jwt-authenticator 1.0.0.rc1 → 1.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c128a8bddd8a546812be283f492f8dc6463073ff067c0e0eecb70891ed4695fb
-  data.tar.gz: eb1e0781bbda0d8445340790f28251c7a513b624683e2e140cca86e3c74ec3eb
+  metadata.gz: eaa8560f1c1d204b1cf8556ac75896308d0437314df557504b5bd23717baa920
+  data.tar.gz: 7c220c3fd1b755c7944bdd061c2e0abe3c32d67a4d969b88199aa22a02042a02
 SHA512:
-  metadata.gz: 9582a70c04c9c136973eebad066ea834a7d320a6e0c4bc6385d76ac0f9cae68d1bc76ae63b10f1699b46da2a55b2bbd19ad6af11a4dcc5f539a5826a3e6817c8
-  data.tar.gz: c034bc475866eacd92fde3a3f774da618461d7ed7a19b828fde16f2e945dd8d758686713b842479acaa30aee83f0624582bae59affc4e7d323a19c192252cbd9
+  metadata.gz: ded7a7c6e21793017ab1a94ffff357580cfa3233076fca1c51b282065d8d5a09a398166571f1b54861580e5897f1163e3e4c6010fb1fd2baab0493a8ece0e127
+  data.tar.gz: 9215e3daada467a86df5b3012449293916eaa3d82d3425efb445c1e3826bbcbed1e76b003627c9df46a871dbe19da2d09c6fdfd7f31657550cd733d31eb4dcb3

data/.gitignore

@@ -0,0 +1,5 @@
+*.gem
+.bundle
+pkg/
+tmp/
+/.idea

data/.ruby-version

@@ -0,0 +1 @@
+2.7.1

data/Gemfile

@@ -0,0 +1,9 @@
+# encoding: UTF-8
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gemspec
+
+gem "rake", "~> 12.3"
+gem "test-unit", "~> 3.2"

data/Gemfile.lock

@@ -0,0 +1,41 @@
+PATH
+  remote: .
+  specs:
+    jwt-authenticator (1.0.4)
+      activesupport (>= 4.0, < 6.0)
+      jwt (~> 2.1)
+      method-not-implemented (~> 1.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (5.2.4.4)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    concurrent-ruby (1.1.7)
+    i18n (1.8.5)
+      concurrent-ruby (~> 1.0)
+    jwt (2.2.2)
+    method-not-implemented (1.0.1)
+    minitest (5.14.2)
+    power_assert (1.2.0)
+    rake (12.3.3)
+    test-unit (3.3.6)
+      power_assert
+    thread_safe (0.3.6)
+    tzinfo (1.2.7)
+      thread_safe (~> 0.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (>= 1.7, < 3.0)
+  jwt-authenticator!
+  rake (~> 12.3)
+  test-unit (~> 3.2)
+
+BUNDLED WITH
+   2.1.4

data/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2018 Yaroslav Konoplov <eahome00@gmail.com>
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -0,0 +1,43 @@
+# JSON Web Token authentication Ruby service
+
+The gem provides easy & extendable way to perform JSON Web Token authentication.
+
+## Usage
+
+Please, see the code sample below.
+
+```ruby
+module MyAPI
+  #
+  # Define JWT verification options using variables below:
+  # 
+  #   MY_API_JWT_VERIFY_EXP
+  #   MY_API_JWT_VERIFY_NBF
+  #   MY_API_JWT_ISS
+  #   MY_API_JWT_VERIFY_IAT
+  #   MY_API_JWT_VERIFY_JTI
+  #   MY_API_JWT_AUD (could be comma-separated)
+  #   MY_API_JWT_SUB
+  #   MY_API_JWT_ALG (could be comma-separated)
+  #   MY_API_JWT_LEEWAY
+  #   MY_API_JWT_IAT_LEEWAY
+  #   MY_API_JWT_EXP_LEEWAY
+  #   MY_API_JWT_NBF_LEEWAY
+  # 
+  class JWTAuthenticator < JWT::Authenticator
+    def call(*)
+      payload, = super
+      # You may want to do some additional checks here like verifying JTI is not revoked.
+      # You also can return any value you want. For example, here we can return user.
+      User.new(payload.slice(:uid, :email, :level)) 
+    end
+
+  protected
+  
+    def public_key(header)
+      # You have to determine what key should be user for signature verification (based on «header») and return public key.
+      # The returned value must be instance of OpenSSL::PKey::RSA.
+    end
+  end
+end
+```

