Class: KindeSdk::AuthController

Inherits:
ActionController::Base
  • Object
show all
Includes:
AuthHelper
Defined in:
app/controllers/kinde_sdk/auth_controller.rb

Overview

AuthController handles all authentication-related actions for the Kinde SDK including OAuth2 flows, token management, and session handling

Instance Method Summary collapse

Methods included from AuthHelper

#get_client, #logged_in?, #refresh_session_tokens, #session_present_in?, #set_session_tokens, #token_expired?

Instance Method Details

#authvoid

This method returns an undefined value.

Initiates the OAuth2 authorization flow Generates a secure nonce and redirects to Kinde's authorization endpoint



20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# File 'app/controllers/kinde_sdk/auth_controller.rb', line 20

def auth
  # Generate a secure random nonce for CSRF protection
  nonce = SecureRandom.urlsafe_base64(16)

  # Get authorization URL and PKCE code verifier from SDK
  auth_params = { nonce: nonce }

  # Check for invitation_code in query parameters
  # Validate to prevent injection and ensure it's a reasonable length
  if params[:invitation_code].is_a?(String) && params[:invitation_code].strip.length > 0 && params[:invitation_code].length <= 255
    auth_params[:invitation_code] = params[:invitation_code].strip
  end

  auth_data = KindeSdk.auth_url(**auth_params)
  
  # Store PKCE code verifier and nonce in session for validation
  session[:code_verifier] = auth_data[:code_verifier] if auth_data[:code_verifier].present?
  session[:auth_nonce] = nonce
  session[:auth_state] = {
    requested_at: Time.current.to_i,
    redirect_url: auth_data[:url],
    # Only allow reauth-leniency when reauth_state was provided
    supports_reauth: params[:reauth_state].present?
  }
  
  redirect_to auth_data[:url], allow_other_host: true
rescue StandardError => e
  handle_error("Auth initialization failed", e)
end

#callbackvoid

This method returns an undefined value.

Handles the OAuth2 callback from Kinde Validates the response, exchanges code for tokens, and sets up the session



53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
# File 'app/controllers/kinde_sdk/auth_controller.rb', line 53

def callback
  # Handle reauth errors first
  if handle_reauth_error
    return
  end

  tokens = fetch_and_validate_tokens
  return if performed?

  # Store tokens and user information in session
  set_session_tokens(tokens)
  
  # Clean up temporary auth session data
  clear_auth_session
  
  redirect_to "/"
rescue StandardError => e
  handle_error("Authentication callback failed", e)
end

#client_credentials_authvoid

This method returns an undefined value.

Handles machine-to-machine (M2M) authentication using client credentials Stores the access token in Redis for subsequent API calls



76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
# File 'app/controllers/kinde_sdk/auth_controller.rb', line 76

def client_credentials_auth
  result = KindeSdk.client_credentials_access(
    client_id: ENV["KINDE_MANAGEMENT_CLIENT_ID"],
    client_secret: ENV["KINDE_MANAGEMENT_CLIENT_SECRET"]
  )
  
  if result["error"].present?
    raise result["error"]
  end
  
  # Store M2M token in Redis with expiration
  $redis.set("kinde_m2m_token", result["access_token"], ex: result["expires_in"].to_i)
  redirect_to mgmt_path
rescue StandardError => e
  handle_error("Client credentials authentication failed", e)
end

#logoutvoid

This method returns an undefined value.

Initiates the logout process by redirecting to Kinde's logout endpoint



109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
# File 'app/controllers/kinde_sdk/auth_controller.rb', line 109

def logout
  # Ensure we have a valid logout URL configured
  unless KindeSdk.config.logout_url.present?
    redirect_with_error("Logout URL not configured")
    return
  end

  # Get the logout URL with our callback URL
  logout_url = KindeSdk.logout_url(
    logout_url: KindeSdk.config.logout_url,
    domain: KindeSdk.config.domain
  )

  # Clear local session before redirecting to Kinde
  session.delete(:kinde_token_store)
  session.delete(:kinde_user)
  clear_auth_session

  # Redirect to Kinde's logout endpoint
  redirect_to logout_url, allow_other_host: true
rescue StandardError => e
  handle_error("Logout initialization failed", e)
end

#logout_callbackvoid

This method returns an undefined value.

Handles the callback after successful logout



135
136
137
138
139
# File 'app/controllers/kinde_sdk/auth_controller.rb', line 135

def logout_callback
  # Session is already cleared in logout method
  # Just redirect to home page
  redirect_to "/"
end

#refresh_tokenvoid

This method returns an undefined value.

Refreshes the access token using the refresh token



95
96
97
98
99
100
101
102
103
104
105
# File 'app/controllers/kinde_sdk/auth_controller.rb', line 95

def refresh_token
  return redirect_with_error("No valid session found") unless session[:kinde_token_store].present?

  if refresh_session_tokens
    redirect_to "/"
  else
    redirect_with_error("Failed to refresh token")
  end
rescue StandardError => e
  handle_error("Token refresh failed", e)
end