devise-sssecrets 0.1.0
- checksums.yaml +7 -0
- data/.rspec +3 -0
- data/.rubocop.yml +13 -0
- data/LICENSE.txt +21 -0
- data/README.md +96 -0
- data/Rakefile +12 -0
- data/devise-sssecrets.gemspec +36 -0
- data/lib/devise/sssecrets/version.rb +7 -0
- data/lib/devise/sssecrets.rb +53 -0
- data/sig/devise/sssecrets.rbs +6 -0
- metadata +54 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 621c723b76901be8d81412e1f45769c7852e96b5e1be9aff5a06e2d62e9b9b1b
+  data.tar.gz: a4209d93c6b96a236e00976763975b61b027d63a44d2752a45c3ebeaea1e1070
+SHA512:
+  metadata.gz: f771b4a63f571024bc822347f914c8f92cb63fae01c3a999b0ca21aa218b5d18c49195ff441c55c4de5cfee3bdee8659e360cc90fbe6622f0d2d58ce9fc6d1e9
+  data.tar.gz: 7996c2c639367c0e6f75a1f6f75a83c7307e205c42d3ed9024bf7e779411ceda6a1f211b4121e98fe8e289024e3c73ccc54996c5c282eec372fa782b465fb460
data/.rspec
ADDED
data/.rubocop.yml
ADDED
data/LICENSE.txt
ADDED
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 Charlton Trezevant
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
data/README.md
ADDED
@@ -0,0 +1,96 @@
+# Devise::Sssecrets - Sssecrets For Devise's Friendly Token Generator
+
+## Purpose
+
+[Sssecrets](https://github.com/chtzvt/sssecrets) is a handy gem for generating secure tokens that are easy for static analysis tools to identify. It works great as a standalone tool, but there are cases where developers may want to integrate it with authentication frameworks like [Devise](https://github.com/heartcombo/devise).
+
+This gem provides a module to use sssecrets with Devise as a drop-in replacement for the framework's [built-in friendly token generator](https://github.com/heartcombo/devise/blob/main/lib/devise.rb#L507). By introducing the use of sssecrets for token generation and enabling the configuration of token prefixes and organizations, developers can generate secure and unique tokens with consistent, configurable, identifiable prefixes to suit various use cases.
+
+To learn more about the sssecrets gem and the case for using structured secrets in your application, check out the [Sssecrets repository](https://github.com/chtzvt/sssecrets).
+
+## Why Structured Secrets?
+
+If you're a developer and your application issues some kind of access tokens (API keys, PATs, etc), it's important to format these in a way that both identifies the string as a secret token and provides insight into its permissions.
+
+[Simple Structured Secrets](https://github.com/chtzvt/sssecrets) help solve this problem: They're a compact format with properties that are optimized for detection with static analysis tools. That makes it possible to automatically detect when secrets are leaked in a codebase using features like [GitHub Secret Scanning](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning) or GitLab Secret Detection.
+
+Here's an example. HashiCorp Vault's API access tokens look like this ([ref](https://developer.hashicorp.com/vault/api-docs#authentication)):
+
+`f3b09679-3001-009d-2b80-9c306ab81aa6`
+
+You might think that this is pretty is a pretty easy pattern to search for, but here's the issue: It's just a [UUID string](https://en.wikipedia.org/wiki/Universally_unique_identifier).
+
+While random, strings in this format are used in many places for non-sensitive purposes. Meaning that, given a random UUID formatted string, it's impossible to know whether it's a sensitive API credential or a garden-variety identifier for something mundane. In cases like these, secret scanning can't help much.
+
+### Prefix Configuration
+
+Token prefixes are a simple and effective method to make tokens identifiable. [Slack](https://api.slack.com/authentication/token-types), [Stripe](https://stripe.com/docs/api/authentication), [GitHub](https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/#identifiable-prefixes), and others have adopted this approach to great effect.
+
+Sssecrets allows you to provide two abbreviated strings, `org` and `type`, which together make up the token prefix. Generally, `org` would be used to specify an overarching identifier (like your company or app), while `type` is intended to identify the token type (i.e., OAuth tokens, refresh tokens, etc) in some way. To maintain a compact and consistent format for Sssecret tokens, `org` and `type` together should not exceed 10 characters in length.
+
+The overridden `Devise#friendly_token` implementation has been extended to accept two optional parameters:
+
+- `prefix_type`: Specifies the type of the token prefix. If not provided, it defaults to `:default`.
+
+- `org`: Specifies the organization for the friendly token. If not provided, the default organization is used.
+
+_Note: the [original implementation's](https://github.com/heartcombo/devise/blob/main/lib/devise.rb#L507) `length` parameter is now ignored._
+
+## How to Use
+
+Before you begin, add `devise-sssecrets` to your gemfile and install it.
+
+1. Open your Devise initializer file at `config/initializers/devise.rb`.
+
+2. Use the `Devise.setup` block to configure your token organization and types.
+
+```ruby
+Devise.setup do |config|
+  config.friendly_token_org = 'dv' # Set your sssecret token organization. Defaults to "dv".
+  config.friendly_token_types[:default] = 'ft' # Add your sssecret token types like so. Default is "ft".
+  config.friendly_token_types[:user] = 'usr'
+  config.friendly_token_types[:admin] = 'adm'
+
+  # Any other Devise configuration...
+end
+```
+
+3. Call `Devise#friendly_token` with your desired parameters to generate friendly tokens based on the configured sssecrets prefixes and organization.
+
+## Example
+
+```ruby
+# Generate a friendly token with the default org 'dv' and default type of 'ft'
+token_with_default_prefix = Devise.friendly_token
+"dvft_3MU5bK5MChmzOmxCsQIhb7CEXgdcPj3tNmF9"
+
+# Generate a friendly token with the 'org' of 'test' and type of 'user'
+token_with_user_prefix = Devise.friendly_token(org: "test", prefix_type: :user)
+"testusr_cFl9hMJTxPRxpnHBmiUNgKizhilscT4RfLk2"
+
+# Generate a friendly token with the default 'org' and type of 'admin'
+token_with_admin_prefix = Devise.friendly_token(prefix_type: :admin)
+"dvadm_2Srrwf5IWVubTHmqBTVmvAraHgeCYO11ezUh"
+```
+
+## Tests
+
+Tests are included in this repository:
+
+```shell
+bundle exec rspec spec/devise/sssecrets_spec.rb
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and the created tag, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[chtzvt]/devise-sssecrets.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
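Review bot: the option name documented here does not match the code in `lib/devise/sssecrets.rb` later in this diff. The "Prefix Configuration" list and the `## Example` block pass `prefix_type:` (`Devise.friendly_token(org: "test", prefix_type: :user)`), but `friendly_token` reads `kwargs[:type]`, so every call written as documented falls through to the `:default` type and yields a `dvft_` or `testft_` token rather than the `testusr_` and `dvadm_` values shown; whichever name is kept, the example outputs should be regenerated from the fixed code. Smaller points: the paragraph on `org` and `type` says the two together must not exceed 10 characters, but nothing in the gem checks this, so either say the limit is unenforced or validate it in `Devise.setup`; `Devise#friendly_token` should be written `Devise.friendly_token`, since it is a module method and the examples call it that way; the sentence "You might think that this is pretty is a pretty easy pattern" has a duplicated phrase; and the Contributing URL still carries the gem-template placeholder brackets in `https://github.com/[chtzvt]/devise-sssecrets`.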
data/Rakefile
ADDED
data/devise-sssecrets.gemspec
ADDED
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require_relative "lib/devise/sssecrets/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "devise-sssecrets"
+  spec.version = Devise::Sssecrets::VERSION
+  spec.authors = ["Charlton Trezevant"]
+
+  spec.summary = "Sssecrets module for Devise"
+  spec.homepage = "https://github.com/chtzvt/devise-sssecrets"
+  spec.license = "MIT"
+  spec.required_ruby_version = ">= 2.6.0"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/chtzvt/devise-sssecrets"
+  spec.metadata["changelog_uri"] = "https://github.com/chtzvt/devise-sssecrets"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(__dir__) do
+    `git ls-files -z`.split("\x0").reject do |f|
+      (File.expand_path(f) == __FILE__) ||
+        f.start_with?(*%w[bin/ test/ spec/ features/ .git .circleci appveyor Gemfile])
+    end
+  end
+  spec.bindir = "exe"
+  spec.executables = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  # Uncomment to register a new dependency of your gem
+  # spec.add_dependency "example-gem", "~> 1.0"
+
+  # For more information and examples about making a new gem, check out our
+  # guide at: https://bundler.io/guides/creating_gem.html
+end
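Review bot: the gemspec declares no runtime dependencies, yet `lib/devise/sssecrets.rb` requires `devise` and `sssecrets` at load time, so a bare `gem install devise-sssecrets` yields a gem that fails on `require "sssecrets"` unless the application already bundles both (the generated metadata at the end of this diff confirms `dependencies: []`). Replace the commented template line `# spec.add_dependency "example-gem", "~> 1.0"` with `spec.add_dependency "devise"` and `spec.add_dependency "sssecrets"`, constrained to the versions actually tested. Two smaller points: `changelog_uri` points at the repository root rather than a changelog, and, since this release ships unsigned (`cert_chain: []`, empty `signing_key` in the metadata), consider `spec.metadata["rubygems_mfa_required"] = "true"` so that pushing future versions requires MFA on the publishing account.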
data/lib/devise/sssecrets.rb
ADDED
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require "devise"
+require "sssecrets"
+
+# This module provides a devise extension to use Sssecrets instead
+# of Devise's default friendly token generator.
+#
+# Please consult the link below to learn more about Structured Secrets and
+# the sssecrets gem.
+#
+# @see https://github.com/chtzvt/sssecrets
+module Devise
+  mattr_accessor :friendly_token_types
+  mattr_accessor :friendly_token_org
+
+  # Configuration block to set multiple token prefixes with sssecrets types and org
+  # The available sssecret token prefixes (org and types) can be set up in your Devise
+  # configuration block:
+  #
+  #   Devise.setup do |config|
+  #     config.friendly_token_org = 'dv' # Set your sssecret token organization. Defaults to "dv".
+  #     config.friendly_token_types[:default] = 'ft' # Add your sssecret token types like so. Default is "ft".
+  #     config.friendly_token_types[:user] = 'usr'
+  #     config.friendly_token_types[:admin] = 'adm'
+  #     # Any other Devise configuration...
+  #   end
+  def self.setup
+    self.friendly_token_types = { default: "ft" }
+    self.friendly_token_org = "dv"
+    yield(self)
+  end
+
+  def self.sssecrets_type_for(type)
+    friendly_token_types[type] || friendly_token_types[:default] || "ft"
+  end
+
+  # The overridden Devise#friendly_token implementation has been extended to accept two optional parameters:
+  #
+  # prefix_type: Specifies the type of the token prefix. If not provided, it defaults to :default.
+  # org: Specifies the organization for the friendly token. If not provided, the default organization is used.
+  #
+  # Note: the original implementation's length parameter is now ignored.
+  def self.friendly_token(**kwargs)
+    type = kwargs[:type] || :default
+    org = kwargs[:org] || friendly_token_org || "dv"
+
+    generator = SimpleStructuredSecrets.new(org, sssecrets_type_for(type))
+    generator.generate
+  end
+end
+
+Devise.add_module(:sssecrets, insert_at: 0)
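Review bot: `friendly_token` reads `kwargs[:type]` while the doc comment directly above it, the README and the examples all name the option `prefix_type`, so `Devise.friendly_token(prefix_type: :admin)` silently returns a `:default`-typed token; change it to `type = kwargs[:prefix_type] || :default` (or document `type:`) and add a spec that asserts on the prefix. Three more things in this hunk. The comment says the original `length` parameter "is now ignored", but `def self.friendly_token(**kwargs)` accepts no positional argument at all, so any caller still using the original `friendly_token(length = 20)` shape, such as `Devise.friendly_token(20)`, raises ArgumentError rather than being ignored; `def self.friendly_token(_length = 20, **kwargs)` would do what the comment promises. `friendly_token_types` and `friendly_token_org` are only assigned inside the overridden `Devise.setup`, so `friendly_token` called before `setup` (or in an app whose initializer never calls it) hits `nil[type]` in `sssecrets_type_for`; giving the accessors defaults (`mattr_accessor :friendly_token_types, default: { default: "ft" }` on ActiveSupport 5.2+) instead of assigning them in `setup` fixes that and also stops a second `Devise.setup` call from wiping prefixes configured by the first. Finally, `Devise.add_module(:sssecrets, insert_at: 0)` registers a module name without a `model:` option, so nothing defines `Devise::Models::Sssecrets` and `devise :sssecrets` in a model would appear to fail on the constant lookup; the override already works by reopening `Devise`, so this line can be dropped.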
metadata
ADDED
@@ -0,0 +1,54 @@
+--- !ruby/object:Gem::Specification
+name: devise-sssecrets
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Charlton Trezevant
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2023-07-25 00:00:00.000000000 Z
+dependencies: []
+description:
+email:
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".rspec"
+- ".rubocop.yml"
+- LICENSE.txt
+- README.md
+- Rakefile
+- devise-sssecrets.gemspec
+- lib/devise/sssecrets.rb
+- lib/devise/sssecrets/version.rb
+- sig/devise/sssecrets.rbs
+homepage: https://github.com/chtzvt/devise-sssecrets
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/chtzvt/devise-sssecrets
+  source_code_uri: https://github.com/chtzvt/devise-sssecrets
+  changelog_uri: https://github.com/chtzvt/devise-sssecrets
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.6.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.17
+signing_key:
+specification_version: 4
+summary: Sssecrets module for Devise
+test_files: []
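Review bot: `dependencies: []` is the packaged consequence of the gemspec not declaring `devise` and `sssecrets`, both of which `lib/devise/sssecrets.rb` requires, so the fix belongs in the gemspec and this generated file will follow on the next build. The empty `description:` and `email:` fields come from the gemspec leaving `spec.description` and `spec.email` unset; worth filling in before the next release, since rubygems.org shows them on the gem page. `cert_chain: []` and the empty `signing_key:` confirm the gem is unsigned, so consumers can only verify it against the checksums at the top of this diff rather than against a publisher certificate.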