rodauth-oauth 0.7.3 → 0.9.0

data/lib/rodauth/features/oauth_client_credentials_grant.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_client_credentials_grant, :OauthClientCredentialsGrant) do
+    depends :oauth_base
+
+    auth_value_method :use_oauth_client_credentials_grant_type?, false
+
+    private
+
+    def create_oauth_token(grant_type)
+      return super unless grant_type == "client_credentials" && use_oauth_client_credentials_grant_type?
+
+      create_params = {
+        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => scopes.join(oauth_scope_separator)
+      }
+      generate_oauth_token(create_params, false)
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:grant_types_supported] << "client_credentials" if use_oauth_client_credentials_grant_type?
+      end
+    end
+
+    def check_valid_response_type?
+      return true if use_oauth_implicit_grant_type? && param_or_nil("response_type") == "token"
+
+      super
+    end
+  end
+end

data/lib/rodauth/features/oauth_device_grant.rb

@@ -0,0 +1,220 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_device_grant, :OauthDeviceGrant) do
+    depends :oauth_base
+
+    auth_value_method :use_oauth_device_code_grant_type?, false
+
+    before "device_authorization"
+    before "device_verification"
+
+    notice_flash "The device is verified", "device_verification"
+    error_flash "No device to authorize with the given user code", "user_code_not_found"
+
+    view "device_verification", "Device Verification", "device_verification"
+    view "device_search", "Device Search", "device_search"
+
+    button "Verify", "oauth_device_verification"
+    button "Search", "oauth_device_search"
+
+    auth_value_method :oauth_grants_user_code_column, :user_code
+    auth_value_method :oauth_grants_last_polled_at_column, :last_polled_at
+
+    translatable_method :expired_token_message, "the device code has expired"
+    translatable_method :access_denied_message, "the authorization request has been denied"
+    translatable_method :authorization_pending_message, "the authorization request is still pending"
+    translatable_method :slow_down_message, "authorization request is still pending but poll interval should be increased"
+
+    auth_value_method :oauth_device_code_grant_polling_interval, 5 # seconds
+    auth_value_method :oauth_device_code_grant_user_code_size, 8 # characters
+    %w[user_code].each do |param|
+      auth_value_method :"oauth_grant_#{param}_param", param
+    end
+    translatable_method :oauth_grant_user_code_label, "User code"
+
+    auth_value_methods(
+      :generate_user_code
+    )
+
+    # /device-authorization
+    route(:device_authorization) do |r|
+      next unless is_authorization_server? && use_oauth_device_code_grant_type?
+
+      before_device_authorization_route
+
+      r.post do
+        require_oauth_application
+
+        user_code = generate_user_code
+        device_code = transaction do
+          before_device_authorization
+          create_oauth_grant(oauth_grants_user_code_column => user_code)
+        end
+
+        json_response_success \
+          "device_code" => device_code,
+          "user_code" => user_code,
+          "verification_uri" => device_url,
+          "verification_uri_complete" => device_url(user_code: user_code),
+          "expires_in" => oauth_grant_expires_in,
+          "interval" => oauth_device_code_grant_polling_interval
+      end
+    end
+
+    # /device
+    route(:device) do |r|
+      next unless is_authorization_server? && use_oauth_device_code_grant_type?
+
+      before_device_route
+      require_authorizable_account
+
+      r.get do
+        if (user_code = param_or_nil("user_code"))
+          oauth_grant = db[oauth_grants_table].where(
+            oauth_grants_user_code_column => user_code,
+            oauth_grants_revoked_at_column => nil
+          ).where(Sequel[oauth_grants_expires_in_column] >= Sequel::CURRENT_TIMESTAMP).first
+
+          unless oauth_grant
+            set_redirect_error_flash user_code_not_found_error_flash
+            redirect device_path
+          end
+
+          scope.instance_variable_set(:@oauth_grant, oauth_grant)
+          device_verification_view
+        else
+          device_search_view
+        end
+      end
+
+      r.post do
+        catch_error do
+          unless param_or_nil("user_code")
+            set_redirect_error_flash invalid_grant_message
+            redirect device_path
+          end
+
+          transaction do
+            before_device_verification
+            create_oauth_token("device_code")
+          end
+        end
+        set_notice_flash device_verification_notice_flash
+        redirect device_path
+      end
+    end
+
