slots-jwt 0.0.4 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3d6628ed470d9b4cec56322b2f5fb64ec3680eea78f133f7914390415e610492
-  data.tar.gz: 9f6e1a6276ebbaa24db8332423d47ecb9f630b3d68fe0a0d034bcd3140d2ecd2
+  metadata.gz: 839d8b81d5e72a4e4034aa14fcbf8ba479f7137d35e3ac31ff3f853a780f8925
+  data.tar.gz: 1c0b98884bb29be89fa2900ae627c08f7a9aa17871ec161643388b3a22ed0e16
 SHA512:
-  metadata.gz: 54d442b78eb5450335975c2b913029f236255e1adbb8a796afb261a3f67fe99c3838f69d5fa72cfe65b4eecf94d666c3ff797d81770072edad33270a5e63e698
-  data.tar.gz: 15aafdcc9d1e8d6a20e4d7bbf4911d44aa60baa9b73b96dc03cb05f36738c65a64ed1b3e51e3e616ffe64f8617b4016a9685e034ed9b3cd293718638a0b6f5e0
+  metadata.gz: 5073aed2a69fae5b4b03bd531030943e8c31c0d908a69ae3843db4c91b0531c68135ff7096865edcf6c33875a4eff86738871d2e21443cd35109a4683fd9b9de
+  data.tar.gz: 42d073d5a20f7aab3e066825b9e058f90a9342fb19093170a7853190ac8c18193c14f6db1a0b636ddfd9abd2e8186583f5fe844e4aed470c65d216593a1d5037

data/README.md

@@ -1,11 +1,25 @@
 # Slots
 Token authentication solution for rails 5 API. Slots use JSON Web Tokens for authentication and database session for remembering signed in users.
 
+## Table of Contents
+
+- [Getting started](#getting-started)
+- [Secrets](#secrets)
+- [Usage](#usage)
+- [Authorization](#authorization)
+- [Sessions](#sessions)
+- [Using with GraphQL](#graphql)
+- [Testing](#testing)
+- [Configurations](#configurations)
+- [Routes](#routes)
+- [Contributing](#contributing)
+- [License](#license)
+
 ## Getting started
 Slots 0.0.4 works with Rails 5. Add this line to your application's Gemfile:
 
 ```ruby
-gem 'slots'
+gem 'slots-jwt'
 ```
 Then run `bundle install`.
 
@@ -15,7 +29,7 @@ $ rails generate slots:install
 ```
 This will create `config/initializers/slots.rb` and add the following line to `config/routes.rb`
 ```ruby
-mount Slots::Engine => "/auth"
+mount Slots::JWT::Engine => "/auth"
 ```
 This will mount all slot routes to `auth/*`.
 
@@ -26,7 +40,7 @@ $ rails generate slots:model User
 Any rails accepted name can be used for the model but `User` is the expected default. If a different name is used for the authentication model than it must be defined in the config file for slots (this will automatically be done if the `generate slots` is used).
 config/initializers/slots.rb
 ```ruby
-Slots.configure do |config|
+Slots::JWT.configure do |config|
   ...
   config.authentication_model = 'AnotherModel'
   ...
@@ -49,6 +63,9 @@ Tokens are expected to be in the header of the request in the following format:
 ```
 They are also returned in the header in the same way.
 
+## Secret
+To sign JSON web tokens, a (secret) key is needed. By default Slots will look in the `ENV['SLOT_SECRET']`. This can be changed in the slots config file.
+
 ## Usage
 To require a user to be authenticated the following methods can be used in the controller.
 ```ruby
@@ -132,9 +149,105 @@ If sessions are allowed (`session_lifetime` is not nil) `session: true` can be p
   1. The first is by sending the token to `MOUNT_LOCATION/update_session_token`. This method will always return a new token even if the token has not expired. This will return the same information as `sign_in` (user information and with the token in the header).
   2. The second is by adding `update_expired_session_tokens!` (which takes the usual options of a `before_action` `only`, `except`, etc). This method will allow any route to take a valid expired token and it will return a new token in the headers with usual route information in the body. A token will only be returned in the header if the token passed is expired. When using this method a problem can arise were two request are made at the same time with the same expired token. The first request processed would return a new token but the second request would fail because the expired token does not match the information of the session anymore (since it was just updated) and would therefore return unauthorized. To fix this there is a previous jwt lifetime (which defaults to 5 seconds and can be changed in the config). This will allow the previous token to be valid for 5 seconds (or whatever is set in config). If a previous token is sent that is within the previous lifetime it will be a valid token but it will not return a new token (since one was already returned in the earlier request).
