remark_login_client 0.7

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 261e8a37b92b59bdd8b7cf2a29aa70b04a2d75beec1b6bd86ca432eb7310d5f7
+  data.tar.gz: a45e3d99e963a43466d9a2f079825714550c36a2802f21c1de8d742a473d72e1
+SHA512:
+  metadata.gz: '000590b196484b778fc7e40921b13d7ff856bccb345bef023376326d5439fcda3c1de6cb2d94bf1c5d16b28ee86cb676da5d9aaef46fcf13daa0dbf08a38adb8'
+  data.tar.gz: b0499834a930161b4c76883ec2d6078e96e71edb839fb601164bfb585ef8b834e41d494efba38a9b0bae74adcde8b6b6c6a13a444b5cf062da16c1cd361ac15d

data/README.md

@@ -0,0 +1,216 @@
+# ReMark Login Client
+
+Welcome to the readme of ReMark Login Client. This library is used to connect an application to the Remark Login application. It extends the standard Devise functionality to login via Doorkeeper as an omniauth_provider.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'remark_login_client',
+    git: 'git@bitbucket.org:ivaldi/remark-login-client.git', branch: :development
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install remark_login_client
+
+### 1. Setup application and roles
+
+In ReMark Login we need to define the application and roles
+
+Example script to run from your rails console:
+
+```ruby
+begin
+  # clean up data from possible outdated seeds.
+  Application.destroy_all
+  Role.destroy_all
+
+  Application.create!(
+    name: 'Demo Tool',
+    key: 'demo',
+    sequence: 3,
+    uid: 'NotSoRandomDemoToolUid',
+    secret: 'NotSoRandomDemoToolSecret',
+    redirect_uri: 'http://localhost:3002/users/auth/doorkeeper/callback',
+    logout_api_url: 'http://localhost:3002/session_timeout',
+    roles: [
+      Role.create(name: 'Superadmin', key: 'superadmin', sequence: 1, admin_rights: true),
+      Role.create(name: 'user', key: 'user', sequence: 2, admin_rights: false)
+    ]
+  )
+  User.all.each do |user|
+    user.update!(roles: Role.all)
+  end
+end
+```
+
+### 2. Configure secrets
+
+Make sure the following keys and their values become available in your client application's Rails.application.secrets.
+
+- **APP_URL** (the url of the client applicaton)
+- **DOORKEEPER_APP_URL** (the url of the ReMark Login application)
+- **DOORKEEPER_INTERNAL_APP_URL** (the url of the ReMark Login application if it's used within a Docker environment)
+- **DOORKEEPER_APP_ID** (The client application ID in ReMark Login)
+- **DOORKEEPER_APP_SECRET** (The client application Secret in ReMark Login)
+
+Locally this can be done by adding setting these key->value pairs in your .env file and include the following line in your environments/development.rb file
+
+```ruby
+  # load .env file in secrets
+  Rails.application.secrets.merge!(Dotenv.load('.env').symbolize_keys)
+```
+
+### 3. Setup Devise
+
+ReMark Login uses the omniauth functionality of Devise with Doorkeeper as provider. Make sure your Devise initializer has the following lines:
+
+```ruby
+
+require 'omniauth/strategies/doorkeeper'
+
+#Devise.setup do |config|
+
+config.omniauth :doorkeeper,
+      ENV.fetch('DOORKEEPER_APP_ID', nil),
+      ENV.fetch('DOORKEEPER_APP_SECRET', nil),
+      scope: 'read',
+      strategy_class: OmniAuth::Strategies::Doorkeeper
+
+  OmniAuth.config.allowed_request_methods = [:post, :get]
+  OmniAuth.config.silence_get_warning = true
+
+#end
+```
+
+What needs to be done in the callbacks controller can vary per application. An example of the required controllers:
+
+```ruby
+# app/controllers/users/omniauth_callbacks_controller.rb
+module Users
+  class OmniauthCallbacksController < Devise::OmniauthCallbacksController
+    def doorkeeper
+      @user = User.from_omniauth(request.env['omniauth.auth'])
