jwt_keeper 2.0.0 → 3.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: bd966e0e79df17e42e2f825289387dcb9f386bde
-  data.tar.gz: 32aaa2f138fd3102ea431b3b244fc77e6736bf3a
+SHA256:
+  metadata.gz: b2c902b7848d7fe72b7ad437badc5cf549b299d4b2ae2dc9150b7f42d63855a3
+  data.tar.gz: 77a18a0cfeb2b198f13affa3792feaeb1235d5fa2f6ae599038bb3e2245b41b2
 SHA512:
-  metadata.gz: 842033c9c72f8c350a22c84075d78a8609beb43109bbfa10cb52eaea72034baa99609c862f2a6dc4d6866203c9ef15bfcabd091ef809d4b748fa5ee3519ee6b9
-  data.tar.gz: fca8a945722eace48870831e435e6628bd48a666dd7ced51d5066d0bee138b1837b9b838aded1b947464db5d4c73ddd9fa4211b7f39f97f022ae199551d3cde6
+  metadata.gz: bc177da58d088bdaeeba97049628d0908f05ef9bd717674a34b511a14e70289604a87647c01853ec3aeb988fb80cd95f4c4a96d0741a1133efc72f2138b9bd98
+  data.tar.gz: 97dde3b11a5584357028abb7d9523d548c53ccb8e0211a4b31089f177747c1d9fca7521bf4984837a540ec2c46080a51adacd30e322fcd4408e6d8d732cad21e

data/.rubocop.yml

@@ -1,8 +1,8 @@
 # inherit_from: .rubocop_todo.yml
 AllCops:
   Include:
-    - 'Gemfile'
-    - 'Rakefile'
+    - '**/Gemfile'
+    - '**/Rakefile'
     - '**/*.rake'
 Documentation:
   Enabled: false

data/.travis.yml

@@ -1,20 +1,26 @@
 language: ruby
+cache: bundler
 rvm:
-  - 2.0.0
-  - 2.1.8
-  - 2.2.4
-  - 2.3.0
+  - 2.4.5
+  - 2.5.3
+  - 2.6.1
   - ruby-head
 matrix:
   allow_failures:
     - rvm: ruby-head
-addons:
-  code_climate:
-    repo_token: f69bb189f348c1d7992d8ed8690d0a2c9c885c1aac45e2f4d48732034592b37b
 services:
   - redis-server
 env:
   global:
     - REDIS_URL=redis://localhost:6379
+    - CC_TEST_REPORTER_ID=f69bb189f348c1d7992d8ed8690d0a2c9c885c1aac45e2f4d48732034592b37b
+before_script:
+  - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
+  - chmod +x ./cc-test-reporter
+  - ./cc-test-reporter before-build
+script:
+  - bundle exec rspec
+after_script:
+  - ./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT
 notifications:
   email: false

data/Gemfile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 source 'https://rubygems.org'
 
 gemspec

data/README.md

@@ -1,4 +1,5 @@
 # JWT Keeper
+[![Gem Version](https://img.shields.io/gem/v/jwt_keeper.svg?maxAge=2592000)](https://rubygems.org/gems/jwt_keeper)
 [![Build Status](https://img.shields.io/travis/sirwolfgang/jwt_keeper/master.svg)](https://travis-ci.org/sirwolfgang/jwt_keeper)
 [![Dependency Status](https://img.shields.io/gemnasium/sirwolfgang/jwt_keeper.svg)](https://gemnasium.com/sirwolfgang/jwt_keeper)
 [![Code Climate](https://img.shields.io/codeclimate/github/sirwolfgang/jwt_keeper.svg)](https://codeclimate.com/github/sirwolfgang/jwt_keeper)
@@ -8,9 +9,9 @@
 An managing interface layer for handling the creation and validation of JWTs.
 
 ## Setup
- - Add `gem 'jwt_keeper', '~> 2.0'` to Gemfile
+ - Add `gem 'jwt_keeper'` to Gemfile
  - Run `rails generate keeper:install`
- - Configure `config/initializers/keeper.rb`
+ - Configure `config/initializers/jwt_keeper.rb`
  - Done
 
 ## Basic Usage
@@ -28,14 +29,15 @@ raw_token_string = token.to_jwt
 ```
 
 ## Rails Usage
-The designed rails token flow is to receive and respond to requests with the token being present in the `Authorization` part of the header. This is to allow us to seamlessly rotate the tokens on the fly without having to rebuff the request as part of the user flow. Automatic rotation happens as part of the `require_authentication` action, meaning that you will always get the latest token data as
-created by `generate_claims` in your controllers. This new token is added to the response with
-the `respond_with_authentication` action.
+The designed rails token flow is to receive and respond to requests with the token being present in the `Authorization` part of the header. This is to allow us to seamlessly rotate the tokens on the fly without having to rebuff the request as part of the user flow. Automatic rotation happens as part of the `require_authentication` action, meaning that you will always get the latest token data as created by `generate_claims` in your controllers. This new token is added to the response with the `write_authentication_token` action.
+
+```bash
+rake generate jwt_keeper:install
+```
 
 ```ruby
 class ApplicationController < ActionController::Base
   before_action :require_authentication
-  after_action :respond_with_authentication
 
   def not_authenticated
     # Overload to return status 401
@@ -47,7 +49,7 @@ class ApplicationController < ActionController::Base
 
   def regenerate_claims(old_token)
     # Overload to update claims on automatic rotation.
-    current_user = User.find(authentication_token.claims[:uid])
+    current_user = User.find(old_token.claims[:uid])
     { uid: current_user.id, usn: current_user.email }
   end
 end
@@ -56,22 +58,25 @@ end
 ```ruby
 class SessionsController < ApplicationController
   skip_before_action :require_authentication, only: :create
-  skip_after_action :respond_with_authentication, only: :destroy
 
   # POST /sessions
   def create
-    authentication_token = JWTKeeper::Token.create({ uid: @user.id, usn: @user.email })
+    token = JWTKeeper::Token.create(uid: @user.id, usn: @user.email)
+    write_authentication_token(token)
   end
 
   # PATCH/PUT /sessions
   def update
-    authentication_token = request_token.rotate(generate_claims)
+    token = read_authentication_token
+    token.rotate
+    write_authentication_token(token)
   end
 
   # DELETE /sessions
   def destroy
-    request_token.revoke
-    authentication_token = nil
+    token = read_authentication_token
+    token.revoke
+    clear_authentication_token
   end
 ```
 
@@ -81,3 +86,6 @@ Hard Invalidation is a permanent revocation of the token. The primary cases of t
 
 ### Soft Invalidation
 Soft Invalidation is the process of triggering a rotation upon the next time a token is seen in a request. On the global scale this is done when there is a version mismatch in the config. Utilizing the rails controller flow, this method works even if you have two different versions of your app deployed and requests bounce back and forth; Making rolling deployments and rollbacks completely seamless. To rotate a single token, like in the case of a change of user permissions, simply use the class(`Token.rotate`) method to flag the token for regeneration.
+
+## Cookie Locking
+Cookie locking is the practice of securing the JWT by pairing it with a secure/httponly cookie. When a JWT is created, part of the secret used to sign it is a one time generated key that is stored in a matching cookie. The cookie and JWT thus must be sent together to be considered valid. The effective result makes it extremely hard to hijack a session by stealing the JWT. This reduces the surface area of XSS considerably.

data/Rakefile

@@ -1,7 +1,11 @@
+# frozen_string_literal: true
+
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 
-RSpec::Core::RakeTask.new
+RSpec::Core::RakeTask.new(:spec) do |t|
+  t.rspec_opts = '--format documentation'
+end
 
 task default: :spec
 task test: :spec

data/jwt_keeper.gemspec

@@ -9,11 +9,11 @@ Gem::Specification.new do |spec|
   spec.authors       = ['David Rivera', 'Zane Wolfgang Pickett']
   spec.email         = ['david.r.rivera193@gmail.com', 'sirwolfgang@users.noreply.github.com']
   spec.summary       = 'JWT for Rails made easy'
-  spec.description   = 'It is a keeper'
+  spec.description   = 'A managing interface layer for handling the creation and validation of JWTs'
   spec.homepage      = 'https://github.com/sirwolfgang/jwt_keeper'
   spec.license       = 'MIT'
 
-  spec.files         = `git ls-files -z`.split("\x0")
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(/^example\//) }
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
@@ -23,14 +23,14 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'yard'
   spec.add_development_dependency 'rubocop'
   spec.add_development_dependency 'dotenv'
+  spec.add_development_dependency 'pry'
 
-  spec.add_development_dependency 'rspec', '~> 3.4'
+  spec.add_development_dependency 'rspec', '~> 3.8'
   spec.add_development_dependency 'fuubar'
   spec.add_development_dependency 'simplecov'
-  spec.add_development_dependency 'codeclimate-test-reporter'
 
-  spec.add_dependency 'redis', '~> 3.3'
-  spec.add_dependency 'rails', '~> 4.2'
-  spec.add_dependency 'activesupport', '~> 4.2'
-  spec.add_dependency 'jwt', '~> 1.5'
+  spec.add_dependency 'redis'
+  spec.add_dependency 'rails'
+  spec.add_dependency 'activesupport'
+  spec.add_dependency 'jwt', '>= 1.5'
 end

data/lib/generators/{keeper → jwt_keeper}/install/install_generator.rb

@@ -1,6 +1,6 @@
 require 'rails/generators/base'
 
