RubyGems - prx_auth-rails - Versions diffs - 1.4.1 → 2.0.0 - Mend

prx_auth-rails 1.4.1 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

checksums.yaml +4 -4
data/app/controllers/prx_auth/rails/sessions_controller.rb +48 -42
data/config/initializers/assets.rb +1 -0
data/lib/prx_auth/rails/engine.rb +5 -1
data/lib/prx_auth/rails/ext/controller.rb +100 -37
data/lib/prx_auth/rails/version.rb +1 -1
data/prx_auth-rails.gemspec +5 -7
data/test/dummy/app/controllers/application_controller.rb +2 -0
data/test/dummy/app/views/application/index.html.erb +1 -0
data/test/dummy/config/routes.rb +2 -0
data/test/prx_auth/rails/ext/controller_test.rb +165 -0
data/test/prx_auth/rails/sessions_controller_test.rb +33 -10
data/test/test_helper.rb +1 -0
metadata +40 -9

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6af8c934d225009086d72c5503a3ad3db62b95c073063f019a31277c9eacc5bf
-  data.tar.gz: ab82780e90f78e9a3a31515078c9b7530354ad83bf3fd402a05c78514a0c762d
+  metadata.gz: 76cccc8605691493ace58a976780a69b37bb138d63874eec2a4b1158a316c237
+  data.tar.gz: 121c8ac1bfe90d10d4424030c8472f5f443d5a26a62cf4e4480dae5de356c408
 SHA512:
-  metadata.gz: 7af00c69f65cabbb5da5a1ea9fe0a79d85a3b004d9c437fa5c1a5539be22fc21ac346e2956d3f6cebbf07765e6b988d9d291c1b384bf8a56b78a8782d2f8f6af
-  data.tar.gz: c9a17a75d94bf7158b96147c877020f2093c07eb6e5ba345fb4ba37d6fd51df72fb2d5db4fc22ca04832c6954b5f7b9154252fb40a5de4e5878d006b096f02b6
+  metadata.gz: 1f6e5d4ca1a8590e1f313791d91f08179eff18217671fbc532f5a6a6dcf365f81519e71192dd80257b35af148b53b8b46933c6fd9d3ce47d678329d91919f38c
+  data.tar.gz: 4292c219ad997eea92c2ae81e66db3223e8e4d3cd7f63d521ca0ee59e008e409ba6cf228e97aa5f24765da30dc3defa8e47a9349491d1d5c5885cfb7ca7fad45

