jwt-auth 4.2.0 → 5.0.0

data/lib/jwt/auth/configuration.rb

@@ -3,7 +3,10 @@
 module JWT
   module Auth
     class << self
-      attr_accessor :model, :secret, :token_lifetime
+      attr_accessor :model,
+                    :secret,
+                    :refresh_token_lifetime,
+                    :access_token_lifetime
 
       def configure
         yield JWT::Auth

data/lib/jwt/auth/refresh_token.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'jwt/auth/configuration'
+
+module JWT
+  module Auth
+    ##
+    # JWT refresh token
+    #
+    class RefreshToken < Token
+      def type
+        :refresh
+      end
+
+      def lifetime
+        JWT::Auth.refresh_token_lifetime
+      end
+    end
+  end
+end

data/lib/jwt/auth/token.rb

@@ -1,7 +1,5 @@
 # frozen_string_literal: true
 
-# require 'active_support/core_ext/numeric/time'
-
 require 'jwt/auth/configuration'
 
 module JWT
@@ -10,68 +8,67 @@ module JWT
     # In-memory representation of JWT
     #
     class Token
-      attr_accessor :issued_at, :subject, :token_version
+      attr_accessor :issued_at,
+                    :subject,
+                    :version
+
+      def initialize(params = {})
+        params.each { |key, value| send "#{key}=", value }
+      end
 
       def valid?
         # Reload subject to prevent caching the old token_version
-        subject && subject.reload
+        subject&.reload
 
-        return false if subject.nil? || issued_at.nil? || token_version.nil?
+        return false if subject.nil? || issued_at.nil? || version.nil?
         return false if Time.at(issued_at + lifetime.to_i).past?
         return false if Time.at(issued_at).future?
-        return false if token_version != subject.token_version
+        return false if version != subject.token_version
 
         true
       rescue ActiveRecord::RecordNotFound
         false
       end
 
-      def renew!
-        self.issued_at = nil
-        self.token_version = nil
-      end
-
       def to_jwt
         JWT.encode payload, JWT::Auth.secret
       end
 
-      def self.from_user(subject)
-        token = self.new
-        token.subject = subject
-
-        token
-      end
-
-      def payload
-        {
-          :iat => issued_at || Time.now.to_i,
-          :sub => subject.id,
-          :ver => token_version || subject.token_version
-        }
+      ##
+      # Override this method in subclasses
+      #
+      def type
+        raise NotImplementedError
       end
 
+      ##
+      # Override this method in subclasses
+      #
       def lifetime
-        JWT::Auth.token_lifetime
+        raise NotImplementedError
       end
 
       class << self
-        def from_token(token)
-          begin
-            @decoded_payload = JWT.decode(token, JWT::Auth.secret).first
-          rescue JWT::DecodeError
-            @decoded_payload = {}
+        def from_jwt(token)
+          @decoded_payload = JWT.decode(token, JWT::Auth.secret).first
+
+          params = {
+            :issued_at => @decoded_payload['iat'],
+            :version => @decoded_payload['ver'],
+            :subject => model.find_by_token(:id => @decoded_payload['sub'],
+                                            :token_version => @decoded_payload['ver'])
+          }
+
+          case @decoded_payload['typ']
+          when 'access'
+            return AccessToken.new params
+          when 'refresh'
+            return RefreshToken.new params
+          else
+            return nil
           end
-
-          token = self.new
-          token.issued_at = @decoded_payload['iat']
-          token.token_version = @decoded_payload['ver']
-
-          if @decoded_payload['sub']
-            find_method = model.respond_to?(:find_by_token) ? :find_by_token : :find_by
-            token.subject = model.send find_method, :id => @decoded_payload['sub'], :token_version => @decoded_payload['ver']
-          end
-
-          token
+        rescue JWT::DecodeError
+          nil
         end
 
         private
@@ -80,6 +77,17 @@ module JWT
           const_get JWT::Auth.model
         end
       end
+
+      private
+
+      def payload
+        {
+          :iat => issued_at || Time.now.to_i,
+          :sub => subject.id,
+          :ver => version || subject.token_version,
+          :typ => type
+        }
+      end
     end
   end
 end

data/lib/jwt/auth/version.rb

@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 
+require 'yaml'
+
 module JWT
   module Auth
-    VERSION = '4.2.0'
+    VERSION = YAML.load_file File.join __dir__, '..', '..', '..', 'version.yml'
   end
 end

data/spec/controllers/content_controller_spec.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe ContentController do
+  ##
+  # Configuration
+  #
+  ##
+  # Test variables
+  #
+  let(:user) { User.create :activated => true }
+
+  let(:headers) do
+    { 'Authorization' => "Bearer #{token.to_jwt}" }
+  end
+
+  # Ensure the user is created, which autoloads the model and initializes the JWT::Auth.model configuration entry
+  before { user }
+
+  ##
+  # Tests
+  #
+  describe 'GET /unauthenticated' do
+    subject { get :unauthenticated }
+
+    context 'when no token was specified' do
+      it { is_expected.to have_http_status :no_content }
+    end
+
+    context 'when a refresh token was specified' do
+      let(:token) { JWT::Auth::RefreshToken.new :subject => user }
+
+      before { @request.headers.merge! headers }
+
+      it { is_expected.to have_http_status :unauthorized }
+
+      context 'when the token was invalid' do
+        before { user.increment! :token_version }
+
+        it { is_expected.to have_http_status :unauthorized }
+      end
+    end
+
+    context 'when an access token was specified' do
+      let(:token) { JWT::Auth::AccessToken.new :subject => user }
+
+      before { @request.headers.merge! headers }
+
+      it { is_expected.to have_http_status :no_content }
+
+      context 'when the token was invalid' do
+        before { user.increment! :token_version }
+
+        it { is_expected.to have_http_status :unauthorized }
+      end
+    end
+  end
+
+  describe 'GET /authenticated' do
+    subject { get :authenticated }
+
+    context 'when no token was specified' do
+      it { is_expected.to have_http_status :unauthorized }
+    end
+
+    context 'when a refresh token was specified' do
+      let(:token) { JWT::Auth::RefreshToken.new :subject => user }
+
+      before { @request.headers.merge! headers }
+
+      it { is_expected.to have_http_status :unauthorized }
+
+      context 'when the token was invalid' do
+        before { user.increment! :token_version }
+
+        it { is_expected.to have_http_status :unauthorized }
+      end
+    end
+
+    context 'when an access token was specified' do
+      let(:token) { JWT::Auth::AccessToken.new :subject => user }
+
+      before { @request.headers.merge! headers }
+
+      it { is_expected.to have_http_status :no_content }
+
+      context 'when the token was invalid' do
+        before { user.increment! :token_version }
+
+        it { is_expected.to have_http_status :unauthorized }
+      end
+    end
+  end
+end

