anycable-core 1.4.4 → 1.5.0.rc.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b02bcc10302bdd445b92e77c0ce354734e82a0ba124c9e88b2997b87013bbf3d
-  data.tar.gz: dadf0fdc856292e614f39ebd43b996da49ce4e9771408429ba75fae7ace9877b
+  metadata.gz: b3469966952c29b422b3177acbb3402fc9bf500786d55774f9b3311b904548bb
+  data.tar.gz: 7e5a7302b61c07af90f61b11878212a464ba1eac0f7d6b664f91b8dcbd3fe9e6
 SHA512:
-  metadata.gz: 918addcfda8aea6f57eb7fd4872a4b93eeafc18862e93d75221d55f13ded38c218c231a47fbf1b803ca717618a518a05b0c6bf86b080000aa566281842033167
-  data.tar.gz: f96deb1656000ce9d2089f94da40860bb9820598a5afb002a7ae5c2bc28f71f799dad6efeeea824e7bf306ceb8b76aad109b824c675391d4f218a81f90d9e491
+  metadata.gz: 57e7aafe42eeddf359db963a688cf89acf9b109935f4561ba2eb4cb9c994e3a47d44b721b24f717be41630d4b8234d5f77a12d91246b0033e2385772287c43af
+  data.tar.gz: 53785ae7eaf8c86d1f164a89dbfeaee2063be1c4180f2a263cb2f47ca3ca41bc528f545ba65c1232c691fa6515bd4be39e9f6200b903b9b2bb8af02f09f37ccc

data/CHANGELOG.md

@@ -2,6 +2,28 @@
 
 ## master
 
+- Added JWT utils. ([@palkan][])
+
+You can now generate and verify AnyCable JWT tokens without using additional dependencies:
+
+```ruby
+token = AnyCable::JWT.encode({user_id: "1"})
+
+identifiers = AnyCable::JWT.decode(token)
+```
+
+This change will deprecate `anycable-rails-jwt`.
+
+- Added signed streams support. ([@palkan][])
+
+You can generate signed stream names as follows:
+
+```ruby
+signed_name = AnyCable::Streams.sign("chat/2024")
+```
+
+- Added `secret` and `broadcast_key` configuration parameters. ([@palkan][])
+
 ## 1.4.3 (2023-10-15)
 
 - Add broadcast options support. ([@palkan][])

data/lib/anycable/broadcast_adapters/http.rb

@@ -40,15 +40,21 @@ module AnyCable
       MAX_ATTEMPTS = 3
       DELAY = 2
 
-      attr_reader :url, :headers, :authorized
-      alias_method :authorized?, :authorized
+      attr_reader :url, :headers, :authorization
 
-      def initialize(url: AnyCable.config.http_broadcast_url, secret: AnyCable.config.http_broadcast_secret)
+      def initialize(url: AnyCable.config.http_broadcast_url, secret: AnyCable.config.broadcast_key)
         @url = url
         @headers = {}
+        @authorization = nil
+
+        if !secret
+          secret = AnyCable.config.broadcast_key!
+          @authorization = "with authorization key inferred from the application secret" if secret
+        end
+
         if secret
           headers["Authorization"] = "Bearer #{secret}"
-          @authorized = true
+          @authorization ||= "with authorization"
         end
 
         @uri = URI.parse(url)
@@ -71,7 +77,7 @@ module AnyCable
       end
 
       def announce!
-        logger.info "Broadcasting HTTP url: #{url}#{authorized? ? " (with authorization)" : ""}"
+        logger.info "Broadcasting HTTP url: #{url} (#{authorization || "no authorization"})"
       end
 
       private

data/lib/anycable/config.rb

@@ -7,6 +7,11 @@ require "uri"
 module AnyCable
   # AnyCable configuration.
   class Config < Anyway::Config
+    # These phareses are used to infer secret keys from the application secret
+    # and MUST match the ones used in AnyCable (Go)
+    BROADCAST_SECRET_PHRASE = "broadcast-cable"
+    HTTP_RPC_SECRET_PHRASE = "rpc-cable"
+
     class << self
       # Add usage txt for CLI
       def usage(txt)
@@ -22,9 +27,18 @@ module AnyCable
 
     attr_config(
       presets: "",
+      secret: nil,
+
+      ## Streams
+      streams_secret: nil,
 
-      ## PubSub
+      ## JWT
+      jwt_secret: nil,
+      jwt_ttl: 3600, # 1 hour
+
+      ## Broadcasting
       broadcast_adapter: :redis,
+      broadcast_key: nil,
 
       ### Redis options
       redis_url: ENV.fetch("REDIS_URL", "redis://localhost:6379"),
@@ -42,6 +56,7 @@ module AnyCable
 
       ### HTTP broadcasting options
       http_broadcast_url: "http://localhost:8090/_broadcast",
+      # DEPRECATED: use `broadcast_key` instead
       http_broadcast_secret: nil,
 
       ### Logging options
@@ -86,36 +101,67 @@ module AnyCable
       !http_health_port.nil? && http_health_port != ""
     end
 
+    def broadcast_key!
+      if http_broadcast_secret && !broadcast_key
+        self.broadcast_key ||= http_broadcast_secret
+        warn "DEPRECATION WARNING: `http_broadcast_secret` is deprecated, use `broadcast_key` instead"
+      end
+
+      return broadcast_key if broadcast_key
+      return unless secret
+
+      self.broadcast_key = infer_from_application_secret(BROADCAST_SECRET_PHRASE)
+    end
+
+    def http_rpc_secret!
+      return http_rpc_secret if http_rpc_secret
+      return unless secret
+
+      self.http_rpc_secret = infer_from_application_secret(HTTP_RPC_SECRET_PHRASE)
+    end
+
+    def streams_secret
+      super || secret
+    end
+
+    def jwt_secret
+      super || secret
+    end
+
     usage <<~TXT
       APPLICATION
-          --broadcast-adapter=type          Pub/sub adapter type for broadcasts, default: redis
-          --log-level=level                 Logging level, default: "info"
-          --log-file=path                   Path to log file, default: <none> (log to STDOUT)
-          --debug                           Turn on verbose logging ("debug" level and verbose logging on)
+          --broadcast-adapter=type          Broadcasting adapter, default: redis
+          --secret=secret                   Application secret, default: <none>
+          --broadcast-key=key               Broadcasting secret key, default: <none> (inferred from the application secret if any)
+          --streams-secret=secret           Signed streams secret, default: <none> (inferred from the application secret if any)
 
       HTTP HEALTH CHECKER
           --http-health-port=port           Port to run HTTP health server on, default: <none> (disabled)
           --http-health-path=path           Endpoint to serve health checks, default: "/health"
 
-      REDIS PUB/SUB
-          --redis-url=url                   Redis URL for pub/sub, default: REDIS_URL or "redis://localhost:6379"
+      REDIS
+          --redis-url=url                   Redis URL for broadcasting, default: REDIS_URL or "redis://localhost:6379"
           --redis-channel=name              Redis channel for broadcasting, default: "__anycable__"
           --redis-sentinels=<...hosts>      Redis Sentinel followers addresses (as a comma-separated list), default: nil
           --redis-tls-verify=yes|no         Whether to perform server certificate check in case of rediss:// protocol. Default: yes
           --redis-tls-client_cert-path=path Default: nil
           --redis-tls-client_key-path=path  Default: nil
 
-      NATS PUB/SUB
-          --nats-servers=<...addresses>     NATS servers for pub/sub, default: "nats://localhost:4222"
+      NATS
+          --nats-servers=<...addresses>     NATS servers for broadcasting, default: "nats://localhost:4222"
           --nats-channel=name               NATS channel for broadcasting, default: "__anycable__"
           --nats-dont-randomize-servers     Pass this option to disable NATS servers randomization during (re-)connect
 
-      HTTP PUB/SUB
-          --http-broadcast-url              HTTP pub/sub endpoint URL, default: "http://localhost:8090/_broadcast"
-          --http-broadcast-secret           HTTP pub/sub authorization secret, default: <none> (disabled)
+      HTTP BROADCASTING
+          --http-broadcast-url              HTTP broadcasting endpoint URL, default: "http://localhost:8090/_broadcast"
 
       HTTP RPC
-          --http-rpc-secret                 HTTP RPC authorization secret, default: <none> (disabled)
+          --http-rpc-secret                 HTTP RPC authorization secret, default: <none> (inferred from the application secret if any)
+
+      LOGGING
+          --log-level=level                 Logging level, default: "info"
+          --log-file=path                   Path to log file, default: <none> (log to STDOUT)
+          --debug                           Turn on verbose logging ("debug" level and verbose logging on)
     TXT
 
     # Build Redis parameters
@@ -216,5 +262,14 @@ module AnyCable
       write_config_attr(key, value)
       __trace__&.record_value(value, key, type: :preset, preset: preset)
     end
+
+    def infer_from_application_secret(phrase)
+      app_secret = secret
+      return unless app_secret
+
+      require "openssl"
+
+      OpenSSL::HMAC.hexdigest("SHA256", app_secret, phrase)
+    end
   end
 end

data/lib/anycable/httrpc/server.rb

@@ -4,6 +4,11 @@ module AnyCable
   module HTTRPC
     class Server
       def initialize(token: AnyCable.config.http_rpc_secret)
+        if !token
+          token = AnyCable.config.http_rpc_secret!
+          AnyCable.logger.info("AnyCable HTTP RPC created with authorization key inferred from the application secret")
+        end
+
         @token = token
       end
 

data/lib/anycable/jwt.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require "json"
+require "openssl"
+
+module AnyCable
+  module JWT
+    class DecodeError < StandardError; end
+
+    class VerificationError < DecodeError; end
+
+    class ExpiredSignature < DecodeError; end
+
+    # Basic JWT encode/decode implementation suitable to our needs
+    # and not requiring external dependencies
+    module BasicImpl
+      ALGORITHM = "HS256"
+
+      class << self
+        def encode(payload, secret_key)
+          payload = ::Base64.urlsafe_encode64(payload.to_json, padding: false)
+          headers = ::Base64.urlsafe_encode64({"alg" => ALGORITHM}.to_json, padding: false)
+
+          header = "#{headers}.#{payload}"
+          signature = sign(header, secret_key)
+
+          "#{header}.#{signature}"
+        end
+
+        def decode(token, secret_key)
+          header, payload, signature = token.split(".")
+          # Check segments
+          raise DecodeError, "Not enough or too many segments" unless header && payload && signature
+
+          # Verify the algorithm
+          decoded_header = ::JSON.parse(::Base64.urlsafe_decode64(header))
+          raise DecodeError, "Algorithm not supported" unless decoded_header["alg"] == ALGORITHM
+
+          # Verify the signature
+          expected_signature = sign("#{header}.#{payload}", secret_key)
+          raise VerificationError, "Signature verification failed" unless secure_compare(signature, expected_signature)
+
+          # Verify expiration
+          decoded_payload = ::JSON.parse(::Base64.urlsafe_decode64(payload))
+          if decoded_payload.key?("exp")
+            raise ExpiredSignature, "Signature has expired" if Time.now.to_i >= decoded_payload["exp"]
+          end
+
+          decoded_payload
+        rescue JSON::ParserError, ArgumentError
+          raise DecodeError, "Invalid segment encoding"
+        end
+
+        # We don't really care about timing attacks here,
+        # since verification is done on the AnyCable server side.
+        # But still, we can use constant-time comparison when it's available.
+        if OpenSSL.respond_to?(:fixed_length_secure_compare)
+          def secure_compare(a, b)
+            return false if a.bytesize != b.bytesize
+
+            OpenSSL.fixed_length_secure_compare(a, b)
+          end
+        else
+          def secure_compare(a, b)
+            return false if a.bytesize != b.bytesize
+
+            a == b
+          end
+        end
+
+        def sign(data, secret_key)
+          ::Base64.urlsafe_encode64(
+            ::OpenSSL::HMAC.digest("SHA256", secret_key, data),
+            padding: false
+          )
+        end
+      end
+    end
+
+    class << self
+      attr_accessor :jwt_impl
+
+      def encode(payload, expires_at: nil, secret_key: AnyCable.config.jwt_secret, ttl: AnyCable.config.jwt_ttl)
+        raise ArgumentError, "JWT encryption key is not specified. Add it via `jwt_secret` or `secret` option" if secret_key.nil? || secret_key.empty?
+
+        encoded = Serializer.serialize(payload).to_json
+
+        data = {ext: encoded}
+
+        data[:exp] = expires_at.to_i if expires_at
+
+        if ttl&.positive? && !data.key?(:exp)
+          data[:exp] = Time.now.to_i + ttl
+        end
+
+        jwt_impl.encode(data, secret_key)
+      end
+
+      def decode(token, secret_key: AnyCable.config.jwt_secret)
+        raise ArgumentError, "JWT encryption key is not specified. Add it via `jwt_secret` or `secret` option" if secret_key.nil? || secret_key.empty?
+
+        jwt_impl.decode(token, secret_key).then do |decoded|
+          ::JSON.parse(decoded.fetch("ext"), symbolize_names: true)
+        end.then { |data| Serializer.deserialize(data) }
+      end
+    end
+
+    self.jwt_impl = BasicImpl
+  end
+end

data/lib/anycable/serializer.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+module AnyCable
+  # Serializer is responsible for converting Ruby objects to and from a transferrable format (e.g., for identifiers, connection/channel state, etc.).
+  # It relies on configurable `.object_serializer` to handle non-primitive values and handles Hash/Array seririlzation.
+  module Serializer
+    class << self
+      attr_accessor :object_serializer
+
+      def serialize(obj)
+        handled = object_serializer&.serialize(obj)
+        return handled if handled
+
+        case obj
+        when nil, true, false, Integer, Float, String, Symbol
+          obj
+        when Hash
+          obj.transform_values { |v| serialize(v) }
+        when Array
+          obj.map { |v| serialize(v) }
+        else
+          raise ArgumentError, "Can't serialize #{obj.inspect}"
+        end
+      end
+
+      # Deserialize previously serialized value to a Ruby object.
+      def deserialize(val)
+        if val.is_a?(::String)
+          handled = object_serializer&.deserialize(val)
+          return handled if handled
+        end
+
+        case val
+        when Hash
+          val.transform_values { |v| deserialize(v) }
+        when Array
+          val.map { |v| deserialize(v) }
+        else
+          val
+        end
+      end
+    end
+  end
+end

data/lib/anycable/streams.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "base64"
+require "json"
+
+module AnyCable
+  module Streams
+    class << self
+      def signed(stream_name)
+        ::Base64.urlsafe_encode64(::JSON.dump(stream_name)).then do |encoded|
+          "#{encoded}--#{signature(encoded)}"
+        end
+      end
+
+      def verified(signed_stream_name)
+        encoded, sig = signed_stream_name.split("--")
+        raise ArgumentError, "stream name has incorrect format" unless encoded
+
+        return unless sig == signature(encoded)
+
+        ::Base64.urlsafe_decode64(encoded).then do |decoded|
+          ::JSON.parse(decoded)
+        end
+      end
+
+      private
+
+      def signature(val)
+        key = AnyCable.config.streams_secret
+
+        raise ArgumentError, "streams signing secret is missing" unless key
+
+        ::OpenSSL::HMAC.hexdigest("SHA256", key, val)
+      end
+    end
+  end
+end

data/lib/anycable/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AnyCable
-  VERSION = "1.4.4"
+  VERSION = "1.5.0.rc.1"
 end

data/lib/anycable.rb

@@ -26,6 +26,10 @@ require "anycable/httrpc/server"
 #
 # Broadcasting messages to WS is done through _broadcast adapter_ (Redis Pub/Sub by default).
 module AnyCable
+  autoload :JWT, "anycable/jwt"
+  autoload :Serializer, "anycable/serializer"
+  autoload :Streams, "anycable/streams"
+
   class << self
     # Provide connection factory which
     # is a callable object with build

data/sig/anycable/config.rbs

@@ -4,6 +4,16 @@ module AnyCable
     def presets=: (Array[String]) -> void
     def broadcast_adapter: () -> Symbol
     def broadcast_adapter=: (Symbol) -> void
+    def secret: () -> String?
+    def secret=: (String?) -> void
+    def streams_secret: () -> String?
+    def streams_secret=: (String?) -> void
+    def jwt_secret: () -> String?
+    def jwt_secret=: (String?) -> void
+    def jwt_ttl: () -> Integer?
+    def jwt_ttl=: (Integer) -> void
+    def broadcast_key: () -> String?
+    def broadcast_key=: (String?) -> void
     def redis_url: () -> String
     def redis_url=: (String) -> void
     def redis_sentinels: () -> Array[String | Hash[untyped, untyped]]?
@@ -41,8 +51,8 @@ module AnyCable
     def http_health_port=: (Integer) -> void
     def http_health_path: () -> String
     def http_health_path=: (String) -> void
-    def http_rpc_secret: () -> String
-    def http_rpc_secret=: (String) -> void
+    def http_rpc_secret: () -> String?
+    def http_rpc_secret=: (String?) -> void
     def version_check_enabled: () -> bool
     def version_check_enabled=: (bool) -> void
     def version_check_enabled?: () -> bool
@@ -52,6 +62,9 @@ module AnyCable
   end
 
   class Config < Anyway::Config
+    BROADCAST_SECRET_PHRASE: String
+    HTTP_RPC_SECRET_PHRASE: String
+
     def self.usage: (String txt) -> void
     def self.usages: () -> Array[String]
 
@@ -60,6 +73,9 @@ module AnyCable
     alias debug? debug
     alias version_check_enabled? version_check_enabled
 
+    def http_rpc_secret!: () -> String?
+    def broadcast_key!: () -> String?
+
     def load: (*untyped) -> void
     def http_health_port_provided?: () -> bool
     def to_redis_params: () -> { url: String, sentinels: Array[untyped]?, ssl_params: Hash[Symbol, untyped]? }
@@ -74,5 +90,6 @@ module AnyCable
     def write_preset: (Symbol, untyped, preset: String) -> void
     def write_config_attr: (Symbol, untyped) -> void
     def __trace__: () -> untyped
+    def infer_from_application_secret: (String) -> String?
   end
 end

data/sig/anycable/jwt.rbs

@@ -0,0 +1,21 @@
+module AnyCable
+  module JWT
+    interface _Impl
+      def encode: (Hash[String | Symbol, untyped] payload, String secret_key) -> String
+      def decode: (String token, String secret_key) -> Hash[String, untyped]
+    end
+
+    module BasicImpl
+      extend _Impl
+
+      def self.sign: (String data, String key) -> String
+      def self.secure_compare: (String a, String b) -> bool
+    end
+
+    def self.jwt_impl: () -> _Impl
+    def self.jwt_impl=: (_Impl) -> void
+
+    def self.encode: (untyped payload, ?secret_key: String?, ?ttl: Integer, ?expires_at: Time | Integer) -> String
+    def self.decode: (String token, ?secret_key: String?) -> untyped
+  end
+end

data/sig/anycable/serializer.rbs

@@ -0,0 +1,14 @@
+module AnyCable
+  interface _ObjectSerializer
+    def serialize: (untyped) -> untyped
+    def deserialize: (String) -> untyped
+  end
+
+  module Serializer
+    def self.object_serializer: () -> _ObjectSerializer?
+    def self.object_serializer=: (_ObjectSerializer?) -> void
+
+    def self.serialize: (untyped) -> untyped
+    def self.deserialize: (untyped) -> untyped
+  end
+end

data/sig/anycable/streams.rbs

@@ -0,0 +1,8 @@
+module AnyCable
+  module Streams
+    def self.signed: (String) -> String
+    def self.verified: (String) -> String?
+
+    private def self.signature: (String) -> String
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: anycable-core
 version: !ruby/object:Gem::Version
-  version: 1.4.4
+  version: 1.5.0.rc.1
 platform: ruby
 authors:
 - palkan
@@ -28,16 +28,16 @@ dependencies:
   name: google-protobuf
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.25'
+        version: '3.13'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.25'
+        version: '3.13'
 - !ruby/object:Gem::Dependency
   name: redis
   requirement: !ruby/object:Gem::Requirement
@@ -217,6 +217,7 @@ files:
 - lib/anycable/grpc_kit/server.rb
 - lib/anycable/health_server.rb
 - lib/anycable/httrpc/server.rb
+- lib/anycable/jwt.rb
 - lib/anycable/middleware.rb
 - lib/anycable/middleware_chain.rb
 - lib/anycable/middlewares/check_version.rb
@@ -230,7 +231,9 @@ files:
 - lib/anycable/rpc/handlers/disconnect.rb
 - lib/anycable/rspec.rb
 - lib/anycable/rspec/rpc_command_context.rb
+- lib/anycable/serializer.rb
 - lib/anycable/socket.rb
+- lib/anycable/streams.rb
 - lib/anycable/version.rb
 - sig/anycable.rbs
 - sig/anycable/broadcast_adapters.rbs
@@ -248,6 +251,7 @@ files:
 - sig/anycable/grpc/server.rbs
 - sig/anycable/health_server.rbs
 - sig/anycable/httrpc/server.rbs
+- sig/anycable/jwt.rbs
 - sig/anycable/middleware.rbs
 - sig/anycable/middleware_chain.rbs
 - sig/anycable/middlewares/check_version.rbs
@@ -258,7 +262,9 @@ files:
 - sig/anycable/rpc/handlers/command.rbs
 - sig/anycable/rpc/handlers/connect.rbs
 - sig/anycable/rpc/handlers/disconnect.rbs
+- sig/anycable/serializer.rbs
 - sig/anycable/socket.rbs
+- sig/anycable/streams.rbs
 - sig/anycable/version.rbs
 - sig/manifest.yml
 homepage: http://github.com/anycable/anycable
@@ -282,9 +288,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.7.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.4.20
 signing_key: