token_authority 0.1.0 → 0.2.0

data/app/controllers/token_authority/authorization_grants_controller.rb

@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+module TokenAuthority
+  ##
+  # Controller for granting authorization to clients.
+  #
+  # Inherits from the controller configured via TokenAuthority.config.authenticatable_controller.
+  # The authenticatable controller must implement:
+  # - authenticate_user! (before_action that ensures user is logged in)
+  # - current_user (returns the currently authenticated user)
+  #
+  # For Devise users, these methods are already available on ApplicationController.
+  # For other authentication systems, implement these methods on your authenticatable controller.
+  class AuthorizationGrantsController < TokenAuthority.config.authenticatable_controller.constantize
+    include TokenAuthority::ControllerEventLogging
+
+    layout -> { TokenAuthority.config.consent_page_layout }
+
+    before_action :authenticate_user!
+    before_action :set_authorization_request
+    before_action :set_token_authority_client
+
+    rescue_from TokenAuthority::InvalidRedirectUrlError do |error|
+      session.delete(:token_authority_internal_state)
+      render "token_authority/client_error",
+        layout: TokenAuthority.config.error_page_layout,
+        status: :bad_request,
+        locals: {error_class: error.class, error_message: error.message}
+    end
+
+    def new
+      notify_event("authorization.consent.shown",
+        client_id: @token_authority_client.public_id,
+        client_name: @token_authority_client.name,
+        requested_scopes: @authorization_request.scope)
+
+      render :new, locals: {
+        client_name: @token_authority_client.name,
+        resources: @authorization_request.resources,
+        scopes: @authorization_request.scope
+      }
+    end
+
+    def create
+      state = @authorization_request.state
+
+      unless ActiveModel::Type::Boolean.new.cast(params[:approve])
+        notify_event("authorization.consent.denied",
+          client_id: @token_authority_client.public_id)
+
+        redirect_to_client(params_for_redirect: {error: "access_denied", state:}) and return
+      end
+
+      notify_event("authorization.consent.granted",
+        client_id: @token_authority_client.public_id,
+        granted_scopes: @authorization_request.scope)
+
+      grant = @token_authority_client.new_authorization_grant(
+        user: current_user,
+        challenge_params: {
+          code_challenge: @authorization_request.code_challenge,
+          code_challenge_method: @authorization_request.code_challenge_method,
+          redirect_uri: @authorization_request.redirect_uri,
+          resources: @authorization_request.resources,
+          scopes: @authorization_request.scope
+        }
+      )
+
+      if grant.persisted?
+        notify_event("authorization.grant.created",
+          grant_id: grant.public_id,
+          client_id: @token_authority_client.public_id,
+          expires_at: grant.expires_at&.iso8601,
+          scopes: grant.scopes)
+
+        redirect_to_client(params_for_redirect: {code: grant.public_id, state:}) and return
+      end
+
+      redirect_to_client(params_for_redirect: {error: "invalid_request", state:})
+    end
+
+    private
+
+    def set_authorization_request
+      internal_state = session[:token_authority_internal_state]
+
+      if internal_state.blank?
+        render_state_error("Authorization state not found")
+        return
+      end
+
+      @authorization_request = TokenAuthority::AuthorizationRequest.from_internal_state_token(internal_state)
+    rescue JWT::DecodeError, JWT::ExpiredSignature
+      clear_internal_state
+      render_state_error("Invalid or expired authorization state")
+    end
+
+    def set_token_authority_client
+      @token_authority_client = @authorization_request.token_authority_client
+    end
+
+    def redirect_to_client(params_for_redirect:)
+      clear_internal_state
+      url = @token_authority_client.url_for_redirect(params: params_for_redirect.compact)
+      redirect_to url, allow_other_host: true
+    end
+
+    def clear_internal_state
+      session.delete(:token_authority_internal_state)
+    end
+
+    def render_state_error(message)
+      render "token_authority/client_error",
+        layout: TokenAuthority.config.error_page_layout,
+        status: :bad_request,
+        locals: {error_class: "InvalidStateError", error_message: message}
+    end
+  end
+end

data/app/controllers/token_authority/authorizations_controller.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+module TokenAuthority
+  # Handles OAuth 2.1 authorization requests (GET /authorize).
+  #
+  # This controller implements the initial step of the authorization code flow.
+  # It validates the authorization request parameters, authenticates the client,
+  # and redirects to the consent screen if everything is valid.
+  #
+  # The controller emits structured events for monitoring authorization requests,
+  # validation failures, and error conditions. Error responses follow OAuth 2.1
+  # specifications, redirecting to the client's redirect_uri when possible.
+  #
+  # @example Authorization request
+  #   GET /authorize?client_id=abc123
+  #     &redirect_uri=https://app.example.com/callback
+  #     &response_type=code
+  #     &state=xyz
+  #     &code_challenge=E9Melhoa...
+  #     &code_challenge_method=S256
+  #     &scope=read+write
+  #
+  # @since 0.2.0
+  class AuthorizationsController < ActionController::Base
+    include TokenAuthority::ClientAuthentication
+    include TokenAuthority::ControllerEventLogging
+
+    before_action :authenticate_client
+
+    rescue_from TokenAuthority::InvalidRedirectUrlError do |error|
+      render "token_authority/client_error",
+        layout: TokenAuthority.config.error_page_layout,
+        status: :bad_request,
+        locals: {error_class: error.class, error_message: error.message}
+    end
+
+    def authorize
+      state = params[:state]
+      resources = Array(params[:resource]).presence || []
+
+      notify_event("authorization.request.received",
+        client_id: params[:client_id],
+        client_type: @token_authority_client&.client_type,
+        redirect_uri: params[:redirect_uri],
+        has_pkce: params[:code_challenge].present?,
+        requested_scopes: params[:scope],
+        requested_resources: resources)
+
+      authorization_request = @token_authority_client.new_authorization_request(
+        client_id: params[:client_id],
+        code_challenge: params[:code_challenge],
+        code_challenge_method: params[:code_challenge_method],
+        redirect_uri: params[:redirect_uri],
+        response_type: params[:response_type],
+        state:,
+        resources:,
+        scope: params[:scope]
+      )
+
+      if authorization_request.valid?
+        notify_event("authorization.request.validated",
+          client_id: params[:client_id],
+          validated_scopes: authorization_request.scope,
+          validated_resources: authorization_request.resources)
+
+        session[:token_authority_internal_state] = authorization_request.to_internal_state_token
+        redirect_to new_authorization_grant_path
+      elsif authorization_request.errors.where(:redirect_uri).any?
+        notify_event("authorization.request.failed",
+          client_id: params[:client_id],
+          error_type: "invalid_redirect_uri",
+          validation_errors: authorization_request.errors.full_messages)
+
+        head :bad_request and return
+      elsif authorization_request.errors.where(:resources).any?
+        notify_event("authorization.request.failed",
+          client_id: params[:client_id],
+          error_type: "invalid_target",
+          validation_errors: authorization_request.errors.full_messages)
+
+        params_for_redirect = {error: :invalid_target, state:}.compact
+        url = @token_authority_client.url_for_redirect(params: params_for_redirect.compact)
+        redirect_to url, allow_other_host: true
+      elsif authorization_request.errors.where(:scope).any?
+        notify_event("authorization.request.failed",
+          client_id: params[:client_id],
+          error_type: "invalid_scope",
+          validation_errors: authorization_request.errors.full_messages)
+
+        params_for_redirect = {error: :invalid_scope, state:}.compact
+        url = @token_authority_client.url_for_redirect(params: params_for_redirect.compact)
+        redirect_to url, allow_other_host: true
+      else
+        notify_event("authorization.request.failed",
+          client_id: params[:client_id],
+          error_type: "invalid_request",
+          validation_errors: authorization_request.errors.full_messages)
+
+        params_for_redirect = {error: :invalid_request, state:}.compact
+        url = @token_authority_client.url_for_redirect(params: params_for_redirect.compact)
+        redirect_to url, allow_other_host: true
+      end
+    end
+  end
+end

