rails-identity 0.2.3 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 13d1f01c0a93ffb9ea2548258bf1b63a261085bf
-  data.tar.gz: 4edfcaca8bc9d151a62799c54c1451fd51592196
+  metadata.gz: 069d960770fb7c3e3d60a2a7a7de61217a3d864c
+  data.tar.gz: f5367277a5aa44adc273009b11bedbf140258eac
 SHA512:
-  metadata.gz: 2acceb4c9f742fd0ea740639f4b316e72d061e09dc56f46a6fe88bcadbfaedea0a9a9ddfbf12fcee5ed9f75d06b146c9c8d2a0ebdab429ec1ad07affd42f1ce5
-  data.tar.gz: e981b7d80ad98a39af5a0ed1d69b2f0cfd488f8914dbaa5e398f70a9438b5bef5a88828fc40cfcb7bf16eb57d3449d7e9ae89029fd2a1c1e76b32e95b4544157
+  metadata.gz: 2c31e81c81d366e0f1b8b59e0e023715779f288899946d7c3ed283a317b66f27f4453270977f8e77e95e54d3f53bbdc08f6f354f021f6e9985ffce2e2353d7cb
+  data.tar.gz: ffca70e53b8d9e4e53ab383c3cfc9752774485b2f4f208a83916bd907e8037c23f8110fcc643685bda025d27be7605ce3a222d67ff51fc50aef15c8a47913c4c

data/app/controllers/rails_identity/sessions_controller.rb

@@ -9,7 +9,7 @@ module RailsIdentity
   #
   class SessionsController < ApplicationController
 
-    prepend_before_action :require_token, except: [:create, :options]
+    prepend_before_action :require_auth, except: [:create, :options]
     before_action :get_session, only: [:show, :destroy]
     before_action :get_user, only: [:index]
 
@@ -38,6 +38,8 @@ module RailsIdentity
     # token based authentication. If the latter doesn't make sense, just use
     # the username and password approach.
     #
+    # A Repia::Errors::Unauthorized is thrown if user is not verified.
+    #
     def create
       @user = User.find_by_username(session_params[:username])
       if (@user && @user.authenticate(session_params[:password])) || get_user()
@@ -70,7 +72,7 @@ module RailsIdentity
         render body: "", status: 204
       else 
         # :nocov:
-        render_error 500, "Something went wrong. Oops!"
+        render_error 400, @session.errors.full_messages
         # :nocov:
       end
     end
@@ -80,15 +82,18 @@ module RailsIdentity
       ##
       # Get the specified or current session.
       # 
-      # An Repia::Errors::NotFound is raised if the session does not
+      # A Repia::Errors::NotFound is raised if the session does not
       # exist (or deleted due to expiration).
       #
-      # An Repia::Errors::Unauthorized is raised if the authenticated user
+      # A Repia::Errors::Unauthorized is raised if the authenticated user
       # does not have authorization for the specified session.
       #
       def get_session
         session_id = params[:id]
         if session_id == "current"
+          if @auth_session.nil?
+            raise Repia::Errors::NotFound
+          end
           session_id = @auth_session.id
         end
         @session = find_object(Session, session_id)

data/app/controllers/rails_identity/users_controller.rb

@@ -9,9 +9,9 @@ module RailsIdentity
 
     # All except user creation requires a session token. Note that reset
     # token is also a legit session token, so :require_token will suffice.
-    prepend_before_action :require_token, only: [:show, :destroy]
-    prepend_before_action :accept_token, only: [:update, :create]
-    prepend_before_action :require_admin_token, only: [:index]
+    prepend_before_action :require_auth, only: [:show, :destroy]
+    prepend_before_action :accept_auth, only: [:update, :create]
+    prepend_before_action :require_admin_auth, only: [:index]
 
     # Some actions must have a user specified.
     before_action :get_user, only: [:show, :destroy]
@@ -34,13 +34,15 @@ module RailsIdentity
       if @user.save
 
         # Save succeeded. Render the response based on the created user.
-        render json: @user, except: [:verification_token, :reset_token, :password_digest], status: 201
+        render json: @user,
+               except: [:verification_token, :reset_token, :password_digest],
+               status: 201
 
         # Then, issue the verification token and send the email for
         # verification.
         @user.issue_token(:verification_token)
         @user.save
-        UserMailer.email_verification(@user).deliver_later
+        user_mailer.email_verification(@user).deliver_later
       else
         render_errors 400, @user.errors.full_messages
       end
@@ -54,28 +56,29 @@ module RailsIdentity
     end
 
     ##
-    # Patches the user. Some overloading operations here. There are five
-    # notable ways to update a user.
+    # Patches the user object. There are four notable operations:
     #
-    #   - Issue a reset token
-    #     If params has :issue_reset_token set to true, the action will
-    #     issue a reset token for the user and returns 204. Yes, 204 No
-    #     Content.
-    #   - Reset the password
-    #     Two ways to reset password:
-    #       - Provide the old password along with the new password and
-    #         confirmation.
-    #       - Provide the reset token as the auth token.
-    #   - Issue a verification token
-    #   - Change other data
+    # - issue reset token
+    # - issue verification token
+    # - change password
+    # - others
+    #
+    # Issuing either reset token or verification token requires NO
+    # authentication. However, for that reason, the request does not get any
+    # meaningful response. Instead, an email is sent out for either request.
+    #
+    # For changing password, there are two ways. One is to use old password
+    # and the other is to use reset token.
+    #
+    # Otherwise, it's a normal update operation.
     #
     def update
       if params[:issue_reset_token] || params[:issue_verification_token]
         # For issuing a reset token, one does not need an auth token. so do
-        # not authorize the request.
+        # not authorize the request. For consistency, we require the id to
+        # be "current".
         raise Repia::Errors::Unauthorized unless params[:id] == "current"
         get_user_for_token()
-        raise Repia::Errors::Unauthorized unless params[:username] == @user.username
         if params[:issue_reset_token]
           update_token(:reset_token)
         else
@@ -83,13 +86,7 @@ module RailsIdentity
         end
       else
         get_user()
-        if params[:password]
-          if params[:old_password]
-            raise Repia::Errors::Unauthorized unless @user.authenticate(params[:old_password])
-          else
-            raise Repia::Errors::Unauthorized unless @token == @user.reset_token
-          end
-        end
+        allow_password_change? if params[:password]
         update_user(user_params)
       end
     end
@@ -102,13 +99,40 @@ module RailsIdentity
         render body: '', status: 204
       else
         # :nocov:
-        render_error 500, "Something went wrong!"
+        render_error 400, @user.errors.full_messages
         # :nocov:
       end
     end
 
     protected
 
+      ##
+      # Override this method to app specific mailer.
+      #
+      def user_mailer
+        return UserMailer
+      end
+
+      ##
+      # Check if password change should be allowed. Two ways to do this: one
+      # is to use old password or to use a valid reset token.
+      #
+      # A Repia::Errors::Unauthorized is thrown for invalid old password or
+      # invalid reset token
+      #
+      def allow_password_change?
+        if params[:old_password]
+          unless @user.authenticate(params[:old_password])
+            raise Repia::Errors::Unauthorized 
+          end
+        else
+          unless @token == @user.reset_token
+            raise Repia::Errors::Unauthorized
+          end
+        end
+        return true
+      end
+
       ## 
       # This method normally updates the user using permitted params.
       #
@@ -128,9 +152,9 @@ module RailsIdentity
         @user.issue_token(kind)
         @user.save
         if kind == :reset_token
-          UserMailer.password_reset(@user).deliver_later
+          user_mailer.password_reset(@user).deliver_later
         else
-          UserMailer.email_verification(@user).deliver_later
+          user_mailer.email_verification(@user).deliver_later
         end
         render body: '', status: 204
       end

data/app/helpers/rails_identity/application_helper.rb

@@ -31,11 +31,69 @@ module RailsIdentity
       end
     end
 
+    ##
+    # Requires authentication. Either token or api key must be present.
+    #
+    def require_auth
+      logger.debug("Requiring any authentication")
+      get_auth
+    end
+
+    ##
+    # Requires admin authentication. Either token or api key must be present
+    # and it should be an admin's.
+    #
+    def require_admin_auth
+      logger.debug("Requiring any admin authentication")
+      get_auth(required_role: Roles::ADMIN)
+    end
+
+    ##
+    # Accepts authentication if present. Either token or api key is
+    # accepted.
+    #
+    def accept_auth
+      logger.debug("Accepting any authentication")
+      begin
+        get_auth
+      rescue StandardError => e
+        logger.error("Suppressing error: #{e.message}")
+      end
+    end
+
+    ##
+    # Requires API key for authentication.
+    #
+    def require_api_key
+      logger.debug("Requiring api key")
+      get_api_key
+    end
+
+    ##
+    # Requires admin API key for authentication.
+    #
+    def require_admin_api_key
+      logger.debug("Requiring admin api key")
+      get_api_key(required_role: Roles::ADMIN)
+    end
+
+    ##
+    # Accepts API key for authentication if one is present.
+    #
+    def accept_api_key
+      logger.debug("Accepting api key")
+      begin
+        get_api_key
+      rescue StandardError => e
+        logger.error("Suppressing error: #{e.message}")
+      end
+    end
+
     ## 
     # Requires a token.
     #
     def require_token
-      logger.debug("Requires a token")
+      logger.debug("Requiring token")
       get_token
     end
 
@@ -44,7 +102,7 @@ module RailsIdentity
     # suppressed.
     #
     def accept_token()
-      logger.debug("Accepts a token")
+      logger.debug("Accepting token")
       begin
         get_token()
       rescue StandardError => e
@@ -57,7 +115,7 @@ module RailsIdentity
     # issued for an admin user (role == 1000).
     #
     def require_admin_token
-      logger.debug("Requires an admin token")
+      logger.debug("Requiring admin token")
       get_token(required_role: Roles::ADMIN)
     end
 
@@ -151,6 +209,9 @@ module RailsIdentity
       # Attempt to get a token for the session. Token must be specified in
       # query string or part of the JSON object.
       #
+      # Raises a Repia::Errors::Unauthorized if cached session has less role
+      # than what's required.
+      #
       def get_token(required_role: Roles::PUBLIC)
         token = params[:token]
         payload = get_token_payload(token)
@@ -160,11 +221,48 @@ module RailsIdentity
         if @auth_session.nil?
           @auth_session = verify_token_payload(token, payload,
                                                required_role: required_role)
+          @auth_session.role  # NOTE: no-op
           Rails.cache.write("#{CACHE_PREFIX}-session-#{token}", @auth_session)
+        elsif @auth_session.role < required_role
+          raise Repia::Errors::Unauthorized
         end
         @auth_user = @auth_session.user
         @token = @auth_session.token
       end
 
+      ##
+      # Get API key from the request.
+      #
+      # Raises a Repia::Errors::Unauthorized if API key is not valid (or not
+      # provided).
+      #
+      def get_api_key(required_role: Roles::PUBLIC)
+        api_key = params[:api_key]
+        if api_key.nil?
+          # This case is not likely, but as a safeguard in case migration
+          # has not gone well.
+          # :nocov:
+          raise Repia::Errors::Unauthorized, "Invalid api key"
+          # :nocov:
+        end
+        auth_user = User.find_by_api_key(api_key)
+        if auth_user.nil? || auth_user.role < required_role
+          raise Repia::Errors::Unauthorized, "Invalid api key"
+        end
+        @auth_user = auth_user
+        @auth_session = nil
+        @token = nil
+      end
+
+      ##
+      # Get auth data from the request. The token takes the precedence.
+      #
+      def get_auth(required_role: Roles::USER)
+        if params[:token]
+          get_token(required_role: required_role)
+        else
+          get_api_key(required_role: required_role)
+        end
+      end
   end
 end

data/app/models/rails_identity/session.rb

@@ -40,5 +40,12 @@ module RailsIdentity
       return false
     end
 
+    def role
+      if @role.nil?
+        @role = user.role
+      end
+      return @role
+    end
+
   end
 end

data/app/models/rails_identity/user.rb

@@ -18,6 +18,7 @@ module RailsIdentity
     # re-issue the verification token.
     #
     def initialize(attributes = {})
+      attributes[:api_key] = SecureRandom.hex(32)
       super
     end
 

