warden-cognito 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bf59a14b691d78eb16f048087c84307efd4a37789d2f85fe5100523571fcc134
-  data.tar.gz: 0be9c19501448ac6d78498e1570c3e2d763726463ab672d6b4194a5f3836ebf3
+  metadata.gz: ad71888695cae9d89e314a98ee48954af77ae821210bc11c4585027f770d6e6b
+  data.tar.gz: a0cf1379d7ac70acb57d9f96aa606ff9760c6d50529d3206f77ee79cfaea8b42
 SHA512:
-  metadata.gz: 19570e460e1d0d19b7e8c13d6bef79effaf77abb9770b48c0806bdd156e6357072f670b28cd8044d2ae34cb3f4ad822329942a9b860c7f636889fcb9b7a96b55
-  data.tar.gz: 8170cedc239e47cf814e8ec2fdb5e5a5c89b63443593fcd155a6de440440de5d5c061d3218f211f49bd9b43acbb6885afcd1acd13b403e5438893f8b941c3df3
+  metadata.gz: e74522ac52fc4986766bbdea18437a6996eef668ccd547c80b7cc4f048c1d31c0293614f889f241c86fb67cdbda2e837b1142ce1e69439ff296ff4ae63306827
+  data.tar.gz: b7911fa57b3eccc01bffee7a660e6c70c40fad15aa1e42d83b9895d5f8920220345cead762c51b1d9a20424dca4cc9314f6b49681ad010eedfa394e8f2480669

data/.rubocop.yml

@@ -2,6 +2,7 @@ AllCops:
   Exclude:
     - 'bin/*'
     - 'db/**/*'
+    - 'vendor/**/*'
 
 Style/FrozenStringLiteralComment:
   Enabled: false

data/.travis.yml

@@ -3,5 +3,16 @@ sudo: false
 language: ruby
 cache: bundler
 rvm:
-  - 2.6.3
-before_install: gem install bundler -v 1.17.2
+  - 2.6
+  - 2.7
+  - ruby-head
+before_install:
+  - gem update --system --no-doc
+  - gem install bundler
+script:
+  - bundle exec rspec
+  - bundle exec rubocop
+jobs:
+  allow_failures:
+    - rvm: ruby-head
+

data/CHANGELOG.md

@@ -5,4 +5,16 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+
+## [0.2.0]
+- Extended exposed API
+- TestHelpers utils
+- Add Travis setup
+
+## [0.1.0]
+
 - Scratching the gem
+
+[Unreleased]: https://github.com/barkibu/warden-cognito/compare/v0.2.0...HEAD
+[0.2.0]: https://github.com/barkibu/warden-cognito/compare/v0.1.0...v0.2.0
+[0.1.0]: https://github.com/barkibu/warden-cognito/releases/tag/v0.1.0

data/README.md

@@ -1,6 +1,6 @@
 # Warden::Cognito
 
-[![Codeship Status for barkibu/warden-cognito](https://app.codeship.com/projects/f305e0e4-e1e3-40ef-90b3-ab7475ed480c/status?branch=master)](https://app.codeship.com/projects/417617)
+[![Build Status](https://travis-ci.com/barkibu/warden-cognito.svg?branch=master)](https://travis-ci.com/barkibu/warden-cognito)
 
 Welcome to your new gem! In this directory, you'll find the files you need to be able to package up your Ruby library into a gem. Put your Ruby code in the file `lib/warden/cognito`. To experiment with that code, run `bin/console` for an interactive prompt.
 
@@ -24,8 +24,7 @@ Or install it yourself as:
 
 ## Usage
 
-
-Add to  your initializers the following:
+Configure how the gem maps Cognito users to local ones adding to your initializers the following:
 ```ruby
  Warden::Cognito.configure do |config|
     config.user_repository = User
@@ -35,12 +34,35 @@ Add to  your initializers the following:
 end
 ```
 
+This gem will look for the following the env variables:
+- **AWS_REGION**
+- **AWS_COGNITO_USER_POOL_ID**
+- **AWS_COGNITO_CLIENT_ID**
+
+### With Devise
+
+You can know protects endpoints by settings the available strategies in the Warden section of your Device's configuration:
+```ruby
+  # config/initializers/devise.rb
+  # 
+  # /***/
+  config.warden do |manager|
+    manager.default_strategies(scope: :user).unshift :cognito_auth
+    manager.default_strategies(scope: :user).unshift :cognito_jwt
+    # /***/
+  end
+```
+
 ### User Repository
 
