jwt_keeper 2.0.0

data/spec/lib/keeper/controller_spec.rb

@@ -0,0 +1,188 @@
+require 'spec_helper'
+
+RSpec.describe JWTKeeper do
+  describe 'Controller' do
+    include_context 'initialize config'
+
+    let(:token) { JWTKeeper::Token.create(claim: "Jet fuel can't melt steel beams") }
+    subject(:test_controller) do
+      instance = Class.new do
+        attr_accessor :request, :response
+        include RSpec::Mocks::ExampleMethods
+        include JWTKeeper::Controller
+
+        def session
+          { return_to_url: 'http://www.example.com' }
+        end
+
+        def root_path
+          '/'
+        end
+
+        def regenerate_claims(_old_token)
+          { regenerate_claims: true }
+        end
+
+        def redirect_to(path, message = nil)
+        end
+      end.new
+
+      instance.request =
+        instance_double('Request', headers: { 'Authorization' => "Bearer #{token}" })
+      instance.response =
+        instance_double('Response', headers: {})
+      instance
+    end
+
+    describe '#included' do
+      it { is_expected.to respond_to(:require_authentication) }
+      it { is_expected.to respond_to(:authentication_token) }
+      it { is_expected.to respond_to(:authentication_token=) }
+      it { is_expected.to respond_to(:redirect_back_or_to) }
+      it { is_expected.to respond_to(:not_authenticated) }
+      it { is_expected.to respond_to(:authenticated) }
+    end
+
+    describe '#require_authentication' do
+      context 'with valid token' do
+        before do
+          allow(test_controller).to receive(:authenticated)
+        end
+
+        it 'calls authenticated' do
+          subject.require_authentication
+          expect(subject).to have_received(:authenticated).once
+        end
+
+        it 'does not rotates the token' do
+          expect { subject.require_authentication }.to_not change {
+            subject.authentication_token.id
+          }
+        end
+      end
+
+      context 'with expired token' do
+        let(:token) { JWTKeeper::Token.create(exp: 3.hours.ago) }
+        before do
+          allow(test_controller).to receive(:not_authenticated)
+        end
+
+        it 'calls not_authenticated' do
+          subject.require_authentication
+          expect(subject).to have_received(:not_authenticated).once
+        end
+      end
+
+      context 'with pending token' do
+        let(:token) do
+          token = JWTKeeper::Token.create({})
+          JWTKeeper::Token.rotate(token.id)
+          token
+        end
+        before(:each) do
+          allow(test_controller).to receive(:authenticated)
+        end
+
+        it 'calls authenticated' do
+          subject.require_authentication
+          expect(subject).to have_received(:authenticated).once
+        end
+
+        it 'rotates the token' do
+          expect { subject.require_authentication }.to change {
+            subject.authentication_token.id
+          }
+        end
+      end
+
+      context 'with version_mismatch token' do
+        let(:token) { JWTKeeper::Token.create(ver: 'mismatch') }
+        before(:each) do
+          allow(test_controller).to receive(:authenticated)
+        end
+
+        it 'calls authenticated' do
+          subject.require_authentication
+          expect(subject).to have_received(:authenticated).once
+        end
+
+        it 'rotates the token' do
+          expect { subject.require_authentication }.to change {
+            subject.authentication_token.id
+          }
+        end
+      end
+    end
+
+    describe '#regenerate_claims' do
+      let(:token) do
+        token = JWTKeeper::Token.create({})
+        JWTKeeper::Token.rotate(token.id)
+        token
+      end
+      before(:each) do
+        allow(test_controller).to receive(:authenticated)
+      end
+
+      it 'is used to update the token claims on rotation' do
+        expect(subject.authentication_token.claims[:regenerate_claims]).to be nil
+        expect { subject.require_authentication }.to change(subject, :authentication_token)
+        expect(subject.authentication_token.claims[:regenerate_claims]).to be true
+      end
+    end
+
+    describe '#respond_with_authentication' do
+      before do
+        subject.authentication_token = token
+      end
+
+      it 'sets the reponses token with the authentication_token' do
+        subject.respond_with_authentication
+        expect(subject.response.headers['Authorization']).to eq "Bearer #{token}"
+      end
+    end
+
+    describe '#authentication_token' do
+      context 'valid request in token' do
+        it 'returns the decoded token from the current request' do
+          expect(subject.authentication_token.claims[:claim]).to eq "Jet fuel can't melt steel beams"
+        end
+      end
+      context 'no token in request' do
+        before do
+          token = JWTKeeper::Token.create(exp: 3.hours.ago)
+          subject.request =
+            instance_double('Request', headers: { 'Authorization' => "Bearer #{token}" })
+        end
+
+        it 'returns nil' do
+          expect(subject.authentication_token).to be nil
+        end
+      end
+    end
+
+    describe '#redirect_back_or_to' do
+      let(:path) { 'http://www.example.com' }
+
+      before do
+        allow(test_controller).to receive(:redirect_to)
+      end
+
+      it 'it calls redirect_to' do
+        subject.redirect_back_or_to(path)
+        expect(subject).to have_received(:redirect_to).with(path, anything)
+      end
+    end
+
+    describe '#not_authenticated' do
+      before do
+        allow(test_controller).to receive(:redirect_to)
+      end
+
+      it 'it calls redirect_to' do
+        subject.not_authenticated
+        expect(subject).to have_received(:redirect_to).with('/')
+      end
+    end
+  end
+end

