Add AuthenticateWithApiKey command

Author: azimux

CHANGELOG.md

@@ -1,3 +1,7 @@
+## [0.0.10] - 2025-04-28
+
+- Add AuthenticateWithApiKey command
+
 ## [0.0.9] - 2025-04-22
 
 - Handle malformed jwt tokens

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    foobara-auth (0.0.9)
+    foobara-auth (0.0.11)
       argon2
       foobara (~> 0.0.1)
       jwt
@@ -26,7 +26,7 @@ GEM
     diff-lcs (1.6.1)
     docile (1.4.1)
     dotenv (3.1.8)
-    extract-repo (0.0.10)
+    extract-repo (0.0.11)
       foobara (~> 0.0.102)
       foobara-sh-cli-connector (~> 0.0.1)
     ffi (1.17.2)
@@ -63,7 +63,7 @@ GEM
       foobara-type-generator (~> 0.0.1)
       foobara-typescript-react-command-form-generator (~> 0.0.1)
       foobara-typescript-remote-command-generator (~> 0.0.1)
-    foobara (0.0.108)
+    foobara (0.0.114)
       bigdecimal
       foobara-lru-cache (~> 0.0.2)
       foobara-util (~> 0.0.11)
@@ -79,7 +79,7 @@ GEM
       foobara-files-generator
     foobara-dotenv-loader (0.0.3)
       dotenv
-    foobara-empty-ruby-project-generator (0.0.17)
+    foobara-empty-ruby-project-generator (0.0.18)
       extract-repo (~> 0.0.1)
       foobara (~> 0.0.94)
       foobara-files-generator (~> 0.0.1)
@@ -114,7 +114,7 @@ GEM
     foobara-rubocop-rules (0.0.8)
       rubocop
       rubocop-rspec
-    foobara-sh-cli-connector (0.0.15)
+    foobara-sh-cli-connector (0.0.16)
       foobara (~> 0.0.88)
     foobara-sh-cli-connector-generator (0.0.4)
       foobara-files-generator (~> 0.0.1)
@@ -125,7 +125,7 @@ GEM
       foobara-files-generator
     foobara-typescript-react-command-form-generator (0.0.12)
       foobara-typescript-remote-command-generator (~> 0.0.1)
-    foobara-typescript-remote-command-generator (0.0.18)
+    foobara-typescript-remote-command-generator (0.0.19)
       foobara-files-generator (~> 0.0.1)
     foobara-util (0.0.11)
     formatador (1.1.0)
@@ -152,7 +152,7 @@ GEM
       pp (>= 0.6.0)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
-    json (2.10.2)
+    json (2.11.3)
     jwt (2.10.1)
       base64
     language_server-protocol (3.17.0.4)
@@ -182,10 +182,10 @@ GEM
     pry-byebug (3.11.0)
       byebug (~> 12.0)
       pry (>= 0.13, < 0.16)
-    psych (5.2.3)
+    psych (5.2.4)
       date
       stringio
-    public_suffix (6.0.1)
+    public_suffix (6.0.2)
     racc (1.8.1)
     rainbow (3.1.1)
     rake (13.2.1)
@@ -204,17 +204,17 @@ GEM
       rspec-mocks (~> 3.13.0)
     rspec-core (3.13.3)
       rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.3)
+    rspec-expectations (3.13.4)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-its (2.0.0)
       rspec-core (>= 3.13.0)
       rspec-expectations (>= 3.13.0)
-    rspec-mocks (3.13.2)
+    rspec-mocks (3.13.3)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-support (3.13.2)
-    rubocop (1.75.3)
+    rspec-support (3.13.3)
+    rubocop (1.75.4)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)

spec/authenticate_with_api_key_spec.rb

@@ -0,0 +1,53 @@
+RSpec.describe Foobara::Auth::AuthenticateWithApiKey do
+  after { Foobara.reset_alls }
+
+  before do
+    Foobara::Persistence.default_crud_driver = Foobara::Persistence::CrudDrivers::InMemory.new
+  end
+
+  let(:command) { described_class.new(inputs) }
+  let(:outcome) { command.run }
+  let(:result) { outcome.result }
+  let(:errors) { outcome.errors }
+  let(:errors_hash) { outcome.errors_hash }
+
+  let(:user) do
+    Foobara::Auth::CreateUser.run!(username: "Basil", email: "[email protected]", plaintext_password:)
+  end
+  let(:plaintext_password) { "somepassword" }
+
+  context "when authenticating with api key" do
+    let(:api_key) do
+      Foobara::Auth::CreateApiKey.run!(user: user.id)
+    end
+
+    let(:inputs) do
+      { api_key: }
+    end
+
+    it "is successful" do
+      expect(outcome).to be_success
+      expect(result.size).to eq(2)
+      auth_user, token = result
+      expect(auth_user).to be_a(Foobara::Auth::Types::User)
+      expect(token).to be_a(Foobara::Auth::Types::Token)
+      expect(auth_user.username).to eq(user.username)
+    end
+
+    context "with an invalid api key" do
+      let(:inputs) do
+        { api_key: invalid_token }
+      end
+      let(:invalid_token) do
+        text = api_key.dup
+        text[-5] = text[-5] == "x" ? "y" : "x"
+        text
+      end
+
+      it "fails with appropriate error" do
+        expect(outcome).to_not be_success
+        expect(outcome.errors_hash).to include("runtime.invalid_api_key")
+      end
+    end
+  end
+end

src/authenticate_with_api_key.rb

@@ -0,0 +1,59 @@
+require_relative "verify_token"
+
+module Foobara
+  module Auth
+    class AuthenticateWithApiKey < Foobara::Command
+      class InvalidApiKeyError < Foobara::RuntimeError
+        context api_key_id: :string
+        message "Invalid api key"
+      end
+
+      depends_on VerifyToken
+      depends_on_entities Types::Token
+
+      inputs do
+        api_key :string, :required, :sensitive
+        access_token_ttl :integer, default: 30 * 60
+        api_key_ttl :integer, default: 7 * 24 * 60 * 60
+      end
+
+      result [Types::User, Types::Token]
+
+      def execute
+        determine_api_key_id_and_secret
+        load_api_key_record
+        verify_api_key
+
+        load_user
+
+        user_and_credential
+      end
+
+      attr_accessor :expires_at, :api_key_record, :api_key_id, :api_key_secret, :user
+
+      def determine_api_key_id_and_secret
+        self.api_key_id, self.api_key_secret = api_key.split("_")
+      end
+
+      def load_api_key_record
+        self.api_key_record = Types::Token.load(api_key_id)
+      end
+
+      def verify_api_key
+        valid = run_subcommand!(VerifyToken, token_string: api_key)
+
+        unless valid[:verified]
+          add_runtime_error(InvalidApiKeyError.new(context: { api_key_id: }))
+        end
+      end
+
+      def load_user
+        self.user ||= Types::User.that_owns(api_key_record, "api_keys")
+      end
+
+      def user_and_credential
+        [user, api_key_record]
+      end
+    end
+  end
+end

src/refresh_login.rb

@@ -6,11 +6,6 @@ class InvalidRefreshTokenError < Foobara::RuntimeError
         message "Invalid refresh token"
       end
 
-      class RefreshTokenNotOwnedByUser < Foobara::RuntimeError
-        context refresh_token_id: :string
-        message "This refresh token is not owned by this user"
-      end
-
       depends_on CreateRefreshToken, VerifyToken, BuildAccessToken
       depends_on_entities Types::Token
 
@@ -32,14 +27,16 @@ def execute
         # Delete it instead maybe?
         mark_refresh_token_as_used
 
+        load_user
+
         generate_access_token
         generate_new_refresh_token
 
         tokens
       end
 
       attr_accessor :access_token, :new_refresh_token, :expires_at, :refresh_token_record,
-                    :refresh_token_id, :refresh_token_secret
+                    :refresh_token_id, :refresh_token_secret, :user
 
       def determine_refresh_token_id_and_secret
         self.refresh_token_id, self.refresh_token_secret = refresh_token.split("_")
@@ -65,8 +62,8 @@ def generate_access_token
         self.access_token = run_subcommand!(BuildAccessToken, user:, token_ttl: access_token_ttl)
       end
 
-      def user
-        @user ||= Types::User.that_owns(refresh_token_record, "refresh_tokens")
+      def load_user
+        self.user ||= Types::User.that_owns(refresh_token_record, "refresh_tokens")
       end
 
       def generate_new_refresh_token

src/register.rb

@@ -2,6 +2,7 @@
 
 module Foobara
   module Auth
+    # TODO: should raise error if username or email already in use!
     class Register < Foobara::Command
       depends_on CreateUser, SetPassword
 

version.rb

@@ -1,6 +1,6 @@
 module Foobara
   module Auth
-    VERSION = "0.0.9".freeze
+    VERSION = "0.0.10".freeze
 
     local_ruby_version = File.read("#{__dir__}/.ruby-version").chomp
     local_ruby_version_minor = local_ruby_version[/\A(\d+\.\d+)\.\d+\z/, 1]