devise-jwt 0.10.0 → 0.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2b5a307382874853dba1abc67c451c9dd01e81a1b2dd84c94db6a10af7f4cc44
-  data.tar.gz: b3f6ec7a63b8f481038f2aeb72cb872d451dfc679537aa29b1d85aaa66c6aaab
+  metadata.gz: 3d189f85171b96941564ca209393e88cddd486987f5dbb09c94a86bda15e2fb6
+  data.tar.gz: 3e513907f6c745dce964a48b757be8de97e7e07a0db2ffa83718af4622a77411
 SHA512:
-  metadata.gz: e95511b4462ce942934858d578589ba618117e8bfc6e3f617f7082f82627b293e706d130a242afde25ce3e8ff5da8e8d4d058c54d51ac2dfd785f5e59747e87d
-  data.tar.gz: 713c71400296bae1493096d2f55b19bedff85cb7884502cd09a954872c72624a109887ef405cbee04ad56520ee255aab190f6b3c5032a952ecaa978223c9e06a
+  metadata.gz: 7786325a88c8200ef09f9ce634f31fb930904e4ab48618a394d1d0778ea2895127089f138fe78345a6d35e6048236121c1d3424e7b65ba7b12abc81a0ddf95e7
+  data.tar.gz: bca1e74cd44f45991f9d1389932e4d5bd0b89c193af38e6601cccbee4682796948b8cd5f090095928f26f4463e3289707a1125d2139ede90afa73dae3a6d6476

data/.github/workflows/ci.yml

@@ -1,4 +1,4 @@
-name: CI 
+name: CI
 
 on: [push, pull_request]
 
@@ -7,15 +7,16 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby-version: ['2.7', '3.0', '3.1', ruby-head]
+        ruby-version: ['3.2', '3.3', '3.4', ruby-head]
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - name: Set up Ruby ${{ matrix.ruby-version }}
       uses: ruby/setup-ruby@v1
       with:
         ruby-version: ${{ matrix.ruby-version }}
         bundler-cache: true # 'bundle install' and cache
-    - name: Run specs 
+    - name: Run specs
       run: |
+        cd spec/fixtures/rails_app && bundle && bundle exec rails db:setup && cd -
         bundle exec rspec

data/.github/workflows/lint.yml

@@ -6,12 +6,12 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - name: Set up Ruby ${{ matrix.ruby-version }}
       uses: ruby/setup-ruby@v1
       with:
-        ruby-version: 2.7 
+        ruby-version: 3.4
         bundler-cache: true # 'bundle install' and cache
-    - name: Run specs 
+    - name: Run specs
       run: |
         bundle exec rubocop

data/.gitignore

@@ -6,7 +6,11 @@
 /doc/
 /pkg/
 /spec/reports/
+/spec/fixtures/rails_app/db/test.sqlite3*
+/spec/fixtures/rails_app/db/development.sqlite3*
+/spec/fixtures/rails_app/tmp
 /tmp/
 .overcommit_gems.rb.lock
 *.log
 *sqlite3-journal
+/tags

data/.rubocop.yml

@@ -1,6 +1,6 @@
 require: rubocop-rspec
 AllCops:
-  TargetRubyVersion: 2.7
+  TargetRubyVersion: 3.0
   Exclude:
     - Gemfile
     - devise-jwt.gemspec

data/CHANGELOG.md

@@ -1,9 +1,24 @@
-# Change Log
+[#](#) Change Log
 All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) 
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [0.13.0] - 2026-01-13
+- Support devise 5.0
+
+## [0.12.1] - 2024-07-12
+- Fix properly support for `token_header` & `issuer` config options
+
+## [0.12.0] - 2024-07-10
+### Added
+- Add support for `token_header` config
+- Add support for `issuer` config
+
+## [0.11.0] - 2023-05-10
+### Added
+- Add support for rotation_secret
+
 ## [0.10.0] - 2022-09-16
 ### Added
 - Enable support for asymmetric algorithms

data/README.md

@@ -101,7 +101,7 @@ Devise.setup do |config|
 end
 ```
 
-> **Important:** You are encouraged to use a secret different than your application `secret_key_base`. It is quite possible that some other component of your system is already using it. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. In rails, generating new secrets is as easy as `bundle exec rake secret`. Also, never share your secrets pushing it to a remote repository, you are better off using an environment variable like in the example.
+> **Important:** You are encouraged to use a secret different than your application `secret_key_base`. It is quite possible that some other component of your system is already using it. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. In rails, generating new secrets is as easy as `rails secret`. Also, never share your secrets pushing it to a remote repository, you are better off using an environment variable like in the example.
 
 Currently, HS256 algorithm is the one in use. You may configure a matching secret and algorithm name to use a different one (see [ruby-jwt](https://github.com/jwt/ruby-jwt#algorithms-and-usage) to see which are supported):
 
@@ -202,10 +202,11 @@ This is so because of the following default Devise workflow:
   in the session without requiring a strategy (`:jwt_authenticatable`
   in our case).
 
-So, if you want to avoid this caveat you have three options:
+So, if you want to avoid this caveat you have five options:
 
 - Disable the session. If you are developing an API, you probably don't need
   it. In order to disable it, change `config/initializers/session_store.rb` to:
+  
   ```ruby
   Rails.application.config.session_store :disabled
   ```
@@ -213,18 +214,41 @@ So, if you want to avoid this caveat you have three options:
   have the session disabled.
 - If you still need the session for any other purpose, disable
   `:database_authenticatable` user storage. In `config/initializers/devise.rb`:
+  
   ```ruby
   config.skip_session_storage = [:http_auth, :params_auth]
   ```
 - If you are using Devise for another model (e.g. `AdminUser`) and doesn't want
   to disable session storage for Devise entirely, you can disable it on a
   per-model basis:
+  
   ```ruby
   class User < ApplicationRecord
     devise :database_authenticatable #, your other enabled modules...
     self.skip_session_storage = [:http_auth, :params_auth]
   end
   ```
+- If you need the session for some of the controllers, you are able to disable it at
+  the controller level for those controllers which don't need it:
+  
+  ```ruby
+  class AdminsController < ApplicationController
+    before_action :drop_session_cookie
+
+    private
+
+    def drop_session_cookie
+      request.session_options[:skip] = true
+    end
+  ```
+- As the last option you can tell Devise to not store the user in the Warden session
+  if you override default Devise `SessionsController` with your own one, and pass
+  `store: false` attribute to the `sign_in`, `sign_in_and_redirect`, `bypass_sign_in`
+  methods:
+  
+  ```ruby
+  sign_in user, store: false
+  ```
 
 ### Revocation strategies
 
@@ -481,6 +505,10 @@ end
 
 Secret key is used to sign generated JWT tokens. You must set it.
 
+#### rotation_secret
+
+Allow rotating secrets. Set a new value to `secret` and copy the old secret to `rotation_secret`.
+
 #### expiration_time
 
 Number of seconds while a JWT is valid after its generation. After that, it won't be valid anymore, even if it hasn't been revoked.
@@ -543,6 +571,19 @@ jwt.request_formats = {
 
 By default, only requests without format are processed.
 
+#### token_header
+
+Request/response header which will transmit the JWT token.
+
+Defaults to 'Authorization'
+
+#### issuer
+
+Expected issuer claim. If present, it will be checked against the incoming
+token issuer claim and authorization will be skipped if they don't match.
+
+Defaults to nil.
+
 #### aud_header
 
 Request header which content will be stored to the `aud` claim in the payload.
@@ -559,6 +600,25 @@ like an OAuth workflow with client id and client secret.
 
 Defaults to `JWT_AUD`.
 
+#### token_header
+
+Request header containing the token in the format of `Bearer #{token}`.
+
+Defaults to `Authorization`.
+
+#### issuer
+
+The [issuer claim in the token](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1).
+
+If present, it will be checked against the incoming token issuer claim and
+authorization will be skipped if they don't match.
+
+Defaults to `nil`.
+
+```ruby
+jwt.issuer = 'http://myapp.com'
+```
+
 ## Development
 
 There are docker and docker-compose files configured to create a development environment for this gem. So, if you use Docker you only need to run:

data/devise-jwt.gemspec

@@ -21,20 +21,20 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_dependency 'devise', '~> 4.0'
-  spec.add_dependency 'warden-jwt_auth', '~> 0.6'
+  spec.add_dependency 'devise', '>= 4.0.0', '< 6.0.0'
+  spec.add_dependency 'warden-jwt_auth', '~> 0.10'
 
   spec.add_development_dependency "bundler", "> 1"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec"
   # Needed to test the rails fixture application
-  spec.add_development_dependency 'rails', '~> 6.0'
-  spec.add_development_dependency 'sqlite3', '~> 1.3'
-  spec.add_development_dependency 'rspec-rails', '~> 4.0'
+  spec.add_development_dependency 'rails'
+  spec.add_development_dependency 'sqlite3'
+  spec.add_development_dependency 'rspec-rails'
   # Cops
-  spec.add_development_dependency 'rubocop', '~> 0.87'
-  spec.add_development_dependency 'rubocop-rspec', '~> 1.42'
+  spec.add_development_dependency 'rubocop'
+  spec.add_development_dependency 'rubocop-rspec'
   # Test reporting
-  spec.add_development_dependency 'simplecov', '0.17'
-  spec.add_development_dependency 'codeclimate-test-reporter', '~> 1.0'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'codeclimate-test-reporter'
 end

data/lib/devise/jwt/version.rb

@@ -2,6 +2,6 @@
 
 module Devise
   module JWT
-    VERSION = '0.10.0'
+    VERSION = '0.13.0'
   end
 end

data/lib/devise/jwt.rb

@@ -36,6 +36,10 @@ module Devise
             default: Warden::JWTAuth.config.secret,
             constructor: ->(value) { forward_to_warden(:secret, value) })
 
+    setting(:rotation_secret,
+            default: Warden::JWTAuth.config.rotation_secret,
+            constructor: ->(value) { forward_to_warden(:rotation_secret, value) })
+
     setting(:decoding_secret,
             constructor: ->(value) { forward_to_warden(:decoding_secret, value) })
 
@@ -54,6 +58,14 @@ module Devise
             default: Warden::JWTAuth.config.revocation_requests,
             constructor: ->(value) { forward_to_warden(:revocation_requests, value) })
 
+    setting(:token_header,
+            default: Warden::JWTAuth.config.token_header,
+            constructor: ->(value) { forward_to_warden(:token_header, value) })
+
+    setting(:issuer,
+            default: Warden::JWTAuth.config.issuer,
+            constructor: ->(value) { forward_to_warden(:issuer, value) })
+
     setting(:aud_header,
             default: Warden::JWTAuth.config.aud_header,
             constructor: ->(value) { forward_to_warden(:aud_header, value) })

metadata

@@ -1,43 +1,49 @@
 --- !ruby/object:Gem::Specification
 name: devise-jwt
 version: !ruby/object:Gem::Version
-  version: 0.10.0
+  version: 0.13.0
 platform: ruby
 authors:
 - Marc Busqué
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-09-16 00:00:00.000000000 Z
+date: 2026-01-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.0
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: 6.0.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.0.0
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: 6.0.0
 - !ruby/object:Gem::Dependency
   name: warden-jwt_auth
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '0.10'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.6'
+        version: '0.10'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -84,100 +90,100 @@ dependencies:
   name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '6.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '6.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '4.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0.87'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0.87'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.42'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.42'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0.17'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '='
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0.17'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: codeclimate-test-reporter
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.0'
+        version: '0'
 description: JWT authentication for devise with configurable token revocation strategies
 email:
 - marc@lamarciana.com
@@ -195,7 +201,6 @@ files:
 - ".rubocop.yml"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
-- Dockerfile
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -203,7 +208,6 @@ files:
 - bin/console
 - bin/setup
 - devise-jwt.gemspec
-- docker-compose.yml
 - issue_template.md
 - lib/devise/jwt.rb
 - lib/devise/jwt/defaults_generator.rb
@@ -222,7 +226,7 @@ homepage: https://github.com/waiting-for-dev/devise-jwt
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -237,8 +241,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3.1
-signing_key: 
+rubygems_version: 3.5.9
+signing_key:
 specification_version: 4
 summary: JWT authentication for devise
 test_files: []

data/Dockerfile

@@ -1,7 +0,0 @@
-FROM ruby:3.0.0
-ENV APP_USER devise_jwt_user
-RUN apt-get update -qq && \
-    apt-get install -y build-essential sqlite3 libsqlite3-dev
-RUN useradd -ms /bin/bash $APP_USER
-USER $APP_USER
-WORKDIR /home/$APP_USER/app

data/docker-compose.yml

@@ -1,12 +0,0 @@
-version: '2'
-services:
-  app:
-    build: .
-    image: devise_jwt
-    command: bash -c "bundle && tail -f Gemfile"
-    volumes:
-      - .:/home/devise_jwt_user/app
-    tty: true
-    stdin_open: true
-    tmpfs:
-      - /tmp