zaikio-oauth_client 0.12.1 → 0.15.1.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2e0377cbc59afa07b79f540877cbba7c79c0a23240202cdd1e1b0b1f79d21104
-  data.tar.gz: 3b99c3429d501c37bb259046159794df88a26789d519a7ec50203961a62cfd43
+  metadata.gz: 5695820de8df28288feb3794016c0288e2dce2d7890a8c3bd9b11685fc39c32f
+  data.tar.gz: 2616666c8df490d153339d6953f6066a46f00669dfd037dcc2faf62873b44e9a
 SHA512:
-  metadata.gz: f6b9f87688b92771ee8bb9ae1eea9ae9c83a09f393860925698ffa7adf515478b70d1621e438420ae39642a27c8c193a5a8232e1d028c58858428d8835b685e2
-  data.tar.gz: 153edcd1c0eb91874efd44ad501c157ad5210da20447064b07d59967593cb59a2e940767f3a3c32943ae550a55e0f537a737bcab4f17fe6d373ff44f049c06f8
+  metadata.gz: dd7d9785f60d8c025ec461d6ab006f714f7f9abfd83ebffcfcf261c17a386903a6d9a42eb57708fd23b23662060190be1b5fd3089f03c10e0459a5106bcf4268
+  data.tar.gz: 1a554847284740a40cd231681572c30a0ae32c441a3da4de9feafdc36ea9057ff66ec93281be4108e4e1e7683c8f550a4bdf4b63153292f295295b29d0007a3f

data/README.md

@@ -36,32 +36,34 @@ mount Zaikio::OAuthClient::Engine => "/zaikio"
 
 ```rb
 # config/initializers/zaikio_oauth_client.rb
-Zaikio::OAuthClient.configure do |config|
-  config.environment = :sandbox
-
-  config.register_client :warehouse do |warehouse|
-    warehouse.client_id       = "52022d7a-7ba2-41ed-8890-97d88e6472f6"
-    warehouse.client_secret   = "ShiKTnHqEf3M8nyHQPyZgbz7"
-    warehouse.default_scopes  = %w[directory.person.r]
-
-    warehouse.register_organization_connection do |org|
-      org.default_scopes = %w[directory.organization.r]
+Rails.application.reloader.to_prepare do
+  Zaikio::OAuthClient.configure do |config|
+    config.environment = :sandbox
+
+    config.register_client :warehouse do |warehouse|
+      warehouse.client_id       = "52022d7a-7ba2-41ed-8890-97d88e6472f6"
+      warehouse.client_secret   = "ShiKTnHqEf3M8nyHQPyZgbz7"
+      warehouse.default_scopes  = %w[directory.person.r]
+
+      warehouse.register_organization_connection do |org|
+        org.default_scopes = %w[directory.organization.r]
+      end
     end
-  end
 
-  config.register_client :warehouse_goods_call_of do |warehouse_goods_call_of|
-    warehouse_goods_call_of.client_id       = "12345-7ba2-41ed-8890-97d88e6472f6"
-    warehouse_goods_call_of.client_secret   = "secret"
-    warehouse_goods_call_of.default_scopes  = %w[directory.person.r]
+    config.register_client :warehouse_goods_call_of do |warehouse_goods_call_of|
+      warehouse_goods_call_of.client_id       = "12345-7ba2-41ed-8890-97d88e6472f6"
+      warehouse_goods_call_of.client_secret   = "secret"
+      warehouse_goods_call_of.default_scopes  = %w[directory.person.r]
 
-    warehouse_goods_call_of.register_organization_connection do |org|
-      org.default_scopes = %w[directory.organization.r]
+      warehouse_goods_call_of.register_organization_connection do |org|
+        org.default_scopes = %w[directory.organization.r]
+      end
     end
-  end
 
-  config.around_auth do |access_token, block|
-    Zaikio::Hub.with_token(access_token.token) do
-      block.call(access_token)
+    config.around_auth do |access_token, block|
+      Zaikio::Hub.with_token(access_token.token) do
+        block.call(access_token)
+      end
     end
   end
 end
@@ -264,6 +266,18 @@ Zaikio::OAuthClient.with_auth(bearer_type: "Organization", bearer_id: "fd61f5f5-
 end
 ```
 
+If you need the token for a certain period (e.g. a long-running job which makes many
+requests in sequence), you can specify the `valid_for` interval when requesting the token.
+By default, it won't return an access token which was due to expire in less than 30
+seconds from now. If there is an existing token, but it was due to expire before the end
+of the validity period, this will go and get a fresh token anyway:
+
+```rb
+Zaikio::OAuthClient.with_auth(..., valid_for: 10.minutes) do |access_token|
+  # ...
+end
+```
+
 ## Use of dummy app
 
