simple-api-auth 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4b66b03e6dde55a63109efefcf8571850b7c471e
+  data.tar.gz: 8409349483eea331a07698ccf8c25de59ad14fb4
+SHA512:
+  metadata.gz: 1696e31b7c4af412db8382b66ed70727422dfdb0c6a2225331f96c9d94eb4dc4e35cd04dde3e970963aee49545947b834765d2557c8663cce24f5ba80ed81119
+  data.tar.gz: 2123dd8a3fe6c5eac4c430e1ac80594d18596d7fe0df9eaf8ecddd7bfcbc8c29d88c96b4698fffa4fca2a4e8dae975ce07519aae464cbf17f153ef17161b980d

data/.gitignore

@@ -0,0 +1,14 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log

data/.rspec

@@ -0,0 +1,3 @@
+--color
+--require spec_helper
+--format documentation

data/.rubocop.yml

@@ -0,0 +1,14 @@
+Documentation:
+  Enabled: false
+Style/FileName:
+  Enabled: false
+
+Metrics/LineLength:
+  Max: 100
+
+AllCops:
+  Exclude:
+    - 'db/**/*'
+    - 'config/**/*'
+    - 'bin/**/*'
+    - 'Guardfile'

data/.ruby-version

@@ -0,0 +1 @@
+2.1.4

data/.travis.yml

@@ -0,0 +1,16 @@
+language: ruby
+cache: bundler
+rvm:
+- 1.9.3-p484
+- 2.0.0-p353
+- 2.1.0
+- 2.1.2
+- 2.1.3
+- 2.1.4
+notifications:
+  email: false
+  slack:
+    secure: n7JigGAnMzisSryncblhmgh+/WoiOJJ3VoMiS6gYufJEjoiAByiOGKuMDYld/IfIZ9laD/XFx2l4aAl7QwCgae/EaKaZQeEoVSpIqacwsPNsQwqXf0IehgYv7/vykihYlFLu6eOCoqOXgDDWxP3Knned251MYzp8EcjNkUtZMrU=
+addons:
+  code_climate:
+    repo_token: 9bd643c8090c8ef179d2b7d20d41d2e4399c031f621efdb125c1dc2ca5d9e6cc

data/Gemfile

@@ -0,0 +1,12 @@
+source 'https://rubygems.org'
+
+gemspec
+
+group :development do
+  gem 'guard', require: false
+  gem 'guard-rspec', require: false
+end
+
+group :test do
+  gem 'codeclimate-test-reporter', require: false
+end

data/Guardfile

@@ -0,0 +1,5 @@
+guard :rspec, cmd: 'bundle exec rspec' do
+  watch(/^spec\/.+_spec\.rb$/)
+  watch(/^lib\/(.+)\.rb$/)     { |m| "spec/lib/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { 'spec' }
+end

