strongmind-auth 1.0.11 → 1.0.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5744571fb4c34f46eab563a74d0f09ff0da1a5d88be521d785d42bf11537b354
-  data.tar.gz: '036694d87a468271a854342b34823357649def9b7ee12fbccbaa9e1384c90a70'
+  metadata.gz: 5f8024e8a6ede6f16c3ab5a900c19e0aa736a703ac36d6668287b2a27ec61928
+  data.tar.gz: 7d63c841f85f811124902d077989ea5bc683923258048164f10d85f79ca41b06
 SHA512:
-  metadata.gz: 56e34ffb177bf0949cf0d8e670dd407e8c554ad88138432054b9bd1439ca989b6d5a020a461c9dc9204b5ead7dd81ef852e89114b7ea2d534dca7c44e6e8d610
-  data.tar.gz: 144c638476dabe423587f743b175a49a0e3a325ac64db51af008aab7ef3282e37e0471e99ff7c9698721bd74852e50d246cc7bf75e5fa6f4e5d4a5fc111dbc28
+  metadata.gz: 836af65fff974d2ec9b16166a72e0203f41eb7a3b59cee6054bd32b53fb7e1980b6e9f4295586731a54ab20c20d5205ba4a91687cdfe68c01d269d979d74bbd3
+  data.tar.gz: d4195a3e2c67eeb856e6374d0d9386af87001fa730708ba578b3f3a92ee7a15b26fd3965df6597f91680ce660744d1642f2cb1b931937e3bdc609229fe905e93

data/app/controllers/concerns/jwt_utilities.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+
+# Mix-in for handling JWTs
+module JwtUtilities
+  extend ActiveSupport::Concern
+
+  def jwt_valid?(jwt, condition_key = nil, scopes = [])
+    begin
+      payload, _header = JWT.decode(jwt, public_key, true, {
+        verify_iat: true,
+        verify_iss: true,
+        verify_aud: true,
+        verify_sub: true,
+        algorithm: 'RS256',
+        leeway: 60
+      })
+    rescue JWT::DecodeError => e
+      Rails.logger.error e.message
+      return false
+    end
+
+    payload = payload.with_indifferent_access
+
+    unless !scopes.empty? && payload['scope'].present? && payload['scope'].all? { |elem| scopes.include?(elem) }
+      return false
+    end
+
+    return false unless payload['nonce'].nil?
+
+    return false unless condition_key.nil? || payload['events'].key?(condition_key)
+
+    true
+  end
+
+  def public_key
+    Rails.cache.fetch('jwt_utilities_public_key', expires_in: 1.day) do
+      x5c_val = OpenIDConnect::Discovery::Provider::Config.discover!(ENV['IDENTITY_BASE_URL']).jwks.first['x5c'].first
+      cert = OpenSSL::X509::Certificate.new(Base64.decode64(x5c_val))
+      cert.public_key
+    end
+  end
+
+  private
+
+  def fetch_user_token_info
+    user_jwt(session)
+  end
+
+  def user_access_token(session_data)
+    tokens = user_jwt(session_data)
+    tokens[:access_token]
+  end
+
+  def user_jwt(session_data)
+    tokens = current_user.nil? ? nil : Rails.cache.read(current_user&.uid)
+    validate_tokens(tokens) unless tokens.nil?
+
+    if tokens.nil?
+      tokens = generate_tokens(session_data)
+      validate_tokens(tokens)
+
+      unless current_user.nil?
+        tokens[:expires_in] = 1.hour.to_i if tokens[:expires_in].nil?
+        Rails.cache.write(current_user&.uid, tokens)
+      end
+    end
+    session_data[:refresh_token] = tokens[:refresh_token]
+
+    tokens
+  end
+
+  def validate_tokens(tokens)
+    return unless tokens[:error] == 'invalid_grant' || !tokens[:refresh_token]
+
+    raise Strongmind::Exceptions::RefreshTokenExpired, tokens[:error]
+  end
+
+  def generate_tokens(session_data)
+    identity_base_url = ENV['IDENTITY_BASE_URL']
+    identity_client_id = ENV['IDENTITY_CLIENT_ID']
+    response = Faraday.post("#{identity_base_url}/connect/token", {
+      client_id: identity_client_id,
+      client_secret: ENV['IDENTITY_CLIENT_SECRET'],
+      grant_type: 'refresh_token',
+      refresh_token: session_data[:refresh_token]
+    })
+
+    JSON.parse(response.body, symbolize_names: true)
+  end
+end

data/app/controllers/concerns/strong_mind_nav.rb

@@ -1,4 +1,5 @@
 require "strongmind/common_nav_fetcher"
+require "strongmind/exceptions"
 
