persephone

This gem provides token based OAuth2 authorization within Rails 4 apps that use Mongoid 5 (commonly referred to as client_credentials authorization). It is named after the Greek goddess of the underworld for no good reason other than I liked the name.

A complete list of changes can be found in CHANGES.md.

In your Rails app gemfile, add the following:

gem 'persephone', '~> 1.0.0'

You will need to create applications that are allowed to authenticate with your API by doing the following in a rails console:

app = Persephone::App.create(name: 'This is a name.', scopes: ['scope1', 'scope2'])

You'll need your client ID and client secret in order to authenticate.

app.client_id
app.client_secret

The App model has two additional fields which can be used to store identifiers for external objects either through an ID number or a string SLUG.

app = Persephone::App.new(params)
app.app_id = 23
app.app_slug = 'some_slug_here'
app.save

Persephone automatically provides you with the /oauth/token route. You will authenticate by POSTing a JSON payload containing your client_id and client_secret to the /oauth/token location on your API. A payload should look something like this:

{
    "client_id": "dcf155afc48376e40efa6173da6bf16a21aaaa89c888c1e730d001c1e58c816e",
    "client_secret": "da80b20365c221fcc7d0e3e3378ef9c6d6a03c9ea4014f50a94909d3cd395ad5"
}

If your client ID and secret are correct, you should receive a token as a response. This should look something like:

{
  "token": "63b27b3502241d75abadf72d607c172ec555216b60d3828aff12151f393e8b05",
  "expires": "2016-07-07T20:16:38.369+00:00"
}

All additional calls to the API will add the Authorization header, which should look something like:

Authorization: Bearer 63b27b3502241d75abadf72d607c172ec555216b60d3828aff12151f393e8b05

You'll need to create a controller concern with the following code:

module Authentication
  extend ActiveSupport::Concern

  included do
    before_action :authorize

    def authorize
      Persephone.authorized? request.headers
    end
  end
end

Then simply add the Authentication concern to any controller:

class SomeController < ApplicationController
  include Authentication

end

You can also skip authentication using the skip_before_action method:

class SomeController < ApplicationController
  include Authentication
  skip_before_action :authorize, only: :some_method
end

You can add some additional layers of security by locking down various controllers and methods to only allow access to applications with a specific scope. First, you need to set the scope on the application. By default, all applications receive the 'public' scope unless you specifically set the scopes value.

app = Persephone::App.find_by(client_id: 'dcf155afc48376e40efa6173da6bf16a21aaaa89c888c1e730d001c1e58c816e')
app.scopes = ['public', 'private']
app.save

Note that scopes must be an array of values.

Make a new concern for each scope:

module PrivateAuthentication
  extend ActiveSupport::Concern

  included do
    before_action :authorize_private_scope

    def authorize_private_scope
      Persephone.authorized? request.headers, ['private']
    end
  end
end

module PublicAuthentication
  extend ActiveSupport::Concern

  included do
    before_action :authorize_public_scope

    def authorize_public_scope
      Persephone.authorized? request.headers
    end
  end
end

Then simply include whichever concern is appropriate for your controller. You can require BOTH scopes if you include both concerns.

• Fork it
• Create your feature branch (git checkout -b my-new-feature)
• Commit your changes (git commit -am 'Added some feature')
• Push to the branch (git push origin my-new-feature)
• Create new Pull Request