data/Rakefile

@@ -0,0 +1,7 @@
+# encoding: UTF-8
+# frozen_string_literal: true
+
+require "rake/testtask"
+
+ENV["TESTOPTS"] = "--verbose"
+Rake::TestTask.new { |t| t.libs << "test" }

data/jwt-authenticator.gemspec

@@ -0,0 +1,24 @@
+# encoding: UTF-8
+# frozen_string_literal: true
+
+require File.expand_path("../lib/jwt-authenticator/version", __FILE__)
+
+Gem::Specification.new do |s|
+  s.name                  = "jwt-authenticator"
+  s.version               = JWT::Authenticator::VERSION
+  s.author                = "Yaroslav Konoplov"
+  s.email                 = "eahome00@gmail.com"
+  s.summary               = "JSON Web Token authentication Ruby service."
+  s.description           = "The gem provides easy & extendable way to perform JSON Web Token authentication."
+  s.homepage              = "https://github.com/ruby-jwt/jwt-authenticator"
+  s.license               = "Apache-2.0"
+  s.files                 = `git ls-files -z`.split("\x0")
+  s.test_files            = `git ls-files -z -- {test,spec,features}/*`.split("\x0")
+  s.require_paths         = ["lib"]
+  s.required_ruby_version = "~> 2.5"
+
+  s.add_dependency             "jwt", "~> 2.1"
+  s.add_dependency             "method-not-implemented", "~> 1.0"
+  s.add_dependency             "activesupport", ">= 4.0", "< 6.0"
+  s.add_development_dependency "bundler", ">= 1.7", "< 3.0"
+end

data/lib/jwt-authenticator.rb

@@ -0,0 +1,78 @@
+# encoding: UTF-8
+# frozen_string_literal: true
+
+require "jwt"
+require "method-not-implemented"
+require "active_support/core_ext/string/inflections"
+require "active_support/core_ext/object/blank"
+require "active_support/core_ext/string/filters"
+require "active_support/core_ext/hash/keys"
+require "jwt-authenticator/version"
+
+class JWT::Authenticator
+  include Singleton
+
+  def initialize
+    @verification_options = token_verification_options_from_environment \
+      self.class.name.split("::")[0...-1].join("_").underscore.upcase.gsub(/_?JWT\z/, "") + "_JWT"
+  end
+
+  def call(token)
+    error! "Token is missing.", 101 if token.blank?
+    token_type, token_value = token.to_s.squish.split(" ")
+    error! "Token type is not provided or invalid.", 102 unless token_type == "Bearer"
+    returned = JWT.decode(token_value, nil, true, @verification_options) { |header| public_key(header.deep_symbolize_keys) }
+    returned.map(&:deep_symbolize_keys)
+  rescue JWT::ExpiredSignature => e
+    error!(e.inspect, 104)
+  rescue JWT::DecodeError => e
+    error!(e.inspect, 103)
+  end
+
+protected
+
+  def public_key(header)
+    method_not_implemented
+  end
+
+  def token_verification_options_from_environment(namespace)
+    namespace = namespace.gsub(/_+\z/, "")
+    { verify_expiration: ENV["#{namespace}_VERIFY_EXP"] != "false",
+      verify_not_before: ENV["#{namespace}_VERIFY_NBF"] != "false",
+      iss:               ENV["#{namespace}_ISS"].to_s.split(",").map(&:squish).reject(&:blank?).presence, # Comma-separated values.
+      verify_iat:        ENV["#{namespace}_VERIFY_IAT"] != "false",
+      verify_jti:        ENV["#{namespace}_VERIFY_JTI"] != "false",
+      aud:               ENV["#{namespace}_AUD"].to_s.split(",").map(&:squish).reject(&:blank?).presence, # Comma-separated values.
+      sub:               ENV["#{namespace}_SUB"].to_s.squish.presence,
+      algorithms:        ENV["#{namespace}_ALG"].to_s.split(",").map(&:squish).reject(&:blank?).presence, # Comma-separated values.
+      leeway:            ENV["#{namespace}_LEEWAY"].to_s.squish.yield_self { |n| n.to_i if n.present? },
+      iat_leeway:        ENV["#{namespace}_IAT_LEEWAY"].to_s.squish.yield_self { |n| n.to_i if n.present? },
+      exp_leeway:        ENV["#{namespace}_EXP_LEEWAY"].to_s.squish.yield_self { |n| n.to_i if n.present? },
+      nbf_leeway:        ENV["#{namespace}_NBF_LEEWAY"].to_s.squish.yield_self { |n| n.to_i if n.present? }
+    }.tap { |options|
+      options.merge! \
+        verify_sub: options[:sub].present?,
+        verify_iss: options[:iss].present?,
+        verify_aud: options[:aud].present?
+    }.compact
+  end
+
+  def error!(message, code = nil)
+    raise Error.new(message, code)
+  end
+
+  class << self
+    def call(token)
+      instance.call(token)
+    end
+  end
+
+  class Error < StandardError
+    attr_reader :code
+
+    def initialize(message, code = nil)
+      super(message)
+      @code = code
+    end
+  end
+end

data/lib/jwt-authenticator/version.rb

@@ -0,0 +1,8 @@
+# encoding: UTF-8
+# frozen_string_literal: true
+
+module JWT
+  class Authenticator
+    VERSION = "1.0.4"
+  end
+end

data/test/helper.rb

@@ -0,0 +1,50 @@
+# encoding: UTF-8
+# frozen_string_literal: true
+
+Bundler.require
+
+Test::Unit::TestCase.test_order = :random
+
+require "active_support/inflections"
+require "active_support/core_ext/kernel/reporting"
+require "securerandom"
+require "openssl"
+require "base64"
+require "set"
+
+ActiveSupport::Inflector.inflections do |inflect|
+  inflect.acronym "API"
+  inflect.acronym "v1"
+  inflect.acronym "v2"
+end
+
+module MyAPIv1
+  class JWTAuthenticator < JWT::Authenticator
+
+  end
+end
+
+ENV["MY_API_V2_JWT_ISS"] = "foo"
+ENV["MY_API_V2_JWT_AUD"] = "foo,bar,baz"
+ENV["MY_API_V2_JWT_SUB"] = "session"
+ENV["MY_API_V2_JWT_ALG"] = "RS256"
+ENV["MY_API_V2_JWT_KEY"] = Base64.urlsafe_encode64(OpenSSL::PKey::RSA.generate(2048).to_pem)
+
+module MyAPIv2
+  class JWTAuthenticator < JWT::Authenticator
+
+  private
+
+    def public_key(*)
+      OpenSSL::PKey.read(Base64.urlsafe_decode64(ENV["MY_API_V2_JWT_KEY"])).public_key
+    end
+  end
+end
+
+module MyAPI
+  module V3
+    class JWTAuthenticator < JWT::Authenticator
+
+    end
+  end
+end

data/test/test-jwt-authenticator.rb

@@ -0,0 +1,190 @@
+# encoding: UTF-8
+# frozen_string_literal: true
+
+require_relative "helper"
+
+class JWTAuthenticatorTest < Test::Unit::TestCase
+  test "gem version" do
+    assert defined?(JWT::Authenticator::VERSION)
+  end
+
+  test "singleton" do
+    assert_equal 1, ([JWT::Authenticator] * 3).map(&:instance).map(&:object_id).uniq.count
+  end
+
+  test "loading token verification options from environment" do
+    default = {
+      verify_aud: false,
+      verify_expiration: true,
+      verify_iat: true,
+      verify_iss: false,
+      verify_jti: true,
+      verify_not_before: true,
+      verify_sub: false }
+
+    assert_equal(default, my_api_v1_token_verification_options)
+
+    modify_environment "MY_API_V1_JWT_VERIFY_EXP", "false" do
+      assert_equal(default.merge(verify_expiration: false), my_api_v1_token_verification_options)
+    end
+
+    modify_environment "MY_API_V1_JWT_VERIFY_NBF", "false" do
+      assert_equal(default.merge(verify_not_before: false), my_api_v1_token_verification_options)
+    end
+
+    modify_environment "MY_API_V1_JWT_ISS", " foo " do
+      assert_equal(default.merge(iss: %w[foo], verify_iss: true), my_api_v1_token_verification_options)
+    end
+
+    modify_environment "MY_API_V1_JWT_VERIFY_IAT", "false" do
+      assert_equal(default.merge(verify_iat: false), my_api_v1_token_verification_options)
+    end
+
+    modify_environment "MY_API_V1_JWT_VERIFY_JTI", "false" do
+      assert_equal(default.merge(verify_jti: false), my_api_v1_token_verification_options)
+    end
+
+    modify_environment "MY_API_V1_JWT_AUD", "foo, bar, baz" do
+      assert_equal(default.merge(aud: %w[foo bar baz], verify_aud: true), my_api_v1_token_verification_options)
+    end
+
+    modify_environment "MY_API_V1_JWT_SUB", " session " do
+      assert_equal(default.merge(sub: "session", verify_sub: true), my_api_v1_token_verification_options)
+    end
+
+    modify_environment "MY_API_V1_JWT_ALG", " RS256" do
+      assert_equal(default.merge(algorithms: %w[RS256]), my_api_v1_token_verification_options)
+    end
+
+    modify_environment "MY_API_V1_JWT_LEEWAY", "30" do
+      assert_equal(default.merge(leeway: 30), my_api_v1_token_verification_options)
+    end
+
+    modify_environment "MY_API_V1_JWT_IAT_LEEWAY", "30" do
+      assert_equal(default.merge(iat_leeway: 30), my_api_v1_token_verification_options)
+    end
+
+    modify_environment "MY_API_V1_JWT_EXP_LEEWAY", "30" do
+      assert_equal(default.merge(exp_leeway: 30), my_api_v1_token_verification_options)
+    end
+
+    modify_environment "MY_API_V1_JWT_NBF_LEEWAY", "30" do
+      assert_equal(default.merge(nbf_leeway: 30), my_api_v1_token_verification_options)
+    end
+  end
+
+  test "blank token" do
+    error = assert_raises(JWT::Authenticator::Error) { JWT::Authenticator.instance.call(" ") }
+    assert_match(/\bmissing\b/i, error.message)
+    assert_equal(101, error.code)
+  end
+
+  test "token with invalid type" do
+    error = assert_raises(JWT::Authenticator::Error) { JWT::Authenticator.instance.call("Beer XXX.YYY.ZZZ") }
+    assert_match(/\binvalid\b/i, error.message)
+    assert_equal(102, error.code)
+  end
+
+  test "token decoding and verification" do
+    jwt = my_api_v2_jwt_encode(my_api_v2_jwt_payload)
+    payload, header = my_api_v2_jwt_decode(jwt)
+    assert %i[jti iss aud sub dat].to_set == payload.keys.to_set
+    assert %i[alg].to_set == header.keys.to_set
+  end
+
+  test "wrong iss" do
+    jwt = my_api_v2_jwt_encode(my_api_v2_jwt_payload.merge(iss: "qux"))
+    error = assert_raises(JWT::Authenticator::Error) { my_api_v2_jwt_decode(jwt) }
+    assert_match(/\binvalid issuer\b/i, error.message)
+    assert_equal(103, error.code)
+  end
+
+  test "missing iss" do
+    jwt = my_api_v2_jwt_encode(my_api_v2_jwt_payload.tap { |p| p.delete(:iss) })
+    error = assert_raises(JWT::Authenticator::Error) { my_api_v2_jwt_decode(jwt) }
+    assert_match(/\binvalid issuer\b/i, error.message)
+    assert_equal(103, error.code)
+  end
+
+  test "missing aud" do
+    jwt = my_api_v2_jwt_encode(my_api_v2_jwt_payload.tap { |p| p.delete(:aud) })
+    error = assert_raises(JWT::Authenticator::Error) { my_api_v2_jwt_decode(jwt) }
+    assert_match(/\binvalid audience\b/i, error.message)
+    assert_equal(103, error.code)
+  end
+
+  test "wrong aud" do
+    jwt = my_api_v2_jwt_encode(my_api_v2_jwt_payload.merge(aud: "qux"))
+    error = assert_raises(JWT::Authenticator::Error) { my_api_v2_jwt_decode(jwt) }
+    assert_match(/\binvalid audience\b/i, error.message)
+    assert_equal(103, error.code)
+  end
+
+  test "missing sub" do
+    jwt = my_api_v2_jwt_encode(my_api_v2_jwt_payload.tap { |p| p.delete(:sub) })
+    error = assert_raises(JWT::Authenticator::Error) { my_api_v2_jwt_decode(jwt) }
+    assert_match(/\binvalid subject\b/i, error.message)
+    assert_equal(103, error.code)
+  end
+
+  test "wrong sub" do
+    jwt = my_api_v2_jwt_encode(my_api_v2_jwt_payload.merge(sub: "qux"))
+    error = assert_raises(JWT::Authenticator::Error) { my_api_v2_jwt_decode(jwt) }
+    assert_match(/\binvalid subject\b/i, error.message)
+    assert_equal(103, error.code)
+  end
+
+  test "token is expired" do
+    jwt = my_api_v2_jwt_encode(my_api_v2_jwt_payload.merge(exp: Time.now.to_i - 5))
+    error = assert_raises(JWT::Authenticator::Error) { my_api_v2_jwt_decode(jwt) }
+    assert_match(/\bexpired\b/i, error.message)
+    assert_equal(104, error.code)
+  end
+
+  test "missing jti" do
+    jwt = my_api_v2_jwt_encode(my_api_v2_jwt_payload.tap { |p| p.delete(:jti) })
+    error = assert_raises(JWT::Authenticator::Error) { my_api_v2_jwt_decode(jwt) }
+    assert_match(/\bmissing jti\b/i, error.message)
+    assert_equal(103, error.code)
+  end
+
+  test "issued at in future" do
+    jwt = my_api_v2_jwt_encode(my_api_v2_jwt_payload.merge(iat: Time.now.to_i + 30))
+    error = assert_raises(JWT::Authenticator::Error) { my_api_v2_jwt_decode(jwt) }
+    assert_match(/\binvalid iat\b/i, error.message)
+    assert_equal(103, error.code)
+  end
+
+  test "loading token verification options from environment (authenticator nested under multiple modules)" do
+    ENV["MY_API_V3_JWT_ISS"] = "bar"
+    authenticator = MyAPI::V3::JWTAuthenticator.instance
+    assert_equal([ENV["MY_API_V3_JWT_ISS"]], authenticator.instance_variable_get(:@verification_options)[:iss])
+  end
+
+private
+
+  def my_api_v1_token_verification_options
+    silence_warnings { Singleton.__init__(MyAPIv1::JWTAuthenticator) }
+    MyAPIv1::JWTAuthenticator.instance.instance_variable_get(:@verification_options)
+  end
+
+  def modify_environment(var, val)
+    prev = ENV[var]
+    ENV[var] = val
+    yield
+  ensure
+    ENV[var] = prev
+  end
+
+  def my_api_v2_jwt_payload
+    { iss: "foo", jti: SecureRandom.uuid, aud: %w[bar baz], sub: "session", dat: {} }
+  end
+
+  def my_api_v2_jwt_encode(payload)
+    JWT.encode(payload, OpenSSL::PKey.read(Base64.urlsafe_decode64(ENV["MY_API_V2_JWT_KEY"])), "RS256")
+  end
+
+  def my_api_v2_jwt_decode(jwt)
+    MyAPIv2::JWTAuthenticator.call("Bearer " + jwt)
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt-authenticator
 version: !ruby/object:Gem::Version
-  version: 1.0.0.rc1
+  version: 1.0.4
 platform: ruby
 authors:
 - Yaroslav Konoplov
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-02 00:00:00.000000000 Z
+date: 2020-10-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: '2.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.1.0
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: method-not-implemented
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.1
+        version: '1.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.0.1
+        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
@@ -62,23 +62,41 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.7'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.7'
-description: JWT auth.
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: The gem provides easy & extendable way to perform JSON Web Token authentication.
 email: eahome00@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files: []
-files: []
-homepage: https://github.com/yivo/jwt-authenticator
+files:
+- ".gitignore"
+- ".ruby-version"
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- jwt-authenticator.gemspec
+- lib/jwt-authenticator.rb
+- lib/jwt-authenticator/version.rb
+- test/helper.rb
+- test/test-jwt-authenticator.rb
+homepage: https://github.com/ruby-jwt/jwt-authenticator
 licenses:
 - Apache-2.0
 metadata: {}
@@ -88,18 +106,19 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - "~>"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: '2.5'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">"
+  - - ">="
     - !ruby/object:Gem::Version
-      version: 1.3.1
+      version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
-summary: JWT auth.
-test_files: []
+summary: JSON Web Token authentication Ruby service.
+test_files:
+- test/helper.rb
+- test/test-jwt-authenticator.rb