strongmind-auth 1.0.10 → 1.0.12

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f48f262a82aa122f2c2e02f24a80af05e8ddc16c47b03f74e2ae6cd1e75f7b02
-  data.tar.gz: 178b4506c5e76422842f944e74f4fb24e94785085be8a3fa62699a3d12d1b88c
+  metadata.gz: 9f0de84646fc0bb458a34c17e3b6ba8e8f5754252cb5da1957822e75a7c52d4f
+  data.tar.gz: 3f944f111eb1b254ed97a13baf7b5e0d74401bb4edce2326ed36a94742af4499
 SHA512:
-  metadata.gz: 0fc9d5270f0f4c4f94db091278e00b928c3ba566d1a6eaa0c400ca6aa5b2ed59cbe1bf3169d69ad22906394a9c0a9cfe9195d4e65069cb465db54321eb87edb0
-  data.tar.gz: 3e3a8968049708aa7cf9db09d2a08387c95c59b92a19f84bdeaf070319ea85e7c3b19eb46160cb6ecc6cfe0acb75d34d244ee451e6dd90afdc3786f054e8812f
+  metadata.gz: cbba7ce9b16417331e9ec33a7b25225bb2ff3d3bc9651ac36936543197f1e95caec5c842100965b6564150c92015d46af23dfab26999db0f4847755d112eb775
+  data.tar.gz: 48fa3ec4e620252c4f1dfb88cd3f58df46f0054defe2f348d3282cfde28dc58829b628b6dfa5f054c5e2681b105b92b31e5c984a5711fdb68cfd1abd5b6cc7f0

data/app/controllers/concerns/jwt_utilities.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+# Mix-in for handling JWTs
+module JwtUtilities
+  extend ActiveSupport::Concern
+
+  def jwt_valid?(jwt, condition_key = nil, scopes = [])
+    begin
+      payload, _header = JWT.decode(jwt, public_key, true, {
+        verify_iat: true,
+        verify_iss: true,
+        verify_aud: true,
+        verify_sub: true,
+        algorithm: 'RS256',
+        leeway: 60
+      })
+    rescue JWT::DecodeError => e
+      Rails.logger.error e.message
+      return false
+    end
+
+    payload = payload.with_indifferent_access
+
+    unless !scopes.empty? && payload['scope'].present? && payload['scope'].all? { |elem| scopes.include?(elem) }
+      return false
+    end
+
+    return false unless payload['nonce'].nil?
+
+    return false unless condition_key.nil? || payload['events'].key?(condition_key)
+
+    true
+  end
+
+  def public_key
+    Rails.cache.fetch('jwt_utilities_public_key', expires_in: 1.day) do
+      x5c_val = OpenIDConnect::Discovery::Provider::Config.discover!(ENV['IDENTITY_BASE_URL']).jwks.first['x5c'].first
+      cert = OpenSSL::X509::Certificate.new(Base64.decode64(x5c_val))
+      cert.public_key
+    end
+  end
+
+  private
+
+  def fetch_user_token_info
+    user_jwt(session)
+  end
+
+  def user_access_token(session_data)
+    tokens = user_jwt(session_data)
+    tokens[:access_token]
+  end
+
+  def user_jwt(session_data)
+    tokens = current_user.nil? ? nil : Rails.cache.read(current_user&.uid)
+    validate_tokens(tokens) unless tokens.nil?
+
+    if tokens.nil?
+      tokens = generate_tokens(session_data)
+      validate_tokens(tokens)
+
+      unless current_user.nil?
+        tokens[:expires_in] = 1.hour.to_i if tokens[:expires_in].nil?
+        Rails.cache.write(current_user&.uid, tokens)
+      end
+    end
+    session_data[:refresh_token] = tokens[:refresh_token]
+
+    tokens
+  end
+
+  def validate_tokens(tokens)
+    return unless tokens[:error] == 'invalid_grant' || !tokens[:refresh_token]
+
+    raise RefreshTokenExpired, tokens[:error]
+  end
+
+  def generate_tokens(session_data)
+    identity_base_url = ENV['IDENTITY_BASE_URL']
+    identity_client_id = ENV['IDENTITY_CLIENT_ID']
+    response = Faraday.post("#{identity_base_url}/connect/token", {
+      client_id: identity_client_id,
+      client_secret: ENV['IDENTITY_CLIENT_SECRET'],
+      grant_type: 'refresh_token',
+      refresh_token: session_data[:refresh_token]
+    })
+
+    JSON.parse(response.body, symbolize_names: true)
+  end
+end

