rapitapir 0.1.0

data/lib/rapitapir/auth/middleware.rb

@@ -0,0 +1,324 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'uri'
+require 'ostruct'
+require_relative 'context'
+require_relative 'errors'
+
+module RapiTapir
+  module Auth
+    module Middleware
+      # Middleware for handling authentication
+      # Processes incoming requests and attempts to authenticate them using configured schemes
+      class AuthenticationMiddleware
+        def initialize(app, auth_schemes = {})
+          @app = app
+          @auth_schemes = auth_schemes
+        end
+
+        def call(env)
+          request = create_request(env)
+          auth_context = authenticate_request(request)
+
+          # Store context for the request
+          ContextStore.with_context(auth_context) do
+            @app.call(env)
+          end
+        end
+
+        private
+
+        def create_request(env)
+          # Create a simple request object
+          Struct.new(:env, :params, :headers).new(
+            env,
+            parse_query_params(env['QUERY_STRING']),
+            extract_headers(env)
+          )
+        end
+
+        def parse_query_params(query_string)
+          return {} if query_string.nil? || query_string.empty?
+
+          URI.decode_www_form(query_string).to_h
+        end
+
+        def extract_headers(env)
+          headers = {}
+          env.each do |key, value|
+            if key.start_with?('HTTP_')
+              header_name = key[5..].downcase.tr('_', '-')
+              headers[header_name] = value
+            end
+          end
+          headers
+        end
+
+        def authenticate_request(request)
+          @auth_schemes.each_value do |scheme|
+            context = scheme.authenticate(request)
+            return context if context&.authenticated?
+          end
+
+          # Return empty context if no authentication succeeded
+          Context.new
+        end
+      end
+
+      # Middleware for handling authorization
+      # Checks if authenticated users have required permissions/scopes
+      class AuthorizationMiddleware
+        def initialize(app, required_scopes: [], require_all: true)
+          @app = app
+          @required_scopes = Array(required_scopes)
+          @require_all = require_all
+        end
+
+        def call(env)
+          context = ContextStore.current
+
+          return unauthorized_response('Authentication required') unless context&.authenticated?
+
+          return forbidden_response('Insufficient permissions') unless authorized?(context)
+
+          @app.call(env)
+        end
+
+        private
+
+        def authorized?(context)
+          return true if @required_scopes.empty?
+
+          if @require_all
+            context.has_all_scopes?(*@required_scopes)
+          else
+            context.has_any_scope?(*@required_scopes)
+          end
+        end
+
+        def unauthorized_response(message)
+          [
+            401,
+            { 'Content-Type' => 'application/json' },
+            [JSON.generate({ error: 'Unauthorized', message: message })]
+          ]
+        end
+
+        def forbidden_response(message)
+          [
+            403,
+            { 'Content-Type' => 'application/json' },
+            [JSON.generate({ error: 'Forbidden', message: message })]
+          ]
+        end
+      end
+
+      # Middleware for rate limiting requests
+      # Limits the number of requests per client based on configurable rules
+      class RateLimitingMiddleware
+        def initialize(app, config = {})
+          @app = app
+          @requests_per_minute = config[:requests_per_minute] || 60
+          @requests_per_hour = config[:requests_per_hour] || 1000
+          @storage = config[:storage] || MemoryStorage.new
+          @key_generator = config[:key_generator] || method(:default_key_generator)
+        end
+
+        def call(env)
+          key = @key_generator.call(env)
+
+          return rate_limit_exceeded_response unless rate_limit_allowed?(key)
+
+          record_request(key)
+          @app.call(env)
+        end
+
+        private
+
+        def rate_limit_allowed?(key)
+          minute_key = "#{key}:minute:#{Time.now.to_i / 60}"
+          hour_key = "#{key}:hour:#{Time.now.to_i / 3600}"
+
+          minute_count = @storage.get(minute_key) || 0
+          hour_count = @storage.get(hour_key) || 0
+
+          minute_count < @requests_per_minute && hour_count < @requests_per_hour
+        end
+
+        def record_request(key)
+          minute_key = "#{key}:minute:#{Time.now.to_i / 60}"
+          hour_key = "#{key}:hour:#{Time.now.to_i / 3600}"
+
+          @storage.increment(minute_key, expires_in: 60)
+          @storage.increment(hour_key, expires_in: 3600)
+        end
+
+        def default_key_generator(env)
+          # Use IP address and user ID if available
+          ip = env['REMOTE_ADDR'] || env['HTTP_X_FORWARDED_FOR']
+          context = ContextStore.current
+          user_id = context&.user_id
+
+          user_id ? "user:#{user_id}" : "ip:#{ip}"
+        end
+
+        def rate_limit_exceeded_response
+          [
+            429,
+            {
+              'Content-Type' => 'application/json',
+              'Retry-After' => '60'
+            },
+            [JSON.generate({
+                             error: 'Rate Limit Exceeded',
+                             message: 'Too many requests. Please try again later.'
