jwt_keeper 2.0.0 → 3.0.0

data/lib/jwt_keeper/controller.rb

@@ -1,66 +1,69 @@
 module JWTKeeper
   module Controller
-    def self.included(klass)
-      klass.class_eval do
-        include InstanceMethods
-      end
-    end
+    extend ActiveSupport::Concern
 
-    module InstanceMethods
-      # Available to be used as a before_action by the application's controllers. This is
-      # the main logical section for decoding, and automatically rotating tokens
-      def require_authentication
-        token = authentication_token
-        return not_authenticated if token.nil?
+    module ClassMethods
+    end
 
-        if token.version_mismatch? || token.pending?
-          new_claims = regenerate_claims(token)
-          token.rotate(new_claims)
-          self.authentication_token = token
-        end
+    # Available to be used as a before_action by the application's controllers. This is
+    # the main logical section for decoding, and automatically rotating tokens
+    def require_authentication
+      token = read_authentication_token
 
-        authenticated(token)
+      if token.nil?
+        clear_authentication_token
+        return not_authenticated
       end
 
-      # Invoked by the require_authentication method as part of the automatic rotation
-      # process. The application should override this method to include the necessary
-      # claims.
-      def regenerate_claims(old_token)
+      if token.version_mismatch? || token.pending?
+        new_claims = regenerate_claims(token)
+        token.rotate(new_claims)
       end
 
-      # Moves the authentication_token from the request to the response
-      def respond_with_authentication
-        response.headers['Authorization'] = request.headers['Authorization']
-      end
+      write_authentication_token(token)
+      authenticated(token)
+    end
 
-      # Decodes and returns the token
-      def authentication_token
-        return nil unless request.headers['Authorization']
-        JWTKeeper::Token.find(request.headers['Authorization'].split.last)
-      end
+    # Decodes and returns the token
+    def read_authentication_token
+      return nil unless request.headers['Authorization']
+      @authentication_token ||=
+        JWTKeeper::Token.find(
+          request.headers['Authorization'].split.last,
+          cookies.signed['jwt_keeper']
+        )
+    end
 
-      # Assigns a token to the request to act as a single source of truth
-      def authentication_token=(token)
-        request.headers['Authorization'] = "Bearer #{token.to_jwt}"
-      end
+    # Encodes and writes the token
+    def write_authentication_token(token)
+      return clear_authentication_token if token.nil?
+      response.headers['Authorization'] = "Bearer #{token.to_jwt}"
+      cookies.signed['jwt_keeper'] = token.to_cookie
+      @authentication_token = token
+    end
 
-      # Used when a user tries to access a page while logged out, is asked to login,
-      # and we want to return him back to the page he originally wanted.
-      def redirect_back_or_to(url, flash_hash = {})
-        redirect_to(session[:return_to_url] || url, flash: flash_hash)
-        session[:return_to_url] = nil
-      end
+    # delets the authentication token
+    def clear_authentication_token
+      response.headers['Authorization'] = nil
+      cookies.delete('jwt_keeper')
+      @authentication_token = nil
+    end
 
-      # The default action for denying non-authenticated connections.
-      # You can override this method in your controllers
-      def not_authenticated
-        redirect_to root_path
-      end
+    # The default action for denying non-authenticated connections.
+    # You can override this method in your controllers
+    def not_authenticated
+      redirect_to root_path
+    end
 
-      # The default action for accepting authenticated connections.
-      # You can override this method in your controllers
-      def authenticated(token)
-      end
+    # The default action for accepting authenticated connections.
+    # You can override this method in your controllers
+    def authenticated(token)
+    end
+
+    # Invoked by the require_authentication method as part of the automatic rotation
+    # process. The application should override this method to include the necessary
+    # claims.
+    def regenerate_claims(old_token)
     end
   end
 end

data/lib/jwt_keeper/engine.rb

@@ -5,7 +5,7 @@ module JWTKeeper
   # The Sorcery engine takes care of extending ActiveRecord (if used) and ActionController,
   # With the plugin logic.
   class Engine < ::Rails::Engine
-    initializer 'extend Controller with keeper' do |_app|
+    initializer 'extend Controller with jwt_keeper' do |_app|
       ActionController::Base.send(:include, JWTKeeper::Controller)
     end
   end

data/lib/jwt_keeper/token.rb

@@ -1,10 +1,11 @@
 module JWTKeeper
   class Token
-    attr_accessor :claims
+    attr_accessor :claims, :cookie_secret
 
