Module: Tina4::Auth

Defined in:

lib/tina4/auth.rb

Constant Summary

KEYS_DIR =

".keys"

BLANK_SECRET_WARNING =

Single source of truth for the blank-secret warning, emitted identically from both the CI/prod boot path (ensure_dev_secret) and the lazy per-call resolver (hmac_secret). Actionable: names exactly what to set.

"Auth: TINA4_SECRET is not set — JWT signing is insecure. Set TINA4_SECRET " \
"to a random value (e.g. `openssl rand -hex 32`) in your environment or " \
".env before serving traffic. " \
"For LOCAL DEV, set TINA4_DEBUG=true and a per-machine secret is generated " \
"automatically into .env.local (gitignored). Seeing this warning means the " \
"run was NOT detected as dev - typically a container or CI without " \
"TINA4_DEBUG set, or TINA4_ENV=production."

Class Method Summary

• .auth_handler(&block) ⇒ Object
• .authenticate_request(headers, secret: nil, algorithm: "HS256") ⇒ Object
• .base64url_decode(str) ⇒ Object

  Base64url-decode (handles missing padding).

• .base64url_encode(data) ⇒ Object

  Base64url-encode without padding (JWT spec).

• .bearer_auth ⇒ Object
• .check_password(password, hash) ⇒ Object
• .default_secure_auth ⇒ Object

  Default auth handler for secured routes (POST/PUT/PATCH/DELETE) Used automatically unless auth: false is passed.

• .ensure_dev_secret(root_dir = Dir.pwd) ⇒ Object

  Boot-time bootstrap (run once after env load, before auth is used).

• .get_payload(token) ⇒ Object
• .get_token(payload, expires_in: 60, secret: nil) ⇒ Object (also: create_token)

  ── Token API (auto-selects HS256 or RS256) ─────────────────.

• .hash_password(password, salt = nil, iterations = 260000) ⇒ Object
• .hmac_decode(token, secret) ⇒ Object

  Decode and verify a JWT signed with HS256.

• .hmac_encode(claims, secret) ⇒ Object

  Build a JWT using HS256 with Ruby’s OpenSSL::HMAC (no gem needed).

• .hmac_secret ⇒ Object

  Lazy per-call secret resolver.

• .private_key ⇒ Object
• .public_key ⇒ Object
• .refresh_token(token, expires_in: 60) ⇒ Object
• .setup(root_dir = Dir.pwd) ⇒ Object
• .use_hmac? ⇒ Boolean

  Returns true when SECRET env var is set and no RSA keys exist in .keys/.

• .valid_token(token) ⇒ Object

  Verify a JWT signature + expiry.

• .valid_token_detail(token) ⇒ Object (also: validate_token)
• .validate_api_key(provided, expected: nil) ⇒ Object

Class Method Details

.auth_handler(&block) ⇒ Object

# File 'lib/tina4/auth.rb', line 292

def auth_handler(&block)
  if block_given?
    @custom_handler = block
  else
    @custom_handler || method(:default_auth_handler)
  end
end

.authenticate_request(headers, secret: nil, algorithm: "HS256") ⇒ Object

# File 'lib/tina4/auth.rb', line 259

def authenticate_request(headers, secret: nil, algorithm: "HS256")
  auth_header = headers["HTTP_AUTHORIZATION"] || headers["Authorization"] || ""
  return nil unless auth_header =~ /\ABearer\s+(.+)\z/i

  token = Regexp.last_match(1)

  # API_KEY bypass — timing-safe comparison via validate_api_key
  # (OpenSSL.fixed_length_secure_compare). Parity with Python's
  # authenticate_request (validate_api_key), PHP (hash_equals) and
  # Node (timingSafeEqual). Never use a plain `==` here — that leaks the
  # key length/prefix through comparison timing.
  if validate_api_key(token)
    return { "api_key" => true }
  end

  # If a custom secret is provided, validate against it directly
  if secret
    payload = hmac_decode(token, secret)
    return payload ? payload : nil
  end

  valid_token(token) ? get_payload(token) : nil
end

.base64url_decode(str) ⇒ Object

Base64url-decode (handles missing padding)

# File 'lib/tina4/auth.rb', line 107

def base64url_decode(str)
  # Add back padding
  remainder = str.length % 4
  str += "=" * ((4 - remainder) % 4) if remainder != 0
  Base64.urlsafe_decode64(str)
end

.base64url_encode(data) ⇒ Object

Base64url-encode without padding (JWT spec)

# File 'lib/tina4/auth.rb', line 102

def base64url_encode(data)
  Base64.urlsafe_encode64(data, padding: false)
end

.bearer_auth ⇒ Object

# File 'lib/tina4/auth.rb', line 300

def bearer_auth
  lambda do |env|
    auth_header = env["HTTP_AUTHORIZATION"] || ""
    return false unless auth_header =~ /\ABearer\s+(.+)\z/i

    token = Regexp.last_match(1)

    # API_KEY bypass — timing-safe comparison via validate_api_key
    # (OpenSSL.fixed_length_secure_compare). Parity with Python's
    # authenticate_request (validate_api_key), PHP (hash_equals) and
    # Node (timingSafeEqual). Never use a plain `==` here — that leaks the
    # key length/prefix through comparison timing.
    if validate_api_key(token)
      env["tina4.auth"] = { "api_key" => true }
      return true
    end

    if valid_token(token)
      env["tina4.auth"] = get_payload(token)
      true
    else
      false
    end
  end
end

.check_password(password, hash) ⇒ Object

# File 'lib/tina4/auth.rb', line 225

def check_password(password, hash)
  parts = hash.split('$')
  return false unless parts.length == 4 && parts[0] == 'pbkdf2_sha256'
  iterations = parts[1].to_i
  salt = parts[2]
  expected = parts[3]
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations, length: 32, hash: "sha256")
  actual = dk.unpack1('H*')
  # Timing-safe comparison
  OpenSSL.fixed_length_secure_compare(actual, expected)
rescue
  false
end

.default_secure_auth ⇒ Object

Default auth handler for secured routes (POST/PUT/PATCH/DELETE) Used automatically unless auth: false is passed

# File 'lib/tina4/auth.rb', line 328

def default_secure_auth
  @default_secure_auth ||= bearer_auth
end

.ensure_dev_secret(root_dir = Dir.pwd) ⇒ Object

Boot-time bootstrap (run once after env load, before auth is used).

Mirrors the Python master’s tina4_python.auth.ensure_dev_secret:

- If TINA4_SECRET is already set → no-op (returns nil).
- Else if NOT dev, OR CI, OR production → emit the actionable
  blank-secret warning and return nil. NEVER generates or persists a
  secret in CI or production. (Hard security constraint.)
- Else (dev, not CI, not prod, blank secret) → mint a 32-byte
  (64 hex char) random secret, set it in the process env immediately,
  then APPEND it to <root_dir>/.env.local (gitignored, created if
  missing). On ANY write failure keep the in-memory secret and warn —
  never raise (boot must not crash).

‘root_dir` exists only so tests can target a temp dir without chdir; production callers pass nothing (defaults to Dir.pwd).

Returns the generated secret (String) when it mints one, else nil.

# File 'lib/tina4/auth.rb', line 48

def ensure_dev_secret(root_dir = Dir.pwd)
  existing = ENV["TINA4_SECRET"]
  return nil if existing && !existing.empty?

