authify-api 0.4.0 → 0.4.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 14d6a59892c799848cfafc2560f6c8a563d47931
-  data.tar.gz: ac147175656a4ba68993aa277a08a54636dd5fd6
+  metadata.gz: 27ef09f0eac2be3b4726c08351dcffb65cfc8a4b
+  data.tar.gz: 19874f525600aec9655e219f8808c1346e336431
 SHA512:
-  metadata.gz: d70a5903b23f8cd25965bba23345a61d1a076eae15187ff79882131d0b7c1a408ffb08708d90e6ca84a60762327b6354ed59647b4032d7592f63ca18a48176fc
-  data.tar.gz: 9eb2b416d3ce781d6f1abd6891790ab359bfda9aff40adee30ebc72b4f775a551116cc121dcd21f4b99714b80ef5a91862042bd4d286f5656015fcceb495c56b
+  metadata.gz: f685845d5e55982ae4a47d191be11558fbd950c2b75a917bd1f280e8f2e6496e409bebc4b59ae2dee8e39db37bf837f38073782479a93f3a76cf12ddfa286e7c
+  data.tar.gz: dbed51e9635435d3a4c7c05467a1de6865bcf6118c5e6e69dac0ab532177466d536bfebc62be48e1a00e45a13ac26e5f66fb5c9d623f2208a054a52fac7d0c7c

data/README.md

@@ -1,5 +1,9 @@
 # Authify::API
 
+[![Gem Version](https://badge.fury.io/rb/authify-api.svg)](https://badge.fury.io/rb/authify-api)
+[![Build Status](https://travis-ci.org/knuedge/authify-api.svg?branch=master)](https://travis-ci.org/knuedge/authify-api)
+[![Coverage Status](https://coveralls.io/repos/github/knuedge/authify-api/badge.svg?branch=master)](https://coveralls.io/github/knuedge/authify-api?branch=master)
+
 ## Introduction
 
 Authify is a web service built from the ground up to simplify authentication and provide it securely to a collection of related web sites.
@@ -17,24 +21,87 @@ The Authify API service consists of a database for storing:
 * Groups (and membership)
 * Trusted authify delegates (other services with unlimited capabilities, including impersonating users)
 
-Nearly all API endpoints available via Authify implement the [{json:api}](http://jsonapi.org/) 1.0 specification. The exceptions are:
+Nearly all API endpoints available via Authify implement the [{json:api}](http://jsonapi.org/) 1.0 specification, though there are a few exceptions.
+
+### Non-standard API Endpoints
+
+**`GET /jwt/key`**
+_Returns Content Type: `application/json`._
+
+This endpoint returns a JSON Object with the key `data` whose value is a PEM-encoded ECDSA public key, which should be used to verify the signature made by the Authify service.
+
+**`GET /jwt/meta`**
+_Returns Content Type: `application/json`._
+
+This endpoint returns a JSON Object with the keys `algorithm`, `issuer`, and `expiration` that describe the kind of JWTs produced by this service.
+
+**`POST /jwt/token`**
+_Returns (and only accepts) Content Type: `application/json`._
+
+This endpoint is used to obtain a [JWT](https://en.wikipedia.org/wiki/JSON_Web_Token). This endpoint expects a JSON Object with either the keys `access_key` and `secret_key` _OR_ `email` and `password`. There is no firm requirement to use either pair for any particular purpose, but for scenarios where the credentials may be stored, the `access_key` and `secret_key` can easily be revoked if necessary.
+
+Upon successful authentication, the endpoint provides a JSON Object with the key `jwt` and a signed JWT. There should be nothing highly sensitive embedded in the JWT. The JWT defaults to expiring every 15 minutes.
+
+This endpoint also allows optionally specifying a key called `inject` with a JSON object as a value. This JSON object will then be injected into a top-level `custom` key in the returned JWT _as is_.
+
+**`GET/POST /jwt/verify`**
+_Returns (and only accepts) Content Type: `application/json`_
+
+This endpoint is useful for debugging or for low-volume, simple clients. Pass either a `GET` parameter of `token` or `POST` a JSON object with the key `token`. In either case, the value is a JWT that can be validated and have its details returned as simple JSON data.
+
+For valid JWTs, this endpoint will return a JSON object with the keys `valid`, `payload`, `type`, and `algorithm`. The `valid` field is a boolean that describes whether or not the JWT is valid for use with this instance of Authify. The `payload` field is the full JWT payload, with all its claims listed as keys in a JSON object. The `type` key should always return `JWT` but is reserved for future use. Finally, the `algorithm` key describes the JWA algorithm used to sign the key. See the [configuration section](#configuration) for details on the algorithm.
+
+For invalid or expired JWTs, this endpoint will still return `200 OK`, so don't rely on that to determine if the JWT is valid. It will, however, return different data. In this case, the endpoint will respond with a JSON object with the keys `valid`, `errors`, and `reason`. For invalid JWTs, the `valid` boolean will be `false`. The `errors` key will be a list of errors encountered while processing the JWT. The `reason` key provides a simple and generic explanation of the first encountered failure.
+
+**`POST /registration/signup`**
+_Returns (and only accepts) Content Type: `application/json`._
+
+This endpoint is used to signup for an account with Authify. This endpoint expects a JSON Object, requiring the keys `email` and `password`, with `name` and `via` being optional. If `via` is provided, then it must be a JSON Object with the keys `provider` and `uid`, otherwise it will be ignored. The `via` key is used to add an alternate identity (meaning they logged-in through an integration, like Github), and is only trusted from trusted delegates (meaning it will be ignored for anonymous calls to this endpoint).
+
+This endpoint returns a JSON Object with the keys `id`, `email`, and `verified`, on success. If the user is registered by a trusted delegate *and* `via` options were provided, the users is implicitly trusted and a `jwt` key will also be provided for authentication. Otherwise, users will need to proceed to `/registration/verify` with the token they receive by email to verify their identity.
+
+This endpoint allows customization of the emails sent for users requiring verification. For information on how this works, see the [Templating](#templating) section. The following template expressions are available: `token` and `valid_until`.
 
-* `GET /jwt/key` - Returns Content Type: `application/json`. This endpoint returns a JSON Object with the key `data` whose value is a PEM-encoded ECDSA public key, which should be used to verify the signature made by the Authify service.
-* `GET /jwt/meta` - Returns Content Type: `application/json`. This endpoint returns a JSON Object with the keys `algorithm`, `issuer`, and `expiration` that describe the kind of JWTs produced by this service.
-* `POST /jwt/token` - Returns (and only accepts) Content Type: `application/json`. This endpoint is used to obtain a [JWT](https://en.wikipedia.org/wiki/JSON_Web_Token). This endpoint expects a JSON Object with either the keys `access_key` and `secret_key` _OR_ `email` and `password`. There is no firm requirement to use either pair for any particular purpose, but for scenarios where the credentials may be stored, the `access_key` and `secret_key` may be used since those can easily be revoked if necessary. Upon successful authentication, the endpoint provides a JSON Object with the key `jwt` and a signed JWT. There should be nothing highly sensitive embedded in the JWT. The JWT defaults to expiring every 15 minutes. This endpoint also allows optionally specifying a key called `inject` with a JSON object as a value. This JSON object will then be injected into a top-level `custom` key in the returned JWT _as is_.
-* `POST /registration/signup` - Returns (and only accepts) Content Type: `application/json`. This endpoint is used to signup for an account with Authify. This endpoint expects a JSON Object, requiring the keys `email` and `password`, with `name` and `via` being optional. If `via` is provided, then it must be a JSON Object with the keys `provider` and `uid`, otherwise it will be ignored. The `via` key is used to add an alternate identity (meaning they logged-in through an integration, like Github), and is only trusted from trusted delegates (meaning it will be ignored for anonymous calls to this endpoint). This endpoint returns a JSON Object with the keys `id`, `email`, and `verified`, on success. If the user is registered by a trusted delegate *and* `via` options were provided, the users is implicitly trusted and a `jwt` key will also be provided for authentication. This endpoint allows customization of the emails sent for users requiring verification. For information on how this works, see the [Templating](#templating) section. The following template expressions are available: `token` and `valid_until`.
-* `POST /registration/verify` - Returns (and only accepts) Content Type: `application/json`. This endpoint is used to verify a registered user's email address. This endpoint expects a JSON Object, requiring the keys `email`, `password`, and `token`. This endpoint returns a JSON Object with the keys `id`, `email`, `verified`, and `jwt` on success.
-* `POST /registration/forgot_password` - Returns (and only accepts) Content Type: `application/json`. This endpoint serves two related purposes: it is used to trigger resetting a forgotten (or non-existent) password and it is used to actually set the value of a user's password. The difference in which operation is performed is based on the POST data. When provided a JSON Object with only the key `email`, the endpoint sends the user an email with a verification token, returning an empty JSON Object as a result. When provided a JSON Object with the keys `email`, `password`, and `token`, the endpoint verifies that the token matches, then sets the user's password, returning a JSON Object with the keys `id`, `email`, `verified`, and `jwt` on success. This endpoint allows customization of the emails sent for users requiring verification. For information on how this works, see the [Templating](#templating) section. The following template expressions are available: `token` and `valid_until`.
+**`POST /registration/verify`**
+_Returns (and only accepts) Content Type: `application/json`._
+
+This endpoint is used to verify a registered user's email address. Currently, the data used to verify users is a token provided via email.
+
+This endpoint expects a JSON Object, requiring the keys `email`, `password`, and `token`. This endpoint returns a JSON Object with the keys `id`, `email`, `verified`, and `jwt` on success.
+
+**`POST /registration/forgot_password`**
+_Returns (and only accepts) Content Type: `application/json`._
+
+This endpoint serves two related purposes: it is used to trigger resetting a forgotten (or non-existent) password and it is used to actually set the value of a user's password. The difference in which operation is performed is based on the POST data.
+
+When provided a JSON Object with only the key `email`, the endpoint sends the user an email with a verification token, returning an empty JSON Object as a result. When provided a JSON Object with the keys `email`, `password`, and `token`, the endpoint verifies that the token matches, then sets the user's password, returning a JSON Object with the keys `id`, `email`, `verified`, and `jwt` on success.
+
+This endpoint allows customization of the emails sent for users requiring verification. For information on how this works, see the [Templating](#templating) section. The following template expressions are available: `token` and `valid_until`.
+
+### {json:api} API Endpoints
 
 All other endpoints adhere to the {json:api} specification and can be found at the following base paths:
 
-* `/apikeys` - User API keys. Index is restricted. Should only really be useful for users manipulating their own keys.
-* `/groups` - Groups. Index is restricted. Most interactions with groups should be scoped via organizations.
-* `/identities` - Alternate User Identities. These are other services that the user can login via (web UI only).
-* `/organizations` - Organizations. These are high-level groupings of users and groups. Non-administrators should only be able to see limited amounts of information about organizations.
-* `/users` - Users controller.
+**`/apikeys`**
+User API keys. Index is restricted. Should only really be useful for users manipulating their own keys.
+
+**`/groups`**
+Groups. Index is restricted. Most interactions with groups should be scoped via organizations.
+
+**`/identities`**
+Alternate User Identities. These are other services that the user can login via (web UI only).
 
-In addition to expiring JWTs provided via `/jwt/token` for normal user interactions, Trusted Delegates can perform any action by providing the `X-Authify-Access`, `X-Authify-Secret`, and the `X-Authify-On-Behalf-Of` headers. The `Access` and `Secret` headers are used to authenticate the remote application, and the `On-Behalf-Of` is used to impersonate the user (usually determined through a process on the remote end to establish the user's identity). Note that while these sound similar to User API keys, these Trusted Delegate credentials are longer and can not be interchanged. These values do not expire and are not easily created or removed. For this reason, they should be used **very** sparingly. They can only be created, listed, or removed via a set of `rake` commands run server-side. These are:
+**`/organizations`**
+Organizations. These are high-level groupings of users and groups. Non-administrators should only be able to see limited amounts of information about organizations.
+
+**`/users`**
+Users controller.
+
+### Trusted Delegates
+
+In addition to expiring JWTs provided via `/jwt/token` for normal user interactions, Trusted Delegates can perform any action by providing the `X-Authify-Access`, `X-Authify-Secret`, and the `X-Authify-On-Behalf-Of` headers. The `Access` and `Secret` headers are used to authenticate the remote application, and the `On-Behalf-Of` is used to impersonate the user (determined through a process on the remote, trusted delegate's end to establish the user's identity).
+
+Note that while these sound similar to User API keys, these Trusted Delegate credentials are longer and can not be interchanged with User API Keys. These values do not expire and are not easily created or removed. For this reason, they should be used **very** sparingly. They can only be created, listed, or removed via a set of `rake` commands run server-side. These are:
 
 * `rake delegate:add[<name>]` - where `<name>` is the unique name of the trusted delegate. For example, `rake delegate:add[foo]` adds a remote delegate named `foo`. This command will output a key / value set providing the access\_key and secret\_key. The secret\_key is stored as a one-way hash in the DB, so it can never be retrieved again.
 * `rake delegate:list` - lists the names of all trusted delegates along with their access keys.
@@ -60,12 +127,23 @@ Or install it yourself as:
 
 The Authify API services supports the following configuration settings, managed via environment variables of the same name:
 
-* `AUTHIFY_DB_URL` - The URL used by [ActiveRecord](http://guides.rubyonrails.org/configuring.html#configuring-a-database) to connect to the database. Currently supports `mysql2://` or `sqlite3://` URLs, though any driver supported by ActiveRecord should work if the required gems are installed. Defaults to `mysql2://root@localhost:3306/authifydb`.
-* `AUTHIFY_PUBKEY_PATH` - The path on the filesystem to the PEM-encoded, public ECDSA key. Defaults to `~/.authify/ssl/public.pem`.
-* `AUTHIFY_PRIVKEY_PATH` - The path on the filesystem to the PEM-encoded, private ECDSA key. Currently, Authify only supports an [ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) keys. Options include using a `secp521r1` curve and the [SHA-512](https://en.wikipedia.org/wiki/SHA-2) hashing algorithm (called `ES512`), a `secp384r1` curve and the SHA-384 hashing algorithm (called `ES384`), or a `prime256v1` curve and the SHA-256 hashing algorithm (called `ES256`). See `AUTHIFY_JWT_ALGORITHM` below for information on how to configure Authify's algorithm to match the public and private keys you provide. The keys you specify **must** match the ECDSA algortihm and curve used to create them.
-* `AUTHIFY_JWT_ISSUER` - The name of the issuer ([iss field](https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields)) used when creating the JWT. This **must** match on any service that verifies the JWT (meaning any service relying on Authify for authentication), and it **must** be the same for all services that integrate with Authify.
-* `AUTHIFY_JWT_ALGORITHM` - The name of the [JWA](https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40) algorithm to use when loading keys and creating or verifying JWT signatures. Valid values are `ES256`, `ES384`, or `ES512`. Defaults to `ES512`. This **must** match the curve and algorithm used to produce the public and private keys found at `AUTHIFY_PUBKEY_PATH` and `AUTHIFY_PRIVKEY_PATH`, respectively. Note that the curves `prime256v1` (also called NIST P-256) used by `ES256` and `secp384r1` (also called NIST P-384) used by `ES384`, while offering a wider range of compatible SSL libraries, are described as unsafe on [SafeCurves](https://safecurves.cr.yp.to/) for several reasons described there.
-* `AUTHIFY_JWT_EXPIRATION` - How long should a JWT be valid (in minutes). Defaults to 15. Too small of a value will mean a lot more requests to the API; too high increases the possibility of viable keys being captured.
+**`AUTHIFY_DB_URL`**
+The URL used by [ActiveRecord](http://guides.rubyonrails.org/configuring.html#configuring-a-database) to connect to the database. Currently supports `mysql2://` or `sqlite3://` URLs, though any driver supported by ActiveRecord should work if the required gems are installed. Defaults to `mysql2://root@localhost:3306/authifydb`.
+
+**`AUTHIFY_PUBKEY_PATH`**
+The path on the filesystem to the PEM-encoded, public ECDSA key. Defaults to `~/.authify/ssl/public.pem`.
+
+**`AUTHIFY_PRIVKEY_PATH`**
+The path on the filesystem to the PEM-encoded, private ECDSA key. Currently, Authify only supports an [ECDSA](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) keys. Options include using a `secp521r1` curve and the [SHA-512](https://en.wikipedia.org/wiki/SHA-2) hashing algorithm (called `ES512`), a `secp384r1` curve and the SHA-384 hashing algorithm (called `ES384`), or a `prime256v1` curve and the SHA-256 hashing algorithm (called `ES256`). See `AUTHIFY_JWT_ALGORITHM` below for information on how to configure Authify's algorithm to match the public and private keys you provide. The keys you specify **must** match the ECDSA algortihm and curve used to create them.
+
+**`AUTHIFY_JWT_ISSUER`**
+The name of the issuer ([iss field](https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields)) used when creating the JWT. This **must** match on any service that verifies the JWT (meaning any service relying on Authify for authentication), and it **must** be the same for all services that integrate with Authify.
+
+**`AUTHIFY_JWT_ALGORITHM`**
+The name of the [JWA](https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40) algorithm to use when loading keys and creating or verifying JWT signatures. Valid values are `ES256`, `ES384`, or `ES512`. Defaults to `ES512`. This **must** match the curve and algorithm used to produce the public and private keys found at `AUTHIFY_PUBKEY_PATH` and `AUTHIFY_PRIVKEY_PATH`, respectively. Note that the curves `prime256v1` (also called NIST P-256) used by `ES256` and `secp384r1` (also called NIST P-384) used by `ES384`, while offering a wider range of compatible SSL libraries, are described as unsafe on [SafeCurves](https://safecurves.cr.yp.to/) for several reasons described there.
+
+**`AUTHIFY_JWT_EXPIRATION`**
+How long should a JWT be valid (in minutes). Defaults to 15. Too small of a value will mean a lot more requests to the API; too high increases the possibility of viable keys being captured.
 
 ## Usage and Authentication Workflow
 

data/authify-api.gemspec

@@ -45,6 +45,8 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'rubocop', '~> 0.35'
   spec.add_development_dependency 'yard',    '~> 0.8'
   spec.add_development_dependency 'travis', '~> 1.8'
-  spec.add_development_dependency 'simplecov', '~> 0.13'
+  spec.add_development_dependency 'simplecov', '~> 0.14'
+  spec.add_development_dependency 'coveralls', '~> 0.8'
+  spec.add_development_dependency 'byebug', '~> 9'
   spec.add_development_dependency 'rack-test', '~> 0.6'
 end

data/db/schema.rb

@@ -10,91 +10,91 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20170328151033) do
+ActiveRecord::Schema.define(version: 20170609181046) do
 
-  create_table "apikeys", force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
-    t.integer  "user_id"
-    t.string   "access_key"
-    t.text     "secret_key_digest", limit: 65535
-    t.datetime "created_at",                      null: false
-    t.datetime "updated_at",                      null: false
-    t.index ["access_key"], name: "index_apikeys_on_access_key", using: :btree
-    t.index ["user_id"], name: "index_apikeys_on_user_id", using: :btree
+  create_table "apikeys", id: :integer, force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
+    t.integer "user_id"
+    t.string "access_key"
+    t.text "secret_key_digest"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["access_key"], name: "index_apikeys_on_access_key"
+    t.index ["user_id"], name: "index_apikeys_on_user_id"
   end
 
-  create_table "groups", force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
-    t.integer  "organization_id"
-    t.string   "name"
-    t.text     "description",     limit: 65535
-    t.datetime "created_at",                    null: false
-    t.datetime "updated_at",                    null: false
-    t.index ["name"], name: "index_groups_on_name", using: :btree
-    t.index ["organization_id"], name: "index_groups_on_organization_id", using: :btree
+  create_table "groups", id: :integer, force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
+    t.integer "organization_id"
+    t.string "name"
+    t.text "description"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["name"], name: "index_groups_on_name"
+    t.index ["organization_id"], name: "index_groups_on_organization_id"
   end
 
   create_table "groups_users", id: false, force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
     t.integer "group_id"
     t.integer "user_id"
-    t.index ["group_id"], name: "index_groups_users_on_group_id", using: :btree
-    t.index ["user_id"], name: "index_groups_users_on_user_id", using: :btree
+    t.index ["group_id"], name: "index_groups_users_on_group_id"
+    t.index ["user_id"], name: "index_groups_users_on_user_id"
   end
 
-  create_table "identities", force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
-    t.integer  "user_id"
-    t.string   "provider"
-    t.string   "uid"
+  create_table "identities", id: :integer, force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
+    t.integer "user_id"
+    t.string "provider"
+    t.string "uid"
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
-    t.index ["provider"], name: "index_identities_on_provider", using: :btree
-    t.index ["uid"], name: "index_identities_on_uid", using: :btree
-    t.index ["user_id"], name: "index_identities_on_user_id", using: :btree
+    t.index ["provider"], name: "index_identities_on_provider"
+    t.index ["uid"], name: "index_identities_on_uid"
+    t.index ["user_id"], name: "index_identities_on_user_id"
   end
 
-  create_table "organization_memberships", force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
+  create_table "organization_memberships", id: :integer, force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
     t.integer "organization_id"
     t.integer "user_id"
-    t.boolean "admin",           default: false
-    t.index ["admin"], name: "index_organization_memberships_on_admin", using: :btree
-    t.index ["organization_id"], name: "index_organization_memberships_on_organization_id", using: :btree
-    t.index ["user_id"], name: "index_organization_memberships_on_user_id", using: :btree
+    t.boolean "admin", default: false
+    t.index ["admin"], name: "index_organization_memberships_on_admin"
+    t.index ["organization_id"], name: "index_organization_memberships_on_organization_id"
+    t.index ["user_id"], name: "index_organization_memberships_on_user_id"
   end
 
-  create_table "organizations", force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
-    t.string   "name"
-    t.string   "public_email"
-    t.string   "gravatar_email"
-    t.string   "billing_email"
-    t.text     "description",    limit: 65535
-    t.string   "url"
-    t.string   "location"
-    t.datetime "created_at",                   null: false
-    t.datetime "updated_at",                   null: false
-    t.index ["name"], name: "index_organizations_on_name", using: :btree
+  create_table "organizations", id: :integer, force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
+    t.string "name"
+    t.string "public_email"
+    t.string "gravatar_email"
+    t.string "billing_email"
+    t.text "description"
+    t.string "url"
+    t.string "location"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["name"], name: "index_organizations_on_name"
   end
 
-  create_table "trusted_delegates", force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
-    t.string   "name"
-    t.string   "access_key"
-    t.text     "secret_key_digest", limit: 65535
-    t.text     "description",       limit: 65535
-    t.datetime "created_at",                      null: false
-    t.datetime "updated_at",                      null: false
-    t.index ["access_key"], name: "index_trusted_delegates_on_access_key", using: :btree
-    t.index ["name"], name: "index_trusted_delegates_on_name", using: :btree
+  create_table "trusted_delegates", id: :integer, force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
+    t.string "name"
+    t.string "access_key"
+    t.text "secret_key_digest"
+    t.text "description"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["access_key"], name: "index_trusted_delegates_on_access_key"
+    t.index ["name"], name: "index_trusted_delegates_on_name"
   end
 
-  create_table "users", force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
-    t.string   "email"
-    t.text     "password_digest",    limit: 65535
-    t.string   "full_name"
-    t.datetime "created_at",                                       null: false
-    t.datetime "updated_at",                                       null: false
-    t.boolean  "admin",                            default: false, null: false
-    t.boolean  "verified"
-    t.string   "verification_token"
-    t.index ["admin"], name: "index_users_on_admin", using: :btree
-    t.index ["email"], name: "index_users_on_email", using: :btree
-    t.index ["verified"], name: "index_users_on_verified", using: :btree
+  create_table "users", id: :integer, force: :cascade, options: "ENGINE=InnoDB DEFAULT CHARSET=utf8" do |t|
+    t.string "email"
+    t.text "password_digest"
+    t.string "full_name"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.boolean "admin", default: false, null: false
+    t.boolean "verified"
+    t.string "verification_token"
+    t.index ["admin"], name: "index_users_on_admin"
+    t.index ["email"], name: "index_users_on_email"
+    t.index ["verified"], name: "index_users_on_verified"
   end
 
 end

data/lib/authify/api/controllers/organization.rb

@@ -9,7 +9,7 @@ module Authify
 
           def role
             Array(super).tap do |a|
-              a << :owner if resource && current_user.admin_for?(resource)
+              a << :owner if resource && current_user && current_user.admin_for?(resource)
               a << :member if resource && resource.users.include?(current_user)
             end.uniq
           end

data/lib/authify/api/helpers/jwt_encryption.rb

@@ -5,12 +5,13 @@ module Authify
       module JWTEncryption
         include Core::Helpers::JWTSSL
 
-        def jwt_token(user: nil, custom_data: {})
+        def jwt_token(user: nil, custom_data: {}, meta: nil)
           user ||= current_user
-          JWT.encode jwt_payload(user, custom_data), private_key, CONFIG[:jwt][:algorithm]
+          JWT.encode jwt_payload(user, custom_data, meta), private_key, CONFIG[:jwt][:algorithm]
         end
 
-        def jwt_payload(user, custom_data)
+        # rubocop:disable Metrics/AbcSize
+        def jwt_payload(user, custom_data, metadata = nil)
           data = {
             exp: Time.now.to_i + 60 * CONFIG[:jwt][:expiration].to_i,
             iat: Time.now.to_i,
@@ -25,9 +26,37 @@ module Authify
             }
           }
           data[:custom] = custom_data if custom_data && !custom_data.empty?
+          data[:meta] = metadata if metadata && metadata.is_a?(Hash) && !metadata.empty?
           data
         end
 
+        def jwt_options
+          {
+            algorithm: CONFIG[:jwt][:algorithm],
+            verify_iss: true,
+            verify_iat: true,
+            iss: CONFIG[:jwt][:issuer]
+          }
+        end
+
+        def process_token(token)
+          results = {}
+
+          begin
+            decoded = JWT.decode(token, public_key, true, jwt_options)
+
+            results[:valid] = true
+            results[:payload] = decoded[0]
+            results[:type] = decoded[1]['typ']
+            results[:algorithm] = decoded[1]['alg']
+          rescue JWT::DecodeError => e
+            results[:valid] = false
+            results[:errors] = Array[e]
+            results[:reason] = 'Corrupt or invalid JWT'
+          end
+          results
+        end
+
         def simple_orgs_by_user(user)
           user.organizations.map do |o|
             {

data/lib/authify/api/services/jwt_provider.rb

@@ -70,6 +70,7 @@ module Authify
           if found_user
             update_current_user found_user
             Metrics.instance.increment('jwt.tokens.provided')
+
             { jwt: jwt_token(custom_data: custom_data) }.to_json
           else
             halt 401
@@ -103,6 +104,18 @@ module Authify
         options '/key' do
           halt 200
         end
+
+        get '/verify' do
+          process_token(@params[:token]).to_json
+        end
+
+        post '/verify' do
+          process_token(@parsed_body[:token]).to_json
+        end
+
+        options '/verify' do
+          halt 200
+        end
       end
     end
   end

data/lib/authify/api/services/monitoring.rb

@@ -9,20 +9,11 @@ module Authify
 
         before do
           content_type 'application/json'
-
-          begin
-            unless request.get? || request.options?
-              request.body.rewind
-              @parsed_body = JSON.parse(request.body.read, symbolize_names: true)
-            end
-          rescue => e
-            halt(400, { error: "Request must be valid JSON: #{e.message}" }.to_json)
-          end
         end
 
         after do
           headers 'Access-Control-Allow-Origin' => '*',
-                  'Access-Control-Allow-Methods' => %w[OPTIONS GET POST],
+                  'Access-Control-Allow-Methods' => %w[OPTIONS GET],
                   'Access-Control-Allow-Headers' => %w[
                     Origin
                     Accept

data/lib/authify/api/version.rb

@@ -3,7 +3,7 @@ module Authify
     VERSION = [
       0, # Major
       4, # Minor
-      0  # Patch
+      1  # Patch
     ].join('.')
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authify-api
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.4.1
 platform: ruby
 authors:
 - Jonathan Gnagy
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2017-06-08 00:00:00.000000000 Z
+date: 2017-06-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: authify-core
@@ -308,14 +308,42 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.13'
+        version: '0.14'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.13'
+        version: '0.14'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.8'
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '9'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement