rodauth-oauth 0.5.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7324d08b229d4bfdea92df95c769539570565e161d758a38d95bea50f78fda96
-  data.tar.gz: c421e4886baf39eb9ebe04e6919c6ab292d3c85dbc32bc78e5d8992c17a40816
+  metadata.gz: 91f66a3575e9f63b13eac64e44c3ce768fb5904ce5e77e0239e3f1f437c21fbf
+  data.tar.gz: bb80d8836f4ad0b99b8e75458861c36526b9a60e623f6d799ff88a751bfe9bc0
 SHA512:
-  metadata.gz: 4ba7e8a7975260618034285b77d4489416fe368c500b31516e7dd69d89e75863e18bebdb4868a72caa61fa2ed93541f1da6ea1c9c9d4cf15072bf4008209a1a9
-  data.tar.gz: 87e9f031183ede6af4f338f60ff5ae5f7a8581412068abb484b5312de4a6962fcaa68cb95eae8aab7c755adc4e1c0ada6e3e19b009ece35d4902cc84d1ab1e01
+  metadata.gz: '09a5d103d91e13b011456259b255ddd930692e5f50b9ebc892fa86c8ac48006e2815f7339cb10cf1d710eefd5ae18da56a08e43aedd47002bcbaa1cf82c59c6d'
+  data.tar.gz: 745409245789cb8e77a50724192b126e047a5258827bdec765bd2ff07ff3ff4c77bb44463bc513f384f35a3e470f67496a1f12a56777cb27c6af36e903febb7f

data/CHANGELOG.md

@@ -2,6 +2,58 @@
 
 ## master
 
+### 0.7.0 (02/12/2021)
+
+#### Features
+
+* Internationalization (i18n) support by hooking on [rodauth-oauth](https://github.com/janko/rodauth-i18n).
+  * Sets all text using `translatable_method`.
+  * Provides english translations for all `rodauth-oauth` related user facing text.
+
+#### Improvements
+
+* Enable CORS requests for OpenID configuration endpoint (@ianks)
+* Introspect endpoint now exposes the `exp` token property (@gmanley)
+
+#### Bugfixes
+
+*  on rotation policy, although the first refresh token was invalidated, a new one wasn't being provided. This change allows a new refresh token to be generated and exposed in the response (@gmanley)
+
+#### Chore
+
+Setting `rodauth` minimal supported version to `2.0.0`.
+
+### 0.6.1 (08/09/2021)
+
+#### Bugfixes
+
+* Fixed rails view templates escaping.
+* Fixed declaration of authorize template in the generator.
+
+### 0.6.0 (21/05/2021)
+
+### Improvements
+
+* RBS signatures
+
+### Chore
+
+* Ruby 3 and Truffleruby are now officially supported and tested in CI.
+
+### 0.5.1 (19/03/2021)
+
+#### Improvements
+
+* Changing "Callback URL" to "Redirect URL" in default templates;
+
+#### Bugfixes
+
+* (rails integration) Fixed templates location;
+* (rails integration) Fixed migration name from generator;
+* (rails integration) fixed links, html tags, styling and unassigned variables from a few view templates;
+* `oauth_application_path` is now compliant with prefixes and other url helpers, while now having a `oauth_application_url` counterpart;
+* (rails integration) skipping csrf checks for "/userinfo" request (OIDC)
+
 ### 0.5.0 (08/02/2021)
 
 #### RP-Initiated Logout

data/README.md

@@ -516,7 +516,7 @@ payload = json.parse(response.to_s)
 puts payload #=> {
 # "access_token" => ....
 # "mac_key" => ....
-# "mac_algorithm" => 
+# "mac_algorithm" =>
 ```
 
 which you'll be able to use to generate the mac signature to send in the "Authorization" header.
@@ -565,7 +565,7 @@ plugin :rodauth do
   enable :oauth_jwt
   oauth_jwt_key rsa_private
   oauth_jwt_public_key rsa_public
-  oauth_jwt_algorithm "RS256" 
+  oauth_jwt_algorithm "RS256"
 end
 ```
 
@@ -581,7 +581,7 @@ plugin :rodauth do
   enable :oauth_jwt
   oauth_jwt_jwk_key rsa_private
   oauth_jwt_jwk_public_key rsa_public
-  oauth_jwt_jwk_algorithm "RS256" 
+  oauth_jwt_jwk_algorithm "RS256"
 end
 ```
 
@@ -627,17 +627,25 @@ puts payload #=> {
 
 You'll still need the "oauth_tokens" table, however you can remove the "token" column.
