shakha 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 366829b83286435b8a3ff8a9b74cdfe319e072768efabbbfa0777d3ce7a9bb6b
-  data.tar.gz: 5aafc4d8d1db8bf6287c40ffea5dbb614903e288ddfeb35ae4d1c1e0b0ecff34
+  metadata.gz: 7f2fb69e4f483c981312b4211c9205e9ae5d0d100a0d3d8f0d61f693478c8369
+  data.tar.gz: 6dfb50d826c90ea54ed5453d7eebad7a94bf93cea02a1bb407fbd69a61da421e
 SHA512:
-  metadata.gz: 6a7982ee421c97e9f66eb5eceb29dddd2159806d37d37bb759e84c80686390f395703adfd8b881c7a0d5eafa3c5e2bc969844ad6375ce4a04572b5e4758b5f75
-  data.tar.gz: f41c800d89c409fbcea81ab122d7f9e59028777b15643ec006ff0b6e0cddb7adcc621c463cdc538b088e171f9f4eb460cf5197b48b361700a041373c5899b2f7
+  metadata.gz: 1bac5c8e1d92fb2997713d5ad19d7b16327fc21ec7e7520adf09d736bbe2c15c1cb72ef7c859798cba62a8a012819a1fb4863bd6c49830cd10d98f3082d4afc9
+  data.tar.gz: 8e9ae9652bb51b48bc30623305113e75c2a1c56676ec17a4e9503f4dc9694f55cf87d1d58fa9a2aaee956e47fa8ee1ecdc35024f3500c616e228942f42efbfac

data/README.md

@@ -28,12 +28,13 @@ class CreateShakhaTables < ActiveRecord::Migration[7.1]
 
     create_table :shakha_users do |t|
       t.references :client, null: false, foreign_key: { to_table: :shakha_clients }
-      t.string :pairwise_sub, null: false
+      t.string :provider, null: false
+      t.string :uid, null: false
       t.string :email
       t.string :name
       t.string :picture
       t.timestamps
-      t.index :pairwise_sub, unique: true
+      t.index [:provider, :uid], unique: true
       t.index :email
     end
 
@@ -41,12 +42,10 @@ class CreateShakhaTables < ActiveRecord::Migration[7.1]
       t.references :user, foreign_key: { to_table: :shakha_users }
       t.references :client, null: false, foreign_key: { to_table: :shakha_clients }
       t.string :token, null: false
-      t.string :jti, null: false
       t.string :ip_address
       t.string :user_agent
       t.timestamps
       t.index :token, unique: true
-      t.index :jti, unique: true
       t.index :created_at
     end
   end

data/app/controllers/shakha/application_controller.rb

@@ -14,7 +14,7 @@ module Shakha
 
     private
 
-    def invalid_csrf_token(exception)
+    def invalid_csrf_token(_exception)
       render json: { error: "Invalid CSRF token" }, status: :unprocessable_entity
     end
   end

data/app/controllers/shakha/auth_controller.rb

@@ -6,199 +6,92 @@ require "uri"
 module Shakha
   class AuthController < ApplicationController
     include PKCEMixin
-    include Auditable
 
-    skip_before_action :verify_authenticity_token, only: [:callback, :token]
+    skip_before_action :verify_authenticity_token, only: [:callback]
 
     def new
       @client = find_or_create_client
       @return_to = sanitize_return_to(params[:return_to])
+      @providers = Shakha.config.providers
     end
 
     def authorize
-      params[:return_to] = sanitize_return_to(params[:return_to])
+      provider = resolve_provider
       pkce = create_pkce_bundle
-      @client = find_or_create_client
 
-      google_auth_url = build_google_auth_url(pkce)
+      redirect_uri = "#{Shakha.config.app_origin}/auth/shakha/#{provider.provider_name}/callback"
+      auth_url = provider.authorize_url(
+        state: pkce[:state],
+        code_challenge: pkce[:challenge],
+        redirect_uri: redirect_uri
+      )
 
