rodauth-pat 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: fa9378550a45520ae988790ca9be8fb99f06a5546dc3ba4bac053956f71a264f
+  data.tar.gz: d6e056f4dedf6d79e8dd1ac9fb89abcbf2db1faa59d0dff8620722851244575e
+SHA512:
+  metadata.gz: 571f8e21905e4350c097c2a8a6d99245c917f7eadc7a57f296a475cd0017ec971668101ec455ba439c4ded466f42ffab4a0f4a4e7dd48743d1cfefc0316b7602
+  data.tar.gz: 7f7b3214370c874608918282f7bc53caff7f09632a3099e4f524dfc0619a5d73aba167ce64f186a452dd31c7f5916767ed68319f027cc33f66997e7a8361d4b9

data/.rspec

@@ -0,0 +1,2 @@
+--require spec_helper
+--color

data/CHANGELOG.md

@@ -0,0 +1,7 @@
+## [0.1.1] - 2023-07-24
+
+- Initial release
+
+## [0.1.0] - 2023-03-25
+
+- Unpublished setup

data/Gemfile

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gemspec
+
+gem "rake"
+gem "rackup"
+
+gem "rspec"
+gem "capybara"
+gem "bcrypt"
+gem "tilt"
+gem "sqlite3"

data/Gemfile.lock

@@ -0,0 +1,81 @@
+PATH
+  remote: .
+  specs:
+    rodauth-pat (0.1.0)
+      rodauth (~> 2.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    addressable (2.8.4)
+      public_suffix (>= 2.0.2, < 6.0)
+    bcrypt (3.1.19)
+    capybara (3.39.2)
+      addressable
+      matrix
+      mini_mime (>= 0.1.3)
+      nokogiri (~> 1.8)
+      rack (>= 1.6.0)
+      rack-test (>= 0.6.3)
+      regexp_parser (>= 1.5, < 3.0)
+      xpath (~> 3.2)
+    diff-lcs (1.5.0)
+    matrix (0.4.2)
+    mini_mime (1.1.2)
+    nokogiri (1.15.3-x86_64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.15.3-x86_64-linux)
+      racc (~> 1.4)
+    public_suffix (5.0.3)
+    racc (1.7.1)
+    rack (3.0.8)
+    rack-test (2.1.0)
+      rack (>= 1.3)
+    rackup (2.1.0)
+      rack (>= 3)
+      webrick (~> 1.8)
+    rake (13.0.6)
+    regexp_parser (2.8.1)
+    roda (3.70.0)
+      rack
+    rodauth (2.30.0)
+      roda (>= 2.6.0)
+      sequel (>= 4)
+    rspec (3.12.0)
+      rspec-core (~> 3.12.0)
+      rspec-expectations (~> 3.12.0)
+      rspec-mocks (~> 3.12.0)
+    rspec-core (3.12.2)
+      rspec-support (~> 3.12.0)
+    rspec-expectations (3.12.3)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.12.0)
+    rspec-mocks (3.12.6)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.12.0)
+    rspec-support (3.12.1)
+    sequel (5.70.0)
+    sqlite3 (1.6.3-x86_64-darwin)
+    sqlite3 (1.6.3-x86_64-linux)
+    tilt (2.2.0)
+    webrick (1.8.1)
+    xpath (3.2.0)
+      nokogiri (~> 1.8)
+
+PLATFORMS
+  x86_64-darwin-19
+  x86_64-linux
+  x86_64-linux-musl
+
+DEPENDENCIES
+  bcrypt
+  capybara
+  rackup
+  rake
+  rodauth-pat!
+  rspec
+  sqlite3
+  tilt
+
+BUNDLED WITH
+   2.4.17

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 Jonas Mueller
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,62 @@
+# Personal Access Tokens for Rodauth
+
+This is an extension to the `rodauth` gem which implements Personal
+Access Tokens for an authorization server.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+``` ruby
+gem 'rodauth-pat'
+```
+
+And then execute:
+
+``` sh
+$ bundle install
+```
+
+Or install it yourself as:
+
+``` sh
+$ gem install rodauth-pat
+```
+
+## Usage
+
+After setting up basic `rodauth`, you can enable the feature:
+
+``` ruby
+plugin :rodauth do
+  enable :login, :personal_access_tokens
+end
+
+# then, inside roda
+
+route do |r|
+  r.rodauth
+
+  # This will setup 3 routes for management of the Personal Access Tokens:
+  # There are not strictly required for operation of #require_token_authentication
+  #
+  #   * /personal-access-tokens             Show non-revoked tokens
+  #   * /personal_access_tokens/:id/revoke  Revoke existing tokens
+  #   * /personal_access_tokens/new         Create new tokens
+  rodauth.load_personal_access_token_routes
+
+  r.get "public" do
+    "public!"
+  end
+
+  r.get "protected" do
+    rodauth.require_authentication
+    "secret!"
+  end
+
+  r.get "api" do
+    rodauth.require_token_authentication
+    "secret with api!"
+  end
+end
+```

data/Rakefile

@@ -0,0 +1,8 @@
+require "rake"
+require "rspec/core/rake_task"
+
+require "bundler/gem_tasks"
+
+RSpec::Core::RakeTask.new(:spec) 
+
+task default: :spec

data/example/app.rb

@@ -0,0 +1,64 @@
+require "roda"
+require "sequel/core"
+require "securerandom"
+require "net/http"
+require "bcrypt"
+require "digest/sha1"
+
+$LOAD_PATH.unshift(File.expand_path("../lib", __dir__))
+
+DB = Sequel.connect("sqlite:/", identifier_mangling: false)
+Sequel.extension :migration
+Sequel::Migrator.run(DB, File.expand_path("../spec/migrate", __dir__))
+
+hash = BCrypt::Password.create("password", cost: BCrypt::Engine::MIN_COST)
+DB[:accounts].insert_conflict(target: :email).insert(email: "foo@bar.com", ph: hash)
+
+class PersonalAccessTokenApp < Roda
+  SECRET = SecureRandom.base64(64)
+
+  plugin :flash
+  plugin :common_logger
+  plugin :sessions, secret: SECRET
+  plugin :render, layout_opts: { inline: <<~EOS }
+    <%= flash["notice"] %>
+    <%= flash["error"] %>
+    <%= yield %>
+  EOS
+
+  plugin :rodauth do
+    db DB
+    enable :login
+    enable :personal_access_tokens
+    account_password_hash_column :ph
+    login_return_to_requested_location? true
+    hmac_secret SECRET
+  end
+
+  plugin :not_found do
+    "Not Found: #{request.path_info}"
+  end
+
+  route do |r|
+    r.rodauth
+    rodauth.load_personal_access_token_routes
+
+    r.root do
+      view inline: <<~HTML
+        This is the root path!<br>
+        <a href="/personal-access-tokens">Tokens</a>
+      HTML
+    end
+
+  end
+end
+
+DB.freeze
+
+if $0 == __FILE__
+  require "rackup"
+
+  Rackup::Server.start \
+    app: PersonalAccessTokenApp,
+    Port: 9292
+end

data/lib/rodauth/features/personal_access_tokens/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Rodauth
+  module PersonalAccessTokens
+    VERSION = "0.1.1"
+  end
+end

data/lib/rodauth/features/personal_access_tokens.rb

@@ -0,0 +1,147 @@
+require "rodauth"
+
+require_relative "personal_access_tokens/version"
+
+module Rodauth
+  Feature.define(:personal_access_tokens, :PersonalAccessTokens) do
+    depends :base, :login
+
+    auth_value_method :personal_access_tokens_table_name, :personal_access_tokens
+    auth_value_method :personal_access_token_name_param, "name"
+    auth_value_method :personal_access_tokens_account_id_column, :account_id
+    auth_value_method :personal_access_tokens_name_column, :name
+    auth_value_method :personal_access_tokens_digest_column, :digest
+    auth_value_method :personal_access_tokens_error_status, 401
+    auth_value_method :personal_access_tokens_route, "personal-access-tokens"
+    auth_value_method :personal_access_tokens_revoke_route, "revoke"
+    auth_value_method :personal_access_tokens_new_route, "new"
+    auth_value_method :personal_access_tokens_error_body, "Unauthorized"
+    auth_value_method :personal_access_tokens_expires_column, :expires_at
+    auth_value_method :personal_access_tokens_revoked_column, :revoked_at
+    auth_value_method :personal_access_tokens_validity, (60 * 60 * 24 * 365)
+    auth_value_method :personal_access_tokens_header_regexp, /\ABearer: (\w+)/
+
+    loaded_templates %w(
+      personal_access_tokens
+      new_personal_access_token
+      revoke_personal_access_token
+    )
+
+    view "personal-access-tokens", "Personal Access Tokens", "personal_access_tokens"
+    view "revoke-personal-access-token", "Revoke Personal Access Token", "revoke_personal_access_token"
+    view "new-personal-access-token", "New Personal Access Token", "new_personal_access_token"
+
+    additional_form_tags
+    button "Create", "new_personal_access_token"
+    button "Revoke", "revoke_personal_access_token"
+    redirect
+
+    def personal_access_tokens_path
+      route_path(personal_access_tokens_route)
+    end
+
+    def revoke_personal_access_token_path(id)
+      "#{personal_access_tokens_path}/#{id}/#{personal_access_tokens_revoke_route}"
+    end
+
+    def new_personal_access_token_path
+      "#{personal_access_tokens_path}/#{personal_access_tokens_new_route}"
+    end
+
+    def load_personal_access_token_routes
+      request.on(personal_access_tokens_route) do
+        check_csrf if check_csrf?
+        require_account
+
+        request.is(true) do
+          personal_access_tokens_view
+        end
+
+        request.is(personal_access_tokens_new_route) do
+          request.get do
+            new_personal_access_token_view
+          end
+
+          request.post do
+            key = create_key
+            name = param(personal_access_token_name_param)
+            insert_token(name, key)
+            set_notice_flash "Success! New token (#{name}): #{key}"
+            redirect personal_access_tokens_path
+          end
+        end
+
+        request.on Integer do |id|
+          next unless token = account_personal_access_tokens_ds.first(id: id)
+
+          scope.instance_variable_set(:@token, token)
+
+          request.is(personal_access_tokens_revoke_route) do
+            request.get do
+              revoke_personal_access_token_view
+            end
+
+            request.post do
+              account_personal_access_tokens_ds
+                .where(id: id)
+                .update(revoked_at: Time.now)
+              set_notice_flash "Success! Token #{token[:name]} revoked"
+              redirect personal_access_tokens_path
+            end
+          end
+        end
+      end
+    end
+
+    def require_token_authentication
+      return if token_valid?(request.env["HTTP_AUTHENTICATION"])
+
+      request.halt [
+        personal_access_tokens_error_status,
+        {},
+        personal_access_tokens_error_body
+      ]
+    end
+
+    def insert_token(name, key)
+      DB[personal_access_tokens_table_name].insert \
+        personal_access_tokens_account_id_column => account_from_session[account_id_column],
+        personal_access_tokens_name_column => name,
+        personal_access_tokens_digest_column => compute_hmac(key),
+        personal_access_tokens_expires_column => Time.now + personal_access_tokens_validity
+    end
+
+    def template_path(page)
+      path = File.join(File.dirname(__FILE__), "../../../templates", "#{page}.str")
+      return super unless File.exist?(path)
+
+      path
+    end
+
+    def account_personal_access_tokens_ds
+      DB[personal_access_tokens_table_name]
+        .where(personal_access_tokens_account_id_column => account_from_session[account_id_column])
+    end
+
+    def create_key
+      SecureRandom.alphanumeric(20)
+    end
+
+    def account_personal_access_tokens
+      account_personal_access_tokens_ds
+        .where(personal_access_tokens_revoked_column => nil)
+        .all
+    end
+
+    def token_valid?(header)
+      return false unless header
+      return false unless key = header[personal_access_tokens_header_regexp, 1]
+
+      !!DB[personal_access_tokens_table_name]
+        .where(Sequel::CURRENT_TIMESTAMP < personal_access_tokens_expires_column)
+        .where(personal_access_tokens_revoked_column => nil)
+        .first(personal_access_tokens_digest_column => compute_hmac(key))
+    end
+
+  end
+end

data/rodauth-pat.gemspec

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require_relative "lib/rodauth/features/personal_access_tokens/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "rodauth-pat"
+  spec.version = Rodauth::PersonalAccessTokens::VERSION
+  spec.authors = ["Jonas Mueller"]
+  spec.email = ["jonas@tigger.cloud"]
+
+  spec.summary = "Implementation of personal access tokens oon top of rodauth."
+  spec.description = "Implementation of personal access tokens on top of rodauth."
+  spec.homepage = "https://github.com/muellerj/rodauth-pat"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 2.7.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = spec.homepage
+  spec.metadata["changelog_uri"] = spec.homepage + "/blob/master/CHANGELOG.md"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (f == __FILE__) || f.match(%r{\A(?:(?:bin|test|spec|features)/|\.(?:git|travis|circleci)|appveyor)})
+    end
+  end
+
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "rodauth", "~> 2.0"
+end

data/templates/new-personal-access-token.str

@@ -0,0 +1,13 @@
+<h1>New Personal Access Token</h1>
+
+<form method="POST">
+  #{rodauth.personal_access_tokens_additional_form_tags}
+  #{rodauth.csrf_tag}
+	<div>
+		<label for="name">Name</label>
+		#{rodauth.input_field_string(rodauth.personal_access_token_name_param, 'name')}
+	</div>
+
+  <a href="#{rodauth.personal_access_tokens_path}">Back</a>
+  #{rodauth.button(rodauth.new_personal_access_token_button)}
+</form>

data/templates/personal-access-tokens.str

@@ -0,0 +1,11 @@
+<h1>My Personal Access Tokens</h1>
+
+<ul>
+  #{
+  rodauth.account_personal_access_tokens.map do |token|
+    "<li>" + token.inspect + "<a href='#{rodauth.revoke_personal_access_token_path(token[:id])}'>Revoke</a></li>"
+  end.join("\n")
+  }
+</ul>
+
+<a href="#{rodauth.new_personal_access_token_path}">New Token</a>

data/templates/revoke-personal-access-token.str

@@ -0,0 +1,14 @@
+<h1>Revoke Personal Access Token</h1>
+
+<p>
+  Are you sure you want to revoke token <strong>#{@token[:name]}</strong>?
+  This will immediately terminate all access using this token and cannot be undone.
+</p>
+
+<form method="POST">
+  #{rodauth.personal_access_tokens_additional_form_tags}
+  #{rodauth.csrf_tag}
+
+  <a href="#{rodauth.personal_access_tokens_path}">Back</a>
+  #{rodauth.button(rodauth.revoke_personal_access_token_button)}
+</form>

metadata

@@ -0,0 +1,74 @@
+--- !ruby/object:Gem::Specification
+name: rodauth-pat
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- Jonas Mueller
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2023-07-24 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rodauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: Implementation of personal access tokens on top of rodauth.
+email:
+- jonas@tigger.cloud
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- example/app.rb
+- lib/rodauth/features/personal_access_tokens.rb
+- lib/rodauth/features/personal_access_tokens/version.rb
+- rodauth-pat.gemspec
+- templates/new-personal-access-token.str
+- templates/personal-access-tokens.str
+- templates/revoke-personal-access-token.str
+homepage: https://github.com/muellerj/rodauth-pat
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/muellerj/rodauth-pat
+  source_code_uri: https://github.com/muellerj/rodauth-pat
+  changelog_uri: https://github.com/muellerj/rodauth-pat/blob/master/CHANGELOG.md
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.10
+signing_key:
+specification_version: 4
+summary: Implementation of personal access tokens oon top of rodauth.
+test_files: []