shakha 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dab553b64eb62de5d3a4225c5a4aa4fb470f8c6cf4aeea518f549dd664b7e67a
-  data.tar.gz: 0206f67ee329e747bad7da7cd3082c6be17811e19ef97ec67843d61bf50922de
+  metadata.gz: 82e8c2eda1b9b817ce681d22f4e5a331d15e0c59588c972067d1fa432db03b62
+  data.tar.gz: 979e1a3513ac57e1b1d6a81fffd954c1fb911fbb8d0cca729b65ce161bbe9f44
 SHA512:
-  metadata.gz: 1704c398b0c6cdfa415a08f0662574eab25acb72b28ac9d8e8b83658750793111aeb9f24248ba22641ebc566500d6fbef2e63b250a895f43d6c7eb451c877d07
-  data.tar.gz: 9eab6f79cb46672c4df6dfc26507e91518616ac67ae7119bd07bfe7a177e7488f97918c09280eafcf8192953014d264bbc5beacc9c6bd5ced23fbb2e885f1e26
+  metadata.gz: 80529b985eb5d490eada76a0829a9aa3311ec30af375c83b4f33ef0cb5e2399e4b1f75242bb8d5ee843e8b49d583da36ac84f53d0953b33d96868bf80dd9bb33
+  data.tar.gz: 15777157e9a5fb3746019943f760b57ef92a9b10680056d0178f65d42392ed0391da8f1c3bf72c90e5c32d2c6110dac3420a8e1062cc0cf3d999b50309888c3d

data/app/controllers/shakha/application_controller.rb

@@ -9,7 +9,7 @@ module Shakha
 
     layout -> { false if request.format == :json }
 
-    rescue_from ActiveSupport::ActionController::InvalidAuthenticityToken, with: :invalid_csrf_token
+    rescue_from ActionController::InvalidAuthenticityToken, with: :invalid_csrf_token
 
     private
 

data/app/controllers/shakha/auth_controller.rb

@@ -20,15 +20,14 @@ module Shakha
 
       google_auth_url = build_google_auth_url(pkce)
 
-      redirect_to google_auth_url
+      redirect_to google_auth_url, allow_other_host: true
     end
 
     def callback
-      verifier = verify_pkce!(params[:code])
-
-      exchange_code_for_tokens(params[:code], verifier)
+      pkce_result = verify_pkce!(params[:code], params[:state])
+      exchange_code_for_tokens(params[:code], pkce_result[:verifier], pkce_result[:return_to])
     rescue PKCEError, GoogleOAuthError => e
-      redirect_to shakha.error_path(message: e.message)
+      redirect_to "/auth/shakha/error?message=#{URI.encode_www_form_component(e.message)}"
     end
 
     def token
@@ -56,16 +55,18 @@ module Shakha
     private
 
     def find_or_create_client
-      origin = URI.parse(request.origin).origin
+      origin = request.origin || Shakha.config.app_origin
+      origin_uri = URI.parse(origin).origin
 
-      Shakha::Client.find_or_create_by!(origin: origin) do |client|
-        client.name = URI.parse(request.origin).host
+      Shakha::Client.find_or_create_by!(origin: origin_uri) do |client|
+        client.name = URI.parse(origin).host
       end
     end
 
     def build_google_auth_url(pkce)
       client_id = Shakha.config.google_client_id || ENV["GOOGLE_CLIENT_ID"]
-      redirect_uri = "#{Shakha.config.service_base_url}/auth/shakha/callback"
+      base_url = Shakha.config.service_base_url || "http://localhost:3000"
+      redirect_uri = "#{base_url}/auth/shakha/callback"
 
       scopes = ["openid", "email", "profile"].join(" ")
       scopes += " https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile" if params[:request_pii]
@@ -87,10 +88,11 @@ module Shakha
       end.to_s
     end
 
-    def exchange_code_for_tokens(code, verifier)
+    def exchange_code_for_tokens(code, verifier, return_to = "/")
       client_id = Shakha.config.google_client_id || ENV["GOOGLE_CLIENT_ID"]
       client_secret = Shakha.config.google_client_secret || ENV["GOOGLE_CLIENT_SECRET"]
-      redirect_uri = "#{Shakha.config.service_base_url}/auth/shakha/callback"
+      base_url = Shakha.config.service_base_url || "http://localhost:3000"
+      redirect_uri = "#{base_url}/auth/shakha/callback"
 
       response = http_post(
         "https://oauth2.googleapis.com/token",
@@ -115,7 +117,7 @@ module Shakha
       pairwise_sub = Shakha.derive_pairwise_sub(google_sub)
 
       client = find_or_create_client
-      user = Shakha::User.find_or_initialize_by(pairwise_sub: pairwise_sub)
+      user = Shakha::User.find_or_initialize_by(pairwise_sub: pairwise_sub, client: client)
 
       if params[:request_pii] && payload["email"]
         user.assign_attributes(
@@ -140,8 +142,6 @@ module Shakha
         expires: Shakha.config.session_lifetime.from_now
       }
 
-      return_to = pkce_state&.dig(:return_to) || "/"
-
       redirect_to return_to
     end
 

data/app/models/shakha/user.rb

@@ -4,10 +4,11 @@ module Shakha
   class User < ::ApplicationRecord
     self.table_name = "shakha_users"
 
+    belongs_to :client, class_name: "Shakha::Client"
     has_many :sessions, class_name: "Shakha::Session", dependent: :destroy
 
-    validates :pairwise_sub, presence: true, uniqueness: true
-    validates :email, uniqueness: true, allow_blank: true
+    validates :pairwise_sub, presence: true
+    validates :email, uniqueness: { scope: :client_id }, allow_blank: true
 
     def can_access?(resource)
       true

data/app/views/shakha/auth/error.html.erb

@@ -0,0 +1,18 @@
+<% content_for :title, "Authentication Error" %>
+
+<div class="shakha-container">
+  <div class="shakha-card shakha-card-error">
+    <div class="shakha-error-icon">
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+        <circle cx="12" cy="12" r="10"/>
+        <line x1="12" y1="8" x2="12" y2="12"/>
+        <line x1="12" y1="16" x2="12.01" y2="16"/>
+      </svg>
+    </div>
+
+    <h1>Authentication Failed</h1>
+    <p class="shakha-error-message"><%= params[:message] || "An error occurred" %></p>
+
+    <%= link_to "Try Again", "/auth/shakha", class: "shakha-button shakha-button-primary" %>
+  </div>
+</div>

data/{generators → lib/generators}/shakha/install_generator.rb

@@ -1,8 +1,4 @@
 # frozen_string_literal: true
-# This generator creates a migration for the Shakha tables
-
-require "rails/generators/active_record/migration"
-require "rails/generators/active_record/migration/migration_generator"
 
 module Shakha
   class InstallGenerator < Rails::Generators::Base
@@ -17,21 +13,13 @@ module Shakha
     def create_migration
       return if options[:skip_migration]
 
-      migration_template(
-        "migration.rb.erb",
-        "db/migrate/create_shakha_tables.rb",
-        migration_version: migration_version
-      )
+      sleep 1
+      migration_number = Time.now.strftime("%Y%m%d%H%M%S")
+      template "migration.rb.erb", "db/migrate/#{migration_number}_create_shakha_tables.rb"
     end
 
     def add_routes
       route 'mount Shakha::Engine => "/auth/shakha", as: :shakha'
     end
-
-    private
-
-    def migration_version
-      ">= 7.1" ? "[7.1]" : ""
-    end
   end
 end

data/{generators → lib/generators}/shakha/templates/initializer.rb.erb

@@ -20,7 +20,7 @@ Shakha.setup do |config|
   config.google_client_id = ENV["GOOGLE_CLIENT_ID"]
   config.google_client_secret = ENV["GOOGLE_CLIENT_SECRET"]
   config.issuer = ENV.fetch("SHAKHA_ISSUER", "https://shakha.dev")
-  config.session_lifetime = ENV.fetch("SHAKHA_SESSION_LIFETIME", "30.days")
+  config.session_lifetime = 30.days
 
   # JWT signing keys (required for service mode)
   config.signing_key = ENV["SHAKHA_SIGNING_KEY"]

data/{generators → lib/generators}/shakha/templates/migration.rb.erb

@@ -2,7 +2,7 @@
 
 class CreateShakhaTables < ActiveRecord::Migration[7.1]
   def change
-    create_table :shakha_clients, id: :uuid do |t|
+    create_table :shakha_clients do |t|
       t.string :name, null: false
       t.string :origin, null: false
       t.string :client_id
@@ -14,12 +14,12 @@ class CreateShakhaTables < ActiveRecord::Migration[7.1]
     add_index :shakha_clients, :origin, unique: true
     add_index :shakha_clients, :client_id, unique: true
 
