fridge 0.3.1 → 0.4.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 28164c99b4a71e24796559da6b1fc0663d0f42c9
-  data.tar.gz: db5603732b2c608dd063cdf0b3c8e6cf33f8ead6
+SHA256:
+  metadata.gz: f2d340550f97b33c430967cef5b8de4a59b73acfdd5a1ce62ad3ee7d17a6f8c9
+  data.tar.gz: 06a758734a6b6e668043c3bffe2cf350495325dfdab4f73948e2788f97d5c89d
 SHA512:
-  metadata.gz: 44f92c7854c7d359fe5cf9596b165c9ff93815f9f1d0040782f2b230de38a47ea314aed24bc48ed531d4fffb880dacd0cbaa85c83261f8739f0b17b5727245e4
-  data.tar.gz: 2fbf80cfddbade814f62fb21e9492f393d155a5df6e55e49ebf310ee5a4c5218382277d473c518f1b93b7978e592a7edaeac213fc7f0e5d57db3aa48309451c1
+  metadata.gz: d8b53167a69aaf39d60b4abbe6ad347968efddc1b2333dc12136b730600d65ab0c72fc8c7416d190b33fc55ce3571d8b98cbf1322c7a0eddd46c46517114cc0c
+  data.tar.gz: 0632f0de72e4654663256000e201568745697a05170e49191d31598a9a5bd2f6158871379253bee1302d3b10ebf76c5a6b84d2baae803cf8fd935bb4324a47b3

data/.github/CODEOWNERS

@@ -0,0 +1 @@
+*   @dawenster

data/.travis.yml

@@ -1,4 +1,5 @@
 sudo: false
 rvm:
-  - 2.0.0
-  - jruby
+  - 2.2
+  - 2.5
+  - 2.6

data/Gemfile

@@ -1,4 +1,7 @@
 source 'https://rubygems.org'
 
+gem 'activesupport', '~> 4.0'
+gem 'nokogiri', '~> 1.9.1'
+
 # Specify your gem's dependencies in fridge.gemspec
 gemspec

data/README.md

@@ -80,6 +80,4 @@ store_session_cookie(access_token)
 
 MIT License, see [LICENSE](LICENSE.md) for details.
 
-Copyright (c) 2014 [Aptible](https://www.aptible.com) and contributors.
-
-[<img src="https://s.gravatar.com/avatar/f7790b867ae619ae0496460aa28c5861?s=60" style="border-radius: 50%;" alt="@fancyremarker" />](https://github.com/fancyremarker)
+Copyright (c) 2019 [Aptible](https://www.aptible.com) and contributors.

data/fridge.gemspec

@@ -1,4 +1,5 @@
 # encoding: utf-8
+
 lib = File.expand_path('../lib', __FILE__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
@@ -20,13 +21,13 @@ Gem::Specification.new do |spec|
   spec.require_paths = ['lib']
 
   spec.add_dependency 'gem_config'
-  spec.add_dependency 'jwt', '~> 0.1.13'
+  spec.add_dependency 'jwt', '~> 1.5.6'
 
-  spec.add_development_dependency 'bundler', '~> 1.5'
   spec.add_development_dependency 'aptible-tasks'
-  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'bundler', '~> 1.5'
+  spec.add_development_dependency 'pry'
   spec.add_development_dependency 'rails'
-  spec.add_development_dependency 'rspec', '~> 2.0'
+  spec.add_development_dependency 'rake'
+  spec.add_development_dependency 'rspec', '~> 3.0'
   spec.add_development_dependency 'rspec-rails'
-  spec.add_development_dependency 'pry'
 end

data/lib/fridge.rb

@@ -4,6 +4,7 @@ require 'fridge/version'
 require 'fridge/access_token'
 require 'fridge/serialization_error'
 require 'fridge/invalid_token'
+require 'fridge/expired_token'
 
 require 'fridge/railtie' if defined?(Rails)
 
@@ -14,7 +15,9 @@ module Fridge
     has :private_key, classes: [String]
     has :public_key, classes: [String]
 
-    has :signing_algorithm, values: %w(RS512 RS256), default: 'RS512'
+    # rubocop:disable Style/PercentLiteralDelimiters
+    has :signing_algorithm, values: %w[RS512 RS256], default: 'RS512'
+    # rubocop:enable Style/PercentLiteralDelimiters
 
     # A validator must raise an exception or return a false value for an
     # invalid token

data/lib/fridge/access_token.rb

@@ -5,7 +5,6 @@ module Fridge
     attr_accessor :id, :issuer, :subject, :scope, :expires_at, :actor,
                   :jwt, :attributes
 
-    # rubocop:disable MethodLength
     def initialize(jwt_or_options = nil)
       options = case jwt_or_options
                 when String
@@ -21,7 +20,6 @@ module Fridge
       end
       self.attributes = options
     end
-    # rubocop:enable MethodLength
 
     def to_s
       serialize
@@ -29,6 +27,7 @@ module Fridge
 
     def serialize
       return jwt if jwt
+
       validate_parameters!
       validate_private_key!
       encode_and_sign
@@ -42,18 +41,18 @@ module Fridge
       h.merge!(attributes)
       h = encode_for_jwt(h)
       JWT.encode(h, private_key, algorithm)
-    rescue
+    rescue StandardError
       raise SerializationError, 'Invalid private key or signing algorithm'
     end
 
-    # rubocop:disable MethodLength
     def decode_and_verify(jwt)
-      hash = JWT.decode(jwt, public_key)
-      decode_from_jwt(hash)
-    rescue JWT::DecodeError
-      raise InvalidToken, 'Invalid access token'
+      payload, _header = JWT.decode(jwt, public_key, true, algorithm: algorithm)
+      decode_from_jwt(payload)
+    rescue JWT::ExpiredSignature => e
+      raise ExpiredToken, e.message
+    rescue JWT::DecodeError => e
+      raise InvalidToken, e.message
     end
-    # rubocop:enable MethodLength
 
     def downgrade
       self.scope = 'read'
@@ -69,8 +68,9 @@ module Fridge
 
     def private_key
       return unless config.private_key
+
       @private_key ||= OpenSSL::PKey::RSA.new(config.private_key)
-    rescue
+    rescue StandardError
       nil
     end
 
@@ -80,7 +80,7 @@ module Fridge
       elsif config.public_key
         @public_key ||= OpenSSL::PKey::RSA.new(config.public_key)
       end
-    rescue
+    rescue StandardError
       nil
     end
 
@@ -102,19 +102,24 @@ module Fridge
       end
     end
 
+    def respond_to_missing?(method, include_private = false)
+      attributes.key?(method) || super
+    end
+
     def validate_parameters!
       [:subject, :expires_at].each do |attribute|
         next if send(attribute)
-        fail SerializationError, "Missing attribute: #{attribute}"
+
+        raise SerializationError, "Missing attribute: #{attribute}"
       end
     end
 
     def validate_private_key!
-      fail SerializationError, 'No private key configured' unless private_key
+      raise SerializationError, 'No private key configured' unless private_key
     end
 
     def validate_public_key!
-      fail SerializationError, 'No public key configured' unless public_key
+      raise SerializationError, 'No public key configured' unless public_key
     end
 
     # Internally, we use "subject" to refer to "sub", and so on. We also
@@ -122,6 +127,8 @@ module Fridge
     # mapping from Fridge to JWT and vice-versa.
 
     def encode_for_jwt(hash)
+      hash = hash.dup
+
       out = {
         id: hash.delete(:id),
         iss: hash.delete(:issuer),
@@ -143,6 +150,8 @@ module Fridge
     end
 
     def decode_from_jwt(hash)
+      hash = hash.dup
+
       out = {
         id: hash.delete('id'),
         issuer: hash.delete('iss'),

data/lib/fridge/expired_token.rb

@@ -0,0 +1,4 @@
+module Fridge
+  class ExpiredToken < InvalidToken
+  end
+end

data/lib/fridge/rails_helpers.rb

@@ -21,6 +21,7 @@ module Fridge
 
     def current_token
       return unless bearer_token
+
       @current_token ||= AccessToken.new(bearer_token).tap do |token|
         validate_token!(token)
       end
@@ -41,10 +42,11 @@ module Fridge
 
     def session_token
       return unless session_cookie
+
       @session_token ||= AccessToken.new(session_cookie).tap do |token|
         validate_token!(token).downgrade
       end
-    rescue
+    rescue StandardError
       clear_session_cookie
     end
 
@@ -52,7 +54,7 @@ module Fridge
     def validate_token(access_token)
       validator = Fridge.configuration.validator
       validator.call(access_token) && access_token
-    rescue
+    rescue StandardError
       false
     end
 
@@ -62,7 +64,7 @@ module Fridge
       if validator.call(access_token)
         access_token
       else
-        fail InvalidToken
+        raise InvalidToken, 'Rejected by validator'
       end
     end
 
@@ -86,12 +88,12 @@ module Fridge
     end
 
     def clear_session_cookie
-      cookies.delete fridge_cookie_name, domain: :all
+      cookies.delete fridge_cookie_name, domain: auth_domain
       nil
     end
 
     def write_shared_cookie(name, value, options = {})
-      fail 'Can only write string cookie values' unless value.is_a?(String)
+      raise 'Can only write string cookie values' unless value.is_a?(String)
 
       cookies[name] = {
         value: value,
@@ -103,9 +105,10 @@ module Fridge
       cookies[name]
     end
 
-    def fetch_shared_cookie(name, &block)
+    def fetch_shared_cookie(name)
       return read_shared_cookie(name) if read_shared_cookie(name)
-      write_shared_cookie(block.call)
+
+      write_shared_cookie(yield)
     end
 
     def delete_shared_cookie(name)
@@ -118,8 +121,18 @@ module Fridge
 
     def fridge_cookie_options
       secure = !Rails.env.development?
-      options = { domain: :all, secure: secure, httponly: true }
+      options = { domain: auth_domain, secure: secure, httponly: true }
       options.merge(Fridge.configuration.cookie_options)
     end
+
+    def auth_domain
+      domain = URI.parse(Aptible::Auth.configuration.root_url).host
+
+      # On localhost we fall back to the default setting b/c browsers won't set
+      # cookies if localhost is named
+      domain == 'localhost' ? :all : domain
+    rescue StandardError
+      'auth.aptible.com'
+    end
   end
 end

data/lib/fridge/version.rb

@@ -1,3 +1,3 @@
 module Fridge
-  VERSION = '0.3.1'
+  VERSION = '0.4.4'.freeze
 end

data/spec/fixtures/app.rb

@@ -1,7 +1,3 @@
-require 'active_support/all'
-require 'action_controller'
-require 'action_dispatch'
-
 module Rails
   class App
     def env_config
@@ -10,6 +6,7 @@ module Rails
 
     def routes
       return @routes if defined?(@routes)
+
       @routes = ActionDispatch::Routing::RouteSet.new
       @routes.draw do
         resources :posts
@@ -19,6 +16,6 @@ module Rails
   end
 
   def self.application
-    @app ||= App.new
+    @application ||= App.new
   end
 end

data/spec/fridge/access_token_spec.rb

@@ -14,13 +14,17 @@ describe Fridge::AccessToken do
     end
 
     it 'should accept a JWT' do
-      jwt = JWT.encode({ id: 'foobar', exp: 0 }, private_key, 'RS512')
+      jwt = JWT.encode(
+        { id: 'foobar', exp: Time.now.to_i + 10 },
+        private_key, 'RS512'
+      )
       access_token = described_class.new(jwt)
       expect(access_token.id).to eq 'foobar'
     end
 
     it 'should raise an error on an invalid JWT' do
-      expect { described_class.new('foobar') }.to raise_error
+      expect { described_class.new('foobar') }
+        .to raise_error Fridge::InvalidToken
     end
 
     it 'should raise an error on an incorrectly signed JWT' do
@@ -28,11 +32,19 @@ describe Fridge::AccessToken do
       expect { described_class.new(jwt) }.to raise_error Fridge::InvalidToken
     end
 
+    it 'should raise an error on an expired JWT' do
+      jwt = JWT.encode(
+        { id: 'foobar', exp: Time.now.to_i - 10 },
+        private_key, 'RS512'
+      )
+      expect { described_class.new(jwt) }.to raise_error(Fridge::ExpiredToken)
+    end
+
     # http://bit.ly/jwt-none-vulnerability
     it 'should raise an error with { "alg": "none" }' do
       jwt = "#{Base64.encode64({ typ: 'JWT', alg: 'none' }.to_json).chomp}." \
             "#{Base64.encode64({ id: 'foobar' }.to_json).chomp}"
-      expect(JWT.decode(jwt, nil, false)).to eq('id' => 'foobar')
+      expect(JWT.decode(jwt, nil, false)[0]).to eq('id' => 'foobar')
       expect { described_class.new(jwt) }.to raise_error Fridge::InvalidToken
     end
   end
@@ -81,8 +93,8 @@ describe Fridge::AccessToken do
     end
 
     it 'should represent :exp in seconds since the epoch' do
-      hash = JWT.decode(subject.serialize, public_key)
-      expect(hash['exp']).to be_a Fixnum
+      hash, = JWT.decode(subject.serialize, public_key)
+      expect(hash['exp']).to be_a Integer
     end
 
     it 'should be deterministic' do
@@ -102,6 +114,8 @@ describe Fridge::AccessToken do
 
       expect(copy.attributes[:foo]).to eq 'bar'
       expect(copy.foo).to eq 'bar'
+      expect(copy.respond_to?(:foo)).to be_truthy
+      expect(copy.respond_to?(:bar)).to be_falsey
     end
 
     it 'should raise an error if required attributes are missing' do
@@ -119,13 +133,24 @@ describe Fridge::AccessToken do
       # test that, although eventually we'll want to see symbols back.
       actor_s = { 'sub' => 'foo', 'username' => 'test',
                   'act' => { 'sub' => 'bar' } }
-      hash = JWT.decode(subject.serialize, public_key)
+      hash, = JWT.decode(subject.serialize, public_key)
       expect(hash['act']).to eq(actor_s)
 
       # Now, check that we properly get symbols back
       new = described_class.new(subject.serialize)
       expect(new.actor).to eq(actor)
     end
+
+    it 'should be idempotent' do
+      subject = described_class.new(options)
+      expect(subject.serialize).to eq(subject.serialize)
+    end
+
+    it 'should be idempotent with an actor' do
+      actor = { subject: 'foo', username: 'test', actor: { subject: 'bar' } }
+      subject = described_class.new(options.merge(actor: actor))
+      expect(subject.serialize).to eq(subject.serialize)
+    end
   end
 
   describe '#expired?' do

data/spec/fridge/rails_helpers_spec.rb

@@ -1,218 +1,239 @@
 require 'spec_helper'
 require 'fixtures/app'
-require 'fixtures/controller'
-require 'rspec/rails'
 
-# http://say26.com/rspec-testing-controllers-outside-of-a-rails-application
-describe Controller, type: :controller do
-  context Fridge::RailsHelpers do
-    let(:organization_url) do
-      "https://auth.aptible.com/users/#{SecureRandom.uuid}"
+describe Fridge::RailsHelpers do
+  include RSpec::Rails::ControllerExampleGroup
+
+  controller(ActionController::Base) { include Fridge::RailsHelpers }
+
+  let(:organization_url) do
+    "https://auth.aptible.com/users/#{SecureRandom.uuid}"
+  end
+  let(:private_key) { OpenSSL::PKey::RSA.new(1024) }
+  let(:public_key) { OpenSSL::PKey::RSA.new(private_key.public_key) }
+
+  let(:options) do
+    {
+      subject: "https://auth.aptible.com/users/#{SecureRandom.uuid}",
+      expires_at: Time.now + 3600
+    }
+  end
+  let(:access_token) { Fridge::AccessToken.new(options) }
+
+  let(:cookies) { controller.send(:cookies) }
+
+  before { Fridge.configuration.private_key = private_key.to_s }
+  before { Fridge.configuration.public_key = public_key.to_s }
+
+  describe '#bearer_token' do
+    it 'returns the bearer token from the Authorization: header' do
+      request.env['HTTP_AUTHORIZATION'] = 'Bearer foobar'
+      expect(controller.bearer_token).to eq 'foobar'
     end
-    let(:private_key) { OpenSSL::PKey::RSA.new(1024) }
-    let(:public_key) { OpenSSL::PKey::RSA.new(private_key.public_key) }
 
-    let(:options) do
-      {
-        subject: "https://auth.aptible.com/users/#{SecureRandom.uuid}",
-        expires_at: Time.now + 3600
-      }
+    it 'returns nil in the absence of an Authorization: header' do
+      request.env['HTTP_AUTHORIZATION'] = nil
+      expect(controller.bearer_token).to be_nil
     end
-    let(:access_token) { Fridge::AccessToken.new(options) }
+  end
 
-    let(:cookies) { controller.send(:cookies) }
+  describe '#token_subject' do
+    it 'returns the subject encoded in the token' do
+      controller.stub(:current_token) { access_token }
+      expect(controller.token_subject).to eq access_token.subject
+    end
 
-    before { Fridge.configuration.private_key = private_key.to_s }
-    before { Fridge.configuration.public_key = public_key.to_s }
+    it 'returns nil if no token is present' do
+      controller.stub(:current_token) { nil }
+      expect(controller.token_subject).to be_nil
+    end
+  end
 
-    describe '#bearer_token' do
-      it 'returns the bearer token from the Authorization: header' do
-        request.env['HTTP_AUTHORIZATION'] = 'Bearer foobar'
-        expect(controller.bearer_token).to eq 'foobar'
-      end
+  describe '#token_scope' do
+    it 'returns the scope encoded in the token' do
+      controller.stub(:current_token) { access_token }
+      expect(controller.token_scope).to eq access_token.scope
+    end
 
-      it 'returns nil in the absence of an Authorization: header' do
-        request.env['HTTP_AUTHORIZATION'] = nil
-        expect(controller.bearer_token).to be_nil
-      end
+    it 'returns nil if no token is present' do
+      controller.stub(:current_token) { nil }
+      expect(controller.token_scope).to be_nil
     end
+  end
 
-    describe '#token_subject' do
-      it 'returns the subject encoded in the token' do
-        controller.stub(:current_token) { access_token }
-        expect(controller.token_subject).to eq access_token.subject
-      end
+  describe '#current_token' do
+    before { controller.stub(:bearer_token) { access_token.serialize } }
 
-      it 'returns nil if no token is present' do
-        controller.stub(:current_token) { nil }
-        expect(controller.token_subject).to be_nil
-      end
+    it 'should raise an error if the token is not a valid JWT' do
+      controller.stub(:bearer_token) { 'foobar' }
+      expect { controller.current_token }.to raise_error Fridge::InvalidToken
     end
 
-    describe '#token_scope' do
-      it 'returns the scope encoded in the token' do
-        controller.stub(:current_token) { access_token }
-        expect(controller.token_scope).to eq access_token.scope
-      end
-
-      it 'returns nil if no token is present' do
-        controller.stub(:current_token) { nil }
-        expect(controller.token_scope).to be_nil
-      end
+    it 'should raise an error if the token has expired' do
+      access_token.expires_at = Time.now - 3600
+      expect { controller.current_token }.to raise_error Fridge::InvalidToken
     end
 
-    describe '#current_token' do
-      before { controller.stub(:bearer_token) { access_token.serialize } }
+    it 'should raise an error if custom validation fails' do
+      Fridge.configuration.validator = ->(_) { false }
+      expect { controller.current_token }.to raise_error Fridge::InvalidToken
+    end
 
-      it 'should raise an error if the token is not a valid JWT' do
-        controller.stub(:bearer_token) { 'foobar' }
-        expect { controller.current_token }.to raise_error Fridge::InvalidToken
-      end
+    it 'should not raise an error if a valid token is passed' do
+      expect { controller.current_token }.not_to raise_error
+    end
 
-      it 'should raise an error if the token has expired' do
-        access_token.expires_at = Time.now - 3600
-        expect { controller.current_token }.to raise_error Fridge::InvalidToken
-      end
+    it 'should return the token if a valid token is passed' do
+      expect(controller.current_token.id).to eq access_token.id
+    end
+  end
 
-      it 'should raise an error if custom validation fails' do
-        Fridge.configuration.validator = ->(_) { false }
-        expect { controller.current_token }.to raise_error Fridge::InvalidToken
-      end
+  describe '#session_subject' do
+    it 'returns the subject encoded in the session' do
+      controller.stub(:session_token) { access_token }
+      expect(controller.session_subject).to eq access_token.subject
+    end
 
-      it 'should not raise an error if a valid token is passed' do
-        expect { controller.current_token }.not_to raise_error
-      end
+    it 'returns nil if no session is present' do
+      controller.stub(:session_token) { nil }
+      expect(controller.session_subject).to be_nil
+    end
+  end
 
-      it 'should return the token if a valid token is passed' do
-        expect(controller.current_token.id).to eq access_token.id
-      end
+  describe '#session_token' do
+    it 'should delete all cookies on error' do
+      cookies[:fridge_session] = 'foobar'
+      controller.session_token
+      expect(cookies.deleted?(:fridge_session, domain: 'auth.aptible.com'))
+        .to be true
     end
 
-    describe '#session_subject' do
-      it 'returns the subject encoded in the session' do
-        controller.stub(:session_token) { access_token }
-        expect(controller.session_subject).to eq access_token.subject
-      end
+    it 'should return nil on error' do
+      cookies[:fridge_session] = 'foobar'
+      expect(controller.session_token).to be_nil
+    end
 
-      it 'returns nil if no session is present' do
-        controller.stub(:session_token) { nil }
-        expect(controller.session_subject).to be_nil
-      end
+    it 'should return the token stored in :fridge_session' do
+      cookies[:fridge_session] = access_token.serialize
+      expect(controller.session_token.id).to eq access_token.id
     end
 
-    describe '#session_token' do
-      it 'should delete all cookies on error' do
-        cookies[:fridge_session] = 'foobar'
-        controller.session_token
-        expect(cookies.deleted?(:fridge_session, domain: :all)).to be true
-      end
+    context 'with a non-:read scope' do
+      before { options.merge!(scope: 'manage') }
 
-      it 'should return nil on error' do
-        cookies[:fridge_session] = 'foobar'
-        expect(controller.session_token).to be_nil
+      it 'should downgrade the token' do
+        cookies[:fridge_session] = access_token.serialize
+        expect(controller.session_token.scope).to eq 'read'
       end
 
-      it 'should return the token stored in :fridge_session' do
+      it 'should not change the validity of a token' do
         cookies[:fridge_session] = access_token.serialize
-        expect(controller.session_token.id).to eq access_token.id
+        expect(controller.session_token).to be_valid
       end
+    end
+  end
 
-      context 'with a non-:read scope' do
-        before { options.merge!(scope: 'manage') }
-
-        it 'should downgrade the token' do
-          cookies[:fridge_session] = access_token.serialize
-          expect(controller.session_token.scope).to eq 'read'
-        end
+  describe '#validate_token' do
+    it 'should return false if the token is invalid' do
+      Fridge.configuration.validator = ->(_) { false }
+      expect(controller.validate_token(access_token)).to be false
+    end
 
-        it 'should not change the validity of a token' do
-          cookies[:fridge_session] = access_token.serialize
-          expect(controller.session_token).to be_valid
-        end
-      end
+    it 'should return false if the token validator fails' do
+      Fridge.configuration.validator = ->(_) { raise 'Foobar' }
+      expect(controller.validate_token(access_token)).to be false
     end
 
-    describe '#validate_token' do
-      it 'should return false if the token is invalid' do
-        Fridge.configuration.validator = ->(_) { false }
-        expect(controller.validate_token(access_token)).to be false
-      end
+    it 'should return the token if valid' do
+      Fridge.configuration.validator = ->(_) { true }
+      expect(controller.validate_token(access_token)).to eq access_token
+    end
+  end
 
-      it 'should return false if the token validator fails' do
-        Fridge.configuration.validator = ->(_) { fail 'Foobar' }
-        expect(controller.validate_token(access_token)).to be false
-      end
+  describe '#validate_token' do
+    it 'should raise an exception if the token is invalid' do
+      Fridge.configuration.validator = ->(_) { false }
+      expect { controller.validate_token!(access_token) }
+        .to raise_error Fridge::InvalidToken
+    end
 
-      it 'should return the token if valid' do
-        Fridge.configuration.validator = ->(_) { true }
-        expect(controller.validate_token(access_token)).to eq access_token
-      end
+    it 'should return the token if valid' do
+      Fridge.configuration.validator = ->(_) { true }
+      expect(controller.validate_token!(access_token)).to eq access_token
     end
+  end
 
-    describe '#validate_token' do
-      it 'should raise an exception if the token is invalid' do
-        Fridge.configuration.validator = ->(_) { false }
-        expect { controller.validate_token!(access_token) }.to raise_error
-      end
+  describe '#sessionize_token' do
+    it 'should set a session cookie' do
+      Rails.stub_chain(:env, :development?) { false }
+      controller.sessionize_token(access_token)
+      expect(cookies[:fridge_session]).to eq access_token.serialize
+    end
+  end
 
-      it 'should return the token if valid' do
-        Fridge.configuration.validator = ->(_) { true }
-        expect(controller.validate_token!(access_token)).to eq access_token
-      end
+  describe '#fridge_cookie_name' do
+    it 'is configurable' do
+      Fridge.configuration.cookie_name = 'foobar'
+      expect(controller.fridge_cookie_name).to eq 'foobar'
     end
+  end
 
-    describe '#sessionize_token' do
-      it 'should set a session cookie' do
-        Rails.stub_chain(:env, :development?) { false }
-        controller.sessionize_token(access_token)
-        expect(cookies[:fridge_session]).to eq access_token.serialize
-      end
+  describe '#write_shared_cookie' do
+    before { Rails.stub_chain(:env, :development?) { false } }
+
+    it 'should save cookie' do
+      controller.write_shared_cookie(:organization_url, organization_url)
+      expect(cookies[:organization_url]).to eq organization_url
     end
+  end
 
-    describe '#fridge_cookie_name' do
-      it 'is configurable' do
-        Fridge.configuration.cookie_name = 'foobar'
-        expect(controller.fridge_cookie_name).to eq 'foobar'
-      end
+  describe '#read_shared_cookie' do
+    it 'should read cookie' do
+      cookies[:organization_url] = { value: organization_url }
+      expect(controller.read_shared_cookie(:organization_url)).to(
+        eq organization_url
+      )
     end
+  end
 
-    describe '#write_shared_cookie' do
-      before { Rails.stub_chain(:env, :development?) { false } }
+  describe '#delete_shared_cookie' do
+    before { Rails.stub_chain(:env, :development?) { false } }
 
-      it 'should save cookie' do
-        controller.write_shared_cookie(:organization_url, organization_url)
-        expect(cookies[:organization_url]).to eq organization_url
-      end
+    it 'should delete cookie' do
+      controller.write_shared_cookie(:organization_url, organization_url)
+      controller.delete_shared_cookie(:organization_url)
+      expect(cookies[:organization_url]).to be_nil
     end
+  end
 
-    describe '#read_shared_cookie' do
-      it 'should read cookie' do
-        cookies[:organization_url] = { value: organization_url }
-        expect(controller.read_shared_cookie(:organization_url)).to(
-          eq organization_url
-        )
-      end
-    end
+  describe '#fridge_cookie_options' do
+    before { Rails.stub_chain(:env, :development?) { false } }
 
-    describe '#delete_shared_cookie' do
-      before { Rails.stub_chain(:env, :development?) { false } }
+    it 'are configurable' do
+      Fridge.configuration.cookie_options = { foobar: true }
+      options = controller.fridge_cookie_options
+      expect(options[:domain]).to eq 'auth.aptible.com'
+      expect(options[:foobar]).to eq true
+    end
 
-      it 'should delete cookie' do
-        controller.write_shared_cookie(:organization_url, organization_url)
-        controller.delete_shared_cookie(:organization_url)
-        expect(cookies[:organization_url]).to be_nil
+    it 'restricts cookies to the specific subdomain' do
+      auth = class_double('Aptible::Auth').as_stubbed_const
+      allow(auth).to receive_message_chain(:configuration, :root_url) do
+        'https://auth-bob.aptible-sandbox.com'
       end
-    end
 
-    describe '#fridge_cookie_options' do
-      before { Rails.stub_chain(:env, :development?) { false } }
+      options = controller.fridge_cookie_options
+      expect(options[:domain]).to eq 'auth-bob.aptible-sandbox.com'
+    end
 
-      it 'are configurable' do
-        Fridge.configuration.cookie_options = { foobar: true }
-        options = controller.fridge_cookie_options
-        expect(options[:domain]).to eq :all
-        expect(options[:foobar]).to eq true
+    it 'handles local development using defaults' do
+      auth = class_double('Aptible::Auth').as_stubbed_const
+      allow(auth).to receive_message_chain(:configuration, :root_url) do
+        'https://localhost:4000'
       end
+
+      options = controller.fridge_cookie_options
+      expect(options[:domain]).to eq :all
     end
   end
 end

data/spec/spec_helper.rb

@@ -1,14 +1,22 @@
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 
+require 'active_support/all'
+require 'action_controller'
+require 'action_dispatch'
+require 'action_view'
+
+require 'fridge'
+require 'fridge/rails_helpers'
+
+require 'rspec'
+require 'rspec/rails'
+
 # Load shared spec files
 Dir["#{File.dirname(__FILE__)}/shared/**/*.rb"].each do |file|
   require file
 end
 
-# Require library up front
-require 'fridge'
-
 RSpec.configure do |config|
   config.before { Fridge.configuration.reset }
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fridge
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.4
 platform: ruby
 authors:
 - Frank Macreery
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-03-01 00:00:00.000000000 Z
+date: 2021-05-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gem_config
@@ -30,14 +30,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.13
+        version: 1.5.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.1.13
+        version: 1.5.6
+- !ruby/object:Gem::Dependency
+  name: aptible-tasks
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -53,7 +67,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.5'
 - !ruby/object:Gem::Dependency
-  name: aptible-tasks
+  name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -67,7 +81,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -81,7 +95,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rails
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -100,14 +114,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: rspec-rails
   requirement: !ruby/object:Gem::Requirement
@@ -122,20 +136,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: pry
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 description: Token validation for distributed resource servers
 email:
 - frank@macreery.com
@@ -143,6 +143,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/CODEOWNERS"
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
@@ -153,13 +154,13 @@ files:
 - fridge.gemspec
 - lib/fridge.rb
 - lib/fridge/access_token.rb
+- lib/fridge/expired_token.rb
 - lib/fridge/invalid_token.rb
 - lib/fridge/rails_helpers.rb
 - lib/fridge/railtie.rb
 - lib/fridge/serialization_error.rb
 - lib/fridge/version.rb
 - spec/fixtures/app.rb
-- spec/fixtures/controller.rb
 - spec/fridge/access_token_spec.rb
 - spec/fridge/rails_helpers_spec.rb
 - spec/spec_helper.rb
@@ -167,7 +168,7 @@ homepage: https://github.com/aptible/fridge
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -182,14 +183,12 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.4.5.1
-signing_key: 
+rubygems_version: 3.0.3
+signing_key:
 specification_version: 4
 summary: Token validation for distributed resource servers
 test_files:
 - spec/fixtures/app.rb
-- spec/fixtures/controller.rb
 - spec/fridge/access_token_spec.rb
 - spec/fridge/rails_helpers_spec.rb
 - spec/spec_helper.rb

data/spec/fixtures/controller.rb

@@ -1,5 +0,0 @@
-require 'fridge/rails_helpers'
-
-class Controller < ActionController::Base
-  include Fridge::RailsHelpers
-end