 
+#### Internationalization (i18n)
+
+`rodauth-oauth` supports translating all user-facing text found in all pages and forms, by integrating with [rodauth-i18n](https://github.com/janko/rodauth-i18n). Just set it up in your application and `rodauth` configuration.
+
+Default translations shipping with `rodauth-oauth` can be found [in this directory](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/locales). If they're not available for the languages you'd like to support, consider getting them translated from the english text, and contributing them to this repository via a Merge Request.
+
+(This feature is available since `v0.7`.)
+
 #### Caveats
 
 Although very handy for the mentioned use case, one can't revoke a JWT token on demand (it must expire first).
 
 ## Ruby support policy
 
-The minimum Ruby version required to run `rodauth-oauth` is 2.3 . Besides that, it should support all rubies that rodauth and roda support, including JRuby and (potentially, I don't know yet) truffleruby.
+The minimum Ruby version required to run `rodauth-oauth` is 2.3 . Besides that, it should support all rubies that rodauth and roda support, including JRuby and truffleruby.
 
-### JRuby
+### Rails
 
-If you're interested in using this library in rails, be sure to check `rodauth-rails` policy, as it supports rails 5.2 upwards.
+If you're interested in using this library with rails, be sure to check `rodauth-rails` policy, as it supports rails 5.2 upwards.
 
 ## Development
 
@@ -646,4 +654,3 @@ After checking out the repo, run `bundle install` to install dependencies. Then,
 ## Contributing
 
 Bug reports and pull requests are welcome on Gitlab at https://gitlab.com/honeyryderchuck/rodauth-oauth.
-

data/lib/generators/{roda → rodauth}/oauth/templates/db/migrate/create_rodauth_oauth.rb

@@ -1,4 +1,4 @@
-class CreateRodauthOAuth < ActiveRecord::Migration<%= migration_version %>
+class CreateRodauthOauth < ActiveRecord::Migration<%= migration_version %>
   def change
     create_table :oauth_applications do |t|
       t.integer :account_id

data/lib/generators/{roda → rodauth}/oauth/views_generator.rb

@@ -9,7 +9,7 @@ module Rodauth::OAuth
         source_root "#{__dir__}/templates"
         namespace "rodauth:oauth:views"
 
-        DEFAULT = %w[oauth_authorize].freeze
+        DEFAULT = %w[authorize].freeze
         VIEWS = {
           oauth_authorize: DEFAULT,
           oauth_applications: %w[oauth_applications oauth_application new_oauth_application]

data/lib/rodauth/features/oauth.rb

@@ -9,7 +9,7 @@ require "rodauth/oauth/ttl_store"
 require "rodauth/oauth/database_extensions"
 
 module Rodauth
-  Feature.define(:oauth) do
+  Feature.define(:oauth, :Oauth) do
     # RUBY EXTENSIONS
     unless Regexp.method_defined?(:match?)
       # If you wonder why this is there: the oauth feature uses a refinement to enhance the
@@ -139,7 +139,15 @@ module Rodauth
     auth_value_method :already_in_use_response_status, 409
 
     # OAuth Applications
-    auth_value_method :oauth_applications_path, "oauth-applications"
+    auth_value_method :oauth_applications_route, "oauth-applications"
+    def oauth_applications_path(opts = {})
+      route_path(oauth_applications_route, opts)
+    end
+
+    def oauth_applications_url(opts = {})
+      route_url(oauth_applications_route, opts)
+    end
+
     auth_value_method :oauth_applications_table, :oauth_applications
 
     auth_value_method :oauth_applications_id_column, :id
@@ -160,24 +168,24 @@ module Rodauth
     auth_value_method :oauth_token_type, "bearer"
     auth_value_method :oauth_refresh_token_protection_policy, "none" # can be: none, sender_constrained, rotation
 
-    auth_value_method :invalid_client_message, "Invalid client"
-    auth_value_method :invalid_grant_type_message, "Invalid grant type"
-    auth_value_method :invalid_grant_message, "Invalid grant"
-    auth_value_method :invalid_scope_message, "Invalid scope"
+    translatable_method :invalid_client_message, "Invalid client"
+    translatable_method :invalid_grant_type_message, "Invalid grant type"
+    translatable_method :invalid_grant_message, "Invalid grant"
+    translatable_method :invalid_scope_message, "Invalid scope"
 
-    auth_value_method :invalid_url_message, "Invalid URL"
-    auth_value_method :unsupported_token_type_message, "Invalid token type hint"
+    translatable_method :invalid_url_message, "Invalid URL"
+    translatable_method :unsupported_token_type_message, "Invalid token type hint"
 
-    auth_value_method :unique_error_message, "is already in use"
-    auth_value_method :null_error_message, "is not filled"
-    auth_value_method :already_in_use_message, "error generating unique token"
+    translatable_method :unique_error_message, "is already in use"
+    translatable_method :null_error_message, "is not filled"
+    translatable_method :already_in_use_message, "error generating unique token"
     auth_value_method :already_in_use_error_code, "invalid_request"
 
     # PKCE
     auth_value_method :code_challenge_required_error_code, "invalid_request"
-    auth_value_method :code_challenge_required_message, "code challenge required"
+    translatable_method :code_challenge_required_message, "code challenge required"
     auth_value_method :unsupported_transform_algorithm_error_code, "invalid_request"
-    auth_value_method :unsupported_transform_algorithm_message, "transform algorithm not supported"
+    translatable_method :unsupported_transform_algorithm_message, "transform algorithm not supported"
 
     # METADATA
     auth_value_method :oauth_metadata_service_documentation, nil
@@ -192,6 +200,7 @@ module Rodauth
     auth_value_method :oauth_unique_id_generation_retries, 3
 
     auth_value_methods(
+      :oauth_application_path,
       :fetch_access_token,
       :oauth_unique_id_generator,
       :secret_matches?,
@@ -363,9 +372,13 @@ module Rodauth
       end
     end
 
+    def oauth_application_path(id)
+      "#{oauth_applications_path}/#{id}"
+    end
+
     # /oauth-applications routes
     def oauth_applications
-      request.on(oauth_applications_path) do
+      request.on(oauth_applications_route) do
         require_account
 
         request.get "new" do
@@ -422,16 +435,20 @@ module Rodauth
         false
       when revoke_path
         !json_request?
-      when authorize_path, %r{/#{oauth_applications_path}}
+      when authorize_path, oauth_applications_path
         only_json? ? false : super
       else
         super
       end
     end
 
-    # Overrides logged_in?, so that a valid authorization token also authnenticates a request
-    def logged_in?
-      super || authorization_token
+    # Overrides session_value, so that a valid authorization token also authenticates a request
+    def session_value
+      super || begin
+        return unless authorization_token
+
+        authorization_token[oauth_tokens_account_id_column]
+      end
     end
 
     def accepts_json?
@@ -449,10 +466,6 @@ module Rodauth
       end
     end
 
-    def initialize(scope)
-      @scope = scope
-    end
-
     def scopes
       scope = request.params["scope"]
       case scope
@@ -551,12 +564,11 @@ module Rodauth
       self.class.__send__(:include, Rodauth::OAuth::ExtendDatabase(db))
 
       # Check whether we can reutilize db entries for the same account / application pair
-      one_oauth_token_per_account = begin
-        db.indexes(oauth_tokens_table).values.any? do |definition|
-          definition[:unique] &&
-            definition[:columns] == oauth_tokens_unique_columns
-        end
+      one_oauth_token_per_account = db.indexes(oauth_tokens_table).values.any? do |definition|
+        definition[:unique] &&
+          definition[:columns] == oauth_tokens_unique_columns
       end
+
       self.class.send(:define_method, :__one_oauth_token_per_account) { one_oauth_token_per_account }
     end
 
@@ -1091,6 +1103,14 @@ module Rodauth
                           oauth_tokens_scopes_column => oauth_token[oauth_tokens_scopes_column]
                         }
 
+                        refresh_token = oauth_unique_id_generator
+
+                        if oauth_tokens_refresh_token_hash_column
+                          insert_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
+                        else
+                          insert_params[oauth_tokens_refresh_token_column] = refresh_token
+                        end
+
                         # revoke the refresh token
                         oauth_tokens_ds.where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
                                        .update(oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
@@ -1104,6 +1124,7 @@ module Rodauth
                       end
 
         oauth_token[oauth_tokens_token_column] = token
+        oauth_token[oauth_tokens_refresh_token_column] = refresh_token if refresh_token
         oauth_token
       end
     end
@@ -1129,7 +1150,8 @@ module Rodauth
         scope: token[oauth_tokens_scopes_column],
         client_id: oauth_application[oauth_applications_client_id_column],
         # username
-        token_type: oauth_token_type
+        token_type: oauth_token_type,
+        exp: token[oauth_tokens_expires_in_column].to_i
       }
     end
 
@@ -1350,7 +1372,7 @@ module Rodauth
         issuer: issuer,
         authorization_endpoint: authorize_url,
         token_endpoint: token_url,
-        registration_endpoint: route_url(oauth_applications_path),
+        registration_endpoint: oauth_applications_url,
         scopes_supported: oauth_application_scopes,
         response_types_supported: responses_supported,
         response_modes_supported: response_modes_supported,

data/lib/rodauth/features/oauth_http_mac.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  Feature.define(:oauth_http_mac) do
+  Feature.define(:oauth_http_mac, :OauthHttpMac) do
     unless String.method_defined?(:delete_prefix)
       module PrefixExtensions
         refine(String) do

data/lib/rodauth/features/oauth_jwt.rb

@@ -3,7 +3,7 @@
 require "rodauth/oauth/ttl_store"
 
 module Rodauth
-  Feature.define(:oauth_jwt) do
+  Feature.define(:oauth_jwt, :OauthJwt) do
     depends :oauth
 
     JWKS = OAuth::TtlStore.new
@@ -33,8 +33,8 @@ module Rodauth
     auth_value_method :oauth_jwt_jwe_copyright, nil
     auth_value_method :oauth_jwt_audience, nil
 
-    auth_value_method :request_uri_not_supported_message, "request uri is unsupported"
-    auth_value_method :invalid_request_object_message, "request object is invalid"
+    translatable_method :request_uri_not_supported_message, "request uri is unsupported"
+    translatable_method :invalid_request_object_message, "request object is invalid"
 
     auth_value_methods(
       :jwt_encode,
@@ -62,6 +62,15 @@ module Rodauth
       authorization_required unless scopes.any? { |scope| token_scopes.include?(scope) }
     end
 
+    # Overrides session_value, so that a valid authorization token also authenticates a request
+    def session_value
+      super || begin
+        return unless authorization_token
+
+        authorization_token["sub"]
+      end
+    end
+
     private
 
     unless method_defined?(:last_account_login_at)

data/lib/rodauth/features/oauth_saml.rb

@@ -3,7 +3,7 @@
 require "onelogin/ruby-saml"
 
 module Rodauth
-  Feature.define(:oauth_saml) do
+  Feature.define(:oauth_saml, :OauthSaml) do
     depends :oauth
 
     auth_value_method :oauth_saml_cert_fingerprint, "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"

data/lib/rodauth/features/oidc.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  Feature.define(:oidc) do
+  Feature.define(:oidc, :Oidc) do
     # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
     OIDC_SCOPES_MAP = {
       "profile" => %i[name family_name given_name middle_name nickname preferred_username
@@ -68,7 +68,7 @@ module Rodauth
     auth_value_method :oauth_grants_nonce_column, :nonce
     auth_value_method :oauth_tokens_nonce_column, :nonce
 
-    auth_value_method :invalid_scope_message, "The Access Token expired"
+    translatable_method :invalid_scope_message, "The Access Token expired"
 
     auth_value_method :webfinger_relation, "http://openid.net/specs/connect/1.0/issuer"
 
@@ -186,6 +186,8 @@ module Rodauth
 
     def openid_configuration(alt_issuer = nil)
       request.on(".well-known/openid-configuration") do
+        allow_cors(request)
+
         request.get do
           json_response_success(openid_configuration_body(alt_issuer), cache: true)
         end
@@ -215,6 +217,15 @@ module Rodauth
       end
     end
 
+    def check_csrf?
+      case request.path
+      when userinfo_path
+        false
+      else
+        super
+      end
+    end
+
     private
 
     def require_authorizable_account
@@ -484,5 +495,15 @@ module Rodauth
           (val.respond_to?(:empty?) && val.empty?)
       end
     end
+
+    def allow_cors(request)
+      return unless request.request_method == "OPTIONS"
+
+      response["Access-Control-Allow-Origin"] = "*"
+      response["Access-Control-Allow-Methods"] = "GET, OPTIONS"
+      response["Access-Control-Max-Age"] = "3600"
+      response.status = 200
+      request.halt
+    end
   end
 end

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.5.0"
+    VERSION = "0.7.0"
   end
 end

data/lib/rodauth/oauth.rb

@@ -5,3 +5,5 @@ require "rodauth"
 require "rodauth/oauth/version"
 
 require "rodauth/oauth/railtie" if defined?(Rails)
+
+Rodauth::I18n.directories << File.expand_path(File.join(__dir__, "..", "..", "locales")) if defined?(Rodauth::I18n)

data/locales/en.yml

@@ -0,0 +1,34 @@
+en:
+  rodauth:
+    require_authorization_error_flash: "Please authorize to continue"
+    create_oauth_application_error_flash: "There was an error registering your oauth application"
+    create_oauth_application_notice_flash: "Your oauth application has been registered"
+    revoke_oauth_token_notice_flash: "The oauth token has been revoked"
+    oauth_authorize_title: "Authorize"
+    oauth_oauth_applications_page_title: "Oauth Applications"
+    oauth_oauth_application_page_title: "Oauth Application"
+    oauth_new_oauth_application_page_title: "New Oauth Application"
+    oauth_oauth_tokens_page_title: "Oauth Tokens"
+    name_label: "Name"
+    description_label: "Description"
+    scopes_label: "Scopes"
+    homepage_url_label: "Homepage URL"
+    redirect_uri_label: "Redirect URL"
+    client_secret_label: "Client Secret"
+    client_id_label: "Client ID"
+    oauth_applications_button: "Register"
+    oauth_authorize_button: "Authorize"
+    oauth_token_revoke_button: "Revoke"
+    oauth_authorize_post_button: "Back to Client Application"
+    invalid_grant_message: "Invalid grant"
+    invalid_scope_message: "Invalid scope"
+    invalid_url_message: "Invalid URL"
+    unsupported_token_type_message: "Invalid token type hint"
+    unique_error_message: "is already in use"
+    null_error_message: "is not filled"
+    already_in_use_message: "error generating unique token"
+    code_challenge_required_message: "code challenge required"
+    unsupported_transform_algorithm_message: "transform algorithm not supported"
+    request_uri_not_supported_message: "request uri is unsupported"
+    invalid_request_object_message: "request object is invalid"
+    invalid_scope_message: "The Access Token expired"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.7.0
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-02-08 00:00:00.000000000 Z
+date: 2021-12-02 00:00:00.000000000 Z
 dependencies: []
 description: Implementation of the OAuth 2.0 protocol on top of rodauth.
 email:
@@ -23,12 +23,12 @@ files:
 - CHANGELOG.md
 - LICENSE.txt
 - README.md
-- lib/generators/roda/oauth/install_generator.rb
-- lib/generators/roda/oauth/templates/app/models/oauth_application.rb
-- lib/generators/roda/oauth/templates/app/models/oauth_grant.rb
-- lib/generators/roda/oauth/templates/app/models/oauth_token.rb
-- lib/generators/roda/oauth/templates/db/migrate/create_rodauth_oauth.rb
-- lib/generators/roda/oauth/views_generator.rb
+- lib/generators/rodauth/oauth/install_generator.rb
+- lib/generators/rodauth/oauth/templates/app/models/oauth_application.rb
+- lib/generators/rodauth/oauth/templates/app/models/oauth_grant.rb
+- lib/generators/rodauth/oauth/templates/app/models/oauth_token.rb
+- lib/generators/rodauth/oauth/templates/db/migrate/create_rodauth_oauth.rb
+- lib/generators/rodauth/oauth/views_generator.rb
 - lib/rodauth/features/oauth.rb
 - lib/rodauth/features/oauth_http_mac.rb
 - lib/rodauth/features/oauth_jwt.rb
@@ -39,6 +39,7 @@ files:
 - lib/rodauth/oauth/railtie.rb
 - lib/rodauth/oauth/ttl_store.rb
 - lib/rodauth/oauth/version.rb
+- locales/en.yml
 - templates/authorize.str
 - templates/client_secret_field.str
 - templates/description_field.str
@@ -71,7 +72,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.2.22
 signing_key:
 specification_version: 4
 summary: Implementation of the OAuth 2.0 protocol on top of rodauth.