securelogin 0.0.1

Files changed (3) hide show
  1. checksums.yaml +7 -0
  2. data/lib/securelogin.rb +64 -0
  3. metadata +44 -0
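--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+ ---
+ SHA1:
+ metadata.gz: 3ac49372f8e124a6ac2e3a5076789f46730710f9
+ data.tar.gz: 41b636a5f060c432e2a458c6ccb731a2e4432b37
+ SHA512:
+ metadata.gz: 0b1893e6600c50c5df61261d53952de1a0ae154565791c73e04d150f7f10d89216de3b4ccfe1f928aa82b1f0a5bf08fa9831b7504898f370f101060e4bdf9b05
+ data.tar.gz: f42a08e9ded4613b708491699bba45ca852c1785fb3752b2c6f9cea1e2c47980ae26d2fbfc76e0513a3764dff4453081e17cfbdcd333a200088f015463730b95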
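--- a/data/lib/securelogin.rb
+++ b/data/lib/securelogin.rb
@@ -0,0 +1,64 @@
+ require 'rack'
+ require 'uri'
+ require 'base64'
+
+ class SecureLogin
+ def self.csv(str)
+ str.to_s.split(',').map{|f| URI.decode(f) }
+ end
+
+ def self.hmac(secret, message)
+ # HMAC-SHA-512-256 (first 256 bits) https://nacl.cr.yp.to/auth.html
+ Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha512'), Base64.decode64(secret), message).slice(0,32)).strip
+ end
+
+ def self.verify(sltoken, opts={})
+ message, signatures, authkeys, email = csv(sltoken)
+
+ signature, hmac_signature = csv(signatures)
+ pubkey, secret = csv(authkeys)
+ #if not set, use pubkey provided inside sltoken
+
+ pubkey = opts[:pubkey] || pubkey
+ secret = opts[:secret] || secret
+ origins = opts[:origins]
+
+ # You don't have to implement shared secret verification, it's extra check for the future if public crypto fails
+ #error = "Invalid HMAC #{hmac_signature}" if self.hmac(secret, message) != hmac_signature
+ RbNaCl::VerifyKey.new(Base64.decode64(pubkey)).verify(Base64.decode64(signature), message) rescue error = 'Invalid signature'
+
+ provider, client, scope, expire_at = csv(message)
+
+ scope = Rack::Utils.parse_query(scope)
+
+
+ error = "Invalid provider" unless origins.include? provider
+
+ # for Connect client verification is skipped
+ error = "Invalid client" unless origins.include?(client) && !opts[:connect]
+
+ # we don't mind old tokens
+ error = "Expired token" unless expire_at.to_i + 86400 > Time.now.to_i
+
+ if opts[:change] == true
+ # "to" is new sltoken to change to
+ error = "Not mode=change token" unless scope["mode"] == 'change' && scope["to"] && scope.size == 2
+ else
+ error = "Invalid scope" unless scope == (opts[:scope] || {})
+ end
+
+ if error
+ return {error: error}
+ else
+ return {
+ provider: provider,
+ client: client,
+ scope: scope,
+ expire_at: expire_at,
+ email: email,
+ securelogin_pubkey: pubkey,
+ securelogin_secret: secret
+ }
+ end
+ end
+ end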
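Review bot: In `verify`, `pubkey = opts[:pubkey] || pubkey` falls back to the key carried inside the token, so when the caller passes no `:pubkey` the signature check only proves the token is self-consistent, not that it belongs to a known account; the method should say so, e.g. `# without opts[:pubkey] the token's own key is used: compare the returned securelogin_pubkey with the stored one before trusting the result`. The client check `unless origins.include?(client) && !opts[:connect]` contradicts the comment above it and sets "Invalid client" for every token whenever `opts[:connect]` is truthy; `error = "Invalid client" unless opts[:connect] || origins.include?(client)` matches the stated intent. The inline `rescue` on the signature line also catches the NameError raised when RbNaCl is not loaded (the file requires neither `rbnacl` nor `openssl`, and the gemspec lists no dependencies), so a missing library is reported as 'Invalid signature' instead of surfacing. `origins.include?` raises on a nil `:origins` and does substring matching if a String is passed, so the method should require an Array and reject anything else up front.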
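--- a/metadata
+++ b/metadata
@@ -0,0 +1,44 @@
+ --- !ruby/object:Gem::Specification
+ name: securelogin
+ version: !ruby/object:Gem::Version
+ version: 0.0.1
+ platform: ruby
+ authors:
+ - Sakurity
+ autorequire:
+ bindir: bin
+ cert_chain: []
+ date: 2017-06-29 00:00:00.000000000 Z
+ dependencies: []
+ description: SecureLogin helpers for Ruby
+ email: info@sakurity.com
+ executables: []
+ extensions: []
+ extra_rdoc_files: []
+ files:
+ - lib/securelogin.rb
+ homepage: https://securelogin.pw
+ licenses:
+ - MIT
+ metadata: {}
+ post_install_message:
+ rdoc_options: []
+ require_paths:
+ - lib
+ required_ruby_version: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
+ required_rubygems_version: !ruby/object:Gem::Requirement
+ requirements:
+ - - ">="
+ - !ruby/object:Gem::Version
+ version: '0'
+ requirements: []
+ rubyforge_project:
+ rubygems_version: 2.6.8
+ signing_key:
+ specification_version: 4
+ summary: SecureLogin Authentication Protocol
+ test_files: []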