-module JWTKeeper
+module JwtKeeper
   class InstallGenerator < Rails::Generators::Base
     source_root File.expand_path('../../../templates', __FILE__)
 
@@ -9,7 +9,7 @@ module JWTKeeper
     # @example Install
     #   rails generate keeper:install
     def copy_files
-      copy_file 'jwt_keeper.rb', 'config/initializers/keeper.rb'
+      copy_file 'jwt_keeper.rb', 'config/initializers/jwt_keeper.rb'
     end
   end
 end

data/lib/generators/templates/jwt_keeper.rb

@@ -1,6 +1,6 @@
 JWTKeeper.configure do |config|
   # The time to expire for the tokens
-  # config.expiry           = 24.hours
+  # config.expiry           = 1.hour
 
   # The hashing method to for the tokens
   # Options:
@@ -28,5 +28,16 @@ JWTKeeper.configure do |config|
   # config.redis_connection = Redis.new(connection_options)
 
   # A unique idenfitier for the token version.
-  # config.version = 1
+  # config.version          = 1
+
+  # Use a httponly/secure cookie secret to prevent session hijacking
+  # config.cookie_lock      = true
+
+  # Used to turn off TLS only mode on the cookie, for development mode. Defaults to true
+  # config.cookie_secure    = !(Rails.env.test? || Rails.env.development?)
+
+  # Used to limit or lock down the allowed domains for the jwt/cookie
+  # http://api.rubyonrails.org/classes/ActionDispatch/Cookies.html
+  # Defaults the value of :all
+  # config.cookie_domain    = :all
 end

data/lib/jwt_keeper/configuration.rb

@@ -7,7 +7,10 @@ module JWTKeeper
       issuer:           'api.example.com',
       audience:         'example.com',
       redis_connection: nil,
-      version:          nil
+      version:          nil,
+      cookie_lock:      false,
+      cookie_secure:    true,
+      cookie_domain:    :all
     }.freeze
 
     # Creates a new Configuration from the passed in parameters
@@ -26,5 +29,14 @@ module JWTKeeper
         ver: JWTKeeper.configuration.version               # Version
       }
     end
+
+    # @!visibility private
+    def cookie_options
+      {
+        domain: JWTKeeper.configuration.cookie_domain,
+        secure: JWTKeeper.configuration.cookie_secure,
+        httponly: true
+      }
+    end
   end
 end

data/lib/jwt_keeper/controller.rb

@@ -1,66 +1,74 @@
 module JWTKeeper
   module Controller
-    def self.included(klass)
-      klass.class_eval do
-        include InstanceMethods
-      end
-    end
+    extend ActiveSupport::Concern
 
-    module InstanceMethods
-      # Available to be used as a before_action by the application's controllers. This is
-      # the main logical section for decoding, and automatically rotating tokens
-      def require_authentication
-        token = authentication_token
-        return not_authenticated if token.nil?
+    # Available to be used as a before_action by the application's controllers. This is
+    # the main logical section for decoding, and automatically rotating tokens
+    # @return [void]
+    def require_authentication
+      token = read_authentication_token
 
-        if token.version_mismatch? || token.pending?
-          new_claims = regenerate_claims(token)
-          token.rotate(new_claims)
-          self.authentication_token = token
-        end
-
-        authenticated(token)
+      if token.nil?
+        clear_authentication_token
+        return not_authenticated
       end
 
-      # Invoked by the require_authentication method as part of the automatic rotation
-      # process. The application should override this method to include the necessary
-      # claims.
-      def regenerate_claims(old_token)
+      if token.version_mismatch? || token.pending?
+        new_claims = regenerate_claims(token)
+        token.rotate(new_claims)
       end
 
-      # Moves the authentication_token from the request to the response
-      def respond_with_authentication
-        response.headers['Authorization'] = request.headers['Authorization']
-      end
+      write_authentication_token(token)
+      authenticated(token)
+    end
 
-      # Decodes and returns the token
-      def authentication_token
-        return nil unless request.headers['Authorization']
-        JWTKeeper::Token.find(request.headers['Authorization'].split.last)
-      end
+    # Decodes and returns the token
+    # @return [Token] the token read from request
+    def read_authentication_token
+      return nil unless request.headers['Authorization']
+      @authentication_token ||=
+        JWTKeeper::Token.find(
+          request.headers['Authorization'].split.last,
+          cookies.signed['jwt_keeper']
+        )
+    end
 
-      # Assigns a token to the request to act as a single source of truth
-      def authentication_token=(token)
-        request.headers['Authorization'] = "Bearer #{token.to_jwt}"
-      end
+    # Encodes and writes the token
+    # @param token [Token] The token to be written
+    # @return [Token] the token written to response
+    def write_authentication_token(token)
+      return clear_authentication_token if token.nil?
+      response.headers['Authorization'] = "Bearer #{token.to_jwt}"
+      cookies.signed['jwt_keeper'] = token.to_cookie
+      @authentication_token = token
+    end
 
-      # Used when a user tries to access a page while logged out, is asked to login,
-      # and we want to return him back to the page he originally wanted.
-      def redirect_back_or_to(url, flash_hash = {})
-        redirect_to(session[:return_to_url] || url, flash: flash_hash)
-        session[:return_to_url] = nil
-      end
+    # delets the authentication token
+    # @return [void]
+    def clear_authentication_token
+      response.headers['Authorization'] = nil
+      cookies.delete('jwt_keeper')
+      @authentication_token = nil
+    end
 
-      # The default action for denying non-authenticated connections.
-      # You can override this method in your controllers
-      def not_authenticated
-        redirect_to root_path
-      end
+    # The default action for denying non-authenticated connections.
+    # You can override this method in your controllers
+    # @return [void]
+    def not_authenticated
+      redirect_to root_path
+    end
 
-      # The default action for accepting authenticated connections.
-      # You can override this method in your controllers
-      def authenticated(token)
-      end
+    # The default action for accepting authenticated connections.
+    # You can override this method in your controllers
+    # @return [void]
+    def authenticated(token)
+    end
+
+    # Invoked by the require_authentication method as part of the automatic rotation
+    # process. The application should override this method to include the necessary
+    # claims.
+    # @return [void]
+    def regenerate_claims(old_token)
     end
   end
 end

data/lib/jwt_keeper/engine.rb

@@ -2,10 +2,9 @@ require 'jwt_keeper'
 require 'rails'
 
 module JWTKeeper
-  # The Sorcery engine takes care of extending ActiveRecord (if used) and ActionController,
-  # With the plugin logic.
+  # Includes JWTKeeper into ActionController
   class Engine < ::Rails::Engine
-    initializer 'extend Controller with keeper' do |_app|
+    initializer 'extend Controller with jwt_keeper' do |_app|
       ActionController::Base.send(:include, JWTKeeper::Controller)
     end
   end

data/lib/jwt_keeper/token.rb

@@ -1,10 +1,15 @@
 module JWTKeeper
+  # This class acts as the main interface to wrap the concerns of JWTs. Handling everything from
+  # encoding to invalidation.
   class Token
-    attr_accessor :claims
+    attr_accessor :claims, :cookie_secret
 
     # Initalizes a new web token
     # @param private_claims [Hash] the custom claims to encode
-    def initialize(private_claims = {})
+    # @param cookie_secret [String] the cookie secret to use during encoding
+    # @return [void]
+    def initialize(private_claims = {}, cookie_secret = nil)
+      @cookie_secret = cookie_secret
       @claims = {
         nbf: DateTime.now.to_i, # not before
         iat: DateTime.now.to_i, # issued at
@@ -12,23 +17,26 @@ module JWTKeeper
       }
       @claims.merge!(JWTKeeper.configuration.base_claims)
       @claims.merge!(private_claims)
+      @claims[:exp] = @claims[:exp].to_i if @claims[:exp].is_a?(Time)
     end
 
     # Creates a new web token
     # @param private_claims [Hash] the custom claims to encode
     # @return [Token] token object
     def self.create(private_claims)
-      new(private_claims)
+      cookie_secret = SecureRandom.hex(16) if JWTKeeper.configuration.cookie_lock
+      new(private_claims, cookie_secret)
     end
 
     # Decodes and validates an existing token
     # @param raw_token [String] the raw token
+    # @param cookie_secret [String] the cookie secret
     # @return [Token] token object
-    def self.find(raw_token)
-      claims = decode(raw_token)
+    def self.find(raw_token, cookie_secret = nil)
+      claims = decode(raw_token, cookie_secret)
       return nil if claims.nil?
 
-      new_token = new(claims)
+      new_token = new(claims, cookie_secret)
       return nil if new_token.revoked?
       new_token
     end
@@ -37,12 +45,14 @@ module JWTKeeper
     # is inherently ignored by the token's exp check and then rewritten with the revokation on
     # rotate.
     # @param token_jti [String] the token unique id
+    # @return [void]
     def self.rotate(token_jti)
       Datastore.rotate(token_jti, JWTKeeper.configuration.expiry.from_now.to_i)
     end
 
     # Revokes a web token
     # @param token_jti [String] the token unique id
+    # @return [void]
     def self.revoke(token_jti)
       Datastore.revoke(token_jti, JWTKeeper.configuration.expiry.from_now.to_i)
     end
@@ -55,17 +65,20 @@ module JWTKeeper
 
