Refactor Configuration & Authentication Unit Tests (#8)

* #7 major refactor of authorization and token verification

* #7 token verification unit tests

* #7 cleaning up so that a bunch of stuff is placed inside the encrypted credentials.

* #7 updated the README to include information about the secrets that are expected for DEVELOPMENT & PRODUCTION environments.

.editorconfig

@@ -0,0 +1,15 @@
+[*]
+charset=utf-8
+end_of_line=lf
+insert_final_newline=true
+indent_style=space
+indent_size=2
+
+[*.scss]
+indent_style=space
+indent_size=2
+
+[{*.yml,*.yaml}]
+indent_style=space
+indent_size=2
+

README.md

@@ -15,6 +15,7 @@ You need the following:
 
 Perform the following from the command line:
 
+1. Create your config/credentials.yml.enc file (see _No Secrets Here - Credentials Instead_ section below).
 1. `bundle install` - will install any of the missing gems declared in the `Gemfile`
 1. `docker-compose up -d` - start up a Redis and PostgreSQL server in a container
 1. `rake db:create` - only required the first time, make sure your database is created
@@ -26,7 +27,6 @@ Perform the following from the command line:
 
 `rails s` - to serve the API on [http://localhost:3000](http://localhost:3000)
 
-
 ### Database Seeds
 
 For development, feel free to edit the `db/fixtures/development/002_users.rb` file to add yourself.
@@ -83,29 +83,53 @@ If you're creating Sidekiq jobs please use the generator: `rails g sidekiq:worke
 
 ## Configuration Notes
 
-The `config/application.rb` sets the `record_session_activity` boolean which is used to determine whether
-we should be logging session activity.
+The `config/initializers/ermahgerd.rb` can be used to override a number of configuration options.
+
+The Configuration options are set to their defaults in `lib/ermahgerd/configuration.rb`; check out the
+initialize method.
 
 ----
 
-## Credentials
+## No Secrets Here - Credentials Instead
 
 As of Rails-5.2 secrets are hashed and locked down with the `config/master.key` file.  Run `rails credentials:help` for
 more information.
 
-Do you need to create a key?  Use `rake secret`
+This application ships with an already created `config/credentials.yml.enc` and we share the `master.key` amongst
+ourselves ... but not with Joe Public (or Josephine Public)
+
+If you're forking this or trying it yourself, you'll want to:
+
+1. `rm config/credentials.yml.enc` to get rid of the current credentials
+1. `rails credentials:edit`
+1. Add the keys that are described in the section below; don't forget to use the `rake secret` to create your keys
 
-Do you need to edit some secrets?  Do it from the command line:
+### Keys in `config/credentials.yml.enc`
 
 ```bash
-$ rails credentials:edit
+$ rails credentials:edit  # you might have to destroy the existing `config/credentials.yml.enc` if this command fails
 ```
 
-### Keys in `config/credentials.yml.enc`
+`secret_key_base` - used by most Rails apps in one way or another (e.g. BCrypt).  Please set this to a
+strong key; all environments (development, test, etc.) require this to be set.
+
+`jwk_set` - the set of JWK from Cognito that will be used to decode supplied Authorization tokens.  Yours will be found
+at `https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json`.  
+Check out the Cognito docs: [https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-step-2]
+By default, the TEST environment of this app does not use this JWK set.  DEVELOPMENT & PRODUCTION do use this unless
+you change the configuration through `config/initializers/ermahgerd.rb`.
+
+`token_aud` - name of the audience in your token from Cognito; makes sure not just any Cognito token 
+can access this app.  You can get this information from your Cognito configuration or the payloads 
+from your authentication requests to Cognito.  By default, the TEST environment of this app does 
+not use this setting; it makes up a fake audience value.  DEVELOPMENT & PRODUCTION do use this unless
+you change the configuration through `config/initializers/ermahgerd.rb`.
 
-`secret_key_base` - used by Rails in many ways (e.g. BCrypt)
 
-`jwk_set` - the set of JWK from Cognito that will be used to decode supplied Authorization tokens
+`token_iss` - the url that issued the token.  You can get this information from your Cognito configuration 
+or the payloads from your authentication requests to Cognito.  By default, the TEST environment of this app does 
+not use this setting; it makes up a fake audience value.  DEVELOPMENT & PRODUCTION do use this unless
+you change the configuration through `config/initializers/ermahgerd.rb`.
 
 ----
 

app/controllers/api/v1/base_jsonapi_resources_controller.rb

@@ -2,12 +2,12 @@
 
 module Api
   module V1
-    # This is a JSONAPI-Resources ready controller that tests authentication using CognitoAuthorizer concern.
+    # This is a JSONAPI-Resources ready controller that tests authentication using Ermahgerd::Authorizer concern.
     # Authorization is managed through Pundit policies.
     class BaseJsonapiResourcesController < ApplicationController
       include Ermahgerd::CurrentUser
       include JSONAPI::ActsAsResourceController
-      include CognitoAuthorizer
+      include Ermahgerd::Authorizer
       include Pundit # included for Posterity sake should we override a controller and need to `authorize`
 
       # :authorize_request! is from the CognitoAuthorizer concern ensuring valid `authenticated` requests
@@ -20,7 +20,7 @@ class BaseJsonapiResourcesController < ApplicationController
 
       # Using the setting in `config/application.rb` determine whether or not to record session activity
       def record_session_activity
-        return unless Rails.configuration.record_session_activity
+        return unless Ermahgerd.configuration.record_session_activity
 
         # TODO: we need to use the `jti` from the token
         # TODO: See https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields

app/controllers/application_controller.rb

@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 # Controller that all generated Controllers inherit from.
-# The CognitoAuthorizer will provide an `:authorize_request!` hook to ensure supplied tokens are valid.
 #
 # This controller is configured to rescue from the following errors:
 # 1. ActiveRecord::RecordNotFound - that way you can Model.find_by! and have the controller handle the error

config/application.rb

@@ -33,25 +33,13 @@ class Application < Rails::Application
     # -- all .rb files in that directory are automatically loaded after loading
     # the framework and any gems in your application.
 
-    config.access_token_expire_seconds = ENV.fetch('ACCESS_TOKEN_EXPIRE_SECONDS') { 3600 }
-
-    config.access_token_leeway_seconds = ENV.fetch('ACCESS_TOKEN_LEEWAY_SECONDS') { 0 }
-
-    config.refresh_token_expire_days = ENV.fetch('REFRESH_TOKEN_EXPIRE_DAYS') { 365 }
-
     # Only loads a smaller set of middleware suitable for API only apps.
     # Middleware like session, flash, cookies can be added back manually.
     # Skip views, helpers and assets when generating a new resource.
     config.api_only = true
 
-    # Whether or not to record `SessionActivity` in the `BaseResourceController`
-    config.record_session_activity = ENV.fetch('RECORD_SESSION_ACTIVITY') { true }
-
-    # The id token's audience
-    config.token_aud = ENV.fetch('TOKEN_AUD') { 'ermahgerd' }
-
-    # The id token's issuer
-    config.token_iss = ENV.fetch('TOKEN_ISS') { 'https://cognito-idp.ca-central-1.amazonaws.com/us-east-1_example' }
+    # Ermahgerd Configuration
+    # ------------------------------------------------------------------------------------------------------------------
 
     config.version = '0.0.1-rc.2'
   end

config/credentials.yml.enc

@@ -1 +1 @@
-HhizsWaU5RfbC43XVL+XCPoBH6VisLZSWKms1RT9BjeIeapwPJ5rYUNyqOw6evT1z+b0+epXTACuz6rjy5LkRm6imxd/kd7CEuD6Vl7RBi5Yn6Ernt3qDqUaHEabOITPFHei2yrR1e1yAE9v0d80QcfH1BOmns5fVxm3wfKOucx/lrtKBZfaDzSjBwYJq/hl2YK5PCdBfRSmn1FNrH+oG4o3t1COuHRbJaqaxeNPTREX9kxJ5xsBj5nUfCxqLkwDbEl8RcsmNGnJpIrVMT7zCJBdSO6fMssDEkzrm1ovFPdWaggxYZob6OTP4b6I3oWsXT13Ai3wYbrSWq9OP4h8q82aHqMUejJsHBBGwAd4OUASJTKWb82xvjXnOuYSt5cMeMuP5gnsILvh2xFXHUPLlT8Xt7/HK6FYFWvjc6i7vBGPuouGA/3jIUsMV7C7EqjhSQtfALKX1bU5q3VIXujMMUwSxj/Gu/V8RSBMY209usWruKt3e+1ZjemI72A5ZPELlUICbEXOcKJCuZ2vIH2C4IMn47TPP8Fm5Sb6suniESlIvK6pNSbJJ5btpa5w9VOqAT4jp0fI9tZ9oRk5xo1KTcf1K0bgxQhsdrig2dPIyjsQMwR35T8c1zs2f1NHpvPzqNmq7xZKZCHqMeoEQWq5OxdRFxtfmtltTw4wDVMMRSEzXAWqkZLF6PsM9SvYpyu1TGOczzolU9vZAhbGzse9k9en8XRiXuSYtBKV5tnfN/yssY/ATEd55Cwz/WUIjTqcpbK1rPp5goYzJBurAEtUa8MXlvedaEAf6bApohLNc23UtEOE3DzD7I9YVUEj+GZ8OQM5ypy/RDEEkwlL0/RIW7iUW2r/HpNsokDT6FIhZchCXW8OXl9xsDFMuFXGUoc89GZlQ03MQ28s0UR2+kTXdhte74zXlW9UjKUIzP+v0sHiDMYYG5LAB/C1mB2CknJ9b+x7ukVzq2vJgSQOnY/jIAfRODyGAhQxlGG9jIYBA62iBzZV3wIWNiVRqfqsgfHgkLtEJnQ5W36HD+W07Ywh4RCSmfjgrakruUnDgQHKJc6KM2mDmBh+OwwRCVYxDF0pO9qcljyrf2JiUvqa7Ki1+j6gSLPc9GweTjkPlnLiNhwxSxntcjza/zE3q5RIfYFg8ftEPfXkL1xYS/Xk1WxjYm81rju+8ibf82n7+KBWz2TRg+JoKdN8HMF6E2S07XR4WvRZiaQ8L1Wn+QlO3NU8eat0yIq8f+z/Vgup3WlAdg2VgyZA3+HKqmrw6QTpwedVkLCrF+ujVYhNDw4FgWXRvK3P5f3KdtQckEAkKGYu1o8nUZCxBIzDbpQRRrCaaW2cv9nFdDQVzP8w5k0czjymKrAoWA2HuKdqXLSgCkyuiPXeA8u9LNkoR1WdQIDv8U115tcREt4hEurh2FBfBZ4mshaIwmNjEzdc1AABZklz+Gxpx7yg6bVU1JevfZ9ScxRtHLBXl5z7Mwk32ZC5HG2wfwlk49YjQqgP01MFTzYpNuT/mord1SPmuADotff4AO9ohmZnFeiJ1Zc2u2JLknEPO0vXYvxDQuPpvHwbgr2ZfJapjf1k2gp+YTPfQfM8l5+KwGRAfXRW4nHyxIYYNU778wqXccNxEcIncfxADdOCAD5n9GyZvxD9oSpYOSX4ZcqY--POcge2U72nLGxoHm--bFkc00l4ReQ+sMpFabV+HQ==
+U9DiZzG4VAaGpeq/tmjdwqgo9U+tY9cncNdXt48FjJ7GOdQMRahtTr+17iaENU63bx52izPWdiCJ5qTk7I67rJS3S6VVh6GwTo7zV7SmC90zQp5lxaK0TN8yVpXqxMiOIB4UC/GcgfikHAHNHMcOeUzcQEEsyJ+3/6P0KbQ3UFDPJSPoKO5ftIMEMDhEE+C/bCrUz1oqsiK3GnkF510jK3mGcD1h4twDGBDRQd2POofwBpd2e1ShriwuRpQB8jXbrZkWQYV7X2VfqNp55pCjVpy3y3cF2uWvHYyt34DZl6tPQce+KrSW61wq5p9sMtTE3Xqjll+NAfLyXDsGsmnghz3p03NvDXsAp8ZVZijjdGwQvd3atz9N9E79M8c6vh9pDMlCEvGghYmWyHfsH0BgzqTPOZD6UfNyYUc82YDt7i4Yl76AdIkeHA5EDBMdrH4g0n15inB82hYPR4bmFV1HiZ/FrqsEtr95tGe84ZJqM7G12DtHZuxJVk+ygwVWQAhIQ0sZWF5x7iSkCQrbEbslbUYErdNOCq0/r4TpWsAEWHxJ38BC99ixnrYdBujGK8CYTP5g+mKHYmCrScq4b95SI0G3KBqlZ2CYHA5OITvNdoH1cLwbKmnWmdl6PUBKJkTqg8M+qzbrdnWdDwqk7Mjy0CeqOIbyYKGahERJoHaxDrzGpDAzPMA7D5GCY11mlHEckwtnEINGmu/MS4uYxI+8mMJbWvC5RLiOLnjMiFeEy8bIDx/rTumWcm9WFFdo/5YYKWxZadI6UZMoZqZOVLteaHaBf0sbFdjyKeTq2Llb4jR6EyrLKJ3pw2udY4s8dxzmmwaX4ap38xzGqtqklutj5Jj+brYvI5cCpBN9rxl2Jhp3E0eJLWbKl3pLY3aPyYamtvBLqEgPN4SxlCqru+xyrSciQn66xhXL7R38Kik/zcqNRpi0vT8g+dEXmUxu4qgbcrLMS1ymTXY7fq5jR7fOAaDDepcHGoHVS+S7mgg5thvMI1hgf//7nKaq89ctKi82Fu6zaBzAhZN42ZHdlOCeHyEzHU674rHxvcskvSjp+mm82vHsk6L3bQGgbz4hZhWY+xt+lWhhNpChpGbaTWSiG4tyDI5brhtrzy2ed66KuefX9Q4cWw45RXhdKNfo4rF95CKVuRExh5DwQHbVzKGnYB22bWlzXYrPdCCzCpz4aw32Q31ZWR3KEi0+j9jz+qqgTQdwWqTf0hG++v00KJX3agbpIq7WArQzKSEN2HCOpbLU4LhEGaDJFzGTvjmiM6iIs6RziBIJ/Wm3d7mJ+HdbedocxqZZOR8GmUAc3gI5eSxtmfeOfQqw+Xu/FxUcKoPaIdjqR1HbTe6lFX2oudAnPcAMMtKfXXF875LO7lR6irLcgn69/sXf/SGSBNBQrNNGcGsU8w8em7AaqEtzJc9lj0COL/jBW44FySUwfYFkln4C9FmnlfVm4fy3ACA3kprb6pYqGjmBx86IwMxPGjIX0omv07lhcCssbqMHFMB6EKh8D18Bd6A2AlgJHET0b1UUh6S44iQxHwNoS666eY+BjwSg0YF6rrGTbWgiDwTw3fOEmk8Z1ANEZJFR74GIqdxLjNORJ2YyAiyNgq4UoULDyS83hcECl0mYz3gQIeLDPXlIXbPjZZ+ZsVZ3Itj2zOT2VQM4j5LRHD547xeNTyTp3QP2/PSa3M9zZQJHiWOGeFGs0f040IlIXa0WoKB7jmQDQxkzNDYt3zjSgIOmflteCZnNAlMMRgmgOP8BYagjxfQhV+PX8/tAuefng8McxewjszBXjHguvGsbDHgiadBwTmLL54iCUDY9ODjEt7bYWXnRD9whtG/Jz4jXREQM8Y0/rMvJXF8NB+F5NeLKTl0U+MRdNE1/TwmHwfUsNnw1p5hofcBUBGAgMWLTE8kWQxPni+Jyd87/EwvS6ZhSoeWJGFJ5HeQgAJ9T6tLT6fm2nGTqWV25mWOrAs7tQ5dilrNhHEk5S7l/rGI/82jCY95hNUuaKGr3tN/oxENU/gYA4Nz4v3Yh1JoGKyc29Y/qxHgHWA7T9nOXT72I7IDXlslfq2F51pQyZaRd3p/kLBvqx6LUKHB1uzebUY2ehXSglnu6r29op9mil8ooS1PGMv9WFXVvD+Xi5kUXFAWHEGUAuZirqmqZA0cLdd7+XJ6xnulCDGZcECarxtvqEKxDLYlZZ/pwy22iNAebHZUeEb7ZeQC/T5nrzli1IEtJtCwI7RbIa4/ZE5M=--AbM22LPCmnqIhi2V--ia58uQ89MN6sPuhNkrBfKQ==

