faye-authentication 1.9.0 → 1.13

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 8a23b39985abaf9a9b77bb686e9dd9b7779c1dbd
-  data.tar.gz: f6ac3cd6d79171cb0a56e1d7a928397605347035
+SHA256:
+  metadata.gz: 7df2f00525686219899b087a97cd26dda4d0beb817de711c7009e0b1f2d73172
+  data.tar.gz: 87ed8fcf147384cf3c2a2f43ef32488e0592cac79e00f5360b4dd4b95d40bde6
 SHA512:
-  metadata.gz: bfc5f3e28c62c4e374057a0fd00384c32df7d24b6cf30c3377692cdf3616abed95a0721d16b540113e0edfc4b2f057965810789ceed2c2daadc39c917190cb01
-  data.tar.gz: a35a542c86ec95b394aeccf0a3fb7f5e24fb487def4b4984d4ac283e77b7e73120f7ae35a9461e7185a39a4c1ee5f889ebc685a4156310118bba4a8f67c16357
+  metadata.gz: 4b3cd29b0f5384af09976d723a30d2878e172ff15a9c125b109b27ff3592ce684446474799f8e035664cdc9af0458d005143ef05fed3539b31347a3eed627a5a
+  data.tar.gz: fba06b490b06c432ea3fdd7bd897c55f75f1ee2e20c7e68f59e8900037a454d007a1665ec251d04fc83387540e152ee459cfae4c1296909fa3b68db697ba07b2

data/.gitignore

@@ -2,6 +2,7 @@
 *.rbc
 .bundle
 .config
+.ruby-version
 .yardoc
 Gemfile.lock
 InstalledFiles

data/.travis.yml

@@ -1,4 +1,5 @@
 language: ruby
 rvm:
-  - 2.1.2
-  - 1.9.3
+  - 2.6.5
+  - 2.5.7
+  - 2.4.9

data/CHANGELOG.md

@@ -1,5 +1,22 @@
+## 1.13
+  - Fix [CVE-2020-11020](https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5)
+
+## 1.12
+  - No longer retry and fetch a new signature after errors unrelated to `Faye::Authentication` (#15)
+  - Internal:
+    - Fix rspec and jasmine specs (#14)
+    - Replace `phantomjs` with `chromeheadless` for jasmine specs (#14)
+    - Updated Travis settings with last ruby versions (#14)
+
+## 1.11.0
+  - Optional authentication for `Faye::Authentication::HTTPClient` (#12)
+
+## 1.10.0
+  - Remove signature from the server response (#11)
+
 ## 1.8.1
   - Fix bad parameter passed to Net::HTTP::Post in HTTP Client (thanks @evserykh)
+
 ## 1.8.0
  - Wait a delay before trying to fetch a signature after an error
 

data/README.md

@@ -1,4 +1,4 @@
-# Faye::Authentication [![Build Status](https://travis-ci.org/dimelo/faye-authentication.svg?branch=master)](https://travis-ci.org/dimelo/faye-authentication) [![Code Climate](https://codeclimate.com/github/dimelo/faye-authentication.png)](https://codeclimate.com/github/dimelo/faye-authentication)
+# Faye::Authentication [![Build Status](https://travis-ci.org/jarthod/faye-authentication.svg?branch=master)](https://travis-ci.org/jarthod/faye-authentication)
 
 Authentification implementation for faye
 

data/VERSION

@@ -1 +1 @@
-1.9.0
+1.13

data/app/assets/javascripts/faye-authentication.js

@@ -8,6 +8,7 @@ function FayeAuthentication(client, endpoint, options) {
   this._waiting_signatures = [];
   this._timer = null;
   this.logger = Faye.logger;
+  this.ERROR_LIST = ['Expired signature', 'Required argument not signed', 'Invalid signature']
 }
 
 FayeAuthentication.prototype.endpoint = function() {
@@ -34,14 +35,14 @@ FayeAuthentication.prototype.resolveWaitingSignatures = function() {
         return (e.channel == params.channel && e.clientId == params.clientId);
       })[0];
       if (typeof signature === 'undefined') {
-        self.logger.error('No signature found in ajax reply for channel ' + params.channel + ' and clientId ' + params.clientId);
+        self.logger.error('[Faye] No signature found in ajax reply for channel ' + params.channel + ' and clientId ' + params.clientId);
       } else if (signature && !signature.signature) {
-        self.logger.error('Error when fetching signature for channel ' + params.channel + ' and clientId ' + params.clientId + ', error was : "' + signature.error + '"');
+        self.logger.error('[Faye] Error when fetching signature for channel ' + params.channel + ' and clientId ' + params.clientId + ', error was : "' + signature.error + '"');
       }
       FayeAuthentication.Promise.resolve(self._signatures[params.clientId][params.channel], signature ? signature.signature : null);
     });
   }, 'json').fail(function(xhr, textStatus, e) {
-    self.logger.error('Failure when trying to fetch JWT signature for data "' + JSON.stringify(messages) + '", error was : ' + textStatus);
+    self.logger.error('[Faye] Failure when trying to fetch JWT signature for data "' + JSON.stringify(messages) + '", error was : ' + textStatus);
     $.each(messages, function(key, params) {
       FayeAuthentication.Promise.resolve(self._signatures[params.clientId][params.channel], null);
     });
@@ -91,12 +92,12 @@ FayeAuthentication.prototype.outgoing = function(message, callback) {
 
 FayeAuthentication.prototype.authentication_required = function(message) {
   var subscription_or_channel = message.subscription || message.channel;
-  if (message.channel == '/meta/subscribe' || message.channel.lastIndexOf('/meta/', 0) !== 0) {
+  if (message.channel.lastIndexOf('/meta/subscribe') === 0 || message.channel.lastIndexOf('/meta/', 0) !== 0) {
     if(this._options.whitelist) {
       try {
         return (!this._options.whitelist(subscription_or_channel));
       } catch (e) {
-        this.logger.error("Error caught when evaluating whitelist function : " + e.message);
+        this.logger.error("[Faye] Error caught when evaluating whitelist function : " + e.message);
       }
     }
     return (true);
@@ -106,7 +107,7 @@ FayeAuthentication.prototype.authentication_required = function(message) {
 
 FayeAuthentication.prototype.incoming = function(message, callback) {
   var outbox_message = this._outbox[message.id];
-  if (outbox_message && message.error) {
+  if (outbox_message && message.error && this.ERROR_LIST.indexOf(message.error) != -1) {
     var channel = outbox_message.message.subscription || outbox_message.message.channel;
     this._signatures[outbox_message.clientId][channel] = null;
     outbox_message.message.retried = true;

data/faye-authentication.gemspec

@@ -6,11 +6,11 @@ require 'faye/authentication/version'
 Gem::Specification.new do |spec|
   spec.name          = "faye-authentication"
   spec.version       = Faye::Authentication::VERSION
-  spec.authors       = ["Adrien Siami"]
-  spec.email         = ["adrien.siami@dimelo.com"]
+  spec.authors       = ["Adrien Siami", "Adrien Rey-Jarthon", "Cyril Le Roy", "Fabien Chaynes"]
+  spec.email         = ["adrien.siami@gmail.com", "jobs@adrienjarthon.com", "cyril.leroy44@gmail.com", "fabien.chaynes@ringcentral.com"]
   spec.summary       =
   spec.description   = "A faye extension to add authentication mechanisms"
-  spec.homepage      = "https://github.com/dimelo/faye-authentication"
+  spec.homepage      = "https://github.com/jarthod/faye-authentication"
   spec.license       = "MIT"
 
   spec.files         = `git ls-files -z`.split("\x0")
@@ -21,12 +21,13 @@ Gem::Specification.new do |spec|
   spec.add_runtime_dependency 'jwt', '>= 1.2'
   spec.add_runtime_dependency 'faye', '>= 1.0'
 
-  spec.add_development_dependency "bundler", "~> 1.5"
-  spec.add_development_dependency "rake", '~> 10.3'
-  spec.add_development_dependency 'rspec', '~> 3.0'
-  spec.add_development_dependency 'rspec-eventmachine', '~> 0.2'
-  spec.add_development_dependency 'jasmine', '~> 2.0'
-  spec.add_development_dependency 'rack', '~> 1.5'
-  spec.add_development_dependency 'thin', '~> 1.6'
-  spec.add_development_dependency 'webmock', '~> 1.18'
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rspec-eventmachine'
+  spec.add_development_dependency 'jasmine'
+  spec.add_development_dependency 'chrome_remote'
+  spec.add_development_dependency 'rack'
+  spec.add_development_dependency 'thin'
+  spec.add_development_dependency 'webmock'
 end

data/lib/faye/authentication.rb

@@ -41,7 +41,8 @@ module Faye
 
     def self.authentication_required?(message, options = {})
       subscription_or_channel = message['subscription'] || message['channel']
-      return false unless (message['channel'] == '/meta/subscribe' || (!(message['channel'].start_with?('/meta/'))))
+      return false if message['channel'].nil?
+      return false unless (message['channel'].start_with?('/meta/subscribe') || (!(message['channel'].start_with?('/meta/'))))
       whitelist_proc = options[:whitelist]
       if whitelist_proc
         begin

data/lib/faye/authentication/http_client.rb

@@ -4,16 +4,16 @@ module Faye
   module Authentication
     class HTTPClient
 
-      def self.publish(url, channel, data, key)
+      def self.publish(url, channel, data, key, options = {})
         uri = URI(url)
-        req = prepare_request(uri.request_uri, channel, data, key)
+        req = prepare_request(uri.request_uri, channel, data, key, options)
         Net::HTTP.start(uri.hostname, uri.port, :use_ssl => uri.scheme == 'https') { |http| http.request(req) }
       end
 
-      def self.prepare_request(uri, channel, data, key)
+      def self.prepare_request(uri, channel, data, key, options = {})
         req = Net::HTTP::Post.new(uri)
         message = {'channel' => channel, 'clientId' => 'http'}
-        message['signature'] = Faye::Authentication.sign(message, key)
+        message['signature'] = Faye::Authentication.sign(message, key) if Faye::Authentication.authentication_required?(message, options)
         message['data'] = data
         req.set_form_data(message: JSON.dump(message))
         req

data/lib/faye/authentication/server_extension.rb

@@ -26,6 +26,7 @@ module Faye
               end
             debug("Authentication failed: #{message['error']}")
           end
+          message.delete('signature')
         end
         callback.call(message)
       end

data/spec/javascripts/faye-authentication_spec.js

@@ -27,8 +27,8 @@ describe('faye-authentication', function() {
   describe('authentication_required', function() {
 
     beforeEach(function() {
+      Faye.logger = {error: function() {}};
       this.auth = new FayeAuthentication(new Faye.Client('http://example.com'));
-      Faye.logger = null;
     });
 
     function sharedExamplesForSubscribeAndPublish() {
@@ -45,7 +45,6 @@ describe('faye-authentication', function() {
 
       it('logs error if the function throws', function() {
         this.auth._options.whitelist = function(message) { throw new Error("boom"); }
-        Faye.logger = {error: function() {}};
         spyOn(Faye.logger, 'error');
         this.auth.authentication_required(this.message);
         expect(Faye.logger.error).toHaveBeenCalledWith('[Faye] Error caught when evaluating whitelist function : boom');
@@ -95,6 +94,14 @@ describe('faye-authentication', function() {
       sharedExamplesForSubscribeAndPublish();
     });
 
+    describe('subscribe with prefix', function() {
+      beforeEach(function() {
+        this.message = {'channel': '/meta/subscribe/x', 'subscription': '/foobar'};
+      });
+
+      sharedExamplesForSubscribeAndPublish();
+    });
+
     describe('handshake', function() {
       beforeEach(function() {
         this.message = {'channel': '/meta/handshake'};

data/spec/javascripts/faye-extension_spec.js

@@ -1,5 +1,6 @@
 describe('Faye extension', function() {
   beforeEach(function() {
+    Faye.logger = {error: function() {}};
     this.client = new Faye.Client('http://localhost:9296/faye');
     jasmine.Ajax.install();
   });
@@ -10,13 +11,15 @@ describe('Faye extension', function() {
 
   describe('Without extension', function() {
     it('fails to subscribe', function(done) {
-      this.client.subscribe('/foobar').then(undefined, function() {
+      this.client.subscribe('/foobar').then(undefined, function(e) {
+        expect(e.message).toBe('Invalid signature')
         done();
       });
     });
 
     it('fails to publish', function(done) {
-      this.client.publish('/foobar', {text: 'whatever'}).then(undefined, function() {
+      this.client.publish('/foobar', {text: 'whatever'}).then(undefined, function(e) {
+        expect(e.message).toBe('Invalid signature')
         done();
       });
     });
@@ -71,7 +74,6 @@ describe('Faye extension', function() {
         this.dispatcher = {connectionType: "fake", clientId: '1234', sendMessage: function() {}, selectTransport: function() { }};
         spyOn(this.dispatcher, 'sendMessage');
         spyOn(this.dispatcher, 'selectTransport');
-        Faye.extend(this.dispatcher, Faye.Publisher)
       });
 
       it('should add the signature to subscribe message', function(done) {
@@ -318,5 +320,44 @@ describe('Faye extension', function() {
 
     });
 
+    it('does not retry if the error is unrelated to authentication', function(done) {
+      other_client = new Faye.Client('http://localhost:9296/faye');
+      auth_extension = new FayeAuthentication(other_client, null, { retry_delay: 100 });
+      tweak_extension = {
+        incoming: function(message, callback) {
+          console.log('message',message)
+          if (message.error) {
+            message.error = 'Not an Authentication error';
+          }
+          callback(message);
+        }
+      }
+      other_client.addExtension(tweak_extension);
+      other_client.addExtension(this.extension);
+
+      jasmine.Ajax.stubRequest('/faye/auth').andReturn({
+        'responseText': '{"signature": "bad"}'
+      });
+
+      var finished = false;
+      other_client.subscribe('/toto').then(undefined, function() {
+        finished = true;
+      });
+
+      setTimeout(function() {
+
+        // Initial 200ms batching delay
+
+        setTimeout(function() {
+          expect(finished).toBe(true);
+        }, 200 + 80); // 2nd Batching delay + 80 ms
+
+        setTimeout(function() {
+          expect(finished).toBe(true);
+          done();
+        }, 200 + 200); // 2nd Batching delay + 200 ms
+      }, 200);
+    });
+
   });
 });

data/spec/javascripts/support/jasmine_helper.rb

@@ -1,13 +1,10 @@
 #Use this file to set/override Jasmine configuration options
 #You can remove it if you don't need it.
 #This file is loaded *after* jasmine.yml is interpreted.
-#
-#Example: using a different boot file.
-#Jasmine.configure do |config|
-#   config.boot_dir = '/absolute/path/to/boot_dir'
-#   config.boot_files = lambda { ['/absolute/path/to/boot_dir/file.js'] }
-#end
-#
+
+Jasmine.configure do |config|
+  config.runner_browser = :chromeheadless
+end
 
 require 'faye'
 require 'faye/authentication'

data/spec/lib/faye/authentication/http_client_spec.rb

@@ -9,11 +9,22 @@ describe Faye::Authentication::HTTPClient do
       message = {'channel' => '/foo/bar', 'clientId' => 'http'}
       message['signature'] = Faye::Authentication.sign(message, 'my private key')
       message['data'] = 'hello'
-      request = stub_request(:post, "http://www.example.com").with(:body => {:message => JSON.dump(message)}).to_return(:status => 200, :body => "", :headers => {})
+      request = stub_request(:post, "http://www.example.com").with(body: {message: JSON.dump(message)}).to_return(status: 200, body: "", headers: {})
       Faye::Authentication::HTTPClient.publish('http://www.example.com', '/foo/bar', "hello", 'my private key')
       expect(request).to have_been_made
     end
 
+    it 'should not add a signature if the channel is whitelisted' do
+      message = {'channel' => '/foo/bar', 'clientId' => 'http'}
+      message['data'] = 'hello'
+      request = stub_request(:post, "http://www.example.com").with(body: {message: JSON.dump(message)}).to_return(status: 200, body: "", headers: {})
+      whitelist = lambda do |channel|
+        channel.start_with?('/foo/')
+      end
+      Faye::Authentication::HTTPClient.publish('http://www.example.com', '/foo/bar', "hello", 'my private key', { whitelist: whitelist })
+      expect(request).to have_been_made
+    end
+
   end
 
 end

data/spec/lib/faye/authentication/server_extension_spec.rb

@@ -33,6 +33,11 @@ describe Faye::Authentication::ServerExtension do
         context 'with signature' do
           before { message['signature'] = Faye::Authentication.sign(message.merge({'channel' => channel}), secret) }
           it_should_behave_like 'signature_has_no_error'
+
+          it 'removes the signature in the response' do
+            subject
+            expect(@result).not_to have_key('signature')
+          end
         end
 
         context 'without signature' do

data/spec/lib/faye/authentication_spec.rb

@@ -95,6 +95,10 @@ describe Faye::Authentication do
       it 'returns false if lambda returns true' do
         expect(Faye::Authentication.authentication_required?(message, {whitelist: lambda { |message| true }})).to be(false)
       end
+
+      it 'returns false if channel is nil' do
+        expect(Faye::Authentication.authentication_required?('clientId' => clientId, 'text' => 'whatever')).to be(false)
+      end
     end
 
     shared_examples 'meta_except_subscribe' do
@@ -128,6 +132,11 @@ describe Faye::Authentication do
       it_behaves_like 'subscribe_and_publish'
     end
 
+    context 'subscribe with prefix' do
+      let(:message) { {'channel' => '/meta/subscribe/x', 'subscription' => '/foobar'} }
+      it_behaves_like 'subscribe_and_publish'
+    end
+
     context 'handshake' do
       let(:message) { {'channel' => '/meta/handshake'} }
       it_behaves_like 'meta_except_subscribe'

metadata

@@ -1,14 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: faye-authentication
 version: !ruby/object:Gem::Version
-  version: 1.9.0
+  version: '1.13'
 platform: ruby
 authors:
 - Adrien Siami
+- Adrien Rey-Jarthon
+- Cyril Le Roy
+- Fabien Chaynes
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-08-02 00:00:00.000000000 Z
+date: 2020-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -42,117 +45,134 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.3'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.3'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec-eventmachine
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0.2'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '0.2'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: jasmine
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: chrome_remote
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: thin
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.6'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: webmock
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.18'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.18'
+        version: '0'
 description: A faye extension to add authentication mechanisms
 email:
-- adrien.siami@dimelo.com
+- adrien.siami@gmail.com
+- jobs@adrienjarthon.com
+- cyril.leroy44@gmail.com
+- fabien.chaynes@ringcentral.com
 executables: []
 extensions: []
 extra_rdoc_files: []
@@ -160,6 +180,7 @@ files:
 - ".drone.yml"
 - ".gitignore"
 - ".rspec"
+- ".ruby-version"
 - ".travis.yml"
 - CHANGELOG.md
 - Gemfile
@@ -190,7 +211,7 @@ files:
 - spec/utils/javascripts/jwt.js
 - spec/utils/javascripts/mock-ajax.js
 - spec/utils/javascripts/query-string.js
-homepage: https://github.com/dimelo/faye-authentication
+homepage: https://github.com/jarthod/faye-authentication
 licenses:
 - MIT
 metadata: {}
@@ -210,7 +231,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.1
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: A faye extension to add authentication mechanisms
@@ -230,4 +251,3 @@ test_files:
 - spec/utils/javascripts/jwt.js
 - spec/utils/javascripts/mock-ajax.js
 - spec/utils/javascripts/query-string.js
-has_rdoc: