Module: Henlo::Authenticable

Defined in:
lib/henlo/authenticable.rb

Overview

Module

Class Method Summary collapse

Class Method Details

.it_expired(reauthenticate_strategy, token, model) ⇒ Object

This method is to be called before ‘it_me?` is called, so that expired tokens are treated before the authentication begins. Requests made with expired id tokens are rejected with an error. Requests made with expired refresh tokens are then processed with “reauthentication_strategy. This method is passed as an argument to `it_expired` by the app. You can define how users are reauthenticated in your own app.



80
81
82
83
84
85
86
87
88
89
 
# File 'lib/henlo/authenticable.rb', line 80

def self.it_expired(reauthenticate_strategy, token, model)
  token = Knock::AuthToken.new(token: token, verify_options: {verify_expiration: false}).token
  claim = Knock::AuthToken.new(token: token, verify_options: {verify_expiration: false}).payload
  resource = parse_resource(claim, model)
  if claim["type"] == "id"
    raise ActionController::InvalidAuthenticityToken 
  else 
    reauthenticate_strategy
  end    
end

.it_me?(token, model) ⇒ Boolean

Authenticates resource by first determining the treatment based on the type of token. Requests with valid id tokens will be processed. Requests with refresh tokens will be checked for 1) whether the resource has been flagged for blacklist check and if yes, 2) whether the token’s jwt identifier has been flaglisted. If neither 1) nor 2) is established, the token will be checked for a match of the jwt identifier The resource is returned if all these checks are passed.

Returns:

  • (Boolean) 


51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
 
# File 'lib/henlo/authenticable.rb', line 51

def self.it_me?(token, model)
  type = parse_token_type(token)
  payload = Knock::AuthToken.new(token: token).payload
  resource = parse_resource(payload, model)
  case type 
  when "id"
    resource
  when "refresh"
    if it_suspicious?(resource) && it_not_fren?(resource)
      nil
    else 
      if jti_match?(payload, resource)
        resource
      else 
        Henlo::Revocable.token_blockt(payload, resource)
        nil 
      end       
    end 
  else 
    nil 
  end 
end

.it_not_fren?(resource) ⇒ Boolean

Check the blacklisted tokens table to see whether the token’s jwt identifier has been blacklisted

Returns:

  • (Boolean) 


30
31
32
 
# File 'lib/henlo/authenticable.rb', line 30

def self.it_not_fren?(resource)
  BlacklistedToken.where(token_jti: resource.refresh_token_jti).first
end

.it_suspicious?(resource) ⇒ Boolean

Check the resource to see if it has been flagged for blacklist check

Returns:

  • (Boolean) 


23
24
25
 
# File 'lib/henlo/authenticable.rb', line 23

def self.it_suspicious?(resource)
  resource.blacklist_check?    
end

.jti_match?(payload, resource) ⇒ Boolean

Match the token jwt identifier with what is stored in the database for the resource, a lack of match indicates suspicious activities

Returns:

  • (Boolean) 


17
18
19
 
# File 'lib/henlo/authenticable.rb', line 17

def self.jti_match?(payload, resource)
  payload["jti"] === resource.refresh_token_jti
end

.parse_resource(payload, model) ⇒ Object

Parse the resource as identified by the id encoded in the jwt with the key “sub”



36
37
38
39
40
41
42
 
# File 'lib/henlo/authenticable.rb', line 36

def self.parse_resource(payload, model)
  resource = model.capitalize.constantize.where(id: payload["sub"]).first
  if resource.nil? 
    raise ActiveRecord::RecordNotFound
  end
  resource
end

.parse_token_type(token, options = {}) ⇒ Object

Retrieve the token type from the jwt payload



9
10
11
12
 
# File 'lib/henlo/authenticable.rb', line 9

def self.parse_token_type(token, options={})
  claim = Knock::AuthToken.new(token: token, verify_options: options).payload
  claim["type"]
end