 You can use the included dummy app as a showcase for the workflow and to adjust your own application. To set up the dummy application properly, go into `test/dummy` and use [puma-dev](https://github.com/puma/puma-dev) like this:

data/Rakefile

@@ -35,9 +35,7 @@ require 'rubocop/rake_task'
 
 namespace :test do
   desc 'Runs RuboCop on specified directories'
-  RuboCop::RakeTask.new(:rubocop) do |task|
-    task.fail_on_error = false
-  end
+  RuboCop::RakeTask.new(:rubocop)
 end
 
 Rake::Task[:test].enhance ['test:rubocop']

data/app/controllers/zaikio/oauth_client/subscriptions_controller.rb

@@ -3,7 +3,6 @@ module Zaikio
     class SubscriptionsController < ConnectionsController
       def new
         opts = params.permit(:client_name, :state, :plan, :organization_id)
-        opts[:redirect_with_error] = 1
         opts[:state] ||= session[:state] = SecureRandom.urlsafe_base64(32)
 
         plan            = opts.delete(:plan)

data/app/models/zaikio/access_token.rb

@@ -5,7 +5,7 @@ module Zaikio
   class AccessToken < ApplicationRecord
     self.table_name = "zaikio_access_tokens"
 
-    def self.build_from_access_token(access_token, requested_scopes: nil) # rubocop:disable Metrics/AbcSize
+    def self.build_from_access_token(access_token, requested_scopes: nil)
       payload = JWT.decode(access_token.token, nil, false).first rescue {} # rubocop:disable Style/RescueModifier
       scopes = access_token.params["scope"].split(",")
       new(
@@ -26,27 +26,28 @@ module Zaikio
     end
 
     # Scopes
-    scope :valid, lambda {
-      where("expires_at > :now", now: Time.current)
+    scope :valid, lambda { |valid_until = Time.current|
+      where("expires_at > :valid_until", valid_until: valid_until)
         .where.not(id: Zaikio::JWTAuth.revoked_token_ids)
     }
     scope :with_invalid_refresh_token, lambda {
       where("created_at <= ?", Time.current - Zaikio::AccessToken.refresh_token_valid_for)
     }
-    scope :valid_refresh, lambda {
-      where("expires_at <= :now AND created_at > :created_at_max",
-            now: Time.current,
-            created_at_max: Time.current - refresh_token_valid_for)
-        .where("refresh_token IS NOT NULL")
+    scope :valid_refresh, lambda { |valid_until = Time.current|
+      where("expires_at <= :valid_until AND created_at > :created_at_max",
+            valid_until: valid_until,
+            created_at_max: valid_until - refresh_token_valid_for)
+        .where.not(refresh_token: nil)
         .where.not(id: Zaikio::JWTAuth.revoked_token_ids)
     }
     scope :by_bearer, lambda { |bearer_id:, requested_scopes: [], bearer_type: "Person"|
       where(bearer_type: bearer_type, bearer_id: bearer_id)
         .where("requested_scopes @> ARRAY[?]::varchar[]", requested_scopes)
     }
-    scope :usable, lambda { |options|
-      by_bearer(**options).valid.or(by_bearer(**options).valid_refresh)
-                          .order(expires_at: :desc)
+    scope :usable, lambda { |valid_until: Time.current, **options|
+      by_bearer(**options).valid(valid_until).or(
+        by_bearer(**options).valid_refresh
+      ).order(expires_at: :desc)
     }
 
     def expired?
@@ -72,6 +73,8 @@ module Zaikio
     end
 
     def refresh!
+      return unless refresh_token?
+
       Zaikio::OAuthClient.with_oauth_scheme(:basic_auth) do
         refreshed_token = OAuth2::AccessToken.from_hash(
           Zaikio::OAuthClient.for(audience),
@@ -80,16 +83,12 @@ module Zaikio
 
         destroy
 
-        self.class.build_from_access_token(
-          refreshed_token,
-          requested_scopes: requested_scopes
-        ).tap(&:save!)
+        self.class.build_from_access_token(refreshed_token, requested_scopes: requested_scopes).tap(&:save!)
       end
     rescue OAuth2::Error => e
       raise unless e.code == "invalid_grant"
 
       destroy
-
       nil
     end
   end

data/lib/zaikio/oauth_client.rb

@@ -49,7 +49,7 @@ module Zaikio
                          get_access_token(**options_or_access_token)
                        end
 
-        return unless block_given?
+        return unless block
 
         if configuration.around_auth_block
           configuration.around_auth_block.call(access_token, block)
@@ -62,14 +62,15 @@ module Zaikio
       #   * If the token has expired, it will be refreshed using the refresh_token flow
       #     (if this fails, we fallback to getting a new token using client_credentials)
       #   * If the token does not exist, we'll get a new one using the client_credentials flow
-      def get_access_token(bearer_id:, client_name: nil, bearer_type: "Person", scopes: nil)
+      def get_access_token(bearer_id:, client_name: nil, bearer_type: "Person", scopes: nil, valid_for: 30.seconds)
         client_config = client_config_for(client_name || self.client_name)
         scopes ||= client_config.default_scopes_for(bearer_type)
 
         token = find_usable_access_token(client_name: client_config.client_name,
                                          bearer_type: bearer_type,
                                          bearer_id: bearer_id,
-                                         requested_scopes: scopes)
+                                         requested_scopes: scopes,
+                                         valid_for: valid_for)
 
         token = token.refresh! if token&.expired?
 
@@ -82,9 +83,9 @@ module Zaikio
 
       # Finds the best usable access token. Note that this token may have expired and
       # would require refreshing.
-      def find_usable_access_token(client_name:, bearer_type:, bearer_id:, requested_scopes:)
+      def find_usable_access_token(client_name:, bearer_type:, bearer_id:, requested_scopes:, valid_for: 30.seconds)  # rubocop:disable Metrics/MethodLength
         configuration.logger.debug "Try to fetch token for client_name: #{client_name}, "\
-          "bearer #{bearer_type}/#{bearer_id}, requested_scopes: #{requested_scopes}"
+                                   "bearer #{bearer_type}/#{bearer_id}, requested_scopes: #{requested_scopes}"
 
         fetch_access_token = lambda {
           Zaikio::AccessToken
@@ -92,7 +93,8 @@ module Zaikio
             .usable(
               bearer_type: bearer_type,
               bearer_id: bearer_id,
-              requested_scopes: requested_scopes
+              requested_scopes: requested_scopes,
+              valid_until: valid_for.from_now
             )
             .first
         }
@@ -117,9 +119,9 @@ module Zaikio
 
       def get_plain_scopes(scopes)
         regex = /^((Org|Per)\.)?(.*)$/
-        scopes.map do |scope|
+        scopes.filter_map do |scope|
           (regex.match(scope) || [])[3]
-        end.compact
+        end
       end
 
       private

data/lib/zaikio/oauth_client/authenticatable.rb

@@ -4,8 +4,8 @@ module Zaikio
       extend ActiveSupport::Concern
 
       def new
-        opts = params.permit(:client_name, :show_signup, :force_login, :state)
-        opts[:redirect_with_error] = 1
+        opts = params.permit(:client_name, :show_signup, :prompt, :force_login, :state, :lang)
+        opts[:lang] ||= I18n.locale if defined?(I18n)
         client_name = opts.delete(:client_name)
         opts[:state] ||= session[:state] = SecureRandom.urlsafe_base64(32)
 
@@ -16,7 +16,7 @@ module Zaikio
         )
       end
 
-      def approve
+      def approve  # rubocop:disable Metrics/MethodLength,Metrics/AbcSize
         if params[:error].present?
           redirect_to send(
             respond_to?(:error_path_for) ? :error_path_for : :default_error_path_for,
@@ -81,7 +81,7 @@ module Zaikio
 
       def client_config
         client_config = Zaikio::OAuthClient.configuration.find!(client_name)
-        client_config = use_org_config? ? client_config.org_config : client_config
+        client_config = client_config.org_config if use_org_config?
 
         client_config or raise ActiveRecord::RecordNotFound
       end

data/lib/zaikio/oauth_client/client_configuration.rb

@@ -20,7 +20,7 @@ module Zaikio
           client_secret,
           authorize_url: "oauth/authorize",
           token_url: "oauth/access_token",
-          connection_opts: { headers: { "Accept": "application/json" } },
+          connection_opts: { headers: { Accept: "application/json" } },
           site: Zaikio::OAuthClient.configuration.host
         )
 

data/lib/zaikio/oauth_client/test_helper.rb

@@ -3,7 +3,7 @@ module Zaikio
     module TestHelper
       extend ActiveSupport::Concern
 
-      class TestSessionController < ActionController::Base
+      class TestSessionController < ActionController::Base # rubocop:disable Rails/ApplicationController
         def show
           if session[params[:key]].nil?
             head :no_content

data/lib/zaikio/oauth_client/version.rb

@@ -1,5 +1,5 @@
 module Zaikio
   module OAuthClient
-    VERSION = "0.12.1".freeze
+    VERSION = "0.15.1.beta1".freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: zaikio-oauth_client
 version: !ruby/object:Gem::Version
-  version: 0.12.1
+  version: 0.15.1.beta1
 platform: ruby
 authors:
 - Zaikio GmbH
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-04-23 00:00:00.000000000 Z
+date: 2021-08-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -183,9 +183,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.2.3
 signing_key: