toker 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 05f09692a0b7434bd2b9f5863d56d0bb1f7a095f
+  data.tar.gz: 59b9044130987a282cf44d0fa87d98aa1d4f8af9
+SHA512:
+  metadata.gz: 55394ef9108cda69194d6a282ad88ac2e1d383c6c9ec306e9b6272b6881f1f770d1fdfa2b9a9d98ae6bb390b2aa3d6cef250e99f151f7e0319d2af0a6071892b
+  data.tar.gz: 3129c5c317708647272eabcc8c289af3f057d29a62ffef15d62205ee89495ccb1acd77ca4559cb522eabf7b732e055ce5cbe2ed5a7195fbb74cac03de1cd18ee

data/LICENSE

@@ -0,0 +1,19 @@
+The MIT License (MIT)
+Copyright © 2016 Jack Flannery
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the “Software”), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,120 @@
+# Toke
+
+Toke is a Rails engine that is designed to be mounted in a Rails API and provides simple token based authentication. Toke provides a user model and restful JSON routes for registering new users, logging in, and logging out. Toke will return a JSON Web Token (JWT) upon successfull login, which will be required for any actions that you choose to secure by using the provided `before_action toke!`
+
+**Warning: Toke uses an http header to pass the token, so use always https.**
+
+### Install
+
+    gem install toke
+  
+or in a your Gemfile:
+
+    gem 'toke', '~> 0.1.0'
+
+#### Install the migrations
+
+Toke uses two Active Record models: `Toke::User` and `Toke::Token`. `Users` have one (`has_one`) `Token` and `Tokens` belong to (`belong_to`) `Users`. The tables for the models are `toke_users` and `toke_tokens`. To copy the two migrations into your application's `db/migrate` directory, that will create these tables, run the following rake command:
+
+    rake install:toke:migrations
+
+Feel free to add additional fields to these migrations, but be sure not to remove anything, all are required. Migrate your datebase as usual:
+
+    rake db:migrate
+
+#### Mount the Toke engine
+
+Toke's routes need to be added to your application's routes. You can namespace the tokes routes by mounting Toke at a path such `/toke` by adding the following line to your routes file:
+
+    mount Toke::Engine => "/toke"
+
+Or you can just mount Toke at `/` if that works for you:
+
+    mount Toke::Engine => "/"
+
+Run `rake routes` to see the all of the routes that are added to your application.
+
+Finally include the `Toke::TokenAuthentication` module in your ApplicationController, or any individual controller where you need the `toke!` and `current_user` methods available.
+
+    include Toke::TokenAuthentication
+
+### Log In
+
+If you have a user with email: jack@example.com and password "secret", login with a POST request using http basic authentication to pass the email and password in a header, with an empty body. This can be demonstrated with the curl: (all expamles assume that Toke is mounted at `/`)
+
+    curl -i -X POST example.com/login -u "jack@example.com:secret"
+    
+If authentication fails, status code `401 Unauthorized` will be returned.
+
+If authentication is successfull, then status code `201 Created` will be returned, and the body will contain the JSON representation of the logged in user. Also returned will be an `Authorization` header containing the token, for example:
+
+    Authorization: Token eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl9pZCI6MSwiZXhwIjoxNTExODAzNzEzfQ.6nBJNPQ5jJsSOOCAWtAjaMnU3r6ofECsC9ckm4YbGrU
+
+If you store the token on the client, such as in browser local storage, and need to check if it is still valid and not expired, send a `PUT` request to `/login` with the token in an `Authorization` request header. For example on a single page web app, you may want to validate the token is valid and get the `User` object back in response on every page load when the user is logged in. Done in curl that would look like this:
+
+    curl -i -X PUT example.com/login -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl9pZCI6MSwiZXhwIjoxNTExODAzNzEzfQ.6nBJNPQ5jJsSOOCAWtAjaMnU3r6ofECsC9ckm4YbGrU'
+
+If successful `200 OK` will be returned along the `User` object in the body. If the token is expired or invalid a `401 Unauthorized` will be returned instead.
+
+### Securing a controller action
+
+The `toke!` method is provided to use as a before action to secure your API endpoints. Add the following to a controller that should require authentication
+
+    before_action toke!
+
+Secured endpoints will now require an `Authorization` request header containing the token recieved in the response header of the login API call. If you have a the following `PostsController`
+
+    class PostsController < ApplicationController
+      before_action :toke!
+
+      # ...
+    end
+
+and a routes file like this:
+
+    Rails.application.routes.draw do
+      mount Toke::Engine => "/"
+      resources :posts
+    end
+
+A get request to the index action would look like this with curl:
+
+    curl -i example.com/posts -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl9pZCI6MSwiZXhwIjoxNTExODAzNzEzfQ.6nBJNPQ5jJsSOOCAWtAjaMnU3r6ofECsC9ckm4YbGrU'
+
+If the token matches and is not expired, then your controller action will execute. Inside the contoller action, `current_user` will be available, giving you access to the `User` object that matched the given token.
+
+If the token is expired, invalid or not given at all, by default a status of `401 Unauthorized` and an empty response body will be returned.
+
+You can change the default behavior of returning `401` by passing a block to `toke!`. The block will be executed when authentication fails. For example, you may want your controller to have a limited functionality to anyone not logged in with a token. You may have published posts that you would permit anyone to access. However logged in users with a token should have access to all of their own posts, published or not. You can achieve this with something like the following:
+
+    class PostsController < ApplicationController
+      before_action :toke!, only: [:create, :update, :destroy]
+      
+      before_action only: :index do
+        toke! do |errors|
+          render json: Post.published
+        end
+      end
+
+      before_action only: :show do
+        toke! do |errors|
+          render json: Post.published.find(params[:id])
+        end
+      end
+      
+      def index
+        render json: current_user.posts
+      end
+      
+      def show
+        render json: current_user.posts.find(params[:id])
+      end
+
+      # ...
+    end
+
+### Log Out
+
+To logout send a `delete` request to `/logout` passing the token as you would on any other secured endpoint. In curl:
+
+    curl -i -X DELETE example.com/logout -H 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0b2tlbl9pZCI6MSwiZXhwIjoxNTExODAzNzEzfQ.6nBJNPQ5jJsSOOCAWtAjaMnU3r6ofECsC9ckm4YbGrU'

data/Rakefile

@@ -0,0 +1,35 @@
+#!/usr/bin/env rake
+
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Toke'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+Bundler::GemHelper.install_tasks
+
+Dir[File.join(File.dirname(__FILE__), 'tasks/**/*.rake')].each {|f| load f }
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test

data/app/controllers/toker/application_controller.rb

@@ -0,0 +1,6 @@
+module Toker
+  class ApplicationController < ActionController::API
+    include ActionController::HttpAuthentication::Basic::ControllerMethods
+    include Toker::TokenAuthentication
+  end
+end

data/app/controllers/toker/sessions_controller.rb

@@ -0,0 +1,51 @@
+module Toker
+  class SessionsController < ApplicationController
+    before_action :toke!, only: :destroy
+
+    def create
+      @user = authenticate_with_http_basic do |email, password|
+        user = User.find_by email: email
+        if user && user.authenticate(password)
+          user.token.destroy if user.token
+          user.token = Token.create expires_at: 1.year.from_now
+          user.token.generate_key!
+          user.token.save
+          user
+        end
+      end
+      if @user
+        response.headers['Authorization'] = "Token #{@user.token.key}"
+        render json: @user, status: :created
+      else
+        render json: { Unauthorized: 'Invalid email or password' }, status: :unauthorized
+      end
+    end
+
+    def update
+      token = authenticate_with_http_token do |jwt, options|
+        Token.decode(jwt)[0]
+      end
+      user = token.user if token
+      if user
+        response.headers['Authorization'] = "Token #{token.key}"
+        render json: user
+      else
+        render json: { Unauthorized: 'Invalid session' }, status: :unauthorized
+      end
+    end
+
+    def destroy
+      @user.token.destroy
+      head :no_content
+    end
+
+    private
+
+    def payload
+      {
+        user_id: @user.id,
+        exp: 1.year.from_now.to_i
+      }
+    end
+  end
+end

data/app/controllers/toker/users_controller.rb

@@ -0,0 +1,31 @@
+module Toker
+
+  class UsersController < ApplicationController
+
+    before_action :toke!
+
+    def create
+      user = User.new(person_params)
+      if user.save
+        render json: user, status: 201
+      else
+        head 500
+      end
+    end
+
+    def index
+      render json: User.all
+    end
+
+    def show
+      user = User.find(params[:id])
+      render json: user
+    end
+
+    private
+
+    def person_params
+      params.require(:user).permit(:email, :password, :password_confirmation)
+    end
+  end
+end