     # Revokes and creates a new web token
     # @param new_claims [Hash] Used to override and update claims during rotation
-    # @return [String] new token
+    # @return [Token]
     def rotate(new_claims = nil)
       revoke
 
       new_claims ||= claims.except(:iss, :aud, :exp, :nbf, :iat, :jti)
-      new_token = self.class.new(new_claims)
+      new_token = self.class.create(new_claims)
+
       @claims = new_token.claims
+      @cookie_secret = new_token.cookie_secret
       self
     end
 
     # Revokes a web token
+    # @return [void]
     def revoke
       return if invalid?
       Datastore.revoke(id, claims[:exp] - DateTime.now.to_i)
@@ -98,19 +111,28 @@ module JWTKeeper
     # Checks if the token invalid?
     # @return [Boolean]
     def invalid?
-      self.class.decode(encode).nil? || revoked?
+      self.class.decode(encode, cookie_secret).nil? || revoked?
     end
 
     # Encodes the jwt
-    # @return [String]
+    # @return [String] the encoded jwt
     def to_jwt
       encode
     end
     alias to_s to_jwt
 
+    # Encodes the cookie
+    # @return [Hash] the cookie options
+    def to_cookie
+      {
+        value: cookie_secret,
+        expires: Time.at(claims[:exp])
+      }.merge(JWTKeeper.configuration.cookie_options)
+    end
+
     # @!visibility private
-    def self.decode(raw_token)
-      JWT.decode(raw_token, JWTKeeper.configuration.secret, true,
+    def self.decode(raw_token, cookie_secret)
+      JWT.decode(raw_token, JWTKeeper.configuration.secret.to_s + cookie_secret.to_s, true,
                  algorithm: JWTKeeper.configuration.algorithm,
                  verify_iss: true,
                  verify_aud: true,
@@ -118,7 +140,6 @@ module JWTKeeper
                  verify_sub: false,
                  verify_jti: false,
                  leeway: 0,
-
                  iss: JWTKeeper.configuration.issuer,
                  aud: JWTKeeper.configuration.audience
                 ).first.symbolize_keys
@@ -131,7 +152,10 @@ module JWTKeeper
 
     # @!visibility private
     def encode
-      JWT.encode(claims, JWTKeeper.configuration.secret, JWTKeeper.configuration.algorithm)
+      JWT.encode(claims,
+                 JWTKeeper.configuration.secret.to_s + cookie_secret.to_s,
+                 JWTKeeper.configuration.algorithm
+                )
     end
   end
 end

data/lib/jwt_keeper/version.rb

@@ -1,4 +1,4 @@
 # Gem Version
 module JWTKeeper
-  VERSION = '2.0.0'.freeze
+  VERSION = '3.3.0'.freeze
 end

data/spec/lib/{keeper → jwt_keeper}/controller_spec.rb

@@ -4,10 +4,22 @@ RSpec.describe JWTKeeper do
   describe 'Controller' do
     include_context 'initialize config'
 
-    let(:token) { JWTKeeper::Token.create(claim: "Jet fuel can't melt steel beams") }
+    let(:token) { JWTKeeper::Token.create(claim: "The Earth is Flat") }
     subject(:test_controller) do
+      cookies_klass = Class.new(Hash) do
+        def signed
+          self
+        end
+      end
+
+      message_klass = Class.new(Hash) do
+        def headers
+          self
+        end
+      end
+
       instance = Class.new do
-        attr_accessor :request, :response
+        attr_accessor :request, :response, :cookies
         include RSpec::Mocks::ExampleMethods
         include JWTKeeper::Controller
 
@@ -27,20 +39,21 @@ RSpec.describe JWTKeeper do
         end
       end.new
 
-      instance.request =
-        instance_double('Request', headers: { 'Authorization' => "Bearer #{token}" })
-      instance.response =
-        instance_double('Response', headers: {})
+      instance.request  = message_klass.new
+      instance.response = message_klass.new
+      instance.cookies  = cookies_klass.new
+      instance.request['Authorization'] = "Bearer #{token}"
       instance
     end
 
     describe '#included' do
       it { is_expected.to respond_to(:require_authentication) }
-      it { is_expected.to respond_to(:authentication_token) }
-      it { is_expected.to respond_to(:authentication_token=) }
-      it { is_expected.to respond_to(:redirect_back_or_to) }
+      it { is_expected.to respond_to(:read_authentication_token) }
+      it { is_expected.to respond_to(:write_authentication_token) }
+      it { is_expected.to respond_to(:clear_authentication_token) }
       it { is_expected.to respond_to(:not_authenticated) }
       it { is_expected.to respond_to(:authenticated) }
+      it { is_expected.to respond_to(:regenerate_claims) }
     end
 
