jwt_auth_cognito 1.0.0.pre.beta.13 → 1.0.0.pre.beta.14
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +21 -0
- data/README.md +2 -0
- data/lib/jwt_auth_cognito/redis_service.rb +4 -1
- data/lib/jwt_auth_cognito/version.rb +1 -1
- data/lib/jwt_auth_cognito.rb +5 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 77eed5e47f35c5f0a7e693bab6c09e70cf2ea950670273d203ff3611d94b8a70
|
|
4
|
+
data.tar.gz: 21a499f3e1ad917bf9587cd8695e2dc44cceb7fb77f3ada93185ae2ed855c0d7
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 2fb3defb3e11e9cc318ac1d387cf58c99fa6b1b3152bc34841db21645fb6a6fa67ab99af956fb4fd539aeaa44132df9994bc55256f9bb4412e30ebd112801c6a
|
|
7
|
+
data.tar.gz: cba58be12f1fd5dfe1d199a83e27e60fa851bedfd1b39a2d7b8a0f6c2669c99c9f4459fbe6390977aef177c1c797abecd83ffb447e966615d6556ac8192acf3c
|
data/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [1.0.0-beta.14] - 2026-06-18
|
|
11
|
+
|
|
12
|
+
### Changed
|
|
13
|
+
|
|
14
|
+
- **`create_cognito_validator` enables identity enrichment by default.** The
|
|
15
|
+
convenience constructor always receives the region, so
|
|
16
|
+
`validate(token, enrich_user_data: true)` now returns `payload['email']`
|
|
17
|
+
without extra setup. Pass `enable_user_identity_enrichment: false` to opt out.
|
|
18
|
+
The `configure` + `JwtValidator.new` path stays opt-in (gated on
|
|
19
|
+
`config.enable_user_identity_enrichment`), since it may run without Cognito
|
|
20
|
+
network access. Mirrors the npm package's `createCognitoValidatorAsync` default.
|
|
21
|
+
|
|
22
|
+
### Fixed
|
|
23
|
+
|
|
24
|
+
- **`RedisService#set` hardened against `SETEX key 0`**: `0` is truthy in Ruby, so
|
|
25
|
+
`set(key, value, 0)` would have issued `SETEX key 0` (rejected by Redis with
|
|
26
|
+
"ERR invalid expire time"). `set` now attaches an expiry only for a positive TTL;
|
|
27
|
+
a nil/non-positive ttl persists the key with a plain `SET`. Current callers were
|
|
28
|
+
unaffected (`update_last_used` passes no TTL); this prevents the footgun and
|
|
29
|
+
matches the npm package's `RedisService.set` behavior.
|
|
30
|
+
|
|
10
31
|
## [1.0.0-beta.13] - 2026-06-17
|
|
11
32
|
|
|
12
33
|
### Added
|
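Review bot: The `### Changed` entry for `create_cognito_validator` does not say that the new default makes `validate(token, enrich_user_data: true)` depend on Cognito network access for callers who never set the flag, even though that dependency is the reason the same entry gives for keeping the `configure` + `JwtValidator.new` path opt-in. Suggest stating it explicitly and marking the entry as a behaviour change for existing callers, since `payload['email']` will now appear in payloads that previously had none.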
data/README.md
CHANGED
|
@@ -120,6 +120,8 @@ Estas opciones permiten control granular sobre qué características están acti
|
|
|
120
120
|
|
|
121
121
|
Los **access tokens de Cognito NO incluyen `email`** (solo los ID tokens lo traen). Si tu backend valida el access token y necesita el email (p. ej. para trazabilidad/logging), habilita `enable_user_identity_enrichment`. La gema obtiene los atributos del usuario con `GetUser` —autorizado por el propio scope `aws.cognito.signin.user.admin` del access token, **sin credenciales AWS IAM**— y los fusiona en el `payload`.
|
|
122
122
|
|
|
123
|
+
> **Con `create_cognito_validator(...)` está activado por defecto** (ese constructor siempre recibe la región): `validate(token, enrich_user_data: true)` ya trae `payload['email']`. Para desactivarlo pasa `enable_user_identity_enrichment: false`. El path `configure` + `JwtValidator.new` de abajo sí requiere el flag explícito (puede correr sin acceso de red a Cognito).
|
|
124
|
+
|
|
123
125
|
```ruby
|
|
124
126
|
JwtAuthCognito.configure do |config|
|
|
125
127
|
config.cognito_region = 'us-east-1'
|
|
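Review bot: The added blockquote says enrichment is on by default for `create_cognito_validator(...)` but not what happens when `GetUser` cannot be served, for example when the access token lacks the `aws.cognito.signin.user.admin` scope that the preceding paragraph says authorizes the call. Now that callers get this without opting in, document whether `validate` fails or returns a payload without `email` in that case, so that nobody treats `payload['email']` as always present.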
@@ -105,7 +105,10 @@ module JwtAuthCognito
|
|
|
105
105
|
|
|
106
106
|
def set(key, value, ttl = nil)
|
|
107
107
|
connect_redis
|
|
108
|
-
|
|
108
|
+
# Only attach an expiry for a positive TTL. A nil or non-positive ttl (note:
|
|
109
|
+
# 0 is truthy in Ruby) means a persistent key — `SETEX key 0` is rejected by
|
|
110
|
+
# Redis with "ERR invalid expire time", so fall back to a plain SET.
|
|
111
|
+
if ttl&.positive?
|
|
109
112
|
@redis.setex(key, ttl, value)
|
|
110
113
|
else
|
|
111
114
|
@redis.set(key, value)
|
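Review bot: In `set`, `if ttl&.positive?` sends a zero or negative `ttl` to the `else` branch, so `@redis.set(key, value)` writes a key that never expires. That avoids the `SETEX key 0` error, but it turns an already-elapsed lifetime (for instance a TTL a caller computes from a token's remaining validity) into permanent storage. Consider reserving the plain `SET` for `ttl.nil?` and raising `ArgumentError`, or skipping the write, for a non-positive value. Separately, `positive?` assumes a Numeric: a TTL that arrives as a String would raise `NoMethodError` here, so coerce with `Integer(ttl)` before the check.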
data/lib/jwt_auth_cognito.rb
CHANGED
|
@@ -42,9 +42,13 @@ module JwtAuthCognito
|
|
|
42
42
|
end
|
|
43
43
|
|
|
44
44
|
# Convenience factory method to create a Cognito validator
|
|
45
|
+
# Convenience constructor. Identity enrichment (email on access tokens) is ON
|
|
46
|
+
# by default here because the region is always provided; pass
|
|
47
|
+
# enable_user_identity_enrichment: false to opt out. (The configure +
|
|
48
|
+
# JwtValidator.new path keeps it opt-in, gated on config.enable_user_identity_enrichment.)
|
|
45
49
|
def self.create_cognito_validator(region:, user_pool_id:, client_id: nil, client_secret: nil, redis_config: {},
|
|
46
50
|
enable_api_key_validation: false, enable_user_data_retrieval: false,
|
|
47
|
-
enable_user_identity_enrichment:
|
|
51
|
+
enable_user_identity_enrichment: true)
|
|
48
52
|
old_config = configuration.dup
|
|
49
53
|
|
|
50
54
|
configure do |config|
|
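Review bot: Changing the keyword default to `enable_user_identity_enrichment: true` in the `create_cognito_validator` signature alters behaviour for every existing caller that omitted the keyword, and nothing in this hunk shows a test covering either the new default or the `false` opt-out. Suggest adding specs for both cases and having the comment state that the default implies a `GetUser` call to Cognito. As a style point, the retained line `# Convenience factory method to create a Cognito validator` now sits directly above the new `# Convenience constructor.` comment and says the same thing; drop one of them.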
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: jwt_auth_cognito
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.0.pre.beta.
|
|
4
|
+
version: 1.0.0.pre.beta.14
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- The Optimal
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2026-06-
|
|
11
|
+
date: 2026-06-18 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-cognitoidentityprovider
|