-      redirect_to google_auth_url, allow_other_host: true
+      redirect_to auth_url, allow_other_host: true
     end
 
     def callback
+      provider = resolve_provider
       pkce_result = verify_pkce!(params[:state])
-      exchange_code_for_tokens(params[:code], pkce_result[:verifier], pkce_result[:return_to], pkce_result[:nonce])
-    rescue PKCEError, GoogleOAuthError => e
-      ActiveSupport::Notifications.instrument("shakha.sign_in_failed", {
-        reason: e.class.name,
-        ip: request.remote_ip
-      })
-      Rails.logger.warn("[Shakha] Auth error: #{e.class}: #{e.message}")
-      redirect_to "/auth/shakha/error?message=#{URI.encode_www_form_component(user_facing_error(e))}"
-    end
-
-    def token
-      code = params[:code]
-      verifier = params[:code_verifier]
 
-      raise PKCEError, "Missing code" unless code
-      raise PKCEError, "Missing code_verifier" unless verifier
-
-      id_token = exchange_code_for_id_token(code, verifier)
+      token_response = provider.exchange_code(
+        code: params[:code],
+        code_verifier: pkce_result[:verifier],
+        redirect_uri: "#{Shakha.config.app_origin}/auth/shakha/#{provider.provider_name}/callback"
+      )
 
-      render json: {
-        id_token: id_token,
-        pairwise_sub: id_token_payload(id_token)[:sub],
-        expires_in: 24.hours.to_i
-      }
-    rescue PKCEError, JWTError, GoogleOAuthError => e
-      render json: { error: e.message }, status: :unauthorized
-    end
+      identity = provider.identity_from_response(token_response)
+      user = find_or_create_user(provider.provider_name, identity)
+      session_record = create_session(user)
+      set_session_cookie(session_record)
+      redirect_to build_return_url(pkce_result[:return_to], session_record)
 
-    def error
-      @message = params[:message] || "Authentication failed"
+    rescue PKCEError, OAuthError => e
+      handle_auth_failure(e, pkce_result)
     end
 
-    private
-
-    def sanitize_return_to(raw)
-      return "/" if raw.blank?
-
-      uri = URI.parse(raw)
-      app_host = URI.parse(Shakha.config.app_origin).host
-
-      # Must have a path
-      return "/" unless uri.path.present? && uri.path.start_with?("/")
+    def destroy
+      current_session&.destroy
+      cookies.delete(:shakha_session_token)
 
-      # If external host, must be in allowed origins
-      if uri.host.present? && uri.host != app_host && !allowed_origin?(uri.origin)
-        return "/"
+      respond_to do |format|
+        format.html { redirect_to params[:return_to].presence || "/" }
+        format.json { render json: { status: "signed_out" } }
       end
-
-      raw
-    rescue URI::InvalidURIError
-      "/"
-    end
-
-    def allowed_origin?(origin)
-      Shakha.config.allowed_redirect_origins&.include?(origin) || false
     end
 
-    def app_origin_host
-      URI.parse(Shakha.config.app_origin).host
+    def error
+      @message = params[:message] || "Authentication failed"
     end
 
-    def client_origin_host
-      URI.parse(Shakha.config.service_base_url).host
-    rescue URI::InvalidURIError
-      nil
-    end
+    private
 
-    def user_facing_error(exception)
-      case exception
-      when PKCEError
-        "Authentication failed. Please try again."
-      when GoogleOAuthError
-        "Unable to sign in with Google. Please try again later."
-      else
-        "An unexpected error occurred. Please try again."
-      end
+    def resolve_provider
+      provider_name = (params[:provider] || :google).to_sym
+      Shakha::Providers.resolve(provider_name)
     end
 
-    def find_or_create_client
-      origin = request.origin || Shakha.config.app_origin
-      origin_uri = URI.parse(origin).origin
-
-      if Shakha.config.embedded?
-        Shakha::Client.find_or_create_by!(origin: origin_uri) do |client|
-          client.name = URI.parse(origin).host
-        end
-      else
-        Shakha::Client.find_by!(origin: origin_uri)
+    def find_or_create_user(provider_name, identity)
+      Shakha::User.find_or_create_by!(
+        provider: provider_name.to_s,
+        uid: identity[:uid]
+      ) do |user|
+        user.client = find_or_create_client
+        user.email = identity[:email]
+        user.name = identity[:name]
+        user.picture = identity[:picture]
       end
-    rescue ActiveRecord::RecordNotFound
-      raise ConfigurationError, "Unknown client origin: #{origin_uri}. Register this origin in shakha_clients first."
-    end
-
-    def build_google_auth_url(pkce)
-      client_id = Shakha.config.google_client_id || ENV["GOOGLE_CLIENT_ID"]
-      base_url = Shakha.config.service_base_url || "http://localhost:3000"
-      redirect_uri = "#{base_url}/auth/shakha/callback"
-
-      scopes = ["openid", "email", "profile"].join(" ")
-      scopes += " https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile" if params[:request_pii]
-
-      params = {
-        client_id: client_id,
-        redirect_uri: redirect_uri,
-        response_type: "code",
-        scope: scopes,
-        code_challenge: pkce[:challenge],
-        code_challenge_method: "S256",
-        state: pkce[:state],
-        nonce: pkce[:nonce],
-        access_type: "offline",
-        prompt: "consent"
-      }
-
-      URI.parse("https://accounts.google.com/o/oauth2/v2/auth").tap do |uri|
-        uri.query = URI.encode_www_form(params)
-      end.to_s
     end
 
-    def exchange_code_for_tokens(code, verifier, return_to = "/", expected_nonce = nil)
-      client_id = Shakha.config.google_client_id || ENV["GOOGLE_CLIENT_ID"]
-      client_secret = Shakha.config.google_client_secret || ENV["GOOGLE_CLIENT_SECRET"]
-      base_url = Shakha.config.service_base_url || "http://localhost:3000"
-      redirect_uri = "#{base_url}/auth/shakha/callback"
-
-      response = http_post(
-        "https://oauth2.googleapis.com/token",
-        {
-          code: code,
-          client_id: client_id,
-          client_secret: client_secret,
-          redirect_uri: redirect_uri,
-          grant_type: "authorization_code",
-          code_verifier: verifier
-        }
-      )
-
-      tokens = JSON.parse(response.body)
-      id_token = tokens["id_token"]
-      access_token = tokens["access_token"]
-
-      raise GoogleOAuthError, "No id_token received" unless id_token
-
-      payload = decode_id_token(id_token)
-      google_sub = payload["sub"]
-
-      # Verify nonce (OIDC replay protection)
-      if expected_nonce && payload["nonce"] != expected_nonce
-        raise GoogleOAuthError, "Nonce mismatch"
-      end
-
-      client = find_or_create_client
-      pairwise_sub = Shakha.derive_pairwise_sub(google_sub, client.client_id)
-
-      user = Shakha::User.find_or_initialize_by(pairwise_sub: pairwise_sub, client: client)
-
-      if payload["email"]
-        user.assign_attributes(
-          email: payload["email"],
-          name: payload["name"],
-          picture: payload["picture"]
-        )
-      end
-      user.save!
-
-      session_record = Shakha::Session.create!(
+    def create_session(user)
+      Shakha::Session.create!(
         user: user,
-        client: client,
+        client: find_or_create_client,
         ip_address: request.remote_ip,
         user_agent: request.user_agent
       )
+    end
 
+    def set_session_cookie(session_record)
       cookies.encrypted[:shakha_session_token] = {
         value: session_record.token,
         httponly: true,
@@ -206,61 +99,66 @@ module Shakha
         same_site: :lax,
         expires: Shakha.config.session_lifetime.from_now
       }
-
-      redirect_to sanitize_return_to(return_to)
     end
 
