Module: LcpRuby::Authentication

Defined in:
lib/lcp_ruby/authentication.rb,
lib/lcp_ruby/authentication/errors.rb,
lib/lcp_ruby/authentication/provider.rb,
lib/lcp_ruby/authentication/jwks_cache.rb,
lib/lcp_ruby/authentication/role_mapper.rb,
lib/lcp_ruby/authentication/devise_setup.rb,
lib/lcp_ruby/authentication/http_fetcher.rb,
lib/lcp_ruby/authentication/test_support.rb,
lib/lcp_ruby/authentication/user_resolver.rb,
lib/lcp_ruby/authentication/audit_subscriber.rb,
lib/lcp_ruby/authentication/omniauth_builder.rb,
lib/lcp_ruby/authentication/provider_registry.rb,
lib/lcp_ruby/authentication/bearer_jwt_verifier.rb,
lib/lcp_ruby/authentication/oidc_bearer_resolver.rb

Defined Under Namespace

Modules: AuditSubscriber, BearerJwtVerifier, HttpFetcher, JwksCache, OidcBearerResolver, TestSupport
Classes: ConfigurationError, HostRejected, InvalidClaims, NoRoleMatch, OmniAuthBuilder, Provider, ProviderRegistry, RoleMapper, UnknownProvider, UserResolver

Class Method Summary

Class Method Details

.built_in? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/lcp_ruby/authentication.rb', line 16

# Whether the host application configured the engine's own (Devise-backed)
# authentication.
#
# @return [Boolean] true only when +LcpRuby.configuration.authentication+ is +:built_in+
def built_in?
  mode = LcpRuby.configuration.authentication
  mode == :built_in
end

.external? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/lcp_ruby/authentication.rb', line 24

# Whether authentication is delegated entirely to something outside the
# engine (mode +:external+).
#
# @return [Boolean] true only when the configured mode is +:external+
def external?
  LcpRuby.configuration.authentication.then { |mode| mode == :external }
end

.none? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/lcp_ruby/authentication.rb', line 20

# Whether authentication is switched off altogether (mode +:none+).
#
# @return [Boolean] true only when the configured mode is +:none+
def none?
  case LcpRuby.configuration.authentication
  when :none then true
  else false
  end
end

.oidc? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/lcp_ruby/authentication.rb', line 28

# Whether users sign in through an OpenID Connect provider (mode +:oidc+).
#
# @return [Boolean] true only when the configured mode is +:oidc+
def oidc?
  mode = LcpRuby.configuration.authentication
  mode == :oidc
end

.session_based? ⇒ Boolean

True when authentication uses Warden/Devise — i.e. when the engine should wire up Devise routes and a sign_in/sign_out flow. OIDC also requires Warden because session creation goes through it.

Returns:

  • (Boolean)


# File 'lib/lcp_ruby/authentication.rb', line 35

# Whether a Warden/Devise session is involved at all: true for the engine's
# own +:built_in+ flow and for +:oidc+ (which still creates its session through
# Warden), false for +:external+ and +:none+.
#
# @return [Boolean]
def session_based?
  case LcpRuby.configuration.authentication
  when :built_in, :oidc then true
  else false
  end
end

.setup_devise! ⇒ Object

Configures Devise when the authentication mode is :built_in. Called from the engine initializer before Devise loads its own routes.



# File 'lib/lcp_ruby/authentication/devise_setup.rb', line 8

# Applies the host application's +LcpRuby.configuration+ to Devise: mailer
# sender, password policy, session timeout, lockout, sign-out verbs, hashing
# work factor and Turbo-friendly responder statuses, then loads the
# ActiveRecord ORM adapter. Meant to run once, from the engine initializer,
# when the authentication mode is :built_in.
#
# @return [Object] whatever +Devise.setup+ returns; presumably not meaningful to callers
def setup_devise!
  require "devise"

  # Every tunable below is read from the host app's configuration object.
  config = LcpRuby.configuration

  Devise.setup do |devise|
    devise.mailer_sender = config.auth_mailer_sender

    # Password settings
    # Lower bound is host-configurable; the 128 upper bound is fixed here so a
    # very long submitted password cannot drive unbounded hashing work
    # (presumably bcrypt, given +stretches+ below — confirm).
    devise.password_length = config.auth_password_min_length..128
    # Anchored with \A/\z rather than ^/$ so a value containing a newline
    # cannot pass as a single valid address.
    devise.email_regexp = /\A[^@\s]+@[^@\s]+\z/

    # Session timeout (nil = no timeout)
    # NOTE(review): when auth_session_timeout is nil this leaves Devise's own
    # timeout_in default untouched; confirm that default really means "no
    # timeout" before relying on the comment above.
    devise.timeout_in = config.auth_session_timeout if config.auth_session_timeout

    # Lockable settings
    # Only enabled when a positive attempt count is configured; otherwise
    # Devise's lockable defaults are left in place.
    if config.auth_lock_after_attempts && config.auth_lock_after_attempts > 0
      devise.lock_strategy = :failed_attempts
      # :both — unlock via the e-mailed token or after unlock_in elapses.
      devise.unlock_strategy = :both
      devise.maximum_attempts = config.auth_lock_after_attempts
      # Falls back to 30 minutes when no duration is configured.
      devise.unlock_in = config.auth_lock_duration || 30.minutes
    end

    # Security
    # GET in addition to DELETE so plain `<a href="/auth/logout">` and bookmarks don't silently no-op.
    # NOTE(review): Rails' CSRF protection does not cover GET, so with :get
    # enabled a third-party page can end a user's session by loading the
    # logout URL (forced logout). Accepted trade-off here for usability;
    # revisit if involuntary sign-out is a concern for this deployment.
    devise.sign_out_via = [ :get, :delete ]
    # Trim surrounding whitespace from the submitted e-mail before lookup.
    devise.strip_whitespace_keys = [ :email ]
    # Hashing work factor: 1 keeps the test suite fast; 12 everywhere else
    # (including development).
    devise.stretches = Rails.env.test? ? 1 : 12

    # Turbo-compatible HTTP status codes
    # 422 on validation errors and 303 on redirects so Turbo re-renders the
    # form / follows the redirect instead of ignoring the response.
    devise.responder.error_status = :unprocessable_content
    devise.responder.redirect_status = :see_other

    # ORM
    # Loaded inside the setup block, after the settings above.
    require "devise/orm/active_record"
  end
end