fb-jwt-auth 0.2.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f86d88c60d096a604b4c0e3bd40acb9e6869c99011f91f14eb9488b7e9d4f4ae
-  data.tar.gz: f79a60753d8fee05024b3303a6d03d1fb28d13db6d788a3b3ca24e2c16a8707f
+  metadata.gz: d2a0ab54dae6b316b53e5518a6e85e0fd9da9608a68be9cf3e153755b1f3a5d8
+  data.tar.gz: f41116c14483ef87b5be6ea47632d0eb634c748ea273e4e3b108ea94afb4ec32
 SHA512:
-  metadata.gz: 52b523c492ba637761d84f15c0d374e1920d1c0e7210cf8fbbfefee2df9efcee10abaf75a6f9942266794c509616717da55cadb38916c48d31372cb0c7b92c6f
-  data.tar.gz: 9870d7e4d6854fb21cc07fc8903661fca1fac308ce716866bd2d9bbee95fdfafe32deb47c3f54fbb14112ae88b25e2262fbec35ebe34a5d0ddd95de8f40c20ee
+  metadata.gz: 4245369f210cb3f722308859890d81fa0c3c2cf76dad469c0cbad3aa563d06a0576248bc13cb609179fe1376c5de661b644d9e62d8f7245e546ce172d352d642
+  data.tar.gz: 957cb3c0640e3f173c2c8683f54d5de37acd9ba35194973c7cb3fa7822eae21104aadab615dfc97c3638087df245f40c40d2fc15fb94a037bf76280e0699d7f8

data/.gitignore

@@ -11,3 +11,4 @@
 .rspec_status
 Gemfile.lock
 .byebug_history
+*.gem

data/Changelog.md

@@ -1,3 +1,18 @@
+# 0.5.0
+* Do not base64 decode private key
+
+# 0.4.0
+* Generate the access token
+
+# 0.3.0
+* Request non cached version of public key if first validition fails
+
+# v0.2.2
+* Add token not present exception when token is empty
+
+# v0.2.1
+* Add better error messages
+
 # v0.2.0
 