-    create_table :shakha_users, id: :uuid do |t|
+    create_table :shakha_users do |t|
       t.string :pairwise_sub, null: false
       t.string :email
       t.string :name
       t.string :picture
-      t.references :client, type: :uuid, null: false
+      t.references :client, null: false
 
       t.timestamps
     end
@@ -27,11 +27,11 @@ class CreateShakhaTables < ActiveRecord::Migration[7.1]
     add_index :shakha_users, :pairwise_sub, unique: true
     add_index :shakha_users, :email
 
-    create_table :shakha_sessions, id: :uuid do |t|
+    create_table :shakha_sessions do |t|
       t.string :token, null: false
       t.string :jti, null: false
-      t.references :user, type: :uuid, null: false
-      t.references :client, type: :uuid, null: false
+      t.references :user, null: false
+      t.references :client, null: false
       t.string :ip_address
       t.string :user_agent
 

data/lib/shakha/config.rb

@@ -8,7 +8,10 @@ module Shakha
                   :google_client_id,
                   :google_client_secret,
                   :issuer,
-                  :session_lifetime
+                  :session_lifetime,
+                  :signing_key,
+                  :verification_key,
+                  :key_id
 
     def initialize
       @session_lifetime = 30.days

data/lib/shakha/engine.rb

@@ -1,93 +1,26 @@
 # frozen_string_literal: true
 
-require "ostruct"
-
 module Shakha
   class Engine < ::Rails::Engine
     isolate_namespace Shakha
 
     config.app_middleware.use Shakha::Middleware
 
-    config.after_initialize do
-      if Shakha.config.app_origin.blank?
-        raise ConfigurationError, "Shakha.app_origin must be set"
-      end
-    end
-
-    class EngineRouter
-      def self.draw
-        Drawer.new
-      end
-
-      class Drawer
-        def initialize
-          @routes = []
-        end
-
-        def resources(*args, &block)
-          resource_options = args.last.is_a?(Hash) ? args.pop : {}
-          resource_name = args.first
-
-          @routes << { type: :resources, name: resource_name, options: resource_options, block: block }
-        end
-
-        def resource(*args, &block)
-          resource_options = args.last.is_a?(Hash) ? args.pop : {}
-          resource_name = args.first
-
-          @routes << { type: :resource, name: resource_name, options: resource_options, block: block }
-        end
-
-        def get(path, to:, as: nil)
-          @routes << { type: :get, path: path, to: to, as: as }
-        end
-
-        def post(path, to:, as: nil)
-          @routes << { type: :post, path: path, to: to, as: as }
-        end
-
-        def match(path, to:, via:, as: nil)
-          @routes << { type: :match, path: path, to: to, via: via, as: as }
-        end
-
-        def routes
-          @routes
-        end
-      end
-    end
-
-    initializer "shakha.routes" do |app|
-      Shakha::EngineRouter.draw do
-        get "/auth/shakha", to: "auth#new", as: :new_auth
-        get "/auth/shakha/authorize", to: "auth#authorize", as: :authorize
-        get "/auth/shakha/callback", to: "auth#callback", as: :callback
-        post "/auth/shakha/token", to: "auth#token", as: :token
-        get "/auth/shakha/error", to: "auth#error", as: :error
+    # Engine routes - these should be relative paths
+    routes do
+      root to: "auth#new"
 
-        get "/auth/shakha/session", to: "session#show", as: :session
-        post "/auth/shakha/session/check", to: "session#check", as: :check_session
-        delete "/auth/shakha/session", to: "session#destroy", as: :destroy_session
+      get "authorize" => "auth#authorize"
+      get "callback" => "auth#callback"
+      post "token" => "auth#token"
+      get "error" => "auth#error"
 
-        get "/.well-known/jwks.json", to: "jwks#show"
-        get "/.well-known/openid-configuration", to: "openid#configuration"
-      end
+      get "session" => "session#show"
+      post "session/check" => "session#check"
+      delete "session" => "session#destroy"
 