+                           })]
+          ]
+        end
+
+        # Simple in-memory storage for rate limiting
+        class MemoryStorage
+          def initialize
+            @storage = {}
+            @mutex = Mutex.new
+          end
+
+          def get(key)
+            @mutex.synchronize do
+              entry = @storage[key]
+              return nil unless entry
+              return nil if entry[:expires_at] && Time.now > entry[:expires_at]
+
+              entry[:value]
+            end
+          end
+
+          def increment(key, expires_in: nil)
+            @mutex.synchronize do
+              entry = @storage[key]
+              current_value = 0
+
+              current_value = entry[:value] if entry && (!entry[:expires_at] || Time.now <= entry[:expires_at])
+
+              expires_at = expires_in ? Time.now + expires_in : nil
+
+              @storage[key] = {
+                value: current_value + 1,
+                expires_at: expires_at
+              }
+            end
+          end
+
+          def cleanup_expired
+            @mutex.synchronize do
+              now = Time.now
+              @storage.reject! do |_key, entry|
+                entry[:expires_at] && now > entry[:expires_at]
+              end
+            end
+          end
+        end
+      end
+
+      # Middleware for handling Cross-Origin Resource Sharing (CORS)
+      # Adds CORS headers to enable cross-origin requests from browsers
+      class CorsMiddleware
+        def initialize(app, config = {})
+          @app = app
+          @allowed_origins = config[:allowed_origins] || ['*']
+          @allowed_methods = config[:allowed_methods] || %w[GET POST PUT DELETE OPTIONS]
+          @allowed_headers = config[:allowed_headers] || %w[Authorization Content-Type X-API-Key]
+          @max_age = config[:max_age] || 86_400
+          @allow_credentials = config[:allow_credentials] || false
+        end
+
+        def call(env)
+          origin = env['HTTP_ORIGIN']
+
+          # Handle preflight requests
+          return preflight_response(origin) if env['REQUEST_METHOD'] == 'OPTIONS'
+
+          status, headers, body = @app.call(env)
+
+          # Add CORS headers to actual requests
+          headers = add_cors_headers(headers, origin)
+
+          [status, headers, body]
+        end
+
+        private
+
+        def preflight_response(origin)
+          headers = {
+            'Content-Type' => 'text/plain',
+            'Content-Length' => '0'
+          }
+
+          headers = add_cors_headers(headers, origin)
+          headers['Access-Control-Max-Age'] = @max_age.to_s
+
+          [200, headers, ['']]
+        end
+
+        def add_cors_headers(headers, origin)
+          headers = headers.dup
+
+          if @allowed_origins.include?('*')
+            headers['Access-Control-Allow-Origin'] = '*'
+          elsif origin_allowed?(origin)
+            headers['Access-Control-Allow-Origin'] = origin
+          end
+
+          headers['Access-Control-Allow-Methods'] = @allowed_methods.join(', ')
+          headers['Access-Control-Allow-Headers'] = @allowed_headers.join(', ')
+
+          headers['Access-Control-Allow-Credentials'] = 'true' if @allow_credentials
+
+          headers
+        end
+
+        def origin_allowed?(origin)
+          return false unless origin
+          return true if @allowed_origins.include?('*')
+
+          @allowed_origins.any? do |allowed|
+            if allowed.include?('*')
+              # Simple wildcard matching
+              pattern = allowed.gsub('*', '.*')
+              origin.match?(/\A#{pattern}\z/)
+            else
+              origin == allowed
+            end
+          end
+        end
+      end
+
+      # Middleware for adding security headers
+      # Adds common security headers to HTTP responses for protection
+      class SecurityHeadersMiddleware
+        def initialize(app, config = {})
+          @app = app
+          @headers = {
+            'X-Content-Type-Options' => 'nosniff',
+            'X-Frame-Options' => 'DENY',
+            'X-XSS-Protection' => '1; mode=block',
