devise-jwt 0.6.0 → 0.7.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 7424fb9a5d880c89e3fe1d8c7b9e9c7eb4cff7cc9fb746a69581fc0f92ef05eb
4
- data.tar.gz: fb0aa453fb4f73acfe0d423651680062e5329ff1fa4e28bd827eff6781231e2c
3
+ metadata.gz: 1a4a4e4cfd349ee9e76533374b8269516152d37ddafd77b04c55a1d6d53b49c7
4
+ data.tar.gz: 06d6b7627bbbf01ce30796856236e8e854ad083bf35bfabb3972b1744f6fe8b8
5
5
  SHA512:
6
- metadata.gz: 1f872a48f5e83e686745ebcc0d64368f4a6b450cbf01fea430c034a2660865ebacbbd5bcf3bbc3e10ebfbd201a04d249c82c34e2d5d2db1f91d7b3934e945508
7
- data.tar.gz: 75e60907d0a5bb6fca5a180c935665ae854d8a772ec9fcf9e7965275416352e23c75dfe3be625280e9600cab92137eb3bf601350919234b3d13eeaf8793e9d2d
6
+ metadata.gz: 2574faee8bb3ca9f7481335360534104e04308772c6c0a1e19b4d2c0fafeb3d075d2faae2e23f98aee7115d9e64f9105b1020cc30825d8e40a633da1404b29de
7
+ data.tar.gz: bba859af422238968a66f01e13771db8efedf3626c5e21d67f16c192467c4ed1213d9844a6a0e615754c657155ea8b8dc972ac7bacd4c6b7984ce6c70e7c9f4b
@@ -1,9 +1,8 @@
1
- sudo: false
2
1
  language: ruby
3
2
  rvm:
4
- - 2.3
5
- - 2.4
6
3
  - 2.5
4
+ - 2.6
5
+ - 2.7
7
6
  before_install:
8
7
  - gem update --system --no-doc
9
8
  - bundle install --gemfile=.overcommit_gems.rb
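Review bot: dropping Ruby 2.3 and 2.4 from the CI matrix (`- - 2.3`, `- - 2.4`) while adding `+ - 2.6` and `+ - 2.7` is a support change that users cannot see from the CHANGELOG hunk in this release, which only mentions the allowlist/denylist rename; add a "Dropped support for Ruby < 2.5" line there and, if the gemspec declares a `required_ruby_version`, update it in the same commit so the gem refuses to install where it is no longer tested.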
@@ -4,7 +4,11 @@ All notable changes to this project will be documented in this file.
4
4
  The format is based on [Keep a Changelog](http://keepachangelog.com/)
5
5
  and this project adheres to [Semantic Versioning](http://semver.org/).
6
6
 
7
- ## [0.6.0] - 2019-01-08
7
+ ## [0.7.0] - 2020-06-03
8
+ ### Fixed
9
+ - Replace whitelist/blacklist terminology with allowlist/denylist
10
+
11
+ ## [0.6.0] - 2019-08-01
8
12
  ### Fixed
9
13
  - Update warden-jwt_auth dependency to v0.4.0 so that now it is possible to configure algorithm.
10
14
 
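Review bot: filing the whitelist/blacklist to allowlist/denylist rename under `### Fixed` understates it; the rename changes public constants, require paths, the mandatory association name and the documented table names, so existing applications break on upgrade unless they rename things too. Put it under a `### Changed` heading that spells out the breaking effect and a one-line migration hint (keep `self.table_name = 'jwt_blacklist'` on the renamed model, or rename the tables). The correction of the 0.6.0 date from 2019-01-08 to 2019-08-01 agrees with the gem metadata and is fine.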
data/README.md CHANGED
@@ -26,7 +26,7 @@ You can read about which security concerns this library takes into account and a
26
26
  Add this line to your application's Gemfile:
27
27
 
28
28
  ```ruby
29
- gem 'devise-jwt', '~> 0.5.9'
29
+ gem 'devise-jwt', '~> 0.6.0'
30
30
  ```
31
31
 
32
32
  And then execute:
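Review bot: the install snippet is bumped only to `+ gem 'devise-jwt', '~> 0.6.0'` in the same diff that sets `VERSION = '0.7.0'`, so the README tells new users to pin the previous release, which still exposes the old `Blacklist`/`Whitelist` names the rest of this README no longer documents; use `'~> 0.7.0'` so the instructions match the code they describe.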
@@ -76,7 +76,7 @@ An example configuration:
76
76
  ```ruby
77
77
  class User < ApplicationRecord
78
78
  devise :database_authenticatable,
79
- :jwt_authenticatable, jwt_revocation_strategy: Blacklist
79
+ :jwt_authenticatable, jwt_revocation_strategy: Denylist
80
80
  end
81
81
  ```
82
82
 
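Review bot: this example passes `jwt_revocation_strategy: Denylist`, but the Denylist section later in the README defines the model as `JwtDenylist` (`class JwtDenylist < ApplicationRecord`); a reader copying this block verbatim gets a NameError. Use the same constant in both places, as the later `jwt_revocation_strategy: JwtDenylist` example does.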
@@ -132,7 +132,7 @@ This is so because of the following default devise workflow:
132
132
  in the session without even reaching to any strategy (`:jwt_authenticatable`
133
133
  in our case).
134
134
 
135
- So, if you want to avoid this caveat you have two options:
135
+ So, if you want to avoid this caveat you have three options:
136
136
 
137
137
  - Disable the session. If you are developing an API, probably you don't need
138
138
  it. In order to disable it, change `config/initializers/session_store.rb` to:
@@ -146,6 +146,15 @@ So, if you want to avoid this caveat you have two options:
146
146
  ```ruby
147
147
  config.skip_session_storage = [:http_auth, :params_auth]
148
148
  ```
149
+ - If you are using Devise for another model (e.g. `AdminUser`) and doesn't want
150
+ to disable session storage for devise entirely, you can disable it on a
151
+ per-model basis:
152
+ ```ruby
153
+ class User < ApplicationRecord
154
+ devise :database_authenticatable #, your other enabled modules...
155
+ self.skip_session_storage = [:http_auth, :params_auth]
156
+ end
157
+ ```
149
158
 
150
159
  ### Revocation strategies
151
160
 
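Review bot: two small problems in the new third option. The line `+ - If you are using Devise for another model (e.g. `AdminUser`) and doesn't want` should read "don't want". And the fenced `ruby` block that follows is part of the same list item, so its fence and body need to be indented under the bullet; an unindented fence ends the list and renders the code as a top-level block detached from the option it illustrates. It would also help to say explicitly that `self.skip_session_storage` is set on the JWT model (`User` here) so that `AdminUser` keeps its session behaviour, since that is the whole reason for the per-model option.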
@@ -157,7 +166,7 @@ Here, the model class acts itself as the revocation strategy. It needs a new str
157
166
 
158
167
  It works like the following:
159
168
 
160
- - At the same time that a token is dispatched for a user, the `jti` claim is persisted to the `jti` column.
169
+ - When a token is dispatched for a user, the `jti` claim is taken from the `jti` column in the model (which has been initialized when the record has been created).
161
170
  - At every authenticated action, the incoming token `jti` claim is matched against the `jti` column for that user. The authentication only succeeds if they are the same.
162
171
  - When the user requests to sign out its `jti` column changes, so that provided token won't be valid anymore.
163
172
 
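Review bot: the reworded bullet now says the `jti` column "has been initialized when the record has been created", which describes behaviour this hunk does not show; say where that initialization comes from (the `JTIMatcher` concern included in the model) so that users who create records without going through that path, for example with bulk inserts or seeds, know the column must already be populated before a token can be dispatched. The unchanged neighbour "When the user requests to sign out its `jti` column changes" should read "When the user signs out, its `jti` column changes" while this list is being touched.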
@@ -196,29 +205,29 @@ def jwt_payload
196
205
  end
197
206
  ```
198
207
 
199
- #### Blacklist
208
+ #### Denylist
200
209
 
201
- In this strategy, a database table is used as a blacklist of revoked JWT tokens. The `jti` claim, which uniquely identifies a token, is persisted. The `exp` claim is also stored to allow the clean-up of staled tokens.
210
+ In this strategy, a database table is used as a list of revoked JWT tokens. The `jti` claim, which uniquely identifies a token, is persisted. The `exp` claim is also stored to allow the clean-up of staled tokens.
202
211
 
203
- In order to use it, you need to create the blacklist table in a migration:
212
+ In order to use it, you need to create the denylist table in a migration:
204
213
 
205
214
  ```ruby
206
215
  def change
207
- create_table :jwt_blacklist do |t|
216
+ create_table :jwt_denylist do |t|
208
217
  t.string :jti, null: false
209
218
  t.datetime :exp, null: false
210
219
  end
211
- add_index :jwt_blacklist, :jti
220
+ add_index :jwt_denylist, :jti
212
221
  end
213
222
  ```
214
223
  For performance reasons, it is better if the `jti` column is an index.
215
224
 
216
- Note: if you used the blacklist strategy before vesion 0.4.0 you may not have the field *exp.* If not, run the following migration:
225
+ Note: if you used the denylist strategy before vesion 0.4.0 you may not have the field *exp.* If not, run the following migration:
217
226
 
218
227
  ```ruby
219
- class AddExpirationTimeToJWTBlacklist < ActiveRecord::Migration
228
+ class AddExpirationTimeToJWTDenylist < ActiveRecord::Migration
220
229
  def change
221
- add_column :jwt_blacklist, :exp, :datetime, null: false
230
+ add_column :jwt_denylist, :exp, :datetime, null: false
222
231
  end
223
232
  end
224
233
 
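Review bot: the edited note `+ Note: if you used the denylist strategy before vesion 0.4.0` carries the "vesion" typo forward and is now historically wrong, because before 0.4.0 the strategy was called blacklist; since the line is being changed anyway, write "if you used the blacklist strategy (now denylist) before version 0.4.0". The edited line `+ ... to allow the clean-up of staled tokens` should say "stale tokens". More importantly, this section gives existing installs no upgrade path: the migration now creates `jwt_denylist`, but every current user has a `jwt_blacklist` table, so add a sentence that they either keep `self.table_name = 'jwt_blacklist'` in the renamed model or run a `rename_table :jwt_blacklist, :jwt_denylist` migration.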
@@ -227,10 +236,10 @@ end
227
236
  Then, you need to create the corresponding model and include the strategy:
228
237
 
229
238
  ```ruby
230
- class JWTBlacklist < ApplicationRecord
231
- include Devise::JWT::RevocationStrategies::Blacklist
239
+ class JwtDenylist < ApplicationRecord
240
+ include Devise::JWT::RevocationStrategies::Denylist
232
241
 
233
- self.table_name = 'jwt_blacklist'
242
+ self.table_name = 'jwt_denylist'
234
243
  end
235
244
  ```
236
245
 
@@ -239,11 +248,11 @@ Last, configure the user model to use it:
239
248
  ```ruby
240
249
  class User < ApplicationRecord
241
250
  devise :database_authenticatable,
242
- :jwt_authenticatable, jwt_revocation_strategy: JWTBlacklist
251
+ :jwt_authenticatable, jwt_revocation_strategy: JwtDenylist
243
252
  end
244
253
  ```
245
254
 
246
- #### Whitelist
255
+ #### Allowlist
247
256
 
248
257
  Here, the model itself acts also as a revocation strategy, but it needs to have
249
258
  a one-to-many association with another table which stores the tokens (in fact
@@ -266,11 +275,11 @@ devices for the same user.
266
275
  The `exp` claim is also stored to allow the clean-up of staled tokens.
267
276
 
268
277
  In order to use it, you have to create yourself the associated table and model.
269
- The association table must be called `whitelisted_jwts`:
278
+ The association table must be called `allowlisted_jwts`:
270
279
 
271
280
  ```ruby
272
281
  def change
273
- create_table :whitelisted_jwts do |t|
282
+ create_table :allowlisted_jwts do |t|
274
283
  t.string :jti, null: false
275
284
  t.string :aud
276
285
  # If you want to leverage the `aud` claim, add to it a `NOT NULL` constraint:
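Review bot: `+ The association table must be called `allowlisted_jwts`` is a hard requirement because the strategy hard-codes `has_many :allowlisted_jwts`, so every existing installation with a `whitelisted_jwts` table stops authenticating after this upgrade with no error at boot, only revoked-looking tokens at request time. Document the `rename_table :whitelisted_jwts, :allowlisted_jwts` migration (and the `AllowlistedJwt` model rename) in this section, or make the association name configurable so the rename is not forced on users.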
@@ -279,7 +288,7 @@ def change
279
288
  t.references :your_user_table, foreign_key: { on_delete: :cascade }, null: false
280
289
  end
281
290
 
282
- add_index :whitelisted_jwts, :jti, unique: true
291
+ add_index :allowlisted_jwts, :jti, unique: true
283
292
  end
284
293
  ```
285
294
  Important: You are encouraged to set a unique index in the jti column. This way we can be sure at the database level that there aren't two valid tokens with same jti at the same time. Definining `foreign_key: { on_delete: :cascade }, null: false` on `t.references :your_user_table` helps to keep referential integrity of your database.
@@ -287,7 +296,7 @@ Important: You are encouraged to set a unique index in the jti column. This way
287
296
  And then, the model:
288
297
 
289
298
  ```ruby
290
- class WhitelistedJwt < ApplicationRecord
299
+ class AllowlistedJwt < ApplicationRecord
291
300
  end
292
301
  ```
293
302
 
@@ -295,7 +304,7 @@ Finally, include the strategy in the model and configure it:
295
304
 
296
305
  ```ruby
297
306
  class User < ApplicationRecord
298
- include Devise::JWT::RevocationStrategies::Whitelist
307
+ include Devise::JWT::RevocationStrategies::Allowlist
299
308
 
300
309
  devise :database_authenticatable,
301
310
  :jwt_authenticatable, jwt_revocation_strategy: self
@@ -33,6 +33,6 @@ Gem::Specification.new do |spec|
33
33
  spec.add_development_dependency 'sqlite3', '~> 1.3'
34
34
  spec.add_development_dependency 'rspec-rails', '~> 3.5'
35
35
  # Test reporting
36
- spec.add_development_dependency 'simplecov', '~> 0.16'
36
+ spec.add_development_dependency 'simplecov', '0.17'
37
37
  spec.add_development_dependency 'codeclimate-test-reporter', '~> 1.0'
38
38
  end
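Review bot: `+ spec.add_development_dependency 'simplecov', '0.17'` replaces the pessimistic `'~> 0.16'` with an exact pin and gives no reason; an exact pin on a dev dependency normally works around an incompatibility and should say which, otherwise the next person bumps it and rediscovers the breakage. Given the `codeclimate-test-reporter` dependency on the following line, a trailing comment such as `# pinned: newer simplecov output is not read by codeclimate-test-reporter` (verify the actual cause before writing it) would make the intent explicit.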
@@ -1,8 +1,8 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require 'devise/jwt/revocation_strategies/jti_matcher'
4
- require 'devise/jwt/revocation_strategies/blacklist'
5
- require 'devise/jwt/revocation_strategies/whitelist'
4
+ require 'devise/jwt/revocation_strategies/denylist'
5
+ require 'devise/jwt/revocation_strategies/allowlist'
6
6
  require 'devise/jwt/revocation_strategies/null'
7
7
 
8
8
  module Devise
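Review bot: swapping `require 'devise/jwt/revocation_strategies/blacklist'` and `.../whitelist` for `denylist` and `allowlist` removes `Devise::JWT::RevocationStrategies::Blacklist` and `::Whitelist` outright, so any application referencing them raises NameError at boot after a minor version bump. Keep the two old files for one release as deprecated aliases (`Blacklist = Denylist` and `Whitelist = Allowlist`, each emitting a deprecation warning on load) and list the removal in the CHANGELOG; the metadata hunk below confirms the old `.rb` files are simply dropped from the gem's `files:` list.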
@@ -7,32 +7,32 @@ module Devise
7
7
  module RevocationStrategies
8
8
  # This strategy must be included in the user model.
9
9
  #
10
- # The JwtWhitelist table must include `jti`, `aud`, `exp` and `user_id`
10
+ # The JwtAllowlist table must include `jti`, `aud`, `exp` and `user_id`
11
11
  # columns
12
12
  #
13
13
  # In order to tell whether a token is revoked, it just tries to find the
14
- # `jti` and `aud` values from the token on the `whitelisted_jwts`
14
+ # `jti` and `aud` values from the token on the `allowlisted_jwts`
15
15
  # table for the respective user.
16
16
  #
17
17
  # If the values don't exist means the token was revoked.
18
18
  # On revocation, it deletes the matching record from the
19
- # `whitelisted_jwts` table.
19
+ # `allowlisted_jwts` table.
20
20
  #
21
21
  # On sign in, it creates a new record with the `jti` and `aud` values.
22
- module Whitelist
22
+ module Allowlist
23
23
  extend ActiveSupport::Concern
24
24
 
25
25
  included do
26
- has_many :whitelisted_jwts, dependent: :destroy
26
+ has_many :allowlisted_jwts, dependent: :destroy
27
27
 
28
28
  # @see Warden::JWTAuth::Interfaces::RevocationStrategy#jwt_revoked?
29
29
  def self.jwt_revoked?(payload, user)
30
- !user.whitelisted_jwts.exists?(payload.slice('jti', 'aud'))
30
+ !user.allowlisted_jwts.exists?(payload.slice('jti', 'aud'))
31
31
  end
32
32
 
33
33
  # @see Warden::JWTAuth::Interfaces::RevocationStrategy#revoke_jwt
34
34
  def self.revoke_jwt(payload, user)
35
- jwt = user.whitelisted_jwts.find_by(payload.slice('jti', 'aud'))
35
+ jwt = user.allowlisted_jwts.find_by(payload.slice('jti', 'aud'))
36
36
  jwt.destroy! if jwt
37
37
  end
38
38
  end
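Review bot: the updated comment `+ # The JwtAllowlist table must include `jti`, `aud`, `exp` and `user_id`` names a table that does not exist anywhere else in this diff; the code uses `has_many :allowlisted_jwts` and the README names the model `AllowlistedJwt` and the table `allowlisted_jwts`, so use those names. While in this comment, it is worth stating a limitation visible in `jwt_revoked?`: `exists?(payload.slice('jti', 'aud'))` drops the `aud` key when the token carries no `aud`, so the lookup then matches a stored row for that `jti` whatever its `aud` is; this is why the README advises a `NOT NULL` constraint on `aud` for anyone relying on that claim, and the doc comment is the right place to say it.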
@@ -40,7 +40,7 @@ module Devise
40
40
  # Warden::JWTAuth::Interfaces::User#on_jwt_dispatch
41
41
  # :reek:FeatureEnvy
42
42
  def on_jwt_dispatch(_token, payload)
43
- whitelisted_jwts.create!(
43
+ allowlisted_jwts.create!(
44
44
  jti: payload['jti'],
45
45
  aud: payload['aud'],
46
46
  exp: Time.at(payload['exp'].to_i)
@@ -10,7 +10,7 @@ module Devise
10
10
  #
11
11
  # In order to tell whether a token is revoked, it just checks whether
12
12
  # `jti` is in the table. On revocation, creates a new record with it.
13
- module Blacklist
13
+ module Denylist
14
14
  extend ActiveSupport::Concern
15
15
 
16
16
  included do
@@ -9,7 +9,7 @@ module Devise
9
9
  #
10
10
  # Side effects could happen if you have implemented
11
11
  # `on_jwt_dispatch` method on the user model (as it happens in
12
- # the whitelist revocation strategy).
12
+ # the allowlist revocation strategy).
13
13
  #
14
14
  # Be aware that a fresh copy of `headers` is returned with the new
15
15
  # key/value pair added, instead of modifying given argument.
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Devise
4
4
  module JWT
5
- VERSION = '0.6.0'
5
+ VERSION = '0.7.0'
6
6
  end
7
7
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: devise-jwt
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.6.0
4
+ version: 0.7.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Marc Busqué
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2019-08-01 00:00:00.000000000 Z
11
+ date: 2020-06-03 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: devise
@@ -140,16 +140,16 @@ dependencies:
140
140
  name: simplecov
141
141
  requirement: !ruby/object:Gem::Requirement
142
142
  requirements:
143
- - - "~>"
143
+ - - '='
144
144
  - !ruby/object:Gem::Version
145
- version: '0.16'
145
+ version: '0.17'
146
146
  type: :development
147
147
  prerelease: false
148
148
  version_requirements: !ruby/object:Gem::Requirement
149
149
  requirements:
150
- - - "~>"
150
+ - - '='
151
151
  - !ruby/object:Gem::Version
152
- version: '0.16'
152
+ version: '0.17'
153
153
  - !ruby/object:Gem::Dependency
154
154
  name: codeclimate-test-reporter
155
155
  requirement: !ruby/object:Gem::Requirement
@@ -198,10 +198,10 @@ files:
198
198
  - lib/devise/jwt/models/jwt_authenticatable.rb
199
199
  - lib/devise/jwt/railtie.rb
200
200
  - lib/devise/jwt/revocation_strategies.rb
201
- - lib/devise/jwt/revocation_strategies/blacklist.rb
201
+ - lib/devise/jwt/revocation_strategies/allowlist.rb
202
+ - lib/devise/jwt/revocation_strategies/denylist.rb
202
203
  - lib/devise/jwt/revocation_strategies/jti_matcher.rb
203
204
  - lib/devise/jwt/revocation_strategies/null.rb
204
- - lib/devise/jwt/revocation_strategies/whitelist.rb
205
205
  - lib/devise/jwt/test_helpers.rb
206
206
  - lib/devise/jwt/version.rb
207
207
  homepage: https://github.com/waiting-for-dev/devise-jwt
@@ -223,8 +223,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
223
223
  - !ruby/object:Gem::Version
224
224
  version: '0'
225
225
  requirements: []
226
- rubyforge_project:
227
- rubygems_version: 2.7.8
226
+ rubygems_version: 3.1.2
228
227
  signing_key:
229
228
  specification_version: 4
230
229
  summary: JWT authentication for devise