prx_auth-rails 4.2.1 → 5.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1852c166da48f2df9481fa8d2343e8e5e378875cd8ceda9b1bb459a78ee91e3a
-  data.tar.gz: b8cdc9d9ef469dbcb7b25ff606842763c3008fa8d33ed9291ad1729c821e6427
+  metadata.gz: bf94b7a4117fd51ed8b81e97822613f25ef10d9cd634b2d5d976809c2e50c281
+  data.tar.gz: 4830822f96f9526bdf828b611ed1d4920a4919f27feed31ac259b51c32777516
 SHA512:
-  metadata.gz: cfe2defaa2d06e944e4926a984140d47c1e7687976843d0c93f44133f6bea5fd7700317128dad8d150fb1cc424ace31700a528d1a24dc1be6b7fec7f8a698c11
-  data.tar.gz: b72915c790ec4d918f388b626704a5996e9afa0c83a52b6d2a4c1d01f217a07c22fad448820b8fc80145a8ba04727e75080fce3a1266f45b8fa6d722e704c9a5
+  metadata.gz: 8cdfcac52bffd86c335598f97fe76d93acceba591d4b709493374f7776eaf2eb7c10c1f4c57de17e0dbb6c40246fbb84c085972bd2d1e9800aacf73b1da0017a
+  data.tar.gz: e28b6dc7e0255a764ca7eb9469b7f28d8727f9804fd6a750e9905c2fe11799935665d6b67bee441c8bb2081bb3c5f4f58e642336e634d55f74d9974ff4d0fd61

data/.github/workflows/check-project-std.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Install Ruby and gems
         uses: ruby/setup-ruby@v1
         with:
-          ruby-version: '3.0'
+          ruby-version: '3.4'
           bundler-cache: true
       - name: Lint Ruby files
         run: bundle exec standardrb

data/app/controllers/prx_auth/rails/sessions_controller.rb

@@ -2,34 +2,31 @@
 
 module PrxAuth::Rails
   class SessionsController < ApplicationController
-    include PrxAuth::Rails::Engine.routes.url_helpers
-
-    skip_before_action :authenticate!, raise: false
+    skip_before_action :set_after_sign_in_path, :authenticate!, raise: false
 
     before_action :set_nonce!, only: [:new, :show]
-    before_action :set_after_sign_in_path
 
     ID_NONCE_SESSION_KEY = "id_prx_openid_nonce"
-    DEFAULT_SCOPES = "openid apps"
+    WILDCARD_SESSION_KEY = "prx.auth.wildcard"
+    DEFAULT_SCOPES = "openid"
 
     def new
       config = PrxAuth::Rails.configuration
 
-      scope =
-        if config.prx_scope.present?
-          "#{DEFAULT_SCOPES} #{config.prx_scope}"
-        else
-          DEFAULT_SCOPES
-        end
-
       id_auth_params = {
         client_id: config.prx_client_id,
         nonce: fetch_nonce,
         response_type: "id_token token",
-        scope: scope,
+        scope: "#{DEFAULT_SCOPES} #{config.prx_scope}".strip,
         prompt: "necessary"
       }
 
+      if session[WILDCARD_SESSION_KEY]
+        id_auth_params[:account] = "*"
+        # TODO: what if they need more than _just_ read-private?
+        id_auth_params[:scope] = "#{DEFAULT_SCOPES} read-private" if session[WILDCARD_SESSION_KEY] == "readonly"
+      end
+
       url = "//" + config.id_host + "/authorize?" + id_auth_params.to_query
 
       redirect_to url, allow_other_host: true
@@ -38,9 +35,7 @@ module PrxAuth::Rails
     def show
     end
 
-    def destroy
-      sign_out_user
-      redirect_to after_sign_out_path
+    def access_error
     end
 
     def auth_error
@@ -55,10 +50,29 @@ module PrxAuth::Rails
         sign_in_user(access_token)
         redirect_to after_sign_in_path_for(current_user)
       else
+        session.delete(WILDCARD_SESSION_KEY)
         redirect_to auth_error_sessions_path(error: params[:error] || "unknown_error")
       end
     end
 
