Module: Verikloak::Rails::Controller

Extended by:
ActiveSupport::Concern
Defined in:
lib/verikloak/rails/controller.rb

Overview

Controller concern providing Verikloak helpers and JSON error handling.

Includes `before_action :authenticate_user!`, helpers such as `current_user_claims`, and consistent 401/403 responses. Optionally wraps requests with tagged logging and a 500 JSON renderer.


Instance Method Details

#authenticate_user! ⇒ void

This method returns an undefined value.

Ensures a user is authenticated, otherwise renders a JSON 401 response.

Examples:

In a controller

class ApiController < ApplicationController
  before_action :authenticate_user!
end


# File 'lib/verikloak/rails/controller.rb', line 43

def authenticate_user!
  return if authenticated?

  e = begin
    ::Verikloak::Error.new('unauthorized')
  rescue StandardError
    StandardError.new('Unauthorized')
  end
  Verikloak::Rails.config.error_renderer.render(self, e)
end

#authenticated? ⇒ Boolean

Whether the request has verified user claims.

Returns:

  • (Boolean)


# File 'lib/verikloak/rails/controller.rb', line 56

def authenticated? = current_user_claims.present?

#current_subject ⇒ String?

The `sub` (subject) claim from the current user claims.

Returns:

  • (String, nil)


# File 'lib/verikloak/rails/controller.rb', line 82

def current_subject = current_user_claims && current_user_claims['sub']

#current_token ⇒ String?

The raw bearer token used for the current request. The value in the Rack env is preferred; RequestStore is used as a fallback when it is loaded.

Returns:

  • (String, nil)


# File 'lib/verikloak/rails/controller.rb', line 72

def current_token
  env_token = request.env['verikloak.token']
  return env_token unless env_token.nil?
  return ::RequestStore.store[:verikloak_token] if defined?(::RequestStore) && ::RequestStore.respond_to?(:store)

  nil
end

#current_user_claims ⇒ Hash?

The verified JWT claims for the current user. The value in the Rack env is preferred; RequestStore is used as a fallback when it is loaded.

Returns:

  • (Hash, nil)


# File 'lib/verikloak/rails/controller.rb', line 61

def current_user_claims
  env_claims = request.env['verikloak.user']
  return env_claims unless env_claims.nil?
  return ::RequestStore.store[:verikloak_user] if defined?(::RequestStore) && ::RequestStore.respond_to?(:store)

  nil
end

#with_required_audience!(*required) ⇒ void

This method returns an undefined value.

Enforces that the current user has all required audiences.

Examples:

with_required_audience!('my-api', 'payments')

Parameters:

  • required (Array<String>)

    one or more audiences to require

Raises:

  • (Verikloak::Error)

    when the required audience is missing

# File 'lib/verikloak/rails/controller.rb', line 91

def with_required_audience!(*required)
  aud = Array(current_user_claims&.dig('aud'))
  return if required.flatten.all? { |r| aud.include?(r) }

  raise ::Verikloak::Error.new('forbidden', 'Required audience not satisfied')
end
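The distinction the concern draws between a missing identity (401 from `authenticate_user!`) and a verified identity that lacks a required audience (403 via `Verikloak::Error` from `with_required_audience!`) can be exercised without Rails. The following is an added example, not code from the verikloak gem: `FakeApiController` and the stub `Verikloak::Error` are assumptions that mirror the helpers above, with a plain Hash standing in for `request.env`, and it also covers the `aud` claim arriving as either a String or an Array.

```ruby
# Constructed stand-in for Verikloak::Error (assumption: a code plus a message).
module Verikloak
  class Error < StandardError
    attr_reader :code

    def initialize(code, message = code)
      @code = code
      super(message)
    end
  end
end

# Minimal controller double reimplementing the concern's helpers so that the
# 401 (no verified claims) versus 403 (claims present, audience missing) split
# can be driven with constructed claims. `env` stands in for request.env.
class FakeApiController
  attr_reader :env, :response

  def initialize(env)
    @env = env
    @response = nil
  end

  def current_user_claims = env['verikloak.user']

  def authenticated? = !current_user_claims.nil? && !current_user_claims.empty?

  # 'aud' may be a single String or an Array of Strings (RFC 7519);
  # Array() normalises both, and a nil claim becomes [] so nothing matches.
  def audience_satisfied?(*required)
    aud = Array(current_user_claims&.dig('aud'))
    required.flatten.all? { |r| aud.include?(r) }
  end

  # Returns [status, body] the way a JSON error renderer would: 401 before any
  # authorization check, 403 when the identity is verified but not entitled.
  def handle(*required_aud)
    return @response = [401, { 'error' => 'unauthorized' }] unless authenticated?
    raise Verikloak::Error.new('forbidden', 'Required audience not satisfied') unless audience_satisfied?(*required_aud)

    @response = [200, { 'sub' => current_user_claims['sub'] }]
  rescue Verikloak::Error => e
    @response = [403, { 'error' => e.code, 'message' => e.message }]
  end
end
```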