prx_auth-rails 1.7.0 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9a692b8cc459acfdf888599245ff2db7d7ed92a3c967fbccacdd871aa4e78cd7
-  data.tar.gz: 17439da5ec7e7cc7f85d00083a47aaebb6d6bd495db25fa75581bf0758726d6c
+  metadata.gz: 5a687c733815e035f361fbfd4981e3673480311c6d760206b9b1edd4903e084b
+  data.tar.gz: 5b04a0584489415a7b0223342c85e638c8c3ca01c141e4ff46db9269c192f6be
 SHA512:
-  metadata.gz: 2a185d858e8a50a33e1f18c85e7dabf5f01a46fbc068dd74d222bb48ab03732ced79c60affd45f7e70efd628cfaaf259e9d4781c390470de86a06dd46158bf0c
-  data.tar.gz: d8f2b9c1c1367c2954575950f1ddc731f329f59d111efcb11282d78651a06cf22c74557f834d51ff6fa3ca7360d1cb06ad4736cd2a41d0ff28c5554913fcc193
+  metadata.gz: 71573dd4f1303e7e2b5fc4ca908c502c74aa986845ddb685613b6e8422c05e136c1952f5bfc2989a607b1a5020f708a06190ebe084a199a46aeefab1f7168706
+  data.tar.gz: dc5685c9e2908ea56c10f577eb2a457167087345f07b09927e8c36c1b0d2df513e2f2367436fe4f637aac648311c75a44ee3f845c63124be7ab4009c45dccb57

data/app/controllers/prx_auth/rails/sessions_controller.rb

@@ -4,13 +4,11 @@ module PrxAuth::Rails
 
     skip_before_action :authenticate!
 
-    before_action :set_nonce!, only: :show
+    before_action :set_nonce!, only: [:new, :show]
 
     ID_NONCE_SESSION_KEY = 'id_prx_openid_nonce'.freeze
 
     def new
-      set_nonce! unless fetch_nonce.present?
-
       config = PrxAuth::Rails.configuration
 
       id_auth_params = {
@@ -37,30 +35,27 @@ module PrxAuth::Rails
     end
 
     def create
-      jwt_id_claims = id_claims
-      jwt_access_claims = access_claims
-
-      jwt_access_claims['id_token'] = jwt_id_claims.as_json
-
-      result_path = if valid_nonce?(jwt_id_claims['nonce']) &&
-                        users_match?(jwt_id_claims, jwt_access_claims)
-                      sign_in_user(jwt_access_claims)
-                      lookup_and_register_accounts_names
-                      after_sign_in_path_for(current_user)
-                    else
-                      auth_error_sessions_path(error: 'verification_failed')
-                    end
-      reset_nonce!
-
-      redirect_to result_path
+      if valid_nonce? && users_match?
+        clear_nonce!
+        sign_in_user(access_token)
+        redirect_to after_sign_in_path_for(current_user)
+      else
+        clear_nonce!
+        redirect_to auth_error_sessions_path(error: 'verification_failed')
+      end
     end
 
     private
 
     def after_sign_in_path_for(_)
-      return super if defined?(super)
-
-      "/"
+      back_path = after_sign_in_user_redirect
+      if back_path.present?
+        back_path
+      elsif defined?(super)
+        super
+      else
+        '/'
+      end
     end
 
     def after_sign_out_path
@@ -69,49 +64,46 @@ module PrxAuth::Rails
       "https://#{id_host}/session/sign_out"
     end
 
+    def id_token
+      params.require('id_token')
+    end
+
+    def access_token
+      params.require('access_token')
+    end
+
     def id_claims
-      id_token = params.require('id_token')
-      validate_token(id_token)
+      @id_claims ||= validate_token(id_token)
     end
 
     def access_claims
-      access_token = params.require('access_token')
-      validate_token(access_token)
+      @access_claims ||= validate_token(access_token)
     end
 
