Class: Shakha::AuthController

Inherits:

ApplicationController

• Object
• ActionController::Base
• ApplicationController
• Shakha::AuthController

Includes:

PKCEMixin

Defined in:

app/controllers/shakha/auth_controller.rb

Constant Summary

Constants included from PKCEMixin

PKCEMixin::CODE_CHALLENGE_METHOD, PKCEMixin::CODE_VERIFIER_LENGTH, PKCEMixin::PKCE_COOKIE_EXPIRY_SECONDS, PKCEMixin::PKCE_COOKIE_NAME

Instance Method Summary

• #authorize ⇒ Object
• #callback ⇒ Object
• #error ⇒ Object
• #new ⇒ Object
• #token ⇒ Object

Methods included from PKCEMixin

generate_code_challenge, generate_code_verifier

Instance Method Details

#authorize ⇒ Object

# File 'app/controllers/shakha/auth_controller.rb', line 17

def authorize
  params[:return_to] = sanitize_return_to(params[:return_to])
  pkce = create_pkce_bundle
  @client = find_or_create_client

  google_auth_url = build_google_auth_url(pkce)

  redirect_to google_auth_url, allow_other_host: true
end

#callback ⇒ Object

# File 'app/controllers/shakha/auth_controller.rb', line 27

def callback
  pkce_result = verify_pkce!(params[:code], params[:state])
  exchange_code_for_tokens(params[:code], pkce_result[:verifier], pkce_result[:return_to])
rescue PKCEError, GoogleOAuthError => e
  ActiveSupport::Notifications.instrument("shakha.sign_in_failed", {
    reason: e.class.name,
    ip: request.remote_ip
  })
  Rails.logger.warn("[Shakha] Auth error: #{e.class}: #{e.message}")
  redirect_to "/auth/shakha/error?message=#{URI.encode_www_form_component(user_facing_error(e))}"
end

#error ⇒ Object

# File 'app/controllers/shakha/auth_controller.rb', line 57

def error
  @message = params[:message] || "Authentication failed"
end

#new ⇒ Object

# File 'app/controllers/shakha/auth_controller.rb', line 12

def new
  @client = find_or_create_client
  @return_to = sanitize_return_to(params[:return_to])
end

#token ⇒ Object

# File 'app/controllers/shakha/auth_controller.rb', line 39

def token
  code = params[:code]
  verifier = params[:code_verifier]

  raise PKCEError, "Missing code" unless code
  raise PKCEError, "Missing code_verifier" unless verifier

  id_token = exchange_code_for_id_token(code, verifier)

  render json: {
    id_token: id_token,
    pairwise_sub: id_token_payload(id_token)[:sub],
    expires_in: 24.hours.to_i
  }
rescue PKCEError, JWTError, GoogleOAuthError => e
  render json: { error: e.message }, status: :unauthorized
end