devise-jwt 0.6.0 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7424fb9a5d880c89e3fe1d8c7b9e9c7eb4cff7cc9fb746a69581fc0f92ef05eb
-  data.tar.gz: fb0aa453fb4f73acfe0d423651680062e5329ff1fa4e28bd827eff6781231e2c
+  metadata.gz: 2edd445c57c9d9cd2ed101bc9fd9e2678a4ef8dee9b671d168e5083a08edff2b
+  data.tar.gz: 2e8c86be9239ac50fe91589ddacc9110c8df84887d7f2e72a5477afa325fc961
 SHA512:
-  metadata.gz: 1f872a48f5e83e686745ebcc0d64368f4a6b450cbf01fea430c034a2660865ebacbbd5bcf3bbc3e10ebfbd201a04d249c82c34e2d5d2db1f91d7b3934e945508
-  data.tar.gz: 75e60907d0a5bb6fca5a180c935665ae854d8a772ec9fcf9e7965275416352e23c75dfe3be625280e9600cab92137eb3bf601350919234b3d13eeaf8793e9d2d
+  metadata.gz: 2d9658efde24910caf33abbfdc4ad050900a7904db121612c57023d74db89f5912cadc01c9b1cb69709ece57485b99743ce8c2c3b9f9a86fb6347ce54f270489
+  data.tar.gz: d01552367f5d62ce7b454434d97f840f90c2bafe284c3d5c5ae83bb4fdf541056c895613b7dfb1556d2858fb8a521d824e87f7c08a96aec439ef4aa6d7f6c0c6

data/.codeclimate.yml

@@ -8,8 +8,6 @@ engines:
     enabled: true
   rubocop:
     enabled: true
-  reek:
-    enabled: true
 ratings:
   paths:
   - "**.rb"
@@ -18,3 +16,4 @@ exclude_paths:
   - Gemfile
   - bin/console
   - devise-jwt.gemspec
+  - vendor/

data/.github/FUNDING.yml

@@ -0,0 +1 @@
+github: waiting-for-dev

data/.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

data/.github/workflows/ci.yml

@@ -0,0 +1,21 @@
+name: CI 
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['3.0', '3.1', '3.2', ruby-head]
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby ${{ matrix.ruby-version }}
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # 'bundle install' and cache
+    - name: Run specs 
+      run: |
+        bundle exec rspec

data/.github/workflows/lint.yml

@@ -0,0 +1,17 @@
+name: Lint
+
+on: [push, pull_request]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby ${{ matrix.ruby-version }}
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.7 
+        bundler-cache: true # 'bundle install' and cache
+    - name: Run specs 
+      run: |
+        bundle exec rubocop

data/.rubocop.yml

@@ -1,6 +1,11 @@
 require: rubocop-rspec
 AllCops:
-  TargetRubyVersion: 2.3
+  TargetRubyVersion: 3.0
+  Exclude:
+    - Gemfile
+    - devise-jwt.gemspec
+    - spec/fixtures/rails_app/**/*
+    - vendor/**/*
 RSpec/NestedGroups:
   Max: 3
 RSpec/MessageExpectation:
@@ -14,3 +19,37 @@ Metrics/BlockLength:
     - "spec/**/*.rb"
 Style/SafeNavigation:
   Enabled: false
+Layout/EmptyLinesAroundAttributeAccessor:
+  Enabled: true
+Layout/SpaceAroundMethodCallOperator:
+  Enabled: true
+Lint/DeprecatedOpenSSLConstant:
+  Enabled: true
+Lint/MixedRegexpCaptureTypes:
+  Enabled: true
+Lint/RaiseException:
+  Enabled: true
+Lint/StructNewOverride:
+  Enabled: true
+Style/AccessorGrouping:
+  Enabled: true
+Style/BisectedAttrAccessor:
+  Enabled: true
+Style/ExponentialNotation:
+  Enabled: true
+Style/HashEachMethods:
+  Enabled: true
+Style/HashTransformKeys:
+  Enabled: true
+Style/HashTransformValues:
+  Enabled: true
+Style/RedundantAssignment:
+  Enabled: true
+Style/RedundantFetchBlock:
+  Enabled: true
+Style/RedundantRegexpCharacterClass:
+  Enabled: true
+Style/RedundantRegexpEscape:
+  Enabled: true
+Style/SlicingWithRange:
+  Enabled: true

data/CHANGELOG.md

@@ -4,7 +4,35 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) 
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
-## [0.6.0] - 2019-01-08
+## [0.11.0] - 2023-05-10
+### Added
+- Add support for rotation_secret
+
+## [0.10.0] - 2022-09-16
+### Added
+- Enable support for asymmetric algorithms
+
+### Fixed
+- FIX: "No verification key available" on token decode
+
+## [0.9.0] - 2021-09-21
+### Fixed
+- Fix compatibility with dry-configurable 0.13
+
+## [0.8.1] - 2021-02-14
+### Fixed
+- Fix behaviour on code reload
+- Support ruby 3.0 and deprecate ruby 2.5
+
+## [0.8.0] - 2020-07-06
+### Fixed
+- Fix compatibility with last version of dry-configurable
+
+## [0.7.0] - 2020-06-03
+### Fixed
+- Replace whitelist/blacklist terminology with allowlist/denylist
+
+## [0.6.0] - 2019-08-01
 ### Fixed
 - Update warden-jwt_auth dependency to v0.4.0 so that now it is possible to configure algorithm.
 

