rails-identity 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f8999b0f579047f638bec461d6b469bc46b85319
+  data.tar.gz: 3412103b78681075aef4c59610db1a2bb17db352
+SHA512:
+  metadata.gz: 120410b35e89556e779f13cae65aad0c68c57e0d3353094297ad8b7eb1e32c5ced2ae6ebd6bf5b6dbe158b587e8bcb08a0d73ae0ab5993c77e48d2c529dd3658
+  data.tar.gz: efe61e96f68ceefd497de74573a5b75c8d8ddcbe6a5c5273aec7bbd4dc6d071c4a98ba91dd060ed5bafe4170d9ffe6f81220b0b2234773a6d04334f6c715ccf2

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2016 
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,37 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'RailsIdentity'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../test/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+
+load 'rails/tasks/statistics.rake'
+
+
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task default: :test

data/app/assets/javascripts/rails_identity/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or any plugin's vendor/assets/javascripts directory can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/app/assets/javascripts/rails_identity/sessions.js

@@ -0,0 +1,2 @@
+// Place all the behaviors and hooks related to the matching controller here.
+// All this logic will automatically be available in application.js.

data/app/assets/javascripts/rails_identity/users.js

@@ -0,0 +1,2 @@
+// Place all the behaviors and hooks related to the matching controller here.
+// All this logic will automatically be available in application.js.

data/app/assets/stylesheets/rails_identity/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any styles
+ * defined in the other CSS/SCSS files in this directory. It is generally better to create a new
+ * file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/app/assets/stylesheets/rails_identity/sessions.css

@@ -0,0 +1,4 @@
+/*
+  Place all the styles related to the matching controller here.
+  They will automatically be included in application.css.
+*/

data/app/assets/stylesheets/rails_identity/users.css

@@ -0,0 +1,4 @@
+/*
+  Place all the styles related to the matching controller here.
+  They will automatically be included in application.css.
+*/

data/app/controllers/rails_identity/application_controller.rb

@@ -0,0 +1,200 @@
+module RailsIdentity
+
+  ##
+  # The root application controller class in rails-identity.
+  #
+  class ApplicationController < ActionController::Base
+    include ApplicationHelper
+
+    # This is a catch-all.
+    rescue_from StandardError do |exception|
+      # :nocov:
+      logger.error exception.message
+      render_error 500, "Unknown error occurred: #{exception.message}"
+      # :nocov:
+    end
+
+    # Most actions require a session token. If token is invalid, rescue the
+    # exception and throw an HTTP 401 response.
+    rescue_from Errors::InvalidTokenError do |exception|
+      logger.error exception.message
+      render_error 401, "Invalid token"
+    end
+
+    # Some actions require a resource object via id. If no such object
+    # exists, throw an HTTP 404 response.
+    rescue_from Errors::ObjectNotFoundError do |exception|
+      logger.error exception.message
+      render_error 404, exception.message
+    end
+
+    # The request is authenticated but not authorized for the specified
+    # action. Throw an HTTP 401 response.
+    #
+    rescue_from Errors::UnauthorizedError do |exception|
+      logger.error exception.message
+      render_error 401, "Unauthorized request"
+    end
+
+    ##
+    # Renders a generic OPTIONS response. The actual controller must
+    # override this action if desired to have specific OPTIONS handling
+    # logic.
+    #
+    def options()
+      # echo back access-control-request-headers
+      if request.headers["Access-Control-Request-Headers"]
+        response["Access-Control-Allow-Headers"] = request.headers["Access-Control-Request-Headers"]
+      end
+      render body: "", status: 200
+    end
+
+    protected
+
+      ##
+      # Helper method to get the user object in the request context. There
+      # are two ways to specify the user id--one in the routing or the auth
+      # context. Only admin can actually specify the user id in the routing.
+      #
+      # A Errors::UnauthorizedError is raised if the authenticated user
+      # is not authorized for the specified user information.
+      #
+      # A Errors::ObjectNotFoundError is raised if the specified user cannot
+      # be found.
+      # 
+      def get_user(fallback: true)
+        user_id = params[:user_id]
+        logger.debug("Attempting to get user #{user_id}")
+        if !user_id.nil? && user_id != "current"
+          @user = find_object(User, params[:user_id])  # will throw error if nil
+          unless authorized?(@user)
+            raise Errors::UnauthorizedError, "Not authorized to access user #{user_id}"
+          end
+        elsif fallback || user_id == "current"
+          @user = @auth_user
+        else
+          # :nocov:
+          raise Errors::ObjectNotFoundError, "User #{user_id} does not exist"
+          # :nocov:
+        end
+      end
+
+      ##
+      # Finds an object by model and UUID and throws an error (which will be
+      # caught and re-thrown as an HTTP error.)
+      #
+      # A Errors::ObjectNotFoundError is raised if specified to do so when
+      # the object could not be found using the uuid.
+      #
+      def find_object(model, uuid, error: Errors::ObjectNotFoundError)
+        logger.debug("Attempting to get #{model.name} #{uuid}")
+        obj = model.find_by_uuid(uuid)
+        if obj.nil? && !error.nil?
+          raise error, "#{model.name} #{uuid} cannot be found" 
+        end
+        return obj
+      end
+
+      ##
+      # Attempt to get a token for the session. Token must be specified in query
+      # string or part of the JSON object.
+      #
+      # A Errors::InvalidTokenError is raised if the JWT is malformed or not
+      # valid against its secret.
+      #
+      def get_token(required_role: Roles::PUBLIC)
+        token = params[:token]
+
+        # Attempt to decode token w/o secret first to see if well-formed and
+        # not expired.
+        begin
+          decoded = JWT.decode token, nil, false
+        rescue JWT::DecodeError => e
+          logger.error("Token decode error: #{e.message}")
+          raise Errors::InvalidTokenError, "Invalid token: #{token}"
+        end
+
+        # At this point, we know that the token is not expired and
+        # well formatted. Find out if the payload is well defined.
+        payload = decoded[0]
+        if payload.nil?
+          logger.error("Token payload is nil: #{token}")
+          raise Errors::InvalidTokenError, "Invalid token payload: #{token}"
+        end
+
+        user_uuid = payload["user_uuid"]
+        session_uuid = payload["session_uuid"]
+        if user_uuid.nil? || session_uuid.nil?
+          logger.error("User UUID or session UUID is nil")
+          raise Errors::InvalidTokenError, "Invalid token payload content: #{token}"
+        end
+        logger.debug("Token well formatted for user #{user_uuid}, session #{session_uuid}")
+
+        # Look up the cache. If present, use it and skip the verification.
+        @auth_session = Rails.cache.fetch("#{CACHE_PREFIX}-session-#{session_uuid}")
+        if @auth_session.nil?
+          logger.debug("Cache miss. Try database.")
+          auth_user = User.find_by_uuid(user_uuid)
+          if auth_user.nil? || auth_user.role < required_role
+            raise Errors::InvalidTokenError, "Well-formed but invalid user token: #{token}"
+          end
+          @auth_session = Session.find_by_uuid(session_uuid)
+          if @auth_session.nil?
+            raise Errors::InvalidTokenError, "Well-formed but invalid session token: #{token}"
+          end
+          JWT.decode token, @auth_session.secret, true
+          logger.debug("Token well formatted and verified. Set cache.")
+          Rails.cache.write("#{CACHE_PREFIX}-session-#{session_uuid}", @auth_session)
+        end
+        @auth_user = @auth_session.user
+        @token = @auth_session.token
+      end
+
+      ## 
+      # Requires a token.
+      #
+      def require_token
+        logger.debug("Requires a token")
+        get_token
+      end
+
+      ##
+      # Accepts a token if present. If not, it's still ok.
+      #
+      def accept_token()
+        logger.debug("Accepts a token")
+        begin
+          get_token()
+        rescue StandardError => e
+          logger.error("Suppressing error: #{e.message}")
+        end
+      end
+
+      ##
+      # Requires an admin session. All this means is that the session is
+      # issued for an admin user (role == 1000).
+      #
+      def require_admin_token
+        logger.debug("Requires an admin token")
+        get_token(required_role: Roles::ADMIN)
+      end
+
+      ##
+      # Determines if the user is authorized for the object.
+      #
+      def authorized?(obj)
+        logger.debug("Checking to see if authorized to access object")
+        if !@auth_user
+          # :nocov:
+          return false
+          # :nocov:
+        elsif @auth_user.role >= Roles::ADMIN
+          return true
+        elsif obj.is_a? User
+          return obj == @auth_user
+        else
+          return obj.user == @auth_user
+        end
+      end
+  end
+end

data/app/controllers/rails_identity/sessions_controller.rb

@@ -0,0 +1,108 @@
+require_dependency "rails_identity/application_controller"
+
+module RailsIdentity
+
+  ##
+  # This class is sessions controller that performs CRD on session objects.
+  # Note that a token includes its session ID. Use "current" to look up a
+  # session in the current context.
+  #
+  class SessionsController < ApplicationController
+
+    prepend_before_action :require_token, except: [:create, :options]
+    before_action :get_session, only: [:show, :destroy]
+    before_action :get_user, only: [:index]
+
+    ##
+    # Lists all sessions that belong to the specified or authenticated user. 
+    #
+    def index
+      @sessions = Session.where(user: @user)
+      expired = []
+      active = []
+      @sessions.each do |session|
+        if session.expired?
+          expired << session.uuid
+        else
+          active << session
+        end
+      end
+      SessionsCleanupJob.perform_later(*expired)
+      render json: active, except: [:secret]
+    end
+
+    ##
+    # This action is essentially the login action. Note that get_user is not
+    # triggered for this action because we will look at username first. That
+    # would be the "normal" way to login. The alternative would be with the
+    # token based authentication. If the latter doesn't make sense, just use
+    # the username and password approach.
+    #
+    def create
+      @user = User.find_by_username(session_params[:username])
+      if (@user && @user.authenticate(session_params[:password])) || get_user()
+        raise Errors::UnauthorizedError unless @user.verified
+        @session = Session.new(user: @user)
+        if @session.save
+          render json: @session, except: [:secret], status: 201
+        else
+          # :nocov:
+          render_errors 400, @session.full_error_messages
+          # :nocov:
+        end
+      else
+        render_error 401, "Invalid username or password"
+      end
+    end
+
+    ##
+    # Shows a session information.
+    #
+    def show
+      render json: @session, except: [:secret]
+    end
+
+    ##
+    # Deletes a session.
+    #
+    def destroy
+      if @session.destroy
+        render body: "", status: 204
+      else 
+        # :nocov:
+        render_error 500, "Something went wrong. Oops!"
+        # :nocov:
+      end
+    end
+
+    private
+
+      ##
+      # Get the specified or current session.
+      # 
+      # An Errors::ObjectNotFoundError is raised if the session does not
+      # exist (or deleted due to expiration).
+      #
+      # An Errors::UnauthorizedError is raised if the authenticated user
+      # does not have authorization for the specified session.
+      #
+      def get_session
+        session_id = params[:id]
+        if session_id == "current"
+          session_id = @auth_session.id
+        end
+        @session = find_object(Session, session_id)
+        if !authorized?(@session)
+          raise Errors::UnauthorizedError
+        elsif @session.expired?
+          @session.destroy
+          raise Errors::ObjectNotFoundError
+        end
+      end
+
+      def session_params
+        params.permit(:username, :password)
+      end
+
+  end
+end

data/app/controllers/rails_identity/users_controller.rb

@@ -0,0 +1,168 @@
+require_dependency "rails_identity/application_controller"
+
+module RailsIdentity
+  
+  ##
+  # Users controller that performs CRUD on users.
+  #
+  class UsersController < ApplicationController
+
+    # All except user creation requires a session token. Note that reset
+    # token is also a legit session token, so :require_token will suffice.
+    prepend_before_action :require_token, only: [:show, :destroy]
+    prepend_before_action :accept_token, only: [:update, :create]
+    prepend_before_action :require_admin_token, only: [:index]
+
+    # Some actions must have a user specified.
+    before_action :get_user, only: [:show, :destroy]
+
+    ##
+    # List all users (but only works for admin user).
+    #
+    def index
+      @users = User.all
+      render json: @users, except: [:password_digest]
+    end
+
+    ##
+    # Creates a new user. This action does not require any auth although it
+    # is optional.
+    #
+    def create
+      @user = User.new(user_params)
+      if @user.save
+        render json: @user, except: [:verification_token, :reset_token, :password_digest], status: 201
+        UserMailer.email_verification(@user).deliver_later
+      else
+        render_errors 400, @user.errors.full_messages
+      end
+    end
+
+    ## 
+    # Renders a user data.
+    #
+    def show
+      render json: @user, except: [:password_digest], methods: [:role]
+    end
+
+    ##
+    # Patches the user. Some overloading operations here. There are five
+    # notable ways to update a user.
+    #
+    #   - Issue a reset token
+    #     If params has :issue_reset_token set to true, the action will
+    #     issue a reset token for the user and returns 204. Yes, 204 No
+    #     Content. TODO: in the future, the action will trigger an email.
+    #   - Reset the password
+    #     Two ways to reset password:
+    #       - Provide the old password along with the new password and
+    #         confirmation.
+    #       - Provide the reset token as the auth token.
+    #   - Issue a verification token
+    #   - Change other data
+    #
+    def update
+      if params[:issue_reset_token] || params[:issue_verification_token]
+        # For issuing a reset token, one does not need an auth token. so do
+        # not authorize the request.
+        raise Errors::UnauthorizedError unless params[:id] == "current"
+        get_user_for_token()
+        raise Errors::UnauthorizedError unless params[:username] == @user.username
+        if params[:issue_reset_token]
+          update_token(:reset_token)
+        else
+          update_token(:verification_token)
+        end
+      else
+        get_user()
+        if params[:password]
+          if params[:old_password]
+            raise Errors::UnauthorizedError unless @user.authenticate(params[:old_password])
+          else
+            raise Errors::UnauthorizedError unless @token == @user.reset_token
+          end
+        end
+        update_user(user_params)
+      end
+    end
+
+    ##
+    # Deletes a user.
+    #
+    def destroy
+      if @user.destroy
+        render body: '', status: 204
+      else
+        # :nocov:
+        render_error 500, "Something went wrong!"
+        # :nocov:
+      end
+    end
+
+    protected
+
+      ## 
+      # This method normally updates the user using permitted params.
+      #
+      def update_user(update_user_params)
+        if @user.update_attributes(update_user_params)
+          render json: @user, except: [:password_digest]
+        else
+          render_errors 400, @user.errors.full_messages
+        end
+      end
+
+      ##
+      # This method updates user with a new reset token. Only used for this
+      # operation.
+      #
+      def update_token(kind)
+        @user.issue_token(kind)
+        @user.save
+        if kind == :reset_token
+          UserMailer.password_reset(@user).deliver_later
+        else
+          UserMailer.email_verification(@user).deliver_later
+        end
+        render body: '', status: 204
+      end
+
+    private
+
+      ##
+      # This overrides the application controller's get_user method. Since
+      # resource object of this users controller is user, the id is
+      # specified in :id param.
+      #
+      def get_user
+        if params[:id] == "current"
+          raise Errors::UnauthorizedError if @auth_user.nil?
+          params[:id] = @auth_user.uuid
+        end
+        @user = find_object(User, params[:id])
+        raise Errors::UnauthorizedError unless authorized?(@user)
+        return @user
+      end
+
+      ##
+      # For issuing a new reset or for re-issuing a verification token, use
+      # this method to get user.
+      #
+      def get_user_for_token
+        @user = User.find_by_username(params[:username])
+        raise Errors::ObjectNotFoundError if @user.nil?
+        return @user
+      end
+
+      def user_params
+        # Only ADMIN can assign the attribute role. The attribute value will
+        # be ignored if the user is not an ADMIN.
+        if @auth_user.try(:role).try(:>=, Roles::ADMIN)
+          params.permit(:username, :password, :password_confirmation, :role, :verified)
+        else
+          params.permit(:username, :password, :password_confirmation, :verified)
+        end
+      end 
+
+  end
+end

data/app/helpers/rails_identity/application_helper.rb

@@ -0,0 +1,19 @@
+module RailsIdentity
+  module ApplicationHelper
+
+    ##
+    # Renders a single error.
+    #
+    def render_error(status, msg)
+      render json: {errors: [msg]}, status: status
+    end
+
+    ##
+    # Renders multiple errors
+    #
+    def render_errors(status, msgs)
+      render json: {errors: msgs}, status: status
+    end
+
+  end
+end

data/app/helpers/rails_identity/sessions_helper.rb

@@ -0,0 +1,4 @@
+module RailsIdentity
+  module SessionsHelper
+  end
+end

data/app/helpers/rails_identity/users_helper.rb

@@ -0,0 +1,4 @@
+module RailsIdentity
+  module UsersHelper
+  end
+end

data/app/jobs/rails_identity/sessions_cleanup_job.rb

@@ -0,0 +1,13 @@
+module RailsIdentity
+  class SessionsCleanupJob < ActiveJob::Base
+    queue_as :default
+
+    def perform(*args)
+      # Do something later
+      args.each do |uuid|
+        session = Session.find_by_uuid(uuid)
+        session.destroy()
+      end
+    end
+  end
+end

data/app/mailers/application_mailer.rb

@@ -0,0 +1,4 @@
+class ApplicationMailer < ActionMailer::Base
+  default from: RailsIdentity::MAILER_EMAIL
+  layout 'mailer'
+end

data/app/mailers/rails_identity/user_mailer.rb

@@ -0,0 +1,14 @@
+module RailsIdentity
+  class UserMailer < ApplicationMailer
+
+    def email_verification(user)
+      @user = user
+      mail(to: @user.username, subject: "[rails-identity] Email Confirmation")
+    end
+
+    def password_reset(user)
+      @user = user
+      mail(to: @user.username, subject: "[rails-identity] Password Reset")
+    end
+  end
+end