fridge 0.2.4 → 0.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: baa2d0014ae145e09c68dc53c816938ad272aa3d
-  data.tar.gz: 7f34e028cb347f9da11e1d52d6f7443dc7f470bb
+SHA256:
+  metadata.gz: 769896062879cb0dc6c7c69f095a5cedab11beaa0c30cb3e302dfc15eb842343
+  data.tar.gz: 657ca035209d5be3fcb78aaa74cc418bf764726622ccc3d90e0cab900ad4cf13
 SHA512:
-  metadata.gz: 586f9c3edb3356d64068ca3b9c43741411238423b6cdb0d6a63041fed790b13e47c3d1d43c7ea6ef1c4e290b04f03cf253e4a6da40a2d0d9a89b01d72cb866fa
-  data.tar.gz: 7d3dff29fffe39c8f656180e091639f4b2139a513fa024e2d0d189f5436cb4d39f2dacab4867987e57e781380359a3281e3d61fee5db8fe5a8fff723bc68ed91
+  metadata.gz: 1500d9599ef57f700c52c2362086a3c9e0ac1853c2182e72e1f24ffe0583ccdc38bcaca4d7c9e53b792d93b164ae7ac1510af721e7b1359e2e07998da44388b2
+  data.tar.gz: e18539fb6ae2d73dac73005348bc78015dc2a708e6d4e3f10b7b430ed8368f16f73d58d876ca6afdfb3dcf41d41b165d4291eac3ef6cb11c03c61ff87574fc72

data/.github/CODEOWNERS

@@ -0,0 +1 @@
+*   @dawenster

data/.travis.yml

@@ -1,3 +1,5 @@
+sudo: false
 rvm:
-  - 2.0.0
-  - jruby
+  - 2.2
+  - 2.5
+  - 2.6

data/Gemfile

@@ -1,4 +1,7 @@
 source 'https://rubygems.org'
 
+gem 'activesupport', '~> 4.0'
+gem 'nokogiri', '~> 1.9.1'
+
 # Specify your gem's dependencies in fridge.gemspec
 gemspec

data/README.md

@@ -80,4 +80,4 @@ store_session_cookie(access_token)
 
 MIT License, see [LICENSE](LICENSE.md) for details.
 
-Copyright (c) 2014 [Aptible](https://www.aptible.com), Frank Macreery, and contributors.
+Copyright (c) 2019 [Aptible](https://www.aptible.com) and contributors.

data/fridge.gemspec

@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 lib = File.expand_path('../lib', __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
@@ -16,17 +17,17 @@ Gem::Specification.new do |spec|
   spec.license       = 'MIT'
 
   spec.files         = `git ls-files`.split($RS)
-  spec.test_files    = spec.files.grep(/^spec\//)
+  spec.test_files    = spec.files.grep(%r{^spec/})
   spec.require_paths = ['lib']
 
   spec.add_dependency 'gem_config'
-  spec.add_dependency 'jwt', '~> 0.1.13'
+  spec.add_dependency 'jwt', '~> 1.5.6'
 
-  spec.add_development_dependency 'bundler', '~> 1.5'
   spec.add_development_dependency 'aptible-tasks'
-  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'bundler', '~> 1.5'
+  spec.add_development_dependency 'pry'
   spec.add_development_dependency 'rails'
-  spec.add_development_dependency 'rspec', '~> 2.0'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec', '~> 3.0'
   spec.add_development_dependency 'rspec-rails'
-  spec.add_development_dependency 'pry'
 end

data/lib/fridge.rb

@@ -4,6 +4,7 @@ require 'fridge/version'
 require 'fridge/access_token'
 require 'fridge/serialization_error'
 require 'fridge/invalid_token'
+require 'fridge/expired_token'
 
 require 'fridge/railtie' if defined?(Rails)
 
@@ -14,7 +15,9 @@ module Fridge
     has :private_key, classes: [String]
     has :public_key, classes: [String]
 
-    has :signing_algorithm, values: %w(RS512 RS256), default: 'RS512'
+    # rubocop:disable Style/PercentLiteralDelimiters
+    has :signing_algorithm, values: %w[RS512 RS256], default: 'RS512'
+    # rubocop:enable Style/PercentLiteralDelimiters
 
     # A validator must raise an exception or return a false value for an
     # invalid token

data/lib/fridge/access_token.rb

@@ -2,10 +2,9 @@ require 'jwt'
 
 module Fridge
   class AccessToken
-    attr_accessor :id, :issuer, :subject, :scope, :expires_at,
+    attr_accessor :id, :issuer, :subject, :scope, :expires_at, :actor,
                   :jwt, :attributes
 
-    # rubocop:disable MethodLength
     def initialize(jwt_or_options = nil)
       options = case jwt_or_options
                 when String
@@ -15,13 +14,12 @@ module Fridge
                 when Hash then jwt_or_options
                 else {}
                 end
-      [:id, :issuer, :subject, :scope, :expires_at].each do |key|
+
+      [:id, :issuer, :subject, :scope, :expires_at, :actor].each do |key|
         send "#{key}=", options.delete(key)
       end
-      self.attributes = options.reject { |_, v| v.nil? }
-      self.attributes = Hash[attributes.map { |k, v| [k.to_sym, v] }]
+      self.attributes = options
     end
-    # rubocop:enable MethodLength
 
     def to_s
       serialize
@@ -29,38 +27,36 @@ module Fridge
 
     def serialize
       return jwt if jwt
+
       validate_parameters!
       validate_private_key!
       encode_and_sign
     end
 
     def encode_and_sign
-      JWT.encode({
-        id: id,
-        iss: issuer,
-        sub: subject,
-        scope: scope,
-        exp: expires_at.to_i
-      }.merge(attributes), private_key, algorithm)
-    rescue
+      h = {}
+      [:id, :issuer, :subject, :scope, :expires_at, :actor].each do |key|
+        h[key] = send(key)
+      end
+      h.merge!(attributes)
+      h = encode_for_jwt(h)
+      JWT.encode(h, private_key, algorithm)
+    rescue StandardError
       raise SerializationError, 'Invalid private key or signing algorithm'
     end
 
-    # rubocop:disable MethodLength
     def decode_and_verify(jwt)
-      hash = JWT.decode(jwt, public_key)
-      base = {
-        id: hash.delete('id'),
-        issuer: hash.delete('iss'),
-        subject: hash.delete('sub'),
-        scope: hash.delete('scope'),
-        expires_at: Time.at(hash.delete('exp'))
-      }
-      base.merge(hash)
-    rescue JWT::DecodeError
-      raise InvalidToken, 'Invalid access token'
+      payload, _header = JWT.decode(jwt, public_key, true, algorithm: algorithm)
+      decode_from_jwt(payload)
+    rescue JWT::ExpiredSignature => e
+      raise ExpiredToken, e.message
+    rescue JWT::DecodeError => e
+      raise InvalidToken, e.message
+    end
+
+    def downgrade
+      self.scope = 'read'
     end
-    # rubocop:enable MethodLength
 
     def valid?
       !expired?
@@ -72,8 +68,9 @@ module Fridge
 
     def private_key
       return unless config.private_key
+
       @private_key ||= OpenSSL::PKey::RSA.new(config.private_key)
-    rescue
+    rescue StandardError
       nil
     end
 
@@ -83,7 +80,7 @@ module Fridge
       elsif config.public_key
         @public_key ||= OpenSSL::PKey::RSA.new(config.public_key)
       end
-    rescue
+    rescue StandardError
       nil
     end
 
@@ -105,19 +102,72 @@ module Fridge
       end
     end
 
+    def respond_to_missing?(method, include_private = false)
+      attributes.key?(method) || super
+    end
+
     def validate_parameters!
       [:subject, :expires_at].each do |attribute|
         next if send(attribute)
-        fail SerializationError, "Missing attribute: #{attribute}"
+
+        raise SerializationError, "Missing attribute: #{attribute}"
       end
     end
 
     def validate_private_key!
-      fail SerializationError, 'No private key configured' unless private_key
+      raise SerializationError, 'No private key configured' unless private_key
     end
 
     def validate_public_key!
-      fail SerializationError, 'No public key configured' unless public_key
+      raise SerializationError, 'No public key configured' unless public_key
+    end
+
+    # Internally, we use "subject" to refer to "sub", and so on. We also
+    # represent some objects (expiry) differently. These functions do the
+    # mapping from Fridge to JWT and vice-versa.
+
+    def encode_for_jwt(hash)
+      hash = hash.dup
+
+      out = {
+        id: hash.delete(:id),
+        iss: hash.delete(:issuer),
+        sub: hash.delete(:subject),
+        scope: hash.delete(:scope)
+      }.delete_if { |_, v| v.nil? }
+
+      # Unfortunately, nil.to_i returns 0, which means we can't
+      # easily clean out exp if we include it although it wasn't passed
+      # in like we do for other keys. So, we only include it if it's
+      # actually passed in and non-nil. Either way, we delete the keys.
+      hash.delete(:expires_at).tap { |e| out[:exp] = e.to_i if e }
+      hash.delete(:actor).tap { |a| out[:act] = encode_for_jwt(a) if a }
+
+      # Extra attributes passed through as-is
+      out.merge!(hash)
+
+      out
+    end
+
+    def decode_from_jwt(hash)
+      hash = hash.dup
+
+      out = {
+        id: hash.delete('id'),
+        issuer: hash.delete('iss'),
+        subject: hash.delete('sub'),
+        scope: hash.delete('scope')
+      }.delete_if { |_, v| v.nil? }
+
+      hash.delete('exp').tap { |e| out[:expires_at] = Time.at(e) if e }
+      hash.delete('act').tap { |a| out[:actor] = decode_from_jwt(a) if a }
+
+      # Extra attributes
+      hash.delete_if { |_, v| v.nil? }
+      hash = Hash[hash.map { |k, v| [k.to_sym, v] }]
+      out.merge!(hash)
+
+      out
     end
   end
 end

data/lib/fridge/expired_token.rb

@@ -0,0 +1,4 @@
+module Fridge
+  class ExpiredToken < InvalidToken
+  end
+end

data/lib/fridge/rails_helpers.rb

@@ -15,8 +15,13 @@ module Fridge
       current_token.subject if current_token
     end
 
+    def token_actor
+      current_token.actor if current_token
+    end
+
     def current_token
       return unless bearer_token
+
       @current_token ||= AccessToken.new(bearer_token).tap do |token|
         validate_token!(token)
       end
@@ -31,12 +36,17 @@ module Fridge
       session_token.subject if session_token
     end
 
+    def session_actor
+      session_token.actor if session_token
+    end
+
     def session_token
       return unless session_cookie
+
       @session_token ||= AccessToken.new(session_cookie).tap do |token|
-        validate_token!(token)
+        validate_token!(token).downgrade
       end
-    rescue
+    rescue StandardError
       clear_session_cookie
     end
 
@@ -44,7 +54,7 @@ module Fridge
     def validate_token(access_token)
       validator = Fridge.configuration.validator
       validator.call(access_token) && access_token
-    rescue
+    rescue StandardError
       false
     end
 
@@ -54,7 +64,7 @@ module Fridge
       if validator.call(access_token)
         access_token
       else
-        fail InvalidToken
+        raise InvalidToken, 'Rejected by validator'
       end
     end
 
@@ -83,7 +93,7 @@ module Fridge
     end
 
     def write_shared_cookie(name, value, options = {})
-      fail 'Can only write string cookie values' unless value.is_a?(String)
+      raise 'Can only write string cookie values' unless value.is_a?(String)
 
       cookies[name] = {
         value: value,
@@ -95,9 +105,10 @@ module Fridge
       cookies[name]
     end
 
-    def fetch_shared_cookie(name, &block)
+    def fetch_shared_cookie(name)
       return read_shared_cookie(name) if read_shared_cookie(name)
-      write_shared_cookie(block.call)
+
+      write_shared_cookie(yield)
     end
 
     def delete_shared_cookie(name)

data/lib/fridge/version.rb

@@ -1,3 +1,3 @@
 module Fridge
-  VERSION = '0.2.4'
+  VERSION = '0.4.2'.freeze
 end

data/spec/fixtures/app.rb

@@ -1,7 +1,3 @@
-require 'active_support/all'
-require 'action_controller'
-require 'action_dispatch'
-
 module Rails
   class App
     def env_config
@@ -10,6 +6,7 @@ module Rails
 
     def routes
       return @routes if defined?(@routes)
+
       @routes = ActionDispatch::Routing::RouteSet.new
       @routes.draw do
         resources :posts
@@ -19,6 +16,6 @@ module Rails
   end
 
   def self.application
-    @app ||= App.new
+    @application ||= App.new
   end
 end

data/spec/fridge/access_token_spec.rb

@@ -1,4 +1,5 @@
 require 'spec_helper'
+require 'json'
 
 describe Fridge::AccessToken do
   describe '#initialize' do
@@ -13,19 +14,39 @@ describe Fridge::AccessToken do
     end
 
     it 'should accept a JWT' do
-      jwt = JWT.encode({ id: 'foobar', exp: 0 }, private_key, 'RS512')
+      jwt = JWT.encode(
+        { id: 'foobar', exp: Time.now.to_i + 10 },
+        private_key, 'RS512'
+      )
       access_token = described_class.new(jwt)
       expect(access_token.id).to eq 'foobar'
     end
 
     it 'should raise an error on an invalid JWT' do
-      expect { described_class.new('foobar') }.to raise_error
+      expect { described_class.new('foobar') }
+        .to raise_error Fridge::InvalidToken
     end
 
     it 'should raise an error on an incorrectly signed JWT' do
       jwt = JWT.encode({ id: 'foobar' }, OpenSSL::PKey::RSA.new(1024), 'RS512')
       expect { described_class.new(jwt) }.to raise_error Fridge::InvalidToken
     end
+
+    it 'should raise an error on an expired JWT' do
+      jwt = JWT.encode(
+        { id: 'foobar', exp: Time.now.to_i - 10 },
+        private_key, 'RS512'
+      )
+      expect { described_class.new(jwt) }.to raise_error(Fridge::ExpiredToken)
+    end
+
+    # http://bit.ly/jwt-none-vulnerability
+    it 'should raise an error with { "alg": "none" }' do
+      jwt = "#{Base64.encode64({ typ: 'JWT', alg: 'none' }.to_json).chomp}." \
+            "#{Base64.encode64({ id: 'foobar' }.to_json).chomp}"
+      expect(JWT.decode(jwt, nil, false)[0]).to eq('id' => 'foobar')
+      expect { described_class.new(jwt) }.to raise_error Fridge::InvalidToken
+    end
   end
 
   describe '#serialize' do
@@ -72,8 +93,8 @@ describe Fridge::AccessToken do
     end
 
     it 'should represent :exp in seconds since the epoch' do
-      hash = JWT.decode(subject.serialize, public_key)
-      expect(hash['exp']).to be_a Fixnum
+      hash, = JWT.decode(subject.serialize, public_key)
+      expect(hash['exp']).to be_a Integer
     end
 
     it 'should be deterministic' do
@@ -93,12 +114,43 @@ describe Fridge::AccessToken do
 
       expect(copy.attributes[:foo]).to eq 'bar'
       expect(copy.foo).to eq 'bar'
+      expect(copy.respond_to?(:foo)).to be_truthy
+      expect(copy.respond_to?(:bar)).to be_falsey
     end
 
     it 'should raise an error if required attributes are missing' do
       subject.subject = nil
       expect { subject.serialize }.to raise_error Fridge::SerializationError
     end
+
+    it 'should encode and decode :actor as :act' do
+      # The `act` field can recursively encode additional
+      # claims, so we check those too.
+      actor = { subject: 'foo', username: 'test', actor: { subject: 'bar' } }
+      subject = described_class.new(options.merge(actor: actor))
+
+      # The JWT lib will return everything as strings, so we'll
+      # test that, although eventually we'll want to see symbols back.
+      actor_s = { 'sub' => 'foo', 'username' => 'test',
+                  'act' => { 'sub' => 'bar' } }
+      hash, = JWT.decode(subject.serialize, public_key)
+      expect(hash['act']).to eq(actor_s)
+
+      # Now, check that we properly get symbols back
+      new = described_class.new(subject.serialize)
+      expect(new.actor).to eq(actor)
+    end
+
+    it 'should be idempotent' do
+      subject = described_class.new(options)
+      expect(subject.serialize).to eq(subject.serialize)
+    end
+
+    it 'should be idempotent with an actor' do
+      actor = { subject: 'foo', username: 'test', actor: { subject: 'bar' } }
+      subject = described_class.new(options.merge(actor: actor))
+      expect(subject.serialize).to eq(subject.serialize)
+    end
   end
 
   describe '#expired?' do
@@ -117,4 +169,10 @@ describe Fridge::AccessToken do
       expect(subject).not_to be_expired
     end
   end
+
+  describe '#downgrade' do
+    it 'sets the token scope to :read' do
+      expect { subject.downgrade }.to change(subject, :scope).to('read')
+    end
+  end
 end

data/spec/fridge/rails_helpers_spec.rb

@@ -1,204 +1,218 @@
 require 'spec_helper'
 require 'fixtures/app'
-require 'fixtures/controller'
-require 'rspec/rails'
 
-# http://say26.com/rspec-testing-controllers-outside-of-a-rails-application
-describe Controller, type: :controller do
-  context Fridge::RailsHelpers do
-    let(:organization_url) do
-      "https://auth.aptible.com/users/#{SecureRandom.uuid}"
+describe Fridge::RailsHelpers do
+  include RSpec::Rails::ControllerExampleGroup
+
+  controller(ActionController::Base) { include Fridge::RailsHelpers }
+
+  let(:organization_url) do
+    "https://auth.aptible.com/users/#{SecureRandom.uuid}"
+  end
+  let(:private_key) { OpenSSL::PKey::RSA.new(1024) }
+  let(:public_key) { OpenSSL::PKey::RSA.new(private_key.public_key) }
+
+  let(:options) do
+    {
+      subject: "https://auth.aptible.com/users/#{SecureRandom.uuid}",
+      expires_at: Time.now + 3600
+    }
+  end
+  let(:access_token) { Fridge::AccessToken.new(options) }
+
+  let(:cookies) { controller.send(:cookies) }
+
+  before { Fridge.configuration.private_key = private_key.to_s }
+  before { Fridge.configuration.public_key = public_key.to_s }
+
+  describe '#bearer_token' do
+    it 'returns the bearer token from the Authorization: header' do
+      request.env['HTTP_AUTHORIZATION'] = 'Bearer foobar'
+      expect(controller.bearer_token).to eq 'foobar'
     end
-    let(:private_key) { OpenSSL::PKey::RSA.new(1024) }
-    let(:public_key) { OpenSSL::PKey::RSA.new(private_key.public_key) }
 
-    let(:options) do
-      {
-        subject: "https://auth.aptible.com/users/#{SecureRandom.uuid}",
-        expires_at: Time.now + 3600
-      }
+    it 'returns nil in the absence of an Authorization: header' do
+      request.env['HTTP_AUTHORIZATION'] = nil
+      expect(controller.bearer_token).to be_nil
     end
-    let(:access_token) { Fridge::AccessToken.new(options) }
+  end
 
-    let(:cookies) { controller.send(:cookies) }
+  describe '#token_subject' do
+    it 'returns the subject encoded in the token' do
+      controller.stub(:current_token) { access_token }
+      expect(controller.token_subject).to eq access_token.subject
+    end
 
-    before { Fridge.configuration.private_key = private_key.to_s }
-    before { Fridge.configuration.public_key = public_key.to_s }
+    it 'returns nil if no token is present' do
+      controller.stub(:current_token) { nil }
+      expect(controller.token_subject).to be_nil
+    end
+  end
 
-    describe '#bearer_token' do
-      it 'returns the bearer token from the Authorization: header' do
-        request.env['HTTP_AUTHORIZATION'] = 'Bearer foobar'
-        expect(controller.bearer_token).to eq 'foobar'
-      end
+  describe '#token_scope' do
+    it 'returns the scope encoded in the token' do
+      controller.stub(:current_token) { access_token }
+      expect(controller.token_scope).to eq access_token.scope
+    end
 
-      it 'returns nil in the absence of an Authorization: header' do
-        request.env['HTTP_AUTHORIZATION'] = nil
-        expect(controller.bearer_token).to be_nil
-      end
+    it 'returns nil if no token is present' do
+      controller.stub(:current_token) { nil }
+      expect(controller.token_scope).to be_nil
     end
+  end
 
-    describe '#token_subject' do
-      it 'returns the subject encoded in the token' do
-        controller.stub(:current_token) { access_token }
-        expect(controller.token_subject).to eq access_token.subject
-      end
+  describe '#current_token' do
+    before { controller.stub(:bearer_token) { access_token.serialize } }
 
-      it 'returns nil if no token is present' do
-        controller.stub(:current_token) { nil }
-        expect(controller.token_subject).to be_nil
-      end
+    it 'should raise an error if the token is not a valid JWT' do
+      controller.stub(:bearer_token) { 'foobar' }
+      expect { controller.current_token }.to raise_error Fridge::InvalidToken
     end
 
-    describe '#token_scope' do
-      it 'returns the scope encoded in the token' do
-        controller.stub(:current_token) { access_token }
-        expect(controller.token_scope).to eq access_token.scope
-      end
-
-      it 'returns nil if no token is present' do
-        controller.stub(:current_token) { nil }
-        expect(controller.token_scope).to be_nil
-      end
+    it 'should raise an error if the token has expired' do
+      access_token.expires_at = Time.now - 3600
+      expect { controller.current_token }.to raise_error Fridge::InvalidToken
     end
 
-    describe '#current_token' do
-      before { controller.stub(:bearer_token) { access_token.serialize } }
+    it 'should raise an error if custom validation fails' do
+      Fridge.configuration.validator = ->(_) { false }
+      expect { controller.current_token }.to raise_error Fridge::InvalidToken
+    end
 
-      it 'should raise an error if the token is not a valid JWT' do
-        controller.stub(:bearer_token) { 'foobar' }
-        expect { controller.current_token }.to raise_error Fridge::InvalidToken
-      end
+    it 'should not raise an error if a valid token is passed' do
+      expect { controller.current_token }.not_to raise_error
+    end
 
-      it 'should raise an error if the token has expired' do
-        access_token.expires_at = Time.now - 3600
-        expect { controller.current_token }.to raise_error Fridge::InvalidToken
-      end
+    it 'should return the token if a valid token is passed' do
+      expect(controller.current_token.id).to eq access_token.id
+    end
+  end
 
-      it 'should raise an error if custom validation fails' do
-        Fridge.configuration.validator = ->(_) { false }
-        expect { controller.current_token }.to raise_error Fridge::InvalidToken
-      end
+  describe '#session_subject' do
+    it 'returns the subject encoded in the session' do
+      controller.stub(:session_token) { access_token }
+      expect(controller.session_subject).to eq access_token.subject
+    end
 
-      it 'should not raise an error if a valid token is passed' do
-        expect { controller.current_token }.not_to raise_error
-      end
+    it 'returns nil if no session is present' do
+      controller.stub(:session_token) { nil }
+      expect(controller.session_subject).to be_nil
+    end
+  end
 
-      it 'should return the token if a valid token is passed' do
-        expect(controller.current_token.id).to eq access_token.id
-      end
+  describe '#session_token' do
+    it 'should delete all cookies on error' do
+      cookies[:fridge_session] = 'foobar'
+      controller.session_token
+      expect(cookies.deleted?(:fridge_session, domain: :all)).to be true
     end
 
-    describe '#session_subject' do
-      it 'returns the subject encoded in the session' do
-        controller.stub(:session_token) { access_token }
-        expect(controller.session_subject).to eq access_token.subject
-      end
+    it 'should return nil on error' do
+      cookies[:fridge_session] = 'foobar'
+      expect(controller.session_token).to be_nil
+    end
 
-      it 'returns nil if no session is present' do
-        controller.stub(:session_token) { nil }
-        expect(controller.session_subject).to be_nil
-      end
+    it 'should return the token stored in :fridge_session' do
+      cookies[:fridge_session] = access_token.serialize
+      expect(controller.session_token.id).to eq access_token.id
     end
 
-    describe '#session_token' do
-      it 'should delete all cookies on error' do
-        cookies[:fridge_session] = 'foobar'
-        controller.session_token
-        expect(cookies.deleted?(:fridge_session, domain: :all)).to be_true
-      end
+    context 'with a non-:read scope' do
+      before { options.merge!(scope: 'manage') }
 
-      it 'should return nil on error' do
-        cookies[:fridge_session] = 'foobar'
-        expect(controller.session_token).to be_nil
+      it 'should downgrade the token' do
+        cookies[:fridge_session] = access_token.serialize
+        expect(controller.session_token.scope).to eq 'read'
       end
 
-      it 'should return the token stored in :fridge_session' do
+      it 'should not change the validity of a token' do
         cookies[:fridge_session] = access_token.serialize
-        expect(controller.session_token.id).to eq access_token.id
+        expect(controller.session_token).to be_valid
       end
     end
+  end
 
-    describe '#validate_token' do
-      it 'should return false if the token is invalid' do
-        Fridge.configuration.validator = ->(_) { false }
-        expect(controller.validate_token(access_token)).to be_false
-      end
+  describe '#validate_token' do
+    it 'should return false if the token is invalid' do
+      Fridge.configuration.validator = ->(_) { false }
+      expect(controller.validate_token(access_token)).to be false
+    end
 
-      it 'should return false if the token validator fails' do
-        Fridge.configuration.validator = ->(_) { fail 'Foobar' }
-        expect(controller.validate_token(access_token)).to be_false
-      end
+    it 'should return false if the token validator fails' do
+      Fridge.configuration.validator = ->(_) { raise 'Foobar' }
+      expect(controller.validate_token(access_token)).to be false
+    end
 
-      it 'should return the token if valid' do
-        Fridge.configuration.validator = ->(_) { true }
-        expect(controller.validate_token(access_token)).to eq access_token
-      end
+    it 'should return the token if valid' do
+      Fridge.configuration.validator = ->(_) { true }
+      expect(controller.validate_token(access_token)).to eq access_token
     end
+  end
 
-    describe '#validate_token' do
-      it 'should raise an exception if the token is invalid' do
-        Fridge.configuration.validator = ->(_) { false }
-        expect { controller.validate_token!(access_token) }.to raise_error
-      end
+  describe '#validate_token' do
+    it 'should raise an exception if the token is invalid' do
+      Fridge.configuration.validator = ->(_) { false }
+      expect { controller.validate_token!(access_token) }
+        .to raise_error Fridge::InvalidToken
+    end
 
-      it 'should return the token if valid' do
-        Fridge.configuration.validator = ->(_) { true }
-        expect(controller.validate_token!(access_token)).to eq access_token
-      end
+    it 'should return the token if valid' do
+      Fridge.configuration.validator = ->(_) { true }
+      expect(controller.validate_token!(access_token)).to eq access_token
     end
+  end
 
-    describe '#sessionize_token' do
-      it 'should set a session cookie' do
-        Rails.stub_chain(:env, :development?) { false }
-        controller.sessionize_token(access_token)
-        expect(cookies[:fridge_session]).to eq access_token.serialize
-      end
+  describe '#sessionize_token' do
+    it 'should set a session cookie' do
+      Rails.stub_chain(:env, :development?) { false }
+      controller.sessionize_token(access_token)
+      expect(cookies[:fridge_session]).to eq access_token.serialize
     end
+  end
 
-    describe '#fridge_cookie_name' do
-      it 'is configurable' do
-        Fridge.configuration.cookie_name = 'foobar'
-        expect(controller.fridge_cookie_name).to eq 'foobar'
-      end
+  describe '#fridge_cookie_name' do
+    it 'is configurable' do
+      Fridge.configuration.cookie_name = 'foobar'
+      expect(controller.fridge_cookie_name).to eq 'foobar'
     end
+  end
 
-    describe '#write_shared_cookie' do
-      before { Rails.stub_chain(:env, :development?) { false } }
+  describe '#write_shared_cookie' do
+    before { Rails.stub_chain(:env, :development?) { false } }
 
-      it 'should save cookie' do
-        controller.write_shared_cookie(:organization_url, organization_url)
-        expect(cookies[:organization_url]).to eq organization_url
-      end
+    it 'should save cookie' do
+      controller.write_shared_cookie(:organization_url, organization_url)
+      expect(cookies[:organization_url]).to eq organization_url
     end
+  end
 
-    describe '#read_shared_cookie' do
-      it 'should read cookie' do
-        cookies[:organization_url] = { value: organization_url }
-        expect(controller.read_shared_cookie(:organization_url)).to(
-          eq organization_url
-        )
-      end
+  describe '#read_shared_cookie' do
+    it 'should read cookie' do
+      cookies[:organization_url] = { value: organization_url }
+      expect(controller.read_shared_cookie(:organization_url)).to(
+        eq organization_url
+      )
     end
+  end
 
-    describe '#delete_shared_cookie' do
-      before { Rails.stub_chain(:env, :development?) { false } }
+  describe '#delete_shared_cookie' do
+    before { Rails.stub_chain(:env, :development?) { false } }
 
-      it 'should delete cookie' do
-        controller.write_shared_cookie(:organization_url, organization_url)
-        controller.delete_shared_cookie(:organization_url)
-        expect(cookies[:organization_url]).to be_nil
-      end
+    it 'should delete cookie' do
+      controller.write_shared_cookie(:organization_url, organization_url)
+      controller.delete_shared_cookie(:organization_url)
+      expect(cookies[:organization_url]).to be_nil
     end
+  end
 
-    describe '#fridge_cookie_options' do
-      before { Rails.stub_chain(:env, :development?) { false } }
+  describe '#fridge_cookie_options' do
+    before { Rails.stub_chain(:env, :development?) { false } }
 
-      it 'are configurable' do
-        Fridge.configuration.cookie_options = { foobar: true }
-        options = controller.fridge_cookie_options
-        expect(options[:domain]).to eq :all
-        expect(options[:foobar]).to eq true
-      end
+    it 'are configurable' do
+      Fridge.configuration.cookie_options = { foobar: true }
+      options = controller.fridge_cookie_options
+      expect(options[:domain]).to eq :all
+      expect(options[:foobar]).to eq true
     end
   end
 end

data/spec/spec_helper.rb

@@ -1,14 +1,22 @@
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 
+require 'active_support/all'
+require 'action_controller'
+require 'action_dispatch'
+require 'action_view'
+
+require 'fridge'
+require 'fridge/rails_helpers'
+
+require 'rspec'
+require 'rspec/rails'
+
 # Load shared spec files
 Dir["#{File.dirname(__FILE__)}/shared/**/*.rb"].each do |file|
   require file
 end
 
-# Require library up front
-require 'fridge'
-
 RSpec.configure do |config|
   config.before { Fridge.configuration.reset }
 end

metadata

@@ -1,139 +1,139 @@
 --- !ruby/object:Gem::Specification
 name: fridge
 version: !ruby/object:Gem::Version
-  version: 0.2.4
+  version: 0.4.2
 platform: ruby
 authors:
 - Frank Macreery
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2014-09-30 00:00:00.000000000 Z
+date: 2020-07-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gem_config
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.13
+        version: 1.5.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.13
+        version: 1.5.6
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: aptible-tasks
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '1.5'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: aptible-tasks
+  name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.5'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.5'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: rspec-rails
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
-  name: pry
+  name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: Token validation for distributed resource servers
@@ -143,9 +143,10 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
-- .travis.yml
+- ".github/CODEOWNERS"
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
 - Gemfile
 - LICENSE.md
 - README.md
@@ -153,13 +154,13 @@ files:
 - fridge.gemspec
 - lib/fridge.rb
 - lib/fridge/access_token.rb
+- lib/fridge/expired_token.rb
 - lib/fridge/invalid_token.rb
 - lib/fridge/rails_helpers.rb
 - lib/fridge/railtie.rb
 - lib/fridge/serialization_error.rb
 - lib/fridge/version.rb
 - spec/fixtures/app.rb
-- spec/fixtures/controller.rb
 - spec/fridge/access_token_spec.rb
 - spec/fridge/rails_helpers_spec.rb
 - spec/spec_helper.rb
@@ -167,29 +168,27 @@ homepage: https://github.com/aptible/fridge
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.2.2
-signing_key: 
+rubygems_version: 3.0.3
+signing_key:
 specification_version: 4
 summary: Token validation for distributed resource servers
 test_files:
 - spec/fixtures/app.rb
-- spec/fixtures/controller.rb
 - spec/fridge/access_token_spec.rb
 - spec/fridge/rails_helpers_spec.rb
 - spec/spec_helper.rb

data/spec/fixtures/controller.rb

@@ -1,5 +0,0 @@
-require 'fridge/rails_helpers'
-
-class Controller < ActionController::Base
-  include Fridge::RailsHelpers
-end