prx_auth-rails 1.4.1 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6af8c934d225009086d72c5503a3ad3db62b95c073063f019a31277c9eacc5bf
-  data.tar.gz: ab82780e90f78e9a3a31515078c9b7530354ad83bf3fd402a05c78514a0c762d
+  metadata.gz: 76cccc8605691493ace58a976780a69b37bb138d63874eec2a4b1158a316c237
+  data.tar.gz: 121c8ac1bfe90d10d4424030c8472f5f443d5a26a62cf4e4480dae5de356c408
 SHA512:
-  metadata.gz: 7af00c69f65cabbb5da5a1ea9fe0a79d85a3b004d9c437fa5c1a5539be22fc21ac346e2956d3f6cebbf07765e6b988d9d291c1b384bf8a56b78a8782d2f8f6af
-  data.tar.gz: c9a17a75d94bf7158b96147c877020f2093c07eb6e5ba345fb4ba37d6fd51df72fb2d5db4fc22ca04832c6954b5f7b9154252fb40a5de4e5878d006b096f02b6
+  metadata.gz: 1f6e5d4ca1a8590e1f313791d91f08179eff18217671fbc532f5a6a6dcf365f81519e71192dd80257b35af148b53b8b46933c6fd9d3ce47d678329d91919f38c
+  data.tar.gz: 4292c219ad997eea92c2ae81e66db3223e8e4d3cd7f63d521ca0ee59e008e409ba6cf228e97aa5f24765da30dc3defa8e47a9349491d1d5c5885cfb7ca7fad45

data/app/controllers/prx_auth/rails/sessions_controller.rb

@@ -4,13 +4,11 @@ module PrxAuth::Rails
 
     skip_before_action :authenticate!
 
-    before_action :set_nonce!, only: :show
+    before_action :set_nonce!, only: [:new, :show]
 
     ID_NONCE_SESSION_KEY = 'id_prx_openid_nonce'.freeze
 
     def new
-      set_nonce! unless fetch_nonce.present?
-
       config = PrxAuth::Rails.configuration
 
       id_auth_params = {
@@ -27,81 +25,89 @@ module PrxAuth::Rails
     def show
     end
 
+    def destroy
+      sign_out_user
+      redirect_to after_sign_out_path
+    end
+
     def auth_error
       @auth_error_message = params.require(:error)
     end
 
     def create
-      jwt_id_claims = id_claims
-      jwt_access_claims = access_claims
-
-      jwt_access_claims['id_token'] = jwt_id_claims.as_json
-
-      result_path = if valid_nonce?(jwt_id_claims['nonce']) &&
-                        users_match?(jwt_id_claims, jwt_access_claims)
-                      sign_in_user(jwt_access_claims)
-                      lookup_and_register_accounts_names
-                      after_sign_in_path_for(current_user)
-                    else
-                      auth_error_sessions_path(error: 'verification_failed')
-                    end
-      reset_nonce!
-
-      redirect_to result_path
+      if valid_nonce? && users_match?
+        clear_nonce!
+        sign_in_user(access_token)
+        redirect_to after_sign_in_path_for(current_user)
+      else
+        clear_nonce!
+        redirect_to auth_error_sessions_path(error: 'verification_failed')
+      end
     end
 
     private
 
     def after_sign_in_path_for(_)
+      back_path = after_sign_in_user_redirect
+      if back_path.present?
+        back_path
+      elsif defined?(super)
+        super
+      else
+        '/'
+      end
+    end
+
+    def after_sign_out_path
       return super if defined?(super)
 
-      "/"
+      "https://#{id_host}/session/sign_out"
+    end
+
+    def id_token
+      params.require('id_token')
+    end
+
+    def access_token
+      params.require('access_token')
     end
 
     def id_claims
-      id_token = params.require('id_token')
-      validate_token(id_token)
+      @id_claims ||= validate_token(id_token)
     end
 
     def access_claims
-      access_token = params.require('access_token')
-      validate_token(access_token)
+      @access_claims ||= validate_token(access_token)
     end
 
-    def reset_nonce!
-      session[ID_NONCE_SESSION_KEY] = nil
+    def clear_nonce!
+      session.delete(ID_NONCE_SESSION_KEY)
     end
 
     def set_nonce!
-      n = session[ID_NONCE_SESSION_KEY]
-      return n if n.present?
-
-      session[ID_NONCE_SESSION_KEY] = SecureRandom.hex
+      session[ID_NONCE_SESSION_KEY] ||= SecureRandom.hex
     end
 
     def fetch_nonce
       session[ID_NONCE_SESSION_KEY]
     end
 
-    def valid_nonce?(nonce)
-      return false if fetch_nonce.nil?
-
-      fetch_nonce == nonce
+    def valid_nonce?
+      id_claims['nonce'].present? && id_claims['nonce'] == fetch_nonce
     end
 
-    def users_match?(claims1, claims2)
-      return false if claims1['sub'].nil? || claims2['sub'].nil?
-
-      claims1['sub'] == claims2['sub']
+    def users_match?
+      id_claims['sub'].present? && id_claims['sub'] == access_claims['sub']
     end
 
     def validate_token(token)
-      id_host = PrxAuth::Rails.configuration.id_host
       prx_auth_cert = Rack::PrxAuth::Certificate.new("https://#{id_host}/api/v1/certs")
       auth_validator = Rack::PrxAuth::AuthValidator.new(token, prx_auth_cert, id_host)
-      auth_validator.
-        claims.
-        with_indifferent_access
+      auth_validator.claims.with_indifferent_access
+    end
+
+    def id_host
+      PrxAuth::Rails.configuration.id_host
     end
   end
 end

data/config/initializers/assets.rb

@@ -0,0 +1 @@
+Rails.application.config.assets.precompile << %w(prx_auth-rails_manifest.js)

data/lib/prx_auth/rails/engine.rb

@@ -2,7 +2,11 @@ module PrxAuth
   module Rails
     class Engine < ::Rails::Engine
       config.to_prepare do
-        ::ApplicationController.helper_method [:current_user, :account_name_for]
+        ::ApplicationController.helper_method [
+          :current_user, :prx_jwt,
+          :current_user_info, :current_user_name, :current_user_apps,
+          :account_name_for, :account_for, :accounts_for,
+        ]
       end
     end
   end

data/lib/prx_auth/rails/ext/controller.rb

@@ -4,14 +4,27 @@ require 'open-uri'
 module PrxAuth
   module Rails
     module Controller
+      class SessionTokenExpiredError < RuntimeError; end
 
-      PRX_ACCOUNT_NAME_MAPPING_KEY = 'prx.account.name.mapping'.freeze
+      PRX_AUTH_ENV_KEY = 'prx.auth'.freeze
+      PRX_JWT_SESSION_KEY = 'prx.auth.jwt'.freeze
+      PRX_JWT_REFRESH_TTL = 300.freeze
+      PRX_ACCOUNT_MAPPING_SESSION_KEY = 'prx.auth.account.mapping'.freeze
+      PRX_USER_INFO_SESSION_KEY = 'prx.auth.info'.freeze
+      PRX_REFRESH_BACK_KEY = 'prx.auth.back'.freeze
 
       def prx_auth_token
-        rack_auth_token = env_prx_auth_token
-        return rack_auth_token if rack_auth_token.present?
+        env_token || session_token
+      rescue SessionTokenExpiredError
+        session.delete(PRX_JWT_SESSION_KEY)
+        session.delete(PRX_ACCOUNT_MAPPING_SESSION_KEY)
+        session.delete(PRX_USER_INFO_SESSION_KEY)
+        session[PRX_REFRESH_BACK_KEY] = request.fullpath
+        redirect_to PrxAuth::Rails::Engine.routes.url_helpers.new_sessions_path
+      end
 
-        session['prx.auth'] && Rack::PrxAuth::TokenData.new(session['prx.auth'])
+      def prx_jwt
+        session[PRX_JWT_SESSION_KEY]
       end
 
       def prx_authenticated?
@@ -24,66 +37,116 @@ module PrxAuth
         redirect_to PrxAuth::Rails::Engine.routes.url_helpers.new_sessions_path
       end
 