 module StrongMindNav
   extend ActiveSupport::Concern
@@ -10,7 +11,7 @@ module StrongMindNav
       @top_navbar_html = navbar[:top_navbar_html]
       @bottom_navbar_html = navbar[:bottom_navbar_html]
       @theme_css = navbar[:theme_css]
-    rescue Strongmind::CommonNavFetcher::TokenNotFoundError, Strongmind::CommonNavFetcher::UserNotFoundError => e
+    rescue Strongmind::Exceptions::TokenNotFoundError, Strongmind::Exceptions::UserNotFoundError => e
       Sentry.capture_exception(e)
       Rails.logger.error(e)
       flash[:alert] = e.inspect if Rails.env.development?
@@ -18,6 +19,7 @@ module StrongMindNav
       render 'logins/index'
     rescue Exception => e
       Sentry.capture_exception(e)
+      Rails.logger.error(e)
       @top_navbar_html = render_to_string(partial: 'layouts/loading_navbar').html_safe
     end
   end

data/app/controllers/users/omniauth_callbacks_controller.rb

@@ -10,6 +10,8 @@ module Users
       User.auth_token_cache = auth
       @user = User.with_credentials(auth)
 
+      render plain: "You do not have permission to access this application.", status: :unauthorized and return if @user.nil?
+
       session[:refresh_token] = request.env['omniauth.auth'].credentials['refresh_token']
       flash.delete(:notice)
 

data/app/controllers/users/sessions_controller.rb

@@ -1,8 +1,12 @@
 # frozen_string_literal: true
 
 module Users
+
   class SessionsController < Devise::SessionsController
+    include JwtUtilities
+
     skip_before_action :fetch_common_nav
+    skip_before_action :verify_authenticity_token, only: :endsession
 
     def login
       redirect_to user_strongmind_omniauth_authorize_url
@@ -12,5 +16,31 @@ module Users
       redirect_to user_strongmind_omniauth_authorize_url
     end
 
+    def endsession
+      headers = { 'Cache-Control' => 'no-store' }
+      if jwt_valid?(params[:logout_token], 'http://schemas.openid.net/event/backchannel-logout')
+        payload, _header = JWT.decode(params[:logout_token], nil, false)
+        user_identity = payload['sub']
+        user = User.find_by(uid: user_identity)
+        user.invalidate_all_sessions!
+        render json: {}, status: :ok, headers:
+      else
+        render json: {}, status: :bad_request, headers:
+      end
+    end
+
+    def initiate_backchannel_logout
+      user_token_info = fetch_user_token_info
+
+      id_token_hint = user_token_info[:id_token]
+      token = user_token_info[:access_token]
+      current_user&.invalidate_all_sessions!
+      identity_base_url = ENV['IDENTITY_BASE_URL']
+      redirect_to "#{identity_base_url}/connect/endsession?id_token_hint=#{id_token_hint}", headers: {
+        'Content-Type' => 'application/json',
+        'Authorization' => "Bearer #{token}"
+      }, allow_other_host: true
+    end
+
   end
 end

data/app/models/user_base.rb

@@ -28,4 +28,14 @@ class UserBase < ApplicationRecord
   def auth_token_cache
     Rails.cache.read(uid)
   end
+  
+  def authenticatable_salt
+    return super unless session_token
+
+    "#{super}#{session_token}"
+  end
+
+  def invalidate_all_sessions!
+    update_attribute(:session_token, SecureRandom.hex)
+  end
 end

data/config/routes.rb

@@ -8,7 +8,7 @@ Rails.application.routes.draw do
   }
 
   devise_scope :user do
-    post 'users/sign_out', to: 'devise/sessions#destroy'
+    get 'users/sign_out', to: 'users/sessions#initiate_backchannel_logout'
 
     unauthenticated do
       root 'logins#index', as: :unauthenticated_root

data/lib/generators/strongmind/install_generator.rb

@@ -13,13 +13,25 @@ module Strongmind
 
     def protect_app_files_and_add_nav
       inject_into_file "app/controllers/application_controller.rb", after: "class ApplicationController < ActionController::Base\n" do
-        "  include StrongMindNav\n  before_action :authenticate_user!\n  before_action :fetch_common_nav\n
+        "  include StrongMindNav
+  before_action :authenticate_user!
+  before_action :fetch_common_nav
+
+  rescue_from Exceptions::RefreshTokenExpiredError do
+    current_user&.invalidate_all_sessions!
+    redirect_to \"#{ENV['IDENTITY_BASE_URL']}/connect/endsession\", headers: {
+        'Content-Type' => 'application/json'
+        }, allow_other_host: true
+    end
+
   # Implement the list of menu items for the application
   # def menu_items
   #   [
   #     { name: 'Home', icon: 'fa-solid fa-house', path_method: :root_path }
   #   ]
-  # end\n\n"
+  # end
+
+"
 
       end
     end
@@ -38,7 +50,7 @@ devise_scope :user do
     end
 
     def uid_migration
-      migration_template "add_uid_to_user.rb", "db/migrate/add_uid_to_user.rb"
+      migration_template "add_uid_and_session_token_to_user.rb", "db/migrate/add_uid_and_session_token_to_user.rb"
     end
 
     def self.next_migration_number(path)

data/lib/generators/strongmind/templates/{add_uid_to_user.rb → add_uid_and_session_token_to_user.rb}