     describe '#require_authentication' do
@@ -56,7 +69,7 @@ RSpec.describe JWTKeeper do
 
         it 'does not rotates the token' do
           expect { subject.require_authentication }.to_not change {
-            subject.authentication_token.id
+            subject.read_authentication_token.id
           }
         end
       end
@@ -90,7 +103,7 @@ RSpec.describe JWTKeeper do
 
         it 'rotates the token' do
           expect { subject.require_authentication }.to change {
-            subject.authentication_token.id
+            subject.read_authentication_token.id
           }
         end
       end
@@ -108,7 +121,7 @@ RSpec.describe JWTKeeper do
 
         it 'rotates the token' do
           expect { subject.require_authentication }.to change {
-            subject.authentication_token.id
+            subject.read_authentication_token.id
           }
         end
       end
@@ -125,52 +138,27 @@ RSpec.describe JWTKeeper do
       end
 
       it 'is used to update the token claims on rotation' do
-        expect(subject.authentication_token.claims[:regenerate_claims]).to be nil
-        expect { subject.require_authentication }.to change(subject, :authentication_token)
-        expect(subject.authentication_token.claims[:regenerate_claims]).to be true
+        expect(subject.read_authentication_token.claims[:regenerate_claims]).to be nil
+        subject.require_authentication
+        expect(subject.read_authentication_token.claims[:regenerate_claims]).to be true
       end
     end
 
-    describe '#respond_with_authentication' do
-      before do
-        subject.authentication_token = token
+    describe '#clear_authentication_token' do
+      before :each do
+        subject.write_authentication_token(JWTKeeper::Token.create({}))
       end
 
-      it 'sets the reponses token with the authentication_token' do
-        subject.respond_with_authentication
-        expect(subject.response.headers['Authorization']).to eq "Bearer #{token}"
+      it 'clears the cookie' do
+        expect(subject.cookies.signed['jwt_keeper']).not_to be_nil
+        subject.clear_authentication_token
+        expect(subject.cookies.signed['jwt_keeper']).to be_nil
       end
-    end
 
-    describe '#authentication_token' do
-      context 'valid request in token' do
-        it 'returns the decoded token from the current request' do
-          expect(subject.authentication_token.claims[:claim]).to eq "Jet fuel can't melt steel beams"
-        end
-      end
-      context 'no token in request' do
-        before do
-          token = JWTKeeper::Token.create(exp: 3.hours.ago)
-          subject.request =
-            instance_double('Request', headers: { 'Authorization' => "Bearer #{token}" })
-        end
-
-        it 'returns nil' do
-          expect(subject.authentication_token).to be nil
-        end
-      end
-    end
-
-    describe '#redirect_back_or_to' do
-      let(:path) { 'http://www.example.com' }
-
-      before do
-        allow(test_controller).to receive(:redirect_to)
-      end
-
-      it 'it calls redirect_to' do
-        subject.redirect_back_or_to(path)
-        expect(subject).to have_received(:redirect_to).with(path, anything)
+      it 'clears the header' do
+        expect(subject.response.headers['Authorization']).not_to be_nil
+        subject.clear_authentication_token
+        expect(subject.response.headers['Authorization']).to be_nil
       end
     end
 

data/spec/lib/{keeper → jwt_keeper}/token_spec.rb

@@ -3,14 +3,27 @@ require 'spec_helper'
 module JWTKeeper
   RSpec.describe Token do
     include_context 'initialize config'
-    let(:private_claims) { { claim: "Jet fuel can't melt steel beams" } }
-    let(:raw_token)      { described_class.create(private_claims).to_jwt }
+    let(:private_claims) { { claim: "The Earth is Flat" } }
+    let(:token)          { described_class.create(private_claims) }
+    let(:raw_token)      { token.to_jwt }
 
     describe '.create' do
       subject { described_class.create(private_claims) }
 
       it { is_expected.to be_instance_of described_class }
       it { expect(subject.claims[:claim]).to eql private_claims[:claim] }
+
+      context 'with cookie_lock enabled' do
+        before { JWTKeeper.configure(JWTKeeper::Configuration.new(config.merge(cookie_lock: true))) }
+        it { expect(subject.cookie_secret).not_to be_empty }
+      end
+
+      context 'when overiding default claims' do
+        let(:private_claims) { { exp: 1.minute.from_now.to_i } }
+
+        it { is_expected.to be_instance_of described_class }
+        it { expect(subject.claims[:exp]).to eql private_claims[:exp] }
+      end
     end
 
     describe '.find' do
@@ -21,15 +34,32 @@ module JWTKeeper
 
       context 'with invalid token' do
         let(:private_claims) { { exp: 1.hour.ago } }
-
         it { is_expected.to be nil }
       end
 
       context 'with revoked token' do
         before { described_class.find(raw_token).revoke }
-
         it { is_expected.to be nil }
       end
+
+      context 'describe with cookie locking' do
+        before { JWTKeeper.configure(JWTKeeper::Configuration.new(config.merge(cookie_lock: true))) }
+
+        context 'with no cookie' do
+          subject { described_class.find(raw_token, nil) }
+          it { is_expected.to be nil }
+        end
+
+        context 'with bad cookie' do
+          subject { described_class.find(raw_token, 'BAD_COOKIE') }
+          it { is_expected.to be nil }
+        end
+
+        context 'with valid cookie' do
+          subject { described_class.find(raw_token, token.cookie_secret) }
+          it { is_expected.to be_instance_of described_class }
+        end
+      end
     end
 
     describe '.rotate' do
@@ -142,6 +172,7 @@ module JWTKeeper
     end
 
     describe '#rotate' do
+      before { JWTKeeper.configure(JWTKeeper::Configuration.new(config.merge(cookie_lock: true))) }
       let(:old_token) { described_class.create(private_claims) }
       let(:new_token) { old_token.dup.rotate }
       before { new_token }
@@ -149,13 +180,14 @@ module JWTKeeper
       it { expect(old_token).to be_invalid }
       it { expect(new_token).to be_valid }
       it { expect(old_token.claims[:claim]).to eq new_token.claims[:claim] }
+      it { expect(old_token.cookie_secret).not_to eq new_token.cookie_secret }
     end
 
     describe '#valid?' do
       subject { described_class.create(private_claims) }
 
       context 'when invalid' do
-        before { JWTKeeper.configure(JWTKeeper::Configuration.new(test_config.merge(expiry: -1.hours))) }
+        before { JWTKeeper.configure(JWTKeeper::Configuration.new(config.merge(expiry: -1.hours))) }
         it { is_expected.not_to be_valid }
       end
 
@@ -168,13 +200,26 @@ module JWTKeeper
       subject { described_class.create(private_claims) }
 
       context 'when invalid' do
-        before { JWTKeeper.configure(JWTKeeper::Configuration.new(test_config.merge(expiry: -1.hours))) }
+        before { JWTKeeper.configure(JWTKeeper::Configuration.new(config.merge(expiry: -1.hours))) }
         it { is_expected.to be_invalid }
       end
 
       context 'when valid' do
         it { is_expected.not_to be_invalid }
       end
+
+      context 'with cookie_lock enabled' do
+        before { JWTKeeper.configure(JWTKeeper::Configuration.new(config.merge(cookie_lock: true))) }
+
+        context 'when invalid' do
+          before { JWTKeeper.configure(JWTKeeper::Configuration.new(config.merge(expiry: -1.hours))) }
+          it { is_expected.to be_invalid }
+        end
+
+        context 'when valid' do
+          it { is_expected.not_to be_invalid }
+        end
+      end
     end
   end
 end

data/spec/lib/jwt_keeper_spec.rb

@@ -0,0 +1,29 @@
+require 'spec_helper'
+
+RSpec.describe JWTKeeper do
+  describe '#configure' do
+    let(:new_config) { { secret: '#configure-secret' } }
+
+    context 'without block' do
+      before do
+        described_class.configure(JWTKeeper::Configuration.new(new_config))
+      end
+
+      it 'sets the configuration based on param' do
+        expect(described_class.configuration.secret).to eql new_config[:secret]
+      end
+    end
+
+    context 'with block' do
+      before do
+        described_class.configure do |config|
+          config.secret = new_config[:secret]
+        end
+      end
+
+      it 'sets configuration based on the block' do
+        expect(described_class.configuration.secret).to eql new_config[:secret]
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -1,15 +1,13 @@
+require 'pry'
 require 'dotenv'
 Dotenv.load
 
 require 'simplecov'
-require 'codeclimate-test-reporter'
 
-SimpleCov.formatter =
-  SimpleCov::Formatter::MultiFormatter.new([
-                                             SimpleCov::Formatter::HTMLFormatter,
-                                             CodeClimate::TestReporter::Formatter
-                                           ])
-SimpleCov.start
+SimpleCov.formatter = SimpleCov::Formatter::HTMLFormatter
+SimpleCov.start do
+  add_filter '/spec/'
+end
 
 require 'rails'
 require 'jwt_keeper'
@@ -41,18 +39,20 @@ RSpec.configure do |config|
 end
 
 RSpec.shared_context 'initialize config' do
-  let(:test_config) do
+  let(:config) do
     {
       algorithm:        'HS256',
       secret:           'secret',
       expiry:           24.hours,
       issuer:           'api.example.com',
       audience:         'example.com',
-      redis_connection: Redis.new(url: ENV['REDIS_URL'])
+      redis_connection: Redis.new(url: ENV['REDIS_URL']),
+      version:          nil,
+      cookie_lock:      false
     }
   end
 
   before(:each) do
-    JWTKeeper.configure(JWTKeeper::Configuration.new(test_config))
+    JWTKeeper.configure(JWTKeeper::Configuration.new(config))
   end
 end

metadata

@@ -1,15 +1,15 @@
 --- !ruby/object:Gem::Specification
 name: jwt_keeper
 version: !ruby/object:Gem::Version
-  version: 2.0.0
+  version: 3.3.0
 platform: ruby
 authors:
 - David Rivera
 - Zane Wolfgang Pickett
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-04-21 00:00:00.000000000 Z
+date: 2020-12-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -82,35 +82,35 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rspec
+  name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.4'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.4'
+        version: '0'
 - !ruby/object:Gem::Dependency
-  name: fuubar
+  name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.8'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '3.8'
 - !ruby/object:Gem::Dependency
-  name: simplecov
+  name: fuubar
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -124,7 +124,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: codeclimate-test-reporter
+  name: simplecov
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -141,59 +141,60 @@ dependencies:
   name: redis
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.3'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '3.3'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '4.2'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '4.2'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: activesupport
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '4.2'
+        version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '4.2'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.5'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.5'
-description: It is a keeper
+description: A managing interface layer for handling the creation and validation of
+  JWTs
 email:
 - david.r.rivera193@gmail.com
 - sirwolfgang@users.noreply.github.com
@@ -213,7 +214,7 @@ files:
 - docker-compose.yml
 - example.env
 - jwt_keeper.gemspec
-- lib/generators/keeper/install/install_generator.rb
+- lib/generators/jwt_keeper/install/install_generator.rb
 - lib/generators/templates/jwt_keeper.rb
 - lib/jwt_keeper.rb
 - lib/jwt_keeper/configuration.rb
@@ -223,17 +224,17 @@ files:
 - lib/jwt_keeper/exceptions.rb
 - lib/jwt_keeper/token.rb
 - lib/jwt_keeper/version.rb
-- spec/lib/keeper/configuration_spec.rb
-- spec/lib/keeper/controller_spec.rb
-- spec/lib/keeper/datastore_spec.rb
-- spec/lib/keeper/token_spec.rb
-- spec/lib/keeper_spec.rb
+- spec/lib/jwt_keeper/configuration_spec.rb
+- spec/lib/jwt_keeper/controller_spec.rb
+- spec/lib/jwt_keeper/datastore_spec.rb
+- spec/lib/jwt_keeper/token_spec.rb
+- spec/lib/jwt_keeper_spec.rb
 - spec/spec_helper.rb
 homepage: https://github.com/sirwolfgang/jwt_keeper
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -248,16 +249,14 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.1
-signing_key: 
+rubygems_version: 3.1.4
+signing_key:
 specification_version: 4
 summary: JWT for Rails made easy
 test_files:
-- spec/lib/keeper/configuration_spec.rb
-- spec/lib/keeper/controller_spec.rb
-- spec/lib/keeper/datastore_spec.rb
-- spec/lib/keeper/token_spec.rb
-- spec/lib/keeper_spec.rb
+- spec/lib/jwt_keeper/configuration_spec.rb
+- spec/lib/jwt_keeper/controller_spec.rb
+- spec/lib/jwt_keeper/datastore_spec.rb
+- spec/lib/jwt_keeper/token_spec.rb
+- spec/lib/jwt_keeper_spec.rb
 - spec/spec_helper.rb
-has_rdoc: 

data/spec/lib/keeper_spec.rb

@@ -1,38 +0,0 @@
-require 'spec_helper'
-
-RSpec.describe JWTKeeper do
-  describe '#configure' do
-    let(:test_config) do
-      {
-        algorithm:        'HS256',
-        secret:           'secret',
-        expiry:           24.hours,
-        issuer:           'api.example.com',
-        audience:         'example.com',
-        redis_connection: Redis.new(url: ENV['REDIS_URL'])
-      }
-    end
-
-    context 'without block' do
-      before do
-        described_class.configure(JWTKeeper::Configuration.new(test_config))
-      end
-
-      it 'sets the configuration based on param' do
-        expect(described_class.configuration.secret).to eql test_config[:secret]
-      end
-    end
-
-    context 'with block' do
-      before do
-        described_class.configure do |config|
-          config.secret = test_config[:secret]
-        end
-      end
-
-      it 'sets configuration based on the block' do
-        expect(described_class.configuration.secret).to eql test_config[:secret]
-      end
-    end
-  end
-end