authrocket 3.0.0 → 3.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 138d4247bae61aa6ac0c171621a438d8b6d47db7de2a2cc9b7ad61ea7df0784d
-  data.tar.gz: c83fe483dbdaf4d0e0152972c42e76b17ec5133114cae0b1081c082b74883cee
+  metadata.gz: 82ed5a2ea3b1c412a72c84aeac220c4b54e26ca5a0f9cc7248ecbca9e3c211bb
+  data.tar.gz: 5acc9665f07016d75af2f26d08527206749cc7e4bfe56df6df248e50a3d9fe5f
 SHA512:
-  metadata.gz: 89f83a485b4c382eba642e16d9617bd0107833ee79abe6379fb3126a939f3515becda60182fc886a7976e739f1b45d6a60918ad82dc91cd6960fb8cebb306063
-  data.tar.gz: d1b32f8ac525755fa7cfed8e06846c6aa6d58e124ba775ecde423901fcc7157db09f65553e27b670f2ab7ec596621d2c033ecbaab2e7da104369955cea2895a2
+  metadata.gz: 375bcc4653c32f973da17893ff5250131c655d7122a4ba88a3d818fc454ebfdc7c9561db996c67bb6dec141823dceb1975124b8a0714eae448ac24965ae7d2e0
+  data.tar.gz: b12e98876190ded64592edc86c2fd160dd8b72f75086617f72164b3f7aef90f0dc2bb6fc62195eb8e2a0b375bda7f93a1a517fdeff421fbf2b8c0d0912bd47b3

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+#### 3.1.0
+
+- Automatically handle login tokens in an Authorization header
+  eg: Authorization: Bearer {the-token}
+- Optimize LR JWKS support to match by kid
+
 #### 3.0.0
 
 - NOTE: This version includes breaking changes.

data/README.md

@@ -107,7 +107,7 @@ Sets an application-wide default realm ID. If you're using a single realm, this
 `AUTHROCKET_URL = https://api-e2.authrocket.com/v2`
 The URL of the AuthRocket API server. This may vary depending on which cluster your service is provisioned on.
 
-`LOGINROCKET_URL = https://sample.e2.loginrocket.com/`
+`LOGINROCKET_URL = https://SAMPLE.e2.loginrocket.com/`
 The LoginRocket URL for your Connected App. Used by the streamlined Rails integration (for redirects) and for auto-retrieval of RS256 JWT keys (if AUTHROCKET_JWT_KEY is not set). If your app uses multiple realms, you'll need to handle this on your own. If you're using a custom domain, this will be that domain and will not contain 'loginrocket.com'.
 
 

data/lib/authrocket/api/version.rb

@@ -1,3 +1,3 @@
 module AuthRocket
-  VERSION = '3.0.0'
+  VERSION = '3.1.0'
 end

data/lib/authrocket/rails/controller_helper.rb

@@ -10,6 +10,14 @@ module AuthRocket::ControllerHelper
     end
   end
 
+  def process_authorization_header
+    if request.headers['authorization'] =~ %r{Bearer (.+)$}i
+      if s = AuthRocket::Session.from_token($1)
+        @_current_session = s
+      end
+    end
+  end
+
   def require_login
     unless current_session
       redirect_to ar_login_url(redirect_uri: safe_this_uri)

data/lib/authrocket/rails/engine.rb

@@ -9,6 +9,7 @@ module AuthRocket
           include AuthRocket::ControllerHelper
           helper AuthRocket::ControllerHelper
           before_action :process_inbound_token
+          before_action :process_authorization_header
         end
       end
     end

data/lib/authrocket/session.rb

@@ -19,21 +19,21 @@ module AuthRocket
     # options - :algo   - one of HS256, RS256 (default: auto-detect based on :jwt_key)
     #         - :within - (in seconds) Maximum time since the token was (re)issued
     #         - credentials: {jwt_key: StringOrKey} - used to verify the token
+    # returns Session or nil
     def self.from_token(token, options={})
-      secret = options.dig(:credentials, :jwt_key) || credentials[:jwt_key]
       if lr_url = options.dig(:credentials, :loginrocket_url) || credentials[:loginrocket_url]
         lr_url = lr_url.dup
         lr_url.concat '/' unless lr_url.ends_with?('/')
         lr_url.concat 'connect/jwks'
       end
-
-      algo = options[:algo]
+      secret = options.dig(:credentials, :jwt_key) || credentials[:jwt_key]
       if secret.is_a?(String) && secret.length > 256
         unless secret.starts_with?('-----BEGIN ')
           secret = "-----BEGIN PUBLIC KEY-----\n#{secret}\n-----END PUBLIC KEY-----"
         end
         secret = OpenSSL::PKey.read secret
       end
+      algo = options[:algo]
       algo ||= 'RS256' if secret.is_a?(OpenSSL::PKey::RSA)
       algo ||= 'HS256' if secret
 
@@ -42,34 +42,22 @@ module AuthRocket
       raise Error, "Missing jwt_key; set LOGINROCKET_URL, AUTHROCKET_JWT_KEY, or pass in credentials: {loginrocket_url: ...} or {jwt_key: ...}" if secret.blank? && !jwks_eligible
       return if token.blank?
 