data/Dockerfile

@@ -1,9 +1,7 @@
-FROM ruby:2.3.1
-ENV APP_HOME /app/
-ENV LIB_DIR lib/devise/jwt/
-RUN apt-get update -qq && apt-get install -y build-essential libpq-dev libxml2-dev libxslt1-dev nodejs
-RUN mkdir -p $APP_HOME/$LIB_DIR
-WORKDIR $APP_HOME
-COPY Gemfile *gemspec $APP_HOME
-COPY $LIB_DIR/version.rb $APP_HOME/$LIB_DIR
-RUN bundle install
+FROM ruby:3.0.0
+ENV APP_USER devise_jwt_user
+RUN apt-get update -qq && \
+    apt-get install -y build-essential sqlite3 libsqlite3-dev
+RUN useradd -ms /bin/bash $APP_USER
+USER $APP_USER
+WORKDIR /home/$APP_USER/app

data/LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT License (MIT)
 
-Copyright (c) 2016 Marc Busqué
+Copyright (c) 2016-2020 Marc Busqué
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

data/README.md

@@ -5,28 +5,50 @@
 [![Code Climate](https://codeclimate.com/github/waiting-for-dev/devise-jwt/badges/gpa.svg)](https://codeclimate.com/github/waiting-for-dev/devise-jwt)
 [![Test Coverage](https://codeclimate.com/github/waiting-for-dev/devise-jwt/badges/coverage.svg)](https://codeclimate.com/github/waiting-for-dev/devise-jwt/coverage)
 
-`devise-jwt` is a [devise](https://github.com/plataformatec/devise) extension which uses [JWT](https://jwt.io/) tokens for user authentication. It follows [secure by default](https://en.wikipedia.org/wiki/Secure_by_default) principle.
+`devise-jwt` is a [Devise](https://github.com/plataformatec/devise) extension which uses [JWT](https://jwt.io/) tokens for user authentication. It follows [secure by default](https://en.wikipedia.org/wiki/Secure_by_default) principle.
 
-This gem is just a replacement for cookies when these can't be used. As
-cookies, a token expired with `devise-jwt` will mandatorily have an expiration
+This gem is just a replacement for cookies when these can't be used. As with
+cookies, a `devise-jwt` token will mandatorily have an expiration
 time. If you need that your users never sign out, you will be better off with a
 solution using refresh tokens, like some implementation of OAuth2.
 
 You can read about which security concerns this library takes into account and about JWT generic secure usage in the following series of posts:
 
-- [Stand Up for JWT Revocation](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation/)
-- [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies/)
-- [JWT Secure Usage](http://waiting-for-dev.github.io/blog/2017/01/25/jwt_secure_usage/)
-- [A secure JWT authentication implementation for Rack and Rails](http://waiting-for-dev.github.io/blog/2017/01/26/a_secure_jwt_authentication_implementation_for_rack_and_rails/)
+- [Stand Up for JWT Revocation](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation)
+- [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies)
+- [JWT Secure Usage](http://waiting-for-dev.github.io/blog/2017/01/25/jwt_secure_usage)
+- [A secure JWT authentication implementation for Rack and Rails](http://waiting-for-dev.github.io/blog/2017/01/26/a_secure_jwt_authentication_implementation_for_rack_and_rails)
 
-`devise-jwt` is just a thin layer on top of [`warden-jwt_auth`](https://github.com/waiting-for-dev/warden-jwt_auth) that configures it to be used out of the box with devise and Rails.
+`devise-jwt` is just a thin layer on top of [`warden-jwt_auth`](https://github.com/waiting-for-dev/warden-jwt_auth) that configures it to be used out of the box with Devise and Rails.
+
+## Upgrade notes
+
+### v0.7.0
+
+Since version v0.7.0 `Blacklist` revocation strategy has been renamed to `Denylist` while `Whitelist` has been renamed to `Allowlist`.
+
+For `Denylist`, you only need to update the `include` line you're using in your revocation strategy model:
+
+```ruby
+# include Devise::JWT::RevocationStrategies::Blacklist # before
+include Devise::JWT::RevocationStrategies::Denylist
+```
+
+For `Allowlist`, you need to update the `include` line you're using in your user model:
+
+```ruby
+# include Devise::JWT::RevocationStrategies::Whitelist # before
+include Devise::JWT::RevocationStrategies::Allowlist
+```
+
+You also have to rename your `WhitelistedJwt` model to `AllowlistedJwt`, rename `model/whitelisted_jwt.rb` to `model/allowlisted_jwt.rb` and change the underlying database table to `allowlisted_jwts` (or configure the model to keep using the old name).
 
 ## Installation
 
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'devise-jwt', '~> 0.5.9'
+gem 'devise-jwt'
 ```
 
 And then execute:
@@ -39,11 +61,11 @@ Or install it yourself as:
 
 ## Usage
 
-First you need to configure devise to work in an API application. You can follow the instructions in this project wiki page [Configuring devise for APIs](https://github.com/waiting-for-dev/devise-jwt/wiki/Configuring-devise-for-APIs) (you are more than welcome to improve them).
+First, you need to configure Devise to work in an API application. You can follow the instructions in this project wiki page [Configuring Devise for APIs](https://github.com/waiting-for-dev/devise-jwt/wiki/Configuring-devise-for-APIs) (you are more than welcome to improve them).
 
 ### Secret key configuration
 
-First of all, you have to configure the secret key that will be used to sign generated tokens. You can do it in the devise initializer:
+You have to configure the secret key that will be used to sign generated tokens. You can do it in the Devise initializer:
 
 ```ruby
 Devise.setup do |config|
@@ -54,33 +76,81 @@ Devise.setup do |config|
 end
 ```
 
-**Important:** You are encouraged to use a secret different than your application `secret_key_base`. It is quite possible that some other component of your system is already using it. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. In rails, generating new secrets is as easy as `bundle exec rake secret`. Also, never share your secrets pushing it to a remote repository, you are better off using an environment variable like in the example.
+If you are using Encrypted Credentials (Rails 5.2+), you can store the secret key in `config/credentials.yml.enc`.
+
+Open your credentials editor using `bin/rails credentials:edit` and add `devise_jwt_secret_key`.
+
+> **Note** you may need to set `$EDITOR` depending on your specific environment.
+
+```yml
+
+# Other secrets...
+
+# Used as the base secret for Devise JWT
+devise_jwt_secret_key: abc...xyz
+```
+
+Add the following to the Devise initializer.
+
+```ruby
+Devise.setup do |config|
+  # ...
+  config.jwt do |jwt|
+    jwt.secret = Rails.application.credentials.devise_jwt_secret_key!
+  end
+end
+```
+
+> **Important:** You are encouraged to use a secret different than your application `secret_key_base`. It is quite possible that some other component of your system is already using it. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. In rails, generating new secrets is as easy as `bundle exec rake secret`. Also, never share your secrets pushing it to a remote repository, you are better off using an environment variable like in the example.
+
+Currently, HS256 algorithm is the one in use. You may configure a matching secret and algorithm name to use a different one (see [ruby-jwt](https://github.com/jwt/ruby-jwt#algorithms-and-usage) to see which are supported):
+
+```ruby
+Devise.setup do |config|
+  # ...
+  config.jwt do |jwt|
+    jwt.secret = OpenSSL::PKey::RSA.new(Rails.application.credentials.devise_jwt_secret_key!)
+    jwt.algorithm = Rails.application.credentials.devise_jwt_algorithm!
+  end
+end
+```
 
-Currently, HS256 algorithm is the one in use.
+If the algorithm is asymmetric (e.g. RS256) which necessitates a different decoding secret, configure the `decoding_secret` setting as well:
+
+```ruby
+Devise.setup do |config|
+  # ...
+  config.jwt do |jwt|
+    jwt.secret = OpenSSL::PKey::RSA.new(Rails.application.credentials.devise_jwt_private_key!)
+    jwt.decoding_secret = OpenSSL::PKey::RSA.new(Rails.application.credentials.devise_jwt_public_key!)
+    jwt.algorithm = 'RS256' # or some other asymmetric algorithm
+  end
+end
+```
 
 ### Model configuration
 
 You have to tell which user models you want to be able to authenticate with JWT tokens. For them, the authentication process will be like this:
 
-- A user authenticates through devise create session request (for example, using the standard `:database_authenticatable` module).
+- A user authenticates through Devise create session request (for example, using the standard `:database_authenticatable` module).
 - If the authentication succeeds, a JWT token is dispatched to the client in the `Authorization` response header, with format `Bearer #{token}` (tokens are also dispatched on a successful sign up).
 - The client can use this token to authenticate following requests for the same user, providing it in the `Authorization` request header, also with format `Bearer #{token}`
-- When the client visits devise destroy session request, the token is revoked.
+- When the client visits Devise destroy session request, the token is revoked.
 
 See [request_formats](#request_formats) configuration option if you are using paths with a format segment (like `.json`) in order to use it properly.
 
-As you see, unlike other JWT authentication libraries, it is expected that tokens will be revoked by the server. I wrote about [why I think JWT revocation is needed and useful](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation/).
+As you see, unlike other JWT authentication libraries, it is expected that tokens will be revoked by the server. I wrote about [why I think JWT revocation is needed and useful](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation).
 
 An example configuration:
 
 ```ruby
 class User < ApplicationRecord
   devise :database_authenticatable,
-         :jwt_authenticatable, jwt_revocation_strategy: Blacklist
+         :jwt_authenticatable, jwt_revocation_strategy: Denylist
 end
 ```
 
-If you need to add something to the JWT payload, you can do it defining a `jwt_payload` method in the user model. It must return a `Hash`. For instance:
+If you need to add something to the JWT payload, you can do it by defining a `jwt_payload` method in the user model. It must return a `Hash`. For instance:
 
 ```ruby
 def jwt_payload
@@ -114,11 +184,11 @@ end
 #### Session storage caveat
 
 If you are working with a Rails application that has session storage enabled
-and a default devise setup, chances are that same origin requests will be
+and a default Devise setup, chances are the same origin requests will be
 authenticated from the session regardless of a token being present in the
 headers or not.
 
-This is so because of the following default devise workflow:
+This is so because of the following default Devise workflow:
 
 - When a user signs in with `:database_authenticatable` strategy, the user is
   stored in the session unless one of the following conditions is met:
@@ -128,13 +198,13 @@ This is so because of the following default devise workflow:
     protection](http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html)
     handles an unverified request (but this is usually deactivated for API
     requests).
-- Warden (the engine below devise), authenticates any request that has the user
-  in the session without even reaching to any strategy (`:jwt_authenticatable`
+- Warden (the engine below Devise), authenticates any request that the user has
+  in the session without requiring a strategy (`:jwt_authenticatable`
   in our case).
 
-So, if you want to avoid this caveat you have two options:
+So, if you want to avoid this caveat you have three options:
 
-- Disable the session. If you are developing an API, probably you don't need
+- Disable the session. If you are developing an API, you probably don't need
   it. In order to disable it, change `config/initializers/session_store.rb` to:
   ```ruby
   Rails.application.config.session_store :disabled
@@ -146,18 +216,27 @@ So, if you want to avoid this caveat you have two options:
   ```ruby
   config.skip_session_storage = [:http_auth, :params_auth]
   ```
+- If you are using Devise for another model (e.g. `AdminUser`) and doesn't want
+  to disable session storage for Devise entirely, you can disable it on a
+  per-model basis:
+  ```ruby
+  class User < ApplicationRecord
+    devise :database_authenticatable #, your other enabled modules...
+    self.skip_session_storage = [:http_auth, :params_auth]
+  end
+  ```
 
 ### Revocation strategies
 
-`devise-jwt` comes with three revocation strategies out of the box. Some of them are implementations of what is discussed in the blog post [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies/), where I also talk about their pros and cons.
+`devise-jwt` comes with three revocation strategies out of the box. Some of them are implementations of what is discussed in the blog post [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies), where I also talk about their pros and cons.
 
 #### JTIMatcher
 
-Here, the model class acts itself as the revocation strategy. It needs a new string column with name `jti` to be added to the user. `jti` stands for JWT ID, and it is a standard claim meant to uniquely identify a token.
+Here, the model class acts as the revocation strategy. It needs a new string column named `jti` to be added to the user. `jti` stands for JWT ID, and it is a standard claim meant to uniquely identify a token.
 
 It works like the following:
 
-- At the same time that a token is dispatched for a user, the `jti` claim is persisted to the `jti` column.
+- When a token is dispatched for a user, the `jti` claim is taken from the `jti` column in the model (which has been initialized when the record has been created).
 - At every authenticated action, the incoming token `jti` claim is matched against the `jti` column for that user. The authentication only succeeds if they are the same.
 - When the user requests to sign out its `jti` column changes, so that provided token won't be valid anymore.
 
@@ -196,29 +275,29 @@ def jwt_payload
 end
 ```
 
-#### Blacklist
+#### Denylist
 
-In this strategy, a database table is used as a blacklist of revoked JWT tokens. The `jti` claim, which uniquely identifies a token, is persisted. The `exp` claim is also stored to allow the clean-up of staled tokens.
+In this strategy, a database table is used as a list of revoked JWT tokens. The `jti` claim, which uniquely identifies a token, is persisted. The `exp` claim is also stored to allow the clean-up of stale tokens.
 
-In order to use it, you need to create the blacklist table in a migration:
+In order to use it, you need to create the denylist table in a migration:
 
 ```ruby
 def change
-  create_table :jwt_blacklist do |t|
+  create_table :jwt_denylist do |t|
     t.string :jti, null: false
     t.datetime :exp, null: false
   end
-  add_index :jwt_blacklist, :jti
+  add_index :jwt_denylist, :jti
 end
 ```
 For performance reasons, it is better if the `jti` column is an index.
 
-Note: if you used the blacklist strategy before vesion 0.4.0 you may not have the field *exp.* If not, run the following migration:
+Note: if you used the denylist strategy before version 0.4.0 you may not have the field *exp.* If not, run the following migration:
 
 ```ruby
-class AddExpirationTimeToJWTBlacklist < ActiveRecord::Migration
+class AddExpirationTimeToJWTDenylist < ActiveRecord::Migration
   def change
-    add_column :jwt_blacklist, :exp, :datetime, null: false
+    add_column :jwt_denylist, :exp, :datetime, null: false
   end
 end
 
@@ -227,10 +306,10 @@ end
 Then, you need to create the corresponding model and include the strategy:
 
 ```ruby
-class JWTBlacklist < ApplicationRecord
-  include Devise::JWT::RevocationStrategies::Blacklist
+class JwtDenylist < ApplicationRecord
+  include Devise::JWT::RevocationStrategies::Denylist
 
-  self.table_name = 'jwt_blacklist'
+  self.table_name = 'jwt_denylist'
 end
 ```
 
@@ -239,15 +318,15 @@ Last, configure the user model to use it:
 ```ruby
 class User < ApplicationRecord
   devise :database_authenticatable,
-         :jwt_authenticatable, jwt_revocation_strategy: JWTBlacklist
+         :jwt_authenticatable, jwt_revocation_strategy: JwtDenylist
 end
 ```
 
-#### Whitelist
+#### Allowlist
 
-Here, the model itself acts also as a revocation strategy, but it needs to have
+Here, the model itself also acts as a revocation strategy, but it needs to have
 a one-to-many association with another table which stores the tokens (in fact
-their `jti` claim, which uniquely identifies them) valids for each user record.
+their `jti` claim, which uniquely identifies them) that are valid for each user record.
 
 The workflow is as the following:
 
@@ -265,12 +344,12 @@ devices for the same user.
 
 The `exp` claim is also stored to allow the clean-up of staled tokens.
 
-In order to use it, you have to create yourself the associated table and model.
-The association table must be called `whitelisted_jwts`:
+In order to use it, you have to create the associated table and model.
+The association table must be called `allowlisted_jwts`:
 
 ```ruby
 def change
-  create_table :whitelisted_jwts do |t|
+  create_table :allowlisted_jwts do |t|
     t.string :jti, null: false
     t.string :aud
     # If you want to leverage the `aud` claim, add to it a `NOT NULL` constraint:
@@ -279,15 +358,15 @@ def change
     t.references :your_user_table, foreign_key: { on_delete: :cascade }, null: false
   end
 
-  add_index :whitelisted_jwts, :jti, unique: true
+  add_index :allowlisted_jwts, :jti, unique: true
 end
 ```
-Important: You are encouraged to set a unique index in the jti column. This way we can be sure at the database level that there aren't two valid tokens with same jti at the same time. Definining `foreign_key: { on_delete: :cascade }, null: false` on `t.references :your_user_table` helps to keep referential integrity of your database.
+Important: You are encouraged to set a unique index in the `jti` column. This way we can be sure at the database level that there aren't two valid tokens with the same `jti` at the same time. Defining `foreign_key: { on_delete: :cascade }, null: false` on `t.references :your_user_table` helps to keep referential integrity of your database.
 
 And then, the model:
 
 ```ruby
-class WhitelistedJwt < ApplicationRecord
+class AllowlistedJwt < ApplicationRecord
 end
 ```
 
@@ -295,7 +374,7 @@ Finally, include the strategy in the model and configure it:
 
 ```ruby
 class User < ApplicationRecord
-  include Devise::JWT::RevocationStrategies::Whitelist
+  include Devise::JWT::RevocationStrategies::Allowlist
 
   devise :database_authenticatable,
          :jwt_authenticatable, jwt_revocation_strategy: self
@@ -324,7 +403,7 @@ end
 
 #### Custom strategies
 
-You can also implement your own strategies. They just need to implement two methods: `jwt_revoked?` and `revoke_jwt`, both of them accepting as parameters the JWT payload and the user record, in this order.
+You can also implement your own strategies. They just need to implement two methods: `jwt_revoked?` and `revoke_jwt`, both of them accept the JWT payload and the user record as parameters, in this order.
 
 For instance:
 
@@ -348,10 +427,10 @@ end
 ### Testing
 
 Models configured with `:jwt_authenticatable` usually won't be retrieved from
-the session. For this reason, `sign_in` devise testing helper methods won't
+the session. For this reason, `sign_in` Devise testing helper methods won't
 work as expected.
 
-What you need to do in order to authenticate test environment requests is the
+What you need to do to authenticate test environment requests is the
 same that you will do in production: to provide a valid token in the
 `Authorization` header (in the form of `Bearer #{token}`) at every request.
 
@@ -389,7 +468,7 @@ Usually you will wrap this in your own test helper.
 
 ### Configuration reference
 
-This library can be configured calling `jwt` on devise config object:
+This library can be configured calling `jwt` on Devise config object:
 
 ```ruby
 Devise.setup do |config|
@@ -400,17 +479,21 @@ end
 ```
 #### secret
 
-Secret key used to sign generated JWT tokens. You must set it.
+Secret key is used to sign generated JWT tokens. You must set it.
+
+#### rotation_secret
+
+Allow rotating secrets. Set a new value to `secret` and copy the old secret to `rotation_secret`.
 
 #### expiration_time
 
 Number of seconds while a JWT is valid after its generation. After that, it won't be valid anymore, even if it hasn't been revoked.
 
-Defaults to 3600 (1 hour).
+Defaults to 3600 seconds (1 hour).
 
 #### dispatch_requests
 
-Besides the create session one, additional requests where JWT tokens should be dispatched.
+Besides the create session one, there are additional requests where JWT tokens should be dispatched.
 
 It must be a bidimensional array, each item being an array of two elements: the request method and a regular expression that must match the request path.
 
@@ -427,7 +510,7 @@ jwt.dispatch_requests = [
 
 #### revocation_requests
 
-Besides the destroy session one, additional requests where JWT tokens should be revoked.
+Besides the destroy session one, there are additional requests where JWT tokens should be revoked.
 
 It must be a bidimensional array, each item being an array of two elements: the request method and a regular expression that must match the request path.
 
@@ -446,7 +529,7 @@ jwt.revocation_requests = [
 
 Request formats that must be processed (in order to dispatch or revoke tokens).
 
-It must be a hash of devise scopes as keys and an array of request formats as
+It must be a hash of Devise scopes as keys and an array of request formats as
 values. When a scope is not present or if it has a nil item, requests without
 format will be taken into account.
 
@@ -490,14 +573,6 @@ An then, for example:
 
 `docker-compose exec app rspec`
 
-This gem uses [overcommit](https://github.com/brigade/overcommit) to execute some code review engines. If you submit a pull request, it will be executed in the CI process. In order to set it up, you need to do:
-
-```ruby
-bundle install --gemfile=.overcommit_gems.rb
-overcommit --sign
-overcommit --run # To test if it works
-```
-
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/waiting-for-dev/devise-jwt. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.

data/bin/console

@@ -1,14 +1,15 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
-require "bundler/setup"
-require "devise/jwt"
+require 'bundler/setup'
+require 'devise/jwt'
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.
 
 # (If you use this, don't forget to add pry to your Gemfile!)
-# require "pry"
+# require 'pry'
 # Pry.start
 
-require "irb"
+require 'irb'
 IRB.start

data/devise-jwt.gemspec

@@ -22,17 +22,19 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency 'devise', '~> 4.0'
-  spec.add_dependency 'warden-jwt_auth', '~> 0.4'
+  spec.add_dependency 'warden-jwt_auth', '~> 0.8'
 
   spec.add_development_dependency "bundler", "> 1"
-  spec.add_development_dependency "rake", "~> 12.3"
-  spec.add_development_dependency "rspec", "~> 3.8"
-  spec.add_development_dependency "pry-byebug", "~> 3.7"
+  spec.add_development_dependency "rake", "~> 13.0"
+  spec.add_development_dependency "rspec"
   # Needed to test the rails fixture application
-  spec.add_development_dependency 'rails', '~> 5.0'
+  spec.add_development_dependency 'rails', '~> 6.0'
   spec.add_development_dependency 'sqlite3', '~> 1.3'
-  spec.add_development_dependency 'rspec-rails', '~> 3.5'
+  spec.add_development_dependency 'rspec-rails', '~> 4.0'
+  # Cops
+  spec.add_development_dependency 'rubocop', '~> 0.87'
+  spec.add_development_dependency 'rubocop-rspec', '~> 1.42'
   # Test reporting
-  spec.add_development_dependency 'simplecov', '~> 0.16'
+  spec.add_development_dependency 'simplecov', '0.17'
   spec.add_development_dependency 'codeclimate-test-reporter', '~> 1.0'
 end

data/docker-compose.yml

@@ -2,6 +2,11 @@ version: '2'
 services:
   app:
     build: .
-    command: tail -f Gemfile
+    image: devise_jwt
+    command: bash -c "bundle && tail -f Gemfile"
     volumes:
-      - .:/app
+      - .:/home/devise_jwt_user/app
+    tty: true
+    stdin_open: true
+    tmpfs:
+      - /tmp

data/issue_template.md

@@ -18,6 +18,7 @@ Provide following information. Please, format pasted output as code. Feel free t
 
 - Version of `devise-jwt` in use
 - Version of `rails` in use
+- Version of `warden-jwt_auth` in use
 - Output of `Devise::JWT.config`
 - Output of `Warden::JWTAuth.config`
 - Output of `Devise.mappings`

data/lib/devise/jwt/defaults_generator.rb

@@ -42,14 +42,12 @@ module Devise
         add_revocation_requests(inspector)
       end
 
-      # :reek:FeatureEnvy
       def add_mapping(inspector)
         scope = inspector.scope
         model = inspector.model
         defaults[:mappings][scope] = model.name
       end
 
-      # :reek:FeatureEnvy
       def add_revocation_strategy(inspector)
         scope = inspector.scope
         strategy = inspector.model.jwt_revocation_strategy
@@ -91,7 +89,6 @@ module Devise
         requests(inspector, :registration)
       end
 
-      # :reek:FeatureEnvy
       def requests(inspector, name)
         path = inspector.path(name)
         methods = inspector.methods(name)
@@ -100,7 +97,6 @@ module Devise
         end
       end
 
-      # :reek:UtilityFunction
       def requests_for_format(path, methods, format)
         path_regexp = format ? /^#{path}.#{format}$/ : /^#{path}$/
         methods.map do |method|

data/lib/devise/jwt/mapping_inspector.rb

@@ -27,7 +27,6 @@ module Devise
         mapping.to
       end
 
-      # :reek:FeatureEnvy
       def path(name)
         prefix, scope, request = path_parts(name)
         [prefix, scope, request].delete_if do |item|
@@ -35,7 +34,6 @@ module Devise
         end.join('/').prepend('/').gsub('//', '/')
       end
 
-      # :reek:ControlParameter
       def methods(name)
         method = case name
                  when :sign_in      then 'POST'

data/lib/devise/jwt/railtie.rb

@@ -21,6 +21,15 @@ module Devise
             config.revocation_strategies = defaults[:revocation_strategies]
           end
         end
+
+        ActiveSupport::Reloader.to_prepare do
+          Warden::JWTAuth.configure do |config|
+            defaults = DefaultsGenerator.call
+
+            config.mappings = defaults[:mappings]
+            config.revocation_strategies = defaults[:revocation_strategies]
+          end
+        end
       end
     end
   end

data/lib/devise/jwt/revocation_strategies/{whitelist.rb → allowlist.rb}

@@ -7,40 +7,39 @@ module Devise
     module RevocationStrategies
       # This strategy must be included in the user model.
       #
-      # The JwtWhitelist table must include `jti`, `aud`, `exp` and `user_id`
+      # The JwtAllowlist table must include `jti`, `aud`, `exp` and `user_id`
       # columns
       #
       # In order to tell whether a token is revoked, it just tries to find the
-      # `jti` and `aud` values from the token on the `whitelisted_jwts`
+      # `jti` and `aud` values from the token on the `allowlisted_jwts`
       # table for the respective user.
       #
       # If the values don't exist means the token was revoked.
       # On revocation, it deletes the matching record from the
-      # `whitelisted_jwts` table.
+      # `allowlisted_jwts` table.
       #
       # On sign in, it creates a new record with the `jti` and `aud` values.
-      module Whitelist
+      module Allowlist
         extend ActiveSupport::Concern
 
         included do
-          has_many :whitelisted_jwts, dependent: :destroy
+          has_many :allowlisted_jwts, dependent: :destroy
 
           # @see Warden::JWTAuth::Interfaces::RevocationStrategy#jwt_revoked?
           def self.jwt_revoked?(payload, user)
-            !user.whitelisted_jwts.exists?(payload.slice('jti', 'aud'))
+            !user.allowlisted_jwts.exists?(payload.slice('jti', 'aud'))
           end
 
           # @see Warden::JWTAuth::Interfaces::RevocationStrategy#revoke_jwt
           def self.revoke_jwt(payload, user)
-            jwt = user.whitelisted_jwts.find_by(payload.slice('jti', 'aud'))
+            jwt = user.allowlisted_jwts.find_by(payload.slice('jti', 'aud'))
             jwt.destroy! if jwt
           end
         end
 
         # Warden::JWTAuth::Interfaces::User#on_jwt_dispatch
-        # :reek:FeatureEnvy
         def on_jwt_dispatch(_token, payload)
-          whitelisted_jwts.create!(
+          allowlisted_jwts.create!(
             jti: payload['jti'],
             aud: payload['aud'],
             exp: Time.at(payload['exp'].to_i)

data/lib/devise/jwt/revocation_strategies/{blacklist.rb → denylist.rb}

@@ -10,7 +10,7 @@ module Devise
       #
       # In order to tell whether a token is revoked, it just checks whether
       # `jti` is in the table. On revocation, creates a new record with it.
-      module Blacklist
+      module Denylist
         extend ActiveSupport::Concern
 
         included do

data/lib/devise/jwt/revocation_strategies.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 require 'devise/jwt/revocation_strategies/jti_matcher'
-require 'devise/jwt/revocation_strategies/blacklist'
-require 'devise/jwt/revocation_strategies/whitelist'
+require 'devise/jwt/revocation_strategies/denylist'
+require 'devise/jwt/revocation_strategies/allowlist'
 require 'devise/jwt/revocation_strategies/null'
 
 module Devise

data/lib/devise/jwt/test_helpers.rb

@@ -9,7 +9,7 @@ module Devise
       #
       # Side effects could happen if you have implemented
       # `on_jwt_dispatch` method on the user model (as it happens in
-      # the whitelist revocation strategy).
+      # the allowlist revocation strategy).
       #
       # Be aware that a fresh copy of `headers` is returned with the new
       # key/value pair added, instead of modifying given argument.
@@ -20,18 +20,13 @@ module Devise
       # autodetected.
       # @param aud [String] The aud claim. If `nil` it will be autodetected from
       # the header name configured in `Devise::JWT.config.aud_header`.
-      #
-      # :reek:LongParameterList
-      # :reek:ManualDispatch
       def self.auth_headers(headers, user, scope: nil, aud: nil)
         scope ||= Devise::Mapping.find_scope!(user)
         aud ||= headers[Warden::JWTAuth.config.aud_header]
         token, payload = Warden::JWTAuth::UserEncoder.new.call(
           user, scope, aud
         )
-        if user.respond_to?(:on_jwt_dispatch)
-          user.on_jwt_dispatch(token, payload)
-        end
+        user.on_jwt_dispatch(token, payload) if user.respond_to?(:on_jwt_dispatch)
         Warden::JWTAuth::HeaderParser.to_headers(headers, token)
       end
     end

data/lib/devise/jwt/version.rb

@@ -2,6 +2,6 @@
 
 module Devise
   module JWT
-    VERSION = '0.6.0'
+    VERSION = '0.11.0'
   end
 end

data/lib/devise/jwt.rb

@@ -26,25 +26,41 @@ module Devise
   module JWT
     extend Dry::Configurable
 
-    setting(:secret) do |value|
-      forward_to_warden(:secret, value)
+    def self.forward_to_warden(setting, value)
+      default = Warden::JWTAuth.config.send(setting)
+      Warden::JWTAuth.config.send("#{setting}=", value || default)
+      Warden::JWTAuth.config.send(setting)
     end
 
-    setting(:expiration_time) do |value|
-      forward_to_warden(:expiration_time, value)
-    end
+    setting(:secret,
+            default: Warden::JWTAuth.config.secret,
+            constructor: ->(value) { forward_to_warden(:secret, value) })
 
-    setting(:dispatch_requests) do |value|
-      forward_to_warden(:dispatch_requests, value)
-    end
+    setting(:rotation_secret,
+            default: Warden::JWTAuth.config.rotation_secret,
+            constructor: ->(value) { forward_to_warden(:rotation_secret, value) })
 
-    setting(:revocation_requests) do |value|
-      forward_to_warden(:revocation_requests, value)
-    end
+    setting(:decoding_secret,
+            constructor: ->(value) { forward_to_warden(:decoding_secret, value) })
 
-    setting(:aud_header) do |value|
-      forward_to_warden(:aud_header, value)
-    end
+    setting(:algorithm,
+            constructor: ->(value) { forward_to_warden(:algorithm, value) })
+
+    setting(:expiration_time,
+            default: Warden::JWTAuth.config.expiration_time,
+            constructor: ->(value) { forward_to_warden(:expiration_time, value) })
+
+    setting(:dispatch_requests,
+            default: Warden::JWTAuth.config.dispatch_requests,
+            constructor: ->(value) { forward_to_warden(:dispatch_requests, value) })
+
+    setting(:revocation_requests,
+            default: Warden::JWTAuth.config.revocation_requests,
+            constructor: ->(value) { forward_to_warden(:revocation_requests, value) })
+
+    setting(:aud_header,
+            default: Warden::JWTAuth.config.aud_header,
+            constructor: ->(value) { forward_to_warden(:aud_header, value) })
 
     # A hash of warden scopes as keys and an array of request formats that will
     # be processed as values. When a scope is not present or if it has a nil
@@ -59,10 +75,6 @@ module Devise
     #   user: [:json],
     #   admin_user: [nil, :xml]
     # }
-    setting :request_formats, {}
-
-    def self.forward_to_warden(setting, value)
-      Warden::JWTAuth.config.send("#{setting}=", value)
-    end
+    setting :request_formats, default: {}
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-jwt
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.11.0
 platform: ruby
 authors:
 - Marc Busqué
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-08-01 00:00:00.000000000 Z
+date: 2023-05-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -30,14 +30,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.4'
+        version: '0.8'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.4'
+        version: '0.8'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -58,98 +58,112 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '12.3'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '6.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.8'
+        version: '6.0'
 - !ruby/object:Gem::Dependency
-  name: pry-byebug
+  name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.7'
+        version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.7'
+        version: '1.3'
 - !ruby/object:Gem::Dependency
-  name: rails
+  name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '5.0'
+        version: '4.0'
 - !ruby/object:Gem::Dependency
-  name: sqlite3
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '0.87'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '0.87'
 - !ruby/object:Gem::Dependency
-  name: rspec-rails
+  name: rubocop-rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '1.42'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '3.5'
+        version: '1.42'
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0.16'
+        version: '0.17'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0.16'
+        version: '0.17'
 - !ruby/object:Gem::Dependency
   name: codeclimate-test-reporter
   requirement: !ruby/object:Gem::Requirement
@@ -172,13 +186,13 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".codeclimate.yml"
+- ".github/FUNDING.yml"
+- ".github/dependabot.yml"
+- ".github/workflows/ci.yml"
+- ".github/workflows/lint.yml"
 - ".gitignore"
-- ".overcommit.yml"
-- ".overcommit_gems.rb"
-- ".reek"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Dockerfile
@@ -198,10 +212,10 @@ files:
 - lib/devise/jwt/models/jwt_authenticatable.rb
 - lib/devise/jwt/railtie.rb
 - lib/devise/jwt/revocation_strategies.rb
-- lib/devise/jwt/revocation_strategies/blacklist.rb
+- lib/devise/jwt/revocation_strategies/allowlist.rb
+- lib/devise/jwt/revocation_strategies/denylist.rb
 - lib/devise/jwt/revocation_strategies/jti_matcher.rb
 - lib/devise/jwt/revocation_strategies/null.rb
-- lib/devise/jwt/revocation_strategies/whitelist.rb
 - lib/devise/jwt/test_helpers.rb
 - lib/devise/jwt/version.rb
 homepage: https://github.com/waiting-for-dev/devise-jwt
@@ -223,8 +237,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.8
+rubygems_version: 3.3.7
 signing_key: 
 specification_version: 4
 summary: JWT authentication for devise

data/.overcommit.yml

@@ -1,56 +0,0 @@
-#
-# Select version of overcommit and the other tools from Gemfile
-#
-gemfile: .overcommit_gems.rb
-
-#
-# Hooks that are run against every commit message after a user has written it.
-#
-CommitMsg:
-  ALL:
-    required: true
-    exclude: &default_excludes
-      - Gemfile
-      - devise-jwt.gemspec
-      - spec/fixtures/rails_app/**/*
-      - README.md
-      - CHANGELOG.md
-
-  HardTabs:
-    enabled: true
-
-  SingleLineSubject:
-    enabled: true
-
-#
-# Hooks that are run after `git commit` is executed, before the commit message
-# editor is displayed.
-#
-PreCommit:
-  ALL:
-    required: true
-    exclude: *default_excludes
-
-  BundleAudit:
-    enabled: true
-
-  BundleCheck:
-    enabled: true
-
-  LocalPathsInGemfile:
-    enabled: true
-
-  ExecutePermissions:
-    enabled: true
-    exclude:
-      - *default_excludes
-      - bin/*
-
-  Reek:
-    enabled: true
-
-  RuboCop:
-    enabled: true
-
-  TrailingWhitespace:
-    enabled: true

data/.overcommit_gems.rb

@@ -1,15 +0,0 @@
-# frozen_string_literal: true
-
-source 'https://rubygems.org'
-
-gem 'overcommit', '~> 0.36'
-
-# Patch-level verification for Bundled apps
-gem 'bundler-audit', '~> 0.5'
-
-# Ruby code smell reporter
-gem 'reek', '~> 4.5'
-
-# Ruby code style checking
-gem 'rubocop', '~> 0.47'
-gem 'rubocop-rspec', '~> 1.10'

data/.travis.yml

@@ -1,21 +0,0 @@
-sudo: false
-language: ruby
-rvm:
-  - 2.3
-  - 2.4
-  - 2.5
-before_install:
-  - gem update --system --no-doc
-  - bundle install --gemfile=.overcommit_gems.rb
-before_script:
-  - git config --global user.email 'travis@travis.ci'
-  - git config --global user.name 'Travis CI'
-script:
-  - bundle exec rspec
-  - bundle exec codeclimate-test-reporter
-  - overcommit --sign
-  - overcommit --run
-addons:
-  code_climate:
-    repo_token:
-      secure: OWVschEUE+pVEQFR9dgtCUVmf2GJF3e7RTvX9M3CS7fhLyWqDlHdkCxmxCGJQDBVXR59ReCni2sbbRgkfqekkggLEG3gvHl2uof9+PVVRXTbDDDydwDGHLvcT8ZVJOHVgqgX899j6eBSsqdtSB7rMEdMOYBYDw35/yd844LkaW+sOWUbx0SJSo0V0QtJe3DC7vTAo/EEGTQs7WRGcXa6Pg9RlWiK7ThVoEbXQ4GDdjS5mWsQer4QcdnOfiuBL8mC3XAX+wJyBIqAVetAmhFKtwH+pKYMqRbcI/iBSaHslGowLr+tQW/tLO9XZsz95C6037XUse6BUJ5U9mYsgcnebslVJnuQ4dyXTXwQ2e1Fzy4iYr9Iz2Yhr3EjchXOvXh0D2BDPLCZMF98W/hsPZ4hPq/FhfjdfJXHcuqU6k7Ozr6UTwMmuNMvR7af2hXGaralTPOH8SVh/RtxpWsAocNA4n1b7dhdpMLKDNZ7GxdunDo5zJ03HUH4d0SDexnx3xSpfR/q+FJDHNxfD7KVAsgQYnrNjde/DnYszV2E3EAUVWF71ZaNQIvDyS1gyBjjvkSGRGL5tY7z+sdaRfE68toidgl2eR08vt/eYo3DIIzwPvI5N/BTv/Xm8vQ+jfwxCF6Ezr1TJTZW4auoMBAVqrr4HoO6T7VHTOeUD0Bukp7KBfQ=