+            'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
+            'Referrer-Policy' => 'strict-origin-when-cross-origin'
+          }.merge(config[:headers] || {})
+        end
+
+        def call(env)
+          status, headers, body = @app.call(env)
+
+          # Add security headers
+          @headers.each do |name, value|
+            headers[name] = value unless headers.key?(name)
+          end
+
+          [status, headers, body]
+        end
+      end
+    end
+  end
+end

data/lib/rapitapir/auth/oauth2.rb

@@ -0,0 +1,350 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'uri'
+require 'json'
+
+module RapiTapir
+  module Auth
+    module OAuth2
+      # Enhanced OAuth2 authentication scheme with Auth0 support
+      # Based on the Auth0 Sinatra integration patterns
+      class Auth0Scheme < Schemes::Base
+        attr_reader :domain, :audience, :algorithm, :jwks_cache_ttl
+        
+        def jwks_url
+          "https://#{@domain}/.well-known/jwks.json"
+        end
+
+        def initialize(name = :oauth2_auth0, config = {})
+          super(name, config)
+          
+          @domain = config[:domain] || raise(ArgumentError, 'Auth0 domain is required')
+          @audience = config[:audience] || raise(ArgumentError, 'Auth0 audience is required')
+          @algorithm = config[:algorithm] || 'RS256'
+          @jwks_cache_ttl = config[:jwks_cache_ttl] || 300 # 5 minutes
+          @realm = config[:realm] || 'API'
+          
+          # Cache for JWKS to avoid frequent requests
+          @jwks_cache = nil
+          @jwks_cache_time = nil
+        end
+
+        def authenticate(request)
+          auth_header = request.env['HTTP_AUTHORIZATION']
+          return nil unless auth_header
+
+          token = extract_bearer_token(auth_header)
+          if token.nil?
+            raise AuthenticationError, "Invalid authorization header format"
+          end
+          
+          if token.strip.empty?
+            raise AuthenticationError, "Token cannot be empty"
+          end
+
+          begin
+            decoded_token = validate_auth0_token(token)
+            return nil unless decoded_token
+
+            # Extract user info and scopes from the token
+            payload = decoded_token.first
+            
+            create_context(
+              user: extract_user_from_token(payload),
+              scopes: extract_scopes_from_token(payload),
+              token: token,
+              metadata: {
+                token_type: 'oauth2_auth0',
+                issuer: payload['iss'],
+                subject: payload['sub'],
+                audience: payload['aud'],
+                expires_at: payload['exp'] ? Time.at(payload['exp']) : nil,
+                issued_at: payload['iat'] ? Time.at(payload['iat']) : nil
+              }
+            )
+          rescue JWT::VerificationError, JWT::DecodeError => e
+            raise InvalidTokenError, "Invalid Auth0 token: #{e.message}"
+          rescue StandardError => e
+            raise AuthenticationError, "Auth0 authentication failed: #{e.message}"
+          end
+        end
+
+        def challenge
+          "Bearer realm=\"#{@realm}\", error=\"invalid_token\", error_description=\"The access token provided is expired, revoked, malformed, or invalid\""
+        end
+
+        # Public method to verify token (useful for testing)
+        def verify_token(token)
+          validate_auth0_token(token)
+        end
+
+        private
+
+        def extract_bearer_token(auth_header)
+          match = auth_header.match(/\ABearer\s+(.+)\z/i)
+          match ? match[1] : nil
+        end
+
+        def validate_auth0_token(token)
+          require 'jwt' # Ensure JWT gem is available
+          
+          jwks = fetch_jwks
+          
+          JWT.decode(
+            token,
+            nil,
+            true,
+            {
+              algorithm: @algorithm,
+              iss: domain_url,
+              verify_iss: true,
+              aud: @audience,
+              verify_aud: true,
+              jwks: jwks
+            }
+          )
+        end
