firebase_id_token 2.3.2 → 2.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 04e416cf72a26dfef4ba1555005cce301af06b10d68c34cb31873e4de4204307
-  data.tar.gz: b35dbae1fcb4f1da7e6a240be49662ec090e70f22e9e940a2173583c35a3e91b
+  metadata.gz: eef2d227ba8e21f033a7d4c68f7d973a6d25b26e1c1900f43784606f1020332c
+  data.tar.gz: 2899b73b48998f8e14337eada01a76980e02fd1994821afd8a902f23ec40dfd5
 SHA512:
-  metadata.gz: 59a99e199abc3b4280500cc6202b78d125cb89874c7e4c0fc19956c25f89362ec8262af785fcfd1efd38c8a429dc5a231c6cca39b0a170c007cf7d2962c84429
-  data.tar.gz: c3654c443865086ba7aaaa66a5851ea6cf6549fc590ae24055491c0b44619a22399ea148d34e7e245dd5fc7ccf0bad0e04a2c3a3d1746ba1b40088db212e8f0b
+  metadata.gz: 7f64121a625def6dd48f7090fd5bfe25ed3ca754510a993b3dc9124b865e92c5610010a156c5520359c9c93d7301e8dfe9c4a46630f99df50b84742a61129fbf
+  data.tar.gz: 6b0fd92129b034f482fe8ed910a23e9f7201d42d510b03100f974e7adc919d9125915885c5211cf1c1cbf42363c72a987e3a1b493047aec27193317e2569d4f8

data/.travis.yml

@@ -1,7 +1,7 @@
 sudo: false
 language: ruby
 rvm:
-  - 2.4.0
-before_install: gem install bundler -v 1.14.6
+  - 2.6.3
+before_install: gem install bundler -v 1.17.2
 services:
   - redis-server

data/CHANGELOG.md

@@ -0,0 +1,105 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Fixed
+- Rake development dependency vulnerability [CVE-2020-8130](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8130).
+
+### Changed
+- Using Bundler 1.17.2.
+
+### Added
+- Ability to raise errors when verifying tokens.
+- `FirebaseIdToken::Certificates.find!` method.
+- `FirebaseIdToken::Signatures.verify!` method.
+- `FirebaseIdToken::Exceptions::CertificateNotFound` exception.
+- `:raise_error` option to `FirebaseIdToken::Signature.verify`.
+- `CHANGELOG.md` file.
+
+## [2.3.2] - 2020-02-15
+
+### Fixed
+- Certificate fixture not accessible when packing Gem into Rails application.
+
+### Changed
+- Bumped Bundler version to 1.14.
+
+## [2.3.1] - 2019-08-13
+
+### Fixed
+- Certificate fixture reading issue.
+
+### Added
+- Test mode.
+- Test mode documentation.
+
+## [2.3.0] - 2018-06-18
+
+### Changed
+- Started to use [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+- Runtime dependencies versions upgraded.
+- Use Redis `>= 3.3.3`.
+
+## [2.2.0] - 2018-05-21
+*Nothing tracked, release skipped.*
+
+## [2.1.0] - 2018-04-09
+
+### Fixed
+- `FirebaseIdToken::Signature.verify` now returns `nil` for newly issued tokens.
+
+## [2.0.0] - 2017-12-09
+
+### Fixed
+- Typo on Rake task `force_request` name.
+
+## [1.3.0] - 2017-09-15
+
+### Changed
+- Renamed `Certificates.request_anyway` to `Certificates.request!` (`Certificates.request_anyway` was kept for backwards compatibility.
+
+### Fixed
+- Documentaiton typos.
+- Initializer typos.
+
+## [1.2.2] - 2017-04-29
+
+### Changed
+- Recommended people to use cron tasks instead of background jobs.
+- Set certificates TTL based on cache-control's max-age.
+- Documentation now warns about request during application start in Rails.
+
+### Fixed
+- Documentation typos.
+
+## [1.2.1] - 2017-04-27
+
+### Changed
+- Small improvements on documentation.
+
+## [1.2.0] - 2017-04-26
+
+### Changed
+- The Gem was marked as "ready to use".
+
+## [1.1.0] - 2017-04-26
+*Nothing tracked.*
+
+## [1.0.0] - 2017-04-26
+*Version removed.*
+
+## [0.1.0] - 2017-04-23
+*Version removed.*
+
+[2.3.2]: https://github.com/fschuindt/firebase_id_token/compare/2.3.1...2.3.2
+[2.3.1]: https://github.com/fschuindt/firebase_id_token/compare/2.3.0...2.3.1
+[2.3.0]: https://github.com/fschuindt/firebase_id_token/compare/2.0.0...2.3.0
+[2.1.0]: https://github.com/fschuindt/firebase_id_token/compare/2.0.0...2.1.0
+[2.0.0]: https://github.com/fschuindt/firebase_id_token/compare/1.3.0...2.0.0
+[1.3.0]: https://github.com/fschuindt/firebase_id_token/compare/1.2.2...1.3.0
+[1.2.2]: https://github.com/fschuindt/firebase_id_token/compare/1.2.1...1.2.2
+[1.2.1]: https://github.com/fschuindt/firebase_id_token/compare/1.2.0...1.2.1

data/README.md

@@ -29,7 +29,7 @@ gem install firebase_id_token
 
 or in your Gemfile
 ```
-gem 'firebase_id_token', '~> 2.3.1'
+gem 'firebase_id_token', '~> 2.4.0'
 ```
 then
 ```

data/docker-compose.yml

@@ -0,0 +1,9 @@
+version: '3'
+
+services:
+  redis:
+    image: redis:5-alpine
+    ports:
+      - "6379:6379"
+    expose:
+      - 6379

data/firebase_id_token.gemspec

@@ -22,8 +22,8 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_development_dependency 'bundler'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'bundler', '~> 1.17', '>= 1.17.2'
+  spec.add_development_dependency 'rake', '~> 12.3', '>= 12.3.3'
   spec.add_development_dependency 'rspec', '~> 3.0'
   spec.add_development_dependency 'redcarpet', '~> 3.4', '>= 3.4.0'
   spec.add_development_dependency 'simplecov', '~> 0.14.1'

data/lib/firebase_id_token.rb

@@ -7,6 +7,7 @@ require 'firebase_id_token/version'
 require 'firebase_id_token/exceptions/no_certificates_error'
 require 'firebase_id_token/exceptions/certificates_request_error'
 require 'firebase_id_token/exceptions/certificates_ttl_error'
+require 'firebase_id_token/exceptions/certificate_not_found'
 require 'firebase_id_token/configuration'
 require 'firebase_id_token/certificates'
 require 'firebase_id_token/signature'
@@ -49,7 +50,7 @@ module FirebaseIdToken
 
   def self.configuration
     @configuration ||= Configuration.new
-  end 
+  end
 
   # Resets Configuration to defaults.
   def self.reset

data/lib/firebase_id_token/certificates.rb

@@ -111,13 +111,34 @@ module FirebaseIdToken
     #   FirebaseIdToken::Certificates.request
     #   cert = FirebaseIdToken::Certificates.find "1d6d01f4w7d54c7[...]"
     #   #=> <OpenSSL::X509::Certificate: subject=#<OpenSSL [...]
-    def self.find(kid)
+    def self.find(kid, raise_error: false)
       certs = new.local_certs
       raise Exceptions::NoCertificatesError if certs.empty?
 
-      if certs[kid]
-        OpenSSL::X509::Certificate.new certs[kid]
-      end
+      return OpenSSL::X509::Certificate.new certs[kid] if certs[kid]
+
+      return unless raise_error
+
+      raise Exceptions::CertificateNotFound,
+        "Unable to find a certificate with `#{kid}`."
+    end
+
+    # Returns a `OpenSSL::X509::Certificate` object of the requested Key ID
+    # (KID) if there's one.
+    #
+    # @raise {Exceptions::CertificateNotFound} if it cannot be found.
+    #
+    # @raise {Exceptions::NoCertificatesError} if the Redis certificates
+    # database is empty.
+    #
+    # @param [String] kid Key ID
+    # @return [OpenSSL::X509::Certificate]
+    # @example
+    #   FirebaseIdToken::Certificates.request
+    #   cert = FirebaseIdToken::Certificates.find! "1d6d01f4w7d54c7[...]"
+    #   #=> <OpenSSL::X509::Certificate: subject=#<OpenSSL [...]
+    def self.find!(kid)
+      find(kid, raise_error: true)
     end
 
     # Returns the current certificates TTL (Time-To-Live) in seconds. *Zero

data/lib/firebase_id_token/exceptions/certificate_not_found.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module FirebaseIdToken
+  module Exceptions
+    # @see FirebaseIdToken::Certificates.find!
+    class CertificateNotFound < StandardError; end
+  end
+end

data/lib/firebase_id_token/signature.rb

@@ -42,9 +42,25 @@ module FirebaseIdToken
     # Note that it will raise a {Exceptions::NoCertificatesError} if the Redis
     # certificates database is empty. Ensure to call {Certificates.request}
     # before, ideally in a background job if you are using Rails.
+    #
+    # If you would like this to raise and error, rather than silently failing,
+    # you can with the `raise_error` parameter. Example:
+    #
+    #   FirebaseIdToken::Signature
+    #     .verify(token, raise_error: Rails.env.development?)
+    #
+    # @param raise_error [Boolean] default: false
     # @return [nil, Hash]
-    def self.verify(jwt_token)
-      new(jwt_token).verify
+    def self.verify(jwt_token, raise_error: false)
+      new(jwt_token, raise_error: raise_error).verify
+    end
+
+    # Equivalent to `.verify(jwt_token, raise_error: true)`.
+    #
+    # @see {Signature.verify}
+    # @return [Hash]
+    def self.verify!(jwt_token)
+      new(jwt_token, raise_error: true).verify
     end
 
     attr_accessor :firebase_id_token_certificates
@@ -52,21 +68,21 @@ module FirebaseIdToken
     # Loads attributes: `:project_ids` from {FirebaseIdToken::Configuration},
     # and `:kid`, `:jwt_token` from the related `jwt_token`.
     # @param [String] jwt_token Firebase ID Token
-    def initialize(jwt_token)
+    def initialize(jwt_token, raise_error: false)
+      @raise_error = raise_error
       @project_ids = FirebaseIdToken.configuration.project_ids
       @kid = extract_kid(jwt_token)
       @jwt_token = jwt_token
       @firebase_id_token_certificates = FirebaseIdToken.configuration.certificates
-
     end
 
     # @see Signature.verify
     def verify
-      certificate = firebase_id_token_certificates.find(@kid)
-      if certificate
-        payload = decode_jwt_payload(@jwt_token, certificate.public_key)
-        authorize payload
-      end
+      certificate = firebase_id_token_certificates.find(@kid, raise_error: @raise_error)
+      return unless certificate
+
+      payload = decode_jwt_payload(@jwt_token, certificate.public_key)
+      authorize payload
     end
 
     private
@@ -74,13 +90,17 @@ module FirebaseIdToken
     def extract_kid(jwt_token)
       JWT.decode(jwt_token, nil, false).last['kid']
     rescue StandardError
-      'none'
+      return 'none' unless @raise_error
+
+      raise
     end
 
     def decode_jwt_payload(token, cert_key)
       JWT.decode(token, cert_key, true, JWT_DEFAULTS).first
     rescue StandardError
-      nil
+      return nil unless @raise_error
+
+      raise
     end
 
     def authorize(payload)

data/lib/firebase_id_token/testing/certificates.rb

@@ -12,10 +12,10 @@ module FirebaseIdToken
     # + {Certificates.private_key}
     # + {Certificates.certificate}
     class Certificates
-      # `.find` is stabbed to always return the same certificate.
+      # `.find` is stubbed to always return the same certificate.
       # @param [String] kid Key ID
       # @return [nil, OpenSSL::X509::Certificate]
-      def self.find(kid)
+      def self.find(kid, raise_error: false)
         cert = certificate
         OpenSSL::X509::Certificate.new cert
       end

data/lib/firebase_id_token/version.rb

@@ -1,3 +1,3 @@
 module FirebaseIdToken
-  VERSION = '2.3.2'
+  VERSION = '2.4.0'
 end

data/spec/firebase_id_token/certificates_spec.rb

@@ -128,6 +128,28 @@ module FirebaseIdToken
       end
     end
 
+    describe '.find!' do
+      context 'without certificates in Redis database' do
+        it 'raises a exception' do
+          expect{ described_class.find!(kid)}.
+            to raise_error(Exceptions::NoCertificatesError)
+        end
+      end
+      context 'with certificates in Redis database' do
+        it 'returns a OpenSSL::X509::Certificate when it finds the kid' do
+          described_class.request
+          expect(described_class.find!(kid)).to be_a(OpenSSL::X509::Certificate)
+        end
+
+        it 'raises a CertificateNotFound error when it can not find the kid' do
+          described_class.request
+          expect { described_class.find!('') }
+            .to raise_error(Exceptions::CertificateNotFound, /Unable to find/)
+        end
+      end
+
+    end
+
     describe '.ttl' do
       it 'returns a positive number when has certificates in Redis' do
         described_class.request

data/spec/firebase_id_token/signature_spec.rb

@@ -3,11 +3,14 @@ require 'spec_helper'
 module FirebaseIdToken
   describe Signature do
     let(:jwt) { JSON.parse File.read('spec/fixtures/files/jwt.json') }
+    let(:raise_certificates_error) { false }
 
-    let (:mock_certificates) {
-      allow(Certificates).to receive(:find).with(an_instance_of(String)) {
-        OpenSSL::X509::Certificate.new(jwt['certificate']) }
-    }
+    let(:mock_certificates) do
+      allow(Certificates)
+        .to(receive(:find))
+        .with(an_instance_of(String), raise_error: raise_certificates_error)
+        .and_return(OpenSSL::X509::Certificate.new(jwt['certificate']))
+    end
 
     before :each do
       mock_certificates
@@ -29,5 +32,22 @@ module FirebaseIdToken
         expect(described_class.verify('aaa')).to be(nil)
       end
     end
+
+    describe '#verify!' do
+      let(:raise_certificates_error) { true }
+      it 'returns a Hash when the signature is valid' do
+        expect(described_class.verify!(jwt['jwt_token'])).to be_a(Hash)
+      end
+
+      it 'raises an error when the signature is invalid' do
+        expect { described_class.verify!(jwt['bad_jwt_token']) }
+          .to raise_error(JWT::VerificationError)
+      end
+
+      it 'raises an error with a invalid key format' do
+        expect { described_class.verify!('aaa') }
+          .to raise_error(JWT::DecodeError, /too many/)
+      end
+    end
   end
 end

metadata

@@ -1,43 +1,55 @@
 --- !ruby/object:Gem::Specification
 name: firebase_id_token
 version: !ruby/object:Gem::Version
-  version: 2.3.2
+  version: 2.4.0
 platform: ruby
 authors:
 - Fernando Schuindt
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-02-15 00:00:00.000000000 Z
+date: 2020-05-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.17'
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.17.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.17'
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 1.17.2
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.3'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -214,6 +226,7 @@ files:
 - ".rspec"
 - ".travis.yml"
 - ".yardopts"
+- CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
 - LICENSE.txt
@@ -221,10 +234,12 @@ files:
 - Rakefile
 - bin/console
 - bin/setup
+- docker-compose.yml
 - firebase_id_token.gemspec
 - lib/firebase_id_token.rb
 - lib/firebase_id_token/certificates.rb
 - lib/firebase_id_token/configuration.rb
+- lib/firebase_id_token/exceptions/certificate_not_found.rb
 - lib/firebase_id_token/exceptions/certificates_request_error.rb
 - lib/firebase_id_token/exceptions/certificates_ttl_error.rb
 - lib/firebase_id_token/exceptions/no_certificates_error.rb