-      Shakha::EngineRouter.routes.each do |route|
-        case route[:type]
-        when :get
-          app.routes.append do
-            get route[:path], to: route[:to], as: route[:as]
-          end
-        when :post
-          app.routes.append do
-            post route[:path], to: route[:to], as: route[:as]
-          end
-        when :match
-          app.routes.append do
-            match route[:path], to: route[:to], as: route[:as], via: route[:via]
-          end
-        end
-      end
+      get ".well-known/jwks.json" => "jwks#show"
+      get ".well-known/openid-configuration" => "openid#configuration"
     end
   end
 end

data/lib/shakha/pkce.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
+require "json"
 require "active_support/concern"
 
 module Shakha
@@ -8,6 +9,8 @@ module Shakha
 
     CODE_VERIFIER_LENGTH = 64
     CODE_CHALLENGE_METHOD = "S256"
+    PKCE_COOKIE_NAME = "shakha_pkce"
+    PKCE_COOKIE_EXPIRY_SECONDS = 600
 
     class << self
       def generate_code_verifier
@@ -30,31 +33,56 @@ module Shakha
       verifier = PKCEMixin.generate_code_verifier
       challenge = PKCEMixin.generate_code_challenge(verifier)
       state = SecureRandom.urlsafe_base64(32)
+      return_to = params[:return_to] || "/"
 
-      session[:shakha_pkce] = {
+      pkce_record = {
         verifier: verifier,
-        state: state,
-        return_to: params[:return_to] || request.referer || "/"
+        return_to: return_to
+      }
+
+      cookies[PKCE_COOKIE_NAME] = {
+        value: pkce_record.merge(state: state).to_json,
+        httponly: true,
+        secure: Rails.env.production?,
+        same_site: :lax,
+        expires: Time.now.utc + PKCE_COOKIE_EXPIRY_SECONDS
       }
 
       { challenge: challenge, state: state }
     end
 
-    def verify_pkce!(code_verifier)
-      stored = session[:shakha_pkce]
+    def verify_pkce!(code_verifier, state_param)
+      pkce_json = cookies[PKCE_COOKIE_NAME]
+
+      raise PKCEError, "No PKCE session found" unless pkce_json
+
+      pkce_data = JSON.parse(pkce_json).with_indifferent_access
+
+      raise PKCEError, "No PKCE session found" unless pkce_data
 
-      raise PKCEError, "No PKCE session found" unless stored
-      raise PKCEError, "State mismatch" unless stored[:state] == params[:state]
+      stored_state = pkce_data[:state]
+      stored_verifier = pkce_data[:verifier]
+      stored_return_to = pkce_data[:return_to]
+
+      cookies.delete(PKCE_COOKIE_NAME)
+
+      raise PKCEError, "State mismatch" unless stored_state == state_param
 
       computed = PKCEMixin.generate_code_challenge(code_verifier)
-      raise PKCEError, "Invalid code verifier" unless computed == params[:code_challenge]
+      code_challenge = params[:code_challenge]
 
-      session.delete(:shakha_pkce)
-      stored[:verifier]
+      if code_challenge.present?
+        raise PKCEError, "Invalid code verifier" unless computed == code_challenge
+      end
+
+      { verifier: stored_verifier, return_to: stored_return_to }
     end
 
     def pkce_state
-      session[:shakha_pkce]
+      pkce_json = cookies[PKCE_COOKIE_NAME]
+      return nil unless pkce_json
+
+      JSON.parse(pkce_json).with_indifferent_access
     end
   end
 

data/lib/shakha/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Shakha
-  VERSION = "0.1.0"
+  VERSION = "0.1.1"
 end

data/lib/shakha.rb

@@ -2,6 +2,12 @@
 
 require "shakha/version"
 require "shakha/config"
+require "shakha/pairwise"
+require "shakha/jwt_handler"
+require "shakha/pkce"
+require "shakha/error_handler"
+require "shakha/controller_helpers"
+require "shakha/middleware"
 require "shakha/engine"
 
 module Shakha

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: shakha
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Asrat
@@ -27,14 +27,14 @@ dependencies:
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '7.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '7.1'
 description: |
@@ -58,12 +58,13 @@ files:
 - app/models/shakha/session.rb
 - app/models/shakha/user.rb
 - app/views/shakha/auth/callback.html.erb
+- app/views/shakha/auth/error.html.erb
 - app/views/shakha/auth/new.html.erb
 - app/views/shakha/errors/show.html.erb
 - app/views/shakha/layouts/shakha.html.erb
-- generators/shakha/install_generator.rb
-- generators/shakha/templates/initializer.rb.erb
-- generators/shakha/templates/migration.rb.erb
+- lib/generators/shakha/install_generator.rb
+- lib/generators/shakha/templates/initializer.rb.erb
+- lib/generators/shakha/templates/migration.rb.erb
 - lib/shakha.rb
 - lib/shakha/config.rb
 - lib/shakha/controller_helpers.rb