API Access Tokens, encrypted and signed

Author: eliotsykes

Gemfile

@@ -10,6 +10,7 @@ gem 'sass-rails', '~> 4.0'
 gem 'sqlite3'
 gem 'turbolinks'
 gem 'uglifier', '>= 1.3.0'
+gem 'symmetric-encryption', '~> 3.8.1'
 
 gem 'quiet_assets', group: :development
 

Gemfile.lock

@@ -54,6 +54,8 @@ GEM
       ffi (~> 1.0, >= 1.0.11)
     cliver (0.3.2)
     coderay (1.1.0)
+    coercible (1.0.0)
+      descendants_tracker (~> 0.0.1)
     coffee-rails (4.1.0)
       coffee-script (>= 2.2.0)
       railties (>= 4.0.0, < 5.0)
@@ -67,6 +69,8 @@ GEM
       safe_yaml (~> 1.0.0)
     database_cleaner (1.4.1)
     debug_inspector (0.0.2)
+    descendants_tracker (0.0.4)
+      thread_safe (~> 0.3, >= 0.3.1)
     devise (3.5.1)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
@@ -226,6 +230,8 @@ GEM
       activesupport (>= 3.0)
       sprockets (>= 2.8, < 4.0)
     sqlite3 (1.3.10)
+    symmetric-encryption (3.8.1)
+      coercible (~> 1.0)
     thor (0.19.1)
     thread_safe (0.3.5)
     tilt (1.4.1)
@@ -282,6 +288,7 @@ DEPENDENCIES
   spring
   spring-commands-rspec
   sqlite3
+  symmetric-encryption (~> 3.8.1)
   turbolinks
   uglifier (>= 1.3.0)
   vcr

README.md

@@ -22,6 +22,7 @@ Hopefully this will be of help to those of you learning RSpec and Rails. If ther
 
 - [Support Configuration](#support-configuration)
 - [Run Specs in a Random Order](#run-specs-in-a-random-order)
+- [Testing Production Errors](#testing-production-errors)
 - [Testing Rake Tasks with RSpec](#testing-rake-tasks-with-rspec)
 - [Pry-rescue debugging](#pry-rescue-debugging)
 - [Time Travel Examples](#time-travel-examples)
@@ -41,6 +42,7 @@ Hopefully this will be of help to those of you learning RSpec and Rails. If ther
   - [Matchers](#matchers)
   - [Generators](#generators)
   - [Feature Specs & Docs](#feature-specs--docs)
+  - [API Request Specs, Docs, & Helpers](#api-request-specs-docs--helpers)
   - [Mailer Specs & Docs](#mailer-specs--docs)
   - [Controller Specs & Docs](#controller-specs--docs)
   - [View Specs & Docs](#view-specs--docs)
@@ -73,12 +75,18 @@ The specs run in a random order each time the test suite is run. This helps prev
 Random order test runs are configured using the `config.order = :random` and `Kernel.srand config.seed` options in [spec/spec_helper.rb](spec/spec_helper.rb).
 
 
+# Testing Production Errors
+
+When errors are raised, the Rails test environment may not behave as in production. The test environment may mask the actual error response you want to test. To help with this, you can disable test environment exception handling temporarily, [spec/support/error_responses.rb](spec/support/error_responses.rb) provides `respond_without_detailed_exceptions`. See it in use in [spec/api/v1/token_spec.rb](spec/api/v1/token_spec.rb) to provide production-like error responses in the test environment.
+
+
 # Testing Rake Tasks with RSpec
 
 RSpec testing Rake task configuration and example:
 - [spec/support/tasks.rb](spec/support/tasks.rb)
 - [spec/tasks/subscription_tasks_spec.rb](spec/tasks/subscription_tasks_spec.rb)
 
+
 # Pry-rescue debugging
 pry-rescue can be used to debug failing specs, by opening pry's debugger whenever a test failure is encountered. For setup and usage see [pry-rescue's README](https://github.com/ConradIrwin/pry-rescue).
 
@@ -208,6 +216,7 @@ Custom matchers configuration how-to and examples:
 - Chainable matcher: [spec/matchers/be_confirm_subscription_page.rb](spec/matchers/be_confirm_subscription_page.rb)
 - [spec/matchers/have_error_messages.rb](spec/matchers/have_error_messages.rb)
 - [spec/features/subscribe_to_newsletter_spec.rb](spec/features/subscribe_to_newsletter_spec.rb)
+- Lightweight matcher with `satisfy`: [spec/api/v1/token_spec.rb](spec/api/v1/token_spec.rb)
 
 
 # RSpec-Expectations Docs
@@ -220,41 +229,47 @@ Custom matchers configuration how-to and examples:
 - [spec/controllers/subscriptions_controller_spec.rb](spec/controllers/subscriptions_controller_spec.rb)
 - [spec/mailers/subscription_mailer_spec.rb](spec/mailers/subscription_mailer_spec.rb)
 - [spec/models/subscription_spec.rb](spec/models/subscription_spec.rb)
-- [RSpec Mocks API](https://relishapp.com/rspec/rspec-mocks/v/3-1/docs)
+- [RSpec Mocks API](https://relishapp.com/rspec/rspec-mocks/docs)
 
 # RSpec-Rails
-See [RSpec Rails](https://relishapp.com/rspec/rspec-rails/v/3-1/docs) for installation instructions.
+See [RSpec Rails](https://relishapp.com/rspec/rspec-rails/docs) for installation instructions.
 
 ## Matchers
-- https://relishapp.com/rspec/rspec-rails/v/3-1/docs/matchers
+- https://relishapp.com/rspec/rspec-rails/docs/matchers
 
 ## Generators
-- https://relishapp.com/rspec/rspec-rails/v/3-1/docs/generators
+- https://relishapp.com/rspec/rspec-rails/docs/generators
 
 ## Feature Specs & Docs
 - [spec/features/subscribe_to_newsletter_spec.rb](spec/features/subscribe_to_newsletter_spec.rb)
-- [Feature specs API](https://relishapp.com/rspec/rspec-rails/v/3-1/docs/feature-specs/feature-spec)
+- [Feature specs API](https://relishapp.com/rspec/rspec-rails/docs/feature-specs/feature-spec)
+
+## API Request Specs, Docs, & Helpers
+- [spec/api/v1/token_spec.rb](spec/api/v1/token_spec.rb)
+- [spec/support/json_helper.rb](spec/support/json_helper.rb)
+- [spec/support/error_responses.rb](spec/support/error_responses.rb)
+- [Request specs API](https://relishapp.com/rspec/rspec-rails/docs/request-specs/request-spec)
 
 ## Mailer Specs & Docs
 - [spec/mailers/subscription_mailer_spec.rb](spec/mailers/subscription_mailer_spec.rb)
-- [Mailer specs API](https://relishapp.com/rspec/rspec-rails/v/3-1/docs/mailer-specs/url-helpers-in-mailer-examples)
+- [Mailer specs API](https://relishapp.com/rspec/rspec-rails/docs/mailer-specs/url-helpers-in-mailer-examples)
 
 ## Controller Specs & Docs
 - [spec/controllers/subscriptions_controller_spec.rb](spec/controllers/subscriptions_controller_spec.rb)
-- [Controller specs API](https://relishapp.com/rspec/rspec-rails/v/3-1/docs/controller-specs)
+- [Controller specs API](https://relishapp.com/rspec/rspec-rails/docs/controller-specs)
 - [Controller specs cheatsheet](https://gist.github.com/eliotsykes/5b71277b0813fbc0df56)
 
 ## View Specs & Docs
 - [The Big List of View Specs](https://eliotsykes.com/view-specs)
-- [View specs API](https://relishapp.com/rspec/rspec-rails/v/3-3/docs/view-specs)
+- [View specs API](https://relishapp.com/rspec/rspec-rails/docs/view-specs)
 
 ## Helper Specs & Docs
 - [spec/helpers/application_helper_spec.rb](spec/helpers/application_helper_spec.rb)
-- [Helper specs API](https://relishapp.com/rspec/rspec-rails/v/3-1/docs/helper-specs/helper-spec)
+- [Helper specs API](https://relishapp.com/rspec/rspec-rails/docs/helper-specs/helper-spec)
 
 ## Routing Specs & Docs
 - [spec/routing/subscriptions_routing_spec.rb](spec/routing/subscriptions_routing_spec.rb)
-- [Routing specs API](https://relishapp.com/rspec/rspec-rails/v/3-1/docs/routing-specs)
+- [Routing specs API](https://relishapp.com/rspec/rspec-rails/docs/routing-specs)
 
 
 # Enable Spring for RSpec

app/controllers/api/api_controller.rb

@@ -0,0 +1,9 @@
+class Api::ApiController < ActionController::Base
+  protect_from_forgery with: :null_session
+
+  def self.disable_turbolinks_cookies
+    skip_before_action :set_request_method_cookie
+  end
+
+  disable_turbolinks_cookies
+end

app/controllers/api/v1/access_tokens_controller.rb

@@ -0,0 +1,24 @@
+class Api::V1::AccessTokensController < Api::ApiController
+
+  def create
+    respond_to_json do
+      render json: { access_token: token_guardian.issue_token }, status: :created
+    end
+  end
+
+  private
+
+  def respond_to_json
+    assert_request_content_type Mime::JSON
+    respond_to { |format| format.json { yield } }
+  end
+
+  def assert_request_content_type(content_type)
+    raise UnsupportedMediaType unless request.content_type == content_type
+  end
+  
+  def token_guardian
+    @token_guardian ||= TokenGuardian.build(controller: self)
+  end
+
+end

app/models/access_token.rb

@@ -0,0 +1,7 @@
+class AccessToken < ActiveRecord::Base
+  include HardenedToken
+  hardened_token
+
+  belongs_to :user
+
+end

app/models/concerns/hardened_token.rb

@@ -0,0 +1,37 @@
+module HardenedToken
+  extend ActiveSupport::Concern
+
+  LOCATOR_LENGTH = { bytes: 48.freeze, chars: 64.freeze }.freeze
+  SECRET_LENGTH = { bytes: 192.freeze, chars: 256.freeze }.freeze
+
+  def unencrypted
+    "#{locator}:#{secret}"
+  end
+
+  class_methods do
+
+    def hardened_token
+      attr_encrypted :secret, random_iv: true
+
+      before_validation do
+        self.locator = self.class.generate_locator if locator.blank?
+        self.secret = self.class.generate_secret if secret.blank?
+      end
+
+      validates_length_of :locator, is: LOCATOR_LENGTH[:chars]
+      validates_uniqueness_of :locator, case_sensitive: true
+
+      validates_length_of :secret, is: SECRET_LENGTH[:chars]
+      validates :encrypted_secret, symmetric_encryption: true
+    end
+
+    def generate_locator
+      SecureRandom.urlsafe_base64 LOCATOR_LENGTH[:bytes]
+    end
+
+    def generate_secret
+      SecureRandom.urlsafe_base64 SECRET_LENGTH[:bytes]
+    end
+  end
+
+end

app/models/token_guardian.rb

@@ -0,0 +1,47 @@
+class TokenGuardian
+
+  attr_reader :encryptor, :params
+
+  def self.build(controller:)
+    # Borrow MessageEncryptor, thank you CookieJar.
+    encryptor = controller.request.cookie_jar.encrypted.instance_variable_get :@encryptor
+    TokenGuardian.new(encryptor: encryptor, params: controller.params)
+  end
+
+  def initialize(encryptor:, params:)
+    @encryptor = encryptor
+    @params = params
+  end
+
+  def issue_token
+    user = authenticate_user
+    access_token = user.issue_access_token
+    encryptor.encrypt_and_sign(access_token.unencrypted)
+  end
+
+  private
+
+  def authenticate_user
+    authenticate_user_with_devise
+  end
+
+  def authenticate_user_with_devise
+    user = User.find_for_database_authentication(email: user_params[:email])
+
+    if user && user.valid_for_authentication? { user.valid_password?(user_params[:password]) }
+      user.update_attribute(:failed_attempts, 0) unless user.failed_attempts.zero?
+      return user
+    end
+
+    raise UnauthorizedAccess
+  end
+
+  def user_params
+    @user_params ||= if @user_params.nil?
+      user_parameters = params.require(:user)
+      user_parameters.require(:email)
+      user_parameters.require(:password)
+      user_parameters.permit(:email, :password)
+    end
+  end
+end

app/models/user.rb

@@ -4,4 +4,10 @@ class User < ActiveRecord::Base
   devise :database_authenticatable, :registerable,
          :recoverable, :rememberable, :trackable, :validatable,
          :confirmable, :lockable
+
+  has_many :access_tokens, dependent: :destroy
+
+  def issue_access_token
+    access_tokens.create!
+  end
 end

config/initializers/devise.rb

@@ -169,11 +169,11 @@
   # :time  = Re-enables login after a certain amount of time (see :unlock_in below)
   # :both  = Enables both strategies
   # :none  = No unlock strategy. You should handle unlocking by yourself.
-  # config.unlock_strategy = :both
+  config.unlock_strategy = :none
 
   # Number of authentication tries before locking an account if lock_strategy
   # is failed attempts.
-  config.maximum_attempts = 3
+  config.maximum_attempts = 10
 
   # Time interval to unlock the account if :time is enabled as unlock_strategy.
   # config.unlock_in = 1.hour