Module: Verikloak::Rails::Controller

Extended by:
ActiveSupport::Concern
Defined in:
lib/verikloak/rails/controller.rb

Overview

Controller concern providing Verikloak helpers and JSON error handling.

Includes `before_action :authenticate_user!`, helpers such as `current_user_claims`, and consistent 401/403 responses. Optionally wraps requests with tagged logging and a 500 JSON renderer.

Instance Method Summary

Instance Method Details

#authenticate_user! ⇒ void

This method returns an undefined value.

Ensures a user is authenticated, otherwise renders a JSON 401 response through the configured `error_renderer`. Requests whose `path_info` matches `Verikloak::Rails.config.skip_path_matcher` return before the check runs, so no claims are required on those paths.

Examples:

In a controller

class ApiController < ApplicationController
  before_action :authenticate_user!
end


# File 'lib/verikloak/rails/controller.rb', line 44

def authenticate_user!
  return if Verikloak::Rails.config.skip_path_matcher.skip?(request.path_info)
  return if authenticated?

  e = ::Verikloak::Error.new('Unauthorized', code: 'unauthorized')
  Verikloak::Rails.config.error_renderer.render(self, e)
end

#authenticated? ⇒ Boolean

Whether the request carries verified user claims (i.e. `current_user_claims` is present).

Returns:

  • (Boolean)


# File 'lib/verikloak/rails/controller.rb', line 54

def authenticated? = current_user_claims.present?

#current_subject ⇒ String?

The `sub` (subject) claim from the current user claims, or `nil` when there are no claims.

Returns:

  • (String, nil)


# File 'lib/verikloak/rails/controller.rb', line 72

def current_subject = current_user_claims && current_user_claims['sub']

#current_token ⇒ String?

The raw bearer token used for the current request. The Rack env key `verikloak.token` is consulted first; the RequestStore key `:verikloak_token` is used as a fallback when RequestStore is available.

Returns:

  • (String, nil)


# File 'lib/verikloak/rails/controller.rb', line 66

def current_token
  _verikloak_fetch_request_context('verikloak.token', :verikloak_token)
end

#current_user_claims ⇒ Hash?

The verified JWT claims for the current user. The Rack env key `verikloak.user` is consulted first; the RequestStore key `:verikloak_user` is used as a fallback when RequestStore is available.

Returns:

  • (Hash, nil)


# File 'lib/verikloak/rails/controller.rb', line 59

def current_user_claims
  _verikloak_fetch_request_context('verikloak.user', :verikloak_user)
end

#with_required_audience!(*required) ⇒ void

This method returns an undefined value.

Enforces that every listed audience is present in the current user's `aud` claim. The claim may be a single string or an array (both forms are valid), so it is normalised with `Array()`; nested arrays in `required` are flattened. Note that an empty `required` list passes trivially, and a request with no claims at all fails this check with the same `forbidden` error, so run `authenticate_user!` first to get a 401 in that case.

Examples:

with_required_audience!('my-api', 'payments')

Parameters:

  • required (Array<String>)

    one or more audiences to require

Raises:

  • (Verikloak::Error)

when any required audience is missing from the `aud` claim (error code `forbidden`)



# File 'lib/verikloak/rails/controller.rb', line 81

def with_required_audience!(*required)
  aud = Array(current_user_claims&.dig('aud'))
  return if required.flatten.all? { |r| aud.include?(r) }

  raise ::Verikloak::Error.new('Required audience not satisfied', code: 'forbidden')
end
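The following is an added example, not code from the verikloak gem: it re-creates the decisions made by `authenticate_user!` and `with_required_audience!` as plain Ruby so the 401-versus-403 behaviour can be exercised offline against constructed Rack env hashes. The `DemoVerikloakError` class, the `authorize` helper and the sample envs are assumptions for illustration; the RequestStore fallback and the skip-path check are left out.

```ruby
# Added example (not part of the verikloak gem). Stand-alone re-creation of the
# claim lookup and audience enforcement shown in Verikloak::Rails::Controller,
# runnable without Rails or the gem.

# Hypothetical stand-in for ::Verikloak::Error, which the page shows being
# constructed with a message and a code: keyword.
class DemoVerikloakError < StandardError
  attr_reader :code

  def initialize(message, code:)
    super(message)
    @code = code
  end
end

# How the error codes used on the page map to HTTP statuses (assumption: the
# configured error_renderer renders 'unauthorized' as 401 and 'forbidden' as 403).
HTTP_STATUS_FOR_CODE = { 'unauthorized' => 401, 'forbidden' => 403 }.freeze

# Mirrors #current_user_claims: verified claims live under the Rack env key
# 'verikloak.user' (the RequestStore fallback is omitted here).
def claims_from(env)
  env['verikloak.user']
end

# Mirrors #with_required_audience!: `aud` may be a single string or an array,
# so it is normalised with Array(); every required audience must be present.
# An empty `required` list passes trivially, which is why the caller should
# always name at least one audience.
def require_audience!(claims, *required)
  aud = Array(claims&.dig('aud'))
  return true if required.flatten.all? { |r| aud.include?(r) }

  raise DemoVerikloakError.new('Required audience not satisfied', code: 'forbidden')
end

# Mirrors a controller that runs authenticate_user! and then
# with_required_audience!: no claims => 401, claims without the audience => 403,
# otherwise the request proceeds and the subject is available.
def authorize(env, required_audiences)
  claims = claims_from(env)
  if claims.nil? || claims.empty?
    raise DemoVerikloakError.new('Unauthorized', code: 'unauthorized')
  end

  require_audience!(claims, *required_audiences)
  { status: 200, sub: claims['sub'] }
rescue DemoVerikloakError => e
  { status: HTTP_STATUS_FOR_CODE.fetch(e.code), error: e.code }
end

# Constructed sample envs: what the middleware would have placed in the Rack env
# after verifying a token. No real tokens or claims are used.
ENV_STRING_AUD = { 'verikloak.user' => { 'sub' => 'user-1', 'aud' => 'my-api' } }.freeze
ENV_ARRAY_AUD  = { 'verikloak.user' => { 'sub' => 'user-2', 'aud' => %w[my-api payments] } }.freeze
ENV_NO_AUD     = { 'verikloak.user' => { 'sub' => 'user-3' } }.freeze
ENV_ANON       = {}.freeze

if $PROGRAM_NAME == __FILE__
  [ENV_STRING_AUD, ENV_ARRAY_AUD, ENV_NO_AUD, ENV_ANON].each do |env|
    p authorize(env, %w[my-api payments])
  end
end
```

Running the file prints one decision per sample env: the string-valued `aud` satisfies `my-api` alone but not `my-api` plus `payments`, the array-valued `aud` satisfies both, a token with no `aud` is forbidden, and an anonymous request is unauthorized before any audience is looked at.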