devise-jwt 0.3.0 → 0.4.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/README.md +19 -4
- data/lib/devise/jwt/revocation_strategies/blacklist.rb +2 -1
- data/lib/devise/jwt/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 57dbd666a512c877cf3989c9f29d6a5c46467d49
|
|
4
|
+
data.tar.gz: 63b617a8088adaf8e320a93728147829748b5ec2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: d831413c6c9da16087894f95a7988c62e457d75dfdc3b90d8a59255859158ee9e54c67b981dbc0ae5e6ff7e137f426c59f351a16192cc0a8bb690fb5b995ba0d
|
|
7
|
+
data.tar.gz: f2af5bba7256f2990d6f3be6e553446a5d3bc8e60cf2b0d59a67c2f80f3f878b3ebf9f4d8a0f9afdec940a970468061d239b89f583e4482bed92ee7881d9f387
|
data/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
|
|
|
4
4
|
The format is based on [Keep a Changelog](http://keepachangelog.com/)
|
|
5
5
|
and this project adheres to [Semantic Versioning](http://semver.org/).
|
|
6
6
|
|
|
7
|
+
## [0.4.0] - 2017-08-07
|
|
8
|
+
|
|
9
|
+
### Added
|
|
10
|
+
- Store `exp` in the blacklist strategy to easy cleaning tasks
|
|
11
|
+
|
|
7
12
|
## [0.3.0] - 2017-06-07
|
|
8
13
|
### Fixed
|
|
9
14
|
- Allow configuring request formats to take into account through
|
data/README.md
CHANGED
|
@@ -10,7 +10,7 @@
|
|
|
10
10
|
You can read about which security concerns this library takes into account and about JWT generic secure usage in the following series of posts:
|
|
11
11
|
|
|
12
12
|
- [Stand Up for JWT Revocation](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation/)
|
|
13
|
-
- [JWT
|
|
13
|
+
- [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies/)
|
|
14
14
|
- [JWT Secure Usage](http://waiting-for-dev.github.io/blog/2017/01/25/jwt_secure_usage/)
|
|
15
15
|
- [A secure JWT authentication implementation for Rack and Rails](http://waiting-for-dev.github.io/blog/2017/01/26/a_secure_jwt_authentication_implementation_for_rack_and_rails/)
|
|
16
16
|
|
|
@@ -21,7 +21,7 @@ You can read about which security concerns this library takes into account and a
|
|
|
21
21
|
Add this line to your application's Gemfile:
|
|
22
22
|
|
|
23
23
|
```ruby
|
|
24
|
-
gem 'devise-jwt', '~> 0.
|
|
24
|
+
gem 'devise-jwt', '~> 0.3.0'
|
|
25
25
|
```
|
|
26
26
|
|
|
27
27
|
And then execute:
|
|
@@ -60,6 +60,8 @@ You have to tell which user models you want to be able to authenticate with JWT
|
|
|
60
60
|
- The client can use this token to authenticate following requests for the same user, providing it in the `Authorization` request header, also with format `Bearer #{token}`
|
|
61
61
|
- When the client visits devise destroy session request, the token is revoked.
|
|
62
62
|
|
|
63
|
+
See [request_formats](#request_formats) configuration option if you are using paths with a format segment (like `.json`) in order to use it properly.
|
|
64
|
+
|
|
63
65
|
As you see, unlike other JWT authentication libraries, it is expected that tokens will be revoked by the server. I wrote about [why I think JWT revocation is needed and useful](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation/).
|
|
64
66
|
|
|
65
67
|
An example configuration:
|
|
@@ -79,9 +81,11 @@ def jwt_payload
|
|
|
79
81
|
end
|
|
80
82
|
```
|
|
81
83
|
|
|
84
|
+
Note: if you are making cross-domain requests, make sure that you add `Authorization` header to the list of allowed request headers and exposed response headers. You can use something like [rack-cors](https://github.com/cyu/rack-cors) for that.
|
|
85
|
+
|
|
82
86
|
### Revocation strategies
|
|
83
87
|
|
|
84
|
-
`devise-jwt` comes with two revocation strategies out of the box. They are implementations of what is discussed in the blog post [JWT
|
|
88
|
+
`devise-jwt` comes with two revocation strategies out of the box. They are implementations of what is discussed in the blog post [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies/), where I also talk about their pros and cons.
|
|
85
89
|
|
|
86
90
|
#### JTIMatcher
|
|
87
91
|
|
|
@@ -138,13 +142,24 @@ In order to use it, you need to create the blacklist table in a migration:
|
|
|
138
142
|
def change
|
|
139
143
|
create_table :jwt_blacklist do |t|
|
|
140
144
|
t.string :jti, null: false
|
|
145
|
+
t.datetime :exp, null: false
|
|
141
146
|
end
|
|
142
147
|
add_index :jwt_blacklist, :jti
|
|
143
148
|
end
|
|
144
149
|
```
|
|
145
|
-
|
|
146
150
|
For performance reasons, it is better if the `jti` column is an index.
|
|
147
151
|
|
|
152
|
+
Note: if you used the blacklist strategy before vesion 0.4.0 you may not have the field *exp.* If not, run the following migration:
|
|
153
|
+
|
|
154
|
+
```ruby
|
|
155
|
+
class AddExpirationTimeToJWTBlacklist < ActiveRecord::Migration
|
|
156
|
+
def change
|
|
157
|
+
add_column :jwt_blacklist, :exp, :datetime, null: false
|
|
158
|
+
end
|
|
159
|
+
end
|
|
160
|
+
|
|
161
|
+
```
|
|
162
|
+
|
|
148
163
|
Then, you need to create the corresponding model and include the strategy:
|
|
149
164
|
|
|
150
165
|
```ruby
|
data/lib/devise/jwt/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: devise-jwt
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.4.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Marc Busqué
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-
|
|
11
|
+
date: 2017-08-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: devise
|