RubyGems - devise-jwt - Versions diffs - 0.10.0 → 0.12.0 - Mend

devise-jwt 0.10.0 → 0.12.0

Files changed (10) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2b5a307382874853dba1abc67c451c9dd01e81a1b2dd84c94db6a10af7f4cc44
-  data.tar.gz: b3f6ec7a63b8f481038f2aeb72cb872d451dfc679537aa29b1d85aaa66c6aaab
+  metadata.gz: 04ea0b0abaaaf9486d4bc19ca5dfed4c867e12071934e8bb963fccd9fbd4fd90
+  data.tar.gz: 36375dfe1a8be67b238b8bddb1d7ccffb5c207a36faa380230fd99968f746421
 SHA512:
-  metadata.gz: e95511b4462ce942934858d578589ba618117e8bfc6e3f617f7082f82627b293e706d130a242afde25ce3e8ff5da8e8d4d058c54d51ac2dfd785f5e59747e87d
-  data.tar.gz: 713c71400296bae1493096d2f55b19bedff85cb7884502cd09a954872c72624a109887ef405cbee04ad56520ee255aab190f6b3c5032a952ecaa978223c9e06a
+  metadata.gz: f07dbe6fafbcd51f6c380866432db7b2c372c576005ec307a0eaaacd73f1dd10b9d9fae9783da5e6a5afca15ea021262ac4068738d4a3648cb87602e8acbd089
+  data.tar.gz: 345765410de35fe76e5603ba4a42ce0f0bba52eb3743a627418b84e283bbdeffdd4cb6b0ebe932d8e88de41ca112d358ebc6b3cde9a52bda9b128e2425c60fc5

data/.github/workflows/ci.yml CHANGED Viewed

@@ -7,10 +7,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby-version: ['2.7', '3.0', '3.1', ruby-head]
+        ruby-version: ['3.0', '3.1', '3.2', '3.3', ruby-head]
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Ruby ${{ matrix.ruby-version }}
       uses: ruby/setup-ruby@v1
       with:

data/.github/workflows/lint.yml CHANGED Viewed

@@ -6,7 +6,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Ruby ${{ matrix.ruby-version }}
       uses: ruby/setup-ruby@v1
       with:

data/.rubocop.yml CHANGED Viewed

@@ -1,6 +1,6 @@
 require: rubocop-rspec
 AllCops:
-  TargetRubyVersion: 2.7
+  TargetRubyVersion: 3.0
   Exclude:
     - Gemfile
     - devise-jwt.gemspec

data/CHANGELOG.md CHANGED Viewed

@@ -1,9 +1,18 @@
-# Change Log
+[#](#) Change Log
 All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
+## [0.12.0] - 2024-07-10
+### Added
+- Add support for `token_header` config
+- Add support for `issuer` config
+## [0.11.0] - 2023-05-10
+### Added
+- Add support for rotation_secret
 ## [0.10.0] - 2022-09-16
 ### Added
 - Enable support for asymmetric algorithms

data/README.md CHANGED Viewed

@@ -101,7 +101,7 @@ Devise.setup do |config|
 end
 ```
-> **Important:** You are encouraged to use a secret different than your application `secret_key_base`. It is quite possible that some other component of your system is already using it. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. In rails, generating new secrets is as easy as `bundle exec rake secret`. Also, never share your secrets pushing it to a remote repository, you are better off using an environment variable like in the example.
+> **Important:** You are encouraged to use a secret different than your application `secret_key_base`. It is quite possible that some other component of your system is already using it. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. In rails, generating new secrets is as easy as `rails secret`. Also, never share your secrets pushing it to a remote repository, you are better off using an environment variable like in the example.
 Currently, HS256 algorithm is the one in use. You may configure a matching secret and algorithm name to use a different one (see [ruby-jwt](https://github.com/jwt/ruby-jwt#algorithms-and-usage) to see which are supported):
@@ -202,10 +202,11 @@ This is so because of the following default Devise workflow:
   in the session without requiring a strategy (`:jwt_authenticatable`
   in our case).
-So, if you want to avoid this caveat you have three options:
+So, if you want to avoid this caveat you have five options:
 - Disable the session. If you are developing an API, you probably don't need
   it. In order to disable it, change `config/initializers/session_store.rb` to:
   ```ruby
   Rails.application.config.session_store :disabled
   ```
@@ -213,18 +214,41 @@ So, if you want to avoid this caveat you have three options:
   have the session disabled.
 - If you still need the session for any other purpose, disable
   `:database_authenticatable` user storage. In `config/initializers/devise.rb`:
   ```ruby
   config.skip_session_storage = [:http_auth, :params_auth]
   ```
 - If you are using Devise for another model (e.g. `AdminUser`) and doesn't want
   to disable session storage for Devise entirely, you can disable it on a
   per-model basis:
   ```ruby
   class User < ApplicationRecord
     devise :database_authenticatable #, your other enabled modules...
     self.skip_session_storage = [:http_auth, :params_auth]
   end
   ```
+- If you need the session for some of the controllers, you are able to disable it at
+  the controller level for those controllers which don't need it:
+  ```ruby
+  class AdminsController < ApplicationController
+    before_action :drop_session_cookie
+    private
+    def drop_session_cookie
+      request.session_options[:skip] = true
+    end
+  ```
+- As the last option you can tell Devise to not store the user in the Warden session
+  if you override default Devise `SessionsController` with your own one, and pass
+  `store: false` attribute to the `sign_in`, `sign_in_and_redirect`, `bypass_sign_in`
+  methods:
+  ```ruby
+  sign_in user, store: false
+  ```
 ### Revocation strategies
@@ -481,6 +505,10 @@ end
 Secret key is used to sign generated JWT tokens. You must set it.
+#### rotation_secret
+Allow rotating secrets. Set a new value to `secret` and copy the old secret to `rotation_secret`.
 #### expiration_time
 Number of seconds while a JWT is valid after its generation. After that, it won't be valid anymore, even if it hasn't been revoked.
@@ -559,6 +587,25 @@ like an OAuth workflow with client id and client secret.
 Defaults to `JWT_AUD`.
+#### token_header
+Request header containing the token in the format of `Bearer #{token}`.
+Defaults to `Authorization`.
+#### issuer
+The [issuer claim in the token](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1).
+If present, it will be checked against the incoming token issuer claim and
+authorization will be skipped if they don't match.
+Defaults to `nil`.
+```ruby
+jwt.issuer = 'http://myapp.com'
+```
 ## Development
 There are docker and docker-compose files configured to create a development environment for this gem. So, if you use Docker you only need to run:

data/devise-jwt.gemspec CHANGED Viewed

@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
   spec.add_dependency 'devise', '~> 4.0'
-  spec.add_dependency 'warden-jwt_auth', '~> 0.6'
+  spec.add_dependency 'warden-jwt_auth', '~> 0.10'
   spec.add_development_dependency "bundler", "> 1"
   spec.add_development_dependency "rake", "~> 13.0"

data/lib/devise/jwt/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Devise
   module JWT
-    VERSION = '0.10.0'
+    VERSION = '0.12.0'
   end
 end

data/lib/devise/jwt.rb CHANGED Viewed

@@ -36,6 +36,10 @@ module Devise
             default: Warden::JWTAuth.config.secret,
             constructor: ->(value) { forward_to_warden(:secret, value) })
+    setting(:rotation_secret,
+            default: Warden::JWTAuth.config.rotation_secret,
+            constructor: ->(value) { forward_to_warden(:rotation_secret, value) })
     setting(:decoding_secret,
             constructor: ->(value) { forward_to_warden(:decoding_secret, value) })

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-jwt
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.12.0
 platform: ruby
 authors:
 - Marc Busqué
-autorequire:
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-09-16 00:00:00.000000000 Z
+date: 2024-07-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '0.10'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '0.10'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -222,7 +222,7 @@ homepage: https://github.com/waiting-for-dev/devise-jwt
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -237,8 +237,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key:
+rubygems_version: 3.5.9
+signing_key:
 specification_version: 4
 summary: JWT authentication for devise
 test_files: []