources)
+      def fetch_accounts(ids)
         id_host = PrxAuth::Rails.configuration.id_host
         ids_param = ids.map(&:to_s).join(',')
 
@@ -72,16 +88,31 @@ module PrxAuth
 
         accounts = URI.open("https://#{id_host}/api/v1/accounts?account_ids=#{ids_param}", options).read
 
-        mapping = JSON.parse(accounts)['accounts'].map { |acct| [acct['id'], acct['display_name']] }.to_h
+        JSON.parse(accounts)['accounts']
+      end
 
-        mapping
+      # token from data set by prx_auth rack middleware
+      def env_token
+        @env_token_data ||= if request.env[PRX_AUTH_ENV_KEY]
+          token_data = request.env[PRX_AUTH_ENV_KEY]
+          PrxAuth::Rails::Token.new(token_data)
+        end
       end
 
-      def env_prx_auth_token
-        if !defined? @_prx_auth_token
-          @_prx_auth_token = request.env['prx.auth'] && PrxAuth::Rails::Token.new(request.env['prx.auth'])
-        else
-          @_prx_auth_token
+      # token from jwt stored in session
+      def session_token
+        @session_prx_auth_token ||= if prx_jwt
+          # NOTE: we already validated this jwt - so just decode it
+          validator = Rack::PrxAuth::AuthValidator.new(prx_jwt)
+
+          # try to refresh auth session on GET requests
+          if request.get? && validator.time_to_live < PRX_JWT_REFRESH_TTL
+            raise SessionTokenExpiredError.new
+          end
+
+          # create new data/token from access claims
+          token_data = Rack::PrxAuth::TokenData.new(validator.claims)
+          PrxAuth::Rails::Token.new(token_data)
         end
       end
     end

data/lib/prx_auth/rails/version.rb

@@ -1,5 +1,5 @@
 module PrxAuth
   module Rails
-    VERSION = "1.4.0"
+    VERSION = "1.8.0"
   end
 end

data/prx_auth-rails.gemspec

@@ -8,10 +8,8 @@ Gem::Specification.new do |spec|
   spec.version       = PrxAuth::Rails::VERSION
   spec.authors       = ["Chris Rhoden"]
   spec.email         = ["carhoden@gmail.com"]
-  spec.description   = %q{Rails integration for next generation PRX Authorization system.
-}
-  spec.summary       = %q{Rails integration for next generation PRX Authorization system.
-}
+  spec.description   = "Rails integration for next generation PRX Authorization system."
+  spec.summary       = "Rails integration for next generation PRX Authorization system."
   spec.homepage      = "https://github.com/PRX/prx_auth-rails"
   spec.license       = "MIT"
 
@@ -33,7 +31,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'pry'
   spec.add_development_dependency 'sqlite3'
 
-
-
-  spec.add_runtime_dependency 'prx_auth', "~> 1.2"
+  spec.add_runtime_dependency 'prx_auth', ">= 1.7.0"
 end

data/test/dummy/app/controllers/application_controller.rb

@@ -2,6 +2,8 @@ class ApplicationController < ActionController::Base
 
   before_action :authenticate!
 
+  def index; end
+
   def after_sign_in_path_for(_resource)
     '/after-sign-in-path'
   end

data/test/dummy/app/views/application/index.html.erb

@@ -0,0 +1 @@
+the controller index!

data/test/dummy/config/routes.rb

@@ -1,3 +1,5 @@
 Rails.application.routes.draw do
+  get 'index', to: 'application#index'
+  put 'index', to: 'application#index'
   mount PrxAuth::Rails::Engine => "/prx_auth-rails"
 end