-    def exchange_code_for_id_token(code, verifier)
-      client_id = Shakha.config.google_client_id || ENV["GOOGLE_CLIENT_ID"]
-      client_secret = Shakha.config.google_client_secret || ENV["GOOGLE_CLIENT_SECRET"]
-      redirect_uri = "#{Shakha.config.service_base_url}/auth/shakha/callback"
+    def build_return_url(return_to, session_record)
+      uri = URI.parse(return_to || "/")
+      existing = URI.decode_www_form(uri.query || "").to_h
+      existing["token"] = session_record.token
+      existing["expires_at"] = session_record.expires_at.iso8601
+      uri.query = URI.encode_www_form(existing)
+      uri.to_s
+    end
 
-      response = http_post(
-        "https://oauth2.googleapis.com/token",
-        {
-          code: code,
-          client_id: client_id,
-          client_secret: client_secret,
-          redirect_uri: redirect_uri,
-          grant_type: "authorization_code",
-          code_verifier: verifier
-        }
-      )
+    def handle_auth_failure(exception, pkce_result)
+      return_to = pkce_result&.dig(:return_to) || "/"
 
-      tokens = JSON.parse(response.body)
-      tokens["id_token"] || raise(GoogleOAuthError, "No id_token in response")
+      if request.format.json? || api_request?
+        render json: { error: user_facing_error(exception) }, status: :unauthorized
+      else
+        redirect_to "#{return_to}?error=#{URI.encode_www_form_component(user_facing_error(exception))}"
+      end
     end
 
-    def id_token_payload(id_token)
-      JWT.decode(id_token, nil, false)[0]
+    def api_request?
+      request.headers["Accept"]&.include?("application/json")
     end
 
-    def decode_id_token(id_token)
-      JWT.decode(id_token, nil, false)[0]
-    end
+    def sanitize_return_to(raw)
+      return "/" if raw.blank?
+
+      uri = URI.parse(raw)
+      app_host = URI.parse(Shakha.config.app_origin).host
+
+      return "/" unless uri.path.present? && uri.path.start_with?("/")
 
-    def http_post(url, body)
-      uri = URI.parse(url)
-      http = Net::HTTP.new(uri.host, uri.port)
-      http.use_ssl = uri.scheme == "https"
-      http.open_timeout = 5
-      http.read_timeout = 10
+      if uri.host.present? && uri.host != app_host && !allowed_origin?(uri.origin)
+        return "/"
+      end
 
-      request = Net::HTTP::Post.new(uri.request_uri)
-      request["Content-Type"] = "application/x-www-form-urlencoded"
-      request.body = URI.encode_www_form(body)
+      raw
+    rescue URI::InvalidURIError
+      "/"
+    end
 
-      response = http.request(request)
+    def allowed_origin?(origin)
+      Shakha.config.allowed_redirect_origins&.include?(origin) || false
+    end
 
-      unless response.is_a?(Net::HTTPSuccess)
-        Rails.logger.error("[Shakha] Google API error: HTTP #{response.code} — #{response.body.truncate(500)}")
-        raise GoogleOAuthError, "Google returned HTTP #{response.code}"
+    def find_or_create_client
+      origin = request.origin || Shakha.config.app_origin
+      origin_uri = URI.parse(origin).origin
+      Shakha::Client.find_or_create_by!(origin: origin_uri) do |client|
+        client.name = URI.parse(origin).host
       end
+    end
 