+      base_params = {token: token, within: options[:within], local_creds: options[:credentials]}
       if jwks_eligible
-        base_params = {token: token, algo: 'RS256', within: options[:within], local_creds: options[:credentials]}
-        load_jwk_set(lr_url, use_cached: true).each do |secret|
-          begin
-            return parse_jwt secret: secret, **base_params
-          rescue JWT::DecodeError
-          end
-        end
-        load_jwk_set(lr_url, use_cached: false).each do |secret|
-          begin
-            return parse_jwt secret: secret, **base_params
-          rescue JWT::DecodeError
-          end
+        kid = JSON.parse(JWT::Base64.url_decode(token.split('.')[0]))['kid'] rescue nil
+        return if kid.blank?
+
+        load_jwk_set(lr_url) unless @_jwks[kid]
+        if key_set = @_jwks[kid]
+          parse_jwt **key_set, **base_params
         end
-        nil
       else
-        begin
-          parse_jwt token: token, secret: secret, algo: algo, within: options[:within], local_creds: options[:credentials]
-        rescue JWT::DecodeError
-          nil
-        end
+        parse_jwt secret: secret, algo: algo, **base_params
       end
     end
 
     # private
-    # raises an exception if eligible for retry using different token
-    # returns Session on success
-    # returns nil on a definitive token-parsed-but-invalid
+    # returns Session or nil
     def self.parse_jwt(token:, secret:, algo:, within:, local_creds: nil)
       opts = {
         algorithm: algo,
@@ -124,32 +112,16 @@ module AuthRocket
         }, local_creds)
 
       session
-    rescue JWT::ExpiredSignature, JWT::ImmatureSignature, JWT::InvalidAudError,
-        JWT::InvalidIatError, JWT::InvalidIssuerError
-      # successfully parsed, but invalid claims
+    rescue JWT::DecodeError
       nil
     end
 
     @_jwks ||= {}
     JWKS_MUTEX = Mutex.new
-    MIN_ATTEMPT_WINDOW = 71 # seconds
 
     # private
-    # use_cached - if there is a cached result, use it regardless of last cache load time
-    def self.load_jwk_set(uri, use_cached:)
-      keys, last_time = @_jwks.dig(uri, :keys), @_jwks.dig(uri, :time)
-      last_time ||= 0
-
-      return keys if use_cached && last_time > 0
-      return keys if Time.now.to_f - MIN_ATTEMPT_WINDOW < last_time
-
+    def self.load_jwk_set(uri)
       JWKS_MUTEX.synchronize do
-        # recheck in case we locked while being loaded in another process
-        newer_keys, newer_time = @_jwks.dig(uri, :keys), @_jwks.dig(uri, :time)
-        newer_time ||= 0
-
-        return newer_keys if newer_time > last_time
-
         path = URI.parse(uri).path
         headers = build_headers({}, {})
         rest_opts = {
@@ -164,20 +136,12 @@ module AuthRocket
         response = execute_request(rest_opts)
         parsed = parse_response(response)
           # => {data: json, errors: errors, metadata: metadata}
-        certs = parsed[:data][:keys].map do |h|
+        parsed[:data][:keys].each do |h|
           crt = "-----BEGIN PUBLIC KEY-----\n#{h['x5c'][0]}\n-----END PUBLIC KEY-----"
-          OpenSSL::PKey.read crt
-        end
-
-        @_jwks[uri] = {keys: certs, time: Time.now.to_f}
-        keys ||= []
-        just_added = certs - keys
-        if just_added.any?
-          just_added
-        else
-          certs
+          @_jwks[h['kid']] = {secret: OpenSSL::PKey.read(crt), algo: h['alg']}
         end
       end
+      @_jwks
     end
 
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: authrocket
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.1.0
 platform: ruby
 authors:
 - AuthRocket Team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-22 00:00:00.000000000 Z
+date: 2020-03-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable