jwt-auth 3.0.0 → 3.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4fc903bec961f43790b39851ed465e98ee4db262
-  data.tar.gz: 2c54dc88944789086ec0ef2cfb11f33b3ec63520
+  metadata.gz: 7cd012fc046f4777af5d9ee5f6265f5ca2d62af9
+  data.tar.gz: 9170ff259b31aa1867b40da3572db62b4b1af852
 SHA512:
-  metadata.gz: 6caaeac87553b3fb5fc3ab08e7c0806cb01ba40cac74e8b11bf739517383687289dd9f157a22b81b9571029c58ff04cc8f499abb6e0059a2f32016d5c05aa13d
-  data.tar.gz: 89da2604d876f84c21836acfb6cf11e47c3d542a01514ee2d2d6d4b653c5f081f60ce670e1dfb67a3f532f8d3f9ae803af65e9bd3f65b1a19105cee23b62f8e4
+  metadata.gz: cee44e1a66ed06d4ecb6298542b45b13c72a2806c271805c2e8772dcab5b755ad4f9cf9c862c8f507a511744fa52c28e600c458b48ef50b555ca6ae1e946afb1
+  data.tar.gz: b34a80b8d6bb0f0cf068b4505101edbc9030f96bcccf3bd5b5bcb5ffe55b7e7fd77726177dbb2ac68b3fe1981edf2c68ecdd5a04a54d7b2ff2d2ab9dbb4c8eda

data/.gitignore

@@ -1,25 +1,54 @@
 *.gem
 *.rbc
-.bundle
-.config
-.yardoc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+.byebug_history
+
+# Used by dotenv library to load environment variables.
+# .env
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
 Gemfile.lock
-InstalledFiles
-_yardoc
-coverage
-doc/
-lib/bundler/man
-pkg
-rdoc
-spec/reports
-test/tmp
-test/version_tmp
-tmp
-*.bundle
-*.so
-*.o
-*.a
-mkmf.log
 .ruby-version
 .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+
+# IDE files
 .idea

data/.travis.yml

@@ -0,0 +1,11 @@
+language: ruby
+rvm:
+  - 2.4.0
+cache:
+  bundler: true
+env:
+  - RAILS_ENV=test CI=true TRAVIS=true
+install:
+  - bundle install
+script:
+  - bundle exec rspec

data/README.md

@@ -1,4 +1,4 @@
-# JWT::Auth
+# JWT::Auth [![Travis](https://travis-ci.org/floriandejonckheere/jwt-auth.svg?branch=master)](https://travis-ci.org/floriandejonckheere/jwt-auth) [![Coverage Status](https://coveralls.io/repos/github/floriandejonckheere/jwt-auth/badge.svg)](https://coveralls.io/github/floriandejonckheere/jwt-auth)
 
 JWT-based authentication middleware for Rails API without Devise
 

data/jwt-auth.gemspec

@@ -6,28 +6,31 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 
 require 'jwt/auth/version'
 
-Gem::Specification.new do |spec|
-  spec.name          = 'jwt-auth'
-  spec.version       = JWT::Auth::VERSION
-  spec.authors       = ['Florian Dejonckheere']
-  spec.email         = ['florian@floriandejonckheere.be']
-  spec.summary       = 'JWT-based authentication for Rails API without Devise'
-  spec.description   = 'Authentication middleware for Rails API that uses JWTs, without depending on Devise'
-  spec.homepage      = 'https://github.com/floriandejonckheere/jwt-auth'
-  spec.license       = 'MIT'
+Gem::Specification.new do |gem|
+  gem.name          = 'jwt-auth'
+  gem.version       = JWT::Auth::VERSION
+  gem.authors       = ['Florian Dejonckheere']
+  gem.email         = ['florian@floriandejonckheere.be']
+  gem.summary       = 'JWT-based authentication for Rails API'
+  gem.description   = 'Authentication middleware for Rails API that uses JWTs'
+  gem.homepage      = 'https://github.com/floriandejonckheere/jwt-auth'
+  gem.license       = 'MIT'
 
-  spec.files         = `git ls-files -z`.split("\x0")
-  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-  spec.require_paths = ['lib']
+  gem.files         = `git ls-files -z`.split("\x0")
+  gem.executables   = gem.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ['lib']
 