+    def destroy
+      sign_out_user
+      redirect_to after_sign_out_path, allow_other_host: true
+    end
+
+    def logout
+      sign_out_user
+      redirect_to "//#{id_host}/session/sign_out", allow_other_host: true
+    end
+
+    def refresh
+      wildcard = params[:wildcard] if current_user_admin?
+      sign_out_user
+      session[WILDCARD_SESSION_KEY] = wildcard
+
+      redirect_to new_sessions_path
+    end
+
     private
 
     def after_sign_in_path_for(_)

data/app/helpers/prx_auth/rails/sessions_helper.rb

@@ -0,0 +1,27 @@
+module PrxAuth::Rails
+  module SessionsHelper
+    def current_user_app?(name)
+      current_user && current_user_app(name).present?
+    end
+
+    def current_user_app(name)
+      current_user_apps.find { |key, url| key.downcase.include?(name) }&.last
+    end
+
+    def current_user_id_profile
+      "https://#{PrxAuth::Rails.configuration.id_host}/profile"
+    end
+
+    def current_user_id_accounts
+      "https://#{PrxAuth::Rails.configuration.id_host}/accounts"
+    end
+
+    def current_user_image?
+      current_user && current_user_image.present?
+    end
+
+    def current_user_image
+      current_user_info["image_href"]
+    end
+  end
+end

data/app/views/prx_auth/rails/sessions/access_error.html.erb

@@ -0,0 +1,20 @@
+<div class="row">
+
+  <div class="col-lg-3"></div>
+
+  <div class="col-lg-6 my-5">
+    <div class="card">
+      <div class="card-body my-2">
+        <h1 class="card-title text-center">Not Authorized</h1>
+        <p class="card-text text-center">
+          <%= link_to "Your accounts", current_user_id_accounts %> are not authorized to use this PRX application.
+          <br/>
+          If you believe this to be in error, please <a href="https://help.prx.org/hc/en-us">contact PRX support.</a>
+        </p>
+      </div>
+    </div>
+  </div>
+
+  <div class="col-lg-3"></div>
+
+</div>

data/app/views/prx_auth/rails/sessions/auth_error.html.erb

@@ -1,8 +1,20 @@
-<div class='main'>
-  <section>
-    <h3>Not authorized for this application.</h3>
-    <p>
-      <a href="<%= new_sessions_path %>">Try logging in again</a>
-    </p>
-  </section>
+<div class="row">
+
+  <div class="col-lg-3"></div>
+
+  <div class="col-lg-6 my-5">
+    <div class="card">
+      <div class="card-body my-2">
+        <h1 class="card-title text-center"><%= @auth_error_message&.titleize || "Unknown" %> Error</h1>
+        <p class="card-text text-center">
+          Something went terribly wrong - please <%= link_to "try logging in again", new_sessions_path %>.
+          <br/>
+          If the problem persists, <a href="https://help.prx.org/hc/en-us">contact PRX support.</a>
+        </p>
+      </div>
+    </div>
+  </div>
+
+  <div class="col-lg-3"></div>
+
 </div>

data/app/views/prx_auth/rails/sessions/show.html.erb

@@ -1,5 +1,5 @@
 <div style="display:none;">
-  <%= form_for(:sessions, :url => PrxAuth::Rails::Engine.routes.url_helpers.sessions_path) do |f| %>
+  <%= form_for(:sessions, url: sessions_path) do |f| %>
       <%= hidden_field_tag :access_token, '', id: 'access-token-field' %>
       <%= hidden_field_tag :id_token, '', id: 'id-token-field' %>
       <%= hidden_field_tag :error, '', id: 'error-field' %>

data/config/initializers/assets.rb

@@ -1 +1,3 @@
-Rails.application.config.assets.precompile << %w[prx_auth-rails_manifest.js]
+if defined?(Rails.application.config.assets)
+  Rails.application.config.assets.precompile << %w[prx_auth-rails_manifest.js]
+end

data/config/routes.rb

@@ -1,7 +1,10 @@
-PrxAuth::Rails::Engine.routes.draw do
-  scope module: "prx_auth/rails" do
-    resource "sessions", except: :index, defaults: {format: "html"} do
+Rails.application.routes.draw do
+  scope module: "prx_auth/rails", path: "auth" do
+    resource "sessions", except: %w[edit update] do
+      get "access_error", to: "sessions#access_error"
       get "auth_error", to: "sessions#auth_error"
+      get "logout", to: "sessions#logout"
+      get "refresh", to: "sessions#refresh"
     end
   end
 end

data/lib/prx_auth/rails/engine.rb

@@ -4,6 +4,7 @@ module PrxAuth
       config.to_prepare do
         ::ApplicationController.helper_method [
           :current_user, :prx_jwt,
+          :current_user_access?, :current_user_admin?, :current_user_wildcard?,
           :current_user_info, :current_user_name, :current_user_apps,
           :account_name_for, :account_for, :accounts_for
         ]

data/lib/prx_auth/rails/ext/controller/account_info.rb

@@ -0,0 +1,51 @@
+require "open-uri"
+
+module PrxAuth
+  module Rails
+    module AccountInfo
+      PRX_ACCOUNT_MAPPING_SESSION_KEY = "prx.auth.account.mapping".freeze
+
+      def account_name_for(account_id)
+        account_for(account_id).try(:[], "name")
+      end
+
+      def account_for(account_id)
+        lookup_accounts([account_id]).first
+      end
+
+      def accounts_for(account_ids)
+        lookup_accounts(account_ids)
+      end
+
+      private
+
+      def lookup_accounts(ids)
+        return fetch_accounts(ids) unless defined?(session)
+
+        session[PRX_ACCOUNT_MAPPING_SESSION_KEY] ||= {}
+
+        # fetch any accounts we don't have yet
+        missing = ids - session[PRX_ACCOUNT_MAPPING_SESSION_KEY].keys
+        if missing.present?
+          fetch_accounts(missing).each do |account|
+            minimal = account.slice("name", "type")
+            session[PRX_ACCOUNT_MAPPING_SESSION_KEY][account["id"]] = minimal
+          end
+        end
+
+        ids.map { |id| session[PRX_ACCOUNT_MAPPING_SESSION_KEY][id] }
+      end
+
+      def fetch_accounts(ids)
+        ids_param = ids.map(&:to_s).join(",")
+        path = "/api/v1/accounts?account_ids=#{ids_param}"
+        url = "https://#{PrxAuth::Rails.configuration.id_host}#{path}"
+
+        options = {}
+        options[:ssl_verify_mode] = OpenSSL::SSL::VERIFY_NONE if ::Rails.env.development?
+        resp = JSON.parse(URI.open(url, options).read) # standard:disable Security/Open
+        resp.try(:[], "_embedded").try(:[], "prx:items") || []
+      end
+    end
+  end
+end

data/lib/prx_auth/rails/ext/controller/user_info.rb

@@ -0,0 +1,62 @@
+require "open-uri"
+
+module PrxAuth
+  module Rails
+    module UserInfo
+      PRX_USER_INFO_SESSION_KEY = "prx.auth.info".freeze
+      PRX_ADMIN_SCOPE = "prxadmin".freeze
+
+      def current_user
+        prx_auth_token
+      end
+
+      def current_user_access?(scope = :read_private)
+        current_user&.globally_authorized?(scope) || current_user&.authorized_account_ids(scope)&.any?
+      end
+
+      def current_user_info
+        session[PRX_USER_INFO_SESSION_KEY] ||= begin
+          info = fetch_userinfo
+          info.slice("name", "preferred_username", "email", "image_href", "apps")
+        end
+      end
+
+      def current_user_name
+        current_user_info["name"] || current_user_info["preferred_username"] || current_user_info["email"]
+      end
+
+      def current_user_apps
+        apps = (current_user_info.try(:[], "apps") || []).map do |name, url|
+          label = name.sub(/^https?:\/\//, "").sub(/\..+/, "").capitalize
+          ["PRX #{label}", url]
+        end
+
+        # only return entire list in development
+        if ::Rails.env.production? || ::Rails.env.staging?
+          apps.to_h.select { |k, v| v.match?(/\.(org|tech)/) }
+        else
+          apps.to_h
+        end
+      end
+
+      def current_user_admin?
+        current_user&.scopes&.include?(PRX_ADMIN_SCOPE)
+      end
+
+      def current_user_wildcard?
+        current_user&.globally_authorized?(:read_private)
+      end
+
+      private
+
+      def fetch_userinfo
+        path = "/userinfo?scope=apps+email+profile"
+        url = "https://#{PrxAuth::Rails.configuration.id_host}#{path}"
+        options = {}
+        options[:ssl_verify_mode] = OpenSSL::SSL::VERIFY_NONE if ::Rails.env.development?
+        options["Authorization"] = "Bearer #{prx_jwt}"
+        JSON.parse(URI.open(url, options).read) # standard:disable Security/Open
+      end
+    end
+  end
+end

data/lib/prx_auth/rails/ext/controller.rb

@@ -1,19 +1,26 @@
+require "active_support/concern"
 require "prx_auth/rails/token"
-require "open-uri"
+require "prx_auth/rails/ext/controller/account_info"
+require "prx_auth/rails/ext/controller/user_info"
 
 module PrxAuth
   module Rails
     module Controller
+      extend ActiveSupport::Concern
+      include PrxAuth::Rails::AccountInfo
+      include PrxAuth::Rails::UserInfo
+
       class SessionTokenExpiredError < RuntimeError; end
 
       PRX_AUTH_ENV_KEY = "prx.auth".freeze
       PRX_JWT_SESSION_KEY = "prx.auth.jwt".freeze
-      # subtracted from the JWT ttl
-      PRX_JWT_REFRESH_TTL = 300
-      PRX_ACCOUNT_MAPPING_SESSION_KEY = "prx.auth.account.mapping".freeze
-      PRX_USER_INFO_SESSION_KEY = "prx.auth.info".freeze
+      PRX_JWT_REFRESH_TTL = 60
       PRX_REFRESH_BACK_KEY = "prx.auth.back".freeze
 
+      included do
+        before_action :set_after_sign_in_path, :authenticate!
+      end
+
       def prx_auth_token
         env_token || session_token
       rescue SessionTokenExpiredError
@@ -24,8 +31,6 @@ module PrxAuth
       end
 
       def set_after_sign_in_path
-        return if instance_of?(PrxAuth::Rails::SessionsController)
-
         session[PRX_REFRESH_BACK_KEY] = request.fullpath
       end
 
@@ -38,41 +43,23 @@ module PrxAuth
       end
 
       def authenticate!
-        return true if current_user.present?
-
-        redirect_to PrxAuth::Rails::Engine.routes.url_helpers.new_sessions_path
-      end
-
-      def prx_auth_needs_refresh?(jwt_ttl)
-        request.get? && jwt_ttl < PRX_JWT_REFRESH_TTL
-      end
-
-      def current_user
-        prx_auth_token
-      end
-
-      def current_user_info
-        session[PRX_USER_INFO_SESSION_KEY] ||= begin
-          info = fetch_userinfo
-          info.slice("name", "preferred_username", "email", "image_href", "apps")
+        if !current_user
+          redirect_to new_sessions_path
+        elsif !current_user_access?
+          redirect_to access_error_sessions_path
+        else
+          true
         end
       end
 
