jwt_auth_cognito 1.0.0.pre.beta.1 → 1.0.0.pre.beta.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4b2b634f054c3fc1bfda6e0e63ffca5138547b23b11eff699faf23152491764a
-  data.tar.gz: df5e63158c0ac35b9530dc09ce74cf207a08897a8480c1aa5bcb1b9c177bd6e3
+  metadata.gz: 87913fe629cb36042e7d267bbb0cf3a814a8eb1289971a7192f600be8cf781b3
+  data.tar.gz: fe5b1f73de56acc80cc5f646a095093436255ee3b857534d6f5db2b0c34c2274
 SHA512:
-  metadata.gz: 034cd66eeb8c72a3446f32a74f1f73b17e78c4c24f566c2bbaacb017568d4e73faee63c9c53c4aecd658b11ee472d8912a9e87da1695a869590210b8c820b2ae
-  data.tar.gz: f00152cc1067ebda1630768f93ab7fb5053372c13e67b94ef08f6cdc5fde421e008c326c6ea454d0839b71b525dbf1daf16a94aa14fbb759ceb07dd150cd9477
+  metadata.gz: 41826e498618bd98a002e66a4f015610249645a15652528b540545114af8d8336c52f6186edc9a85dcd23159798ed6fdbd8f3038073704ef5fa9c61ec03ed0cf
+  data.tar.gz: 643d331d2b80d775d7011f86d1a76614425064d36e0513dc50e18a3a96fb1757c71a13303690d017743d70c1c783c60bd532c060f6b4299c64145855cb8eb98b

data/.rubocop.yml

@@ -75,4 +75,7 @@ Metrics/CyclomaticComplexity:
   Enabled: false
 
 Metrics/PerceivedComplexity:
+  Enabled: false
+
+Metrics/ClassLength:
   Enabled: false

data/CHANGELOG.md

@@ -7,6 +7,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.0.0-beta.3] - 2025-01-16
+
+### Fixed
+
+- **System API Key Bypass**: Fixed appId validation to correctly bypass for system API keys
+  - System API keys now have transversal access to all applications as intended
+  - App API keys continue to be restricted to their specific application
+  - Uses existing `can_access_app?` method from `ApiKeyValidator` for consistent logic
+  - Maintains security while allowing system-level administrative access
+
+## [1.0.0-beta.2] - 2025-01-16
+
+### Improved
+
+- **Documentation Enhancement**: Added Redis configuration documentation to main usage patterns
+  - Updated README.md with complete Redis connection setup in factory method
+  - Enhanced CLAUDE.md with Redis configuration in the main usage pattern
+  - Improved clarity on how to connect Redis for token blacklisting and user data enrichment
+
 ## [0.3.0] - 2024-01-15
 
 ### Added

data/CLAUDE.md

@@ -145,6 +145,56 @@ ENV['REDIS_CA_CERT'] = "-----BEGIN CERTIFICATE-----..."
 - **Backward Compatibility**: All functionality works without client secret configuration
 - **Security Integration**: Secret hash automatically included in blacklist operations when configured
 
+### System API Key Support
+- **System API Key Bypass**: API keys with scope 'system' can access any application (transversal access)
+- **App API Key Restrictions**: API keys with scope 'app' are restricted to their specific application
+- **Automatic Detection**: Uses existing `can_access_app?` method from `ApiKeyValidator` for consistent logic
+- **Security Maintained**: Preserves security boundaries while enabling administrative functionality
+
+## 🚀 Main Usage Pattern with Redis Connection
+
+### ✨ Complete Setup with Redis Connection
+
+```ruby
+# Create validator with Redis connection for blacklist and user data
+validator = JwtAuthCognito.create_cognito_validator(
+  region: 'us-east-1',
+  user_pool_id: 'us-east-1_ExamplePool',
+  client_id: 'your-client-id',
+  client_secret: 'your-client-secret', # Optional
+  redis_config: {
+    # Redis configuration for token blacklisting and user data enrichment
+    host: ENV['REDIS_HOST'] || 'localhost',
+    port: ENV['REDIS_PORT']&.to_i || 6379,
+    password: ENV['REDIS_PASSWORD'],
+    db: ENV['REDIS_DB']&.to_i || 0,
+
+    # TLS configuration for secure connections
+    tls: ENV['REDIS_TLS'] == 'true',
+    ca_cert_path: ENV['REDIS_CA_CERT_PATH'],
+    ca_cert_name: ENV['REDIS_CA_CERT_NAME'],
+    verify_mode: ENV['REDIS_VERIFY_MODE'] || 'peer'
+  },
+  enable_user_data_retrieval: true
+)
+
+# Initialize Redis connection and services
+validator.initialize!
+
+# 🌟 Main validation method with complete functionality
+result = validator.validate_token_enriched(token)
+
+if result[:valid]
+  puts "✅ Valid token:"
+  puts "User: #{result[:sub]}"
+  puts "Permissions: #{result[:user_permissions]}"
+  puts "Organizations: #{result[:user_organizations]}"
+  puts "Applications: #{result[:applications]}"
+else
+  puts "❌ Invalid token: #{result[:error]}"
+end
+```
+
 ## Environment Configuration
 
 The gem supports extensive environment variable configuration for deployment flexibility:
@@ -152,7 +202,7 @@ The gem supports extensive environment variable configuration for deployment fle
 ### AWS Cognito Configuration
 ```bash
 COGNITO_REGION=us-east-1
-COGNITO_USER_POOL_ID=us-east-1_AbCdEfGhI  
+COGNITO_USER_POOL_ID=us-east-1_AbCdEfGhI
 COGNITO_CLIENT_ID=your-client-id
 COGNITO_CLIENT_SECRET=your-client-secret  # Optional for enhanced security
 ```

data/README.md

@@ -162,21 +162,41 @@ end
 ### Factory Method para Configuración Simplificada (Nuevo v0.3.0)
 
 ```ruby
-# Crear validador con una línea
+# Crear validador con conexión Redis completa
 validator = JwtAuthCognito.create_cognito_validator(
   region: 'us-east-1',
   user_pool_id: 'us-east-1_ExamplePool',
   client_id: 'your-client-id',
   redis_config: {
-    host: 'localhost',
-    port: 6379,
-    tls: true
+    # Configuración básica de Redis
+    host: ENV['REDIS_HOST'] || 'localhost',
+    port: ENV['REDIS_PORT']&.to_i || 6379,
+    password: ENV['REDIS_PASSWORD'],
+    db: ENV['REDIS_DB']&.to_i || 0,
+
+    # Configuración TLS para conexiones seguras
+    tls: ENV['REDIS_TLS'] == 'true',
+    ca_cert_path: ENV['REDIS_CA_CERT_PATH'],
+    ca_cert_name: ENV['REDIS_CA_CERT_NAME']
   },
   enable_user_data_retrieval: true
 )
 
-# Usar inmediatamente
+# Inicializar conexiones (incluye Redis)
+validator.initialize!
+
+# Usar inmediatamente con validación enriquecida
 result = validator.validate_token_enriched(token)
+
+if result[:valid]
+  puts "✅ Token válido con datos enriquecidos:"
+  puts "Usuario: #{result[:sub]}"
+  puts "Permisos: #{result[:user_permissions]}"
+  puts "Organizaciones: #{result[:user_organizations]}"
+  puts "Aplicaciones: #{result[:applications]}"
+else
+  puts "❌ Token inválido: #{result[:error]}"
+end
 ```
 
 ### Manejo Mejorado de Errores (Nuevo v0.3.0)

data/lib/jwt_auth_cognito/jwt_validator.rb

@@ -420,6 +420,14 @@ module JwtAuthCognito
 
       return { valid: true } unless app_id
 
+      # Check API key access to the application using existing logic
+      api_key_data_symbolized = api_key_data.transform_keys(&:to_sym)
+      return { valid: false, error: "API key does not have access to application #{app_id}" } unless @api_key_validator.can_access_app?(api_key_data_symbolized, app_id)
+
+      # System API keys can access any application (bypass user validation)
+      return { valid: true } if api_key_data['scope'] == 'system'
+
+      # For non-system API keys, verify user has access to the application
       user_id = payload['sub']
       return { valid: false, error: 'Token missing user ID (sub claim)' } unless user_id
 

data/lib/jwt_auth_cognito/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JwtAuthCognito
-  VERSION = '1.0.0-beta.1'
+  VERSION = '1.0.0-beta.3'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt_auth_cognito
 version: !ruby/object:Gem::Version
-  version: 1.0.0.pre.beta.1
+  version: 1.0.0.pre.beta.3
 platform: ruby
 authors:
 - The Optimal
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-09-15 00:00:00.000000000 Z
+date: 2025-09-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-ssm