devise-jwt 0.3.0 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/README.md +19 -4
- data/lib/devise/jwt/revocation_strategies/blacklist.rb +2 -1
- data/lib/devise/jwt/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 57dbd666a512c877cf3989c9f29d6a5c46467d49
|
4
|
+
data.tar.gz: 63b617a8088adaf8e320a93728147829748b5ec2
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: d831413c6c9da16087894f95a7988c62e457d75dfdc3b90d8a59255859158ee9e54c67b981dbc0ae5e6ff7e137f426c59f351a16192cc0a8bb690fb5b995ba0d
|
7
|
+
data.tar.gz: f2af5bba7256f2990d6f3be6e553446a5d3bc8e60cf2b0d59a67c2f80f3f878b3ebf9f4d8a0f9afdec940a970468061d239b89f583e4482bed92ee7881d9f387
|
data/CHANGELOG.md
CHANGED
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
|
|
4
4
|
The format is based on [Keep a Changelog](http://keepachangelog.com/)
|
5
5
|
and this project adheres to [Semantic Versioning](http://semver.org/).
|
6
6
|
|
7
|
+
## [0.4.0] - 2017-08-07
|
8
|
+
|
9
|
+
### Added
|
10
|
+
- Store `exp` in the blacklist strategy to easy cleaning tasks
|
11
|
+
|
7
12
|
## [0.3.0] - 2017-06-07
|
8
13
|
### Fixed
|
9
14
|
- Allow configuring request formats to take into account through
|
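Review bot: the 0.4.0 entry "Store `exp` in the blacklist strategy to easy cleaning tasks" should read "to ease cleaning tasks", and it should say that this is a schema change rather than a pure addition: installs that already use the blacklist strategy need the `exp` column on `jwt_blacklist` before upgrading (the README hunk in this same release adds a migration for it). A second line under Added, such as "Requires a migration adding `exp` to `jwt_blacklist` for existing installs, see README", would keep users from discovering it in production.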
data/README.md
CHANGED
@@ -10,7 +10,7 @@
|
|
10
10
|
You can read about which security concerns this library takes into account and about JWT generic secure usage in the following series of posts:
|
11
11
|
|
12
12
|
- [Stand Up for JWT Revocation](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation/)
|
13
|
-
- [JWT
|
13
|
+
- [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies/)
|
14
14
|
- [JWT Secure Usage](http://waiting-for-dev.github.io/blog/2017/01/25/jwt_secure_usage/)
|
15
15
|
- [A secure JWT authentication implementation for Rack and Rails](http://waiting-for-dev.github.io/blog/2017/01/26/a_secure_jwt_authentication_implementation_for_rack_and_rails/)
|
16
16
|
|
@@ -21,7 +21,7 @@ You can read about which security concerns this library takes into account and a
|
|
21
21
|
Add this line to your application's Gemfile:
|
22
22
|
|
23
23
|
```ruby
|
24
|
-
gem 'devise-jwt', '~> 0.
|
24
|
+
gem 'devise-jwt', '~> 0.3.0'
|
25
25
|
```
|
26
26
|
|
27
27
|
And then execute:
|
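Review bot: the Gemfile line `gem 'devise-jwt', '~> 0.3.0'` is out of step with this release. The metadata hunk moves the gem to `version: 0.4.0`, and the pessimistic constraint `~> 0.3.0` resolves to 0.3.x only, so a reader who copies the install snippet never receives the blacklist `exp` change that the rest of this README diff documents. Bump it to `gem 'devise-jwt', '~> 0.4.0'` in the same commit that bumps the version, or use a looser `'~> 0.4'` if minor upgrades are intended to be drop-in.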
@@ -60,6 +60,8 @@ You have to tell which user models you want to be able to authenticate with JWT
|
|
60
60
|
- The client can use this token to authenticate following requests for the same user, providing it in the `Authorization` request header, also with format `Bearer #{token}`
|
61
61
|
- When the client visits devise destroy session request, the token is revoked.
|
62
62
|
|
63
|
+
See [request_formats](#request_formats) configuration option if you are using paths with a format segment (like `.json`) in order to use it properly.
|
64
|
+
|
63
65
|
As you see, unlike other JWT authentication libraries, it is expected that tokens will be revoked by the server. I wrote about [why I think JWT revocation is needed and useful](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation/).
|
64
66
|
|
65
67
|
An example configuration:
|
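Review bot: the added sentence links to `#request_formats`, so a heading whose generated anchor is exactly `request_formats` has to exist in the README for the link to resolve; worth checking since the rest of the diff does not show that section. The sentence itself is clear, but since it sits right after the bullet about the `Authorization: Bearer #{token}` header, it would help to state what happens to a request whose format is not in the configured list (whether the token is ignored or the request is rejected), because that decides whether a misconfigured format silently bypasses authentication checks for that path.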
@@ -79,9 +81,11 @@ def jwt_payload
|
|
79
81
|
end
|
80
82
|
```
|
81
83
|
|
84
|
+
Note: if you are making cross-domain requests, make sure that you add `Authorization` header to the list of allowed request headers and exposed response headers. You can use something like [rack-cors](https://github.com/cyu/rack-cors) for that.
|
85
|
+
|
82
86
|
### Revocation strategies
|
83
87
|
|
84
|
-
`devise-jwt` comes with two revocation strategies out of the box. They are implementations of what is discussed in the blog post [JWT
|
88
|
+
`devise-jwt` comes with two revocation strategies out of the box. They are implementations of what is discussed in the blog post [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies/), where I also talk about their pros and cons.
|
85
89
|
|
86
90
|
#### JTIMatcher
|
87
91
|
|
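Review bot: the cross-domain note tells readers to allow and expose the `Authorization` header via rack-cors, but it should also say not to pair that with a wildcard origin. Because the token is handed to the client in a response header and then sent back on every request, the `origins` entry in the rack-cors configuration should be the explicit list of front-end hosts, so the header is exposed only to them. One added clause, "and restrict `origins` to your own front-end hosts rather than `*`", covers it.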
@@ -138,13 +142,24 @@ In order to use it, you need to create the blacklist table in a migration:
|
|
138
142
|
def change
|
139
143
|
create_table :jwt_blacklist do |t|
|
140
144
|
t.string :jti, null: false
|
145
|
+
t.datetime :exp, null: false
|
141
146
|
end
|
142
147
|
add_index :jwt_blacklist, :jti
|
143
148
|
end
|
144
149
|
```
|
145
|
-
|
146
150
|
For performance reasons, it is better if the `jti` column is an index.
|
147
151
|
|
152
|
+
Note: if you used the blacklist strategy before vesion 0.4.0 you may not have the field *exp.* If not, run the following migration:
|
153
|
+
|
154
|
+
```ruby
|
155
|
+
class AddExpirationTimeToJWTBlacklist < ActiveRecord::Migration
|
156
|
+
def change
|
157
|
+
add_column :jwt_blacklist, :exp, :datetime, null: false
|
158
|
+
end
|
159
|
+
end
|
160
|
+
|
161
|
+
```
|
162
|
+
|
148
163
|
Then, you need to create the corresponding model and include the strategy:
|
149
164
|
|
150
165
|
```ruby
|
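Review bot: the upgrade migration `add_column :jwt_blacklist, :exp, :datetime, null: false` adds a NOT NULL column with no default, which fails on any database where `jwt_blacklist` already has rows, and that is exactly the audience the note addresses (users of the blacklist strategy before 0.4.0). Either add the column nullable, backfill or purge the old rows, then apply the constraint with `change_column_null :jwt_blacklist, :exp, false`, or document that the table may be emptied first (rows whose tokens have already expired are no longer needed). Two smaller points on the same hunk: the prose has "vesion" for "version" and "If not, run the following migration" should be "If so, run the following migration", since the reader who lacks the column is the one who needs it; and because `exp` exists to ease cleaning tasks, an `add_index :jwt_blacklist, :exp` next to the existing `jti` index would let the cleanup delete use an index instead of scanning the whole table.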
data/lib/devise/jwt/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: devise-jwt
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.4.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Marc Busqué
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2017-
|
11
|
+
date: 2017-08-07 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: devise
|
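Review bot: `cert_chain: []` is unchanged, so 0.4.0 ships unsigned like 0.3.0 and the only integrity check a consumer gets is the registry checksum replaced in the checksums.yaml hunk above; if gem signing is not planned, it is worth saying so in the README so users know to pin by version and checksum. The `version: 0.4.0` and `date: 2017-08-07` lines match the new CHANGELOG entry, so the release metadata itself is consistent.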