 
+## GraphQL
+Using graphql-ruby??? Slots has helper modules and classes! It uses the following two feature of graphql-ruby to help with authorization/authentication, [extension](https://github.com/rmosolgo/graphql-ruby/blob/master/guides/type_definitions/extensions.md) and [limiting visibility](https://github.com/rmosolgo/graphql-ruby/blob/master/guides/schema/limiting_visibility.md). An example can be seen in [graph_test](https://github.com/jonathongardner/graph_test).
+### Authorizing fields
+```ruby
+class Types
+  AuthorizedField < GraphQL::Schema::Field
+    include Slots::JWT::TypeHelper
+  end
+end
+```
+
+```ruby
+module Types
+  class BaseObject < GraphQL::Schema::Object
+    field_class AuthorizedField
+  end
+end
+```
+
+```ruby
+module Types
+  class QueryType < Types::BaseObject
+    ...
+
+    field :authorized_field, [Types::AuthorizedFieldType], null: false, description: "An authorized field", required_permission: :admin
+    def authorized_field
+      ...
+    end
+  end
+end
+```
+
+### Authorizing Types
+
+```ruby
+module Types
+  class BaseObject < GraphQL::Schema::Object
+    # field_class AuthorizedField # can be used together
+    extend Slots::JWT::TypeHelper
+    # required_permission(:default_type)
+  end
+end
+```
+
+```ruby
+module Types
+  class AuthorizedType < Types::BaseObject
+    required_permission(:admin)
+    ...
+
+    field :field, String, null: false, description: "A string on an authorized field"
+    def field
+      ...
+    end
+  end
+end
+```
+
+### Filter
+Filter must be used with at least one of the above.
+```ruby
+class PermissionFilter < Slots::PermissionFilter
+  def allowed?
+    # available methods schema_member, current_user, required_permission, valid_loaded_user
+    return true if required_permission == :anyone
+    # loaded user gets it from the DB to help ensure user info is current
+    return valid_loaded_user if required_permission == :loaded_user
+
+    return is_admin if required_permission == :admin
+    # default to a valid user
+    current_user.present?
+  end
+
+  def is_admin
+    valid_loaded_user && current_user.admin
+  end
+end
+```
+
+```ruby
+class GraphqlController < ApplicationController
+  def execute
+    ...
+    context = {
+      current_user: current_user,# can be nil if current_user bad token or no token
+    }
+    filter = PermissionFilter.new(current_user)
+    result = GraphTestSchema.execute(query, only: filter, variables: variables, context: context, operation_name: operation_name)
+    ...
+  end
+  ...
+end
+
+```
+
+
 ## Testing
 
-By adding `include Slots::Tests` the following methods can be used within minitest, `authorized_get`, `authorized_post`, `authorized_put`, `authorized_patch` and `authorized_delete`. These methods are the same as the usual `get`, ... `delete` but the first param in the method must be the user. For example:
+By adding `include Slots::JWT::Tests` the following methods can be used within minitest, `authorized_get`, `authorized_post`, `authorized_put`, `authorized_patch` and `authorized_delete`. These methods are the same as the usual `get`, ... `delete` but the first param in the method must be the user. For example:
 ```ruby
 authorized_get users(:some_user), some_route_url, params: {one: 'something', ...}, headers: {'info' => 'someInfo', ...}
 ```
@@ -142,7 +255,7 @@ authorized_get users(:some_user), some_route_url, params: {one: 'something', ...
 ## Configurations
 Default configuration:
 ```ruby
-Slots.configure do |config|
+Slots::JWT.configure do |config|
   config.logins = :email
   config.login_regex_validations = true
   config.authentication_model = 'User'
@@ -180,7 +293,7 @@ The order should be newer to older secrets. This file can be created/updated man
 
 ## Routes
 
-All these routes will be mounted at the route used above in `mount Slots::Engine =>`.
+All these routes will be mounted at the route used above in `mount Slots::JWT::Engine =>`.
 
 | Route Helper | Route | Token |     |
 | ------------ | ----- | ----- | --- |
@@ -206,6 +319,8 @@ Some of the problems with JWS:
 
 The last solution I feel is the best because for most API calls (within the expiration time) the token remains stateless. The downsides can be negligible by setting the expiration time to something small (less than an hour). .
 
+### Why the name???
