slots-jwt 0.0.4 → 0.1.0

data/lib/slots/jwt/authentication_helper.rb

@@ -0,0 +1,147 @@
+# frozen_string_literal: true
+
+module Slots
+  module JWT
+    module AuthenticationHelper
+      ALL = Object.new
+
+      extend ActiveSupport::Concern
+
+      included do
+        include ActionController::HttpAuthentication::Token::ControllerMethods
+      end
+
+      def jw_token
+        return @_jw_token if instance_variable_defined?(:@_jw_token)
+        token = authenticate_with_http_token { |t, _| t }
+        @_jw_token = token ? Slots::JWT::Slokens.decode(token) : nil
+      end
+
+      def jw_token!
+        jw_token&.valid!
+      end
+
+      def update_expired_session_tokens
+        return false unless Slots::JWT.configuration.session_lifetime
+        return false unless jw_token&.expired? && jw_token.session.present?
+        new_session_token
+      end
+
+      def new_session_token
+        _current_user = Slots::JWT.configuration.authentication_model.from_sloken(@_jw_token)
+        return false unless _current_user&.update_session
+        @_current_user = _current_user
+        true
+      end
+
+      def current_user
+        return @_current_user if instance_variable_defined?(:@_current_user)
+        @_current_user = jw_token ? Slots::JWT.configuration.authentication_model.from_sloken(jw_token!) : nil
+      end
+      def load_user
+        current_user&.valid_in_database? && current_user.allowed_new_token?
+      end
+
+      def set_token_header!
+        # check if current user for logout
+        response.set_header('authorization', "Bearer token=#{current_user.token}") if current_user&.new_token?
+      end
+
+      def require_valid_user
+        # Load user will make sure it is in the database and valid in the database
+        raise Slots::JWT::InvalidToken, "User doesnt exist" if @_require_load_user && !load_user
+        access_denied! unless current_user && (@_ignore_callbacks || token_allowed?)
+      end
+      def require_load_user
+        # Use varaible so that if this action is prepended it will still only be called when checking for valid user,
+        # i.e. so its not called before update_expired_session_tokens if set
+        @_require_load_user = true
+      end
+      def ignore_callbacks
+        @_ignore_callbacks = true
+      end
+
+      def access_denied!
+        raise Slots::JWT::AccessDenied
+      end
+
+      def token_allowed?
+        !(self.class._reject_token?(self))
+      end
+
+      def new_token!(session)
+        current_user.create_token(session)
+        set_token_header!
+      end
+
+      def update_token!
+        current_user.update_token
+      end
+
+      module ClassMethods
+        def update_expired_session_tokens!(**options)
+          prepend_before_action :update_expired_session_tokens, **options
+          after_action :set_token_header!, **options
+        end
+
+        def require_login!(load_user: false, **options)
+          before_action :require_load_user, **options if load_user
+          before_action :require_valid_user, **options
+        end
+
+        def require_user_load!(**options)
+          prepend_before_action :require_load_user, **options
+        end
+
+        def skip_callback!(**options)
+          prepend_before_action :ignore_callbacks, **options
+        end
+
+        def ignore_login!(**options)
+          skip_before_action :require_valid_user, **options
+          skip_before_action :require_load_user, **options, raise: false
+          skip_before_action :update_expired_session_tokens, **options, raise: false
+          skip_after_action :set_token_header!, **options, raise: false
+        end
+
+        def catch_invalid_login(response: {errors: {authentication: ['login or password is invalid']}}, status: :unauthorized)
+          rescue_from Slots::JWT::AuthenticationFailed do |exception|
+            render json: response, status: status
+          end
+        end
+
+        def catch_invalid_token(response: {errors: {authentication: ['invalid or missing token']}}, status: :unauthorized)
+          rescue_from Slots::JWT::InvalidToken do |exception|
+            render json: response, status: status
+          end
+        end
+
+        def catch_access_denied(response: {errors: {authorization: ["can't access"]}}, status: :forbidden)
+          rescue_from Slots::JWT::AccessDenied do |exception|
+            render json: response, status: status
+          end
+        end
+
+        def reject_token(only: ALL, except: ALL, &block)
+          raise 'Cant pass both only and except' unless only == ALL || except == ALL
+          only = Array(only) if only != ALL
+          except = Array(except) if except != ALL
+
+          (@_reject_token ||= []).push([only, except, block])
+        end
+        def _reject_token?(con)
+          (@_reject_token ||= []).any? { |o, e, b| _check_to_reject?(con, o, e, b) } || _superclass_reject_token?(con)
+        end
+        def _check_to_reject?(con, only, except, block)
+          return false unless only == ALL || only.any? { |o| o.to_sym == con.action_name.to_sym }
+          return false if except != ALL && except.any? { |e| e.to_sym == con.action_name.to_sym }
+          con.instance_eval(&block)
+        end
+
+        def _superclass_reject_token?(con)
+          self.superclass.respond_to?('_reject_token?') && self.superclass._reject_token?(con)
+        end
+      end
+    end
+  end
+end

