zaikio-oauth_client 0.7.2 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 32f871e3c1b27ab91ce3bbaa35d4ac460cc12d93401c1b73d4dd618cd83d1f00
-  data.tar.gz: 1ce0459fdb769c4f5c7e31287cccc16d6fce74a819557dfa1c5c6cd3120991ee
+  metadata.gz: c3caeb6fd8b46df684ae2ead61a41965d33d0c8447576ca3dd4472e035917732
+  data.tar.gz: 7efeeb1977f82515ac60e41dfeec76a2e03867cead09e4e7bdee225f9e2d7051
 SHA512:
-  metadata.gz: 567ac3217d0b63498fc6d18292c4b1fcdd6d8407c2341daae177388e2e68104bfd0aab00990606099b7e9f5d10dc13e7572586271eb0f76c8c6200520db81f81
-  data.tar.gz: b9366a697539fa31138e2ddc8b9f02f9dd6ed6cd11113bbc8ed3c1732301044395b19d033eda14d5b7bb7ad7c32f0836be6e89a000b2f7dd6270f05385846283
+  metadata.gz: 49c66d7cee9b78180b46f5f75318e9cdab0e0ea04cf7bf349c09990ac337dc367e32fcf15f70a3728fa524a53ea3a5771e0c436b9902d4f7a023ad72a0b21adb
+  data.tar.gz: b82883c6b3b85dabe9759266bd5c5f4b338bb9917c3bd60696412e4651a23c45e73e296a600258aa7072ad5c417dd728742afecdba8a5f14b66a673ff836e0f4

data/README.md

@@ -118,6 +118,19 @@ redirect_to zaikio_oauth_client.new_session_path(force_login: true)
 redirect_to zaikio_oauth_client.new_session_path(state: "something-my-app-uses")
 ```
 
+You can also send them to the [Subscription Redirect
+flow](https://docs.zaikio.com/api/directory/guides/subscriptions/redirect-flow/), which
+behaves & redirects back like a regular Organization flow except it additionally sets up a
+subscription for the organization:
+
+```ruby
+# Require them to select a plan themselves...
+redirect_to zaikio_oauth_client.new_subscription_path
+
+# Or preselect a plan for them
+redirect_to zaikio_oauth_client.new_subscription_path(plan: "free")
+```
+
 #### Session handling
 
 The Zaikio gem engine will set a cookie for the user after a successful OAuth flow: `cookies.encrypted[:zaikio_person_id]`.
@@ -174,6 +187,11 @@ class ApplicationController < ActionController::Base
 
     main_app.root_path
   end
+
+  def error_path_for(error_code, description: nil)
+    # Handle error
+    main_app.root_path
+  end
 end
 ```
 
@@ -254,7 +272,7 @@ To release a new version of the gem:
 - Update the version in `lib/zaikio/oauth_client/version.rb`
 - Update `CHANGELOG.md` to include the new version and its release date
 - Commit and push your changes
-- Create a [new release on GitHub](https://github.com/zaikio/zaikio-directory-models/releases/new)
+- Create a [new release on GitHub](https://github.com/zaikio/zaikio-oauth_client/releases/new)
 - CircleCI will build the Gem package and push it Rubygems for you
 
 ## License

data/app/controllers/zaikio/oauth_client/subscriptions_controller.rb

@@ -0,0 +1,28 @@
+module Zaikio
+  module OAuthClient
+    class SubscriptionsController < ConnectionsController
+      def new
+        opts = params.permit(:client_name, :state, :plan, :organization_id)
+        opts[:redirect_with_error] = 1
+        opts[:state] ||= cookies.encrypted[:state] = SecureRandom.urlsafe_base64(32)
+
+        plan            = opts.delete(:plan)
+        organization_id = opts.delete(:organization_id)
+
+        subscription_scope = if organization_id.present?
+                               "Org/#{organization_id}.subscription_create"
+                             else
+                               "Org.subscription_create"
+                             end
+
+        subscription_scope << ".#{plan}" if plan.present?
+
+        redirect_to oauth_client.auth_code.authorize_url(
+          redirect_uri: approve_url(opts.delete(:client_name)),
+          scope: subscription_scope,
+          **opts
+        )
+      end
+    end
+  end
+end

data/app/models/zaikio/access_token.rb

@@ -78,15 +78,19 @@ module Zaikio
           attributes.slice("token", "refresh_token")
         ).refresh!
 
-        access_token = self.class.build_from_access_token(
+        destroy
+
+        self.class.build_from_access_token(
           refreshed_token,
           requested_scopes: requested_scopes
-        )
+        ).tap(&:save!)
+      end
+    rescue OAuth2::Error => e
+      raise unless e.code == "invalid_grant"
 
-        transaction { destroy if access_token.save! }
+      destroy
 
-        access_token
-      end
+      nil
     end
   end
 end

data/config/locales/de.yml

@@ -0,0 +1,4 @@
+de:
+  zaikio:
+    oauth_client:
+      error_occured: "Beim Login ist ein Fehler aufgetreten: %{error} %{description}. Bitte versuche es nochmal."

data/config/locales/en.yml

@@ -1,6 +1,7 @@
 en:
   zaikio:
+    oauth_client:
+      error_occured: "An error occurred during login: %{error} %{description}. Please try again."
     forms:
       optional: Optional
       learn_more: Learn more
-

data/config/routes.rb

@@ -1,15 +1,17 @@
 Zaikio::OAuthClient::Engine.routes.draw do
-  sessions_controller = Zaikio::OAuthClient.configuration.sessions_controller_name
-  connections_controller = Zaikio::OAuthClient.configuration.connections_controller_name
+  config = Zaikio::OAuthClient.configuration
 
-  # People
-  get "(/:client_name)/sessions/new", action: :new, controller: sessions_controller, as: :new_session
-  get "(/:client_name)/sessions/approve", action: :approve, controller: sessions_controller, as: :approve_session
-  delete "(/:client_name)/session", action: :destroy, controller: sessions_controller, as: :session
+  scope path: "(/:client_name)" do
+    # People
+    get "/sessions/new",     action: :new,     controller: config.sessions_controller_name, as: :new_session
+    get "/sessions/approve", action: :approve, controller: config.sessions_controller_name, as: :approve_session
+    delete "/session",       action: :destroy, controller: config.sessions_controller_name, as: :session
 
-  # Organizations
-  get "(/:client_name)/connections/new", action: :new,
-                                         controller: connections_controller, as: :new_connection
-  get "(/:client_name)/connections/approve", action: :approve,
-                                             controller: connections_controller, as: :approve_connection
+    # Organizations
+    get "/connections/new",     action: :new,     controller: config.connections_controller_name, as: :new_connection
+    get "/connections/approve", action: :approve, controller: config.connections_controller_name, as: :approve_connection
+
+    # Subscriptions
+    get "/subscriptions/new", action: :new, controller: config.subscriptions_controller_name, as: :new_subscription
+  end
 end

data/lib/zaikio/oauth_client.rb

@@ -1,5 +1,6 @@
 require "oauth2"
 
+require "zaikio/oauth_client/error"
 require "zaikio/oauth_client/engine"
 require "zaikio/oauth_client/configuration"
 require "zaikio/oauth_client/authenticatable"
@@ -57,34 +58,61 @@ module Zaikio
         end
       end
 
-      def get_access_token(client_name: nil, bearer_type: "Person", bearer_id: nil, scopes: nil) # rubocop:disable Metrics/MethodLength
-        client_name ||= self.client_name
-        client_config = client_config_for(client_name)
+      # Finds the best possible access token, using the DB or an API call
+      #   * If the token has expired, it will be refreshed using the refresh_token flow
+      #     (if this fails, we fallback to getting a new token using client_credentials)
+      #   * If the token does not exist, we'll get a new one using the client_credentials flow
+      def get_access_token(bearer_id:, client_name: nil, bearer_type: "Person", scopes: nil)
+        client_config = client_config_for(client_name || self.client_name)
         scopes ||= client_config.default_scopes_for(bearer_type)
 
-        access_token = Zaikio::AccessToken.where(audience: client_config.client_name)
-                                          .usable(
-                                            bearer_type: bearer_type,
-                                            bearer_id: bearer_id,
-                                            requested_scopes: scopes
-                                          )
-                                          .first
-
-        if access_token.blank?
-          access_token = Zaikio::AccessToken.build_from_access_token(
-            client_config.token_by_client_credentials(
+        token = find_usable_access_token(client_name: client_config.client_name,
+                                         bearer_type: bearer_type,
+                                         bearer_id: bearer_id,
+                                         requested_scopes: scopes)
+
+        token = token.refresh! if token&.expired?
+
+        token ||= fetch_new_token(client_config: client_config,
+                                  bearer_type: bearer_type,
+                                  bearer_id: bearer_id,
+                                  scopes: scopes)
+        token
+      end
+
+      # Finds the best usable access token. Note that this token may have expired and
+      # would require refreshing.
+      def find_usable_access_token(client_name:, bearer_type:, bearer_id:, requested_scopes:)
+        configuration.logger.debug "Try to fetch token for client_name: #{client_name}, "\
+          "bearer #{bearer_type}/#{bearer_id}, requested_scopes: #{requested_scopes}"
+
+        fetch_access_token = lambda {
+          Zaikio::AccessToken
+            .where(audience: client_name)
+            .usable(
               bearer_type: bearer_type,
               bearer_id: bearer_id,
-              scopes: scopes
-            ),
-            requested_scopes: scopes
-          )
-          access_token.save!
-        elsif access_token&.expired?
-          access_token = access_token.refresh!
+              requested_scopes: requested_scopes
+            )
+            .first
+        }
+
+        if configuration.logger.respond_to?(:silence)
+          configuration.logger.silence { fetch_access_token.call }
+        else
+          fetch_access_token.call
         end
+      end
 
-        access_token
+      def fetch_new_token(client_config:, bearer_type:, bearer_id:, scopes:)
+        Zaikio::AccessToken.build_from_access_token(
+          client_config.token_by_client_credentials(
+            bearer_type: bearer_type,
+            bearer_id: bearer_id,
+            scopes: scopes
+          ),
+          requested_scopes: scopes
+        ).tap(&:save!)
       end
 
       def get_plain_scopes(scopes)

data/lib/zaikio/oauth_client/authenticatable.rb

@@ -5,7 +5,9 @@ module Zaikio
 
       def new
         opts = params.permit(:client_name, :show_signup, :force_login, :state)
+        opts[:redirect_with_error] = 1
         client_name = opts.delete(:client_name)
+        opts[:state] ||= cookies.encrypted[:state] = SecureRandom.urlsafe_base64(32)
 
         redirect_to oauth_client.auth_code.authorize_url(
           redirect_uri: approve_url(client_name),
@@ -15,6 +17,21 @@ module Zaikio
       end
 
       def approve
+        if params[:error].present?
+          redirect_to send(
+            respond_to?(:error_path_for) ? :error_path_for : :default_error_path_for,
+            params[:error],
+            description: params[:error_description]
+          ) and return
+        end
+
+        if cookies.encrypted[:state].present? && params[:state] != cookies.encrypted[:state]
+          return redirect_to send(
+            respond_to?(:error_path_for) ? :error_path_for : :default_error_path_for,
+            "invalid_state"
+          )
+        end
+
         access_token = create_access_token
 
         origin = cookies.encrypted[:origin]
@@ -31,6 +48,7 @@ module Zaikio
       def destroy
         access_token_id = cookies.encrypted[:zaikio_access_token_id]
         cookies.delete :zaikio_access_token_id
+        cookies.delete :state
 
         redirect_to send(
           respond_to?(:after_destroy_path_for) ? :after_destroy_path_for : :default_after_destroy_path_for,
@@ -87,6 +105,16 @@ module Zaikio
 
         main_app.root_path
       end
+
+      def default_error_path_for(error_code, description: nil)
+        raise Zaikio::OAuthClient::InvalidScopesError, description if error_code == "invalid_scope"
+
+        unless error_code == "access_denied"
+          flash[:alert] = I18n.t("zaikio.oauth_client.error_occured", error: error_code, description: description)
+        end
+
+        main_app.root_path
+      end
     end
   end
 end

data/lib/zaikio/oauth_client/configuration.rb

@@ -13,19 +13,25 @@ module Zaikio
       }.freeze
 
       attr_accessor :host
-      attr_writer :logger
       attr_reader :client_configurations, :environment, :around_auth_block,
-                  :sessions_controller_name, :connections_controller_name
+                  :sessions_controller_name, :connections_controller_name, :subscriptions_controller_name
 
       def initialize
         @client_configurations = {}
         @around_auth_block = nil
         @sessions_controller_name = "sessions"
         @connections_controller_name = "connections"
+        @subscriptions_controller_name = "subscriptions"
+        Zaikio::AccessToken.logger = logger
       end
 
       def logger
-        @logger ||= Logger.new($stdout)
+        @logger ||= ActiveSupport::Logger.new($stdout)
+      end
+
+      def logger=(logger)
+        @logger = logger
+        Zaikio::AccessToken.logger = @logger
       end
 
       def register_client(name)
@@ -58,6 +64,10 @@ module Zaikio
         @connections_controller_name = "/#{name}"
       end
 
+      def subscriptions_controller_name=(name)
+        @subscriptions_controller_name = "/#{name}"
+      end
+
       private
 
       def host_for(environment)

data/lib/zaikio/oauth_client/error.rb

@@ -0,0 +1,5 @@
+module Zaikio
+  module OAuthClient
+    class InvalidScopesError < StandardError; end
+  end
+end

data/lib/zaikio/oauth_client/version.rb

@@ -1,5 +1,5 @@
 module Zaikio
   module OAuthClient
-    VERSION = "0.7.2".freeze
+    VERSION = "0.11.0".freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: zaikio-oauth_client
 version: !ruby/object:Gem::Version
-  version: 0.7.2
+  version: 0.11.0
 platform: ruby
 authors:
 - Zaikio GmbH
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-29 00:00:00.000000000 Z
+date: 2021-04-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -144,11 +144,13 @@ files:
 - Rakefile
 - app/controllers/zaikio/oauth_client/connections_controller.rb
 - app/controllers/zaikio/oauth_client/sessions_controller.rb
+- app/controllers/zaikio/oauth_client/subscriptions_controller.rb
 - app/helpers/zaikio/application_helper.rb
 - app/jobs/zaikio/application_job.rb
 - app/jobs/zaikio/cleanup_access_tokens_job.rb
 - app/models/zaikio/access_token.rb
 - config/initializers/inflections.rb
+- config/locales/de.yml
 - config/locales/en.yml
 - config/routes.rb
 - db/migrate/20190426155505_enable_postgres_extensions_for_uuids.rb
@@ -161,6 +163,7 @@ files:
 - lib/zaikio/oauth_client/client_configuration.rb
 - lib/zaikio/oauth_client/configuration.rb
 - lib/zaikio/oauth_client/engine.rb
+- lib/zaikio/oauth_client/error.rb
 - lib/zaikio/oauth_client/test_helper.rb
 - lib/zaikio/oauth_client/version.rb
 homepage: https://github.com/zaikio/zaikio-oauth_client