jwt_auth_cognito 0.1.0

data/lib/jwt_auth_cognito/configuration.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module JwtAuthCognito
+  class Configuration
+    attr_accessor :cognito_user_pool_id, :cognito_region, :cognito_client_id, :cognito_client_secret,
+                  :redis_host, :redis_port, :redis_password, :redis_db,
+                  :redis_ssl, :redis_timeout, :redis_connect_timeout, :redis_read_timeout,
+                  :redis_ca_cert_path, :redis_ca_cert_name, :redis_verify_mode,
+                  :redis_tls_min_version, :redis_tls_max_version,
+                  :jwks_cache_ttl, :validation_mode, :environment
+
+    def initialize
+      @cognito_region = ENV['COGNITO_REGION'] || ENV['AWS_REGION'] || "us-east-1"
+      @cognito_user_pool_id = ENV['COGNITO_USER_POOL_ID']
+      @cognito_client_id = ENV['COGNITO_CLIENT_ID']
+      @cognito_client_secret = ENV['COGNITO_CLIENT_SECRET']
+      
+      # Redis configuration with environment variables
+      @redis_host = ENV['REDIS_HOST'] || "localhost"
+      @redis_port = (ENV['REDIS_PORT'] || 6379).to_i
+      @redis_password = ENV['REDIS_PASSWORD']
+      @redis_db = (ENV['REDIS_DB'] || 0).to_i
+      @redis_ssl = ENV['REDIS_TLS'] == 'true' || ENV['REDIS_SSL'] == 'true'
+      @redis_timeout = (ENV['REDIS_TIMEOUT'] || 5).to_i
+      @redis_connect_timeout = (ENV['REDIS_CONNECT_TIMEOUT'] || 10).to_i
+      @redis_read_timeout = (ENV['REDIS_READ_TIMEOUT'] || 10).to_i
+      
+      # TLS specific configuration
+      @redis_ca_cert_path = ENV['REDIS_CA_CERT_PATH']
+      @redis_ca_cert_name = ENV['REDIS_CA_CERT_NAME']
+      @redis_verify_mode = ENV['REDIS_VERIFY_MODE'] || 'peer'
+      @redis_tls_min_version = ENV['REDIS_TLS_MIN_VERSION'] || 'TLSv1.2'
+      @redis_tls_max_version = ENV['REDIS_TLS_MAX_VERSION'] || 'TLSv1.3'
+      
+      @jwks_cache_ttl = (ENV['JWKS_CACHE_TTL'] || 3600).to_i # 1 hour
+      @environment = ENV['RAILS_ENV'] || ENV['RACK_ENV'] || ENV['NODE_ENV'] || 'development'
+      @validation_mode = production? ? :secure : :basic
+    end
+
+    def production?
+      @environment == 'production'
+    end
+
+    def development?
+      @environment == 'development'
+    end
+
+    def cognito_issuer
+      "https://cognito-idp.#{cognito_region}.amazonaws.com/#{cognito_user_pool_id}"
+    end
+
+    def jwks_url
+      "#{cognito_issuer}/.well-known/jwks.json"
+    end
+
+    def validate!
+      raise ConfigurationError, "cognito_user_pool_id is required" unless cognito_user_pool_id
+      raise ConfigurationError, "cognito_region is required" unless cognito_region
+      raise ConfigurationError, "redis_host is required" unless redis_host
+    end
+
+    def has_client_secret?
+      !cognito_client_secret.nil? && !cognito_client_secret.empty?
+    end
+
+    def calculate_secret_hash(identifier)
+      return "" unless has_client_secret?
+      return "" unless cognito_client_id
+
+      message = identifier + cognito_client_id
+      
+      require 'openssl'
+      require 'base64'
+      
+      begin
+        hmac = OpenSSL::HMAC.digest('SHA256', cognito_client_secret, message)
+        Base64.encode64(hmac).strip
+      rescue => e
+        raise ConfigurationError, "Error calculating secret hash: #{e.message}"
+      end
+    end
+  end
+end

data/lib/jwt_auth_cognito/jwks_service.rb

@@ -0,0 +1,141 @@
+# frozen_string_literal: true
+
+require "net/http"
+require "json"
+require "jwt"
+require "openssl"
+require "base64"
+
+module JwtAuthCognito
+  class JwksService
+    def initialize(config = JwtAuthCognito.configuration)
+      @config = config
+      @cache = {}
+      @cache_timestamps = {}
+    end
+
+    def validate_token_with_jwks(token)
+      @config.validate!
+      
+      header = JWT.decode(token, nil, false).last
+      kid = header["kid"]
+      
+      raise ValidationError, "Token missing key ID (kid)" unless kid
+      
+      public_key = get_public_key(kid)
+      decoded_token = JWT.decode(
+        token,
+        public_key,
+        true,
+        {
+          algorithm: "RS256",
+          iss: @config.cognito_issuer,
+          verify_iss: true,
+          aud: @config.cognito_client_id,
+          verify_aud: @config.cognito_client_id ? true : false
+        }
+      )
+      
+      payload = decoded_token.first
+      validate_token_claims(payload)
+      
+      {
+        valid: true,
+        payload: payload,
+        sub: payload["sub"],
+        username: payload["cognito:username"] || payload["username"],
+        token_use: payload["token_use"]
+      }
+    rescue JWT::DecodeError => e
+      { valid: false, error: "JWT decode error: #{e.message}" }
+    rescue ValidationError => e
+      { valid: false, error: e.message }
+    rescue StandardError => e
+      { valid: false, error: "Validation error: #{e.message}" }
+    end
+
+    private
+
+    def get_public_key(kid)
+      # Check cache first
+      if @cache[kid] && cache_valid?(kid)
+        return @cache[kid]
+      end
+
+      # Fetch JWKS
+      jwks = fetch_jwks
+      key_data = jwks["keys"].find { |key| key["kid"] == kid }
+      
+      raise ValidationError, "Key ID not found in JWKS" unless key_data
+      
+      # Convert JWK to PEM
+      public_key = jwk_to_pem(key_data)
+      
+      # Cache the key
+      @cache[kid] = public_key
+      @cache_timestamps[kid] = Time.now
+      
+      public_key
+    end
+
+    def fetch_jwks
+      uri = URI(@config.jwks_url)
+      
+      Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https", open_timeout: 10, read_timeout: 10) do |http|
+        request = Net::HTTP::Get.new(uri)
+        response = http.request(request)
+        
+        raise ValidationError, "Failed to fetch JWKS: #{response.code}" unless response.code == "200"
+        
+        JSON.parse(response.body)
+      end
+    rescue JSON::ParserError => e
+      raise ValidationError, "Invalid JWKS JSON: #{e.message}"
+    rescue StandardError => e
+      raise ValidationError, "Failed to fetch JWKS: #{e.message}"
+    end
+
+    def jwk_to_pem(key_data)
+      # Convert JWK RSA key to PEM format
+      n = base64url_decode(key_data["n"])
+      e = base64url_decode(key_data["e"])
+      
+      key = OpenSSL::PKey::RSA.new
+      key.n = OpenSSL::BN.new(n, 2)
+      key.e = OpenSSL::BN.new(e, 2)
+      
+      key
+    end
+
+    def base64url_decode(str)
+      str += "=" * (4 - str.length.modulo(4))
+      Base64.decode64(str.tr("-_", "+/"))
+    end
+
+    def cache_valid?(kid)
+      return false unless @cache_timestamps[kid]
+      
+      Time.now - @cache_timestamps[kid] < @config.jwks_cache_ttl
+    end
+
+    def validate_token_claims(payload)
+      now = Time.now.to_i
+      
+      # Check expiration
+      raise ValidationError, "Token has expired" if payload["exp"] && payload["exp"] < now
+      
+      # Check not before
+      raise ValidationError, "Token not yet valid" if payload["nbf"] && payload["nbf"] > now
+      
+      # Check issued at (allow some clock skew)
+      if payload["iat"] && payload["iat"] > now + 300
+        raise ValidationError, "Token issued in the future"
+      end
+      
+      # Check token use
+      unless %w[access id].include?(payload["token_use"])
+        raise ValidationError, "Invalid token_use claim"
+      end
+    end
+  end
+end

data/lib/jwt_auth_cognito/jwt_validator.rb

@@ -0,0 +1,225 @@
+# frozen_string_literal: true
+
+require "jwt"
+
+module JwtAuthCognito
+  class JwtValidator
+    def initialize(config = JwtAuthCognito.configuration)
+      @config = config
+      @jwks_service = JwksService.new(config)
+      @blacklist_service = TokenBlacklistService.new(config)
+    end
+
+    def validate_token(token, options = {})
+      @config.validate!
+      
+      # Check blacklist first
+      if @blacklist_service.is_blacklisted?(token)
+        return { valid: false, error: "Token has been revoked" }
+      end
+
+      # Choose validation method based on configuration
+      case @config.validation_mode
+      when :secure
+        validate_token_secure(token, options)
+      when :basic
+        validate_token_basic(token, options)
+      else
+        raise ConfigurationError, "Invalid validation_mode: #{@config.validation_mode}"
+      end
+    end
+
+    def validate_access_token(token)
+      result = validate_token(token)
+      
+      if result[:valid] && result[:payload]["token_use"] != "access"
+        return { valid: false, error: "Token is not an access token" }
+      end
+      
+      result
+    end
+
+    def validate_id_token(token)
+      result = validate_token(token)
+      
+      if result[:valid] && result[:payload]["token_use"] != "id"
+        return { valid: false, error: "Token is not an ID token" }
+      end
+      
+      result
+    end
+
+    def validate_multiple_tokens(tokens)
+      tokens.map { |token| validate_token(token) }
+    end
+
+    def revoke_token(token, user_id: nil)
+      @blacklist_service.add_to_blacklist(token, user_id: user_id)
+    end
+
+    def revoke_user_tokens(user_id)
+      @blacklist_service.invalidate_user_tokens(user_id)
+    end
+
+    # Utility methods inspired by Node.js package
+    def extract_token_from_header(authorization_header)
+      return nil unless authorization_header
+      
+      match = authorization_header.match(/\ABearer (.+)\z/)
+      match ? match[1] : nil
+    end
+
+    def decode_token(token)
+      JWT.decode(token, nil, false).first
+    rescue JWT::DecodeError => e
+      { error: "Failed to decode token: #{e.message}" }
+    end
+
+    def get_token_info(token)
+      payload = decode_token(token)
+      return payload if payload.is_a?(Hash) && payload[:error]
+
+      {
+        sub: payload["sub"],
+        username: payload["cognito:username"] || payload["username"],
+        email: payload["email"],
+        token_use: payload["token_use"],
+        client_id: payload["aud"],
+        issued_at: payload["iat"] ? Time.at(payload["iat"]) : nil,
+        expires_at: payload["exp"] ? Time.at(payload["exp"]) : nil,
+        not_before: payload["nbf"] ? Time.at(payload["nbf"]) : nil,
+        jti: payload["jti"],
+        has_client_secret: @config.has_client_secret?
+      }
+    end
+
+    # Calculate secret hash for Cognito operations (when client secret is configured)
+    def calculate_secret_hash(identifier)
+      @config.calculate_secret_hash(identifier)
+    end
+
+    # Check if client secret is configured
+    def has_client_secret?
+      @config.has_client_secret?
+    end
+
+    def is_token_expired?(token)
+      payload = decode_token(token)
+      return true if payload.is_a?(Hash) && payload[:error]
+
+      exp = payload["exp"]
+      return false unless exp
+
+      Time.now.to_i >= exp
+    end
+
+    def get_time_to_expiry(token)
+      payload = decode_token(token)
+      return nil if payload.is_a?(Hash) && payload[:error]
+
+      exp = payload["exp"]
+      return nil unless exp
+
+      seconds = exp - Time.now.to_i
+      seconds > 0 ? seconds : 0
+    end
+
+    # Create a convenience factory method
+    def self.create_cognito_validator(config = nil)
+      if config
+        old_config = JwtAuthCognito.configuration
+        JwtAuthCognito.configure { |c| c = config }
+        validator = new
+        JwtAuthCognito.instance_variable_set(:@configuration, old_config)
+        validator
+      else
+        new
+      end
+    end
+
+    private
+
+    def validate_token_secure(token, options = {})
+      # Use JWKS validation for production
+      result = @jwks_service.validate_token_with_jwks(token)
+      
+      if result[:valid]
+        # Additional custom validations
+        validate_custom_claims(result[:payload], options)
+      end
+      
+      result
+    end
+
+    def validate_token_basic(token, options = {})
+      # Basic validation without signature verification (development only)
+      begin
+        payload, header = JWT.decode(token, nil, false)
+        
+        # Basic claim validation
+        validate_basic_claims(payload)
+        validate_custom_claims(payload, options)
+        
+        {
+          valid: true,
+          payload: payload,
+          sub: payload["sub"],
+          username: payload["cognito:username"] || payload["username"],
+          token_use: payload["token_use"]
+        }
+      rescue JWT::DecodeError => e
+        { valid: false, error: "JWT decode error: #{e.message}" }
+      rescue ValidationError => e
+        { valid: false, error: e.message }
+      rescue StandardError => e
+        { valid: false, error: "Validation error: #{e.message}" }
+      end
+    end
+
+    def validate_basic_claims(payload)
+      now = Time.now.to_i
+      
+      # Check expiration
+      raise ValidationError, "Token has expired" if payload["exp"] && payload["exp"] < now
+      
+      # Check issuer
+      expected_issuer = @config.cognito_issuer
+      if payload["iss"] != expected_issuer
+        raise ValidationError, "Invalid issuer. Expected: #{expected_issuer}, got: #{payload["iss"]}"
+      end
+      
+      # Check token use
+      unless %w[access id].include?(payload["token_use"])
+        raise ValidationError, "Invalid token_use claim"
+      end
+    end
+
+    def validate_custom_claims(payload, options)
+      # Validate specific user ID if provided
+      if options[:user_id] && payload["sub"] != options[:user_id]
+        raise ValidationError, "Token subject does not match expected user ID"
+      end
+      
+      # Validate specific client ID if provided
+      if options[:client_id] && payload["aud"] != options[:client_id]
+        raise ValidationError, "Token audience does not match expected client ID"
+      end
+      
+      # Validate token type if specified
+      if options[:token_use] && payload["token_use"] != options[:token_use]
+        raise ValidationError, "Token use does not match expected type"
+      end
+      
+      # Custom scope validation
+      if options[:required_scopes]
+        token_scopes = payload["scope"]&.split(" ") || []
+        required_scopes = Array(options[:required_scopes])
+        
+        missing_scopes = required_scopes - token_scopes
+        if missing_scopes.any?
+          raise ValidationError, "Token missing required scopes: #{missing_scopes.join(", ")}"
+        end
+      end
+    end
+  end
+end

data/lib/jwt_auth_cognito/railtie.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module JwtAuthCognito
+  class Railtie < Rails::Railtie
+    rake_tasks do
+      load "tasks/jwt_auth_cognito.rake"
+    end
+
+    generators do
+      require "generators/jwt_auth_cognito/install_generator"
+    end
+  end
+end

data/lib/jwt_auth_cognito/redis_service.rb

@@ -0,0 +1,194 @@
+# frozen_string_literal: true
+
+require "redis"
+require "digest"
+require "openssl"
+
+module JwtAuthCognito
+  class RedisService
+    BLACKLIST_PREFIX = "jwt_blacklist:"
+    USER_TOKENS_PREFIX = "user_tokens:"
+
+    def initialize(config = JwtAuthCognito.configuration)
+      @config = config
+      @redis = nil
+    end
+
+    def save_revoked_token(token_id, ttl = nil)
+      connect_redis
+      key = "#{BLACKLIST_PREFIX}#{token_id}"
+      
+      if ttl
+        @redis.setex(key, ttl, "revoked")
+      else
+        @redis.set(key, "revoked")
+      end
+      
+      true
+    rescue Redis::BaseError => e
+      raise BlacklistError, "Failed to save revoked token: #{e.message}"
+    end
+
+    def is_token_revoked?(token_id)
+      connect_redis
+      key = "#{BLACKLIST_PREFIX}#{token_id}"
+      result = @redis.exists?(key)
+      result.is_a?(Integer) ? result > 0 : result
+    rescue Redis::BaseError => e
+      # Graceful degradation - if Redis is down, don't block validation
+      false
+    end
+
+    def clear_revoked_tokens
+      connect_redis
+      keys = @redis.keys("#{BLACKLIST_PREFIX}*")
+      @redis.del(*keys) if keys.any?
+      keys.length
+    rescue Redis::BaseError => e
+      raise BlacklistError, "Failed to clear revoked tokens: #{e.message}"
+    end
+
+    def invalidate_user_tokens(user_id)
+      connect_redis
+      
+      # Get all tokens for the user
+      user_key = "#{USER_TOKENS_PREFIX}#{user_id}"
+      token_ids = @redis.smembers(user_key)
+      
+      # Add all tokens to blacklist
+      token_ids.each do |token_id|
+        save_revoked_token(token_id)
+      end
+      
+      # Clear the user's token set
+      @redis.del(user_key)
+      
+      token_ids.length
+    rescue Redis::BaseError => e
+      raise BlacklistError, "Failed to invalidate user tokens: #{e.message}"
+    end
+
+    def track_user_token(user_id, token_id, ttl = nil)
+      connect_redis
+      
+      user_key = "#{USER_TOKENS_PREFIX}#{user_id}"
+      @redis.sadd(user_key, token_id)
+      
+      # Set expiration on the user's token set
+      @redis.expire(user_key, ttl) if ttl
+      
+      true
+    rescue Redis::BaseError => e
+      # Non-critical operation, log but don't fail
+      false
+    end
+
+    def generate_token_id(token)
+      # Try to extract jti from token first
+      begin  
+        payload = JWT.decode(token, nil, false).first
+        return payload["jti"] if payload["jti"]
+      rescue JWT::DecodeError
+        # Fall back to hash if token can't be decoded
+      end
+      
+      # Generate hash-based ID
+      Digest::SHA256.hexdigest(token)[0, 16]
+    end
+
+    private
+
+    def connect_redis
+      return @redis if @redis
+
+      redis_options = build_redis_options
+      
+      # Retry logic with exponential backoff (similar to Node.js implementation)
+      max_retries = 3
+      retry_count = 0
+      
+      begin
+        @redis = Redis.new(redis_options)
+        @redis.ping # Test connection
+        @redis
+      rescue Redis::BaseError => e
+        retry_count += 1
+        if retry_count <= max_retries
+          sleep(0.1 * (2 ** retry_count)) # Exponential backoff
+          retry
+        else
+          raise BlacklistError, "Failed to connect to Redis after #{max_retries} retries: #{e.message}"
+        end
+      end
+    end
+
+    def build_redis_options
+      options = {
+        host: @config.redis_host,
+        port: @config.redis_port,
+        db: @config.redis_db,
+        timeout: @config.redis_timeout,
+        connect_timeout: @config.redis_connect_timeout,
+        read_timeout: @config.redis_read_timeout
+      }
+
+      options[:password] = @config.redis_password if @config.redis_password
+
+      # Enhanced TLS configuration (matching Node.js implementation)
+      if @config.redis_ssl
+        options[:ssl] = true
+        options[:ssl_params] = build_ssl_params
+      end
+
+      options
+    end
+
+    def build_ssl_params
+      ssl_params = {}
+      
+      # Set TLS version constraints
+      if @config.redis_tls_min_version
+        ssl_params[:min_version] = parse_tls_version(@config.redis_tls_min_version)
+      end
+      
+      if @config.redis_tls_max_version
+        ssl_params[:max_version] = parse_tls_version(@config.redis_tls_max_version)
+      end
+      
+      # CA certificate configuration
+      if @config.redis_ca_cert_path && @config.redis_ca_cert_name
+        ca_cert_file = File.join(@config.redis_ca_cert_path, @config.redis_ca_cert_name)
+        if File.exist?(ca_cert_file)
+          ssl_params[:ca_file] = ca_cert_file
+        end
+      end
+      
+      # Verification mode
+      case @config.redis_verify_mode
+      when 'none'
+        ssl_params[:verify_mode] = OpenSSL::SSL::VERIFY_NONE
+      when 'peer'
+        ssl_params[:verify_mode] = OpenSSL::SSL::VERIFY_PEER
+      else
+        ssl_params[:verify_mode] = OpenSSL::SSL::VERIFY_PEER
+      end
+      
+      ssl_params
+    end
+
+    def parse_tls_version(version_string)
+      case version_string.upcase
+      when 'TLSV1.2'
+        :TLSv1_2
+      when 'TLSV1.3'
+        :TLSv1_3
+      when 'TLSV1.1'
+        :TLSv1_1
+      when 'TLSV1'
+        :TLSv1
+      else
+        :TLSv1_2 # Default to TLS 1.2
+      end
+    end
+  end
+end

data/lib/jwt_auth_cognito/token_blacklist_service.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module JwtAuthCognito
+  class TokenBlacklistService
+    def initialize(config = JwtAuthCognito.configuration)
+      @config = config
+      @redis_service = RedisService.new(config)
+    end
+
+    def add_to_blacklist(token, user_id: nil)
+      token_id = @redis_service.generate_token_id(token)
+      ttl = calculate_ttl(token)
+      
+      result = @redis_service.save_revoked_token(token_id, ttl)
+      
+      # Track token for user if provided
+      if user_id
+        @redis_service.track_user_token(user_id, token_id, ttl)
+      end
+      
+      result
+    end
+
+    def is_blacklisted?(token)
+      token_id = @redis_service.generate_token_id(token)
+      @redis_service.is_token_revoked?(token_id)
+    end
+
+    def invalidate_user_tokens(user_id)
+      @redis_service.invalidate_user_tokens(user_id)
+    end
+
+    def clear_all_blacklisted_tokens
+      @redis_service.clear_revoked_tokens
+    end
+
+    private
+
+    def calculate_ttl(token)
+      begin
+        payload = JWT.decode(token, nil, false).first
+        exp = payload["exp"]
+        
+        if exp
+          ttl = exp - Time.now.to_i
+          return ttl > 0 ? ttl : 1 # At least 1 second TTL
+        end
+      rescue JWT::DecodeError
+        # If we can't decode the token, use a default TTL
+      end
+      
+      # Default TTL of 1 day if we can't determine expiration
+      86400
+    end
+  end
+end