data/app/controllers/token_authority/clients_controller.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+module TokenAuthority
+  ##
+  # Controller for dynamic client registration (RFC 7591)
+  class ClientsController < ActionController::API
+    include TokenAuthority::InitialAccessTokenAuthentication
+    include TokenAuthority::ControllerEventLogging
+
+    rescue_from TokenAuthority::InvalidClientMetadataError do |error|
+      notify_event("client.registration.failed",
+        error_type: "invalid_client_metadata",
+        validation_errors: [error.message])
+
+      render_registration_error("invalid_client_metadata", error.message)
+    end
+
+    rescue_from TokenAuthority::InvalidSoftwareStatementError do |error|
+      notify_event("client.registration.failed",
+        error_type: "invalid_software_statement",
+        validation_errors: [error.message])
+
+      render_registration_error("invalid_software_statement", error.message)
+    end
+
+    rescue_from TokenAuthority::UnapprovedSoftwareStatementError do |error|
+      notify_event("client.registration.failed",
+        error_type: "unapproved_software_statement",
+        validation_errors: [error.message])
+
+      render_registration_error("unapproved_software_statement", error.message)
+    end
+
+    rescue_from TokenAuthority::InvalidInitialAccessTokenError do
+      notify_event("client.registration.failed",
+        error_type: "invalid_token",
+        validation_errors: ["Initial access token is invalid or missing"])
+
+      render_registration_error("invalid_token", "Initial access token is invalid or missing", status: :unauthorized)
+    end
+
+    rescue_from ActiveRecord::RecordInvalid do |error|
+      notify_event("client.registration.failed",
+        error_type: "invalid_client_metadata",
+        validation_errors: error.record.errors.full_messages)
+
+      render_registration_error("invalid_client_metadata", error.record.errors.full_messages.join(", "))
+    end
+
+    def create
+      request = ClientRegistrationRequest.new(registration_params)
+
+      if request.valid?
+        client = request.create_client!
+
+        notify_event("client.registration.completed",
+          client_id: client.public_id,
+          client_name: client.name,
+          client_type: client.client_type,
+          grant_types: client.grant_types)
+
+        render json: ClientRegistrationResponse.new(client:).to_h, status: :created
+      else
+        notify_event("client.registration.failed",
+          error_type: "invalid_client_metadata",
+          validation_errors: request.errors.full_messages)
+
+        render_registration_error("invalid_client_metadata", request.errors.full_messages.join(", "))
+      end
+    end
+
+    private
+
+    def registration_params
+      params.permit(
+        :token_endpoint_auth_method,
+        :client_name,
+        :client_uri,
+        :logo_uri,
+        :tos_uri,
+        :policy_uri,
+        :scope,
+        :jwks_uri,
+        :software_id,
+        :software_version,
+        :software_statement,
+        redirect_uris: [],
+        grant_types: [],
+        response_types: [],
+        contacts: [],
+        jwks: {}
+      )
+    end
+
+    def render_registration_error(error, error_description, status: :bad_request)
+      render json: {error:, error_description:}, status:
+    end
+  end
+end

data/app/controllers/token_authority/metadata_controller.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module TokenAuthority
+  ##
+  # Controller for RFC 8414 OAuth 2.0 Authorization Server Metadata
+  class MetadataController < ActionController::API
+    def show
+      metadata = AuthorizationServerMetadata.new(mount_path: params[:mount_path])
+      render json: metadata.to_h
+    end
+  end
+end

data/app/controllers/token_authority/resource_metadata_controller.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module TokenAuthority
+  ##
+  # Controller for RFC 9728 OAuth 2.0 Protected Resource Metadata
+  class ResourceMetadataController < ActionController::API
+    def show
+      metadata = ProtectedResourceMetadata.new(mount_path: params[:mount_path])
+      render json: metadata.to_h
+    end
+  end
+end

data/app/controllers/token_authority/sessions_controller.rb

@@ -0,0 +1,228 @@
+# frozen_string_literal: true
+
+module TokenAuthority
+  ##
+  # Controller for issuing access and refresh tokens.
+  class SessionsController < ActionController::API
+    include TokenAuthority::ClientAuthentication
+    include TokenAuthority::ControllerEventLogging
+
+    before_action :set_authorization_grant, only: :token
+    before_action :authenticate_client, except: :unsupported_grant_type
+
+    rescue_from TokenAuthority::InvalidGrantError do
+      notify_event("token.exchange.failed",
+        client_id: params[:client_id],
+        error_type: "invalid_grant",
+        validation_errors: ["Authorization grant is invalid or expired"])
+
+      render_token_request_error(error: "invalid_grant")
+    end
+
+    rescue_from TokenAuthority::ServerError do |error|
+      Rails.logger.error(error.message)
+      render_token_request_error(error: "server_error", status: :internal_server_error)
+    end
+
+    def token
+      resources = Array(params[:resource]).presence || []
+
+      notify_event("token.exchange.requested",
+        client_id: params[:client_id],
+        grant_id: @authorization_grant&.public_id,
+        has_code_verifier: params[:code_verifier].present?)
+
+      access_token_request = TokenAuthority::AccessTokenRequest.new(
+        token_authority_authorization_grant: @authorization_grant,
+        code_verifier: params[:code_verifier],
+        redirect_uri: params[:redirect_uri],
+        resources:,
+        scope: params[:scope]
+      )
+
+      if access_token_request.valid?
+        access_token, refresh_token, expiration, scope, token_authority_session = @authorization_grant.redeem(
+          resources: access_token_request.effective_resources,
+          scopes: access_token_request.effective_scopes
+        ).deconstruct
+
+        notify_event("token.exchange.completed",
+          client_id: params[:client_id],
+          session_id: token_authority_session&.id,
+          expires_in: expiration)
+
+        response_body = {access_token:, refresh_token:, token_type: "bearer", expires_in: expiration, scope:}.compact
+        render json: response_body
+      elsif access_token_request.errors.where(:resources).any?
+        notify_event("token.exchange.failed",
+          client_id: params[:client_id],
+          error_type: "invalid_target",
+          validation_errors: access_token_request.errors.full_messages)
+
+        render_token_request_error(error: "invalid_target")
+      elsif access_token_request.errors.where(:scope).any?
+        notify_event("token.exchange.failed",
+          client_id: params[:client_id],
+          error_type: "invalid_scope",
+          validation_errors: access_token_request.errors.full_messages)
+
+        render_token_request_error(error: "invalid_scope")
+      else
+        notify_event("token.exchange.failed",
+          client_id: params[:client_id],
+          error_type: "invalid_request",
+          validation_errors: access_token_request.errors.full_messages)
+
+        render_token_request_error(error: "invalid_request")
+      end
+    end
+
+    def refresh
+      token = TokenAuthority::RefreshToken.from_token(params[:refresh_token])
+      resources = Array(params[:resource]).presence || []
+
+      refresh_token_request = TokenAuthority::RefreshTokenRequest.new(
+        token:,
+        client_id: params[:client_id],
+        resources:,
+        scope: params[:scope]
+      )
+
+      old_session = refresh_token_request.token_authority_session
+
+      notify_event("token.refresh.requested",
+        client_id: params[:client_id],
+        session_id: old_session&.id)
+
+      if refresh_token_request.valid?
+        access_token, refresh_token, expiration, scope, new_session = old_session.refresh(
+          token:,
+          client_id: refresh_token_request.resolved_client_id,
+          resources: refresh_token_request.effective_resources,
+          scopes: refresh_token_request.effective_scopes
+        ).deconstruct
+
+        notify_event("token.refresh.completed",
+          client_id: params[:client_id],
+          old_session_id: old_session&.id,
+          new_session_id: new_session&.id)
+
+        response_body = {access_token:, refresh_token:, token_type: "bearer", expires_in: expiration, scope:}.compact
+        render json: response_body
+      elsif refresh_token_request.errors.where(:resources).any?
+        notify_event("token.refresh.failed",
+          client_id: params[:client_id],
+          error_type: "invalid_target",
+          validation_errors: refresh_token_request.errors.full_messages)
+
+        render_token_request_error(error: "invalid_target")
+      elsif refresh_token_request.errors.where(:scope).any?
+        notify_event("token.refresh.failed",
+          client_id: params[:client_id],
+          error_type: "invalid_scope",
+          validation_errors: refresh_token_request.errors.full_messages)
+
+        render_token_request_error(error: "invalid_scope")
+      else
+        notify_event("token.refresh.failed",
+          client_id: params[:client_id],
+          error_type: "invalid_request",
+          validation_errors: refresh_token_request.errors.full_messages)
+
+        render_token_request_error(error: "invalid_request")
+      end
+    rescue JWT::DecodeError
+      notify_event("token.refresh.failed",
+        client_id: params[:client_id],
+        error_type: "invalid_request",
+        validation_errors: ["Invalid refresh token format"])
+
+      render_token_request_error(error: "invalid_request")
+    rescue TokenAuthority::RevokedSessionError => error
+      notify_event("security.token.theft_detected",
+        client_id: error.client_id,
+        refreshed_session_id: error.refreshed_session_id,
+        revoked_session_id: error.revoked_session_id)
+
+      Rails.logger.warn(error.message)
+      render_token_request_error(error: "invalid_request")
+    end
+
+    def unsupported_grant_type
+      render_token_request_error(error: "unsupported_grant_type")
+    end
+
+    def revoke
+      notify_event("token.revocation.requested",
+        client_id: @token_authority_client&.public_id,
+        type_hint: params[:token_type_hint])
+
+      token = TokenAuthority::JsonWebToken.decode(params[:token])
+      token_authority_session = TokenAuthority::Session.find_by(access_token_jti: token[:jti]) ||
+        TokenAuthority::Session.find_by(refresh_token_jti: token[:jti])
+
+      TokenAuthority::Session.revoke_for_token(jti: token[:jti])
+
+      notify_event("token.revocation.completed",
+        client_id: @token_authority_client&.public_id,
+        session_id: token_authority_session&.id)
+
+      head :ok
+    rescue JWT::DecodeError
+      render_unsupported_token_type_error
+    end
+
+    def revoke_access_token
+      notify_event("token.revocation.requested",
+        client_id: @token_authority_client&.public_id,
+        type_hint: "access_token")
+
+      token = TokenAuthority::AccessToken.from_token(params[:token])
+      token_authority_session = TokenAuthority::Session.find_by(access_token_jti: token.jti)
+
+      TokenAuthority::Session.revoke_for_access_token(access_token_jti: token.jti)
+
+      notify_event("token.revocation.completed",
+        client_id: @token_authority_client&.public_id,
+        session_id: token_authority_session&.id)
+
+      head :ok
+    rescue JWT::DecodeError
+      render_unsupported_token_type_error
+    end
+
+    def revoke_refresh_token
+      notify_event("token.revocation.requested",
+        client_id: @token_authority_client&.public_id,
+        type_hint: "refresh_token")
+
+      token = TokenAuthority::RefreshToken.from_token(params[:token])
+      token_authority_session = TokenAuthority::Session.find_by(refresh_token_jti: token.jti)
+
+      TokenAuthority::Session.revoke_for_refresh_token(refresh_token_jti: token.jti)
+
+      notify_event("token.revocation.completed",
+        client_id: @token_authority_client&.public_id,
+        session_id: token_authority_session&.id)
+
+      head :ok
+    rescue JWT::DecodeError
+      render_unsupported_token_type_error
+    end
+
+    private
+
+    def set_authorization_grant
+      @authorization_grant = TokenAuthority::AuthorizationGrant.find_by(public_id: params[:code])
+      raise TokenAuthority::InvalidGrantError if @authorization_grant.blank? || @authorization_grant.redeemed?
+    end
+
+    def render_token_request_error(error:, status: :bad_request)
+      render json: {error:}, status:
+    end
+
+    def render_unsupported_token_type_error
+      render json: {error: "unsupported_token_type"}, status: :bad_request
+    end
+  end
+end

data/app/helpers/token_authority/authorization_grants_helper.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module TokenAuthority
+  module AuthorizationGrantsHelper
+    # Returns a human-friendly display name for a resource URI.
+    # Looks up the URI in the configured rfc_8707_resources mapping.
+    # Falls back to the URI itself if no mapping is configured.
+    #
+    # @param resource_uri [String] The resource URI
+    # @return [String] The display name or the URI if no mapping exists
+    def resource_display_name(resource_uri)
+      resources = TokenAuthority.config.rfc_8707_resources || {}
+      resources[resource_uri] || resource_uri
+    end
+
+    # Returns a human-friendly display name for a scope.
+    # Looks up the scope in the configured scopes mapping.
+    # Falls back to the scope itself if no mapping is configured.
+    #
+    # @param scope [String] The scope string
+    # @return [String] The display name or the scope if no mapping exists
+    def scope_display_name(scope)
+      scopes = TokenAuthority.config.scopes || {}
+      scopes[scope] || scope
+    end
+  end
+end