shakha 0.1.7 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 97e30df4b475b7c45fa0d75ef31ebe049760c19f6a65df602996b6aa2edd3ebe
-  data.tar.gz: 5e1b4b6cdc4897e74e289411fae040a9ba31e8aedb800460e776011ee4fbfac1
+  metadata.gz: 366829b83286435b8a3ff8a9b74cdfe319e072768efabbbfa0777d3ce7a9bb6b
+  data.tar.gz: 5aafc4d8d1db8bf6287c40ffea5dbb614903e288ddfeb35ae4d1c1e0b0ecff34
 SHA512:
-  metadata.gz: 1569eafa9f6f7054dd8457301815f6676cb29ba0b3658e5c00edb06896ed4cb700f4e6be3f2daaedc582519d9af12603fc08229170df1e162cd255f60b8bf3d4
-  data.tar.gz: 2e92274af426cb8eb2ba1ed6279a6ebc89cee3c67d4c3085ad623015df5e8d2ed0756a023a74cb396a133fd4bbcd6ea2ed8058ba94132d0439078293d9451c61
+  metadata.gz: 6a7982ee421c97e9f66eb5eceb29dddd2159806d37d37bb759e84c80686390f395703adfd8b881c7a0d5eafa3c5e2bc969844ad6375ce4a04572b5e4758b5f75
+  data.tar.gz: f41c800d89c409fbcea81ab122d7f9e59028777b15643ec006ff0b6e0cddb7adcc621c463cdc538b088e171f9f4eb460cf5197b48b361700a041373c5899b2f7

data/README.md

@@ -42,6 +42,8 @@ class CreateShakhaTables < ActiveRecord::Migration[7.1]
       t.references :client, null: false, foreign_key: { to_table: :shakha_clients }
       t.string :token, null: false
       t.string :jti, null: false
+      t.string :ip_address
+      t.string :user_agent
       t.timestamps
       t.index :token, unique: true
       t.index :jti, unique: true

data/app/controllers/shakha/auth_controller.rb

@@ -26,8 +26,8 @@ module Shakha
     end
 
     def callback
-      pkce_result = verify_pkce!(params[:code], params[:state])
-      exchange_code_for_tokens(params[:code], pkce_result[:verifier], pkce_result[:return_to])
+      pkce_result = verify_pkce!(params[:state])
+      exchange_code_for_tokens(params[:code], pkce_result[:verifier], pkce_result[:return_to], pkce_result[:nonce])
     rescue PKCEError, GoogleOAuthError => e
       ActiveSupport::Notifications.instrument("shakha.sign_in_failed", {
         reason: e.class.name,
@@ -65,14 +65,25 @@ module Shakha
       return "/" if raw.blank?
 
       uri = URI.parse(raw)
-      return "/" if uri.host.present? && ![app_origin_host, client_origin_host].include?(uri.host)
+      app_host = URI.parse(Shakha.config.app_origin).host
+
+      # Must have a path
       return "/" unless uri.path.present? && uri.path.start_with?("/")
 
-      uri.path
+      # If external host, must be in allowed origins
+      if uri.host.present? && uri.host != app_host && !allowed_origin?(uri.origin)
+        return "/"
+      end
+
+      raw
     rescue URI::InvalidURIError
       "/"
     end
 
+    def allowed_origin?(origin)
+      Shakha.config.allowed_redirect_origins&.include?(origin) || false
+    end
+
     def app_origin_host
       URI.parse(Shakha.config.app_origin).host
     end
@@ -125,6 +136,7 @@ module Shakha
         code_challenge: pkce[:challenge],
         code_challenge_method: "S256",
         state: pkce[:state],
+        nonce: pkce[:nonce],
         access_type: "offline",
         prompt: "consent"
       }
@@ -134,7 +146,7 @@ module Shakha
       end.to_s
     end
 
-    def exchange_code_for_tokens(code, verifier, return_to = "/")
+    def exchange_code_for_tokens(code, verifier, return_to = "/", expected_nonce = nil)
       client_id = Shakha.config.google_client_id || ENV["GOOGLE_CLIENT_ID"]
       client_secret = Shakha.config.google_client_secret || ENV["GOOGLE_CLIENT_SECRET"]
       base_url = Shakha.config.service_base_url || "http://localhost:3000"
@@ -161,6 +173,11 @@ module Shakha
       payload = decode_id_token(id_token)
       google_sub = payload["sub"]
 
+      # Verify nonce (OIDC replay protection)
+      if expected_nonce && payload["nonce"] != expected_nonce
+        raise GoogleOAuthError, "Nonce mismatch"
+      end
+
       client = find_or_create_client
       pairwise_sub = Shakha.derive_pairwise_sub(google_sub, client.client_id)
 
@@ -178,7 +195,6 @@ module Shakha
       session_record = Shakha::Session.create!(
         user: user,
         client: client,
-        jti: SecureRandom.uuid,
         ip_address: request.remote_ip,
         user_agent: request.user_agent
       )
@@ -227,12 +243,24 @@ module Shakha
       uri = URI.parse(url)
       http = Net::HTTP.new(uri.host, uri.port)
       http.use_ssl = uri.scheme == "https"
+      http.open_timeout = 5
+      http.read_timeout = 10
 
       request = Net::HTTP::Post.new(uri.request_uri)
       request["Content-Type"] = "application/x-www-form-urlencoded"
       request.body = URI.encode_www_form(body)
 
-      http.request(request)
+      response = http.request(request)
+
+      unless response.is_a?(Net::HTTPSuccess)
+        Rails.logger.error("[Shakha] Google API error: HTTP #{response.code} — #{response.body.truncate(500)}")
+        raise GoogleOAuthError, "Google returned HTTP #{response.code}"
+      end
+
+      response
+    rescue Net::OpenTimeout, Net::ReadTimeout, Errno::ECONNREFUSED, SocketError => e
+      Rails.logger.error("[Shakha] Network error contacting Google: #{e.message}")
+      raise GoogleOAuthError, "Unable to reach Google authentication service"
     end
   end
 end

data/lib/shakha/config.rb

@@ -12,7 +12,8 @@ module Shakha
                   :signing_key,
                   :verification_key,
                   :key_id,
-                  :rate_limiting_enabled
+                  :rate_limiting_enabled,
+                  :allowed_redirect_origins
 
     def initialize
       @session_lifetime = 30.days

data/lib/shakha/jwt_handler.rb

@@ -89,7 +89,7 @@ module Shakha
         return signing_key&.public_key if signing_key
 
         public_material = Shakha.config.verification_key
-        return nil unless public_material
+        return nil unless public_materiall
 
         if public_material.start_with?("-----BEGIN")
           OpenSSL::PKey::EC.new(public_material)

data/lib/shakha/pkce.rb

@@ -14,9 +14,7 @@ module Shakha
 
     class << self
       def generate_code_verifier
-        SecureRandom.urlsafe_base64(CODE_VERIFIER_LENGTH)
-          .tr("-_", "+/")
-          .slice(0, CODE_VERIFIER_LENGTH)
+        SecureRandom.urlsafe_base64(CODE_VERIFIER_LENGTH, padding: false)
       end
 
       def generate_code_challenge(verifier)
@@ -33,14 +31,16 @@ module Shakha
       verifier = PKCEMixin.generate_code_verifier
       challenge = PKCEMixin.generate_code_challenge(verifier)
       state = SecureRandom.urlsafe_base64(32)
+      nonce = SecureRandom.urlsafe_base64(32)
       return_to = params[:return_to] || "/"
 
       pkce_record = {
         verifier: verifier,
-        return_to: return_to
+        return_to: return_to,
+        nonce: nonce
       }
 
-      cookies[PKCE_COOKIE_NAME] = {
+      cookies.encrypted[PKCE_COOKIE_NAME] = {
         value: pkce_record.merge(state: state).to_json,
         httponly: true,
         secure: Rails.env.production?,
@@ -48,11 +48,11 @@ module Shakha
         expires: Time.now.utc + PKCE_COOKIE_EXPIRY_SECONDS
       }
 
-      { challenge: challenge, state: state }
+      { challenge: challenge, state: state, nonce: nonce }
     end
 
-    def verify_pkce!(code_verifier, state_param)
-      pkce_json = cookies[PKCE_COOKIE_NAME]
+    def verify_pkce!(state_param)
+      pkce_json = cookies.encrypted[PKCE_COOKIE_NAME]
 
       raise PKCEError, "No PKCE session found" unless pkce_json
 
@@ -63,23 +63,17 @@ module Shakha
       stored_state = pkce_data[:state]
       stored_verifier = pkce_data[:verifier]
       stored_return_to = pkce_data[:return_to]
+      stored_nonce = pkce_data[:nonce]
 
       cookies.delete(PKCE_COOKIE_NAME)
 
-      raise PKCEError, "State mismatch" unless stored_state == state_param
+      raise PKCEError, "State mismatch" unless ActiveSupport::SecurityUtils.secure_compare(stored_state.to_s, state_param.to_s)
 
-      computed = PKCEMixin.generate_code_challenge(code_verifier)
-      code_challenge = params[:code_challenge]
-
-      if code_challenge.present?
-        raise PKCEError, "Invalid code verifier" unless computed == code_challenge
-      end
-
-      { verifier: stored_verifier, return_to: stored_return_to }
+      { verifier: stored_verifier, return_to: stored_return_to, nonce: stored_nonce }
     end
 
     def pkce_state
-      pkce_json = cookies[PKCE_COOKIE_NAME]
+      pkce_json = cookies.encrypted[PKCE_COOKIE_NAME]
       return nil unless pkce_json
 
       JSON.parse(pkce_json).with_indifferent_access

data/lib/shakha/rate_limiter.rb

@@ -23,16 +23,10 @@ module Shakha
       return unless Shakha.config.rate_limiting_enabled
 
       cache_key = "shakha-rate:#{key}:#{request.remote_ip}"
+      count = Rails.cache.increment(cache_key, 1, expires_in: period.seconds)
 
-      count = Rails.cache.read(cache_key).to_i + 1
-
-      if count == 1
-        Rails.cache.write(cache_key, count, expires_in: period.seconds)
-      elsif count > max
+      if count > max
         render json: { error: "Too many requests. Try again later." }, status: :too_many_requests
-        return
-      else
-        Rails.cache.write(cache_key, count, expires_in: period.seconds)
       end
     end
   end

data/lib/shakha/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Shakha
-  VERSION = "0.1.7"
+  VERSION = "0.2.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: shakha
 version: !ruby/object:Gem::Version
-  version: 0.1.7
+  version: 0.2.0
 platform: ruby
 authors:
 - Asrat