fb-jwt-auth 0.1.0 → 0.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.circleci/config.yml +63 -0
- data/Changelog.md +9 -0
- data/README.md +19 -1
- data/lib/fb/jwt/auth.rb +39 -18
- data/lib/fb/jwt/auth/service_token_client.rb +19 -4
- data/lib/fb/jwt/auth/version.rb +1 -1
- metadata +6 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f86d88c60d096a604b4c0e3bd40acb9e6869c99011f91f14eb9488b7e9d4f4ae
|
|
4
|
+
data.tar.gz: f79a60753d8fee05024b3303a6d03d1fb28d13db6d788a3b3ca24e2c16a8707f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 52b523c492ba637761d84f15c0d374e1920d1c0e7210cf8fbbfefee2df9efcee10abaf75a6f9942266794c509616717da55cadb38916c48d31372cb0c7b92c6f
|
|
7
|
+
data.tar.gz: 9870d7e4d6854fb21cc07fc8903661fca1fac308ce716866bd2d9bbee95fdfafe32deb47c3f54fbb14112ae88b25e2262fbec35ebe34a5d0ddd95de8f40c20ee
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
version: 2.1
|
|
2
|
+
orbs:
|
|
3
|
+
slack: circleci/slack@3.4.2
|
|
4
|
+
|
|
5
|
+
jobs:
|
|
6
|
+
test:
|
|
7
|
+
docker:
|
|
8
|
+
- image: cimg/ruby:2.7.2
|
|
9
|
+
steps:
|
|
10
|
+
- checkout
|
|
11
|
+
- run:
|
|
12
|
+
name: Install
|
|
13
|
+
command: bundle install
|
|
14
|
+
- run:
|
|
15
|
+
name: Test
|
|
16
|
+
command: bundle exec rspec
|
|
17
|
+
- slack/status: &slack_status
|
|
18
|
+
fail_only: true
|
|
19
|
+
only_for_branches: main
|
|
20
|
+
failure_message: ":facepalm: Failed job $CIRCLE_JOB :homer-disappear:"
|
|
21
|
+
include_job_number_field: false
|
|
22
|
+
publish:
|
|
23
|
+
docker:
|
|
24
|
+
- image: cimg/ruby:2.7.2
|
|
25
|
+
steps:
|
|
26
|
+
- checkout
|
|
27
|
+
- run:
|
|
28
|
+
name: Install
|
|
29
|
+
command: bundle install
|
|
30
|
+
- run:
|
|
31
|
+
name: Setup Rubygems
|
|
32
|
+
command: |
|
|
33
|
+
mkdir ~/.gem
|
|
34
|
+
echo -e "---\r\n:rubygems_api_key: $RUBYGEMS_API_KEY" > ~/.gem/credentials
|
|
35
|
+
chmod 0600 /home/circleci/.gem/credentials
|
|
36
|
+
- run:
|
|
37
|
+
name: Publish to Rubygems
|
|
38
|
+
command: |
|
|
39
|
+
set -e
|
|
40
|
+
|
|
41
|
+
VERSION=$(ruby -e "require './lib/fb/jwt/auth/version.rb'; puts Fb::Jwt::Auth::VERSION")
|
|
42
|
+
PUBLISHED_VERSION=$(curl https://rubygems.org/api/v1/versions/fb-jwt-auth/latest.json | sed -e 's/[{}]/''/g' | sed s/\"//g | awk -v RS=',' -F: '$1=="version"{print $2}')
|
|
43
|
+
|
|
44
|
+
if [ "$VERSION" != "$PUBLISHED_VERSION" ]
|
|
45
|
+
then
|
|
46
|
+
bundle exec gem build fb-jwt-auth.gemspec
|
|
47
|
+
bundle exec gem push fb-jwt-auth-*.gem
|
|
48
|
+
curl -X POST -H 'Content-type: application/json' --data "{\"text\":\":woohoo: Successfully published ${CIRCLE_PROJECT_REPONAME} ${VERSION} :ship_it_parrot:\"}" "$SLACK_WEBHOOK"
|
|
49
|
+
fi
|
|
50
|
+
- slack/status: *slack_status
|
|
51
|
+
|
|
52
|
+
workflows:
|
|
53
|
+
commit-workflow:
|
|
54
|
+
jobs:
|
|
55
|
+
- test
|
|
56
|
+
- publish:
|
|
57
|
+
requires:
|
|
58
|
+
- test
|
|
59
|
+
filters:
|
|
60
|
+
tags:
|
|
61
|
+
only: /.*/
|
|
62
|
+
branches:
|
|
63
|
+
only: main
|
data/Changelog.md
CHANGED
data/README.md
CHANGED
|
@@ -18,11 +18,29 @@ Or install it yourself as:
|
|
|
18
18
|
|
|
19
19
|
## Usage
|
|
20
20
|
|
|
21
|
-
```
|
|
21
|
+
```ruby
|
|
22
22
|
Fb::Jwt::Auth.configure do |config|
|
|
23
|
+
# Service token cache domain
|
|
24
|
+
#
|
|
23
25
|
config.service_token_cache_root_url = ENV['SERVICE_TOKEN_CACHE_ROOT_URL']
|
|
24
26
|
end
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
### Using other endpoint versions
|
|
25
30
|
|
|
31
|
+
Service token cache can have different versions of authenticating a service.
|
|
32
|
+
|
|
33
|
+
You can configure the version:
|
|
34
|
+
|
|
35
|
+
```ruby
|
|
36
|
+
Fb::Jwt::Auth.configure do |config|
|
|
37
|
+
config.service_token_cache_api_version = :v3
|
|
38
|
+
end
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
### Verifying the token
|
|
42
|
+
|
|
43
|
+
```ruby
|
|
26
44
|
Fb::Jwt::Auth.new(
|
|
27
45
|
access_token: request.headers['x-access-token-v2'],
|
|
28
46
|
key: 'fb-editor', # service name
|
data/lib/fb/jwt/auth.rb
CHANGED
|
@@ -6,13 +6,7 @@ require 'active_support/core_ext'
|
|
|
6
6
|
module Fb
|
|
7
7
|
module Jwt
|
|
8
8
|
class Auth
|
|
9
|
-
|
|
10
|
-
@@service_token_cache_root_url = value
|
|
11
|
-
end
|
|
12
|
-
|
|
13
|
-
def self.service_token_cache_root_url
|
|
14
|
-
@@service_token_cache_root_url
|
|
15
|
-
end
|
|
9
|
+
cattr_accessor :service_token_cache_root_url, :service_token_cache_api_version
|
|
16
10
|
|
|
17
11
|
def self.configure(&block)
|
|
18
12
|
yield self
|
|
@@ -29,9 +23,15 @@ module Fb
|
|
|
29
23
|
class TokenExpiredError < StandardError
|
|
30
24
|
end
|
|
31
25
|
|
|
26
|
+
class IssuerNotPresentError < StandardError
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
class NamespaceNotPresentError < StandardError
|
|
30
|
+
end
|
|
31
|
+
|
|
32
32
|
attr_accessor :token, :key, :leeway, :logger
|
|
33
33
|
|
|
34
|
-
def initialize(token:, key
|
|
34
|
+
def initialize(token:, key: nil, leeway:, logger:)
|
|
35
35
|
@token = token
|
|
36
36
|
@key = key
|
|
37
37
|
@leeway = leeway
|
|
@@ -41,15 +41,11 @@ module Fb
|
|
|
41
41
|
def verify!
|
|
42
42
|
raise TokenNotPresentError if token.nil?
|
|
43
43
|
|
|
44
|
+
application_details = find_application_info
|
|
45
|
+
|
|
44
46
|
begin
|
|
45
|
-
hmac_secret = public_key(
|
|
46
|
-
payload, _header =
|
|
47
|
-
token,
|
|
48
|
-
hmac_secret,
|
|
49
|
-
true,
|
|
50
|
-
exp_leeway: leeway,
|
|
51
|
-
algorithm: 'RS256'
|
|
52
|
-
)
|
|
47
|
+
hmac_secret = public_key(application_details)
|
|
48
|
+
payload, _header = decode(hmac_secret: hmac_secret)
|
|
53
49
|
rescue StandardError => e
|
|
54
50
|
error_message = "Couldn't parse that token - error #{e}"
|
|
55
51
|
logger.debug(error_message)
|
|
@@ -71,8 +67,33 @@ module Fb
|
|
|
71
67
|
payload
|
|
72
68
|
end
|
|
73
69
|
|
|
74
|
-
def
|
|
75
|
-
|
|
70
|
+
def decode(verify: true, hmac_secret: nil)
|
|
71
|
+
JWT.decode(
|
|
72
|
+
token,
|
|
73
|
+
hmac_secret,
|
|
74
|
+
verify,
|
|
75
|
+
exp_leeway: leeway,
|
|
76
|
+
algorithm: 'RS256'
|
|
77
|
+
)
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
def find_application_info
|
|
81
|
+
return { application: key } if key
|
|
82
|
+
|
|
83
|
+
payload, _header = decode(verify: false)
|
|
84
|
+
application = payload['iss']
|
|
85
|
+
namespace = payload['namespace']
|
|
86
|
+
|
|
87
|
+
raise IssuerNotPresentError unless application
|
|
88
|
+
raise NamespaceNotPresentError unless namespace
|
|
89
|
+
|
|
90
|
+
{ application: application, namespace: namespace}
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
def public_key(attributes)
|
|
94
|
+
OpenSSL::PKey::RSA.new(
|
|
95
|
+
ServiceTokenClient.new(attributes).public_key
|
|
96
|
+
)
|
|
76
97
|
end
|
|
77
98
|
end
|
|
78
99
|
end
|
|
@@ -5,11 +5,18 @@ require 'base64'
|
|
|
5
5
|
class Fb::Jwt::Auth::ServiceTokenClient
|
|
6
6
|
class ServiceTokenCacheError < StandardError; end
|
|
7
7
|
|
|
8
|
-
|
|
8
|
+
ENDPOINTS = {
|
|
9
|
+
v2: '/service/v2/%{application}',
|
|
10
|
+
v3: '/v3/applications/%{application}/namespaces/%{namespace}'
|
|
11
|
+
}
|
|
9
12
|
|
|
10
|
-
|
|
11
|
-
|
|
13
|
+
attr_accessor :application, :namespace, :root_url, :api_version
|
|
14
|
+
|
|
15
|
+
def initialize(application:, namespace: nil)
|
|
16
|
+
@application = application
|
|
17
|
+
@namespace = namespace
|
|
12
18
|
@root_url = Fb::Jwt::Auth.service_token_cache_root_url
|
|
19
|
+
@api_version = Fb::Jwt::Auth.service_token_cache_api_version || :v2
|
|
13
20
|
end
|
|
14
21
|
|
|
15
22
|
def public_key
|
|
@@ -32,6 +39,14 @@ class Fb::Jwt::Auth::ServiceTokenClient
|
|
|
32
39
|
private
|
|
33
40
|
|
|
34
41
|
def public_key_uri
|
|
35
|
-
URI.join(
|
|
42
|
+
URI.join(root_url, version_url)
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def version_url
|
|
46
|
+
if api_version == :v3
|
|
47
|
+
ENDPOINTS[api_version] % { application: application, namespace: namespace }
|
|
48
|
+
else
|
|
49
|
+
ENDPOINTS[api_version] % { application: application }
|
|
50
|
+
end
|
|
36
51
|
end
|
|
37
52
|
end
|
data/lib/fb/jwt/auth/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: fb-jwt-auth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Form builder developers
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-10-
|
|
11
|
+
date: 2020-10-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: jwt
|
|
@@ -59,6 +59,7 @@ executables: []
|
|
|
59
59
|
extensions: []
|
|
60
60
|
extra_rdoc_files: []
|
|
61
61
|
files:
|
|
62
|
+
- ".circleci/config.yml"
|
|
62
63
|
- ".gitignore"
|
|
63
64
|
- ".rspec"
|
|
64
65
|
- ".ruby-version"
|
|
@@ -81,7 +82,7 @@ metadata:
|
|
|
81
82
|
homepage_uri: https://github.com/ministryofjustice/fb-jwt-auth
|
|
82
83
|
source_code_uri: https://github.com/ministryofjustice/fb-jwt-auth
|
|
83
84
|
changelog_uri: https://github.com/ministryofjustice/fb-jwt-auth/blob/main/Changelog.md
|
|
84
|
-
post_install_message:
|
|
85
|
+
post_install_message:
|
|
85
86
|
rdoc_options: []
|
|
86
87
|
require_paths:
|
|
87
88
|
- lib
|
|
@@ -97,7 +98,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
97
98
|
version: '0'
|
|
98
99
|
requirements: []
|
|
99
100
|
rubygems_version: 3.1.4
|
|
100
|
-
signing_key:
|
|
101
|
+
signing_key:
|
|
101
102
|
specification_version: 4
|
|
102
103
|
summary: JWT authentication done in form builder team
|
|
103
104
|
test_files: []
|