Add Models::WithTokens concern

floehopper · floehopper · commit fdfc7948fdad · 2025-04-17T14:03:22.000+01:00
This can optionally be included into your user model in order to obtain an access token, a refresh token, and an expiry time when logging in. These attributes are set by the same mechanism in `AuthController#callback` that populates `user_id` on the user via `Authenticatable.from_omniauth`, but instead calls `WithTokens.from_omniauth` which in turn calls `Authenticatable.from_omniauth` via the ancestor chain. This also relies on: - `RpiAuth.configuration.scope` including the "offline" scope in the Rails app which is using the `rpi_auth` gem. - In the `profile` app `hydra_client` config for the Rails app, `grant_types` must include "refresh_token" and `scope` must include "offline". Again this has been substantially copied from `code-club-frontend`: - `app/models/user.rb` [1] - `spec/models/user_spec.rb` [2] Some things that I've changed: - Moved methods on `User` into an `RpiAuth` namespaced concern which can be included into the user model in the Rails app. - Override the recently added `Authenticatable#attribute_keys` method, but call `super` to avoid duplication. - I haven't included the aliases for `#id` & `#id=` methods, because it wasn't immediately obvious that these are relevant for projects other than `code-club-frontend`. - Use `RpiAuth.configuration.bypass_auth` instead of reading `BYPASS_AUTH` env var directly as per this PR [3] - Use `RpiAuth.configure` in the `before` block instead of using `ClimateControl.modify` in an `around` block. The former is possible, because the `RpiAuth` configuration is reset before every example [4]. [1]: https://github.com/RaspberryPiFoundation/code-club-frontend/blob/f7e965798d910584fed0d1eb7867f32a899f9ce8/app/models/user.rb [2]: https://github.com/RaspberryPiFoundation/code-club-frontend/blob/f7e965798d910584fed0d1eb7867f32a899f9ce8/spec/models/user_spec.rb [3]: https://github.com/RaspberryPiFoundation/experience-cs/pull/315 [4]: https://github.com/RaspberryPiFoundation/rpi-auth/blob/e54cc7a30c61cf43874a38c79f1e2f3e2b6d2103/spec/spec_helper.rb#L132-L136
diff --git a/lib/rpi_auth.rb b/lib/rpi_auth.rb
@@ -4,6 +4,7 @@
 require 'rpi_auth/engine'
 require 'rpi_auth/configuration'
 require 'rpi_auth/models/authenticatable'
+require 'rpi_auth/models/with_tokens'
 require 'omniauth/rails_csrf_protection'
 
 module RpiAuth
diff --git a/lib/rpi_auth/models/with_tokens.rb b/lib/rpi_auth/models/with_tokens.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'rpi_auth/oauth_client'
+
+module RpiAuth
+  module Models
+    module WithTokens
+      extend ActiveSupport::Concern
+
+      include Authenticatable
+
+      included do
+        attr_accessor :access_token, :expires_at, :refresh_token
+      end
+
+      def attribute_keys
+        super + %w[access_token expires_at refresh_token user_id]
+      end
+
+      def refresh_credentials!
+        oauth_client = OauthClient.new
+        credentials = oauth_client.refresh_credentials(access_token:, refresh_token:)
+
+        assign_attributes(**credentials)
+      end
+
+      class_methods do
+        def from_omniauth(auth)
+          user = super
+          return unless user
+
+          if auth.credentials
+            user.access_token = auth.credentials.token
+            user.refresh_token = auth.credentials.refresh_token
+            user.expires_at = Time.now.to_i + auth.credentials.expires_in
+          end
+
+          user
+        end
+      end
+    end
+  end
+end
diff --git a/spec/dummy/app/models/user.rb b/spec/dummy/app/models/user.rb
@@ -1,3 +1,4 @@
 class User
   include RpiAuth::Models::Authenticatable
+  include RpiAuth::Models::WithTokens
 end
diff --git a/spec/rpi_auth/models/with_tokens_spec.rb b/spec/rpi_auth/models/with_tokens_spec.rb
@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+class DummyUser
+  include RpiAuth::Models::Authenticatable
+  include RpiAuth::Models::WithTokens
+end
+
+RSpec.describe DummyUser do
+  include ActiveSupport::Testing::TimeHelpers
+
+  subject(:user) { described_class.new }
+
+  it { is_expected.to respond_to(:access_token) }
+  it { is_expected.to respond_to(:refresh_token) }
+  it { is_expected.to respond_to(:expires_at) }
+
+  describe '#refresh_credentials!' do
+    subject(:refresh_credentials) { user.refresh_credentials! }
+
+    let(:stub_oauth_client) { instance_double(RpiAuth::OauthClient) }
+    let(:new_tokens) { { access_token: 'foo', refresh_token: 'bar', expires_at: 1.hour.from_now.utc } }
+
+    before do
+      allow(RpiAuth::OauthClient).to receive(:new).and_return(stub_oauth_client)
+      allow(stub_oauth_client).to receive(:refresh_credentials).with(access_token: user.access_token, refresh_token: user.refresh_token).and_return(new_tokens)
+    end
+
+    it { expect { refresh_credentials }.to change(user, :access_token).from(user.access_token).to(new_tokens[:access_token]) }
+    it { expect { refresh_credentials }.to change(user, :refresh_token).from(user.refresh_token).to(new_tokens[:refresh_token]) }
+    it { expect { refresh_credentials }.to change(user, :expires_at).from(user.expires_at).to(new_tokens[:expires_at]) }
+  end
+
+  describe '#from_omniauth' do
+    subject(:user) { described_class.from_omniauth(auth) }
+
+    let(:omniauth_user) { described_class.new }
+    let(:info) { omniauth_user.serializable_hash }
+    let(:credentials) { { token: SecureRandom.base64(12), refresh_token: SecureRandom.base64(12), expires_in: rand(60..240) } }
+
+    let(:auth) do
+      OmniAuth::AuthHash.new(
+        {
+          provider: 'rpi',
+          uid: omniauth_user.user_id,
+          credentials:,
+          extra: {
+            raw_info: info
+          }
+        }
+      )
+    end
+
+    it { is_expected.to be_a described_class }
+
+    it 'sets the access_token' do
+      expect(user.access_token).to eq credentials[:token]
+    end
+
+    it 'sets the refresh_token' do
+      expect(user.refresh_token).to eq credentials[:refresh_token]
+    end
+
+    context 'when no credentials are returned' do
+      let(:credentials) { nil }
+
+      it 'sets the access_token to be nil' do
+        expect(user.access_token).to be_nil
+      end
+    end
+
+    it 'sets the expires_at time correctly' do
+      freeze_time do
+        expect(user.expires_at).to eq credentials[:expires_in].seconds.from_now.to_i
+      end
+    end
+
+    context 'with unusual keys in info' do
+      let(:info) { { foo: :bar, flibble: :woo } }
+
+      it { is_expected.to be_a described_class }
+    end
+
+    context 'with no info' do
+      let(:info) { nil }
+
+      it { is_expected.to be_a described_class }
+    end
+
+    context 'with no auth set' do
+      let(:auth) { nil }
+
+      it { is_expected.to be_nil }
+    end
+  end
+end