data/app/controllers/prx_auth/rails/sessions_controller.rb CHANGED Viewed

@@ -4,13 +4,11 @@ module PrxAuth::Rails
     skip_before_action :authenticate!
-    before_action :set_nonce!, only: :show
+    before_action :set_nonce!, only: [:new, :show]
     ID_NONCE_SESSION_KEY = 'id_prx_openid_nonce'.freeze
     def new
-      set_nonce! unless fetch_nonce.present?
       config = PrxAuth::Rails.configuration
       id_auth_params = {
@@ -27,81 +25,89 @@ module PrxAuth::Rails
     def show
     end
+    def destroy
+      sign_out_user
+      redirect_to after_sign_out_path
+    end
     def auth_error
       @auth_error_message = params.require(:error)
     end
     def create
-      jwt_id_claims = id_claims
-      jwt_access_claims = access_claims
-      jwt_access_claims['id_token'] = jwt_id_claims.as_json
-      result_path = if valid_nonce?(jwt_id_claims['nonce']) &&
-                        users_match?(jwt_id_claims, jwt_access_claims)
-                      sign_in_user(jwt_access_claims)
-                      lookup_and_register_accounts_names
-                      after_sign_in_path_for(current_user)
-                    else
-                      auth_error_sessions_path(error: 'verification_failed')
-                    end
-      reset_nonce!
-      redirect_to result_path
+      if valid_nonce? && users_match?
+        clear_nonce!
+        sign_in_user(access_token)
+        redirect_to after_sign_in_path_for(current_user)
+      else
+        clear_nonce!
+        redirect_to auth_error_sessions_path(error: 'verification_failed')
+      end
     end
     private
     def after_sign_in_path_for(_)
+      back_path = after_sign_in_user_redirect
+      if back_path.present?
+        back_path
+      elsif defined?(super)
+        super
+      else
+        '/'
+      end
+    end
+    def after_sign_out_path
       return super if defined?(super)
-      "/"
+      "https://#{id_host}/session/sign_out"
+    end
+    def id_token
+      params.require('id_token')
+    end
+    def access_token
+      params.require('access_token')
     end
     def id_claims
-      id_token = params.require('id_token')
-      validate_token(id_token)
+      @id_claims ||= validate_token(id_token)
     end
     def access_claims
-      access_token = params.require('access_token')
-      validate_token(access_token)
+      @access_claims ||= validate_token(access_token)
     end
-    def reset_nonce!
-      session[ID_NONCE_SESSION_KEY] = nil
+    def clear_nonce!
+      session.delete(ID_NONCE_SESSION_KEY)
     end
     def set_nonce!
-      n = session[ID_NONCE_SESSION_KEY]
-      return n if n.present?
-      session[ID_NONCE_SESSION_KEY] = SecureRandom.hex
+      session[ID_NONCE_SESSION_KEY] ||= SecureRandom.hex
     end
     def fetch_nonce
       session[ID_NONCE_SESSION_KEY]
     end
-    def valid_nonce?(nonce)
-      return false if fetch_nonce.nil?
-      fetch_nonce == nonce
+    def valid_nonce?
+      id_claims['nonce'].present? && id_claims['nonce'] == fetch_nonce
     end
-    def users_match?(claims1, claims2)
-      return false if claims1['sub'].nil? || claims2['sub'].nil?
-      claims1['sub'] == claims2['sub']
+    def users_match?
+      id_claims['sub'].present? && id_claims['sub'] == access_claims['sub']
     end
     def validate_token(token)
-      id_host = PrxAuth::Rails.configuration.id_host
       prx_auth_cert = Rack::PrxAuth::Certificate.new("https://#{id_host}/api/v1/certs")
       auth_validator = Rack::PrxAuth::AuthValidator.new(token, prx_auth_cert, id_host)
-      auth_validator.
-        claims.
-        with_indifferent_access
+      auth_validator.claims.with_indifferent_access
+    end
+    def id_host
+      PrxAuth::Rails.configuration.id_host
     end
   end
 end

data/config/initializers/assets.rb ADDED Viewed

	@@ -0,0 +1 @@
1	+ Rails.application.config.assets.precompile << %w(prx_auth-rails_manifest.js)

data/lib/prx_auth/rails/engine.rb CHANGED Viewed

@@ -2,7 +2,11 @@ module PrxAuth
   module Rails
     class Engine < ::Rails::Engine
       config.to_prepare do
-        ::ApplicationController.helper_method [:current_user, :account_name_for]
+        ::ApplicationController.helper_method [
+          :current_user, :prx_jwt,
+          :current_user_info, :current_user_name, :current_user_apps,
+          :account_name_for, :account_for, :accounts_for,
+        ]
       end
     end
   end

data/lib/prx_auth/rails/ext/controller.rb CHANGED Viewed

@@ -4,14 +4,27 @@ require 'open-uri'
 module PrxAuth
   module Rails
     module Controller
+      class SessionTokenExpiredError < RuntimeError; end
-      PRX_ACCOUNT_NAME_MAPPING_KEY = 'prx.account.name.mapping'.freeze
+      PRX_AUTH_ENV_KEY = 'prx.auth'.freeze
+      PRX_JWT_SESSION_KEY = 'prx.auth.jwt'.freeze
+      PRX_JWT_REFRESH_TTL = 300.freeze
+      PRX_ACCOUNT_MAPPING_SESSION_KEY = 'prx.auth.account.mapping'.freeze
+      PRX_USER_INFO_SESSION_KEY = 'prx.auth.info'.freeze
+      PRX_REFRESH_BACK_KEY = 'prx.auth.back'.freeze
       def prx_auth_token
-        rack_auth_token = env_prx_auth_token
-        return rack_auth_token if rack_auth_token.present?
+        env_token || session_token
+      rescue SessionTokenExpiredError
+        session.delete(PRX_JWT_SESSION_KEY)
+        session.delete(PRX_ACCOUNT_MAPPING_SESSION_KEY)
+        session.delete(PRX_USER_INFO_SESSION_KEY)
+        session[PRX_REFRESH_BACK_KEY] = request.fullpath
+        redirect_to PrxAuth::Rails::Engine.routes.url_helpers.new_sessions_path
+      end
-        session['prx.auth'] && Rack::PrxAuth::TokenData.new(session['prx.auth'])
+      def prx_jwt
+        session[PRX_JWT_SESSION_KEY]
       end
       def prx_authenticated?
@@ -24,66 +37,116 @@ module PrxAuth
         redirect_to PrxAuth::Rails::Engine.routes.url_helpers.new_sessions_path
       end
+      def prx_auth_needs_refresh?(jwt_ttl)
+        request.get? && jwt_ttl < PRX_JWT_REFRESH_TTL
+      end
       def current_user
-        return if prx_auth_token.nil?
+        prx_auth_token
+      end
-        PrxAuth::Rails::Token.new(prx_auth_token)
+      def current_user_info
+        session[PRX_USER_INFO_SESSION_KEY] ||= fetch_userinfo
       end
-      def lookup_and_register_accounts_names
-        session[PRX_ACCOUNT_NAME_MAPPING_KEY] =
-          lookup_account_names_mapping
+      def current_user_name
+        current_user_info['name'] || current_user_info['preferred_username'] || current_user_info['email']
       end
-      def account_name_for(id)
-        id = id.to_i
+      def current_user_apps
+        apps = (current_user_info.try(:[], 'apps') || []).map do |name, url|
+          label = name.sub(/^https?:\/\//, '').sub(/\..+/, '').capitalize
+          ["PRX #{label}", url]
+        end
-        session[PRX_ACCOUNT_NAME_MAPPING_KEY] ||= {}
+        # only return entire list in development
+        if ::Rails.env.production? || ::Rails.env.staging?
+          apps.to_h.select { |k, v| v.match?(/\.(org|tech)/) }
+        else
+          apps.to_h
+        end
+      end
-        name =
-          if session[PRX_ACCOUNT_NAME_MAPPING_KEY].has_key?(id)
-            session[PRX_ACCOUNT_NAME_MAPPING_KEY][id]
-          else
-            session[PRX_ACCOUNT_NAME_MAPPING_KEY][id] = lookup_account_name_for(id)
-          end
+      def sign_in_user(token)
+        session[PRX_JWT_SESSION_KEY] = token
+        accounts_for(current_user.resources)
+      end
-        name = "[#{id}] Unknown Account Name" unless name.present?
+      def after_sign_in_user_redirect
+        session.delete(PRX_REFRESH_BACK_KEY)
+      end
-        name
+      def sign_out_user
+        reset_session
       end
-      def sign_in_user(token)
-        session['prx.auth'] = token
+      def account_name_for(account_id)
+        account_for(account_id).try(:[], :name)
+      end
+      def account_for(account_id)
+        lookup_accounts([account_id]).first
+      end
+      def accounts_for(account_ids)
+        lookup_accounts(account_ids)
       end
       private
-      def lookup_account_name_for(id)
-        id = id.to_i
+      def lookup_accounts(ids)
+        session[PRX_ACCOUNT_MAPPING_SESSION_KEY] ||= {}
+        # fetch any accounts we don't have yet
+        missing = ids - session[PRX_ACCOUNT_MAPPING_SESSION_KEY].keys
+        if missing.present?
+          fetch_accounts(missing).each do |account|
+            session[PRX_ACCOUNT_MAPPING_SESSION_KEY][account['id']] = account.with_indifferent_access
+          end
+        end
-        res = lookup_account_names_mapping([id])
-        res[id]
+        ids.map { |id| session[PRX_ACCOUNT_MAPPING_SESSION_KEY][id] }
       end
-      def lookup_account_names_mapping(ids=current_user.resources)
-        id_host = PrxAuth::Rails.configuration.id_host
+      def fetch_accounts(ids)
         ids_param = ids.map(&:to_s).join(',')
+        fetch("/api/v1/accounts?account_ids=#{ids_param}")['accounts']
+      end
+      def fetch_userinfo
+        fetch("/userinfo?scope=apps+email+profile", prx_jwt)
+      end
+      def fetch(path, token = nil)
+        url = "https://#{PrxAuth::Rails.configuration.id_host}#{path}"
         options = {}
         options[:ssl_verify_mode] = OpenSSL::SSL::VERIFY_NONE if ::Rails.env.development?
+        options['Authorization'] = "Bearer #{token}" if token
+        JSON.parse(URI.open(url, options).read)
+      end
-        accounts = URI.open("https://#{id_host}/api/v1/accounts?account_ids=#{ids_param}", options).read
+      # token from data set by prx_auth rack middleware
+      def env_token
+        @env_token_data ||= if request.env[PRX_AUTH_ENV_KEY]
+          token_data = request.env[PRX_AUTH_ENV_KEY]
+          PrxAuth::Rails::Token.new(token_data)
+        end
+      end
-        mapping = JSON.parse(accounts)['accounts'].map { |acct| [acct['id'], acct['display_name']] }.to_h
+      # token from jwt stored in session
+      def session_token
+        @session_prx_auth_token ||= if prx_jwt
+          # NOTE: we already validated this jwt - so just decode it
+          validator = Rack::PrxAuth::AuthValidator.new(prx_jwt)
-        mapping
-      end
+          # does this jwt need to be refreshed?
+          if prx_auth_needs_refresh?(validator.time_to_live)
+            raise SessionTokenExpiredError.new
+          end
-      def env_prx_auth_token
-        if !defined? @_prx_auth_token
-          @_prx_auth_token = request.env['prx.auth'] && PrxAuth::Rails::Token.new(request.env['prx.auth'])
-        else
-          @_prx_auth_token
+          # create new data/token from access claims
+          token_data = Rack::PrxAuth::TokenData.new(validator.claims)
+          PrxAuth::Rails::Token.new(token_data)
         end
       end
     end