     # Initalizes a new web token
     # @param private_claims [Hash] the custom claims to encode
-    def initialize(private_claims = {})
+    def initialize(private_claims = {}, cookie_secret = nil)
+      @cookie_secret = cookie_secret
       @claims = {
         nbf: DateTime.now.to_i, # not before
         iat: DateTime.now.to_i, # issued at
@@ -18,17 +19,18 @@ module JWTKeeper
     # @param private_claims [Hash] the custom claims to encode
     # @return [Token] token object
     def self.create(private_claims)
-      new(private_claims)
+      cookie_secret = SecureRandom.hex(16) if JWTKeeper.configuration.cookie_lock
+      new(private_claims, cookie_secret)
     end
 
     # Decodes and validates an existing token
     # @param raw_token [String] the raw token
     # @return [Token] token object
-    def self.find(raw_token)
-      claims = decode(raw_token)
+    def self.find(raw_token, cookie_secret = nil)
+      claims = decode(raw_token, cookie_secret)
       return nil if claims.nil?
 
-      new_token = new(claims)
+      new_token = new(claims, cookie_secret)
       return nil if new_token.revoked?
       new_token
     end
@@ -60,8 +62,10 @@ module JWTKeeper
       revoke
 
       new_claims ||= claims.except(:iss, :aud, :exp, :nbf, :iat, :jti)
-      new_token = self.class.new(new_claims)
+      new_token = self.class.create(new_claims)
+
       @claims = new_token.claims
+      @cookie_secret = new_token.cookie_secret
       self
     end
 
@@ -98,7 +102,7 @@ module JWTKeeper
     # Checks if the token invalid?
     # @return [Boolean]
     def invalid?
-      self.class.decode(encode).nil? || revoked?
+      self.class.decode(encode, cookie_secret).nil? || revoked?
     end
 
     # Encodes the jwt
@@ -108,9 +112,18 @@ module JWTKeeper
     end
     alias to_s to_jwt
 
+    # Encodes the cookie
+    # @return [Hash]
+    def to_cookie
+      {
+        value: cookie_secret,
+        expires: Time.at(claims[:exp])
+      }.merge(JWTKeeper.configuration.cookie_options)
+    end
+
     # @!visibility private
-    def self.decode(raw_token)
-      JWT.decode(raw_token, JWTKeeper.configuration.secret, true,
+    def self.decode(raw_token, cookie_secret)
+      JWT.decode(raw_token, JWTKeeper.configuration.secret.to_s + cookie_secret.to_s, true,
                  algorithm: JWTKeeper.configuration.algorithm,
                  verify_iss: true,
                  verify_aud: true,
@@ -118,7 +131,6 @@ module JWTKeeper
                  verify_sub: false,
                  verify_jti: false,
                  leeway: 0,
-
                  iss: JWTKeeper.configuration.issuer,
                  aud: JWTKeeper.configuration.audience
                 ).first.symbolize_keys
@@ -131,7 +143,10 @@ module JWTKeeper
 
     # @!visibility private
     def encode
-      JWT.encode(claims, JWTKeeper.configuration.secret, JWTKeeper.configuration.algorithm)
+      JWT.encode(claims,
+                 JWTKeeper.configuration.secret.to_s + cookie_secret.to_s,
+                 JWTKeeper.configuration.algorithm
+                )
     end
   end
 end

data/lib/jwt_keeper/version.rb

@@ -1,4 +1,4 @@
 # Gem Version
 module JWTKeeper
-  VERSION = '2.0.0'.freeze
+  VERSION = '3.0.0'.freeze
 end

data/spec/lib/{keeper → jwt_keeper}/controller_spec.rb

@@ -6,8 +6,20 @@ RSpec.describe JWTKeeper do
 
     let(:token) { JWTKeeper::Token.create(claim: "Jet fuel can't melt steel beams") }
     subject(:test_controller) do
+      cookies_klass = Class.new(Hash) do
+        def signed
+          self
+        end
+      end
+
+      message_klass = Class.new(Hash) do
+        def headers
+          self
+        end
+      end
+
       instance = Class.new do
-        attr_accessor :request, :response
+        attr_accessor :request, :response, :cookies
         include RSpec::Mocks::ExampleMethods
         include JWTKeeper::Controller
 
@@ -27,20 +39,21 @@ RSpec.describe JWTKeeper do
         end
       end.new
 
-      instance.request =
-        instance_double('Request', headers: { 'Authorization' => "Bearer #{token}" })
-      instance.response =
-        instance_double('Response', headers: {})
+      instance.request  = message_klass.new
+      instance.response = message_klass.new
+      instance.cookies  = cookies_klass.new
+      instance.request['Authorization'] = "Bearer #{token}"
       instance
     end
 
     describe '#included' do
       it { is_expected.to respond_to(:require_authentication) }
-      it { is_expected.to respond_to(:authentication_token) }
-      it { is_expected.to respond_to(:authentication_token=) }
-      it { is_expected.to respond_to(:redirect_back_or_to) }
+      it { is_expected.to respond_to(:read_authentication_token) }
+      it { is_expected.to respond_to(:write_authentication_token) }
+      it { is_expected.to respond_to(:clear_authentication_token) }
       it { is_expected.to respond_to(:not_authenticated) }
       it { is_expected.to respond_to(:authenticated) }
+      it { is_expected.to respond_to(:regenerate_claims) }
     end
 
     describe '#require_authentication' do
@@ -56,7 +69,7 @@ RSpec.describe JWTKeeper do
 
         it 'does not rotates the token' do
           expect { subject.require_authentication }.to_not change {
-            subject.authentication_token.id
+            subject.read_authentication_token.id
           }
         end
       end
@@ -90,7 +103,7 @@ RSpec.describe JWTKeeper do
 
         it 'rotates the token' do
           expect { subject.require_authentication }.to change {
-            subject.authentication_token.id
+            subject.read_authentication_token.id
           }
         end
       end
@@ -108,7 +121,7 @@ RSpec.describe JWTKeeper do
 
         it 'rotates the token' do
           expect { subject.require_authentication }.to change {
-            subject.authentication_token.id
+            subject.read_authentication_token.id
           }
         end
       end
@@ -125,52 +138,27 @@ RSpec.describe JWTKeeper do
       end
 
       it 'is used to update the token claims on rotation' do
-        expect(subject.authentication_token.claims[:regenerate_claims]).to be nil
-        expect { subject.require_authentication }.to change(subject, :authentication_token)
-        expect(subject.authentication_token.claims[:regenerate_claims]).to be true
+        expect(subject.read_authentication_token.claims[:regenerate_claims]).to be nil
+        subject.require_authentication
+        expect(subject.read_authentication_token.claims[:regenerate_claims]).to be true
       end
     end
 
-    describe '#respond_with_authentication' do
-      before do
-        subject.authentication_token = token
+    describe '#clear_authentication_token' do
+      before :each do
+        subject.write_authentication_token(JWTKeeper::Token.create({}))
       end
 
-      it 'sets the reponses token with the authentication_token' do
-        subject.respond_with_authentication
-        expect(subject.response.headers['Authorization']).to eq "Bearer #{token}"
+      it 'clears the cookie' do
+        expect(subject.cookies.signed['jwt_keeper']).not_to be_nil
+        subject.clear_authentication_token
+        expect(subject.cookies.signed['jwt_keeper']).to be_nil
       end
-    end
 
-    describe '#authentication_token' do
-      context 'valid request in token' do
-        it 'returns the decoded token from the current request' do
-          expect(subject.authentication_token.claims[:claim]).to eq "Jet fuel can't melt steel beams"
-        end
-      end
-      context 'no token in request' do
-        before do
-          token = JWTKeeper::Token.create(exp: 3.hours.ago)
-          subject.request =
-            instance_double('Request', headers: { 'Authorization' => "Bearer #{token}" })
-        end
-
-        it 'returns nil' do
-          expect(subject.authentication_token).to be nil
-        end
-      end
-    end
-
-    describe '#redirect_back_or_to' do
-      let(:path) { 'http://www.example.com' }
-
-      before do
-        allow(test_controller).to receive(:redirect_to)
-      end
-
-      it 'it calls redirect_to' do
-        subject.redirect_back_or_to(path)
-        expect(subject).to have_received(:redirect_to).with(path, anything)
+      it 'clears the header' do
+        expect(subject.response.headers['Authorization']).not_to be_nil
+        subject.clear_authentication_token
+        expect(subject.response.headers['Authorization']).to be_nil
       end
     end
 

data/spec/lib/{keeper → jwt_keeper}/token_spec.rb

@@ -4,13 +4,19 @@ module JWTKeeper
   RSpec.describe Token do
     include_context 'initialize config'
     let(:private_claims) { { claim: "Jet fuel can't melt steel beams" } }
-    let(:raw_token)      { described_class.create(private_claims).to_jwt }
+    let(:token)          { described_class.create(private_claims) }
+    let(:raw_token)      { token.to_jwt }
 
     describe '.create' do
       subject { described_class.create(private_claims) }
 
       it { is_expected.to be_instance_of described_class }
       it { expect(subject.claims[:claim]).to eql private_claims[:claim] }
+
+      context 'with cookie_lock enabled' do
+        before { JWTKeeper.configure(JWTKeeper::Configuration.new(config.merge(cookie_lock: true))) }
+        it { expect(subject.cookie_secret).not_to be_empty }
+      end
     end
 
     describe '.find' do
@@ -21,15 +27,25 @@ module JWTKeeper
 
       context 'with invalid token' do
         let(:private_claims) { { exp: 1.hour.ago } }
-
         it { is_expected.to be nil }
       end
 
       context 'with revoked token' do
         before { described_class.find(raw_token).revoke }
+        it { is_expected.to be nil }
+      end
 
+      context 'with bad cookie' do
+        subject { described_class.find(raw_token, 'BAD_COOKIE') }
         it { is_expected.to be nil }
       end
+
+      context 'with valid cookie' do
+        before { JWTKeeper.configure(JWTKeeper::Configuration.new(config.merge(cookie_lock: true))) }
+        subject { described_class.find(raw_token, token.cookie_secret) }
+
+        it { is_expected.to be_instance_of described_class }
+      end
     end
 
     describe '.rotate' do
@@ -142,6 +158,7 @@ module JWTKeeper
     end
 
     describe '#rotate' do
+      before { JWTKeeper.configure(JWTKeeper::Configuration.new(config.merge(cookie_lock: true))) }
       let(:old_token) { described_class.create(private_claims) }
       let(:new_token) { old_token.dup.rotate }
       before { new_token }
@@ -149,13 +166,14 @@ module JWTKeeper
       it { expect(old_token).to be_invalid }
       it { expect(new_token).to be_valid }
       it { expect(old_token.claims[:claim]).to eq new_token.claims[:claim] }
+      it { expect(old_token.cookie_secret).not_to eq new_token.cookie_secret }
     end
 
     describe '#valid?' do
       subject { described_class.create(private_claims) }
 
       context 'when invalid' do
-        before { JWTKeeper.configure(JWTKeeper::Configuration.new(test_config.merge(expiry: -1.hours))) }
+        before { JWTKeeper.configure(JWTKeeper::Configuration.new(config.merge(expiry: -1.hours))) }
         it { is_expected.not_to be_valid }
       end
 
@@ -168,13 +186,26 @@ module JWTKeeper
       subject { described_class.create(private_claims) }
 
       context 'when invalid' do
-        before { JWTKeeper.configure(JWTKeeper::Configuration.new(test_config.merge(expiry: -1.hours))) }
+        before { JWTKeeper.configure(JWTKeeper::Configuration.new(config.merge(expiry: -1.hours))) }
         it { is_expected.to be_invalid }
       end
 
       context 'when valid' do
         it { is_expected.not_to be_invalid }
       end
+
+      context 'with cookie_lock enabled' do
+        before { JWTKeeper.configure(JWTKeeper::Configuration.new(config.merge(cookie_lock: true))) }
+
+        context 'when invalid' do
+          before { JWTKeeper.configure(JWTKeeper::Configuration.new(config.merge(expiry: -1.hours))) }
+          it { is_expected.to be_invalid }
+        end
+
+        context 'when valid' do
+          it { is_expected.not_to be_invalid }
+        end
+      end
     end
   end
 end

data/spec/lib/jwt_keeper_spec.rb

@@ -0,0 +1,29 @@
+require 'spec_helper'
+
+RSpec.describe JWTKeeper do
+  describe '#configure' do
+    let(:new_config) { { secret: '#configure-secret' } }
+
+    context 'without block' do
+      before do
+        described_class.configure(JWTKeeper::Configuration.new(new_config))
+      end
+
+      it 'sets the configuration based on param' do
+        expect(described_class.configuration.secret).to eql new_config[:secret]
+      end
+    end
+
+    context 'with block' do
+      before do
+        described_class.configure do |config|
+          config.secret = new_config[:secret]
+        end
+      end
+
+      it 'sets configuration based on the block' do
+        expect(described_class.configuration.secret).to eql new_config[:secret]
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -41,18 +41,20 @@ RSpec.configure do |config|
 end
 
 RSpec.shared_context 'initialize config' do
-  let(:test_config) do
+  let(:config) do
     {
       algorithm:        'HS256',
       secret:           'secret',
       expiry:           24.hours,
       issuer:           'api.example.com',
       audience:         'example.com',
-      redis_connection: Redis.new(url: ENV['REDIS_URL'])
+      redis_connection: Redis.new(url: ENV['REDIS_URL']),
+      version:          nil,
+      cookie_lock:      false
     }
   end
 
   before(:each) do
-    JWTKeeper.configure(JWTKeeper::Configuration.new(test_config))
+    JWTKeeper.configure(JWTKeeper::Configuration.new(config))
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: jwt_keeper
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 3.0.0
 platform: ruby
 authors:
 - David Rivera
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-04-21 00:00:00.000000000 Z
+date: 2016-04-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -212,8 +212,36 @@ files:
 - Rakefile
 - docker-compose.yml
 - example.env
+- example/.gitignore
+- example/Gemfile
+- example/Rakefile
+- example/app/controllers/application_controller.rb
+- example/app/controllers/sessions_controller.rb
+- example/bin/bundle
+- example/bin/rails
+- example/bin/rake
+- example/bin/setup
+- example/bin/spring
+- example/config.ru
+- example/config/application.rb
+- example/config/boot.rb
+- example/config/environment.rb
+- example/config/environments/development.rb
+- example/config/environments/production.rb
+- example/config/environments/test.rb
+- example/config/initializers/backtrace_silencer.rb
+- example/config/initializers/cookies_serializer.rb
+- example/config/initializers/filter_parameter_logging.rb
+- example/config/initializers/jwt_keeper.rb
+- example/config/initializers/session_store.rb
+- example/config/initializers/wrap_parameters.rb
+- example/config/locales/en.yml
+- example/config/routes.rb
+- example/config/secrets.yml
+- example/example.env
+- example/log/.keep
 - jwt_keeper.gemspec
-- lib/generators/keeper/install/install_generator.rb
+- lib/generators/jwt_keeper/install/install_generator.rb
 - lib/generators/templates/jwt_keeper.rb
 - lib/jwt_keeper.rb
 - lib/jwt_keeper/configuration.rb
@@ -223,11 +251,11 @@ files:
 - lib/jwt_keeper/exceptions.rb
 - lib/jwt_keeper/token.rb
 - lib/jwt_keeper/version.rb
-- spec/lib/keeper/configuration_spec.rb
-- spec/lib/keeper/controller_spec.rb
-- spec/lib/keeper/datastore_spec.rb
-- spec/lib/keeper/token_spec.rb
-- spec/lib/keeper_spec.rb
+- spec/lib/jwt_keeper/configuration_spec.rb
+- spec/lib/jwt_keeper/controller_spec.rb
+- spec/lib/jwt_keeper/datastore_spec.rb
+- spec/lib/jwt_keeper/token_spec.rb
+- spec/lib/jwt_keeper_spec.rb
 - spec/spec_helper.rb
 homepage: https://github.com/sirwolfgang/jwt_keeper
 licenses:
@@ -254,10 +282,10 @@ signing_key:
 specification_version: 4
 summary: JWT for Rails made easy
 test_files:
-- spec/lib/keeper/configuration_spec.rb
-- spec/lib/keeper/controller_spec.rb
-- spec/lib/keeper/datastore_spec.rb
-- spec/lib/keeper/token_spec.rb
-- spec/lib/keeper_spec.rb
+- spec/lib/jwt_keeper/configuration_spec.rb
+- spec/lib/jwt_keeper/controller_spec.rb
+- spec/lib/jwt_keeper/datastore_spec.rb
+- spec/lib/jwt_keeper/token_spec.rb
+- spec/lib/jwt_keeper_spec.rb
 - spec/spec_helper.rb
 has_rdoc: 

data/spec/lib/keeper_spec.rb

@@ -1,38 +0,0 @@
-require 'spec_helper'
-
-RSpec.describe JWTKeeper do
-  describe '#configure' do
-    let(:test_config) do
-      {
-        algorithm:        'HS256',
-        secret:           'secret',
-        expiry:           24.hours,
-        issuer:           'api.example.com',
-        audience:         'example.com',
-        redis_connection: Redis.new(url: ENV['REDIS_URL'])
-      }
-    end
-
-    context 'without block' do
-      before do
-        described_class.configure(JWTKeeper::Configuration.new(test_config))
-      end
-
-      it 'sets the configuration based on param' do
-        expect(described_class.configuration.secret).to eql test_config[:secret]
-      end
-    end
-
-    context 'with block' do
-      before do
-        described_class.configure do |config|
-          config.secret = test_config[:secret]
-        end
-      end
-
-      it 'sets configuration based on the block' do
-        expect(described_class.configuration.secret).to eql test_config[:secret]
-      end
-    end
-  end
-end