devise-jwt 0.11.0 → 0.12.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.github/workflows/ci.yml +2 -2
- data/.github/workflows/lint.yml +1 -1
- data/CHANGELOG.md +6 -1
- data/README.md +45 -2
- data/devise-jwt.gemspec +1 -1
- data/lib/devise/jwt/version.rb +1 -1
- metadata +8 -8
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 04ea0b0abaaaf9486d4bc19ca5dfed4c867e12071934e8bb963fccd9fbd4fd90
|
4
|
+
data.tar.gz: 36375dfe1a8be67b238b8bddb1d7ccffb5c207a36faa380230fd99968f746421
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f07dbe6fafbcd51f6c380866432db7b2c372c576005ec307a0eaaacd73f1dd10b9d9fae9783da5e6a5afca15ea021262ac4068738d4a3648cb87602e8acbd089
|
7
|
+
data.tar.gz: 345765410de35fe76e5603ba4a42ce0f0bba52eb3743a627418b84e283bbdeffdd4cb6b0ebe932d8e88de41ca112d358ebc6b3cde9a52bda9b128e2425c60fc5
|
data/.github/workflows/ci.yml
CHANGED
@@ -7,10 +7,10 @@ jobs:
|
|
7
7
|
runs-on: ubuntu-latest
|
8
8
|
strategy:
|
9
9
|
matrix:
|
10
|
-
ruby-version: ['3.0', '3.1', '3.2', ruby-head]
|
10
|
+
ruby-version: ['3.0', '3.1', '3.2', '3.3', ruby-head]
|
11
11
|
|
12
12
|
steps:
|
13
|
-
- uses: actions/checkout@
|
13
|
+
- uses: actions/checkout@v4
|
14
14
|
- name: Set up Ruby ${{ matrix.ruby-version }}
|
15
15
|
uses: ruby/setup-ruby@v1
|
16
16
|
with:
|
data/.github/workflows/lint.yml
CHANGED
data/CHANGELOG.md
CHANGED
@@ -1,9 +1,14 @@
|
|
1
|
-
# Change Log
|
1
|
+
[#](#) Change Log
|
2
2
|
All notable changes to this project will be documented in this file.
|
3
3
|
|
4
4
|
The format is based on [Keep a Changelog](http://keepachangelog.com/)
|
5
5
|
and this project adheres to [Semantic Versioning](http://semver.org/).
|
6
6
|
|
7
|
+
## [0.12.0] - 2024-07-10
|
8
|
+
### Added
|
9
|
+
- Add support for `token_header` config
|
10
|
+
- Add support for `issuer` config
|
11
|
+
|
7
12
|
## [0.11.0] - 2023-05-10
|
8
13
|
### Added
|
9
14
|
- Add support for rotation_secret
|
data/README.md
CHANGED
@@ -101,7 +101,7 @@ Devise.setup do |config|
|
|
101
101
|
end
|
102
102
|
```
|
103
103
|
|
104
|
-
> **Important:** You are encouraged to use a secret different than your application `secret_key_base`. It is quite possible that some other component of your system is already using it. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. In rails, generating new secrets is as easy as `
|
104
|
+
> **Important:** You are encouraged to use a secret different than your application `secret_key_base`. It is quite possible that some other component of your system is already using it. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. In rails, generating new secrets is as easy as `rails secret`. Also, never share your secrets pushing it to a remote repository, you are better off using an environment variable like in the example.
|
105
105
|
|
106
106
|
Currently, HS256 algorithm is the one in use. You may configure a matching secret and algorithm name to use a different one (see [ruby-jwt](https://github.com/jwt/ruby-jwt#algorithms-and-usage) to see which are supported):
|
107
107
|
|
@@ -202,10 +202,11 @@ This is so because of the following default Devise workflow:
|
|
202
202
|
in the session without requiring a strategy (`:jwt_authenticatable`
|
203
203
|
in our case).
|
204
204
|
|
205
|
-
So, if you want to avoid this caveat you have
|
205
|
+
So, if you want to avoid this caveat you have five options:
|
206
206
|
|
207
207
|
- Disable the session. If you are developing an API, you probably don't need
|
208
208
|
it. In order to disable it, change `config/initializers/session_store.rb` to:
|
209
|
+
|
209
210
|
```ruby
|
210
211
|
Rails.application.config.session_store :disabled
|
211
212
|
```
|
@@ -213,18 +214,41 @@ So, if you want to avoid this caveat you have three options:
|
|
213
214
|
have the session disabled.
|
214
215
|
- If you still need the session for any other purpose, disable
|
215
216
|
`:database_authenticatable` user storage. In `config/initializers/devise.rb`:
|
217
|
+
|
216
218
|
```ruby
|
217
219
|
config.skip_session_storage = [:http_auth, :params_auth]
|
218
220
|
```
|
219
221
|
- If you are using Devise for another model (e.g. `AdminUser`) and doesn't want
|
220
222
|
to disable session storage for Devise entirely, you can disable it on a
|
221
223
|
per-model basis:
|
224
|
+
|
222
225
|
```ruby
|
223
226
|
class User < ApplicationRecord
|
224
227
|
devise :database_authenticatable #, your other enabled modules...
|
225
228
|
self.skip_session_storage = [:http_auth, :params_auth]
|
226
229
|
end
|
227
230
|
```
|
231
|
+
- If you need the session for some of the controllers, you are able to disable it at
|
232
|
+
the controller level for those controllers which don't need it:
|
233
|
+
|
234
|
+
```ruby
|
235
|
+
class AdminsController < ApplicationController
|
236
|
+
before_action :drop_session_cookie
|
237
|
+
|
238
|
+
private
|
239
|
+
|
240
|
+
def drop_session_cookie
|
241
|
+
request.session_options[:skip] = true
|
242
|
+
end
|
243
|
+
```
|
244
|
+
- As the last option you can tell Devise to not store the user in the Warden session
|
245
|
+
if you override default Devise `SessionsController` with your own one, and pass
|
246
|
+
`store: false` attribute to the `sign_in`, `sign_in_and_redirect`, `bypass_sign_in`
|
247
|
+
methods:
|
248
|
+
|
249
|
+
```ruby
|
250
|
+
sign_in user, store: false
|
251
|
+
```
|
228
252
|
|
229
253
|
### Revocation strategies
|
230
254
|
|
@@ -563,6 +587,25 @@ like an OAuth workflow with client id and client secret.
|
|
563
587
|
|
564
588
|
Defaults to `JWT_AUD`.
|
565
589
|
|
590
|
+
#### token_header
|
591
|
+
|
592
|
+
Request header containing the token in the format of `Bearer #{token}`.
|
593
|
+
|
594
|
+
Defaults to `Authorization`.
|
595
|
+
|
596
|
+
#### issuer
|
597
|
+
|
598
|
+
The [issuer claim in the token](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1).
|
599
|
+
|
600
|
+
If present, it will be checked against the incoming token issuer claim and
|
601
|
+
authorization will be skipped if they don't match.
|
602
|
+
|
603
|
+
Defaults to `nil`.
|
604
|
+
|
605
|
+
```ruby
|
606
|
+
jwt.issuer = 'http://myapp.com'
|
607
|
+
```
|
608
|
+
|
566
609
|
## Development
|
567
610
|
|
568
611
|
There are docker and docker-compose files configured to create a development environment for this gem. So, if you use Docker you only need to run:
|
data/devise-jwt.gemspec
CHANGED
@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
|
|
22
22
|
spec.require_paths = ["lib"]
|
23
23
|
|
24
24
|
spec.add_dependency 'devise', '~> 4.0'
|
25
|
-
spec.add_dependency 'warden-jwt_auth', '~> 0.
|
25
|
+
spec.add_dependency 'warden-jwt_auth', '~> 0.10'
|
26
26
|
|
27
27
|
spec.add_development_dependency "bundler", "> 1"
|
28
28
|
spec.add_development_dependency "rake", "~> 13.0"
|
data/lib/devise/jwt/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: devise-jwt
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.12.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Marc Busqué
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2024-07-10 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: devise
|
@@ -30,14 +30,14 @@ dependencies:
|
|
30
30
|
requirements:
|
31
31
|
- - "~>"
|
32
32
|
- !ruby/object:Gem::Version
|
33
|
-
version: '0.
|
33
|
+
version: '0.10'
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
38
|
- - "~>"
|
39
39
|
- !ruby/object:Gem::Version
|
40
|
-
version: '0.
|
40
|
+
version: '0.10'
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: bundler
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
@@ -222,7 +222,7 @@ homepage: https://github.com/waiting-for-dev/devise-jwt
|
|
222
222
|
licenses:
|
223
223
|
- MIT
|
224
224
|
metadata: {}
|
225
|
-
post_install_message:
|
225
|
+
post_install_message:
|
226
226
|
rdoc_options: []
|
227
227
|
require_paths:
|
228
228
|
- lib
|
@@ -237,8 +237,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
237
237
|
- !ruby/object:Gem::Version
|
238
238
|
version: '0'
|
239
239
|
requirements: []
|
240
|
-
rubygems_version: 3.
|
241
|
-
signing_key:
|
240
|
+
rubygems_version: 3.5.9
|
241
|
+
signing_key:
|
242
242
|
specification_version: 4
|
243
243
|
summary: JWT authentication for devise
|
244
244
|
test_files: []
|