data/spec/controllers/tokens_controller_spec.rb

@@ -0,0 +1,140 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+RSpec.describe TokensController do
+  ##
+  # Configuration
+  #
+  ##
+  # Test variables
+  #
+  let(:user) { User.create :activated => true, :email => 'foo@bar', :password => 'foobar' }
+
+  let(:headers) do
+    { 'Authorization' => "Bearer #{token.to_jwt}" }
+  end
+
+  # Ensure the user is created, which autoloads the model and initializes the JWT::Auth.model configuration entry
+  before { user }
+
+  ##
+  # Tests
+  #
+  describe 'POST /' do
+    let(:user) { User.create :activated => activated, :email => 'foo@bar', :password => 'foobar' }
+    let(:activated) { true }
+    let(:password) { 'foobar' }
+
+    subject { post :create, :params => { :email => 'foo@bar', :password => password } }
+
+    it { is_expected.to have_http_status :no_content }
+    it { is_expected.to return_token JWT::Auth::RefreshToken }
+
+    context 'when the credentials are incorrect' do
+      let(:password) { 'barfoo' }
+
+      it { is_expected.to have_http_status :unauthorized }
+      it { is_expected.not_to return_token }
+    end
+
+    context 'when the user is not activated' do
+      let(:activated) { false }
+
+      it { is_expected.to have_http_status :unauthorized }
+      it { is_expected.not_to return_token }
+
+      context 'when the credentials are incorrect' do
+        let(:password) { 'barfoo' }
+
+        it { is_expected.to have_http_status :unauthorized }
+        it { is_expected.not_to return_token }
+      end
+    end
+  end
+
+  describe 'PATCH /' do
+    let(:user) { User.create :activated => activated, :email => 'foo@bar', :password => 'foobar' }
+    let(:activated) { true }
+
+    subject { patch :update }
+
+    context 'when no token is present' do
+      it { is_expected.to have_http_status :unauthorized }
+      it { is_expected.not_to return_token }
+    end
+
+    context 'when a refresh token is present' do
+      let(:token) { JWT::Auth::RefreshToken.new :subject => user }
+
+      before { @request.headers.merge! headers }
+
+      it { is_expected.to have_http_status :no_content }
+      it { is_expected.to return_token JWT::Auth::AccessToken }
+
+      context 'when the token is invalid' do
+        before { user.increment! :token_version }
+
+        it { is_expected.to have_http_status :unauthorized }
+        it { is_expected.not_to return_token }
+      end
+    end
+
+    context 'when an access token is present' do
+      let(:token) { JWT::Auth::AccessToken.new :subject => user }
+
+      before { @request.headers.merge! headers }
+
+      it { is_expected.to have_http_status :unauthorized }
+      it { is_expected.not_to return_token }
+
+      context 'when the token is invalid' do
+        before { user.increment! :token_version }
+
+        it { is_expected.to have_http_status :unauthorized }
+        it { is_expected.not_to return_token }
+      end
+    end
+
+    context 'when the user is not activated' do
+      let(:activated) { false }
+
+      context 'when no token is present' do
+        it { is_expected.to have_http_status :unauthorized }
+        it { is_expected.not_to return_token }
+      end
+
+      context 'when a refresh token is present' do
+        let(:token) { JWT::Auth::RefreshToken.new :subject => user }
+
+        before { @request.headers.merge! headers }
+
+        it { is_expected.to have_http_status :unauthorized }
+        it { is_expected.not_to return_token }
+
+        context 'when the token is invalid' do
+          before { user.increment! :token_version }
+
+          it { is_expected.to have_http_status :unauthorized }
+          it { is_expected.not_to return_token }
+        end
+      end
+
+      context 'when an access token is present' do
+        let(:token) { JWT::Auth::AccessToken.new :subject => user }
+
+        before { @request.headers.merge! headers }
+
+        it { is_expected.to have_http_status :unauthorized }
+        it { is_expected.not_to return_token }
+
+        context 'when the token is invalid' do
+          before { user.increment! :token_version }
+
+          it { is_expected.to have_http_status :unauthorized }
+          it { is_expected.not_to return_token }
+        end
+      end
+    end
+  end
+end

data/spec/dummy/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # Add your own tasks in files placed in lib/tasks ending in .rake,
 # for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
 

data/spec/dummy/app/channels/application_cable/channel.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ApplicationCable
   class Channel < ActionCable::Channel::Base
   end

data/spec/dummy/app/channels/application_cable/connection.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module ApplicationCable
   class Connection < ActionCable::Connection::Base
   end

data/spec/dummy/app/controllers/application_controller.rb

@@ -1,10 +1,15 @@
+# frozen_string_literal: true
+
 class ApplicationController < ActionController::Base
-  protect_from_forgery with: :exception
+  protect_from_forgery :with => :exception
 
   include JWT::Auth::Authentication
 
   rescue_from JWT::Auth::UnauthorizedError, :with => :handle_unauthorized
 
+  # Validate validity of token (if present) on all routes
+  before_action :validate_token
+
   protected
 
   def handle_unauthorized