prx_auth-rails 4.0.0 → 4.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1eed8329985438f59a1adc529c8e33748cbfca9becbd285475385c16b25639e6
-  data.tar.gz: 0a065d8fdf1e4d077fdd43da82cc37c3110ada401d31e6eadb5e154ae7001c6f
+  metadata.gz: 297ff153a8884223afeca8d74d809f965e297e1766acf522ef442070d35682ab
+  data.tar.gz: 97af5447b5a9d5449a289f055680c42b7c213503f3ba3fa4af4825f9083da479
 SHA512:
-  metadata.gz: 9f45b17435edca7e49910164e330eea45df6c466514b700af6f04182e7df99748d3978911cd777325fb9142e4e9f0e1723bec10917eeea8c04b54b4c98c521b1
-  data.tar.gz: 1dffecbaef3bf75a75759f6312a9acfb3442e5a6ff7b4354abc9e8b19816618f5fe57fd515317cfa03eaf7da0b231c2489b30c3a1f1aab2eca93f9a3e3b17d6b
+  metadata.gz: 32017811c9336ecdfc7e93196918ebbed6fa04c6616c0f36453319c3bdc2c4caa309fe47b3fc40573ab206efee375193867ca36a0466b0366a6980d0d2761e1f
+  data.tar.gz: 578ed2609ec2213d5bbb8397cdf2fabc82b71e43e59b26128df26bd6075a219712ecd15ec23143f4ef54903cfb02f5bd7afb8140cb8ff35323213880c5b3d95b

data/.git-blame-ignore-revs

@@ -0,0 +1,2 @@
+# 2023-04-12 Auto-fix all Ruby files with standardrb
+3da043d8a33e29223834fa3d7a05b013e490ce62

data/.github/workflows/check-project-std.yml

@@ -0,0 +1,23 @@
+name: Check project standards
+
+on:
+  push
+
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    env:
+      RAILS_ENV: test
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Install Ruby and gems
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: '3.0'
+          bundler-cache: true
+      - name: Lint Ruby files
+        run: bundle exec standardrb

data/Gemfile

@@ -1,4 +1,4 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
 # Specify your gem's dependencies in prx_auth-rails.gemspec
 gemspec

data/Guardfile

@@ -1,8 +1,8 @@
 guard :minitest, all_after_pass: true do
-  watch(%r{^test/(.*)\/?test_(.*)\.rb})
-  watch(%r{^lib/(.*/)?([^/]+)\.rb})                      { |m| "test/#{m[1]}test_#{m[2]}.rb" }
-  watch(%r{^lib/(.+)\.rb})                               { |m| "test/#{m[1]}_test.rb" }
-  watch(%r{^lib/(.+)\.rb})                                    { |m| "test/#{m[1]}_test.rb" }
+  watch(%r{^test/(.*)/?test_(.*)\.rb})
+  watch(%r{^lib/(.*/)?([^/]+)\.rb}) { |m| "test/#{m[1]}test_#{m[2]}.rb" }
+  watch(%r{^lib/(.+)\.rb}) { |m| "test/#{m[1]}_test.rb" }
+  watch(%r{^lib/(.+)\.rb}) { |m| "test/#{m[1]}_test.rb" }
   watch(%r{^test/.+_test\.rb})
-  watch(%r{^test/test_helper\.rb})                            { 'test' }
+  watch(%r{^test/test_helper\.rb}) { "test" }
 end

data/Rakefile

@@ -6,12 +6,12 @@ load "rails/tasks/engine.rake"
 load "rails/tasks/statistics.rake"
 
 require "bundler/gem_tasks"
-require 'rake'
+require "rake"
 require "rake/testtask"
 
 Rake::TestTask.new(:test) do |t|
-  t.libs << 'test'
-  t.pattern = 'test/**/*_test.rb'
+  t.libs << "test"
+  t.pattern = "test/**/*_test.rb"
   t.verbose = false
 end
 

data/app/controllers/prx_auth/rails/sessions_controller.rb

@@ -9,20 +9,30 @@ module PrxAuth::Rails
     before_action :set_nonce!, only: [:new, :show]
     before_action :set_after_sign_in_path
 
-    ID_NONCE_SESSION_KEY = 'id_prx_openid_nonce'
+    ID_NONCE_SESSION_KEY = "id_prx_openid_nonce"
+    DEFAULT_SCOPES = "openid"
 
     def new
       config = PrxAuth::Rails.configuration
 
+      scope =
+        if config.prx_scope.present?
+          "#{DEFAULT_SCOPES} #{config.prx_scope}"
+        else
+          DEFAULT_SCOPES
+        end
+
       id_auth_params = {
         client_id: config.prx_client_id,
         nonce: fetch_nonce,
-        response_type: 'id_token token',
-        scope: 'openid apps',
-        prompt: 'necessary'
+        response_type: "id_token token",
+        scope: scope,
+        prompt: "necessary"
       }
 
-      redirect_to '//' + config.id_host + '/authorize?' + id_auth_params.to_query
+      url = "//" + config.id_host + "/authorize?" + id_auth_params.to_query
+
+      redirect_to url, allow_other_host: true
     end
 
     def show
@@ -38,13 +48,14 @@ module PrxAuth::Rails
     end
 
     def create
-      if valid_nonce? && users_match?
-        clear_nonce!
+      valid_and_matching = valid_nonce? && users_match?
+      clear_nonce!
+
+      if valid_and_matching
         sign_in_user(access_token)
         redirect_to after_sign_in_path_for(current_user)
       else
-        clear_nonce!
-        redirect_to auth_error_sessions_path(error: 'verification_failed')
+        redirect_to auth_error_sessions_path(error: params[:error] || "unknown_error")
       end
     end
 
@@ -57,7 +68,7 @@ module PrxAuth::Rails
       elsif defined?(super)
         super
       else
-        '/'
+        "/"
       end
     end
 
@@ -68,11 +79,11 @@ module PrxAuth::Rails
     end
 
     def id_token
-      params.require('id_token')
+      params.require("id_token")
     end
 
     def access_token
-      params.require('access_token')
+      params.require("access_token")
     end
 
     def id_claims
@@ -96,11 +107,11 @@ module PrxAuth::Rails
     end
 
     def valid_nonce?
-      id_claims['nonce'].present? && id_claims['nonce'] == fetch_nonce
+      id_claims["nonce"].present? && id_claims["nonce"] == fetch_nonce
     end
 
     def users_match?
-      id_claims['sub'].present? && id_claims['sub'] == access_claims['sub']
+      id_claims["sub"].present? && id_claims["sub"] == access_claims["sub"]
     end
 
     def validate_token(token)

data/app/views/prx_auth/rails/sessions/auth_error.html.erb

@@ -1,13 +1,6 @@
 <div class='main'>
   <section>
     <h3>Not authorized for this application.</h3>
-
-    <p>Message was: <pre><%= @auth_error_message %></pre>
-    <% if  @auth_error_message == 'invalid_scope' %>
-      Did you add a row in the account_applications table on id.prx?
-    <% end %>
-    </p>
-
     <p>
       <a href="<%= new_sessions_path %>">Try logging in again</a>
     </p>

data/app/views/prx_auth/rails/sessions/show.html.erb

@@ -2,6 +2,7 @@
   <%= form_for(:sessions, :url => PrxAuth::Rails::Engine.routes.url_helpers.sessions_path) do |f| %>
       <%= hidden_field_tag :access_token, '', id: 'access-token-field' %>
       <%= hidden_field_tag :id_token, '', id: 'id-token-field' %>
+      <%= hidden_field_tag :error, '', id: 'error-field' %>
       <%= f.submit id: 'sessions-form-submit' %>
   <% end %>
 </div>
@@ -23,14 +24,16 @@
   }
 
 window.addEventListener("load", () => {
-  var idToken = document.querySelector("#id-token-field");
   var accessToken = document.querySelector("#access-token-field");
+  var idToken = document.querySelector("#id-token-field");
+  var error = document.querySelector("#error-field");
   var submit = document.querySelector("input#sessions-form-submit[type=submit]");
 
   var hashParams = parseURLFragment();
 
   accessToken.value = hashParams['access_token'];
   idToken.value = hashParams['id_token'];
+  error.value = hashParams['error'];
 
   submit.click();
 });

data/config/initializers/assets.rb

@@ -1 +1 @@
-Rails.application.config.assets.precompile << %w(prx_auth-rails_manifest.js)
+Rails.application.config.assets.precompile << %w[prx_auth-rails_manifest.js]

data/config/routes.rb

@@ -1,7 +1,7 @@
 PrxAuth::Rails::Engine.routes.draw do
-  scope module: 'prx_auth/rails' do
-    resource 'sessions', except: :index, :defaults => { :format => 'html' } do
-      get 'auth_error', to: 'sessions#auth_error'
+  scope module: "prx_auth/rails" do
+    resource "sessions", except: :index, defaults: {format: "html"} do
+      get "auth_error", to: "sessions#auth_error"
     end
   end
 end

data/lib/prx_auth/rails/configuration.rb

@@ -1,16 +1,18 @@
 class PrxAuth::Rails::Configuration
   attr_accessor :install_middleware,
-                :namespace,
-                :prx_client_id,
-                :id_host,
-                :cert_path
+    :namespace,
+    :prx_client_id,
+    :prx_scope,
+    :id_host,
+    :cert_path
 
-  DEFAULT_ID_HOST = 'id.prx.org'
-  DEFAULT_CERT_PATH = 'api/v1/certs'
+  DEFAULT_ID_HOST = "id.prx.org"
+  DEFAULT_CERT_PATH = "api/v1/certs"
 
   def initialize
     @install_middleware = true
     @prx_client_id = nil
+    @prx_scope = nil
     @id_host = DEFAULT_ID_HOST
     @cert_path = DEFAULT_CERT_PATH
 
@@ -19,15 +21,15 @@ class PrxAuth::Rails::Configuration
       if defined?(::Rails)
         klass = ::Rails.application.class
         parent_name = if ::Rails::VERSION::MAJOR >= 6
-                        klass.module_parent_name
-                      else
-                        klass.parent_name
-                      end
+          klass.module_parent_name
+        else
+          klass.parent_name
+        end
         klass_name = if parent_name.present?
-                       parent_name
-                     else
-                       klass.name
-                     end
+          parent_name
+        else
+          klass.name
+        end
 
         klass_name.underscore.intern
       end

data/lib/prx_auth/rails/engine.rb

@@ -5,7 +5,7 @@ module PrxAuth
         ::ApplicationController.helper_method [
           :current_user, :prx_jwt,
           :current_user_info, :current_user_name, :current_user_apps,
-          :account_name_for, :account_for, :accounts_for,
+          :account_name_for, :account_for, :accounts_for
         ]
       end
     end

data/lib/prx_auth/rails/ext/controller.rb

@@ -1,18 +1,18 @@
-require 'prx_auth/rails/token'
-require 'open-uri'
+require "prx_auth/rails/token"
+require "open-uri"
 
 module PrxAuth
   module Rails
     module Controller
       class SessionTokenExpiredError < RuntimeError; end
 
-      PRX_AUTH_ENV_KEY = 'prx.auth'.freeze
-      PRX_JWT_SESSION_KEY = 'prx.auth.jwt'.freeze
+      PRX_AUTH_ENV_KEY = "prx.auth".freeze
+      PRX_JWT_SESSION_KEY = "prx.auth.jwt".freeze
       # subtracted from the JWT ttl
-      PRX_JWT_REFRESH_TTL = 300.freeze
-      PRX_ACCOUNT_MAPPING_SESSION_KEY = 'prx.auth.account.mapping'.freeze
-      PRX_USER_INFO_SESSION_KEY = 'prx.auth.info'.freeze
-      PRX_REFRESH_BACK_KEY = 'prx.auth.back'.freeze
+      PRX_JWT_REFRESH_TTL = 300
+      PRX_ACCOUNT_MAPPING_SESSION_KEY = "prx.auth.account.mapping".freeze
+      PRX_USER_INFO_SESSION_KEY = "prx.auth.info".freeze
+      PRX_REFRESH_BACK_KEY = "prx.auth.back".freeze
 
       def prx_auth_token
         env_token || session_token
@@ -24,7 +24,7 @@ module PrxAuth
       end
 
       def set_after_sign_in_path
-        return if self.class == PrxAuth::Rails::SessionsController
+        return if instance_of?(PrxAuth::Rails::SessionsController)
 
         session[PRX_REFRESH_BACK_KEY] = request.fullpath
       end
@@ -52,16 +52,19 @@ module PrxAuth
       end
 
       def current_user_info
-        session[PRX_USER_INFO_SESSION_KEY] ||= fetch_userinfo
+        session[PRX_USER_INFO_SESSION_KEY] ||= begin
+          info = fetch_userinfo
+          info.slice("name", "preferred_username", "email", "image_href", "apps")
+        end
       end
 
       def current_user_name
-        current_user_info['name'] || current_user_info['preferred_username'] || current_user_info['email']
+        current_user_info["name"] || current_user_info["preferred_username"] || current_user_info["email"]
       end
 
       def current_user_apps
-        apps = (current_user_info.try(:[], 'apps') || []).map do |name, url|
-          label = name.sub(/^https?:\/\//, '').sub(/\..+/, '').capitalize
+        apps = (current_user_info.try(:[], "apps") || []).map do |name, url|
+          label = name.sub(/^https?:\/\//, "").sub(/\..+/, "").capitalize
           ["PRX #{label}", url]
         end
 
@@ -87,7 +90,7 @@ module PrxAuth
       end
 
       def account_name_for(account_id)
-        account_for(account_id).try(:[], :name)
+        account_for(account_id).try(:[], "name")
       end
 
       def account_for(account_id)
@@ -107,7 +110,8 @@ module PrxAuth
         missing = ids - session[PRX_ACCOUNT_MAPPING_SESSION_KEY].keys
         if missing.present?
           fetch_accounts(missing).each do |account|
-            session[PRX_ACCOUNT_MAPPING_SESSION_KEY][account['id']] = account.with_indifferent_access
+            minimal = account.slice("name", "type")
+            session[PRX_ACCOUNT_MAPPING_SESSION_KEY][account["id"]] = minimal
           end
         end
 
@@ -115,9 +119,9 @@ module PrxAuth
       end
 
       def fetch_accounts(ids)
-        ids_param = ids.map(&:to_s).join(',')
+        ids_param = ids.map(&:to_s).join(",")
         resp = fetch("/api/v1/accounts?account_ids=#{ids_param}")
-        resp.try(:[], '_embedded').try(:[], 'prx:items') || []
+        resp.try(:[], "_embedded").try(:[], "prx:items") || []
       end
 
       def fetch_userinfo
@@ -128,8 +132,8 @@ module PrxAuth
         url = "https://#{PrxAuth::Rails.configuration.id_host}#{path}"
         options = {}
         options[:ssl_verify_mode] = OpenSSL::SSL::VERIFY_NONE if ::Rails.env.development?
-        options['Authorization'] = "Bearer #{token}" if token
-        JSON.parse(URI.open(url, options).read)
+        options["Authorization"] = "Bearer #{token}" if token
+        JSON.parse(URI.open(url, options).read) # standard:disable Security/Open
       end
 
       # token from data set by prx_auth rack middleware

data/lib/prx_auth/rails/railtie.rb

@@ -1,6 +1,6 @@
-require 'rails/railtie'
-require 'prx_auth/rails/ext/controller'
-require 'rack/prx_auth'
+require "rails/railtie"
+require "prx_auth/rails/ext/controller"
+require "rack/prx_auth"
 
 module PrxAuth::Rails
   class Railtie < ::Rails::Railtie

data/lib/prx_auth/rails/token.rb

@@ -1,4 +1,4 @@
-require 'rack/prx_auth'
+require "rack/prx_auth"
 
 class PrxAuth::Rails::Token
   def initialize(token_data)
@@ -6,17 +6,17 @@ class PrxAuth::Rails::Token
     @namespace = PrxAuth::Rails.configuration.namespace
   end
 