+      def prx_auth_needs_refresh?(jwt_ttl)
+        request.get? && jwt_ttl < PRX_JWT_REFRESH_TTL
+      end
+
       def current_user
-        return if prx_auth_token.nil?
+        prx_auth_token
+      end
 
-        PrxAuth::Rails::Token.new(prx_auth_token)
+      def current_user_info
+        session[PRX_USER_INFO_SESSION_KEY] ||= fetch_userinfo
       end
 
-      def lookup_and_register_accounts_names
-        session[PRX_ACCOUNT_NAME_MAPPING_KEY] =
-          lookup_account_names_mapping
+      def current_user_name
+        current_user_info['name'] || current_user_info['preferred_username'] || current_user_info['email']
       end
 
-      def account_name_for(id)
-        id = id.to_i
+      def current_user_apps
+        apps = (current_user_info.try(:[], 'apps') || []).map do |name, url|
+          label = name.sub(/^https?:\/\//, '').sub(/\..+/, '').capitalize
+          ["PRX #{label}", url]
+        end
 
-        session[PRX_ACCOUNT_NAME_MAPPING_KEY] ||= {}
+        # only return entire list in development
+        if ::Rails.env.production? || ::Rails.env.staging?
+          apps.to_h.select { |k, v| v.match?(/\.(org|tech)/) }
+        else
+          apps.to_h
+        end
+      end
 
-        name =
-          if session[PRX_ACCOUNT_NAME_MAPPING_KEY].has_key?(id)
-            session[PRX_ACCOUNT_NAME_MAPPING_KEY][id]
-          else
-            session[PRX_ACCOUNT_NAME_MAPPING_KEY][id] = lookup_account_name_for(id)
-          end
+      def sign_in_user(token)
+        session[PRX_JWT_SESSION_KEY] = token
+        accounts_for(current_user.resources)
+      end
 
-        name = "[#{id}] Unknown Account Name" unless name.present?
+      def after_sign_in_user_redirect
+        session.delete(PRX_REFRESH_BACK_KEY)
+      end
 
-        name
+      def sign_out_user
+        reset_session
       end
 
-      def sign_in_user(token)
-        session['prx.auth'] = token
+      def account_name_for(account_id)
+        account_for(account_id).try(:[], :name)
+      end
+
+      def account_for(account_id)
+        lookup_accounts([account_id]).first
+      end
+
+      def accounts_for(account_ids)
+        lookup_accounts(account_ids)
       end
 
       private
 
-      def lookup_account_name_for(id)
-        id = id.to_i
+      def lookup_accounts(ids)
+        session[PRX_ACCOUNT_MAPPING_SESSION_KEY] ||= {}
+
+        # fetch any accounts we don't have yet
+        missing = ids - session[PRX_ACCOUNT_MAPPING_SESSION_KEY].keys
+        if missing.present?
+          fetch_accounts(missing).each do |account|
+            session[PRX_ACCOUNT_MAPPING_SESSION_KEY][account['id']] = account.with_indifferent_access
+          end
+        end
 
-        res = lookup_account_names_mapping([id])
-        res[id]
+        ids.map { |id| session[PRX_ACCOUNT_MAPPING_SESSION_KEY][id] }
       end
 
-      def lookup_account_names_mapping(ids=current_user.resources)
-        id_host = PrxAuth::Rails.configuration.id_host
+      def fetch_accounts(ids)
         ids_param = ids.map(&:to_s).join(',')
+        fetch("/api/v1/accounts?account_ids=#{ids_param}")['accounts']
+      end
 
+      def fetch_userinfo
+        fetch("/userinfo?scope=apps+email+profile", prx_jwt)
+      end
+
+      def fetch(path, token = nil)
+        url = "https://#{PrxAuth::Rails.configuration.id_host}#{path}"
         options = {}
         options[:ssl_verify_mode] = OpenSSL::SSL::VERIFY_NONE if ::Rails.env.development?
+        options['Authorization'] = "Bearer #{token}" if token
+        JSON.parse(URI.open(url, options).read)
+      end
 
-        accounts = URI.open("https://#{id_host}/api/v1/accounts?account_ids=#{ids_param}", options).read
+      # token from data set by prx_auth rack middleware
+      def env_token
+        @env_token_data ||= if request.env[PRX_AUTH_ENV_KEY]
+          token_data = request.env[PRX_AUTH_ENV_KEY]
+          PrxAuth::Rails::Token.new(token_data)
+        end
+      end
 
-        mapping = JSON.parse(accounts)['accounts'].map { |acct| [acct['id'], acct['display_name']] }.to_h
+      # token from jwt stored in session
+      def session_token
+        @session_prx_auth_token ||= if prx_jwt
+          # NOTE: we already validated this jwt - so just decode it
+          validator = Rack::PrxAuth::AuthValidator.new(prx_jwt)
 
-        mapping
-      end
+          # does this jwt need to be refreshed?
+          if prx_auth_needs_refresh?(validator.time_to_live)
+            raise SessionTokenExpiredError.new
+          end
 
-      def env_prx_auth_token
-        if !defined? @_prx_auth_token
-          @_prx_auth_token = request.env['prx.auth'] && PrxAuth::Rails::Token.new(request.env['prx.auth'])
-        else
-          @_prx_auth_token
+          # create new data/token from access claims
+          token_data = Rack::PrxAuth::TokenData.new(validator.claims)
+          PrxAuth::Rails::Token.new(token_data)
         end
       end
     end

data/lib/prx_auth/rails/version.rb

@@ -1,5 +1,5 @@
 module PrxAuth
   module Rails
-    VERSION = "1.4.1"
+    VERSION = "2.0.0"
   end
 end

data/prx_auth-rails.gemspec

@@ -8,10 +8,8 @@ Gem::Specification.new do |spec|
   spec.version       = PrxAuth::Rails::VERSION
   spec.authors       = ["Chris Rhoden"]
   spec.email         = ["carhoden@gmail.com"]
-  spec.description   = %q{Rails integration for next generation PRX Authorization system.
-}
-  spec.summary       = %q{Rails integration for next generation PRX Authorization system.
-}
+  spec.description   = "Rails integration for next generation PRX Authorization system."
+  spec.summary       = "Rails integration for next generation PRX Authorization system."
   spec.homepage      = "https://github.com/PRX/prx_auth-rails"
   spec.license       = "MIT"
 
@@ -29,11 +27,11 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'coveralls', '~> 0'
   spec.add_development_dependency 'guard'
   spec.add_development_dependency 'guard-minitest'
+  spec.add_development_dependency 'm', '~> 1.5'  
   spec.add_development_dependency "rails", "~> 6.1.0"
   spec.add_development_dependency 'pry'
   spec.add_development_dependency 'sqlite3'
+  spec.add_development_dependency 'webmock'
 
-
-
-  spec.add_runtime_dependency 'prx_auth', "~> 1.2"
+  spec.add_runtime_dependency 'prx_auth', ">= 1.7.0"
 end

data/test/dummy/app/controllers/application_controller.rb

@@ -2,6 +2,8 @@ class ApplicationController < ActionController::Base
 
   before_action :authenticate!
 
+  def index; end
+
   def after_sign_in_path_for(_resource)
     '/after-sign-in-path'
   end

data/test/dummy/app/views/application/index.html.erb

@@ -0,0 +1 @@
+the controller index!

data/test/dummy/config/routes.rb

@@ -1,3 +1,5 @@
 Rails.application.routes.draw do
+  get 'index', to: 'application#index'
+  put 'index', to: 'application#index'
   mount PrxAuth::Rails::Engine => "/prx_auth-rails"
 end

