RubyGems - devise-jwt - Versions diffs - 0.5.4 → 0.5.5 - Mend

devise-jwt 0.5.4 → 0.5.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 32fe8c3c030561e41ec59fdd1c8b908383f6b17a
-  data.tar.gz: 4e6963a574f5b2ce85348c6cf7d517012d8211c5
+  metadata.gz: 57b63a9ada186b91ddf11b892501aabae2f4492d
+  data.tar.gz: fa3f300ec74e2486c89a8c1a43ddd5e2cf7de9dd
 SHA512:
-  metadata.gz: 71cf006f402864377c0beb7651034b23aacb0e8d9f69843f6b2a32226a0e28b3ef574e608dde454e9d9bacb0bfc65467d07fd11b815a0d716c42921ec3bb82f4
-  data.tar.gz: a1d2488ef35b9943ddcb071b4ead6f5f9392e52027d26323e5af75c52d6c03534f9b566ac955d3f12020360c7e8b163bf8656a637804f29dd98367439c9ea880
+  metadata.gz: a3266cc44d2018dba06637e32ddc38c7d03a10d51db4c2417e3c4fd7efa4972bbc62e85176fab2b69aadebf5be34ade00685d32f08e609c0782fa16b288db74d
+  data.tar.gz: 6b633a9f667ee171e4b7c874ccbd321959b91c3581cc92c63a2d599ac9aa67db4eaff2088d5b3c0d725b3498fa6fc480917af85509785dae1d4f4ef1419baa42

data/CHANGELOG.md CHANGED

@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
+## [0.5.5] - 2018-01-30
+### Fixed
+- Update `warden-jwt_auth` dependency to reenable JWT scopes being stored to
+  the session and inform the user.
 ## [0.5.4] - 2018-01-09
 ### Fixed
 - Update `warden-jwt_auth` dependency to allow a JWT scope to be fetched from

data/README.md CHANGED

@@ -26,7 +26,7 @@ You can read about which security concerns this library takes into account and a
 Add this line to your application's Gemfile:
 ```ruby
-gem 'devise-jwt', '~> 0.5.4'
+gem 'devise-jwt', '~> 0.5.5'
 ```
 And then execute:
@@ -111,6 +111,42 @@ config.middleware.insert_before 0, Rack::Cors do
 end
 ```
+#### Session storage caveat
+If you are working with a Rails application that has session storage enabled
+and a default devise setup, chances are that same origin requests will be
+authenticated from the session regardless of a token being present in the
+headers or not.
+This is so because of the following default devise workflow:
+- When a user signs in with `:database_authenticatable` strategy, the user is
+  stored in the session unless one of the following conditions is met:
+  - Session is disabled.
+  - Devise `config.skip_session_storage` includes `:params_auth`.
+  - [Rails Request forgery
+    protection](http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html)
+    handles an unverified request (but this is usually deactivated for API
+    requests).
+- Warden (the engine below devise), authenticates any request that has the user
+  in the session without even reaching to any strategy (`:jwt_authenticatable`
+  in our case).
+So, if you want to avoid this caveat you have two options:
+- Disable the session. If you are developing an API, probably you don't need
+  it. In order to disable it, change `config/initializers/session_store.rb` to:
+  ```ruby
+  Rails.application.config.session_store :disabled
+  ```
+  Notice that if you created the application with the `--api` flag you already
+  have the session disabled.
+- If you still need the session for any other purpose, disable
+  `:database_authenticatable` user storage. In `config/initializers/devise.rb`:
+  ```ruby
+  config.skip_session_storage = [:http_auth, :params_auth]
+  ```
 ### Revocation strategies
 `devise-jwt` comes with three revocation strategies out of the box. Some of them are implementations of what is discussed in the blog post [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies/), where I also talk about their pros and cons.
@@ -311,9 +347,9 @@ end
 ### Testing
-Models configured with `:jwt_authenticatable` can't be retrieved from the
-session. For this reason, `sign_in` devise testing helper methods won't work as
-expected.
+Models configured with `:jwt_authenticatable` usually won't be retrieved from
+the session. For this reason, `sign_in` devise testing helper methods won't
+work as expected.
 What you need to do in order to authenticate test environment requests is the
 same that you will do in production: to provide a valid token in the

data/devise-jwt.gemspec CHANGED

@@ -22,7 +22,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
   spec.add_dependency 'devise', '~> 4.0'
-  spec.add_dependency 'warden-jwt_auth', '~> 0.3.4'
+  spec.add_dependency 'warden-jwt_auth', '~> 0.3.5'
   spec.add_development_dependency "bundler", "~> 1.12"
   spec.add_development_dependency "rake", "~> 10.0"

data/lib/devise/jwt/version.rb CHANGED

@@ -2,6 +2,6 @@
 module Devise
   module JWT
-    VERSION = '0.5.4'
+    VERSION = '0.5.5'
   end
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-jwt
 version: !ruby/object:Gem::Version
-  version: 0.5.4
+  version: 0.5.5
 platform: ruby
 authors:
 - Marc Busqué
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2018-01-09 00:00:00.000000000 Z
+date: 2018-01-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.4
+        version: 0.3.5
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.4
+        version: 0.3.5
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement