shakha 0.2.0 → 0.3.0

data/lib/shakha/controller_helpers.rb

@@ -7,15 +7,14 @@ module Shakha
     extend ActiveSupport::Concern
 
     included do
-      helper_method :current_session, :current_user, :signed_in?
+      helper_method :current_user, :current_session, :signed_in?
     end
 
     private
 
     def current_session
       return @current_session if defined?(@current_session)
-
-      @current_session = find_session || authenticate_from_bearer || authenticate_from_cookie
+      @current_session = find_session_from_cookie || find_session_from_bearer
     end
 
     def current_user
@@ -29,42 +28,24 @@ module Shakha
     def authenticate!
       return if signed_in?
 
-      redirect_to shakha.new_auth_path(return_to: request.fullpath)
-    end
-
-    def authenticate_from_bearer
-      return unless (token = bearer_token)
-
-      payload = Shakha.verify_token(token)
-      find_session_by_jti(payload["jti"])
+      respond_to do |format|
+        format.html { redirect_to shakha.new_auth_path(return_to: request.fullpath) }
+        format.json { render json: { error: "Authentication required" }, status: :unauthorized }
+      end
     end
 
-    def authenticate_from_cookie
-      find_session_by_token(session_token)
+    def find_session_from_cookie
+      token = cookies.encrypted[:shakha_session_token]
+      return unless token
+      Shakha::Session.active.find_by(token: token)
     end
 
-    def bearer_token
-      pattern = /^Bearer /
+    def find_session_from_bearer
       header = request.headers["Authorization"]
-      return unless header&.match?(pattern)
-
-      header.gsub(pattern, "")
-    end
-
-    def session_token
-      request.cookie_jar.encrypted[:shakha_session_token]
-    end
-
-    def find_session
-      return unless (token = session_token)
+      return unless header&.start_with?("Bearer ")
 
+      token = header.delete_prefix("Bearer ")
       Shakha::Session.active.find_by(token: token)
     end
-
-    def find_session_by_jti(jti)
-      return unless jti
-
-      Shakha::Session.active.find_by(jti: jti)
-    end
   end
-end
+end

data/lib/shakha/engine.rb

@@ -4,30 +4,20 @@ module Shakha
   class Engine < ::Rails::Engine
     isolate_namespace Shakha
 
-    config.app_middleware.use Shakha::Middleware
-
     config.after_initialize do
       Shakha::ConfigValidator.validate!(Shakha.config)
     end
 
-    # Engine routes - these should be relative paths
     routes do
       root to: "auth#new"
 
-      get "authorize" => "auth#authorize"
-      get "callback" => "auth#callback"
-      post "token" => "auth#token"
-      get "error" => "auth#error"
-
-      get "session" => "session#show"
-      get "sessions" => "session#index"
-      get "sessions/view" => "session#list"
-      post "session/check" => "session#check"
-      delete "session" => "session#destroy"
-      delete "sessions/:id" => "session#revoke"
+      get  ":provider/authorize" => "auth#authorize"
+      get  ":provider/callback"  => "auth#callback"
+      delete "sign_out"           => "auth#destroy"
+      get  "error"                => "auth#error"
 
-      get ".well-known/jwks.json" => "jwks#show"
-      get ".well-known/openid-configuration" => "openid#configuration"
+      get  "session"        => "session#show"
+      get  "session/check"  => "session#check"
     end
   end
 end

data/lib/shakha/error_handler.rb

@@ -8,9 +8,8 @@ module Shakha
 
     included do
       rescue_from ActiveRecord::RecordNotFound, with: :not_found
-      rescue_from Shakha::JWTError, with: :unauthorized
       rescue_from Shakha::PKCEError, with: :bad_request
-      rescue_from Shakha::GoogleOAuthError, with: :bad_gateway
+      rescue_from Shakha::OAuthError, with: :bad_gateway
     end
 
     private
@@ -28,7 +27,7 @@ module Shakha
     end
 
     def bad_gateway(exception)
-      Rails.logger.error("[Shakha] Google OAuth error: #{exception.message}")
+      Rails.logger.error("[Shakha] OAuth error: #{exception.message}")
       render json: { error: "Authentication service unavailable" }, status: :bad_gateway
     end
   end

data/lib/shakha/providers/base.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Shakha
+  module Providers
+    class Base
+      def authorize_url(state:, code_challenge:, redirect_uri:)
+        raise NotImplementedError
+      end
+
+      def exchange_code(code:, code_verifier:, redirect_uri:)
+        raise NotImplementedError
+      end
+
+      def identity_from_response(token_response)
+        raise NotImplementedError
+      end
+
+      def provider_name
+        raise NotImplementedError
+      end
+
+      def scopes
+        []
+      end
+    end
+  end
+end

data/lib/shakha/providers/github.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+require "net/http"
+require "uri"
+
+module Shakha
+  module Providers
+    class GitHub < Base
+      AUTHORIZE_URL = "https://github.com/login/oauth/authorize"
+      TOKEN_URL = "https://github.com/login/oauth/access_token"
+      USER_API_URL = "https://api.github.com/user"
+
+      def provider_name
+        :github
+      end
+
+      def authorize_url(state:, code_challenge:, redirect_uri:)
+        params = {
+          client_id: Shakha.config.github_client_id,
+          redirect_uri: redirect_uri,
+          scope: scopes.join(" "),
+          state: state
+        }
+
+        "#{AUTHORIZE_URL}?#{URI.encode_www_form(params)}"
+      end
+
+      def exchange_code(code:, code_verifier:, redirect_uri:)
+        response = http_post(TOKEN_URL, {
+          code: code,
+          client_id: Shakha.config.github_client_id,
+          client_secret: Shakha.config.github_client_secret,
+          redirect_uri: redirect_uri
+        }, accept: :json)
+
+        JSON.parse(response.body)
+      end
+
+      def identity_from_response(token_response)
+        access_token = token_response["access_token"]
+        raise OAuthError, "No access_token received" unless access_token
+
+        user_data = fetch_user(access_token)
+
+        {
+          provider: :github,
+          uid: user_data["id"].to_s,
+          email: user_data["email"],
+          name: user_data["name"] || user_data["login"],
+          picture: user_data["avatar_url"]
+        }
+      end
+
+      def scopes
+        %w[user:email]
+      end
+
+      private
+
+      def fetch_user(access_token)
+        uri = URI.parse(USER_API_URL)
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true
+        http.open_timeout = 5
+        http.read_timeout = 10
+
+        request = Net::HTTP::Get.new(uri.request_uri)
+        request["Authorization"] = "Bearer #{access_token}"
+        request["Accept"] = "application/json"
+
+        response = http.request(request)
+        JSON.parse(response.body)
+      end
+
+      def http_post(url, body, accept: :json)
+        uri = URI.parse(url)
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true
+        http.open_timeout = 5
+        http.read_timeout = 10
+
+        request = Net::HTTP::Post.new(uri.request_uri)
+        request["Accept"] = "application/json" if accept == :json
+        request["Content-Type"] = "application/x-www-form-urlencoded"
+        request.body = URI.encode_www_form(body)
+
+        response = http.request(request)
+
+        unless response.is_a?(Net::HTTPSuccess)
+          raise OAuthError, "GitHub returned HTTP #{response.code}"
+        end
+
+        response
+      rescue Net::OpenTimeout, Net::ReadTimeout, Errno::ECONNREFUSED, SocketError => e
+        raise OAuthError, "Unable to reach GitHub: #{e.message}"
+      end
+    end
+  end
+end

data/lib/shakha/providers/google.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+require "net/http"
+require "uri"
+
+module Shakha
+  module Providers
+    class Google < Base
+      AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/v2/auth"
+      TOKEN_URL = "https://oauth2.googleapis.com/token"
+
+      def provider_name
+        :google
+      end
+
+      def authorize_url(state:, code_challenge:, redirect_uri:)
+        params = {
+          client_id: Shakha.config.google_client_id,
+          redirect_uri: redirect_uri,
+          response_type: "code",
+          scope: scopes.join(" "),
+          code_challenge: code_challenge,
+          code_challenge_method: "S256",
+          state: state,
+          access_type: "offline",
+          prompt: "consent",
+          nonce: SecureRandom.urlsafe_base64(32)
+        }
+
+        "#{AUTHORIZE_URL}?#{URI.encode_www_form(params)}"
+      end
+
+      def exchange_code(code:, code_verifier:, redirect_uri:)
+        response = http_post(TOKEN_URL, {
+          code: code,
+          client_id: Shakha.config.google_client_id,
+          client_secret: Shakha.config.google_client_secret,
+          redirect_uri: redirect_uri,
+          grant_type: "authorization_code",
+          code_verifier: code_verifier
+        })
+
+        JSON.parse(response.body)
+      end
+
+      def identity_from_response(token_response)
+        id_token = token_response["id_token"]
+        raise OAuthError, "No id_token received" unless id_token
+
+        payload = JWT.decode(id_token, nil, false)[0]
+
+        {
+          provider: :google,
+          uid: payload["sub"],
+          email: payload["email"],
+          name: payload["name"],
+          picture: payload["picture"]
+        }
+      end
+
+      def scopes
+        %w[openid email profile]
+      end
+
+      private
+
+      def http_post(url, body)
+        uri = URI.parse(url)
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true
+        http.open_timeout = 5
+        http.read_timeout = 10
+
+        request = Net::HTTP::Post.new(uri.request_uri)
+        request["Content-Type"] = "application/x-www-form-urlencoded"
+        request.body = URI.encode_www_form(body)
+
+        response = http.request(request)
+
+        unless response.is_a?(Net::HTTPSuccess)
+          raise OAuthError, "Google returned HTTP #{response.code}"
+        end
+
+        response
+      rescue Net::OpenTimeout, Net::ReadTimeout, Errno::ECONNREFUSED, SocketError => e
+        raise OAuthError, "Unable to reach Google: #{e.message}"
+      end
+    end
+  end
+end

data/lib/shakha/providers.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require "shakha/providers/base"
+require "shakha/providers/google"
+require "shakha/providers/github"
+
+module Shakha
+  module Providers
+    PROVIDER_MAP = {
+      google: "Shakha::Providers::Google",
+      github: "Shakha::Providers::GitHub"
+    }.freeze
+
+    def self.resolve(name)
+      class_name = PROVIDER_MAP[name.to_sym] || raise(ConfigurationError, "Unknown provider: #{name}")
+      class_name.constantize.new
+    end
+  end
+end

data/lib/shakha/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Shakha
-  VERSION = "0.2.0"
+  VERSION = "0.3.0"
 end

data/lib/shakha.rb

@@ -3,14 +3,11 @@
 require "shakha/version"
 require "shakha/config"
 require "shakha/config_validator"
-require "shakha/pairwise"
-require "shakha/jwt_handler"
 require "shakha/pkce"
 require "shakha/rate_limiter"
-require "shakha/auditable"
 require "shakha/error_handler"
 require "shakha/controller_helpers"
-require "shakha/middleware"
+require "shakha/providers"
 require "shakha/engine"
 
 module Shakha
@@ -22,32 +19,9 @@ module Shakha
     def config
       @config ||= Config.new
     end
-
-    def verify_token(id_token, audience: nil)
-      JwtHandler.verify(id_token, audience: audience || default_audience)
-    end
-
-    def sign_token(payload, exp: 24.hours.from_now)
-      JwtHandler.encode(payload, exp: exp)
-    end
-
-    def derive_pairwise_sub(google_sub, client_id = nil)
-      Pairwise.derive(google_sub, client_id || default_client_id)
-    end
-
-    private
-
-    def default_audience
-      "origin:#{config.app_origin&.then { |url| URI.parse(url).origin }}"
-    end
-
-    def default_client_id
-      "origin:#{URI.parse(config.app_origin).origin}"
-    end
   end
 
   class ConfigurationError < StandardError; end
-  class JWTError < StandardError; end
   class PKCEError < StandardError; end
-  class GoogleOAuthError < StandardError; end
+  class OAuthError < StandardError; end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: shakha
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Asrat
@@ -81,8 +81,6 @@ files:
 - app/assets/stylesheets/shakha.css
 - app/controllers/shakha/application_controller.rb
 - app/controllers/shakha/auth_controller.rb
-- app/controllers/shakha/jwks_controller.rb
-- app/controllers/shakha/openid_controller.rb
 - app/controllers/shakha/session_controller.rb
 - app/models/shakha/client.rb
 - app/models/shakha/session.rb
@@ -90,23 +88,22 @@ files:
 - app/views/shakha/auth/callback.html.erb
 - app/views/shakha/auth/error.html.erb
 - app/views/shakha/auth/new.html.erb
-- app/views/shakha/auth/sessions.html.erb
 - app/views/shakha/errors/show.html.erb
 - app/views/shakha/layouts/shakha.html.erb
 - lib/generators/shakha/install_generator.rb
 - lib/generators/shakha/templates/initializer.rb.erb
 - lib/generators/shakha/templates/migration.rb.erb
 - lib/shakha.rb
-- lib/shakha/auditable.rb
 - lib/shakha/config.rb
 - lib/shakha/config_validator.rb
 - lib/shakha/controller_helpers.rb
 - lib/shakha/engine.rb
 - lib/shakha/error_handler.rb
-- lib/shakha/jwt_handler.rb
-- lib/shakha/middleware.rb
-- lib/shakha/pairwise.rb
 - lib/shakha/pkce.rb
+- lib/shakha/providers.rb
+- lib/shakha/providers/base.rb
+- lib/shakha/providers/github.rb
+- lib/shakha/providers/google.rb
 - lib/shakha/rate_limiter.rb
 - lib/shakha/version.rb
 homepage: https://shakha.dev

data/app/controllers/shakha/jwks_controller.rb

@@ -1,10 +0,0 @@
-# frozen_string_literal: true
-
-module Shakha
-  class JwksController < ApplicationController
-    def show
-      render json: Shakha::JwtHandler.jwks,
-             content_type: "application/json"
-    end
-  end
-end

data/app/controllers/shakha/openid_controller.rb

@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-module Shakha
-  class OpenidController < ApplicationController
-    def configuration
-      render json: {
-        issuer: Shakha.config.issuer,
-        authorization_endpoint: "#{Shakha.config.service_base_url}/auth/shakha/authorize",
-        token_endpoint: "#{Shakha.config.service_base_url}/auth/shakha/token",
-        userinfo_endpoint: "#{Shakha.config.service_base_url}/auth/shakha/session",
-        jwks_uri: "#{Shakha.config.service_base_url}/.well-known/jwks.json",
-        response_types_supported: ["code"],
-        grant_types_supported: ["authorization_code"],
-        code_challenge_methods_supported: ["S256"],
-        subject_types_supported: ["pairwise"],
-        id_token_signing_alg_values_supported: ["ES256"],
-        scopes_supported: ["openid", "email", "profile"]
-      }, content_type: "application/json"
-    end
-  end
-end

data/app/views/shakha/auth/sessions.html.erb

@@ -1,66 +0,0 @@
-<% content_for :title, "Active Sessions" %>
-
-<div class="sh-layout sh-animate-fade">
-  <div class="sh-card sh-animate-slide" style="max-width: 560px;">
-    <div class="sh-card__header">
-      <div class="sh-brand">
-        <div class="sh-brand__icon">S</div>
-        <div>
-          <div class="sh-brand__name">Active Sessions</div>
-          <div class="sh-brand__subtitle">Manage your signed-in devices</div>
-        </div>
-      </div>
-    </div>
-
-    <div class="sh-sessions">
-      <div class="sh-sessions__header">
-        <span class="sh-sessions__title">Devices</span>
-        <span class="sh-sessions__count"><%= @sessions&.size || 0 %> active</span>
-      </div>
-
-      <% if @sessions&.any? %>
-        <% @sessions.each do |session| %>
-          <div class="sh-session <%= 'sh-session--current' if session.token == @current_token %>">
-            <div class="sh-session__info">
-              <div style="display: flex; align-items: center; gap: var(--sh-space-2);">
-                <% if session.token == @current_token %>
-                  <span class="sh-session__badge">Current</span>
-                <% end %>
-                <span class="sh-session__device">Web Browser</span>
-              </div>
-              <div class="sh-session__meta">
-                <%= session.ip_address || "Unknown IP" %> ·
-                <%= session.created_at.strftime("%b %d, %Y at %I:%M %p") %>
-              </div>
-            </div>
-
-            <% if session.token != @current_token %>
-              <%= button_to revoke_session_path(session.id),
-                  method: :delete,
-                  class: "sh-session__btn",
-                  data: { turbo: false, confirm: "Revoke this session?" } do %>
-                Revoke
-              <% end %>
-            <% end %>
-          </div>
-        <% end %>
-      <% else %>
-        <div class="sh-empty">
-          <div class="sh-empty__icon">
-            <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="1.5">
-              <rect x="3" y="11" width="18" height="11" rx="2" ry="2"/>
-              <path d="M7 11V7a5 5 0 0 1 10 0v4"/>
-            </svg>
-          </div>
-          <p>No active sessions found.</p>
-        </div>
-      <% end %>
-    </div>
-
-    <div class="sh-card__footer">
-      <%= link_to "/", class: "sh-link" do %>
-        ← Back to app
-      <% end %>
-    </div>
-  </div>
-</div>

data/lib/shakha/auditable.rb

@@ -1,47 +0,0 @@
-# frozen_string_literal: true
-
-module Shakha
-  module Auditable
-    extend ActiveSupport::Concern
-
-    included do
-      after_action :log_sign_in
-      after_action :log_sign_out
-      after_action :log_token_exchange
-    end
-
-    private
-
-    def log_sign_in
-      return unless action_name == "callback" && response.successful? && @current_user
-
-      ActiveSupport::Notifications.instrument("shakha.sign_in", {
-        user_id: @current_user&.id,
-        pairwise_sub: @current_user&.pairwise_sub,
-        client_id: @current_client&.id,
-        ip: request.remote_ip,
-        user_agent: request.user_agent
-      })
-    end
-
-    def log_sign_out
-      return unless action_name == "destroy"
-
-      ActiveSupport::Notifications.instrument("shakha.sign_out", {
-        session_id: @current_session&.id,
-        user_id: @current_session&.user_id,
-        ip: request.remote_ip
-      })
-    end
-
-    def log_token_exchange
-      return unless action_name == "token"
-
-      ActiveSupport::Notifications.instrument("shakha.token_exchange", {
-        ip: request.remote_ip,
-        user_agent: request.user_agent,
-        success: response.successful?
-      })
-    end
-  end
-end