fb-jwt-auth 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.circleci/config.yml +63 -0
- data/Changelog.md +9 -0
- data/README.md +19 -1
- data/lib/fb/jwt/auth.rb +39 -18
- data/lib/fb/jwt/auth/service_token_client.rb +19 -4
- data/lib/fb/jwt/auth/version.rb +1 -1
- metadata +6 -5
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f86d88c60d096a604b4c0e3bd40acb9e6869c99011f91f14eb9488b7e9d4f4ae
|
|
4
|
+
data.tar.gz: f79a60753d8fee05024b3303a6d03d1fb28d13db6d788a3b3ca24e2c16a8707f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 52b523c492ba637761d84f15c0d374e1920d1c0e7210cf8fbbfefee2df9efcee10abaf75a6f9942266794c509616717da55cadb38916c48d31372cb0c7b92c6f
|
|
7
|
+
data.tar.gz: 9870d7e4d6854fb21cc07fc8903661fca1fac308ce716866bd2d9bbee95fdfafe32deb47c3f54fbb14112ae88b25e2262fbec35ebe34a5d0ddd95de8f40c20ee
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
version: 2.1
|
|
2
|
+
orbs:
|
|
3
|
+
slack: circleci/slack@3.4.2
|
|
4
|
+
|
|
5
|
+
jobs:
|
|
6
|
+
test:
|
|
7
|
+
docker:
|
|
8
|
+
- image: cimg/ruby:2.7.2
|
|
9
|
+
steps:
|
|
10
|
+
- checkout
|
|
11
|
+
- run:
|
|
12
|
+
name: Install
|
|
13
|
+
command: bundle install
|
|
14
|
+
- run:
|
|
15
|
+
name: Test
|
|
16
|
+
command: bundle exec rspec
|
|
17
|
+
- slack/status: &slack_status
|
|
18
|
+
fail_only: true
|
|
19
|
+
only_for_branches: main
|
|
20
|
+
failure_message: ":facepalm: Failed job $CIRCLE_JOB :homer-disappear:"
|
|
21
|
+
include_job_number_field: false
|
|
22
|
+
publish:
|
|
23
|
+
docker:
|
|
24
|
+
- image: cimg/ruby:2.7.2
|
|
25
|
+
steps:
|
|
26
|
+
- checkout
|
|
27
|
+
- run:
|
|
28
|
+
name: Install
|
|
29
|
+
command: bundle install
|
|
30
|
+
- run:
|
|
31
|
+
name: Setup Rubygems
|
|
32
|
+
command: |
|
|
33
|
+
mkdir ~/.gem
|
|
34
|
+
echo -e "---\r\n:rubygems_api_key: $RUBYGEMS_API_KEY" > ~/.gem/credentials
|
|
35
|
+
chmod 0600 /home/circleci/.gem/credentials
|
|
36
|
+
- run:
|
|
37
|
+
name: Publish to Rubygems
|
|
38
|
+
command: |
|
|
39
|
+
set -e
|
|
40
|
+
|
|
41
|
+
VERSION=$(ruby -e "require './lib/fb/jwt/auth/version.rb'; puts Fb::Jwt::Auth::VERSION")
|
|
42
|
+
PUBLISHED_VERSION=$(curl https://rubygems.org/api/v1/versions/fb-jwt-auth/latest.json | sed -e 's/[{}]/''/g' | sed s/\"//g | awk -v RS=',' -F: '$1=="version"{print $2}')
|
|
43
|
+
|
|
44
|
+
if [ "$VERSION" != "$PUBLISHED_VERSION" ]
|
|
45
|
+
then
|
|
46
|
+
bundle exec gem build fb-jwt-auth.gemspec
|
|
47
|
+
bundle exec gem push fb-jwt-auth-*.gem
|
|
48
|
+
curl -X POST -H 'Content-type: application/json' --data "{\"text\":\":woohoo: Successfully published ${CIRCLE_PROJECT_REPONAME} ${VERSION} :ship_it_parrot:\"}" "$SLACK_WEBHOOK"
|
|
49
|
+
fi
|
|
50
|
+
- slack/status: *slack_status
|
|
51
|
+
|
|
52
|
+
workflows:
|
|
53
|
+
commit-workflow:
|
|
54
|
+
jobs:
|
|
55
|
+
- test
|
|
56
|
+
- publish:
|
|
57
|
+
requires:
|
|
58
|
+
- test
|
|
59
|
+
filters:
|
|
60
|
+
tags:
|
|
61
|
+
only: /.*/
|
|
62
|
+
branches:
|
|
63
|
+
only: main
|
data/Changelog.md
CHANGED
data/README.md
CHANGED
|
@@ -18,11 +18,29 @@ Or install it yourself as:
|
|
|
18
18
|
|
|
19
19
|
## Usage
|
|
20
20
|
|
|
21
|
-
```
|
|
21
|
+
```ruby
|
|
22
22
|
Fb::Jwt::Auth.configure do |config|
|
|
23
|
+
# Service token cache domain
|
|
24
|
+
#
|
|
23
25
|
config.service_token_cache_root_url = ENV['SERVICE_TOKEN_CACHE_ROOT_URL']
|
|
24
26
|
end
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
### Using other endpoint versions
|
|
25
30
|
|
|
31
|
+
Service token cache can have different versions of authenticating a service.
|
|
32
|
+
|
|
33
|
+
You can configure the version:
|
|
34
|
+
|
|
35
|
+
```ruby
|
|
36
|
+
Fb::Jwt::Auth.configure do |config|
|
|
37
|
+
config.service_token_cache_api_version = :v3
|
|
38
|
+
end
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
### Verifying the token
|
|
42
|
+
|
|
43
|
+
```ruby
|
|
26
44
|
Fb::Jwt::Auth.new(
|
|
27
45
|
access_token: request.headers['x-access-token-v2'],
|
|
28
46
|
key: 'fb-editor', # service name
|
data/lib/fb/jwt/auth.rb
CHANGED
|
@@ -6,13 +6,7 @@ require 'active_support/core_ext'
|
|
|
6
6
|
module Fb
|
|
7
7
|
module Jwt
|
|
8
8
|
class Auth
|
|
9
|
-
|
|
10
|
-
@@service_token_cache_root_url = value
|
|
11
|
-
end
|
|
12
|
-
|
|
13
|
-
def self.service_token_cache_root_url
|
|
14
|
-
@@service_token_cache_root_url
|
|
15
|
-
end
|
|
9
|
+
cattr_accessor :service_token_cache_root_url, :service_token_cache_api_version
|
|
16
10
|
|
|
17
11
|
def self.configure(&block)
|
|
18
12
|
yield self
|
|
@@ -29,9 +23,15 @@ module Fb
|
|
|
29
23
|
class TokenExpiredError < StandardError
|
|
30
24
|
end
|
|
31
25
|
|
|
26
|
+
class IssuerNotPresentError < StandardError
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
class NamespaceNotPresentError < StandardError
|
|
30
|
+
end
|
|
31
|
+
|
|
32
32
|
attr_accessor :token, :key, :leeway, :logger
|
|
33
33
|
|
|
34
|
-
def initialize(token:, key
|
|
34
|
+
def initialize(token:, key: nil, leeway:, logger:)
|
|
35
35
|
@token = token
|
|
36
36
|
@key = key
|
|
37
37
|
@leeway = leeway
|
|
@@ -41,15 +41,11 @@ module Fb
|
|
|
41
41
|
def verify!
|
|
42
42
|
raise TokenNotPresentError if token.nil?
|
|
43
43
|
|
|
44
|
+
application_details = find_application_info
|
|
45
|
+
|
|
44
46
|
begin
|
|
45
|
-
hmac_secret = public_key(
|
|
46
|
-
payload, _header =
|
|
47
|
-
token,
|
|
48
|
-
hmac_secret,
|
|
49
|
-
true,
|
|
50
|
-
exp_leeway: leeway,
|
|
51
|
-
algorithm: 'RS256'
|
|
52
|
-
)
|
|
47
|
+
hmac_secret = public_key(application_details)
|
|
48
|
+
payload, _header = decode(hmac_secret: hmac_secret)
|
|
53
49
|
rescue StandardError => e
|
|
54
50
|
error_message = "Couldn't parse that token - error #{e}"
|
|
55
51
|
logger.debug(error_message)
|
|
@@ -71,8 +67,33 @@ module Fb
|
|
|
71
67
|
payload
|
|
72
68
|
end
|
|
73
69
|
|
|
74
|
-
def
|
|
75
|
-
|
|
70
|
+
def decode(verify: true, hmac_secret: nil)
|
|
71
|
+
JWT.decode(
|
|
72
|
+
token,
|
|
73
|
+
hmac_secret,
|
|
74
|
+
verify,
|
|
75
|
+
exp_leeway: leeway,
|
|
76
|
+
algorithm: 'RS256'
|
|
77
|
+
)
|
|
78
|
+
end
|
|
79
|
+
|
|
80
|
+
def find_application_info
|
|
81
|
+
return { application: key } if key
|
|
82
|
+
|
|
83
|
+
payload, _header = decode(verify: false)
|
|
84
|
+
application = payload['iss']
|
|
85
|
+
namespace = payload['namespace']
|
|
86
|
+
|
|
87
|
+
raise IssuerNotPresentError unless application
|
|
88
|
+
raise NamespaceNotPresentError unless namespace
|
|
89
|
+
|
|
90
|
+
{ application: application, namespace: namespace}
|
|
91
|
+
end
|
|
92
|
+
|
|
93
|
+
def public_key(attributes)
|
|
94
|
+
OpenSSL::PKey::RSA.new(
|
|
95
|
+
ServiceTokenClient.new(attributes).public_key
|
|
96
|
+
)
|
|
76
97
|
end
|
|
77
98
|
end
|
|
78
99
|
end
|
|
@@ -5,11 +5,18 @@ require 'base64'
|
|
|
5
5
|
class Fb::Jwt::Auth::ServiceTokenClient
|
|
6
6
|
class ServiceTokenCacheError < StandardError; end
|
|
7
7
|
|
|
8
|
-
|
|
8
|
+
ENDPOINTS = {
|
|
9
|
+
v2: '/service/v2/%{application}',
|
|
10
|
+
v3: '/v3/applications/%{application}/namespaces/%{namespace}'
|
|
11
|
+
}
|
|
9
12
|
|
|
10
|
-
|
|
11
|
-
|
|
13
|
+
attr_accessor :application, :namespace, :root_url, :api_version
|
|
14
|
+
|
|
15
|
+
def initialize(application:, namespace: nil)
|
|
16
|
+
@application = application
|
|
17
|
+
@namespace = namespace
|
|
12
18
|
@root_url = Fb::Jwt::Auth.service_token_cache_root_url
|
|
19
|
+
@api_version = Fb::Jwt::Auth.service_token_cache_api_version || :v2
|
|
13
20
|
end
|
|
14
21
|
|
|
15
22
|
def public_key
|
|
@@ -32,6 +39,14 @@ class Fb::Jwt::Auth::ServiceTokenClient
|
|
|
32
39
|
private
|
|
33
40
|
|
|
34
41
|
def public_key_uri
|
|
35
|
-
URI.join(
|
|
42
|
+
URI.join(root_url, version_url)
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def version_url
|
|
46
|
+
if api_version == :v3
|
|
47
|
+
ENDPOINTS[api_version] % { application: application, namespace: namespace }
|
|
48
|
+
else
|
|
49
|
+
ENDPOINTS[api_version] % { application: application }
|
|
50
|
+
end
|
|
36
51
|
end
|
|
37
52
|
end
|
data/lib/fb/jwt/auth/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: fb-jwt-auth
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Form builder developers
|
|
8
|
-
autorequire:
|
|
8
|
+
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2020-10-
|
|
11
|
+
date: 2020-10-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: jwt
|
|
@@ -59,6 +59,7 @@ executables: []
|
|
|
59
59
|
extensions: []
|
|
60
60
|
extra_rdoc_files: []
|
|
61
61
|
files:
|
|
62
|
+
- ".circleci/config.yml"
|
|
62
63
|
- ".gitignore"
|
|
63
64
|
- ".rspec"
|
|
64
65
|
- ".ruby-version"
|
|
@@ -81,7 +82,7 @@ metadata:
|
|
|
81
82
|
homepage_uri: https://github.com/ministryofjustice/fb-jwt-auth
|
|
82
83
|
source_code_uri: https://github.com/ministryofjustice/fb-jwt-auth
|
|
83
84
|
changelog_uri: https://github.com/ministryofjustice/fb-jwt-auth/blob/main/Changelog.md
|
|
84
|
-
post_install_message:
|
|
85
|
+
post_install_message:
|
|
85
86
|
rdoc_options: []
|
|
86
87
|
require_paths:
|
|
87
88
|
- lib
|
|
@@ -97,7 +98,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
97
98
|
version: '0'
|
|
98
99
|
requirements: []
|
|
99
100
|
rubygems_version: 3.1.4
|
|
100
|
-
signing_key:
|
|
101
|
+
signing_key:
|
|
101
102
|
specification_version: 4
|
|
102
103
|
summary: JWT authentication done in form builder team
|
|
103
104
|
test_files: []
|