-      def current_user_name
-        current_user_info["name"] || current_user_info["preferred_username"] || current_user_info["email"]
-      end
-
-      def current_user_apps
-        apps = (current_user_info.try(:[], "apps") || []).map do |name, url|
-          label = name.sub(/^https?:\/\//, "").sub(/\..+/, "").capitalize
-          ["PRX #{label}", url]
-        end
-
-        # only return entire list in development
-        if ::Rails.env.production? || ::Rails.env.staging?
-          apps.to_h.select { |k, v| v.match?(/\.(org|tech)/) }
+      # trigger refresh on a non-turbo GET request, if possible
+      def prx_auth_needs_refresh?(jwt_ttl)
+        if jwt_ttl < 0
+          true
+        elsif jwt_ttl < PRX_JWT_REFRESH_TTL
+          request.get? && !request.headers["Turbo-Frame"]
         else
-          apps.to_h
+          false
         end
       end
 
@@ -89,53 +76,8 @@ module PrxAuth
         reset_session
       end
 
-      def account_name_for(account_id)
-        account_for(account_id).try(:[], "name")
-      end
-
-      def account_for(account_id)
-        lookup_accounts([account_id]).first
-      end
-
-      def accounts_for(account_ids)
-        lookup_accounts(account_ids)
-      end
-
       private
 
-      def lookup_accounts(ids)
-        session[PRX_ACCOUNT_MAPPING_SESSION_KEY] ||= {}
-
-        # fetch any accounts we don't have yet
-        missing = ids - session[PRX_ACCOUNT_MAPPING_SESSION_KEY].keys
-        if missing.present?
-          fetch_accounts(missing).each do |account|
-            minimal = account.slice("name", "type")
-            session[PRX_ACCOUNT_MAPPING_SESSION_KEY][account["id"]] = minimal
-          end
-        end
-
-        ids.map { |id| session[PRX_ACCOUNT_MAPPING_SESSION_KEY][id] }
-      end
-
-      def fetch_accounts(ids)
-        ids_param = ids.map(&:to_s).join(",")
-        resp = fetch("/api/v1/accounts?account_ids=#{ids_param}")
-        resp.try(:[], "_embedded").try(:[], "prx:items") || []
-      end
-
-      def fetch_userinfo
-        fetch("/userinfo?scope=apps+email+profile", prx_jwt)
-      end
-
-      def fetch(path, token = nil)
-        url = "https://#{PrxAuth::Rails.configuration.id_host}#{path}"
-        options = {}
-        options[:ssl_verify_mode] = OpenSSL::SSL::VERIFY_NONE if ::Rails.env.development?
-        options["Authorization"] = "Bearer #{token}" if token
-        JSON.parse(URI.open(url, options).read) # standard:disable Security/Open
-      end
-
       # token from data set by prx_auth rack middleware
       def env_token
         @env_token_data ||= if request.env[PRX_AUTH_ENV_KEY]

data/lib/prx_auth/rails/version.rb

@@ -2,6 +2,6 @@
 
 module PrxAuth
   module Rails
-    VERSION = "4.2.1"
+    VERSION = "5.0.0"
   end
 end

data/prx_auth-rails.gemspec

@@ -26,7 +26,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "guard"
   spec.add_development_dependency "guard-minitest"
   spec.add_development_dependency "m", "~> 1.5"
-  spec.add_development_dependency "rails", "~> 6.1.0"
+  spec.add_development_dependency "rails", "~> 8.0.1"
   spec.add_development_dependency "pry"
   spec.add_development_dependency "sqlite3"
   spec.add_development_dependency "webmock"

data/test/dummy/app/controllers/application_controller.rb

@@ -1,6 +1,4 @@
 class ApplicationController < ActionController::Base
-  before_action :authenticate!
-
   def index
   end
 

data/test/dummy/config/initializers/assets.rb

@@ -1,7 +1,7 @@
 # Be sure to restart your server when you modify this file.
 
