rockauth 0.0.1.pre2

data/lib/rockauth/authenticator/response.rb

@@ -0,0 +1,32 @@
+module Rockauth
+  class Authenticator::Response < Struct.new(:success, :resource_owner, :authentication)
+    alias_method :success?, :success
+
+    def apply
+      self.success = authentication.save
+      self.resource_owner = authentication.resource_owner # owner is set before_validation
+    end
+
+    def error
+      unless success
+        @error ||= Errors::ControllerError.new 400, I18n.t("rockauth.errors.authentication_failed"), authentication.try(:errors).as_json
+      end
+    end
+
+    def render
+      if success?
+        render_success
+      else
+        render_error
+      end
+    end
+
+    def render_success
+      { json: authentication, status: 200 }
+    end
+
+    def render_error
+      Rockauth::Configuration.error_renderer.call(error)
+    end
+  end
+end

data/lib/rockauth/client.rb

@@ -0,0 +1,4 @@
+module Rockauth
+  Client = Struct.new(:id, :secret, :title) do
+  end
+end

data/lib/rockauth/configuration.rb

@@ -0,0 +1,51 @@
+module Rockauth
+  Configuration = Struct.new(*%i(allowed_password_length email_regexp token_time_to_live clients
+                                 resource_owner_class warn_missing_social_auth_gems providers jwt
+                                 serializers generate_active_admin_resources active_admin_menu_name error_renderer)) do
+    def resource_owner_class= arg
+      @constantized_resource_owner_class = nil
+      @resource_owner_class = arg
+    end
+    def resource_owner_class
+      @constantized_resource_owner_class ||= (@resource_owner_class.respond_to?(:constantize) ?  @resource_owner_class.constantize : @resource_owner_class)
+    end
+  end.new.tap do |config|
+    config.allowed_password_length = 8..72
+    config.email_regexp = /\A[^@\s]+@([^@\s]+\.)+[^@\W]+\z/
+    config.token_time_to_live = 365 * 24 * 60 * 60
+    config.clients = []
+    config.resource_owner_class = 'Rockauth::User'
+    config.warn_missing_social_auth_gems = true
+
+    config.providers = Struct.new(*%i(twitter instagram google_plus)).new.tap do |providers|
+      %i(twitter instagram google_plus).each do |provider|
+        providers.public_send("#{provider}=", {})
+      end
+    end
+
+    config.jwt = Struct.new(*%i(secret issuer signing_method)).new.tap do |jwt_config|
+      jwt_config.secret = ''
+      jwt_config.issuer = ''
+      jwt_config.signing_method = 'HS256'
+    end
+
+    config.serializers = Struct.new(*%i(error user authentication provider_authentication)).new.tap do |serializers|
+      serializers.error                   = "Rockauth::ErrorSerializer"
+      serializers.user                    = "Rockauth::UserSerializer"
+      serializers.authentication          = "Rockauth::AuthenticationSerializer"
+      serializers.provider_authentication = "Rockauth::ProviderAuthenticationSerializer"
+    end
+
+    config.generate_active_admin_resources = nil
+    config.active_admin_menu_name = 'Authentication'
+
+    config.error_renderer = -> error do
+      { json: error, serializer: Rockauth::Configuration.serializers.error.safe_constantize, status: error.status_code }
+    end
+  end
+
+  def self.configure
+    yield Configuration if block_given?
+    Configuration
+  end
+end

data/lib/rockauth/controllers.rb

@@ -0,0 +1,5 @@
+module Rockauth
+  module Controllers
+    autoload :Authentication, 'rockauth/controllers/authentication'
+  end
+end

data/lib/rockauth/controllers/authentication.rb

@@ -0,0 +1,36 @@
+module Rockauth
+  module Controllers::Authentication
+    extend ActiveSupport::Concern
+
+    def render_error status_code=500, message=I18n.t("rockauth.errors.server_error"), validation_errors=nil
+      error = Errors::ControllerError.new(status_code, message, validation_errors)
+      render Rockauth::Configuration.error_renderer.call(error)
+    end
+
+    def render_unauthorized
+      render_error 401, I18n.t("rockauth.errors.unauthorized")
+    end
+
+    def authenticate_resource_owner!
+      render_unauthorized unless current_authentication.try(:active?)
+    end
+
+    def current_resource_owner
+      @current_resource_owner ||= current_authentication.try(:resource_owner)
+    end
+
+    def current_authentication
+      if @_authentication_checked
+        @current_authentication
+      else
+        @_authentication_checked = true
+        @current_authentication = Authenticator.verified_authentication_for_request request, self
+      end
+    end
+    included do
+      include ActionController::Helpers # TODO: we dont want to force apis to have helpers if we can avoid it.....
+      helper_method :current_resource_owner
+      helper_method :current_authentication
+    end
+  end
+end

data/lib/rockauth/engine.rb

@@ -0,0 +1,15 @@
+require 'rails-api'
+
+module Rockauth
+  class Engine < ::Rails::Engine
+    initializer "rockauth.inject.controller_concern" do
+      ActionController::API.send :include, Rockauth::Controllers::Authentication
+    end
+
+    initializer "rockauth.load_active_admin_resources" do
+      if Rockauth::Configuration.generate_active_admin_resources || Rockauth::Configuration.generate_active_admin_resources.nil? && defined?(ActiveAdmin)
+        ActiveAdmin.application.load_paths += [File.expand_path(File.dirname(__FILE__) + '../../../app/admin')]
+      end
+    end
+  end
+end

data/lib/rockauth/errors.rb

@@ -0,0 +1,18 @@
+require 'active_model'
+
+module Rockauth
+  module Errors
+    ControllerError = Struct.new(:status_code, :message, :validation_errors) do
+      extend ActiveModel::Naming
+      include ActiveModel::Serialization
+
+      def self.model_name
+        'Error'
+      end
+
+      def self.active_model_serializer
+        Rockauth::Configuration.serializers.error.safe_constantize
+      end
+    end
+  end
+end

data/lib/rockauth/models.rb

@@ -0,0 +1,9 @@
+module Rockauth
+  module Models
+    autoload :Authentication,         'rockauth/models/authentication'
+    autoload :ProviderAuthentication, 'rockauth/models/provider_authentication'
+    autoload :ProviderValidation,     'rockauth/models/provider_validation'
+    autoload :ResourceOwner,          'rockauth/models/resource_owner'
+    autoload :User,                   'rockauth/models/user'
+  end
+end

data/lib/rockauth/models/authentication.rb

@@ -0,0 +1,151 @@
+require 'jwt'
+
+module Rockauth
+  module Models::Authentication
+    extend ActiveSupport::Concern
+
+    def client
+      @client ||= if client_id.present?
+                    Configuration.clients.find { |c| c.id == client_id }
+                  end
+    end
+
+    def password?
+      auth_type == 'password'
+    end
+
+    def assertion?
+      auth_type == 'assertion'
+    end
+
+    def registration?
+      auth_type == 'registration'
+    end
+
+    def time_to_live= t
+      @time_to_live = t
+    end
+
+    def time_to_live
+      @time_to_live ||= Configuration.token_time_to_live
+    end
+
+    def generate_token_id
+      self.token_id ||= SecureRandom.base64(24)
+    end
+
+    def hash_token_id
+      self.hashed_token_id ||= self.class.hash_token_id token_id
+    end
+
+    def active?
+      Time.at(expiration) > Time.now
+    end
+
+    def valid_payload? payload
+      active? && payload['iat'] == issued_at && payload['exp'] == expiration
+    end
+
+    def generate_token
+      self.token ||= JWT.encode jwt_payload, Configuration.jwt.secret, Configuration.jwt.signing_method
+    end
+
+    def jwt_payload
+      {
+        iss: Configuration.jwt.issuer,
+        iat: issued_at,
+        exp: expiration,
+        aud: client_id,
+        sub: resource_owner_id,
+        jti: token_id
+      }
+    end
+
+    module ClassMethods
+      def rockauth_authentication include_associations: true, provider_authentication_class_name: "Rockauth::ProviderAuthentication"
+        if include_associations
+          belongs_to :resource_owner, polymorphic: true, inverse_of: :authentications
+          belongs_to :provider_authentication, class_name: provider_authentication_class_name
+
+          accepts_nested_attributes_for :provider_authentication
+        end
+
+        scope :expired, -> { where('expiration <= ?', Time.now.to_i) }
+        scope :unexpired, -> { where('expiration > ?', Time.now.to_i) }
+
+        %i(resource_owner_class password username token_id token client_secret).each do |key|
+          attr_accessor key
+        end
+
+        validates_presence_of  :auth_type
+        validates_inclusion_of :auth_type,     in: %w(password assertion registration)
+        validates_presence_of  :client_id
+        validates_presence_of  :client_secret, on: :create
+        validates_presence_of  :resource_owner
+        validates_presence_of  :expiration
+        validates_presence_of  :issued_at
+        validates_presence_of  :auth_type
+
+        before_validation on: :create do
+          self.expiration ||= Time.now.to_i + time_to_live
+          self.issued_at ||= Time.now.to_i
+
+          if password?
+            self.resource_owner = resource_owner_class.with_username(username).first
+          elsif assertion?
+            build_provider_authentication unless self.provider_authentication.present?
+            provider_authentication.authentication = self
+            self.provider_authentication = provider_authentication.exchange
+            self.resource_owner = provider_authentication.resource_owner
+          end
+
+          true
+        end
+
+        validates_presence_of :username, if: :password?, on: :create
+        validates_presence_of :password, if: :password?, on: :create
+        validate on: :create, if: :password? do
+          if resource_owner.present? && !resource_owner.authenticate(password)
+            errors.add :password, :invalid
+          end
+        end
+
+        validates_presence_of :provider_authentication, if: :assertion?, on: :create
+
+        validate on: :create do
+          if client.blank?
+            errors.add :client_id, :invalid
+          elsif client.secret != client_secret
+            errors.add :client_secret, :invalid
+          end
+        end
+
+        before_create do
+          generate_token_id
+          generate_token
+          hash_token_id
+          true
+        end
+
+        class << self
+          def for_token token
+            begin
+              payload = JWT.decode(token, Configuration.jwt.secret).first
+              authentication = where(hashed_token_id: hash_token_id(payload['jti'])).first
+              authentication if authentication.present? && authentication.valid_payload?(payload)
+            rescue JWT::VerificationError => e
+              Rails.logger.error "[Rockauth] Possible Forgery Attempt: #{e}"
+              nil
+            rescue JWT::DecodeError
+              nil
+            end
+          end
+
+          def hash_token_id jti
+            Digest::SHA2.hexdigest jti
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rockauth/models/provider_authentication.rb

@@ -0,0 +1,59 @@
+module Rockauth
+  module Models::ProviderAuthentication
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      def provider_authentication include_associations: true, authentication_class_name: 'Rockauth::Authentication'
+
+        if include_associations
+          belongs_to :resource_owner, polymorphic: true, inverse_of: :provider_authentications
+          has_many :authentications, class_name: authentication_class_name, dependent: :nullify
+        end
+
+        attr_accessor :authentication
+
+        validates_presence_of   :resource_owner
+        validates_uniqueness_of :provider_user_id, scope: :provider
+        validates_presence_of   :provider
+        validates_presence_of   :provider_user_id
+        validates_presence_of   :provider_access_token
+
+        validate :validate_attributes_unchangable
+
+        delegate :resource_owner_class, to: :authentication
+
+        define_method :validate_attributes_unchangable do
+          %i(resource_owner_id resource_owner_type provider provider_user_id).each do |key|
+            errors.add key, :rockauth_cannot_be_changed if !new_record? && public_send(:"#{key}_changed?")
+          end
+        end
+
+        define_method :exchange do
+          result = self
+
+          configure_from_provider
+
+          if provider_user_id.present? && provider.present?
+            result = self.class.where(provider: provider, provider_user_id: provider_user_id).first
+            if result.present?
+              result.provider_user_information = provider_user_information
+              result.assign_attributes_from_provider
+              result
+            else
+              handle_missing_resource_owner_on_valid_assertion
+              result = self
+            end
+          end
+
+          result
+        end
+
+        define_method :handle_missing_resource_owner_on_valid_assertion do
+          self.resource_owner = resource_owner_class.new
+          resource_owner.assign_attributes_from_provider_user(provider_user_information)
+          resource_owner.provider_authentications << self
+        end
+      end
+    end
+  end
+end

data/lib/rockauth/models/provider_validation.rb

@@ -0,0 +1,61 @@
+module Rockauth
+  module Models::ProviderValidation
+    extend ActiveSupport::Concern
+    attr_accessor :provider_user_information
+
+    included do
+      validates_inclusion_of :provider, in: ->(instance) { instance.class.valid_networks }
+      attr_accessor :skip_provider_authentication
+      before_validation :configure_from_provider, unless: :skip_provider_authentication
+
+      def configure_from_provider
+        if provider.present? && self.class.valid_networks.include?(provider)
+          self.provider_user_information = instance_exec &self.class.network_validator(provider)
+          assign_attributes_from_provider
+        end
+
+        true
+      end
+
+      def assign_attributes_from_provider
+        return unless provider_user_information.present?
+        self.provider_user_id = provider_user_information.user_id
+      end
+
+      { facebook: 'fb_graph2', instagram: 'instagram', twitter: 'twitter', google_plus: nil }.each do |key, value|
+        begin
+          require value if value.present?
+          provider_network key do
+            ProviderUserInformation.for_provider(provider, provider_access_token, provider_access_token_secret)
+          end
+        rescue LoadError
+          if Rockauth::Configuration.warn_missing_social_auth_gems
+            warn "Rockauth: Could not load the #{value} gem, #{key.to_s.humanize} provider authentication disabled"
+          end
+        end
+      end
+    end
+
+
+    module ClassMethods
+      def inherited subclass
+        super
+        subclass.instance_variable_set :@network_validator_configuration, (@network_validator_configuration || {}).dup
+      end
+
+      def provider_network provider, &block
+        fail ArgumentError, "no block given" unless block_given?
+        @network_validator_configuration ||= {}
+        @network_validator_configuration[provider.to_s] = block
+      end
+
+      def valid_networks
+        @network_validator_configuration.keys
+      end
+
+      def network_validator provider
+        @network_validator_configuration[provider.to_s]
+      end
+    end
+  end
+end