-      response
-    rescue Net::OpenTimeout, Net::ReadTimeout, Errno::ECONNREFUSED, SocketError => e
-      Rails.logger.error("[Shakha] Network error contacting Google: #{e.message}")
-      raise GoogleOAuthError, "Unable to reach Google authentication service"
+    def user_facing_error(exception)
+      case exception
+      when PKCEError then "Authentication failed. Please try again."
+      when OAuthError then "Unable to sign in. Please try again later."
+      else "An unexpected error occurred. Please try again."
+      end
     end
   end
-end
+end

data/app/controllers/shakha/session_controller.rb

@@ -2,76 +2,31 @@
 
 module Shakha
   class SessionController < ApplicationController
-    include Auditable
-    skip_before_action :verify_authenticity_token, only: [:check]
-
-    def index
-      return render json: { error: "Authentication required" }, status: :unauthorized unless signed_in?
-
-      sessions = current_user.sessions.active.order(created_at: :desc)
+    def show
+      unless signed_in?
+        return render json: { error: "Authentication required" }, status: :unauthorized
+      end
 
       render json: {
-        current_token: current_session.token,
-        sessions: sessions.map { |s|
-          {
-            id: s.id,
-            token: s.token,
-            created_at: s.created_at.iso8601,
-            expires_at: s.expires_at.iso8601,
-            current: s.token == current_session.token
-          }
+        user: {
+          id: current_user.id,
+          email: current_user.email,
+          name: current_user.name,
+          picture: current_user.picture,
+          provider: current_user.provider
+        },
+        session: {
+          expires_at: current_session.expires_at.iso8601
         }
       }
     end
 
-    def show
-      render json: {
-        user_id: current_user&.pairwise_sub,
-        email: current_user&.email,
-        name: current_user&.name,
-        expires_at: current_session&.expires_at&.iso8601
-      }
-    end
-
     def check
       if signed_in?
         render json: { status: "active" }
       else
-        render json: {
-          status: "login_required",
-          reason: "no_session"
-        }, status: :unauthorized
-      end
-    end
-
-    def destroy
-      current_session&.destroy
-      cookies.delete(:shakha_session_token)
-
-      respond_to do |format|
-        format.html { redirect_to params[:return_to].presence || "/" }
-        format.json { render json: { status: "signed_out" } }
+        render json: { status: "expired" }, status: :unauthorized
       end
     end
-
-    def list
-      return redirect_to "/auth/shakha" unless signed_in?
-
-      @sessions = current_user.sessions.active.order(created_at: :desc)
-      @current_token = current_session&.token
-    end
-
-    def revoke
-      return render json: { error: "Authentication required" }, status: :unauthorized unless signed_in?
-
-      session = current_user.sessions.find(params[:id])
-      session.destroy
-
-      cookies.delete(:shakha_session_token) if session.token == current_session&.token
-
-      log_session_revoked(session)
-
-      render json: { status: "revoked" }
-    end
   end
-end
+end

data/app/models/shakha/client.rb

@@ -9,10 +9,6 @@ module Shakha
 
     validates :origin, presence: true, uniqueness: true
 
-    def client_id
-      "origin:#{origin}"
-    end
-
     def self.find_by_origin!(origin)
       find_by!(origin: URI.parse(origin).origin)
     end

data/app/models/shakha/session.rb

@@ -8,7 +8,6 @@ module Shakha
     belongs_to :client, class_name: "Shakha::Client"
 
     before_create :generate_token
-    before_create :generate_jti
 
     scope :active, -> { where("created_at > ?", Shakha.config.session_lifetime.ago) }
 
@@ -25,9 +24,5 @@ module Shakha
     def generate_token
       self.token ||= SecureRandom.urlsafe_base64(32)
     end
-
-    def generate_jti
-      self.jti ||= SecureRandom.uuid
-    end
   end
 end

data/app/models/shakha/user.rb

@@ -7,11 +7,9 @@ module Shakha
     belongs_to :client, class_name: "Shakha::Client"
     has_many :sessions, class_name: "Shakha::Session", dependent: :destroy
 
