jwt-rack 0.0.0 → 0.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bef98cd84654986f72aac0d1b8fc9a64f762bd0e784e39929e15893a3868c586
-  data.tar.gz: 8b70bf2c4dcd2ea7b92fed3c6121c834195eb9365a320acacbd7ff639ad20f2e
+  metadata.gz: 75d32bd64c673a5aac017606f4599fb69dbbff77ff1bd1e2ce24539d1394c4d5
+  data.tar.gz: 602cf6f50f172758e1be322196091e27ccfa1dadb7b50574b2e985e60013edee
 SHA512:
-  metadata.gz: fe5702dd93cecb195a467a1f037c67a7d052ebabb67714d131ed118e34755b6c2155bec6b13853c4df8d0ad9c49a7c578efa2d2bc4de106b1919ee5e9a286eda
-  data.tar.gz: 28ec9ecb2e24e958cee55899054589ff55a35dc7bb86f9e80cb322e958747157de2f37e60b249878c792e454100d4b7c6608c066b1c319a5c51cc03f200d7328
+  metadata.gz: f5b44a1728ec958adee9246e5e59c37e975683d4bb46c6147c610bd5d0083906c38dc7811182d574ce87b78e747c574c0a4a1582ed1a7e6fd66723168d77bce7
+  data.tar.gz: 65eca4b7d2f3ea28d6e2ad842ed1b71b48c7c8db5834ba675b9c29213da6b258488056e1b403976587f1466160c37411d9c68a41d2e7db9555f3f317d5938743

data/.gitignore

@@ -7,5 +7,7 @@
 /spec/reports/
 /tmp/
 
+Gemfile.lock
+
 # rspec failure tracking
 .rspec_status

data/Gemfile

@@ -1,4 +1,6 @@
-source "https://rubygems.org"
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
 
 # Specify your gem's dependencies in jwt-rack.gemspec
 gemspec

data/README.md

@@ -8,6 +8,8 @@
 
 This gem provides JSON Web Token (JWT) based authentication.
 
+#### TODO: Mention original gem [source](https://github.com/eparreno/rack-jwt)
+
 ## Requirements
 
 - Ruby 2.3.8 or greater

data/Rakefile

@@ -1,6 +1,8 @@
-require "bundler/gem_tasks"
-require "rspec/core/rake_task"
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
 
 RSpec::Core::RakeTask.new(:spec)
 
-task :default => :spec
+task default: :spec

data/bin/console

@@ -1,7 +1,8 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
-require "bundler/setup"
-require "jwt/rack"
+require 'bundler/setup'
+require 'jwt/rack'
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.
@@ -10,5 +11,5 @@ require "jwt/rack"
 # require "pry"
 # Pry.start
 
-require "irb"
+require 'irb'
 IRB.start(__FILE__)

data/jwt-rack.gemspec

@@ -1,41 +1,44 @@
-lib = File.expand_path("lib", __dir__)
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
 $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-require "jwt/rack/version"
+require 'jwt/rack/version'
 
 Gem::Specification.new do |spec|
-  spec.name          = "jwt-rack"
-  spec.version       = Jwt::Rack::VERSION
-  spec.authors       = ["Yaroslav Savchuk"]
-  spec.email         = ["savchukyarpolk@gmail.com"]
+  spec.name          = 'jwt-rack'
+  spec.version       = JWT::Rack::VERSION
+  spec.authors       = ['Yaroslav Savchuk']
+  spec.email         = ['savchukyarpolk@gmail.com']
 
-  spec.summary       = %q{Rack middleware that provides authentication based on JSON Web Tokens.}
-  spec.description   = %q{Rack middleware that provides authentication based on JSON Web Tokens.}
-  spec.homepage      = "https://github.com/ysv/jwt-rack"
-  spec.license       = "MIT"
+  spec.summary       = 'Rack middleware that provides authentication based on JSON Web Tokens.'
+  spec.description   = 'Rack middleware that provides authentication based on JSON Web Tokens.'
+  spec.homepage      = 'https://github.com/ysv/jwt-rack'
+  spec.license       = 'MIT'
 
-  spec.metadata["homepage_uri"] = spec.homepage
-  spec.metadata["source_code_uri"] = "https://github.com/ysv/jwt-rack"
-  spec.metadata["changelog_uri"] = "https://github.com/ysv/jwt-rack/blob/master/CHANGELOG.md"
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = 'https://github.com/ysv/jwt-rack'
+  spec.metadata['changelog_uri'] = 'https://github.com/ysv/jwt-rack/blob/master/CHANGELOG.md'
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
-  spec.files         = Dir.chdir(File.expand_path('..', __FILE__)) do
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
     `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   end
-  spec.bindir        = "exe"
+  spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
 
   spec.platform      = Gem::Platform::RUBY
   spec.required_ruby_version = '>= 2.3.8'
 
-  spec.add_development_dependency 'bundler',   '>= 1.16.2'
-  spec.add_development_dependency 'rake',      '>= 12.0.0'
+  spec.add_development_dependency 'bundler', '>= 1.16.2'
+  spec.add_development_dependency 'pry-byebug', '~> 3.7'
   spec.add_development_dependency 'rack-test', '>= 1.0.0'
+  spec.add_development_dependency 'rake',      '>= 12.0.0'
+  spec.add_development_dependency 'rbnacl',    '>= 6.0.1'
   spec.add_development_dependency 'rspec',     '>= 3.8.0'
   spec.add_development_dependency 'simplecov', '>= 0.16.0'
-  spec.add_development_dependency 'rbnacl',    '>= 6.0.1'
 
+  spec.add_runtime_dependency 'jwt', '~> 2.1.0'
   spec.add_runtime_dependency 'rack'
-  spec.add_runtime_dependency 'jwt',  '~> 2.1.0'
 end

data/lib/jwt/rack.rb

@@ -1,8 +1,10 @@
-require "jwt/rack/version"
+# frozen_string_literal: true
 
-module Jwt
+require 'jwt/rack/version'
+
+module JWT
   module Rack
-    class Error < StandardError; end
-    # Your code goes here...
+    autoload :Auth,  'jwt/rack/auth'
+    autoload :Token, 'jwt/rack/token'
   end
 end

