userbin 0.3.5 → 0.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: fe753d445c9d4a87e78d129234ccf88ab2e5ef1f
-  data.tar.gz: 611c69c56f409d7157ada99598e4d0a4063ff125
+  metadata.gz: eae191f76ab1ba6ce4587ba1b815e3d8fabeab8e
+  data.tar.gz: f98042c6d8858878062c45851ca71489010c9738
 SHA512:
-  metadata.gz: bb5795d97506c84c17cfc09b96c73d022ab2e685b554aab90a01c0be9f5f5443907e1c53c117068c2a3682dc5e7350eb02586394b6017694ad47eeb5193814ab
-  data.tar.gz: 883d892aa1169d658c874b6f7dacc8400c5914ac1ac446187393eadad5fd30b992a915d5c252ffcce782fd932b3c6ab5af8871e2331324df9db14ea6ac3ddc66
+  metadata.gz: 6cbc7e71ac93e2f9eb8061e206451c144f378e4ec82ced8b3fda8ec94bb30bf020f6d9b5540d1c4e4c986927f14ab1735d66c331197ca99064ebc4429bb29e3f
+  data.tar.gz: c0b1103e93988a1a11ce39087be9ecda328824530403f77bf1fd20e68d2d343edd918aa4f7d6e883ea4f7cd959cf55d7175f03e88bff69e58755779b0c08f58b

data/README.md

@@ -1,11 +1,13 @@
 [![Build Status](https://travis-ci.org/userbin/userbin-ruby.png)](https://travis-ci.org/userbin/userbin-ruby)
+[![Gem Version](https://badge.fury.io/rb/userbin.png)](http://badge.fury.io/rb/userbin)
+[![Dependency Status](https://gemnasium.com/userbin/userbin-ruby.png)](https://gemnasium.com/userbin/userbin-ruby)
 
 Userbin for Ruby
 ================
 
-Userbin for Ruby adds user authentication, login flows and user management to your **Rails**, **Sinatra** or **Rack** app.
+Userbin for Ruby adds user authentication, login flows and user management to your **Rails**, **Sinatra** or **Rack** app, with users stored in your own database.
 
-[Userbin](https://userbin.com) provides a set of login, signup, and password reset forms that drop right into your application without any need of styling or writing markup. Connect your users via traditional logins or third party social networks. We take care of linking accounts across networks, resetting passwords, and keeping everything safe and secure.
+[Userbin](https://userbin.com) provides a set of login, signup, and password reset forms that drop right into your application without any need of styling or writing markup. Connect your users via traditional logins or third party social networks. It takes care of linking accounts across networks, resetting passwords, and keeping everything safe and secure.
 
 [Create a free account](https://userbin.com) at Userbin to start accepting users in your application.
 
@@ -24,51 +26,76 @@ Installation
     bundle install
     ```
 
-2.  Configure the Userbin module with the credentials you got from signing up.
+1.  Generate configuration
 
-    In a Rails app, put the following code into a new file at `config/initializers/userbin.rb`, and in Sinatra put it in your main application file and add `require "userbin"`.
-
-    ```ruby
-    Userbin.configure do |config|
-      config.app_id = "YOUR_APP_ID"
-      config.api_secret = "YOUR_API_SECRET"
-    end
+    ```shell
+    curl https://lib.userbin.com/install.sh | sh YOUR_APP_ID YOUR_API_SECRET
     ```
 
-    If you don't configure the `app_id` and `api_secret`, the Userbin module will read the `USERBIN_APP_ID` and `USERBIN_API_SECRET` environment variables. This may come in handy on Heroku.
+    If you don't configure the App ID and API Secret, the Userbin module will read the `USERBIN_APP_ID` and `USERBIN_API_SECRET` environment variables. This may come in handy on Heroku.
 
-3.  **Rack/Sinatra apps only**: Activate the Userbin Rack middleware
+1.  **Rack/Sinatra apps only**: Load and activate the Userbin Rack middleware
 
     ```ruby
+    require 'userbin'
+
     use Userbin::Authentication
     ```
 
 
-Usage
------
+Configuration
+-------------
 
-### Forms
+### Authenticating
 
-An easy way to integrate Userbin is via the [Widget](https://userbin.com/docs/javascript#widget), which will take care of building forms, validating input and provides a drop-in design that adapts nicely to all devices.
+You need to configure Userbin in order to provide the `current_user` model:
 
-The Widget is fairly high level, so remember that you can still use Userbin with your [own forms](https://userbin.com) if it doesn't fit your use-case.
+``` ruby
+Userbin.configure do
+  current_user do |profile|
+    User.find(profile.uid).first_or_initialize(
+      email: profile.email,
+      image: profile.image
+    )
+  end
+end
+```
 
-The following links will open up the Widget with the login or the signup form respectively.
+This code is run in the context of your application so you have access to your models, session or routes helpers. However, since this code is not run in the context of your application's ApplicationController it doesn't have access
+to the methods defined over there.
 
-```html
-<a class="ub-login">Log in</a>
-```
 
-```html
-<a class="ub-signup">Sign up</a>
+### Protecting routes
+
+Use `authorize` to control access in controllers:
+
+```ruby
+class ArticlesController < ApplicationController
+  before_filter :authorize
+
+  def index
+    current_user.articles
+  end
+end
 ```
 
-The logout link will clear the session and redirect the user back to your root path:
+Or, you can authorize users in `config/routes.rb`:
 
-```html
-<a class="ub-logout">Log out</a>
+```ruby
+Blog::Application.routes.draw do
+  constraints Userbin::Protect.new { |user| user.admin? } do
+    root to: 'admin'
+  end
+
+  constraints Userbin::Protect.new do
+    mount MagicalWorker
+  end
+end
 ```
 
+Usage
+-----
+
 ### The current user
 
 Userbin keeps track of the currently logged in user which can be accessed through the `current_user` property. This automatically taps into libraries such as the authorization solution [CanCan](https://github.com/ryanb/cancan).
@@ -85,8 +112,31 @@ To check if a user is logged in, use `user_logged_in?` (or its alias `user_signe
 <% end %>
 ```
 
+
 **Rack/Sinatra apps only**: Since above helpers aren't available outside Rails, instead use `Userbin.current_user` and `Userbin.user_logged_in?`.
 
+### Forms
+
+An easy way to integrate Userbin is via the [Widget](https://userbin.com/docs/javascript#widget), which will take care of building forms, validating input and provides a drop-in design that adapts nicely to all devices.
+
+The Widget is fairly high level, so remember that you can still use Userbin with your [own forms](https://userbin.com) if it doesn't fit your use-case.
+
+Use `current_user` and `logged_in?` in controllers, views, and helpers:
+
+```haml
+- if signed_in?
+  = current_user.email
+  = link_to 'Log out', '/', class: 'ub-logout'
+- else
+  = link_to 'Sign up', '/dashboard', class: 'ub-signup'
+  = link_to 'Log in', '/dashboard', class: 'ub-login'
+```
+
+### Protecting resources
+
+...
+
+
 Configuration
 -------------
 

data/lib/userbin.rb

@@ -16,9 +16,7 @@ api_endpoint = ENV.fetch('USERBIN_API_ENDPOINT') {
   c.use Userbin::BasicAuth
   c.use Faraday::Request::UrlEncoded
   c.use Her::Middleware::DefaultParseJSON
-  #c.use Userbin::ParseSignedJSON
   c.use Faraday::Adapter::NetHttp
-  #c.use Userbin::VerifySignature
 end
 
 require "userbin/configuration"

data/lib/userbin/authentication.rb

@@ -12,41 +12,29 @@ module Userbin
         raise ConfigurationError, "app_id and api_secret must be present"
       end
 
+      Thread.current[:userbin] = nil
+
       request = Rack::Request.new(env)
 
       begin
-        if env["PATH_INFO"] == "/userbin" &&
-           env["REQUEST_METHOD"] == "POST"
-          signature, data = Userbin.authenticate_events!(request)
-
-          MultiJson.decode(data)['events'].each do |event|
-            Userbin::Events.trigger(event)
-          end
-
-          [ 200, { 'Content-Type' => 'text/html',
-            'Content-Length' => '2' }, ['OK'] ]
-        else
-          signature, data = Userbin.authenticate!(request)
-
-          if !Userbin.authenticated? && Userbin.config.protected_path &&
-            env["PATH_INFO"].start_with?(Userbin.config.protected_path)
+        jwt = Userbin.authenticate!(request)
 
-            return render_gateway(env["PATH_INFO"])
-          end
+        if !Userbin.authenticated? && Userbin.config.protected_path &&
+          env["PATH_INFO"].start_with?(Userbin.config.protected_path)
 
-          generate_response(env, signature, data)
+          return render_gateway(env["PATH_INFO"])
         end
+
+        generate_response(env, jwt)
       rescue Userbin::SecurityError
         message =
-          'Userbin::SecurityError: Invalid signature. Refresh to try again.'
+          'Userbin::SecurityError: Invalid session. Refresh to try again.'
         headers = {
           'Content-Type' => 'text/text'
         }
 
         Rack::Utils.delete_cookie_header!(
-          headers, '_ubs', value = {})
-        Rack::Utils.delete_cookie_header!(
-          headers, '_ubd', value = {})
+          headers, '_ubt', value = {})
 
         [ 400, headers, [message] ]
       end
@@ -99,7 +87,7 @@ module Userbin
       [403, headers, [login_page]]
     end
 
-    def generate_response(env, signature, data)
+    def generate_response(env, jwt)
       status, headers, response = @app.call(env)
 
       if headers['Content-Type'] && headers['Content-Type']['text/html']
@@ -123,16 +111,12 @@ module Userbin
         end
       end
 
-      if signature && data
+      if jwt
         Rack::Utils.set_cookie_header!(
-          headers, '_ubs', value: signature, path: '/')
-        Rack::Utils.set_cookie_header!(
-          headers, '_ubd', value: data, path: '/')
+          headers, '_ubt', value: jwt, path: '/')
       else
         Rack::Utils.delete_cookie_header!(
-          headers, '_ubs', value = {})
-        Rack::Utils.delete_cookie_header!(
-          headers, '_ubd', value = {})
+          headers, '_ubt', value = {})
       end
 
       [status, headers, response]

data/lib/userbin/basic_auth.rb

@@ -11,9 +11,7 @@ module Userbin
   class VerifySignature < Faraday::Response::Middleware
     def call(env)
       @app.call(env).on_complete do
-        signature = env[:response_headers]['x-userbin-signature']
-        data = env[:body]
-        Userbin.valid_signature?(signature, data)
+        Userbin.decode_jwt(env[:body])
       end
     end
   end

data/lib/userbin/userbin.rb

@@ -1,42 +1,37 @@
 module Userbin
-  def self.authenticate_events!(request, now = Time.now)
-    signature, data =
-      request.params.values_at('signature', 'data')
-
-    valid_signature?(signature, data)
-
-    [signature, data]
+  def self.decode_jwt(jwt)
+    JWT.decode(jwt, Userbin.config.api_secret)
   end
 
-  # Provide either a Rack::Request or a Hash containing :signature and :data.
-  #
-  def self.authenticate!(request, now = Time.now)
-    signature, data =
-      request.cookies.values_at('_ubs', '_ubd')
+  def self.authenticate!(request)
+    jwt = request.cookies['_ubt']
+    return unless jwt
 
-    if signature && data && valid_signature?(signature, data)
+    decoded = Userbin.decode_jwt(jwt)
 
-      current = Userbin::Session.new(MultiJson.decode(data))
+    if Time.now > Time.at(decoded['expires_at'] / 1000)
+      jwt = refresh_session(decoded['id'])
+      return unless jwt
 
-      if now > Time.at(current.expires_at / 1000)
-        signature, data = refresh_session(current.id)
+      decoded = Userbin.decode_jwt(jwt)
+
+      if Time.now > Time.at(decoded['expires_at'] / 1000)
+        raise Userbin::SecurityError
       end
     end
 
-    tmp = MultiJson.decode(data) if data
-
-    self.current = Userbin::Session.new(tmp)
+    self.current = Userbin::Session.new(decoded)
 
-    [signature, data]
+    return jwt
   end
 
   def self.refresh_session(session_id)
     api_endpoint = ENV["USERBIN_API_ENDPOINT"] || 'https://api.userbin.com'
-    uri = URI("#{api_endpoint}/sessions/#{session_id}/refresh")
+    uri = URI("#{api_endpoint}/sessions/#{session_id}/refresh.jwt")
     uri.user = config.app_id
     uri.password = config.api_secret
     net = Net::HTTP.post_form(uri, {})
-    [net['X-Userbin-Signature'], net.body]
+    net.body
   end
 
   def self.current
@@ -107,15 +102,4 @@ module Userbin
   def self.user
     current_user
   end
-
-  private
-
-  # Checks signature against secret and returns boolean
-  #
-  def self.valid_signature?(signature, data)
-    digest = OpenSSL::Digest::SHA256.new
-    valid = signature == OpenSSL::HMAC.hexdigest(digest, config.api_secret, data)
-    raise SecurityError, "Invalid signature" unless valid
-    valid
-  end
 end

data/lib/userbin/version.rb

@@ -1,3 +1,3 @@
 module Userbin
-  VERSION = "0.3.5"
+  VERSION = "0.4.2"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: userbin
 version: !ruby/object:Gem::Version
-  version: 0.3.5
+  version: 0.4.2
 platform: ruby
 authors:
 - Johan