rodauth-oauth 0.5.1 → 0.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 366fa7201a8cb26525b2abdfab0c4108a4afbef4fa8697cf57e874919eda2afd
-  data.tar.gz: 958b9fd8b4cd2996a85b96fac6dff6a6b35832adcdaed4d81e20842041a1299e
+  metadata.gz: 0e6a9da692805069b0250b975d86c02f81af6bd1cc80ce24ecbc92ea6d3fef14
+  data.tar.gz: c4996d52e4119f6a2d8fde3f0149f8deadb609324fb894c99d5fbcdf836efd4c
 SHA512:
-  metadata.gz: fb496f7d438c0447ba4ef899f9ec37549cea355fb5c670818cd040970c1316c13442caa58aebc4ea66cd92f2f369d6ff7c39b502190e2d4fec2f95d5e27b4279
-  data.tar.gz: 73048d860285b29056ade97d9092103e2cae18fa9967df603ddce9c83c10fd5c44891e7282f3195d0b79b2d73bf12c748483a811f404d50fb29df40da26a6bf4
+  metadata.gz: d8ec7872e8997019182b04a40c11f5db1e272de0bcceada11f870d706f2646aca911239d1f01876f26126e0936938a6ea233f312304410ce0c35d3964ebe7f1f
+  data.tar.gz: 4a5df07c4da7c30803d7cb513c87ca6296b205dcdae89eb3ab475aa6780a4b37acd0e3b3bae5d43372eb8f9d3a92bd30a761ad7cda269d18d7bc16658f719768

data/CHANGELOG.md

@@ -2,6 +2,55 @@
 
 ## master
 
+### 0.7.1 (05/12/2021)
+
+#### Improvements
+
+* Adapted the `rodauth-i18n` configuration to comply with the guidelines for `v0.2.0` (which is the defacto minimmal supported version).
+
+#### Bugfixes
+
+* `convert_timestamp` was removed from the templates, as it's private API.
+* Several missing or wrong URLs in templates fixed (authorize form was wrongly processing scopes when none was selected).
+
+### 0.7.0 (02/12/2021)
+
+#### Features
+
+* Internationalization (i18n) support by hooking on [rodauth-i18n](https://github.com/janko/rodauth-i18n).
+  * Sets all text using `translatable_method`.
+  * Provides english translations for all `rodauth-oauth` related user facing text.
+
+#### Improvements
+
+* Enable CORS requests for OpenID configuration endpoint (@ianks)
+* Introspect endpoint now exposes the `exp` token property (@gmanley)
+
+#### Bugfixes
+
+*  on rotation policy, although the first refresh token was invalidated, a new one wasn't being provided. This change allows a new refresh token to be generated and exposed in the response (@gmanley)
+
+#### Chore
+
+Setting `rodauth` minimal supported version to `2.0.0`.
+
+### 0.6.1 (08/09/2021)
+
+#### Bugfixes
+
+* Fixed rails view templates escaping.
+* Fixed declaration of authorize template in the generator.
+
+### 0.6.0 (21/05/2021)
+
+### Improvements
+
+* RBS signatures
+
+### Chore
+
+* Ruby 3 and Truffleruby are now officially supported and tested in CI.
+
 ### 0.5.1 (19/03/2021)
 
 #### Improvements

data/README.md

@@ -173,7 +173,7 @@ puts payload #=> {"access_token" => "awr23f3h8f9d2h89...", "token_type" => "Bear
 
 #### Revoking tokens
 
-Token revocation can be done both by the idenntity owner or the application owner, and can therefore be done either online (browser-based form) or server-to-server. Here's an example using server-to-server:
+Token revocation can be done both by the identity owner or the application owner, and can therefore be done either online (browser-based form) or server-to-server. Here's an example using server-to-server:
 
 ```ruby
 require "httpx"
@@ -516,7 +516,7 @@ payload = json.parse(response.to_s)
 puts payload #=> {
 # "access_token" => ....
 # "mac_key" => ....
-# "mac_algorithm" => 
+# "mac_algorithm" =>
 ```
 
 which you'll be able to use to generate the mac signature to send in the "Authorization" header.
@@ -565,7 +565,7 @@ plugin :rodauth do
   enable :oauth_jwt
   oauth_jwt_key rsa_private
   oauth_jwt_public_key rsa_public
-  oauth_jwt_algorithm "RS256" 
+  oauth_jwt_algorithm "RS256"
 end
 ```
 
@@ -581,7 +581,7 @@ plugin :rodauth do
   enable :oauth_jwt
   oauth_jwt_jwk_key rsa_private
   oauth_jwt_jwk_public_key rsa_public
-  oauth_jwt_jwk_algorithm "RS256" 
+  oauth_jwt_jwk_algorithm "RS256"
 end
 ```
 
@@ -627,17 +627,25 @@ puts payload #=> {
 
 You'll still need the "oauth_tokens" table, however you can remove the "token" column.
 
+#### Internationalization (i18n)
+
+`rodauth-oauth` supports translating all user-facing text found in all pages and forms, by integrating with [rodauth-i18n](https://github.com/janko/rodauth-i18n). Just set it up in your application and `rodauth` configuration.
+
+Default translations shipping with `rodauth-oauth` can be found [in this directory](https://gitlab.com/honeyryderchuck/rodauth-oauth/-/tree/master/locales). If they're not available for the languages you'd like to support, consider getting them translated from the english text, and contributing them to this repository via a Merge Request.
+
+(This feature is available since `v0.7`.)
+
 #### Caveats
 
 Although very handy for the mentioned use case, one can't revoke a JWT token on demand (it must expire first).
 
 ## Ruby support policy
 
-The minimum Ruby version required to run `rodauth-oauth` is 2.3 . Besides that, it should support all rubies that rodauth and roda support, including JRuby and (potentially, I don't know yet) truffleruby.
+The minimum Ruby version required to run `rodauth-oauth` is 2.3 . Besides that, it should support all rubies that rodauth and roda support, including JRuby and truffleruby.
 
-### JRuby
+### Rails
 
-If you're interested in using this library in rails, be sure to check `rodauth-rails` policy, as it supports rails 5.2 upwards.
+If you're interested in using this library with rails, be sure to check `rodauth-rails` policy, as it supports rails 5.2 upwards.
 
 ## Development
 
@@ -646,4 +654,3 @@ After checking out the repo, run `bundle install` to install dependencies. Then,
 ## Contributing
 
 Bug reports and pull requests are welcome on Gitlab at https://gitlab.com/honeyryderchuck/rodauth-oauth.
-

data/lib/generators/rodauth/oauth/views_generator.rb

@@ -9,7 +9,7 @@ module Rodauth::OAuth
         source_root "#{__dir__}/templates"
         namespace "rodauth:oauth:views"
 
-        DEFAULT = %w[oauth_authorize].freeze
+        DEFAULT = %w[authorize].freeze
         VIEWS = {
           oauth_authorize: DEFAULT,
           oauth_applications: %w[oauth_applications oauth_application new_oauth_application]

data/lib/rodauth/features/oauth.rb

@@ -9,7 +9,7 @@ require "rodauth/oauth/ttl_store"
 require "rodauth/oauth/database_extensions"
 
 module Rodauth
-  Feature.define(:oauth) do
+  Feature.define(:oauth, :Oauth) do
     # RUBY EXTENSIONS
     unless Regexp.method_defined?(:match?)
       # If you wonder why this is there: the oauth feature uses a refinement to enhance the
@@ -168,24 +168,24 @@ module Rodauth
     auth_value_method :oauth_token_type, "bearer"
     auth_value_method :oauth_refresh_token_protection_policy, "none" # can be: none, sender_constrained, rotation
 
-    auth_value_method :invalid_client_message, "Invalid client"
-    auth_value_method :invalid_grant_type_message, "Invalid grant type"
-    auth_value_method :invalid_grant_message, "Invalid grant"
-    auth_value_method :invalid_scope_message, "Invalid scope"
+    translatable_method :invalid_client_message, "Invalid client"
+    translatable_method :invalid_grant_type_message, "Invalid grant type"
+    translatable_method :invalid_grant_message, "Invalid grant"
+    translatable_method :invalid_scope_message, "Invalid scope"
 
-    auth_value_method :invalid_url_message, "Invalid URL"
-    auth_value_method :unsupported_token_type_message, "Invalid token type hint"
+    translatable_method :invalid_url_message, "Invalid URL"
+    translatable_method :unsupported_token_type_message, "Invalid token type hint"
 
-    auth_value_method :unique_error_message, "is already in use"
-    auth_value_method :null_error_message, "is not filled"
-    auth_value_method :already_in_use_message, "error generating unique token"
+    translatable_method :unique_error_message, "is already in use"
+    translatable_method :null_error_message, "is not filled"
+    translatable_method :already_in_use_message, "error generating unique token"
     auth_value_method :already_in_use_error_code, "invalid_request"
 
     # PKCE
     auth_value_method :code_challenge_required_error_code, "invalid_request"
-    auth_value_method :code_challenge_required_message, "code challenge required"
+    translatable_method :code_challenge_required_message, "code challenge required"
     auth_value_method :unsupported_transform_algorithm_error_code, "invalid_request"
-    auth_value_method :unsupported_transform_algorithm_message, "transform algorithm not supported"
+    translatable_method :unsupported_transform_algorithm_message, "transform algorithm not supported"
 
     # METADATA
     auth_value_method :oauth_metadata_service_documentation, nil
@@ -466,10 +466,6 @@ module Rodauth
       end
     end
 
-    def initialize(scope)
-      @scope = scope
-    end
-
     def scopes
       scope = request.params["scope"]
       case scope
@@ -568,13 +564,14 @@ module Rodauth
       self.class.__send__(:include, Rodauth::OAuth::ExtendDatabase(db))
 
       # Check whether we can reutilize db entries for the same account / application pair
-      one_oauth_token_per_account = begin
-        db.indexes(oauth_tokens_table).values.any? do |definition|
-          definition[:unique] &&
-            definition[:columns] == oauth_tokens_unique_columns
-        end
+      one_oauth_token_per_account = db.indexes(oauth_tokens_table).values.any? do |definition|
+        definition[:unique] &&
+          definition[:columns] == oauth_tokens_unique_columns
       end
+
       self.class.send(:define_method, :__one_oauth_token_per_account) { one_oauth_token_per_account }
+
+      i18n_register(File.expand_path(File.join(__dir__, "..", "..", "..", "locales"))) if features.include?(:i18n)
     end
 
     def use_date_arithmetic?
@@ -1108,6 +1105,14 @@ module Rodauth
                           oauth_tokens_scopes_column => oauth_token[oauth_tokens_scopes_column]
                         }
 
+                        refresh_token = oauth_unique_id_generator
+
+                        if oauth_tokens_refresh_token_hash_column
+                          insert_params[oauth_tokens_refresh_token_hash_column] = generate_token_hash(refresh_token)
+                        else
+                          insert_params[oauth_tokens_refresh_token_column] = refresh_token
+                        end
+
                         # revoke the refresh token
                         oauth_tokens_ds.where(oauth_tokens_id_column => oauth_token[oauth_tokens_id_column])
                                        .update(oauth_tokens_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
@@ -1121,6 +1126,7 @@ module Rodauth
                       end
 
         oauth_token[oauth_tokens_token_column] = token
+        oauth_token[oauth_tokens_refresh_token_column] = refresh_token if refresh_token
         oauth_token
       end
     end
@@ -1146,7 +1152,8 @@ module Rodauth
         scope: token[oauth_tokens_scopes_column],
         client_id: oauth_application[oauth_applications_client_id_column],
         # username
-        token_type: oauth_token_type
+        token_type: oauth_token_type,
+        exp: token[oauth_tokens_expires_in_column].to_i
       }
     end
 

data/lib/rodauth/features/oauth_http_mac.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  Feature.define(:oauth_http_mac) do
+  Feature.define(:oauth_http_mac, :OauthHttpMac) do
     unless String.method_defined?(:delete_prefix)
       module PrefixExtensions
         refine(String) do

data/lib/rodauth/features/oauth_jwt.rb

@@ -3,7 +3,7 @@
 require "rodauth/oauth/ttl_store"
 
 module Rodauth
-  Feature.define(:oauth_jwt) do
+  Feature.define(:oauth_jwt, :OauthJwt) do
     depends :oauth
 
     JWKS = OAuth::TtlStore.new
@@ -33,8 +33,8 @@ module Rodauth
     auth_value_method :oauth_jwt_jwe_copyright, nil
     auth_value_method :oauth_jwt_audience, nil
 
-    auth_value_method :request_uri_not_supported_message, "request uri is unsupported"
-    auth_value_method :invalid_request_object_message, "request object is invalid"
+    translatable_method :request_uri_not_supported_message, "request uri is unsupported"
+    translatable_method :invalid_request_object_message, "request object is invalid"
 
     auth_value_methods(
       :jwt_encode,

data/lib/rodauth/features/oauth_saml.rb

@@ -3,7 +3,7 @@
 require "onelogin/ruby-saml"
 
 module Rodauth
-  Feature.define(:oauth_saml) do
+  Feature.define(:oauth_saml, :OauthSaml) do
     depends :oauth
 
     auth_value_method :oauth_saml_cert_fingerprint, "9E:65:2E:03:06:8D:80:F2:86:C7:6C:77:A1:D9:14:97:0A:4D:F4:4D"

data/lib/rodauth/features/oidc.rb

@@ -1,7 +1,7 @@
 # frozen-string-literal: true
 
 module Rodauth
-  Feature.define(:oidc) do
+  Feature.define(:oidc, :Oidc) do
     # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
     OIDC_SCOPES_MAP = {
       "profile" => %i[name family_name given_name middle_name nickname preferred_username
@@ -68,7 +68,7 @@ module Rodauth
     auth_value_method :oauth_grants_nonce_column, :nonce
     auth_value_method :oauth_tokens_nonce_column, :nonce
 
-    auth_value_method :invalid_scope_message, "The Access Token expired"
+    translatable_method :invalid_scope_message, "The Access Token expired"
 
     auth_value_method :webfinger_relation, "http://openid.net/specs/connect/1.0/issuer"
 
@@ -186,6 +186,8 @@ module Rodauth
 
     def openid_configuration(alt_issuer = nil)
       request.on(".well-known/openid-configuration") do
+        allow_cors(request)
+
         request.get do
           json_response_success(openid_configuration_body(alt_issuer), cache: true)
         end
@@ -493,5 +495,15 @@ module Rodauth
           (val.respond_to?(:empty?) && val.empty?)
       end
     end
+
+    def allow_cors(request)
+      return unless request.request_method == "OPTIONS"
+
+      response["Access-Control-Allow-Origin"] = "*"
+      response["Access-Control-Allow-Methods"] = "GET, OPTIONS"
+      response["Access-Control-Max-Age"] = "3600"
+      response.status = 200
+      request.halt
+    end
   end
 end

data/lib/rodauth/oauth/version.rb

@@ -2,6 +2,6 @@
 
 module Rodauth
   module OAuth
-    VERSION = "0.5.1"
+    VERSION = "0.7.1"
   end
 end

data/locales/en.yml

@@ -0,0 +1,34 @@
+en:
+  rodauth:
+    require_authorization_error_flash: "Please authorize to continue"
+    create_oauth_application_error_flash: "There was an error registering your oauth application"
+    create_oauth_application_notice_flash: "Your oauth application has been registered"
+    revoke_oauth_token_notice_flash: "The oauth token has been revoked"
+    oauth_authorize_title: "Authorize"
+    oauth_oauth_applications_page_title: "Oauth Applications"
+    oauth_oauth_application_page_title: "Oauth Application"
+    oauth_new_oauth_application_page_title: "New Oauth Application"
+    oauth_oauth_tokens_page_title: "Oauth Tokens"
+    name_label: "Name"
+    description_label: "Description"
+    scopes_label: "Scopes"
+    homepage_url_label: "Homepage URL"
+    redirect_uri_label: "Redirect URL"
+    client_secret_label: "Client Secret"
+    client_id_label: "Client ID"
+    oauth_applications_button: "Register"
+    oauth_authorize_button: "Authorize"
+    oauth_token_revoke_button: "Revoke"
+    oauth_authorize_post_button: "Back to Client Application"
+    invalid_grant_message: "Invalid grant"
+    invalid_scope_message: "Invalid scope"
+    invalid_url_message: "Invalid URL"
+    unsupported_token_type_message: "Invalid token type hint"
+    unique_error_message: "is already in use"
+    null_error_message: "is not filled"
+    already_in_use_message: "error generating unique token"
+    code_challenge_required_message: "code challenge required"
+    unsupported_transform_algorithm_message: "transform algorithm not supported"
+    request_uri_not_supported_message: "request uri is unsupported"
+    invalid_request_object_message: "request object is invalid"
+    invalid_scope_message: "The Access Token expired"

data/templates/authorize.str

@@ -1,4 +1,4 @@
-<form method="post" class="form-horizontal" role="form" id="authorize-form">
+<form method="post" action="#{rodauth.authorize_path}" class="form-horizontal" role="form" id="authorize-form">
   #{csrf_tag(rodauth.authorize_path) if respond_to?(:csrf_tag)}
   <p class="lead">The application #{rodauth.oauth_application[rodauth.oauth_applications_name_column]} would like to access your data.</p>
 

data/templates/oauth_application.str

@@ -7,5 +7,5 @@
       end.join
     }
   </dl>
-  <a href="/#{"#{rodauth.oauth_applications_path}/#{@oauth_application[:id]}/#{rodauth.oauth_tokens_path}"}" class="btn btn-outline-secondary">Oauth Tokens</a>
-</div>
+  <a href="#{rodauth.oauth_applications_path}/#{@oauth_application[:id]}/#{rodauth.oauth_tokens_path}" class="btn btn-outline-secondary">Oauth Tokens</a>
+</div>

data/templates/oauth_tokens.str

@@ -21,14 +21,14 @@
                   <tr>
                     <td>#{oauth_token[rodauth.oauth_tokens_token_column]}</td>
                     <td>#{oauth_token[rodauth.oauth_tokens_refresh_token_column]}</td>
-                    <td>#{rodauth.convert_timestamp(oauth_token[rodauth.oauth_tokens_expires_in_column])}</td>
-                    <td>#{rodauth.convert_timestamp(oauth_token[rodauth.oauth_tokens_revoked_at_column])}</td>
+                    <td>#{oauth_token[rodauth.oauth_tokens_expires_in_column]}</td>
+                    <td>#{oauth_token[rodauth.oauth_tokens_revoked_at_column]}</td>
                     <td>
                       #{
                         if !oauth_token[rodauth.oauth_tokens_revoked_at_param] && !oauth_token[rodauth.oauth_tokens_token_hash_column]
                           <<-HTML
                             <form method="post" action="#{rodauth.revoke_path}" class="form-horizontal" role="form" id="revoke-form">
-                              #{csrf_tag(rodauth.oauth_revoke_path) if respond_to?(:csrf_tag)}
+                              #{csrf_tag(rodauth.revoke_path) if respond_to?(:csrf_tag)}
                               #{rodauth.input_field_string("token_type_hint", "revoke-token-type-hint", :value => "access_token", :type=>"hidden")}
                               #{rodauth.input_field_string("token", "revoke-token", :value => oauth_token[rodauth.oauth_tokens_token_column], :type=>"hidden")}
                               #{rodauth.button(rodauth.oauth_token_revoke_button)}

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rodauth-oauth
 version: !ruby/object:Gem::Version
-  version: 0.5.1
+  version: 0.7.1
 platform: ruby
 authors:
 - Tiago Cardoso
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-03-19 00:00:00.000000000 Z
+date: 2021-12-05 00:00:00.000000000 Z
 dependencies: []
 description: Implementation of the OAuth 2.0 protocol on top of rodauth.
 email:
@@ -39,6 +39,7 @@ files:
 - lib/rodauth/oauth/railtie.rb
 - lib/rodauth/oauth/ttl_store.rb
 - lib/rodauth/oauth/version.rb
+- locales/en.yml
 - templates/authorize.str
 - templates/client_secret_field.str
 - templates/description_field.str
@@ -71,7 +72,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.3
+rubygems_version: 3.1.6
 signing_key:
 specification_version: 4
 summary: Implementation of the OAuth 2.0 protocol on top of rodauth.