Module: Fluence::Gateway::Auth::GatewayAuthentication

Extended by:
ActiveSupport::Concern
Defined in:
lib/fluence/gateway/auth/gateway_authentication.rb

Overview

Note:

The scope name is captured at include time. Changing Configuration#scope_name afterwards has no effect on already-defined helpers.

Controller concern that reads the gateway identity headers and exposes scope-prefixed authentication helpers.

When the concern is included, three instance methods are defined on the host controller class (via define_method), where <scope> is Configuration#scope_name:

  • current_<scope> — memoised lookup of the user record.
  • <scope>_signed_in? — true when current_<scope> is present.
  • authenticate_<scope>! — renders 401 when the user is absent.

The record is looked up via model_class.find_by(subject_column => gateway_user_id). If no record matches and Configuration#on_missing_user is set, it is invoked for just-in-time provisioning.

In Rails, Railtie includes this concern automatically in ActionController::API and ActionController::Base subclasses.

Examples:

Default configuration (user_model = 'User')

class ApplicationController < ActionController::API
  include Fluence::Gateway::Auth::GatewayAuthentication
  before_action :authenticate_user!
end

Custom user model

Fluence::Gateway::Auth.configure { |c| c.user_model = 'Account' }
# helpers become: current_account / account_signed_in? / authenticate_account!

Constant Summary

GATEWAY_LOGOUT_PATH =

Path of the gateway logout endpoint, used by #gateway_logout_path. Only meaningful for server-rendered tenants where the gateway owns the session cookie.

'/auth/logout'

Instance Method Details

#gateway_client_id ⇒ String?

Raw value of the X-Client-Id header (the Doorkeeper application uid).

Returns:

  • (String, nil)

#gateway_logout_path ⇒ String

Path of the gateway logout endpoint. Only meaningful for server-rendered tenants where the gateway holds the session cookie; SPA tenants drop their token client-side and have no server-side logout to call.

Examples:

In an ERB layout

<%= link_to 'Logout', gateway_logout_path, data: { turbo_method: :delete } %>

Returns:

  • (String)

#gateway_user_email ⇒ String?

Raw value of the X-User-Email header.

Returns:

  • (String, nil)

    nil when the gateway did not forward an email (typical of service requests).

#gateway_user_first_name ⇒ String?

Raw value of the X-User-First-Name header.

Returns:

  • (String, nil)

#gateway_user_id ⇒ String?

Raw value of the X-User-Id header (the gateway subject).

Returns:

  • (String, nil)

    nil on anonymous or service requests.

#gateway_user_last_name ⇒ String?

Raw value of the X-User-Last-Name header.

Returns:

  • (String, nil)

#gateway_user_scopes ⇒ String?

Raw value of the X-User-Scopes header (space-separated OAuth scopes, as emitted by Doorkeeper).

Returns:

  • (String, nil)

#service_request? ⇒ Boolean

True when the request carries a client identity but no user, i.e. it was issued with a client_credentials token.

Returns:

  • (Boolean)
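
Because #gateway_user_scopes returns the raw space-separated string, a host application has to tokenise it before checking a scope. The following added example (plain Ruby, not code from the gem) contrasts an exact-token check with a substring test and classifies callers using the documented nil and service-request semantics. ScopeCheck, FakeController and the sample header values are hypothetical, and the stand-in helpers assume an absent header yields nil.

```ruby
require 'set'

# Hypothetical helper module for a host controller; not part of the gem.
module ScopeCheck
  # Exact scope tokens parsed from the raw, space-separated header value.
  def granted_scopes
    @granted_scopes ||= gateway_user_scopes.to_s.split.to_set
  end

  # Correct check: the required scope must equal one whole token.
  def scope_granted?(required)
    granted_scopes.include?(required.to_s)
  end

  # Weak check, shown for contrast: substring match on the raw header.
  def scope_granted_by_substring?(required)
    gateway_user_scopes.to_s.include?(required.to_s)
  end

  # :service, :user or :anonymous, following the documented semantics.
  def caller_kind
    return :service if service_request?
    gateway_user_id.nil? ? :anonymous : :user
  end
end

# Stand-in for a controller: the documented helpers read from a plain Hash.
# Assumption: an absent header yields nil.
class FakeController
  include ScopeCheck
  def initialize(headers)
    @headers = headers
  end

  def gateway_user_id;     @headers['X-User-Id'];     end
  def gateway_client_id;   @headers['X-Client-Id'];   end
  def gateway_user_scopes; @headers['X-User-Scopes']; end

  def service_request?
    !gateway_client_id.nil? && gateway_user_id.nil?
  end
end

# Constructed sample requests (header values are made up).
USER_REQ    = FakeController.new('X-User-Id' => '42', 'X-Client-Id' => 'web',
                                 'X-User-Scopes' => 'profile read_only')
SERVICE_REQ = FakeController.new('X-Client-Id' => 'batch-job',
                                 'X-User-Scopes' => 'reports:export')
ANON_REQ    = FakeController.new({})
```

With the constructed user request, the substring test accepts `read` although only `read_only` was granted, while the token check rejects it.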