+    def check_csrf?
+      case request.path
+      when device_authorization_path
+        false
+      else
+        super
+      end
+    end
+
+    private
+
+    def generate_user_code
+      user_code_size = oauth_device_code_grant_user_code_size
+      SecureRandom.random_number(36**user_code_size)
+                  .to_s(36) # 0 to 9, a to z
+                  .upcase
+                  .rjust(user_code_size, "0")
+    end
+
+    def authorized_oauth_application?(oauth_application, client_secret, _)
+      # skip if using device grant
+      #
+      # requests may be performed by devices with no knowledge of client secret.
+      return true if !client_secret && use_oauth_device_code_grant_type?
+
+      super
+    end
+
+    def create_oauth_token(grant_type)
+      if supported_grant_type?(grant_type, "urn:ietf:params:oauth:grant-type:device_code")
+        throw_json_response_error(invalid_oauth_response_status, "invalid_grant_type") unless use_oauth_device_code_grant_type?
+
+        oauth_grant = db[oauth_grants_table].where(
+          oauth_grants_code_column => param("device_code"),
+          oauth_grants_oauth_application_id_column => oauth_application[oauth_applications_id_column]
+        ).for_update.first
+
+        throw_json_response_error(invalid_oauth_response_status, "invalid_grant") unless oauth_grant
+
+        now = Time.now
+
+        if oauth_grant[oauth_grants_revoked_at_column]
+          oauth_token = db[oauth_tokens_table]
+                        .where(Sequel[oauth_tokens_table][oauth_tokens_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
+                        .where(Sequel[oauth_tokens_table][oauth_tokens_revoked_at_column] => nil)
+                        .where(oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column])
+                        .first
+
+          throw_json_response_error(invalid_oauth_response_status, "access_denied") unless oauth_token
+        elsif oauth_grant[oauth_grants_expires_in_column] < now
+          throw_json_response_error(invalid_oauth_response_status, "expired_token")
+        else
+          last_polled_at = oauth_grant[oauth_grants_last_polled_at_column]
+          if last_polled_at && convert_timestamp(last_polled_at) + oauth_device_code_grant_polling_interval > now
+            throw_json_response_error(invalid_oauth_response_status, "slow_down")
+          else
+            db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
+                                  .update(oauth_grants_last_polled_at_column => Sequel::CURRENT_TIMESTAMP)
+            throw_json_response_error(invalid_oauth_response_status, "authorization_pending")
+          end
+        end
+        oauth_token
+      elsif grant_type == "device_code"
+        redirect_response_error("invalid_grant_type") unless use_oauth_device_code_grant_type?
+
+        # fetch oauth grant
+        oauth_grant = db[oauth_grants_table].where(
+          oauth_grants_user_code_column => param("user_code"),
+          oauth_grants_revoked_at_column => nil
+        ).where(Sequel[oauth_grants_expires_in_column] >= Sequel::CURRENT_TIMESTAMP)
+                                            .for_update
+                                            .first
+
+        return unless oauth_grant
+
+        # update ownership
+        db[oauth_grants_table].where(oauth_grants_id_column => oauth_grant[oauth_grants_id_column])
+                              .update(
+                                oauth_grants_user_code_column => nil,
+                                oauth_grants_account_id_column => account_id
+                              )
+
+        create_params = {
+          oauth_tokens_account_id_column => account_id,
+          oauth_tokens_oauth_application_id_column => oauth_grant[oauth_grants_oauth_application_id_column],
+          oauth_tokens_oauth_grant_id_column => oauth_grant[oauth_grants_id_column],
+          oauth_tokens_scopes_column => oauth_grant[oauth_grants_scopes_column]
+        }
+        create_oauth_token_from_authorization_code(oauth_grant, create_params)
+      else
+        super
+      end
+    end
+
+    def validate_oauth_token_params
+      grant_type = param_or_nil("grant_type")
+
+      if grant_type == "urn:ietf:params:oauth:grant-type:device_code" && !param_or_nil("device_code")
+        redirect_response_error("invalid_request")
+      end
+      super
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        if use_oauth_device_code_grant_type?
+          data[:grant_types_supported] << "urn:ietf:params:oauth:grant-type:device_code"
+          data[:device_authorization_endpoint] = device_authorization_url
+        end
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_dynamic_client_registration.rb