 The user repository will be used to look for an entity to mark as authenticated, it must implement the following:
 - `find_by_cognito_username` that should return the user identified by the given username or nil
 - `find_by_cognito_attribute` that should return the user identified by the given Cognito User attribute (`config.identifying_attribute`) or nil
 
+### User Model
+
+The user model must expose a message `cognito_id` that returns the `identifying_attribute` for the given user.
+
 ### `after_local_user_not_found` Callback
 
 A callback triggered whenever the user correctly authenticated on Cognito but no local user exists (receives the full [cognito user](https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Types/GetUserResponse.html))
@@ -49,6 +71,70 @@ A callback triggered whenever the user correctly authenticated on Cognito but no
 The cache used to store the AWS Json Web Keys as well as the mapping between local and remote identifiers.
 Defaults to `ActiveSupport::Cache::NullStore`
 
+### Testing
+
+The TestHelpers module is here to help testing code using this gem to validate tokens and authenticate users:
+
+Create a module and make sure it is loaded as part of the support files of your rspec configuration:
+
+```ruby
+module Helpers
+  module JWT
+    def self.included(base)
+      base.class_eval do
+        Warden::Cognito::TestHelpers.setup
+      end
+    end
+
+    def auth_headers_for_user(user, headers = {})
+      Warden::Cognito::TestHelpers.auth_headers(headers, user)
+    end
+
+    def jwt_for_user(user)
+      auth_headers_for_user(user)[:Authorization].split[1]
+    end
+  end
+end
+```
+
+Include this module in the relevant test types:
+```ruby
+RSpec.configure do |config|
+  # /***/
+  config.include Helpers::JWT, type: :request
+end
+```
+
+You can now generate tokens for your users in your tests, for instance:
+```ruby
+let(:user) { create(:user) } # Your users needs to be available through the UserRepository you defined
+let(:headers) { auth_headers_for_user(user) }
+let(:token) { jwt_for_user(user) }
+```
+
+### API
+
+This gem also exposes classes that you can use to validate tokens and/or fetch a user from a given token:
+
+```ruby
+token = 'The token a user passed along in a request'
+token_decoder = TokenDecoder.new(token)
+
+# Is the token valid ?
+token_decoder.validate!
+
+# What's in this token ?
+token_decoder.decoded_token
+
+# What's the phone_number attribute of the user identified by this token ?
+token_decoder.user_attribute('phone_number')
+
+# Who is the local user associated with this token
+user = LocalUserMapper.find(token_decoder)
+# or 
+user = LocalUserMapper.find_by_token(token)
+```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
@@ -67,7 +153,7 @@ An then, for example:
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/warden-cognito.
+Bug reports and pull requests are welcome on GitHub at https://github.com/barkibu/warden-cognito.
 
 ## License
 

data/lib/warden/cognito.rb

@@ -10,17 +10,35 @@ module Warden
   module Cognito
     extend Dry::Configurable
 
+    def jwk_config_keys
+      %i[key issuer]
+    end
+
+    def jwk_instance(value)
+      attributes = value&.symbolize_keys&.slice(*jwk_config_keys) || {}
+      Struct.new(*jwk_config_keys, keyword_init: true).new(attributes)
+    end
+
+    module_function :jwk_config_keys, :jwk_instance
+
     setting :user_repository
-    setting :identifying_attribute, 'sub'
+    setting(:identifying_attribute, 'sub', &:to_s)
     setting :after_local_user_not_found
     setting :cache, ActiveSupport::Cache::NullStore.new
 
+    setting(:jwk, nil) { |value| jwk_instance(value) }
+
     Import = Dry::AutoInject(config)
   end
 end
 
