Merge pull request #1065 from sul-dlss/iiif-authv2

Move token controller to a iiif/auth/v1 directory

.rubocop_todo.yml

@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2023-11-08 16:02:12 UTC using RuboCop version 1.57.2.
+# on 2023-12-06 16:20:31 UTC using RuboCop version 1.58.0.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -15,7 +15,7 @@ Layout/MultilineMethodCallBraceLayout:
     - 'spec/routing/file_routing_spec.rb'
     - 'spec/routing/media_routing_spec.rb'
 
-# Offense count: 7
+# Offense count: 8
 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes.
 Metrics/AbcSize:
   Max: 22
@@ -25,12 +25,12 @@ Metrics/AbcSize:
 Metrics/CyclomaticComplexity:
   Max: 10
 
-# Offense count: 12
+# Offense count: 13
 # Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns.
 Metrics/MethodLength:
   Max: 25
 
-# Offense count: 31
+# Offense count: 25
 RSpec/AnyInstance:
   Exclude:
     - 'spec/controllers/media_controller_spec.rb'
@@ -39,19 +39,18 @@ RSpec/AnyInstance:
     - 'spec/features/status_spec.rb'
     - 'spec/requests/file_auth_request_spec.rb'
     - 'spec/requests/file_spec.rb'
+    - 'spec/requests/iiif/auth/v1/tokens_spec.rb'
     - 'spec/requests/iiif_auth_request_spec.rb'
     - 'spec/requests/iiif_spec.rb'
     - 'spec/requests/media_auth_request_spec.rb'
 
-# Offense count: 78
+# Offense count: 68
 # Configuration parameters: Prefixes, AllowedPatterns.
 # Prefixes: when, with, without
 RSpec/ContextWording:
   Exclude:
     - 'spec/abilities/ability_spec.rb'
     - 'spec/controllers/file_controller_spec.rb'
-    - 'spec/controllers/iiif_controller_spec.rb'
-    - 'spec/controllers/iiif_token_controller_spec.rb'
     - 'spec/controllers/legacy_image_service_controller_spec.rb'
     - 'spec/controllers/media_controller_spec.rb'
     - 'spec/features/status_spec.rb'
@@ -72,15 +71,15 @@ RSpec/DescribedClass:
     - 'spec/models/stacks_media_token_spec.rb'
     - 'spec/models/user_spec.rb'
 
-# Offense count: 7
+# Offense count: 4
 # This cop supports safe autocorrection (--autocorrect).
 RSpec/EmptyLineAfterExampleGroup:
   Exclude:
     - 'spec/abilities/ability_spec.rb'
     - 'spec/controllers/legacy_image_service_controller_spec.rb'
     - 'spec/requests/file_auth_request_spec.rb'
 
-# Offense count: 32
+# Offense count: 34
 # This cop supports safe autocorrection (--autocorrect).
 RSpec/EmptyLineAfterFinalLet:
   Exclude:
@@ -94,7 +93,7 @@ RSpec/EmptyLineAfterFinalLet:
     - 'spec/services/iiif_metadata_service_spec.rb'
     - 'spec/services/media_authentication_json_spec.rb'
 
-# Offense count: 6
+# Offense count: 7
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowConsecutiveOneLiners.
 RSpec/EmptyLineAfterHook:
@@ -103,24 +102,23 @@ RSpec/EmptyLineAfterHook:
     - 'spec/features/status_spec.rb'
     - 'spec/requests/iiif_spec.rb'
 
-# Offense count: 12
+# Offense count: 11
 # This cop supports safe autocorrection (--autocorrect).
 RSpec/EmptyLineAfterSubject:
   Exclude:
     - 'spec/abilities/ability_spec.rb'
-    - 'spec/controllers/iiif_controller_spec.rb'
     - 'spec/controllers/webauth_controller_spec.rb'
     - 'spec/models/iiif_image_spec.rb'
     - 'spec/models/projection_spec.rb'
     - 'spec/models/stacks_image_spec.rb'
     - 'spec/services/iiif_metadata_service_spec.rb'
 
-# Offense count: 20
+# Offense count: 22
 # Configuration parameters: CountAsOne.
 RSpec/ExampleLength:
-  Max: 24
+  Max: 16
 
-# Offense count: 15
+# Offense count: 12
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: CustomTransform, IgnoredWords, DisallowedExamples.
 # DisallowedExamples: works
@@ -131,7 +129,7 @@ RSpec/ExampleWording:
     - 'spec/models/stacks_media_token_spec.rb'
     - 'spec/requests/iiif_auth_request_spec.rb'
 
-# Offense count: 3
+# Offense count: 2
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle.
 # SupportedStyles: implicit, each, example
@@ -140,13 +138,11 @@ RSpec/HookArgument:
     - 'spec/requests/file_auth_request_spec.rb'
     - 'spec/requests/iiif_auth_request_spec.rb'
 
-# Offense count: 8
+# Offense count: 6
 # This cop supports safe autocorrection (--autocorrect).
 RSpec/LeadingSubject:
   Exclude:
     - 'spec/controllers/file_controller_spec.rb'
-    - 'spec/controllers/iiif_controller_spec.rb'
-    - 'spec/controllers/iiif_token_controller_spec.rb'
     - 'spec/models/projection_spec.rb'
     - 'spec/models/stacks_media_token_spec.rb'
     - 'spec/services/media_authentication_json_spec.rb'
@@ -159,19 +155,17 @@ RSpec/MessageSpies:
     - 'spec/controllers/file_controller_spec.rb'
     - 'spec/controllers/media_controller_spec.rb'
 
-# Offense count: 66
+# Offense count: 64
 RSpec/MultipleExpectations:
   Max: 12
 
-# Offense count: 80
+# Offense count: 64
 # Configuration parameters: EnforcedStyle, IgnoreSharedExamples.
 # SupportedStyles: always, named_only
 RSpec/NamedSubject:
   Exclude:
     - 'spec/controllers/application_controller_spec.rb'
     - 'spec/controllers/file_controller_spec.rb'
-    - 'spec/controllers/iiif_controller_spec.rb'
-    - 'spec/controllers/iiif_token_controller_spec.rb'
     - 'spec/controllers/webauth_controller_spec.rb'
     - 'spec/models/approved_location_spec.rb'
     - 'spec/models/projection_spec.rb'
@@ -183,10 +177,10 @@ RSpec/NamedSubject:
     - 'spec/services/iiif_metadata_service_spec.rb'
     - 'spec/services/media_authentication_json_spec.rb'
 
-# Offense count: 54
+# Offense count: 47
 # Configuration parameters: AllowedGroups.
 RSpec/NestedGroups:
-  Max: 6
+  Max: 5
 
 # Offense count: 4
 RSpec/RepeatedDescription:
@@ -214,7 +208,6 @@ RSpec/VerifiedDoubles:
     - 'spec/models/purl_spec.rb'
     - 'spec/models/stacks_media_token_spec.rb'
     - 'spec/services/iiif_info_service_spec.rb'
-    - 'spec/services/media_authentication_json_spec.rb'
 
 # Offense count: 2
 # This cop supports safe autocorrection (--autocorrect).
@@ -247,7 +240,7 @@ Style/HashAsLastArrayItem:
   Exclude:
     - 'app/controllers/object_controller.rb'
 
-# Offense count: 13
+# Offense count: 12
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: PreferredDelimiters.
 Style/PercentLiteralDelimiters:

app/controllers/iiif/auth/v1/token_controller.rb

@@ -0,0 +1,125 @@
+# frozen_string_literal: true
+
+# API to create IIIF Authentication access tokens
+module Iiif
+  module Auth
+    module V1
+      # Creates tokens for IIIF auth v1
+      class TokenController < ApplicationController
+        skip_forgery_protection
+
+        def create
+          token = mint_bearer_token if token_eligible_user?
+
+          write_bearer_token_cookie(token) if token
+
+          @message = if token
+                       {
+                         accessToken: token,
+                         tokenType: 'Bearer',
+                         expiresIn: 3600
+                       }
+                     else
+                       { error: 'missingCredentials', description: '' }
+                     end
+
+          if browser_based_client_auth?
+            create_for_browser_based_client_application_auth
+          else
+            create_for_json_access_token_auth(token)
+          end
+        end
+
+        def create_for_item
+          if current_user.cdl_tokens.none? { |payload| payload['aud'] == params[:id] }
+            @message = { error: 'missingCredentials', description: '' }
+
+            if browser_based_client_auth?
+              create_for_browser_based_client_application_auth
+            else
+              create_for_json_access_token_auth(nil)
+            end
+
+            return
+          end
+
+          create
+        end
+
+        private
+
+        # An authenticated user can retrieve a token if they are logged in with webauth, as an
+        # app-user, or are accessing material from a location-specific kiosk.
+        # Other anonymous users are not eligible.
+        def token_eligible_user?
+          current_user.token_user? ||
+            current_user.webauth_user? ||
+            current_user.location? ||
+            current_user.cdl_tokens.any?
+        end
+
+        # Handle IIIF Authentication 1.0 browser-based client application requests
+        # See {http://iiif.io/api/auth/1.0/#interaction-for-browser-based-client-applications}
+        def create_for_browser_based_client_application_auth
+          browser_params.require(:origin)
+
+          # The browser-based interaction requires using iframes
+          # We disable this header (added by default) entirely to ensure
+          # that IIIF viewers embedded by iframes in other pages will
+          # work as expected.
+          response.headers['X-Frame-Options'] = ""
+
+          @message[:messageId] = browser_params[:messageId]
+
+          @origin = browser_params[:origin]
+
+          render 'create', layout: false
+        end
+
+        # Handle IIIF Authentication 1.0 JSON Access Token requests
+        # See {http://iiif.io/api/auth/1.0/#the-json-access-token-response}
+        def create_for_json_access_token_auth(token)
+          status = if callback_value || token
+                     :ok
+                   else
+                     :unauthorized
+                   end
+
+          render json: @message.to_json, callback: callback_value, status:
+        end
+
+        def json_params
+          params.permit(:callback)
+        end
+
+        def browser_params
+          params.permit(:messageId, :origin)
+        end
+
+        def browser_based_client_auth?
+          browser_params[:messageId].present?
+        end
+
+        def callback_value
+          json_params[:callback]
+        end
+
+        def mint_bearer_token
+          encode_credentials(current_user.token).sub('Token ', '')
+        end
+
+        def write_bearer_token_cookie(token)
+          # webauth users already have a webauth cookie; no additional cookie needed
+          return if current_user.webauth_user?
+
+          cookies[:bearer_token] = {
+            value: token,
+            expires: 1.hour.from_now,
+            httponly: true,
+            secure: request.ssl?
+          }
+        end
+      end
+    end
+  end
+end