devise-jwt 0.6.0 → 0.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7424fb9a5d880c89e3fe1d8c7b9e9c7eb4cff7cc9fb746a69581fc0f92ef05eb
-  data.tar.gz: fb0aa453fb4f73acfe0d423651680062e5329ff1fa4e28bd827eff6781231e2c
+  metadata.gz: 1a4a4e4cfd349ee9e76533374b8269516152d37ddafd77b04c55a1d6d53b49c7
+  data.tar.gz: 06d6b7627bbbf01ce30796856236e8e854ad083bf35bfabb3972b1744f6fe8b8
 SHA512:
-  metadata.gz: 1f872a48f5e83e686745ebcc0d64368f4a6b450cbf01fea430c034a2660865ebacbbd5bcf3bbc3e10ebfbd201a04d249c82c34e2d5d2db1f91d7b3934e945508
-  data.tar.gz: 75e60907d0a5bb6fca5a180c935665ae854d8a772ec9fcf9e7965275416352e23c75dfe3be625280e9600cab92137eb3bf601350919234b3d13eeaf8793e9d2d
+  metadata.gz: 2574faee8bb3ca9f7481335360534104e04308772c6c0a1e19b4d2c0fafeb3d075d2faae2e23f98aee7115d9e64f9105b1020cc30825d8e40a633da1404b29de
+  data.tar.gz: bba859af422238968a66f01e13771db8efedf3626c5e21d67f16c192467c4ed1213d9844a6a0e615754c657155ea8b8dc972ac7bacd4c6b7984ce6c70e7c9f4b

data/.travis.yml

@@ -1,9 +1,8 @@
-sudo: false
 language: ruby
 rvm:
-  - 2.3
-  - 2.4
   - 2.5
+  - 2.6
+  - 2.7
 before_install:
   - gem update --system --no-doc
   - bundle install --gemfile=.overcommit_gems.rb

data/CHANGELOG.md

@@ -4,7 +4,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) 
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
-## [0.6.0] - 2019-01-08
+## [0.7.0] - 2020-06-03
+### Fixed
+- Replace whitelist/blacklist terminology with allowlist/denylist
+
+## [0.6.0] - 2019-08-01
 ### Fixed
 - Update warden-jwt_auth dependency to v0.4.0 so that now it is possible to configure algorithm.
 

data/README.md

@@ -26,7 +26,7 @@ You can read about which security concerns this library takes into account and a
 Add this line to your application's Gemfile:
 
 ```ruby
-gem 'devise-jwt', '~> 0.5.9'
+gem 'devise-jwt', '~> 0.6.0'
 ```
 
 And then execute:
@@ -76,7 +76,7 @@ An example configuration:
 ```ruby
 class User < ApplicationRecord
   devise :database_authenticatable,
-         :jwt_authenticatable, jwt_revocation_strategy: Blacklist
+         :jwt_authenticatable, jwt_revocation_strategy: Denylist
 end
 ```
 
@@ -132,7 +132,7 @@ This is so because of the following default devise workflow:
   in the session without even reaching to any strategy (`:jwt_authenticatable`
   in our case).
 
-So, if you want to avoid this caveat you have two options:
+So, if you want to avoid this caveat you have three options:
 
 - Disable the session. If you are developing an API, probably you don't need
   it. In order to disable it, change `config/initializers/session_store.rb` to:
@@ -146,6 +146,15 @@ So, if you want to avoid this caveat you have two options:
   ```ruby
   config.skip_session_storage = [:http_auth, :params_auth]
   ```
+- If you are using Devise for another model (e.g. `AdminUser`) and doesn't want
+  to disable session storage for devise entirely, you can disable it on a
+  per-model basis:
+  ```ruby
+  class User < ApplicationRecord
+    devise :database_authenticatable #, your other enabled modules...
+    self.skip_session_storage = [:http_auth, :params_auth]
+  end
+  ```
 
 ### Revocation strategies
 
@@ -157,7 +166,7 @@ Here, the model class acts itself as the revocation strategy. It needs a new str
 
 It works like the following:
 
-- At the same time that a token is dispatched for a user, the `jti` claim is persisted to the `jti` column.
+- When a token is dispatched for a user, the `jti` claim is taken from the `jti` column in the model (which has been initialized when the record has been created).
 - At every authenticated action, the incoming token `jti` claim is matched against the `jti` column for that user. The authentication only succeeds if they are the same.
 - When the user requests to sign out its `jti` column changes, so that provided token won't be valid anymore.
 
@@ -196,29 +205,29 @@ def jwt_payload
 end
 ```
 
-#### Blacklist
+#### Denylist
 
-In this strategy, a database table is used as a blacklist of revoked JWT tokens. The `jti` claim, which uniquely identifies a token, is persisted. The `exp` claim is also stored to allow the clean-up of staled tokens.
+In this strategy, a database table is used as a list of revoked JWT tokens. The `jti` claim, which uniquely identifies a token, is persisted. The `exp` claim is also stored to allow the clean-up of staled tokens.
 
-In order to use it, you need to create the blacklist table in a migration:
+In order to use it, you need to create the denylist table in a migration:
 
 ```ruby
 def change
-  create_table :jwt_blacklist do |t|
+  create_table :jwt_denylist do |t|
     t.string :jti, null: false
     t.datetime :exp, null: false
   end
-  add_index :jwt_blacklist, :jti
+  add_index :jwt_denylist, :jti
 end
 ```
 For performance reasons, it is better if the `jti` column is an index.
 
-Note: if you used the blacklist strategy before vesion 0.4.0 you may not have the field *exp.* If not, run the following migration:
+Note: if you used the denylist strategy before vesion 0.4.0 you may not have the field *exp.* If not, run the following migration:
 
 ```ruby
-class AddExpirationTimeToJWTBlacklist < ActiveRecord::Migration
+class AddExpirationTimeToJWTDenylist < ActiveRecord::Migration
   def change
-    add_column :jwt_blacklist, :exp, :datetime, null: false
+    add_column :jwt_denylist, :exp, :datetime, null: false
   end
 end
 
@@ -227,10 +236,10 @@ end
 Then, you need to create the corresponding model and include the strategy:
 
 ```ruby
-class JWTBlacklist < ApplicationRecord
-  include Devise::JWT::RevocationStrategies::Blacklist
+class JwtDenylist < ApplicationRecord
+  include Devise::JWT::RevocationStrategies::Denylist
 
-  self.table_name = 'jwt_blacklist'
+  self.table_name = 'jwt_denylist'
 end
 ```
 
@@ -239,11 +248,11 @@ Last, configure the user model to use it:
 ```ruby
 class User < ApplicationRecord
   devise :database_authenticatable,
-         :jwt_authenticatable, jwt_revocation_strategy: JWTBlacklist
+         :jwt_authenticatable, jwt_revocation_strategy: JwtDenylist
 end
 ```
 
-#### Whitelist
+#### Allowlist
 
 Here, the model itself acts also as a revocation strategy, but it needs to have
 a one-to-many association with another table which stores the tokens (in fact
@@ -266,11 +275,11 @@ devices for the same user.
 The `exp` claim is also stored to allow the clean-up of staled tokens.
 
 In order to use it, you have to create yourself the associated table and model.
-The association table must be called `whitelisted_jwts`:
+The association table must be called `allowlisted_jwts`:
 
 ```ruby
 def change
-  create_table :whitelisted_jwts do |t|
+  create_table :allowlisted_jwts do |t|
     t.string :jti, null: false
     t.string :aud
     # If you want to leverage the `aud` claim, add to it a `NOT NULL` constraint:
@@ -279,7 +288,7 @@ def change
     t.references :your_user_table, foreign_key: { on_delete: :cascade }, null: false
   end
 
-  add_index :whitelisted_jwts, :jti, unique: true
+  add_index :allowlisted_jwts, :jti, unique: true
 end
 ```
 Important: You are encouraged to set a unique index in the jti column. This way we can be sure at the database level that there aren't two valid tokens with same jti at the same time. Definining `foreign_key: { on_delete: :cascade }, null: false` on `t.references :your_user_table` helps to keep referential integrity of your database.
@@ -287,7 +296,7 @@ Important: You are encouraged to set a unique index in the jti column. This way
 And then, the model:
 
 ```ruby
-class WhitelistedJwt < ApplicationRecord
+class AllowlistedJwt < ApplicationRecord
 end
 ```
 
@@ -295,7 +304,7 @@ Finally, include the strategy in the model and configure it:
 
 ```ruby
 class User < ApplicationRecord
-  include Devise::JWT::RevocationStrategies::Whitelist
+  include Devise::JWT::RevocationStrategies::Allowlist
 
   devise :database_authenticatable,
          :jwt_authenticatable, jwt_revocation_strategy: self

data/devise-jwt.gemspec

@@ -33,6 +33,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'sqlite3', '~> 1.3'
   spec.add_development_dependency 'rspec-rails', '~> 3.5'
   # Test reporting
-  spec.add_development_dependency 'simplecov', '~> 0.16'
+  spec.add_development_dependency 'simplecov', '0.17'
   spec.add_development_dependency 'codeclimate-test-reporter', '~> 1.0'
 end

data/lib/devise/jwt/revocation_strategies.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 require 'devise/jwt/revocation_strategies/jti_matcher'
-require 'devise/jwt/revocation_strategies/blacklist'
-require 'devise/jwt/revocation_strategies/whitelist'
+require 'devise/jwt/revocation_strategies/denylist'
+require 'devise/jwt/revocation_strategies/allowlist'
 require 'devise/jwt/revocation_strategies/null'
 
 module Devise

data/lib/devise/jwt/revocation_strategies/{whitelist.rb → allowlist.rb}

@@ -7,32 +7,32 @@ module Devise
     module RevocationStrategies
       # This strategy must be included in the user model.
       #
-      # The JwtWhitelist table must include `jti`, `aud`, `exp` and `user_id`
+      # The JwtAllowlist table must include `jti`, `aud`, `exp` and `user_id`
       # columns
       #
       # In order to tell whether a token is revoked, it just tries to find the
-      # `jti` and `aud` values from the token on the `whitelisted_jwts`
+      # `jti` and `aud` values from the token on the `allowlisted_jwts`
       # table for the respective user.
       #
       # If the values don't exist means the token was revoked.
       # On revocation, it deletes the matching record from the
-      # `whitelisted_jwts` table.
+      # `allowlisted_jwts` table.
       #
       # On sign in, it creates a new record with the `jti` and `aud` values.
-      module Whitelist
+      module Allowlist
         extend ActiveSupport::Concern
 
         included do
-          has_many :whitelisted_jwts, dependent: :destroy
+          has_many :allowlisted_jwts, dependent: :destroy
 
           # @see Warden::JWTAuth::Interfaces::RevocationStrategy#jwt_revoked?
           def self.jwt_revoked?(payload, user)
-            !user.whitelisted_jwts.exists?(payload.slice('jti', 'aud'))
+            !user.allowlisted_jwts.exists?(payload.slice('jti', 'aud'))
           end
 
           # @see Warden::JWTAuth::Interfaces::RevocationStrategy#revoke_jwt
           def self.revoke_jwt(payload, user)
-            jwt = user.whitelisted_jwts.find_by(payload.slice('jti', 'aud'))
+            jwt = user.allowlisted_jwts.find_by(payload.slice('jti', 'aud'))
             jwt.destroy! if jwt
           end
         end
@@ -40,7 +40,7 @@ module Devise
         # Warden::JWTAuth::Interfaces::User#on_jwt_dispatch
         # :reek:FeatureEnvy
         def on_jwt_dispatch(_token, payload)
-          whitelisted_jwts.create!(
+          allowlisted_jwts.create!(
             jti: payload['jti'],
             aud: payload['aud'],
             exp: Time.at(payload['exp'].to_i)

data/lib/devise/jwt/revocation_strategies/{blacklist.rb → denylist.rb}

@@ -10,7 +10,7 @@ module Devise
       #
       # In order to tell whether a token is revoked, it just checks whether
       # `jti` is in the table. On revocation, creates a new record with it.
-      module Blacklist
+      module Denylist
         extend ActiveSupport::Concern
 
         included do

data/lib/devise/jwt/test_helpers.rb

@@ -9,7 +9,7 @@ module Devise
       #
       # Side effects could happen if you have implemented
       # `on_jwt_dispatch` method on the user model (as it happens in
-      # the whitelist revocation strategy).
+      # the allowlist revocation strategy).
       #
       # Be aware that a fresh copy of `headers` is returned with the new
       # key/value pair added, instead of modifying given argument.

data/lib/devise/jwt/version.rb

@@ -2,6 +2,6 @@
 
 module Devise
   module JWT
-    VERSION = '0.6.0'
+    VERSION = '0.7.0'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-jwt
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.0
 platform: ruby
 authors:
 - Marc Busqué
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-08-01 00:00:00.000000000 Z
+date: 2020-06-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -140,16 +140,16 @@ dependencies:
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0.16'
+        version: '0.17'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - '='
       - !ruby/object:Gem::Version
-        version: '0.16'
+        version: '0.17'
 - !ruby/object:Gem::Dependency
   name: codeclimate-test-reporter
   requirement: !ruby/object:Gem::Requirement
@@ -198,10 +198,10 @@ files:
 - lib/devise/jwt/models/jwt_authenticatable.rb
 - lib/devise/jwt/railtie.rb
 - lib/devise/jwt/revocation_strategies.rb
-- lib/devise/jwt/revocation_strategies/blacklist.rb
+- lib/devise/jwt/revocation_strategies/allowlist.rb
+- lib/devise/jwt/revocation_strategies/denylist.rb
 - lib/devise/jwt/revocation_strategies/jti_matcher.rb
 - lib/devise/jwt/revocation_strategies/null.rb
-- lib/devise/jwt/revocation_strategies/whitelist.rb
 - lib/devise/jwt/test_helpers.rb
 - lib/devise/jwt/version.rb
 homepage: https://github.com/waiting-for-dev/devise-jwt
@@ -223,8 +223,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.8
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: JWT authentication for devise