Class: Himari::RefreshToken

Inherits:

Object

• Object
• Himari::RefreshToken

Includes:

TokenString

Defined in:

lib/himari/refresh_token.rb

Instance Attribute Summary

• #claims ⇒ Object readonly

  Returns the value of attribute claims.

• #client_id ⇒ Object readonly

  Returns the value of attribute client_id.

• #expiry ⇒ Object readonly

  Returns the value of attribute expiry.

• #handle ⇒ Object readonly

  Returns the value of attribute handle.

• #openid ⇒ Object readonly

  Returns the value of attribute openid.

• #scopes ⇒ Object readonly

  Returns the value of attribute scopes.

• #session_handle ⇒ Object readonly

  Returns the value of attribute session_handle.

• #updated_at ⇒ Object readonly

  Returns the value of attribute updated_at.

• #version ⇒ Object readonly

  Returns the value of attribute version.

Attributes included from TokenString

#verification

Class Method Summary

• .default_lifetime ⇒ Object
• .magic_header ⇒ Object

Instance Method Summary

• #as_json ⇒ Object
• #as_log ⇒ Object
• #initialize(handle:, client_id:, claims:, session_handle:, expiry:, openid: false, scopes: [], secret: nil, secret_hash: nil, secret_hash_prev: nil, version: 1, updated_at: nil) ⇒ RefreshToken constructor

  A new instance of RefreshToken.

• #rotate(claims:, openid:, now: Time.now) ⇒ Object

  Rotate the token in place (same handle): mint a new current secret while keeping the just-presented secret valid as the previous one, so a client whose rotation response is lost can retry with the secret it still holds.

Methods included from TokenString

#format, hash_secret, included, #magic_header, #secret, #secret_hash, #secret_hash_prev, #verify!, #verify_expiry!, #verify_secret!

Constructor Details

#initialize(handle:, client_id:, claims:, session_handle:, expiry:, openid: false, scopes: [], secret: nil, secret_hash: nil, secret_hash_prev: nil, version: 1, updated_at: nil) ⇒ RefreshToken

Returns a new instance of RefreshToken.

# File 'lib/himari/refresh_token.rb', line 18

def initialize(handle:, client_id:, claims:, session_handle:, expiry:, openid: false, scopes: [], secret: nil, secret_hash: nil, secret_hash_prev: nil, version: 1, updated_at: nil)
  @handle = handle
  @client_id = client_id
  @claims = claims
  @session_handle = session_handle
  @openid = openid
  @scopes = scopes
  @expiry = expiry

  @secret = secret
  @secret_hash = secret_hash
  @secret_hash_prev = secret_hash_prev
  @version = version
  @updated_at = updated_at || Time.now.to_i
  @verification = nil
end

Instance Attribute Details

#claims ⇒ Object (readonly)

Returns the value of attribute claims.

# File 'lib/himari/refresh_token.rb', line 35

def claims
  @claims
end

#client_id ⇒ Object (readonly)

Returns the value of attribute client_id.

# File 'lib/himari/refresh_token.rb', line 35

def client_id
  @client_id
end

#expiry ⇒ Object (readonly)

Returns the value of attribute expiry.

# File 'lib/himari/refresh_token.rb', line 35

def expiry
  @expiry
end

#handle ⇒ Object (readonly)

Returns the value of attribute handle.

# File 'lib/himari/refresh_token.rb', line 35

def handle
  @handle
end

#openid ⇒ Object (readonly)

Returns the value of attribute openid.

# File 'lib/himari/refresh_token.rb', line 35

def openid
  @openid
end

#scopes ⇒ Object (readonly)

Returns the value of attribute scopes.

# File 'lib/himari/refresh_token.rb', line 35

def scopes
  @scopes
end

#session_handle ⇒ Object (readonly)

Returns the value of attribute session_handle.

# File 'lib/himari/refresh_token.rb', line 35

def session_handle
  @session_handle
end

#updated_at ⇒ Object (readonly)

Returns the value of attribute updated_at.

# File 'lib/himari/refresh_token.rb', line 35

def updated_at
  @updated_at
end

#version ⇒ Object (readonly)

Returns the value of attribute version.

# File 'lib/himari/refresh_token.rb', line 35

def version
  @version
end

Class Method Details

.default_lifetime ⇒ Object

Raises:

• (ArgumentError)

# File 'lib/himari/refresh_token.rb', line 14

def self.default_lifetime
  raise ArgumentError, "RefreshToken requires an explicit lifetime:"
end

.magic_header ⇒ Object

# File 'lib/himari/refresh_token.rb', line 10

def self.magic_header
  'hmrt'
end

Instance Method Details

#as_json ⇒ Object

# File 'lib/himari/refresh_token.rb', line 77

def as_json
  {
    handle: handle,
    secret_hash: secret_hash,
    secret_hash_prev: secret_hash_prev,
    client_id: client_id,
    claims: claims,
    session_handle: session_handle,
    openid: openid,
    scopes: scopes,
    expiry: expiry.to_i,
    version: version,
    updated_at: updated_at.to_i,
  }
end

#as_log ⇒ Object

# File 'lib/himari/refresh_token.rb', line 62

def as_log
  {
    handle: handle,
    client_id: client_id,
    claims: claims,
    session_handle: session_handle,
    openid: openid,
    scopes: scopes,
    expiry: expiry,
    version: version,
    updated_at: updated_at,
    prev_secret_set: !secret_hash_prev.nil?,
  }
end

#rotate(claims:, openid:, now: Time.now) ⇒ Object

Rotate the token in place (same handle): mint a new current secret while keeping the just-presented secret valid as the previous one, so a client whose rotation response is lost can retry with the secret it still holds. The secret to keep is the hash verify! matched (TokenString#verification) — whichever slot the client used; rotate is therefore only valid after a successful verify!. version is bumped so a concurrent refresh against the version we read fails the conditional update. expiry is preserved: the initial lifetime is an absolute cap on the rotation chain, not slid forward on each refresh.

Raises:

• (TokenString::SecretMissing)

# File 'lib/himari/refresh_token.rb', line 44

def rotate(claims:, openid:, now: Time.now)
  raise TokenString::SecretMissing, "rotate requires a verified secret; call verify! first" unless verification

  self.class.new(
    handle:,
    client_id:,
    session_handle:,
    claims:,
    openid:,
    scopes:,
    secret: SecureRandom.urlsafe_base64(48),
    secret_hash_prev: verification.secret_hash,
    version: version + 1,
    updated_at: now.to_i,
    expiry:,
  )
end