Class: Passage::Auth

Inherits:
Object
  • Object
show all
Defined in:
lib/passageidentity/auth.rb

Constant Summary collapse

@@app_cache = 
{}

Instance Method Summary collapse

Constructor Details

#initialize(app_id, auth_strategy, connection) ⇒ Auth

Returns a new instance of Auth.



9
10
11
12
13
14
15
 
# File 'lib/passageidentity/auth.rb', line 9

def initialize(app_id, auth_strategy, connection)
  @app_id = app_id
  @auth_strategy = auth_strategy
  @connection = connection

  fetch_jwks
end

Instance Method Details

#authenticate_request(request) ⇒ Object 



54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
 
# File 'lib/passageidentity/auth.rb', line 54

def authenticate_request(request)
  # Get the token based on the strategy
  if @auth_strategy === Passage::COOKIE_STRATEGY
    unless request.cookies["psg_auth_token"].present?
      raise PassageError.new(
              message:
                `missing authentication token: expected "psg_auth_token" cookie`
            )
    end
    @token = request.cookies["psg_auth_token"]
  else
    headers = request.headers
    unless headers["Authorization"].present?
      raise PassageError.new(message: "no authentication token in header")
    end
    @token = headers["Authorization"].split(" ").last
  end

  # authenticate the token
  if @token
    return authenticate_token(@token)
  else
    raise PassageError.new(message: "no authentication token")
  end
  nil
end

#authenticate_token(token) ⇒ Object 



81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
 
# File 'lib/passageidentity/auth.rb', line 81

def authenticate_token(token)
  kid = JWT.decode(token, nil, false)[1]["kid"]
  exists = false
  for jwk in @jwks["keys"]
    if jwk["kid"] == kid
      exists = true
      break
    end
  end
  fetch_jwks unless exists
  begin
    claims =
      JWT.decode(
        token,
        nil,
        true,
        {
          aud: @auth_origin,
          verify_aud: true,
          algorithms: ["RS256"],
          jwks: @jwks
        }
      )
    return claims[0]["sub"]
  rescue JWT::InvalidIssuerError => e
    raise PassageError.new(message: e.message)
  rescue JWT::InvalidAudError => e
    raise PassageError.new(e.message)
  rescue JWT::ExpiredSignature => e
    raise PassageError.new(e.message)
  rescue JWT::IncorrectAlgorithm => e
    raise PassageError.new(e.message)
  rescue JWT::DecodeError => e
    raise PassageError.new(e.message)
  end
end

#fetch_appObject 



17
18
19
20
21
22
23
24
25
26
27
28
 
# File 'lib/passageidentity/auth.rb', line 17

def fetch_app()
  begin
    response = @connection.get("/v1/apps/#{@app_id}")
    return response.body["app"]
  rescue Faraday::Error => e
    raise PassageError.new(
            message: "failed to fetch passage app",
            status_code: e.response[:status],
            body: e.response[:body]
          )
  end
end

#fetch_jwksObject 



30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
 
# File 'lib/passageidentity/auth.rb', line 30

def fetch_jwks()
  if @@app_cache[@app_id]
    @jwks, @auth_origin = @@app_cache[@app_id]
  else
    app = fetch_app
    auth_gw_connection =
      Faraday.new(url: "https://auth.passage.id") do |f|
        f.request :json
        f.request :retry
        f.response :raise_error
        f.response :json
        f.adapter :net_http
      end

    # fetch the public key if not in cache
    app = fetch_app
    @auth_origin = app["auth_origin"]
    response =
      auth_gw_connection.get("/v1/apps/#{@app_id}/.well-known/jwks.json")
    @jwks = response.body
    @@app_cache[@app_id] ||= [@jwks, @auth_origin]
  end
end