devise-jwt 0.8.1 → 0.10.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 8fe413aae5cfcb2c703195cf5e4316f84efeecbf8f05ccca617dad9cce617009
4
- data.tar.gz: aed9bfe1e2852eea2dc04885a4e6afc1375cc2aa6a41d273894d4611042d7cf6
3
+ metadata.gz: 2b5a307382874853dba1abc67c451c9dd01e81a1b2dd84c94db6a10af7f4cc44
4
+ data.tar.gz: b3f6ec7a63b8f481038f2aeb72cb872d451dfc679537aa29b1d85aaa66c6aaab
5
5
  SHA512:
6
- metadata.gz: 5856bab014b5ef50d4c2412618f74307b8261dc117a4335f0597e3cc1fd67b1d74c568bc15b12a0961fdcd0d8edf0e07ef67280eb24d8eb43177152b3760d70a
7
- data.tar.gz: 0c3fd2d91daaefc8b261341498a6a359aa8092ca56d1f95ad934cf0e746761140de117f3ff9f08b8da48240cf8eaaeea62b8d473a7aeabe3bc693889dbd77c35
6
+ metadata.gz: e95511b4462ce942934858d578589ba618117e8bfc6e3f617f7082f82627b293e706d130a242afde25ce3e8ff5da8e8d4d058c54d51ac2dfd785f5e59747e87d
7
+ data.tar.gz: 713c71400296bae1493096d2f55b19bedff85cb7884502cd09a954872c72624a109887ef405cbee04ad56520ee255aab190f6b3c5032a952ecaa978223c9e06a
@@ -0,0 +1 @@
1
+ github: waiting-for-dev
@@ -0,0 +1,6 @@
1
+ version: 2
2
+ updates:
3
+ - package-ecosystem: "github-actions"
4
+ directory: "/"
5
+ schedule:
6
+ interval: "weekly"
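Review bot: the Dependabot config only covers the `github-actions` ecosystem, so the gem's own runtime and development dependencies (declared in the gemspec, including the `warden-jwt_auth` constraint this release bumps) get no automated update or security-advisory PRs. Add a second `updates:` entry with `package-ecosystem: "bundler"`, `directory: "/"` and a schedule so vulnerable Ruby dependencies are surfaced the same way action updates are.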
@@ -0,0 +1,21 @@
1
+ name: CI
2
+
3
+ on: [push, pull_request]
4
+
5
+ jobs:
6
+ test:
7
+ runs-on: ubuntu-latest
8
+ strategy:
9
+ matrix:
10
+ ruby-version: ['2.7', '3.0', '3.1', ruby-head]
11
+
12
+ steps:
13
+ - uses: actions/checkout@v3
14
+ - name: Set up Ruby ${{ matrix.ruby-version }}
15
+ uses: ruby/setup-ruby@v1
16
+ with:
17
+ ruby-version: ${{ matrix.ruby-version }}
18
+ bundler-cache: true # 'bundle install' and cache
19
+ - name: Run specs
20
+ run: |
21
+ bundle exec rspec
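Review bot: `ruby-head` sits in the matrix with neither `fail-fast: false` on the strategy nor `continue-on-error` on the job, so a breakage in Ruby's development branch will cancel the stable-Ruby jobs and mark the run red; the `.travis.yml` this workflow replaces explicitly listed `rvm: ruby-head` under `allow_failures`. Suggest adding `fail-fast: false` under `strategy:` and `continue-on-error: ${{ matrix.ruby-version == 'ruby-head' }}` on the job. Separately, `actions/checkout@v3` and `ruby/setup-ruby@v1` are pinned to mutable major tags; pinning each to a full commit SHA (with the new Dependabot config keeping it current) makes the workflow's supply chain reproducible.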
@@ -0,0 +1,17 @@
1
+ name: Lint
2
+
3
+ on: [push, pull_request]
4
+
5
+ jobs:
6
+ lint:
7
+ runs-on: ubuntu-latest
8
+ steps:
9
+ - uses: actions/checkout@v3
10
+ - name: Set up Ruby ${{ matrix.ruby-version }}
11
+ uses: ruby/setup-ruby@v1
12
+ with:
13
+ ruby-version: 2.7
14
+ bundler-cache: true # 'bundle install' and cache
15
+ - name: Run specs
16
+ run: |
17
+ bundle exec rubocop
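Review bot: two copy-paste leftovers from ci.yml: the step name `Set up Ruby ${{ matrix.ruby-version }}` references a `matrix` this job never defines (the expression renders empty rather than failing), and the step named `Run specs` actually runs `bundle exec rubocop`. Rename them to `Set up Ruby 2.7` and `Run RuboCop`. Also, `ruby-version: 2.7` is an unquoted YAML float; it happens to round-trip as "2.7", but quote it as `'2.7'` the way the CI matrix does so a later `3.0` does not silently become `3`.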
data/CHANGELOG.md CHANGED
@@ -4,7 +4,18 @@ All notable changes to this project will be documented in this file.
4
4
  The format is based on [Keep a Changelog](http://keepachangelog.com/)
5
5
  and this project adheres to [Semantic Versioning](http://semver.org/).
6
6
 
7
- ## [0.8.1] - 2020-02-14
7
+ ## [0.10.0] - 2022-09-16
8
+ ### Added
9
+ - Enable support for asymmetric algorithms
10
+
11
+ ### Fixed
12
+ - FIX: "No verification key available" on token decode
13
+
14
+ ## [0.9.0] - 2021-09-21
15
+ ### Fixed
16
+ - Fix compatibility with dry-configurable 0.13
17
+
18
+ ## [0.8.1] - 2021-02-14
8
19
  ### Fixed
9
20
  - Fix behaviour on code reload
10
21
  - Support ruby 3.0 and deprecate ruby 2.5
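Review bot: the 0.10.0 entry records asymmetric-algorithm support under Added but says nothing about the runtime dependency change to `warden-jwt_auth ~> 0.6` (see the gemspec hunk) and does not name the two new settings, `decoding_secret` and `algorithm`, that the README now documents; a `### Changed` line for the dependency bump and a mention of the setting names would make upgrades easier to audit. The correction of the 0.8.1 date from 2020-02-14 to 2021-02-14 agrees with the `date:` field in the previous gem metadata, so that part looks right.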
data/README.md CHANGED
@@ -5,21 +5,21 @@
5
5
  [![Code Climate](https://codeclimate.com/github/waiting-for-dev/devise-jwt/badges/gpa.svg)](https://codeclimate.com/github/waiting-for-dev/devise-jwt)
6
6
  [![Test Coverage](https://codeclimate.com/github/waiting-for-dev/devise-jwt/badges/coverage.svg)](https://codeclimate.com/github/waiting-for-dev/devise-jwt/coverage)
7
7
 
8
- `devise-jwt` is a [devise](https://github.com/plataformatec/devise) extension which uses [JWT](https://jwt.io/) tokens for user authentication. It follows [secure by default](https://en.wikipedia.org/wiki/Secure_by_default) principle.
8
+ `devise-jwt` is a [Devise](https://github.com/plataformatec/devise) extension which uses [JWT](https://jwt.io/) tokens for user authentication. It follows [secure by default](https://en.wikipedia.org/wiki/Secure_by_default) principle.
9
9
 
10
- This gem is just a replacement for cookies when these can't be used. As
11
- cookies, a token expired with `devise-jwt` will mandatorily have an expiration
10
+ This gem is just a replacement for cookies when these can't be used. As with
11
+ cookies, a `devise-jwt` token will mandatorily have an expiration
12
12
  time. If you need that your users never sign out, you will be better off with a
13
13
  solution using refresh tokens, like some implementation of OAuth2.
14
14
 
15
15
  You can read about which security concerns this library takes into account and about JWT generic secure usage in the following series of posts:
16
16
 
17
- - [Stand Up for JWT Revocation](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation/)
18
- - [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies/)
19
- - [JWT Secure Usage](http://waiting-for-dev.github.io/blog/2017/01/25/jwt_secure_usage/)
20
- - [A secure JWT authentication implementation for Rack and Rails](http://waiting-for-dev.github.io/blog/2017/01/26/a_secure_jwt_authentication_implementation_for_rack_and_rails/)
17
+ - [Stand Up for JWT Revocation](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation)
18
+ - [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies)
19
+ - [JWT Secure Usage](http://waiting-for-dev.github.io/blog/2017/01/25/jwt_secure_usage)
20
+ - [A secure JWT authentication implementation for Rack and Rails](http://waiting-for-dev.github.io/blog/2017/01/26/a_secure_jwt_authentication_implementation_for_rack_and_rails)
21
21
 
22
- `devise-jwt` is just a thin layer on top of [`warden-jwt_auth`](https://github.com/waiting-for-dev/warden-jwt_auth) that configures it to be used out of the box with devise and Rails.
22
+ `devise-jwt` is just a thin layer on top of [`warden-jwt_auth`](https://github.com/waiting-for-dev/warden-jwt_auth) that configures it to be used out of the box with Devise and Rails.
23
23
 
24
24
  ## Upgrade notes
25
25
 
@@ -31,24 +31,24 @@ For `Denylist`, you only need to update the `include` line you're using in your
31
31
 
32
32
  ```ruby
33
33
  # include Devise::JWT::RevocationStrategies::Blacklist # before
34
- include Devise::JWT::RevocationStrategies::Denylist
34
+ include Devise::JWT::RevocationStrategies::Denylist
35
35
  ```
36
36
 
37
- For `Whitelist`, you need to update the `include` line you're using in your user model:
37
+ For `Allowlist`, you need to update the `include` line you're using in your user model:
38
38
 
39
39
  ```ruby
40
40
  # include Devise::JWT::RevocationStrategies::Whitelist # before
41
41
  include Devise::JWT::RevocationStrategies::Allowlist
42
42
  ```
43
43
 
44
- You also have to rename your `WhitelistedJwt` model to `AllowlistedJwt` and change the underlying database table to `allowlisted_jwts` (or configure the model to keep using the old name).
44
+ You also have to rename your `WhitelistedJwt` model to `AllowlistedJwt`, rename `model/whitelisted_jwt.rb` to `model/allowlisted_jwt.rb` and change the underlying database table to `allowlisted_jwts` (or configure the model to keep using the old name).
45
45
 
46
46
  ## Installation
47
47
 
48
48
  Add this line to your application's Gemfile:
49
49
 
50
50
  ```ruby
51
- gem 'devise-jwt', '~> 0.7.0'
51
+ gem 'devise-jwt'
52
52
  ```
53
53
 
54
54
  And then execute:
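Review bot: the Gemfile example drops the `'~> 0.7.0'` constraint entirely. Removing the stale pin is right, but an unconstrained `gem 'devise-jwt'` on a 0.x library means any future minor release, which under SemVer may break the API (as the Blacklist to Denylist rename in the upgrade notes already did), is picked up on the next `bundle update`; suggest `gem 'devise-jwt', '~> 0.10'` or a sentence telling readers to pin. The `include Devise::JWT::RevocationStrategies::Denylist` change in this hunk is whitespace-only.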
@@ -61,11 +61,11 @@ Or install it yourself as:
61
61
 
62
62
  ## Usage
63
63
 
64
- First you need to configure devise to work in an API application. You can follow the instructions in this project wiki page [Configuring devise for APIs](https://github.com/waiting-for-dev/devise-jwt/wiki/Configuring-devise-for-APIs) (you are more than welcome to improve them).
64
+ First, you need to configure Devise to work in an API application. You can follow the instructions in this project wiki page [Configuring Devise for APIs](https://github.com/waiting-for-dev/devise-jwt/wiki/Configuring-devise-for-APIs) (you are more than welcome to improve them).
65
65
 
66
66
  ### Secret key configuration
67
67
 
68
- First of all, you have to configure the secret key that will be used to sign generated tokens. You can do it in the devise initializer:
68
+ You have to configure the secret key that will be used to sign generated tokens. You can do it in the Devise initializer:
69
69
 
70
70
  ```ruby
71
71
  Devise.setup do |config|
@@ -76,22 +76,70 @@ Devise.setup do |config|
76
76
  end
77
77
  ```
78
78
 
79
- **Important:** You are encouraged to use a secret different than your application `secret_key_base`. It is quite possible that some other component of your system is already using it. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. In rails, generating new secrets is as easy as `bundle exec rake secret`. Also, never share your secrets pushing it to a remote repository, you are better off using an environment variable like in the example.
79
+ If you are using Encrypted Credentials (Rails 5.2+), you can store the secret key in `config/credentials.yml.enc`.
80
80
 
81
- Currently, HS256 algorithm is the one in use.
81
+ Open your credentials editor using `bin/rails credentials:edit` and add `devise_jwt_secret_key`.
82
+
83
+ > **Note** you may need to set `$EDITOR` depending on your specific environment.
84
+
85
+ ```yml
86
+
87
+ # Other secrets...
88
+
89
+ # Used as the base secret for Devise JWT
90
+ devise_jwt_secret_key: abc...xyz
91
+ ```
92
+
93
+ Add the following to the Devise initializer.
94
+
95
+ ```ruby
96
+ Devise.setup do |config|
97
+ # ...
98
+ config.jwt do |jwt|
99
+ jwt.secret = Rails.application.credentials.devise_jwt_secret_key!
100
+ end
101
+ end
102
+ ```
103
+
104
+ > **Important:** You are encouraged to use a secret different than your application `secret_key_base`. It is quite possible that some other component of your system is already using it. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. In rails, generating new secrets is as easy as `bundle exec rake secret`. Also, never share your secrets pushing it to a remote repository, you are better off using an environment variable like in the example.
105
+
106
+ Currently, HS256 algorithm is the one in use. You may configure a matching secret and algorithm name to use a different one (see [ruby-jwt](https://github.com/jwt/ruby-jwt#algorithms-and-usage) to see which are supported):
107
+
108
+ ```ruby
109
+ Devise.setup do |config|
110
+ # ...
111
+ config.jwt do |jwt|
112
+ jwt.secret = OpenSSL::PKey::RSA.new(Rails.application.credentials.devise_jwt_secret_key!)
113
+ jwt.algorithm = Rails.application.credentials.devise_jwt_algorithm!
114
+ end
115
+ end
116
+ ```
117
+
118
+ If the algorithm is asymmetric (e.g. RS256) which necessitates a different decoding secret, configure the `decoding_secret` setting as well:
119
+
120
+ ```ruby
121
+ Devise.setup do |config|
122
+ # ...
123
+ config.jwt do |jwt|
124
+ jwt.secret = OpenSSL::PKey::RSA.new(Rails.application.credentials.devise_jwt_private_key!)
125
+ jwt.decoding_secret = OpenSSL::PKey::RSA.new(Rails.application.credentials.devise_jwt_public_key!)
126
+ jwt.algorithm = 'RS256' # or some other asymmetric algorithm
127
+ end
128
+ end
129
+ ```
82
130
 
83
131
  ### Model configuration
84
132
 
85
133
  You have to tell which user models you want to be able to authenticate with JWT tokens. For them, the authentication process will be like this:
86
134
 
87
- - A user authenticates through devise create session request (for example, using the standard `:database_authenticatable` module).
135
+ - A user authenticates through Devise create session request (for example, using the standard `:database_authenticatable` module).
88
136
  - If the authentication succeeds, a JWT token is dispatched to the client in the `Authorization` response header, with format `Bearer #{token}` (tokens are also dispatched on a successful sign up).
89
137
  - The client can use this token to authenticate following requests for the same user, providing it in the `Authorization` request header, also with format `Bearer #{token}`
90
- - When the client visits devise destroy session request, the token is revoked.
138
+ - When the client visits Devise destroy session request, the token is revoked.
91
139
 
92
140
  See [request_formats](#request_formats) configuration option if you are using paths with a format segment (like `.json`) in order to use it properly.
93
141
 
94
- As you see, unlike other JWT authentication libraries, it is expected that tokens will be revoked by the server. I wrote about [why I think JWT revocation is needed and useful](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation/).
142
+ As you see, unlike other JWT authentication libraries, it is expected that tokens will be revoked by the server. I wrote about [why I think JWT revocation is needed and useful](http://waiting-for-dev.github.io/blog/2017/01/23/stand_up_for_jwt_revocation).
95
143
 
96
144
  An example configuration:
97
145
 
@@ -102,7 +150,7 @@ class User < ApplicationRecord
102
150
  end
103
151
  ```
104
152
 
105
- If you need to add something to the JWT payload, you can do it defining a `jwt_payload` method in the user model. It must return a `Hash`. For instance:
153
+ If you need to add something to the JWT payload, you can do it by defining a `jwt_payload` method in the user model. It must return a `Hash`. For instance:
106
154
 
107
155
  ```ruby
108
156
  def jwt_payload
@@ -136,11 +184,11 @@ end
136
184
  #### Session storage caveat
137
185
 
138
186
  If you are working with a Rails application that has session storage enabled
139
- and a default devise setup, chances are that same origin requests will be
187
+ and a default Devise setup, chances are the same origin requests will be
140
188
  authenticated from the session regardless of a token being present in the
141
189
  headers or not.
142
190
 
143
- This is so because of the following default devise workflow:
191
+ This is so because of the following default Devise workflow:
144
192
 
145
193
  - When a user signs in with `:database_authenticatable` strategy, the user is
146
194
  stored in the session unless one of the following conditions is met:
@@ -150,13 +198,13 @@ This is so because of the following default devise workflow:
150
198
  protection](http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html)
151
199
  handles an unverified request (but this is usually deactivated for API
152
200
  requests).
153
- - Warden (the engine below devise), authenticates any request that has the user
154
- in the session without even reaching to any strategy (`:jwt_authenticatable`
201
+ - Warden (the engine below Devise), authenticates any request that the user has
202
+ in the session without requiring a strategy (`:jwt_authenticatable`
155
203
  in our case).
156
204
 
157
205
  So, if you want to avoid this caveat you have three options:
158
206
 
159
- - Disable the session. If you are developing an API, probably you don't need
207
+ - Disable the session. If you are developing an API, you probably don't need
160
208
  it. In order to disable it, change `config/initializers/session_store.rb` to:
161
209
  ```ruby
162
210
  Rails.application.config.session_store :disabled
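Review bot: the reworded Warden bullet changed the meaning: "authenticates any request that the user has in the session" is ungrammatical, while the original "any request that has the user in the session" was correct. Suggest: "Warden (the engine below Devise) authenticates any request whose session already holds the user, without ever invoking a strategy (`:jwt_authenticatable` in our case)."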
@@ -169,7 +217,7 @@ So, if you want to avoid this caveat you have three options:
169
217
  config.skip_session_storage = [:http_auth, :params_auth]
170
218
  ```
171
219
  - If you are using Devise for another model (e.g. `AdminUser`) and doesn't want
172
- to disable session storage for devise entirely, you can disable it on a
220
+ to disable session storage for Devise entirely, you can disable it on a
173
221
  per-model basis:
174
222
  ```ruby
175
223
  class User < ApplicationRecord
@@ -180,11 +228,11 @@ So, if you want to avoid this caveat you have three options:
180
228
 
181
229
  ### Revocation strategies
182
230
 
183
- `devise-jwt` comes with three revocation strategies out of the box. Some of them are implementations of what is discussed in the blog post [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies/), where I also talk about their pros and cons.
231
+ `devise-jwt` comes with three revocation strategies out of the box. Some of them are implementations of what is discussed in the blog post [JWT Revocation Strategies](http://waiting-for-dev.github.io/blog/2017/01/24/jwt_revocation_strategies), where I also talk about their pros and cons.
184
232
 
185
233
  #### JTIMatcher
186
234
 
187
- Here, the model class acts itself as the revocation strategy. It needs a new string column with name `jti` to be added to the user. `jti` stands for JWT ID, and it is a standard claim meant to uniquely identify a token.
235
+ Here, the model class acts as the revocation strategy. It needs a new string column named `jti` to be added to the user. `jti` stands for JWT ID, and it is a standard claim meant to uniquely identify a token.
188
236
 
189
237
  It works like the following:
190
238
 
@@ -229,7 +277,7 @@ end
229
277
 
230
278
  #### Denylist
231
279
 
232
- In this strategy, a database table is used as a list of revoked JWT tokens. The `jti` claim, which uniquely identifies a token, is persisted. The `exp` claim is also stored to allow the clean-up of staled tokens.
280
+ In this strategy, a database table is used as a list of revoked JWT tokens. The `jti` claim, which uniquely identifies a token, is persisted. The `exp` claim is also stored to allow the clean-up of stale tokens.
233
281
 
234
282
  In order to use it, you need to create the denylist table in a migration:
235
283
 
@@ -244,7 +292,7 @@ end
244
292
  ```
245
293
  For performance reasons, it is better if the `jti` column is an index.
246
294
 
247
- Note: if you used the denylist strategy before vesion 0.4.0 you may not have the field *exp.* If not, run the following migration:
295
+ Note: if you used the denylist strategy before version 0.4.0 you may not have the field *exp.* If not, run the following migration:
248
296
 
249
297
  ```ruby
250
298
  class AddExpirationTimeToJWTDenylist < ActiveRecord::Migration
@@ -276,9 +324,9 @@ end
276
324
 
277
325
  #### Allowlist
278
326
 
279
- Here, the model itself acts also as a revocation strategy, but it needs to have
327
+ Here, the model itself also acts as a revocation strategy, but it needs to have
280
328
  a one-to-many association with another table which stores the tokens (in fact
281
- their `jti` claim, which uniquely identifies them) valids for each user record.
329
+ their `jti` claim, which uniquely identifies them) that are valid for each user record.
282
330
 
283
331
  The workflow is as the following:
284
332
 
@@ -296,7 +344,7 @@ devices for the same user.
296
344
 
297
345
  The `exp` claim is also stored to allow the clean-up of staled tokens.
298
346
 
299
- In order to use it, you have to create yourself the associated table and model.
347
+ In order to use it, you have to create the associated table and model.
300
348
  The association table must be called `allowlisted_jwts`:
301
349
 
302
350
  ```ruby
@@ -313,7 +361,7 @@ def change
313
361
  add_index :allowlisted_jwts, :jti, unique: true
314
362
  end
315
363
  ```
316
- Important: You are encouraged to set a unique index in the jti column. This way we can be sure at the database level that there aren't two valid tokens with same jti at the same time. Definining `foreign_key: { on_delete: :cascade }, null: false` on `t.references :your_user_table` helps to keep referential integrity of your database.
364
+ Important: You are encouraged to set a unique index in the `jti` column. This way we can be sure at the database level that there aren't two valid tokens with the same `jti` at the same time. Defining `foreign_key: { on_delete: :cascade }, null: false` on `t.references :your_user_table` helps to keep referential integrity of your database.
317
365
 
318
366
  And then, the model:
319
367
 
@@ -355,7 +403,7 @@ end
355
403
 
356
404
  #### Custom strategies
357
405
 
358
- You can also implement your own strategies. They just need to implement two methods: `jwt_revoked?` and `revoke_jwt`, both of them accepting as parameters the JWT payload and the user record, in this order.
406
+ You can also implement your own strategies. They just need to implement two methods: `jwt_revoked?` and `revoke_jwt`, both of them accept the JWT payload and the user record as parameters, in this order.
359
407
 
360
408
  For instance:
361
409
 
@@ -379,10 +427,10 @@ end
379
427
  ### Testing
380
428
 
381
429
  Models configured with `:jwt_authenticatable` usually won't be retrieved from
382
- the session. For this reason, `sign_in` devise testing helper methods won't
430
+ the session. For this reason, `sign_in` Devise testing helper methods won't
383
431
  work as expected.
384
432
 
385
- What you need to do in order to authenticate test environment requests is the
433
+ What you need to do to authenticate test environment requests is the
386
434
  same that you will do in production: to provide a valid token in the
387
435
  `Authorization` header (in the form of `Bearer #{token}`) at every request.
388
436
 
@@ -420,7 +468,7 @@ Usually you will wrap this in your own test helper.
420
468
 
421
469
  ### Configuration reference
422
470
 
423
- This library can be configured calling `jwt` on devise config object:
471
+ This library can be configured calling `jwt` on Devise config object:
424
472
 
425
473
  ```ruby
426
474
  Devise.setup do |config|
@@ -431,17 +479,17 @@ end
431
479
  ```
432
480
  #### secret
433
481
 
434
- Secret key used to sign generated JWT tokens. You must set it.
482
+ Secret key is used to sign generated JWT tokens. You must set it.
435
483
 
436
484
  #### expiration_time
437
485
 
438
486
  Number of seconds while a JWT is valid after its generation. After that, it won't be valid anymore, even if it hasn't been revoked.
439
487
 
440
- Defaults to 3600 (1 hour).
488
+ Defaults to 3600 seconds (1 hour).
441
489
 
442
490
  #### dispatch_requests
443
491
 
444
- Besides the create session one, additional requests where JWT tokens should be dispatched.
492
+ Besides the create session one, there are additional requests where JWT tokens should be dispatched.
445
493
 
446
494
  It must be a bidimensional array, each item being an array of two elements: the request method and a regular expression that must match the request path.
447
495
 
@@ -458,7 +506,7 @@ jwt.dispatch_requests = [
458
506
 
459
507
  #### revocation_requests
460
508
 
461
- Besides the destroy session one, additional requests where JWT tokens should be revoked.
509
+ Besides the destroy session one, there are additional requests where JWT tokens should be revoked.
462
510
 
463
511
  It must be a bidimensional array, each item being an array of two elements: the request method and a regular expression that must match the request path.
464
512
 
@@ -477,7 +525,7 @@ jwt.revocation_requests = [
477
525
 
478
526
  Request formats that must be processed (in order to dispatch or revoke tokens).
479
527
 
480
- It must be a hash of devise scopes as keys and an array of request formats as
528
+ It must be a hash of Devise scopes as keys and an array of request formats as
481
529
  values. When a scope is not present or if it has a nil item, requests without
482
530
  format will be taken into account.
483
531
 
data/devise-jwt.gemspec CHANGED
@@ -22,12 +22,11 @@ Gem::Specification.new do |spec|
22
22
  spec.require_paths = ["lib"]
23
23
 
24
24
  spec.add_dependency 'devise', '~> 4.0'
25
- spec.add_dependency 'warden-jwt_auth', '~> 0.5'
25
+ spec.add_dependency 'warden-jwt_auth', '~> 0.6'
26
26
 
27
27
  spec.add_development_dependency "bundler", "> 1"
28
28
  spec.add_development_dependency "rake", "~> 13.0"
29
29
  spec.add_development_dependency "rspec"
30
- spec.add_development_dependency "pry-byebug", "~> 3.7"
31
30
  # Needed to test the rails fixture application
32
31
  spec.add_development_dependency 'rails', '~> 6.0'
33
32
  spec.add_development_dependency 'sqlite3', '~> 1.3'
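Review bot: `'~> 0.6'` on a pre-1.0 dependency resolves to `>= 0.6, < 1.0`, so `warden-jwt_auth` 0.7, 0.8 and so on are accepted even though 0.x minors may carry breaking changes; if the gem is only exercised against 0.6.x, `'~> 0.6.0'` states that precisely. Since the README now documents `decoding_secret` and `algorithm`, confirm 0.6.0 is really the minimum version that accepts both settings. Dropping `pry-byebug` is an unrelated cleanup that would be easier to review as its own commit.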
@@ -2,6 +2,6 @@
2
2
 
3
3
  module Devise
4
4
  module JWT
5
- VERSION = '0.8.1'
5
+ VERSION = '0.10.0'
6
6
  end
7
7
  end
data/lib/devise/jwt.rb CHANGED
@@ -17,9 +17,7 @@ module Devise
17
17
  #
18
18
  # @see Warden::JWTAuth
19
19
  def self.jwt
20
- Warden::JWTAuth.config.to_h
21
20
  yield(Devise::JWT.config)
22
- Devise::JWT.config.to_h
23
21
  end
24
22
 
25
23
  add_module(:jwt_authenticatable, strategy: :jwt)
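Review bot: with the two `.to_h` calls removed, `Devise.jwt` now returns whatever the block returns instead of the Devise config hash; both removed calls discarded their result, so this only matters if a caller relied on the return value. If the trailing `Devise::JWT.config.to_h` was there to make dry-configurable evaluate every setting (and thereby forward it to Warden), confirm that the new `constructor:` lambdas still push each configured value to `Warden::JWTAuth.config` before the first request is authenticated.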
@@ -34,27 +32,31 @@ module Devise
34
32
  Warden::JWTAuth.config.send(setting)
35
33
  end
36
34
 
37
- setting(:secret, Warden::JWTAuth.config.secret) do |value|
38
- forward_to_warden(:secret, value)
39
- end
35
+ setting(:secret,
36
+ default: Warden::JWTAuth.config.secret,
37
+ constructor: ->(value) { forward_to_warden(:secret, value) })
40
38
 
41
- setting(:expiration_time, Warden::JWTAuth.config.expiration_time) do |value|
42
- forward_to_warden(:expiration_time, value)
43
- end
39
+ setting(:decoding_secret,
40
+ constructor: ->(value) { forward_to_warden(:decoding_secret, value) })
41
+
42
+ setting(:algorithm,
43
+ constructor: ->(value) { forward_to_warden(:algorithm, value) })
44
+
45
+ setting(:expiration_time,
46
+ default: Warden::JWTAuth.config.expiration_time,
47
+ constructor: ->(value) { forward_to_warden(:expiration_time, value) })
44
48
 
45
49
  setting(:dispatch_requests,
46
- Warden::JWTAuth.config.dispatch_requests) do |value|
47
- forward_to_warden(:dispatch_requests, value)
48
- end
50
+ default: Warden::JWTAuth.config.dispatch_requests,
51
+ constructor: ->(value) { forward_to_warden(:dispatch_requests, value) })
49
52
 
50
53
  setting(:revocation_requests,
51
- Warden::JWTAuth.config.revocation_requests) do |value|
52
- forward_to_warden(:revocation_requests, value)
53
- end
54
+ default: Warden::JWTAuth.config.revocation_requests,
55
+ constructor: ->(value) { forward_to_warden(:revocation_requests, value) })
54
56
 
55
- setting(:aud_header, Warden::JWTAuth.config.aud_header) do |value|
56
- forward_to_warden(:aud_header, value)
57
- end
57
+ setting(:aud_header,
58
+ default: Warden::JWTAuth.config.aud_header,
59
+ constructor: ->(value) { forward_to_warden(:aud_header, value) })
58
60
 
59
61
  # A hash of warden scopes as keys and an array of request formats that will
60
62
  # be processed as values. When a scope is not present or if it has a nil
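Review bot: `decoding_secret` and `algorithm` are the only settings declared without a `default:`, so unlike `secret` they do not mirror Warden's effective value. Two things to check: (1) `Devise::JWT.config.algorithm` reads as nil rather than the HS256 the README says is in use, and (2) depending on the dry-configurable version, the constructor may be applied to the nil default the first time the setting is read, which would call `forward_to_warden(:algorithm, nil)` and overwrite Warden's working default with nil. Giving both settings `default: Warden::JWTAuth.config.<name>` like their siblings, or guarding the lambda with `->(value) { value.nil? ? Warden::JWTAuth.config.algorithm : forward_to_warden(:algorithm, value) }`, avoids both.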
@@ -69,6 +71,6 @@ module Devise
69
71
  # user: [:json],
70
72
  # admin_user: [nil, :xml]
71
73
  # }
72
- setting :request_formats, {}
74
+ setting :request_formats, default: {}
73
75
  end
74
76
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: devise-jwt
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.8.1
4
+ version: 0.10.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Marc Busqué
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2021-02-14 00:00:00.000000000 Z
11
+ date: 2022-09-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: devise
@@ -30,14 +30,14 @@ dependencies:
30
30
  requirements:
31
31
  - - "~>"
32
32
  - !ruby/object:Gem::Version
33
- version: '0.5'
33
+ version: '0.6'
34
34
  type: :runtime
35
35
  prerelease: false
36
36
  version_requirements: !ruby/object:Gem::Requirement
37
37
  requirements:
38
38
  - - "~>"
39
39
  - !ruby/object:Gem::Version
40
- version: '0.5'
40
+ version: '0.6'
41
41
  - !ruby/object:Gem::Dependency
42
42
  name: bundler
43
43
  requirement: !ruby/object:Gem::Requirement
@@ -80,20 +80,6 @@ dependencies:
80
80
  - - ">="
81
81
  - !ruby/object:Gem::Version
82
82
  version: '0'
83
- - !ruby/object:Gem::Dependency
84
- name: pry-byebug
85
- requirement: !ruby/object:Gem::Requirement
86
- requirements:
87
- - - "~>"
88
- - !ruby/object:Gem::Version
89
- version: '3.7'
90
- type: :development
91
- prerelease: false
92
- version_requirements: !ruby/object:Gem::Requirement
93
- requirements:
94
- - - "~>"
95
- - !ruby/object:Gem::Version
96
- version: '3.7'
97
83
  - !ruby/object:Gem::Dependency
98
84
  name: rails
99
85
  requirement: !ruby/object:Gem::Requirement
@@ -200,10 +186,13 @@ extensions: []
200
186
  extra_rdoc_files: []
201
187
  files:
202
188
  - ".codeclimate.yml"
189
+ - ".github/FUNDING.yml"
190
+ - ".github/dependabot.yml"
191
+ - ".github/workflows/ci.yml"
192
+ - ".github/workflows/lint.yml"
203
193
  - ".gitignore"
204
194
  - ".rspec"
205
195
  - ".rubocop.yml"
206
- - ".travis.yml"
207
196
  - CHANGELOG.md
208
197
  - CODE_OF_CONDUCT.md
209
198
  - Dockerfile
@@ -248,7 +237,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
248
237
  - !ruby/object:Gem::Version
249
238
  version: '0'
250
239
  requirements: []
251
- rubygems_version: 3.2.3
240
+ rubygems_version: 3.0.3.1
252
241
  signing_key:
253
242
  specification_version: 4
254
243
  summary: JWT authentication for devise
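Review bot: `rubygems_version` went backwards from 3.2.3 to 3.0.3.1, meaning this release was packaged with an older RubyGems than 0.8.1 was. Not a defect, but for a release that also replaces the CI pipeline it is worth confirming the gem is built from a consistent, documented toolchain so the published artifact can be reproduced.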
data/.travis.yml DELETED
@@ -1,21 +0,0 @@
1
- language: ruby
2
- cache: bundler
3
- rvm:
4
- - 2.6
5
- - 2.7
6
- - 3.0
7
- - ruby-head
8
- before_install:
9
- - gem update --system --no-doc
10
- - gem install bundler
11
- script:
12
- - bundle exec rspec
13
- - bundle exec rubocop
14
- - bundle exec codeclimate-test-reporter
15
- jobs:
16
- allow_failures:
17
- - rvm: ruby-head
18
- addons:
19
- code_climate:
20
- repo_token:
21
- secure: 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
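Review bot: the deleted config ran `bundle exec codeclimate-test-reporter` with the Code Climate `repo_token`; the new `ci.yml` uploads no coverage, so the `Test Coverage` badge the README still shows will stop updating. Either add a coverage upload step to the workflow or drop the badge. Getting the encrypted `repo_token` out of the repository is a welcome side effect. Note also that this matrix included Ruby 2.6, which the new CI matrix (2.7, 3.0, 3.1) no longer tests; if 2.6 support is now dropped, say so in the CHANGELOG.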