solidus_jwt 0.1.0 → 1.0.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 0cf6dd72fda604868c1589819000a6d1607a8078fa642ce2a17cb071695b26f1
-  data.tar.gz: ca122c197a880c21398f6bcf28a2e8dd7709f90613e0fe41c4f24ea166802e09
+  metadata.gz: e295cf784cd7480da864f9f402f75b9c8e9acb1ecdd611c7bb592121c329ea46
+  data.tar.gz: 31705028f11d7134864145b845e345f1816b0cb2e67bb21b7761ec15ce3f356a
 SHA512:
-  metadata.gz: c1a2929d69915b28aec1df8c2a4fa450191ae0c465c57e5b7992938a88c9fb6363ae71282930b4dcea644add482d54c3406eb471a93a0c74a520ad8e11e9e98e
-  data.tar.gz: b7938c410ed7e14bc8098aa7314490beaff2bfc29b86249c72c9a2411f48b3a2b71441b6c17a159fff864caaf1923e348ba5b01c5acfcc570be3c60c1e75a571
+  metadata.gz: 638d994f7ef700464469cfd1f601edce39118dc41bc221970e56bcc4814a5aa1792573b01c7fd06a16ae2a939ddcfe158f6151f0d184c688d84359f5c41eb0cd
+  data.tar.gz: 3102363bd70e336b49ec0b4287fae49b1b0bd2f5414e011fde6f8db3fc9e1e0d23fd42d97ce75f85c03feff2c03a08dd86f2779547c0e1132ff888eabd76dcf9

data/README.md

@@ -36,8 +36,9 @@ SolidusJwt::Config.configure do |config|
   config.jwt_secret           = 'secret'
   config.allow_spree_api_key  = true
   config.jwt_algorithm        = 'HS256'
-  config.jwt_expiration       = 3600
+  config.jwt_expiration       = 3_600
   config.jwt_options          = { only: %i[email first_name id last_name] }
+  config.refresh_expiration   = 2_592_000
 end
 ```
 
@@ -56,6 +57,9 @@ Defaults to `3600` (1 hour). The amount of time in seconds that the token should
 #### `jwt_options`
 Defaults to `{ only: %i[email first_name id last_name] }`. These options are passed into `Spree::User#as_json` when serializing the token's payload.  Keep in mind that the more information included, the larger the token will be. It may be in your best interest to keep it short and simple.
 
+#### `refresh_expiration`:
+Defaults to `2592000` (30 days). The amount of time in seconds that the token should last for.
+
 Usage
 -------------
 ### Generating and decoding a token:
@@ -83,7 +87,59 @@ SolidusJwt.decode(token)
 # ]
 ```
 
-### Distributing a Token Using 'solidus_auth_devise':
+### Autenticate through the API
+
+If authenticating through the API, you must have 
+[solidus_auth_devise](https://github.com/solidusio/solidus_auth_devise) setup
+because `solidus_jwt` piggybacks off of the [Devise](https://github.com/plataformatec/devise) 
+gem. This enables authentication through a single point. If you implement 
+[Devise Lockable](https://www.rubydoc.info/github/plataformatec/devise/master/Devise/Models/Lockable), 
+then locking is respected both on the front-end as well as on the API.
+
+```ruby
+POST /oauth/token
+{
+  "username": "user@example.com"
+  "password": "secret"
+  "grant_type": "password"
+}
+
+# { "access_token": "abc.123.efg", "refresh_token": "123456" }
+```
+
+You can now use the `access_token` to authentication with the 
+[Solidus API](https://github.com/solidusio/solidus/tree/master/api) in place
+of the `spree_api_key`.
+
+### Obtain a refresh token
+
+To refresh your access token, instead of re-authenticating you can send
+a refresh token.
+
+```ruby
+POST /oauth/token
+{
+  "refresh_token": "123456"
+  "grant_type": "refresh_token"
+}
+
+# { "access_token": "hij.456.klm", "refresh_token": "789abc" }
+```
+
+### Invalidate refresh tokens for a user
+
+It is good practice set the lifetime of an access token to be short. In case an
+access token is compromised, the attacker will only have access for a short time.
+
+To force a user to have to reauthencate rather than using a refresh token,
+you can do the following:
+
+```ruby
+# Invalidate all refresh tokens for a user
+SolidusJwt::Token.invalidate(user)
+```
+
+### Distributing a Token Using 'solidus_auth_devise' on front-end:
 
