NeoPass strategy interacts with dev NeoPass server, which is still WIP

In this change, we wire up a new NeoPass OAuth2 strategy for OmniAuth,
and hook up the "Log in with NeoPass" button to use it!

The authentication currently fails with `invalid_credentials`, and
shows the `owo` response we hardcoded into the NeoPass server's token
response. We need to finally follow up on the little `TODO` written in
there!

Gemfile

@@ -27,6 +27,7 @@ gem 'devise', '~> 4.9', '>= 4.9.2'
 gem 'devise-encryptable', '~> 0.2.0'
 gem 'omniauth', '~> 2.1'
 gem 'omniauth-rails_csrf_protection', '~> 1.0'
+gem 'omniauth-oauth2', '~> 1.8'
 
 # For pagination UI.
 gem 'will_paginate', '~> 4.0'

Gemfile.lock

@@ -155,6 +155,10 @@ GEM
       process-metrics (~> 0.2.0)
       protocol-rack (~> 0.1)
       samovar (~> 2.1)
+    faraday (2.9.0)
+      faraday-net_http (>= 2.0, < 3.2)
+    faraday-net_http (3.1.0)
+      net-http
     ffi (1.16.3)
     fiber-annotation (0.2.0)
     fiber-local (1.0.0)
@@ -179,6 +183,8 @@ GEM
     jsbundling-rails (1.3.0)
       railties (>= 6.0.0)
     json (2.7.1)
+    jwt (2.8.1)
+      base64
     launchy (2.5.2)
       addressable (~> 2.8)
     letter_opener (1.9.0)
@@ -202,6 +208,8 @@ GEM
     multi_xml (0.6.0)
     mutex_m (0.2.0)
     mysql2 (0.5.6)
+    net-http (0.4.1)
+      uri
     net-imap (0.4.10)
       date
       net-protocol
@@ -215,10 +223,20 @@ GEM
     nokogiri (1.16.2)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
+    oauth2 (2.0.9)
+      faraday (>= 0.17.3, < 3.0)
+      jwt (>= 1.0, < 3.0)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 4)
+      snaky_hash (~> 2.0)
+      version_gem (~> 1.1)
     omniauth (2.1.2)
       hashie (>= 3.4.6)
       rack (>= 2.2.3)
       rack-protection
+    omniauth-oauth2 (1.8.0)
+      oauth2 (>= 1.4, < 3)
+      omniauth (~> 2.0)
     omniauth-rails_csrf_protection (1.0.1)
       actionpack (>= 4.2)
       omniauth (~> 2.0)
@@ -331,6 +349,9 @@ GEM
     shell (0.8.1)
       e2mmap
       sync
+    snaky_hash (2.0.1)
+      hashie
+      version_gem (~> 1.1, >= 1.1.1)
     sprockets (4.2.1)
       concurrent-ruby (~> 1.0)
       rack (>= 2.2.4, < 4)
@@ -358,6 +379,8 @@ GEM
       railties (>= 6.0.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
+    uri (0.13.0)
+    version_gem (1.1.3)
     warden (1.2.9)
       rack (>= 2.0.9)
     web-console (4.2.1)
@@ -394,6 +417,7 @@ DEPENDENCIES
   mysql2 (~> 0.5.5)
   nokogiri (~> 1.15, >= 1.15.3)
   omniauth (~> 2.1)
+  omniauth-oauth2 (~> 1.8)
   omniauth-rails_csrf_protection (~> 1.0)
   parallel (~> 1.23)
   rack-attack (~> 6.7)

app/controllers/devise/omniauth_callbacks_controller.rb

@@ -1,8 +1,9 @@
 class Devise::OmniauthCallbacksController < ApplicationController
-	# See https://github.com/omniauth/omniauth/wiki/FAQ#rails-session-is-clobbered-after-callback-on-developer-strategy
-	skip_before_action :verify_authenticity_token, only: :developer
-
-	def developer
+	def neopass
 		render plain: "Success!"
 	end
+
+	def failure
+		render plain: "Failure"
+	end
 end

app/models/auth_user.rb

@@ -3,7 +3,7 @@ class AuthUser < AuthRecord
 
   devise :database_authenticatable, :encryptable, :registerable, :validatable,
     :rememberable, :trackable, :recoverable, :omniauthable,
-    omniauth_providers: [:developer]
+    omniauth_providers: [:neopass]
 
   validates :name, presence: true, uniqueness: {case_sensitive: false},
     length: {maximum: 20}

app/views/devise/sessions/new.html.erb

@@ -2,8 +2,8 @@
 
 <% if @can_use_neopass %>
   <%= button_to "Log in with NeoPass",
-                auth_user_developer_omniauth_authorize_path,
-                data: {turbo: false} # important for developer strategy
+                auth_user_neopass_omniauth_authorize_path,
+                data: {turbo: false} # Turbo can't handle this redirect!
   %>
 <% end %>
 

config/environments/development.rb

@@ -119,4 +119,7 @@ Rails.application.configure do
 
   # To see NeoPass features, add ?neopass=1 to relevant pages.
   config.neopass_access_secret = "1"
+
+  # Use the local NeoPass development server.
+  config.neopass_origin = "http://localhost:8585"
 end

config/environments/production.rb

@@ -137,4 +137,7 @@ Rails.application.configure do
 
   # To see NeoPass features, add ?neopass=<SECRET> to relevant pages.
   config.neopass_access_secret = Rails.credentials.neopass.access_secret
+
+  # Use the live NeoPass production server.
+  config.neopass_origin = "https://oidc.neopets.com"
 end

config/environments/test.rb

@@ -74,4 +74,7 @@ Rails.application.configure do
 
   # To see NeoPass features, add ?neopass=1 to relevant pages.
   config.neopass_access_secret = "1"
+
+  # Use the local NeoPass development server.
+  config.neopass_origin = "http://localhost:8585"
 end

config/initializers/devise.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+require "strategies/neopass"
 
 # Assuming you have not yet modified this file, each configuration option below
 # is set to its default value. Note that some are commented out while others
@@ -273,7 +274,7 @@ Devise.setup do |config|
   # ==> OmniAuth
   # Add a new OmniAuth provider. Check the wiki for more information on setting
   # up on your models and hooks.
-  config.omniauth :developer
+  config.omniauth :neopass, strategy_class: Strategies::NeoPass
 
   # ==> Warden configuration
   # If you want to use other strategies, that are not supported by Devise, or

config/initializers/inflections.rb

@@ -15,7 +15,10 @@
 #   inflect.acronym "RESTful"
 # end
 
-# Teach Zeitwerk that `RocketAMF` is what to expect in `lib/rocketamf`.
 ActiveSupport::Inflector.inflections(:en) do |inflect|
+  # Teach Zeitwerk that `RocketAMF` is what to expect in `lib/rocketamf`.
   inflect.acronym "RocketAMF"
+
+  # Teach Zeitwerk that "NeoPass" is what to expect in `neopass.rb`.
+  inflect.acronym "NeoPass"
 end

lib/strategies/neopass.rb

@@ -0,0 +1,13 @@
+require "omniauth-oauth2"
+
+module Strategies
+	class NeoPass < OmniAuth::Strategies::OAuth2
+		option :name, "neopass"
+
+		option :client_options, {
+			site: Rails.configuration.neopass_origin,
+			authorize_url: "/oauth2/auth",
+			token_url: "/oauth2/token",
+		}
+	end
+end