config/environments/test.rb

@@ -21,7 +21,7 @@
   }
 
   # Show full error reports and disable caching.
-  config.consider_all_requests_local       = true
+  config.consider_all_requests_local = true
   config.action_controller.perform_caching = false
 
   # Raise exceptions instead of rendering exception templates.

config/initializers/ermahgerd.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+Ermahgerd.configure do |config|
+  if Rails.env.test?
+    # Cognito Token Verification Configuration
+    # ------------------------------------------------------------------------------------------------------------------
+
+    # The id token's audience
+    config.token_aud = 'ermahgerd'
+
+    # The id token's issuer
+    config.token_iss = 'https://cognito-idp.ca-central-1.amazonaws.com/ca-central-1_exampleXyZ'
+  end
+end

db/fixtures/development/002_users.rb

@@ -5,7 +5,7 @@
 User.seed_once(
   :email,
   {
-    email: '[email protected]',
+    email: 'dan.nelson@cybertooth.io',
     first_name: 'Dan',
     last_name: 'Nelson',
     nickname: 'Hollywood',

lib/ermahgerd.rb

@@ -1,8 +1,14 @@
 # frozen_string_literal: true
 
+require 'ermahgerd/authorizer'
+require 'ermahgerd/configuration'
 require 'ermahgerd/current_user'
 require 'ermahgerd/errors'
 
+# The Ermahgerd module has a bunch of constants and configuration elements found within.
+# There are also a number of very reusable concerns and classes that can be used throughout this project, or
+# copied into another project.
 module Ermahgerd
   HEADER_AUTHORIZATION = 'Authorization'
+  HEADER_IDENTIFICATION = 'Identification'
 end