jwt_auth_cognito 1.0.0.pre.beta.2 → 1.0.0.pre.beta.3
- checksums.yaml +4 -4
- data/.rubocop.yml +3 -0
- data/CHANGELOG.md +12 -0
- data/CLAUDE.md +6 -0
- data/lib/jwt_auth_cognito/jwt_validator.rb +8 -0
- data/lib/jwt_auth_cognito/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 87913fe629cb36042e7d267bbb0cf3a814a8eb1289971a7192f600be8cf781b3
|
4
|
+
data.tar.gz: fe5b1f73de56acc80cc5f646a095093436255ee3b857534d6f5db2b0c34c2274
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 41826e498618bd98a002e66a4f015610249645a15652528b540545114af8d8336c52f6186edc9a85dcd23159798ed6fdbd8f3038073704ef5fa9c61ec03ed0cf
|
7
|
+
data.tar.gz: 643d331d2b80d775d7011f86d1a76614425064d36e0513dc50e18a3a96fb1757c71a13303690d017743d70c1c783c60bd532c060f6b4299c64145855cb8eb98b
|
data/.rubocop.yml
CHANGED
data/CHANGELOG.md
CHANGED
@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
7
7
|
|
8
8
|
## [Unreleased]
|
9
9
|
|
10
|
+
## [1.0.0-beta.3] - 2025-01-16
|
11
|
+
|
12
|
+
### Fixed
|
13
|
+
|
14
|
+
- **System API Key Bypass**: Fixed appId validation to correctly bypass for system API keys
|
15
|
+
- System API keys now have transversal access to all applications as intended
|
16
|
+
- App API keys continue to be restricted to their specific application
|
17
|
+
- Uses existing `can_access_app?` method from `ApiKeyValidator` for consistent logic
|
18
|
+
- Maintains security while allowing system-level administrative access
|
19
|
+
|
20
|
+
## [1.0.0-beta.2] - 2025-01-16
|
21
|
+
|
10
22
|
### Improved
|
11
23
|
|
12
24
|
- **Documentation Enhancement**: Added Redis configuration documentation to main usage patterns
|
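Review bot: the new 1.0.0-beta.3 "Fixed" entry says the change "Maintains security" but never states what a system-scoped key now skips; add one line such as "system keys skip the per-user application check (the `sub`-based validation) and are only subject to `can_access_app?`" so operators can judge the blast radius of a system key from the changelog alone.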
data/CLAUDE.md
CHANGED
@@ -145,6 +145,12 @@ ENV['REDIS_CA_CERT'] = "-----BEGIN CERTIFICATE-----..."
|
|
145
145
|
- **Backward Compatibility**: All functionality works without client secret configuration
|
146
146
|
- **Security Integration**: Secret hash automatically included in blacklist operations when configured
|
147
147
|
|
148
|
+
### System API Key Support
|
149
|
+
- **System API Key Bypass**: API keys with scope 'system' can access any application (transversal access)
|
150
|
+
- **App API Key Restrictions**: API keys with scope 'app' are restricted to their specific application
|
151
|
+
- **Automatic Detection**: Uses existing `can_access_app?` method from `ApiKeyValidator` for consistent logic
|
152
|
+
- **Security Maintained**: Preserves security boundaries while enabling administrative functionality
|
153
|
+
|
148
154
|
## 🚀 Main Usage Pattern with Redis Connection
|
149
155
|
|
150
156
|
### ✨ Complete Setup with Redis Connection
|
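Review bot: the "Automatic Detection" bullet under "System API Key Support" is mislabelled: what it describes is a scope-based authorization check through `can_access_app?`, not detection. Rename it (e.g. "Scope Check") and state that the `scope` value is read from the stored API key record, not from anything the caller supplies, since that is the property the bypass relies on.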
@@ -420,6 +420,14 @@ module JwtAuthCognito
|
|
420
420
|
|
421
421
|
return { valid: true } unless app_id
|
422
422
|
|
423
|
+
# Check API key access to the application using existing logic
|
424
|
+
api_key_data_symbolized = api_key_data.transform_keys(&:to_sym)
|
425
|
+
return { valid: false, error: "API key does not have access to application #{app_id}" } unless @api_key_validator.can_access_app?(api_key_data_symbolized, app_id)
|
426
|
+
|
427
|
+
# System API keys can access any application (bypass user validation)
|
428
|
+
return { valid: true } if api_key_data['scope'] == 'system'
|
429
|
+
|
430
|
+
# For non-system API keys, verify user has access to the application
|
423
431
|
user_id = payload['sub']
|
424
432
|
return { valid: false, error: 'Token missing user ID (sub claim)' } unless user_id
|
425
433
|
|
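Review bot: the hunk reads the scope from two differently keyed hashes: `api_key_data_symbolized` is built for `can_access_app?`, but the bypass then checks `api_key_data['scope'] == 'system'` on the original, string-keyed hash. If `api_key_data` ever arrives with symbol keys the lookup is `nil`, the bypass silently does not apply and the `sub` check runs instead; use the one hash consistently, e.g. `return { valid: true } if api_key_data_symbolized[:scope] == 'system'`. Also note that the early return happens before `user_id = payload['sub']` is checked, so a token with no subject is accepted on the system path; if that is intended, say so in a comment and consider an audit log line at that return, since this hunk is the jwt_validator.rb change listed in the summary (+8 lines) even though the rendered page shows it under the CLAUDE.md header.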