+Last but not least the most important question of them all... why slots??? or better yet slots-jwt??? well I'll start with the first, a slot machine takes tokens... yep that's it, all other authentication names had been taken so this is it. So why slots-jwt? Well hopefully it helps clarify a little what it does but most of all rubygems wouldn't let me name it slots because it was to close to another name..?..? so I added `-jwt`.
 
 ## Contributing
 

data/app/controllers/slots/jwt/sessions_controller.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module Slots
+  module JWT
+    class SessionsController < ApplicationController
+      update_expired_session_tokens! only: :update_session_token # needed if token is expired
+      require_user_load! only: :update_session_token
+      require_login! only: [:update_session_token, :sign_out]
+      skip_callback!
+
+      def sign_in
+        @_current_user = _authentication_model.find_for_authentication(params[:login])
+
+        current_user.authenticate!(params[:password])
+
+        new_token!(ActiveModel::Type::Boolean.new.cast(params[:session]))
+        render json: current_user.as_json, status: :accepted
+      end
+
+      def sign_out
+        Slots::JWT::Session.find_by(session: jw_token.session)&.delete if jw_token.session.present?
+        head :ok
+      end
+
+      def update_session_token
+        # TODO think about not allowing user to get new token here because then there
+        current_user.update_token unless current_user.new_token?
+        render json: current_user.as_json, status: :accepted
+      end
+
+      private
+
+        def _authentication_model
+          Slots::JWT.configuration.authentication_model
+        end
+    end
+  end
+end

data/app/models/slots/jwt/application_record.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Slots
+  module JWT
+    class ApplicationRecord < ActiveRecord::Base
+      self.abstract_class = true
+    end
+  end
+end

data/app/models/slots/jwt/session.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module Slots
+  module JWT
+    class Session < ApplicationRecord
+      belongs_to :user, session_assocaition
+      before_validation :create_random_session, on: :create
+      validates :session, :jwt_iat, presence: true
+      validates :session, uniqueness: true
+
+      def update_random_session
+        self.session = SecureRandom.hex(32)
+      end
+
+      def self.expired
+        self.where(self.arel_table[:created_at].lte(Slots::JWT.configuration.session_lifetime.ago))
+      end
+
+      def self.not_expired
+        self.where(self.arel_table[:created_at].gt(Slots::JWT.configuration.session_lifetime.ago))
+      end
+
+      def self.matches_jwt(sloken_jws)
+        jwt_where = self.arel_table[:jwt_iat].eq(sloken_jws.iat)
+        if Slots::JWT.configuration.previous_jwt_lifetime
+          jwt_where = jwt_where.or(
+            Arel::Nodes::Grouping.new(
+              self.arel_table[:previous_jwt_iat].eq(sloken_jws.iat)
+                .and(self.arel_table[:jwt_iat].gt(Slots::JWT.configuration.previous_jwt_lifetime.ago.to_i))
+              )
+          )
+        end
+
+        self.not_expired
+          .where(jwt_where)
+          .find_by(session: sloken_jws.session)
+      end
+      private
+        def create_random_session
+          update_random_session unless self.session
+        end
+    end
+  end
+end

data/config/initializers/inflections.rb

@@ -0,0 +1,3 @@
+ActiveSupport::Inflector.inflections(:en) do |inflect|
+  inflect.acronym 'JWT'
+end

data/config/routes.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-user_model = Slots.configuration.authentication_model&.name&.underscore || ""
-Slots::Engine.routes.draw do
+user_model = Slots::JWT.configuration.authentication_model&.name&.underscore || ""
+Slots::JWT::Engine.routes.draw do
   get 'sign_in', to: 'sessions#sign_in'
   post 'sign_in', to: 'sessions#sign_in'
   delete 'sign_out', to: 'sessions#sign_out'

data/lib/generators/slots/install/USAGE

@@ -10,4 +10,4 @@ Example:
 
     This will add:
       TO: config/routes.rb
-        mount Slots::Engine => "/slots"
+        mount Slots::JWT::Engine => "/slots"

data/lib/generators/slots/install/install_generator.rb

@@ -10,7 +10,7 @@ module Slots
     end
 
     def add_route
-      route "mount Slots::Engine => '/auth'"
+      route "mount Slots::JWT::Engine => '/auth'"
     end
   end
 end

data/lib/generators/slots/install/templates/create_slots_sessions.rb

@@ -1,6 +1,6 @@
 class CreateSlotsSessions < ActiveRecord::Migration[5.2]
   def change
-    create_table :slots_sessions do |t|
+    create_table :slots_jwt_sessions do |t|
       t.string :session, length: 128
       t.bigint :jwt_iat
       t.bigint :previous_jwt_iat
@@ -8,6 +8,6 @@ class CreateSlotsSessions < ActiveRecord::Migration[5.2]
 
       t.timestamps
     end
-    add_index :slots_sessions, :session, unique: true
+    add_index :slots_jwt_sessions, :session, unique: true
   end
 end

data/lib/generators/slots/install/templates/slots.rb

@@ -1,4 +1,4 @@
-Slots.configure do |config|
+Slots::JWT.configure do |config|
   # config.logins = :email || {email: /@/, username: //}
   # config.login_regex_validations = true
   # config.authentication_model = 'User'

data/lib/generators/slots/model/model_generator.rb

@@ -15,7 +15,7 @@ module Slots
         file = 'config/initializers/slots.rb'
         config = /\n.+config\.authentication_model = .+/
         gsub_file(file, config, "", verbose: false)
-        inject_into_file(file, after: /Slots.configure do .+\n/) do
+        inject_into_file(file, after: /Slots::JWT.configure do .+\n/) do
           "  config.authentication_model = '#{name.classify}'\n"
         end
       end

data/lib/slots.rb

@@ -1,46 +1,3 @@
-# frozen_string_literal: true
-
-require "slots/configuration"
-require "slots/database_authentication"
-require "slots/engine"
-require "slots/extra_classes"
-require "slots/generic_methods"
-require "slots/generic_validations"
-require "slots/slokens"
-require "slots/tests"
-require "slots/tokens"
-require "slots/authentication_helper"
-
+require 'slots/jwt'
 module Slots
-  # Your code goes here...
-  module Model
-    def session_assocaition
-      {foreign_key: "#{Slots.configuration.authentication_model.to_s.underscore}_id", class_name: Slots.configuration.authentication_model.to_s}
-    end
-
-    def slots(*extensions)
-      to_include = [GenericMethods, GenericValidations, Tokens]
-      extensions.each do |e|
-        extension = e.to_sym
-        case extension
-        when :database_authentication
-          to_include.push(DatabaseAuthentication)
-        else
-          raise "The following slot extension was not found: #{extension}\nThe following are allows :database_authentication, :approvable, :confirmable"
-        end
-      end
-      define_method(:slots?) { |v| extensions.include?(v) }
-
-      include(*to_include)
-      has_many :sessions, session_assocaition.merge(class_name: 'Slots::Session')
-    end
-
-    # module Controller
-    #   extended do
-    # include Slots::AuthenticationHelper
-    #   end
-    # end
-  end
-  ActiveRecord::Base.extend Slots::Model
-  ActionController::API.include Slots::AuthenticationHelper
 end

data/lib/slots/jwt.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require "slots/jwt/configuration"
+require "slots/jwt/database_authentication"
+require "slots/jwt/engine"
+require "slots/jwt/extra_classes"
+require "slots/jwt/generic_methods"
+require "slots/jwt/generic_validations"
+require "slots/jwt/slokens"
+require "slots/jwt/tests"
+require "slots/jwt/tokens"
+require "slots/jwt/authentication_helper"
+require "slots/jwt/permission_filter"
+require "slots/jwt/type_helper"
+
+module Slots
+  module JWT
+    module Model
+      def session_assocaition
+        {foreign_key: "#{Slots::JWT.configuration.authentication_model.to_s.underscore}_id", class_name: Slots::JWT.configuration.authentication_model.to_s}
+      end
+
+      def slots(*extensions)
+        to_include = [GenericMethods, GenericValidations, Tokens]
+        extensions.each do |e|
+          extension = e.to_sym
+          case extension
+          when :database_authentication
+            to_include.push(DatabaseAuthentication)
+          else
+            raise "The following slot extension was not found: #{extension}\nThe following are allows :database_authentication, :approvable, :confirmable"
+          end
+        end
+        define_method(:slots?) { |v| extensions.include?(v) }
+
+        include(*to_include)
+        has_many :sessions, session_assocaition.merge(class_name: 'Slots::JWT::Session')
+      end
+
+      # module Controller
+      #   extended do
+      # include Slots::AuthenticationHelper
+      #   end
+      # end
+    end
+    ActiveRecord::Base.extend Slots::JWT::Model
+    ActionController::API.include Slots::JWT::AuthenticationHelper
+  end
+end