authify-api 0.3.0 → 0.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 3fca257750d3b6838d69bf82accc2509efedec36
-  data.tar.gz: 3e7bffd8e96c2eaa0fac52f0f7cbc7511e0d8a4d
+  metadata.gz: 7722ad1f79781ba027cff0bfc6f174d194fb24de
+  data.tar.gz: bf8817c6c7b784ee76cfe3e4665540fc3e3b59eb
 SHA512:
-  metadata.gz: 0f6224388bec7ae3b38a11c3447950ef5bec48b9505aaade543c9cd517cb643897189bfc077df39fc19a103ab13276b7edb53756981a800b95a4d3b0d43875fe
-  data.tar.gz: 1169b5cd8efe0660d3ff7fbf533e1dd086dcea7bc30e7824fadcd80dfeeab3c5daff5267b8a669a1ccbcb1077c2763bc59006539c2cdabcecc8e6cd198b2b69f
+  metadata.gz: 7aec0faa2c66766a5f3b2570a52198598ee9ab42605581f964841531637954ab69ee255e2fe85747227b7a9c8fc9fbe15bc6c12b8ad91579670098089142ea83
+  data.tar.gz: faddeefb5815e21c5c7d991f123ab1f71cb802792183fdf2af43f135d82b1e7b1f25e0143703d000fbe5fdc21d7e898eb3bd36279fcfb4adc4c2e56e8c4fd248

data/README.md

@@ -21,7 +21,7 @@ Nearly all API endpoints available via Authify implement the [{json:api}](http:/
 
 * `GET /jwt/key` - Returns Content Type: `application/json`. This endpoint returns a JSON Object with the key `data` whose value is a PEM-encoded ECDSA public key, which should be used to verify the signature made by the Authify service.
 * `GET /jwt/meta` - Returns Content Type: `application/json`. This endpoint returns a JSON Object with the keys `algorithm`, `issuer`, and `expiration` that describe the kind of JWTs produced by this service.
-* `POST /jwt/token` - Returns (and only accepts) Content Type: `application/json`. This endpoint is used to obtain a [JWT](https://en.wikipedia.org/wiki/JSON_Web_Token). This endpoint expects a JSON Object with either the keys `access_key` and `secret_key` _OR_ `email` and `password`. There is no firm requirement to use either pair for any particular purpose, but for scenarios where the credentials may be stored, the `access_key` and `secret_key` may be used since those can easily be revoked if necessary. Upon successful authentication, the endpoint provides a JSON Object with the key `jwt` and a signed JWT. There should be nothing highly sensitive embedded in the JWT. The JWT defaults to expiring every 15 minutes.
+* `POST /jwt/token` - Returns (and only accepts) Content Type: `application/json`. This endpoint is used to obtain a [JWT](https://en.wikipedia.org/wiki/JSON_Web_Token). This endpoint expects a JSON Object with either the keys `access_key` and `secret_key` _OR_ `email` and `password`. There is no firm requirement to use either pair for any particular purpose, but for scenarios where the credentials may be stored, the `access_key` and `secret_key` may be used since those can easily be revoked if necessary. Upon successful authentication, the endpoint provides a JSON Object with the key `jwt` and a signed JWT. There should be nothing highly sensitive embedded in the JWT. The JWT defaults to expiring every 15 minutes. This endpoint also allows optionally specifying a key called `inject` with a JSON object as a value. This JSON object will then be injected into a top-level `custom` key in the returned JWT _as is_.
 * `POST /registration/signup` - Returns (and only accepts) Content Type: `application/json`. This endpoint is used to signup for an account with Authify. This endpoint expects a JSON Object, requiring the keys `email` and `password`, with `name` and `via` being optional. If `via` is provided, then it must be a JSON Object with the keys `provider` and `uid`, otherwise it will be ignored. The `via` key is used to add an alternate identity (meaning they logged-in through an integration, like Github), and is only trusted from trusted delegates (meaning it will be ignored for anonymous calls to this endpoint). This endpoint returns a JSON Object with the keys `id`, `email`, and `verified`, on success. If the user is registered by a trusted delegate *and* `via` options were provided, the users is implicitly trusted and a `jwt` key will also be provided for authentication.
 * `POST /registration/verify` - Returns (and only accepts) Content Type: `application/json`. This endpoint is used to verify a registered user's email address. This endpoint expects a JSON Object, requiring the keys `email`, `password`, and `token`. This endpoint returns a JSON Object with the keys `id`, `email`, `verified`, and `jwt` on success.
 * `POST /registration/forgot_password` - Returns (and only accepts) Content Type: `application/json`. This endpoint serves two related purposes: it is used to trigger resetting a forgotten (or non-existent) password and it is used to actually set the value of a user's password. The difference in which operation is performed is based on the POST data. When provided a JSON Object with only the key `email`, the endpoint sends the user an email with a verification token, returning an empty JSON Object as a result. When provided a JSON Object with the keys `email`, `password`, and `token`, the endpoint verifies that the token matches, then sets the user's password, returning a JSON Object with the keys `id`, `email`, `verified`, and `jwt` on success.
@@ -226,6 +226,25 @@ The server will return something like:
 {"jwt":"eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzUxMiJ9.eyJleHAiOjE0ODY0ODcyODcsImlhdCI6MTQ4NjQ4MzY4NywiaXNzIjoiTXkgQXdlc29tZSBDb21wYW55IEluYy4iLCJzY29wZXMiOlsidXNlcl9hY2Nlc3MiXSwidXNlciI6eyJ1c2VybmFtZSI6ImZvb0BiYXIuY29tIiwidWlkIjoyLCJvcmdhbml6YXRpb25zIjpbXSwiZ3JvdXBzIjpbXX19.AWfPpKX9mP03Djz3-LMneJdEVsXQm_4GOPVCdkfiiBeIR4pVLKTVrNoNdlNgSEkZEeUw1RPsVxpAR7wDgB4cNcYiAP3fNaD8OPyWfOQAV0lTvDUSH3YU39cZAVwvbX9HleOHBLrFGBbui5wSvfi7WZZlH808psiuUAVhBOe7mfrNiHGB"}
 ```
 
+You can also request that the server inject some custom payload data into the JWT:
+
+```shell
+curl \
+  -H 'Accept: application/json' \
+  -H 'Content-Type: application/json' \
+  --data \
+  '{
+    "access_key": "5f4abd1c6423ef02d1ec42e1cddaf5f8",
+    "secret_key": "fb97aa7d4e48f3e4bbb2930161a423fa8308393426c3612940da03f22cf36879",
+    "inject": {
+      "foo": "bar"
+    }
+   }' \
+  https://auth.mycompany.com/jwt/token
+```
+
+This can be useful for loosely coupling services that need to exchange small amounts of (preferably encrypted) data. This data is arbitrary and Authify does nothing to validate it. It simply injects it into the payload before it is signed, so don't assume nefarious users can't spoof things. You'll likely need to do something to make the data verifiable on the receiving end.
+
 #### Use the JWT to Access a Protected Resource
 
 ```shell

data/lib/authify/api/helpers/jwt_encryption.rb

@@ -5,13 +5,13 @@ module Authify
       module JWTEncryption
         include Core::Helpers::JWTSSL
 
-        def jwt_token(user = nil)
+        def jwt_token(user: nil, custom_data: {})
           user ||= current_user
-          JWT.encode jwt_payload(user), private_key, CONFIG[:jwt][:algorithm]
+          JWT.encode jwt_payload(user, custom_data), private_key, CONFIG[:jwt][:algorithm]
         end
 
-        def jwt_payload(user)
-          {
+        def jwt_payload(user, custom_data)
+          data = {
             exp: Time.now.to_i + 60 * CONFIG[:jwt][:expiration].to_i,
             iat: Time.now.to_i,
             iss: CONFIG[:jwt][:issuer],
@@ -24,6 +24,8 @@ module Authify
               organizations: simple_orgs_by_user(user)
             }
           }
+          data[:custom] = custom_data if custom_data && !custom_data.empty?
+          data
         end
 
         def simple_orgs_by_user(user)

data/lib/authify/api/services/jwt_provider.rb

@@ -38,6 +38,8 @@ module Authify
           # For Trusted Delegates signing users in via omniauth
           omni_provider = @parsed_body[:provider]
           omni_uid = @parsed_body[:uid]
+          # Allows injecting custom payload data
+          custom_data = @parsed_body[:inject] || {}
 
           found_user = if access
                          Models::User.from_api_key(access, secret)
@@ -49,7 +51,7 @@ module Authify
 
           if found_user
             update_current_user found_user
-            { jwt: jwt_token }.to_json
+            { jwt: jwt_token(custom_data: custom_data) }.to_json
           else
             halt 401
           end

data/lib/authify/api/services/registration.rb

@@ -56,7 +56,7 @@ module Authify
           response = { id: new_user.id, email: new_user.email }
           if new_user.verified?
             response[:verified] = true
-            response[:jwt]      = jwt_token(new_user)
+            response[:jwt]      = jwt_token(user: new_user)
           else
             response[:verified] = false
           end
@@ -78,7 +78,7 @@ module Authify
               id: found_user.id,
               email: found_user.email,
               verified: found_user.verified?,
-              jwt: jwt_token(found_user)
+              jwt: jwt_token(user: found_user)
             }.to_json
           else
             found_user.verified = false
@@ -109,7 +109,7 @@ module Authify
             id: found_user.id,
             email: found_user.email,
             verified: found_user.verified?,
-            jwt: jwt_token(found_user)
+            jwt: jwt_token(user: found_user)
           }.to_json
         end
       end

data/lib/authify/api/version.rb

@@ -3,7 +3,7 @@ module Authify
     VERSION = [
       0, # Major
       3, # Minor
-      0  # Patch
+      1  # Patch
     ].join('.')
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authify-api
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.3.1
 platform: ruby
 authors:
 - Jonathan Gnagy
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-04-22 00:00:00.000000000 Z
+date: 2017-05-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: authify-core