firebase_id_token 2.3.2 → 2.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 04e416cf72a26dfef4ba1555005cce301af06b10d68c34cb31873e4de4204307
-  data.tar.gz: b35dbae1fcb4f1da7e6a240be49662ec090e70f22e9e940a2173583c35a3e91b
+  metadata.gz: 789eeab7c0ec306d0a64b2c7564f590fdf54d2d93891d8c15f6797a49dada26a
+  data.tar.gz: 236c1161cb5141fa7b1658660463431715a3a449c48e94fbc3424df92101dd7a
 SHA512:
-  metadata.gz: 59a99e199abc3b4280500cc6202b78d125cb89874c7e4c0fc19956c25f89362ec8262af785fcfd1efd38c8a429dc5a231c6cca39b0a170c007cf7d2962c84429
-  data.tar.gz: c3654c443865086ba7aaaa66a5851ea6cf6549fc590ae24055491c0b44619a22399ea148d34e7e245dd5fc7ccf0bad0e04a2c3a3d1746ba1b40088db212e8f0b
+  metadata.gz: 8e5d277ce83b6deb7d9434d62d4545b405d6bd7a7248588fca7b21209cfac8181bd1593d96b11119a64652a76f4d3463f28ab0645e2c3d3f5c3d5cce8a0b4644
+  data.tar.gz: 8eddfe41e764ce2ab21b797fd27853d96466cde7339bd7ef56021f1d835e92dd388cdabb0f027a112abce83a1d5cbc0b6a36e24332e9bc453d67ad9a9f3f29df

data/.travis.yml

@@ -1,7 +1,7 @@
 sudo: false
 language: ruby
 rvm:
-  - 2.4.0
-before_install: gem install bundler -v 1.14.6
+  - 2.6.3
+before_install: gem install bundler -v 1.17.2
 services:
   - redis-server

data/CHANGELOG.md

@@ -0,0 +1,127 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [2.5.1] - 2022-08-15
+
+### Fixed
+- "[New caching doesn't honor request! calls](https://github.com/fschuindt/firebase_id_token/issues/35)", by reverting "[Caching certificates on memory.](https://github.com/fschuindt/firebase_id_token/pull/33)", PR #33.
+
+## [2.5.0] - 2022-04-13
+
+### Fixed
+- Local Code Execution through Argument Injection via dash leading git url parameter in Gemfile [CVE-2021-43809](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43809).
+- Dependency Confusion in Bundler [CVE-2020-36327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36327).
+- Insecure path handling in Bundler [CVE-2019-3881](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3881).
+
+### Changed
+- Using Bundler 2.3.11.
+- Using `Time.current` instead of `Time.now` to work with timezones [PR 34](https://github.com/fschuindt/firebase_id_token/pull/34).
+- Caching certificates on memory using `Thread` to avoid unnecessary calls into Redis [PR 33](https://github.com/fschuindt/firebase_id_token/pull/33).
+
+## [2.4.0] - 2020-05-02
+
+### Fixed
+- Rake development dependency vulnerability [CVE-2020-8130](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8130).
+
+### Changed
+- Using Bundler 1.17.2.
+
+### Added
+- Ability to raise errors when verifying tokens.
+- `FirebaseIdToken::Certificates.find!` method.
+- `FirebaseIdToken::Signatures.verify!` method.
+- `FirebaseIdToken::Exceptions::CertificateNotFound` exception.
+- `:raise_error` option to `FirebaseIdToken::Signature.verify`.
+- `CHANGELOG.md` file.
+
+## [2.3.2] - 2020-02-15
+
+### Fixed
+- Certificate fixture not accessible when packing Gem into Rails application.
+
+### Changed
+- Bumped Bundler version to 1.14.
+
+## [2.3.1] - 2019-08-13
+
+### Fixed
+- Certificate fixture reading issue.
+
+### Added
+- Test mode.
+- Test mode documentation.
+
+## [2.3.0] - 2018-06-18
+
+### Changed
+- Started to use [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+- Runtime dependencies versions upgraded.
+- Use Redis `>= 3.3.3`.
+
+## [2.2.0] - 2018-05-21
+*Nothing tracked, release skipped.*
+
+## [2.1.0] - 2018-04-09
+
+### Fixed
+- `FirebaseIdToken::Signature.verify` now returns `nil` for newly issued tokens.
+
+## [2.0.0] - 2017-12-09
+
+### Fixed
+- Typo on Rake task `force_request` name.
+
+## [1.3.0] - 2017-09-15
+
+### Changed
+- Renamed `Certificates.request_anyway` to `Certificates.request!` (`Certificates.request_anyway` was kept for backwards compatibility.
+
+### Fixed
+- Documentaiton typos.
+- Initializer typos.
+
+## [1.2.2] - 2017-04-29
+
+### Changed
+- Recommended people to use cron tasks instead of background jobs.
+- Set certificates TTL based on cache-control's max-age.
+- Documentation now warns about request during application start in Rails.
+
+### Fixed
+- Documentation typos.
+
+## [1.2.1] - 2017-04-27
+
+### Changed
+- Small improvements on documentation.
+
+## [1.2.0] - 2017-04-26
+
+### Changed
+- The Gem was marked as "ready to use".
+
+## [1.1.0] - 2017-04-26
+*Nothing tracked.*
+
+## [1.0.0] - 2017-04-26
+*Version removed.*
+
+## [0.1.0] - 2017-04-23
+*Version removed.*
+
+[2.5.1]: https://github.com/fschuindt/firebase_id_token/compare/2.5.0...2.5.1
+[2.5.0]: https://github.com/fschuindt/firebase_id_token/compare/2.4.0...2.5.0
+[2.4.0]: https://github.com/fschuindt/firebase_id_token/compare/2.3.2...2.4.0
+[2.3.2]: https://github.com/fschuindt/firebase_id_token/compare/2.3.1...2.3.2
+[2.3.1]: https://github.com/fschuindt/firebase_id_token/compare/2.3.0...2.3.1
+[2.3.0]: https://github.com/fschuindt/firebase_id_token/compare/2.0.0...2.3.0
+[2.1.0]: https://github.com/fschuindt/firebase_id_token/compare/2.0.0...2.1.0
+[2.0.0]: https://github.com/fschuindt/firebase_id_token/compare/1.3.0...2.0.0
+[1.3.0]: https://github.com/fschuindt/firebase_id_token/compare/1.2.2...1.3.0
+[1.2.2]: https://github.com/fschuindt/firebase_id_token/compare/1.2.1...1.2.2
+[1.2.1]: https://github.com/fschuindt/firebase_id_token/compare/1.2.0...1.2.1

data/README.md

@@ -29,7 +29,7 @@ gem install firebase_id_token
 
 or in your Gemfile
 ```
-gem 'firebase_id_token', '~> 2.3.1'
+gem 'firebase_id_token', '~> 2.5.1'
 ```
 then
 ```

data/docker-compose.yml

@@ -0,0 +1,9 @@
+version: '3'
+
+services:
+  redis:
+    image: redis:5-alpine
+    ports:
+      - "6379:6379"
+    expose:
+      - 6379

data/firebase_id_token.gemspec

@@ -22,8 +22,8 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_development_dependency 'bundler'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'bundler', '~> 2.3', '>= 2.3.11'
+  spec.add_development_dependency 'rake', '~> 12.3', '>= 12.3.3'
   spec.add_development_dependency 'rspec', '~> 3.0'
   spec.add_development_dependency 'redcarpet', '~> 3.4', '>= 3.4.0'
   spec.add_development_dependency 'simplecov', '~> 0.14.1'

data/lib/firebase_id_token/certificates.rb

@@ -111,13 +111,34 @@ module FirebaseIdToken
     #   FirebaseIdToken::Certificates.request
     #   cert = FirebaseIdToken::Certificates.find "1d6d01f4w7d54c7[...]"
     #   #=> <OpenSSL::X509::Certificate: subject=#<OpenSSL [...]
-    def self.find(kid)
+    def self.find(kid, raise_error: false)
       certs = new.local_certs
       raise Exceptions::NoCertificatesError if certs.empty?
 
-      if certs[kid]
-        OpenSSL::X509::Certificate.new certs[kid]
-      end
+      return OpenSSL::X509::Certificate.new certs[kid] if certs[kid]
+
+      return unless raise_error
+
+      raise Exceptions::CertificateNotFound,
+        "Unable to find a certificate with `#{kid}`."
+    end
+
+    # Returns a `OpenSSL::X509::Certificate` object of the requested Key ID
+    # (KID) if there's one.
+    #
+    # @raise {Exceptions::CertificateNotFound} if it cannot be found.
+    #
+    # @raise {Exceptions::NoCertificatesError} if the Redis certificates
+    # database is empty.
+    #
+    # @param [String] kid Key ID
+    # @return [OpenSSL::X509::Certificate]
+    # @example
+    #   FirebaseIdToken::Certificates.request
+    #   cert = FirebaseIdToken::Certificates.find! "1d6d01f4w7d54c7[...]"
+    #   #=> <OpenSSL::X509::Certificate: subject=#<OpenSSL [...]
+    def self.find!(kid)
+      find(kid, raise_error: true)
     end
 
     # Returns the current certificates TTL (Time-To-Live) in seconds. *Zero

data/lib/firebase_id_token/exceptions/certificate_not_found.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module FirebaseIdToken
+  module Exceptions
+    # @see FirebaseIdToken::Certificates.find!
+    class CertificateNotFound < StandardError; end
+  end
+end

data/lib/firebase_id_token/signature.rb

@@ -42,9 +42,25 @@ module FirebaseIdToken
     # Note that it will raise a {Exceptions::NoCertificatesError} if the Redis
     # certificates database is empty. Ensure to call {Certificates.request}
     # before, ideally in a background job if you are using Rails.
+    #
+    # If you would like this to raise and error, rather than silently failing,
+    # you can with the `raise_error` parameter. Example:
+    #
+    #   FirebaseIdToken::Signature
+    #     .verify(token, raise_error: Rails.env.development?)
+    #
+    # @param raise_error [Boolean] default: false
     # @return [nil, Hash]
-    def self.verify(jwt_token)
-      new(jwt_token).verify
+    def self.verify(jwt_token, raise_error: false)
+      new(jwt_token, raise_error: raise_error).verify
+    end
+
+    # Equivalent to `.verify(jwt_token, raise_error: true)`.
+    #
+    # @see {Signature.verify}
+    # @return [Hash]
+    def self.verify!(jwt_token)
+      new(jwt_token, raise_error: true).verify
     end
 
     attr_accessor :firebase_id_token_certificates
@@ -52,21 +68,21 @@ module FirebaseIdToken
     # Loads attributes: `:project_ids` from {FirebaseIdToken::Configuration},
     # and `:kid`, `:jwt_token` from the related `jwt_token`.
     # @param [String] jwt_token Firebase ID Token
-    def initialize(jwt_token)
+    def initialize(jwt_token, raise_error: false)
+      @raise_error = raise_error
       @project_ids = FirebaseIdToken.configuration.project_ids
       @kid = extract_kid(jwt_token)
       @jwt_token = jwt_token
       @firebase_id_token_certificates = FirebaseIdToken.configuration.certificates
-
     end
 
     # @see Signature.verify
     def verify
-      certificate = firebase_id_token_certificates.find(@kid)
-      if certificate
-        payload = decode_jwt_payload(@jwt_token, certificate.public_key)
-        authorize payload
-      end
+      certificate = firebase_id_token_certificates.find(@kid, raise_error: @raise_error)
+      return unless certificate
+
+      payload = decode_jwt_payload(@jwt_token, certificate.public_key)
+      authorize payload
     end
 
     private
@@ -74,13 +90,17 @@ module FirebaseIdToken
     def extract_kid(jwt_token)
       JWT.decode(jwt_token, nil, false).last['kid']
     rescue StandardError
-      'none'
+      return 'none' unless @raise_error
+
+      raise
     end
 
     def decode_jwt_payload(token, cert_key)
       JWT.decode(token, cert_key, true, JWT_DEFAULTS).first
     rescue StandardError
-      nil
+      return nil unless @raise_error
+
+      raise
     end
 
     def authorize(payload)
@@ -97,8 +117,8 @@ module FirebaseIdToken
     end
 
     def still_valid?(payload)
-      payload['exp'].to_i > Time.now.to_i &&
-      payload['iat'].to_i <= Time.now.to_i
+      payload['exp'].to_i > Time.current.to_i &&
+      payload['iat'].to_i <= Time.current.to_i
     end
 
     def issuer_authorized?(payload)

data/lib/firebase_id_token/testing/certificates.rb

@@ -12,10 +12,10 @@ module FirebaseIdToken
     # + {Certificates.private_key}
     # + {Certificates.certificate}
     class Certificates
-      # `.find` is stabbed to always return the same certificate.
+      # `.find` is stubbed to always return the same certificate.
       # @param [String] kid Key ID
       # @return [nil, OpenSSL::X509::Certificate]
-      def self.find(kid)
+      def self.find(kid, raise_error: false)
         cert = certificate
         OpenSSL::X509::Certificate.new cert
       end

data/lib/firebase_id_token/version.rb

@@ -1,3 +1,3 @@
 module FirebaseIdToken
-  VERSION = '2.3.2'
+  VERSION = '2.5.1'
 end

data/lib/firebase_id_token.rb

@@ -7,6 +7,7 @@ require 'firebase_id_token/version'
 require 'firebase_id_token/exceptions/no_certificates_error'
 require 'firebase_id_token/exceptions/certificates_request_error'
 require 'firebase_id_token/exceptions/certificates_ttl_error'
+require 'firebase_id_token/exceptions/certificate_not_found'
 require 'firebase_id_token/configuration'
 require 'firebase_id_token/certificates'
 require 'firebase_id_token/signature'
@@ -49,7 +50,7 @@ module FirebaseIdToken
 
   def self.configuration
     @configuration ||= Configuration.new
-  end 
+  end
 
   # Resets Configuration to defaults.
   def self.reset

data/spec/firebase_id_token/certificates_spec.rb

@@ -128,6 +128,28 @@ module FirebaseIdToken
       end
     end
 
+    describe '.find!' do
+      context 'without certificates in Redis database' do
+        it 'raises a exception' do
+          expect{ described_class.find!(kid)}.
+            to raise_error(Exceptions::NoCertificatesError)
+        end
+      end
+      context 'with certificates in Redis database' do
+        it 'returns a OpenSSL::X509::Certificate when it finds the kid' do
+          described_class.request
+          expect(described_class.find!(kid)).to be_a(OpenSSL::X509::Certificate)
+        end
+
+        it 'raises a CertificateNotFound error when it can not find the kid' do
+          described_class.request
+          expect { described_class.find!('') }
+            .to raise_error(Exceptions::CertificateNotFound, /Unable to find/)
+        end
+      end
+
+    end
+
     describe '.ttl' do
       it 'returns a positive number when has certificates in Redis' do
         described_class.request

data/spec/firebase_id_token/signature_spec.rb

@@ -3,11 +3,14 @@ require 'spec_helper'
 module FirebaseIdToken
   describe Signature do
     let(:jwt) { JSON.parse File.read('spec/fixtures/files/jwt.json') }
+    let(:raise_certificates_error) { false }
 
-    let (:mock_certificates) {
-      allow(Certificates).to receive(:find).with(an_instance_of(String)) {
-        OpenSSL::X509::Certificate.new(jwt['certificate']) }
-    }
+    let(:mock_certificates) do
+      allow(Certificates)
+        .to(receive(:find))
+        .with(an_instance_of(String), raise_error: raise_certificates_error)
+        .and_return(OpenSSL::X509::Certificate.new(jwt['certificate']))
+    end
 
     before :each do
       mock_certificates
@@ -29,5 +32,22 @@ module FirebaseIdToken
         expect(described_class.verify('aaa')).to be(nil)
       end
     end
+
+    describe '#verify!' do
+      let(:raise_certificates_error) { true }
+      it 'returns a Hash when the signature is valid' do
+        expect(described_class.verify!(jwt['jwt_token'])).to be_a(Hash)
+      end
+
+      it 'raises an error when the signature is invalid' do
+        expect { described_class.verify!(jwt['bad_jwt_token']) }
+          .to raise_error(JWT::VerificationError)
+      end
+
+      it 'raises an error with a invalid key format' do
+        expect { described_class.verify!('aaa') }
+          .to raise_error(JWT::DecodeError, /too many/)
+      end
+    end
   end
 end

metadata

@@ -1,43 +1,55 @@
 --- !ruby/object:Gem::Specification
 name: firebase_id_token
 version: !ruby/object:Gem::Version
-  version: 2.3.2
+  version: 2.5.1
 platform: ruby
 authors:
 - Fernando Schuindt
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-02-15 00:00:00.000000000 Z
+date: 2022-08-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.3.11
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.3.11
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -56,22 +68,22 @@ dependencies:
   name: redcarpet
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.4.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.4'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.4.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 3.4.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.4'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.4.0
 - !ruby/object:Gem::Dependency
   name: simplecov
   requirement: !ruby/object:Gem::Requirement
@@ -90,22 +102,22 @@ dependencies:
   name: codeclimate-test-reporter
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.0.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.0.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.0.0
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
@@ -144,22 +156,22 @@ dependencies:
   name: redis-namespace
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.6.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 1.6.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.6'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 1.6.0
 - !ruby/object:Gem::Dependency
   name: httparty
   requirement: !ruby/object:Gem::Requirement
@@ -184,22 +196,22 @@ dependencies:
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.1.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.1.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: 2.1.0
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.1'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.1.0
 description: A Ruby gem to verify the signature of Firebase ID Tokens. It uses Redis
   to store Google's x509 certificates and manage their expiration time, so you don't
   need to request Google's API in every execution and can access it as fast as reading
@@ -214,6 +226,7 @@ files:
 - ".rspec"
 - ".travis.yml"
 - ".yardopts"
+- CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
 - LICENSE.txt
@@ -221,10 +234,12 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- docker-compose.yml
 - firebase_id_token.gemspec
 - lib/firebase_id_token.rb
 - lib/firebase_id_token/certificates.rb
 - lib/firebase_id_token/configuration.rb
+- lib/firebase_id_token/exceptions/certificate_not_found.rb
 - lib/firebase_id_token/exceptions/certificates_request_error.rb
 - lib/firebase_id_token/exceptions/certificates_ttl_error.rb
 - lib/firebase_id_token/exceptions/no_certificates_error.rb
@@ -245,7 +260,7 @@ homepage: https://github.com/fschuindt/firebase_id_token
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -260,8 +275,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: A Firebase ID Token verifier.
 test_files: []