rack-bacoo 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 3fdf5ceccc9b9ea971009174fc466efd4c6ce6591e5874e07be5de1a0790c1af
+  data.tar.gz: fb3aa483a0bd4bb5dfede0b42222a2e057be8e06e592890ae750208e95575aba
+SHA512:
+  metadata.gz: 61b3d57dd281538ffd9c55096a934d8428a08b006aa24cf913a5107116d088b7726283ff0d276301e4bc2d8fdd7dec59c99b03480aaed3285129e4e375d899d6
+  data.tar.gz: ccb197ead61d53a9ebeb0947e757cd40c4514ecdf5da4dbfb1546754c5df30909d72323ca9370ab3dbdce65583a59de26be7727c4105667b019d115b585b61dc

data/lib/rack/bacoo/authenticator.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require_relative "basic_auth_request"
+require_relative "session_cookie"
+
+module Rack
+  module Bacoo
+    class Authenticator
+      def initialize(cookie_attributes:, cookie_encryptor:, password_cost:, users:)
+        @cookie_attributes = cookie_attributes
+        @cookie_encryptor = cookie_encryptor
+        @password_cost = password_cost
+        @users = users
+      end
+
+      def with_env(env)
+        @env = env
+        @basic_auth_request = BasicAuthRequest.new(env)
+        @session_cookie = SessionCookie.new(@cookie_attributes, @cookie_encryptor, env)
+        @credentials = Credentials.new(@password_cost, @users)
+        yield
+      end
+
+      def basic_auth_provided?
+        @basic_auth_request.provided?
+      end
+
+      def valid_basic_auth?
+        @basic_auth_request.valid_basic_auth?
+      end
+
+      def basic_authenticated
+        return unless @credentials.basic_authenticated?(@basic_auth_request)
+
+        yield @credentials
+      end
+
+      def cookie_authenticated
+        return unless @credentials.cookie_authenticated?(@session_cookie)
+
+        yield @credentials
+      end
+
+      def persist_session!(credentials, headers)
+        @session_cookie.set(headers, credentials.username, credentials.password)
+      end
+    end
+  end
+end

data/lib/rack/bacoo/basic_auth_request.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Rack
+  module Bacoo
+    class BasicAuthRequest < Rack::Auth::AbstractRequest
+      def valid_basic_auth?
+        scheme == "basic" && credentials.length == 2
+      end
+
+      def username
+        credentials.first
+      end
+
+      def password
+        credentials.last
+      end
+
+      private
+
+      def credentials
+        @credentials ||= params.unpack1("m").split(":", 2)
+      end
+    end
+  end
+end

data/lib/rack/bacoo/cookie_attributes_parser.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+module Rack
+  module Bacoo
+    class CookieAttributesParser
+      DEFAULTS = {
+        cookie_name: "rack-bacoo",
+        path: "/",
+        max_age: 24 * 60 * 60, # 24 hours
+        secure: true,
+        http_only: true,
+        same_site: "Lax"
+      }.freeze
+
+      def self.call(cookie_attributes)
+        cookie_attributes.each do |pair|
+          case pair
+          in [:secure, nil] | [:secure, false]
+            raise ArgumentError, "secure must be true"
+          in [:http_only, nil] | [:http_only, false]
+            raise ArgumentError, "http_only must be true"
+          in [:httponly, nil] | [:httponly, false]
+            raise ArgumentError, "httponly must be true"
+          in [:same_site, nil] | [:same_site, false]
+            raise ArgumentError, "same_site must be either lax or strict"
+          in [:same_site, val] if val.to_s.downcase == "none"
+            raise ArgumentError, "same_site must be either lax or strict"
+          else
+          end
+        end
+
+        DEFAULTS.merge(cookie_attributes)
+      end
+    end
+  end
+end

data/lib/rack/bacoo/credentials.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "bcrypt"
+require "securerandom"
+
+module Rack
+  module Bacoo
+    class Credentials
+      WRONG_USER = [SecureRandom.hex, SecureRandom.hex].freeze
+
+      attr_reader :username, :password
+
+      def initialize(password_cost, users)
+        @password_cost = password_cost
+        @users = users
+      end
+
+      def basic_authenticated?(session)
+        @username = session.username
+        @password = BCrypt::Password.create(session.password, cost: @password_cost)
+        authenticated?(@username, @password)
+      end
+
+      def cookie_authenticated?(session)
+        @username = session.username
+        @password = session.password
+        authenticated?(@username, BCrypt::Password.new(@password))
+      end
+
+      private
+
+      def authenticated?(username, encrypted_password)
+        valid_password = WRONG_USER[1]
+
+        @users.each do |u, p|
+          valid_password = p if Rack::Utils.secure_compare(u, username)
+        end
+
+        encrypted_password == valid_password
+      end
+    end
+  end
+end

data/lib/rack/bacoo/encryptor.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require "base64"
+require "openssl"
+
+module Rack
+  module Bacoo
+    class Encryptor
+      DecryptionError = Class.new(StandardError)
+
+      AUTH_TAG_LENGTH = 16
+      CIPHER = "aes-256-gcm"
+      SALT = "entropy comes from the password"
+      SEPARATOR = "--"
+
+      def initialize(password)
+        key_len = new_cipher.key_len
+        digest = OpenSSL::Digest.new("SHA256")
+        # Rationale on how the key is generated: https://github.com/rails/rails/pull/6952
+        @key = OpenSSL::PKCS5.pbkdf2_hmac(password, SALT, 1000, key_len, digest)
+      end
+
+      def encrypt(data)
+        cipher = new_cipher
+        cipher.encrypt
+        cipher.key = @key
+        iv = cipher.random_iv
+        cipher.auth_data = ""
+        encrypted_data = cipher.update(data) + cipher.final
+        parts = [encrypted_data, iv, cipher.auth_tag(AUTH_TAG_LENGTH)]
+        parts.map { ::Base64.strict_encode64(_1) }.join(SEPARATOR)
+      end
+
+      def decrypt(encrypted_message)
+        cipher = new_cipher
+        encrypted_data, iv, auth_tag = extract_parts(encrypted_message)
+
+        # Currently the OpenSSL bindings do not raise an error if auth_tag is
+        # truncated, which would allow an attacker to easily forge it:
+        # https://github.com/ruby/openssl/issues/63
+        raise DecryptionError, "truncated auth_tag" if auth_tag.bytesize != AUTH_TAG_LENGTH
+
+        cipher.decrypt
+        cipher.key = @key
+        cipher.iv  = iv
+        cipher.auth_tag = auth_tag
+        cipher.auth_data = ""
+        cipher.update(encrypted_data) + cipher.final
+      end
+
+      private
+
+      # Base64 encodes with a 6-bit alphabet plus padding:
+      # https://en.wikipedia.org/wiki/Base64
+      def length_after_base64(length_before_base64)
+        4 * (length_before_base64 / 3.0).ceil
+      end
+
+      def length_of_encoded_iv
+        @length_of_encoded_iv ||= length_after_base64(new_cipher.iv_len)
+      end
+
+      def length_of_encoded_auth_tag
+        @length_of_encoded_auth_tag ||= length_after_base64(AUTH_TAG_LENGTH)
+      end
+
+      def extract_parts(encrypted_message)
+        parts = []
+        rindex = encrypted_message.length
+
+        parts << extract_part(encrypted_message, rindex, length_of_encoded_auth_tag)
+        rindex -= SEPARATOR.length + length_of_encoded_auth_tag
+
+        parts << extract_part(encrypted_message, rindex, length_of_encoded_iv)
+        rindex -= SEPARATOR.length + length_of_encoded_iv
+
+        parts << encrypted_message[0, rindex]
+
+        parts.reverse!.map! { ::Base64.strict_decode64(_1) }
+      end
+
+      def extract_part(encrypted_message, rindex, length)
+        index = rindex - length
+
+        unless encrypted_message[index - SEPARATOR.length, SEPARATOR.length] == SEPARATOR
+          raise DecryptionError, "missing separator"
+        end
+
+        encrypted_message[index, length]
+      end
+
+      def new_cipher
+        OpenSSL::Cipher.new(CIPHER)
+      end
+    end
+  end
+end

data/lib/rack/bacoo/session_cookie.rb

@@ -0,0 +1,61 @@
+# frozen_string_literal: true
+
+require "bcrypt"
+require "securerandom"
+
+module Rack
+  module Bacoo
+    class SessionCookie
+      WRONG_USERNAME = SecureRandom.hex
+      WRONG_PASSWORD = BCrypt::Password.create(SecureRandom.hex, cost: 1)
+
+      def initialize(cookie_attributes, encryptor, env)
+        @cookie_attributes = cookie_attributes.dup
+        @cookie_name = @cookie_attributes.delete(:cookie_name)
+        @encryptor = encryptor
+        @env = env
+      end
+
+      def username
+        get.nil? ? WRONG_USERNAME : get.first
+      end
+
+      def password
+        get.nil? ? WRONG_PASSWORD : get.last
+      end
+
+      def set(headers, username, encrypted_password)
+        value = @encryptor.encrypt("#{username}:#{encrypted_password}:#{expires_at}")
+        value = @cookie_attributes.merge(value: value)
+        Utils.set_cookie_header!(headers, @cookie_name, value)
+      end
+
+      private
+
+      def get
+        value = Utils.parse_cookies(@env).fetch(@cookie_name, nil)
+        return nil if value.nil?
+
+        username, password, expires_at = @encryptor.decrypt(value).split(":")
+        return nil if expires_at.to_i < Time.now.to_i
+
+        [username, password]
+      end
+
+      # If a cookie has both the Max-Age and the Expires attribute, the
+      # Max-Age attribute has precedence and controls the expiration date
+      # of the cookie.
+      # https://datatracker.ietf.org/doc/html/rfc6265#section-4.1.2.2
+      def expires_at
+        case @cookie_attributes
+        in { max_age: max_age }
+          Time.now.to_i + max_age.to_i
+        in { expires: expires }
+          expires.to_i
+        else
+          Time.now.to_i
+        end
+      end
+    end
+  end
+end

data/lib/rack/bacoo/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Rack
+  module Bacoo
+    VERSION = "0.1.0"
+  end
+end

data/lib/rack-bacoo.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+require "rack"
+
+require_relative "rack/bacoo/version"
+require_relative "rack/bacoo/credentials"
+require_relative "rack/bacoo/authenticator"
+require_relative "rack/bacoo/cookie_attributes_parser"
+require_relative "rack/bacoo/encryptor"
+
+module Rack
+  module Bacoo
+    class Middleware
+      DEFAULTS = {
+        cookie_attributes: {},
+        password_cost: BCrypt::Engine.cost,
+        paths: [Regexp.new(".*")],
+        realm: nil
+      }.freeze
+
+      attr_accessor :realm
+
+      def initialize(app, config)
+        config = DEFAULTS.merge(config)
+
+        @app = app
+        @paths, @realm = config.fetch_values(:paths, :realm)
+        @authenticator = Authenticator.new(
+          cookie_attributes: CookieAttributesParser.call(config.fetch(:cookie_attributes)),
+          cookie_encryptor: Encryptor.new(config.fetch(:encrypt_cookie_with)),
+          password_cost: config.fetch(:password_cost),
+          users: config.fetch(:users)
+        )
+      end
+
+      def call(env)
+        @authenticator.with_env(env) do
+          actual_path = Utils.clean_path_info(Utils.unescape_path(env["PATH_INFO"]))
+          return @app.call(env) if @paths.none? { _1.match? actual_path }
+          @authenticator.cookie_authenticated { |credentials| return call_app(credentials, env) }
+          return unauthorized unless @authenticator.basic_auth_provided?
+          return bad_request unless @authenticator.valid_basic_auth?
+          @authenticator.basic_authenticated { |credentials| return call_app(credentials, env) }
+
+          unauthorized
+        end
+      end
+
+      private
+
+      def call_app(credentials, env)
+        env["REMOTE_USER"] = credentials.username
+        @app.call(env).tap do |_, headers, _|
+          @authenticator.persist_session!(credentials, headers)
+        end
+      end
+
+      def unauthorized
+        [
+          401,
+          {
+            CONTENT_TYPE => "text/plain",
+            CONTENT_LENGTH => "0",
+            "www-authenticate" => "Basic realm=\"#{realm}\""
+          },
+          []
+        ]
+      end
+
+      def bad_request
+        [
+          400,
+          {
+            CONTENT_TYPE => "text/plain",
+            CONTENT_LENGTH => "0"
+          },
+          []
+        ]
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,96 @@
+--- !ruby/object:Gem::Specification
+name: rack-bacoo
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- 3v0k4
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: base64
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bcrypt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+description: Rack::Bacoo combines HTTP Basic Authentication with a session cookie
+  so that you don't have to input username and password on each visit. The session
+  cookie is encrypted (aes-256-gcm), and the password inside is hashed (bcrypt).
+email:
+- riccardo.odone@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/rack-bacoo.rb
+- lib/rack/bacoo/authenticator.rb
+- lib/rack/bacoo/basic_auth_request.rb
+- lib/rack/bacoo/cookie_attributes_parser.rb
+- lib/rack/bacoo/credentials.rb
+- lib/rack/bacoo/encryptor.rb
+- lib/rack/bacoo/session_cookie.rb
+- lib/rack/bacoo/version.rb
+homepage: https://github.com/3v0k4/rack-bacoo
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/3v0k4/rack-bacoo
+  source_code_uri: https://github.com/3v0k4/rack-bacoo
+  changelog_uri: https://github.com/3v0k4/rack-bacoo/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.9
+specification_version: 4
+summary: Combine HTTP Basic Authentication with a session cookie
+test_files: []