pusher-platform 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: d95d9cc5e0f7c22f8ca7408c9486fb2b464c0572
+  data.tar.gz: 6ea7d2d88d3242661f2a8d1bf4531034a979abaf
+SHA512:
+  metadata.gz: 78c889277b27b346069674ec5555ed3169fde818a39a3c925600eeeb704171e79d47a767bf5662dec3fdb867c220f17e9d5239232f7f71e557ef26ad5ce65227
+  data.tar.gz: 53e074a29c83777a6d47dd346db179ecc68076eeca6da81a1e3cd0854a3dd639cc11f92104cfa0197d0f758fefaaab7927a2c0b6ef4611732808ff1a4f58baec

data/lib/pusher-platform.rb

@@ -0,0 +1 @@
+require 'pusher-platform/app'

data/lib/pusher-platform/app.rb

@@ -0,0 +1,69 @@
+require_relative './authenticator'
+require_relative './base_client'
+require_relative './common'
+require_relative './error_response'
+
+module Pusher
+  class App
+    def initialize(options)
+      raise "Invalid app ID" if options[:app_id].nil?
+      @app_id = options[:app_id]
+
+      app_key_parts = /^([^:]+):(.+)$/.match(options[:app_key])
+      raise "Invalid app key" if app_key_parts.nil?
+
+      @app_key_id = app_key_parts[1]
+      @app_key_secret = app_key_parts[2]
+
+      @client = if options[:client]
+        options[:client]
+      else
+        raise "Invalid cluster" if options[:cluster].nil?
+        BaseClient.new(host: options[:cluster])
+      end
+
+      @authenticator = Authenticator.new(@app_id, @app_key_id, @app_key_secret)
+    end
+
+    def request(options)
+      options = scope_request_options("apps", options)
+      if options[:jwt].nil?
+        options = options.merge({ jwt: generate_superuser_jwt() })
+      end
+      @client.request(options)
+    end
+
+    def config_request(options)
+      options = scope_request_options("config/apps", options)
+      if options[:jwt].nil?
+        options = options.merge({ jwt: generate_superuser_jwt() })
+      end
+      @client.request(options)
+    end
+
+    def authenticate(request, options)
+      @authenticator.authenticate(request, options)
+    end
+
+    private
+
+    def scope_request_options(prefix, options)
+      path = "/#{prefix}/#{@app_id}/#{options[:path]}"
+        .gsub(/\/+/, "/")
+        .gsub(/\/+$/, "")
+      options.merge({ path: path })
+    end
+
+    def generate_superuser_jwt
+      now = Time.now.utc.to_i
+      claims = {
+        app: @app_id,
+        iss: "keys/#{@app_key_id}",
+        su: true,
+        iat: now - 30,   # some leeway for the server
+        exp: now + 60*5, # 5 minutes should be enough for a single request
+      }
+      JWT.encode(claims, @app_key_secret)
+    end
+  end
+end

data/lib/pusher-platform/authenticator.rb

@@ -0,0 +1,136 @@
+require 'jwt'
+require 'rack'
+
+module Pusher
+  TOKEN_LEEWAY = 30
+  TOKEN_EXPIRY = 24*60*60
+
+  class Authenticator
+    def initialize(app_id, app_key_id, app_key_secret)
+      @app_id = app_id
+      @app_key_id = app_key_id
+      @app_key_secret = app_id
+    end
+
+    # Takes a Rack request to the authorization endpoint and and handles it
+    # either returning a new access/refresh token pair, or an error.
+    #
+    # @param request [Rack::Request] the request to authenticate
+    # @return the response object
+    def authenticate(request, options)
+      form_data = Rack::Utils.parse_nested_query request.body.read
+      grant_type = form_data['grant_type']
+
+      if grant_type == "client_credentials"
+        return authenticate_with_client_credentials(options)
+      elsif grant_type == "refresh_token"
+        old_refresh_jwt = form_data['refresh_token']
+        return authenticate_with_refresh_token(old_refresh_jwt, options)
+      else
+        return response(401, {
+          error: "unsupported_grant_type"
+        })
+      end
+    end
+
+    private
+
+    def authenticate_with_client_credentials(options)
+      return respond_with_new_token_pair(options)
+    end
+
+    def authenticate_with_refresh_token(old_refresh_jwt, options)
+      old_refresh_token = begin
+        JWT.decode(old_refresh_jwt, @app_key_secret, true, {
+          iss: "keys/#{@app_key_id}",
+          verify_iss: true,
+          leeway: 30,
+        }).first
+      rescue => e
+        error_description = if e.is_a?(JWT::InvalidIssuerError)
+          "refresh token issuer is invalid"
+        elsif e.is_a?(JWT::ImmatureSignature)
+          "refresh token is not valid yet"
+        elsif e.is_a?(JWT::ExpiredSignature)
+          "refresh tokan has expired"
+        else
+          "refresh token is invalid"
+        end
+
+        return response(401, {
+          error: "invalid_grant",
+          error_description: error_description,
+          # TODO error_uri
+        })
+      end
+
+      if old_refresh_token["refresh"] != true
+        return response(401, {
+          error: "invalid_grant",
+          error_description: "refresh token does not have a refresh claim",
+          # TODO error_uri
+        })
+      end
+
+      if options[:user_id] != old_refresh_token["sub"]
+        return response(401, {
+          error: "invalid_grant",
+          error_description: "refresh token has an invalid user id",
+          # TODO error_uri
+        })
+      end
+
+      return respond_with_new_token_pair(options)
+    end
+
+    # Creates a payload dictionary made out of access and refresh token pair and TTL for the access token.
+    #
+    # @param user_id [String] optional id of the user, ignore for anonymous users
+    # @return [Hash] Payload as a hash
+    def respond_with_new_token_pair(options)
+      access_token = generate_access_token(options)
+      refresh_token = generate_refresh_token(options)
+      return response(200, {
+        access_token: access_token,
+        token_type: "bearer",
+        expires_in: TOKEN_EXPIRY,
+        refresh_token: refresh_token,
+      })
+    end
+
+    def generate_access_token(options)
+      now = Time.now.utc.to_i
+
+      claims = {
+        app: @app_id,
+        iss: "keys/#{@app_key_id}",
+        iat: now - TOKEN_LEEWAY,
+        exp: now + TOKEN_EXPIRY + TOKEN_LEEWAY,
+        sub: options[:user_id],
+      }
+
+      JWT.encode(claims, @app_key_secret, "HS256")
+    end
+
+    def generate_refresh_token(options)
+      now = Time.now.utc.to_i
+
+      claims = {
+        app: @app_id,
+        iss: "keys/#{@app_key_id}",
+        iat: now - TOKEN_LEEWAY,
+        refresh: true,
+        sub: options[:user_id],
+      }
+
+      JWT.encode(claims, @app_key_secret, "HS256")
+    end
+
+    def response(status, body)
+      return {
+        status: status,
+        json: body,
+      }
+    end
+  end
+end

data/lib/pusher-platform/base_client.rb

@@ -0,0 +1,48 @@
+require 'excon'
+require 'json'
+
+module Pusher
+  class BaseClient
+    def initialize(options)
+      raise "Unspecified host" if options[:host].nil?
+      @connection = Excon.new("https://#{options[:host]}")
+    end
+
+    def request(options)
+      raise "Unspecified request method" if options[:method].nil?
+      raise "Unspecified request path" if options[:path].nil?
+
+      headers = if options[:headers]
+        options[:headers].dup
+      else
+        {}
+      end
+
+      if options[:jwt]
+        headers["Authorization"] = "Bearer #{options[:jwt]}"
+      end
+
+      response = @connection.request(
+        method: options[:method],
+        path: options[:path],
+        headers: headers,
+        body: options[:body],
+      )
+
+      if response.status >= 200 && response.status <= 299
+        return response
+      elsif response.status >= 300 && response.status <= 399
+        raise "unsupported redirect response: #{response.status}"
+      elsif response.status >= 400 && response.status <= 599
+        error_body = begin
+          JSON.parse(response.body)
+        rescue
+          response.body
+        end
+        raise ErrorResponse.new(response.status, response.headers, error_body)
+      else
+        raise "unsupported response code: #{response.status}"
+      end
+    end
+  end
+end

data/lib/pusher-platform/common.rb

@@ -0,0 +1,4 @@
+module Pusher
+  class Error < ::StandardError
+  end
+end

data/lib/pusher-platform/error_response.rb

@@ -0,0 +1,15 @@
+module Pusher
+  class ErrorResponse < Error
+    attr_accessor :status, :headers, :body
+
+    def initialize(status, headers, body)
+      @status = status
+      @headers = headers
+      @body = body
+    end
+
+    def to_s
+      "Pusher::ErrorResponse: #{status} #{body}"
+    end
+  end
+end

metadata

@@ -0,0 +1,97 @@
+--- !ruby/object:Gem::Specification
+name: pusher-platform
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Pusher
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-01-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: excon
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.54.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.54.0
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.6
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.5.6
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.0'
+description: 
+email: support@pusher.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/pusher-platform.rb
+- lib/pusher-platform/app.rb
+- lib/pusher-platform/authenticator.rb
+- lib/pusher-platform/base_client.rb
+- lib/pusher-platform/common.rb
+- lib/pusher-platform/error_response.rb
+homepage: 
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.2
+signing_key: 
+specification_version: 4
+summary: Pusher Platform Ruby SDK
+test_files: []