jwt_keeper 2.0.0 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bd966e0e79df17e42e2f825289387dcb9f386bde
-  data.tar.gz: 32aaa2f138fd3102ea431b3b244fc77e6736bf3a
+  metadata.gz: 82b55239d3d3c73d4308ffe4deae76f9946c5f69
+  data.tar.gz: 524f61adf98731f7c9b8a23d54188c86d433b70e
 SHA512:
-  metadata.gz: 842033c9c72f8c350a22c84075d78a8609beb43109bbfa10cb52eaea72034baa99609c862f2a6dc4d6866203c9ef15bfcabd091ef809d4b748fa5ee3519ee6b9
-  data.tar.gz: fca8a945722eace48870831e435e6628bd48a666dd7ced51d5066d0bee138b1837b9b838aded1b947464db5d4c73ddd9fa4211b7f39f97f022ae199551d3cde6
+  metadata.gz: be39c5cf7875634fb3140d6b76e78bbc46b9c3978799e3e9cf2bc394de49c7f814052e7bdfddad25c5fa1497a84b9de6db89b41ba098207b76f374038b0fa65e
+  data.tar.gz: f8903ede2c42bee6eb3135d14d3b98ee22cf4e1dd8a1e818bd4c6d3be5ad470e5304e50515c59287af1e5194e05718b29a4d7899cceb675c72b9f66e32fad42a

data/.rubocop.yml

@@ -1,8 +1,8 @@
 # inherit_from: .rubocop_todo.yml
 AllCops:
   Include:
-    - 'Gemfile'
-    - 'Rakefile'
+    - '**/Gemfile'
+    - '**/Rakefile'
     - '**/*.rake'
 Documentation:
   Enabled: false

data/.travis.yml

@@ -1,8 +1,9 @@
 language: ruby
+cache: bundler
 rvm:
-  - 2.0.0
-  - 2.1.8
-  - 2.2.4
+  - 2.0
+  - 2.1
+  - 2.2
   - 2.3.0
   - ruby-head
 matrix:

data/README.md

@@ -8,9 +8,9 @@
 An managing interface layer for handling the creation and validation of JWTs.
 
 ## Setup
- - Add `gem 'jwt_keeper', '~> 2.0'` to Gemfile
+ - Add `gem 'jwt_keeper', '~> 3.0'` to Gemfile
  - Run `rails generate keeper:install`
- - Configure `config/initializers/keeper.rb`
+ - Configure `config/initializers/jwt_keeper.rb`
  - Done
 
 ## Basic Usage
@@ -29,8 +29,7 @@ raw_token_string = token.to_jwt
 
 ## Rails Usage
 The designed rails token flow is to receive and respond to requests with the token being present in the `Authorization` part of the header. This is to allow us to seamlessly rotate the tokens on the fly without having to rebuff the request as part of the user flow. Automatic rotation happens as part of the `require_authentication` action, meaning that you will always get the latest token data as
-created by `generate_claims` in your controllers. This new token is added to the response with
-the `respond_with_authentication` action.
+created by `generate_claims` in your controllers. This new token is added to the response with the `respond_with_authentication` action.
 
 ```ruby
 class ApplicationController < ActionController::Base
@@ -81,3 +80,6 @@ Hard Invalidation is a permanent revocation of the token. The primary cases of t
 
 ### Soft Invalidation
 Soft Invalidation is the process of triggering a rotation upon the next time a token is seen in a request. On the global scale this is done when there is a version mismatch in the config. Utilizing the rails controller flow, this method works even if you have two different versions of your app deployed and requests bounce back and forth; Making rolling deployments and rollbacks completely seamless. To rotate a single token, like in the case of a change of user permissions, simply use the class(`Token.rotate`) method to flag the token for regeneration.
+
+## Cookie Locking
+Cookie locking is the practice of securing the JWT by pairing it with a secure/httponly cookie. When a JWT is created, part of the secret used to sign it is a one time generated key that is stored in a matching cookie. The cookie and JWT thus must be sent together to be considered valid. The effective result makes it extremely hard to hijack a session by stealing the JWT. This reduces the surface area of XSS considerably.

data/Rakefile

@@ -1,7 +1,9 @@
 require 'bundler/gem_tasks'
 require 'rspec/core/rake_task'
 
-RSpec::Core::RakeTask.new
+RSpec::Core::RakeTask.new(:spec) do |t|
+  t.rspec_opts = '--format documentation'
+end
 
 task default: :spec
 task test: :spec

data/example/.gitignore

@@ -0,0 +1,15 @@
+# See https://help.github.com/articles/ignoring-files for more about ignoring files.
+#
+# If you find yourself ignoring temporary files generated by your text editor
+# or operating system, you probably want to add a global ignore instead:
+#   git config --global core.excludesfile '~/.gitignore_global'
+
+# Ignore bundler config.
+/.bundle
+
+# Ignore all logfiles and tempfiles.
+/log/*
+!/log/.keep
+/tmp
+
+.env

data/example/Gemfile

@@ -0,0 +1,15 @@
+source 'https://rubygems.org'
+
+gem 'rails', '4.2.6'
+gem 'puma'
+
+gem 'jwt_keeper', path: '..'
+
+group :development, :test do
+  gem 'dotenv-rails'
+
+  gem 'pry'
+  gem 'pry-stack_explorer'
+  gem 'pry-rescue'
+  gem 'pry-byebug'
+end

data/example/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Rails.application.load_tasks

data/example/app/controllers/application_controller.rb

@@ -0,0 +1,27 @@
+class ApplicationController < ActionController::Base
+  protect_from_forgery with: :exception
+  skip_before_action :verify_authenticity_token
+
+  before_action :default_format_json
+  before_action :require_authentication
+
+  private
+
+  def default_format_json
+    request.format ||= 'json'
+  end
+
+  def not_authenticated
+    respond_to do |format|
+      format.json { head :unauthorized }
+    end
+  end
+
+  def authenticated(decoded_token)
+    @current_user_id = decoded_token.claims[:uid] # Hold off on database calls until necessary
+  end
+
+  def current_user
+    @current_user ||= { id: @current_user_id }
+  end
+end

data/example/app/controllers/sessions_controller.rb

@@ -0,0 +1,52 @@
+class SessionsController < ApplicationController
+  skip_before_action :require_authentication, only: :create
+
+  # GET /session
+  def show
+    token = read_authentication_token
+
+    respond_to do |format|
+      format.json { render json: token }
+    end
+  end
+
+  # POST /session
+  def create
+    @user = { id: 1 }
+
+    respond_to do |format|
+      if @user
+        write_authentication_token(JWTKeeper::Token.create(uid: @user[:id]))
+        format.json { head :created }
+      else
+        clear_authentication_token
+        format.json { head :unauthorized }
+      end
+    end
+  end
+
+  # PATCH/PUT /session
+  def update
+    token = read_authentication_token
+
+    respond_to do |format|
+      if token.rotate
+        write_authentication_token(token)
+        format.json { head :created }
+      else
+        clear_authentication_token
+        format.json { head :unauthorized }
+      end
+    end
+  end
+
+  # DELETE /session
+  def destroy
+    read_authentication_token.revoke
+
+    respond_to do |format|
+      clear_authentication_token
+      format.json { head :no_content }
+    end
+  end
+end

data/example/bin/bundle

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+load Gem.bin_path('bundler', 'bundle')

data/example/bin/rails

@@ -0,0 +1,9 @@
+#!/usr/bin/env ruby
+begin
+  load File.expand_path('../spring', __FILE__)
+rescue LoadError => e
+  raise unless e.message.include?('spring')
+end
+APP_PATH = File.expand_path('../../config/application', __FILE__)
+require_relative '../config/boot'
+require 'rails/commands'

data/example/bin/rake

@@ -0,0 +1,9 @@
+#!/usr/bin/env ruby
+begin
+  load File.expand_path('../spring', __FILE__)
+rescue LoadError => e
+  raise unless e.message.include?('spring')
+end
+require_relative '../config/boot'
+require 'rake'
+Rake.application.run

data/example/bin/setup

@@ -0,0 +1,29 @@
+#!/usr/bin/env ruby
+require 'pathname'
+
+# path to your application root.
+APP_ROOT = Pathname.new File.expand_path('../../', __FILE__)
+
+Dir.chdir APP_ROOT do
+  # This script is a starting point to setup your application.
+  # Add necessary setup steps to this file:
+
+  puts '== Installing dependencies =='
+  system 'gem install bundler --conservative'
+  system 'bundle check || bundle install'
+
+  # puts "\n== Copying sample files =="
+  # unless File.exist?("config/database.yml")
+  #   system "cp config/database.yml.sample config/database.yml"
+  # end
+
+  puts "\n== Preparing database =="
+  system 'bin/rake db:setup'
+
+  puts "\n== Removing old logs and tempfiles =="
+  system 'rm -f log/*'
+  system 'rm -rf tmp/cache'
+
+  puts "\n== Restarting application server =="
+  system 'touch tmp/restart.txt'
+end

data/example/bin/spring

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+
+# This file loads spring without using Bundler, in order to be fast.
+# It gets overwritten when you run the `spring binstub` command.
+
+unless defined?(Spring)
+  require 'rubygems'
+  require 'bundler'
+
+  if (match = Bundler.default_lockfile.read.match(/^GEM$.*?^    (?:  )*spring \((.*?)\)$.*?^$/m))
+    Gem.paths = { 'GEM_PATH' => [Bundler.bundle_path.to_s, *Gem.path].uniq.join(Gem.path_separator) }
+    gem 'spring', match[1]
+    require 'spring/binstub'
+  end
+end

data/example/config/application.rb

@@ -0,0 +1,32 @@
+require File.expand_path('../boot', __FILE__)
+
+require 'rails'
+# Pick the frameworks you want:
+# require "active_model/railtie"
+# require "active_job/railtie"
+# require "active_record/railtie"
+require 'action_controller/railtie'
+# require "action_mailer/railtie"
+require 'action_view/railtie'
+# require "sprockets/railtie"
+# require "rails/test_unit/railtie"
+
+# Require the gems listed in Gemfile, including any gems
+# you've limited to :test, :development, or :production.
+Bundler.require(*Rails.groups)
+
+module Example
+  class Application < Rails::Application
+    # Settings in config/environments/* take precedence over those specified here.
+    # Application configuration should go into files in config/initializers
+    # -- all .rb files in that directory are automatically loaded.
+
+    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # config.time_zone = 'Central Time (US & Canada)'
+
+    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
+    # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
+    # config.i18n.default_locale = :de
+  end
+end

data/example/config/boot.rb

@@ -0,0 +1,3 @@
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+
+require 'bundler/setup' # Set up gems listed in the Gemfile.

data/example/config/environment.rb

@@ -0,0 +1,5 @@
+# Load the Rails application.
+require File.expand_path('../application', __FILE__)
+
+# Initialize the Rails application.
+Rails.application.initialize!

data/example/config/environments/development.rb

@@ -0,0 +1,24 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # In the development environment your application's code is reloaded on
+  # every request. This slows down response time but is perfect for development
+  # since you don't have to restart the web server when you make code changes.
+  config.cache_classes = false
+
+  # Do not eager load code on boot.
+  config.eager_load = false
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Don't care if the mailer can't send.
+  # config.action_mailer.raise_delivery_errors = false
+
+  # Print deprecation notices to the Rails logger.
+  config.active_support.deprecation = :log
+
+  # Raises error for missing translations
+  # config.action_view.raise_on_missing_translations = true
+end

data/example/config/environments/production.rb

@@ -0,0 +1,63 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # Code is not reloaded between requests.
+  config.cache_classes = true
+
+  # Eager load code on boot. This eager loads most of Rails and
+  # your application in memory, allowing both threaded web servers
+  # and those relying on copy on write to perform better.
+  # Rake tasks automatically ignore this option for performance.
+  config.eager_load = true
+
+  # Full error reports are disabled and caching is turned on.
+  config.consider_all_requests_local       = false
+  config.action_controller.perform_caching = true
+
+  # Enable Rack::Cache to put a simple HTTP cache in front of your application
+  # Add `rack-cache` to your Gemfile before enabling this.
+  # For large-scale production use, consider using a caching reverse proxy like
+  # NGINX, varnish or squid.
+  # config.action_dispatch.rack_cache = true
+
+  # Disable serving static files from the `/public` folder by default since
+  # Apache or NGINX already handles this.
+  config.serve_static_files = ENV['RAILS_SERVE_STATIC_FILES'].present?
+
+  # Specifies the header that your server uses for sending files.
+  # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
+  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
+
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  # config.force_ssl = true
+
+  # Use the lowest log level to ensure availability of diagnostic information
+  # when problems arise.
+  config.log_level = :debug
+
+  # Prepend all log lines with the following tags.
+  # config.log_tags = [ :subdomain, :uuid ]
+
+  # Use a different logger for distributed setups.
+  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
+
+  # Use a different cache store in production.
+  # config.cache_store = :mem_cache_store
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
+  # config.action_controller.asset_host = 'http://assets.example.com'
+
+  # Ignore bad email addresses and do not raise email delivery errors.
+  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
+  # config.action_mailer.raise_delivery_errors = false
+
+  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
+  # the I18n.default_locale when a translation cannot be found).
+  config.i18n.fallbacks = true
+
+  # Send deprecation notices to registered listeners.
+  config.active_support.deprecation = :notify
+
+  # Use default logging formatter so that PID and timestamp are not suppressed.
+  config.log_formatter = ::Logger::Formatter.new
+end

data/example/config/environments/test.rb

@@ -0,0 +1,42 @@
+Rails.application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # The test environment is used exclusively to run your application's
+  # test suite. You never need to work with it otherwise. Remember that
+  # your test database is "scratch space" for the test suite and is wiped
+  # and recreated between test runs. Don't rely on the data there!
+  config.cache_classes = true
+
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = false
+
+  # Configure static file server for tests with Cache-Control for performance.
+  config.serve_static_files   = true
+  config.static_cache_control = 'public, max-age=3600'
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Raise exceptions instead of rendering exception templates.
+  config.action_dispatch.show_exceptions = false
+
+  # Disable request forgery protection in test environment.
+  config.action_controller.allow_forgery_protection = false
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  # config.action_mailer.delivery_method = :test
+
+  # Randomize the order test cases are executed.
+  config.active_support.test_order = :random
+
+  # Print deprecation notices to the stderr.
+  config.active_support.deprecation = :stderr
+
+  # Raises error for missing translations
+  # config.action_view.raise_on_missing_translations = true
+end

data/example/config/initializers/backtrace_silencer.rb

@@ -0,0 +1 @@
+Rails.backtrace_cleaner.remove_silencers!

data/example/config/initializers/cookies_serializer.rb

@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.action_dispatch.cookies_serializer = :json

data/example/config/initializers/filter_parameter_logging.rb

@@ -0,0 +1,4 @@
+# Be sure to restart your server when you modify this file.
+
+# Configure sensitive parameters which will be filtered from the log file.
+Rails.application.config.filter_parameters += [:password]

data/example/config/initializers/jwt_keeper.rb

@@ -0,0 +1,11 @@
+JWTKeeper.configure do |config|
+  config.expiry           = 1.hour
+  config.algorithm        = 'HS512'
+  config.secret           = 'secret'
+  config.issuer           = '.localhost'
+  config.audience         = 'localhost'
+  config.redis_connection = Redis.new(url: ENV['REDIS_URL'])
+  config.version          = 1
+  config.cookie_lock      = true
+  config.cookie_secure    = !(Rails.env.test? || Rails.env.development?)
+end

data/example/config/initializers/session_store.rb

@@ -0,0 +1,3 @@
+# Be sure to restart your server when you modify this file.
+
+Rails.application.config.session_store :cookie_store, key: '_example_session'

data/example/config/initializers/wrap_parameters.rb

@@ -0,0 +1,9 @@
+# Be sure to restart your server when you modify this file.
+
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+  wrap_parameters format: [:json] if respond_to?(:wrap_parameters)
+end

data/example/config/locales/en.yml

@@ -0,0 +1,23 @@
+# Files in the config/locales directory are used for internationalization
+# and are automatically loaded by Rails. If you want to use locales other
+# than English, add the necessary files in this directory.
+#
+# To use the locales, use `I18n.t`:
+#
+#     I18n.t 'hello'
+#
+# In views, this is aliased to just `t`:
+#
+#     <%= t('hello') %>
+#
+# To use a different locale, set it with `I18n.locale`:
+#
+#     I18n.locale = :es
+#
+# This would use the information in config/locales/es.yml.
+#
+# To learn more, please read the Rails Internationalization guide
+# available at http://guides.rubyonrails.org/i18n.html.
+
+en:
+  hello: "Hello world"

data/example/config/routes.rb

@@ -0,0 +1,3 @@
+Rails.application.routes.draw do
+  resource :session, only: [:show, :create, :update, :destroy]
+end

data/example/config/secrets.yml

@@ -0,0 +1,22 @@
+# Be sure to restart your server when you modify this file.
+
+# Your secret key is used for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+# You can use `rake secret` to generate a secure secret key.
+
+# Make sure the secrets in this file are kept private
+# if you're sharing your code publicly.
+
+development:
+  secret_key_base: 82e9f5f97a6b624896c35b930acb75d5d5d9df9aa363a21b4173e8a370480ffd7f329a280223a22f03fc07afd2d28c15fae09087eef781506ffea4954e16e12f
+
+test:
+  secret_key_base: 516e709c30b7198b27d1b2c724e6eaffb13ac2ef0b7d22da67771afdf36f0c6d995e788d12e1da042e739be29d4b2c29ced96d6153f0ad296749570689d9bb4e
+
+# Do not keep production secrets in the repository,
+# instead read values from the environment.
+production:
+  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

data/example/config.ru

@@ -0,0 +1,4 @@
+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment', __FILE__)
+run Rails.application

data/example/example.env

@@ -0,0 +1 @@
+REDIS_URL=redis://:password@localhost:port

data/lib/generators/{keeper → jwt_keeper}/install/install_generator.rb

@@ -9,7 +9,7 @@ module JWTKeeper
     # @example Install
     #   rails generate keeper:install
     def copy_files
-      copy_file 'jwt_keeper.rb', 'config/initializers/keeper.rb'
+      copy_file 'jwt_keeper.rb', 'config/initializers/jwt_keeper.rb'
     end
   end
 end

data/lib/generators/templates/jwt_keeper.rb

@@ -1,6 +1,6 @@
 JWTKeeper.configure do |config|
   # The time to expire for the tokens
-  # config.expiry           = 24.hours
+  # config.expiry           = 1.hour
 
   # The hashing method to for the tokens
   # Options:
@@ -28,5 +28,16 @@ JWTKeeper.configure do |config|
   # config.redis_connection = Redis.new(connection_options)
 
   # A unique idenfitier for the token version.
-  # config.version = 1
+  # config.version          = 1
+
+  # Use a httponly/secure cookie secret to prevent session hijacking
+  # config.cookie_lock      = true
+
+  # Used to turn off TLS only mode on the cookie, for development mode. Defaults to true
+  # config.cookie_secure    = !(Rails.env.test? || Rails.env.development?)
+
+  # Used to limit or lock down the allowed domains for the jwt/cookie
+  # http://api.rubyonrails.org/classes/ActionDispatch/Cookies.html
+  # Defaults the value of :all
+  # config.cookie_domain    = :all
 end

data/lib/jwt_keeper/configuration.rb

@@ -7,7 +7,10 @@ module JWTKeeper
       issuer:           'api.example.com',
       audience:         'example.com',
       redis_connection: nil,
-      version:          nil
+      version:          nil,
+      cookie_lock:      false,
+      cookie_secure:    true,
+      cookie_domain:    :all
     }.freeze
 
     # Creates a new Configuration from the passed in parameters
@@ -26,5 +29,14 @@ module JWTKeeper
         ver: JWTKeeper.configuration.version               # Version
       }
     end
+
+    # @!visibility private
+    def cookie_options
+      {
+        domain: JWTKeeper.configuration.cookie_domain,
+        secure: JWTKeeper.configuration.cookie_secure,
+        httponly: true
+      }
+    end
   end
 end