-  def authorized?(resource, namespace=nil, scope=nil)
+  def authorized?(resource, namespace = nil, scope = nil)
     namespace, scope = @namespace, namespace if scope.nil? && !namespace.nil?
     @token_data.authorized?(resource, namespace, scope)
   end
 
-  def globally_authorized?(namespace, scope=nil)
+  def globally_authorized?(namespace, scope = nil)
     namespace, scope = @namespace, namespace if scope.nil?
     @token_data.globally_authorized?(namespace, scope)
   end
 
-  def resources(namespace=nil, scope=nil)
+  def resources(namespace = nil, scope = nil)
     namespace, scope = @namespace, namespace if scope.nil? && !namespace.nil?
     @token_data.resources(namespace, scope)
   end
@@ -32,4 +32,17 @@ class PrxAuth::Rails::Token
   def authorized_account_ids(scope)
     @token_data.authorized_account_ids(scope)
   end
+
+  def except!(*resources)
+    @token_data = @token_data.except(*resources)
+    self
+  end
+
+  def except(*resources)
+    dup.except!(*resources)
+  end
+
+  def empty_resources?
+    @token_data.empty_resources?
+  end
 end

data/lib/prx_auth/rails/version.rb

@@ -2,6 +2,6 @@
 
 module PrxAuth
   module Rails
-    VERSION = '4.0.0'
+    VERSION = "4.2.0"
   end
 end

data/lib/prx_auth/rails.rb

@@ -27,10 +27,10 @@ module PrxAuth
         host = configuration.id_host
         path = configuration.cert_path
         protocol =
-          if host.include?('localhost') || host.include?('127.0.0.1')
-            'http'
+          if host.include?("localhost") || host.include?("127.0.0.1")
+            "http"
           else
-            'https'
+            "https"
           end
 
         app.middleware.insert_after Rack::Head, Rack::PrxAuth,

data/prx_auth-rails.gemspec

@@ -1,37 +1,36 @@
-# coding: utf-8
-lib = File.expand_path('../lib', __FILE__)
+lib = File.expand_path("../lib", __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require 'prx_auth/rails/version'
+require "prx_auth/rails/version"
 
 Gem::Specification.new do |spec|
-  spec.name          = "prx_auth-rails"
-  spec.version       = PrxAuth::Rails::VERSION
-  spec.authors       = ["Chris Rhoden"]
-  spec.email         = ["carhoden@gmail.com"]
-  spec.description   = "Rails integration for next generation PRX Authorization system."
-  spec.summary       = "Rails integration for next generation PRX Authorization system."
-  spec.homepage      = "https://github.com/PRX/prx_auth-rails"
-  spec.license       = "MIT"
+  spec.name = "prx_auth-rails"
+  spec.version = PrxAuth::Rails::VERSION
+  spec.authors = ["Chris Rhoden"]
+  spec.email = ["carhoden@gmail.com"]
+  spec.description = "Rails integration for next generation PRX Authorization system."
+  spec.summary = "Rails integration for next generation PRX Authorization system."
+  spec.homepage = "https://github.com/PRX/prx_auth-rails"
+  spec.license = "MIT"
 
-  spec.required_ruby_version = '>= 2.3'
+  spec.required_ruby_version = ">= 2.3"
 
-  spec.files         = `git ls-files`.split($/)
-  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.files = `git ls-files`.split($/)
+  spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_runtime_dependency 'actionpack'
+  spec.add_runtime_dependency "actionpack"
 
-  spec.add_development_dependency 'bundler'
-  spec.add_development_dependency 'rake'
-  spec.add_development_dependency 'coveralls', '~> 0'
-  spec.add_development_dependency 'guard'
-  spec.add_development_dependency 'guard-minitest'
-  spec.add_development_dependency 'm', '~> 1.5'  
+  spec.add_development_dependency "bundler"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "coveralls", "~> 0"
+  spec.add_development_dependency "guard"
+  spec.add_development_dependency "guard-minitest"
+  spec.add_development_dependency "m", "~> 1.5"
   spec.add_development_dependency "rails", "~> 6.1.0"
-  spec.add_development_dependency 'pry'
-  spec.add_development_dependency 'sqlite3'
-  spec.add_development_dependency 'webmock'
+  spec.add_development_dependency "pry"
+  spec.add_development_dependency "sqlite3"
+  spec.add_development_dependency "webmock"
+  spec.add_development_dependency "standard"
 
-  spec.add_runtime_dependency 'prx_auth', ">= 1.7.0"
+  spec.add_runtime_dependency "prx_auth", ">= 1.8.0"
 end

data/test/dummy/app/controllers/application_controller.rb

@@ -1,10 +1,10 @@
 class ApplicationController < ActionController::Base
-
   before_action :authenticate!
 
-  def index; end
+  def index
+  end
 
   def after_sign_in_path_for(_resource)
-    '/after-sign-in-path'
+    "/after-sign-in-path"
   end
 end

data/test/dummy/app/mailers/application_mailer.rb

@@ -1,4 +1,4 @@
 class ApplicationMailer < ActionMailer::Base
-  default from: 'from@example.com'
-  layout 'mailer'
+  default from: "from@example.com"
+  layout "mailer"
 end

data/test/dummy/bin/rails

@@ -1,5 +1,5 @@
 #!/usr/bin/env ruby
 load File.expand_path("spring", __dir__)
-APP_PATH = File.expand_path('../config/application', __dir__)
+APP_PATH = File.expand_path("../config/application", __dir__)
 require_relative "../config/boot"
 require "rails/commands"

data/test/dummy/bin/setup

@@ -2,7 +2,7 @@
 require "fileutils"
 
 # path to your application root.
-APP_ROOT = File.expand_path('..', __dir__)
+APP_ROOT = File.expand_path("..", __dir__)
 
 def system!(*args)
   system(*args) || abort("\n== Command #{args} failed ==")
@@ -13,9 +13,9 @@ FileUtils.chdir APP_ROOT do
   # This script is idempotent, so that you can run it at any time and get an expectable outcome.
   # Add necessary setup steps to this file.
 
-  puts '== Installing dependencies =='
-  system! 'gem install bundler --conservative'
-  system('bundle check') || system!('bundle install')
+  puts "== Installing dependencies =="
+  system! "gem install bundler --conservative"
+  system("bundle check") || system!("bundle install")
 
   # puts "\n== Copying sample files =="
   # unless File.exist?('config/database.yml')
@@ -23,11 +23,11 @@ FileUtils.chdir APP_ROOT do
   # end
 
   puts "\n== Preparing database =="
-  system! 'bin/rails db:prepare'
+  system! "bin/rails db:prepare"
 
   puts "\n== Removing old logs and tempfiles =="
-  system! 'bin/rails log:clear tmp:clear'
+  system! "bin/rails log:clear tmp:clear"
 
   puts "\n== Restarting application server =="
-  system! 'bin/rails restart'
+  system! "bin/rails restart"
 end

data/test/dummy/config/boot.rb

@@ -1,5 +1,5 @@
 # Set up gems listed in the Gemfile.
-ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../../Gemfile', __dir__)
+ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../../../Gemfile", __dir__)
 
 require "bundler/setup" if File.exist?(ENV["BUNDLE_GEMFILE"])
-$LOAD_PATH.unshift File.expand_path('../../../lib', __dir__)
+$LOAD_PATH.unshift File.expand_path("../../../lib", __dir__)

data/test/dummy/config/environments/development.rb

@@ -16,13 +16,13 @@ Rails.application.configure do
 
   # Enable/disable caching. By default caching is disabled.
   # Run rails dev:cache to toggle caching.
-  if Rails.root.join('tmp', 'caching-dev.txt').exist?
+  if Rails.root.join("tmp", "caching-dev.txt").exist?
     config.action_controller.perform_caching = true
     config.action_controller.enable_fragment_cache_logging = true
 
     config.cache_store = :memory_store
     config.public_file_server.headers = {
-      'Cache-Control' => "public, max-age=#{2.days.to_i}"
+      "Cache-Control" => "public, max-age=#{2.days.to_i}"
     }
   else
     config.action_controller.perform_caching = false