data/LICENSE

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Claude Tech
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,169 @@
+# simple-api-auth [![Build Status](https://travis-ci.org/claudetech/ruby-simple-api-auth.svg?branch=master)](https://travis-ci.org/claudetech/ruby-simple-api-auth) [![Coverage Status](https://coveralls.io/repos/claudetech/ruby-simple-api-auth/badge.png?branch=master)](https://coveralls.io/r/claudetech/ruby-simple-api-auth?branch=master) [![Code Climate](https://codeclimate.com/github/claudetech/ruby-simple-api-auth/badges/gpa.svg)](https://codeclimate.com/github/claudetech/ruby-simple-api-auth)
+
+This gem provides a very basic token based authentication
+to use for API.
+This is meant to be used as a lightweight authentication
+solution when OAuth2 is too much.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'simple-api-auth'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install simple-api-auth
+
+## Usage
+
+This gem works out of the box with `ActiveRecord` and can be used stand alone
+with a little more work.
+
+### ActiveRecord usage
+
+Just include `acts_as_api_authenticable` in your model.
+
+```ruby
+class User < ActiveRecord::Base
+  acts_as_api_authenticable
+end
+```
+
+you will need to have `ssa_key` and `ssa_secret` defined as strings
+in your database for this to work. If you want to change the columns name,
+you can pass them in option.
+
+```ruby
+class User < ActiveRecord::Base
+  acts_as_api_authenticable ssa_key: :resource_key_field, ssa_secret: :secret_token
+end
+```
+
+If you want the keys to be generated when you create a new instance of the model, you can pass `:auto_generate` with either `true`, or the field you want
+to generate.
+
+```ruby
+class User < ActiveRecord::Base
+  # this will generate a after_initialize to assign `ssa_key`
+  acts_as_api_authenticable auto_generate: :ssa_key
+  # this will generate a after_initialize for both `ssa_key` and `ssa_secret`
+  acts_as_api_authenticable auto_generate: true
+end
+```
+
+Note that the keys for autogenerate should be `:ssa_key` and `:ssa_secret` even if you change the key column name.
+
+You can then use
+
+```ruby
+User.authenticate(request)
+```
+
+this will return the user if the request is valid, or `nil` otherwise.
+
+### Standalone usage
+
+This gem can easily used without `ActiveRecord`.
+
+```ruby
+ssa_key = SimpleApiAuth.extract_key(request)
+secret_key = your_logic_to_get_secret_key(ssa_key)
+valid = SimpleApiAuth.valid_signature?(request, secret_key)
+```
+
+### Configuration
+
+The library accepts the following configurations
+
+```ruby
+SimpleApiAuth.configure do |config|
+    # values used as default with `acts_as_api_authenticable`
+    config.model_defaults = { ssa_key: :ssa_key, ssa_secret: :ssa_secret, auto_generate: false }
+
+    # the normalized keys for the HTTP headers
+    config.header_keys = { key: :x_saa_key, time: :x_saa_auth_time, authorization: :authorization
+      }
+
+    # the methods name for the HTTP request used
+    config.request_fields = {
+      headers: :headers,
+      http_verb: :method,
+      uri: :path,
+      query_string: :query_string,
+      body: :body
+    }
+
+    # the allowed HTTP methods
+    config.allowed_methods = [:get, :post, :put, :patch, :delete]
+
+    # the required headers for the HTTP request
+    config.required_headers = config.header_keys.values
+
+    # the class to use to hash requests
+    # it must contain a `hmac` and a `hash` method
+    config.hasher = SimpleApiAuth::Hasher::SHA1
+
+    # the class to use to sign requests
+    # it must contain a `sign` method
+    config.signer = SimpleApiAuth::Signer
+    config.request_timeout = 5
+    config.logger = nil
+end
+```
+
+
+### Supported frameworks
+
+This library should be configurable enough to work with more or less any framework.
+It will work out of the box for Rails, and will just need a little setup
+to work with `request` objects with a different API.
+
+For example, to work with Sinatra request, the following can be passed
+
+```ruby
+SimpleApiAuth.configure do |config|
+  config.request_fields.merge! {
+    headers: :env,
+    http_verb: :request_method,
+    uri: :path_info
+  }
+end
+```
+
+Note that `body` should return something with a `read` method,
+and `query_string` should contain the URI encoded query string.
+
+## Clients
+
+This library can also be used as a client. You can compute the request
+signature with
+
+```ruby
+signature = SimpleApiAuth.compute_signature(request, secret_key)
+```
+
+or directly sign the request with
+
+```ruby
+SimpleApiAuth.sign!(request, secret_key)
+```
+
+A JS client, with an AngularJS module intregrated with the `$http` service
+is in progress and should be available soon (with a few weeks).
+
+Contributions are very welcome for other clients.
+
+## Contributing
+
+1. Fork it ( https://github.com/claudetech/simple-api-auth/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,7 @@
+require 'bundler/gem_tasks'
+
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/lib/simple-api-auth/authenticable.rb

@@ -0,0 +1,72 @@
+module SimpleApiAuth
+  module Authenticable
+    def api_authenticable?
+      false
+    end
+
+    def acts_as_api_authenticable(options = {})
+      if api_authenticable?
+        self.ssa_options = ssa_options.merge(options)
+      else
+        extend ClassMethods
+        include InstanceMethods
+        self.ssa_options = SimpleApiAuth.config.make_model_options(options)
+        ssa_options[:auto_generate].each do |field|
+          send(:after_initialize, "assign_#{field}")
+        end
+      end
+    end
+
+    module ClassMethods
+      attr_accessor :ssa_options
+
+      def api_authenticable?
+        true
+      end
+
+      def ssa_authenticate(request)
+        request = SimpleApiAuth::Request.create(request)
+        entity = ssa_find(request)
+        return false if entity.nil?
+        secret_key = entity.send(ssa_options[:ssa_secret])
+        return false unless SimpleApiAuth.valid_signature?(request, secret_key)
+        entity
+      end
+
+      def ssa_find(request)
+        key = SimpleApiAuth.extract_key(request)
+        find_by(ssa_options[:ssa_key] => key)
+      end
+
+      def generate_ssa_key(options = {})
+        length = options[:length] || (Math.log(count + 1, 64) + 5)
+        loop do
+          key = SecureRandom.urlsafe_base64(length)
+          break key unless exists?(ssa_options[:ssa_key] => key)
+        end
+      end
+
+      def generate_ssa_secret(options = {})
+        length = options[:length] || 64
+        SecureRandom.urlsafe_base64(length)
+      end
+    end
+
+    module InstanceMethods
+      def assign_ssa_key(options = {})
+        assign_ssa(:ssa_key, options)
+      end
+
+      def assign_ssa_secret(options = {})
+        assign_ssa(:ssa_secret, options)
+      end
+
+      private
+
+      def assign_ssa(field, options = {})
+        key_name = self.class.ssa_options[field]
+        send("#{key_name}=", self.class.send("generate_#{field}", options))
+      end
+    end
+  end
+end

data/lib/simple-api-auth/authenticator.rb

@@ -0,0 +1,32 @@
+module SimpleApiAuth
+  class Authenticator
+    include SimpleApiAuth::Helpers::Auth
+
+    attr_accessor :request, :signer
+
+    def initialize(request, secret_key, options = {})
+      self.request = SimpleApiAuth::Request.create(request)
+      self.signer = SimpleApiAuth.config.signer.new
+      @options = options
+      @secret_key = secret_key
+    end
+
+    def valid_signature?
+      return false if !check_data(request) || too_old?(request)
+      signed_request = signer.sign(request, @secret_key)
+      SimpleApiAuth.log(Logger::DEBUG, "Signed request: #{signed_request}")
+      SimpleApiAuth.log(Logger::DEBUG, "User signature: #{signature}")
+      secure_equals?(signed_request, signature, @secret_key)
+    end
+
+    private
+
+    def signature
+      extract_signature(headers)
+    end
+
+    def headers
+      request.headers
+    end
+  end
+end

data/lib/simple-api-auth/config.rb

@@ -0,0 +1,61 @@
+module SimpleApiAuth
+  class Config
+    attr_accessor :request_fields, :allowed_methods
+    attr_accessor :signer, :request_timeout, :required_headers, :hasher
+    attr_accessor :logger, :header_keys, :model_defaults
+
+    def initialize
+      reset!
+    end
+
+    def reset!
+      self.model_defaults = model_default_values
+      self.header_keys = default_header_keys
+      self.request_fields = default_request_fields
+      self.allowed_methods = [:get, :post, :put, :patch, :delete]
+      self.required_headers = default_header_keys.values
+      self.hasher = SimpleApiAuth::Hasher::SHA1
+      self.signer = SimpleApiAuth::Signer
+      self.request_timeout = 5
+      self.logger = nil
+    end
+
+    def make_model_options(options)
+      options = model_defaults.merge(options)
+      if options[:auto_generate].is_a?(Symbol)
+        options[:auto_generate] = [options[:auto_generate]]
+      elsif !options[:auto_generate].is_a?(Array)
+        options[:auto_generate] = options[:auto_generate] ? [:ssa_key, :ssa_secret] : []
+      end
+      options
+    end
+
+    private
+
+    def default_request_fields
+      {
+        headers: :headers,
+        http_verb: :method,
+        uri: :path,
+        query_string: :query_string,
+        body: :body
+      }
+    end
+
+    def default_header_keys
+      {
+        key: :x_saa_key,
+        time: :x_saa_auth_time,
+        authorization: :authorization
+      }
+    end
+
+    def model_default_values
+      {
+        ssa_key: :ssa_key,
+        ssa_secret: :ssa_secret,
+        auto_generate: []
+      }
+    end
+  end
+end

data/lib/simple-api-auth/hashers/sha1_hasher.rb

@@ -0,0 +1,14 @@
+module SimpleApiAuth
+  module Hasher
+    class SHA1
+      def hash(value)
+        Digest::SHA1.digest(value)
+      end
+
+      def hmac(key, message)
+        digest = OpenSSL::Digest.new('sha1')
+        OpenSSL::HMAC.digest(digest, key, message)
+      end
+    end
+  end
+end

data/lib/simple-api-auth/helpers/auth_helpers.rb

@@ -0,0 +1,49 @@
+module SimpleApiAuth
+  module Helpers
+    module Auth
+      def extract_signature(headers)
+        header_key = SimpleApiAuth.config.header_keys[:authorization]
+        match = /Signature: (.+)/.match(headers[header_key])
+        match && match[1]
+      end
+
+      def required_headers
+        options[:required_headers] || SimpleApiAuth.config.required_headers
+      end
+
+      def request_timeout
+        (options[:request_timeout] || SimpleApiAuth.config.request_timeout) * 60
+      end
+
+      def allowed_methods
+        options[:allowed_methods] || SimpleApiAuth.config.allowed_methods
+      end
+
+      def options
+        @options || {}
+      end
+
+      def check_data(request)
+        required_headers.each do |k, _|
+          return false unless request.headers.key?(k)
+        end
+        allowed_methods.include?(request.http_verb)
+      end
+
+      def too_old?(request)
+        request_time = request.time
+        return false if request_time.nil?
+        difference = Time.now - request_time
+        difference < 0 || difference > request_timeout
+      end
+
+      def secure_equals?(m1, m2, key)
+        sha1_hmac(key, m1) == sha1_hmac(key, m2)
+      end
+
+      def sha1_hmac(key, message)
+        SimpleApiAuth::Hasher::SHA1.new.hmac(key, message)
+      end
+    end
+  end
+end

data/lib/simple-api-auth/helpers/request_helpers.rb

@@ -0,0 +1,18 @@
+module SimpleApiAuth
+  module Helpers
+    module Request
+      def normalize_headers(headers)
+        normalized_headers = {}
+        headers.each do |key, value|
+          normalized_key = normalize(key)
+          normalized_headers[normalized_key] = value
+        end
+        normalized_headers
+      end
+
+      def normalize(s)
+        s.to_s.downcase.gsub(/-/, '_').to_sym
+      end
+    end
+  end
+end

data/lib/simple-api-auth/request.rb

@@ -0,0 +1,34 @@
+module SimpleApiAuth
+  class Request
+    include SimpleApiAuth::Helpers::Request
+
+    attr_accessor :headers, :http_verb, :query_string, :uri, :body
+
+    def initialize(options = {})
+      options.each do |k, v|
+        send("#{k}=", v)
+      end
+      self.headers = normalize_headers(headers)
+      self.http_verb = normalize(http_verb)
+    end
+
+    def time
+      header_key = SimpleApiAuth.config.header_keys[:time]
+      Time.parse(headers[header_key])
+    rescue ArgumentError
+      nil
+    end
+
+    def self.create(request)
+      if request.is_a?(Request)
+        request
+      else
+        options = {}
+        SimpleApiAuth.config.request_fields.each do |k, v|
+          options[k] = request.send(v)
+        end
+        Request.new(options)
+      end
+    end
+  end
+end

data/lib/simple-api-auth/signer.rb

@@ -0,0 +1,53 @@
+module SimpleApiAuth
+  class Signer
+    attr_accessor :hasher
+
+    def initialize(options = {})
+      hahser_class = options[:hasher] || SimpleApiAuth.config.hasher
+      self.hasher = hahser_class.new
+    end
+
+    def sign(request, secret_key)
+      signing_key = make_singing_key(request, secret_key)
+      SimpleApiAuth.log(Logger::DEBUG, "Signing key(hex): #{Digest.hexencode(signing_key)}")
+
+      string_to_sign = make_string_to_sign(request)
+      SimpleApiAuth.log(Logger::DEBUG, "String to sign: #{string_to_sign}")
+
+      signature = hasher.hmac(signing_key, string_to_sign)
+      Digest.hexencode(signature)
+    end
+
+    def make_string_to_sign(request)
+      hashed_request = make_hashed_request(request)
+      SimpleApiAuth.log(Logger::DEBUG, "Hashed request: #{hashed_request}")
+      [
+        request.time.iso8601,
+        hashed_request
+      ].join("\n")
+    end
+
+    def make_hashed_request(request)
+      canonical_request_string = make_canonical_request(request)
+      SimpleApiAuth.log(Logger::DEBUG, "Canonical request string: #{canonical_request_string}")
+      Digest.hexencode(hasher.hash(canonical_request_string))
+    end
+
+    private
+
+    def make_singing_key(request, secret_key)
+      date = request.time.strftime('%Y%m%d')
+      hashed_date = hasher.hmac('ssa' + secret_key, date)
+      hasher.hmac(hashed_date, 'ssa_request')
+    end
+
+    def make_canonical_request(request)
+      [
+        request.http_verb,
+        URI.encode(request.uri),
+        URI.encode(request.query_string),
+        Digest.hexencode(hasher.hash(request.body.read))
+      ].join("\n")
+    end
+  end
+end

data/lib/simple-api-auth/version.rb

@@ -0,0 +1,6 @@
+module SimpleApiAuth
+  MAJOR = 0
+  MINOR = 1
+  PATCH = 0
+  VERSION = "#{MAJOR}.#{MINOR}.#{PATCH}"
+end

data/lib/simple-api-auth.rb

@@ -0,0 +1,47 @@
+require 'open-uri'
+
+['extensions/', 'helpers/', '', 'hashers/'].each do |path|
+  files = Dir[File.expand_path("simple-api-auth/#{path}*.rb", File.dirname(__FILE__))]
+  files.each do |m|
+    require m
+  end
+end
+
+module SimpleApiAuth
+  def self.config
+    @config ||= Config.new
+  end
+
+  def self.configure
+    yield config
+  end
+
+  def self.log(severity, message = nil, progname = nil, &block)
+    config.logger.log(severity, message, progname, &block) unless config.logger.nil?
+  end
+
+  def self.extract_key(request)
+    request = SimpleApiAuth::Request.create(request)
+    request.headers[SimpleApiAuth.config.header_keys[:key]]
+  end
+
+  def self.valid_signature?(request, secret_key, options = {})
+    authenticator = Authenticator.new(request, secret_key, options)
+    authenticator.valid_signature?
+  end
+
+  def self.compute_signature(request, secret_key, options = {})
+    signer = SimpleApiAuth.config.signer.new(options)
+    signer.sign(request, secret_key)
+  end
+
+  def self.sign!(request, secret_key, options = {})
+    signature = compute_signature(request, secret_key, options)
+    header_name = SimpleApiAuth.config.request_fields[:headers]
+    authorization_key = SimpleApiAuth.config.header_keys[:authorization]
+    request.send(header_name)[authorization_key] = "Signature: #{signature}"
+    request
+  end
+end
+
+ActiveRecord::Base.send(:extend, SimpleApiAuth::Authenticable) if defined?(ActiveRecord::Base)