data/db/migrate/20160507014709_add_api_key_to_users.rb

@@ -0,0 +1,10 @@
+class AddApiKeyToUsers < ActiveRecord::Migration
+  def change
+    add_column :rails_identity_users, :api_key, :string
+    add_index :rails_identity_users, :api_key
+
+    RailsIdentity::User.find_each do |user|
+      user.update(api_key: SecureRandom.hex(32))
+    end
+  end
+end

data/lib/rails_identity/version.rb

@@ -1,3 +1,3 @@
 module RailsIdentity
-  VERSION = "0.2.3"
+  VERSION = "0.3.0"
 end

data/test/controllers/rails_identity/application_controller_test.rb

@@ -0,0 +1,124 @@
+require 'test_helper'
+
+module RailsIdentity
+
+  class TestsController < ApplicationController
+    def index
+      render json: {}, status: 200
+    end
+  end
+
+  class TestsControllerTest < ActionController::TestCase
+    setup do 
+      Rails.cache.clear
+      @session = rails_identity_sessions(:one)
+      @token = @session.token
+      @admin_session = rails_identity_sessions(:admin_one)
+      @admin_token = @admin_session.token
+      @api_key = rails_identity_users(:one).api_key
+      @admin_api_key = rails_identity_users(:admin_one).api_key
+      # Rails.application.routes.draw do
+      RailsIdentity::Engine.routes.draw do
+        match "tests" => "tests#index", via: [:get]
+      end
+      @routes = Engine.routes
+    end
+
+    teardown do
+      RailsIdentity::Engine.routes.draw do
+        resources :sessions
+        match 'sessions(/:id)' => 'sessions#options', via: [:options]
+
+        resources :users
+        match 'users(/:id)' => 'users#options', via: [:options]
+      end
+    end
+
+    test "require only token" do
+      class ::RailsIdentity::TestsController < ApplicationController
+        reset_callbacks :process_action
+        before_action :require_token, only: [:index]
+        def index
+          render json: {}, status: 200
+        end
+      end
+      get :index, token: @token
+      assert_response :success
+      get :index
+      assert_response 401
+    end
+
+    test "require only admin token" do
+      class ::RailsIdentity::TestsController < ApplicationController
+        reset_callbacks :process_action
+        before_action :require_admin_token, only: [:index]
+        def index
+          render json: {}, status: 200
+        end
+      end
+      get :index, token: @admin_token
+      assert_response :success
+      Rails.cache.write("#{CACHE_PREFIX}-session-#{@token}", @session)
+      get :index, token: @token
+      assert_response 401
+    end
+
+    test "accept only token" do
+      class ::RailsIdentity::TestsController < ApplicationController
+        reset_callbacks :process_action
+        before_action :accept_token, only: [:index]
+        def index
+          render json: {}, status: 200
+        end
+      end
+      get :index, token: @token
+      assert_response :success
+      get :index
+      assert_response :success
+    end
+
+    test "require only api key" do
+      class ::RailsIdentity::TestsController < ApplicationController
+        reset_callbacks :process_action
+        before_action :require_api_key, only: [:index]
+        def index
+          render json: {}, status: 200
+        end
+      end
+      get :index, api_key: @api_key
+      assert_response :success
+      get :index, token: @token
+      assert_response 401
+      get :index
+      assert_response 401
+    end
+
+    test "require only admin api key" do
+      class ::RailsIdentity::TestsController < ApplicationController
+        reset_callbacks :process_action
+        before_action :require_admin_api_key, only: [:index]
+        def index
+          render json: {}, status: 200
+        end
+      end
+      get :index, api_key: @admin_api_key
+      assert_response :success
+      get :index, api_key: @api_key
+      assert_response 401
+    end
+
+    test "accept only api key" do
+      class ::RailsIdentity::TestsController < ApplicationController
+        reset_callbacks :process_action
+        before_action :accept_api_key, only: [:index]
+        def index
+          render json: {}, status: 200
+        end
+      end
+      get :index, api_key: @api_key
+      assert_response :success
+      get :index
+      assert_response :success
+    end
+  end
+end