cognito_token_verifier 0.1.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b62edbc24a15d7e43934a4ffcb641370e503084caffbac662da565528b3621f4
-  data.tar.gz: 4d562bee7ee8130d082c3f24530a1e62f235c03e176733bdd7b17d7cf7deca09
+  metadata.gz: e52ad068216f8d8e80a8386541332664f16adbb05182df520a34ec3f52b9c951
+  data.tar.gz: 063cc32b60dbe0bf6eed61ef853a06d661fb4fefa9af6618715417b33606bd7c
 SHA512:
-  metadata.gz: 000d7d04865954163674f2970163cd411fae1a8bbd83cf7f2dd5feeac00f5674367fd07621e135a44c59a2687115092405834ae42a9d5cad5bbbf7353a62a5bf
-  data.tar.gz: e1c17ca0365937f4bad00d395283f9d8f74fc58342cda151a23597c34925d1f058ed2f23ecad157b26a028854225275b4dd5b3b7d4646facf5184a7f280ca972
+  metadata.gz: f0c6192b9d02a7fac391df255c2332efb61099317bf7fd20cd773cb29e64882df3534196a23f37eb91136e84eda0db8601d2eda6536665531a104ea2f2e12ea0
+  data.tar.gz: 640249a032a23885d719b13334c69cabb41ddc3dc14d2e8e5848ff264594d1a8f1d14c4a87a3961389d11975145fbb10758c81481aa88939e0b5d40466c97bfe

data/.travis.yml

@@ -3,13 +3,14 @@ sudo: false
 language: ruby
 cache: bundler
 rvm:
-  - 2.3.8
-  - 2.4.5
-  - 2.5.3
-  - 2.6.1
-before_install: gem install bundler -v 2.0.1
+  - 2.5.8
+  - 2.6.6
+  - 2.7.1
+before_install: gem install bundler
 gemfile:
   - Gemfile
-  - gemfiles/rails42.gemfile
-  - gemfiles/rails51.gemfile
   - gemfiles/rails52.gemfile
+  - gemfiles/rails6.gemfile
+
+# jobs:
+#   exclude:

data/CHANGELOG.md

@@ -0,0 +1,22 @@
+# CHANGELOG.md
+
+## 0.3.2 (2020-03-31)
+
+  - Update development version of Rails gems for `actionview` security patch
+
+## 0.3.1 (2020-02-27)
+
+  - Update `nokogiri` version to 1.10.8 for security patches in gem development
+
+## 0.3.0 (2019-11-14)
+
+  - Add Rails 6 support
+  - Update minimum json-jwt and loofah libraries for CVEs
+
+## 0.2.0 (2019-02-21)
+
+  - Improvements to handling errors fetching JWKs and decoding Cognito JWTs
+
+## 0.1.0 (2019-02-20)
+
+  - Initial release of Cognito token verification gem

data/Gemfile.lock

@@ -1,116 +1,120 @@
 PATH
   remote: .
   specs:
-    cognito_token_verifier (0.1.0)
-      activesupport (>= 4.2, < 6.0)
-      json-jwt (~> 1.1)
+    cognito_token_verifier (0.4.0)
+      activesupport (>= 5.2, < 6.1)
+      json-jwt (~> 1.11)
       rest-client (~> 2.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (5.2.2)
-      actionview (= 5.2.2)
-      activesupport (= 5.2.2)
-      rack (~> 2.0)
+    actionpack (6.0.3.3)
+      actionview (= 6.0.3.3)
+      activesupport (= 6.0.3.3)
+      rack (~> 2.0, >= 2.0.8)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (5.2.2)
-      activesupport (= 5.2.2)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actionview (6.0.3.3)
+      activesupport (= 6.0.3.3)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activesupport (5.2.2)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activesupport (6.0.3.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 0.7, < 2)
       minitest (~> 5.1)
       tzinfo (~> 1.1)
-    aes_key_wrap (1.0.1)
-    bindata (2.4.4)
-    builder (3.2.3)
-    byebug (11.0.0)
-    concurrent-ruby (1.1.4)
-    crass (1.0.4)
-    diff-lcs (1.3)
-    domain_name (0.5.20180417)
+      zeitwerk (~> 2.2, >= 2.2.2)
+    aes_key_wrap (1.1.0)
+    bindata (2.4.8)
+    builder (3.2.4)
+    byebug (11.1.3)
+    concurrent-ruby (1.1.7)
+    crass (1.0.6)
+    diff-lcs (1.4.4)
+    domain_name (0.5.20190701)
       unf (>= 0.0.5, < 1.0.0)
-    erubi (1.8.0)
+    erubi (1.9.0)
+    http-accept (1.7.0)
     http-cookie (1.0.3)
       domain_name (~> 0.5)
-    i18n (1.5.3)
+    i18n (1.8.5)
       concurrent-ruby (~> 1.0)
-    json-jwt (1.10.0)
+    json-jwt (1.13.0)
       activesupport (>= 4.2)
       aes_key_wrap
       bindata
-    loofah (2.2.3)
+    loofah (2.7.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    method_source (0.9.2)
-    mime-types (3.2.2)
+    method_source (1.0.0)
+    mime-types (3.3.1)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2018.0812)
+    mime-types-data (3.2020.0512)
     mini_portile2 (2.4.0)
-    minitest (5.11.3)
+    minitest (5.14.2)
     netrc (0.11.0)
-    nokogiri (1.10.1)
+    nokogiri (1.10.10)
       mini_portile2 (~> 2.4.0)
-    rack (2.0.6)
+    rack (2.2.3)
     rack-test (1.1.0)
       rack (>= 1.0, < 3)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.0.4)
-      loofah (~> 2.2, >= 2.2.2)
-    railties (5.2.2)
-      actionpack (= 5.2.2)
-      activesupport (= 5.2.2)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
+    railties (6.0.3.3)
+      actionpack (= 6.0.3.3)
+      activesupport (= 6.0.3.3)
       method_source
       rake (>= 0.8.7)
-      thor (>= 0.19.0, < 2.0)
-    rake (12.3.2)
-    rest-client (2.0.2)
+      thor (>= 0.20.3, < 2.0)
+    rake (13.0.1)
+    rest-client (2.1.0)
+      http-accept (>= 1.7.0, < 2.0)
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
       netrc (~> 0.8)
-    rspec-core (3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.2)
+    rspec-core (3.9.2)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-rails (3.8.2)
+      rspec-support (~> 3.9.0)
+    rspec-rails (3.9.1)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       railties (>= 3.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-support (3.8.0)
-    thor (0.20.3)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.3)
+    thor (1.0.1)
     thread_safe (0.3.6)
-    tzinfo (1.2.5)
+    tzinfo (1.2.7)
       thread_safe (~> 0.1)
     unf (0.1.4)
       unf_ext
-    unf_ext (0.0.7.5)
+    unf_ext (0.0.7.7)
+    zeitwerk (2.4.0)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  actionpack (>= 4.2, < 6.0)
+  actionpack (>= 5.2, < 6.1)
   bundler (~> 2.0)
-  byebug
+  byebug (~> 11.0)
   cognito_token_verifier!
-  rake (>= 10.0, < 13.0)
+  rake (>= 10.0, < 14.0)
   rspec-rails (~> 3.0)
 
 BUNDLED WITH
-   2.0.1
+   2.1.4

data/README.md

@@ -1,6 +1,6 @@
 # CognitoTokenVerifier [![Build Status](https://travis-ci.org/CodingAnarchy/cognito_token_verifier.svg?branch=master)](https://travis-ci.org/CodingAnarchy/cognito_token_verifier)
 
-Verify and decode AWS Cognito tokens for use in your Ruby application.
+Verify and decode AWS Cognito tokens for use in your Rails 5.2+ application. Rails versions <= 5.2 are incompatible with the required gemspec as of  0.4+, as they are no longer supported for security fixes by the Rails team.
 
 ## Installation
 

data/cognito_token_verifier.gemspec

@@ -12,6 +12,7 @@ Gem::Specification.new do |spec|
   spec.summary       = %q{Verify and parse AWS Cognito JWTs to authenticate endpoints}
   spec.homepage      = "https://github.com/CodingAnarchy/cognito_token_verifier"
   spec.license       = "MIT"
+  spec.required_ruby_version = ">= 2.3.8"
 
   # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
   # to allow pushing to a single host or delete this section to allow pushing to any host.
@@ -30,13 +31,13 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_runtime_dependency "activesupport", [">= 4.2", "< 6.0"]
-  spec.add_runtime_dependency "json-jwt", "~> 1.1"
+  spec.add_runtime_dependency "activesupport", [">= 5.2", "< 6.1"]
+  spec.add_runtime_dependency "json-jwt", "~> 1.11"
   spec.add_runtime_dependency "rest-client", "~> 2.0"
 
   spec.add_development_dependency "byebug", "~> 11.0"
   spec.add_development_dependency "bundler", "~> 2.0"
-  spec.add_development_dependency "rake", [">= 10.0", "< 13.0"]
+  spec.add_development_dependency "rake", [">= 10.0", "< 14.0"]
   spec.add_development_dependency "rspec-rails", "~> 3.0"
-  spec.add_development_dependency "actionpack", [">= 4.2", "< 6.0"]
+  spec.add_development_dependency "actionpack", [">= 5.2", "< 6.1"]
 end

data/gemfiles/rails52.gemfile

@@ -1,7 +1,7 @@
 source "https://rubygems.org"
 
 gem "activesupport", "~> 5.2.0"
-gem "json-jwt", "~> 1.1"
+gem "json-jwt", "~> 1.11"
 gem "rest-client", "~> 2.0"
 
 gem "byebug"

data/gemfiles/{rails42.gemfile → rails6.gemfile}

@@ -1,11 +1,11 @@
 source "https://rubygems.org"
 
-gem "activesupport", "~> 4.2.0"
-gem "json-jwt", "~> 1.1"
+gem "activesupport", "~> 6.0.0"
+gem "json-jwt", "~> 1.11"
 gem "rest-client", "~> 2.0"
 
 gem "byebug"
 gem "bundler", "~> 2.0"
-gem "rake", "~> 10.0"
+gem "rake", "~> 12.0"
 gem "rspec-rails", "~> 3.0"
-gem "actionpack", "~> 4.2.0"
+gem "actionpack", "~> 6.0.0"

data/lib/cognito_token_verifier/config.rb

@@ -20,9 +20,12 @@ module CognitoTokenVerifier
     end
 
     def jwks
-      raise ConfigSetupError.new(self) unless aws_region.present? and user_pool_id.present?
-      @jwks ||= JSON.parse(RestClient.get(jwk_url))
-      # TODO: rescue RestClient and JSON errors here to present a more user-friendly error
+      begin
+        raise ConfigSetupError.new(self) unless aws_region.present? and user_pool_id.present?
+        @jwks ||= JSON.parse(RestClient.get(jwk_url))
+      rescue RestClient::Exception, JSON::JSONError => e
+        raise JWKFetchError
+      end
     end
 
     def iss

data/lib/cognito_token_verifier/errors.rb

@@ -12,11 +12,23 @@ module CognitoTokenVerifier
     end
   end
 
+  class JWKFetchError < StandardError
+    def message
+      "Error fetching JWKs for your Cognito user pool.  Please verify your configuration of the CognitoTokenVerifier gem."
+    end
+  end
+
   class TokenMissing < CognitoTokenVerifier::Error
     def message
       "Cognito token not provided.  Please retransmit request with Cognito token in authorization header."
     end
   end
+
+  class TokenDecodingError < CognitoTokenVerifier::Error
+    def message
+      "Cognito token could not be decoded. Please ensure the request token is from the correct Cognito user pool and try again." 
+    end
+  end
   
