faye-authentication 0.4.0 → 1.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9a617e82b1d7184dc0ce7016b8736c6e412500f3
-  data.tar.gz: 640960f50c1a742c704bd4ded7930817caf22ee4
+  metadata.gz: 9ced587e82c17d594caf427c14ea7d844ab085af
+  data.tar.gz: 55b71c17bb0bbafb9240b42fba0662cccb6f0064
 SHA512:
-  metadata.gz: c130a9cef8388dcc2666842339aea83206c3500e155c45b67ab5751ba29a339a8786e95c54cf754aeb8362d78cca94d120f8d2a3151bece77ee44c47e4121609
-  data.tar.gz: 09ef066a4f2cbaddb41ac92175a0dbe58e9c3d6e8e78cb21c775bf9300a0f8026eea4cf0d89dc0b5a5a09bbaba1aa7f0c7b1d91549ad5db5a3209d8f220dff25
+  metadata.gz: fb749a65cbfcf3afd65901272950028c3dee2605d28ec3d2ac6bacd9b6e53eaaf2c547f96d71670a62ad0147db8d00b021a7c38c1cec36922c5d347d7b713530
+  data.tar.gz: 9d708c3c18d56b1e42cba5fc83e300f18d0e7e8d49dad06cdebd531fd1c75b3f12e9f130974f665bd7aeda8c1347d559d19c6253a3cfffacde0356ab7b06762c

data/.drone.yml

@@ -0,0 +1,10 @@
+image: ruby2.0.0
+cache:
+  - /tmp/bundler
+env:
+  - RAILS_ENV=test
+script:
+  - gem install bundler
+  - sudo chown ubuntu:ubuntu /tmp/bundler
+  - bundle install --path /tmp/bundler
+  - bundle exec rake

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 0.5.0
+ - Add support for faye 1.1 (unreleased for now)
+ - Drop support for faye < 1.1
+ - More extensibility regarding public channels, extensions now take an options
+   hash with a whitelist lambda / function that will be called with the channel
+   name so developers can implement their own logic
+
 ## 0.4.0
   - Channels beginning by ``/public/`` do not require authentication anymore,
   However, globbing with public channels still require authentication.

data/Gemfile

@@ -1,7 +1,4 @@
 source 'https://rubygems.org'
 
 # Specify your gem's dependencies in faye-authentication.gemspec
-group :development do
-  gem 'rspec-eventmachine', '~> 0.1', github: 'jcoglan/rspec-eventmachine'
-end
 gemspec

data/README.md

@@ -40,15 +40,8 @@ Or install it yourself as:
 
 ### Channels requiring authentication
 
-All channels require authentication, except channels beginning by ``/public/``
-
-However, globbing, even on ``/public/`` channels will require authentication.
-
-Example :
-
-- ``/public/foo`` does not require authentication
-- ``/public/bar/*`` requires authentication
-
+All channels require authentication by default, however, it is possible to provide
+a lambda to the faye extensions to let them know which channels are public.
 
 ### Authentication endpoint requirements
 
@@ -56,15 +49,14 @@ The endpoint will receive a POST request, and shall return a JSON hash with a ``
 
 The parameters sent to the endpoint are the following :
 
-````
+```json
 {
-  'message' =>
-    {
-      'channel'   => '/foo/bar',
-      'clientId'  => '123abc'
+    "message" : {
+        "channel": "/foo/bar",
+        "clientId": "123abc"
     }
 }
-````
+```
 
 If the endpoint returns an error, the message won't be signed and the server will reject it.
 
@@ -72,7 +64,7 @@ You can use ``Faye::Authentication.sign`` to generate the signature from the mes
 
 Example (For a Rails application)
 
-````ruby
+```ruby
 def auth
   if current_user.can?(:read, params[:message][:channel])
     render json: {signature: Faye::Authentication.sign(params[:message].slice(:channel,:clientId), 'your shared secret key')}
@@ -81,38 +73,53 @@ def auth
   end
 end
 
-````
+```
 
 A Ruby HTTP Client is also available for publishing messages to your faye server
 without the hassle of using EventMachine :
 
-````ruby
+```ruby
 Faye::Authentication::HTTPClient.publish('http://localhost:9290/faye', '/channel', 'data', 'your private key')
-````
+```
 ### Javascript client extension
 
 Add the extension to your faye client :
 
-````javascript
+```javascript
 var client = new Faye.Client('http://my.server/faye');
 client.addExtension(new FayeAuthentication(client));
-````
+```
 
 By default, when sending a subscribe request or publishing a message, the extension
 will issue an AJAX request to ``/faye/auth``
 
 If you wish to change the endpoint, you can supply it as the second argument of the extension constructor, the first one being the client :
+````javascript
+client.addExtension(new FayeAuthentication(client, '/my_custom_auth_endpoint'));
+````
+
+If you want to specify some channels for which you don't want the extension to
+call your endpoint, you can pass an options object with a ``whitelist`` key mapping
+to a function :
+
+````javascript
+function channelWhitelist(channel) {
+  // Allow channels beginning with /public but disallow globbing
+  return (channel.lastIndexOf('/public/', 0) === 0 && channel.indexOf('*') == -1);
+}
+
+client.addExtension(new FayeAuthentication(client, '/faye/auth', {whitelist: channelWhitelist}));
+````
 
-    client.addExtension(new FayeAuthentication(client, '/my_custom_auth_endpoint'));
 
 ### Ruby Faye server extension
 
 Instanciate the extension with your secret key and add it to the server :
 
-````ruby
+```ruby
 server = Faye::RackAdapter.new(:mount => '/faye', :timeout => 15)
 server.add_extension Faye::Authentication::ServerExtension.new('your shared secret key')
-````
+```
 
 Faye::Authentication::ServerExtension expect that :
 - a ``signature`` is present in the message for publish/subscribe request
@@ -121,14 +128,28 @@ Faye::Authentication::ServerExtension expect that :
 
 Otherwise Faye Server will refuse the message.
 
+If you want to specify some channels for which you don't want the extension require
+authentication, you can pass an options hash with a ``whitelist`` key mapping
+to a lambda :
+
+````ruby
+channel_whitelist = lambda do |channel|
+  # Allow channels beginning with /public but disallow globbing
+  channel.start_with?('/public/') and not channel.include?('*')
+end
+
+server = Faye::RackAdapter.new(:mount => '/faye', :timeout => 15)
+server.add_extension Faye::Authentication::ServerExtension.new('your shared secret key', {whitelist: channel_whitelist})
+````
+
 ### Ruby Faye client extension
 
 This extension allows the ruby ``Faye::Client`` to auto-sign its messages before sending them to the server.
 
-````ruby
+```ruby
 client = Faye::Client.new('http://localhost:9292/faye')
 client.add_extension Faye::Authentication::ClientExtension.new('your shared secret key')
-````
+```
 
 ## Contributing
 

data/VERSION

@@ -0,0 +1 @@
+1.6.0

data/app/assets/javascripts/faye-authentication.js

@@ -1,8 +1,9 @@
-function FayeAuthentication(client, endpoint) {
+function FayeAuthentication(client, endpoint, options) {
   this._client = client;
   this._endpoint = endpoint || '/faye/auth';
   this._signatures = {};
   this._outbox = {};
+  this._options = options || {};
 }
 
 FayeAuthentication.prototype.endpoint = function() {
@@ -49,16 +50,18 @@ FayeAuthentication.prototype.outgoing = function(message, callback) {
 };
 
 FayeAuthentication.prototype.authentication_required = function(message) {
-  var subscription_or_channel = message.subscription || message.channel
-  return (!this.public_channel(subscription_or_channel) && (message.channel == '/meta/subscribe' || message.channel.lastIndexOf('/meta/', 0) !== 0))
-};
-
-FayeAuthentication.prototype.public_channel = function(channel) {
-  if (channel.lastIndexOf('/public/', 0) === 0) {
-    return (channel.indexOf('*') == -1);
-  } else {
+  var subscription_or_channel = message.subscription || message.channel;
+  if (message.channel == '/meta/subscribe' || message.channel.lastIndexOf('/meta/', 0) !== 0)
+    if(this._options.whitelist) {
+      try {
+        return (!this._options.whitelist(subscription_or_channel));
+      } catch (e) {
+        this.error("Error caught when evaluating whitelist function : " + e.message);
+      }
+    } else
+      return (true);
+  else
     return (false);
-  }
 };
 
 FayeAuthentication.prototype.incoming = function(message, callback) {
@@ -69,8 +72,12 @@ FayeAuthentication.prototype.incoming = function(message, callback) {
     outbox_message.message.retried = true;
     delete outbox_message.message.id;
     delete this._outbox[message.id];
-    this._client._send(outbox_message.message, callback);
+    this._client._sendMessage(outbox_message.message, {}, callback);
   }
   else
     callback(message);
 };
+
+$(function() {
+  Faye.extend(FayeAuthentication.prototype, Faye.Logging);
+});

data/faye-authentication.gemspec

@@ -18,13 +18,14 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
-  spec.add_runtime_dependency 'jwt', '~> 1'
+  spec.add_runtime_dependency 'jwt', '~> 1.2'
+  spec.add_runtime_dependency 'faye', '~> 1.0'
 
   spec.add_development_dependency "bundler", "~> 1.5"
   spec.add_development_dependency "rake", '~> 10.3'
   spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rspec-eventmachine', '~> 0.2'
   spec.add_development_dependency 'jasmine', '~> 2.0'
-  spec.add_development_dependency 'faye', '~> 1.0'
   spec.add_development_dependency 'rack', '~> 1.5'
   spec.add_development_dependency 'thin', '~> 1.6'
   spec.add_development_dependency 'webmock', '~> 1.18'

data/lib/faye/authentication/client_extension.rb

@@ -8,7 +8,7 @@ module Faye
       end
 
       def outgoing(message, callback)
-        if Faye::Authentication.authentication_required?(message)
+        if Faye::Authentication.authentication_required?(message, @options)
           message['signature'] = Faye::Authentication.sign({channel: message['subscription'] || message['channel'], clientId: message['clientId']}, @secret, @options)
         end
         callback.call(message)

data/lib/faye/authentication/server_extension.rb

@@ -5,12 +5,13 @@ module Faye
     class ServerExtension
       include Faye::Logging
 
-      def initialize(secret)
+      def initialize(secret, options = {})
+        @options = options
         @secret = secret.to_s
       end
 
       def incoming(message, callback)
-        if Faye::Authentication.authentication_required?(message)
+        if Faye::Authentication.authentication_required?(message, @options)
           begin
             Faye::Authentication.validate(message['signature'],
                                           message['subscription'] || message['channel'],

data/lib/faye/authentication/version.rb

@@ -1,5 +1,5 @@
 module Faye
   module Authentication
-    VERSION = "0.4.0"
+    VERSION = File.read(File.join(File.dirname(__FILE__),'..', '..', '..', 'VERSION') ).strip
   end
 end

data/lib/faye/authentication.rb

@@ -1,4 +1,5 @@
 require 'jwt'
+require 'faye/mixins/logging'
 require 'faye/authentication/version'
 require 'faye/authentication/server_extension'
 require 'faye/authentication/client_extension'
@@ -7,6 +8,9 @@ require 'faye/authentication/engine'
 
 module Faye
   module Authentication
+
+    extend Faye::Logging
+
     class AuthError < StandardError; end
     class ExpiredError < AuthError; end
     class PayloadError < AuthError; end
@@ -19,9 +23,12 @@ module Faye
 
     # Return signed payload or raise
     def self.decode(signature, secret)
-      payload, _ = JWT.decode(signature, secret) rescue raise(AuthError)
-      raise ExpiredError if Time.at(payload['exp'].to_i) < Time.now
+      payload, _ = JWT.decode(signature, secret)
       payload
+    rescue JWT::ExpiredSignature
+      raise ExpiredError
+    rescue
+      raise AuthError
     end
 
     # Return true if signature is valid and correspond to channel and clientId or raise
@@ -32,13 +39,18 @@ module Faye
       true
     end
 
-    def self.authentication_required?(message)
+    def self.authentication_required?(message, options = {})
       subscription_or_channel = message['subscription'] || message['channel']
-      !public_channel?(subscription_or_channel) && (message['channel'] == '/meta/subscribe' || (!(message['channel'].start_with?('/meta/'))))
-    end
-
-    def self.public_channel?(channel)
-      channel.start_with?('/public/') and not channel.include?('*')
+      return false unless (message['channel'] == '/meta/subscribe' || (!(message['channel'].start_with?('/meta/'))))
+      whitelist_proc = options[:whitelist]
+      if whitelist_proc
+        begin
+          return !whitelist_proc.call(subscription_or_channel)
+        rescue => e
+          error("Error caught when evaluating whitelist lambda : #{e.message}")
+        end
+      end
+      true
     end
 
   end

data/spec/javascripts/faye-authentication_spec.js

@@ -14,6 +14,103 @@ describe('faye-authentication', function() {
 
   });
 
+  describe('authentication_required', function() {
+
+    beforeEach(function() {
+      this.auth = new FayeAuthentication(new Faye.Client('http://example.com'));
+      Faye.logger = null;
+    });
+
+    function sharedExamplesForSubscribeAndPublish() {
+      it('returns true if no options is passed', function() {
+        expect(this.auth.authentication_required(this.message)).toBe(true);
+      });
+
+      it('calls function with subscription or channel', function() {
+        this.auth._options.whitelist = function(message) { return(true); }
+        spyOn(this.auth._options, 'whitelist');
+        this.auth.authentication_required(this.message);
+        expect(this.auth._options.whitelist).toHaveBeenCalledWith(this.message.subscription || this.message.channel);
+      });
+
+      it('logs error if the function throws', function() {
+        this.auth._options.whitelist = function(message) { throw new Error("boom"); }
+        Faye.logger = {error: function() {}};
+        spyOn(Faye.logger, 'error');
+        this.auth.authentication_required(this.message);
+        expect(Faye.logger.error).toHaveBeenCalledWith('[Faye] Error caught when evaluating whitelist function : boom');
+      });
+
+      it ('returns false if function returns true', function() {
+        this.auth._options.whitelist = function(message) { return(true); }
+        expect(this.auth.authentication_required(this.message)).toBe(false);
+      });
+
+      it ('returns true if function returns false', function() {
+        this.auth._options.whitelist = function(message) { return(false); }
+        expect(this.auth.authentication_required(this.message)).toBe(true);
+      });
+    }
+
+    function sharedExamplesForMetaExceptPublish() {
+      it('returns false if no options is passed', function() {
+        expect(this.auth.authentication_required(this.message)).toBe(false);
+      });
+
+      it ('returns false if function returns true', function() {
+        this.auth._options.whitelist = function(message) { return(true); }
+        expect(this.auth.authentication_required(this.message)).toBe(false);
+      });
+
+      it ('returns false if function returns false', function() {
+        this.auth._options.whitelist = function(message) { return(false); }
+        expect(this.auth.authentication_required(this.message)).toBe(false);
+      });
+    }
+
+    describe('publish', function() {
+
+      beforeEach(function() {
+        this.message = {'channel': '/foobar'};
+      });
+
+      sharedExamplesForSubscribeAndPublish();
+    });
+
+    describe('subscribe', function() {
+      beforeEach(function() {
+        this.message = {'channel': '/meta/subscribe', 'subscription': '/foobar'};
+      });
+
+      sharedExamplesForSubscribeAndPublish();
+    });
+
+    describe('handshake', function() {
+      beforeEach(function() {
+        this.message = {'channel': '/meta/handshake'};
+      });
+
+      sharedExamplesForMetaExceptPublish();
+    });
+
+    describe('connect', function() {
+      beforeEach(function() {
+        this.message = {'channel': '/meta/connect'};
+      });
+
+      sharedExamplesForMetaExceptPublish();
+    });
+
+    describe('unsubscribe', function() {
+      beforeEach(function() {
+        this.message = {'channel': '/meta/unsubscribe', 'handshake': '/foobar'};
+      });
+
+      sharedExamplesForMetaExceptPublish();
+    });
+
+  });
+
   describe('extension', function() {
     beforeEach(function() {
       jasmine.Ajax.install();
@@ -54,87 +151,93 @@ describe('faye-authentication', function() {
           'responseText': '{"signature": "foobarsignature"}'
         });
 
-        this.fake_transport = {connectionType: "fake", endpoint: {}, send: function() {}};
-        spyOn(this.fake_transport, 'send');
+        this.dispatcher = {connectionType: "fake", sendMessage: function() {}, selectTransport: function() { }};
+        spyOn(this.dispatcher, 'sendMessage');
+        spyOn(this.dispatcher, 'selectTransport');
+        Faye.extend(this.dispatcher, Faye.Publisher)
       });
 
       it('should add the signature to subscribe message', function(done) {
         var self = this;
 
         this.client.handshake(function() {
-          self.client._transport = self.fake_transport
+          self.client._dispatcher = self.dispatcher;
           self.client.subscribe('/foobar');
-        }, this.client);
 