data/test/prx_auth/rails/ext/controller_test.rb

@@ -0,0 +1,49 @@
+require 'test_helper'
+
+module PrxAuth::Rails::Ext
+  class ControllerTest < ActionController::TestCase
+
+    setup do
+      @controller = ApplicationController.new
+      @jwt_session_key = ApplicationController::PRX_JWT_SESSION_KEY
+      @stub_claims = {'iat' => Time.now.to_i, 'exp' => Time.now.to_i + 3600}
+    end
+
+    test 'redirects unless you are authenticated' do
+      get :index
+      assert_equal response.code, '302'
+      assert response.headers['Location'].ends_with?('/sessions/new')
+    end
+
+    test 'uses a valid session token' do
+      session[@jwt_session_key] = 'some-jwt'
+      JSON::JWT.stub(:decode, @stub_claims) do
+        get :index
+        assert_equal response.code, '200'
+        assert response.body.include?('the controller index!')
+        assert @controller.current_user.is_a?(PrxAuth::Rails::Token)
+      end
+    end
+
+    test 'redirects if your token is nearing expiration' do
+      session[@jwt_session_key] = 'some-jwt'
+      @stub_claims['exp'] = Time.now.to_i + 10
+      JSON::JWT.stub(:decode, @stub_claims) do
+        get :index
+        assert_equal response.code, '302'
+        assert response.headers['Location'].ends_with?('/sessions/new')
+      end
+    end
+
+    test 'does not redirect if your token has expired on a non-GET request' do
+      session[@jwt_session_key] = 'some-jwt'
+      @stub_claims['exp'] = Time.now.to_i + 10
+      JSON::JWT.stub(:decode, @stub_claims) do
+        put :index
+        assert_equal response.code, '200'
+        assert response.body.include?('the controller index!')
+      end
+    end
+
+  end
+end

data/test/prx_auth/rails/sessions_controller_test.rb

@@ -6,8 +6,10 @@ module PrxAuth::Rails
     setup do
       @routes = PrxAuth::Rails::Engine.routes
       @nonce_session_key = SessionsController::ID_NONCE_SESSION_KEY
-      @token_params = {id_token: 'sometok', access_token: 'othertok'}
+      @refresh_back_key = SessionsController::PRX_REFRESH_BACK_KEY
+      @token_params = {id_token: 'idtok', access_token: 'accesstok'}
       @stub_claims = {'nonce' => '123', 'sub' => '1'}
+      @stub_token = PrxAuth::Rails::Token.new(Rack::PrxAuth::TokenData.new())
     end
 
     test "new creates nonce" do
@@ -31,10 +33,13 @@ module PrxAuth::Rails
     end
 
     test 'create should validate a token and set the session variable' do
+      session[SessionsController::PRX_JWT_SESSION_KEY] = nil
       @controller.stub(:validate_token, @stub_claims) do
-        session[@nonce_session_key] = '123'
-        post :create, params: @token_params, format: :json
-        assert session['prx.auth']['id_token']['nonce'] == '123'
+        @controller.stub(:session_token, @stub_token) do
+          session[@nonce_session_key] = '123'
+          post :create, params: @token_params, format: :json
+          assert session[SessionsController::PRX_JWT_SESSION_KEY] == 'accesstok'
+        end
       end
     end
 
@@ -48,16 +53,32 @@ module PrxAuth::Rails
 
     test 'create should reset the nonce after consumed' do
       @controller.stub(:validate_token, @stub_claims) do
-        session[@nonce_session_key] = '123'
-        post :create, params: @token_params, format: :json
+        @controller.stub(:session_token, @stub_token) do
+          session[@nonce_session_key] = '123'
+          post :create, params: @token_params, format: :json
+
+          assert session[@nonce_session_key] == nil
+          assert response.code == '302'
+          assert response.body.match?(/after-sign-in-path/)
+        end
+      end
+    end
 
-        assert session[@nonce_session_key] == nil
-        assert response.code == '302'
-        assert response.body.match?(/after-sign-in-path/)
+    test 'redirects to a back-path after refresh' do
+      @controller.stub(:validate_token, @stub_claims) do
+        @controller.stub(:session_token, @stub_token) do
+          session[@nonce_session_key] = '123'
+          session[@refresh_back_key] = '/lets/go/here?okay'
+          post :create, params: @token_params, format: :json
+
+          assert session[@refresh_back_key] == nil
+          assert response.code == '302'
+          assert response.headers['Location'].ends_with?('/lets/go/here?okay')
+        end
       end
     end
 
-    test 'should respond with aredirect to the auth error page / code if the nonce does not match' do
+    test 'should respond with redirect to the auth error page / code if the nonce does not match' do
       @controller.stub(:validate_token, @stub_claims) do
         session[@nonce_session_key] = 'nonce-does-not-match'
         post :create, params: @token_params, format: :json
@@ -82,13 +103,19 @@ module PrxAuth::Rails
       @controller.stub(:id_claims, @stub_claims) do
         @controller.stub(:access_claims, @stub_claims.merge('sub' => '444')) do
 
-        session[@nonce_session_key] = '123'
-        post :create, params: @token_params, format: :json
+          session[@nonce_session_key] = '123'
+          post :create, params: @token_params, format: :json
 
-        assert response.code == '302'
-        assert response.body.match?(/error=verification_failed/)
-      end
+          assert response.code == '302'
+          assert response.body.match?(/error=verification_failed/)
+        end
       end
     end
+
+    test 'should clear the user token on sign out' do
+      session[SessionsController::PRX_JWT_SESSION_KEY] = 'some-token'
+      post :destroy
+      assert session[SessionsController::PRX_JWT_SESSION_KEY] == nil
+    end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: prx_auth-rails
 version: !ruby/object:Gem::Version
-  version: 1.4.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Chris Rhoden
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-02-16 00:00:00.000000000 Z
+date: 2021-03-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -140,19 +140,17 @@ dependencies:
   name: prx_auth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: 1.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.2'
-description: 'Rails integration for next generation PRX Authorization system.
-
-  '
+        version: 1.7.0
+description: Rails integration for next generation PRX Authorization system.
 email:
 - carhoden@gmail.com
 executables: []
@@ -165,9 +163,14 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
+- app/assets/config/prx_auth-rails_manifest.js
+- app/assets/images/prx_auth-rails/user.svg
+- app/assets/javascripts/prx_auth-rails/user_widget.js.erb
+- app/assets/stylesheets/prx_auth-rails/user_widget.css
 - app/controllers/prx_auth/rails/sessions_controller.rb
 - app/views/prx_auth/rails/sessions/auth_error.html.erb
 - app/views/prx_auth/rails/sessions/show.html.erb
+- config/initializers/assets.rb
 - config/routes.rb
 - lib/prx_auth/rails.rb
 - lib/prx_auth/rails/configuration.rb
@@ -191,6 +194,7 @@ files:
 - test/dummy/app/mailers/application_mailer.rb
 - test/dummy/app/models/application_record.rb
 - test/dummy/app/models/concerns/.keep
+- test/dummy/app/views/application/index.html.erb
 - test/dummy/app/views/layouts/application.html.erb
 - test/dummy/app/views/layouts/mailer.html.erb
 - test/dummy/app/views/layouts/mailer.text.erb
@@ -234,6 +238,7 @@ files:
 - test/dummy/storage/.keep
 - test/log/development.log
 - test/prx_auth/rails/configuration_test.rb
+- test/prx_auth/rails/ext/controller_test.rb
 - test/prx_auth/rails/sessions_controller_test.rb
 - test/prx_auth/rails/token_test.rb
 - test/test_helper.rb
@@ -241,7 +246,7 @@ homepage: https://github.com/PRX/prx_auth-rails
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -256,9 +261,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.6.2
-signing_key:
+rubygems_version: 3.0.3
+signing_key: 
 specification_version: 4
 summary: Rails integration for next generation PRX Authorization system.
 test_files:
@@ -276,6 +280,7 @@ test_files:
 - test/dummy/app/mailers/application_mailer.rb
 - test/dummy/app/models/application_record.rb
 - test/dummy/app/models/concerns/.keep
+- test/dummy/app/views/application/index.html.erb
 - test/dummy/app/views/layouts/application.html.erb
 - test/dummy/app/views/layouts/mailer.html.erb
 - test/dummy/app/views/layouts/mailer.text.erb
@@ -319,6 +324,7 @@ test_files:
 - test/dummy/storage/.keep
 - test/log/development.log
 - test/prx_auth/rails/configuration_test.rb
+- test/prx_auth/rails/ext/controller_test.rb
 - test/prx_auth/rails/sessions_controller_test.rb
 - test/prx_auth/rails/token_test.rb
 - test/test_helper.rb