+
+      if @user.persisted?
+        @user.update_doorkeeper_credentials(request.env['omniauth.auth'])
+
+        sign_in_and_redirect @user, event: :authentication
+        if is_navigational_format?
+          if request.env['omniauth.auth'].info['locale'].present?
+            I18n.locale = request.env['omniauth.auth'].info['locale']
+          else
+            I18n.locale = I18n.default_locale
+          end
+          set_flash_message(:notice, :success, kind: 'ReMark Login')
+        end
+      else
+        session['devise.doorkeeper_data'] = request.env['omniauth.auth']
+        redirect_to new_user_registration_url
+      end
+    end
+
+    def failure
+      redirect_to root_path
+    end
+  end
+end
+
+# app/controllers/users/sessions_controller.rb
+module Users
+  class SessionsController < Devise::SessionsController
+    # DELETE /resource/sign_out
+    def destroy
+      remark_login_connection.delete '/oauth/authorize',
+          {
+            client_id: Rails.application.secrets.fetch(:DOORKEEPER_APP_ID),
+            access_token: current_user&.doorkeeper_access_token
+          }
+      current_user&.update(doorkeeper_access_token: nil, doorkeeper_refresh_token: nil)
+
+      sign_out current_user
+
+      redirect_to root_path, notice: t('devise.sessions.signed_out')
+    end
+
+    def remark_login_connection
+      strategy = OmniAuth::Strategies::Doorkeeper.new(nil)
+
+      Faraday.new(url: strategy.options.client_options.site)
+    end
+  end
+end
+```
+
+The routes to these controllers need to be defined in the `routes.rb` file:
+
+```ruby
+  devise_for :users,
+    controllers: {
+      omniauth_callbacks: 'users/omniauth_callbacks'
+    }
+  devise_scope :user do
+    delete '/users/sign_out' => 'users/sessions#destroy', as: :destroy_user_session
+  end
+```
+
+### 4. Include ReMark Login in your Controller
+
+When the ReMark Login concern is included in the ApplicationController that protects your secured pages, the user is automatically redirected to the ReMark Login signin page.
+
+Example:
+
+```ruby
+module Admin
+  class ApplicationController < ApplicationController
+    include RemarkLoginClient::Authentication
+  end
+end
+```
+
+Concern can locally be redefined in `app/controllers/concerns/remark_login_client/authentication.rb`
+
+### 5. Include ReMark Login in your Model
+
+Also the model needs a concern to manage the authentication with ReMark Login. `devise` needs to be setup with Doorkeeper as omniauth provider.
+
+```ruby
+class User < ApplicationRecord
+  include RemarkLoginClient::UserMethods
+
+  devise :omniauthable, omniauth_providers: [:doorkeeper]
+```
+
+Concern can locally be redefined in `app/models/concerns/remark_login_client/user_methods.rb`
+
+### 6. Database changes for your Model
+
+For a working connection the Model (to be authorized) should have some extra fields.
+
+Write migrations for your table to have at least the following columns and index. (table and index name can differ based on your Model's name)
+
+```ruby
+create_table "users", force: :cascade do |t|
+    t.string "email", default: "", null: false
+    t.integer "status"
+    t.string "first_name"
+    t.string "last_name"
+    t.string "uid" # unique identifier from ReMark Login
+    t.string "locale", default: "en"
+    t.string "doorkeeper_access_token"
+    t.string "doorkeeper_refresh_token"
+    t.string "session_token"
+    t.jsonb "environment_links", default: {} # can be used for multi application setup
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+
+    t.index ["email"], name: "index_users_on_email", unique: true
+  end
+
+```

