Invalidate tokens. Expire Tokens. And config options. (#7)

* Adding the ability to revoke tokens

We keep track of a set of "revoke_tokens", which are stored in the DB, and also in the JWT token.

If the revoke token is removed from the DB, and a user tries to use the corrosponding JWT token, then the request will be denied.

Also adding messages to a lot of exceptions.

* Add some docs

* Switching to a single verifier token

* Rename revokable to revocable

* Renaming to Tokenable::Verifier

* Much cleaner way to check if Verifier is included

* Adding support for Expiring Tokens + Tokenable config (#8)

* Adding support for expiring tokens

This is optional, and if the config setting (yet to be built) is set to nil, then the tokens will never expire

* Adding config options for lifespan, and secret

* No need to catch here, as we catch this exception in `current_user`

* We want to call jwt_user_id first, so that the root exception is bubbled up

* Catching and throwing more specific JWT errors

* Some docs on Config options, and also document that user_id is returned

* Specific section on token expiry

* Change docs order a bit

* Moving to a Config class so we can easily test, and also add a nicer way to access Proc's

* Bit nicer way to get proc_reader when needed

* Use from_tokenable_params instead of from_params

* Use string instead of uuid

* Fix this

* Some docs

Author: scottrobertson

README.md

@@ -44,15 +44,54 @@ You can chose from:
 You can also create your own stragery. This is as simple as creating a method on the User object.
 
 ```ruby
-def self.from_params(params)
+def self.from_tokenable_params(params)
   user = User.find_by(something: params[:something])
   return nil unless user.present?
-  
+
   return nil unless user.password_valid?(params[:password])
   user
 end
 ```
 
+### Invalidate Tokens
+
+If you want to be able to invalidate tokens from the server, then you can add `Tokenable::Verifier`.
+
+```ruby
+class User < ApplicationRecord
+  include Tokenable::Verifier
+end
+```
+
+And running the following migration:
+
+```bash
+rails g migration AddTokenableVerifierToUsers tokenable_verifier:string
+```
+
+You can now invalidate all tokens by calling `user.invalidate_tokens!`.
+
+### Token Expiry
+
+By default, tokens will live forever. If you want to change this, you can set a config option (see below for how to set that up).
+
+```ruby
+Tokenable::Config.lifespan = 7.days
+```
+
+### Configuration Options
+
+Tokenable works out of the box, with no config required, however you can tweak the settings, by creating `config/initializers/tokenable.rb` file.
+
+```ruby
+# The secret used to create these tokens. This is then used to verify the
+# token is valid. Note: Tokens are not encrypted, and container the user_id.
+# Default: Rails.application.secret_key_base
+Tokenable::Config.secret = 'a-256-bit-string'
+```
+
+### Example Usage
+
 Once you have this setup, you can login. For example, you could login using `axios` in JavaScript:
 
 ```js
@@ -62,12 +101,13 @@ const { data } = await axios.post("https://example.com/api/auth", {
 });
 
 const token = data.data.token;
+const user_id = data.data.user_id;
 ```
 
 You then use this token in all future API requests:
 
 ```js
-const { data } = await axios.get("https://example.com/api/user", {
+const { data } = await axios.get(`https://example.com/api/user/${user_id}`, {
   headers: { Authorization: `Bearer ${token}` },
 });
 ```

lib/tokenable.rb

@@ -2,6 +2,8 @@
 
 require_relative 'tokenable/version'
 require_relative 'tokenable/authable'
+require_relative 'tokenable/verifier'
+require_relative 'tokenable/config'
 require_relative 'tokenable/railtie' if defined?(Rails)
 
 module Tokenable

lib/tokenable/authable.rb

@@ -14,8 +14,6 @@ module Authable
 
     def user_signed_in?
       current_user.present?
-    rescue Tokenable::Unauthorized
-      false
     end
 
     def current_user
@@ -25,44 +23,65 @@ def current_user
     end
 
     def require_tokenable_user!
-      raise Tokenable::Unauthorized unless user_signed_in?
+      raise Tokenable::Unauthorized.new('User not found in JWT token') unless jwt_user_id
+      raise Tokenable::Unauthorized.new('User is not signed in') unless user_signed_in?
+      raise Tokenable::Unauthorized.new('Token verifier is invalid') if user_class.included_modules.include?(Tokenable::Verifier) && !current_user.valid_verifier?(jwt_verifier)
     end
 
     private
 
     def user_class
-      User
+      Tokenable::Config.user_class
     end
 
     def token_from_header
-      headers['Authorization'].to_s.split(' ').last
+      request.authorization.to_s.split(' ').last
     end
 
-    def token_from_user(user_id)
+    def token_from_user(user)
       jwt_data = {
-        user_id: user_id,
-      }
-      jwt_token = JWT.encode(jwt_data, jwt_secret, 'HS256')
-      {
-        user_id: user_id,
-        token: jwt_token,
+        data: {
+          user_id: user.id,
+        }
       }
+
+      if jwt_expiry_time
+        jwt_data[:exp] = jwt_expiry_time
+      end
+
+      if user_class.included_modules.include?(Tokenable::Verifier)
+        jwt_data[:data][:verifier] = user.current_verifier
+      end
+
+      JWT.encode(jwt_data, jwt_secret, 'HS256')
     end
 
     def jwt_user_id
-      jwt['data']['user_id']
+      jwt.dig('data', 'user_id')
+    end
+
+    def jwt_verifier
+      jwt.dig('data', 'verifier')
     end
 
     def jwt
-      raise Tokenable::Unauthorized unless token_from_header.present?
+      raise Tokenable::Unauthorized.new('Bearer token not provided') unless token_from_header.present?
+
+      @jwt ||= JWT.decode(token_from_header, jwt_secret, true, { algorithm: 'HS256' }).first.to_h
+    rescue JWT::ExpiredSignature
+      raise Tokenable::Unauthorized.new('Token has expired')
+    rescue JWT::VerificationError
+      raise Tokenable::Unauthorized.new('The tokenable secret used in this token does not match the one supplied in Tokenable::Config.secret')
+    rescue JWT::DecodeError
+      raise Tokenable::Unauthorized.new('JWT exception thrown')
+    end
 
-      @jwt ||= JWT.decode(token_from_header, jwt_secret, true, { algorithm: 'HS256' }).first
-    rescue JWT::ExpiredSignature, JWT::DecodeError
-      raise Tokenable::Unauthorized
+    def jwt_expiry_time
+      Tokenable::Config.lifespan
     end
 
     def jwt_secret
-      Rails.application.secret_key_base
+      Tokenable::Config.secret
     end
   end
 end

lib/tokenable/config.rb

@@ -0,0 +1,28 @@
+module Tokenable
+  class Config
+    # How long should the token last before it expires?
+    # E.G: Tokenable::Config.lifespan = 7.days
+    mattr_accessor :lifespan, default: nil
+
+    # The secret used by JWT to encode the Token.
+    # We default to Rails secret_key_base
+    # This can be any 256 bit string.
+    mattr_writer :secret, default: -> { Rails.application.secret_key_base }
+
+    # The user model that we will perform actions on
+    mattr_writer :user_class, default: -> { User }
+
+    # We do this, as some of our defaults need to live in a Proc (as this library is loaded before Rails)
+    # This means we can return the value when the method is called, instead of the Proc.
+    def self.method_missing(method_name, *args, &block)
+      self.class_variable_defined?("@@#{method_name}") ? self.proc_reader(method_name) : super
+    end
+
+    private
+
+    def self.proc_reader(key)
+      value = self.class_variable_get("@@#{key}")
+      value.is_a?(Proc) ? value.call : value
+    end
+  end
+end

lib/tokenable/controllers/tokens_controller.rb

@@ -5,11 +5,17 @@ class TokensController < ::ActionController::API
     include Authable
 
     def create
-      user_id, = User.from_params(params)
-      raise Tokenable::Unauthorized unless user_id
+      user = User.from_tokenable_params(params)
+      raise Tokenable::Unauthorized unless user
 
-      token = token_from_user(user_id)
-      render json: { data: token }, status: 201
+      response = {
+        data: {
+          token: token_from_user(user),
+          user_id: user.id
+        }
+      }
+
+      render json: response, status: 201
     end
   end
 end

lib/tokenable/strategies/devise.rb

@@ -6,16 +6,15 @@ module Devise
       extend ActiveSupport::Concern
 
       class_methods do
-        # @return [string, nil] Returns user_id + revocation key (not used yet)
-        def from_params(params)
+        def from_tokenable_params(params)
           email, password = parse_auth_params(params)
 
           user = User.find_by(email: email)
           return nil unless user
 
           return nil unless user.valid_password?(password)
 
-          [user.id, nil]
+          user
         end
 
         private

lib/tokenable/strategies/secure_password.rb

@@ -6,16 +6,15 @@ module SecurePassword
       extend ActiveSupport::Concern
 
       class_methods do
-        # @return [string, nil] Returns user_id + revocation key (not used yet)
-        def from_params(params)
+        def from_tokenable_params(params)
           email, password = parse_auth_params(params)
 
-          user = User.select(:id, :password_digest).find_by(email: email)
+          user = User.find_by(email: email)
           return nil unless user
 
           return nil unless user.authenticate(password)
 
-          [user.id, nil]
+          user
         end
 
         private

lib/tokenable/verifier.rb

@@ -0,0 +1,30 @@
+module Tokenable
+  module Verifier
+    extend ActiveSupport::Concern
+
+    def valid_verifier?(verifier)
+      raise Tokenable::Unauthorized.new("#{verifier_key} field is missing") unless self.has_attribute?(verifier_key)
+
+      current_verifier == verifier
+    end
+
+    def current_verifier
+      read_attribute(verifier_key) || issue_verifier!
+    end
+
+    def invalidate_tokens!
+      issue_verifier!
+    end
+
+    def issue_verifier!
+      self.update!(verifier_key => SecureRandom.uuid)
+      read_attribute(verifier_key)
+    end
+
+    private
+
+    def verifier_key
+      :tokenable_verifier
+    end
+  end
+end