securelogin 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 3ac49372f8e124a6ac2e3a5076789f46730710f9
+  data.tar.gz: 41b636a5f060c432e2a458c6ccb731a2e4432b37
+SHA512:
+  metadata.gz: 0b1893e6600c50c5df61261d53952de1a0ae154565791c73e04d150f7f10d89216de3b4ccfe1f928aa82b1f0a5bf08fa9831b7504898f370f101060e4bdf9b05
+  data.tar.gz: f42a08e9ded4613b708491699bba45ca852c1785fb3752b2c6f9cea1e2c47980ae26d2fbfc76e0513a3764dff4453081e17cfbdcd333a200088f015463730b95

data/lib/securelogin.rb

@@ -0,0 +1,64 @@
+require 'rack'
+require 'uri'
+require 'base64'
+
+class SecureLogin
+  def self.csv(str)
+    str.to_s.split(',').map{|f| URI.decode(f) }
+  end
+
+  def self.hmac(secret, message)
+    # HMAC-SHA-512-256 (first 256 bits) https://nacl.cr.yp.to/auth.html    
+    Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha512'), Base64.decode64(secret), message).slice(0,32)).strip
+  end
+
+  def self.verify(sltoken, opts={})
+    message, signatures, authkeys, email = csv(sltoken)
+
+    signature, hmac_signature = csv(signatures)
+    pubkey, secret = csv(authkeys)
+    #if not set, use pubkey provided inside sltoken
+
+    pubkey = opts[:pubkey] || pubkey
+    secret = opts[:secret] || secret
+    origins = opts[:origins]
+
+    # You don't have to implement shared secret verification, it's extra check for the future if public crypto fails 
+    #error = "Invalid HMAC #{hmac_signature}" if self.hmac(secret, message) != hmac_signature
+    RbNaCl::VerifyKey.new(Base64.decode64(pubkey)).verify(Base64.decode64(signature), message) rescue error = 'Invalid signature' 
+
+    provider, client, scope, expire_at = csv(message)
+
+    scope = Rack::Utils.parse_query(scope)
+
+
+    error = "Invalid provider" unless origins.include? provider
+
+    # for Connect client verification is skipped
+    error = "Invalid client" unless origins.include?(client) && !opts[:connect] 
+    
+    # we don't mind old tokens
+    error = "Expired token" unless expire_at.to_i + 86400 > Time.now.to_i 
+    
+    if opts[:change] == true
+      # "to" is new sltoken to change to
+      error = "Not mode=change token" unless scope["mode"] == 'change' && scope["to"] && scope.size == 2
+    else
+      error = "Invalid scope" unless scope == (opts[:scope] || {})
+    end
+
+    if error
+      return {error: error}
+    else
+      return {
+        provider: provider,
+        client: client,
+        scope: scope,
+        expire_at: expire_at,
+        email: email,
+        securelogin_pubkey: pubkey,
+        securelogin_secret: secret
+      }
+    end
+  end
+end

metadata

@@ -0,0 +1,44 @@
+--- !ruby/object:Gem::Specification
+name: securelogin
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Sakurity
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-06-29 00:00:00.000000000 Z
+dependencies: []
+description: SecureLogin helpers for Ruby
+email: info@sakurity.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/securelogin.rb
+homepage: https://securelogin.pw
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.8
+signing_key: 
+specification_version: 4
+summary: SecureLogin Authentication Protocol
+test_files: []