shakha 0.1.0

data/app/views/shakha/errors/show.html.erb

@@ -0,0 +1,18 @@
+<% content_for :title, "Authentication Error" %>
+
+<div class="shakha-container">
+  <div class="shakha-card shakha-card-error">
+    <div class="shakha-error-icon">
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
+        <circle cx="12" cy="12" r="10"/>
+        <line x1="12" y1="8" x2="12" y2="12"/>
+        <line x1="12" y1="16" x2="12.01" y2="16"/>
+      </svg>
+    </div>
+
+    <h1>Authentication Failed</h1>
+    <p class="shakha-error-message"><%= @message %></p>
+
+    <%= link_to "Try Again", shakha.new_auth_path, class: "shakha-button shakha-button-primary" %>
+  </div>
+</div>

data/app/views/shakha/layouts/shakha.html.erb

@@ -0,0 +1,12 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title><%= yield :title %></title>
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <%= stylesheet_link_tag "shakha", "data-turbo-track": "reload" %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+  <%= yield %>
+</body>
+</html>

data/generators/shakha/install_generator.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+# This generator creates a migration for the Shakha tables
+
+require "rails/generators/active_record/migration"
+require "rails/generators/active_record/migration/migration_generator"
+
+module Shakha
+  class InstallGenerator < Rails::Generators::Base
+    source_root File.expand_path("templates", __dir__)
+
+    class_option :skip_migration, type: :boolean, default: false, desc: "Skip migration generation"
+
+    def copy_initializer
+      template "initializer.rb.erb", "config/initializers/shakha.rb"
+    end
+
+    def create_migration
+      return if options[:skip_migration]
+
+      migration_template(
+        "migration.rb.erb",
+        "db/migrate/create_shakha_tables.rb",
+        migration_version: migration_version
+      )
+    end
+
+    def add_routes
+      route 'mount Shakha::Engine => "/auth/shakha", as: :shakha'
+    end
+
+    private
+
+    def migration_version
+      ">= 7.1" ? "[7.1]" : ""
+    end
+  end
+end

data/generators/shakha/templates/initializer.rb.erb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+# Shakha Auth Configuration
+#
+# Set these environment variables:
+#   SHAKHA_SERVICE_SECRET - Secret key for pairwise subject derivation (HMAC-SHA256)
+#   GOOGLE_CLIENT_ID      - Google OAuth client ID
+#   GOOGLE_CLIENT_SECRET  - Google OAuth client secret
+#   SHAKHA_APP_ORIGIN     - Your application's origin (e.g., http://localhost:3000)
+#   SHAKHA_SERVICE_URL    - Optional: URL of standalone Shakha service (omit for embedded mode)
+#
+# For ES256 JWT signing, set either:
+#   SHAKHA_SIGNING_KEY     - EC P-256 private key in PEM or base64 format
+#   SHAKHA_KEY_ID         - Key ID for JWKS (optional, defaults to "default")
+
+Shakha.setup do |config|
+  config.app_origin = ENV.fetch("SHAKHA_APP_ORIGIN", "http://localhost:3000")
+  config.service_url = ENV["SHAKHA_SERVICE_URL"]
+  config.service_secret = ENV["SHAKHA_SERVICE_SECRET"]
+  config.google_client_id = ENV["GOOGLE_CLIENT_ID"]
+  config.google_client_secret = ENV["GOOGLE_CLIENT_SECRET"]
+  config.issuer = ENV.fetch("SHAKHA_ISSUER", "https://shakha.dev")
+  config.session_lifetime = ENV.fetch("SHAKHA_SESSION_LIFETIME", "30.days")
+
+  # JWT signing keys (required for service mode)
+  config.signing_key = ENV["SHAKHA_SIGNING_KEY"]
+  config.verification_key = ENV["SHAKHA_VERIFICATION_KEY"]
+  config.key_id = ENV["SHAKHA_KEY_ID"] || "default"
+end

data/generators/shakha/templates/migration.rb.erb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+class CreateShakhaTables < ActiveRecord::Migration[7.1]
+  def change
+    create_table :shakha_clients, id: :uuid do |t|
+      t.string :name, null: false
+      t.string :origin, null: false
+      t.string :client_id
+      t.json :metadata, default: {}
+
+      t.timestamps
+    end
+
+    add_index :shakha_clients, :origin, unique: true
+    add_index :shakha_clients, :client_id, unique: true
+
+    create_table :shakha_users, id: :uuid do |t|
+      t.string :pairwise_sub, null: false
+      t.string :email
+      t.string :name
+      t.string :picture
+      t.references :client, type: :uuid, null: false
+
+      t.timestamps
+    end
+
+    add_index :shakha_users, :pairwise_sub, unique: true
+    add_index :shakha_users, :email
+
+    create_table :shakha_sessions, id: :uuid do |t|
+      t.string :token, null: false
+      t.string :jti, null: false
+      t.references :user, type: :uuid, null: false
+      t.references :client, type: :uuid, null: false
+      t.string :ip_address
+      t.string :user_agent
+
+      t.timestamps
+    end
+
+    add_index :shakha_sessions, :token, unique: true
+    add_index :shakha_sessions, :jti, unique: true
+    add_index :shakha_sessions, :created_at
+  end
+end

data/lib/shakha/config.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Shakha
+  class Config
+    attr_accessor :app_origin,
+                  :service_url,
+                  :service_secret,
+                  :google_client_id,
+                  :google_client_secret,
+                  :issuer,
+                  :session_lifetime
+
+    def initialize
+      @session_lifetime = 30.days
+      @issuer = "https://shakha.dev"
+    end
+
+    def embedded?
+      service_url.blank?
+    end
+
+    def service_base_url
+      return app_origin if embedded?
+
+      service_url.chomp("/")
+    end
+
+    def client_id
+      return @client_id if defined?(@client_id)
+
+      origin = URI.parse(app_origin).origin
+      @client_id = "origin:#{origin}"
+    end
+
+    def audience
+      client_id
+    end
+  end
+end

data/lib/shakha/controller_helpers.rb

@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Shakha
+  module ControllerHelpers
+    extend ActiveSupport::Concern
+
+    included do
+      helper_method :current_session, :current_user, :signed_in?
+    end
+
+    private
+
+    def current_session
+      return @current_session if defined?(@current_session)
+
+      @current_session = find_session || authenticate_from_bearer || authenticate_from_cookie
+    end
+
+    def current_user
+      current_session&.user
+    end
+
+    def signed_in?
+      current_session.present?
+    end
+
+    def authenticate!
+      return if signed_in?
+
+      redirect_to shakha.new_auth_path(return_to: request.fullpath)
+    end
+
+    def authenticate_from_bearer
+      return unless (token = bearer_token)
+
+      payload = Shakha.verify_token(token)
+      find_session_by_jti(payload["jti"])
+    end
+
+    def authenticate_from_cookie
+      find_session_by_token(session_token)
+    end
+
+    def bearer_token
+      pattern = /^Bearer /
+      header = request.headers["Authorization"]
+      return unless header&.match?(pattern)
+
+      header.gsub(pattern, "")
+    end
+
+    def session_token
+      request.cookie_jar.encrypted[:shakha_session_token]
+    end
+
+    def find_session
+      return unless (token = session_token)
+
+      Shakha::Session.active.find_by(token: token)
+    end
+
+    def find_session_by_jti(jti)
+      return unless jti
+
+      Shakha::Session.active.find_by(jti: jti)
+    end
+  end
+end

data/lib/shakha/engine.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require "ostruct"
+
+module Shakha
+  class Engine < ::Rails::Engine
+    isolate_namespace Shakha
+
+    config.app_middleware.use Shakha::Middleware
+
+    config.after_initialize do
+      if Shakha.config.app_origin.blank?
+        raise ConfigurationError, "Shakha.app_origin must be set"
+      end
+    end
+
+    class EngineRouter
+      def self.draw
+        Drawer.new
+      end
+
+      class Drawer
+        def initialize
+          @routes = []
+        end
+
+        def resources(*args, &block)
+          resource_options = args.last.is_a?(Hash) ? args.pop : {}
+          resource_name = args.first
+
+          @routes << { type: :resources, name: resource_name, options: resource_options, block: block }
+        end
+
+        def resource(*args, &block)
+          resource_options = args.last.is_a?(Hash) ? args.pop : {}
+          resource_name = args.first
+
+          @routes << { type: :resource, name: resource_name, options: resource_options, block: block }
+        end
+
+        def get(path, to:, as: nil)
+          @routes << { type: :get, path: path, to: to, as: as }
+        end
+
+        def post(path, to:, as: nil)
+          @routes << { type: :post, path: path, to: to, as: as }
+        end
+
+        def match(path, to:, via:, as: nil)
+          @routes << { type: :match, path: path, to: to, via: via, as: as }
+        end
+
+        def routes
+          @routes
+        end
+      end
+    end
+
+    initializer "shakha.routes" do |app|
+      Shakha::EngineRouter.draw do
+        get "/auth/shakha", to: "auth#new", as: :new_auth
+        get "/auth/shakha/authorize", to: "auth#authorize", as: :authorize
+        get "/auth/shakha/callback", to: "auth#callback", as: :callback
+        post "/auth/shakha/token", to: "auth#token", as: :token
+        get "/auth/shakha/error", to: "auth#error", as: :error
+
+        get "/auth/shakha/session", to: "session#show", as: :session
+        post "/auth/shakha/session/check", to: "session#check", as: :check_session
+        delete "/auth/shakha/session", to: "session#destroy", as: :destroy_session
+
+        get "/.well-known/jwks.json", to: "jwks#show"
+        get "/.well-known/openid-configuration", to: "openid#configuration"
+      end
+
+      Shakha::EngineRouter.routes.each do |route|
+        case route[:type]
+        when :get
+          app.routes.append do
+            get route[:path], to: route[:to], as: route[:as]
+          end
+        when :post
+          app.routes.append do
+            post route[:path], to: route[:to], as: route[:as]
+          end
+        when :match
+          app.routes.append do
+            match route[:path], to: route[:to], as: route[:as], via: route[:via]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/shakha/error_handler.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Shakha
+  module ErrorHandler
+    extend ActiveSupport::Concern
+
+    included do
+      rescue_from ActiveRecord::RecordNotFound, with: :not_found
+      rescue_from Shakha::JWTError, with: :unauthorized
+      rescue_from Shakha::PKCEError, with: :bad_request
+      rescue_from Shakha::GoogleOAuthError, with: :bad_gateway
+    end
+
+    private
+
+    def not_found(exception)
+      render json: { error: exception.message }, status: :not_found
+    end
+
+    def unauthorized(exception)
+      render json: { error: "Unauthorized" }, status: :unauthorized
+    end
+
+    def bad_request(exception)
+      render json: { error: exception.message }, status: :bad_request
+    end
+
+    def bad_gateway(exception)
+      render json: { error: exception.message }, status: :bad_gateway
+    end
+  end
+end

data/lib/shakha/jwt_handler.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+
+require "jwt"
+
+module Shakha
+  class ConfigurationError < StandardError; end
+  class JWTError < StandardError; end
+
+  class JwtHandler
+    ALGORITHM = "ES256"
+
+    class << self
+      def encode(payload, exp: 24.hours.from_now)
+        secret = signing_key || raise(ConfigurationError, "RSA/EC private key required for signing")
+
+        header = {
+          alg: ALGORITHM,
+          typ: "JWT",
+          kid: key_id
+        }
+
+        payload = payload.with_indifferent_access.merge(
+          iss: Shakha.config.issuer,
+          aud: Shakha.config.audience,
+          iat: Time.current.to_i,
+          exp: exp.to_i,
+          jti: SecureRandom.uuid
+        )
+
+        JWT.encode(payload, secret, ALGORITHM, header)
+      end
+
+      def verify(token, audience: nil)
+        public_key = verification_key || raise(ConfigurationError, "RSA/EC public key required for verification")
+
+        decoded = JWT.decode(
+          token,
+          public_key,
+          true,
+          {
+            algorithm: ALGORITHM,
+            iss: Shakha.config.issuer,
+            aud: audience || Shakha.config.audience,
+            verify_iss: true,
+            verify_aud: true,
+            verify_expiration: true
+          }
+        )
+
+        decoded[0].with_indifferent_access
+      rescue JWT::DecodeError => e
+        raise JWTError, e.message
+      end
+
+      def jwks
+        {
+          keys: [
+            {
+              kty: "EC",
+              crv: "P-256",
+              x: Base64.urlsafe_encode64(public_key_point&.x || public_key_raw_point[0..31], padding: false),
+              y: Base64.urlsafe_encode64(public_key_point&.y || public_key_raw_point[32..63], padding: false),
+              use: "sig",
+              alg: ALGORITHM,
+              kid: key_id
+            }
+          ]
+        }.to_json
+      end
+
+      private
+
+      def signing_key
+        return @signing_key if defined?(@signing_key)
+
+        key_material = Shakha.config.signing_key
+        return @signing_key = nil unless key_material
+
+        if key_material.is_a?(OpenSSL::PKey::EC)
+          @signing_key = key_material
+        elsif key_material.start_with?("-----BEGIN")
+          @signing_key = OpenSSL::PKey::EC.new(key_material)
+        else
+          @signing_key = OpenSSL::PKey::EC.new(Base64.decode64(key_material))
+        end
+      end
+
+      def verification_key
+        return signing_key&.public_key if signing_key
+
+        public_material = Shakha.config.verification_key
+        return nil unless public_material
+
+        if public_material.start_with?("-----BEGIN")
+          OpenSSL::PKey::EC.new(public_material)
+        else
+          OpenSSL::PKey::EC.new(Base64.decode64(public_material))
+        end
+      end
+
+      def public_key_point
+        @public_key_point ||= begin
+          key = verification_key || signing_key&.public_key
+          return nil unless key
+
+          group = key.group
+          point = key.public_key
+          { x: point.x, y: point.y }
+        end
+      end
+
+      def public_key_raw_point
+        @public_key_raw_point ||= begin
+          key = verification_key || signing_key&.public_key
+          return nil unless key
+
+          point = key.public_key
+          [point.x, point.y].map { |n| n.to_s(16).rjust(64, "0") }.join.scan(/../).map { |b| b.to_i(16).chr }.join
+        end
+      end
+
+      def key_id
+        Shakha.config.key_id || "default"
+      end
+    end
+  end
+end

data/lib/shakha/middleware.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Shakha
+  class Middleware
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      @env = env
+      @request = ActionDispatch::Request.new(env)
+
+      if verify_token_request?
+        verify_token!
+      else
+        @app.call(env)
+      end
+    end
+
+    private
+
+    attr_reader :request
+
+    def verify_token_request?
+      request.path == "/auth/shakha/token" && request.post?
+    end
+
+    def verify_token!
+      token = extract_token || raise(JWTError, "Missing token")
+      payload = Shakha.verify_token(token)
+
+      @env["shakha.user_id"] = payload[:pairwise_sub]
+      @env["shakha.email"] = payload[:email]
+      @env["shakha.name"] = payload[:name]
+
+      @app.call(@env)
+    rescue JWTError => e
+      [401, { "Content-Type" => "application/json" }, [{ error: e.message }.to_json]]
+    end
+
+    def extract_token
+      if request.content_type == "application/json"
+        JSON.parse(request.body.read)["id_token"]
+      elsif request.params["id_token"].present?
+        request.params["id_token"]
+      end
+    end
+  end
+end

data/lib/shakha/pairwise.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require "base64"
+require "openssl"
+require "jwt"
+
+module Shakha
+  module Pairwise
+    HMAC_DIGEST = OpenSSL::Digest::SHA256.new
+
+    class << self
+      def derive(google_sub, client_id)
+        secret = secret_key
+        input = "#{google_sub}:#{client_id}"
+        digest = OpenSSL::HMAC.hexdigest(HMAC_DIGEST, secret, input)
+        "ps_#{digest}"
+      end
+
+      private
+
+      def secret_key
+        Shakha.config.service_secret || raise(Shakha::ConfigurationError, "SHAKHA_SECRET not set")
+      end
+    end
+  end
+end

data/lib/shakha/pkce.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "active_support/concern"
+
+module Shakha
+  module PKCEMixin
+    extend ActiveSupport::Concern
+
+    CODE_VERIFIER_LENGTH = 64
+    CODE_CHALLENGE_METHOD = "S256"
+
+    class << self
+      def generate_code_verifier
+        SecureRandom.urlsafe_base64(CODE_VERIFIER_LENGTH)
+          .tr("-_", "+/")
+          .slice(0, CODE_VERIFIER_LENGTH)
+      end
+
+      def generate_code_challenge(verifier)
+        Base64.urlsafe_encode64(
+          OpenSSL::Digest::SHA256.digest(verifier),
+          padding: false
+        )
+      end
+    end
+
+    private
+
+    def create_pkce_bundle
+      verifier = PKCEMixin.generate_code_verifier
+      challenge = PKCEMixin.generate_code_challenge(verifier)
+      state = SecureRandom.urlsafe_base64(32)
+
+      session[:shakha_pkce] = {
+        verifier: verifier,
+        state: state,
+        return_to: params[:return_to] || request.referer || "/"
+      }
+
+      { challenge: challenge, state: state }
+    end
+
+    def verify_pkce!(code_verifier)
+      stored = session[:shakha_pkce]
+
+      raise PKCEError, "No PKCE session found" unless stored
+      raise PKCEError, "State mismatch" unless stored[:state] == params[:state]
+
+      computed = PKCEMixin.generate_code_challenge(code_verifier)
+      raise PKCEError, "Invalid code verifier" unless computed == params[:code_challenge]
+
+      session.delete(:shakha_pkce)
+      stored[:verifier]
+    end
+
+    def pkce_state
+      session[:shakha_pkce]
+    end
+  end
+
+  class PKCEError < StandardError; end
+  class GoogleOAuthError < StandardError; end
+end

data/lib/shakha/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Shakha
+  VERSION = "0.1.0"
+end