 * Add service token cache v3 implementation

data/README.md

@@ -25,6 +25,16 @@ Fb::Jwt::Auth.configure do |config|
   config.service_token_cache_root_url = ENV['SERVICE_TOKEN_CACHE_ROOT_URL']
 end
 ```
+In order to generate the service access token we need to use `Fb::Jwt::Auth::ServiceAccessToken.new.generate` or if you require a subject, `Fb::Jwt::Auth::ServiceAccessToken.new(subject: subject).generate`
+
+In the case you need to configure the service access token as a client
+```ruby
+Fb::Jwt::Auth.configure do |config|
+  config.issuer = 'fb-editor'
+  config.namespace = 'formbuilder-saas-test'
+  config.encoded_private_key = 'base64 encoded private key'
+end
+```
 
 ### Using other endpoint versions
 

data/lib/fb/jwt/auth.rb

@@ -1,18 +1,23 @@
 require 'fb/jwt/auth/version'
 require 'openssl'
 require 'jwt'
-require 'active_support/core_ext'
+require 'active_support/all'
 
 module Fb
   module Jwt
     class Auth
-      cattr_accessor :service_token_cache_root_url, :service_token_cache_api_version
+      cattr_accessor :service_token_cache_root_url,
+                     :service_token_cache_api_version,
+                     :encoded_private_key,
+                     :issuer,
+                     :namespace
 
       def self.configure(&block)
         yield self
       end
 
       autoload :ServiceTokenClient, 'fb/jwt/auth/service_token_client'
+      autoload :ServiceAccessToken, 'fb/jwt/auth/service_access_token'
 
       class TokenNotPresentError < StandardError
       end
@@ -39,15 +44,14 @@ module Fb
       end
 
       def verify!
-        raise TokenNotPresentError if token.nil?
+        raise TokenNotPresentError.new('Token is not present') if token.blank?
 
         application_details = find_application_info
 
         begin
-          hmac_secret = public_key(application_details)
-          payload, _header = decode(hmac_secret: hmac_secret)
+          payload, _header = retrieve_and_decode_public_key(application_details)
         rescue StandardError => e
-          error_message = "Couldn't parse that token - error #{e}"
+          error_message = "Token is not valid: error #{e}"
           logger.debug(error_message)
           raise TokenNotValidError.new(error_message)
         end
@@ -57,7 +61,7 @@ module Fb
         iat_skew = payload['iat'].to_i - Time.zone.now.to_i
 
         if iat_skew.abs > leeway.to_i
-          error_message = "iat skew is #{iat_skew}, max is #{leeway} - INVALID"
+          error_message = "Token has expired: iat skew is #{iat_skew}, max is #{leeway}"
           logger.debug(error_message)
 
           raise TokenExpiredError.new(error_message)
@@ -67,6 +71,15 @@ module Fb
         payload
       end
 
+      def retrieve_and_decode_public_key(application_details)
+        hmac_secret = public_key(application_details)
+        decode(hmac_secret: hmac_secret)
+      rescue JWT::VerificationError
+        logger.debug('First validation failed. Requesting non cached public key')
+        hmac_secret = public_key(application_details.merge(ignore_cache: true))
+        decode(hmac_secret: hmac_secret)
+      end
+
       def decode(verify: true, hmac_secret: nil)
         JWT.decode(
           token,
@@ -84,8 +97,8 @@ module Fb
         application = payload['iss']
         namespace = payload['namespace']
 
-        raise IssuerNotPresentError unless application
-        raise NamespaceNotPresentError unless namespace
+        raise IssuerNotPresentError.new('Issuer is not present in the token') unless application
+        raise NamespaceNotPresentError.new('Namespace is not present in the token') unless namespace
 
         { application: application, namespace: namespace}
       end

data/lib/fb/jwt/auth/service_access_token.rb

@@ -0,0 +1,43 @@
+module Fb
+  module Jwt
+    class Auth
+      class ServiceAccessToken
+        attr_reader :encoded_private_key,
+                    :issuer,
+                    :subject,
+                    :namespace
+
+        def initialize(subject: nil)
+          @subject = subject
+          @encoded_private_key = Fb::Jwt::Auth.encoded_private_key
+          @namespace = Fb::Jwt::Auth.namespace
+          @issuer = Fb::Jwt::Auth.issuer
+        end
+
+        def generate
+          return '' if encoded_private_key.blank?
+
+          private_key = OpenSSL::PKey::RSA.new(encoded_private_key.chomp)
+
+          JWT.encode(
+            token,
+            private_key,
+            'RS256'
+          )
+        end
+
+        private
+
+        def token
+          payload = {
+            iss: issuer,
+            iat: Time.current.to_i
+          }
+          payload[:sub] = subject if subject.present?
+          payload[:namespace] = namespace if namespace.present?
+          payload
+        end
+      end
+    end
+  end
+end

data/lib/fb/jwt/auth/service_token_client.rb

@@ -12,9 +12,10 @@ class Fb::Jwt::Auth::ServiceTokenClient
 
   attr_accessor :application, :namespace, :root_url, :api_version
 
-  def initialize(application:, namespace: nil)
+  def initialize(application:, namespace: nil, ignore_cache: false)
     @application = application
     @namespace = namespace
+    @ignore_cache = ignore_cache
     @root_url = Fb::Jwt::Auth.service_token_cache_root_url
     @api_version = Fb::Jwt::Auth.service_token_cache_api_version || :v2
   end
@@ -38,8 +39,14 @@ class Fb::Jwt::Auth::ServiceTokenClient
 
   private
 
+  attr_reader :ignore_cache
+
   def public_key_uri
-    URI.join(root_url, version_url)
+    URI.join(root_url, "#{version_url}#{query_param}")
+  end
+
+  def query_param
+    ignore_cache ? '?ignore_cache=true' : ''
   end
 
   def version_url

data/lib/fb/jwt/auth/version.rb

@@ -1,7 +1,7 @@
 module Fb
   module Jwt
     class Auth
-      VERSION = "0.2.0"
+      VERSION = "0.5.0"
     end
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fb-jwt-auth
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Form builder developers
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-10-23 00:00:00.000000000 Z
+date: 2021-01-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -73,6 +73,7 @@ files:
 - bin/setup
 - fb-jwt-auth.gemspec
 - lib/fb/jwt/auth.rb
+- lib/fb/jwt/auth/service_access_token.rb
 - lib/fb/jwt/auth/service_token_client.rb
 - lib/fb/jwt/auth/version.rb
 homepage: https://github.com/ministryofjustice/fb-jwt-auth