jwt_auth_cognito 0.1.0 → 0.3.0

data/lib/jwt_auth_cognito/jwt_validator.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "jwt"
+require 'jwt'
 
 module JwtAuthCognito
   class JwtValidator
@@ -8,44 +8,108 @@ module JwtAuthCognito
       @config = config
       @jwks_service = JwksService.new(config)
       @blacklist_service = TokenBlacklistService.new(config)
+      @api_key_validator = config.enable_api_key_validation ? ApiKeyValidator.new(config) : nil
+      @user_data_service = config.enable_user_data_retrieval ? UserDataService.new(nil, config.user_data_config) : nil
+      @initialized = false
+    end
+
+    def initialize!
+      return if @initialized
+
+      begin
+        @jwks_service.initialize!
+        @blacklist_service.initialize! if @blacklist_service.respond_to?(:initialize!)
+        @user_data_service&.initialize!
+        @initialized = true
+      rescue StandardError => e
+        ErrorUtils.log_error(e, 'JWT Validator initialization failed')
+        raise JwtAuthCognito::ConfigurationError, ErrorUtils::JWT_ERROR_MESSAGES['INITIALIZATION_FAILED']
+      end
     end
 
     def validate_token(token, options = {})
+      validate_token_with_api_key(token, nil, options)
+    end
+
+    def validate_token_with_api_key(token, api_key = nil, options = {})
       @config.validate!
-      
-      # Check blacklist first
-      if @blacklist_service.is_blacklisted?(token)
-        return { valid: false, error: "Token has been revoked" }
+
+      # Validate API key if provided and enabled
+      api_key_data = nil
+      if api_key && @config.enable_api_key_validation && @api_key_validator
+        api_key_result = @api_key_validator.validate_api_key(api_key)
+        return { valid: false, error: api_key_result[:error] || 'API key validation failed' } unless api_key_result[:valid]
+
+        api_key_data = api_key_result[:key_data]
       end
 
+      # Check blacklist first
+      return { valid: false, error: 'Token has been revoked' } if @blacklist_service.is_blacklisted?(token)
+
       # Choose validation method based on configuration
-      case @config.validation_mode
-      when :secure
-        validate_token_secure(token, options)
-      when :basic
-        validate_token_basic(token, options)
-      else
-        raise ConfigurationError, "Invalid validation_mode: #{@config.validation_mode}"
+      result = case @config.validation_mode
+               when :secure
+                 validate_token_secure(token, options)
+               when :basic
+                 validate_token_basic(token, options)
+               else
+                 raise ConfigurationError, "Invalid validation_mode: #{@config.validation_mode}"
+               end
+
+      # Add API key data to result if validation succeeded
+      result[:api_key] = api_key_data if result[:valid] && api_key_data
+
+      result
+    end
+
+    def validate_token_enriched(token, api_key = nil, options = {})
+      # First, perform standard token validation
+      basic_result = validate_token_with_api_key(token, api_key, options)
+
+      # If basic validation fails, return early
+      return basic_result unless basic_result[:valid] && basic_result[:payload]
+
+      # If user data retrieval is not enabled, return basic result
+      return basic_result unless @config.enable_user_data_retrieval && @user_data_service
+
+      # Extract user ID from the token
+      user_id = basic_result[:payload]['sub']
+      unless user_id
+        puts 'Token does not contain sub claim, cannot retrieve user data'
+        return basic_result
+      end
+
+      begin
+        # Get comprehensive user data from Redis
+        user_data = @user_data_service.get_comprehensive_user_data(user_id)
+
+        # Add user data to the result
+        enriched_result = basic_result.dup
+        enriched_result[:user_permissions] = user_data['permissions']
+        enriched_result[:user_organizations] = user_data['organizations']
+        enriched_result[:applications] = user_data['applications']
+
+        enriched_result
+      rescue StandardError => e
+        ErrorUtils.log_error(e, 'User data retrieval failed')
+        # Return basic result even if user data retrieval fails
+        basic_result
       end
     end
 
     def validate_access_token(token)
       result = validate_token(token)
-      
-      if result[:valid] && result[:payload]["token_use"] != "access"
-        return { valid: false, error: "Token is not an access token" }
-      end
-      
+
+      return { valid: false, error: 'Token is not an access token' } if result[:valid] && result[:payload]['token_use'] != 'access'
+
       result
     end
 
     def validate_id_token(token)
       result = validate_token(token)
-      
-      if result[:valid] && result[:payload]["token_use"] != "id"
-        return { valid: false, error: "Token is not an ID token" }
-      end
-      
+
+      return { valid: false, error: 'Token is not an ID token' } if result[:valid] && result[:payload]['token_use'] != 'id'
+
       result
     end
 
@@ -64,11 +128,34 @@ module JwtAuthCognito
     # Utility methods inspired by Node.js package
     def extract_token_from_header(authorization_header)
       return nil unless authorization_header
-      
+
       match = authorization_header.match(/\ABearer (.+)\z/)
       match ? match[1] : nil
     end
 
+    def extract_api_key_from_header(api_key_header)
+      # Support common API key header formats
+      return nil unless api_key_header
+
+      api_key_header.strip
+    end
+
+    def extract_api_key_from_headers(headers)
+      # Check various common API key header names (case insensitive)
+      api_key_headers = %w[x-api-key X-API-Key X-API-KEY X-Api-Key]
+
+      api_key_headers.each do |header_name|
+        # Convert headers to a case-insensitive hash for lookup
+        header_key = headers.keys.find { |key| key.downcase == header_name.downcase }
+        next unless header_key
+
+        value = headers[header_key]
+        return extract_api_key_from_header(value) if value
+      end
+
+      nil
+    end
+
     def decode_token(token)
       JWT.decode(token, nil, false).first
     rescue JWT::DecodeError => e
@@ -80,15 +167,15 @@ module JwtAuthCognito
       return payload if payload.is_a?(Hash) && payload[:error]
 
       {
-        sub: payload["sub"],
-        username: payload["cognito:username"] || payload["username"],
-        email: payload["email"],
-        token_use: payload["token_use"],
-        client_id: payload["aud"],
-        issued_at: payload["iat"] ? Time.at(payload["iat"]) : nil,
-        expires_at: payload["exp"] ? Time.at(payload["exp"]) : nil,
-        not_before: payload["nbf"] ? Time.at(payload["nbf"]) : nil,
-        jti: payload["jti"],
+        sub: payload['sub'],
+        username: payload['cognito:username'] || payload['username'],
+        email: payload['email'],
+        token_use: payload['token_use'],
+        client_id: payload['aud'],
+        issued_at: payload['iat'] ? Time.at(payload['iat']) : nil,
+        expires_at: payload['exp'] ? Time.at(payload['exp']) : nil,
+        not_before: payload['nbf'] ? Time.at(payload['nbf']) : nil,
+        jti: payload['jti'],
         has_client_secret: @config.has_client_secret?
       }
     end
@@ -107,7 +194,7 @@ module JwtAuthCognito
       payload = decode_token(token)
       return true if payload.is_a?(Hash) && payload[:error]
 
-      exp = payload["exp"]
+      exp = payload['exp']
       return false unless exp
 
       Time.now.to_i >= exp
@@ -117,18 +204,18 @@ module JwtAuthCognito
       payload = decode_token(token)
       return nil if payload.is_a?(Hash) && payload[:error]
 
-      exp = payload["exp"]
+      exp = payload['exp']
       return nil unless exp
 
       seconds = exp - Time.now.to_i
-      seconds > 0 ? seconds : 0
+      seconds.positive? ? seconds : 0
     end
 
     # Create a convenience factory method
     def self.create_cognito_validator(config = nil)
       if config
         old_config = JwtAuthCognito.configuration
-        JwtAuthCognito.configure { |c| c = config }
+        JwtAuthCognito.configure { |_c| config }
         validator = new
         JwtAuthCognito.instance_variable_set(:@configuration, old_config)
         validator
@@ -142,84 +229,75 @@ module JwtAuthCognito
     def validate_token_secure(token, options = {})
       # Use JWKS validation for production
       result = @jwks_service.validate_token_with_jwks(token)
-      
+
       if result[:valid]
         # Additional custom validations
         validate_custom_claims(result[:payload], options)
       end
-      
+
       result
     end
 
     def validate_token_basic(token, options = {})
       # Basic validation without signature verification (development only)
-      begin
-        payload, header = JWT.decode(token, nil, false)
-        
-        # Basic claim validation
-        validate_basic_claims(payload)
-        validate_custom_claims(payload, options)
-        
-        {
-          valid: true,
-          payload: payload,
-          sub: payload["sub"],
-          username: payload["cognito:username"] || payload["username"],
-          token_use: payload["token_use"]
-        }
-      rescue JWT::DecodeError => e
-        { valid: false, error: "JWT decode error: #{e.message}" }
-      rescue ValidationError => e
-        { valid: false, error: e.message }
-      rescue StandardError => e
-        { valid: false, error: "Validation error: #{e.message}" }
-      end
+
+      payload, = JWT.decode(token, nil, false)
+
+      # Basic claim validation
+      validate_basic_claims(payload)
+      validate_custom_claims(payload, options)
+
+      {
+        valid: true,
+        payload: payload,
+        sub: payload['sub'],
+        username: payload['cognito:username'] || payload['username'],
+        token_use: payload['token_use']
+      }
+    rescue JWT::DecodeError => e
+      { valid: false, error: "JWT decode error: #{e.message}" }
+    rescue ValidationError => e
+      { valid: false, error: e.message }
+    rescue StandardError => e
+      { valid: false, error: "Validation error: #{e.message}" }
     end
 
     def validate_basic_claims(payload)
       now = Time.now.to_i
-      
+
       # Check expiration
-      raise ValidationError, "Token has expired" if payload["exp"] && payload["exp"] < now
-      
+      raise ValidationError, 'Token has expired' if payload['exp'] && payload['exp'] < now
+
       # Check issuer
       expected_issuer = @config.cognito_issuer
-      if payload["iss"] != expected_issuer
-        raise ValidationError, "Invalid issuer. Expected: #{expected_issuer}, got: #{payload["iss"]}"
-      end
-      
+      raise ValidationError, "Invalid issuer. Expected: #{expected_issuer}, got: #{payload['iss']}" if payload['iss'] != expected_issuer
+
       # Check token use
-      unless %w[access id].include?(payload["token_use"])
-        raise ValidationError, "Invalid token_use claim"
-      end
+      return if %w[access id].include?(payload['token_use'])
+
+      raise ValidationError, 'Invalid token_use claim'
     end
 
     def validate_custom_claims(payload, options)
       # Validate specific user ID if provided
-      if options[:user_id] && payload["sub"] != options[:user_id]
-        raise ValidationError, "Token subject does not match expected user ID"
-      end
-      
+      raise ValidationError, 'Token subject does not match expected user ID' if options[:user_id] && payload['sub'] != options[:user_id]
+
       # Validate specific client ID if provided
-      if options[:client_id] && payload["aud"] != options[:client_id]
-        raise ValidationError, "Token audience does not match expected client ID"
-      end
-      
+      raise ValidationError, 'Token audience does not match expected client ID' if options[:client_id] && payload['aud'] != options[:client_id]
+
       # Validate token type if specified
-      if options[:token_use] && payload["token_use"] != options[:token_use]
-        raise ValidationError, "Token use does not match expected type"
-      end
-      
+      raise ValidationError, 'Token use does not match expected type' if options[:token_use] && payload['token_use'] != options[:token_use]
+
       # Custom scope validation
-      if options[:required_scopes]
-        token_scopes = payload["scope"]&.split(" ") || []
-        required_scopes = Array(options[:required_scopes])
-        
-        missing_scopes = required_scopes - token_scopes
-        if missing_scopes.any?
-          raise ValidationError, "Token missing required scopes: #{missing_scopes.join(", ")}"
-        end
-      end
+      return unless options[:required_scopes]
+
+      token_scopes = payload['scope']&.split || []
+      required_scopes = Array(options[:required_scopes])
+
+      missing_scopes = required_scopes - token_scopes
+      return unless missing_scopes.any?
+
+      raise ValidationError, "Token missing required scopes: #{missing_scopes.join(', ')}"
     end
   end
-end
+end

data/lib/jwt_auth_cognito/railtie.rb

@@ -3,11 +3,11 @@
 module JwtAuthCognito
   class Railtie < Rails::Railtie
     rake_tasks do
-      load "tasks/jwt_auth_cognito.rake"
+      load 'tasks/jwt_auth_cognito.rake'
     end
 
     generators do
-      require "generators/jwt_auth_cognito/install_generator"
+      require 'generators/jwt_auth_cognito/install_generator'
     end
   end
-end
+end

data/lib/jwt_auth_cognito/redis_service.rb

@@ -1,13 +1,13 @@
 # frozen_string_literal: true
 
-require "redis"
-require "digest"
-require "openssl"
+require 'redis'
+require 'digest'
+require 'openssl'
 
 module JwtAuthCognito
   class RedisService
-    BLACKLIST_PREFIX = "jwt_blacklist:"
-    USER_TOKENS_PREFIX = "user_tokens:"
+    BLACKLIST_PREFIX = 'jwt_blacklist:'
+    USER_TOKENS_PREFIX = 'user_tokens:'
 
     def initialize(config = JwtAuthCognito.configuration)
       @config = config
@@ -17,13 +17,13 @@ module JwtAuthCognito
     def save_revoked_token(token_id, ttl = nil)
       connect_redis
       key = "#{BLACKLIST_PREFIX}#{token_id}"
-      
+
       if ttl
-        @redis.setex(key, ttl, "revoked")
+        @redis.setex(key, ttl, 'revoked')
       else
-        @redis.set(key, "revoked")
+        @redis.set(key, 'revoked')
       end
-      
+
       true
     rescue Redis::BaseError => e
       raise BlacklistError, "Failed to save revoked token: #{e.message}"
@@ -33,8 +33,8 @@ module JwtAuthCognito
       connect_redis
       key = "#{BLACKLIST_PREFIX}#{token_id}"
       result = @redis.exists?(key)
-      result.is_a?(Integer) ? result > 0 : result
-    rescue Redis::BaseError => e
+      result.is_a?(Integer) ? result.positive? : result
+    rescue Redis::BaseError
       # Graceful degradation - if Redis is down, don't block validation
       false
     end
@@ -50,19 +50,19 @@ module JwtAuthCognito
 
     def invalidate_user_tokens(user_id)
       connect_redis
-      
+
       # Get all tokens for the user
       user_key = "#{USER_TOKENS_PREFIX}#{user_id}"
       token_ids = @redis.smembers(user_key)
-      
+
       # Add all tokens to blacklist
       token_ids.each do |token_id|
         save_revoked_token(token_id)
       end
-      
+
       # Clear the user's token set
       @redis.del(user_key)
-      
+
       token_ids.length
     rescue Redis::BaseError => e
       raise BlacklistError, "Failed to invalidate user tokens: #{e.message}"
@@ -70,28 +70,28 @@ module JwtAuthCognito
 
     def track_user_token(user_id, token_id, ttl = nil)
       connect_redis
-      
+
       user_key = "#{USER_TOKENS_PREFIX}#{user_id}"
       @redis.sadd(user_key, token_id)
-      
+
       # Set expiration on the user's token set
       @redis.expire(user_key, ttl) if ttl
-      
+
       true
-    rescue Redis::BaseError => e
+    rescue Redis::BaseError
       # Non-critical operation, log but don't fail
       false
     end
 
     def generate_token_id(token)
       # Try to extract jti from token first
-      begin  
+      begin
         payload = JWT.decode(token, nil, false).first
-        return payload["jti"] if payload["jti"]
+        return payload['jti'] if payload['jti']
       rescue JWT::DecodeError
         # Fall back to hash if token can't be decoded
       end
-      
+
       # Generate hash-based ID
       Digest::SHA256.hexdigest(token)[0, 16]
     end
@@ -102,23 +102,21 @@ module JwtAuthCognito
       return @redis if @redis
 
       redis_options = build_redis_options
-      
+
       # Retry logic with exponential backoff (similar to Node.js implementation)
       max_retries = 3
       retry_count = 0
-      
+
       begin
         @redis = Redis.new(redis_options)
         @redis.ping # Test connection
         @redis
       rescue Redis::BaseError => e
         retry_count += 1
-        if retry_count <= max_retries
-          sleep(0.1 * (2 ** retry_count)) # Exponential backoff
-          retry
-        else
-          raise BlacklistError, "Failed to connect to Redis after #{max_retries} retries: #{e.message}"
-        end
+        raise BlacklistError, "Failed to connect to Redis after #{max_retries} retries: #{e.message}" unless retry_count <= max_retries
+
+        sleep(0.1 * (2**retry_count)) # Exponential backoff
+        retry
       end
     end
 
@@ -145,35 +143,76 @@ module JwtAuthCognito
 
     def build_ssl_params
       ssl_params = {}
-      
+
       # Set TLS version constraints
-      if @config.redis_tls_min_version
-        ssl_params[:min_version] = parse_tls_version(@config.redis_tls_min_version)
+      ssl_params[:min_version] = parse_tls_version(@config.redis_tls_min_version) if @config.redis_tls_min_version
+
+      ssl_params[:max_version] = parse_tls_version(@config.redis_tls_max_version) if @config.redis_tls_max_version
+
+      # CA certificate configuration with multiple sources
+      ca_cert_data = load_ca_certificate
+      if ca_cert_data
+        # Create a temporary file for the CA certificate
+        require 'tempfile'
+        temp_file = Tempfile.new('redis_ca_cert')
+        temp_file.write(ca_cert_data)
+        temp_file.close
+        ssl_params[:ca_file] = temp_file.path
+
+        # Store reference to prevent garbage collection
+        @temp_ca_file = temp_file
       end
-      
-      if @config.redis_tls_max_version
-        ssl_params[:max_version] = parse_tls_version(@config.redis_tls_max_version)
+
+      # Verification mode
+      ssl_params[:verify_mode] = case @config.redis_verify_mode
+                                 when 'none'
+                                   OpenSSL::SSL::VERIFY_NONE
+                                 when 'peer'
+                                   OpenSSL::SSL::VERIFY_PEER
+                                 else
+                                   OpenSSL::SSL::VERIFY_PEER
+                                 end
+
+      ssl_params
+    end
+
+    def load_ca_certificate
+      # Priority order for certificate loading (matching Node.js implementation):
+      # 1. SSM Parameter Store (for auth-service compatibility)
+      # 2. Local file system
+      # 3. Environment variable
+
+      # 1. Try SSM Parameter Store first (for auth-service compatibility)
+      if @config.redis_ca_cert_ssm_path && @config.redis_ca_cert_ssm_name
+        begin
+          puts '🔍 Loading CA certificate from SSM...'
+          return JwtAuthCognito::SSMService.get_ca_certificate(
+            @config.redis_ca_cert_ssm_path,
+            @config.redis_ca_cert_ssm_name
+          )
+        rescue StandardError => e
+          puts "⚠️  Failed to load certificate from SSM: #{e.message}"
+          puts '⚠️  Falling back to file system...'
+        end
       end
-      
-      # CA certificate configuration
+
+      # 2. Try local file system
       if @config.redis_ca_cert_path && @config.redis_ca_cert_name
         ca_cert_file = File.join(@config.redis_ca_cert_path, @config.redis_ca_cert_name)
         if File.exist?(ca_cert_file)
-          ssl_params[:ca_file] = ca_cert_file
+          puts "📁 Loading CA certificate from file system: #{ca_cert_file}"
+          return File.read(ca_cert_file)
         end
       end
-      
-      # Verification mode
-      case @config.redis_verify_mode
-      when 'none'
-        ssl_params[:verify_mode] = OpenSSL::SSL::VERIFY_NONE
-      when 'peer'
-        ssl_params[:verify_mode] = OpenSSL::SSL::VERIFY_PEER
-      else
-        ssl_params[:verify_mode] = OpenSSL::SSL::VERIFY_PEER
+
+      # 3. Try environment variable
+      if ENV['REDIS_CA_CERT']
+        puts '🌍 Loading CA certificate from environment variable'
+        return ENV['REDIS_CA_CERT']
       end
-      
-      ssl_params
+
+      puts '⚠️  No CA certificate found, proceeding without certificate validation'
+      nil
     end
 
     def parse_tls_version(version_string)
@@ -191,4 +230,4 @@ module JwtAuthCognito
       end
     end
   end
-end
+end