-        setTimeout(function() {
-          var calls = self.fake_transport.send.calls.all();
-          var last_call = calls[calls.length - 1];
-          var message = last_call.args[0].message;
-          expect(message.channel).toBe('/meta/subscribe');
-          expect(message.signature).toBe('foobarsignature');
-          done();
-        }, 500);
+          setTimeout(function() {
+            var calls = self.dispatcher.sendMessage.calls.all();
+            var last_call = calls[calls.length - 1];
+            var message = last_call.args[0];
+            expect(message.channel).toBe('/meta/subscribe');
+            expect(message.signature).toBe('foobarsignature');
+            done();
+          }, 300);
 
+        }, this.client);
       });
 
       it('should add the signature to publish message', function(done) {
         var self = this;
 
         this.client.handshake(function() {
-          self.client._transport = self.fake_transport
+          self.client._dispatcher = self.dispatcher;
           self.client.publish('/foobar', {text: 'hallo'});
-        }, this.client);
 
-        setTimeout(function() {
-          var calls = self.fake_transport.send.calls.all();
-          var last_call = calls[calls.length - 1];
-          var message = last_call.args[0].message;
-          expect(message.channel).toBe('/foobar');
-          expect(message.signature).toBe('foobarsignature');
-          done();
-        }, 500);
+          setTimeout(function() {
+            var calls = self.dispatcher.sendMessage.calls.all();
+            var last_call = calls[calls.length - 1];
+            var message = last_call.args[0];
+            expect(message.channel).toBe('/foobar');
+            expect(message.signature).toBe('foobarsignature');
+            done();
+          }, 300);
+
+        }, this.client);
       });
 
       it('preserves messages integrity', function(done) {
         var self = this;
 
         this.client.handshake(function() {
-          self.client._transport = self.fake_transport
+          self.client._dispatcher = self.dispatcher;
           self.client.publish('/foo', {text: 'hallo'});
           self.client.subscribe('/foo');
-        }, this.client);
 
-        setTimeout(function() {
-          var calls = self.fake_transport.send.calls.all();
-          var subscribe_call = calls[calls.length - 1];
-          var publish_call = calls[calls.length - 2];
-          var subscribe_message = subscribe_call.args[0].message;
-          var publish_message = publish_call.args[0].message;
-          expect(publish_message.channel).toBe('/foo');
-          expect(subscribe_message.channel).toBe('/meta/subscribe');
-          expect(publish_message.signature).toBe('foobarsignature');
-          expect(subscribe_message.signature).toBe('foobarsignature');
-          done();
-        }, 500);
-      });
+          setTimeout(function() {
+            var calls = self.dispatcher.sendMessage.calls.all();
+            var subscribe_call = calls[calls.length - 1];
+            var publish_call = calls[calls.length - 2];
+            var subscribe_message = subscribe_call.args[0];
+            var publish_message = publish_call.args[0];
+            expect(publish_message.channel).toBe('/foo');
+            expect(subscribe_message.channel).toBe('/meta/subscribe');
+            expect(publish_message.signature).toBe('foobarsignature');
+            expect(subscribe_message.signature).toBe('foobarsignature');
+            done();
+          }, 300);
 
+        }, this.client);
+      });
 
-      it('does not add the signature to a public message', function(done) {
+      it('does not add the signature if authentication is not required', function(done) {
         var self = this;
 
+        spyOn(this.auth, 'authentication_required').and.returnValue(false);
+
         this.client.handshake(function() {
-          self.client._transport = self.fake_transport
-          self.client.publish('/public/foo', {text: 'hallo'});
+          self.client._dispatcher = self.dispatcher;
+          self.client.publish('/foobar', {text: 'hallo'});
+
+          setTimeout(function() {
+            var calls = self.dispatcher.sendMessage.calls.all();
+            var last_call = calls[calls.length - 1];
+            var message = last_call.args[0];
+            expect(message.channel).toBe('/foobar');
+            expect(message.signature).toBe(undefined);
+            done();
+          }, 300);
         }, this.client);
 
-        setTimeout(function() {
-          var calls = self.fake_transport.send.calls.all();
-          var last_call = calls[calls.length - 1];
-          var message = last_call.args[0].message;
-          expect(message.channel).toBe('/public/foo');
-          expect(message.signature).toBe(undefined);
-          done();
-        }, 500);
       });
 
     });