data/lib/devise/omniauth.rb

@@ -0,0 +1,25 @@
+begin
+  require 'omniauth'
+rescue LoadError
+  warn "Could not load 'omniauth'. Please ensure you have the " \
+       'omniauth gem >= 1.0.0 installed and listed in your Gemfile.'
+  raise
+end
+
+# Clean up the default path_prefix. It will be automatically set by Devise.
+OmniAuth.config.path_prefix = nil
+
+OmniAuth.config.on_failure = proc do |env|
+  # debugger
+  env['devise.mapping'] = Devise::Mapping.find_by_path!(env['PATH_INFO'], :path)
+  controller_name  = ActiveSupport::Inflector.camelize(env['devise.mapping'].controllers[:omniauth_callbacks])
+  controller_klass = ActiveSupport::Inflector.constantize("#{controller_name}Controller")
+  controller_klass.action(:failure).call(env)
+end
+
+module Devise
+  module OmniAuth
+    autoload :Config,      'devise/omniauth/config'
+    autoload :UrlHelpers,  'devise/omniauth/url_helpers'
+  end
+end

data/lib/omniauth/strategies/doorkeeper.rb

@@ -0,0 +1,36 @@
+module OmniAuth
+  module Strategies
+    class Doorkeeper < OmniAuth::Strategies::OAuth2
+      option :name, :doorkeeper
+
+      option :client_options,
+          site: if ENV['COMPOSE'].present?
+                  ENV.fetch('DOORKEEPER_INTERNAL_APP_URL')
+                else
+                  ENV.fetch('DOORKEEPER_APP_URL')
+                end,
+          authorize_url: "#{ENV.fetch('DOORKEEPER_APP_URL')}/oauth/authorize",
+          redirect_uri: "#{ENV.fetch('APP_URL')}/users/auth/doorkeeper/callback"
+
+      uid do
+        raw_info['login_user_key']
+      end
+
+      info do
+        {
+          email: raw_info['email'],
+          first_name: raw_info['first_name'],
+          last_name: raw_info['last_name'],
+          login_user_key: raw_info['login_user_key'],
+          payload: raw_info['payload'],
+          locale: raw_info['locale'],
+          environment_links: raw_info['environment_links']
+        }
+      end
+
+      def raw_info
+        @raw_info ||= access_token.get('/api/v1/me.json').parsed
+      end
+    end
+  end
+end

data/lib/remark_login_client/controllers/concerns/authentication.rb

@@ -0,0 +1,109 @@
+module RemarkLoginClient
+  module Authentication
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :redirect_to_remark_login, if: :remark_oauth_login_available?
+      before_action :authenticate_user!
+      before_action :doorkeeper_access_token, if: :remark_oauth_login_available?
+    end
+
+    def remark_oauth_login_available?
+      return @remark_oauth_login_available if @remark_oauth_login_available.present?
+
+      @remark_oauth_login_available = false
+      doorkeeper_app_key = if ENV['COMPOSE'].present?
+                            'DOORKEEPER_INTERNAL_APP_URL'
+                          else
+                            'DOORKEEPER_APP_URL'
+                          end
+      remark_login_app_url = ENV.fetch(doorkeeper_app_key).presence
+      return false if remark_login_app_url.blank?
+
+      uri = URI("#{remark_login_app_url}/healthz")
+      res = Net::HTTP.get_response(uri)
+      if res.present?
+        @remark_oauth_login_available = true
+        return true
+      end
+
+      false
+    rescue StandardError => _e
+      false
+    end
+
+    def doorkeeper_oauth_client
+      doorkeeper_app_key = if ENV['COMPOSE'].present?
+                             'DOORKEEPER_INTERNAL_APP_URL'
+                           else
+                             'DOORKEEPER_APP_URL'
+                           end
+      prefix = '' # prefix = 'GROUP_' if ActsAsTenant.current_tenant.group_portal?
+      @doorkeeper_oauth_client = OAuth2::Client.new(
+          ENV.fetch("#{prefix}DOORKEEPER_APP_ID"),
+          ENV.fetch("#{prefix}DOORKEEPER_APP_SECRET"),
+          site: ENV.fetch("#{prefix}#{doorkeeper_app_key}")
+        )
+    end
+
+    def doorkeeper_access_token
+      return unless user_signed_in?
+
+      if @doorkeeper_access_token.nil?
+        @doorkeeper_access_token = OAuth2::AccessToken
+            .new(doorkeeper_oauth_client, current_user.doorkeeper_access_token)
+        store_remote_current_user_info_in_session if session[:remote_current_user].blank?
+      end
+
+      # Login.access_token = @doorkeeper_access_token
+
+      @doorkeeper_access_token
+    end
+
+    def redirect_to_remark_login
+      return if user_signed_in?
+      return if controller_name == 'session_timeouts'
+      return if controller_name == 'omniauth_callbacks'
+
+      # prevent redirects to paths that do not serve html (i.e session_timeouts)
+      store_location_for(:user, @stored_location_for_user.presence || root_path)
+      session[:remote_current_user] = nil
+
+      redirect_to user_doorkeeper_omniauth_authorize_path and return
+    end
+
+    def store_remote_current_user_info_in_session
+      return if controller_name == 'omniauth_callbacks' && action_name == 'failure'
+
+      response = @doorkeeper_access_token.get('api/v1/me')
+      session[:remote_current_user] = response.parsed if response.status == 200
+    rescue OAuth2::Error, StandardError => e
+      # oops, no connection possible
+      # capture for Sentry, clear tokens, logout and redirect to Login
+
+      Sentry.set_user(
+          uid: current_user&.uid,
+          doorkeeper_access_token: current_user&.doorkeeper_access_token,
+          doorkeeper_refresh_token: current_user&.doorkeeper_refresh_token
+        )
+      Sentry.capture_exception(e)
+
+      current_user&.update(doorkeeper_access_token: nil, doorkeeper_refresh_token: nil)
+      sign_out
+
+      redirect_to user_doorkeeper_omniauth_authorize_path and return
+    end
+
+    def clear_user_and_redirect_to_login(exception)
+      Sentry.set_user({
+        uid: current_user&.uid,
+        doorkeeper_access_token: current_user&.doorkeeper_access_token,
+        doorkeeper_refresh_token: current_user&.doorkeeper_refresh_token
+      })
+      Sentry.capture_exception(exception)
+      current_user&.update(doorkeeper_access_token: nil, doorkeeper_refresh_token: nil)
+      sign_out
+      redirect_to user_doorkeeper_omniauth_authorize_path and return
+    end
+  end
+end

