devise-jwt 0.5.6 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: a1dcf5432b3eca3682d6eda74ea8659a4de99692
-  data.tar.gz: 98ca51ba3d3e16558f3e2690504f517fffe45b73
+SHA256:
+  metadata.gz: 1a4a4e4cfd349ee9e76533374b8269516152d37ddafd77b04c55a1d6d53b49c7
+  data.tar.gz: 06d6b7627bbbf01ce30796856236e8e854ad083bf35bfabb3972b1744f6fe8b8
 SHA512:
-  metadata.gz: 5f4a10c20c6dd4638f7fdf661f7715d93a7337dc1e7458f507a2c0f0dcebc80ca58108783a2ded9cbf3c6efda25773e6ce8916a17029b542726ea512eb2ce161
-  data.tar.gz: 930058ffefc9dfcfcf47143fbbb27cc81ad10e5528ec99e860d8d0e64ee144fee8b0ed5684ade1f83f28fe1e397cc9a63038ff77f0c5acb0058583bc08634754
+  metadata.gz: 2574faee8bb3ca9f7481335360534104e04308772c6c0a1e19b4d2c0fafeb3d075d2faae2e23f98aee7115d9e64f9105b1020cc30825d8e40a633da1404b29de
+  data.tar.gz: bba859af422238968a66f01e13771db8efedf3626c5e21d67f16c192467c4ed1213d9844a6a0e615754c657155ea8b8dc972ac7bacd4c6b7984ce6c70e7c9f4b

data/.travis.yml

@@ -1,9 +1,8 @@
-sudo: false
 language: ruby
 rvm:
-  - 2.2.6
-  - 2.3.3
-  - 2.4.0
+  - 2.5
+  - 2.6
+  - 2.7
 before_install:
   - gem update --system --no-doc
   - bundle install --gemfile=.overcommit_gems.rb

data/CHANGELOG.md

@@ -4,6 +4,26 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) 
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [0.7.0] - 2020-06-03
+### Fixed
+- Replace whitelist/blacklist terminology with allowlist/denylist
+
+## [0.6.0] - 2019-08-01
+### Fixed
+- Update warden-jwt_auth dependency to v0.4.0 so that now it is possible to configure algorithm.
+
+## [0.5.9] - 2019-03-29
+### Fixed
+- Update dependencies.
+
+## [0.5.8] - 2018-09-07
+### Fixed
+- Fix test helper to persist whitelisted tokens.
+
+## [0.5.7] - 2018-06-22
+### Added
+- Use `primary_key` instead of `id` to fetch resource.
+
 ## [0.5.6] - 2018-02-22
 ### Fixed
 - Work with more than one `sign_out_via` configured