+
+        def fetch_jwks
+          # Return cached JWKS if still valid
+          if @jwks_cache && @jwks_cache_time && (Time.now - @jwks_cache_time) < @jwks_cache_ttl
+            return @jwks_cache
+          end
+
+          # Fetch fresh JWKS from Auth0
+          jwks_response = get_jwks_from_auth0
+          
+          unless jwks_response.is_a?(Net::HTTPSuccess)
+            raise AuthenticationError, 'Unable to fetch JWKS from Auth0'
+          end
+
+          jwks_data = JSON.parse(jwks_response.body)
+          
+          # Cache the JWKS
+          @jwks_cache = { keys: jwks_data['keys'] }
+          @jwks_cache_time = Time.now
+          
+          @jwks_cache
+        end
+
+        def get_jwks_from_auth0
+          jwks_uri = URI("#{base_domain_url}/.well-known/jwks.json")
+          
+          http = Net::HTTP.new(jwks_uri.host, jwks_uri.port)
+          http.use_ssl = true
+          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          http.read_timeout = 10
+          
+          request = Net::HTTP::Get.new(jwks_uri.request_uri)
+          request['User-Agent'] = 'RapiTapir OAuth2 Client'
+          
+          http.request(request)
+        end
+
+        def domain_url
+          url = @domain.start_with?('https://') ? @domain : "https://#{@domain}"
+          # Auth0 issuer always includes trailing slash for JWT validation
+          @domain_url ||= url.end_with?('/') ? url : "#{url}/"
+        end
+
+        def base_domain_url
+          @base_domain_url ||= @domain.start_with?('https://') ? @domain : "https://#{@domain}"
+        end
+
+        def extract_user_from_token(payload)
+          {
+            id: payload['sub'],
+            email: payload['email'],
+            name: payload['name'] || payload['nickname'],
+            picture: payload['picture'],
+            email_verified: payload['email_verified']
+          }.compact
+        end
+
+        def extract_scopes_from_token(payload)
+          scope_string = payload['scope']
+          return [] unless scope_string
+
+          scope_string.split(' ')
+        end
+      end
+
+      # Generic OAuth2 scheme with token introspection support
+      class GenericScheme < Schemes::Base
+        attr_reader :introspection_endpoint, :client_id, :client_secret, :token_cache_ttl
+        
+        def initialize(name = :oauth2, config = {})
+          super(name, config)
+          
+          @introspection_endpoint = config[:introspection_endpoint]
+          @client_id = config[:client_id]
+          @client_secret = config[:client_secret]
+          @token_validator = config[:token_validator]
+          @realm = config[:realm] || 'API'
+          @cache_tokens = config.fetch(:cache_tokens, true)
+          @token_cache_ttl = config[:token_cache_ttl] || 300 # 5 minutes
+          
+          # Token cache to avoid repeated introspection calls
+          @token_cache = {} if @cache_tokens
+        end
+
+        def authenticate(request)
+          auth_header = request.env['HTTP_AUTHORIZATION']
+          return nil unless auth_header
+
+          token = extract_bearer_token(auth_header)
+          return nil unless token
+
+          begin
+            token_info = validate_oauth2_token(token)
+            
+            # Check if token is active
+            unless token_info && token_info[:active]
+              raise AuthenticationError, "Token is not active"
+            end
+
+            create_context(
+              user: token_info[:user],
+              scopes: token_info[:scopes] || [],
+              token: token,
+              metadata: {
+                token_type: 'oauth2',
+                client_id: token_info[:client_id],
+                expires_at: token_info[:expires_at],
+                token_type_hint: token_info[:token_type]
+              }
+            )
+          rescue AuthenticationError
+            raise # Re-raise authentication errors
+          rescue StandardError => e
+            raise AuthenticationError, "OAuth2 authentication failed: #{e.message}"
+          end
+        end
+
+        def challenge
+          "Bearer realm=\"#{@realm}\""
+        end
+
+        # Public method for token validation (useful for testing)
+        def validate_token(token)
+          validate_oauth2_token(token)
+        end
+
+        private
+
+        def extract_bearer_token(auth_header)
+          match = auth_header.match(/\ABearer\s+(.+)\z/i)
+          match ? match[1] : nil
+        end
+
+        def validate_oauth2_token(token)
+          # Check cache first
+          if @cache_tokens && @token_cache
+            cached = @token_cache[token]
+            if cached && (Time.now - cached[:cached_at]) < @token_cache_ttl
+              return cached[:data]
+            end
+          end
+
+          # Validate token
+          token_info = if @introspection_endpoint
+                        introspect_token_via_endpoint(token)
+                      elsif @token_validator
+                        @token_validator.call(token)
+                      else
+                        default_token_validation(token)
+                      end
+
+          # Cache the result
+          if @cache_tokens && @token_cache && token_info
+            @token_cache[token] = {
+              data: token_info,
+              cached_at: Time.now
+            }
+          end
+
+          token_info
+        end
+
+        def introspect_token_via_endpoint(token)
+          uri = URI(@introspection_endpoint)
+          
+          http = Net::HTTP.new(uri.host, uri.port)
+          http.use_ssl = (uri.scheme == 'https')
+          
+          request = Net::HTTP::Post.new(uri.request_uri)
+          request['Content-Type'] = 'application/x-www-form-urlencoded'
+          request['Accept'] = 'application/json'
+          
+          # Add client authentication
+          if @client_id && @client_secret
+            credentials = Base64.strict_encode64("#{@client_id}:#{@client_secret}")
+            request['Authorization'] = "Basic #{credentials}"
+          end
+          
+          # Set form data
+          request.set_form_data(
+            'token' => token,
+            'token_type_hint' => 'access_token'
+          )
+          
+          response = http.request(request)
+          
+          unless response.is_a?(Net::HTTPSuccess)
+            raise AuthenticationError, "Token introspection failed: #{response.code} #{response.message}"
+          end
+          
+          begin
+            introspection_data = JSON.parse(response.body)
+          rescue JSON::ParserError => e
+            raise AuthenticationError, "Invalid introspection response: #{e.message}"
+          end
+          
+          return { active: false } unless introspection_data['active']
+          
+          {
+            active: true,
+            user: extract_user_from_introspection(introspection_data),
+            scopes: extract_scopes_from_introspection(introspection_data),
+            client_id: introspection_data['client_id'],
+            expires_at: introspection_data['exp'] ? Time.at(introspection_data['exp']) : nil,
+            token_type: introspection_data['token_type'] || 'Bearer'
+          }
+        end
+
+        def extract_user_from_introspection(data)
+          {
+            id: data['sub'] || data['user_id'],
+            username: data['username'],
+            email: data['email'],
+            name: data['name']
+          }.compact
+        end
+
+        def extract_scopes_from_introspection(data)
+          if data['scope'].is_a?(String)
+            data['scope'].split(' ')
+          elsif data['scope'].is_a?(Array)
+            data['scope']
+          else
+            []
+          end
+        end
+
+        def default_token_validation(token)
+          # Simple default validation - should be overridden in production
+          return { active: false } if token.nil? || token.empty?
+
+          {
+            active: true,
+            user: { id: 'default_user', name: 'Default User' },
+            scopes: %w[read],
+            client_id: 'default_client',
+            expires_at: Time.now + 3600
+          }
+        end
+      end
+    end
+  end
+end