-  spec.add_dependency 'jwt', '~> 1.5'
-  spec.add_dependency 'rails', '~> 5.0'
+  gem.add_runtime_dependency 'jwt', '~> 1.5'
+  gem.add_runtime_dependency 'rails', '~> 5.1'
 
-  spec.add_development_dependency 'bundler', '~> 1.14'
-  spec.add_development_dependency 'rubocop', '~> 0.48'
-  spec.add_development_dependency 'rake', '~> 12.0'
-  spec.add_development_dependency 'rspec', '~> 3.5'
-  spec.add_development_dependency 'rspec-rails', '~> 3.5'
-  spec.add_development_dependency 'byebug'
+  gem.add_development_dependency 'bundler', '~> 1.15'
+  gem.add_development_dependency 'rubocop', '~> 0.49'
+  gem.add_development_dependency 'rake', '~> 12.0'
+  gem.add_development_dependency 'rspec', '~> 3.6'
+  gem.add_development_dependency 'rspec-rails', '~> 3.6'
+  gem.add_development_dependency 'rdoc', '~> 5.1'
+  gem.add_development_dependency 'coveralls', '~> 0.8'
+  gem.add_development_dependency 'byebug'
+  gem.add_development_dependency 'sqlite3'
 end

data/lib/jwt/auth/authentication.rb

@@ -12,21 +12,21 @@ module JWT
       # Current user helper
       #
       def current_user
-        jwt&.subject
+        jwt && jwt.subject
       end
 
       ##
       # Authenticate a request
       #
       def authenticate_user
-        raise JWT::Auth::UnauthorizedError unless jwt&.valid?
+        raise JWT::Auth::UnauthorizedError unless jwt && jwt.valid?
       end
 
       ##
       # Add JWT header to response
       #
       def renew_token
-        return unless jwt&.valid?
+        return unless jwt && jwt.valid?
         jwt.renew!
         response.headers['Authorization'] = "Bearer #{jwt.to_jwt}"
       end

data/lib/jwt/auth/token.rb

@@ -13,11 +13,16 @@ module JWT
       attr_accessor :expiration, :subject, :token_version
 
       def valid?
+        # Reload subject to prevent caching the old token_version
+        subject && subject.reload
+
         return false if subject.nil? || expiration.nil? || token_version.nil?
         return false if Time.at(expiration).past?
         return false if token_version != subject.token_version
 
         true
+      rescue ActiveRecord::RecordNotFound
+        false
       end
 
       def renew!
@@ -42,14 +47,20 @@ module JWT
       end
 
       def self.from_token(token)
-        payload = JWT.decode(token, JWT::Auth.secret).first
+        begin
+          payload = JWT.decode(token, JWT::Auth.secret).first
+        rescue JWT::ExpiredSignature
+          payload = {}
+        end
 
         token = JWT::Auth::Token.new
         token.expiration = payload['exp']
         token.token_version = payload['ver']
 
-        find_method = JWT::Auth.model.respond_to?(:find_by_token) ? :find_by_token : :find_by
-        token.subject = JWT::Auth.model.send find_method, :id => payload['sub'], :token_version => payload['ver']
+        if payload['sub']
+          find_method = JWT::Auth.model.respond_to?(:find_by_token) ? :find_by_token : :find_by
+          token.subject = JWT::Auth.model.send find_method, :id => payload['sub'], :token_version => payload['ver']
+        end
 
         token
       end

data/lib/jwt/auth/version.rb

@@ -2,6 +2,6 @@
 
 module JWT
   module Auth
-    VERSION = '3.0.0'
+    VERSION = '3.0.1'
   end
 end

