jwt_auth_cognito 1.0.0.pre.beta.8 → 1.0.0.pre.beta.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +26 -0
- data/README.md +3 -7
- data/lib/jwt_auth_cognito/jwks_service.rb +11 -28
- data/lib/jwt_auth_cognito/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5ec0550d58a587e152aa1a4c41cfce13691bb016f0b12e4525a671bc7fda153b
|
|
4
|
+
data.tar.gz: 77a05aeb998b6bdeb8df90ffc93a78a3ad1c3565aeda43d4bdcf069713bb6295
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5a5f6a72cfebb9e1f805ba53b3561c544b2afc18f993af0759da596c02401e6bda2725a58837e2b5db1b818a5f44ae730c8b9057aa0a481530e8f3c035b70ae1
|
|
7
|
+
data.tar.gz: 21e84bde860ae1d70dce2ecf5d32a40bcd6fb18af8eb815de9c6079de7996a9a488871c3b91eca0fd649c41d900863c155948e9c96caff507c75b3de3b9110b1
|
data/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [1.0.0-beta.9] - 2025-01-22
|
|
11
|
+
|
|
12
|
+
### Fixed
|
|
13
|
+
|
|
14
|
+
- **JWKS OpenSSL Compatibility**: Complete reimplementation of JWK handling to eliminate OpenSSL version compatibility issues
|
|
15
|
+
- Replaced manual JWK to PEM conversion with JWT gem's native JWK support
|
|
16
|
+
- Removed complex OpenSSL version-specific fallback logic (40+ lines → 8 lines)
|
|
17
|
+
- Eliminates "undefined method 'n=' for OpenSSL::PKey::RSA" and "set_key= is incompatible with OpenSSL 3.0" errors
|
|
18
|
+
- Uses `JWT::JWK.import()` for robust, library-managed key conversion
|
|
19
|
+
- Aligned approach with Node.js jwt-auth-package implementation for consistency
|
|
20
|
+
|
|
21
|
+
- **TLS Configuration**: Removed problematic TLS versioning from Redis SSL configuration
|
|
22
|
+
- Eliminated redis_tls_min_version and redis_tls_max_version parameters
|
|
23
|
+
- Simplified SSL configuration to focus on certificate validation and verify mode
|
|
24
|
+
- Resolves "unrecognized version TLSv1_2" errors
|
|
25
|
+
- Maintains backward compatibility with existing Redis SSL setups
|
|
26
|
+
|
|
27
|
+
### Improved
|
|
28
|
+
|
|
29
|
+
- **Code Quality**: Significantly simplified and more maintainable JWKS implementation
|
|
30
|
+
- Reduced complexity and eliminated OpenSSL version-specific code paths
|
|
31
|
+
- Better error handling with specific JWT::JWKError exceptions
|
|
32
|
+
- Enhanced reliability by leveraging well-tested JWT gem capabilities
|
|
33
|
+
- All tests passing (74 examples, 0 failures)
|
|
34
|
+
- RuboCop compliant with no style violations
|
|
35
|
+
|
|
10
36
|
## [1.0.0-beta.6] - 2025-01-22
|
|
11
37
|
|
|
12
38
|
### Fixed
|
data/README.md
CHANGED
|
@@ -5,7 +5,7 @@ Una gema Ruby para validar tokens JWT de AWS Cognito de forma offline con funcio
|
|
|
5
5
|
## Características
|
|
6
6
|
|
|
7
7
|
- **Validación JWT Offline**: Valida tokens JWT de Cognito sin llamar a las APIs de AWS
|
|
8
|
-
- **Soporte JWKS**: Recuperación automática y cache de claves públicas desde el endpoint JWKS de Cognito
|
|
8
|
+
- **Soporte JWKS**: Recuperación automática y cache de claves públicas desde el endpoint JWKS de Cognito con compatibilidad total OpenSSL
|
|
9
9
|
- **Blacklist de Tokens**: Gestión de revocación y blacklist de tokens basada en Redis con soporte TLS completo
|
|
10
10
|
- **Configuración Flexible**: Soporte para modos de validación seguro (producción) y básico (desarrollo)
|
|
11
11
|
- **Gestión de Tokens de Usuario**: Rastrear e invalidar todos los tokens de un usuario específico
|
|
@@ -53,9 +53,7 @@ JwtAuthCognito.configure do |config|
|
|
|
53
53
|
config.redis_ssl = true
|
|
54
54
|
config.redis_ca_cert_path = 'redis' # AWS SSM path
|
|
55
55
|
config.redis_ca_cert_name = 'ca-cert' # AWS SSM parameter name
|
|
56
|
-
config.
|
|
57
|
-
config.redis_tls_max_version = 'TLSv1.3'
|
|
58
|
-
config.redis_verify_mode = 'peer'
|
|
56
|
+
config.redis_verify_mode = 'peer' # 'peer' para validación estricta, 'none' para desarrollo
|
|
59
57
|
|
|
60
58
|
# Opcional: Configuraciones de cache y validación
|
|
61
59
|
config.jwks_cache_ttl = 3600 # 1 hora
|
|
@@ -88,9 +86,7 @@ REDIS_TLS=true
|
|
|
88
86
|
# Configuración TLS de Redis (compatible con auth-service)
|
|
89
87
|
REDIS_CA_CERT_PATH=redis # Para AWS SSM (path del parámetro)
|
|
90
88
|
REDIS_CA_CERT_NAME=ca-cert # Para AWS SSM (nombre del parámetro)
|
|
91
|
-
|
|
92
|
-
REDIS_TLS_MAX_VERSION=TLSv1_3
|
|
93
|
-
REDIS_VERIFY_MODE=peer
|
|
89
|
+
REDIS_VERIFY_MODE=peer # 'peer' para validación estricta, 'none' para desarrollo
|
|
94
90
|
|
|
95
91
|
# Configuración de cache
|
|
96
92
|
JWKS_CACHE_TTL=3600
|
|
@@ -66,8 +66,8 @@ module JwtAuthCognito
|
|
|
66
66
|
|
|
67
67
|
raise ValidationError, 'Key ID not found in JWKS' unless key_data
|
|
68
68
|
|
|
69
|
-
# Convert JWK to
|
|
70
|
-
public_key =
|
|
69
|
+
# Convert JWK to key using JWT gem's native support
|
|
70
|
+
public_key = jwk_to_key(key_data)
|
|
71
71
|
|
|
72
72
|
# Cache the key
|
|
73
73
|
@cache[kid] = public_key
|
|
@@ -93,33 +93,16 @@ module JwtAuthCognito
|
|
|
93
93
|
raise ValidationError, "Failed to fetch JWKS: #{e.message}"
|
|
94
94
|
end
|
|
95
95
|
|
|
96
|
-
def
|
|
97
|
-
#
|
|
98
|
-
|
|
99
|
-
e = base64url_decode(key_data['e'])
|
|
100
|
-
|
|
101
|
-
# Create RSA key using method compatible with OpenSSL 3.0+
|
|
102
|
-
n_bn = OpenSSL::BN.new(n, 2)
|
|
103
|
-
e_bn = OpenSSL::BN.new(e, 2)
|
|
104
|
-
|
|
105
|
-
# Use the new constructor that accepts modulus and exponent
|
|
106
|
-
key = OpenSSL::PKey::RSA.new
|
|
107
|
-
|
|
108
|
-
# For OpenSSL 3.0+ compatibility, use set_key method if available
|
|
109
|
-
if key.respond_to?(:set_key)
|
|
110
|
-
key.set_key(n_bn, e_bn, nil)
|
|
111
|
-
else
|
|
112
|
-
# Fallback for older OpenSSL versions
|
|
113
|
-
key.n = n_bn
|
|
114
|
-
key.e = e_bn
|
|
115
|
-
end
|
|
116
|
-
|
|
117
|
-
key
|
|
118
|
-
end
|
|
96
|
+
def jwk_to_key(key_data)
|
|
97
|
+
# Use JWT gem's native JWK support instead of manual OpenSSL conversion
|
|
98
|
+
# This eliminates OpenSSL version compatibility issues
|
|
119
99
|
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
100
|
+
jwk = JWT::JWK.import(key_data)
|
|
101
|
+
jwk.keypair
|
|
102
|
+
rescue JWT::JWKError => e
|
|
103
|
+
raise ValidationError, "Invalid JWK format: #{e.message}"
|
|
104
|
+
rescue StandardError => e
|
|
105
|
+
raise ValidationError, "Failed to convert JWK to key: #{e.message}"
|
|
123
106
|
end
|
|
124
107
|
|
|
125
108
|
def cache_valid?(kid)
|