data/README.md

@@ -26,7 +26,7 @@ You can read about which security concerns this library takes into account and a
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'devise-jwt', '~> 0.5.6'
+gem 'devise-jwt', '~> 0.6.0'
 ```
 
 And then execute:
@@ -76,7 +76,7 @@ An example configuration:
 ```ruby
 class User < ApplicationRecord
   devise :database_authenticatable,
-         :jwt_authenticatable, jwt_revocation_strategy: Blacklist
+         :jwt_authenticatable, jwt_revocation_strategy: Denylist
 end
 ```
 
@@ -132,7 +132,7 @@ This is so because of the following default devise workflow:
   in the session without even reaching to any strategy (`:jwt_authenticatable`
   in our case).
 
-So, if you want to avoid this caveat you have two options:
+So, if you want to avoid this caveat you have three options:
 
 - Disable the session. If you are developing an API, probably you don't need
   it. In order to disable it, change `config/initializers/session_store.rb` to:
@@ -146,6 +146,15 @@ So, if you want to avoid this caveat you have two options:
   ```ruby
   config.skip_session_storage = [:http_auth, :params_auth]
   ```
+- If you are using Devise for another model (e.g. `AdminUser`) and doesn't want
+  to disable session storage for devise entirely, you can disable it on a
+  per-model basis:
+  ```ruby
+  class User < ApplicationRecord
+    devise :database_authenticatable #, your other enabled modules...
+    self.skip_session_storage = [:http_auth, :params_auth]
+  end
+  ```
 
 ### Revocation strategies
 
@@ -157,7 +166,7 @@ Here, the model class acts itself as the revocation strategy. It needs a new str
 
 It works like the following:
 
-- At the same time that a token is dispatched for a user, the `jti` claim is persisted to the `jti` column.
+- When a token is dispatched for a user, the `jti` claim is taken from the `jti` column in the model (which has been initialized when the record has been created).
 - At every authenticated action, the incoming token `jti` claim is matched against the `jti` column for that user. The authentication only succeeds if they are the same.
 - When the user requests to sign out its `jti` column changes, so that provided token won't be valid anymore.
 
@@ -182,7 +191,7 @@ Then, you have to add the strategy to the model class and configure it according
 ```ruby
 class User < ApplicationRecord
   include Devise::JWT::RevocationStrategies::JTIMatcher
-  
+
   devise :database_authenticatable,
          :jwt_authenticatable, jwt_revocation_strategy: self
 end
@@ -196,29 +205,29 @@ def jwt_payload
 end
 ```
 
-#### Blacklist
+#### Denylist
 
-In this strategy, a database table is used as a blacklist of revoked JWT tokens. The `jti` claim, which uniquely identifies a token, is persisted. The `exp` claim is also stored to allow the clean-up of staled tokens.
+In this strategy, a database table is used as a list of revoked JWT tokens. The `jti` claim, which uniquely identifies a token, is persisted. The `exp` claim is also stored to allow the clean-up of staled tokens.
 
-In order to use it, you need to create the blacklist table in a migration:
+In order to use it, you need to create the denylist table in a migration:
 
 ```ruby
 def change
-  create_table :jwt_blacklist do |t|
+  create_table :jwt_denylist do |t|
     t.string :jti, null: false
     t.datetime :exp, null: false
   end
-  add_index :jwt_blacklist, :jti
+  add_index :jwt_denylist, :jti
 end
 ```
 For performance reasons, it is better if the `jti` column is an index.
 
-Note: if you used the blacklist strategy before vesion 0.4.0 you may not have the field *exp.* If not, run the following migration:
+Note: if you used the denylist strategy before vesion 0.4.0 you may not have the field *exp.* If not, run the following migration:
 
 ```ruby
-class AddExpirationTimeToJWTBlacklist < ActiveRecord::Migration
+class AddExpirationTimeToJWTDenylist < ActiveRecord::Migration
   def change
-    add_column :jwt_blacklist, :exp, :datetime, null: false
+    add_column :jwt_denylist, :exp, :datetime, null: false
   end
 end
 
@@ -227,10 +236,10 @@ end
 Then, you need to create the corresponding model and include the strategy:
 
 ```ruby
-class JWTBlacklist < ApplicationRecord
-  include Devise::JWT::RevocationStrategies::Blacklist
+class JwtDenylist < ApplicationRecord
+  include Devise::JWT::RevocationStrategies::Denylist
 
-  self.table_name = 'jwt_blacklist'
+  self.table_name = 'jwt_denylist'
 end
 ```
 
@@ -239,11 +248,11 @@ Last, configure the user model to use it:
 ```ruby
 class User < ApplicationRecord
   devise :database_authenticatable,
-         :jwt_authenticatable, jwt_revocation_strategy: JWTBlacklist
+         :jwt_authenticatable, jwt_revocation_strategy: JwtDenylist
 end
 ```
 
-#### Whitelist
+#### Allowlist
 
 Here, the model itself acts also as a revocation strategy, but it needs to have
 a one-to-many association with another table which stores the tokens (in fact
@@ -266,37 +275,37 @@ devices for the same user.
 The `exp` claim is also stored to allow the clean-up of staled tokens.
 
 In order to use it, you have to create yourself the associated table and model.
-The association table must be called `whitelisted_jwts`:
+The association table must be called `allowlisted_jwts`:
 
 ```ruby
 def change
-  create_table :whitelisted_jwts do |t|
+  create_table :allowlisted_jwts do |t|
     t.string :jti, null: false
     t.string :aud
     # If you want to leverage the `aud` claim, add to it a `NOT NULL` constraint:
     # t.string :aud, null: false
     t.datetime :exp, null: false
-    t.references :your_user_table, foreign_key: true
+    t.references :your_user_table, foreign_key: { on_delete: :cascade }, null: false
   end
-  
-  add_index :whitelisted_jwts, :jti, unique: true
+
+  add_index :allowlisted_jwts, :jti, unique: true
 end
 ```
-Important: You are encouraged to set a unique index in the jti column. This way we can be sure at the database level that there aren't two valid tokens with same jti at the same time.
+Important: You are encouraged to set a unique index in the jti column. This way we can be sure at the database level that there aren't two valid tokens with same jti at the same time. Definining `foreign_key: { on_delete: :cascade }, null: false` on `t.references :your_user_table` helps to keep referential integrity of your database.
 
 And then, the model:
 
 ```ruby
-class WhitelistedJwt < ApplicationRecord
+class AllowlistedJwt < ApplicationRecord
 end
 ```
 
-Finally, include de strategy in the model and configure it:
+Finally, include the strategy in the model and configure it:
 
 ```ruby
 class User < ApplicationRecord
-  include Devise::JWT::RevocationStrategies::Whitelist
-  
+  include Devise::JWT::RevocationStrategies::Allowlist
+
   devise :database_authenticatable,
          :jwt_authenticatable, jwt_revocation_strategy: self
 end
@@ -333,7 +342,7 @@ module MyCustomStrategy
   def self.jwt_revoked?(payload, user)
     # Does something to check whether the JWT token is revoked for given user
   end
-  
+
   def self.revoke_jwt(payload, user)
     # Does something to revoke the JWT token for given user
   end
@@ -378,9 +387,9 @@ require 'devise/jwt/test_helpers'
     headers = { 'Accept' => 'application/json', 'Content-Type' => 'application/json' }
     # This will add a valid token for `user` in the `Authorization` header
     auth_headers = Devise::JWT::TestHelpers.auth_headers(headers, user)
-    
+
     get '/my/end_point', headers: auth_headers
-    
+
     expect_something()
   end
 ```
@@ -425,7 +434,7 @@ jwt.dispatch_requests = [
 
 **Important**: You are encouraged to delimit your regular expression with `^` and `$` to avoid unintentional matches.
 
-#### revocation_requests 
+#### revocation_requests
 
 Besides the destroy session one, additional requests where JWT tokens should be revoked.
 

data/devise-jwt.gemspec

@@ -22,17 +22,17 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency 'devise', '~> 4.0'
-  spec.add_dependency 'warden-jwt_auth', '~> 0.3.5'
+  spec.add_dependency 'warden-jwt_auth', '~> 0.4'
 
-  spec.add_development_dependency "bundler", "~> 1.12"
-  spec.add_development_dependency "rake", "~> 10.0"
-  spec.add_development_dependency "rspec", "~> 3.0"
-  spec.add_development_dependency "pry-byebug", "~> 3.4"
+  spec.add_development_dependency "bundler", "> 1"
+  spec.add_development_dependency "rake", "~> 12.3"
+  spec.add_development_dependency "rspec", "~> 3.8"
+  spec.add_development_dependency "pry-byebug", "~> 3.7"
   # Needed to test the rails fixture application
   spec.add_development_dependency 'rails', '~> 5.0'
   spec.add_development_dependency 'sqlite3', '~> 1.3'
   spec.add_development_dependency 'rspec-rails', '~> 3.5'
   # Test reporting
-  spec.add_development_dependency 'simplecov', '~> 0.13'
+  spec.add_development_dependency 'simplecov', '0.17'
   spec.add_development_dependency 'codeclimate-test-reporter', '~> 1.0'
 end

