punk 0.1.4 → 0.2.0

data/lib/punk/models/session.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+module PUNK
+  # @model
+  # @property slug(required) [string] a unique identifier for the session while it is being challenged
+  # @property message(required) [string] a message to be displayed to the user to let them know what to do
+  class Session < PUNK::Model
+    alias to_s state
+
+    many_to_one :identity
+    one_through_one :user, join_table: :identities, left_key: :id, left_primary_key: :identity_id
+
+    symbolize :state
+
+    aasm :state do
+      state :created, initial: true
+      state :pending
+      state :active
+      state :expired
+      state :deleted
+
+      event :challenge do
+        transitions from: :created, to: :pending, guard: :current?
+      end
+
+      event :verify, after: :erase do
+        transitions from: :pending, to: :active, guard: :current?
+      end
+
+      event :timeout, after: :erase do
+        transitions from: [:created, :pending, :active], to: :expired
+      end
+
+      event :clear, after: :erase do
+        transitions from: :active, to: :deleted
+      end
+    end
+
+    dataset_module do
+      def created
+        where(state: 'created')
+      end
+
+      def pending
+        where(state: 'pending')
+      end
+
+      def active
+        where(state: 'active')
+      end
+
+      def expired
+        where(state: 'expired')
+      end
+
+      def deleted
+        where(state: 'deleted')
+      end
+
+      def expiring
+        where { Sequel.&({ state: ['created', 'pending'] }, (created_at < 5.minutes.ago)) }.or { Sequel.&({ state: 'active' }, ((updated_at < 1.month.ago) | (created_at < 1.year.ago))) }
+      end
+    end
+
+    def validate
+      validates_presence :identity
+      validates_includes [:created, :pending, :active, :expired, :deleted], :state
+      validates_integer :attempt_count
+      validates_includes [0, 1, 2, 3], :attempt_count
+    end
+
+    def current?
+      !timeout?
+    end
+
+    def timeout?
+      timeout! if (created? || pending?) && created_at < 5.minutes.ago || active? && (updated_at < 1.month.ago || created_at < 1.year.ago)
+      expired?
+    end
+
+    def erase
+      update(slug: nil, salt: nil, hash: nil)
+    end
+
+    def increment_attempts
+      update(attempt_count: attempt_count + 1)
+    end
+  end
+end

data/lib/punk/models/tenant.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module PUNK
+  # @model
+  # @property id(required) [string] a unique identifier for the tenant
+  # @property name(required) [string] the name of the tenant
+  # @property icon(required) [string] an image URL
+  class Tenant < PUNK::Model
+    alias to_s name
+
+    many_to_many :users
+    one_to_many :groups
+
+    def validate
+      validates_presence :name
+      validates_url :icon, allow_blank: true
+    end
+  end
+end

data/lib/punk/models/tenant_user_metadata.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module PUNK
+  class TenantUserMetadata < PUNK::Model(:tenants_users)
+    many_to_one :tenant
+    many_to_one :user
+
+    def validate
+      validates_presence :tenant
+      validates_presence :user
+    end
+
+    def to_s
+      "#{tenant_id}|#{user_id}"
+    end
+  end
+end

data/lib/punk/models/user.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module PUNK
+  # @model
+  # @property id(required) [string] a unique identifier for the user
+  # @property name(required) [string] the name of the user
+  # @property icon(required) [string] an image URL
+  class User < Model
+    alias to_s name
+
+    many_to_many :tenants
+    many_to_many :groups
+    one_to_many :identities
+    many_through_many :sessions, through: [[:identities, :user_id, :id], [:sessions, :identity_id, :id]]
+
+    def validate
+      validates_presence :name
+      validates_url :icon, allow_blank: true
+      validates_presence :email if phone.blank?
+      validates_presence :phone if email.blank?
+      validates_email :email, allow_blank: true
+      validates_phone :phone, allow_blank: true
+      validates_unique :email, allow_blank: true
+      validates_unique :phone, allow_blank: true
+    end
+
+    def active_sessions
+      sessions_dataset.where(Sequel.lit('"sessions"."state"') => 'active')
+    end
+  end
+end

