feat(auth): authenticate using oidc (#400)

BREAKING CHANGE: Introduces a new authentication system.
- The application_url property is required to initialize ForestLiana,
- CORS rules must be adapted (to allow null origins).

Author: DrRaider

.gitignore

@@ -33,7 +33,6 @@ build/
 # for a library or gem, you might want to ignore these files since the code is
 # intended to run in multiple environments; otherwise, check them in:
 # Gemfile.lock
-# .ruby-version
 # .ruby-gemset
 
 # unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
@@ -43,3 +42,7 @@ node_modules/
 
 # IDE
 /.idea/
+
+# rbenv
+.ruby-version
+

Gemfile

@@ -33,3 +33,6 @@ gem 'base32', '0.3.2'
 gem 'rotp', '3.1'
 gem 'httparty', '0.13.7'
 gem 'ipaddress', '0.8.3'
+gem 'openid_connect', '1.2.0'
+gem 'json'
+gem 'json-jwt', '1.12.0'

Gemfile.lock

@@ -8,8 +8,11 @@ PATH
       groupdate (= 2.5.2)
       httparty
       ipaddress
+      json
+      json-jwt
       jsonapi-serializers (>= 0.14.0)
       jwt
+      openid_connect
       rack-cors
       rails (>= 4.0)
       rotp
@@ -53,44 +56,70 @@ GEM
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
       tzinfo (~> 1.1)
+    aes_key_wrap (1.1.0)
     arel (6.0.4)
     arel-helpers (2.10.0)
       activerecord (>= 3.1.0, < 7)
+    attr_required (1.0.1)
     base32 (0.3.2)
-    bcrypt (3.1.10)
-    builder (3.2.3)
-    byebug (8.2.2)
-    concurrent-ruby (1.1.5)
+    bcrypt (3.1.16)
+    bindata (2.4.8)
+    builder (3.2.4)
+    byebug (11.0.1)
+    concurrent-ruby (1.1.7)
     crass (1.0.6)
-    diff-lcs (1.3)
+    diff-lcs (1.4.4)
     erubis (2.7.0)
-    globalid (0.4.1)
+    globalid (0.4.2)
       activesupport (>= 4.2.0)
     groupdate (2.5.2)
       activesupport (>= 3)
     httparty (0.13.7)
       json (~> 1.8)
       multi_xml (>= 0.5.2)
+    httpclient (2.8.3)
     i18n (0.9.5)
       concurrent-ruby (~> 1.0)
     ipaddress (0.8.3)
     json (1.8.6)
+    json-jwt (1.12.0)
+      activesupport (>= 4.2)
+      aes_key_wrap
+      bindata
     jsonapi-serializers (1.0.1)
       activesupport
-    jwt (1.5.4)
-    loofah (2.8.0)
+    jwt (2.2.2)
+    loofah (2.7.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    mail (2.7.0)
+    mail (2.7.1)
       mini_mime (>= 0.1.1)
-    mini_mime (1.0.0)
+    mini_mime (1.0.2)
     mini_portile2 (2.4.0)
-    minitest (5.11.3)
+    minitest (5.14.2)
     multi_xml (0.6.0)
     nokogiri (1.10.10)
       mini_portile2 (~> 2.4.0)
-    rack (1.6.10)
-    rack-cors (0.4.0)
+    openid_connect (1.2.0)
+      activemodel
+      attr_required (>= 1.0.0)
+      json-jwt (>= 1.5.0)
+      rack-oauth2 (>= 1.6.1)
+      swd (>= 1.0.0)
+      tzinfo
+      validate_email
+      validate_url
+      webfinger (>= 1.0.1)
+    public_suffix (4.0.6)
+    rack (1.6.13)
+    rack-cors (1.0.6)
+      rack (>= 1.6.0)
+    rack-oauth2 (1.12.0)
+      activesupport
+      attr_required
+      httpclient
+      json-jwt (>= 1.11.0)
+      rack (< 2.1)
     rack-test (0.6.3)
       rack (>= 1.0)
     rails (4.2.7.1)
@@ -119,12 +148,12 @@ GEM
       thor (>= 0.18.1, < 2.0)
     rake (13.0.1)
     rotp (3.1.0)
-    rspec-core (3.8.0)
+    rspec-core (3.8.2)
       rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.2)
+    rspec-expectations (3.8.6)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+    rspec-mocks (3.8.2)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.8.0)
     rspec-rails (3.8.2)
@@ -135,20 +164,33 @@ GEM
       rspec-expectations (~> 3.8.0)
       rspec-mocks (~> 3.8.0)
       rspec-support (~> 3.8.0)
-    rspec-support (3.8.0)
+    rspec-support (3.8.3)
     sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
-    sprockets-rails (3.2.1)
+    sprockets-rails (3.2.2)
       actionpack (>= 4.0)
       activesupport (>= 4.0)
       sprockets (>= 3.0.0)
     sqlite3 (1.3.13)
-    thor (0.20.0)
+    swd (1.2.0)
+      activesupport (>= 3)
+      attr_required (>= 0.0.5)
+      httpclient (>= 2.4)
+    thor (1.0.1)
     thread_safe (0.3.6)
-    tzinfo (1.2.5)
+    tzinfo (1.2.8)
       thread_safe (~> 0.1)
-    useragent (0.16.5)
+    useragent (0.16.10)
+    validate_email (0.1.6)
+      activemodel (>= 3.0)
+      mail (>= 2.2.5)
+    validate_url (1.0.13)
+      activemodel (>= 3.0.0)
+      public_suffix
+    webfinger (1.1.0)
+      activesupport
+      httpclient (>= 2.4)
 
 PLATFORMS
   ruby
@@ -162,8 +204,11 @@ DEPENDENCIES
   groupdate (= 2.5.2)
   httparty (= 0.13.7)
   ipaddress (= 0.8.3)
+  json
+  json-jwt (= 1.12.0)
   jsonapi-serializers (= 1.0.1)
   jwt
+  openid_connect (= 1.2.0)
   rack-cors
   rails (= 4.2.7.1)
   rake

app/controllers/forest_liana/application_controller.rb

@@ -3,8 +3,6 @@
 
 module ForestLiana
   class ApplicationController < ForestLiana::BaseController
-    REGEX_COOKIE_SESSION_TOKEN = /forest_session_token=([^;]*)/;
-
     def self.papertrail?
       Object.const_get('PaperTrail::Version').is_a?(Class) rescue false
     end
@@ -64,7 +62,7 @@ def authenticate_user_from_jwt
             token = request.headers['Authorization'].split.second
           # NOTICE: Necessary for downloads authentication.
           elsif request.headers['cookie']
-            match = REGEX_COOKIE_SESSION_TOKEN.match(request.headers['cookie'])
+            match = ForestLiana::Token::REGEX_COOKIE_SESSION_TOKEN.match(request.headers['cookie'])
             token = match[1] if match && match[1]
           end
 
@@ -97,10 +95,6 @@ def get_smart_action_context
       end
     end
 
-    def route_not_found
-      head :not_found
-    end
-
     def internal_server_error
       head :internal_server_error
     end

app/controllers/forest_liana/authentication_controller.rb

@@ -0,0 +1,122 @@
+require 'uri'
+require 'json'
+
+module ForestLiana
+  class AuthenticationController < ForestLiana::BaseController
+    START_AUTHENTICATION_ROUTE = 'authentication'
+    CALLBACK_AUTHENTICATION_ROUTE = 'authentication/callback'
+    LOGOUT_ROUTE = 'authentication/logout';
+    PUBLIC_ROUTES = [
+      "/#{START_AUTHENTICATION_ROUTE}",
+      "/#{CALLBACK_AUTHENTICATION_ROUTE}",
+      "/#{LOGOUT_ROUTE}",
+    ]
+
+    def initialize
+      @authentication_service = ForestLiana::Authentication.new()
+    end
+  
+    def get_callback_url
+        URI.join(ForestLiana.application_url, "/forest/#{CALLBACK_AUTHENTICATION_ROUTE}").to_s
+    rescue => error
+      raise "application_url is not valid or not defined" if error.is_a?(ArgumentError)
+    end
+
+    def get_and_check_rendering_id
+      if !params.has_key?('renderingId')
+        raise ForestLiana::MESSAGES[:SERVER_TRANSACTION][:MISSING_RENDERING_ID]
+      end
+
+      rendering_id = params[:renderingId]
+      
+      if !(rendering_id.instance_of?(String) || rendering_id.instance_of?(Numeric)) || (rendering_id.instance_of?(Numeric) && rendering_id.nan?)
+        raise ForestLiana::MESSAGES[:SERVER_TRANSACTION][:INVALID_RENDERING_ID]
+      end
+
+      return rendering_id.to_i
+    end
+
+    def start_authentication 
+      begin
+        rendering_id = get_and_check_rendering_id()
+        callback_url = get_callback_url()
+
+        result = @authentication_service.start_authentication(
+          callback_url,
+          { 'renderingId' => rendering_id },
+        )
+
+        redirect_to(result['authorization_url'])
+      rescue => error
+        render json: { errors: [{ status: 500, detail: error.message }] },
+          status: :internal_server_error, serializer: nil
+      end
+    end
+
+    def authentication_callback
+      begin
+        callback_url = get_callback_url()
+
+        token = @authentication_service.verify_code_and_generate_token(
+          callback_url,
+          params,
+        )
+    
+        response.set_cookie(
+          'forest_session_token',
+          {
+            value: token,
+            httponly: true,
+            secure: true,
+            expires: ForestLiana::Token.expiration_in_days,
+            samesite: 'none',
+            path: '/'
+          },
+        )
+
+        response_body = {
+          tokenData: JWT.decode(token, ForestLiana.auth_secret, true, { algorithm: 'HS256' })[0]
+        }
+
+        # The token is sent decoded, because we don't want to share the whole, signed token
+        # that is used to authenticate people
+        # but the token itself contains interesting values, such as its expiration date
+        response_body[:token] = token if !ForestLiana.application_url.start_with?('https://')
+
+        render json: response_body, status: 200
+
+      rescue => error
+        render json: { errors: [{ status: 500, detail: error.message }] },
+          status: :internal_server_error, serializer: nil
+      end
+    end
+
+    def logout
+      begin
+        if cookies.has_key?(:forest_session_token)
+          forest_session_token = cookies[:forest_session_token]
+          
+          if forest_session_token
+            response.set_cookie(
+              'forest_session_token',
+              {
+                value: forest_session_token,
+                httponly: true,
+                secure: true,
+                expires: Time.at(0),
+                samesite: 'none',
+                path: '/'
+              },
+            )
+          end
+        end
+
+        render json: {}, status: 204
+      rescue => error
+        render json: { errors: [{ status: 500, detail: error.message }] },
+        status: :internal_server_error, serializer: nil
+      end
+    end
+
+  end
+end

app/controllers/forest_liana/base_controller.rb

@@ -4,6 +4,10 @@ class BaseController < ::ActionController::Base
     wrap_parameters false
     before_action :reject_unauthorized_ip
 
+    def route_not_found
+      head :not_found
+    end
+
     private
 
     def reject_unauthorized_ip

app/controllers/forest_liana/router.rb

@@ -7,7 +7,7 @@ def call(env)
     if resource.nil?
       FOREST_LOGGER.error "Routing error: Resource not found for collection #{collection_name}."
       FOREST_LOGGER.error "If this is a Smart Collection, please ensure your Smart Collection routes are defined before the mounted ForestLiana::Engine?"
-      ForestLiana::ApplicationController.action(:route_not_found).call(env)
+      ForestLiana::BaseController.action(:route_not_found).call(env)
     else
       begin
         component_prefix = ForestLiana.component_prefix(resource)
@@ -40,7 +40,7 @@ def call(env)
         controller.action(action.to_sym).call(env)
       rescue NoMethodError => exception
         FOREST_LOGGER.error "Routing error: #{exception}\n#{exception.backtrace.join("\n\t")}"
-        ForestLiana::ApplicationController.action(:route_not_found).call(env)
+        ForestLiana::BaseController.action(:route_not_found).call(env)
       end
     end
   end

app/controllers/forest_liana/sessions_controller.rb

@@ -85,7 +85,7 @@ def process_login(
         # NOTICE: Set a cookie to ensure secure authentication using export feature.
         # NOTICE: The token is empty at first authentication step if the 2FA option is active.
         if reponse_data[:token]
-          response.set_cookie("forest_session_token", { value: reponse_data[:token], expires: (Time.current + 14.days) })
+          response.set_cookie("forest_session_token", { value: reponse_data[:token], expires: (ForestLiana::Token.expiration_in_days) })
         end
 
         render(json: reponse_data, serializer: nil)

app/controllers/forest_liana/stats_controller.rb

@@ -6,11 +6,11 @@ class StatsController < ForestLiana::ApplicationController
       before_action :find_resource, except: [:get_with_live_query]
     end
 
-    CHART_TYPE_VALUE = 'Value';
-    CHART_TYPE_PIE = 'Pie';
-    CHART_TYPE_LINE = 'Line';
-    CHART_TYPE_LEADERBOARD = 'Leaderboard';
-    CHART_TYPE_OBJECTIVE = 'Objective';
+    CHART_TYPE_VALUE = 'Value'
+    CHART_TYPE_PIE = 'Pie'
+    CHART_TYPE_LINE = 'Line'
+    CHART_TYPE_LEADERBOARD = 'Leaderboard'
+    CHART_TYPE_OBJECTIVE = 'Objective'
 
     def get
       case params[:type]