zaikio-oauth_client 0.17.2 → 0.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 605b297bfe708d26eb51ed1060bf243fc3060fd27df8f4ec481dcf94a471fcc2
-  data.tar.gz: 839bb62b7d00b272978fa3f225bd7416a7c12cf7508e4ab2242183fcb7c8d801
+  metadata.gz: d82ba1e01192f3e9fac8f47bc5ded67fb2b869f724fcdcd26ec42718c4ca53f5
+  data.tar.gz: 48a24101ed54396c68d96077c0eaf7dc16fbd317ecbae092773ae9f29a31b9bd
 SHA512:
-  metadata.gz: 2c7e04798b1ca7338e30005794e2d804a90633816323f678bd2f9a7bcb7f9b8f368e3e68ac38490c44bf48761db785169f41e8f9cf22ce7cdee7b40b82e5ee05
-  data.tar.gz: 189afa394a1a0739d5a4ed60ed4fc667ee8aed698329fb7eb87cc6785bfc88ee610028d9b5fb4ac8ba389c399104e8956c8656ce0a4bbb1132b039f6b1612446
+  metadata.gz: 46884a09302f56b53e64e8ee2cd1172c5792a1ecf82ff6e0a8b054d979f86f3b63449a4bd79633c3f95f076e11e0f3bc5669b26d8988643232c784c92f447d5b
+  data.tar.gz: f1e5992edef1cda3bd6b68f2089c07201264d2b1e64a4713ae0d6ec84af5e708172b9b53ceb76d38245645ec41ebf79f4da7d63a40e17a6441e4d7171f9e47e8

data/README.md

@@ -14,7 +14,17 @@ Then run `bundle install`.
 
 ## Setup & Configuration
 
-### 1. Copy & run Migrations
+### 1. Setup Active Record encryption
+
+Setup [Active Record Encryption](https://guides.rubyonrails.org/active_record_encryption.html#setup) by running:
+
+```
+rails db:encryption:init
+```
+
+(Continue generating the credentials each for different environments)
+
+### 2. Copy & run Migrations
 
 ```bash
 rails zaikio_oauth_client:install:migrations
@@ -24,7 +34,7 @@ rails db:migrate
 This will create the tables:
 + `zaikio_access_tokens`
 
-### 2. Mount routes
+### 3. Mount routes
 
 Add this to `config/routes.rb`:
 
@@ -32,7 +42,7 @@ Add this to `config/routes.rb`:
 mount Zaikio::OAuthClient::Engine => "/zaikio"
 ```
 
-### 3. Configure Gem
+### 4. Configure Gem
 
 ```rb
 # config/initializers/zaikio_oauth_client.rb
@@ -70,7 +80,7 @@ end
 ```
 
 
-### 4. Clean up outdated access tokens (recommended)
+### 5. Clean up outdated access tokens (recommended)
 
 To avoid keeping all expired oath and refresh tokens in your database, we recommend to implement their scheduled deletion. We recommend therefore to use a schedule gems such as [sidekiq](https://github.com/mperham/sidekiq) and [sidekiq-scheduler](https://github.com/moove-it/sidekiq-scheduler).
 
@@ -135,12 +145,19 @@ redirect_to zaikio_oauth_client.new_subscription_path(plan: "free")
 
 #### Session handling
 
-The Zaikio gem engine will set a cookie for the user after a successful OAuth flow: `session[:zaikio_person_id]`.
+The Zaikio gem engine will set a cookie for the access token after a successful OAuth flow: `session[:zaikio_access_token_id]`.
 
 If you are using for example `Zaikio::Hub::Models`, you can use this snippet to set the current user:
 
 ```ruby
-Current.user ||= Zaikio::Hub::Models::Person.find_by(id: session[:zaikio_person_id])
+access_token = Zaikio::OAuthClient.find_active_access_token(session[:zaikio_access_token_id])
+session[:zaikio_access_token_id] = access_token&.id
+Current.user = Zaikio::Hub::Models::Person.find_by(id: access_token&.bearer_id)
+
+unless Current.user
+  session[:origin] = request.fullpath
+  redirect_to zaikio_oauth_client.new_session_path
+end
 ````
 
 You can then use `Current.user` anywhere.

data/app/models/zaikio/access_token.rb

@@ -5,7 +5,11 @@ module Zaikio
   class AccessToken < ApplicationRecord
     self.table_name = "zaikio_access_tokens"
 
-    def self.build_from_access_token(access_token, requested_scopes: nil)
+    # Encryption
+    encrypts :token
+    encrypts :refresh_token
+
+    def self.build_from_access_token(access_token, requested_scopes: nil, include_refresh_token: true)
       payload = JWT.decode(access_token.token, nil, false).first rescue {} # rubocop:disable Style/RescueModifier
       scopes = access_token.params["scope"].split(",")
       new(
@@ -14,7 +18,7 @@ module Zaikio
         bearer_id: access_token.params["bearer"]["id"],
         audience: access_token.params["audiences"].first,
         token: access_token.token,
-        refresh_token: access_token.refresh_token,
+        refresh_token: (access_token.refresh_token if include_refresh_token),
         expires_at: Time.strptime(access_token.expires_at.to_s, "%s"),
         scopes: scopes,
         requested_scopes: requested_scopes || scopes
@@ -63,7 +67,7 @@ module Zaikio
     end
 
     def bearer_klass
-      return unless Zaikio.const_defined?("Hub::Models", false) # rubocop:disable Performance/StringIdentifierArgument
+      return unless Zaikio.const_defined?("Hub::Models", false)
 
       if Zaikio::Hub::Models.configuration.respond_to?(:"#{bearer_type.underscore}_class_name")
         Zaikio::Hub::Models.configuration.public_send(:"#{bearer_type.underscore}_class_name").constantize
@@ -91,5 +95,15 @@ module Zaikio
       destroy
       nil
     end
+
+    def revoke!
+      return unless Zaikio.const_defined?("Hub::RevokedAccessToken", false)
+
+      Zaikio::Hub.with_token(token) do
+        Zaikio::Hub::RevokedAccessToken.create
+      end
+    rescue Zaikio::ConnectionError => e
+      Zaikio::OAuthClient.configuration.logger.warn "Access Token #{id} could not be revoked: #{e.message}"
+    end
   end
 end

data/db/migrate/20220425130923_encrypt_tokens.rb

@@ -0,0 +1,45 @@
+class EncryptTokens < ActiveRecord::Migration[7.0]
+  def change
+    reversible do |dir|
+      dir.up do
+        rename_column :zaikio_access_tokens, :token, :unencrypted_token
+        rename_column :zaikio_access_tokens, :refresh_token, :unencrypted_refresh_token
+
+        add_column :zaikio_access_tokens, :token, :string
+        add_column :zaikio_access_tokens, :refresh_token, :string
+
+        Zaikio::AccessToken.find_each do |access_token|
+          access_token.update(
+            token: access_token.unencrypted_token,
+            refresh_token: access_token.unencrypted_refresh_token
+          )
+        end
+
+        change_column_null :zaikio_access_tokens, :token, false
+
+        remove_column :zaikio_access_tokens, :unencrypted_token, :string
+        remove_column :zaikio_access_tokens, :unencrypted_refresh_token, :string
+      end
+
+      dir.down do
+        add_column :zaikio_access_tokens, :unencrypted_token, :string
+        add_column :zaikio_access_tokens, :unencrypted_refresh_token, :string
+
+        Zaikio::AccessToken.find_each do |access_token|
+          access_token.update_columns(
+            unencrypted_token: access_token.token,
+            unencrypted_refresh_token: access_token.refresh_token
+          )
+        end
+
+        remove_column :zaikio_access_tokens, :token, :string
+        remove_column :zaikio_access_tokens, :refresh_token, :string
+
+        rename_column :zaikio_access_tokens, :unencrypted_token, :token
+        rename_column :zaikio_access_tokens, :unencrypted_refresh_token, :refresh_token
+
+        change_column_null :zaikio_access_tokens, :token, false
+      end
+    end
+  end
+end

data/lib/zaikio/oauth_client/authenticatable.rb

@@ -55,13 +55,16 @@ module Zaikio
       end
 
       def destroy
-        access_token_id = session[:zaikio_access_token_id]
+        if (access_token = Zaikio::AccessToken.valid.or(Zaikio::AccessToken.valid_refresh)
+                                             .find_by(id: session[:zaikio_access_token_id]))
+          access_token.revoke!
+        end
         session.delete(:zaikio_access_token_id)
         session.delete(:origin)
 
         redirect_to send(
           respond_to?(:after_destroy_path_for) ? :after_destroy_path_for : :default_after_destroy_path_for,
-          access_token_id
+          access_token.id
         )
       end
 

data/lib/zaikio/oauth_client/version.rb

@@ -1,5 +1,5 @@
 module Zaikio
   module OAuthClient
-    VERSION = "0.17.2".freeze
+    VERSION = "0.19.0".freeze
   end
 end

data/lib/zaikio/oauth_client.rb

@@ -6,7 +6,7 @@ require "zaikio/oauth_client/configuration"
 require "zaikio/oauth_client/authenticatable"
 
 module Zaikio
-  module OAuthClient
+  module OAuthClient # rubocop:disable Metrics/ModuleLength
     class << self
       attr_reader :client_name
 
@@ -58,9 +58,8 @@ module Zaikio
         end
       end
 
-      # Finds the best possible access token, using the DB or an API call
-      #   * If the token has expired, it will be refreshed using the refresh_token flow
-      #     (if this fails, we fallback to getting a new token using client_credentials)
+      # Finds active access token, using the DB or Client Credentials flow
+      #   * It searches in the DB for an active access token
       #   * If the token does not exist, we'll get a new one using the client_credentials flow
       def get_access_token(bearer_id:, client_name: nil, bearer_type: "Person", scopes: nil, valid_for: 30.seconds)
         client_config = client_config_for(client_name || self.client_name)
@@ -72,8 +71,6 @@ module Zaikio
                                          requested_scopes: scopes,
                                          valid_for: valid_for)
 
-        token = token.refresh! if token&.expired?
-
         token ||= fetch_new_token(client_config: client_config,
                                   bearer_type: bearer_type,
                                   bearer_id: bearer_id,
@@ -81,21 +78,31 @@ module Zaikio
         token
       end
 
-      # Finds the best usable access token. Note that this token may have expired and
-      # would require refreshing.
-      def find_usable_access_token(client_name:, bearer_type:, bearer_id:, requested_scopes:, valid_for: 30.seconds)  # rubocop:disable Metrics/MethodLength
-        configuration.logger.debug "Try to fetch token for client_name: #{client_name}, "\
+      # This method can be used to find an active access token by id.
+      # It might refresh the access token to get an active one.
+      def find_active_access_token(id)
+        return unless id
+
+        access_token = Zaikio::AccessToken.find_by(id: id)
+        access_token = access_token.refresh! if access_token&.expired?
+
+        access_token
+      end
+
+      # Finds active access token with matching criteria for bearer and scopes.
+      def find_usable_access_token(client_name:, bearer_type:, bearer_id:, requested_scopes:, valid_for: 30.seconds) # rubocop:disable Metrics/MethodLength
+        configuration.logger.debug "Try to fetch token for client_name: #{client_name}, " \
                                    "bearer #{bearer_type}/#{bearer_id}, requested_scopes: #{requested_scopes}"
 
         fetch_access_token = lambda {
           Zaikio::AccessToken
             .where(audience: client_name)
-            .usable(
+            .by_bearer(
               bearer_type: bearer_type,
               bearer_id: bearer_id,
-              requested_scopes: requested_scopes,
-              valid_until: valid_for.from_now
+              requested_scopes: requested_scopes
             )
+            .valid(valid_for.from_now)
             .first
         }
 
@@ -113,7 +120,10 @@ module Zaikio
             bearer_id: bearer_id,
             scopes: scopes
           ),
-          requested_scopes: scopes
+          requested_scopes: scopes,
+          include_refresh_token: false
+          # Do not store refresh token on client credentials flow
+          # https://docs.zaikio.com/changelog/2022-08-09_client-credentials-drop-refresh-token.html
         ).tap(&:save!)
       end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: zaikio-oauth_client
 version: !ruby/object:Gem::Version
-  version: 0.17.2
+  version: 0.19.0
 platform: ruby
 authors:
 - Zaikio GmbH
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-01-07 00:00:00.000000000 Z
+date: 2022-08-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -89,7 +89,7 @@ dependencies:
         version: '0.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -99,7 +99,7 @@ dependencies:
         version: '0.5'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: pg
   requirement: !ruby/object:Gem::Requirement
@@ -157,6 +157,7 @@ files:
 - db/migrate/20191017132048_create_zaikio_access_tokens.rb
 - db/migrate/20210222135920_enhance_access_token_index.rb
 - db/migrate/20210224154303_add_requested_scopes_to_zaikio_access_tokens.rb
+- db/migrate/20220425130923_encrypt_tokens.rb
 - lib/tasks/zaikio_tasks.rake
 - lib/zaikio/oauth_client.rb
 - lib/zaikio/oauth_client/authenticatable.rb