devise-jwt 0.9.0 → 0.10.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5e40b6ccd72ec79899cc680dcbcafbfa0e2375ef5a079d21fd2bbd41863a0dd1
-  data.tar.gz: a2e8404f365a91acd324d5d62a6276943d08f0fd012b33f8e1a54098531d9327
+  metadata.gz: 2b5a307382874853dba1abc67c451c9dd01e81a1b2dd84c94db6a10af7f4cc44
+  data.tar.gz: b3f6ec7a63b8f481038f2aeb72cb872d451dfc679537aa29b1d85aaa66c6aaab
 SHA512:
-  metadata.gz: 1d39b950c6f645a487274958c644f637a61c4bcade854703027c04202f594fe4b7409861b8275b13f02d231ea2a292135b3ec94a06e3c04cc593529129ce7f68
-  data.tar.gz: a804da86acdc39451f169fef0e8b04ca7bd8874600a6259ae494a02ca85b727e3bd9e08590cfa0ca8c615af11ebec58df5032948a1ae76a57e3fd1f2cc52e11e
+  metadata.gz: e95511b4462ce942934858d578589ba618117e8bfc6e3f617f7082f82627b293e706d130a242afde25ce3e8ff5da8e8d4d058c54d51ac2dfd785f5e59747e87d
+  data.tar.gz: 713c71400296bae1493096d2f55b19bedff85cb7884502cd09a954872c72624a109887ef405cbee04ad56520ee255aab190f6b3c5032a952ecaa978223c9e06a

data/.github/FUNDING.yml

@@ -0,0 +1 @@
+github: waiting-for-dev

data/.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

data/.github/workflows/ci.yml

@@ -0,0 +1,21 @@
+name: CI 
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby-version: ['2.7', '3.0', '3.1', ruby-head]
+
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby ${{ matrix.ruby-version }}
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby-version }}
+        bundler-cache: true # 'bundle install' and cache
+    - name: Run specs 
+      run: |
+        bundle exec rspec

data/.github/workflows/lint.yml

@@ -0,0 +1,17 @@
+name: Lint
+
+on: [push, pull_request]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Ruby ${{ matrix.ruby-version }}
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.7 
+        bundler-cache: true # 'bundle install' and cache
+    - name: Run specs 
+      run: |
+        bundle exec rubocop

data/CHANGELOG.md

@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) 
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [0.10.0] - 2022-09-16
+### Added
+- Enable support for asymmetric algorithms
+
+### Fixed
+- FIX: "No verification key available" on token decode
+
 ## [0.9.0] - 2021-09-21
 ### Fixed
 - Fix compatibility with dry-configurable 0.13

data/README.md

@@ -5,10 +5,10 @@
 [![Code Climate](https://codeclimate.com/github/waiting-for-dev/devise-jwt/badges/gpa.svg)](https://codeclimate.com/github/waiting-for-dev/devise-jwt)
 [![Test Coverage](https://codeclimate.com/github/waiting-for-dev/devise-jwt/badges/coverage.svg)](https://codeclimate.com/github/waiting-for-dev/devise-jwt/coverage)
 
-`devise-jwt` is a [devise](https://github.com/plataformatec/devise) extension which uses [JWT](https://jwt.io/) tokens for user authentication. It follows [secure by default](https://en.wikipedia.org/wiki/Secure_by_default) principle.
+`devise-jwt` is a [Devise](https://github.com/plataformatec/devise) extension which uses [JWT](https://jwt.io/) tokens for user authentication. It follows [secure by default](https://en.wikipedia.org/wiki/Secure_by_default) principle.
 
-This gem is just a replacement for cookies when these can't be used. As
-cookies, a token expired with `devise-jwt` will mandatorily have an expiration
+This gem is just a replacement for cookies when these can't be used. As with
+cookies, a `devise-jwt` token will mandatorily have an expiration
 time. If you need that your users never sign out, you will be better off with a
 solution using refresh tokens, like some implementation of OAuth2.
 
@@ -19,7 +19,7 @@ You can read about which security concerns this library takes into account and a
 - [JWT Secure Usage](http://waiting-for-dev.github.io/blog/2017/01/25/jwt_secure_usage)
 - [A secure JWT authentication implementation for Rack and Rails](http://waiting-for-dev.github.io/blog/2017/01/26/a_secure_jwt_authentication_implementation_for_rack_and_rails)
 
-`devise-jwt` is just a thin layer on top of [`warden-jwt_auth`](https://github.com/waiting-for-dev/warden-jwt_auth) that configures it to be used out of the box with devise and Rails.
+`devise-jwt` is just a thin layer on top of [`warden-jwt_auth`](https://github.com/waiting-for-dev/warden-jwt_auth) that configures it to be used out of the box with Devise and Rails.
 
 ## Upgrade notes
 
@@ -31,7 +31,7 @@ For `Denylist`, you only need to update the `include` line you're using in your
 
 ```ruby
 # include Devise::JWT::RevocationStrategies::Blacklist # before
-include Devise::JWT::RevocationStrategies::Denylist 
+include Devise::JWT::RevocationStrategies::Denylist
 ```
 
 For `Allowlist`, you need to update the `include` line you're using in your user model:
@@ -61,11 +61,11 @@ Or install it yourself as:
 
 ## Usage
 
-First you need to configure devise to work in an API application. You can follow the instructions in this project wiki page [Configuring devise for APIs](https://github.com/waiting-for-dev/devise-jwt/wiki/Configuring-devise-for-APIs) (you are more than welcome to improve them).
+First, you need to configure Devise to work in an API application. You can follow the instructions in this project wiki page [Configuring Devise for APIs](https://github.com/waiting-for-dev/devise-jwt/wiki/Configuring-devise-for-APIs) (you are more than welcome to improve them).
 
 ### Secret key configuration
 
-First of all, you have to configure the secret key that will be used to sign generated tokens. You can do it in the devise initializer:
+You have to configure the secret key that will be used to sign generated tokens. You can do it in the Devise initializer:
 
 ```ruby
 Devise.setup do |config|
@@ -76,18 +76,66 @@ Devise.setup do |config|
 end
 ```
 
-**Important:** You are encouraged to use a secret different than your application `secret_key_base`. It is quite possible that some other component of your system is already using it. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. In rails, generating new secrets is as easy as `bundle exec rake secret`. Also, never share your secrets pushing it to a remote repository, you are better off using an environment variable like in the example.
+If you are using Encrypted Credentials (Rails 5.2+), you can store the secret key in `config/credentials.yml.enc`.
 
-Currently, HS256 algorithm is the one in use.
+Open your credentials editor using `bin/rails credentials:edit` and add `devise_jwt_secret_key`.
+
+> **Note** you may need to set `$EDITOR` depending on your specific environment.
+
+```yml
+
+# Other secrets...
+
+# Used as the base secret for Devise JWT
+devise_jwt_secret_key: abc...xyz
+```
+
+Add the following to the Devise initializer.
+
+```ruby
+Devise.setup do |config|
+  # ...
+  config.jwt do |jwt|
+    jwt.secret = Rails.application.credentials.devise_jwt_secret_key!
+  end
+end
+```
+
+> **Important:** You are encouraged to use a secret different than your application `secret_key_base`. It is quite possible that some other component of your system is already using it. If several components share the same secret key, chances that a vulnerability in one of them has a wider impact increase. In rails, generating new secrets is as easy as `bundle exec rake secret`. Also, never share your secrets pushing it to a remote repository, you are better off using an environment variable like in the example.
+
+Currently, HS256 algorithm is the one in use. You may configure a matching secret and algorithm name to use a different one (see [ruby-jwt](https://github.com/jwt/ruby-jwt#algorithms-and-usage) to see which are supported):
+
+```ruby
+Devise.setup do |config|
+  # ...
+  config.jwt do |jwt|
+    jwt.secret = OpenSSL::PKey::RSA.new(Rails.application.credentials.devise_jwt_secret_key!)
+    jwt.algorithm = Rails.application.credentials.devise_jwt_algorithm!
+  end
+end
+```
+
+If the algorithm is asymmetric (e.g. RS256) which necessitates a different decoding secret, configure the `decoding_secret` setting as well:
+
+```ruby
+Devise.setup do |config|
+  # ...
+  config.jwt do |jwt|
+    jwt.secret = OpenSSL::PKey::RSA.new(Rails.application.credentials.devise_jwt_private_key!)
+    jwt.decoding_secret = OpenSSL::PKey::RSA.new(Rails.application.credentials.devise_jwt_public_key!)
+    jwt.algorithm = 'RS256' # or some other asymmetric algorithm
+  end
+end
+```
 
