rodauth-oauth 0.7.3 → 0.9.0

data/lib/rodauth/features/oauth_application_management.rb

@@ -0,0 +1,225 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_application_management, :OauthApplicationManagement) do
+    depends :oauth_management_base
+
+    before "create_oauth_application"
+    after "create_oauth_application"
+
+    error_flash "There was an error registering your oauth application", "create_oauth_application"
+    notice_flash "Your oauth application has been registered", "create_oauth_application"
+
+    view "oauth_applications", "Oauth Applications", "oauth_applications"
+    view "oauth_application", "Oauth Application", "oauth_application"
+    view "new_oauth_application", "New Oauth Application", "new_oauth_application"
+    view "oauth_application_oauth_tokens", "Oauth Application Tokens", "oauth_application_oauth_tokens"
+
+    auth_value_method :oauth_valid_uri_schemes, %w[https]
+
+    # Application
+    APPLICATION_REQUIRED_PARAMS = %w[name scopes homepage_url redirect_uri client_secret].freeze
+    auth_value_method :oauth_application_required_params, APPLICATION_REQUIRED_PARAMS
+
+    (APPLICATION_REQUIRED_PARAMS + %w[description client_id]).each do |param|
+      auth_value_method :"oauth_application_#{param}_param", param
+      configuration_module_eval do
+        define_method :"#{param}_label" do
+          warn "#{__method__} is deprecated, switch to oauth_applications_#{__method__}_label"
+          __send__(:"oauth_applications_#{param}_label")
+        end
+      end
+    end
+
+    translatable_method :oauth_applications_name_label, "Name"
+    translatable_method :oauth_applications_description_label, "Description"
+    translatable_method :oauth_applications_scopes_label, "Scopes"
+    translatable_method :oauth_applications_contacts_label, "Contacts"
+    translatable_method :oauth_applications_tos_uri_label, "Terms of service"
+    translatable_method :oauth_applications_policy_uri_label, "Policy"
+    translatable_method :oauth_applications_jwks_label, "JSON Web Keys"
+    translatable_method :oauth_applications_jwks_uri_label, "JSON Web Keys URI"
+    translatable_method :oauth_applications_homepage_url_label, "Homepage URL"
+    translatable_method :oauth_applications_redirect_uri_label, "Redirect URI"
+    translatable_method :oauth_applications_client_secret_label, "Client Secret"
+    translatable_method :oauth_applications_client_id_label, "Client ID"
+    button "Register", "oauth_application"
+    button "Revoke", "oauth_token_revoke"
+
+    auth_value_method :oauth_applications_oauth_tokens_path, "oauth-tokens"
+    auth_value_method :oauth_applications_route, "oauth-applications"
+    auth_value_method :oauth_applications_per_page, 20
+    auth_value_method :oauth_applications_id_pattern, Integer
+    auth_value_method :oauth_tokens_per_page, 20
+
+    translatable_method :invalid_url_message, "Invalid URL"
+    translatable_method :null_error_message, "is not filled"
+
+    def oauth_applications_path(opts = {})
+      route_path(oauth_applications_route, opts)
+    end
+
+    def oauth_applications_url(opts = {})
+      route_url(oauth_applications_route, opts)
+    end
+    auth_value_methods(
+      :oauth_application_path
+    )
+
+    def oauth_application_path(id)
+      "#{oauth_applications_path}/#{id}"
+    end
+
+    # /oauth-applications routes
+    def oauth_applications
+      request.on(oauth_applications_route) do
+        require_account
+
+        request.get "new" do
+          new_oauth_application_view
+        end
+
+        request.on(oauth_applications_id_pattern) do |id|
+          oauth_application = db[oauth_applications_table]
+                              .where(oauth_applications_id_column => id)
+                              .where(oauth_applications_account_id_column => account_id)
+                              .first
+          next unless oauth_application
+
+          scope.instance_variable_set(:@oauth_application, oauth_application)
+
+          request.is do
+            request.get do
+              oauth_application_view
+            end
+          end
+
+          request.on(oauth_applications_oauth_tokens_path) do
+            page = Integer(param_or_nil("page") || 1)
+            per_page = per_page_param(oauth_tokens_per_page)
+            oauth_tokens = db[oauth_tokens_table]
+                           .where(oauth_tokens_oauth_application_id_column => id)
+                           .order(Sequel.desc(oauth_tokens_id_column))
+            scope.instance_variable_set(:@oauth_tokens, oauth_tokens.paginate(page, per_page))
+            request.get do
+              oauth_application_oauth_tokens_view
+            end
+          end
+        end
+
+        request.get do
+          page = Integer(param_or_nil("page") || 1)
+          per_page = per_page_param(oauth_applications_per_page)
+          scope.instance_variable_set(:@oauth_applications, db[oauth_applications_table]
+            .where(oauth_applications_account_id_column => account_id)
+            .order(Sequel.desc(oauth_applications_id_column))
+            .paginate(page, per_page))
+
+          oauth_applications_view
+        end
+
+        request.post do
+          catch_error do
+            validate_oauth_application_params
+
+            transaction do
+              before_create_oauth_application
+              id = create_oauth_application
+              after_create_oauth_application
+              set_notice_flash create_oauth_application_notice_flash
+              redirect "#{request.path}/#{id}"
+            end
+          end
+          set_error_flash create_oauth_application_error_flash
+          new_oauth_application_view
+        end
+      end
+    end
+
+    def check_csrf?
+      case request.path
+      when oauth_applications_path
+        only_json? ? false : super
+      else
+        super
+      end
+    end
+
+    private
+
+    def oauth_application_params
+      @oauth_application_params ||= oauth_application_required_params.each_with_object({}) do |param, params|
+        value = request.params[__send__(:"oauth_application_#{param}_param")]
+        if value && !value.empty?
+          params[param] = value
+        else
+          set_field_error(param, null_error_message)
+        end
+      end
+    end
+
+    def validate_oauth_application_params
+      oauth_application_params.each do |key, value|
+        if key == oauth_application_homepage_url_param
+
+          set_field_error(key, invalid_url_message) unless check_valid_uri?(value)
+
+        elsif key == oauth_application_redirect_uri_param
+
+          if value.respond_to?(:each)
+            value.each do |uri|
+              next if uri.empty?
+
+              set_field_error(key, invalid_url_message) unless check_valid_uri?(uri)
+            end
+          else
+            set_field_error(key, invalid_url_message) unless check_valid_uri?(value)
+          end
+        elsif key == oauth_application_scopes_param
+
+          value.each do |scope|
+            set_field_error(key, invalid_scope_message) unless oauth_application_scopes.include?(scope)
+          end
+        end
+      end
+
+      throw :rodauth_error if @field_errors && !@field_errors.empty?
+    end
+
+    def create_oauth_application
+      create_params = {
+        oauth_applications_account_id_column => account_id,
+        oauth_applications_name_column => oauth_application_params[oauth_application_name_param],
+        oauth_applications_description_column => oauth_application_params[oauth_application_description_param],
+        oauth_applications_scopes_column => oauth_application_params[oauth_application_scopes_param],
+        oauth_applications_homepage_url_column => oauth_application_params[oauth_application_homepage_url_param]
+      }
+
+      redirect_uris = oauth_application_params[oauth_application_redirect_uri_param]
+      redirect_uris = redirect_uris.to_a.reject(&:empty?).join(" ") if redirect_uris.respond_to?(:each)
+      create_params[oauth_applications_redirect_uri_column] = redirect_uris unless redirect_uris.empty?
+      # set client ID/secret pairs
+
+      create_params.merge! \
+        oauth_applications_client_secret_column => \
+          secret_hash(oauth_application_params[oauth_application_client_secret_param])
+
+      create_params[oauth_applications_scopes_column] = if create_params[oauth_applications_scopes_column]
+                                                          create_params[oauth_applications_scopes_column].join(oauth_scope_separator)
+                                                        else
+                                                          oauth_application_default_scope
+                                                        end
+
+      rescue_from_uniqueness_error do
+        create_params[oauth_applications_client_id_column] = oauth_unique_id_generator
+        db[oauth_applications_table].insert(create_params)
+      end
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:registration_endpoint] = oauth_applications_url
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_assertion_base.rb

@@ -0,0 +1,96 @@
+# frozen-string-literal: true
+
+require "rodauth/oauth/refinements"
+
+module Rodauth
+  Feature.define(:oauth_assertion_base, :OauthAssertionBase) do
+    using PrefixExtensions
+
+    depends :oauth_base
+
+    auth_value_methods(
+      :assertion_grant_type?,
+      :client_assertion_type?,
+      :assertion_grant_type,
+      :client_assertion_type
+    )
+
+    private
+
+    def validate_oauth_token_params
+      return super unless assertion_grant_type?
+
+      redirect_response_error("invalid_grant") unless param_or_nil("assertion")
+    end
+
+    def require_oauth_application
+      if assertion_grant_type?
+        @oauth_application = __send__(:"require_oauth_application_from_#{assertion_grant_type}_assertion_issuer", param("assertion"))
+      elsif client_assertion_type?
+        @oauth_application = __send__(:"require_oauth_application_from_#{client_assertion_type}_assertion_subject",
+                                      param("client_assertion"))
+      else
+        return super
+      end
+
+      redirect_response_error("invalid_grant") unless @oauth_application
+
+      if client_assertion_type? &&
+         (client_id = param_or_nil("client_id")) &&
+         client_id != @oauth_application[oauth_applications_client_id_column]
+        # If present, the value of the
+        # "client_id" parameter MUST identify the same client as is
+        # identified by the client assertion.
+        redirect_response_error("invalid_grant")
+      end
+    end
+
+    def account_from_bearer_assertion_subject(subject)
+      __insert_or_do_nothing_and_return__(
+        db[accounts_table],
+        account_id_column,
+        [login_column],
+        login_column => subject
+      )
+    end
+
+    def create_oauth_token(grant_type)
+      return super unless assertion_grant_type?(grant_type) && supported_grant_type?(grant_type)
+
+      account = __send__(:"account_from_#{assertion_grant_type}_assertion", param("assertion"))
+
+      redirect_response_error("invalid_grant") unless account
+
+      grant_scopes = if param_or_nil("scope")
+                       redirect_response_error("invalid_grant") unless check_valid_scopes?
+                       scopes
+                     else
+                       @oauth_application[oauth_applications_scopes_column]
+                     end
+
+      create_params = {
+        oauth_tokens_account_id_column => account[account_id_column],
+        oauth_tokens_oauth_application_id_column => @oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => grant_scopes
+      }
+
+      generate_oauth_token(create_params, false)
+    end
+
+    def assertion_grant_type?(grant_type = param("grant_type"))
+      grant_type.start_with?("urn:ietf:params:oauth:grant-type:")
+    end
+
+    def client_assertion_type?(client_assertion_type = param("client_assertion_type"))
+      client_assertion_type.start_with?("urn:ietf:params:oauth:client-assertion-type:")
+    end
+
+    def assertion_grant_type(grant_type = param("grant_type"))
+      grant_type.delete_prefix("urn:ietf:params:oauth:grant-type:").tr("-", "_")
+    end
+
+    def client_assertion_type(assertion_type = param("client_assertion_type"))
+      assertion_type.delete_prefix("urn:ietf:params:oauth:client-assertion-type:").tr("-", "_")
+    end
+  end
+end

data/lib/rodauth/features/oauth_authorization_code_grant.rb

@@ -0,0 +1,252 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_authorization_code_grant, :OauthAuthorizationCodeGrant) do
+    depends :oauth_base
+
+    before "authorize"
+    after "authorize"
+
+    view "authorize", "Authorize", "authorize"
+
+    button "Authorize", "oauth_authorize"
+    button "Back to Client Application", "oauth_authorize_post"
+
+    auth_value_method :use_oauth_access_type?, true
+
+    # OAuth Grants
+    auth_value_method :oauth_grants_table, :oauth_grants
+    auth_value_method :oauth_grants_id_column, :id
+    %i[
+      account_id oauth_application_id
+      redirect_uri code scopes access_type
+      expires_in revoked_at
+    ].each do |column|
+      auth_value_method :"oauth_grants_#{column}_column", column
+    end
+
+    translatable_method :oauth_tokens_scopes_label, "Scopes"
+    translatable_method :oauth_applications_contacts_label, "Contacts"
+    translatable_method :oauth_applications_tos_uri_label, "Terms of service URL"
+    translatable_method :oauth_applications_policy_uri_label, "Policy URL"
+
+    # /authorize
+    route(:authorize) do |r|
+      next unless is_authorization_server?
+
+      before_authorize_route
+      require_authorizable_account
+
+      validate_oauth_grant_params
+      try_approval_prompt if use_oauth_access_type? && request.get?
+
+      r.get do
+        authorize_view
+      end
+
+      r.post do
+        params, mode = transaction do
+          before_authorize
+          do_authorize
+        end
+
+        authorize_response(params, mode)
+      end
+    end
+
+    def check_csrf?
+      case request.path
+      when authorize_path
+        only_json? ? false : super
+      else
+        super
+      end
+    end
+
+    private
+
+    def validate_oauth_grant_params
+      redirect_response_error("invalid_request", request.referer || default_redirect) unless oauth_application && check_valid_redirect_uri?
+
+      unless oauth_application && check_valid_redirect_uri? && check_valid_access_type? &&
+             check_valid_approval_prompt? && check_valid_response_type?
+        redirect_response_error("invalid_request")
+      end
+      redirect_response_error("invalid_scope") unless check_valid_scopes?
+
+      return unless (response_mode = param_or_nil("response_mode")) && response_mode != "form_post"
+
+      redirect_response_error("invalid_request")
+    end
+
+    def validate_oauth_token_params
+      redirect_response_error("invalid_request") if param_or_nil("grant_type") == "authorization_code" && !param_or_nil("code")
+      super
+    end
+
+    def try_approval_prompt
+      approval_prompt = param_or_nil("approval_prompt")
+
+      return unless approval_prompt && approval_prompt == "auto"
+
+      return if db[oauth_grants_table].where(
+        oauth_grants_account_id_column => account_id,
+        oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_grants_redirect_uri_column => redirect_uri,
+        oauth_grants_scopes_column => scopes.join(oauth_scope_separator),
+        oauth_grants_access_type_column => "online"
+      ).count.zero?
+
+      # if there's a previous oauth grant for the params combo, it means that this user has approved before.