data/app/controllers/concerns/strong_mind_nav.rb

@@ -12,6 +12,9 @@ module StrongMindNav
       @theme_css = navbar[:theme_css]
     rescue Strongmind::CommonNavFetcher::TokenNotFoundError, Strongmind::CommonNavFetcher::UserNotFoundError => e
       Sentry.capture_exception(e)
+      Rails.logger.error(e)
+      flash[:alert] = e.inspect if Rails.env.development?
+      @stop_redirect = true if Rails.env.development?
       render 'logins/index'
     rescue Exception => e
       Sentry.capture_exception(e)

data/app/controllers/users/sessions_controller.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Users
+  class RefreshTokenExpired < StandardError
+  end
+
+  class SessionsController < Devise::SessionsController
+    include JwtUtilities
+
+    skip_before_action :fetch_common_nav
+    skip_before_action :verify_authenticity_token, only: :endsession
+
+    def login
+      redirect_to user_strongmind_omniauth_authorize_url
+    end
+
+    def new
+      redirect_to user_strongmind_omniauth_authorize_url
+    end
+
+    def endsession
+      headers = { 'Cache-Control' => 'no-store' }
+      if jwt_valid?(params[:logout_token], 'http://schemas.openid.net/event/backchannel-logout')
+        payload, _header = JWT.decode(params[:logout_token], nil, false)
+        user_identity = payload['sub']
+        user = User.find_by(uid: user_identity)
+        user.invalidate_all_sessions!
+        render json: {}, status: :ok, headers:
+      else
+        render json: {}, status: :bad_request, headers:
+      end
+    end
+
+    def initiate_backchannel_logout
+      user_token_info = fetch_user_token_info
+
+      id_token_hint = user_token_info[:id_token]
+      token = user_token_info[:access_token]
+      current_user&.invalidate_all_sessions!
+      identity_base_url = ENV['IDENTITY_BASE_URL']
+      redirect_to "#{identity_base_url}/connect/endsession?id_token_hint=#{id_token_hint}", headers: {
+        'Content-Type' => 'application/json',
+        'Authorization' => "Bearer #{token}"
+      }, allow_other_host: true
+    end
+
+  end
+end

data/app/models/user_base.rb

@@ -28,4 +28,14 @@ class UserBase < ApplicationRecord
   def auth_token_cache
     Rails.cache.read(uid)
   end
+  
+  def authenticatable_salt
+    return super unless session_token
+
+    "#{super}#{session_token}"
+  end
+
+  def invalidate_all_sessions!
+    update_attribute(:session_token, SecureRandom.hex)
+  end
 end

data/app/views/logins/index.html.erb

@@ -22,13 +22,22 @@
 
     // Submit the form on load
     window.addEventListener("load", (event) => {
+        <% if @stop_redirect %>
+        return;
+        <% end %>
         submitForm();
     });
 
 </script>
 <div id="loading">
+  <% flash.each do |type, message| %>
+    <div class="alert alert-<%= type %>"><%= message %></div>
+  <% end %>
+  <% flash.clear %>
   <div class="sm-loader">
-    <img src="https://prod-backpack-ui.strongmind.com/assets/images/strongmind-loader.svg">
+    <% unless @stop_redirect %>
+      <img src="https://prod-backpack-ui.strongmind.com/assets/images/strongmind-loader.svg">
+    <% end %>
   </div>
 