+require 'warden/cognito/jwk_loader'
 require 'warden/cognito/version'
+require 'warden/cognito/user_not_found_callback'
+require 'warden/cognito/local_user_mapper'
 require 'warden/cognito/authenticatable_strategy'
 require 'warden/cognito/token_authenticatable_strategy'
+require 'warden/cognito/token_decoder'
 require 'warden/cognito/user_helper'
 require 'warden/cognito/cognito_client'
+require 'warden/cognito/test_helpers'

data/lib/warden/cognito/authenticatable_strategy.rb

@@ -4,11 +4,12 @@ require 'aws-sdk-cognitoidentityprovider'
 module Warden
   module Cognito
     class AuthenticatableStrategy < Warden::Strategies::Base
-      attr_reader :helper
+      attr_reader :helper, :user_not_found_callback
 
       def initialize(env, scope = nil)
         super
-        @helper = UserHelper
+        @user_not_found_callback = UserNotFoundCallback.new
+        @helper = UserHelper.new
       end
 
       def valid?
@@ -16,11 +17,11 @@ module Warden
       end
 
       def authenticate!
-        initiate_auth_response = CognitoClient.initiate_auth(email, password)
+        attempt = CognitoClient.initiate_auth(email, password)
 
-        return fail(:unknow_cognito_response) unless initiate_auth_response
+        return fail(:unknow_cognito_response) unless attempt
 
-        user = local_user || after_user_local_not_found(initiate_auth_response.authentication_result)
+        user = local_user || trigger_callback(attempt.authentication_result)
 
         fail!(:unknown_user) unless user.present?
         success!(user)
@@ -32,13 +33,13 @@ module Warden
 
       private
 
-      def local_user
-        helper.find_by_cognito_username(email)
+      def trigger_callback(authentication_result)
+        cognito_user = CognitoClient.fetch(authentication_result.access_token)
+        user_not_found_callback.call(cognito_user)
       end
 
-      def after_user_local_not_found(authentication_result)
-        user_response = CognitoClient.fetch(authentication_result.access_token)
-        Cognito.config.after_local_user_not_found&.call(user_response)
+      def local_user
+        helper.find_by_cognito_username(email)
       end
 
       def cognito_authenticable?

data/lib/warden/cognito/jwk_loader.rb

@@ -0,0 +1,28 @@
+module Warden
+  module Cognito
+    class JwkLoader
+      include Cognito::Import['cache']
+      include Cognito::Import['jwk']
+
+      def jwt_issuer
+        jwk.issuer || "https://cognito-idp.#{ENV['AWS_REGION']}.amazonaws.com/#{ENV['AWS_COGNITO_USER_POOL_ID']}"
+      end
+
+      def call(options)
+        return { keys: [jwk.key.export] } if jwk.key.present?
+
+        cache.delete(jwk_url) if options[:invalidate]
+
+        cache.fetch(jwk_url, expires_in: 1.hour) do
+          JSON.parse(HTTP.get(jwk_url).body.to_s).deep_symbolize_keys
+        end
+      end
+
+      private
+
+      def jwk_url
+        "#{jwt_issuer}/.well-known/jwks.json"
+      end
+    end
+  end
+end

data/lib/warden/cognito/local_user_mapper.rb

@@ -0,0 +1,34 @@
+module Warden
+  module Cognito
+    class LocalUserMapper
+      include Cognito::Import['cache', 'identifying_attribute']
+
+      class << self
+        def find(token_decoder)
+          new.call(token_decoder)
+        end
+
+        def find_by_token(token)
+          find(TokenDecoder.new(token))
+        end
+      end
+
+      def call(token_decoder)
+        helper.find_by_cognito_attribute local_identifier(token_decoder)
+      end
+
+      private
+
+      def local_identifier(token_decoder)
+        cache_key = "COGNITO_LOCAL_IDENTIFIER_#{token_decoder.sub}"
+        cache.fetch(cache_key, skip_nil: true) do
+          token_decoder.user_attribute(identifying_attribute)
+        end
+      end
+
+      def helper
+        UserHelper.new
+      end
+    end
+  end
+end

data/lib/warden/cognito/test_helpers.rb

@@ -0,0 +1,41 @@
+require 'rspec'
+
+module Warden
+  module Cognito
+    class TestHelpers
+      class EnvironmentError < StandardError; end
+
+      @jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048))
+
+      class << self
+        attr_reader :jwk
+
+        def setup
+          Warden::Cognito.config.jwk = { key: jwk, issuer: local_issuer }
+        end
+
+        def auth_headers(headers, user)
+          headers.merge(Authorization: "Bearer #{generate_token(user)}")
+        end
+
+        def local_issuer
+          'local_issuer'
+        end
+
+        private
+
+        def generate_token(user)
+          payload = { sub: user.object_id,
+                      "#{identifying_attribute}": user.cognito_id,
+                      iss: local_issuer }
+          headers = { kid: jwk.kid }
+          JWT.encode(payload, jwk.keypair, 'RS256', headers)
+        end
+
+        def identifying_attribute
+          Warden::Cognito.config.identifying_attribute
+        end
+      end
+    end
+  end
+end

data/lib/warden/cognito/token_authenticatable_strategy.rb

@@ -6,22 +6,15 @@ module Warden
     class TokenAuthenticatableStrategy < Warden::Strategies::Base
       METHOD = 'Bearer'.freeze
 
-      attr_reader :helper, :config
+      attr_reader :helper
 
       def initialize(env, scope = nil)
         super
-        @config = Cognito.config
-        @helper = UserHelper
-      end
-
-      def jwks
-        config.cache.fetch(jwk_url, expires_in: 1.hour) do
-          JSON.parse(HTTP.get(jwk_url).body.to_s).deep_symbolize_keys
-        end
+        @helper = UserHelper.new
       end
 
       def valid?
-        decoded_token.present?
+        token_decoder.validate!
       rescue ::JWT::ExpiredSignature
         true
       rescue StandardError
@@ -29,7 +22,8 @@ module Warden
       end
 
       def authenticate!
-        user = local_user || config.after_local_user_not_found&.call(cognito_user)
+        user = local_user || UserNotFoundCallback.call(cognito_user)
+
         fail!(:unknown_user) unless user.present?
         success!(user)
       rescue ::JWT::ExpiredSignature
@@ -40,49 +34,16 @@ module Warden
 
       private
 
-      def jwt_issuer
-        "https://cognito-idp.#{ENV['AWS_REGION']}.amazonaws.com/#{ENV['AWS_COGNITO_USER_POOL_ID']}"
-      end
-
-      def jwk_url
-        "#{jwt_issuer}/.well-known/jwks.json"
-      end
-
-      def local_user
-        helper.find_by_cognito_attribute(local_identifier)
-      end
-
-      def cognito_user_cache_key
-        "COGNITO_LOCAL_IDENTIFIER_#{cognito_user_identifier}"
-      end
-
-      def cognito_user_identifier
-        decoded_token.first['sub']
-      end
-
-      def local_identifier
-        config.cache.fetch(cognito_user_cache_key, skip_nil: true) do
-          user_attribute identifying_attribute
-        end
-      end
-
       def cognito_user
-        @cognito_user ||= CognitoClient.fetch(token)
-      end
-
-      def user_attribute(attribute_name)
-        cognito_user.user_attributes.detect do |attribute|
-          attribute.name == attribute_name
-        end&.value
+        token_decoder.cognito_user
       end
 
-      def identifying_attribute
-        config.identifying_attribute.to_s
+      def local_user
+        LocalUserMapper.find token_decoder
       end
 
-      def decoded_token
-        @decoded_token ||= ::JWT.decode(token, nil, true, iss: jwt_issuer, verify_iss: true,
-                                                          algorithms: ['RS256'], jwks: jwks)
+      def token_decoder
+        @token_decoder ||= TokenDecoder.new(token)
       end
 
       def token

data/lib/warden/cognito/token_decoder.rb

@@ -0,0 +1,45 @@
+module Warden
+  module Cognito
+    class TokenDecoder
+      attr_reader :jwk_loader, :token
+
+      def initialize(token)
+        @token = token
+        @jwk_loader = JwkLoader.new
+      end
+
+      def validate!
+        decoded_token.present?
+      end
+
+      def sub
+        decoded_token.first['sub']
+      end
+
+      def decoded_token
+        @decoded_token ||= ::JWT.decode(token, nil, true, iss: jwk_loader.jwt_issuer, verify_iss: true,
+                                                          algorithms: ['RS256'], jwks: jwk_loader)
+      end
+
+      def cognito_user
+        @cognito_user ||= CognitoClient.fetch(token)
+      end
+
+      def user_attribute(attribute_name)
+        token_attribute(attribute_name).presence || cognito_user_attribute(attribute_name)
+      end
+
+      private
+
+      def token_attribute(attribute_name)
+        decoded_token.first[attribute_name] if decoded_token.first.key? attribute_name
+      end
+
+      def cognito_user_attribute(attribute_name)
+        cognito_user.user_attributes.detect do |attribute|
+          attribute.name == attribute_name
+        end&.value
+      end
+    end
+  end
+end

data/lib/warden/cognito/user_helper.rb

@@ -1,20 +1,14 @@
 module Warden
   module Cognito
-    module UserHelper
-      class << self
-        def find_by_cognito_username(username)
-          user_repository.find_by_cognito_username(username)
-        end
+    class UserHelper
+      include Cognito::Import['user_repository']
 
-        def find_by_cognito_attribute(arg)
-          user_repository.find_by_cognito_attribute(arg)
-        end
-
-        private
+      def find_by_cognito_username(username)
+        user_repository.find_by_cognito_username(username)
+      end
 
-        def user_repository
-          Cognito.config.user_repository
-        end
+      def find_by_cognito_attribute(arg)
+        user_repository.find_by_cognito_attribute(arg)
       end
     end
   end

data/lib/warden/cognito/user_not_found_callback.rb

@@ -0,0 +1,17 @@
+module Warden
+  module Cognito
+    class UserNotFoundCallback
+      include Cognito::Import['after_local_user_not_found']
+
+      class << self
+        def call(cognito_user)
+          new.call(cognito_user)
+        end
+      end
+
+      def call(cognito_user)
+        after_local_user_not_found&.call(cognito_user)
+      end
+    end
+  end
+end

data/lib/warden/cognito/version.rb

@@ -1,5 +1,5 @@
 module Warden
   module Cognito
-    VERSION = '0.1.0'.freeze
+    VERSION = '0.2.0'.freeze
   end
 end

data/warden-cognito.gemspec

@@ -5,7 +5,7 @@ require 'warden/cognito/version'
 Gem::Specification.new do |spec|
   spec.name          = 'warden-cognito'
   spec.version       = Warden::Cognito::VERSION
-  spec.authors       = ['Juan F. Pérez']
+  spec.authors       = ['Juan F. Pérez', 'Léo Figea']
   spec.email         = ['761794+jguitar@users.noreply.github.com']
 
   spec.summary       = 'Amazon Cognito authentication for Warden'
@@ -39,7 +39,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'jwt', '~> 2.1'
   spec.add_dependency 'warden', '~> 1.2'
 
-  spec.add_development_dependency 'bundler', '~> 1.17'
+  spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'pry-byebug', '~> 3.7'
   spec.add_development_dependency 'rack-test', '~> 1.1'
   spec.add_development_dependency 'rake', '>= 12.3.3'

metadata

@@ -1,14 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: warden-cognito
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Juan F. Pérez
-autorequire: 
+- Léo Figea
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-11-12 00:00:00.000000000 Z
+date: 2020-11-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -98,16 +99,16 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.17'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: pry-byebug
   requirement: !ruby/object:Gem::Requirement
@@ -189,7 +190,6 @@ files:
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".ruby-version"
 - ".travis.yml"
 - CHANGELOG.md
 - Dockerfile
@@ -203,8 +203,13 @@ files:
 - lib/warden/cognito.rb
 - lib/warden/cognito/authenticatable_strategy.rb
 - lib/warden/cognito/cognito_client.rb
+- lib/warden/cognito/jwk_loader.rb
+- lib/warden/cognito/local_user_mapper.rb
+- lib/warden/cognito/test_helpers.rb
 - lib/warden/cognito/token_authenticatable_strategy.rb
+- lib/warden/cognito/token_decoder.rb
 - lib/warden/cognito/user_helper.rb
+- lib/warden/cognito/user_not_found_callback.rb
 - lib/warden/cognito/version.rb
 - warden-cognito.gemspec
 homepage: https://github.com/barkibu/warden-cognito
@@ -214,7 +219,7 @@ metadata:
   homepage_uri: https://github.com/barkibu/warden-cognito
   source_code_uri: https://github.com/barkibu/warden-cognito
   changelog_uri: https://github.com/barkibu/warden-cognito/blob/master/CHANGELOG.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -229,8 +234,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: Amazon Cognito authentication for Warden
 test_files: []

data/.ruby-version

@@ -1 +0,0 @@
-2.6.5