+      request.env["REQUEST_METHOD"] = "POST"
+    end
+
+    def create_oauth_grant(create_params = {})
+      create_params.merge!(
+        oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_grants_redirect_uri_column => redirect_uri,
+        oauth_grants_expires_in_column => Sequel.date_add(Sequel::CURRENT_TIMESTAMP, seconds: oauth_grant_expires_in),
+        oauth_grants_scopes_column => scopes.join(oauth_scope_separator)
+      )
+
+      # Access Type flow
+      if use_oauth_access_type? && (access_type = param_or_nil("access_type"))
+        create_params[oauth_grants_access_type_column] = access_type
+      end
+
+      ds = db[oauth_grants_table]
+
+      rescue_from_uniqueness_error do
+        create_params[oauth_grants_code_column] = oauth_unique_id_generator
+        __insert_and_return__(ds, oauth_grants_id_column, create_params)
+      end
+      create_params[oauth_grants_code_column]
+    end
+
+    def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
+      case param("response_type")
+
+      when "code"
+        response_mode ||= "query"
+        response_params.replace(_do_authorize_code)
+      when "none"
+        response_mode ||= "none"
+      when "", nil
+        response_mode ||= oauth_response_mode
+        response_params.replace(_do_authorize_code)
+      end
+
+      response_params["state"] = param("state") if param_or_nil("state")
+
+      [response_params, response_mode]
+    end
+
+    def _do_authorize_code
+      { "code" => create_oauth_grant(oauth_grants_account_id_column => account_id) }
+    end
+
+    def authorize_response(params, mode)
+      redirect_url = URI.parse(redirect_uri)
+      case mode
+      when "query"
+        params = params.map { |k, v| "#{k}=#{v}" }
+        params << redirect_url.query if redirect_url.query
+        redirect_url.query = params.join("&")
+        redirect(redirect_url.to_s)
+      when "form_post"
+        scope.view layout: false, inline: <<-FORM
+          <html>
+            <head><title>Authorized</title></head>
+            <body onload="javascript:document.forms[0].submit()">
+              <form method="post" action="#{redirect_uri}">
+                #{
+                  params.map do |name, value|
+                    "<input type=\"hidden\" name=\"#{name}\" value=\"#{scope.h(value)}\" />"
+                  end.join
+                }
+                <input type="submit" class="btn btn-outline-primary" value="#{scope.h(oauth_authorize_post_button)}"/>
+              </form>
+            </body>
+          </html>
+        FORM
+      when "none"
+        redirect(redirect_url.to_s)
+      end
+    end
+
+    def create_oauth_token(grant_type)
+      return super unless supported_grant_type?(grant_type, "authorization_code")
+
+      # fetch oauth grant
+      oauth_grant = db[oauth_grants_table].where(
+        oauth_grants_code_column => param("code"),
+        oauth_grants_redirect_uri_column => param("redirect_uri"),
+        oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_grants_revoked_at_column => nil
+      ).where(Sequel[oauth_grants_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
+                                          .for_update
+                                          .first
+
+      redirect_response_error("invalid_grant") unless oauth_grant
+
+      create_params = {
+        oauth_tokens_account_id_column => oauth_grant[oauth_grants_account_id_column],
+        oauth_tokens_oauth_application_id_column => oauth_grant[oauth_grants_oauth_application_id_column],
+        oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column],
+        oauth_tokens_scopes_column => oauth_grant[oauth_grants_scopes_column]
+      }
+      create_oauth_token_from_authorization_code(oauth_grant, create_params)
+    end
+
+    def create_oauth_token_from_authorization_code(oauth_grant, create_params)
+      # revoke oauth grant
+      db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
+                            .update(oauth_grants_revoked_at_column => Sequel::CURRENT_TIMESTAMP)
+
+      should_generate_refresh_token = !use_oauth_access_type? ||
+                                      oauth_grant[oauth_grants_access_type_column] == "offline"
+
+      generate_oauth_token(create_params, should_generate_refresh_token)
+    end
+
+    ACCESS_TYPES = %w[offline online].freeze
+
+    def check_valid_access_type?
+      return true unless use_oauth_access_type?
+
+      access_type = param_or_nil("access_type")
+      !access_type || ACCESS_TYPES.include?(access_type)
+    end
+
+    APPROVAL_PROMPTS = %w[force auto].freeze
+
+    def check_valid_approval_prompt?
+      return true unless use_oauth_access_type?
+
+      approval_prompt = param_or_nil("approval_prompt")
+      !approval_prompt || APPROVAL_PROMPTS.include?(approval_prompt)
+    end
+
+    def check_valid_response_type?
+      response_type = param_or_nil("response_type")
+
+      response_type.nil? || response_type == "code"
+    end
+
+    def check_valid_redirect_uri?
+      oauth_application[oauth_applications_redirect_uri_column].split(" ").include?(redirect_uri)
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:authorization_endpoint] = authorize_url
+        data[:response_types_supported] << "code"
+
+        data[:response_modes_supported] << "query"
+        data[:response_modes_supported] << "form_post"
+
+        data[:grant_types_supported] << "authorization_code"
+      end
+    end
+  end
+end