Merge branch 'main' into update-workflows

Author: patch0

.github/workflows/test.yml

@@ -28,6 +28,11 @@ jobs:
         ruby-version: ${{ matrix.ruby-version }}
         rubygems: 3.4.10
         bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+
+    - name: Run linter
+      if: matrix.ruby-version == '3.3' && matrix.gemfile == 'rails_7.2'
+      run: bundle exec rubocop
+
     - name: Run tests
       run: bundle exec rspec
 

.rubocop_todo.yml

@@ -1,12 +1,12 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2025-04-14 10:55:46 UTC using RuboCop version 1.75.2.
+# on 2025-06-04 10:53:17 UTC using RuboCop version 1.75.2.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Offense count: 11
+# Offense count: 12
 # Configuration parameters: EnforcedStyle, AllowedGems, Include.
 # SupportedStyles: Gemfile, gems.rb, gemspec
 # Include: **/*.gemspec, **/Gemfile, **/gems.rb
@@ -28,19 +28,12 @@ RSpec/ExampleLength:
 RSpec/MultipleExpectations:
   Max: 4
 
-# Offense count: 8
+# Offense count: 9
 # Configuration parameters: AllowSubject.
 RSpec/MultipleMemoizedHelpers:
   Max: 6
 
-# Offense count: 12
+# Offense count: 13
 # Configuration parameters: AllowedGroups.
 RSpec/NestedGroups:
   Max: 5
-
-# Offense count: 1
-# Configuration parameters: Include, CustomTransform, IgnoreMethods, IgnoreMetadata.
-# Include: **/*_spec.rb
-RSpec/SpecFilePathFormat:
-  Exclude:
-    - 'spec/rpi_auth/models/authenticatable_spec.rb'

CHANGELOG.md

@@ -14,6 +14,46 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Removed
 
+## [v4.3.0]
+
+### Added
+
+- Add optional `on_login_success` callback (#90)
+
+### Fixed
+
+- Return boolean from `AccountTypes#student_account?` (#91)
+
+### Removed
+
+## [v4.2.1]
+
+### Fixed
+
+- Refresh access tokens before expiry (#89)
+
+## [v4.2.0]
+
+### Added
+
+- Allow OmniAuth setup phase to be configured (#76)
+- Add `RpiAuth::Models::Roles#parsed_roles` (extracted from experience-cs) (#87)
+- Add `RpiAuth::Models::AccountTypes#student_account?` (extracted from experience-cs) (#87)
+
+## [v4.1.1]
+
+### Fixed
+
+- Fix requiring of oauth2 to avoid `NoMethodError: undefined method 'config' for module OAuth2` (#86)
+
+## [v4.1.0]
+
+### Added
+- Add access token-related functionality including auto-refresh (#83)
+
+### Fixed
+- Fix use of `User#expires_at` in `SpecHelpers#stub_auth_for` (#82)
+
 ## [v4.0.0]
 
 ### Added
@@ -133,7 +173,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - rails model concern to allow host app to add auth behaviour to a model
 - callback, logout and failure routes to handle auth
 
-[Unreleased]: https://github.com/RaspberryPiFoundation/rpi-auth/compare/v4.0.0...HEAD
+[Unreleased]: https://github.com/RaspberryPiFoundation/rpi-auth/compare/v4.3.0...HEAD
+[v4.3.0]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.3.0
+[v4.2.1]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.2.1
+[v4.2.0]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.2.0
+[v4.1.1]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.1.1
+[v4.1.0]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.1.0
 [v4.0.0]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v4.0.0
 [v3.6.0]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v3.6.0
 [v3.5.0]: https://github.com/RaspberryPiFoundation/rpi-auth/releases/tag/v3.5.0

README.md

@@ -170,6 +170,10 @@ link_to 'Log out', rpi_auth_logout_path, params: { returnTo: '/thanks-dude' }
 
 This has to be a relative URL, i.e. it has to start with a slash.  This is to ensure there's no open redirect.
 
+### Callback on successful login
+
+If the RpiAuth configuration option `on_login_success` is set to a `Proc`, this will be called in the context of the `RpiAuth::AuthController#callback` action, i.e. `current_user` will be available. This is intended to allow apps to record successful logins.
+
 ### Globbed/catch-all routes
 
 If your app has a catch-all route at the end of the routing table, you must
@@ -187,6 +191,29 @@ class in `config/application.rb`.
 config.railties_order = [RpiAuth::Engine, :main_app, :all]
 ```
 
+### Obtaining an access token for user
+
+This optional behaviour is useful if your Rails app (which is using this gem)
+needs to use a RPF API which required authentication via an OAuth2 access
+token.
+
+Include the `RpiAuth::Models::WithTokens` concern (which depends on the
+`RpiAuth::Models::Authenticatable` concern) into your user model in order to
+add `access_token`, `refresh_token` & `expires_at` attributes. These methods
+are automatically populated by `RpiAuth::AuthController#callback` via the
+`RpiAuth::Models::WithTokens.from_omniauth` method.
+
+This also relies on the following:
+- `RpiAuth.configuration.scope` including the "offline" scope in the Rails app
+  which is using the `rpi_auth` gem.
+- In the `profile` app `hydra_client` config for the Rails app, `grant_types`
+  must include "refresh_token" and `scope` must include "offline".
+
+Include the `RpiAuth::Controllers::AutoRefreshingToken` concern (which depends
+on the `RpiAuth::Controllers::CurrentUser` concern) into your controller so
+that when the user's access token expires, a new one is obtained using the
+user's refresh token.
+
 ## Test helpers and routes
 
 There are some standardised test helpers in `RpiAuth::SpecHelpers` that can be used when testing.

app/controllers/rpi_auth/auth_controller.rb

@@ -27,6 +27,8 @@ def callback
       auth = request.env['omniauth.auth']
       self.current_user = RpiAuth.user_model.from_omniauth(auth)
 
+      run_login_success_callback
+
       redirect_to ensure_relative_url(login_redirect_path)
     end
 
@@ -53,6 +55,16 @@ def failure
 
     private
 
+    def run_login_success_callback
+      return unless RpiAuth.configuration.on_login_success.is_a?(Proc)
+
+      begin
+        instance_exec(&RpiAuth.configuration.on_login_success)
+      rescue StandardError => e
+        Rails.logger.warn("Caught #{e} while processing on_login_success proc.")
+      end
+    end
+
     def login_redirect_path
       unless RpiAuth.configuration.success_redirect.is_a?(Proc)
         return RpiAuth.configuration.success_redirect || request.env['omniauth.origin']

gemfiles/rails_6.1.gemfile.lock

@@ -1,7 +1,8 @@
 PATH
   remote: ..
   specs:
-    rpi_auth (4.0.0)
+    rpi_auth (4.3.0)
+      oauth2
       omniauth-rails_csrf_protection (~> 1.0.0)
       omniauth_openid_connect (~> 0.7.1)
       rails (>= 6.1.4)
@@ -74,6 +75,7 @@ GEM
     ast (2.4.3)
     attr_required (1.0.2)
     base64 (0.2.0)
+    bigdecimal (3.1.9)
     bindata (2.5.1)
     builder (3.3.0)
     byebug (12.0.0)
@@ -88,35 +90,41 @@ GEM
       xpath (~> 3.2)
     coderay (1.1.3)
     concurrent-ruby (1.3.5)
+    crack (1.0.0)
+      bigdecimal
+      rexml
     crass (1.0.6)
     date (3.4.1)
     diff-lcs (1.6.1)
     docile (1.4.1)
     email_validator (2.2.4)
       activemodel
     erubi (1.13.1)
-    faraday (2.13.0)
+    faraday (2.13.4)
       faraday-net_http (>= 2.0, < 3.5)
       json
       logger
     faraday-follow_redirects (0.3.0)
       faraday (>= 1, < 3)
-    faraday-net_http (3.4.0)
+    faraday-net_http (3.4.1)
       net-http (>= 0.5.0)
     ffi (1.17.1)
     globalid (1.2.1)
       activesupport (>= 6.1)
+    hashdiff (1.1.2)
     hashie (5.0.0)
     i18n (1.14.7)
       concurrent-ruby (~> 1.0)
     json (2.10.2)
-    json-jwt (1.16.7)
+    json-jwt (1.17.0)
       activesupport (>= 4.2)
       aes_key_wrap
       base64
       bindata
       faraday (~> 2.0)
       faraday-follow_redirects
+    jwt (3.1.2)
+      base64
     language_server-protocol (3.17.0.4)
     lint_roller (1.1.0)
     listen (3.9.0)
@@ -137,6 +145,8 @@ GEM
     mini_mime (1.1.5)
     mini_portile2 (2.8.8)
     minitest (5.25.5)
+    multi_xml (0.7.1)
+      bigdecimal (~> 3.1)
     net-http (0.6.0)
       uri
     net-imap (0.5.6)
@@ -152,6 +162,14 @@ GEM
     nokogiri (1.18.7)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
+    oauth2 (2.0.12)
+      faraday (>= 0.17.3, < 4.0)
+      jwt (>= 1.0, < 4.0)
+      logger (~> 1.2)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 4)
+      snaky_hash (~> 2.0, >= 2.0.3)
+      version_gem (>= 1.1.8, < 3)
     omniauth (2.1.3)
       hashie (>= 3.4.6)
       rack (>= 2.2.3)
@@ -237,6 +255,7 @@ GEM
     rb-inotify (0.11.1)
       ffi (~> 1.0)
     regexp_parser (2.10.0)
+    rexml (3.4.1)
     rspec-core (3.13.3)
       rspec-support (~> 3.13.0)
     rspec-expectations (3.13.3)
@@ -290,6 +309,9 @@ GEM
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.13.1)
     simplecov_json_formatter (0.1.4)
+    snaky_hash (2.0.3)
+      hashie (>= 0.1.0, < 6)
+      version_gem (>= 1.1.8, < 3)
     sprockets (4.2.1)
       concurrent-ruby (~> 1.0)
       rack (>= 2.2.4, < 4)
@@ -313,10 +335,15 @@ GEM
     validate_url (1.0.15)
       activemodel (>= 3.0.0)
       public_suffix
+    version_gem (1.1.8)
     webfinger (2.1.3)
       activesupport
       faraday (~> 2.0)
       faraday-follow_redirects
+    webmock (3.25.1)
+      addressable (>= 2.8.0)
+      crack (>= 0.3.2)
+      hashdiff (>= 0.4.0, < 2.0.0)
     websocket-driver (0.7.7)
       base64
       websocket-extensions (>= 0.1.0)
@@ -342,6 +369,7 @@ DEPENDENCIES
   rubocop-rails
   rubocop-rspec
   simplecov
+  webmock
 
 BUNDLED WITH
    2.3.27