data/lib/punk/routes/groups.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+# @resource Groups
+#
+# Each tenant can have many groups.
+PUNK.route('groups') do
+  require_session!
+  require_tenant!
+
+  # Retrieve the list of groups visible to the authenticated user for a specific tenant.
+  # @path [GET] /groups
+  # @parameter tenant_id(required) [string] An email address or mobile phone number.
+  # @response [Array<Group>] 200 List of groups
+  # @method get
+  # @example 200
+  #   [{
+  #     "id": "deadbeef-1234-5678-abcd-000000000000",
+  #     "name": "Cool Group",
+  #     "icon": "https://some.image/url"
+  #   }]
+  # @example 401
+  #   {
+  #     "message": "You must specify a tenant.",
+  #     "errors": ["Cannot find tenant"]
+  #   }
+  #
+  # route: GET /groups
+  get do
+    perform PUNK::ListGroupsAction, user: current_user, tenant: current_tenant
+  end
+end

data/lib/punk/routes/plivo.rb

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+# route: GET /plivo
+PUNK.route('plivo') { present PUNK::PlivoStore }

data/lib/punk/routes/sessions.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+# @resource Sessions
+#
+# Handle the authentication flow.
+PUNK.route('sessions') do
+  # Challenge the claim of someone having a particular email address or phone number.
+  # @path [POST] /sessions
+  # @parameter claim(required) [string] An email address or mobile phone number.
+  # @response [Session] 201 Pending session created
+  # @response [Error] 400 Invalid claim, or the user is already authenticated
+  # @method post
+  # @example 201
+  #   {
+  #     "slug": "deadbeef-1234-5678-abcd-000000000000",
+  #     "message": "A code has been sent to your email address."
+  #   }
+  # @example 400
+  #   {
+  #     "message": "Validation failed",
+  #     "errors": ["Claim is not an email or phone."]
+  #   }
+  #
+  # route: POST /sessions
+  post do
+    require_anonymous!
+    perform PUNK::CreateSessionAction, args.merge(remote_addr: request.ip || PUNK::Session.default_values[:remote_addr].to_s, user_agent: request.env['HTTP_USER_AGENT'] || PUNK::Session.default_values[:user_agent])
+  end
+
+  # route: GET /sessions/current
+  on "current" do
+    require_session!
+    get do
+      perform PUNK::ShowUserAction, user: current_user
+    end
+  end
+
+  # route: PATCH /sessions/:slug
+  on :id do |slug|
+    require_anonymous!
+    user_session = PUNK::Session.find(slug: slug)
+    # Verify a pending session by providing proof of access to the email address or phone number.
+    # @path [PATCH] /sessions/{slug}
+    # @parameter secret(required) [string] The verification code sent by email or sms.
+    # @response [Info] 200 Session verified and cookie created
+    # @response [Error] 400 Invalid secret
+    # @method patch
+    # @example 200
+    #   {
+    #     "message": "You are now logged in."
+    #   }
+    # @example 400
+    #   {
+    #     "message": "Validation failed",
+    #     "errors": ["Secret does not match."]
+    #   }
+    patch do
+      view = perform PUNK::VerifySessionAction, args.merge(session: user_session)
+      request.session[:session_id] = user_session.id if user_session&.active?
+      view
+    end
+  end
+
+  # Allow the current user to access their active sessions.
+  # @path [GET] /sessions
+  # @response [Array<Session>] 200 List of sessions
+  # @response [Error] 401 The user was not authenticated
+  # @method get
+  # @example 200
+  #   [{
+  #     "id": "deadbeef-1234-5678-abcd-000000000000",
+  #     "client": {...}
+  #   }]
+  # @example 401
+  #   {
+  #     "message": "you are not authenticated.",
+  #     "errors": ["cannot find session"]
+  #   }
+  #
+  # route: GET /tenants
+  get do
+    require_session!
+    perform PUNK::ListSessionsAction, user: current_user
+  end
+
+  # Allow the current user to logout.
+  # @path [DELETE] /sessions
+  # @response [Info] 200 Session destroyed and cookie cleared
+  # @response [Error] 401 The user was not authenticated
+  # @method destroy
+  # @example 200
+  #   {
+  #     "message": "You have logged out."
+  #   }
+  # @example 401
+  #   {
+  #     "message": "You are not authenticated.",
+  #     "errors": ["No session exists"]
+  #   }
+  #
+  # route: DELETE /sessions
+  delete do
+    require_session!
+    view = perform PUNK::ClearSessionAction, session: current_session
+    clear_session if current_session&.deleted?
+    view
+  end
+end

data/lib/punk/routes/swagger.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+# route: GET /swagger.json
+PUNK.route('swagger') do
+  result = PUNK::GenerateSwaggerService.run.result
+  response.status = 200
+  response['Content-Type'] = 'application/json'
+  result
+end

data/lib/punk/routes/tenants.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+# @resource Tenants
+#
+# All resources in the system are relative to a particular tenant application.
+PUNK.route('tenants') do
+  require_session!
+
+  # Retrieve the list of tenants visible to the authenticated user.
+  # @path [GET] /tenants
+  # @response [Array<Tenant>] 200 List of tenants
+  # @method get
+  # @example 200
+  #   [{
+  #     "id": "deadbeef-1234-5678-abcd-000000000000",
+  #     "name": "Cool Tenant",
+  #     "icon": "https://some.image/url"
+  #   }]
+  # @example 401
+  #   {
+  #     "message": "You are not authenticated.",
+  #     "errors": ["Cannot find session"]
+  #   }
+  #
+  # route: GET /tenants
+  get do
+    perform PUNK::ListTenantsAction, user: current_user
+  end
+end

data/lib/punk/routes/users.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+# @resource Users
+#
+# Users can belong to many tenants and many groups.
+PUNK.route('users') do
+  require_session!
+  require_tenant!
+
+  # Retrieve the list of users visible to the authenticated user for a specific tenant or group.
+  # @path [GET] /users
+  # @parameter tenant_id(required) [string] The ID of a tenant visible to the authenticated user.
+  # @parameter group_id [string] The ID of a group that belongs to the tenant.
+  # @response [Array<User>] 200 List of users
+  # @method get
+  # @example 200
+  #   [{
+  #     "id": "deadbeef-1234-5678-abcd-000000000000",
+  #     "name": "John Smith",
+  #     "icon": "https://some.image/url"
+  #   }]
+  # @example 401
+  #   {
+  #     "message": "You must specify a tenant.",
+  #     "errors": ["Cannot find tenant"]
+  #   }
+  #
+  # route: GET /users
+  get do
+    if args[:group_id]
+      perform PUNK::ListGroupUsersAction, group: current_user.groups_dataset[tenant: current_tenant, id: args[:group_id]]
+    else
+      perform PUNK::ListTenantUsersAction, tenant: current_tenant
+    end
+  end
+end

data/lib/punk/services/challenge_claim.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'rbnacl'
+
+module PUNK
+  class ChallengeClaimService < Service
+    args :session
+
+    def validate
+      validates_not_null :session
+      validates_not_empty :session
+      return if session.blank?
+      validates_type Session, :session
+      validates_state :session, :created
+      validates_event :session, :challenge
+    end
+
+    def process
+      secret = SecretService.run.result
+      salt = RbNaCl::Random.random_bytes(RbNaCl::PasswordHash::SCrypt::SALTBYTES)
+      hash = RbNaCl::PasswordHash.scrypt(secret, salt, 1_048_576, 16_777_216)
+      session.update(salt: salt, hash: hash)
+      session.challenge!
+      identity = session.identity
+      case identity.claim_type
+      when :email
+        SendEmailWorker.perform_async(
+          from: 'GroupFire Accounts <noreply@groupfire.com>',
+          to: identity.claim,
+          subject: '[GroupFire] Verification Code',
+          template: 'verify',
+          tags: [:auth],
+          variables: {
+            name: identity.user&.name || 'New User',
+            secret: secret
+          }
+        )
+      when :phone
+        SendSmsWorker.perform_async(
+          to: identity.claim,
+          body: "Your GroupFire verification code is: #{secret}."
+        )
+      end
+    end
+  end
+end

data/lib/punk/services/create_identities.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module PUNK
+  class CreateIdentitiesService < Service
+    def process
+      User.each do |user|
+        if user.email.present?
+          Identity.find_or_create(claim: user.email) do |i|
+            i.claim_type = :email
+            i.user = user
+          end
+        end
+        if user.phone.present?
+          Identity.find_or_create(claim: user.phone) do |i|
+            i.claim_type = :phone
+            i.user = user
+          end
+        end
+      rescue Sequel::ValidationFailed => e
+        logger.warn e.message
+      end
+      nil
+    end
+  end
+end