@@ -0,0 +1,252 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_dynamic_client_registration, :OauthDynamicClientRegistration) do
+    depends :oauth_base
+
+    before "register"
+
+    auth_value_method :oauth_client_registration_required_params, %w[redirect_uris client_name client_uri]
+
+    PROTECTED_APPLICATION_ATTRIBUTES = %i[account_id client_id].freeze
+
+    # /register
+    route(:register) do |r|
+      next unless is_authorization_server?
+
+      before_register_route
+
+      validate_client_registration_params
+
+      r.post do
+        response_params = transaction do
+          before_register
+          do_register
+        end
+
+        response.status = 201
+        response["Content-Type"] = json_response_content_type
+        response["Cache-Control"] = "no-store"
+        response["Pragma"] = "no-cache"
+        response.write(_json_response_body(response_params))
+      end
+    end
+
+    def check_csrf?
+      case request.path
+      when register_path
+        false
+      else
+        super
+      end
+    end
+
+    private
+
+    def registration_metadata
+      oauth_server_metadata_body
+    end
+
+    def validate_client_registration_params
+      oauth_client_registration_required_params.each do |required_param|
+        unless request.params.key?(required_param)
+          register_throw_json_response_error("invalid_client_metadata", register_required_param_message(required_param))
+        end
+      end
+      metadata = registration_metadata
+
+      @oauth_application_params = request.params.each_with_object({}) do |(key, value), params|
+        case key
+        when "redirect_uris"
+          if value.is_a?(Array)
+            value = value.each do |uri|
+              register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(uri)) unless check_valid_uri?(uri)
+            end.join(" ")
+          else
+            register_throw_json_response_error("invalid_redirect_uri", register_invalid_uri_message(value))
+          end
+          key = oauth_applications_redirect_uri_column
+        when "token_endpoint_auth_method"
+          unless oauth_auth_methods_supported.include?(value)
+            register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key))
+          end
+          # verify if in range
+          key = oauth_applications_token_endpoint_auth_method_column
+        when "grant_types"
+          if value.is_a?(Array)
+            value = value.each do |grant_type|
+              unless metadata[:grant_types_supported].include?(grant_type)
+                register_throw_json_response_error("invalid_client_metadata", register_invalid_grant_type_message(grant_type))
+              end
+            end.join(" ")
+          else
+            set_field_error(key, invalid_client_metadata_message)
+          end
+          key = oauth_applications_grant_types_column
+        when "response_types"
+          if value.is_a?(Array)
+            grant_types = request.params["grant_types"] || metadata[:grant_types_supported]
+            value = value.each do |response_type|
+              unless metadata[:response_types_supported].include?(response_type)
+                register_throw_json_response_error("invalid_client_metadata",
+                                                   register_invalid_response_type_message(response_type))
+              end
+
+              validate_client_registration_response_type(response_type, grant_types)
+            end.join(" ")
+          else
+            set_field_error(key, invalid_client_metadata_message)
+          end
+          key = oauth_applications_response_types_column
+          # verify if in range and match grant type
+        when "client_uri", "logo_uri", "tos_uri", "policy_uri", "jwks_uri"
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_uri_message(value)) unless check_valid_uri?(value)
+          case key
+          when "client_uri"
+            key = "homepage_url"
+          when "jwks_uri"
+            if request.params.key?("jwks")
+              register_throw_json_response_error("invalid_client_metadata",
+                                                 register_invalid_jwks_param_message(key, "jwks"))
+            end
+          end
+          key = __send__(:"oauth_applications_#{key}_column")
+        when "jwks"
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(value)) unless value.is_a?(Hash)
+          if request.params.key?("jwks_uri")
+            register_throw_json_response_error("invalid_client_metadata",
+                                               register_invalid_jwks_param_message(key, "jwks_uri"))
+          end
+
+          key = oauth_applications_jwks_column
+          value = JSON.dump(value)
+        when "scope"
+          scopes = value.split(" ") - oauth_application_scopes
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_scopes_message(value)) unless scopes.empty?
+          key = oauth_applications_scopes_column
+          # verify if in range
+        when "contacts"