 # Version of your assets, change this if you want to expire all your assets.
-Rails.application.config.assets.version = "1.0"
+# Rails.application.config.assets.version = "1.0"
 
 # Add additional assets to the asset load path.
 # Rails.application.config.assets.paths << Emoji.images_path

data/test/dummy/config/routes.rb

@@ -1,5 +1,4 @@
 Rails.application.routes.draw do
   get "index", to: "application#index"
   put "index", to: "application#index"
-  mount PrxAuth::Rails::Engine => "/prx_auth-rails"
 end

data/test/prx_auth/rails/ext/controller_test.rb

@@ -7,16 +7,19 @@ module PrxAuth::Rails::Ext
       @jwt_session_key = ApplicationController::PRX_JWT_SESSION_KEY
       @user_info_key = ApplicationController::PRX_USER_INFO_SESSION_KEY
       @account_mapping_key = ApplicationController::PRX_ACCOUNT_MAPPING_SESSION_KEY
-      @stub_claims = {"iat" => Time.now.to_i, "exp" => Time.now.to_i + 3600}
+      @stub_aur = {"1234" => "test_app:read-private"}
+      @stub_claims = {"iat" => Time.now.to_i, "exp" => Time.now.to_i + 3600, "aur" => @stub_aur}
     end
 
     # stub auth and init controller+session by getting a page
     def with_stubbed_auth(jwt)
       session[@jwt_session_key] = "some-jwt"
-      @controller.stub(:prx_auth_needs_refresh?, false) do
-        get :index
-        assert_equal response.code, "200"
-        yield
+      JSON::JWT.stub(:decode, @stub_claims) do
+        @controller.stub(:prx_auth_needs_refresh?, false) do
+          get :index
+          assert_equal response.code, "200"
+          yield
+        end
       end
     end
 
@@ -26,6 +29,16 @@ module PrxAuth::Rails::Ext
       assert response.headers["Location"].ends_with?("/sessions/new")
     end
 
+    test "redirects unless you have read-private in this namespace" do
+      session[@jwt_session_key] = "some-jwt"
+      @stub_claims["aur"]["1234"] = "other_app:read-private"
+      JSON::JWT.stub(:decode, @stub_claims) do
+        get :index
+        assert_equal response.code, "302"
+        assert_includes response.location, "auth/sessions/access_error"
+      end
+    end
+
     test "uses a valid session token" do
       session[@jwt_session_key] = "some-jwt"
       JSON::JWT.stub(:decode, @stub_claims) do

data/test/prx_auth/rails/sessions_controller_test.rb

@@ -3,9 +3,10 @@ require "test_helper"
 module PrxAuth::Rails
   class SessionsControllerTest < ActionController::TestCase
     setup do
-      @routes = PrxAuth::Rails::Engine.routes
+      @jwt_key = SessionsController::PRX_JWT_SESSION_KEY
       @nonce_session_key = SessionsController::ID_NONCE_SESSION_KEY
       @refresh_back_key = SessionsController::PRX_REFRESH_BACK_KEY
+      @wildcard_key = SessionsController::WILDCARD_SESSION_KEY
       @token_params = {id_token: "idtok", access_token: "accesstok"}
       @stub_claims = {"nonce" => "123", "sub" => "1"}
       @stub_token = PrxAuth::Rails::Token.new(Rack::PrxAuth::TokenData.new)
@@ -31,13 +32,30 @@ module PrxAuth::Rails
       assert nonce1 == nonce2
     end
 
+    test "new includes scopes and accounts" do
+      get :new
+      assert response.code == "302"
+      assert_includes response.location, "scope=openid"
+
+      PrxAuth::Rails.configuration.prx_scope = "feeder:*"
+      get :new
+      assert response.code == "302"
+      assert_includes response.location, "scope=openid+feeder%3A%2A"
+
+      session[@wildcard_key] = "true"
+      get :new
+      assert response.code == "302"
+      assert_includes response.location, "scope=openid"
+      assert_includes response.location, "account=%2A"
+    end
+
     test "create should validate a token and set the session variable" do
-      session[SessionsController::PRX_JWT_SESSION_KEY] = nil
+      session[@jwt_key] = nil
       @controller.stub(:validate_token, @stub_claims) do
         @controller.stub(:session_token, @stub_token) do
           session[@nonce_session_key] = "123"
           post :create, params: @token_params, format: :json
-          assert session[SessionsController::PRX_JWT_SESSION_KEY] == "accesstok"
+          assert session[@jwt_key] == "accesstok"
         end
       end
     end
@@ -58,7 +76,7 @@ module PrxAuth::Rails
 
           assert session[@nonce_session_key].nil?
           assert response.code == "302"
-          assert response.body.match?(/after-sign-in-path/)
+          assert response.headers["Location"].match?(/after-sign-in-path/)
         end
       end
     end
@@ -85,14 +103,14 @@ module PrxAuth::Rails
         session[@nonce_session_key] = "nonce-does-not-match"
         post :create, params: @token_params, format: :json
         assert response.code == "302"
-        assert response.body.match(/auth_error\?error=verification_failed/)
+        assert response.headers["Location"].match(/auth_error\?error=verification_failed/)
       end
     end
 
     test "auth_error should return a formatted error message to the user" do
-      get :auth_error, params: {error: "error_message"}
+      get :auth_error, params: {error: "bad_things"}
       assert response.code == "200"
-      assert response.body.match?(/Not authorized/)
+      assert response.body.match?(/Bad Things Error/)
     end
 
     test "auth_error should expect the error param" do
@@ -109,15 +127,42 @@ module PrxAuth::Rails
           post :create, params: @token_params, format: :json
 
           assert response.code == "302"
-          assert response.body.match?(/error=verification_failed/)
+          assert response.headers["Location"].match?(/error=verification_failed/)
         end
       end
     end
 
     test "should clear the user token on sign out" do
-      session[SessionsController::PRX_JWT_SESSION_KEY] = "some-token"
+      session[@jwt_key] = "some-token"
       post :destroy
-      assert session[SessionsController::PRX_JWT_SESSION_KEY].nil?
+      assert session[@jwt_key].nil?
+    end
+
+    test "should clear the user token and send to ID on logout" do
+      session[@jwt_key] = "some-token"
+      get :logout
+      assert session[@jwt_key].nil?
+      assert response.code == "302"
+      assert_equal "//id.prx.test/session/sign_out", response.location
+    end
+
+    test "refreshes auth" do
+      session[@jwt_key] = "some-token"
+      get :refresh
+      assert session[@jwt_key].nil?
+      assert response.code == "302"
+      assert_includes response.location, new_sessions_path
+    end
+
+    test "refreshes wildcard auth for admins" do
+      @controller.stub(:current_user_admin?, true) do
+        session[@jwt_key] = "some-token"
+        get :refresh, params: {wildcard: true}
+        assert session[@jwt_key].nil?
+        assert session[@wildcard_key] = "true"
+        assert response.code == "302"
+        assert_includes response.location, new_sessions_path
+      end
     end
   end
 end

