WIP

Author: floehopper

gemfiles/rails_7.2.gemfile.lock

@@ -2,6 +2,7 @@ PATH
   remote: ..
   specs:
     rpi_auth (4.0.0)
+      oauth2
       omniauth-rails_csrf_protection (~> 1.0.0)
       omniauth_openid_connect (~> 0.7.1)
       rails (>= 6.1.4)
@@ -103,6 +104,9 @@ GEM
     coderay (1.1.3)
     concurrent-ruby (1.3.5)
     connection_pool (2.5.0)
+    crack (1.0.0)
+      bigdecimal
+      rexml
     crass (1.0.6)
     date (3.4.1)
     diff-lcs (1.6.1)
@@ -129,6 +133,7 @@ GEM
     ffi (1.17.1-x86_64-linux-musl)
     globalid (1.2.1)
       activesupport (>= 6.1)
+    hashdiff (1.1.2)
     hashie (5.0.0)
     i18n (1.14.7)
       concurrent-ruby (~> 1.0)
@@ -145,6 +150,8 @@ GEM
       bindata
       faraday (~> 2.0)
       faraday-follow_redirects
+    jwt (2.10.1)
+      base64
     language_server-protocol (3.17.0.4)
     lint_roller (1.1.0)
     listen (3.9.0)
@@ -164,6 +171,8 @@ GEM
     method_source (1.1.0)
     mini_mime (1.1.5)
     minitest (5.25.5)
+    multi_xml (0.7.1)
+      bigdecimal (~> 3.1)
     net-http (0.6.0)
       uri
     net-imap (0.5.6)
@@ -192,6 +201,13 @@ GEM
       racc (~> 1.4)
     nokogiri (1.18.7-x86_64-linux-musl)
       racc (~> 1.4)
+    oauth2 (2.0.9)
+      faraday (>= 0.17.3, < 3.0)
+      jwt (>= 1.0, < 3.0)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 4)
+      snaky_hash (~> 2.0)
+      version_gem (~> 1.1)
     omniauth (2.1.3)
       hashie (>= 3.4.6)
       rack (>= 2.2.3)
@@ -294,6 +310,7 @@ GEM
     regexp_parser (2.10.0)
     reline (0.6.1)
       io-console (~> 0.5)
+    rexml (3.4.1)
     rspec-core (3.13.3)
       rspec-support (~> 3.13.0)
     rspec-expectations (3.13.3)
@@ -348,6 +365,9 @@ GEM
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.13.1)
     simplecov_json_formatter (0.1.4)
+    snaky_hash (2.0.1)
+      hashie
+      version_gem (~> 1.1, >= 1.1.1)
     stringio (3.1.6)
     swd (2.0.3)
       activesupport (>= 3)
@@ -366,10 +386,15 @@ GEM
     validate_url (1.0.15)
       activemodel (>= 3.0.0)
       public_suffix
+    version_gem (1.1.7)
     webfinger (2.1.3)
       activesupport
       faraday (~> 2.0)
       faraday-follow_redirects
+    webmock (3.25.1)
+      addressable (>= 2.8.0)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
     websocket-driver (0.7.7)
       base64
       websocket-extensions (>= 0.1.0)
@@ -402,6 +427,7 @@ DEPENDENCIES
   rubocop-rails
   rubocop-rspec
   simplecov
+  webmock
 
 BUNDLED WITH
    2.3.27

lib/rpi_auth.rb

@@ -4,6 +4,7 @@
 require 'rpi_auth/engine'
 require 'rpi_auth/configuration'
 require 'rpi_auth/models/authenticatable'
+require 'rpi_auth/models/with_tokens'
 require 'omniauth/rails_csrf_protection'
 
 module RpiAuth

lib/rpi_auth/controllers/auto_refreshing_token.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'oauth2/error'
+
+module RpiAuth
+  module Controllers
+    module AutoRefreshingToken
+      extend ActiveSupport::Concern
+
+      include CurrentUser
+
+      included do
+        before_action :refresh_credentials_if_needed
+      end
+
+      private
+
+      def refresh_credentials_if_needed
+        return unless current_user
+
+        return if Time.now.to_i < current_user.expires_at
+
+        current_user.refresh_credentials!
+        self.current_user = current_user
+      # TODO: rescuing all ArgumentErrors is risky
+      rescue OAuth2::Error, ArgumentError
+        reset_session
+      end
+    end
+  end
+end

lib/rpi_auth/models/authenticatable.rb

@@ -23,11 +23,15 @@ module Authenticatable
         include ActiveModel::Serialization
 
         attr_accessor :user_id, *PROFILE_KEYS
+      end
 
-        # Allow serialization
-        def attributes
-          (['user_id'] + PROFILE_KEYS).index_with { |_k| nil }
-        end
+      def attribute_keys
+        %w[user_id] + PROFILE_KEYS
+      end
+
+      # Allow serialization
+      def attributes
+        attribute_keys.map(&:to_s).index_with { |_k| nil }
       end
 
       class_methods do

lib/rpi_auth/models/with_tokens.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'rpi_auth/oauth_client'
+
+module RpiAuth
+  module Models
+    module WithTokens
+      extend ActiveSupport::Concern
+
+      include Authenticatable
+
+      included do
+        attr_accessor :access_token, :expires_at, :refresh_token
+
+        alias id user_id
+        alias id= user_id=
+      end
+
+      def attribute_keys
+        super + %w[access_token expires_at refresh_token user_id]
+      end
+
+      def refresh_credentials!
+        oauth_client = OauthClient.new
+        credentials = oauth_client.refresh_credentials(access_token:, refresh_token:)
+
+        assign_attributes(**credentials)
+      end
+
+      class_methods do
+        def from_omniauth(auth)
+          user = super
+          return unless user
+
+          if auth.credentials
+            user.access_token = auth.credentials.token
+            user.refresh_token = auth.credentials.refresh_token
+            user.expires_at = Time.now.to_i + auth.credentials.expires_in
+          end
+
+          user
+        end
+      end
+    end
+  end
+end

lib/rpi_auth/oauth_client.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'oauth2/client'
+require 'oauth2/access_token'
+
+module RpiAuth
+  class OauthClient
+    attr_reader :client
+
+    def initialize
+      @client = OAuth2::Client.new(
+        RpiAuth.configuration.auth_client_id,
+        RpiAuth.configuration.auth_client_secret,
+        site: RpiAuth.configuration.auth_token_url,
+        token_url: RpiAuth.configuration.token_endpoint.path,
+        authorize_url: RpiAuth.configuration.authorization_endpoint.path
+      )
+    end
+
+    def refresh_credentials(**credentials)
+      new_credentials = if RpiAuth.configuration.bypass_auth
+                          credentials.merge(expires_at: 1.hour.from_now)
+                        else
+                          OAuth2::AccessToken.from_hash(client, credentials).refresh.to_hash
+                        end
+
+      {
+        access_token: new_credentials[:access_token],
+        refresh_token: new_credentials[:refresh_token],
+        expires_at: new_credentials[:expires_at].to_i
+      }
+    end
+  end
+end

rpi_auth.gemspec

@@ -21,6 +21,7 @@ Gem::Specification.new do |spec|
 
   spec.required_ruby_version = '>= 3.1.0'
 
+  spec.add_dependency 'oauth2'
   spec.add_dependency 'omniauth_openid_connect', '~> 0.7.1'
   spec.add_dependency 'omniauth-rails_csrf_protection', '~> 1.0.0'
   spec.add_dependency 'rails', '>= 6.1.4'
@@ -36,4 +37,5 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rubocop-rails'
   spec.add_development_dependency 'rubocop-rspec'
   spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'webmock'
 end

spec/dummy/app/controllers/application_controller.rb

@@ -1,3 +1,7 @@
+require 'rpi_auth/controllers/current_user'
+require 'rpi_auth/controllers/auto_refreshing_token'
+
 class ApplicationController < ActionController::Base
   include RpiAuth::Controllers::CurrentUser
+  include RpiAuth::Controllers::AutoRefreshingToken
 end

spec/dummy/app/models/user.rb

@@ -1,3 +1,4 @@
 class User
   include RpiAuth::Models::Authenticatable
+  include RpiAuth::Models::WithTokens
 end

spec/dummy/spec/requests/refresh_credentials_spec.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+require 'oauth2/error'
+
+RSpec.describe 'Refreshing the auth token', type: :request do
+  include ActiveSupport::Testing::TimeHelpers
+
+  subject(:request) { get root_path }
+
+  let(:logged_in_text) { 'Log out' }
+  let(:stub_oauth_client) { instance_double(RpiAuth::OauthClient) }
+
+  before do
+    freeze_time
+    allow(RpiAuth::OauthClient).to receive(:new).and_return(stub_oauth_client)
+    allow(stub_oauth_client).to receive(:refresh_credentials).with(any_args)
+    RpiAuth.configuration.user_model = 'User'
+  end
+
+  after do
+    unfreeze_time
+  end
+
+  shared_examples 'there is no attempt to renew the token' do
+    it 'calls refresh_credentials on the oauth client' do
+      request
+      expect(stub_oauth_client).not_to have_received(:refresh_credentials)
+    end
+  end
+
+  shared_examples 'there is an attempt to renew the token' do
+    it 'does not call refresh_credentials on the oauth client' do
+      request
+      expect(stub_oauth_client).to have_received(:refresh_credentials)
+    end
+  end
+
+  shared_examples 'the user is logged in' do
+    it do
+      request
+      expect(response.body).to include(logged_in_text)
+    end
+  end
+
+  shared_examples 'the user is logged out' do
+    it do
+      request
+      expect(response.body).not_to include(logged_in_text)
+    end
+  end
+
+  context 'when not logged in' do
+    it_behaves_like 'the user is logged out'
+    it_behaves_like 'there is no attempt to renew the token'
+  end
+
+  context 'when logged in' do
+    let(:user) { User.new(expires_at:) }
+
+    before do
+      log_in(user:)
+    end
+
+    context 'when the access token has not expired' do
+      let(:expires_at) { 10.seconds.from_now }
+
+      it_behaves_like 'the user is logged in'
+      it_behaves_like 'there is no attempt to renew the token'
+    end
+
+    context 'when the access token has expired' do
+      let(:expires_at) { 10.seconds.ago }
+
+      before do
+        allow(stub_oauth_client).to receive(:refresh_credentials).with(any_args).and_return({ access_token: 'foo',
+                                                                                              refresh_token: 'bar',
+                                                                                              expires_at: 10.minutes.from_now })
+      end
+
+      it_behaves_like 'the user is logged in'
+      it_behaves_like 'there is an attempt to renew the token'
+
+      context 'when an OAuth error is raised' do
+        before do
+          allow(stub_oauth_client).to receive(:refresh_credentials).with(any_args).and_raise(OAuth2::Error.new('blargh'))
+        end
+
+        it_behaves_like 'the user is logged out'
+        it_behaves_like 'there is an attempt to renew the token'
+      end
+    end
+  end
+end