Class: Passage::Auth

Inherits:
Object
  • Object
show all
Defined in:
lib/passageidentity/auth.rb

Constant Summary collapse

@@app_cache = 
{}

Instance Method Summary collapse

Constructor Details

#initialize(app_id, auth_strategy) ⇒ Auth

Returns a new instance of Auth.



10
11
12
13
14
15
 
# File 'lib/passageidentity/auth.rb', line 10

def initialize(app_id, auth_strategy)
  @app_id = app_id
  @auth_strategy = auth_strategy

  fetch_jwks
end

Instance Method Details

#authenticate_request(request) ⇒ Object 



57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
 
# File 'lib/passageidentity/auth.rb', line 57

def authenticate_request(request)
  warn "[DEPRECATION] `auth.authenticate_request()` is deprecated.  Please use `auth.validate_jwt()` instead."

  # Get the token based on the strategy
  if @auth_strategy === Passage::COOKIE_STRATEGY
    unless request.cookies.key?("psg_auth_token")
      raise PassageError.new(
              message:
                "missing authentication token: expected \"psg_auth_token\" cookie"
            )
    end
    @token = request.cookies["psg_auth_token"]
  else
    headers = request.headers
    unless headers.key?("Authorization")
      raise PassageError.new(message: "no authentication token in header")
    end
    @token = headers["Authorization"].split(" ").last
  end

  # authenticate the token
  if @token
    return authenticate_token(@token)
  else
    raise PassageError.new(message: "no authentication token")
  end
  nil
end

#authenticate_token(token) ⇒ Object 



94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
 
# File 'lib/passageidentity/auth.rb', line 94

def authenticate_token(token)
  begin
    kid = JWT.decode(token, nil, false)[1]["kid"]
    exists = false
    for jwk in @jwks["keys"]
      if jwk["kid"] == kid
        exists = true
        break
      end
    end
    fetch_jwks unless exists
    claims =
      JWT.decode(
        token,
        nil,
        true,
        {
          aud: @auth_origin,
          verify_aud: true,
          algorithms: ["RS256"],
          jwks: @jwks
        }
      )
    return claims[0]["sub"]
  rescue JWT::InvalidIssuerError => e
    raise PassageError.new(message: e.message)
  rescue JWT::InvalidAudError => e
    raise PassageError.new(message: e.message)
  rescue JWT::ExpiredSignature => e
    raise PassageError.new(message: e.message)
  rescue JWT::IncorrectAlgorithm => e
    raise PassageError.new(message: e.message)
  rescue JWT::DecodeError => e
    raise PassageError.new(message: e.message)
  end
end

#fetch_appObject 



17
18
19
20
21
22
23
24
25
26
27
28
29
30
 
# File 'lib/passageidentity/auth.rb', line 17

def fetch_app()
  begin
    client = OpenapiClient::AppsApi.new
    response = client.get_app(@app_id)
    
    return response.app
  rescue Faraday::Error => e
    raise PassageError.new(
            message: "failed to fetch passage app",
            status_code: e.response[:status],
            body: e.response[:body]
          )
  end
end

#fetch_jwksObject 



32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
 
# File 'lib/passageidentity/auth.rb', line 32

def fetch_jwks()
  if @@app_cache[@app_id]
    @jwks, @auth_origin = @@app_cache[@app_id]
  else
    app = fetch_app
    auth_gw_connection =
      Faraday.new(url: "https://auth.passage.id") do |f|
        f.request :json
        f.request :retry
        f.response :raise_error
        f.response :json
        f.adapter :net_http
      end

    # fetch the public key if not in cache
    app = fetch_app

    @auth_origin = app.auth_origin
    response =
      auth_gw_connection.get("/v1/apps/#{@app_id}/.well-known/jwks.json")
    @jwks = response.body
    @@app_cache[@app_id] ||= [@jwks, @auth_origin]
  end
end

#revoke_user_refresh_tokens(user_id) ⇒ Object 



131
132
133
134
135
136
137
138
139
140
141
142
143
 
# File 'lib/passageidentity/auth.rb', line 131

def revoke_user_refresh_tokens(user_id)
  begin
    client = OpenapiClient::TokensApi.new
    response = client.revoke_user_refresh_tokens(@app_id, user_id)
    return true
  rescue Faraday::Error => e
    raise PassageError.new(
            message: "failed to revoke user's refresh tokens",
            status_code: e.response[:status],
            body: e.response[:body]
          )
  end
end

#validate_jwt(token) ⇒ Object 



86
87
88
89
90
91
92
 
# File 'lib/passageidentity/auth.rb', line 86

def validate_jwt(token)
  if token
    return authenticate_token(token)
  else
    raise PassageError.new(message: "no authentication token")
  end
end