jwt-authorizer 1.0.0.beta1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 428eced648fcb226781a748396f9bf30f3647af418ab5c6e059ef3312f92b416
+  data.tar.gz: ec06ac75857191c25081b8a179067a1c216712b05c7bfb11b742f42d45d03509
+SHA512:
+  metadata.gz: 12889b5f4b086638b400f5b7fe49182a68b06e054d80e97409334cc5f88a239fbabfdbb643bf1451f07f3b33ce222ce795cb7ab53025255ca17a9f618b9c1e0e
+  data.tar.gz: 2a7d53727bd6d7defa4567f218c5b84914edbad8100ad9ea80e6bb281fa53444661c73c3989bf32c3ce4225bd64e50e21017e19a720a1e9e66ca21e5a77ab997

data/.codeclimate.yml

@@ -0,0 +1,6 @@
+version: "2"
+plugins:
+  rubocop:
+    enabled: true
+  bundler-audit:
+    enabled: true

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format progress
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,26 @@
+AllCops:
+  TargetRubyVersion: 2.4
+  Exclude:
+    - "db/schema.rb"
+
+Lint/MissingCopEnableDirective:
+  Enabled: false
+
+Style/Documentation:
+  Enabled: false
+
+Style/Encoding:
+  Enabled: false
+
+Metrics/LineLength:
+  Max: 125
+
+Metrics/BlockLength:
+  Exclude:
+    - "spec/**/*.rb"
+
+StringLiterals:
+  EnforcedStyle: double_quotes
+
+DotPosition:
+  EnforcedStyle: leading

data/.travis.yml

@@ -0,0 +1,14 @@
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.4.3
+  - 2.5.0
+before_install: gem install bundler -v 1.16.1
+before_script:
+  - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
+  - chmod +x ./cc-test-reporter
+  - ./cc-test-reporter before-build
+script: bundle exec rspec
+after_script:
+  - ./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT

data/CHANGELOG.md

@@ -0,0 +1,3 @@
+## 1.0.0
+
+- First release :fireworks:

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,74 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at michal.begejowicz@codesthq.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at [http://contributor-covenant.org/version/1/4][version]
+
+[homepage]: http://contributor-covenant.org
+[version]: http://contributor-covenant.org/version/1/4/

data/Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in jwt-authorizer.gemspec
+gemspec

data/Gemfile.lock

@@ -0,0 +1,71 @@
+PATH
+  remote: .
+  specs:
+    jwt-authorizer (1.0.0.beta1)
+      jwt (~> 2.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.0)
+    coderay (1.1.2)
+    diff-lcs (1.3)
+    docile (1.1.5)
+    json (2.1.0)
+    jwt (2.1.0)
+    method_source (0.9.0)
+    parallel (1.12.1)
+    parser (2.5.0.2)
+      ast (~> 2.4.0)
+    powerpack (0.1.1)
+    pry (0.11.3)
+      coderay (~> 1.1.0)
+      method_source (~> 0.9.0)
+    rack (2.0.4)
+    rainbow (3.0.0)
+    rake (12.3.0)
+    rspec (3.7.0)
+      rspec-core (~> 3.7.0)
+      rspec-expectations (~> 3.7.0)
+      rspec-mocks (~> 3.7.0)
+    rspec-core (3.7.1)
+      rspec-support (~> 3.7.0)
+    rspec-expectations (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-mocks (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-support (3.7.1)
+    rubocop (0.53.0)
+      parallel (~> 1.10)
+      parser (>= 2.5)
+      powerpack (~> 0.1)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (~> 1.0, >= 1.0.1)
+    ruby-progressbar (1.9.0)
+    simplecov (0.15.1)
+      docile (~> 1.1.0)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.2)
+    timecop (0.9.1)
+    unicode-display_width (1.3.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 1.16)
+  jwt-authorizer!
+  pry (~> 0.11)
+  rack (~> 2.0)
+  rake (~> 12.0)
+  rspec (~> 3.0)
+  rubocop (~> 0.53)
+  simplecov (~> 0.15)
+  timecop (~> 0.9)
+
+BUNDLED WITH
+   1.16.1

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Michał Begejowicz
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,133 @@
+[![Build Status](https://travis-ci.org/codesthq/jwt-authorizer.svg?branch=master)](https://travis-ci.org/codesthq/jwt-authorizer) [![Test Coverage](https://api.codeclimate.com/v1/badges/5f975bb8720b7ee04326/test_coverage)](https://codeclimate.com/github/codesthq/jwt-authorizer/test_coverage) [![Maintainability](https://api.codeclimate.com/v1/badges/5f975bb8720b7ee04326/maintainability)](https://codeclimate.com/github/codesthq/jwt-authorizer/maintainability)
+
+# JWT::Authorizer
+
+`JWT::Authorizer` makes authorization with [JWT tokens](https://jwt.io/) simple. It allows creating and verifying JWT tokens according to rules (validations) set on specific `Authorizer` class.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'jwt-authorizer'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install jwt-authorizer
+
+## Usage
+
+### Configuration
+
+You can configure your `JWT::Authorizer` classes with `.configuration` and `.configure` options:
+
+```ruby
+JWT::Authorizer.configuration
+
+JWT::Authorizer.configure do |config|
+  config.expiry = 12 * 60 * 60
+  config.algorithm = "RS256"
+  config.secret = { private_key: nil, public_key: ENV["SECRET_KEY"] }
+end
+```
+
+`JWT::Authorizer` have following options available:
+
+* `algorithm` - determines algorithm used on signing and verifying JWT tokens. Defaults to `"HS256"`.
+* `secret` - for [`HMAC`](https://en.wikipedia.org/wiki/HMAC) algorithms it accepts simple `String` with symmetric key, for [`RSA`](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) and [`ECDSA`](https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm) it requires hash with `:private_key` and `:public_key` keys.
+* `expiry` - sets default expiry for generated tokens. Defaults to 1 hour. It can be set to `nil` in order to not include `exp` claim in the token
+* `issuer` - sets `iss` claim in the token. Defaults to `nil`.
+* `allowed_issuers` - array of issuers that will be allowed on token verification. Defaults to empty array, tokens with any value in `iss` claim (and without this claim) will be valid. If array contains any elements, *only* listed issuers will be valid.
+
+Default options can be overriden during instantiation of `JWT::Authorizer` classes:
+
+```ruby
+JWT::Authorizer.configuration.expiry #=> 3600
+JWT::Authorizer.new(expiry: 60).expiry #=> 60
+```
+
+### Generating tokens
+
+To generate JWT token, create instance of `JWT::Authorizer` and call `#build` method. It accepts hash of additional claims you want in your token.
+
+```ruby
+JWT::Authorizer.configuration.secret = "hmac"
+JWT::Authorizer.new.build(level: :admin)
+#=> "eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1MjAyODQ3MTcsImxldmVsIjoiYWRtaW4ifQ.nHRIBBjzteHuzygij-BlfXx3YIvfeO39Qh84hq729KQ"
+```
+
+### Verifying tokens
+
+To verify token, use `JWT::Authorizer#verify` method.
+
+```ruby
+JWT::Authorizer.configuration.secret = "hmac"
+token = "eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1MjAyODUwMzd9.CO8K_mqXCZfu8W12tpYcBo1WyrLZAmEMmr8R-HM3a5E"
+JWT::Authorizer.new.verify(token)
+#=> [{"exp"=>1520285037}, {"alg"=>"HS256"}]
+JWT::Authorizer.new.verify(nil)
+# JWT::DecodeError: Nil JSON web token
+JWT::Authorizer.new.verify("eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjB9.nooope")
+# JWT::VerificationError: Signature verification raised
+```
+
+### Validators
+
+You can use validators to verify non-standard claims.
+
+```ruby
+class AdminAuthorizer < JWT::Authorizer
+  validate :level, required: true do |value, _context|
+    raise JWT::DecodeError, "Level must be admin" unless value == "admin"
+  end
+end
+
+valid_token = "eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1MjAyODUzMzksImxldmVsIjoiYWRtaW4ifQ.OeIPSbtqlmcSJ1tUkLb7HhhMSlcAXKkrZhSOhgvYRHE"
+AdminAuthorizer.new.verify(valid_token)
+# [{"exp"=>1520285339, "level"=>"admin"}, {"alg"=>"HS256"}]
+missing_claim = "eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1MjAyODUzODd9.ncXmy81O64OjLNP4eCdAyVklAfGqdYiWp0K6FoI1pec"
+AdminAuthorizer.new.verify(missing_claim)
+# JWT::Authorizer::MissingClaim: Token is missing required claim: level
+invalid_value = "eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1MjAyODU0MzQsImxldmVsIjoicmVndWxhciJ9.z16nhJcOpRJmDZdkrDrdo1TetQ9YZpYiQmBdc53lnV0"
+AdminAuthorizer.new.verify(invalid_value)
+# JWT::DecodeError: Level must be admin
+```
+
+`required` option is by default set to `false`. If set to `true`, given claim *must* be present in verified token.
+
+You can pass additional context to validators:
+
+```ruby
+class AdminAuthorizer < JWT::Authorizer
+  validate :path do |value, rack_request|
+    raise JWT::DecodeError, "invalid path" unless value == rack_request.path
+  end
+end
+
+AdminAuthorizer.new.verify(token, rack_request)
+```
+
+See [`JWT::RequestAuthorizer`](lib/jwt/request_authorizer.rb) and it's [spec](spec/jwt/request_authorizer_spec.rb) for examples.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/[USERNAME]/jwt-authorizer. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the [Contributor Covenant](http://contributor-covenant.org) code of conduct.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+## Code of Conduct
+
+Everyone interacting in the JWT::Authorizer project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/[USERNAME]/jwt-authorizer/blob/master/CODE_OF_CONDUCT.md).

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/console

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "bundler/setup"
+require "jwt/authorizer"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+require "pry"
+Pry.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/jwt-authorizer.gemspec

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+lib = File.expand_path("lib", __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "jwt/authorizer/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "jwt-authorizer"
+  spec.version       = JWT::Authorizer::VERSION
+  spec.authors       = ["Michał Begejowicz"]
+  spec.email         = ["michal.begejowicz@codesthq.com"]
+
+  spec.summary       = "Authorization of requests for microservices based on JWT"
+  spec.description   = "Authorization of requests for microservices based on JWT"
+  spec.homepage      = "https://github.com/codesthq/jwt-authorizer"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^spec/}) }
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "jwt", "~> 2.1"
+
+  spec.add_development_dependency "bundler", "~> 1.16"
+  spec.add_development_dependency "pry", "~> 0.11"
+  spec.add_development_dependency "rack", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 12.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency "rubocop", "~> 0.53"
+  spec.add_development_dependency "simplecov", "~> 0.15"
+  spec.add_development_dependency "timecop", "~> 0.9"
+end

data/lib/jwt/authorizer/builder.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module JWT
+  class Authorizer
+    module Builder
+      def build(claims = {})
+        payload = default_claims.merge!(claims)
+        JWT.encode payload, secret[:private], algorithm
+      end
+
+      private
+
+      def default_claims
+        {}.tap do |result|
+          result[:exp] = (Time.now + expiry).to_i if expiry
+          result[:iss] = issuer if issuer
+        end
+      end
+    end
+  end
+end

data/lib/jwt/authorizer/claim_validator.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module JWT
+  class Authorizer
+    class MissingClaim < StandardError
+      attr_reader :claim
+
+      def initialize(claim)
+        @claim = claim
+        super("Token is missing required claim: #{claim}")
+      end
+    end
+
+    class ClaimValidator
+      attr_reader :name, :required, :verifier
+
+      def initialize(name:, required: false, &block)
+        @name = name.to_s
+        @required = required
+        @verifier = block
+      end
+
+      def validate(token, context)
+        value = token.dig(0, name)
+        raise MissingClaim, name if required && !value
+        return unless value
+
+        verifier.call(value, context)
+      end
+    end
+  end
+end

data/lib/jwt/authorizer/configurable.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+module JWT
+  class Authorizer
+    module Configurable
+      def self.included(base)
+        base.extend(ClassMethods)
+        base.extend(Forwardable)
+        base.delegate %i[algorithm secret expiry issuer allowed_issuers] => :@config
+      end
+
+      def initialize(**options)
+        @config = self.class.configuration.dup.merge(options)
+      end
+
+      module ClassMethods
+        def inherited(subclass)
+          subclass.instance_variable_set("@configuration", configuration.dup)
+          super
+        end
+
+        def configuration
+          @configuration ||= Configuration.new
+        end
+
+        def configure
+          yield configuration
+          configuration
+        end
+
+        def new(*args)
+          configuration.freeze unless configuration.frozen?
+          super
+        end
+      end
+    end
+  end
+end

data/lib/jwt/authorizer/configuration.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module JWT
+  class Authorizer
+    class Configuration
+      ATTRIBUTES = %i[algorithm secret expiry issuer allowed_issuers].freeze
+
+      ALGORITHMS = {
+        "HS256" => :hmac, "HS512256" => :hmac, "HS384" => :hmac, "HS512" => :hmac,
+        "RS256" => :rsa, "RS384" => :rsa, "RS512" => :rsa,
+        "ES256" => :ecdsa, "ES384" => :ecdsa, "ES512" => :ecdsa
+      }.freeze
+
+      def initialize
+        @algorithm = "HS256"
+        @expiry = 60 * 60
+        @allowed_issuers = []
+      end
+
+      attr_accessor :expiry, :allowed_issuers, :issuer
+      attr_reader :secret, :algorithm
+
+      def algorithm=(value)
+        assert_algorithm_valid(value)
+        @algorithm = value.to_s
+      end
+
+      def secret=(hmac_key = nil, private_key: nil, public_key: nil)
+        @secret = case algorithm_type
+                  when :hmac
+                    { private: hmac_key, public: hmac_key }
+                  else
+                    { private: private_key, public: public_key }
+                  end
+      end
+
+      def algorithm_type
+        ALGORITHMS[algorithm]
+      end
+
+      def to_h
+        ATTRIBUTES.each_with_object({}) { |attribute, hash| hash[attribute] = send(attribute) }
+      end
+
+      def merge(options)
+        unpermitted_options = options.keys.map(&:to_sym) - ATTRIBUTES
+        raise ArgumentError, "Unpermitted options: #{unpermitted_options.join(', ')}" if unpermitted_options.any?
+
+        options.each do |key, value|
+          send("#{key}=", value)
+        end
+
+        self
+      end
+
+      def dup
+        super.tap do |new_config|
+          new_config.instance_variable_set("@allowed_issuers", allowed_issuers.dup)
+          new_config.instance_variable_set("@secret", secret.dup)
+        end
+      end
+
+      def freeze
+        super
+        allowed_issuers.freeze
+        secret.freeze
+      end
+
+      private
+
+      def assert_algorithm_valid(algorithm)
+        return if ALGORITHMS.key?(algorithm.to_s)
+        raise ArgumentError, "Unknown algorithm: #{algorithm}. Should be one of: #{ALGORITHMS.keys.join(', ')}"
+      end
+    end
+  end
+end

data/lib/jwt/authorizer/validation.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module JWT
+  class Authorizer
+    module Validation
+      def self.included(base)
+        base.extend(ClassMethods)
+      end
+
+      def verify(token, context = nil)
+        super(token).tap do |decoded|
+          validate_token(decoded, context)
+        end
+      end
+
+      private
+
+      def validate_token(token, context)
+        self.class.validators.each do |validator|
+          validator.validate(token, context)
+        end
+      end
+
+      module ClassMethods
+        def inherited(subclass)
+          subclass.instance_variable_set("@validators", validators.dup)
+          super
+        end
+
+        def validators
+          @validators ||= []
+        end
+
+        def validate(claim_name, required: false, &block)
+          validators << ClaimValidator.new(name: claim_name, required: required, &block)
+        end
+      end
+    end
+  end
+end

data/lib/jwt/authorizer/verifier.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module JWT
+  class Authorizer
+    module Verifier
+      def verify(token)
+        JWT.decode token, secret[:public], true, decode_options
+      end
+
+      private
+
+      def decode_options
+        {}.tap do |result|
+          if allowed_issuers.any?
+            result[:iss] = allowed_issuers
+            result[:verify_iss] = true
+          end
+          result[:algorithm] = algorithm
+        end
+      end
+    end
+  end
+end

data/lib/jwt/authorizer/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module JWT
+  class Authorizer
+    VERSION = "1.0.0.beta1"
+  end
+end

data/lib/jwt/authorizer.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require "jwt/authorizer/version"
+require "jwt"
+
+require "jwt/authorizer/builder"
+require "jwt/authorizer/configuration"
+require "jwt/authorizer/configurable"
+require "jwt/authorizer/verifier"
+
+require "jwt/authorizer/claim_validator"
+require "jwt/authorizer/validation"
+
+module JWT
+  class Authorizer
+    include Configurable
+    include Builder
+    include Verifier
+    include Validation
+  end
+end
+
+require "jwt/request_authorizer"

data/lib/jwt/request_authorizer.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module JWT
+  class RequestAuthorizer < Authorizer
+    class << self
+      attr_writer :token_extractor
+
+      def token_extractor
+        @token_extractor ||= proc { |req| req.env["X-Auth-Token"] || req.params["_t"] }
+      end
+    end
+
+    validate :path, required: true do |value, rack_req|
+      raise JWT::DecodeError, "Unexpected path: #{value}" unless value == rack_req.path
+    end
+
+    validate :verb, required: true do |value, rack_req|
+      raise JWT::DecodeError, "Unexpected request method: #{value}" unless value.to_s.upcase == rack_req.request_method
+    end
+
+    def verify(rack_request)
+      token = self.class.token_extractor.call(rack_request)
+
+      super(token, rack_request)
+    end
+  end
+end

metadata

@@ -0,0 +1,194 @@
+--- !ruby/object:Gem::Specification
+name: jwt-authorizer
+version: !ruby/object:Gem::Version
+  version: 1.0.0.beta1
+platform: ruby
+authors:
+- Michał Begejowicz
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-03-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.16'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.11'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '12.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.53'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.53'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.15'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.15'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+description: Authorization of requests for microservices based on JWT
+email:
+- michal.begejowicz@codesthq.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".codeclimate.yml"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".travis.yml"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- Gemfile
+- Gemfile.lock
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- jwt-authorizer.gemspec
+- lib/jwt/authorizer.rb
+- lib/jwt/authorizer/builder.rb
+- lib/jwt/authorizer/claim_validator.rb
+- lib/jwt/authorizer/configurable.rb
+- lib/jwt/authorizer/configuration.rb
+- lib/jwt/authorizer/validation.rb
+- lib/jwt/authorizer/verifier.rb
+- lib/jwt/authorizer/version.rb
+- lib/jwt/request_authorizer.rb
+homepage: https://github.com/codesthq/jwt-authorizer
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">"
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.3
+signing_key: 
+specification_version: 4
+summary: Authorization of requests for microservices based on JWT
+test_files: []