data/app/helpers/toker/application_helper.rb

@@ -0,0 +1,4 @@
+module Toker
+  module ApplicationHelper
+  end
+end

data/app/models/toker/token.rb

@@ -0,0 +1,30 @@
+module Toker
+  class Token < ActiveRecord::Base
+    belongs_to :user
+
+    def generate_key!
+      self.key = JWT.encode payload, Rails.application.secrets.secret_key_base, 'HS256'
+      return self.key
+    end
+
+    def payload
+      {
+        token_id: id,
+        exp: expires_at.to_i
+      }
+    end
+
+    def self.decode(jwt)
+      begin
+        decoded_token = JWT.decode jwt, Rails.application.secrets.secret_key_base, 'HS256'
+        token_id = decoded_token[0]['token_id']
+        token = Token.find(token_id)
+      rescue JWT::ExpiredSignature
+        error = { Unauthorized: 'Token expired' }
+      rescue JWT::DecodeError, JWT::VerificationError, ActiveRecord::RecordNotFound
+        error = { Unauthorized: 'Token invalid' }
+      end
+      [token, error]
+    end
+  end
+end

data/app/models/toker/user.rb

@@ -0,0 +1,11 @@
+module Toker
+  class User < ActiveRecord::Base
+    has_secure_password
+
+    validates :email, presence: true, uniqueness: true
+    validates :password, confirmation: true, length: { in: 6..50 }
+    validates :password_confirmation, presence: true
+
+    has_one :token
+  end
+end

data/app/serializers/toker/token_serializer.rb

@@ -0,0 +1,9 @@
+module Toker
+  class TokenSerializer < ActiveModel::Serializer
+    attributes :id, :key, :expires_at, :user_id
+
+    def expires_at
+      object.expires_at.to_s(:db)
+    end
+  end
+end

data/app/serializers/toker/user_serializer.rb

@@ -0,0 +1,5 @@
+module Toker
+  class UserSerializer < ActiveModel::Serializer
+    attributes :id, :email
+  end
+end

data/config/initializers/active_model_serializers.rb

@@ -0,0 +1 @@
+ActiveModelSerializers.config.adapter = :json

data/config/routes.rb

@@ -0,0 +1,9 @@
+Toker::Engine.routes.draw do
+  post 'register', to: 'users#create'
+
+  post 'login', to: 'sessions#create'
+  put 'login', to: 'sessions#update'
+  delete 'logout', to: 'sessions#destroy'
+
+  resources :users, only: [:index, :show]
+end

data/db/migrate/20130822225749_create_toker_users.rb

@@ -0,0 +1,10 @@
+class CreateTokerUsers < ActiveRecord::Migration
+  def change
+    create_table :toker_users do |t|
+      t.string :email, index: true
+      t.string :password_digest
+
+      t.timestamps
+    end
+  end
+end

data/db/migrate/20130908035917_create_toker_tokens.rb

@@ -0,0 +1,11 @@
+class CreateTokerTokens < ActiveRecord::Migration
+  def change
+    create_table :toker_tokens do |t|
+      t.references :user, index: true
+      t.string :key, limit: 256
+      t.timestamp :expires_at
+
+      t.timestamps
+    end
+  end
+end

data/lib/tasks/toker_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :toker do
+#   # Task goes here
+# end

data/lib/toker.rb

@@ -0,0 +1,37 @@
+require "toker/engine"
+require "active_model_serializers"
+require "jwt"
+
+module Toker
+  module TokenAuthentication
+    include ActionController::HttpAuthentication::Token::ControllerMethods
+
+    def toke!(&unauthorized_handler)
+      token = authenticate_with_http_token do |jwt, options|
+        token, error = Token.decode(jwt)
+        errors.merge!(error) if error
+        token
+      end
+
+      @user = token.user if token
+
+      unless @user
+        if block_given?
+          unauthorized_handler.call(errors)
+        else
+          render json: errors, status: :unauthorized
+        end
+      end
+    end
+
+    def current_user
+      @user
+    end
+
+    private
+
+    def errors
+      @errors ||= { 'Unauthorized' => 'Token required' }
+    end
+  end
+end

data/lib/toker/engine.rb

@@ -0,0 +1,5 @@
+module Toker
+  class Engine < ::Rails::Engine
+    isolate_namespace Toker
+  end
+end

data/lib/toker/version.rb

@@ -0,0 +1,3 @@
+module Toker
+  VERSION = "0.1.0"
+end

data/spec/controllers/toker/sessions_controller_spec.rb

@@ -0,0 +1,7 @@
+require 'rails_helper'
+
+module Toker
+
+  describe SessionsController do
+  end
+end