Class: Passage::Auth
- Inherits:
-
Object
- Object
- Passage::Auth
- Defined in:
- lib/passageidentity/auth.rb
Constant Summary collapse
- @@app_cache =
{}
Instance Method Summary collapse
- #authenticate_request(request) ⇒ Object
- #authenticate_token(token) ⇒ Object
- #fetch_app ⇒ Object
- #fetch_jwks ⇒ Object
-
#initialize(app_id, auth_strategy, connection) ⇒ Auth
constructor
A new instance of Auth.
Constructor Details
#initialize(app_id, auth_strategy, connection) ⇒ Auth
Returns a new instance of Auth.
9 10 11 12 13 14 15 |
# File 'lib/passageidentity/auth.rb', line 9 def initialize(app_id, auth_strategy, connection) @app_id = app_id @auth_strategy = auth_strategy @connection = connection fetch_jwks end |
Instance Method Details
#authenticate_request(request) ⇒ Object
54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 |
# File 'lib/passageidentity/auth.rb', line 54 def authenticate_request(request) # Get the token based on the strategy if @auth_strategy === Passage::COOKIE_STRATEGY unless request.["psg_auth_token"].present? raise PassageError.new( message: `missing authentication token: expected "psg_auth_token" cookie` ) end @token = request.["psg_auth_token"] else headers = request.headers unless headers["Authorization"].present? raise PassageError.new(message: "no authentication token in header") end @token = headers["Authorization"].split(" ").last end # authenticate the token if @token return authenticate_token(@token) else raise PassageError.new(message: "no authentication token") end nil end |
#authenticate_token(token) ⇒ Object
81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 |
# File 'lib/passageidentity/auth.rb', line 81 def authenticate_token(token) kid = JWT.decode(token, nil, false)[1]["kid"] exists = false for jwk in @jwks["keys"] if jwk["kid"] == kid exists = true break end end fetch_jwks unless exists begin claims = JWT.decode( token, nil, true, { aud: @auth_origin, verify_aud: true, algorithms: ["RS256"], jwks: @jwks } ) return claims[0]["sub"] rescue JWT::InvalidIssuerError => e raise PassageError.new(message: e.) rescue JWT::InvalidAudError => e raise PassageError.new(e.) rescue JWT::ExpiredSignature => e raise PassageError.new(e.) rescue JWT::IncorrectAlgorithm => e raise PassageError.new(e.) rescue JWT::DecodeError => e raise PassageError.new(e.) end end |
#fetch_app ⇒ Object
17 18 19 20 21 22 23 24 25 26 27 28 |
# File 'lib/passageidentity/auth.rb', line 17 def fetch_app() begin response = @connection.get("/v1/apps/#{@app_id}") return response.body["app"] rescue Faraday::Error => e raise PassageError.new( message: "failed to fetch passage app", status_code: e.response[:status], body: e.response[:body] ) end end |
#fetch_jwks ⇒ Object
30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 |
# File 'lib/passageidentity/auth.rb', line 30 def fetch_jwks() if @@app_cache[@app_id] @jwks, @auth_origin = @@app_cache[@app_id] else app = fetch_app auth_gw_connection = Faraday.new(url: "https://auth.passage.id") do |f| f.request :json f.request :retry f.response :raise_error f.response :json f.adapter :net_http end # fetch the public key if not in cache app = fetch_app @auth_origin = app["auth_origin"] response = auth_gw_connection.get("/v1/apps/#{@app_id}/.well-known/jwks.json") @jwks = response.body @@app_cache[@app_id] ||= [@jwks, @auth_origin] end end |