 To have the `solidus_auth_devise` gem distribute a token back to the client
 you can do the following:

data/app/controllers/spree/api/oauths_controller.rb

@@ -0,0 +1,34 @@
+module Spree
+  module Api
+    class OauthsController < BaseController
+      skip_before_action :authenticate_user
+
+      def token
+        if user = try_authenticate_user
+          render_token_for(user)
+        else
+          render status: 401, json: { error: 'invalid username or password' }
+        end
+      end
+
+      private
+
+      def render_token_for(user)
+        render json: {
+          access_token: user.generate_jwt,
+          refresh_token: generate_refresh_token_for(user)
+        }
+      end
+
+      def try_authenticate_user
+        warden.authenticate(:solidus_jwt_password) ||
+          warden.authenticate(:solidus_jwt_refresh_token)
+      end
+
+      def generate_refresh_token_for(user)
+        token_resource = user.auth_tokens.create!
+        token_resource.token
+      end
+    end
+  end
+end

data/app/models/application_record.rb

@@ -0,0 +1,3 @@
+class ApplicationRecord < ActiveRecord::Base
+  self.abstract_class = true
+end

data/app/models/solidus_jwt/application_record.rb

@@ -0,0 +1,9 @@
+module SolidusJwt
+  class ApplicationRecord < ::ApplicationRecord
+    self.abstract_class = true
+
+    def self.table_name_prefix
+      'solidus_jwt_'
+    end
+  end
+end

data/app/models/solidus_jwt/token.rb

@@ -0,0 +1,48 @@
+module SolidusJwt
+  class Token < ApplicationRecord
+    attr_readonly :token
+    enum auth_type: %i[refresh_token access_token]
+
+    belongs_to :user, class_name: Spree::UserClassHandle.new
+
+    scope :non_expired, -> {
+      where(
+        'solidus_jwt_tokens.created_at >= ?',
+        SolidusJwt::Config.refresh_expiration.seconds.ago
+      )
+    }
+
+    enum auth_type: %i[refresh access]
+
+    validates :token, presence: true
+
+    before_validation(on: :create) do
+      self.token ||= SecureRandom.uuid
+    end
+
+    ##
+    # Set all  non expired refresh tokens to inactive
+    #
+    def self.invalidate(user)
+      non_expired.
+        where(user_id: user.to_param).
+        update_all(active: false)
+    end
+
+    ##
+    # Whether to honor a token or not.
+    # @return [Boolean]
+    #
+    def self.honor?(token)
+      non_expired.where(active: true).find_by(token: token).present?
+    end
+
+    def honor?
+      active? && !expired?
+    end
+
+    def expired?
+      created_at < SolidusJwt::Config.refresh_expiration.seconds.ago
+    end
+  end
+end

data/app/models/spree/user_decorator.rb

@@ -1,5 +1,9 @@
 module Spree
   module UserDecorator
+    def self.prepended(base)
+      base.has_many :auth_tokens, class_name: 'SolidusJwt::Token'
+    end
+
     ##
     # Generate a json web token
     # @see https://github.com/jwt/ruby-jwt

data/config/routes.rb

@@ -1,3 +1,4 @@
 Spree::Core::Engine.routes.draw do
   # Add your extension routes here
+  post 'oauth/token', to: 'api/oauths#token'
 end

data/db/migrate/20190222220038_create_solidus_jwt_tokens.rb

@@ -0,0 +1,12 @@
+class CreateSolidusJwtTokens < ActiveRecord::Migration[5.2]
+  def change
+    create_table :solidus_jwt_tokens do |t|
+      t.string :token, index: true
+      t.integer :auth_type, default: 0, null: false
+      t.integer :user_id, index: true
+      t.boolean :active, default: true, null: false
+
+      t.timestamps null: false
+    end
+  end
+end

data/lib/solidus_jwt.rb

@@ -1,8 +1,12 @@
 require 'jwt'
 
 require 'solidus_core'
+require 'solidus_auth_devise'
 require 'solidus_jwt/engine'
 
+require 'solidus_jwt/devise_strategies/password'
+require 'solidus_jwt/devise_strategies/refresh_token'
+
 require 'solidus_jwt/version'
 require 'solidus_jwt/config'
 require 'solidus_jwt/concerns/decodeable'

data/lib/solidus_jwt/devise_strategies/password.rb

@@ -0,0 +1,50 @@
+module SolidusJwt
+  module DeviseStrategies
+    class Password < Devise::Strategies::Base
+      def valid?
+        valid_grant_type? && valid_params?
+      end
+
+      def authenticate!
+        resource = mapping.to.find_for_database_authentication(auth_hash)
+
+        block = proc { resource.valid_password?(password) }
+
+        if resource&.valid_for_authentication?(&block)
+          resource.after_database_authentication
+          return success!(resource)
+        end
+
+        fail!(:invalid)
+      end
+
+      private
+
+      def auth_hash
+        { email: username }
+      end
+
+      def grant_type
+        params[:grant_type]
+      end
+
+      def username
+        params[:username]
+      end
+
+      def password
+        params[:password]
+      end
+
+      def valid_grant_type?
+        grant_type == 'password'
+      end
+
+      def valid_params?
+        username.present? && password.present?
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:solidus_jwt_password, SolidusJwt::DeviseStrategies::Password)

data/lib/solidus_jwt/devise_strategies/refresh_token.rb

@@ -0,0 +1,49 @@
+module SolidusJwt
+  module DeviseStrategies
+    class RefreshToken < Devise::Strategies::Base
+      def valid?
+        valid_grant_type? && valid_params?
+      end
+
+      def authenticate!
+        resource = SolidusJwt::Token.find_by(auth_hash)
+        return fail!(:invalid) if resource.nil? || resource.user.nil?
+
+        block = proc do
+          # If we honor then mark the refresh token as stale for one time use
+          resource.honor? && resource.update_columns(active: false)
+        end
+
+        if resource.user.valid_for_authentication?(&block)
+          return success!(resource.user)
+        end
+
+        fail!(:invalid)
+      end
+
+      private
+
+      def auth_hash
+        { auth_type: :refresh, token: refresh_token }
+      end
+
+      def grant_type
+        params[:grant_type]
+      end
+
+      def refresh_token
+        params[:refresh_token]
+      end
+
+      def valid_grant_type?
+        grant_type == 'refresh_token'
+      end
+
+      def valid_params?
+        refresh_token.present?
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:solidus_jwt_refresh_token, SolidusJwt::DeviseStrategies::RefreshToken)

data/lib/solidus_jwt/factories.rb

@@ -3,4 +3,15 @@ FactoryBot.define do
   #
   # Example adding this to your spec_helper will load these Factories for use:
   # require 'solidus_jwt/factories'
+  factory :token, class: SolidusJwt::Token do
+    association :user
+
+    trait :expired do
+      created_at { 1.year.ago }
+    end
+
+    trait :inactive do
+      active { false }
+    end
+  end
 end

data/lib/solidus_jwt/preferences.rb

@@ -34,6 +34,12 @@ module SolidusJwt
     #
     preference :jwt_options, :hash, default: { only: %i[email first_name id last_name] }
 
+    # @!attribute [rw] refresh_expriation
+    #   @return [String] How long until the refresh token expires in seconds
+    #   (default: +2592000+)
+    #
+    preference :refresh_expiration, :integer, default: 2_592_000
+
     ##
     # Get the secret token to encrypt json web tokens with.
     # @return [String] The secret used to encrypt json web tokens

data/lib/solidus_jwt/version.rb

@@ -1,8 +1,8 @@
 module SolidusJwt
-  MAJOR = 0
-  MINOR = 1
+  MAJOR = 1
+  MINOR = 0
   PATCH = 0
-  PRERELEASE = nil
+  PRERELEASE = 'beta1'
 
   def self.version
     version = [MAJOR, MINOR, PATCH].join('.')

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: solidus_jwt
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.0.0.beta1
 platform: ruby
 authors:
 - Taylor Scott
@@ -11,25 +11,33 @@ cert_chain: []
 date: 2019-11-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  name: solidus_core
+  name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: '3'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
-    - - "<"
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: solidus_auth_devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3'
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: solidus_backend
   requirement: !ruby/object:Gem::Requirement
@@ -51,33 +59,39 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '3'
 - !ruby/object:Gem::Dependency
-  name: solidus_support
+  name: solidus_core
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.1.3
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.1.3
+        version: '1.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
 - !ruby/object:Gem::Dependency
-  name: jwt
+  name: solidus_support
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.1.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.1.3
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -303,14 +317,21 @@ files:
 - app/assets/stylesheets/spree/frontend/solidus_jwt.css
 - app/controllers/spree/api/base_controller/json_web_tokens.rb
 - app/controllers/spree/api/base_controller_decorator.rb
+- app/controllers/spree/api/oauths_controller.rb
+- app/models/application_record.rb
+- app/models/solidus_jwt/application_record.rb
+- app/models/solidus_jwt/token.rb
 - app/models/spree/user_decorator.rb
 - config/locales/en.yml
 - config/routes.rb
+- db/migrate/20190222220038_create_solidus_jwt_tokens.rb
 - lib/generators/solidus_jwt/install/install_generator.rb
 - lib/solidus_jwt.rb
 - lib/solidus_jwt/concerns/decodeable.rb
 - lib/solidus_jwt/concerns/encodeable.rb
 - lib/solidus_jwt/config.rb
+- lib/solidus_jwt/devise_strategies/password.rb
+- lib/solidus_jwt/devise_strategies/refresh_token.rb
 - lib/solidus_jwt/distributor/devise.rb
 - lib/solidus_jwt/engine.rb
 - lib/solidus_jwt/factories.rb
@@ -331,9 +352,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.0.3
 signing_key: