solidus_jwt 0.1.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0cf6dd72fda604868c1589819000a6d1607a8078fa642ce2a17cb071695b26f1
-  data.tar.gz: ca122c197a880c21398f6bcf28a2e8dd7709f90613e0fe41c4f24ea166802e09
+  metadata.gz: 5069a0d35cb2f777cae543265907fdd284e8e42ccb0e86c8bc4775e17beb6a88
+  data.tar.gz: 1019df1fc49a245eb54d5b64e1f52956a405c4f4f1003a043d65d81b871d672a
 SHA512:
-  metadata.gz: c1a2929d69915b28aec1df8c2a4fa450191ae0c465c57e5b7992938a88c9fb6363ae71282930b4dcea644add482d54c3406eb471a93a0c74a520ad8e11e9e98e
-  data.tar.gz: b7938c410ed7e14bc8098aa7314490beaff2bfc29b86249c72c9a2411f48b3a2b71441b6c17a159fff864caaf1923e348ba5b01c5acfcc570be3c60c1e75a571
+  metadata.gz: b042053167cadec496c99b501b12ada4a3090ea7163afa15718a768b9b01ab822ff8a6f139ffd8c93377525d26b0c83917acb19944ad485b161dd5162a14f1bf
+  data.tar.gz: c8266151ccbd5d50042c289e1ccd2993854dc305e364576489d08a38ab0a0b42166a93a1ac454aac438f306cb46785055cca600003c50bbdf1f8eadd288e72fa

data/.circleci/config.yml

@@ -0,0 +1,35 @@
+version: 2.1
+
+orbs:
+  # Always take the latest version of the orb, this allows us to
+  # run specs against Solidus supported versions only without the need
+  # to change this configuration every time a Solidus version is released
+  # or goes EOL.
+  solidusio_extensions: solidusio/extensions@volatile
+
+jobs:
+  run-specs-with-postgres:
+    executor: solidusio_extensions/postgres
+    steps:
+      - solidusio_extensions/run-tests
+  run-specs-with-mysql:
+    executor: solidusio_extensions/mysql
+    steps:
+      - solidusio_extensions/run-tests
+
+workflows:
+  "Run specs on supported Solidus versions":
+    jobs:
+      - run-specs-with-postgres
+      - run-specs-with-mysql
+  "Weekly run specs against master":
+    triggers:
+      - schedule:
+          cron: "0 0 * * 4" # every Thursday
+          filters:
+            branches:
+              only:
+                - master
+    jobs:
+      - run-specs-with-postgres
+      - run-specs-with-mysql

data/.gem_release.yml

@@ -0,0 +1,5 @@
+bump:
+  recurse: false
+  file: 'lib/solidus_jwt/version.rb'
+  message: Bump SolidusDemo1 to %{version}
+  tag: true

data/.github/CODEOWNERS

@@ -0,0 +1,4 @@
+##
+# Default Code Owner
+##
+* @skukx

data/.github/stale.yml

@@ -0,0 +1,17 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 60
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 7
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - pinned
+  - security
+# Label to use when marking an issue as stale
+staleLabel: wontfix
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: false

data/.gitignore

@@ -0,0 +1,19 @@
+*.gem
+\#*
+*~
+.#*
+.DS_Store
+.idea
+.project
+.sass-cache
+coverage
+Gemfile.lock
+tmp
+nbproject
+pkg
+*.swp
+spec/dummy
+spec/examples.txt
+
+sandbox/
+.byebug_history

data/.rspec

@@ -0,0 +1 @@
+--color

data/.rubocop.yml

@@ -0,0 +1,16 @@
+require:
+  - solidus_dev_support/rubocop
+
+AllCops:
+  Exclude:
+    - sandbox/**/*
+    - spec/dummy/**/*
+
+Metrics/LineLength:
+  Enabled: false
+
+RSpec/MultipleExpectations:
+  Enabled: false
+
+RSpec/NestedGroups:
+  Enabled: false

data/.ruby-gemset

@@ -0,0 +1 @@
+solidus_jwt

data/.ruby-version

@@ -0,0 +1 @@
+2.6.5

data/Gemfile

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+git_source(:github) { |repo| "https://github.com/#{repo}.git" }
+
+branch = ENV.fetch('SOLIDUS_BRANCH', 'master')
+gem 'solidus', github: 'solidusio/solidus', branch: branch
+
+# Needed to help Bundler figure out how to resolve dependencies,
+# otherwise it takes forever to resolve them.
+# See https://github.com/bundler/bundler/issues/6677
+gem 'rails', '>0.a'
+
+# Provides basic authentication functionality for testing parts of your engine
+gem 'solidus_auth_devise'
+
+case ENV['DB']
+when 'mysql'
+  gem 'mysql2'
+when 'postgresql'
+  gem 'pg'
+else
+  gem 'sqlite3'
+end
+
+gemspec
+
+# Use a local Gemfile to include development dependencies that might not be
+# relevant for the project or for other contributors, e.g. pry-byebug.
+#
+# We use `send` instead of calling `eval_gemfile` to work around an issue with
+# how Dependabot parses projects: https://github.com/dependabot/dependabot-core/issues/1658.
+send(:eval_gemfile, 'Gemfile-local') if File.exist? 'Gemfile-local'

data/README.md

@@ -36,8 +36,9 @@ SolidusJwt::Config.configure do |config|
   config.jwt_secret           = 'secret'
   config.allow_spree_api_key  = true
   config.jwt_algorithm        = 'HS256'
-  config.jwt_expiration       = 3600
+  config.jwt_expiration       = 3_600
   config.jwt_options          = { only: %i[email first_name id last_name] }
+  config.refresh_expiration   = 2_592_000
 end
 ```
 
@@ -56,6 +57,9 @@ Defaults to `3600` (1 hour). The amount of time in seconds that the token should
 #### `jwt_options`
 Defaults to `{ only: %i[email first_name id last_name] }`. These options are passed into `Spree::User#as_json` when serializing the token's payload.  Keep in mind that the more information included, the larger the token will be. It may be in your best interest to keep it short and simple.
 
+#### `refresh_expiration`:
+Defaults to `2592000` (30 days). The amount of time in seconds that the token should last for.
+
 Usage
 -------------
 ### Generating and decoding a token:
@@ -83,7 +87,72 @@ SolidusJwt.decode(token)
 # ]
 ```
 
-### Distributing a Token Using 'solidus_auth_devise':
+### Autenticate through the API
+
+If authenticating through the API, you must have 
+[solidus_auth_devise](https://github.com/solidusio/solidus_auth_devise) setup
+because `solidus_jwt` piggybacks off of the [Devise](https://github.com/plataformatec/devise) 
+gem. This enables authentication through a single point. If you implement 
+[Devise Lockable](https://www.rubydoc.info/github/plataformatec/devise/master/Devise/Models/Lockable), 
+then locking is respected both on the front-end as well as on the API.
+
+```ruby
+POST /oauth/token
+{
+  "username": "user@example.com"
+  "password": "secret"
+  "grant_type": "password"
+}
+
+# { "access_token": "abc.123.efg", "refresh_token": "123456" }
+```
+
+You can now use the `access_token` to authentication with the 
+[Solidus API](https://github.com/solidusio/solidus/tree/master/api) in place
+of the `spree_api_key`.
+
+#### Matching token to a user
+
+By default, the token matches a user using the `Spree::User.for_jwt` method. This methods
+Finds a user by id using the subject claim of the token. If you want to customize how the
+subject claim is interpreted you can override this method
+
+```ruby
+def self.for_jwt(sub)
+  # find_by(id: sub)
+  find_by(my_external_id: sub)
+end
+```
+
+### Obtain a refresh token
+
+To refresh your access token, instead of re-authenticating you can send
+a refresh token.
+
+```ruby
+POST /oauth/token
+{
+  "refresh_token": "123456"
+  "grant_type": "refresh_token"
+}
+
+# { "access_token": "hij.456.klm", "refresh_token": "789abc" }
+```
+
+### Invalidate refresh tokens for a user
+
+It is good practice set the lifetime of an access token to be short. In case an
+access token is compromised, the attacker will only have access for a short time.
+
+To force a user to have to reauthencate rather than using a refresh token,
+you can do the following:
+
+```ruby
+# Invalidate all refresh tokens for a user
+SolidusJwt::Token.invalidate(user)
+```
+
+### Distributing a Token Using 'solidus_auth_devise' on front-end:
 
 To have the `solidus_auth_devise` gem distribute a token back to the client
 you can do the following:

data/Rakefile

@@ -1,30 +1,6 @@
-require 'bundler'
+# frozen_string_literal: true
 
-Bundler::GemHelper.install_tasks
+require 'solidus_dev_support/rake_tasks'
+SolidusDevSupport::RakeTasks.install
 
-begin
-  require 'spree/testing_support/extension_rake'
-  require 'rubocop/rake_task'
-  require 'rspec/core/rake_task'
-
-  RSpec::Core::RakeTask.new(:spec)
-
-  RuboCop::RakeTask.new
-
-  task default: %i(first_run rubocop spec)
-rescue LoadError
-  # no rspec available
-end
-
-task :first_run do
-  if Dir['spec/dummy'].empty?
-    Rake::Task[:test_app].invoke
-    Dir.chdir('../../')
-  end
-end
-
-desc 'Generates a dummy app for testing'
-task :test_app do
-  ENV['LIB_NAME'] = 'solidus_jwt'
-  Rake::Task['extension:test_app'].invoke
-end
+task default: 'extension:specs'

data/_config.yml

@@ -0,0 +1 @@
+theme: jekyll-theme-cayman

data/app/decorators/controllers/solidus_jwt/spree/api/base_controller_decorator.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module SolidusJwt
+  module Spree
+    module Api
+      module BaseControllerDecorator
+        def self.prepended(base)
+          base.rescue_from JWT::DecodeError do
+            render "spree/api/errors/invalid_api_key", status: :unauthorized
+          end
+        end
+
+        ##
+        # Overrides Solidus
+        # @see https://github.com/solidusio/solidus/blob/master/api/app/controllers/spree/api/base_controller.rb
+        #
+        def load_user
+          return super if json_web_token.blank?
+
+          # rubocop:disable Naming/MemoizedInstanceVariableName
+          @current_api_user ||= ::Spree.user_class.for_jwt(json_web_token['sub'] || json_web_token['id'])
+          # rubocop:enable Naming/MemoizedInstanceVariableName
+        end
+
+        def json_web_token
+          @json_web_token ||= SolidusJwt.decode(api_key).first
+        rescue JWT::DecodeError
+          # Allow spree to try and authenticate if we still allow it. Otherwise
+          # raise an error
+          return if SolidusJwt::Config.allow_spree_api_key
+
+          raise
+        end
+
+        if SolidusSupport.api_available?
+          ::Spree::Api::BaseController.prepend self
+        end
+      end
+    end
+  end
+end

data/app/decorators/models/solidus_jwt/spree/user_decorator.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module SolidusJwt
+  module Spree
+    module UserDecorator
+      def self.prepended(base)
+        base.extend ClassMethods
+        base.has_many :auth_tokens, class_name: 'SolidusJwt::Token'
+      end
+
+      module ClassMethods
+        ##
+        # Find user based on subject claim in
+        # our json web token
+        # @see https://tools.ietf.org/html/rfc7519#section-4.1.2
+        #
+        # @example get user token
+        #   payload = SolidusJwt.decode(token).first
+        #   user = Spree::User.for_jwt(payload['sub'])
+        #
+        # @param sub [string] The subject claim of jwt
+        # @return [Spree.user_class, NilClass] If a match is found, returns the user,
+        #   otherwise, returns nil
+        #
+        def for_jwt(sub)
+          find_by(id: sub)
+        end
+      end
+
+      ##
+      # Generate a json web token
+      # @see https://github.com/jwt/ruby-jwt
+      # @return [String]
+      #
+      def generate_jwt(expires_in: nil)
+        SolidusJwt.encode(payload: as_jwt_payload, expires_in: expires_in)
+      end
+      alias generate_jwt_token generate_jwt
+
+      ##
+      # Serializes user attributes to hash and applies
+      # the sub jwt claim.
+      #
+      # @return [Hash] The payload for json web token
+      #
+      def as_jwt_payload
+        options = SolidusJwt::Config.jwt_options
+        claims = { sub: id }
+
+        as_json(options)
+          .merge(claims)
+          .as_json
+      end
+
+      ::Spree.user_class.prepend self
+    end
+  end
+end

data/app/models/solidus_jwt/base_record.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module SolidusJwt
+  base_class = defined?(::ApplicationRecord) ? ::ApplicationRecord : ActiveRecord::Base
+
+  class BaseRecord < base_class
+    self.abstract_class = true
+
+    def self.table_name_prefix
+      'solidus_jwt_'
+    end
+  end
+end

data/app/models/solidus_jwt/token.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module SolidusJwt
+  class Token < BaseRecord
+    attr_readonly :token
+    enum auth_type: { refresh_token: 0, access_token: 1 }
+
+    # rubocop:disable Rails/ReflectionClassName
+    belongs_to :user, class_name: ::Spree::UserClassHandle.new
+    # rubocop:enable Rails/ReflectionClassName
+
+    scope :non_expired, -> {
+      where(
+        'solidus_jwt_tokens.created_at >= ?',
+        SolidusJwt::Config.refresh_expiration.seconds.ago
+      )
+    }
+
+    enum auth_type: { refresh: 0, access: 1 }
+
+    validates :token, presence: true
+
+    before_validation(on: :create) do
+      self.token ||= SecureRandom.uuid
+    end
+
+    ##
+    # Set all  non expired refresh tokens to inactive
+    #
+    def self.invalidate(user)
+      # rubocop:disable Rails/SkipsModelValidations
+      non_expired.
+        where(user_id: user.to_param).
+        update_all(active: false)
+      # rubocop:enable Rails/SkipsModelValidations
+    end
+
+    ##
+    # Whether to honor a token or not.
+    # @return [Boolean]
+    #
+    def self.honor?(token)
+      non_expired.where(active: true).find_by(token: token).present?
+    end
+
+    ##
+    # Whether the token should be honored.
+    # @return [Boolean] Will be true if the token is active and not expired.
+    #   Otherwise false.
+    def honor?
+      active? && !expired?
+    end
+
+    ##
+    # Whether the token is expired
+    # @return [Boolean] If the token is older than the configured refresh
+    #   expiration amount then will be true. Otherwise false.
+    #
+    def expired?
+      created_at < SolidusJwt::Config.refresh_expiration.seconds.ago
+    end
+  end
+end