shakha 0.1.3 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ff145da09437c51afcef947199c0225b2fb557a6e0559e1792e07d7af646250
-  data.tar.gz: d95b3e5a110d49b7defde447935240d27e0faf2a76e3874b4b05dba7f174336e
+  metadata.gz: 2b5eb8fae72d4a779316f8266fc29f1078bf5b31c11a5d90ae922f46d3e37928
+  data.tar.gz: 95bc2e261d8a08c818ad75b4beefc8e5a4fa97802ef5cf28afdfbe7a895cdcc1
 SHA512:
-  metadata.gz: f61b03a6afdb461afde6274f2892b54f1f7979369023a1421b5037f99b333351c5c7bca5194c7f76db22d9f516594c4c737d96f501f82b8663c2ad5fafa472d1
-  data.tar.gz: 344441bf4fcfc2dc8061bb25fab5dfbe64485919405658cbbd16c376ffcdddc685682e0256d7e2fe2401c29e22a8122a157439e111748ccb8d6e0b8c266dc9a4
+  metadata.gz: 0ee17e65c726cb0564e720fb73648b74567fcfb1edae5befbd14a16942ca877d5c007cfc8b622fed8c949211de3bf5b792fdff1190482bfdd414351b451e6204
+  data.tar.gz: 2205e02b9c9ebde26def46da665011571a5071a50bd79eaf6bb2d7075aed353d2d3b52eff1d6986113bf612ce2a6e2244e200e53b4aadf2b4c7fba8020ed354b

data/app/controllers/shakha/application_controller.rb

@@ -4,6 +4,8 @@ module Shakha
   class ApplicationController < ActionController::Base
     include ErrorHandler
     include ControllerHelpers
+    include RateLimiter
+    include Auditable
 
     protect_from_forgery with: :exception
 

data/app/controllers/shakha/auth_controller.rb

@@ -28,6 +28,10 @@ module Shakha
       pkce_result = verify_pkce!(params[:code], params[:state])
       exchange_code_for_tokens(params[:code], pkce_result[:verifier], pkce_result[:return_to])
     rescue PKCEError, GoogleOAuthError => e
+      ActiveSupport::Notifications.instrument("shakha.sign_in_failed", {
+        reason: e.class.name,
+        ip: request.remote_ip
+      })
       Rails.logger.warn("[Shakha] Auth error: #{e.class}: #{e.message}")
       redirect_to "/auth/shakha/error?message=#{URI.encode_www_form_component(user_facing_error(e))}"
     end

data/app/controllers/shakha/session_controller.rb

@@ -4,6 +4,25 @@ module Shakha
   class SessionController < ApplicationController
     skip_before_action :verify_authenticity_token, only: [:check]
 
+    def index
+      return render json: { error: "Authentication required" }, status: :unauthorized unless signed_in?
+
+      sessions = current_user.sessions.active.order(created_at: :desc)
+
+      render json: {
+        current_token: current_session.token,
+        sessions: sessions.map { |s|
+          {
+            id: s.id,
+            token: s.token,
+            created_at: s.created_at.iso8601,
+            expires_at: s.expires_at.iso8601,
+            current: s.token == current_session.token
+          }
+        }
+      }
+    end
+
     def show
       render json: {
         user_id: current_user&.pairwise_sub,
@@ -33,5 +52,22 @@ module Shakha
         format.json { render json: { status: "signed_out" } }
       end
     end
+
+    def revoke
+      return render json: { error: "Authentication required" }, status: :unauthorized unless signed_in?
+
+      session = current_user.sessions.find(params[:id])
+      session.destroy
+
+      cookies.delete(:shakha_session_token) if session.token == current_session&.token
+
+      ActiveSupport::Notifications.instrument("shakha.session_revoked", {
+        session_id: session.id,
+        user_id: current_user.id,
+        ip: request.remote_ip
+      })
+
+      render json: { status: "revoked" }
+    end
   end
 end

data/lib/shakha/auditable.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module Shakha
+  module Auditable
+    extend ActiveSupport::Concern
+
+    included do
+      after_action :log_sign_in, only: [:callback]
+      after_action :log_sign_out, only: [:destroy]
+      after_action :log_token_exchange, only: [:token]
+    end
+
+    private
+
+    def log_sign_in
+      return unless response.successful? && @current_user
+
+      ActiveSupport::Notifications.instrument("shakha.sign_in", {
+        user_id: @current_user&.id,
+        pairwise_sub: @current_user&.pairwise_sub,
+        client_id: @current_client&.id,
+        ip: request.remote_ip,
+        user_agent: request.user_agent
+      })
+    end
+
+    def log_sign_out
+      return unless action_name == "destroy"
+
+      ActiveSupport::Notifications.instrument("shakha.sign_out", {
+        session_id: @current_session&.id,
+        user_id: @current_session&.user_id,
+        ip: request.remote_ip
+      })
+    end
+
+    def log_token_exchange
+      return unless action_name == "token"
+
+      ActiveSupport::Notifications.instrument("shakha.token_exchange", {
+        ip: request.remote_ip,
+        user_agent: request.user_agent,
+        success: response.successful?
+      })
+    end
+  end
+end

data/lib/shakha/config.rb

@@ -11,11 +11,13 @@ module Shakha
                   :session_lifetime,
                   :signing_key,
                   :verification_key,
-                  :key_id
+                  :key_id,
+                  :rate_limiting_enabled
 
     def initialize
       @session_lifetime = 30.days
       @issuer = "https://shakha.dev"
+      @rate_limiting_enabled = false
     end
 
     def embedded?

data/lib/shakha/engine.rb

@@ -20,8 +20,10 @@ module Shakha
       get "error" => "auth#error"
 
       get "session" => "session#show"
+      get "sessions" => "session#index"
       post "session/check" => "session#check"
       delete "session" => "session#destroy"
+      delete "sessions/:id" => "session#revoke"
 
       get ".well-known/jwks.json" => "jwks#show"
       get ".well-known/openid-configuration" => "openid#configuration"

data/lib/shakha/rate_limiter.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Shakha
+  module RateLimiter
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :check_rate_limit_authorize, only: [:authorize]
+      before_action :check_rate_limit_token, only: [:token]
+    end
+
+    private
+
+    def check_rate_limit_authorize
+      check_rate_limit("authorize", max: 20, period: 1.minute)
+    end
+
+    def check_rate_limit_token
+      check_rate_limit("token", max: 10, period: 1.minute)
+    end
+
+    def check_rate_limit(key, max:, period:)
+      return unless Shakha.config.rate_limiting_enabled?
+
+      cache_key = "shakha-rate:#{key}:#{request.remote_ip}"
+
+      count = Rails.cache.read(cache_key).to_i + 1
+
+      if count == 1
+        Rails.cache.write(cache_key, count, expires_in: period.seconds)
+      elsif count > max
+        render json: { error: "Too many requests. Try again later." }, status: :too_many_requests
+        return
+      else
+        Rails.cache.write(cache_key, count, expires_in: period.seconds)
+      end
+    end
+  end
+end

data/lib/shakha/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Shakha
-  VERSION = "0.1.3"
+  VERSION = "0.1.4"
 end

data/lib/shakha.rb

@@ -6,6 +6,8 @@ require "shakha/config_validator"
 require "shakha/pairwise"
 require "shakha/jwt_handler"
 require "shakha/pkce"
+require "shakha/rate_limiter"
+require "shakha/auditable"
 require "shakha/error_handler"
 require "shakha/controller_helpers"
 require "shakha/middleware"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: shakha
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.4
 platform: ruby
 authors:
 - Asrat
@@ -96,6 +96,7 @@ files:
 - lib/generators/shakha/templates/initializer.rb.erb
 - lib/generators/shakha/templates/migration.rb.erb
 - lib/shakha.rb
+- lib/shakha/auditable.rb
 - lib/shakha/config.rb
 - lib/shakha/config_validator.rb
 - lib/shakha/controller_helpers.rb
@@ -105,6 +106,7 @@ files:
 - lib/shakha/middleware.rb
 - lib/shakha/pairwise.rb
 - lib/shakha/pkce.rb
+- lib/shakha/rate_limiter.rb
 - lib/shakha/version.rb
 homepage: https://shakha.dev
 licenses: