yiffspace 0.0.7 → 0.0.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6df835265036ddab2c96c9eee4f74e2d486ff5edcf6e08ea4ee245fd4d4860c4
-  data.tar.gz: 3f830fa81d6c083aff4f8b16d8f53a05d60ec2bee6cc7da16d97a5f9fb24a177
+  metadata.gz: 3cae6e6673d3c50b8899ec0c198d88af750ba9729804c8c6912ba8a14cf6712a
+  data.tar.gz: be9e9e433eca4720756d0a113b383159e4b4572b9bc4783f6eab6755c24de4f7
 SHA512:
-  metadata.gz: a341d471f5e1aeb0d0226b7cd237927aa209f974d1b8a8c76642e7635629187714515e6051f8db78964c08dcffb90f6b52b913ae7f17e1baf4f52926e48361fc
-  data.tar.gz: d6d84c18eb1b40da513fe8dd8fb79c1e2719d9ffa23e17a3132cedd03e336a5cfc08429d3a3ecab8606baf963aaa1d0bdb33d3207617ac6e4a59c389582c412c
+  metadata.gz: 6979ad72bc811ea8bc2c831e60122c2f4bd5fe75cca656866a5d607df51c2822f66d8a5d0436f1f984f401683deeb8605ae7821dfceba4bc929732b7d96274ac
+  data.tar.gz: f96a1cff3676ef954004f9006524760894e44fa134445c6359b30beb118c7f6326263fc529b79306cc80f7b708cb37af70e6af41e6db8b68ef66686831f52339

data/engines/auth/app/controllers/yiff_space/auth/root_controller.rb

@@ -6,50 +6,22 @@ module YiffSpace
       include(Helper)
 
       def show
-        state            = generate_state!
-        self.return_path = params[:path]
-        redirect_to(auth_client_config.url(state: state), allow_other_host: true)
+        client.sign_in(redirect_uri: auth_client_config.redirect_uri, post_redirect_uri: params[:path] || "/")
       end
 
       def cb
-        return render("yiffspace/error", locals: { message: "missing code in request" }, status: :bad_request) if params[:code].blank?
-        return render("yiffspace/error", locals: { message: "missing state in request" }, status: :bad_request) if params[:state].blank?
-        return render("yiffspace/error", locals: { message: "invalid state in request" }, status: :bad_request) if params[:state] != state
-
-        reset_state!
-        exchange  = auth_client_config.exchange(params[:code])
-        self.auth = exchange.auth
-        self.user = exchange.user
-        path      = return_path
-        action    = auth_client_config.after_auth_action
-        reset_return_path!
-        if action.is_a?(Proc)
-          instance_exec(*(action.arity.zero? ? [] : [path]), &action)
-          return if performed?
-        elsif action.is_a?(String)
-          return redirect_to(action)
-        end
-
-        redirect_to(path || "/")
+        client.handle_sign_in_callback(url: request.original_url)
+        user = client.fetch_user_info
+        token = client.access_token_claims(resource: auth_client_config.resource)
+        self.user = UserInfo.new(id: user["identities"]["discord"]["userId"], user: user, discord: user["identities"]["discord"]["details"]["rawData"])
+        self.auth = AuthInfo.new(id: user["identities"]["discord"]["userId"], token: token, permissions: token["scope"].split, roles: user["roles"], client_id: auth_client_config.client_id)
       end
 
       def permissions; end
 
       def logout
-        return redirect_back_or_to("/") if auth.blank? && user.blank?
-
-        self.return_path = params[:path] # sanitization
-        path             = return_path
-        action           = auth_client_config.after_logout_action
-        full_reset!
-        if action.is_a?(Proc)
-          action.call(*[self, path].slice(0, action.arity))
-          return if performed?
-        elsif action.is_a?(String)
-          return redirect_to(action)
-        end
-
-        redirect_to(path || "/")
+        client.sign_out(post_logout_redirect_uri: request.base_url)
+        reset_user!
       end
 
       def debug
@@ -60,8 +32,16 @@ module YiffSpace
           params:  params,
           session: session,
           client:  auth_client_config.as_json.merge(client_secret: "[REDACTED]"),
+          user:    client.fetch_user_info,
+          token:   client.access_token_claims(resource: "https://gallery.furry.cool"),
         })
       end
+
+      private
+
+      def client
+        @client ||= auth_client_config.logto(self)
+      end
     end
   end
 end

data/engines/auth/app/views/yiff_space/auth/root/permissions.html.erb

@@ -1,5 +1,5 @@
 <h1 class="title">Permissions</h1>
-<% if auth? %>
+<% if logged_in? %>
   <% if auth.permissions.any? %>
     <ul class="permissions-list">
       <% auth.permissions.each do |perm| %>

data/lib/yiffspace/auth/auth_info/anonymous.rb

@@ -12,10 +12,6 @@ module YiffSpace
           define_method(attr) { |*, **| raise(NotImplementedError, "#{attr} is not present on anonymous auth") }
         end
 
-        def entitlements
-          []
-        end
-
         def roles
           []
         end
@@ -50,7 +46,7 @@ module YiffSpace
         end
 
         def self.from_json(*)
-          Anonymous.new
+          Anonymous.instance
         end
 
         def self.from_session(data)

data/lib/yiffspace/auth/auth_info.rb

@@ -3,21 +3,23 @@
 module YiffSpace
   module Auth
     class AuthInfo
-      attr_reader(:id, :token, :entitlements, :roles, :permissions)
+      attr_reader(:id, :token, :roles, :permissions, :client_id)
 
       # @param id String
       # @param roles Array(String)
-      # @param entitlements Array(String)
-      # @param token OpenIDConnect::AccessToken
-      def initialize(id:, entitlements:, roles:, token:)
+      # @param permissions Array(String)
+      # @param token LogtoClient::AccessTokenClaims
+      # @param client_id String
+      def initialize(id:, roles:, permissions:, token:, client_id:)
         raise(ArgumentError, "no id provided") if id.blank?
         raise(ArgumentError, "no token provided") if token.blank?
+        raise(ArgumentError, "no client id provided") if client_id.blank?
 
         @id           = id
         @token        = token
-        @entitlements = Array(entitlements)
         @roles        = Array(roles)
-        @permissions  = Permissions.new(@entitlements)
+        @permissions  = Permissions.new(permissions, separator: YiffSpace::Auth.get_by_id(client_id).permissions_separator)
+        @client_id    = client_id
       end
 
       def anonymous?
@@ -39,10 +41,11 @@ module YiffSpace
 
       def serializable_hash(*)
         {
-          "id"           => id,
-          "token"        => ::YiffSpace::Auth.serialize_token(token),
-          "entitlements" => entitlements,
-          "roles"        => roles,
+          "id"          => id,
+          "token"       => token.as_json,
+          "roles"       => roles,
+          "permissions" => permissions.values,
+          "client_id"   => client_id,
         }
       end
 
@@ -57,10 +60,11 @@ module YiffSpace
         data = ::YiffSpace::Utils::OpenHash.from(data)
 
         new(
-          id:           data.id,
-          token:        ::YiffSpace::Auth.unserialize_token(data.token),
-          entitlements: data.entitlements,
-          roles:        data.roles,
+          id:          data.id,
+          token:       data.token,
+          roles:       data.roles,
+          permissions: data.permissions,
+          client_id:   data.client_id,
         )
       end
 

data/lib/yiffspace/auth/client.rb

@@ -1,58 +1,42 @@
 # frozen_string_literal: true
 
+require_relative("../core_ext/logto/named_session_storage")
+
 module YiffSpace
   module Auth
     class Client
-      attr_accessor(:client_name, :client_id, :client_secret, :redirect_uri,
-                    :server_url, :scopes, :auth_session_key, :user_session_key,
-                    :token_session_key, :return_path_session_key, :state_session_key,
-                    :state_generator, :after_auth_action, :after_logout_action,
-                    :update_discord_images)
+      attr_accessor(:client_id, :client_secret, :scopes, :resource,
+                    :redirect_uri, :server_url, :auth_session_key,
+                    :user_session_key, :update_discord_images, :permissions_separator)
 
       attr_reader(:name)
 
       def initialize(name)
         @name                    = name.to_sym
-        @server_url              = "https://auth.yiff.space"
+        @scopes                  = %i[openid offline_access profile roles identities]
         @redirect_uri            = "http://127.0.0.1:3000/auth/cb"
-        @scopes                  = %i[openid discord offline_access entitlements]
+        @server_url              = "https://auth.yiff.space"
         @auth_session_key        = :"yiffspace_auth_#{name}"
         @user_session_key        = :"yiffspace_user_#{name}"
-        @token_session_key       = :"yiffspace_token_#{name}"
-        @return_path_session_key = :"yiffspace_return_path_#{name}"
-        @state_session_key       = :"yiffspace_state_#{name}"
-        @state_generator         = -> { SecureRandom.hex(48) }
         @update_discord_images   = true
+        @permissions_separator   = ":"
       end
 
-      def openid_config
-        @openid_config ||= OpenIDConnect::Discovery::Provider::Config.discover!("#{server_url}/application/o/#{client_name}/")
-      end
-
-      def oidc_client
-        @oidc_client ||= OpenIDConnect::Client.new(
-          identifier:             client_id,
-          secret:                 client_secret,
-          redirect_uri:           redirect_uri,
-          authorization_endpoint: openid_config.authorization_endpoint,
-          token_endpoint:         openid_config.token_endpoint,
-          userinfo_endpoint:      openid_config.userinfo_endpoint,
+      def logto(controller)
+        LogtoClient.new(
+          config:   LogtoClient::Config.new(
+            endpoint:   server_url,
+            app_id:     client_id,
+            app_secret: client_secret,
+            scopes:     scopes,
+            resources:  [resource].compact,
+          ),
+          # Allow the client to redirect to other hosts (i.e. your Logto tenant)
+          navigate: ->(uri) { controller.redirect_to(uri, allow_other_host: true) },
+          # Controller has access to the session object
+          storage:  LogtoClient::NamedSessionStorage.new("yiffspace", controller.session, app_id: @name),
         )
       end
-
-      def url(state: nil)
-        oidc_client.authorization_uri(scope: scopes, state: state)
-      end
-
-      def exchange(code)
-        oidc_client.authorization_code = code
-        token                          = oidc_client.access_token!
-        user                           = token.userinfo!
-        id                             = user.raw_attributes["discord"]["id"]
-        authinfo                       = AuthInfo.new(token: token, entitlements: user.raw_attributes["entitlements"], roles: user.raw_attributes["roles"], id: id)
-        userinfo                       = UserInfo.new(user: user, id: id, discord: user.raw_attributes["discord"], client_id: oidc_client.identifier)
-        Auth::ExchangeResponse.new(authinfo, userinfo)
-      end
     end
   end
 end

data/lib/yiffspace/auth/engine.rb

@@ -38,7 +38,7 @@ module YiffSpace
             subclass.engine_name("yiffspace_auth_#{name}")
             # Inherit isolation settings that aren't copied from the parent class
             subclass.instance_variable_set(:@isolated, true)
-            subclass.routes.default_scope = { module: "yiffspace/auth" }
+            subclass.routes.default_scope = { module: "yiff_space/auth" }
             subclass.routes.draw do
               constraints(SetClientName.new(name)) do
                 get(:cb, controller: :root)

data/lib/yiffspace/auth/helper.rb

@@ -72,50 +72,21 @@ module YiffSpace
         session.delete(auth_client_config.user_session_key)
       end
 
-      def state
-        session[auth_client_config.state_session_key]
-      end
-
-      def state=(value)
-        session[auth_client_config.state_session_key] = value
-      end
-
-      def reset_state!
-        session.delete(auth_client_config.state_session_key)
-      end
-
-      def generate_state!
-        generator  = auth_client_config.state_generator
-        self.state = generator.call(*(generator.arity.zero? ? [] : [self]))
-      end
-
-      def return_path
-        session[auth_client_config.return_path_session_key]
-      end
-
-      def return_path=(value)
-        return if value && (!value.start_with?("/") || value.start_with?("//"))
-
-        session[auth_client_config.return_path_session_key] = value
-      end
-
-      def reset_return_path!
-        session.delete(auth_client_config.return_path_session_key)
-      end
-
       def full_reset!
-        reset_state!
         reset_auth!
         reset_user!
-        reset_return_path!
       end
 
       def require_auth(path)
-        redirect_to(path) unless auth?
+        redirect_to(path) unless user?
+      end
+
+      def logged_in?
+        user?
       end
 
       def has_permission?(name)
-        return false unless auth?
+        return false unless user?
 
         auth.permissions.has?(name)
       end

data/lib/yiffspace/auth/permissions.rb

@@ -9,13 +9,14 @@ module YiffSpace
 
       include(Enumerable)
 
-      def initialize(perms)
+      def initialize(perms, separator: ":")
         @values = perms
         @tree   = {}
+        @separator = separator
 
         perms.each do |perm|
           current = @tree
-          parts   = perm.split(".")
+          parts   = perm.split(separator)
 
           parts.each do |part|
             current[part] ||= {}
@@ -51,10 +52,10 @@ module YiffSpace
         end
 
         if @tree.key?(str)
-          self.class.new_from_subtree(@tree[str])
+          self.class.new_from_subtree(@tree[str], @separator)
         else
           # return empty node instead of raising
-          self.class.new([])
+          self.class.new([], separator: @separator)
         end
       end
 
@@ -62,10 +63,11 @@ module YiffSpace
         true
       end
 
-      def self.new_from_subtree(tree)
+      def self.new_from_subtree(tree, separator)
         obj = allocate
         obj.instance_variable_set(:@tree, tree)
         obj.instance_variable_set(:@values, leaves_from_tree(tree))
+        obj.instance_variable_set(:@separator, separator)
         obj
       end
 

data/lib/yiffspace/auth/user_info/anonymous.rb

@@ -58,7 +58,7 @@ module YiffSpace
         end
 
         def self.from_json(*)
-          Anonymous.new
+          Anonymous.instance
         end
 
         def self.from_session(data)

data/lib/yiffspace/auth/user_info.rb

@@ -3,20 +3,18 @@
 module YiffSpace
   module Auth
     class UserInfo
-      attr_reader(:id, :user, :discord, :client_id)
+      attr_reader(:id, :user, :discord)
 
       # @param id String
-      # @param user OpenIDConnect::ResponseObject::UserInfo
+      # @param user LogtoCore::UserInfoResponse
       # @param discord Hash
-      # @param client_id String
-      def initialize(id:, user:, discord:, client_id:)
+      def initialize(id:, user:, discord:)
         raise(ArgumentError, "no id provided") if id.blank?
         raise(ArgumentError, "no user provided") if user.blank?
 
         @id        = id
         @user      = user
         @discord   = DiscordInfo.from_json(discord)
-        @client_id = client_id
       end
 
       def anonymous?
@@ -58,7 +56,7 @@ module YiffSpace
         {
           "id"      => id,
           "discord" => discord.serializable_hash,
-          "user"    => ::YiffSpace::Auth.serialize_user(user, client_id: client_id),
+          "user"    => user.as_json,
         }
       end
 
@@ -72,12 +70,10 @@ module YiffSpace
         data = JSON.parse(data) if data.is_a?(String)
         data = ::YiffSpace::Utils::OpenHash.from(data)
 
-        user_data = ::YiffSpace::Utils::OpenHash.from(data.user)
         new(
-          id:        data.id,
-          discord:   data.discord,
-          user:      ::YiffSpace::Auth.unserialize_user(user_data),
-          client_id: user_data.client_id,
+          id:      data.id,
+          discord: data.discord,
+          user:    data.user,
         )
       end
 

data/lib/yiffspace/auth.rb

@@ -1,12 +1,7 @@
 # frozen_string_literal: true
 
-require("openid_connect")
-
 module YiffSpace
   module Auth
-    class SerializeError < StandardError; end
-
-    ExchangeResponse    = Struct.new(:auth, :user)
     CLIENT_NAME_ENV     = "yiffspace.auth.client_name"
     DEFAULT_CLIENT_NAME = :default
 
@@ -23,50 +18,15 @@ module YiffSpace
     end
 
     def [](name)
-      @clients[name.to_sym] or raise(KeyError, "unknown auth client: #{name.inspect}")
+      @clients[name.to_sym] || raise(KeyError, "unknown auth client: #{name.inspect}")
     end
 
     def default
       @clients[DEFAULT_CLIENT_NAME] || raise("no default client configured")
     end
 
-    def find_by_client_id(client_id)
-      @clients.values.find { |c| c.oidc_client.identifier == client_id }
-    end
-
-    def serialize_token(token)
-      { attributes: token.raw_attributes.without("client"), client_id: token.client.identifier }
-    end
-
-    def unserialize_token(data)
-      raise(SerializeError, "no token data provided") if data.blank?
-      return data if data.is_a?(OpenIDConnect::AccessToken)
-
-      data = JSON.parse(data) if data.is_a?(String)
-      data = ::YiffSpace::Utils::OpenHash.from(data)
-      raise(SerializeError, "no client id for token, refusing to reconstruct") if data.client_id.nil?
-
-      client_config = find_by_client_id(data.client_id)
-      raise(SerializeError, "unknown client_id #{data.client_id.inspect}") unless client_config
-
-      OpenIDConnect::AccessToken.new(data.attributes.merge(client: client_config.oidc_client))
-    end
-
-    def serialize_user(user, client_id:)
-      { attributes: user.raw_attributes, client_id: client_id }
-    end
-
-    def unserialize_user(data)
-      raise(SerializeError, "no user data provided") if data.blank?
-      return data if data.is_a?(OpenIDConnect::ResponseObject::UserInfo)
-
-      data = JSON.parse(data) if data.is_a?(String)
-      data = ::YiffSpace::Utils::OpenHash.from(data)
-      raise(SerializeError, "no client id for user, refusing to reconstruct") if data.client_id.nil?
-
-      find_by_client_id(data.client_id) or raise(SerializeError, "unknown client_id #{data.client_id.inspect}")
-
-      OpenIDConnect::ResponseObject::UserInfo.new(data.attributes)
+    def get_by_id(id)
+      @clients.values.find { |c| c.client_id == id } || raise(ArgumentError, "unable to find client with id: #{id}")
     end
 
     def enable_debug_action?

data/lib/yiffspace/core_ext/all.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require_relative("active_record/where_chain")
+require_relative("active_record/all")
 require_relative("arel/all")
 require_relative("enumerable/all")
 require_relative("hash/all")

data/lib/yiffspace/core_ext/logto/named_session_storage.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+require_relative("../../extensions/logto/named_session_storage")
+
+class LogtoClient
+  NamedSessionStorage = YiffSpace::Extensions::Logto::NamedSessionStorage
+end

data/lib/yiffspace/extensions/logto/named_session_storage.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require("logto/client")
+
+module YiffSpace
+  module Extensions
+    module Logto
+      class NamedSessionStorage < LogtoClient::SessionStorage
+        def initialize(name, session, app_id: nil)
+          super(session, app_id: app_id)
+          @name = name
+        end
+
+        protected
+
+        def get_session_key(key)
+          "#{@name}_#{@app_id || 'default'}_#{key}"
+        end
+      end
+    end
+  end
+end

data/lib/yiffspace/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module YiffSpace
-  VERSION = "0.0.7"
+  VERSION = "0.0.9"
 end

data/lib/yiffspace.rb

@@ -21,4 +21,11 @@ loader.inflector.inflect({ "postgresql" => "PostgreSQL", "yiffspace" => "YiffSpa
 loader.ignore("#{__dir__}/yiffspace/core_ext")
 loader.ignore("#{__dir__}/yiffspace/include")
 loader.ignore("#{__dir__}/yiffspace/railtie.rb")
+loader.ignore("#{__dir__}/yiffspace/auth/engine.rb")
 loader.setup
+
+# Require the auth engine eagerly so it registers with Rails before the host app's
+# active_support.initialize_per_engine_zeitwerk_loaders initializer runs. Without this,
+# the engine is only loaded during route drawing (after Zeitwerk setup) and its
+# app/controllers path is never added to the app's autoload roots.
+require_relative("yiffspace/auth/engine") if defined?(Rails)

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: yiffspace
 version: !ruby/object:Gem::Version
-  version: 0.0.7
+  version: 0.0.9
 platform: ruby
 authors:
 - Donovan_DMC
 bindir: bin
 cert_chain: []
-date: 2026-06-03 00:00:00.000000000 Z
+date: 2026-06-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: abbrev
@@ -38,19 +38,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0.24'
 - !ruby/object:Gem::Dependency
-  name: openid_connect
+  name: logto
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: 0.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '2.3'
+        version: 0.2.0
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -104,8 +104,8 @@ files:
 - LICENSE
 - README.md
 - Rakefile
-- app/assets/config/yiff_space_manifest.js
-- app/assets/stylesheets/yiff_space/application.css
+- app/assets/config/yiffspace_manifest.js
+- app/assets/stylesheets/yiffspace/application.css
 - app/controllers/yiff_space/application_controller.rb
 - app/helpers/yiff_space/application_helper.rb
 - app/helpers/yiff_space/auth_helper.rb
@@ -155,6 +155,7 @@ files:
 - lib/yiffspace/core_ext/enumerable/parallel.rb
 - lib/yiffspace/core_ext/hash/all.rb
 - lib/yiffspace/core_ext/hash/to_open_hash.rb
+- lib/yiffspace/core_ext/logto/named_session_storage.rb
 - lib/yiffspace/core_ext/string/all.rb
 - lib/yiffspace/core_ext/string/sql.rb
 - lib/yiffspace/core_ext/string/to_b.rb
@@ -170,6 +171,7 @@ files:
 - lib/yiffspace/extensions/arel/visitors/postgresql/left_join_lateral.rb
 - lib/yiffspace/extensions/enumerable/parallel.rb
 - lib/yiffspace/extensions/hash/to_open_hash.rb
+- lib/yiffspace/extensions/logto/named_session_storage.rb
 - lib/yiffspace/extensions/string/sql.rb
 - lib/yiffspace/extensions/string/to_b.rb
 - lib/yiffspace/extensions/string/truthy_falsy.rb