# frozen_string_literal: true module HTTPX module Plugins # # https://gitlab.com/os85/httpx/wikis/OAuth # module OAuth class << self def load_dependencies(_klass) require_relative "auth/basic" end end SUPPORTED_GRANT_TYPES = %w[client_credentials refresh_token].freeze SUPPORTED_AUTH_METHODS = %w[client_secret_basic client_secret_post].freeze class OAuthSession attr_reader :token_endpoint_auth_method, :grant_type, :client_id, :client_secret, :access_token, :refresh_token, :scope def initialize( issuer:, client_id:, client_secret:, access_token: nil, refresh_token: nil, scope: nil, token_endpoint: nil, response_type: nil, grant_type: nil, token_endpoint_auth_method: "client_secret_basic" ) @issuer = URI(issuer) @client_id = client_id @client_secret = client_secret @token_endpoint = URI(token_endpoint) if token_endpoint @response_type = response_type @scope = case scope when String scope.split when Array scope end @access_token = access_token @refresh_token = refresh_token @token_endpoint_auth_method = String(token_endpoint_auth_method) @grant_type = grant_type || (@refresh_token ? "refresh_token" : "client_credentials") unless SUPPORTED_AUTH_METHODS.include?(@token_endpoint_auth_method) raise Error, "#{@token_endpoint_auth_method} is not a supported auth method" end return if SUPPORTED_GRANT_TYPES.include?(@grant_type) raise Error, "#{@grant_type} is not a supported grant type" end def token_endpoint @token_endpoint || "#{@issuer}/token" end def load(http) return unless @token_endpoint && @token_endpoint_auth_method && @grant_type && @scope metadata = http.get("#{issuer}/.well-known/oauth-authorization-server").raise_for_status.json @token_endpoint = metadata["token_endpoint"] @scope = metadata["scopes_supported"] @grant_type = Array(metadata["grant_types_supported"]).find { |gr| SUPPORTED_GRANT_TYPES.include?(gr) } @token_endpoint_auth_method = Array(metadata["token_endpoint_auth_methods_supported"]).find do |am| SUPPORTED_AUTH_METHODS.include?(am) end end def merge(other) obj = dup case other when OAuthSession other.instance_variables.each do |ivar| val = other.instance_variable_get(ivar) next unless val obj.instance_variable_set(ivar, val) end when Hash other.each do |k, v| obj.instance_variable_set(:"@#{k}", v) if obj.instance_variable_defined?(:"@#{k}") end end obj end end module OptionsMethods def option_oauth_session(value) case value when Hash OAuthSession.new(**value) when OAuthSession value else raise TypeError, ":oauth_session must be a #{OAuthSession}" end end end module InstanceMethods def oauth_auth(**args) with(oauth_session: OAuthSession.new(**args)) end def with_access_token oauth_session = @options.oauth_session oauth_session.load(self) grant_type = oauth_session.grant_type headers = {} form_post = { "grant_type" => grant_type, "scope" => Array(oauth_session.scope).join(" ") }.compact # auth case oauth_session.token_endpoint_auth_method when "client_secret_basic" headers["authorization"] = Authentication::Basic.new(oauth_session.client_id, oauth_session.client_secret).authenticate when "client_secret_post" form_post["client_id"] = oauth_session.client_id form_post["client_secret"] = oauth_session.client_secret end case grant_type when "client_credentials" # do nothing when "refresh_token" form_post["refresh_token"] = oauth_session.refresh_token end token_request = build_request("POST", oauth_session.token_endpoint, headers: headers, form: form_post) token_request.headers.delete("authorization") unless oauth_session.token_endpoint_auth_method == "client_secret_basic" token_response = request(token_request) token_response.raise_for_status payload = token_response.json access_token = payload["access_token"] refresh_token = payload["refresh_token"] with(oauth_session: oauth_session.merge(access_token: access_token, refresh_token: refresh_token)) end def build_request(*, _) request = super return request if request.headers.key?("authorization") oauth_session = @options.oauth_session return request unless oauth_session && oauth_session.access_token request.headers["authorization"] = "Bearer #{oauth_session.access_token}" request end end end register_plugin :oauth, OAuth end end