@@ -1,8 +1,9 @@
 # frozen_string_literal: true
 
-class AddUidToUser < ActiveRecord::Migration[7.0]
+class AddUidAndSessionTokenToUser < ActiveRecord::Migration[7.0]
   def change
     add_column :users, :uid, :string
+    add_column :users, :session_token, :string
     add_index :users, :uid, unique: true
   end
 end

data/lib/strongmind/auth/version.rb

@@ -1,5 +1,5 @@
 module Strongmind
   module Auth
-    VERSION = "1.0.11"
+    VERSION = "1.0.13"
   end
 end

data/lib/strongmind/common_nav_fetcher.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
-
+require "strongmind/exceptions"
 require 'platform_sdk'
 
 module Strongmind
@@ -9,12 +9,8 @@ module Strongmind
 
     include Rails.application.routes.url_helpers
 
-    class TokenNotFoundError < StandardError; end
-
-    class UserNotFoundError < StandardError; end
-
     def initialize(user, request)
-      raise UserNotFoundError, 'User not found' unless user.present?
+      raise Strongmind::Exceptions::UserNotFoundError, 'User not found' unless user.present?
       raise ArgumentError, 'Request not found' unless request.present?
 
       @user = user
@@ -54,7 +50,7 @@ module Strongmind
       cache_data = Rails.cache.fetch(user.uid)
       cache_missing_message = " - check your caching settings (switch to file or redis)" if Rails.env.development?
       unless cache_data&.key?(:access_token)
-        raise TokenNotFoundError, "Token not found for user #{user.uid}#{cache_missing_message}"
+        raise Strongmind::Exceptions::TokenNotFoundError, "Token not found for user #{user.uid}#{cache_missing_message}"
       end
 
       cache_data[:access_token]
@@ -83,14 +79,12 @@ module Strongmind
     end
 
     def nav_item_data(item)
-      url = send(item[:path_method])
+      url = item[:url]
       {
         name: item[:name],
         icon: item[:icon],
-        url:,
-        is_disabled: item[:feature_flag] ? !user.feature_flag_enabled?(item[:feature_flag]) : false,
-        is_active: current_page?(url),
-        is_external: false
+        url: url,
+        is_active: current_page?(url)
       }
     end
   end

data/lib/strongmind/exceptions.rb

@@ -0,0 +1,9 @@
+module Strongmind
+  module Exceptions
+    class TokenNotFoundError < StandardError; end
+
+    class UserNotFoundError < StandardError; end
+
+    class RefreshTokenExpiredError < StandardError; end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: strongmind-auth
 version: !ruby/object:Gem::Version
-  version: 1.0.11
+  version: 1.0.13
 platform: ruby
 authors:
 - Team Belding
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2024-03-15 00:00:00.000000000 Z
+date: 2024-03-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -105,6 +105,7 @@ files:
 - Rakefile
 - app/assets/config/strongmind_auth_manifest.js
 - app/assets/stylesheets/strongmind/auth/application.css
+- app/controllers/concerns/jwt_utilities.rb
 - app/controllers/concerns/strong_mind_nav.rb
 - app/controllers/logins_controller.rb
 - app/controllers/users/omniauth_callbacks_controller.rb
@@ -120,13 +121,14 @@ files:
 - config/routes.rb
 - lib/generators/strongmind/USAGE
 - lib/generators/strongmind/install_generator.rb
-- lib/generators/strongmind/templates/add_uid_to_user.rb
+- lib/generators/strongmind/templates/add_uid_and_session_token_to_user.rb
 - lib/generators/strongmind/templates/env
 - lib/generators/strongmind/templates/user.rb
 - lib/strongmind/auth.rb
 - lib/strongmind/auth/engine.rb
 - lib/strongmind/auth/version.rb
 - lib/strongmind/common_nav_fetcher.rb
+- lib/strongmind/exceptions.rb
 - lib/tasks/rails/auth_tasks.rake
 - lib/tasks/strongmind/auth_tasks.rake
 homepage: https://www.strongmind.com