data/lib/remark_login_client/errors.rb

@@ -0,0 +1,3 @@
+module RemarkLoginClient
+  class Error < StandardError; end
+end

data/lib/remark_login_client/models/concerns/user_methods.rb

@@ -0,0 +1,45 @@
+module RemarkLoginClient
+  module UserMethods
+    def self.included(klass)
+      klass.extend(ClassMethods)
+    end
+
+    module ClassMethods
+      def from_omniauth(auth)
+        # find existing email first, if not, try on uid for changed address
+        where(uid: [auth.uid, nil], email: auth.info.email)
+            .or(User.where(uid: auth.uid))
+            .first_or_create do |user|
+              user.uid = auth.uid if user.uid.blank?
+              user.email = auth.info.email
+              user.first_name = auth.info.first_name
+              user.last_name = auth.info.last_name
+              if User.method_defined? :locale
+                user.locale = auth.info.locale
+              end
+            end
+      end
+    end
+
+    def update_doorkeeper_credentials(auth)
+      update!(
+          email: auth.info.email,
+          first_name: auth.info.first_name,
+          last_name: auth.info.last_name,
+          doorkeeper_access_token: auth.credentials.token,
+          doorkeeper_refresh_token: auth.credentials.refresh_token,
+          uid: auth.info.login_user_key,
+          environment_links: auth.info.environment_links || {},
+          session_token: SecureRandom.hex
+        )
+    end
+
+    def provider
+      :doorkeeper
+    end
+
+    def authenticatable_salt
+      "#{super}#{session_token}"
+    end
+  end
+end

data/lib/remark_login_client/railtie.rb

@@ -0,0 +1,4 @@
+module RemarkLoginClient
+  class Railtie < ::Rails::Railtie
+  end
+end

data/lib/remark_login_client/version.rb

@@ -0,0 +1,3 @@
+module RemarkLoginClient
+  VERSION = '0.7'.freeze
+end

data/lib/remark_login_client.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require 'remark_login_client/railtie'
+require 'remark_login_client/version'
+
+require 'remark_login_client/controllers/concerns/authentication'
+require 'remark_login_client/models/concerns/user_methods'

metadata

@@ -0,0 +1,120 @@
+--- !ruby/object:Gem::Specification
+name: remark_login_client
+version: !ruby/object:Gem::Version
+  version: '0.7'
+platform: ruby
+authors:
+- Nick Rockx
+bindir: bin
+cert_chain: []
+date: 2025-10-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.9'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.9'
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: omniauth-rails_csrf_protection
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: dotenv-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: This gem/plugin is used in applications that have sections for which
+  users need to login via the ReMark Login application
+email:
+- nick.rockx@scordigitalsolutions.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/devise/omniauth.rb
+- lib/omniauth/strategies/doorkeeper.rb
+- lib/remark_login_client.rb
+- lib/remark_login_client/controllers/concerns/authentication.rb
+- lib/remark_login_client/errors.rb
+- lib/remark_login_client/models/concerns/user_methods.rb
+- lib/remark_login_client/railtie.rb
+- lib/remark_login_client/version.rb
+homepage: https://bitbucket.org/ivaldi/remark-login_client/src/development/
+licenses: []
+metadata:
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.3
+specification_version: 4
+summary: Gem to connect a client application to ReMark Login for authentication
+test_files: []