data/lib/slots/jwt/configuration.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+module Slots
+  module JWT
+    class Configuration
+      attr_accessor :login_regex_validations, :token_lifetime, :session_lifetime, :previous_jwt_lifetime
+      attr_reader :logins
+      attr_writer :authentication_model
+
+      # raise_no_error is used for rake to load
+      def initialize
+        @logins = {email: //}
+        @login_regex_validations = true
+        @authentication_model = 'User'
+        @secret_keys = [{created_at: 0, secret: ENV['SLOT_SECRET']}]
+        @token_lifetime = 1.hour
+        @session_lifetime = 2.weeks # Set to nil if you dont want sessions
+        @previous_jwt_lifetime = 5.seconds # Set to nil if you dont want sessions
+        @manage_callbacks = Proc.new { }
+      end
+
+      def logins=(value)
+        if value.is_a? Symbol
+          @logins = {value => //}
+        elsif value.is_a?(Hash)
+          # Should do most inclusive regex last
+          raise 'must be hash of symbols => regex' unless value.length > 0 && value.all? { |k, v| k.is_a?(Symbol) && v.is_a?(Regexp) }
+          @logins = value
+        else
+          raise 'must be a symbol or hash'
+        end
+      end
+
+      def authentication_model
+        @authentication_model.to_s.constantize rescue nil
+      end
+
+      def secret=(v)
+        @secret_keys = [{created_at: 0, secret: v}]
+      end
+
+      def secret_yaml=(file_path_string)
+        secret_keys = YAML.load_file(Slots::JWT.secret_yaml_file)
+        @secret_keys = []
+        secret_keys.each do |secret_key|
+          raise ArgumentError, 'Need CREATED_AT' unless (created_at = secret_key['CREATED_AT']&.to_i)
+          raise ArgumentError, 'Need SECRET' unless (secret = secret_key['SECRET'])
+          previous_created_at = @secret_keys[-1]&.dig(:created_at) || Time.now.to_i
+
+          raise ArgumentError, 'CREATED_AT must be newest to latest' unless previous_created_at > created_at
+          @secret_keys.push(
+            created_at: created_at,
+            secret: secret
+          )
+        end
+      end
+
+      def secret(at = Time.now.to_i)
+        @secret_keys.each do |secret_hash|
+          return secret_hash[:secret] if at > secret_hash[:created_at]
+        end
+        raise InvalidSecret, 'Invalid Secret'
+      end
+    end
+
+    class << self
+      attr_writer :configuration
+
+      def configuration
+        @configuration ||= Configuration.new
+      end
+
+      def configure
+        yield configuration
+      end
+
+      def secret_yaml_file
+        Rails.root.join('config', 'slots_secrets.yml')
+      end
+    end
+  end
+end

data/lib/slots/jwt/database_authentication.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Slots
+  module JWT
+    module DatabaseAuthentication
+      extend ActiveSupport::Concern
+
+      included do
+        has_secure_password
+      end
+
+      # TODO allow super
+      def as_json(*)
+        super.except('password_digest')
+      end
+
+      module ClassMethods
+      end
+    end
+  end
+end

data/lib/slots/jwt/engine.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Slots
+  module JWT
+    class Engine < ::Rails::Engine
+      isolate_namespace Slots::JWT
+    end
+  end
+end

data/lib/slots/jwt/extra_classes.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Slots
+  module JWT
+    class AuthenticationFailed < StandardError
+    end
+    class InvalidToken < StandardError
+    end
+    class AccessDenied < StandardError
+    end
+    class InvalidSecret < StandardError
+    end
+  end
+end

data/lib/slots/jwt/generic_methods.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Slots
+  module JWT
+    module GenericMethods
+      extend ActiveSupport::Concern
+
+      included do
+      end
+
+      def allowed_new_token?
+        !(self.class._reject_new_token?(self))
+      end
+
+      def run_token_created_callback
+        self.class._token_created_callback(self)
+      end
+
+      def authenticate?(password)
+        password.present? && persisted? && respond_to?(:authenticate) && authenticate(password) && allowed_new_token?
+      end
+
+      def authenticate!(password)
+        raise Slots::JWT::AuthenticationFailed unless self.authenticate?(password)
+        true
+      end
+
+      module ClassMethods
+        def find_for_authentication(login)
+          Slots::JWT.configuration.logins.each do |k, v|
+            next unless login&.match(v)
+            return find_by(arel_table[k].lower.eq(login.downcase)) || new
+          end
+          new
+        end
+
+        def reject_new_token(&block)
+          (@_reject_new_token ||= []).push(block)
+        end
+        def _reject_new_token?(user)
+          (@_reject_new_token ||= []).any? { |b| user.instance_eval(&b) }
+        end
+
+        def token_created_callback(&block)
+          (@_token_created_callback ||= []).push(block)
+        end
+        def _token_created_callback(user)
+          (@_token_created_callback ||= []).each { |b| user.instance_eval(&b) }
+        end
+      end
+    end
+  end
+end

data/lib/slots/jwt/generic_validations.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module Slots
+  module JWT
+    module GenericValidations
+      extend ActiveSupport::Concern
+
+      included do
+        validate :unique_and_present, :logins_meets_criteria
+      end
+
+      def logins_meets_criteria
+        return if self.errors.any?
+        return unless Slots::JWT.configuration.login_regex_validations
+        logins = Slots::JWT.configuration.logins
+        login_c = logins.keys
+        logins.each do |col, reg|
+          login_c.delete(col) # Login columns left
+          column_match(reg, col)
+          column_dont_match(reg, col, login_c)
+        end
+      end
+
+      def unique_and_present
+        # Use this rather than validates because logins in configure might not be set yet on include
+        Slots::JWT.configuration.logins.each do |column, _|
+          value = self.send(column)
+          next self.errors.add(column, "can't be blank") unless value.present?
+
+          pk_value = self.send(self.class.primary_key)
+          lower_case = self.class.arel_table[column].lower.eq(value.downcase)
+          next unless self.class.where.not(self.class.primary_key => pk_value).where(lower_case).exists?
+          self.errors.add(column, "has already been taken")
+        end
+      end
+
+      def column_match(regex, column)
+        # TODO change error message to use locals? or something configurable
+        self.errors.add(column, "didn't match login criteria") unless self.send(column).match(regex)
+      end
+
+      def column_dont_match(regex, column_not_to_match, columns)
+        columns.each do |c|
+          # Since we check if any errors should be present
+          self.errors.add(c, "matched #{column_not_to_match} login criteria") if self.send(c).match(regex)
+        end
+      end
+
+      module ClassMethods
+      end
+    end
+  end
+end

data/lib/slots/jwt/permission_filter.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module Slots
+  module JWT
+    class PermissionFilter
+      def initialize(current_user)
+        @current_user = current_user
+      end
+
+      def call(schema_member, ctx)
+        @schema_member = schema_member
+        return true if _dont_check?
+        allowed?
+      end
+      protected
+        attr_reader :schema_member, :current_user
+
+      private
+        def _dont_check?
+          !schema_member.metadata[:has_required_permission]
+        end
+
+        def required_permission
+          schema_member.metadata[:required_permission]
+        end
+
+        def valid_loaded_user
+          return @valid_loaded_user if instance_variable_defined?(:@valid_loaded_user)
+          @valid_loaded_user = current_user&.valid_in_database? && current_user.allowed_new_token?
+        end
+
+        def is_admin
+          valid_loaded_user && current_user.admin
+        end
+    end
+  end
+end

data/lib/slots/jwt/slokens.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+require 'jwt'
+module Slots
+  module JWT
+    class Slokens
+      attr_reader :token, :exp, :iat, :extra_payload, :authentication_model_values, :session
+      def initialize(decode: false, encode: false, token: nil, authentication_record: nil, extra_payload: nil, session: nil)
+        if decode
+          @token = token
+          decode()
+        elsif encode
+          @authentication_model_values = authentication_record.as_json
+          @extra_payload = extra_payload.as_json
+          @session = session
+          update_iat
+          update_exp
+          encode()
+          @valid = true
+        else
+          raise 'must encode or decode'
+        end
+      end
+      def self.decode(token)
+        self.new(decode: true, token: token)
+      end
+      def self.encode(authentication_record, session = '', extra_payload)
+        self.new(encode: true, authentication_record: authentication_record, session: session, extra_payload: extra_payload)
+      end
+
+      def expired?
+        @expired
+      end
+
+      def valid?
+        @valid
+      end
+
+      def valid!
+        raise InvalidToken, "Invalid Token" unless valid?
+        self
+      end
+
+      def update_token_data(authentication_record, extra_payload)
+        @authentication_model_values = authentication_record.as_json
+        @extra_payload = extra_payload.as_json
+        update_iat
+        encode
+      end
+
+      def update_token(authentication_record, extra_payload)
+        update_exp
+        update_token_data(authentication_record, extra_payload)
+      end
+
+      def payload
+        {
+          authentication_model_key => @authentication_model_values,
+          'exp' => @exp,
+          'iat' => @iat,
+          'session' => @session,
+          'extra_payload' => @extra_payload,
+        }
+      end
+
+      private
+        def authentication_model_key
+          Slots::JWT.configuration.authentication_model.name.underscore
+        end
+
+        def default_expected_keys
+          ['exp', 'iat', 'session', authentication_model_key]
+        end
+        def secret
+          Slots::JWT.configuration.secret(@iat)
+        end
+        def update_iat
+          @iat = Time.now.to_i
+        end
+        def update_exp
+          @exp = Slots::JWT.configuration.token_lifetime.from_now.to_i
+        end
+        def encode
+          @token = ::JWT.encode self.payload, secret, 'HS256'
+          @expired = false
+          @valid = true
+        end
+
+        def decode
+          begin
+            set_payload
+            ::JWT.decode @token, secret, true, verify_iat: true, algorithm: 'HS256'
+          rescue ::JWT::ExpiredSignature
+            @expired = true
+          rescue ::JWT::InvalidIatError, ::JWT::VerificationError, ::JWT::DecodeError, NoMethodError, JSON::ParserError, Slots::JWT::InvalidSecret
+            @valid = false
+          else
+            @valid = payload.slice(*default_expected_keys).compact.length == default_expected_keys.length
+          end
+        end
+
+        def set_payload
+          encoded64 = @token.split('.')[1] || ''
+          string_payload = Base64.decode64(encoded64)
+          local_payload = JSON.parse(string_payload)
+          raise JSON::ParserError unless local_payload.is_a?(Hash)
+          @exp = local_payload['exp']&.to_i
+          @iat = local_payload['iat']&.to_i
+          @session = local_payload['session']
+          @authentication_model_values = local_payload[authentication_model_key]
+          @extra_payload = local_payload['extra_payload']
+        end
+    end
+  end
+end