jwt_auth_cognito 0.1.0 → 0.3.0

data/lib/jwt_auth_cognito/api_key_validator.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module JwtAuthCognito
+  class ApiKeyValidator
+    def initialize(config)
+      @config = config
+      @redis_service = RedisService.new(config)
+    end
+
+    def validate_api_key(api_key)
+      # Validate basic format (64 hex characters)
+      return { valid: false, error: 'Invalid API key format' } unless api_key&.match?(/\A[a-fA-F0-9]{64}\z/)
+
+      begin
+        key_data = @redis_service.get("api-keys:#{api_key}")
+        return { valid: false, error: 'API key not found' } unless key_data
+
+        parsed = JSON.parse(key_data)
+
+        # Verify it's active
+        return { valid: false, error: 'API key is inactive' } unless parsed['isActive']
+
+        # Update last used (fire and forget for performance)
+        update_last_used(api_key, parsed)
+
+        {
+          valid: true,
+          key_data: {
+            name: parsed['name'],
+            permissions: parsed['permissions'],
+            app_id: parsed['appId'],
+            scope: parsed['scope'],
+            created_at: parsed['createdAt'],
+            last_used: parsed['lastUsed'],
+            is_active: parsed['isActive'],
+            metadata: parsed['metadata'] || {}
+          }
+        }
+      rescue StandardError => e
+        puts "Error validating API key: #{e.message}"
+        { valid: false, error: 'API key validation failed' }
+      end
+    end
+
+    def has_permission?(key_data, permission)
+      key_data[:permissions]&.include?(permission) || false
+    end
+
+    def system_api_key?(key_data)
+      key_data[:scope] == 'system'
+    end
+
+    def client_api_key?(key_data)
+      key_data[:scope] == 'client'
+    end
+
+    def can_access_app?(key_data, app_id)
+      # System API keys can access any app
+      return true if key_data[:scope] == 'system'
+
+      # App API keys can only access their specific app
+      context_app_id = key_data[:app_id] || key_data[:metadata]&.dig('appId')
+      context_app_id == app_id
+    end
+
+    private
+
+    def update_last_used(api_key, key_data)
+      Thread.new do
+        key_data['lastUsed'] = (Time.now.to_f * 1000).to_i
+        @redis_service.set("api-keys:#{api_key}", key_data.to_json)
+      rescue StandardError => e
+        puts "Error updating last used timestamp: #{e.message}"
+      end
+    end
+  end
+end

data/lib/jwt_auth_cognito/configuration.rb

@@ -7,34 +7,40 @@ module JwtAuthCognito
                   :redis_ssl, :redis_timeout, :redis_connect_timeout, :redis_read_timeout,
                   :redis_ca_cert_path, :redis_ca_cert_name, :redis_verify_mode,
                   :redis_tls_min_version, :redis_tls_max_version,
-                  :jwks_cache_ttl, :validation_mode, :environment
+                  :redis_ca_cert_ssm_path, :redis_ca_cert_ssm_name,
+                  :jwks_cache_ttl, :validation_mode, :environment,
+                  :enable_api_key_validation, :enable_user_data_retrieval
 
     def initialize
-      @cognito_region = ENV['COGNITO_REGION'] || ENV['AWS_REGION'] || "us-east-1"
-      @cognito_user_pool_id = ENV['COGNITO_USER_POOL_ID']
-      @cognito_client_id = ENV['COGNITO_CLIENT_ID']
-      @cognito_client_secret = ENV['COGNITO_CLIENT_SECRET']
-      
+      @cognito_region = ENV['COGNITO_REGION'] || ENV['AWS_REGION'] || 'us-east-1'
+      @cognito_user_pool_id = ENV.fetch('COGNITO_USER_POOL_ID', nil)
+      @cognito_client_id = ENV.fetch('COGNITO_CLIENT_ID', nil)
+      @cognito_client_secret = ENV.fetch('COGNITO_CLIENT_SECRET', nil)
+
       # Redis configuration with environment variables
-      @redis_host = ENV['REDIS_HOST'] || "localhost"
+      @redis_host = ENV['REDIS_HOST'] || 'localhost'
       @redis_port = (ENV['REDIS_PORT'] || 6379).to_i
-      @redis_password = ENV['REDIS_PASSWORD']
+      @redis_password = ENV.fetch('REDIS_PASSWORD', nil)
       @redis_db = (ENV['REDIS_DB'] || 0).to_i
       @redis_ssl = ENV['REDIS_TLS'] == 'true' || ENV['REDIS_SSL'] == 'true'
       @redis_timeout = (ENV['REDIS_TIMEOUT'] || 5).to_i
       @redis_connect_timeout = (ENV['REDIS_CONNECT_TIMEOUT'] || 10).to_i
       @redis_read_timeout = (ENV['REDIS_READ_TIMEOUT'] || 10).to_i
-      
+
       # TLS specific configuration
-      @redis_ca_cert_path = ENV['REDIS_CA_CERT_PATH']
-      @redis_ca_cert_name = ENV['REDIS_CA_CERT_NAME']
+      @redis_ca_cert_path = ENV.fetch('REDIS_CA_CERT_PATH', nil)
+      @redis_ca_cert_name = ENV.fetch('REDIS_CA_CERT_NAME', nil)
+      @redis_ca_cert_ssm_path = ENV.fetch('REDIS_CA_CERT_SSM_PATH', nil)
+      @redis_ca_cert_ssm_name = ENV.fetch('REDIS_CA_CERT_SSM_NAME', nil)
       @redis_verify_mode = ENV['REDIS_VERIFY_MODE'] || 'peer'
       @redis_tls_min_version = ENV['REDIS_TLS_MIN_VERSION'] || 'TLSv1.2'
       @redis_tls_max_version = ENV['REDIS_TLS_MAX_VERSION'] || 'TLSv1.3'
-      
+
       @jwks_cache_ttl = (ENV['JWKS_CACHE_TTL'] || 3600).to_i # 1 hour
       @environment = ENV['RAILS_ENV'] || ENV['RACK_ENV'] || ENV['NODE_ENV'] || 'development'
       @validation_mode = production? ? :secure : :basic
+      @enable_api_key_validation = ENV['ENABLE_API_KEY_VALIDATION'] == 'true'
+      @enable_user_data_retrieval = ENV['ENABLE_USER_DATA_RETRIEVAL'] == 'true'
     end
 
     def production?
@@ -54,9 +60,9 @@ module JwtAuthCognito
     end
 
     def validate!
-      raise ConfigurationError, "cognito_user_pool_id is required" unless cognito_user_pool_id
-      raise ConfigurationError, "cognito_region is required" unless cognito_region
-      raise ConfigurationError, "redis_host is required" unless redis_host
+      raise ConfigurationError, 'cognito_user_pool_id is required' unless cognito_user_pool_id
+      raise ConfigurationError, 'cognito_region is required' unless cognito_region
+      raise ConfigurationError, 'redis_host is required' unless redis_host
     end
 
     def has_client_secret?
@@ -64,20 +70,31 @@ module JwtAuthCognito
     end
 
     def calculate_secret_hash(identifier)
-      return "" unless has_client_secret?
-      return "" unless cognito_client_id
+      return '' unless has_client_secret?
+      return '' unless cognito_client_id
 
       message = identifier + cognito_client_id
-      
+
       require 'openssl'
       require 'base64'
-      
+
       begin
         hmac = OpenSSL::HMAC.digest('SHA256', cognito_client_secret, message)
         Base64.encode64(hmac).strip
-      rescue => e
+      rescue StandardError => e
         raise ConfigurationError, "Error calculating secret hash: #{e.message}"
       end
     end
+
+    def user_data_config
+      {
+        enable_user_data_retrieval: enable_user_data_retrieval,
+        include_applications: ENV['INCLUDE_APPLICATIONS'] != 'false',
+        include_organizations: ENV['INCLUDE_ORGANIZATIONS'] != 'false',
+        include_roles: ENV['INCLUDE_ROLES'] != 'false',
+        include_effective_permissions: ENV['INCLUDE_EFFECTIVE_PERMISSIONS'] == 'true',
+        cache_timeout: (ENV['USER_DATA_CACHE_TIMEOUT'] || 300).to_i
+      }
+    end
   end
-end
+end

data/lib/jwt_auth_cognito/error_utils.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+module JwtAuthCognito
+  module ErrorUtils
+    JWT_ERROR_MESSAGES = {
+      'TOKEN_EXPIRED' => 'Token has expired',
+      'INVALID_TOKEN' => 'Invalid token format',
+      'TOKEN_NOT_ACTIVE' => 'Token not active yet',
+      'INVALID_SIGNATURE' => 'Invalid token signature',
+      'SIGNATURE_VERIFICATION_FAILED' => 'Token signature verification failed',
+      'INVALID_AUDIENCE' => 'Invalid token audience',
+      'INVALID_ISSUER' => 'Invalid token issuer',
+      'VALIDATION_TIMEOUT' => 'Token validation timeout',
+      'TOKEN_REVOKED' => 'Token has been revoked',
+      'API_KEY_INVALID' => 'Invalid API key',
+      'API_KEY_EXPIRED' => 'API key has expired',
+      'INITIALIZATION_FAILED' => 'Service initialization failed',
+      'REDIS_CONNECTION_FAILED' => 'Redis connection failed',
+      'USER_DATA_RETRIEVAL_FAILED' => 'User data retrieval failed'
+    }.freeze
+
+    def self.extract_error_details(error, context = nil)
+      message = 'Unknown error occurred'
+      code = nil
+
+      case error
+      when JwtAuthCognito::TokenExpiredError
+        message = 'Token has expired'
+        code = 'TOKEN_EXPIRED'
+      when JwtAuthCognito::TokenNotActiveError
+        message = 'Token not active yet'
+        code = 'TOKEN_NOT_ACTIVE'
+      when JwtAuthCognito::TokenFormatError
+        message = 'Invalid token format'
+        code = 'INVALID_TOKEN'
+      when JwtAuthCognito::TokenRevokedError
+        message = 'Token has been revoked'
+        code = 'TOKEN_REVOKED'
+      when JwtAuthCognito::JWKSError
+        message = 'Invalid token signature'
+        code = 'INVALID_SIGNATURE'
+      when JwtAuthCognito::RedisConnectionError
+        message = 'Redis connection failed'
+        code = 'REDIS_CONNECTION_FAILED'
+      when StandardError
+        message = error.message
+
+        # Check message content for specific error patterns
+        case message
+        when /expired/i
+          message = 'Token has expired'
+          code = 'TOKEN_EXPIRED'
+        when /invalid.*signature/i, /signature.*verification.*failed/i
+          message = 'Invalid token signature'
+          code = 'INVALID_SIGNATURE'
+        when /invalid.*audience/i, /aud/
+          message = 'Invalid token audience'
+          code = 'INVALID_AUDIENCE'
+        when /invalid.*issuer/i, /iss/
+          message = 'Invalid token issuer'
+          code = 'INVALID_ISSUER'
+        when /not.*active/i, /nbf/
+          message = 'Token not active yet'
+          code = 'TOKEN_NOT_ACTIVE'
+        when /invalid.*format/i, /malformed/i
+          message = 'Invalid token format'
+          code = 'INVALID_TOKEN'
+        end
+      when String
+        message = error
+      else
+        message = error.to_s
+      end
+
+      {
+        message: message,
+        code: code,
+        context: context
+      }.compact
+    end
+
+    def self.log_error(error, context = nil)
+      details = extract_error_details(error, context)
+      log_message = if details[:context]
+                      "#{details[:context]}: #{details[:message]}"
+                    else
+                      details[:message]
+                    end
+
+      log_message += " (#{details[:code]})" if details[:code]
+
+      puts "ERROR: #{log_message}"
+    end
+
+    def self.get_user_friendly_error_message(error)
+      details = extract_error_details(error)
+      details[:message]
+    end
+
+    def self.format_validation_error(error, context = nil)
+      details = extract_error_details(error, context)
+
+      {
+        valid: false,
+        error: details[:message],
+        error_code: details[:code]
+      }.compact
+    end
+  end
+end

data/lib/jwt_auth_cognito/jwks_service.rb

@@ -1,10 +1,10 @@
 # frozen_string_literal: true
 
-require "net/http"
-require "json"
-require "jwt"
-require "openssl"
-require "base64"
+require 'net/http'
+require 'json'
+require 'jwt'
+require 'openssl'
+require 'base64'
 
 module JwtAuthCognito
   class JwksService
@@ -16,35 +16,35 @@ module JwtAuthCognito
 
     def validate_token_with_jwks(token)
       @config.validate!
-      
+
       header = JWT.decode(token, nil, false).last
-      kid = header["kid"]
-      
-      raise ValidationError, "Token missing key ID (kid)" unless kid
-      
+      kid = header['kid']
+
+      raise ValidationError, 'Token missing key ID (kid)' unless kid
+
       public_key = get_public_key(kid)
       decoded_token = JWT.decode(
         token,
         public_key,
         true,
         {
-          algorithm: "RS256",
+          algorithm: 'RS256',
           iss: @config.cognito_issuer,
           verify_iss: true,
           aud: @config.cognito_client_id,
           verify_aud: @config.cognito_client_id ? true : false
         }
       )
-      
+
       payload = decoded_token.first
       validate_token_claims(payload)
-      
+
       {
         valid: true,
         payload: payload,
-        sub: payload["sub"],
-        username: payload["cognito:username"] || payload["username"],
-        token_use: payload["token_use"]
+        sub: payload['sub'],
+        username: payload['cognito:username'] || payload['username'],
+        token_use: payload['token_use']
       }
     rescue JWT::DecodeError => e
       { valid: false, error: "JWT decode error: #{e.message}" }
@@ -58,35 +58,33 @@ module JwtAuthCognito
 
     def get_public_key(kid)
       # Check cache first
-      if @cache[kid] && cache_valid?(kid)
-        return @cache[kid]
-      end
+      return @cache[kid] if @cache[kid] && cache_valid?(kid)
 
       # Fetch JWKS
       jwks = fetch_jwks
-      key_data = jwks["keys"].find { |key| key["kid"] == kid }
-      
-      raise ValidationError, "Key ID not found in JWKS" unless key_data
-      
+      key_data = jwks['keys'].find { |key| key['kid'] == kid }
+
+      raise ValidationError, 'Key ID not found in JWKS' unless key_data
+
       # Convert JWK to PEM
       public_key = jwk_to_pem(key_data)
-      
+
       # Cache the key
       @cache[kid] = public_key
       @cache_timestamps[kid] = Time.now
-      
+
       public_key
     end
 
     def fetch_jwks
       uri = URI(@config.jwks_url)
-      
-      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https", open_timeout: 10, read_timeout: 10) do |http|
+
+      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https', open_timeout: 10, read_timeout: 10) do |http|
         request = Net::HTTP::Get.new(uri)
         response = http.request(request)
-        
-        raise ValidationError, "Failed to fetch JWKS: #{response.code}" unless response.code == "200"
-        
+
+        raise ValidationError, "Failed to fetch JWKS: #{response.code}" unless response.code == '200'
+
         JSON.parse(response.body)
       end
     rescue JSON::ParserError => e
@@ -97,45 +95,43 @@ module JwtAuthCognito
 
     def jwk_to_pem(key_data)
       # Convert JWK RSA key to PEM format
-      n = base64url_decode(key_data["n"])
-      e = base64url_decode(key_data["e"])
-      
+      n = base64url_decode(key_data['n'])
+      e = base64url_decode(key_data['e'])
+
       key = OpenSSL::PKey::RSA.new
       key.n = OpenSSL::BN.new(n, 2)
       key.e = OpenSSL::BN.new(e, 2)
-      
+
       key
     end
 
     def base64url_decode(str)
-      str += "=" * (4 - str.length.modulo(4))
-      Base64.decode64(str.tr("-_", "+/"))
+      str += '=' * (4 - str.length.modulo(4))
+      Base64.decode64(str.tr('-_', '+/'))
     end
 
     def cache_valid?(kid)
       return false unless @cache_timestamps[kid]
-      
+
       Time.now - @cache_timestamps[kid] < @config.jwks_cache_ttl
     end
 
     def validate_token_claims(payload)
       now = Time.now.to_i
-      
+
       # Check expiration
-      raise ValidationError, "Token has expired" if payload["exp"] && payload["exp"] < now
-      
+      raise ValidationError, 'Token has expired' if payload['exp'] && payload['exp'] < now
+
       # Check not before
-      raise ValidationError, "Token not yet valid" if payload["nbf"] && payload["nbf"] > now
-      
+      raise ValidationError, 'Token not yet valid' if payload['nbf'] && payload['nbf'] > now
+
       # Check issued at (allow some clock skew)
-      if payload["iat"] && payload["iat"] > now + 300
-        raise ValidationError, "Token issued in the future"
-      end
-      
+      raise ValidationError, 'Token issued in the future' if payload['iat'] && payload['iat'] > now + 300
+
       # Check token use
-      unless %w[access id].include?(payload["token_use"])
-        raise ValidationError, "Invalid token_use claim"
-      end
+      return if %w[access id].include?(payload['token_use'])
+
+      raise ValidationError, 'Invalid token_use claim'
     end
   end
-end
+end