data/lib/jwt/rack/auth.rb

@@ -0,0 +1,212 @@
+# frozen_string_literal: true
+
+require 'jwt'
+
+module JWT
+  module Rack
+    # Authentication middleware
+    class Auth
+      attr_reader :secret
+      attr_reader :verify
+      attr_reader :options
+      attr_reader :exclude
+
+      SUPPORTED_ALGORITHMS = [
+        'none',
+        'HS256',
+        'HS384',
+        'HS512',
+        'RS256',
+        'RS384',
+        'RS512',
+        'ES256',
+        'ES384',
+        'ES512',
+        ('ED25519' if defined?(RbNaCl))
+      ].compact.freeze
+
+      DEFAULT_ALGORITHM = 'HS256'
+
+      # The last segment gets dropped for 'none' algorithm since there is no
+      # signature so both of these patterns are valid. All character chunks
+      # are base64url format and periods.
+      #   Bearer abc123.abc123.abc123
+      #   Bearer abc123.abc123.
+      BEARER_TOKEN_REGEX = %r{
+        ^Bearer\s{1}(       # starts with Bearer and a single space
+        [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
+        [a-zA-Z0-9\-\_]+\.  # 1 or more chars followed by a single period
+        [a-zA-Z0-9\-\_]*    # 0 or more chars, no trailing chars
+        )$
+      }x.freeze
+
+      JWT_DECODE_ERRORS = [
+        ::JWT::DecodeError,
+        ::JWT::VerificationError,
+        ::JWT::ExpiredSignature,
+        ::JWT::IncorrectAlgorithm,
+        ::JWT::ImmatureSignature,
+        ::JWT::InvalidIssuerError,
+        ::JWT::InvalidIatError,
+        ::JWT::InvalidAudError,
+        ::JWT::InvalidSubError,
+        ::JWT::InvalidJtiError,
+        ::JWT::InvalidPayload
+      ].freeze
+
+      MissingAuthHeader = Class.new(StandardError)
+      InvalidAuthHeaderFormat = Class.new(StandardError)
+
+      ERRORS_TO_RESCUE = (JWT_DECODE_ERRORS + [MissingAuthHeader, InvalidAuthHeaderFormat]).freeze
+
+      # Initialization should fail fast with an ArgumentError
+      # if any args are invalid.
+      def initialize(app, opts = {})
+        @app     = app
+        @secret  = opts.fetch(:secret, nil)
+        @verify  = opts.fetch(:verify, true)
+        @options = opts.fetch(:options, {})
+        @exclude = opts.fetch(:exclude, [])
+
+        @on_error = opts.fetch(:on_error, method(:default_on_error))
+
+        @secret = @secret.strip if @secret.is_a?(String)
+        @options[:algorithm] = DEFAULT_ALGORITHM if @options[:algorithm].nil?
+
+        check_secret_type!
+        check_secret!
+        check_secret_and_verify_for_none_alg!
+        check_verify_type!
+        check_options_type!
+        check_valid_algorithm!
+        check_exclude_type!
+        check_on_error_callable!
+      end
+
+      def call(env)
+        if path_matches_excluded_path?(env)
+          @app.call(env)
+        else
+          verify_token(env)
+        end
+      end
+
+      private
+
+      def verify_token(env)
+        raise MissingAuthHeader if missing_auth_header?(env)
+        raise InvalidAuthHeaderFormat if invalid_auth_header?(env)
+
+        # extract the token from the Authorization: Bearer header
+        # with a regex capture group.
+        token = BEARER_TOKEN_REGEX.match(env['HTTP_AUTHORIZATION'])[1]
+
+        decoded_token = Token.decode(token, @secret, @verify, @options)
+        env['jwt.payload'] = decoded_token.first
+        env['jwt.header'] = decoded_token.last
+        @app.call(env)
+      rescue *ERRORS_TO_RESCUE => e
+        @on_error.call(e)
+      end
+
+      def check_secret_type!
+        unless Token.secret_of_valid_type?(@secret)
+          raise ArgumentError, 'secret argument must be a valid type'
+        end
+      end
+
+      def check_secret!
+        if @secret.nil? || (@secret.is_a?(String) && @secret.empty?)
+          unless @options[:algorithm] == 'none'
+            raise ArgumentError, 'secret argument can only be nil/empty for the "none" algorithm'
+          end
+        end
+      end
+
+      def check_secret_and_verify_for_none_alg!
+        if @options && @options[:algorithm] && @options[:algorithm] == 'none'
+          unless @secret.nil? && @verify.is_a?(FalseClass)
+            raise ArgumentError, 'when "none" the secret must be "nil" and verify "false"'
+          end
+        end
+      end
+
+      def check_verify_type!
+        unless verify.is_a?(TrueClass) || verify.is_a?(FalseClass)
+          raise ArgumentError, 'verify argument must be true or false'
+        end
+      end
+
+      def check_options_type!
+        raise ArgumentError, 'options argument must be a Hash' unless options.is_a?(Hash)
+      end
+
+      def check_valid_algorithm!
+        unless @options &&
+               @options[:algorithm] &&
+               SUPPORTED_ALGORITHMS.include?(@options[:algorithm])
+          raise ArgumentError, 'algorithm argument must be a supported type'
+        end
+      end
+
+      def check_exclude_type!
+        raise ArgumentError, 'exclude argument must be an Array' unless @exclude.is_a?(Array)
+
+        @exclude.each do |x|
+          raise ArgumentError, 'each exclude Array element must be a String' unless x.is_a?(String)
+
+          raise ArgumentError, 'each exclude Array element must not be empty' if x.empty?
+
+          unless x.start_with?('/')
+            raise ArgumentError, 'each exclude Array element must start with a /'
+          end
+        end
+      end
+
+      def check_on_error_callable!
+        unless @on_error.respond_to?(:call)
+          raise ArgumentError, 'on_error argument must respond to call'
+        end
+      end
+
+      def path_matches_excluded_path?(env)
+        @exclude.any? { |ex| env['PATH_INFO'].start_with?(ex) }
+      end
+
+      def valid_auth_header?(env)
+        env['HTTP_AUTHORIZATION'] =~ BEARER_TOKEN_REGEX
+      end
+
+      def invalid_auth_header?(env)
+        !valid_auth_header?(env)
+      end
+
+      def missing_auth_header?(env)
+        env['HTTP_AUTHORIZATION'].nil? || env['HTTP_AUTHORIZATION'].strip.empty?
+      end
+
+      def default_on_error(error)
+        error_message = {
+          ::JWT::DecodeError => 'Invalid JWT token : Decode Error',
+          ::JWT::VerificationError => 'Invalid JWT token : Signature Verification Error',
+          ::JWT::ExpiredSignature => 'Invalid JWT token : Expired Signature (exp)',
+          ::JWT::IncorrectAlgorithm => 'Invalid JWT token : Incorrect Key Algorithm',
+          ::JWT::ImmatureSignature => 'Invalid JWT token : Immature Signature (nbf)',
+          ::JWT::InvalidIssuerError => 'Invalid JWT token : Invalid Issuer (iss)',
+          ::JWT::InvalidIatError => 'Invalid JWT token : Invalid Issued At (iat)',
+          ::JWT::InvalidAudError => 'Invalid JWT token : Invalid Audience (aud)',
+          ::JWT::InvalidSubError => 'Invalid JWT token : Invalid Subject (sub)',
+          ::JWT::InvalidJtiError => 'Invalid JWT token : Invalid JWT ID (jti)',
+          ::JWT::InvalidPayload => 'Invalid JWT token : Invalid Payload',
+          MissingAuthHeader => 'Missing Authorization header',
+          InvalidAuthHeaderFormat => 'Invalid Authorization header format'
+        }
+        message = error_message.fetch(error.class)
+        body    = { error: message }.to_json
+        headers = { 'Content-Type' => 'application/json', 'Content-Length' => body.bytesize.to_s }
+
+        [401, headers, [body]]
+      end
+    end
+  end
+end