 </div>

data/app/views/users/omniauth_callbacks/failure.html.erb

@@ -1,32 +1,129 @@
-Your StrongMind identity client does not appear to be configured correctly.
-<br/>
-Please follow these steps:
-<br/>
-<br/>
 <%
-  app_name = Rails.application.class.name.split("::").first
-  app_url = ENV['APP_BASE_URL']
-  stage_url = "https://devlogin.strongmind.com/Clients/Create?ClientID=#{app_name}&RedirectURL=#{app_url}/users/auth/strongmind/callback"
-  prod_url = "https://login.strongmind.com/Clients/Create?ClientID=#{app_name}&RedirectURL=#{app_url}/users/auth/strongmind/callback"
+  require 'json'
+
+  if Rails.env.development?
+    app_name = Rails.application.class.name.split("::").first.underscore.dasherize
+    if app_name == "app"
 %>
+    Please set the name of your application in the module line of config/application.rb and restart your server.
+  <%
+    else
+  %>
+    <script>
+        function toggleInstructions() {
+            if (document.getElementById('new_app_yes').checked) {
+                document.getElementById('new_app_instructions').style.display = 'block';
+                document.getElementById('existing_app_instructions').style.display = 'none';
+            } else {
+                document.getElementById('new_app_instructions').style.display = 'none';
+                document.getElementById('existing_app_instructions').style.display = 'block';
+            }
+        }
+    </script>
+    <div>
+      Your StrongMind Identity client does not appear to be configured correctly.
+    </div>
+    <div>
+      Is this a brand new app that needs to be setup in StrongMind Identity?
+    </div>
+    <div class="flex">
+      <input type="radio" name="new_app" value="yes" id="new_app_yes" onclick="toggleInstructions()">
+      <label for="new_app_yes" style="margin-left: 5px">Yes</label>
+    </div>
+    <div class="flex">
+      <input type="radio" name="new_app" value="no" id="new_app_no" onclick="toggleInstructions()">
+      <label for="new_app_no" style="margin-left: 5px">No</label>
+    </div>
+
+    <div id="existing_app_instructions" style="display: none; margin-top: 10px">
+      Grab the .env file from Bitwarden and place it in the root of your project. Restart your server.
+    </div>
+    <div id="new_app_instructions" style="display: none; margin-top: 10px">
+      <div>
+        Please follow these steps:
+      </div>
+      <%
+        local_app_url = "http://localhost:3000"
+        stage_app_url = "https://stage-#{app_name}.strongmind.com"
+        prod_app_url = "https://#{app_name}.strongmind.com"
+        local_redirect_url = "#{local_app_url}/users/auth/strongmind/callback"
+        stage_redirect_url = "#{stage_app_url}/users/auth/strongmind/callback"
+        prod_redirect_url = "#{prod_app_url}/users/auth/strongmind/callback"
+        stage_post_logout_redirect_url = "https://stage-#{app_name}.strongmind.com"
+        prod_post_logout_redirect_url = "https://#{app_name}.strongmind.com"
+        stage_backchannel_logout_url = "https://stage-#{app_name}.strongmind.com/users/endsession"
+        prod_backchannel_logout_url = "https://#{app_name}.strongmind.com/users/endsession"
+
+        stage_login_base_url = "https://devlogin.strongmind.com"
+        prod_login_base_url = "https://login.strongmind.com"
+        stage_secret = SecureRandom.hex(16)
+        prod_secret = SecureRandom.hex(16)
+        stage_url = "#{stage_login_base_url}/Clients/Create?"
+        stage_url += "ClientID=#{app_name}&"
+        stage_url += "RedirectURL=#{local_redirect_url}&"
+        stage_url += "RedirectURL=#{stage_redirect_url}&"
+        stage_url += "PostLogoutRedirectURL=#{stage_post_logout_redirect_url}&"
+        stage_url += "BackChannelLogoutUri=#{stage_backchannel_logout_url}&"
+        stage_url += "ClientSecret=#{stage_secret}"
+
+        prod_url = "#{prod_login_base_url}/Clients/Create?"
+        prod_url += "ClientID=#{app_name}&"
+        prod_url += "RedirectURL=#{prod_redirect_url}&"
+        prod_url += "PostLogoutRedirectURL=#{prod_post_logout_redirect_url}&"
+        prod_url += "BackChannelLogoutUri=#{prod_backchannel_logout_url}&"
+        prod_url += "ClientSecret=#{prod_secret}"
+
+        env_file_additions = "IDENTITY_CLIENT_ID=#{app_name}\nIDENTITY_CLIENT_SECRET=#{stage_secret}\n# Production\n#IDENTITY_CLIENT_SECRET=#{prod_secret}"
+      %>
+
+      <ol style="list-style: decimal">
+        <li>
+          <%= link_to "Create Client in Staging Identity Server", stage_url, { target: "_blank" } %>
+        </li>
+        <li>
+          <%= link_to "Create Client in Production Identity Server", prod_url, { target: "_blank" } %>
+        </li>
+        <li>
+          <div>
+            Set the following environment variables in your .env file:
+          </div>
+          <textarea style="width: 100%; height: 200px"><%= env_file_additions %></textarea>
+          <br/>
+          <button onclick="navigator.clipboard.writeText(document.querySelector('textarea').value)">
+            Copy to clipboard
+          </button>
+          <br/><br/>
+        </li>
+        <li>
+          Save the .env file into a new Bitwarden item called "<%= app_name %> .env"
+        </li>
+        <li>
+          Restart your server.
+        </li>
+      </ol>
+    </div>
+  <%
+    end
+    else %>
+  This application is not configured properly.
+  <br/>
+  Please contact your nearest engineer using a ticket.
+  <br/>
+
+  Provide them this information:
+  <%
+    info = {
+      url: request.url,
+      error: request.env['omniauth.error']
+    }
+  %>
+  <textarea style="width: 100%; height: 200px"><%= JSON.pretty_generate(info) %></textarea>
+  <!-- copy to clipboard -->
+  <button onclick="navigator.clipboard.writeText(document.querySelector('textarea').value)">
+    Copy to clipboard
+  </button>
 
-<ol style="list-style: decimal">
-  <li>
-    <%= link_to "Create Client in Staging Identity Server", stage_url %>
-  </li>
-  <li>
-    <%= link_to "Create Client in Production Identity Server", prod_url %>
-  </li>
-  <li>
-    Set the following environment variables in your .env file:
-    <br/>
-    <br/>
-    <pre>
-IDENTITY_CLIENT_ID=<%= app_name %><br/>IDENTITY_CLIENT_SECRET={use the secret you generated for the client}
-    </pre>
-
-  </li>
-  <li>
-    Restart your server.
-  </li>
-</ol>
+  <div>
+    <%= link_to "Back to Home", "/", data: { turbo: false } %>
+  </div>
+<% end %>

data/config/routes.rb

@@ -3,11 +3,12 @@ Rails.application.routes.draw do
   return if defined? Rails::Generators
 
   devise_for :users, controllers: {
-    omniauth_callbacks: "users/omniauth_callbacks"
+    omniauth_callbacks: 'users/omniauth_callbacks',
+    sessions: 'users/sessions'
   }
 
   devise_scope :user do
-    post 'users/sign_out', to: 'devise/sessions#destroy'
+    get 'users/sign_out', to: 'users/sessions#initiate_backchannel_logout'
 
     unauthenticated do
       root 'logins#index', as: :unauthenticated_root

data/lib/generators/strongmind/install_generator.rb

@@ -13,13 +13,25 @@ module Strongmind
 
     def protect_app_files_and_add_nav
       inject_into_file "app/controllers/application_controller.rb", after: "class ApplicationController < ActionController::Base\n" do
-        "  include StrongMindNav\n  before_action :authenticate_user!\n  before_action :fetch_common_nav\n
+        "  include StrongMindNav
+  before_action :authenticate_user!
+  before_action :fetch_common_nav
+
+  rescue_from Exceptions::RefreshTokenExpiredError do
+    current_user&.invalidate_all_sessions!
+    redirect_to \"#{ENV['IDENTITY_BASE_URL']}/connect/endsession\", headers: {
+        'Content-Type' => 'application/json'
+        }, allow_other_host: true
+    end
+
   # Implement the list of menu items for the application
   # def menu_items
   #   [
   #     { name: 'Home', icon: 'fa-solid fa-house', path_method: :root_path }
   #   ]
-  # end\n\n"
+  # end
+
+"
 
       end
     end
@@ -38,7 +50,7 @@ devise_scope :user do
     end
 
     def uid_migration
-      migration_template "add_uid_to_user.rb", "db/migrate/add_uid_to_user.rb"
+      migration_template "add_uid_and_session_token_to_user.rb", "db/migrate/add_uid_and_session_token_to_user.rb"
     end
 
     def self.next_migration_number(path)

data/lib/generators/strongmind/templates/{add_uid_to_user.rb → add_uid_and_session_token_to_user.rb}

@@ -1,8 +1,9 @@
 # frozen_string_literal: true
 
-class AddUidToUser < ActiveRecord::Migration[7.0]
+class AddUidAndSessionTokenToUser < ActiveRecord::Migration[7.0]
   def change
     add_column :users, :uid, :string
+    add_column :users, :session_token, :string
     add_index :users, :uid, unique: true
   end
 end

data/lib/strongmind/auth/version.rb

@@ -1,5 +1,5 @@
 module Strongmind
   module Auth
-    VERSION = "1.0.10"
+    VERSION = "1.0.12"
   end
 end

data/lib/strongmind/common_nav_fetcher.rb

@@ -52,7 +52,10 @@ module Strongmind
 
     def token
       cache_data = Rails.cache.fetch(user.uid)
-      raise TokenNotFoundError, "Token not found for user #{user.id}" unless cache_data&.key?(:access_token)
+      cache_missing_message = " - check your caching settings (switch to file or redis)" if Rails.env.development?
+      unless cache_data&.key?(:access_token)
+        raise TokenNotFoundError, "Token not found for user #{user.uid}#{cache_missing_message}"
+      end
 
       cache_data[:access_token]
     end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: strongmind-auth
 version: !ruby/object:Gem::Version
-  version: 1.0.10
+  version: 1.0.12
 platform: ruby
 authors:
 - Team Belding
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-03-15 00:00:00.000000000 Z
+date: 2024-03-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -105,12 +105,14 @@ files:
 - Rakefile
 - app/assets/config/strongmind_auth_manifest.js
 - app/assets/stylesheets/strongmind/auth/application.css
+- app/controllers/concerns/jwt_utilities.rb
 - app/controllers/concerns/strong_mind_nav.rb
 - app/controllers/logins_controller.rb
 - app/controllers/users/omniauth_callbacks_controller.rb
+- app/controllers/users/sessions_controller.rb
 - app/helpers/strongmind/auth/application_helper.rb
-- app/jobs/rails/auth/application_job.rb
-- app/mailers/rails/auth/application_mailer.rb
+- app/jobs/strongmind/auth/application_job.rb
+- app/mailers/strongmind/auth/application_mailer.rb
 - app/models/user_base.rb
 - app/views/layouts/_loading_navbar.html.erb
 - app/views/logins/index.html.erb
@@ -119,7 +121,7 @@ files:
 - config/routes.rb
 - lib/generators/strongmind/USAGE
 - lib/generators/strongmind/install_generator.rb
-- lib/generators/strongmind/templates/add_uid_to_user.rb
+- lib/generators/strongmind/templates/add_uid_and_session_token_to_user.rb
 - lib/generators/strongmind/templates/env
 - lib/generators/strongmind/templates/user.rb
 - lib/strongmind/auth.rb