jwt_auth_cognito 0.1.0

data/lib/jwt_auth_cognito/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module JwtAuthCognito
+  VERSION = "0.1.0"
+end

data/lib/jwt_auth_cognito.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require_relative "jwt_auth_cognito/version"
+require_relative "jwt_auth_cognito/configuration"
+require_relative "jwt_auth_cognito/jwks_service"
+require_relative "jwt_auth_cognito/redis_service"
+require_relative "jwt_auth_cognito/token_blacklist_service"
+require_relative "jwt_auth_cognito/jwt_validator"
+
+module JwtAuthCognito
+  class Error < StandardError; end
+  class ValidationError < Error; end
+  class BlacklistError < Error; end
+  class ConfigurationError < Error; end
+  
+  # Specific JWT error types (matching Node.js implementation)
+  class TokenExpiredError < ValidationError; end
+  class TokenNotActiveError < ValidationError; end
+  class TokenFormatError < ValidationError; end
+  class TokenRevokedError < ValidationError; end
+  class JWKSError < ValidationError; end
+  class RedisConnectionError < BlacklistError; end
+
+  # Configure the gem
+  def self.configure
+    yield(configuration)
+  end
+
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  def self.reset_configuration!
+    @configuration = Configuration.new
+  end
+end
+
+# Cargar tareas Rake si estamos en Rails
+if defined?(Rails::Railtie)
+  require_relative "jwt_auth_cognito/railtie"
+end

data/lib/tasks/jwt_auth_cognito.rake

@@ -0,0 +1,290 @@
+# frozen_string_literal: true
+
+namespace :jwt_auth_cognito do
+  desc "Genera archivo de configuración para jwt_auth_cognito"
+  task :install do
+    puts "🚀 Instalando jwt_auth_cognito..."
+    
+    # Verificar si estamos en una aplicación Rails
+    unless defined?(Rails)
+      puts "❌ Error: Este comando debe ejecutarse desde una aplicación Rails"
+      exit 1
+    end
+
+    config_file = Rails.root.join('config', 'initializers', 'jwt_auth_cognito.rb')
+    env_file = Rails.root.join('.env.example')
+
+    # Crear directorio si no existe
+    FileUtils.mkdir_p(File.dirname(config_file))
+
+    # Generar archivo de configuración
+    if File.exist?(config_file)
+      print "El archivo #{config_file} ya existe. ¿Sobrescribir? (y/N): "
+      response = STDIN.gets.chomp.downcase
+      
+      unless %w[y yes sí si].include?(response)
+        puts "⏭️  Instalación cancelada"
+        exit 0
+      end
+    end
+
+    # Contenido del archivo de configuración
+    config_content = generate_config_content
+
+    File.write(config_file, config_content)
+    puts "✅ Archivo de configuración creado: #{config_file}"
+
+    # Generar/actualizar .env.example
+    env_content = generate_env_content
+    
+    if File.exist?(env_file)
+      existing_content = File.read(env_file)
+      unless existing_content.include?('COGNITO_USER_POOL_ID')
+        File.write(env_file, existing_content + "\n" + env_content)
+        puts "✅ Variables agregadas a .env.example"
+      else
+        puts "ℹ️  Variables ya existen en .env.example"
+      end
+    else
+      File.write(env_file, env_content)
+      puts "✅ Archivo .env.example creado"
+    end
+
+    show_next_steps
+  end
+
+  desc "Muestra la configuración actual de jwt_auth_cognito"
+  task :config do
+    puts "📋 Configuración actual de jwt_auth_cognito:"
+    puts "=" * 50
+    
+    config = JwtAuthCognito.configuration
+    
+    puts "🏛️  AWS Cognito:"
+    puts "   Region: #{config.cognito_region || '❌ NO CONFIGURADO'}"
+    puts "   User Pool ID: #{config.cognito_user_pool_id || '❌ NO CONFIGURADO'}"
+    puts "   Client ID: #{config.cognito_client_id || '❌ NO CONFIGURADO'}"
+    puts "   Client Secret: #{config.has_client_secret? ? '✅ CONFIGURADO' : '⚠️  NO CONFIGURADO'}"
+    
+    puts "\n🗄️  Redis:"
+    puts "   Host: #{config.redis_host}"
+    puts "   Puerto: #{config.redis_port}"
+    puts "   Base de datos: #{config.redis_db}"
+    puts "   TLS: #{config.redis_ssl ? '✅ HABILITADO' : '❌ DESHABILITADO'}"
+    puts "   Password: #{config.redis_password ? '✅ CONFIGURADO' : '❌ NO CONFIGURADO'}"
+    
+    puts "\n⚙️  Configuración:"
+    puts "   Modo de validación: #{config.validation_mode}"
+    puts "   Cache JWKS TTL: #{config.jwks_cache_ttl}s"
+    puts "   Entorno: #{config.environment}"
+    
+    puts "\n🔍 URLs:"
+    begin
+      puts "   JWKS URL: #{config.jwks_url}"
+      puts "   Cognito Issuer: #{config.cognito_issuer}"
+    rescue => e
+      puts "   ❌ Error generando URLs: #{e.message}"
+    end
+  end
+
+  desc "Prueba la conexión a Redis"
+  task :test_redis do
+    puts "🔧 Probando conexión a Redis..."
+    
+    begin
+      redis_service = JwtAuthCognito::RedisService.new
+      redis_service.send(:connect_redis)
+      puts "✅ Conexión a Redis exitosa"
+    rescue => e
+      puts "❌ Error conectando a Redis: #{e.message}"
+      puts "\n💡 Verifica tu configuración de Redis en las variables de entorno"
+    end
+  end
+
+  desc "Prueba la configuración de Cognito"
+  task :test_cognito do
+    puts "🔧 Probando configuración de Cognito..."
+    
+    config = JwtAuthCognito.configuration
+    
+    begin
+      config.validate!
+      puts "✅ Configuración básica de Cognito válida"
+      
+      # Probar JWKS
+      jwks_service = JwtAuthCognito::JwksService.new
+      jwks_service.send(:fetch_jwks)
+      puts "✅ Conexión a JWKS exitosa"
+      
+    rescue => e
+      puts "❌ Error en configuración de Cognito: #{e.message}"
+      puts "\n💡 Verifica tus variables de entorno de Cognito"
+    end
+  end
+
+  desc "Limpia todos los tokens de la blacklist"
+  task :clear_blacklist do
+    print "⚠️  ¿Estás seguro de que quieres limpiar toda la blacklist? (y/N): "
+    response = STDIN.gets.chomp.downcase
+    
+    if %w[y yes sí si].include?(response)
+      begin
+        blacklist_service = JwtAuthCognito::TokenBlacklistService.new
+        count = blacklist_service.clear_all_blacklisted_tokens
+        puts "✅ #{count} tokens eliminados de la blacklist"
+      rescue => e
+        puts "❌ Error limpiando blacklist: #{e.message}"
+      end
+    else
+      puts "⏭️  Operación cancelada"
+    end
+  end
+
+  private
+
+  def generate_config_content
+    has_redis_config = defined?(Rails) && File.exist?(Rails.root.join('config', 'redis.yml'))
+    
+    <<~CONFIG
+      # frozen_string_literal: true
+
+      # Configuración de JWT Auth Cognito
+      # Generado automáticamente el #{Time.now.strftime('%Y-%m-%d %H:%M:%S')}
+
+      JwtAuthCognito.configure do |config|
+        # =============================================================================
+        # CONFIGURACIÓN DE AWS COGNITO
+        # =============================================================================
+        
+        # User Pool ID de tu Cognito (requerido)
+        config.cognito_user_pool_id = ENV['COGNITO_USER_POOL_ID']
+        
+        # Región de AWS donde está tu Cognito (requerido)
+        config.cognito_region = ENV['COGNITO_REGION'] || ENV['AWS_REGION'] || 'us-east-1'
+        
+        # Client ID de tu aplicación en Cognito (requerido para validación de audiencia)
+        config.cognito_client_id = ENV['COGNITO_CLIENT_ID']
+        
+        # Client Secret de tu aplicación en Cognito (opcional, para mayor seguridad)
+        # Si tu User Pool App Client está configurado con client secret, esto es requerido
+        config.cognito_client_secret = ENV['COGNITO_CLIENT_SECRET']
+
+        # =============================================================================
+        # CONFIGURACIÓN DE REDIS (para blacklist de tokens)
+        # =============================================================================
+        
+      #{redis_config_section(has_redis_config)}
+        
+        # Configuración de timeouts para Redis
+        config.redis_timeout = ENV['REDIS_TIMEOUT']&.to_i || 5
+        config.redis_connect_timeout = ENV['REDIS_CONNECT_TIMEOUT']&.to_i || 10
+        config.redis_read_timeout = ENV['REDIS_READ_TIMEOUT']&.to_i || 10
+
+        # =============================================================================
+        # CONFIGURACIÓN TLS PARA REDIS (PRODUCCIÓN)
+        # =============================================================================
+        
+        # Configuración de certificados CA para Redis TLS
+        config.redis_ca_cert_path = ENV['REDIS_CA_CERT_PATH']
+        config.redis_ca_cert_name = ENV['REDIS_CA_CERT_NAME']
+        
+        # Control de versiones TLS
+        config.redis_tls_min_version = ENV['REDIS_TLS_MIN_VERSION'] || 'TLSv1.2'
+        config.redis_tls_max_version = ENV['REDIS_TLS_MAX_VERSION'] || 'TLSv1.3'
+        config.redis_verify_mode = ENV['REDIS_VERIFY_MODE'] || 'peer'
+
+        # =============================================================================
+        # CONFIGURACIÓN DE VALIDACIÓN
+        # =============================================================================
+        
+        # Modo de validación: :secure (producción) o :basic (desarrollo)
+        config.validation_mode = Rails.env.production? ? :secure : :basic
+        
+        # Tiempo de cache para claves JWKS (en segundos)
+        config.jwks_cache_ttl = ENV['JWKS_CACHE_TTL']&.to_i || 3600 # 1 hora
+      end
+    CONFIG
+  end
+
+  def redis_config_section(has_redis_config)
+    if has_redis_config
+      <<~REDIS_CONFIG
+        # Integración con configuración existente de Redis
+          begin
+            redis_config = Rails.application.config_for(:redis)
+            config.redis_host = redis_config[:host] || ENV['REDIS_HOST'] || 'localhost'
+            config.redis_port = redis_config[:port] || ENV['REDIS_PORT']&.to_i || 6379
+            config.redis_password = redis_config[:password] || ENV['REDIS_PASSWORD']
+            config.redis_db = redis_config[:db] || ENV['REDIS_DB']&.to_i || 0
+            config.redis_ssl = redis_config[:ssl] || ENV['REDIS_TLS'] == 'true'
+          rescue StandardError
+            # Fallback si config/redis.yml no existe o tiene problemas
+            config.redis_host = ENV['REDIS_HOST'] || 'localhost'
+            config.redis_port = ENV['REDIS_PORT']&.to_i || 6379
+            config.redis_password = ENV['REDIS_PASSWORD']
+            config.redis_db = ENV['REDIS_DB']&.to_i || 0
+            config.redis_ssl = ENV['REDIS_TLS'] == 'true'
+          end
+      REDIS_CONFIG
+    else
+      <<~REDIS_CONFIG
+        config.redis_host = ENV['REDIS_HOST'] || 'localhost'
+          config.redis_port = ENV['REDIS_PORT']&.to_i || 6379
+          config.redis_password = ENV['REDIS_PASSWORD']
+          config.redis_db = ENV['REDIS_DB']&.to_i || 0
+          config.redis_ssl = ENV['REDIS_TLS'] == 'true'
+      REDIS_CONFIG
+    end
+  end
+
+  def generate_env_content
+    <<~ENV_CONTENT
+
+      # JWT Auth Cognito - Configuración
+      COGNITO_USER_POOL_ID=us-east-1_tu_user_pool_id
+      COGNITO_REGION=us-east-1
+      COGNITO_CLIENT_ID=tu_cognito_client_id
+      COGNITO_CLIENT_SECRET=tu_cognito_client_secret
+
+      # Redis para blacklist de tokens
+      REDIS_HOST=localhost
+      REDIS_PORT=6379
+      REDIS_PASSWORD=tu_redis_password
+      REDIS_DB=0
+      REDIS_TLS=false
+
+      # Redis TLS (para producción)
+      REDIS_CA_CERT_PATH=/ruta/a/certificados
+      REDIS_CA_CERT_NAME=redis-ca.crt
+      REDIS_TLS_MIN_VERSION=TLSv1.2
+      REDIS_TLS_MAX_VERSION=TLSv1.3
+
+      # Configuración adicional
+      JWKS_CACHE_TTL=3600
+    ENV_CONTENT
+  end
+
+  def show_next_steps
+    puts "\n" + "=" * 60
+    puts "🎉 ¡Instalación de jwt_auth_cognito completada!"
+    puts "=" * 60
+    puts "\n📋 PRÓXIMOS PASOS:"
+    puts "\n1. 🔧 Configura las variables de entorno:"
+    puts "   - Edita .env (si usas dotenv) o configura variables del sistema"
+    puts "   - Como mínimo configura: COGNITO_USER_POOL_ID, COGNITO_REGION, COGNITO_CLIENT_ID"
+    
+    puts "\n2. 🧪 Prueba la configuración:"
+    puts "   rake jwt_auth_cognito:config          # Ver configuración actual"
+    puts "   rake jwt_auth_cognito:test_cognito    # Probar Cognito"
+    puts "   rake jwt_auth_cognito:test_redis      # Probar Redis"
+    
+    puts "\n3. 🚀 Reinicia tu aplicación Rails"
+    
+    puts "\n4. 📖 Usa la gema en tu código:"
+    puts "   validator = JwtAuthCognito::JwtValidator.new"
+    puts "   result = validator.validate_token(jwt_token)"
+    
+    puts "\n💡 Para más ejemplos, revisa el README de la gema"
+    puts "=" * 60
+  end
+end

metadata

@@ -0,0 +1,207 @@
+--- !ruby/object:Gem::Specification
+name: jwt_auth_cognito
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- The Optimal
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2025-06-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: redis
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.2.5
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 4.2.5
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: openssl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.1.0
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.17'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.17'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '13.0'
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: Gema Ruby para validar tokens JWT de AWS Cognito de forma offline con
+  funcionalidad de blacklist basada en Redis y soporte TLS completo
+email:
+- contact@theoptimal.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CLAUDE.md
+- Gemfile
+- LICENSE.txt
+- PUBLISH_GUIDE.md
+- README.md
+- Rakefile
+- jwt_auth_cognito.gemspec
+- lib/generators/jwt_auth_cognito/install_generator.rb
+- lib/generators/jwt_auth_cognito/templates/jwt_auth_cognito.rb.erb
+- lib/jwt_auth_cognito.rb
+- lib/jwt_auth_cognito/configuration.rb
+- lib/jwt_auth_cognito/jwks_service.rb
+- lib/jwt_auth_cognito/jwt_validator.rb
+- lib/jwt_auth_cognito/railtie.rb
+- lib/jwt_auth_cognito/redis_service.rb
+- lib/jwt_auth_cognito/token_blacklist_service.rb
+- lib/jwt_auth_cognito/version.rb
+- lib/tasks/jwt_auth_cognito.rake
+homepage: https://github.com/theoptimal/jwt-auth-cognito
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://github.com/theoptimal/jwt-auth-cognito
+  source_code_uri: https://github.com/theoptimal/jwt-auth-cognito
+  changelog_uri: https://github.com/theoptimal/jwt-auth-cognito/blob/main/CHANGELOG.md
+  documentation_uri: https://github.com/theoptimal/jwt-auth-cognito/blob/main/README.md
+  bug_tracker_uri: https://github.com/theoptimal/jwt-auth-cognito/issues
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 2.7.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key: 
+specification_version: 4
+summary: Validación offline de JWT con AWS Cognito y blacklist Redis
+test_files: []