data/lib/jwt/rack/token.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module JWT
+  module Rack
+    # Token encoding and decoding
+    class Token
+      # abc123.abc123.abc123    (w/ signature)
+      # abc123.abc123.          ('none')
+      TOKEN_REGEX = /\A([a-zA-Z0-9\-\_\~\+\\]+\.[a-zA-Z0-9\-\_\~\+\\]+\.[a-zA-Z0-9\-\_\~\+\\]*)\z/.freeze
+      DEFAULT_HEADERS = { typ: 'JWT' }.freeze
+
+      def self.encode(payload, secret, alg = 'HS256')
+        raise 'Invalid payload. Must be a Hash.' unless payload.is_a?(Hash)
+        raise 'Invalid secret type.'             unless secret_of_valid_type?(secret)
+        raise 'Unsupported algorithm'            unless algorithm_supported?(alg)
+
+        # if using an unsigned token ('none' alg) you *must* set the `secret`
+        # to `nil` in which case any user provided `secret` will be ignored.
+        if alg == 'none'
+          ::JWT.encode(payload, nil, alg, DEFAULT_HEADERS)
+        else
+          ::JWT.encode(payload, secret, alg, DEFAULT_HEADERS)
+        end
+      end
+
+      def self.decode(token, secret, verify, options = {})
+        raise 'Invalid token format.'     unless valid_token_format?(token)
+        raise 'Invalid secret type.'      unless secret_of_valid_type?(secret)
+        raise 'Unsupported verify value.' unless verify_of_valid_type?(verify)
+
+        options[:algorithm] = 'HS256'     if options[:algorithm].nil?
+        raise 'Unsupported algorithm'     unless algorithm_supported?(options[:algorithm])
+
+        # If using an unsigned 'none' algorithm token you *must* set the
+        # `secret` to `nil` and `verify` to `false` or it won't work per
+        # the ruby-jwt docs. Using 'none' is probably not recommended.
+        if options[:algorithm] == 'none'
+          ::JWT.decode(token, nil, false, options)
+        else
+          ::JWT.decode(token, secret, verify, options)
+        end
+      end
+
+      def self.secret_of_valid_type?(secret)
+        secret.nil? ||
+          secret.is_a?(String) ||
+          secret.is_a?(OpenSSL::PKey::RSA) ||
+          secret.is_a?(OpenSSL::PKey::EC)  ||
+          (defined?(RbNaCl) && secret.is_a?(RbNaCl::Signatures::Ed25519::SigningKey)) ||
+          (defined?(RbNaCl) && secret.is_a?(RbNaCl::Signatures::Ed25519::VerifyKey))
+      end
+
+      # Private Utility Class Methods
+      # See : https://gist.github.com/Integralist/bb8760d11a03c88da151
+
+      def self.valid_token_format?(token)
+        token =~ TOKEN_REGEX
+      end
+      private_class_method :valid_token_format?
+
+      def self.algorithm_supported?(alg)
+        JWT::Rack::Auth::SUPPORTED_ALGORITHMS.include?(alg)
+      end
+      private_class_method :algorithm_supported?
+
+      def self.verify_of_valid_type?(verify)
+        verify.nil? || verify.is_a?(FalseClass) || verify.is_a?(TrueClass)
+      end
+      private_class_method :verify_of_valid_type?
+    end
+  end
+end

data/lib/jwt/rack/version.rb

@@ -1,5 +1,7 @@
-module Jwt
+# frozen_string_literal: true
+
+module JWT
   module Rack
-    VERSION = "0.0.0"
+    VERSION = '0.1.0'
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jwt-rack
 version: !ruby/object:Gem::Version
-  version: 0.0.0
+  version: 0.1.0
 platform: ruby
 authors:
 - Yaroslav Savchuk
@@ -25,19 +25,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 1.16.2
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: pry-byebug
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 12.0.0
+        version: '3.7'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: 12.0.0
+        version: '3.7'
 - !ruby/object:Gem::Dependency
   name: rack-test
   requirement: !ruby/object:Gem::Requirement
@@ -53,61 +53,61 @@ dependencies:
       - !ruby/object:Gem::Version
         version: 1.0.0
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.8.0
+        version: 12.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 3.8.0
+        version: 12.0.0
 - !ruby/object:Gem::Dependency
-  name: simplecov
+  name: rbnacl
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.16.0
+        version: 6.0.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 0.16.0
+        version: 6.0.1
 - !ruby/object:Gem::Dependency
-  name: rbnacl
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.1
+        version: 3.8.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 6.0.1
+        version: 3.8.0
 - !ruby/object:Gem::Dependency
-  name: rack
+  name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
+        version: 0.16.0
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 0.16.0
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
@@ -122,6 +122,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 2.1.0
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Rack middleware that provides authentication based on JSON Web Tokens.
 email:
 - savchukyarpolk@gmail.com
@@ -141,6 +155,8 @@ files:
 - bin/setup
 - jwt-rack.gemspec
 - lib/jwt/rack.rb
+- lib/jwt/rack/auth.rb
+- lib/jwt/rack/token.rb
 - lib/jwt/rack/version.rb
 homepage: https://github.com/ysv/jwt-rack
 licenses:
@@ -164,7 +180,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubyforge_project: 
+rubygems_version: 2.7.8
 signing_key: 
 specification_version: 4
 summary: Rack middleware that provides authentication based on JSON Web Tokens.