  unless dev? && !ci? && !production?
    warn_blank_secret
    return nil
  end

  new_secret = SecureRandom.hex(32) # 32 bytes -> 64 hex chars
  ENV["TINA4_SECRET"] = new_secret  # available for this run immediately

  begin
    local_path = File.join(root_dir, ".env.local")
    # If the file exists and does not end in a newline, prepend one so the
    # new key lands on its own line rather than gluing onto the last value.
    prefix = ""
    if File.exist?(local_path)
      content = File.read(local_path)
      prefix = "\n" if !content.empty? && !content.end_with?("\n")
    end
    File.open(local_path, "a") { |f| f.write("#{prefix}TINA4_SECRET=#{new_secret}\n") }
    log_info("Auth: generated a development secret, saved to .env.local (gitignored)")
  rescue StandardError => e
    # Keep the in-memory secret for this run; just warn. Never crash boot.
    log_warning("Auth: generated a development secret but could not write .env.local (#{e.message}); using it for this run only")
  end

  new_secret
end

.get_payload(token) ⇒ Object

# File 'lib/tina4/auth.rb', line 240

def get_payload(token)
  parts = token.split(".")
  return nil unless parts.length == 3

  payload_json = base64url_decode(parts[1])
  JSON.parse(payload_json)
rescue ArgumentError, JSON::ParserError
  nil
end

.get_token(payload, expires_in: 60, secret: nil) ⇒ Object Also known as: create_token

── Token API (auto-selects HS256 or RS256) ─────────────────

# File 'lib/tina4/auth.rb', line 158

def get_token(payload, expires_in: 60, secret: nil)
  now = Time.now.to_i
  claims = payload.merge(
    "iat" => now,
    "exp" => now + (expires_in * 60).to_i,
    "nbf" => now
  )

  if secret
    hmac_encode(claims, secret)
  elsif use_hmac?
    hmac_encode(claims, hmac_secret)
  else
    ensure_keys
    require "jwt"
    JWT.encode(claims, private_key, "RS256")
  end
end

.hash_password(password, salt = nil, iterations = 260000) ⇒ Object

# File 'lib/tina4/auth.rb', line 219

def hash_password(password, salt = nil, iterations = 260000)
  salt ||= SecureRandom.hex(16)
  dk = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations, length: 32, hash: "sha256")
  "pbkdf2_sha256$#{iterations}$#{salt}$#{dk.unpack1('H*')}"
end

.hmac_decode(token, secret) ⇒ Object

Decode and verify a JWT signed with HS256. Returns the payload hash or nil.

# File 'lib/tina4/auth.rb', line 128

def hmac_decode(token, secret)
  parts = token.split(".")
  return nil unless parts.length == 3

  header_json = base64url_decode(parts[0])
  header = JSON.parse(header_json)
  return nil unless header["alg"] == "HS256"

  # Verify signature
  signing_input = "#{parts[0]}.#{parts[1]}"
  expected_sig = OpenSSL::HMAC.digest("SHA256", secret, signing_input)
  actual_sig = base64url_decode(parts[2])

  # Constant-time comparison to prevent timing attacks
  return nil unless OpenSSL.fixed_length_secure_compare(expected_sig, actual_sig)

  payload = JSON.parse(base64url_decode(parts[1]))

  # Check expiry
  now = Time.now.to_i
  return nil if payload["exp"] && now >= payload["exp"]
  return nil if payload["nbf"] && now < payload["nbf"]

  payload
rescue ArgumentError, JSON::ParserError, OpenSSL::HMACError
  nil
end

.hmac_encode(claims, secret) ⇒ Object

Build a JWT using HS256 with Ruby’s OpenSSL::HMAC (no gem needed)

# File 'lib/tina4/auth.rb', line 115

def hmac_encode(claims, secret)
  header = { "alg" => "HS256", "typ" => "JWT" }
  segments = [
    base64url_encode(JSON.generate(header)),
    base64url_encode(JSON.generate(claims))
  ]
  signing_input = segments.join(".")
  signature = OpenSSL::HMAC.digest("SHA256", secret, signing_input)
  segments << base64url_encode(signature)
  segments.join(".")
end

.hmac_secret ⇒ Object

Lazy per-call secret resolver. When the secret is blank, emit the actionable blank-secret warning (the same text the CI/prod bootstrap path uses) before returning. Parity with Python’s _resolve_secret.

# File 'lib/tina4/auth.rb', line 95

def hmac_secret
  secret = ENV["TINA4_SECRET"]
  warn_blank_secret if secret.nil? || secret.empty?
  secret
end

.private_key ⇒ Object

# File 'lib/tina4/auth.rb', line 336

def private_key
  @private_key ||= OpenSSL::PKey::RSA.new(File.read(private_key_path))
end

.public_key ⇒ Object

# File 'lib/tina4/auth.rb', line 340

def public_key
  @public_key ||= OpenSSL::PKey::RSA.new(File.read(public_key_path))
end

.refresh_token(token, expires_in: 60) ⇒ Object

# File 'lib/tina4/auth.rb', line 250

def refresh_token(token, expires_in: 60)
  return nil unless valid_token(token)

  payload = get_payload(token)
  return nil unless payload
  payload = payload.reject { |k, _| %w[iat exp nbf].include?(k) }
  get_token(payload, expires_in: expires_in)
end

.setup(root_dir = Dir.pwd) ⇒ Object

# File 'lib/tina4/auth.rb', line 25

def setup(root_dir = Dir.pwd)
  @keys_dir = File.join(root_dir, KEYS_DIR)
  FileUtils.mkdir_p(@keys_dir)
  ensure_keys
end

.use_hmac? ⇒ Boolean

Returns true when SECRET env var is set and no RSA keys exist in .keys/

Returns:

• (Boolean)

# File 'lib/tina4/auth.rb', line 82

def use_hmac?
  secret = ENV["TINA4_SECRET"]
  return false if secret.nil? || secret.empty?

  # If RSA keys already exist on disk, prefer RS256 for backward compat
  @keys_dir ||= File.join(Dir.pwd, KEYS_DIR)
  !(File.exist?(File.join(@keys_dir, "private.pem")) &&
    File.exist?(File.join(@keys_dir, "public.pem")))
end

.valid_token(token) ⇒ Object

Verify a JWT signature + expiry.

3.13.0: return type changed from ‘Boolean` to `Hash | nil`. The decoded payload is returned on success, nil on failure. Matches firebase/jwt-ruby and Python’s Auth.valid_token in 3.13.0.

Legacy ‘if Tina4::Auth.valid_token(t)` patterns keep working because a non-empty Hash is truthy and nil is falsy.

# File 'lib/tina4/auth.rb', line 186

def valid_token(token)
  if use_hmac?
    hmac_decode(token, hmac_secret) # returns Hash payload or nil
  else
    ensure_keys
    require "jwt"
    decoded = JWT.decode(token, public_key, true, algorithm: "RS256")
    decoded[0] # firebase/jwt-ruby returns [payload, header]
  end
rescue JWT::ExpiredSignature, JWT::DecodeError
  nil
end

.valid_token_detail(token) ⇒ Object Also known as: validate_token

# File 'lib/tina4/auth.rb', line 199

def valid_token_detail(token)
  if use_hmac?
    payload = hmac_decode(token, hmac_secret)
    if payload
      { valid: true, payload: payload }
    else
      { valid: false, error: "Invalid or expired token" }
    end
  else
    ensure_keys
    require "jwt"
    decoded = JWT.decode(token, public_key, true, algorithm: "RS256")
    { valid: true, payload: decoded[0] }
  end
rescue JWT::ExpiredSignature
  { valid: false, error: "Token expired" }
rescue JWT::DecodeError => e
  { valid: false, error: e.message }
end

.validate_api_key(provided, expected: nil) ⇒ Object

# File 'lib/tina4/auth.rb', line 283

def validate_api_key(provided, expected: nil)
  expected ||= ENV["TINA4_API_KEY"]
  return false if expected.nil? || expected.empty?
  return false if provided.nil? || provided.empty?
  return false if provided.length != expected.length

  OpenSSL.fixed_length_secure_compare(provided, expected)
end