RubyGems - yiffspace - Versions diffs - 0.0.15 → 0.0.16 - Mend

yiffspace 0.0.15 → 0.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/engines/auth/app/controllers/yiff_space/auth/root_controller.rb +2 -0
data/engines/auth/app/controllers/yiff_space/auth/webhook_controller.rb +73 -0
data/engines/auth/config/routes.rb +1 -0
data/lib/yiffspace/auth/client.rb +3 -1
data/lib/yiffspace/auth/engine.rb +1 -0
data/lib/yiffspace/auth/helper.rb +39 -3
data/lib/yiffspace/logto_management_client.rb +29 -0
data/lib/yiffspace/version.rb +1 -1
metadata +2 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 58a833e8004dac25e9e9565130e951f23699eb3c0c2c0dc9d203f3215b429ae3
-  data.tar.gz: 01d16ad7990ca32d619b335b66ebecf7e85291b6184fda283412617a020d6504
+  metadata.gz: a12391067375c3fe9b67ce2cd6b798471109847146659bde7e831e97b5512f8d
+  data.tar.gz: 603e6b07f15adc922e2665ed15f6eafd4a65ffefdb63ce618cb29e09fc82956e
 SHA512:
-  metadata.gz: 2f6c468d10df637cb4ece7643237cdf9df17ccd03c425dd56a83abd20ea240fc808d7ee8da7963ad44f17065ad48fc069e45e764a277e1f5d5fa906e8eefa6d7
-  data.tar.gz: e949da7c71b6df6eec77304a6223100327a014f020f21c791842aa1bed3a7f853ae2b08a82e4e7b350cbc796ccd186d449529d6b1dffc487d0d182732e6fb8b8
+  metadata.gz: 423e58dc486f4c20e4990b6850dccde2066d75fe79ca82707f3601ffe364db811039d5663f2ec201659f17f3312d375207c0b415eb992e07a3bedf503cfdaf2e
+  data.tar.gz: 8f6b52d3b39fd93fc3bc23b30e699e3fa2bfc51dcbeff7e0dc65e6cd5bfb67cfb24b882455fcfae0c1aa0fe36a82bd933ec744f8ac61ab304d2c81830d5c5aca

data/engines/auth/app/controllers/yiff_space/auth/root_controller.rb CHANGED Viewed

@@ -5,6 +5,8 @@ module YiffSpace
     class RootController < ApplicationController
       include(Helper)
+      before_action(:sync_auth_if_dirty!)
       def show
         client.sign_in(redirect_uri: auth_client_config.redirect_uri, post_redirect_uri: params[:path] || "/")
       end

data/engines/auth/app/controllers/yiff_space/auth/webhook_controller.rb ADDED Viewed

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+require("openssl")
+require("active_support/security_utils")
+module YiffSpace
+  module Auth
+    class WebhookController < ApplicationController
+      skip_before_action(:verify_authenticity_token)
+      HANDLED_EVENTS = %w[
+        User.Roles.Updated
+        User.SuspensionStatus.Updated
+        User.Deleted
+        Role.Scopes.Updated
+      ].freeze
+      DIRTY_FLAG_TTL = 24.hours
+      def create
+        unless verify_signature
+          render(plain: "Unauthorized", status: :unauthorized)
+          return
+        end
+        payload = JSON.parse(request.raw_post)
+        event   = payload["event"]
+        handle_event(event, payload) if HANDLED_EVENTS.include?(event)
+        head(:ok)
+      rescue JSON::ParserError
+        render(plain: "Bad Request", status: :bad_request)
+      end
+      private
+      def verify_signature
+        secret = auth_client_config.logto_webhook_secret
+        return true if secret.blank?
+        received = request.headers["logto-signature-sha-256"].to_s
+        expected = OpenSSL::HMAC.hexdigest("SHA256", secret, request.raw_post)
+        ActiveSupport::SecurityUtils.secure_compare(received, expected)
+      end
+      def handle_event(event, payload)
+        data = payload["data"] || {}
+        if event == "Role.Scopes.Updated"
+          handle_role_scopes_updated(data)
+        else
+          user_id = data["id"]
+          mark_dirty(user_id) if user_id.present?
+        end
+      end
+      def handle_role_scopes_updated(data)
+        role_id = data["id"]
+        return if role_id.blank?
+        management = auth_client_config.logto_management
+        users      = management.get_users_with_role(role_id)
+        users.each { |u| mark_dirty(u["id"]) }
+      rescue StandardError => e
+        Rails.logger.error("[YiffSpace::Auth::WebhookController] Role.Scopes.Updated fan-out failed: #{e.message}")
+      end
+      def mark_dirty(user_id)
+        Rails.cache.write(format(Helper::DIRTY_FLAG_KEY, user_id), true, expires_in: DIRTY_FLAG_TTL)
+      end
+    end
+  end
+end

data/engines/auth/config/routes.rb CHANGED Viewed

@@ -2,6 +2,7 @@
 YiffSpace::Auth::Engine.routes.draw do
   constraints(YiffSpace::Auth::SetClientName.default) do
+    post(:webhook, controller: :webhook)
     get(:cb, controller: :root)
     get(:logout, controller: :root)
     get(:permissions, controller: :root)

data/lib/yiffspace/auth/client.rb CHANGED Viewed

@@ -8,7 +8,8 @@ module YiffSpace
     class Client
       attr_accessor(:client_id, :client_secret, :scopes, :permissions,
                     :resource, :redirect_uri, :server_url, :auth_session_key,
-                    :user_session_key, :update_discord_images, :permissions_separator)
+                    :user_session_key, :update_discord_images, :permissions_separator,
+                    :logto_webhook_secret)
       attr_reader(:name)
@@ -22,6 +23,7 @@ module YiffSpace
         @user_session_key        = :"yiffspace_user_#{name}"
         @update_discord_images   = true
         @permissions_separator   = ":"
+        @logto_webhook_secret    = nil
       end
       def logto(controller)

data/lib/yiffspace/auth/engine.rb CHANGED Viewed

@@ -41,6 +41,7 @@ module YiffSpace
             subclass.routes.default_scope = { module: "yiff_space/auth" }
             subclass.routes.draw do
               constraints(SetClientName.new(name)) do
+                post(:webhook, controller: :webhook)
                 get(:cb, controller: :root)
                 get(:logout, controller: :root)
                 get(:permissions, controller: :root)

data/lib/yiffspace/auth/helper.rb CHANGED Viewed

@@ -78,19 +78,55 @@ module YiffSpace
       end
       def require_auth(path)
-        redirect_to(path) unless user?
+        redirect_to(path) unless logged_in?
       end
       def logged_in?
-        user?
+        auth? && user?
       end
       def has_permission?(name)
-        return false unless user?
+        return false unless logged_in?
         auth.permissions.has?(name)
       end
+      DIRTY_FLAG_KEY = "yiffspace:auth:dirty:%s"
+      # Checks the dirty flag written by the Logto webhook handler. If set, re-fetches
+      # the user's current roles and permissions from the Logto Management API and
+      # rewrites the session — without waiting for the access token to expire.
+      # Call this as a before_action in any controller that needs instant revocation.
+      def sync_auth_if_dirty!
+        return unless auth?
+        flag_key = format(DIRTY_FLAG_KEY, auth.id)
+        return unless Rails.cache.exist?(flag_key)
+        Rails.cache.delete(flag_key)
+        management = auth_client_config.logto_management
+        api_user   = management.get_user_by_id(auth.id)
+        if api_user.nil? || api_user.data["isSuspended"]
+          full_reset!
+          return
+        end
+        roles       = management.get_user_roles(auth.id)
+        permissions = roles.flat_map { |role| management.get_role_scopes(role["id"]) }
+                           .pluck("name")
+                           .uniq
+        self.auth = AuthInfo.new(
+          id:          auth.id,
+          token:       auth.token,
+          roles:       roles.pluck("name"),
+          permissions: permissions,
+          client_id:   auth.client_id,
+        )
+      end
       def url_helpers
         YiffSpace::Auth::Engine.for(client_name).routes.url_helpers
       end

data/lib/yiffspace/logto_management_client.rb CHANGED Viewed

@@ -74,5 +74,34 @@ module YiffSpace
     def get_or_create_user(id)
       get_user(id) || create_user(id)
     end
+    def get_user_by_id(logto_id)
+      response = HTTParty.get("#{auth.server_url}/api/users/#{logto_id}", { headers: { "Authorization" => "Bearer #{get_token}" } })
+      return nil if response.code == 404
+      raise("failed to get user: #{response.code} #{response.message}\n#{response.parsed_response.inspect}") if response.code != 200
+      Auth::ApiUser.new(response.parsed_response)
+    end
+    def get_user_roles(logto_id)
+      response = HTTParty.get("#{auth.server_url}/api/users/#{logto_id}/roles", { headers: { "Authorization" => "Bearer #{get_token}" } })
+      raise("failed to get user roles: #{response.code} #{response.message}\n#{response.parsed_response.inspect}") if response.code != 200
+      response.parsed_response
+    end
+    def get_role_scopes(role_id)
+      response = HTTParty.get("#{auth.server_url}/api/roles/#{role_id}/scopes", { headers: { "Authorization" => "Bearer #{get_token}" } })
+      raise("failed to get role scopes: #{response.code} #{response.message}\n#{response.parsed_response.inspect}") if response.code != 200
+      response.parsed_response
+    end
+    def get_users_with_role(role_id)
+      response = HTTParty.get("#{auth.server_url}/api/roles/#{role_id}/users", { headers: { "Authorization" => "Bearer #{get_token}" } })
+      raise("failed to get users with role: #{response.code} #{response.message}\n#{response.parsed_response.inspect}") if response.code != 200
+      response.parsed_response
+    end
   end
 end

data/lib/yiffspace/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module YiffSpace
-  VERSION = "0.0.15"
+  VERSION = "0.0.16"
 end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: yiffspace
 version: !ruby/object:Gem::Version
-  version: 0.0.15
+  version: 0.0.16
 platform: ruby
 authors:
 - Donovan_DMC
@@ -114,6 +114,7 @@ files:
 - app/views/yiff_space/error.html.erb
 - engines/auth/app/controllers/yiff_space/auth/application_controller.rb
 - engines/auth/app/controllers/yiff_space/auth/root_controller.rb
+- engines/auth/app/controllers/yiff_space/auth/webhook_controller.rb
 - engines/auth/app/views/yiff_space/auth/root/permissions.html.erb
 - engines/auth/config/routes.rb
 - lib/tasks/yiff_space_tasks.rake