data/lib/prx_auth/rails/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module PrxAuth
   module Rails
-    VERSION = "1.4.1"
+    VERSION = "2.0.0"
   end
 end

data/prx_auth-rails.gemspec CHANGED Viewed

@@ -8,10 +8,8 @@ Gem::Specification.new do |spec|
   spec.version       = PrxAuth::Rails::VERSION
   spec.authors       = ["Chris Rhoden"]
   spec.email         = ["carhoden@gmail.com"]
-  spec.description   = %q{Rails integration for next generation PRX Authorization system.
-}
-  spec.summary       = %q{Rails integration for next generation PRX Authorization system.
-}
+  spec.description   = "Rails integration for next generation PRX Authorization system."
+  spec.summary       = "Rails integration for next generation PRX Authorization system."
   spec.homepage      = "https://github.com/PRX/prx_auth-rails"
   spec.license       = "MIT"
@@ -29,11 +27,11 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'coveralls', '~> 0'
   spec.add_development_dependency 'guard'
   spec.add_development_dependency 'guard-minitest'
+  spec.add_development_dependency 'm', '~> 1.5'
   spec.add_development_dependency "rails", "~> 6.1.0"
   spec.add_development_dependency 'pry'
   spec.add_development_dependency 'sqlite3'
+  spec.add_development_dependency 'webmock'
-  spec.add_runtime_dependency 'prx_auth', "~> 1.2"
+  spec.add_runtime_dependency 'prx_auth', ">= 1.7.0"
 end

data/test/dummy/app/controllers/application_controller.rb CHANGED Viewed

@@ -2,6 +2,8 @@ class ApplicationController < ActionController::Base
   before_action :authenticate!
+  def index; end
   def after_sign_in_path_for(_resource)
     '/after-sign-in-path'
   end

data/test/dummy/app/views/application/index.html.erb ADDED Viewed

	@@ -0,0 +1 @@
1	+ the controller index!

data/test/dummy/config/routes.rb CHANGED Viewed

@@ -1,3 +1,5 @@
 Rails.application.routes.draw do
+  get 'index', to: 'application#index'
+  put 'index', to: 'application#index'
   mount PrxAuth::Rails::Engine => "/prx_auth-rails"
 end

data/test/prx_auth/rails/ext/controller_test.rb ADDED Viewed

@@ -0,0 +1,165 @@
+require 'test_helper'
+module PrxAuth::Rails::Ext
+  class ControllerTest < ActionController::TestCase
+    setup do
+      @controller = ApplicationController.new
+      @jwt_session_key = ApplicationController::PRX_JWT_SESSION_KEY
+      @user_info_key = ApplicationController::PRX_USER_INFO_SESSION_KEY
+      @account_mapping_key = ApplicationController::PRX_ACCOUNT_MAPPING_SESSION_KEY
+      @stub_claims = {'iat' => Time.now.to_i, 'exp' => Time.now.to_i + 3600}
+    end
+    # stub auth and init controller+session by getting a page
+    def with_stubbed_auth(jwt)
+      session[@jwt_session_key] = 'some-jwt'
+      @controller.stub(:prx_auth_needs_refresh?, false) do
+        get :index
+        assert_equal response.code, '200'
+        yield
+      end
+    end
+    test 'redirects unless you are authenticated' do
+      get :index
+      assert_equal response.code, '302'
+      assert response.headers['Location'].ends_with?('/sessions/new')
+    end
+    test 'uses a valid session token' do
+      session[@jwt_session_key] = 'some-jwt'
+      JSON::JWT.stub(:decode, @stub_claims) do
+        get :index
+        assert_equal response.code, '200'
+        assert response.body.include?('the controller index!')
+        assert @controller.current_user.is_a?(PrxAuth::Rails::Token)
+      end
+    end
+    test 'redirects if your token is nearing expiration' do
+      session[@jwt_session_key] = 'some-jwt'
+      @stub_claims['exp'] = Time.now.to_i + 10
+      JSON::JWT.stub(:decode, @stub_claims) do
+        get :index
+        assert_equal response.code, '302'
+        assert response.headers['Location'].ends_with?('/sessions/new')
+      end
+    end
+    test 'does not redirect if your token has expired on a non-GET request' do
+      session[@jwt_session_key] = 'some-jwt'
+      @stub_claims['exp'] = Time.now.to_i + 10
+      JSON::JWT.stub(:decode, @stub_claims) do
+        put :index
+        assert_equal response.code, '200'
+        assert response.body.include?('the controller index!')
+      end
+    end
+    test 'fetches current user info' do
+      with_stubbed_auth('some-jwt') do
+        body = {
+          'name' => 'Some Username',
+          'apps' => {'publish.prx.test' => 'https://publish.prx.test'},
+          'other' => 'stuff'
+        }
+        id_host = PrxAuth::Rails.configuration.id_host
+        stub_request(:get, "https://#{id_host}/userinfo?scope=apps%20email%20profile").
+          with(headers: {'Authorization' => 'Bearer some-jwt'}).
+          to_return(status: 200, body: JSON.generate(body))
+        assert session[@user_info_key] == nil
+        assert_equal @controller.current_user_info, body
+        refute session[@user_info_key] == nil
+        assert_equal @controller.current_user_name, 'Some Username'
+        assert_equal @controller.current_user_apps, {'PRX Publish' => 'https://publish.prx.test'}
+      end
+    end
+    test 'has user name fallbacks' do
+      with_stubbed_auth('some-jwt') do
+        session[@user_info_key] = {'name' => 'one', 'preferred_username' => 'two', 'email' => 'three'}
+        assert_equal @controller.current_user_name, 'one'
+        session[@user_info_key] = {'preferred_username' => 'two', 'email' => 'three'}
+        assert_equal @controller.current_user_name, 'two'
+        session[@user_info_key] = {'email' => 'three'}
+        assert_equal @controller.current_user_name, 'three'
+      end
+    end
+    test 'filters apps displayed in production' do
+      with_stubbed_auth('some-jwt') do
+        Rails.env.stub(:production?, true) do
+          session[@user_info_key] = {
+            'apps' => {
+              'localhost stuff' => 'http://localhost:4000/path1',
+              'publish.prx.test' => 'https://publish.prx.test/path2',
+              'metrics.prx.tech' => 'https://metrics.prx.tech/path3',
+              'augury.prx.org' => 'https://augury.prx.org/path4',
+            }
+          }
+          assert_equal @controller.current_user_apps, {
+            'PRX Metrics' => 'https://metrics.prx.tech/path3',
+            'PRX Augury' => 'https://augury.prx.org/path4',
+          }
+        end
+      end
+    end
+    test 'fetches accounts' do
+      with_stubbed_auth('some-jwt') do
+        one = {'id' => 1, 'type' => 'IndividualAccount', 'name' => 'One'}
+        three = {'id' => 3, 'type' => 'GroupAccount', 'name' => 'Three'}
+        body = {'accounts' => [one, three]}
+        id_host = PrxAuth::Rails.configuration.id_host
+        stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=1,2,3").
+          to_return(status: 200, body: JSON.generate(body))
+        assert_nil session[@account_mapping_key]
+        assert_equal @controller.accounts_for([1, 2, 3]), [one, nil, three]
+        refute_nil session[@account_mapping_key]
+        assert_equal @controller.account_for(1), one
+        assert_equal @controller.account_for(3), three
+        assert_equal @controller.account_name_for(1), 'One'
+        assert_equal @controller.account_name_for(3), 'Three'
+      end
+    end
+    test 'handles unknown account ids' do
+      with_stubbed_auth('some-jwt') do
+        id_host = PrxAuth::Rails.configuration.id_host
+        stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=2").
+          to_return(status: 200, body: JSON.generate({accounts: []})).
+          times(3)
+        assert_equal @controller.accounts_for([2]), [nil]
+        assert_nil @controller.account_for(2)
+        assert_nil @controller.account_name_for(2)
+      end
+    end
+    test 'only fetches only missing accounts' do
+      with_stubbed_auth('some-jwt') do
+        one = {'name' => 'One'}
+        two = {'id' => 2, 'type' => 'StationAccount', 'name' => 'Two'}
+        three = {'name' => 'Three'}
+        session[@account_mapping_key] = {1 => one, 3 => three}
+        body = {'accounts' => [two]}
+        id_host = PrxAuth::Rails.configuration.id_host
+        stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=2").
+          to_return(status: 200, body: JSON.generate(body))
+        assert_equal @controller.accounts_for([1, 2, 3]), [one, two, three]
+        assert_equal @controller.account_for(2), two
+        assert_equal @controller.account_name_for(2), 'Two'
+      end
+    end
+  end
+end

data/test/prx_auth/rails/sessions_controller_test.rb CHANGED Viewed

@@ -6,8 +6,10 @@ module PrxAuth::Rails
     setup do
       @routes = PrxAuth::Rails::Engine.routes
       @nonce_session_key = SessionsController::ID_NONCE_SESSION_KEY
-      @token_params = {id_token: 'sometok', access_token: 'othertok'}
+      @refresh_back_key = SessionsController::PRX_REFRESH_BACK_KEY
+      @token_params = {id_token: 'idtok', access_token: 'accesstok'}
       @stub_claims = {'nonce' => '123', 'sub' => '1'}
+      @stub_token = PrxAuth::Rails::Token.new(Rack::PrxAuth::TokenData.new())
     end
     test "new creates nonce" do
@@ -31,11 +33,12 @@ module PrxAuth::Rails
     end
     test 'create should validate a token and set the session variable' do
+      session[SessionsController::PRX_JWT_SESSION_KEY] = nil
       @controller.stub(:validate_token, @stub_claims) do
-        @controller.stub(:lookup_and_register_accounts_names, nil) do
+        @controller.stub(:session_token, @stub_token) do
           session[@nonce_session_key] = '123'
           post :create, params: @token_params, format: :json
-          assert session['prx.auth']['id_token']['nonce'] == '123'
+          assert session[SessionsController::PRX_JWT_SESSION_KEY] == 'accesstok'
         end
       end
     end
@@ -50,7 +53,7 @@ module PrxAuth::Rails
     test 'create should reset the nonce after consumed' do
       @controller.stub(:validate_token, @stub_claims) do
-        @controller.stub(:lookup_and_register_accounts_names, nil) do
+        @controller.stub(:session_token, @stub_token) do
           session[@nonce_session_key] = '123'
           post :create, params: @token_params, format: :json
@@ -61,7 +64,21 @@ module PrxAuth::Rails
       end
     end
-    test 'should respond with aredirect to the auth error page / code if the nonce does not match' do
+    test 'redirects to a back-path after refresh' do
+      @controller.stub(:validate_token, @stub_claims) do
+        @controller.stub(:session_token, @stub_token) do
+          session[@nonce_session_key] = '123'
+          session[@refresh_back_key] = '/lets/go/here?okay'
+          post :create, params: @token_params, format: :json
+          assert session[@refresh_back_key] == nil
+          assert response.code == '302'
+          assert response.headers['Location'].ends_with?('/lets/go/here?okay')
+        end
+      end
+    end
+    test 'should respond with redirect to the auth error page / code if the nonce does not match' do
       @controller.stub(:validate_token, @stub_claims) do
         session[@nonce_session_key] = 'nonce-does-not-match'
         post :create, params: @token_params, format: :json
@@ -86,13 +103,19 @@ module PrxAuth::Rails
       @controller.stub(:id_claims, @stub_claims) do
         @controller.stub(:access_claims, @stub_claims.merge('sub' => '444')) do
-        session[@nonce_session_key] = '123'
-        post :create, params: @token_params, format: :json
+          session[@nonce_session_key] = '123'
+          post :create, params: @token_params, format: :json
-        assert response.code == '302'
-        assert response.body.match?(/error=verification_failed/)
-      end
+          assert response.code == '302'
+          assert response.body.match?(/error=verification_failed/)
+        end
       end
     end
+    test 'should clear the user token on sign out' do
+      session[SessionsController::PRX_JWT_SESSION_KEY] = 'some-token'
+      post :destroy
+      assert session[SessionsController::PRX_JWT_SESSION_KEY] == nil
+    end
   end
 end

data/test/test_helper.rb CHANGED Viewed

@@ -5,6 +5,7 @@ Coveralls.wear!
 require 'minitest/autorun'
 require 'minitest/spec'
 require 'minitest/pride'
+require 'webmock/minitest'
 require 'action_pack'
 require 'action_controller'
 require 'action_view'

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: prx_auth-rails
 version: !ruby/object:Gem::Version
-  version: 1.4.1
+  version: 2.0.0
 platform: ruby
 authors:
 - Chris Rhoden
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-18 00:00:00.000000000 Z
+date: 2021-05-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -94,6 +94,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: m
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -136,23 +150,35 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: prx_auth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: 1.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.2'
-description: 'Rails integration for next generation PRX Authorization system.
-  '
+        version: 1.7.0
+description: Rails integration for next generation PRX Authorization system.
 email:
 - carhoden@gmail.com
 executables: []
@@ -168,6 +194,7 @@ files:
 - app/controllers/prx_auth/rails/sessions_controller.rb
 - app/views/prx_auth/rails/sessions/auth_error.html.erb
 - app/views/prx_auth/rails/sessions/show.html.erb
+- config/initializers/assets.rb
 - config/routes.rb
 - lib/prx_auth/rails.rb
 - lib/prx_auth/rails/configuration.rb
@@ -191,6 +218,7 @@ files:
 - test/dummy/app/mailers/application_mailer.rb
 - test/dummy/app/models/application_record.rb
 - test/dummy/app/models/concerns/.keep
+- test/dummy/app/views/application/index.html.erb
 - test/dummy/app/views/layouts/application.html.erb
 - test/dummy/app/views/layouts/mailer.html.erb
 - test/dummy/app/views/layouts/mailer.text.erb
@@ -234,6 +262,7 @@ files:
 - test/dummy/storage/.keep
 - test/log/development.log
 - test/prx_auth/rails/configuration_test.rb
+- test/prx_auth/rails/ext/controller_test.rb
 - test/prx_auth/rails/sessions_controller_test.rb
 - test/prx_auth/rails/token_test.rb
 - test/test_helper.rb
@@ -275,6 +304,7 @@ test_files:
 - test/dummy/app/mailers/application_mailer.rb
 - test/dummy/app/models/application_record.rb
 - test/dummy/app/models/concerns/.keep
+- test/dummy/app/views/application/index.html.erb
 - test/dummy/app/views/layouts/application.html.erb
 - test/dummy/app/views/layouts/mailer.html.erb
 - test/dummy/app/views/layouts/mailer.text.erb
@@ -318,6 +348,7 @@ test_files:
 - test/dummy/storage/.keep
 - test/log/development.log
 - test/prx_auth/rails/configuration_test.rb
+- test/prx_auth/rails/ext/controller_test.rb
 - test/prx_auth/rails/sessions_controller_test.rb
 - test/prx_auth/rails/token_test.rb
 - test/test_helper.rb