 ### Model configuration
 
 You have to tell which user models you want to be able to authenticate with JWT tokens. For them, the authentication process will be like this:
 
-- A user authenticates through devise create session request (for example, using the standard `:database_authenticatable` module).
+- A user authenticates through Devise create session request (for example, using the standard `:database_authenticatable` module).
 - If the authentication succeeds, a JWT token is dispatched to the client in the `Authorization` response header, with format `Bearer #{token}` (tokens are also dispatched on a successful sign up).
 - The client can use this token to authenticate following requests for the same user, providing it in the `Authorization` request header, also with format `Bearer #{token}`
-- When the client visits devise destroy session request, the token is revoked.
+- When the client visits Devise destroy session request, the token is revoked.
 
 See [request_formats](#request_formats) configuration option if you are using paths with a format segment (like `.json`) in order to use it properly.
 
@@ -102,7 +150,7 @@ class User < ApplicationRecord
 end
 ```
 
-If you need to add something to the JWT payload, you can do it defining a `jwt_payload` method in the user model. It must return a `Hash`. For instance:
+If you need to add something to the JWT payload, you can do it by defining a `jwt_payload` method in the user model. It must return a `Hash`. For instance:
 
 ```ruby
 def jwt_payload
@@ -136,11 +184,11 @@ end
 #### Session storage caveat
 
 If you are working with a Rails application that has session storage enabled
-and a default devise setup, chances are that same origin requests will be
+and a default Devise setup, chances are the same origin requests will be
 authenticated from the session regardless of a token being present in the
 headers or not.
 
-This is so because of the following default devise workflow:
+This is so because of the following default Devise workflow:
 
 - When a user signs in with `:database_authenticatable` strategy, the user is
   stored in the session unless one of the following conditions is met:
@@ -150,13 +198,13 @@ This is so because of the following default devise workflow:
     protection](http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html)
     handles an unverified request (but this is usually deactivated for API
     requests).
-- Warden (the engine below devise), authenticates any request that has the user
-  in the session without even reaching to any strategy (`:jwt_authenticatable`
+- Warden (the engine below Devise), authenticates any request that the user has
+  in the session without requiring a strategy (`:jwt_authenticatable`
   in our case).
 
 So, if you want to avoid this caveat you have three options:
 
-- Disable the session. If you are developing an API, probably you don't need
+- Disable the session. If you are developing an API, you probably don't need
   it. In order to disable it, change `config/initializers/session_store.rb` to:
   ```ruby
   Rails.application.config.session_store :disabled
@@ -169,7 +217,7 @@ So, if you want to avoid this caveat you have three options:
   config.skip_session_storage = [:http_auth, :params_auth]
   ```
 - If you are using Devise for another model (e.g. `AdminUser`) and doesn't want
-  to disable session storage for devise entirely, you can disable it on a
+  to disable session storage for Devise entirely, you can disable it on a
   per-model basis:
   ```ruby
   class User < ApplicationRecord
@@ -184,7 +232,7 @@ So, if you want to avoid this caveat you have three options:
 
 #### JTIMatcher
 
-Here, the model class acts itself as the revocation strategy. It needs a new string column with name `jti` to be added to the user. `jti` stands for JWT ID, and it is a standard claim meant to uniquely identify a token.
+Here, the model class acts as the revocation strategy. It needs a new string column named `jti` to be added to the user. `jti` stands for JWT ID, and it is a standard claim meant to uniquely identify a token.
 
 It works like the following:
 
@@ -229,7 +277,7 @@ end
 
 #### Denylist
 
-In this strategy, a database table is used as a list of revoked JWT tokens. The `jti` claim, which uniquely identifies a token, is persisted. The `exp` claim is also stored to allow the clean-up of staled tokens.
+In this strategy, a database table is used as a list of revoked JWT tokens. The `jti` claim, which uniquely identifies a token, is persisted. The `exp` claim is also stored to allow the clean-up of stale tokens.
 
 In order to use it, you need to create the denylist table in a migration:
 
@@ -244,7 +292,7 @@ end
 ```
 For performance reasons, it is better if the `jti` column is an index.
 
-Note: if you used the denylist strategy before vesion 0.4.0 you may not have the field *exp.* If not, run the following migration:
+Note: if you used the denylist strategy before version 0.4.0 you may not have the field *exp.* If not, run the following migration:
 
 ```ruby
 class AddExpirationTimeToJWTDenylist < ActiveRecord::Migration
@@ -276,9 +324,9 @@ end
 
 #### Allowlist
 
-Here, the model itself acts also as a revocation strategy, but it needs to have
+Here, the model itself also acts as a revocation strategy, but it needs to have
 a one-to-many association with another table which stores the tokens (in fact
-their `jti` claim, which uniquely identifies them) valids for each user record.
+their `jti` claim, which uniquely identifies them) that are valid for each user record.
 
 The workflow is as the following:
 
@@ -296,7 +344,7 @@ devices for the same user.
 
 The `exp` claim is also stored to allow the clean-up of staled tokens.
 
-In order to use it, you have to create yourself the associated table and model.
+In order to use it, you have to create the associated table and model.
 The association table must be called `allowlisted_jwts`:
 
 ```ruby
@@ -313,7 +361,7 @@ def change
   add_index :allowlisted_jwts, :jti, unique: true
 end
 ```
-Important: You are encouraged to set a unique index in the jti column. This way we can be sure at the database level that there aren't two valid tokens with same jti at the same time. Definining `foreign_key: { on_delete: :cascade }, null: false` on `t.references :your_user_table` helps to keep referential integrity of your database.
+Important: You are encouraged to set a unique index in the `jti` column. This way we can be sure at the database level that there aren't two valid tokens with the same `jti` at the same time. Defining `foreign_key: { on_delete: :cascade }, null: false` on `t.references :your_user_table` helps to keep referential integrity of your database.
 
 And then, the model:
 
@@ -355,7 +403,7 @@ end
 
 #### Custom strategies
 
-You can also implement your own strategies. They just need to implement two methods: `jwt_revoked?` and `revoke_jwt`, both of them accepting as parameters the JWT payload and the user record, in this order.
+You can also implement your own strategies. They just need to implement two methods: `jwt_revoked?` and `revoke_jwt`, both of them accept the JWT payload and the user record as parameters, in this order.
 
 For instance:
 
@@ -379,10 +427,10 @@ end
 ### Testing
 
 Models configured with `:jwt_authenticatable` usually won't be retrieved from
-the session. For this reason, `sign_in` devise testing helper methods won't
+the session. For this reason, `sign_in` Devise testing helper methods won't
 work as expected.
 
-What you need to do in order to authenticate test environment requests is the
+What you need to do to authenticate test environment requests is the
 same that you will do in production: to provide a valid token in the
 `Authorization` header (in the form of `Bearer #{token}`) at every request.
 
@@ -420,7 +468,7 @@ Usually you will wrap this in your own test helper.
 
 ### Configuration reference
 
-This library can be configured calling `jwt` on devise config object:
+This library can be configured calling `jwt` on Devise config object:
 
 ```ruby
 Devise.setup do |config|
@@ -431,17 +479,17 @@ end
 ```
 #### secret
 
-Secret key used to sign generated JWT tokens. You must set it.
+Secret key is used to sign generated JWT tokens. You must set it.
 
 #### expiration_time
 
 Number of seconds while a JWT is valid after its generation. After that, it won't be valid anymore, even if it hasn't been revoked.
 
-Defaults to 3600 (1 hour).
+Defaults to 3600 seconds (1 hour).
 
 #### dispatch_requests
 
-Besides the create session one, additional requests where JWT tokens should be dispatched.
+Besides the create session one, there are additional requests where JWT tokens should be dispatched.
 
 It must be a bidimensional array, each item being an array of two elements: the request method and a regular expression that must match the request path.
 
@@ -458,7 +506,7 @@ jwt.dispatch_requests = [
 
 #### revocation_requests
 
-Besides the destroy session one, additional requests where JWT tokens should be revoked.
+Besides the destroy session one, there are additional requests where JWT tokens should be revoked.
 
 It must be a bidimensional array, each item being an array of two elements: the request method and a regular expression that must match the request path.
 
@@ -477,7 +525,7 @@ jwt.revocation_requests = [
 
 Request formats that must be processed (in order to dispatch or revoke tokens).
 
-It must be a hash of devise scopes as keys and an array of request formats as
+It must be a hash of Devise scopes as keys and an array of request formats as
 values. When a scope is not present or if it has a nil item, requests without
 format will be taken into account.
 

data/devise-jwt.gemspec

@@ -27,7 +27,6 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "bundler", "> 1"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec"
-  spec.add_development_dependency "pry-byebug", "~> 3.7"
   # Needed to test the rails fixture application
   spec.add_development_dependency 'rails', '~> 6.0'
   spec.add_development_dependency 'sqlite3', '~> 1.3'

data/lib/devise/jwt/version.rb

@@ -2,6 +2,6 @@
 
 module Devise
   module JWT
-    VERSION = '0.9.0'
+    VERSION = '0.10.0'
   end
 end

data/lib/devise/jwt.rb

@@ -17,9 +17,7 @@ module Devise
   #
   # @see Warden::JWTAuth
   def self.jwt
-    Warden::JWTAuth.config.to_h
     yield(Devise::JWT.config)
-    Devise::JWT.config.to_h
   end
 
   add_module(:jwt_authenticatable, strategy: :jwt)
@@ -38,6 +36,12 @@ module Devise
             default: Warden::JWTAuth.config.secret,
             constructor: ->(value) { forward_to_warden(:secret, value) })
 
+    setting(:decoding_secret,
+            constructor: ->(value) { forward_to_warden(:decoding_secret, value) })
+
+    setting(:algorithm,
+            constructor: ->(value) { forward_to_warden(:algorithm, value) })
+
     setting(:expiration_time,
             default: Warden::JWTAuth.config.expiration_time,
             constructor: ->(value) { forward_to_warden(:expiration_time, value) })

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: devise-jwt
 version: !ruby/object:Gem::Version
-  version: 0.9.0
+  version: 0.10.0
 platform: ruby
 authors:
 - Marc Busqué
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2021-09-21 00:00:00.000000000 Z
+date: 2022-09-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise
@@ -80,20 +80,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: pry-byebug
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.7'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '3.7'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
@@ -200,10 +186,13 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".codeclimate.yml"
+- ".github/FUNDING.yml"
+- ".github/dependabot.yml"
+- ".github/workflows/ci.yml"
+- ".github/workflows/lint.yml"
 - ".gitignore"
 - ".rspec"
 - ".rubocop.yml"
-- ".travis.yml"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Dockerfile
@@ -248,7 +237,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.2
+rubygems_version: 3.0.3.1
 signing_key: 
 specification_version: 4
 summary: JWT authentication for devise

data/.travis.yml

@@ -1,21 +0,0 @@
-language: ruby
-cache: bundler
-rvm:
-  - 2.6
-  - 2.7
-  - 3.0
-  - ruby-head
-before_install:
-  - gem update --system --no-doc
-  - gem install bundler
-script:
-  - bundle exec rspec
-  - bundle exec rubocop
-  - bundle exec codeclimate-test-reporter
-jobs:
-  allow_failures:
-    - rvm: ruby-head
-addons:
-  code_climate:
-    repo_token:
-      secure: OWVschEUE+pVEQFR9dgtCUVmf2GJF3e7RTvX9M3CS7fhLyWqDlHdkCxmxCGJQDBVXR59ReCni2sbbRgkfqekkggLEG3gvHl2uof9+PVVRXTbDDDydwDGHLvcT8ZVJOHVgqgX899j6eBSsqdtSB7rMEdMOYBYDw35/yd844LkaW+sOWUbx0SJSo0V0QtJe3DC7vTAo/EEGTQs7WRGcXa6Pg9RlWiK7ThVoEbXQ4GDdjS5mWsQer4QcdnOfiuBL8mC3XAX+wJyBIqAVetAmhFKtwH+pKYMqRbcI/iBSaHslGowLr+tQW/tLO9XZsz95C6037XUse6BUJ5U9mYsgcnebslVJnuQ4dyXTXwQ2e1Fzy4iYr9Iz2Yhr3EjchXOvXh0D2BDPLCZMF98W/hsPZ4hPq/FhfjdfJXHcuqU6k7Ozr6UTwMmuNMvR7af2hXGaralTPOH8SVh/RtxpWsAocNA4n1b7dhdpMLKDNZ7GxdunDo5zJ03HUH4d0SDexnx3xSpfR/q+FJDHNxfD7KVAsgQYnrNjde/DnYszV2E3EAUVWF71ZaNQIvDyS1gyBjjvkSGRGL5tY7z+sdaRfE68toidgl2eR08vt/eYo3DIIzwPvI5N/BTv/Xm8vQ+jfwxCF6Ezr1TJTZW4auoMBAVqrr4HoO6T7VHTOeUD0Bukp7KBfQ=