faye-authentication 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: cfd708e9dbb1900470d238f7d427ba3a6bd4322c
-  data.tar.gz: 5d087943cf31d1ffe01f645039d8c9c034fdeacd
+  metadata.gz: 184e59a30a70d8300c56d55355689fc266f4c1d8
+  data.tar.gz: e27e148c68384f0f1f8d74cec6e7bbd92769dd51
 SHA512:
-  metadata.gz: 7fa639d27c2ce7ecd9876355b241cb3db5c490f8082db95c156410f16bc3ee5790bc88020a2d4055c2a4f341569e3696299794bb52e672514d16390c2f0a5e93
-  data.tar.gz: 4f2d0c80f71e1defc714a0a76da7472390dfb19b300b469c3d71d1f38189b418364912fa3988da35048598db584f55ea0bc6bc6891e464a9f632567e4229e85b
+  metadata.gz: 62c1b8a62630230868e2f748219970745e72a868dcafdc3de4112c82f25a25e4ee0f7de829caa7b7e85fdf017040287b13d7ce6b47495a9475f3aa6f772a0c81
+  data.tar.gz: 8dd4d44413f43949c21512b3932f3f06659ee1ff5193eed99c5ef75cba04218b68dfafcb33042b9af251d1169bf984538d6e29e4b2b4e255e3d4c735e37060f3

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## 0.2.0
+
+  - Use JWT instead of HMAC for signing the messages
+  - Allow expiration of the signature
+  - The client javascript extension now takes the faye client as its frst parameter

data/README.md

@@ -1,19 +1,25 @@
-# Faye::Authentication [![Build Status](https://travis-ci.org/josevalim/rails-footnotes.svg?branch=master)](https://travis-ci.org/josevalim/rails-footnotes) [![Code Climate](https://codeclimate.com/github/dimelo/faye-authentication.png)](https://codeclimate.com/github/dimelo/faye-authentication)
+# Faye::Authentication [![Build Status](https://travis-ci.org/dimelo/faye-authentication.svg?branch=master)](https://travis-ci.org/dimelo/faye-authentication) [![Code Climate](https://codeclimate.com/github/dimelo/faye-authentication.png)](https://codeclimate.com/github/dimelo/faye-authentication)
 
 Authentification implementation for faye
 
-Currently Implemented :
-  - Javascript Client Extention
-  - Ruby Server Extension
-  - Ruby utils for signing messages
-  - **Want another one ? Pull requests are welcome.**
+## Principle
+
+This project implements (channel,client_id) authentication on channel subscription and publication and delegate it to an external HTTP endpoint through JWT tupple signature based on a shared secret key between Faye server and the endpoint.
 
-The authentication is performed through an Ajax Call to the webserver (JQuery needed).
+On channel subscription the JS client performe an Ajax Call to an HTTP endpoint to be granted a signature that will be provided to Faye Server to connect and publish to channel. The authentication of the endpoint itself is up to you but in the general case this will be a session authenticated resource of your app and you will decide to provide the signature or not depending on your own business logic.
 
-For each channel and client id pair, a signature is added to the message.
+This signature is required and valid for each channel and client id tupple and rely on JWT for security.
 
-Thanks to a shared key, the Faye Server will check the signature and reject the
-message if the signature is incorrect or not present.
+The Faye server will verify the (channel,client_id) tupple signature and reject the message if the signature
+is incorrect or not present.
+
+## Current support
+
+Currently Implemented :
+  - Javascript Client Extention (JQuery needed)
+  - Ruby Faye Server Extension
+  - Ruby utils to signing messages in your webapp
+  - **Want another one ? Pull requests are welcome.**
 
 ## Installation
 
@@ -31,26 +37,9 @@ Or install it yourself as:
 
 ## Usage
 
-### Javascript client extension
-
-Add the extension to your faye client :
-
-````javascript
-var client = new Faye.Client('http://my.server/faye');
-client.add_extension(new FayeAuthentication());
-````
-
-By default, when sending a subscribe request or publishing a message, the extension
-will issue an AJAX request to ``/faye/auth``
-
-If you wish to change the endpoint, you can supply it as the first argument of the extension constructor :
+### Authentication endpoint requirements
 
-    client.add_extension(new FayeAuthentication('/my_custom_auth_endpoint'));
-
-
-### Ruby utils
-
-The endpoint will a POST request, and shall return a JSON hash with a ``signature`` key.
+The endpoint will receive a POST request, and shall return a JSON hash with a ``signature`` key.
 
 The parameters sent to the endpoint are the following :
 
@@ -73,7 +62,7 @@ Example (For a Rails application)
 ````ruby
 def auth
   if current_user.can?(:read, params[:message][:channel])
-    render json: {signature: Faye::Authentication.sign(params[:message], 'your private key')}
+    render json: {signature: Faye::Authentication.sign(params[:message].slice(:channel,:clientId), 'your shared secret key')}
   else
     render json: {error: 'Not authorized'}, status: 403
   end
@@ -85,8 +74,23 @@ A Ruby HTTP Client is also available for publishing messages to your faye server
 without the hassle of using EventMachine :
 
 ````ruby
-Faye::Authentication::HTTPClient.publish('/channel', 'data', 'your private key')
+Faye::Authentication::HTTPClient.publish('http://localhost:9290/faye', '/channel', 'data', 'your private key')
 ````
+### Javascript client extension
+
+Add the extension to your faye client :
+
+````javascript
+var client = new Faye.Client('http://my.server/faye');
+client.addExtension(new FayeAuthentication(client));
+````
+
+By default, when sending a subscribe request or publishing a message, the extension
+will issue an AJAX request to ``/faye/auth``
+
+If you wish to change the endpoint, you can supply it as the second argument of the extension constructor, the first one being the client :
+
+    client.addExtension(new FayeAuthentication(client, '/my_custom_auth_endpoint'));
 
 ### Faye server extension
 
@@ -94,9 +98,16 @@ Instanciate the extension with your secret key and add it to the server :
 
 ````ruby
 server = Faye::RackAdapter.new(:mount => '/faye', :timeout => 15)
-server.add_extension Faye::Authentication::Extension.new('your private key')
+server.add_extension Faye::Authentication::Extension.new('your shared secret key')
 ````
 
+Faye::Authentication::Extension expect that :
+- a ``signature`` is present in the message for publish/subscribe request
+- this signature is a valid JWT token
+- the JWT payload contains "channel", "clientId" and a expiration timestamp "exp" that is not in the past.
+
+Otherwise Faye Server will refuse the message.
+
 ## Contributing
 
 1. Fork it ( https://github.com/dimelo/faye-authentication/fork )

data/app/assets/javascripts/faye-authentication.js

@@ -1,6 +1,8 @@
-function FayeAuthentication(endpoint) {
+function FayeAuthentication(client, endpoint) {
+  this._client = client;
   this._endpoint = endpoint || '/faye/auth';
   this._signatures = {};
+  this._outbox = {};
 }
 
 FayeAuthentication.prototype.endpoint = function() {
@@ -11,15 +13,17 @@ FayeAuthentication.prototype.signMessage = function(message, callback) {
   var channel = message.subscription || message.channel;
   var clientId = message.clientId;
 
+  var self = this;
   if (!this._signatures[clientId])
     this._signatures[clientId] = {};
   if (this._signatures[clientId][channel]) {
     this._signatures[clientId][channel].then(function(signature) {
       message.signature = signature;
+      if (!message.retried)
+        self._outbox[message.id] = {message: message, clientId: clientId};
       callback(message);
     });
   } else {
-    var self = this;
     self._signatures[clientId][channel] = new Faye.Promise(function(success, failure) {
       $.post(self.endpoint(), {message: {channel: channel, clientId: clientId}}, function(response) {
         success(response.signature);
@@ -29,16 +33,19 @@ FayeAuthentication.prototype.signMessage = function(message, callback) {
     });
     self._signatures[clientId][channel].then(function(signature) {
       message.signature = signature;
+      if (!message.retried){
+        self._outbox[message.id] = {message: message, clientId: clientId};
+      }
       callback(message);
     });
   }
 }
 
 FayeAuthentication.prototype.outgoing = function(message, callback) {
-  if (message.channel === '/meta/subscribe') {
+  if (message.channel == '/meta/subscribe') {
     this.signMessage(message, callback);
   }
-  else if (/^\/meta\/(.*)/.exec(message.channel) === null) { // Publish
+  else if (!/^\/meta\/(.*)/.test(message.channel)) { // Publish
     this.signMessage(message, callback);
   }
   else
@@ -46,7 +53,15 @@ FayeAuthentication.prototype.outgoing = function(message, callback) {
 };
 
 FayeAuthentication.prototype.incoming = function(message, callback) {
-  if (message.error === 'Invalid signature')
-    this._signatures = {};
-  callback(message);
+  var outbox_message = this._outbox[message.id];
+  if (outbox_message && message.error) {
+    var channel = outbox_message.message.subscription || outbox_message.message.channel;
+    this._signatures[outbox_message.clientId][channel] = null;
+    outbox_message.message.retried = true;
+    delete outbox_message.message.id;
+    delete this._outbox[message.id];
+    this._client._send(outbox_message.message, callback);
+  }
+  else
+    callback(message);
 };

data/faye-authentication.gemspec

@@ -18,9 +18,11 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
+  spec.add_runtime_dependency 'jwt', '~> 1'
+
   spec.add_development_dependency "bundler", "~> 1.5"
   spec.add_development_dependency "rake", '~> 10.3'
-  spec.add_development_dependency 'rspec', '~> 3.0.0.rc1'
+  spec.add_development_dependency 'rspec', '~> 3.0'
   spec.add_development_dependency 'jasmine', '~> 2.0'
   spec.add_development_dependency 'faye', '~> 1.0'
   spec.add_development_dependency 'rack', '~> 1.5'

data/lib/faye/authentication/extension.rb

@@ -1,24 +1,33 @@
+require 'faye'
+
 module Faye
   module Authentication
     class Extension
+      include Faye::Logging
 
       def initialize(secret)
-        @secret = secret
+        @secret = secret.to_s
       end
 
       def incoming(message, callback)
         if message['channel'] == '/meta/subscribe' || !(message['channel'] =~ /^\/meta\/.*/)
-          unless Faye::Authentication.valid?({
-            'channel'   => message['subscription'] || message['channel'],
-            'clientId'  => message['clientId'],
-            'signature' => message['signature']
-            }, @secret)
-            message['error'] = 'Invalid signature'
+          begin
+            Faye::Authentication.validate(message['signature'], 
+                                          message['subscription'] || message['channel'], 
+                                          message['clientId'],
+                                          @secret)
+            debug("Authentication sucessful")
+          rescue AuthError => exception
+            message['error'] = case exception
+              when ExpiredError then 'Expired signature'
+              when PayloadError then 'Required argument not signed'
+              else 'Invalid signature'
+              end
+            debug("Authentication failed: #{message['error']}")
           end
         end
         callback.call(message)
       end
-
     end
   end
 end

data/lib/faye/authentication/http_client.rb

@@ -7,8 +7,9 @@ module Faye
       def self.publish(url, channel, data, key)
         uri = URI(url)
         req = Net::HTTP::Post.new(url)
-        message = {'channel' => channel, 'data' => data, 'clientId' => 'http'}
+        message = {'channel' => channel, 'clientId' => 'http'} 
         message['signature'] = Faye::Authentication.sign(message, key)
+        message['data'] = data
         req.set_form_data(message: JSON.dump(message))
         Net::HTTP.start(uri.hostname, uri.port, :use_ssl => uri.scheme == 'https') { |http| http.request(req) }
       end

data/lib/faye/authentication/version.rb

@@ -1,5 +1,5 @@
 module Faye
   module Authentication
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
   end
 end

data/lib/faye/authentication.rb

@@ -1,32 +1,34 @@
-require "faye/authentication/version"
+require 'jwt'
+require 'faye/authentication/version'
 require 'faye/authentication/extension'
 require 'faye/authentication/http_client'
 require 'faye/authentication/engine'
 
 module Faye
   module Authentication
+    class AuthError < StandardError; end
+    class ExpiredError < AuthError; end
+    class PayloadError < AuthError; end
 
-    def self.sign(message, secret)
-      OpenSSL::HMAC.hexdigest('sha1', secret, "#{message['channel']}-#{message['clientId']}")
+    # Return jwt signature, pass hash of payload including channel and client_id 
+    def self.sign(payload, secret, options = {})
+      options = {expires_at: Time.now + 12*3600, algorithm: 'HS256'}.merge(options)
+      JWT.encode(payload.merge(exp: options[:expires_at].to_i), secret, options[:algorithm])
     end
 
-    def self.valid?(message, secret)
-      signature = message.delete('signature')
-      return false unless signature
-      secure_compare(signature, sign(message, secret))
+    # Return signed payload or raise
+    def self.decode(signature, secret)
+      payload, _ = JWT.decode(signature, secret) rescue raise(AuthError)
+      raise ExpiredError if Time.at(payload['exp'].to_i) < Time.now
+      payload
     end
 
-    # constant-time comparison algorithm to prevent timing attacks
-    # Copied from ActiveSupport::MessageVerifier
-    def self.secure_compare(a, b)
-      return false unless a.bytesize == b.bytesize
-
-      l = a.unpack "C#{a.bytesize}"
-
-      res = 0
-      b.each_byte { |byte| res |= byte ^ l.shift }
-      res == 0
+    # Return true if signature is valid and correspond to channel and clientId or raise
+    def self.validate(signature, channel, clientId, secret)
+      payload = self.decode(signature, secret)
+      raise PayloadError if channel.to_s.empty? || clientId.to_s.empty?
+      raise PayloadError unless channel == payload['channel'] && clientId == payload['clientId']
+      true
     end
-
   end
 end

data/spec/javascripts/faye-authentication_spec.js

@@ -3,12 +3,12 @@ describe('faye-authentication', function() {
   describe('constructor', function() {
 
     it('sets endpoint to /faye by default', function() {
-      var auth = new FayeAuthentication();
+      var auth = new FayeAuthentication(new Faye.Client('http://example.com'));
       expect(auth.endpoint()).toBe('/faye/auth');
     });
 
     it('can specify a custom endpoint', function() {
-      var auth = new FayeAuthentication('/custom');
+      var auth = new FayeAuthentication(new Faye.Client('http://example.com'), '/custom');
       expect(auth.endpoint()).toBe('/custom');
     });
 
@@ -41,7 +41,6 @@ describe('faye-authentication', function() {
       var self = this;
       setTimeout(function() {
         var request = jasmine.Ajax.requests.mostRecent();
-        console.log(request);
         expect(request.data()['message[channel]'][0]).toBe('/foobar');
         done();
       }, 500);

data/spec/javascripts/faye-extension_spec.js

@@ -24,14 +24,15 @@ describe('Faye extension', function() {
 
   describe('With extension', function() {
     beforeEach(function() {
-      this.extension = new FayeAuthentication();
+      this.extension = new FayeAuthentication(this.client);
       this.client.addExtension(this.extension);
     });
 
     function stubSignature(context, callback) {
       var self = context;
       self.client.handshake(function() {
-        var signature = CryptoJS.HmacSHA1("/foobar-" + self.client._clientId, "macaroni").toString();
+        var jwtsign = new jwt.WebToken('{"clientId": "' + self.client._clientId + '", "channel": "/foobar", "exp": 2803694528}', '{"alg": "HS256"}');
+        var signature = jwtsign.serialize("macaroni");
 
         jasmine.Ajax.stubRequest('/faye/auth').andReturn({
           'responseText': '{"signature": "' + signature + '"}'
@@ -58,17 +59,46 @@ describe('Faye extension', function() {
       });
     });
 
-    it('clears the signatures when receiving an error from the server', function(done) {
-      this.extension._signatures = {'123': []};
+    it('tries to get a new signature immediately when the used signature is bad or expired', function(done) {
       jasmine.Ajax.stubRequest('/faye/auth').andReturn({
         'responseText': '{"signature": "bad"}'
       });
       var self = this;
       this.client.subscribe('/toto').then(undefined, function() {
-        expect(Object.keys(self.extension._signatures).length).toBe(0);
+        expect(jasmine.Ajax.requests.count()).toBe(3); // Handshake + auth * 2
         done();
       });
+    });
+
+    it('calls the success callback for a successfully retried message', function(done) {
+
+      this.client.subscribe('/foo').then(function() {
+        expect(jasmine.Ajax.requests.count()).toBe(3); // Handshake + auth * 2
+        done();
+      }, function(e) { console.log(e)});
+
+      setTimeout(function() {
+        var request = jasmine.Ajax.requests.mostRecent();
+        var params = queryString.parse(request.params);
+
+        var jwtsign_bad   = new jwt.WebToken('{"clientId": "' + params['message[clientId]'] + '", "channel": "/foo", "exp": 1}', '{"alg": "HS256"}');
+        var signature_bad = jwtsign_bad.serialize("macaroni");
+
+        var jwtsign_good   = new jwt.WebToken('{"clientId": "' + params['message[clientId]'] + '", "channel": "/foo", "exp": 2803694528}', '{"alg": "HS256"}');
+        var signature_good = jwtsign_good.serialize("macaroni");
+
+        request.response({
+          'status' : 200,
+          'responseText': '{"signature": "' + signature_bad + '"}'
+        });
+
+        jasmine.Ajax.stubRequest('/faye/auth').andReturn({
+          'responseText': '{"signature": "' + signature_good + '"}'
+        });
+
+      }, 1000);
 
     });
+
   });
 });

data/spec/javascripts/support/jasmine_helper.rb

@@ -19,6 +19,8 @@ FAYE_SECRET_KEY = 'macaroni'
 fork do
     Faye::WebSocket.load_adapter('thin')
     faye = Faye::RackAdapter.new(:mount => '/faye')
+    #require 'logger'
+    #Faye.logger = Logger.new(STDOUT)
     faye.add_extension Faye::Authentication::Extension.new(FAYE_SECRET_KEY)
    Rack::Handler::Thin.run faye, :Port => 9296
 end.tap do |id|

data/spec/lib/faye/authentication/http_client_spec.rb

@@ -6,8 +6,9 @@ describe Faye::Authentication::HTTPClient do
   describe '.publish' do
 
     it 'should publish a HTTP request with correct params' do
-      message = {'channel' => '/foo/bar', 'data' => 'hello', 'clientId' => 'http'}
+      message = {'channel' => '/foo/bar', 'clientId' => 'http'}
       message['signature'] = Faye::Authentication.sign(message, 'my private key')
+      message['data'] = 'hello'
       request = stub_request(:post, "http://www.example.com").with(:body => {:message => JSON.dump(message)}).to_return(:status => 200, :body => "", :headers => {})
       Faye::Authentication::HTTPClient.publish('http://www.example.com', '/foo/bar', "hello", 'my private key')
       expect(request).to have_been_made

data/spec/lib/faye/authentication_spec.rb

@@ -3,21 +3,55 @@ require 'faye/authentication'
 
 describe Faye::Authentication do
 
+  let(:channel) { '/foo/bar' }
+  let(:clientId) { '42' }
+  let(:message) { {'channel' => channel, 'clientId' => clientId, 'text' => 'whatever'} }
   let(:secret) { 'helloworld' }
+  let(:signature) { Faye::Authentication.sign(message, secret) }
+ 
+  describe '#sign' do
+    it 'returns with a default expiry'
+  end
+
+  describe '#decode' do
+    it 'returns the payload if the message is correctly signed' do
+      expect(Faye::Authentication.decode(signature, secret)).to include(message)
+    end
+
+    it 'raises error if the message if keys differ' do
+      expect { Faye::Authentication.decode(signature, secret + 'foo') }.to raise_error(Faye::Authentication::AuthError)
+    end
+
+    it 'raises error if the expiry is in the past' do
+      signature = Faye::Authentication.sign(message, secret, expires_at: Time.now - 1)
+      expect { Faye::Authentication.decode(signature, secret) }.to raise_error(Faye::Authentication::ExpiredError)
+    end
+
+    it 'return the payload if the expiry is in the future' do
+      signature = Faye::Authentication.sign(message, secret, expires_at: Time.now + 10)
+      expect { Faye::Authentication.decode(signature, secret) }.not_to raise_error
+    end
+  end
 
-  describe '#valid?' do
+  describe '#validate' do
     it 'returns true if the message is correctly signed' do
-      message = {'channel' => '/foo/bar', 'clientId' => '42', 'text' => 'whatever'}
-      signature = Faye::Authentication.sign(message, secret)
-      message['signature'] = signature
-      expect(Faye::Authentication.valid?(message, secret)).to be(true)
+      expect(Faye::Authentication.validate(signature, channel, clientId, secret)).to be(true)
+    end
+
+    it 'raises if the channel differs' do
+      expect { Faye::Authentication.validate(signature, channel + '1', clientId, secret) }.to raise_error(Faye::Authentication::PayloadError)
+    end
+
+    it 'raises if the channel is not defined' do
+      expect { Faye::Authentication.validate(signature, '', clientId, secret) }.to raise_error(Faye::Authentication::PayloadError)
+    end
+
+    it 'raises if the channel differs' do
+      expect { Faye::Authentication.validate(signature, channel, clientId + '1', secret) }.to raise_error(Faye::Authentication::PayloadError)
     end
 
-    it 'returns false if the message if keys differ' do
-      message = {'channel' => '/foo/bar', 'clientId' => '42', 'text' => 'whatever'}
-      signature = Faye::Authentication.sign(message, secret)
-      message['signature'] = signature
-      expect(Faye::Authentication.valid?(message, secret + 'foo')).to be(false)
+    it 'raises if the channel is not defined' do
+      expect { Faye::Authentication.validate(signature, channel, nil, secret) }.to raise_error(Faye::Authentication::PayloadError)
     end
   end