data/test/prx_auth/rails/sessions_helper_test.rb

@@ -0,0 +1,71 @@
+require "test_helper"
+
+class TestHelper
+  attr_accessor :current_user, :current_user_apps, :current_user_info
+  include PrxAuth::Rails::SessionsHelper
+end
+
+describe PrxAuth::Rails::SessionsHelper do
+  let(:helper) { TestHelper.new }
+
+  describe "#current_user_app?" do
+    it "makes sure there is a current user" do
+      helper.current_user = nil
+      refute helper.current_user_app?("foo")
+      refute helper.current_user_app?("bar")
+    end
+
+    it "determines if you have an app or not" do
+      helper.current_user = {}
+      helper.current_user_apps = {
+        "app for BAR" => "https://bar.prx.org",
+        "and then BAZ" => "https://baz.staging.prx.tech"
+      }
+
+      refute helper.current_user_app?("foo")
+      assert helper.current_user_app?("bar")
+      assert helper.current_user_app?("baz")
+    end
+  end
+
+  describe "#current_user_app" do
+    it "returns app urls" do
+      helper.current_user = {}
+      helper.current_user_apps = {
+        "dev domain" => "https://foo.prx.dev",
+        "real Bar domain" => "https://bar.prx.org",
+        "staging Baz domain" => "https://baz.staging.prx.tech"
+      }
+
+      assert_nil helper.current_user_app("foo")
+      assert_equal "https://bar.prx.org", helper.current_user_app("bar")
+      assert_equal "https://baz.staging.prx.tech", helper.current_user_app("baz")
+    end
+  end
+
+  describe "#current_user_id_profile" do
+    it "returns the ID host" do
+      assert_includes helper.current_user_id_profile, PrxAuth::Rails.configuration.id_host
+    end
+  end
+
+  describe "#current_user_image?" do
+    it "checks if the user has an image" do
+      refute helper.current_user_image?
+
+      helper.current_user = {}
+      helper.current_user_info = {"image_href" => ""}
+      refute helper.current_user_image?
+
+      helper.current_user_info = {"image_href" => "http://some.where/img"}
+      assert helper.current_user_image?
+    end
+  end
+
+  describe "#current_user_image" do
+    it "returns the user image url" do
+      helper.current_user_info = {"image_href" => "http://some.where/img"}
+      assert_equal "http://some.where/img", helper.current_user_image
+    end
+  end
+end

data/test/prx_auth/rails_test.rb

@@ -12,7 +12,7 @@ describe PrxAuth::Rails do
   end
 
   it "installs and configures prx_auth middleware" do
-    mw = MiniTest::Mock.new
+    mw = Minitest::Mock.new
     mw.expect :insert_after, nil do |c1, c2, cert_location:, issuer:|
       assert_equal Rack::Head, c1
       assert_equal Rack::PrxAuth, c2
@@ -20,7 +20,7 @@ describe PrxAuth::Rails do
       assert_equal "id.prx.test", issuer
     end
 
-    app = MiniTest::Mock.new
+    app = Minitest::Mock.new
     app.expect :middleware, mw
 
     subject.install_middleware!(app)

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: prx_auth-rails
 version: !ruby/object:Gem::Version
-  version: 4.2.1
+  version: 5.0.0
 platform: ruby
 authors:
 - Chris Rhoden
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-08-29 00:00:00.000000000 Z
+date: 2025-04-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -114,14 +113,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: 8.0.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 6.1.0
+        version: 8.0.1
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
@@ -208,6 +207,8 @@ files:
 - README.md
 - Rakefile
 - app/controllers/prx_auth/rails/sessions_controller.rb
+- app/helpers/prx_auth/rails/sessions_helper.rb
+- app/views/prx_auth/rails/sessions/access_error.html.erb
 - app/views/prx_auth/rails/sessions/auth_error.html.erb
 - app/views/prx_auth/rails/sessions/show.html.erb
 - config/initializers/assets.rb
@@ -216,6 +217,8 @@ files:
 - lib/prx_auth/rails/configuration.rb
 - lib/prx_auth/rails/engine.rb
 - lib/prx_auth/rails/ext/controller.rb
+- lib/prx_auth/rails/ext/controller/account_info.rb
+- lib/prx_auth/rails/ext/controller/user_info.rb
 - lib/prx_auth/rails/railtie.rb
 - lib/prx_auth/rails/token.rb
 - lib/prx_auth/rails/version.rb
@@ -280,6 +283,7 @@ files:
 - test/prx_auth/rails/configuration_test.rb
 - test/prx_auth/rails/ext/controller_test.rb
 - test/prx_auth/rails/sessions_controller_test.rb
+- test/prx_auth/rails/sessions_helper_test.rb
 - test/prx_auth/rails/token_test.rb
 - test/prx_auth/rails_test.rb
 - test/test_helper.rb
@@ -287,7 +291,6 @@ homepage: https://github.com/PRX/prx_auth-rails
 licenses:
 - MIT
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -302,8 +305,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.3
-signing_key:
+rubygems_version: 3.6.2
 specification_version: 4
 summary: Rails integration for next generation PRX Authorization system.
 test_files: []