signinable 2.0.12 → 2.0.15

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: dcefec413ade50e4c25e5092ce23033646cb6ed3b7e19bbe473011ecbf4bb649
-  data.tar.gz: e9c6374287e726ce2007b3a6654063d017138161cfaf51cb2076167e629708d2
+  metadata.gz: 5874be18901fc2c73dc44f49b54e847a9837b3d735ba4bb5c5cb285df08ee811
+  data.tar.gz: b87d026e0221c8684ae4fc1576743fd2cd782fa3a145dbdc814c3ea6d332733b
 SHA512:
-  metadata.gz: '07509bfee44ecffa2072e9c7730c8b9aa557c60bf1d3d599366f9b793b77b7a4934f7de800a77157bfdba2773be1e7908343ef11d90550a6d52fccb8d8982786'
-  data.tar.gz: ecd7ec4b2e43ff9d6a219d255674a8ee0663d190549123af5998300ba1ce52d4c972b9636b433fe685fa43d9da6159303a650c9f2937453c01e40b35719da91f
+  metadata.gz: 237c7de3fef5bc654629f346468beb3df87a3b707988858233d56d224c874be405ef7b4bc32d94e0ec3a48248aaeaae55fe7107d595832497a0d0fd849549d45
+  data.tar.gz: ec0357a307c90c515770f5de1be6457da1cb021fc0bd2dd9fba0a373cd065a32d2236807f58c2a9e68039d6bf2bd19cabb91987e6d1c1b660188cfde94fc7909

data/app/models/signin.rb

@@ -10,12 +10,16 @@ class Signin < ActiveRecord::Base
             presence: true,
             format: { with: Regexp.union(Resolv::IPv4::Regex, Resolv::IPv6::Regex) }
 
+  scope :active, -> { where('expiration_time IS NULL OR expiration_time > ?', Time.zone.now) }
+
   before_validation on: :create do
-    self.token = SecureRandom.urlsafe_base64(rand(50..100))
+    self.token = generate_token
   end
 
+  serialize :custom_data if ActiveRecord::Base.connection.instance_values['config'][:adapter].match('mysql')
+
   def expire!
-    renew!(0)
+    renew!(period: 0, ip: ip, user_agent: user_agent)
   end
 
   def expired?
@@ -26,9 +30,16 @@ class Signin < ActiveRecord::Base
     !expiration_time.nil?
   end
 
-  def renew!(period)
-    update!(expiration_time: (Time.zone.now + period))
+  def renew!(period:, ip:, user_agent:, refresh_token: false)
+    update_hash = { ip: ip, user_agent: user_agent }
+    update_hash[:expiration_time] = Time.zone.now + period if expireable?
+    update_hash[:token] = generate_token if refresh_token
+    update!(update_hash)
   end
 
-  serialize :custom_data if ActiveRecord::Base.connection.instance_values['config'][:adapter].match('mysql')
+  private
+
+  def generate_token
+    SecureRandom.urlsafe_base64(rand(50..100))
+  end
 end

data/lib/signinable/engine.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require 'jwt'
+
 module Signinable
   class Engine < ::Rails::Engine
     initializer :append_migrations do |app|

data/lib/signinable/model_additions.rb

@@ -6,30 +6,36 @@ module Signinable
 
     module ClassMethods
       ALLOWED_RESTRICTIONS = %i[ip user_agent].freeze
-      DEFAULT_EXPIRATION = 7200
+      DEFAULT_REFRESH_EXP = 7200
+      DEFAULT_JWT_EXP = 900
 
-      cattr_reader :signin_expiration
+      cattr_reader :refresh_exp
       cattr_reader :simultaneous_signings
       cattr_reader :signin_restrictions
+      cattr_reader :jwt_secret
+      cattr_reader :jwt_exp
 
       def signinable(options = {})
-        self.signin_expiration = options.fetch(:expiration, DEFAULT_EXPIRATION)
+        self.refresh_exp = options.fetch(:refresh_exp, DEFAULT_REFRESH_EXP)
         self.simultaneous_signings = options.fetch(:simultaneous, true)
         self.signin_restrictions = options[:restrictions]
+        self.jwt_secret = options.fetch(:jwt_secret)
+        self.jwt_exp = options.fetch(:jwt_exp, DEFAULT_JWT_EXP)
 
         has_many :signins, as: :signinable, dependent: :destroy
+
+        attr_accessor :jwt
       end
 
-      def authenticate_with_token(token, ip, user_agent, skip_restrictions: [])
-        signin = Signin.find_by(token: token)
+      def authenticate_with_token(jwt, ip, user_agent, skip_restrictions: [])
+        jwt_payload = extract_jwt_payload(jwt)
+        return refresh_jwt(jwt, ip, user_agent, skip_restrictions: skip_restrictions) unless jwt_payload
 
-        return unless signin
-        return nil if signin.expired?
-        return nil unless check_simultaneous_signings(signin)
-        return nil unless check_signin_permission(signin, { ip: ip, user_agent: user_agent }, skip_restrictions)
+        signinable = find_by(primary_key => jwt_payload['signinable_id'])
+        return nil unless signinable
 
-        signin.renew!(expiration_period) if signin.expireable?
-        signin.signinable
+        signinable.jwt = jwt
+        signinable
       end
 
       def check_signin_permission(signin, restrictions_to_check, skip_restrictions)
@@ -37,16 +43,57 @@ module Signinable
       end
 
       def expiration_period
-        return signin_expiration.call if signin_expiration.respond_to?(:call)
+        return refresh_exp.call if refresh_exp.respond_to?(:call)
+
+        refresh_exp
+      end
 
-        signin_expiration
+      def generate_jwt(refresh_token, signinable_id)
+        JWT.encode(
+          {
+            refresh_token: refresh_token,
+            signinable_id: signinable_id,
+            exp: Time.zone.now.to_i + jwt_exp
+          },
+          jwt_secret,
+          'HS256'
+        )
+      end
+
+      def refresh_jwt(jwt, ip, user_agent, skip_restrictions: [])
+        token = refresh_token_from_jwt(jwt)
+        return nil unless token
+
+        signin = Signin.find_by(token: token)
+
+        return unless signin
+        return nil if signin.expired?
+        return nil unless check_signin_permission(signin, { ip: ip, user_agent: user_agent }, skip_restrictions)
+
+        signin.renew!(period: expiration_period, ip: ip, user_agent: user_agent, refresh_token: true)
+        signin.signinable.jwt = generate_jwt(signin.token, signin.signinable_id)
+        signin.signinable
       end
 
       private
 
-      cattr_writer :signin_expiration
+      cattr_writer :refresh_exp
       cattr_writer :simultaneous_signings
       cattr_writer :signin_restrictions
+      cattr_writer :jwt_secret
+      cattr_writer :jwt_exp
+
+      def extract_jwt_payload(jwt)
+        JWT.decode(jwt, jwt_secret, true, { algorithm: 'HS256' })[0]
+      rescue JWT::DecodeError
+        nil
+      end
+
+      def refresh_token_from_jwt(jwt)
+        JWT.decode(jwt, jwt_secret, true, { verify_expiration: false, algorithm: 'HS256' })[0]['refresh_token']
+      rescue JWT::DecodeError
+        nil
+      end
 
       def signin_permitted?(signin, restrictions_to_check, skip_restrictions)
         restriction_fields = signin_restriction_fields(signin, skip_restrictions)
@@ -68,25 +115,22 @@ module Signinable
                  end
         (fields - skip_restrictions) & ALLOWED_RESTRICTIONS
       end
-
-      def check_simultaneous_signings(signin)
-        return true if simultaneous_signings
-
-        signin == signin.signinable.last_signin
-      end
     end
 
     def signin(ip, user_agent, referer, permanent: false, custom_data: {})
       expires_in = self.class.expiration_period
       expiration_time = expires_in.zero? || permanent ? nil : expires_in.seconds.from_now
-      Signin.create!(
+      Signin.where(signinable: self).active.map(&:expire!) unless self.class.simultaneous_signings
+      signin = Signin.create!(
         signinable: self,
         ip: ip,
         referer: referer,
         user_agent: user_agent,
         expiration_time: expiration_time,
         custom_data: custom_data
-      ).token
+      )
+
+      self.jwt = self.class.generate_jwt(signin.token, signin.signinable_id)
     end
 
     def signout(token, ip, user_agent, skip_restrictions: [])
@@ -105,7 +149,7 @@ module Signinable
     end
 
     def last_signin
-      signins.last
+      signins.active.last
     end
   end
 end

data/lib/signinable/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Signinable
-  VERSION = '2.0.12'
+  VERSION = '2.0.15'
 end

data/spec/dummy/app/models/user.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 class User < ActiveRecord::Base
-  signinable
+  signinable jwt_secret: 'test', jwt_exp: 100
 end