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_contacts_message(value)) unless value.is_a?(Array)
+          value = value.join(" ")
+          key = oauth_applications_contacts_column
+        when "client_name"
+          key = oauth_applications_name_column
+        else
+          if respond_to?(:"oauth_applications_#{key}_column")
+            property = :"oauth_applications_#{key}_column"
+            if PROTECTED_APPLICATION_ATTRIBUTES.include?(property)
+              register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key))
+            end
+            key = __send__(property)
+          elsif !db[oauth_applications_table].columns.include?(key.to_sym)
+            register_throw_json_response_error("invalid_client_metadata", register_invalid_param_message(key))
+          end
+        end
+        params[key] = value
+      end
+    end
+
+    def validate_client_registration_response_type(response_type, grant_types)
+      case response_type
+      when "code"
+        unless grant_types.include?("authorization_code")
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_response_type_for_grant_type_message(response_type,
+                                                                                                   "authorization_code"))
+        end
+      when "token"
+        unless grant_types.include?("implicit")
+          register_throw_json_response_error("invalid_client_metadata",
+                                             register_invalid_response_type_for_grant_type_message(response_type, "implicit"))
+        end
+      when "none"
+        if grant_types.include?("implicit") || grant_types.include?("authorization_code")
+          register_throw_json_response_error("invalid_client_metadata", register_invalid_response_type_message(response_type))
+        end
+      end
+    end
+
+    def do_register(return_params = request.params.dup)
+      # set defaults
+      create_params = @oauth_application_params
+      create_params[oauth_applications_scopes_column] ||= return_params["scopes"] = oauth_application_default_scope.join(" ")
+      create_params[oauth_applications_token_endpoint_auth_method_column] ||= begin
+        return_params["token_endpoint_auth_method"] = "client_secret_basic"
+        "client_secret_basic"
+      end
+      create_params[oauth_applications_grant_types_column] ||= begin
+        return_params["grant_types"] = %w[authorization_code]
+        "authorization_code"
+      end
+      create_params[oauth_applications_response_types_column] ||= begin
+        return_params["response_types"] = %w[code]
+        "code"
+      end
+      rescue_from_uniqueness_error do
+        client_id = oauth_unique_id_generator
+        create_params[oauth_applications_client_id_column] = client_id
+        return_params["client_id"] = client_id
+        return_params["client_id_issued_at"] = Time.now.utc.iso8601
+        if create_params.key?(oauth_applications_client_secret_column)
+          create_params[oauth_applications_client_secret_column] = secret_hash(create_params[oauth_applications_client_secret_column])
+          return_params.delete("client_secret")
+        else
+          client_secret = oauth_unique_id_generator
+          create_params[oauth_applications_client_secret_column] = secret_hash(client_secret)
+          return_params["client_secret"] = client_secret
+          return_params["client_secret_expires_at"] = 0
+        end
+        db[oauth_applications_table].insert(create_params)
+      end
+
+      return_params
+    end
+
+    def register_throw_json_response_error(code, message)
+      throw_json_response_error(invalid_oauth_response_status, code, message)
+    end
+
+    def register_required_param_message(key)
+      "The param '#{key}' is required by this server."
+    end
+
+    def register_invalid_param_message(key)
+      "The param '#{key}' is not supported by this server."
+    end
+
+    def register_invalid_contacts_message(contacts)
+      "The contacts '#{contacts}' are not allowed by this server."
+    end
+
+    def register_invalid_uri_message(uri)
+      "The '#{uri}' URL is not allowed by this server."
+    end
+
+    def register_invalid_jwks_param_message(key1, key2)
+      "The param '#{key1}' cannot be accepted together with param '#{key2}'."
+    end
+
+    def register_invalid_scopes_message(scopes)
+      "The given scopes (#{scopes}) are not allowed by this server."
+    end
+
+    def register_invalid_grant_type_message(grant_type)
+      "The grant type #{grant_type} is not allowed by this server."
+    end
+
+    def register_invalid_response_type_message(response_type)
+      "The response type #{response_type} is not allowed by this server."
+    end
+
+    def register_invalid_response_type_for_grant_type_message(response_type, grant_type)
+      "The grant type '#{grant_type}' must be registered for the response " \
+        "type '#{response_type}' to be allowed."
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        data[:registration_endpoint] = register_url
+      end
+    end
+  end
+end