data/spec/lib/keeper/datastore_spec.rb

@@ -0,0 +1,70 @@
+RSpec.describe JWTKeeper::Datastore do
+  include_context 'initialize config'
+  let(:jti) { SecureRandom.uuid }
+
+  describe '.rotate' do
+    before { described_class.rotate(jti, 30) }
+
+    it 'stores a token_id with a soft expiry' do
+      expect(described_class.send(:get, jti)).to eq 'soft'
+    end
+  end
+
+  describe '.pending?' do
+    context 'with a missing token' do
+      it 'returns false' do
+        expect(described_class.pending?(jti)).to be false
+      end
+    end
+
+    context 'with a revoked token' do
+      before { described_class.revoke(jti, 30) }
+
+      it 'returns false' do
+        expect(described_class.pending?(jti)).to be false
+      end
+    end
+
+    context 'with a pending token' do
+      before { described_class.rotate(jti, 30) }
+
+      it 'returns true' do
+        expect(described_class.pending?(jti)).to be true
+      end
+    end
+  end
+
+  describe '.revoke' do
+    before do
+      described_class.revoke(jti, 30)
+    end
+
+    it 'stores a token_id with a hard expiry' do
+      expect(described_class.send(:get, jti)).to eq 'hard'
+    end
+  end
+
+  describe '.revoked?' do
+    context 'with a missing token' do
+      it 'returns false' do
+        expect(described_class.revoked?(jti)).to be false
+      end
+    end
+
+    context 'with a revoked token' do
+      before { described_class.revoke(jti, 30) }
+
+      it 'returns true' do
+        expect(described_class.revoked?(jti)).to be true
+      end
+    end
+
+    context 'with a pending token' do
+      before { described_class.rotate(jti, 30) }
+
+      it 'returns false' do
+        expect(described_class.revoked?(jti)).to be false
+      end
+    end
+  end
+end

data/spec/lib/keeper/token_spec.rb

@@ -0,0 +1,180 @@
+require 'spec_helper'
+
+module JWTKeeper
+  RSpec.describe Token do
+    include_context 'initialize config'
+    let(:private_claims) { { claim: "Jet fuel can't melt steel beams" } }
+    let(:raw_token)      { described_class.create(private_claims).to_jwt }
+
+    describe '.create' do
+      subject { described_class.create(private_claims) }
+
+      it { is_expected.to be_instance_of described_class }
+      it { expect(subject.claims[:claim]).to eql private_claims[:claim] }
+    end
+
+    describe '.find' do
+      subject { described_class.find(raw_token) }
+
+      it { is_expected.to be_instance_of described_class }
+      it { expect(subject.claims[:claim]).to eql private_claims[:claim] }
+
+      context 'with invalid token' do
+        let(:private_claims) { { exp: 1.hour.ago } }
+
+        it { is_expected.to be nil }
+      end
+
+      context 'with revoked token' do
+        before { described_class.find(raw_token).revoke }
+
+        it { is_expected.to be nil }
+      end
+    end
+
+    describe '.rotate' do
+      subject(:token) { described_class.create(private_claims) }
+      before(:each) { described_class.rotate(token.id) }
+
+      it 'marks the token for rotation' do
+        expect(token.pending?).to eq true
+      end
+    end
+
+    describe '.revoke' do
+      subject(:token) { described_class.create(private_claims) }
+
+      it 'invalidates the token' do
+        expect(token.valid?).to eq true
+        expect(token.revoked?).to eq false
+
+        expect(described_class.revoke(token.claims[:jti]))
+
+        expect(token.valid?).to eq false
+        expect(token.revoked?).to eq true
+      end
+    end
+
+    describe '#revoke' do
+      subject(:token) { described_class.create(private_claims) }
+
+      it 'invalidates the token' do
+        expect(token.valid?).to eq true
+        expect(token.revoked?).to eq false
+
+        expect(token.revoke)
+
+        expect(token.valid?).to eq false
+        expect(token.revoked?).to eq true
+      end
+    end
+
+    describe '#revoked?' do
+      subject(:token) { described_class.create(private_claims) }
+
+      context 'with a revoked token' do
+        before { token.revoke }
+
+        it { is_expected.to be_revoked }
+      end
+
+      context 'with a pending token' do
+        before { described_class.rotate(token.id) }
+
+        it { is_expected.not_to be_revoked }
+      end
+
+      context 'with a valid token' do
+        it { is_expected.not_to be_revoked }
+      end
+    end
+
+    describe '#pending?' do
+      subject(:token) { described_class.create(private_claims) }
+
+      context 'with a revoked token' do
+        before { token.revoke }
+
+        it { is_expected.not_to be_pending }
+      end
+
+      context 'with a config pending token' do
+        before { token.claims[:ver] = 'version' }
+
+        it { is_expected.to_not be_pending }
+      end
+
+      context 'with a redis pending token' do
+        before { described_class.rotate(token.id) }
+
+        it { is_expected.to be_pending }
+      end
+
+      context 'with a valid token' do
+        it { is_expected.not_to be_pending }
+      end
+    end
+
+    describe '#version_mismatch?' do
+      subject(:token) { described_class.create(private_claims) }
+
+      context 'with a revoked token' do
+        before { token.revoke }
+
+        it { is_expected.not_to be_version_mismatch }
+      end
+
+      context 'with a config pending token' do
+        before { token.claims[:ver] = 'version' }
+
+        it { is_expected.to be_version_mismatch }
+      end
+
+      context 'with a redis pending token' do
+        before { described_class.rotate(token.id) }
+
+        it { is_expected.to_not be_version_mismatch }
+      end
+
+      context 'with a valid token' do
+        it { is_expected.not_to be_version_mismatch }
+      end
+    end
+
+    describe '#rotate' do
+      let(:old_token) { described_class.create(private_claims) }
+      let(:new_token) { old_token.dup.rotate }
+      before { new_token }
+
+      it { expect(old_token).to be_invalid }
+      it { expect(new_token).to be_valid }
+      it { expect(old_token.claims[:claim]).to eq new_token.claims[:claim] }
+    end
+
+    describe '#valid?' do
+      subject { described_class.create(private_claims) }
+
+      context 'when invalid' do
+        before { JWTKeeper.configure(JWTKeeper::Configuration.new(test_config.merge(expiry: -1.hours))) }
+        it { is_expected.not_to be_valid }
+      end
+
+      context 'when valid' do
+        it { is_expected.to be_valid }
+      end
+    end
+
+    describe '#invalid?' do
+      subject { described_class.create(private_claims) }
+
+      context 'when invalid' do
+        before { JWTKeeper.configure(JWTKeeper::Configuration.new(test_config.merge(expiry: -1.hours))) }
+        it { is_expected.to be_invalid }
+      end
+
+      context 'when valid' do
+        it { is_expected.not_to be_invalid }
+      end
+    end
+  end
+end

data/spec/lib/keeper_spec.rb

@@ -0,0 +1,38 @@
+require 'spec_helper'
+
+RSpec.describe JWTKeeper do
+  describe '#configure' do
+    let(:test_config) do
+      {
+        algorithm:        'HS256',
+        secret:           'secret',
+        expiry:           24.hours,
+        issuer:           'api.example.com',
+        audience:         'example.com',
+        redis_connection: Redis.new(url: ENV['REDIS_URL'])
+      }
+    end
+
+    context 'without block' do
+      before do
+        described_class.configure(JWTKeeper::Configuration.new(test_config))
+      end
+
+      it 'sets the configuration based on param' do
+        expect(described_class.configuration.secret).to eql test_config[:secret]
+      end
+    end
+
+    context 'with block' do
+      before do
+        described_class.configure do |config|
+          config.secret = test_config[:secret]
+        end
+      end
+
+      it 'sets configuration based on the block' do
+        expect(described_class.configuration.secret).to eql test_config[:secret]
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,58 @@
+require 'dotenv'
+Dotenv.load
+
+require 'simplecov'
+require 'codeclimate-test-reporter'
+
+SimpleCov.formatter =
+  SimpleCov::Formatter::MultiFormatter.new([
+                                             SimpleCov::Formatter::HTMLFormatter,
+                                             CodeClimate::TestReporter::Formatter
+                                           ])
+SimpleCov.start
+
+require 'rails'
+require 'jwt_keeper'
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |expectations|
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  config.mock_with :rspec do |mocks|
+    mocks.verify_partial_doubles = true
+  end
+
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+  config.example_status_persistence_file_path = 'spec/examples.txt'
+  config.disable_monkey_patching!
+
+  config.default_formatter = 'doc' if config.files_to_run.one?
+
+  # config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+  Kernel.srand config.seed
+end
+
+RSpec.shared_context 'initialize config' do
+  let(:test_config) do
+    {
+      algorithm:        'HS256',
+      secret:           'secret',
+      expiry:           24.hours,
+      issuer:           'api.example.com',
+      audience:         'example.com',
+      redis_connection: Redis.new(url: ENV['REDIS_URL'])
+    }
+  end
+
+  before(:each) do
+    JWTKeeper.configure(JWTKeeper::Configuration.new(test_config))
+  end
+end