-    def reset_nonce!
-      session[ID_NONCE_SESSION_KEY] = nil
+    def clear_nonce!
+      session.delete(ID_NONCE_SESSION_KEY)
     end
 
     def set_nonce!
-      n = session[ID_NONCE_SESSION_KEY]
-      return n if n.present?
-
-      session[ID_NONCE_SESSION_KEY] = SecureRandom.hex
+      session[ID_NONCE_SESSION_KEY] ||= SecureRandom.hex
     end
 
     def fetch_nonce
       session[ID_NONCE_SESSION_KEY]
     end
 
-    def valid_nonce?(nonce)
-      return false if fetch_nonce.nil?
-
-      fetch_nonce == nonce
+    def valid_nonce?
+      id_claims['nonce'].present? && id_claims['nonce'] == fetch_nonce
     end
 
-    def users_match?(claims1, claims2)
-      return false if claims1['sub'].nil? || claims2['sub'].nil?
-
-      claims1['sub'] == claims2['sub']
+    def users_match?
+      id_claims['sub'].present? && id_claims['sub'] == access_claims['sub']
     end
 
     def validate_token(token)
       prx_auth_cert = Rack::PrxAuth::Certificate.new("https://#{id_host}/api/v1/certs")
       auth_validator = Rack::PrxAuth::AuthValidator.new(token, prx_auth_cert, id_host)
-      auth_validator.
-        claims.
-        with_indifferent_access
+      auth_validator.claims.with_indifferent_access
     end
 
     def id_host

data/lib/prx_auth/rails/engine.rb

@@ -2,7 +2,10 @@ module PrxAuth
   module Rails
     class Engine < ::Rails::Engine
       config.to_prepare do
-        ::ApplicationController.helper_method [:current_user, :account_name_for]
+        ::ApplicationController.helper_method [
+          :current_user, :prx_jwt,
+          :account_name_for, :account_for, :accounts_for,
+        ]
       end
     end
   end

data/lib/prx_auth/rails/ext/controller.rb

@@ -4,15 +4,24 @@ require 'open-uri'
 module PrxAuth
   module Rails
     module Controller
+      class SessionTokenExpiredError < RuntimeError; end
 
-      PRX_ACCOUNT_NAME_MAPPING_KEY = 'prx.account.name.mapping'.freeze
-      PRX_TOKEN_SESSION_KEY = 'prx.auth'.freeze
+      PRX_AUTH_ENV_KEY = 'prx.auth'.freeze
+      PRX_JWT_SESSION_KEY = 'prx.auth.jwt'.freeze
+      PRX_JWT_REFRESH_TTL = 300.freeze
+      PRX_ACCOUNT_MAPPING_SESSION_KEY = 'prx.auth.account.mapping'.freeze
+      PRX_REFRESH_BACK_KEY = 'prx.auth.back'.freeze
 
       def prx_auth_token
-        rack_auth_token = env_prx_auth_token
-        return rack_auth_token if rack_auth_token.present?
+        env_token || session_token
+      rescue SessionTokenExpiredError
+        reset_session
+        session[PRX_REFRESH_BACK_KEY] = request.fullpath
+        redirect_to PrxAuth::Rails::Engine.routes.url_helpers.new_sessions_path
+      end
 
-        session[PRX_TOKEN_SESSION_KEY] && Rack::PrxAuth::TokenData.new(session[PRX_TOKEN_SESSION_KEY])
+      def prx_jwt
+        session[PRX_JWT_SESSION_KEY]
       end
 
       def prx_authenticated?
@@ -26,51 +35,51 @@ module PrxAuth
       end
 
       def current_user
-        return if prx_auth_token.nil?
-
-        PrxAuth::Rails::Token.new(prx_auth_token)
+        prx_auth_token
       end
 
-      def lookup_and_register_accounts_names
-        session[PRX_ACCOUNT_NAME_MAPPING_KEY] =
-          lookup_account_names_mapping
+      def sign_in_user(token)
+        session[PRX_JWT_SESSION_KEY] = token
+        accounts_for(current_user.resources)
       end
 
-      def account_name_for(id)
-        id = id.to_i
-
-        session[PRX_ACCOUNT_NAME_MAPPING_KEY] ||= {}
-
-        name =
-          if session[PRX_ACCOUNT_NAME_MAPPING_KEY].has_key?(id)
-            session[PRX_ACCOUNT_NAME_MAPPING_KEY][id]
-          else
-            session[PRX_ACCOUNT_NAME_MAPPING_KEY][id] = lookup_account_name_for(id)
-          end
+      def after_sign_in_user_redirect
+        session.delete(PRX_REFRESH_BACK_KEY)
+      end
 
-        name = "[#{id}] Unknown Account Name" unless name.present?
+      def sign_out_user
+        reset_session
+      end
 
-        name
+      def account_name_for(account_id)
+        account_for(account_id)[:name]
       end
 
-      def sign_in_user(token)
-        session[PRX_TOKEN_SESSION_KEY] = token
+      def account_for(account_id)
+        lookup_accounts([account_id]).first
       end
 
-      def sign_out_user
-        session.delete(PRX_TOKEN_SESSION_KEY)
+      def accounts_for(account_ids)
+        lookup_accounts(account_ids)
       end
 
       private
 
-      def lookup_account_name_for(id)
-        id = id.to_i
+      def lookup_accounts(ids)
+        session[PRX_ACCOUNT_MAPPING_SESSION_KEY] ||= {}
+
+        # fetch any accounts we don't have yet
+        missing = ids - session[PRX_ACCOUNT_MAPPING_SESSION_KEY].keys
+        if missing.present?
+          fetch_accounts(missing).each do |account|
+            session[PRX_ACCOUNT_MAPPING_SESSION_KEY][account['id']] = account.with_indifferent_access
+          end
+        end
 
-        res = lookup_account_names_mapping([id])
-        res[id]
+        ids.map { |id| session[PRX_ACCOUNT_MAPPING_SESSION_KEY][id] }
       end
 
-      def lookup_account_names_mapping(ids=current_user.resources)
+      def fetch_accounts(ids)
         id_host = PrxAuth::Rails.configuration.id_host
         ids_param = ids.map(&:to_s).join(',')
 
@@ -79,16 +88,31 @@ module PrxAuth
 
         accounts = URI.open("https://#{id_host}/api/v1/accounts?account_ids=#{ids_param}", options).read
 
-        mapping = JSON.parse(accounts)['accounts'].map { |acct| [acct['id'], acct['display_name']] }.to_h
+        JSON.parse(accounts)['accounts']
+      end
 
-        mapping
+      # token from data set by prx_auth rack middleware
+      def env_token
+        @env_token_data ||= if request.env[PRX_AUTH_ENV_KEY]
+          token_data = request.env[PRX_AUTH_ENV_KEY]
+          PrxAuth::Rails::Token.new(token_data)
+        end
       end
 
-      def env_prx_auth_token
-        if !defined? @_prx_auth_token
-          @_prx_auth_token = request.env['prx.auth'] && PrxAuth::Rails::Token.new(request.env['prx.auth'])
-        else
-          @_prx_auth_token
+      # token from jwt stored in session
+      def session_token
+        @session_prx_auth_token ||= if prx_jwt
+          # NOTE: we already validated this jwt - so just decode it
+          validator = Rack::PrxAuth::AuthValidator.new(prx_jwt)
+
+          # try to refresh auth session on GET requests
+          if request.get? && validator.time_to_live < PRX_JWT_REFRESH_TTL
+            raise SessionTokenExpiredError.new
+          end
+
+          # create new data/token from access claims
+          token_data = Rack::PrxAuth::TokenData.new(validator.claims)
+          PrxAuth::Rails::Token.new(token_data)
         end
       end
     end

data/lib/prx_auth/rails/version.rb

@@ -1,5 +1,5 @@
 module PrxAuth
   module Rails
-    VERSION = "1.7.0"
+    VERSION = "1.8.0"
   end
 end

data/prx_auth-rails.gemspec

@@ -8,10 +8,8 @@ Gem::Specification.new do |spec|
   spec.version       = PrxAuth::Rails::VERSION
   spec.authors       = ["Chris Rhoden"]
   spec.email         = ["carhoden@gmail.com"]
-  spec.description   = %q{Rails integration for next generation PRX Authorization system.
-}
-  spec.summary       = %q{Rails integration for next generation PRX Authorization system.
-}
+  spec.description   = "Rails integration for next generation PRX Authorization system."
+  spec.summary       = "Rails integration for next generation PRX Authorization system."
   spec.homepage      = "https://github.com/PRX/prx_auth-rails"
   spec.license       = "MIT"
 
@@ -33,7 +31,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'pry'
   spec.add_development_dependency 'sqlite3'
 
-
-
-  spec.add_runtime_dependency 'prx_auth', "~> 1.2"
+  spec.add_runtime_dependency 'prx_auth', ">= 1.7.0"
 end

data/test/dummy/app/controllers/application_controller.rb

@@ -2,6 +2,8 @@ class ApplicationController < ActionController::Base
 
   before_action :authenticate!
 
+  def index; end
+
   def after_sign_in_path_for(_resource)
     '/after-sign-in-path'
   end

data/test/dummy/app/views/application/index.html.erb

@@ -0,0 +1 @@
+the controller index!

data/test/dummy/config/routes.rb

@@ -1,3 +1,5 @@
 Rails.application.routes.draw do
+  get 'index', to: 'application#index'
+  put 'index', to: 'application#index'
   mount PrxAuth::Rails::Engine => "/prx_auth-rails"
 end

data/test/prx_auth/rails/ext/controller_test.rb

@@ -0,0 +1,49 @@
+require 'test_helper'
+
+module PrxAuth::Rails::Ext
+  class ControllerTest < ActionController::TestCase
+
+    setup do
+      @controller = ApplicationController.new
+      @jwt_session_key = ApplicationController::PRX_JWT_SESSION_KEY
+      @stub_claims = {'iat' => Time.now.to_i, 'exp' => Time.now.to_i + 3600}
+    end
+
+    test 'redirects unless you are authenticated' do
+      get :index
+      assert_equal response.code, '302'
+      assert response.headers['Location'].ends_with?('/sessions/new')
+    end
+
+    test 'uses a valid session token' do
+      session[@jwt_session_key] = 'some-jwt'
+      JSON::JWT.stub(:decode, @stub_claims) do
+        get :index
+        assert_equal response.code, '200'
+        assert response.body.include?('the controller index!')
+        assert @controller.current_user.is_a?(PrxAuth::Rails::Token)
+      end
+    end
+
+    test 'redirects if your token is nearing expiration' do
+      session[@jwt_session_key] = 'some-jwt'
+      @stub_claims['exp'] = Time.now.to_i + 10
+      JSON::JWT.stub(:decode, @stub_claims) do
+        get :index
+        assert_equal response.code, '302'
+        assert response.headers['Location'].ends_with?('/sessions/new')
+      end
+    end
+
+    test 'does not redirect if your token has expired on a non-GET request' do
+      session[@jwt_session_key] = 'some-jwt'
+      @stub_claims['exp'] = Time.now.to_i + 10
+      JSON::JWT.stub(:decode, @stub_claims) do
+        put :index
+        assert_equal response.code, '200'
+        assert response.body.include?('the controller index!')
+      end
+    end
+
+  end
+end

data/test/prx_auth/rails/sessions_controller_test.rb

@@ -6,8 +6,10 @@ module PrxAuth::Rails
     setup do
       @routes = PrxAuth::Rails::Engine.routes
       @nonce_session_key = SessionsController::ID_NONCE_SESSION_KEY
-      @token_params = {id_token: 'sometok', access_token: 'othertok'}
+      @refresh_back_key = SessionsController::PRX_REFRESH_BACK_KEY
+      @token_params = {id_token: 'idtok', access_token: 'accesstok'}
       @stub_claims = {'nonce' => '123', 'sub' => '1'}
+      @stub_token = PrxAuth::Rails::Token.new(Rack::PrxAuth::TokenData.new())
     end
 
     test "new creates nonce" do
@@ -31,11 +33,12 @@ module PrxAuth::Rails
     end
 
     test 'create should validate a token and set the session variable' do
+      session[SessionsController::PRX_JWT_SESSION_KEY] = nil
       @controller.stub(:validate_token, @stub_claims) do
-        @controller.stub(:lookup_and_register_accounts_names, nil) do
+        @controller.stub(:session_token, @stub_token) do
           session[@nonce_session_key] = '123'
           post :create, params: @token_params, format: :json
-          assert session['prx.auth']['id_token']['nonce'] == '123'
+          assert session[SessionsController::PRX_JWT_SESSION_KEY] == 'accesstok'
         end
       end
     end
@@ -50,7 +53,7 @@ module PrxAuth::Rails
 
     test 'create should reset the nonce after consumed' do
       @controller.stub(:validate_token, @stub_claims) do
-        @controller.stub(:lookup_and_register_accounts_names, nil) do
+        @controller.stub(:session_token, @stub_token) do
           session[@nonce_session_key] = '123'
           post :create, params: @token_params, format: :json
 
@@ -61,6 +64,20 @@ module PrxAuth::Rails
       end
     end
 
+    test 'redirects to a back-path after refresh' do
+      @controller.stub(:validate_token, @stub_claims) do
+        @controller.stub(:session_token, @stub_token) do
+          session[@nonce_session_key] = '123'
+          session[@refresh_back_key] = '/lets/go/here?okay'
+          post :create, params: @token_params, format: :json
+
+          assert session[@refresh_back_key] == nil
+          assert response.code == '302'
+          assert response.headers['Location'].ends_with?('/lets/go/here?okay')
+        end
+      end
+    end
+
     test 'should respond with redirect to the auth error page / code if the nonce does not match' do
       @controller.stub(:validate_token, @stub_claims) do
         session[@nonce_session_key] = 'nonce-does-not-match'
@@ -96,9 +113,9 @@ module PrxAuth::Rails
     end
 
     test 'should clear the user token on sign out' do
-      session[PrxAuth::Rails::Controller::PRX_TOKEN_SESSION_KEY] = 'some-token'
+      session[SessionsController::PRX_JWT_SESSION_KEY] = 'some-token'
       post :destroy
-      assert session[PrxAuth::Rails::Controller::PRX_TOKEN_SESSION_KEY] == nil
+      assert session[SessionsController::PRX_JWT_SESSION_KEY] == nil
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: prx_auth-rails
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 1.8.0
 platform: ruby
 authors:
 - Chris Rhoden
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-01 00:00:00.000000000 Z
+date: 2021-03-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -140,19 +140,17 @@ dependencies:
   name: prx_auth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: 1.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.2'
-description: 'Rails integration for next generation PRX Authorization system.
-
-  '
+        version: 1.7.0
+description: Rails integration for next generation PRX Authorization system.
 email:
 - carhoden@gmail.com
 executables: []
@@ -196,6 +194,7 @@ files:
 - test/dummy/app/mailers/application_mailer.rb
 - test/dummy/app/models/application_record.rb
 - test/dummy/app/models/concerns/.keep
+- test/dummy/app/views/application/index.html.erb
 - test/dummy/app/views/layouts/application.html.erb
 - test/dummy/app/views/layouts/mailer.html.erb
 - test/dummy/app/views/layouts/mailer.text.erb
@@ -239,6 +238,7 @@ files:
 - test/dummy/storage/.keep
 - test/log/development.log
 - test/prx_auth/rails/configuration_test.rb
+- test/prx_auth/rails/ext/controller_test.rb
 - test/prx_auth/rails/sessions_controller_test.rb
 - test/prx_auth/rails/token_test.rb
 - test/test_helper.rb
@@ -246,7 +246,7 @@ homepage: https://github.com/PRX/prx_auth-rails
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -261,9 +261,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.6.2
-signing_key:
+rubygems_version: 3.0.3
+signing_key: 
 specification_version: 4
 summary: Rails integration for next generation PRX Authorization system.
 test_files:
@@ -281,6 +280,7 @@ test_files:
 - test/dummy/app/mailers/application_mailer.rb
 - test/dummy/app/models/application_record.rb
 - test/dummy/app/models/concerns/.keep
+- test/dummy/app/views/application/index.html.erb
 - test/dummy/app/views/layouts/application.html.erb
 - test/dummy/app/views/layouts/mailer.html.erb
 - test/dummy/app/views/layouts/mailer.text.erb
@@ -324,6 +324,7 @@ test_files:
 - test/dummy/storage/.keep
 - test/log/development.log
 - test/prx_auth/rails/configuration_test.rb
+- test/prx_auth/rails/ext/controller_test.rb
 - test/prx_auth/rails/sessions_controller_test.rb
 - test/prx_auth/rails/token_test.rb
 - test/test_helper.rb