data/issue_template.md

@@ -0,0 +1,28 @@
+Please, for a bug report fill in the following template. Before that, make sure to read the whole [README](https://github.com/waiting-for-dev/devise-jwt/blob/master/README.md) and check if your issue is not related with [CORS](https://github.com/waiting-for-dev/devise-jwt#model-configuration).
+
+Feature requests and questions about `devise-jwt` are also accepted. It isn't the place for generic questions about using `devise` with an API. For that, read our [wiki page](https://github.com/waiting-for-dev/devise-jwt/wiki/Configuring-devise-for-APIs) or ask somewhere else like [stackoverflow](https://stackoverflow.com/)
+
+## Expected behavior
+
+## Actual behavior
+
+## Steps to Reproduce the Problem
+
+1.
+2.
+3.
+
+## Debugging information
+
+Provide following information. Please, format pasted output as code. Feel free to remove the secret key value.
+
+- Version of `devise-jwt` in use
+- Version of `rails` in use
+- Output of `Devise::JWT.config`
+- Output of `Warden::JWTAuth.config`
+- Output of `Devise.mappings`
+- If your issue is related with not getting a JWT from the server:
+  - Involved request path, method and request headers
+  - Response headers for that request
+- If your issue is related with not being able to revoke a JWT:
+  - Involved request path, method and request headers

data/lib/devise/jwt/defaults_generator.rb

@@ -27,6 +27,7 @@ module Devise
         devise_mappings.each_key do |scope|
           inspector = MappingInspector.new(scope)
           next unless inspector.jwt?
+
           add_defaults(inspector)
         end
         defaults
@@ -62,16 +63,19 @@ module Devise
 
       def add_sign_in_request(inspector)
         return unless inspector.session?
+
         defaults[:dispatch_requests].push(*sign_in_requests(inspector))
       end
 
       def add_registration_request(inspector)
         return unless inspector.registration?
+
         defaults[:dispatch_requests].push(*registration_requests(inspector))
       end
 
       def add_revocation_requests(inspector)
         return unless inspector.session?
+
         defaults[:revocation_requests].push(*sign_out_requests(inspector))
       end
 

data/lib/devise/jwt/models/jwt_authenticatable.rb

@@ -17,7 +17,7 @@ module Devise
 
       included do
         def self.find_for_jwt_authentication(sub)
-          find_by(id: sub)
+          find_by(primary_key => sub)
         end
       end
 

data/lib/devise/jwt/revocation_strategies.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 require 'devise/jwt/revocation_strategies/jti_matcher'
-require 'devise/jwt/revocation_strategies/blacklist'
-require 'devise/jwt/revocation_strategies/whitelist'
+require 'devise/jwt/revocation_strategies/denylist'
+require 'devise/jwt/revocation_strategies/allowlist'
 require 'devise/jwt/revocation_strategies/null'
 
 module Devise

data/lib/devise/jwt/revocation_strategies/{whitelist.rb → allowlist.rb}

@@ -7,32 +7,32 @@ module Devise
     module RevocationStrategies
       # This strategy must be included in the user model.
       #
-      # The JwtWhitelist table must include `jti`, `aud`, `exp` and `user_id`
+      # The JwtAllowlist table must include `jti`, `aud`, `exp` and `user_id`
       # columns
       #
       # In order to tell whether a token is revoked, it just tries to find the
-      # `jti` and `aud` values from the token on the `whitelisted_jwts`
+      # `jti` and `aud` values from the token on the `allowlisted_jwts`
       # table for the respective user.
       #
       # If the values don't exist means the token was revoked.
       # On revocation, it deletes the matching record from the
-      # `whitelisted_jwts` table.
+      # `allowlisted_jwts` table.
       #
       # On sign in, it creates a new record with the `jti` and `aud` values.
-      module Whitelist
+      module Allowlist
         extend ActiveSupport::Concern
 
         included do
-          has_many :whitelisted_jwts, dependent: :destroy
+          has_many :allowlisted_jwts, dependent: :destroy
 
           # @see Warden::JWTAuth::Interfaces::RevocationStrategy#jwt_revoked?
           def self.jwt_revoked?(payload, user)
-            !user.whitelisted_jwts.exists?(payload.slice('jti', 'aud'))
+            !user.allowlisted_jwts.exists?(payload.slice('jti', 'aud'))
           end
 
           # @see Warden::JWTAuth::Interfaces::RevocationStrategy#revoke_jwt
           def self.revoke_jwt(payload, user)
-            jwt = user.whitelisted_jwts.find_by(payload.slice('jti', 'aud'))
+            jwt = user.allowlisted_jwts.find_by(payload.slice('jti', 'aud'))
             jwt.destroy! if jwt
           end
         end
@@ -40,7 +40,7 @@ module Devise
         # Warden::JWTAuth::Interfaces::User#on_jwt_dispatch
         # :reek:FeatureEnvy
         def on_jwt_dispatch(_token, payload)
-          whitelisted_jwts.create!(
+          allowlisted_jwts.create!(
             jti: payload['jti'],
             aud: payload['aud'],
             exp: Time.at(payload['exp'].to_i)

data/lib/devise/jwt/revocation_strategies/{blacklist.rb → denylist.rb}

@@ -10,7 +10,7 @@ module Devise
       #
       # In order to tell whether a token is revoked, it just checks whether
       # `jti` is in the table. On revocation, creates a new record with it.
-      module Blacklist
+      module Denylist
         extend ActiveSupport::Concern
 
         included do

data/lib/devise/jwt/test_helpers.rb

@@ -7,6 +7,10 @@ module Devise
       # Returns headers with a valid token in the `Authorization` header
       # added.
       #
+      # Side effects could happen if you have implemented
+      # `on_jwt_dispatch` method on the user model (as it happens in
+      # the allowlist revocation strategy).
+      #
       # Be aware that a fresh copy of `headers` is returned with the new
       # key/value pair added, instead of modifying given argument.
       #
@@ -18,12 +22,16 @@ module Devise
       # the header name configured in `Devise::JWT.config.aud_header`.
       #
       # :reek:LongParameterList
+      # :reek:ManualDispatch
       def self.auth_headers(headers, user, scope: nil, aud: nil)
         scope ||= Devise::Mapping.find_scope!(user)
         aud ||= headers[Warden::JWTAuth.config.aud_header]
-        token, _payload = Warden::JWTAuth::UserEncoder.new.call(
+        token, payload = Warden::JWTAuth::UserEncoder.new.call(
           user, scope, aud
         )
+        if user.respond_to?(:on_jwt_dispatch)
+          user.on_jwt_dispatch(token, payload)
+        end
         Warden::JWTAuth::HeaderParser.to_headers(headers, token)
       end
     end

data/lib/devise/jwt/version.rb

@@ -2,6 +2,6 @@
 
 module Devise
   module JWT
-    VERSION = '0.5.6'
+    VERSION = '0.7.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-jwt
 version: !ruby/object:Gem::Version
-  version: 0.5.6
+  version: 0.7.0
 platform: ruby
 authors:
 - Marc Busqué
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-02-22 00:00:00.000000000 Z
+date: 2020-06-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -30,70 +30,70 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.5
+        version: '0.4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.3.5
+        version: '0.4'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">"
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: '1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">"
       - !ruby/object:Gem::Version
-        version: '1.12'
+        version: '1'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.3'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.8'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '3.8'
 - !ruby/object:Gem::Dependency
   name: pry-byebug
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
+        version: '3.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.4'
+        version: '3.7'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -140,16 +140,16 @@ dependencies:
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0.13'
+        version: '0.17'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0.13'
+        version: '0.17'
 - !ruby/object:Gem::Dependency
   name: codeclimate-test-reporter
   requirement: !ruby/object:Gem::Requirement
@@ -190,6 +190,7 @@ files:
 - bin/setup
 - devise-jwt.gemspec
 - docker-compose.yml
+- issue_template.md
 - lib/devise/jwt.rb
 - lib/devise/jwt/defaults_generator.rb
 - lib/devise/jwt/mapping_inspector.rb
@@ -197,10 +198,10 @@ files:
 - lib/devise/jwt/models/jwt_authenticatable.rb
 - lib/devise/jwt/railtie.rb
 - lib/devise/jwt/revocation_strategies.rb
-- lib/devise/jwt/revocation_strategies/blacklist.rb
+- lib/devise/jwt/revocation_strategies/allowlist.rb
+- lib/devise/jwt/revocation_strategies/denylist.rb
 - lib/devise/jwt/revocation_strategies/jti_matcher.rb
 - lib/devise/jwt/revocation_strategies/null.rb
-- lib/devise/jwt/revocation_strategies/whitelist.rb
 - lib/devise/jwt/test_helpers.rb
 - lib/devise/jwt/version.rb
 homepage: https://github.com/waiting-for-dev/devise-jwt
@@ -222,8 +223,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: JWT authentication for devise