data/spec/authentication_spec.rb

@@ -0,0 +1,95 @@
+# frozen_string_listeral: true
+
+require 'rails_helper'
+
+RSpec.describe AuthenticationController, :type => :request do
+  let(:user) { User.create :activated => true }
+
+  let(:headers) do
+    {
+      'Authorization' => "Bearer #{JWT::Auth::Token.from_user(user).to_jwt}"
+    }
+  end
+
+  describe 'GET /public' do
+    context 'activated user' do
+      it 'is accessible without token' do
+        get '/public'
+
+        expect(response.status).to eq 204
+      end
+
+      it 'is accessible with token' do
+        get '/public', :headers => headers
+
+        expect(response.status).to eq 204
+      end
+
+      it 'renews the token' do
+        get '/public', :headers => headers
+
+        jwt = response.headers['Authorization'].scan(/Bearer (.*)$/).flatten.last
+        token = JWT::Auth::Token.from_token jwt
+
+        expect(token).to be_valid
+      end
+    end
+
+    context 'disabled user' do
+      let(:user) { User.new }
+
+      it 'is accessible without token' do
+        get '/public'
+
+        expect(response.status).to eq 204
+      end
+
+      it 'is accessible with token' do
+        get '/public', :headers => headers
+
+        expect(response.status).to eq 204
+      end
+    end
+  end
+
+  describe 'GET /private' do
+    context 'activated user' do
+      it 'is not accessible without token' do
+        get '/private'
+
+        expect(response.status).to eq 401
+      end
+
+      it 'is accessible with token' do
+        get '/private', :headers => headers
+
+        expect(response.status).to eq 204
+      end
+
+      it 'renews the token' do
+        get '/private', :headers => headers
+
+        jwt = response.headers['Authorization'].scan(/Bearer (.*)$/).flatten.last
+        token = JWT::Auth::Token.from_token jwt
+
+        expect(token).to be_valid
+      end
+    end
+
+    context 'disabled user' do
+      let(:user) { User.new }
+
+      it 'is not accessible without token' do
+        get '/private'
+
+        expect(response.status).to eq 401
+      end
+
+      it 'is not accessible with token' do
+        get '/private', :headers => headers
+
+        expect(response.status).to eq 401
+      end
+    end
+  end
+end

data/spec/configuration_spec.rb

@@ -13,6 +13,6 @@ RSpec.describe JWT::Auth do
 
     expect(subject.token_lifetime).to eq 24.hours
     expect(subject.secret).to eq 'mysecret'
-    expect(subject.model).to eq DummyUser
+    expect(subject.model).to eq User
   end
 end

data/spec/dummy/.gitignore

@@ -0,0 +1,41 @@
+# See https://help.github.com/articles/ignoring-files for more about ignoring files.
+#
+# If you find yourself ignoring temporary files generated by your text editor
+# or operating system, you probably want to add a global ignore instead:
+#   git config --global core.excludesfile '~/.gitignore_global'
+
+# Ignore bundler config.
+/.bundle
+/.gem
+
+# Ignore the default SQLite database.
+/db/*.sqlite3
+/db/*.sqlite3-journal
+
+# Ignore all logfiles and tempfiles.
+/log/*
+/tmp/*
+!/log/.keep
+!/tmp/.keep
+
+# Ignore Byebug command history file.
+.byebug_history
+
+# IDE files
+.idea
+
+# Webpack files
+node_modules
+/client/public
+
+# Private files
+*.env
+config/*.pem
+config/*.pub
+
+# Coverage report
+coverage/
+
+/.gem
+/.vscode
+.DS_Store

data/spec/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require_relative 'config/application'
+
+Rails.application.load_tasks

data/spec/dummy/app/assets/config/manifest.js

@@ -0,0 +1,4 @@
+
+//= link_tree ../images
+//= link_directory ../javascripts .js
+//= link_directory ../stylesheets .css

data/spec/dummy/app/assets/javascripts/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or any plugin's vendor/assets/javascripts directory can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file. JavaScript code in this file should be added after the last require_* statement.
+//
+// Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/spec/dummy/app/assets/javascripts/cable.js

@@ -0,0 +1,13 @@
+// Action Cable provides the framework to deal with WebSockets in Rails.
+// You can generate new channels where WebSocket features live using the `rails generate channel` command.
+//
+//= require action_cable
+//= require_self
+//= require_tree ./channels
+
+(function() {
+  this.App || (this.App = {});
+
+  App.cable = ActionCable.createConsumer();
+
+}).call(this);

data/spec/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/spec/dummy/app/channels/application_cable/channel.rb

@@ -0,0 +1,4 @@
+module ApplicationCable
+  class Channel < ActionCable::Channel::Base
+  end
+end