   class TokenExpired < StandardError
     def message

data/lib/cognito_token_verifier/token.rb

@@ -5,10 +5,13 @@ module CognitoTokenVerifier
     attr_reader :header, :decoded_token
 
     def initialize(jwt)
-      @header= JSON.parse(Base64.decode64(jwt.split('.')[0]))
-      @jwk = JSON::JWK.new(CognitoTokenVerifier.config.jwks["keys"].detect{|jwk| jwk['kid'] == header['kid']})
-      @decoded_token = JSON::JWT.decode(jwt, @jwk)
-      # TODO: rescue errors for JSON/JWK/JWT parsing/decoding to present user-friendly "token could not be decoded" error
+      begin
+        @header= JSON.parse(Base64.decode64(jwt.split('.')[0]))
+        @jwk = JSON::JWK.new(CognitoTokenVerifier.config.jwks["keys"].detect{|jwk| jwk['kid'] == header['kid']})
+        @decoded_token = JSON::JWT.decode(jwt, @jwk)
+      rescue JSON::JWS::VerificationFailed, JSON::JSONError => e
+        raise TokenDecodingError
+      end
     end
 
     def expired?

data/lib/cognito_token_verifier/version.rb

@@ -1,3 +1,3 @@
 module CognitoTokenVerifier
-  VERSION = "0.1.0"
+  VERSION = "0.4.0"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cognito_token_verifier
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Matt Tanous
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-02-20 00:00:00.000000000 Z
+date: 2020-09-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -16,34 +16,34 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.2'
+        version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.0'
+        version: '6.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.2'
+        version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.0'
+        version: '6.1'
 - !ruby/object:Gem::Dependency
   name: json-jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.11'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.1'
+        version: '1.11'
 - !ruby/object:Gem::Dependency
   name: rest-client
   requirement: !ruby/object:Gem::Requirement
@@ -95,7 +95,7 @@ dependencies:
         version: '10.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '13.0'
+        version: '14.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -105,7 +105,7 @@ dependencies:
         version: '10.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '13.0'
+        version: '14.0'
 - !ruby/object:Gem::Dependency
   name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
@@ -126,21 +126,21 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.2'
+        version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.0'
+        version: '6.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '4.2'
+        version: '5.2'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '6.0'
-description: 
+        version: '6.1'
+description:
 email:
 - mtanous22@gmail.com
 executables: []
@@ -159,9 +159,8 @@ files:
 - bin/console
 - bin/setup
 - cognito_token_verifier.gemspec
-- gemfiles/rails42.gemfile
-- gemfiles/rails51.gemfile
 - gemfiles/rails52.gemfile
+- gemfiles/rails6.gemfile
 - lib/cognito_token_verifier.rb
 - lib/cognito_token_verifier/config.rb
 - lib/cognito_token_verifier/controller_macros.rb
@@ -175,7 +174,7 @@ metadata:
   homepage_uri: https://github.com/CodingAnarchy/cognito_token_verifier
   source_code_uri: https://github.com/CodingAnarchy/cognito_token_verifier
   changelog_uri: https://github.com/CodingAnarchy/cognito_token_verifier/blob/master/CHANGELOG.md
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -183,16 +182,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.3.8
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.8
-signing_key: 
+rubygems_version: 3.0.3
+signing_key:
 specification_version: 4
 summary: Verify and parse AWS Cognito JWTs to authenticate endpoints
 test_files: []

data/gemfiles/rails51.gemfile

@@ -1,11 +0,0 @@
-source "https://rubygems.org"
-
-gem "activesupport", "~> 5.1.0"
-gem "json-jwt", "~> 1.1"
-gem "rest-client", "~> 2.0"
-
-gem "byebug"
-gem "bundler", "~> 2.0"
-gem "rake", "~> 11.0"
-gem "rspec-rails", "~> 3.0"
-gem "actionpack", "~> 5.1.0"