RubyGems - devise-jwt - Versions diffs - 0.11.0 → 0.12.1 - Mend

devise-jwt 0.11.0 → 0.12.1

Files changed (9) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2edd445c57c9d9cd2ed101bc9fd9e2678a4ef8dee9b671d168e5083a08edff2b
-  data.tar.gz: 2e8c86be9239ac50fe91589ddacc9110c8df84887d7f2e72a5477afa325fc961
+  metadata.gz: a98fec2d0b17caa885ee365a32465e0343bc297d5abff540e24a92ce9500b2f6
+  data.tar.gz: 696838ef6812514d0db046f710d3ee027f09d521b6cc7e8da8b902167adf644f
 SHA512:
-  metadata.gz: 2d9658efde24910caf33abbfdc4ad050900a7904db121612c57023d74db89f5912cadc01c9b1cb69709ece57485b99743ce8c2c3b9f9a86fb6347ce54f270489
-  data.tar.gz: d01552367f5d62ce7b454434d97f840f90c2bafe284c3d5c5ae83bb4fdf541056c895613b7dfb1556d2858fb8a521d824e87f7c08a96aec439ef4aa6d7f6c0c6
+  metadata.gz: 7c4c4f38cb9657c4887e1e494f671430e85c067afd0e48ef4304ea3e86c2c3026c4c1a7debb90581fb08bca4eb638767d9d3dc93270cc2622d32acebf2843c8f
+  data.tar.gz: cc33344c9c81402304a948eb040f5993b45c00acea9efaa4a645186fa1ffd32cccec3d2c2eaa42fae4b7c76edaf707099c47cc6883160fdd0a8db1b1b5be0591

data/.github/workflows/ci.yml CHANGED Viewed

@@ -7,10 +7,10 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        ruby-version: ['3.0', '3.1', '3.2', ruby-head]
+        ruby-version: ['3.0', '3.1', '3.2', '3.3', ruby-head]
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Ruby ${{ matrix.ruby-version }}
       uses: ruby/setup-ruby@v1
       with:

data/.github/workflows/lint.yml CHANGED Viewed

@@ -6,7 +6,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Set up Ruby ${{ matrix.ruby-version }}
       uses: ruby/setup-ruby@v1
       with:

data/CHANGELOG.md CHANGED Viewed

@@ -1,9 +1,17 @@
-# Change Log
+[#](#) Change Log
 All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
+## [0.12.1] - 2024-07-12
+- Fix properly support for `token_header` & `issuer` config options
+## [0.12.0] - 2024-07-10
+### Added
+- Add support for `token_header` config
+- Add support for `issuer` config
 ## [0.11.0] - 2023-05-10
 ### Added
 - Add support for rotation_secret

data/README.md CHANGED Viewed

@@ -101,7 +101,7 @@ Devise.setup do |config|
 end
 ```
-> **Important:** You are encouraged to use a secret different than your application `secret_key_base`. It is quite possible that some other component of your system is already using it. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. In rails, generating new secrets is as easy as `bundle exec rake secret`. Also, never share your secrets pushing it to a remote repository, you are better off using an environment variable like in the example.
+> **Important:** You are encouraged to use a secret different than your application `secret_key_base`. It is quite possible that some other component of your system is already using it. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. In rails, generating new secrets is as easy as `rails secret`. Also, never share your secrets pushing it to a remote repository, you are better off using an environment variable like in the example.
 Currently, HS256 algorithm is the one in use. You may configure a matching secret and algorithm name to use a different one (see [ruby-jwt](https://github.com/jwt/ruby-jwt#algorithms-and-usage) to see which are supported):
@@ -202,10 +202,11 @@ This is so because of the following default Devise workflow:
   in the session without requiring a strategy (`:jwt_authenticatable`
   in our case).
-So, if you want to avoid this caveat you have three options:
+So, if you want to avoid this caveat you have five options:
 - Disable the session. If you are developing an API, you probably don't need
   it. In order to disable it, change `config/initializers/session_store.rb` to:
   ```ruby
   Rails.application.config.session_store :disabled
   ```
@@ -213,18 +214,41 @@ So, if you want to avoid this caveat you have three options:
   have the session disabled.
 - If you still need the session for any other purpose, disable
   `:database_authenticatable` user storage. In `config/initializers/devise.rb`:
   ```ruby
   config.skip_session_storage = [:http_auth, :params_auth]
   ```
 - If you are using Devise for another model (e.g. `AdminUser`) and doesn't want
   to disable session storage for Devise entirely, you can disable it on a
   per-model basis:
   ```ruby
   class User < ApplicationRecord
     devise :database_authenticatable #, your other enabled modules...
     self.skip_session_storage = [:http_auth, :params_auth]
   end
   ```
+- If you need the session for some of the controllers, you are able to disable it at
+  the controller level for those controllers which don't need it:
+  ```ruby
+  class AdminsController < ApplicationController
+    before_action :drop_session_cookie
+    private
+    def drop_session_cookie
+      request.session_options[:skip] = true
+    end
+  ```
+- As the last option you can tell Devise to not store the user in the Warden session
+  if you override default Devise `SessionsController` with your own one, and pass
+  `store: false` attribute to the `sign_in`, `sign_in_and_redirect`, `bypass_sign_in`
+  methods:
+  ```ruby
+  sign_in user, store: false
+  ```
 ### Revocation strategies
@@ -547,6 +571,19 @@ jwt.request_formats = {
 By default, only requests without format are processed.
+#### token_header
+Request/response header which will transmit the JWT token.
+Defaults to 'Authorization'
+#### issuer
+Expected issuer claim. If present, it will be checked against the incoming
+token issuer claim and authorization will be skipped if they don't match.
+Defaults to nil.
 #### aud_header
 Request header which content will be stored to the `aud` claim in the payload.
@@ -563,6 +600,25 @@ like an OAuth workflow with client id and client secret.
 Defaults to `JWT_AUD`.
+#### token_header
+Request header containing the token in the format of `Bearer #{token}`.
+Defaults to `Authorization`.
+#### issuer
+The [issuer claim in the token](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1).
+If present, it will be checked against the incoming token issuer claim and
+authorization will be skipped if they don't match.
+Defaults to `nil`.
+```ruby
+jwt.issuer = 'http://myapp.com'
+```
 ## Development
 There are docker and docker-compose files configured to create a development environment for this gem. So, if you use Docker you only need to run:

data/devise-jwt.gemspec CHANGED Viewed

@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
   spec.add_dependency 'devise', '~> 4.0'
-  spec.add_dependency 'warden-jwt_auth', '~> 0.8'
+  spec.add_dependency 'warden-jwt_auth', '~> 0.10'
   spec.add_development_dependency "bundler", "> 1"
   spec.add_development_dependency "rake", "~> 13.0"

data/lib/devise/jwt/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Devise
   module JWT
-    VERSION = '0.11.0'
+    VERSION = '0.12.1'
   end
 end

data/lib/devise/jwt.rb CHANGED Viewed

@@ -58,6 +58,14 @@ module Devise
             default: Warden::JWTAuth.config.revocation_requests,
             constructor: ->(value) { forward_to_warden(:revocation_requests, value) })
+    setting(:token_header,
+            default: Warden::JWTAuth.config.token_header,
+            constructor: ->(value) { forward_to_warden(:token_header, value) })
+    setting(:issuer,
+            default: Warden::JWTAuth.config.issuer,
+            constructor: ->(value) { forward_to_warden(:issuer, value) })
     setting(:aud_header,
             default: Warden::JWTAuth.config.aud_header,
             constructor: ->(value) { forward_to_warden(:aud_header, value) })

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-jwt
 version: !ruby/object:Gem::Version
-  version: 0.11.0
+  version: 0.12.1
 platform: ruby
 authors:
 - Marc Busqué
-autorequire:
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2023-05-10 00:00:00.000000000 Z
+date: 2024-07-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: '0.10'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: '0.10'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -222,7 +222,7 @@ homepage: https://github.com/waiting-for-dev/devise-jwt
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -237,8 +237,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.3.7
-signing_key:
+rubygems_version: 3.5.9
+signing_key:
 specification_version: 4
 summary: JWT authentication for devise
 test_files: []