-    validates :pairwise_sub, presence: true
+    validates :provider, presence: true
+    validates :uid, presence: true
+    validates :uid, uniqueness: { scope: :provider }
     validates :email, uniqueness: { scope: :client_id }, allow_blank: true
-
-    def can_access?(resource)
-      true
-    end
   end
 end

data/app/views/shakha/auth/new.html.erb

@@ -16,25 +16,13 @@
     </div>
 
     <div class="sh-card__body">
-      <%= link_to shakha.authorize_path(request_pii: 1),
-                  class: "sh-btn sh-btn--google",
-                  data: { turbo: false } do %>
-        <svg class="sh-btn__icon" viewBox="0 0 18 18" aria-hidden="true">
-          <path fill="#4285F4" d="M17.64 9.2c0-.637-.057-1.251-.164-1.84H9v3.481h4.844c-.209 1.125-.843 2.078-1.796 2.717v2.258h2.908c1.702-1.567 2.684-3.875 2.684-6.615z"/>
-          <path fill="#34A853" d="M9 18c2.43 0 4.467-.806 5.956-2.184l-2.908-2.258c-.806.54-1.837.86-3.048.86-2.344 0-4.328-1.584-5.036-3.711H.957v2.332A8.997 8.997 0 0 0 9 18z"/>
-          <path fill="#FBBC05" d="M3.964 10.71A5.41 5.41 0 0 1 3.682 9c0-.593.102-1.17.282-1.71V4.958H.957A8.996 8.996 0 0 0 0 9c0 1.452.348 2.827.957 4.042l3.007-2.332z"/>
-          <path fill="#EA4335" d="M9 3.58c1.321 0 2.508.454 3.44 1.345l2.582-2.58C13.463.891 11.426 0 9 0A8.997 8.997 0 0 0 .957 4.958L3.964 7.29C4.672 5.163 6.656 3.58 9 3.58z"/>
-        </svg>
-        Continue with Google
+      <% @providers.each do |provider| %>
+        <%= link_to shakha.send("#{provider}_authorize_path"),
+                    class: "sh-btn sh-btn--#{provider}",
+                    data: { turbo: false } do %>
+          Continue with <%= provider.to_s.titleize %>
+        <% end %>
       <% end %>
-
-      <div class="sh-divider">or</div>
-
-      <p class="sh-text-center" style="color: var(--sh-text-tertiary); font-size: var(--sh-text-sm);">
-        By signing in, you agree to our
-        <a href="#">Terms</a> and
-        <a href="#">Privacy Policy</a>.
-      </p>
     </div>
 
     <div class="sh-card__footer">

data/lib/shakha/config.rb

@@ -3,43 +3,19 @@
 module Shakha
   class Config
     attr_accessor :app_origin,
-                  :service_url,
-                  :service_secret,
                   :google_client_id,
                   :google_client_secret,
-                  :issuer,
+                  :github_client_id,
+                  :github_client_secret,
+                  :providers,
                   :session_lifetime,
-                  :signing_key,
-                  :verification_key,
-                  :key_id,
                   :rate_limiting_enabled,
                   :allowed_redirect_origins
 
     def initialize
       @session_lifetime = 30.days
-      @issuer = "https://shakha.dev"
       @rate_limiting_enabled = false
-    end
-
-    def embedded?
-      service_url.blank?
-    end
-
-    def service_base_url
-      return app_origin if embedded?
-
-      service_url.chomp("/")
-    end
-
-    def client_id
-      return @client_id if defined?(@client_id)
-
-      origin = URI.parse(app_origin).origin
-      @client_id = "origin:#{origin}"
-    end
-
-    def audience
-      client_id
+      @providers = [:google]
     end
   end
-end
+end

data/lib/shakha/config_validator.rb

@@ -5,10 +5,9 @@ module Shakha
     class << self
       def validate!(config)
         missing = []
-        missing << "SHAKHA_APP_ORIGIN" unless config.app_origin.present?
+        missing << "APP_ORIGIN" unless config.app_origin.present?
         missing << "GOOGLE_CLIENT_ID" unless config.google_client_id.present?
         missing << "GOOGLE_CLIENT_SECRET" unless config.google_client_secret.present?
-        missing << "SHAKHA_SERVICE_SECRET" unless config.service_secret.present?
 
         unless missing.empty?
           message = "Shakha: missing required configuration: #{missing.join(', ')}"