data/test/prx_auth/rails/ext/controller_test.rb

@@ -0,0 +1,165 @@
+require 'test_helper'
+
+module PrxAuth::Rails::Ext
+  class ControllerTest < ActionController::TestCase
+
+    setup do
+      @controller = ApplicationController.new
+      @jwt_session_key = ApplicationController::PRX_JWT_SESSION_KEY
+      @user_info_key = ApplicationController::PRX_USER_INFO_SESSION_KEY
+      @account_mapping_key = ApplicationController::PRX_ACCOUNT_MAPPING_SESSION_KEY
+      @stub_claims = {'iat' => Time.now.to_i, 'exp' => Time.now.to_i + 3600}
+    end
+
+    # stub auth and init controller+session by getting a page
+    def with_stubbed_auth(jwt)
+      session[@jwt_session_key] = 'some-jwt'
+      @controller.stub(:prx_auth_needs_refresh?, false) do
+        get :index
+        assert_equal response.code, '200'
+        yield
+      end
+    end
+
+    test 'redirects unless you are authenticated' do
+      get :index
+      assert_equal response.code, '302'
+      assert response.headers['Location'].ends_with?('/sessions/new')
+    end
+
+    test 'uses a valid session token' do
+      session[@jwt_session_key] = 'some-jwt'
+      JSON::JWT.stub(:decode, @stub_claims) do
+        get :index
+        assert_equal response.code, '200'
+        assert response.body.include?('the controller index!')
+        assert @controller.current_user.is_a?(PrxAuth::Rails::Token)
+      end
+    end
+
+    test 'redirects if your token is nearing expiration' do
+      session[@jwt_session_key] = 'some-jwt'
+      @stub_claims['exp'] = Time.now.to_i + 10
+      JSON::JWT.stub(:decode, @stub_claims) do
+        get :index
+        assert_equal response.code, '302'
+        assert response.headers['Location'].ends_with?('/sessions/new')
+      end
+    end
+
+    test 'does not redirect if your token has expired on a non-GET request' do
+      session[@jwt_session_key] = 'some-jwt'
+      @stub_claims['exp'] = Time.now.to_i + 10
+      JSON::JWT.stub(:decode, @stub_claims) do
+        put :index
+        assert_equal response.code, '200'
+        assert response.body.include?('the controller index!')
+      end
+    end
+
+    test 'fetches current user info' do
+      with_stubbed_auth('some-jwt') do
+        body = {
+          'name' => 'Some Username',
+          'apps' => {'publish.prx.test' => 'https://publish.prx.test'},
+          'other' => 'stuff'
+        }
+
+        id_host = PrxAuth::Rails.configuration.id_host
+        stub_request(:get, "https://#{id_host}/userinfo?scope=apps%20email%20profile").
+          with(headers: {'Authorization' => 'Bearer some-jwt'}).
+          to_return(status: 200, body: JSON.generate(body))
+
+        assert session[@user_info_key] == nil
+        assert_equal @controller.current_user_info, body
+        refute session[@user_info_key] == nil
+        assert_equal @controller.current_user_name, 'Some Username'
+        assert_equal @controller.current_user_apps, {'PRX Publish' => 'https://publish.prx.test'}
+      end
+    end
+
+    test 'has user name fallbacks' do
+      with_stubbed_auth('some-jwt') do
+        session[@user_info_key] = {'name' => 'one', 'preferred_username' => 'two', 'email' => 'three'}
+        assert_equal @controller.current_user_name, 'one'
+
+        session[@user_info_key] = {'preferred_username' => 'two', 'email' => 'three'}
+        assert_equal @controller.current_user_name, 'two'
+
+        session[@user_info_key] = {'email' => 'three'}
+        assert_equal @controller.current_user_name, 'three'
+      end
+    end
+
+    test 'filters apps displayed in production' do
+      with_stubbed_auth('some-jwt') do
+        Rails.env.stub(:production?, true) do
+          session[@user_info_key] = {
+            'apps' => {
+              'localhost stuff' => 'http://localhost:4000/path1',
+              'publish.prx.test' => 'https://publish.prx.test/path2',
+              'metrics.prx.tech' => 'https://metrics.prx.tech/path3',
+              'augury.prx.org' => 'https://augury.prx.org/path4',
+            }
+          }
+
+          assert_equal @controller.current_user_apps, {
+            'PRX Metrics' => 'https://metrics.prx.tech/path3',
+            'PRX Augury' => 'https://augury.prx.org/path4',
+          }
+        end
+      end
+    end
+
+    test 'fetches accounts' do
+      with_stubbed_auth('some-jwt') do
+        one = {'id' => 1, 'type' => 'IndividualAccount', 'name' => 'One'}
+        three = {'id' => 3, 'type' => 'GroupAccount', 'name' => 'Three'}
+        body = {'accounts' => [one, three]}
+
+        id_host = PrxAuth::Rails.configuration.id_host
+        stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=1,2,3").
+          to_return(status: 200, body: JSON.generate(body))
+
+        assert_nil session[@account_mapping_key]
+        assert_equal @controller.accounts_for([1, 2, 3]), [one, nil, three]
+        refute_nil session[@account_mapping_key]
+        assert_equal @controller.account_for(1), one
+        assert_equal @controller.account_for(3), three
+        assert_equal @controller.account_name_for(1), 'One'
+        assert_equal @controller.account_name_for(3), 'Three'
+      end
+    end
+
+    test 'handles unknown account ids' do
+      with_stubbed_auth('some-jwt') do
+        id_host = PrxAuth::Rails.configuration.id_host
+        stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=2").
+          to_return(status: 200, body: JSON.generate({accounts: []})).
+          times(3)
+
+        assert_equal @controller.accounts_for([2]), [nil]
+        assert_nil @controller.account_for(2)
+        assert_nil @controller.account_name_for(2)
+      end
+    end
+
+    test 'only fetches only missing accounts' do
+      with_stubbed_auth('some-jwt') do
+        one = {'name' => 'One'}
+        two = {'id' => 2, 'type' => 'StationAccount', 'name' => 'Two'}
+        three = {'name' => 'Three'}
+        session[@account_mapping_key] = {1 => one, 3 => three}
+        body = {'accounts' => [two]}
+
+        id_host = PrxAuth::Rails.configuration.id_host
+        stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=2").
+          to_return(status: 200, body: JSON.generate(body))
+
+        assert_equal @controller.accounts_for([1, 2, 3]), [one, two, three]
+        assert_equal @controller.account_for(2), two
+        assert_equal @controller.account_name_for(2), 'Two'
+      end
+    end
+  end
+end

data/test/prx_auth/rails/sessions_controller_test.rb

@@ -6,8 +6,10 @@ module PrxAuth::Rails
     setup do
       @routes = PrxAuth::Rails::Engine.routes
       @nonce_session_key = SessionsController::ID_NONCE_SESSION_KEY
-      @token_params = {id_token: 'sometok', access_token: 'othertok'}
+      @refresh_back_key = SessionsController::PRX_REFRESH_BACK_KEY
+      @token_params = {id_token: 'idtok', access_token: 'accesstok'}
       @stub_claims = {'nonce' => '123', 'sub' => '1'}
+      @stub_token = PrxAuth::Rails::Token.new(Rack::PrxAuth::TokenData.new())
     end
 
     test "new creates nonce" do
@@ -31,11 +33,12 @@ module PrxAuth::Rails
     end
 
     test 'create should validate a token and set the session variable' do
+      session[SessionsController::PRX_JWT_SESSION_KEY] = nil
       @controller.stub(:validate_token, @stub_claims) do
-        @controller.stub(:lookup_and_register_accounts_names, nil) do
+        @controller.stub(:session_token, @stub_token) do
           session[@nonce_session_key] = '123'
           post :create, params: @token_params, format: :json
-          assert session['prx.auth']['id_token']['nonce'] == '123'
+          assert session[SessionsController::PRX_JWT_SESSION_KEY] == 'accesstok'
         end
       end
     end
@@ -50,7 +53,7 @@ module PrxAuth::Rails
 
     test 'create should reset the nonce after consumed' do
       @controller.stub(:validate_token, @stub_claims) do
-        @controller.stub(:lookup_and_register_accounts_names, nil) do
+        @controller.stub(:session_token, @stub_token) do
           session[@nonce_session_key] = '123'
           post :create, params: @token_params, format: :json
 
@@ -61,7 +64,21 @@ module PrxAuth::Rails
       end
     end
 
-    test 'should respond with aredirect to the auth error page / code if the nonce does not match' do
+    test 'redirects to a back-path after refresh' do
+      @controller.stub(:validate_token, @stub_claims) do
+        @controller.stub(:session_token, @stub_token) do
+          session[@nonce_session_key] = '123'
+          session[@refresh_back_key] = '/lets/go/here?okay'
+          post :create, params: @token_params, format: :json
+
+          assert session[@refresh_back_key] == nil
+          assert response.code == '302'
+          assert response.headers['Location'].ends_with?('/lets/go/here?okay')
+        end
+      end
+    end
+
+    test 'should respond with redirect to the auth error page / code if the nonce does not match' do
       @controller.stub(:validate_token, @stub_claims) do
         session[@nonce_session_key] = 'nonce-does-not-match'
         post :create, params: @token_params, format: :json
@@ -86,13 +103,19 @@ module PrxAuth::Rails
       @controller.stub(:id_claims, @stub_claims) do
         @controller.stub(:access_claims, @stub_claims.merge('sub' => '444')) do
 
-        session[@nonce_session_key] = '123'
-        post :create, params: @token_params, format: :json
+          session[@nonce_session_key] = '123'
+          post :create, params: @token_params, format: :json
 
-        assert response.code == '302'
-        assert response.body.match?(/error=verification_failed/)
-      end
+          assert response.code == '302'
+          assert response.body.match?(/error=verification_failed/)
+        end
       end
     end
+
+    test 'should clear the user token on sign out' do
+      session[SessionsController::PRX_JWT_SESSION_KEY] = 'some-token'
+      post :destroy
+      assert session[SessionsController::PRX_JWT_SESSION_KEY] == nil
+    end
   end
 end

data/test/test_helper.rb

@@ -5,6 +5,7 @@ Coveralls.wear!
 require 'minitest/autorun'
 require 'minitest/spec'
 require 'minitest/pride'
+require 'webmock/minitest'
 require 'action_pack'
 require 'action_controller'
 require 'action_view'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: prx_auth-rails
 version: !ruby/object:Gem::Version
-  version: 1.4.1
+  version: 2.0.0
 platform: ruby
 authors:
 - Chris Rhoden
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-02-18 00:00:00.000000000 Z
+date: 2021-05-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -94,6 +94,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: m
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -136,23 +150,35 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: prx_auth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: 1.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.2'
-description: 'Rails integration for next generation PRX Authorization system.
-
-  '
+        version: 1.7.0
+description: Rails integration for next generation PRX Authorization system.
 email:
 - carhoden@gmail.com
 executables: []
@@ -168,6 +194,7 @@ files:
 - app/controllers/prx_auth/rails/sessions_controller.rb
 - app/views/prx_auth/rails/sessions/auth_error.html.erb
 - app/views/prx_auth/rails/sessions/show.html.erb
+- config/initializers/assets.rb
 - config/routes.rb
 - lib/prx_auth/rails.rb
 - lib/prx_auth/rails/configuration.rb
@@ -191,6 +218,7 @@ files:
 - test/dummy/app/mailers/application_mailer.rb
 - test/dummy/app/models/application_record.rb
 - test/dummy/app/models/concerns/.keep
+- test/dummy/app/views/application/index.html.erb
 - test/dummy/app/views/layouts/application.html.erb
 - test/dummy/app/views/layouts/mailer.html.erb
 - test/dummy/app/views/layouts/mailer.text.erb
@@ -234,6 +262,7 @@ files:
 - test/dummy/storage/.keep
 - test/log/development.log
 - test/prx_auth/rails/configuration_test.rb
+- test/prx_auth/rails/ext/controller_test.rb
 - test/prx_auth/rails/sessions_controller_test.rb
 - test/prx_auth/rails/token_test.rb
 - test/test_helper.rb
@@ -275,6 +304,7 @@ test_files:
 - test/dummy/app/mailers/application_mailer.rb
 - test/dummy/app/models/application_record.rb
 - test/dummy/app/models/concerns/.keep
+- test/dummy/app/views/application/index.html.erb
 - test/dummy/app/views/layouts/application.html.erb
 - test/dummy/app/views/layouts/mailer.html.erb
 - test/dummy/app/views/layouts/mailer.text.erb
@@ -318,6 +348,7 @@ test_files:
 - test/dummy/storage/.keep
 - test/log/development.log
 - test/prx_auth/rails/configuration_test.rb
+- test/prx_auth/rails/ext/controller_test.rb
 - test/prx_auth/rails/sessions_controller_test.rb
 - test/prx_auth/rails/token_test.rb
 - test/test_helper.rb