data/lib/rodauth/features/oauth_http_mac.rb

@@ -1,28 +1,10 @@
 # frozen-string-literal: true
 
+require "rodauth/oauth/refinements"
+
 module Rodauth
   Feature.define(:oauth_http_mac, :OauthHttpMac) do
-    unless String.method_defined?(:delete_prefix)
-      module PrefixExtensions
-        refine(String) do
-          def delete_suffix(suffix)
-            suffix = suffix.to_s
-            len = suffix.length
-            return dup unless len.positive? && index(suffix, -len)
-
-            self[0...-len]
-          end
-
-          def delete_prefix(prefix)
-            prefix = prefix.to_s
-            return dup unless rindex(prefix, 0)
-
-            self[prefix.length..-1]
-          end
-        end
-      end
-      using(PrefixExtensions)
-    end
+    using PrefixExtensions
 
     depends :oauth
 

data/lib/rodauth/features/oauth_implicit_grant.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module Rodauth
+  Feature.define(:oauth_implicit_grant, :OauthImplicitGrant) do
+    depends :oauth_base
+
+    auth_value_method :use_oauth_implicit_grant_type?, false
+
+    private
+
+    def do_authorize(response_params = {}, response_mode = param_or_nil("response_mode"))
+      return super unless param("response_type") == "token" && use_oauth_implicit_grant_type?
+
+      response_mode ||= "fragment"
+      response_params.replace(_do_authorize_token)
+
+      response_params["state"] = param("state") if param_or_nil("state")
+
+      [response_params, response_mode]
+    end
+
+    def _do_authorize_token
+      create_params = {
+        oauth_tokens_account_id_column => account_id,
+        oauth_tokens_oauth_application_id_column => oauth_application[oauth_applications_id_column],
+        oauth_tokens_scopes_column => scopes
+      }
+      oauth_token = generate_oauth_token(create_params, false)
+
+      json_access_token_payload(oauth_token)
+    end
+
+    def authorize_response(params, mode)
+      return super unless mode == "fragment"
+
+      redirect_url = URI.parse(redirect_uri)
+      params = params.map { |k, v| "#{k}=#{v}" }
+      params << redirect_url.query if redirect_url.query
+      redirect_url.fragment = params.join("&")
+      redirect(redirect_url.to_s)
+    end
+
+    def oauth_server_metadata_body(*)
+      super.tap do |data|
+        if use_oauth_implicit_grant_type?
+          data[:response_types_supported] << "token"
+          data[:response_modes_supported] << "fragment"
+          data[:grant_types_supported] << "implicit"
+        end
+      end
+    end
+
+    def check_valid_response_type?
+      return true if use_oauth_implicit_grant_type? && param_or_nil("response_type") == "token"
+
+      super
+    end
+  end
+end