RubyGems - jwt_sessions - Versions diffs - 1.0.0 → 1.0.1 - Mend

jwt_sessions 1.0.0 → 1.0.1

Files changed (4) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bfd4418b2bba47f5127afce7c69075372ed995f1
-  data.tar.gz: 5d51066a3533865f9c329d203f87819b704d47d8
+  metadata.gz: 5168d7361bdf008db2c14204b698bed8926aa0fc
+  data.tar.gz: 7a218c9787fef9375a260064adaaf69f31d53e78
 SHA512:
-  metadata.gz: 39ee0e2618f6e10577e88ed8c574799888c84e73a4d757d800487b30cb901fb6042e7b53a05e57b6b30f7c2f5f46c78c2fd35ec44653b0f6fa99ef5d7fb0a14c
-  data.tar.gz: 1a84c6f9d28a1b5571d114b9d6fd2fba37dacc3d0f4eec340e5699728425712ccc271374cd94019a3d54bdc258db579da793e00ca61f7fc66274b24557ebde39
+  metadata.gz: 5646630d2e046bf3f6519f384e21306ba109127f53cf831d06164e39d8805396f7a3e561a3afe702c647308faca3cee949300726e3e0134e3fb24563c1330981
+  data.tar.gz: 902ef70ff8adfe56771ebbab3f06b330bf762a81fc13e9c555df0eaab4b8dfd7ca30b95d84355cfaf4bf11c3508c0e015bcba744bf7eb39095d7c4f6b3b9f4c1

data/README.md CHANGED

@@ -21,7 +21,7 @@ jwt_sessions itself uses `ext` claim and `HS256` signing by default.
 Put this line in your Gemfile
-```
+```ruby
 gem 'jwt_sessions'
 ```
@@ -39,7 +39,7 @@ bundle install
 Include `JWTSessions::RailsAuthorization` in your controllers, add `JWTSessions::Errors::Unauthorized` exceptions handling if needed.
-```
+```ruby
 class ApplicationController < ActionController::API
   include JWTSessions::RailsAuthorization
   rescue_from JWTSessions::Errors::Unauthorized, with: :not_authorized
@@ -55,14 +55,14 @@ end
 Specify an encryption key for JSON Web Tokens in `config/initializers/jwt_session.rb` \
 It's adviced to store the key itself within the app secrets.
-```
+```ruby
 JWTSessions.encryption_key = Rails.application.secrets.secret_jwt_encryption_key
 ```
 Generate access/refresh/csrf tokens with a custom payload. \
 The payload will be available in the controllers once the access (or refresh) token is authorized.
-```
+```ruby
 > payload = { user_id: user.id }
 => {:user_id=>1}
@@ -80,7 +80,7 @@ Refresh controller - to be able to get a new access token using refresh token af
 Here is example of a simple login controller, which returns set of tokens as a plain JSON response. \
 It's also possible to set tokens as cookies in the response instead.
-```
+```ruby
 class LoginController < ApplicationController
   def create
     user = User.find_by!(email: params[:email])
@@ -97,14 +97,14 @@ end
 Since it's not required to pass an access token when you want to perform a refresh you may need to have some data in the payload of the refresh token to allow you to construct a payload of the new access token during refresh.
-```
+```ruby
 session = JWTSessions::Session.new(payload: payload, refresh_payload: refresh_payload)
 ```
 Now you can build a refresh endpoint. To protect the endpoint use before_action `authorize_refresh_request!`. \
 In the example `found_token` - is a token fetched from request headers or cookies.
-```
+```ruby
 class RefreshController < ApplicationController
   before_action :authorize_refresh_request!
@@ -129,7 +129,7 @@ POST /refresh
 Now when there're login and refresh endpoints, you can protect the rest of your secure controllers with `before_action :authorize_access_request!`.
-```
+```ruby
 class UsersController < ApplicationController
   before_action :authorize_access_request!
@@ -151,7 +151,7 @@ GET /users
 The `payload` method is available to fetch encoded data from the token.
-```
+```ruby
 def current_user
   @current_user ||= User.find(payload['user_id'])
 end
@@ -163,7 +163,7 @@ You must include `JWTSessions::Authorization` module to your auth class and impl
 1. request_headers
-```
+```ruby
 def request_headers
   # must return hash-like object with request headers
 end
@@ -171,7 +171,7 @@ end
 2. request_cookies
-```
+```ruby
 def request_cookies
   # must return hash-like object with request cookies
 end
@@ -179,22 +179,28 @@ end
 3. request_method
-```
+```ruby
 def request_method
   # must return current request verb as a string in upcase, f.e. 'GET', 'HEAD', 'POST', 'PATCH', etc
 end
 ```
-Example Sinatra app
+Example Sinatra app.
+NOTE: Since rack updates HTTP headers by using `HTTP_` prefix, upcasing and using underscores for sake of simplicity JWTSessions tokens header names are converted to rack-style in this example.
-```
+```ruby
 require 'sinatra/base'
+JWTSessions.access_header = 'authorization'
+JWTSessions.refresh_header = 'x_refresh_token'
+JWTSessions.csrf_header = 'x_csrf_token'
+JWTSessions.encryption_key = 'secret key'
 class SimpleApp < Sinatra::Base
   include JWTSessions::Authorization
   def request_headers
-    request.headers
+    env.inject({}){|acc, (k,v)| acc[$1.downcase] = v if k =~ /^http_(.*)/i; acc}
   end
   def request_cookies
@@ -205,13 +211,33 @@ class SimpleApp < Sinatra::Base
     request.request_method
   end
+  before do
+    content_type 'application/json'
+  end
+  post '/login' do
+    access_payload = { key: 'access value' }
+    refresh_payload = { key: 'refresh value' }
+    session = JWTSessions::Session.new(payload: access_payload, refresh_payload: refresh_payload)
+    session.login.to_json
+  end
+  # POST /refresh
+  # x_refresh_token: ...
   post '/refresh' do
-    content_type :json
     authorize_refresh_request!
-    session = JWTSessions::Session.new(payload: payload)
+    access_payload = { key: 'reloaded access value' }
+    session = JWTSessions::Session.new(payload: access_payload, refresh_payload: payload)
     session.refresh(found_token).to_json
   end
+  # GEY /payload
+  # authorization: Bearer ...
+  get '/payload' do
+    authorize_access_request!
+    payload.to_json
+  end
   ....
 end
 ```
@@ -224,7 +250,7 @@ List of configurable settings with their default values.
 Default token store configurations
-```
+```ruby
 JWTSessions.redis_host    = '127.0.0.1'
 JWTSessions.redis_port    = '6379'
 JWTSessions.redis_db_name = 'jwtokens'
@@ -233,28 +259,21 @@ JWTSessions.token_prefix  = 'jwt_' # used for redis db keys
 ##### JWT encryption
-```
+```ruby
 JWTSessions.algorithm = 'HS256'
 ```
 You need to specify a secret to use for HMAC, this setting doesn't have a default value.
-```
+```ruby
 JWTSessions.secret = 'secret'
 ```
-Or you need to specify public and private keys for RSA/EDCSA/EDDSA, there are no default values for keys. You can use instructions from [ruby-jwt](https://github.com/jwt/ruby-jwt) to generate keys corresponding keys.
-```
-JWTSessions.private_key = 'private_key'
-JWTSessions.public_key  = 'public_key_for_private'
-```
 ##### Request headers and cookies names
 Default request headers/cookies names can be re-configured
-```
+```ruby
 JWTSessions.access_header  = 'Authorization'
 JWTSessions.access_cookie  = 'jwt_access'
 JWTSessions.refresh_header = 'X-Refresh-Token'
@@ -266,7 +285,7 @@ JWTSessions.csrf_header    = 'X-CSRF-Token'
 Acces token must have a short life span, while refresh tokens can be stored for a longer time period
-```
+```ruby
 JWTSessions.access_exp_time = 3600 # 1 hour in seconds
 JWTSessions.refresh_exp_time = 604800 # 1 week in seconds
 ```
@@ -276,7 +295,7 @@ JWTSessions.refresh_exp_time = 604800 # 1 week in seconds
 In case when you use cookies as your tokens transport it gets vulnerable to CSRF. That's why both login and refresh methods of the `Session` class produce CSRF tokens for you. `Authorization` mixin expects that this token is sent with all requests except GET and HEAD in a header specified among this gem's settings (X-CSRF-Token by default). Verification will be done automatically and `Authorization` exception will be raised in case of mismatch between the token from the header and the one stored in session. \
 Although you don't need to mitigate BREACH attacks it's still possible to generate a new masked token with the access token
-```
+```ruby
 session = JWTSessions::Session.new
 session.masked_csrf(access_token)
 ```
@@ -286,11 +305,21 @@ session.masked_csrf(access_token)
 There is a security recommendation regarding the usage of refresh tokens: only perform refresh when an access token gets expired. \
 Since sessions are always defined by a pair of tokens and there can't be multiple access tokens for a single refresh token simultaneous usage of the refresh token by multiple users can be easily noticed as refresh will be perfomed before the expiration of the access token by one of the users. Because of that `refresh` method of the `Session` class supports optional block as one of its arguments which will be executed only in case of refresh being performed before the expiration of the access token.
-```
+```ruby
 session = JwtSessions::Session.new(payload: payload)
 session.refresh(refresh_token) { |refresh_token_uid, access_token_expiration| ... }
 ```
+## TODO
+Ability to specify public and private keys for RSA/EDCSA/EDDSA, there are no default values for keys. \
+You can use instructions from [ruby-jwt](https://github.com/jwt/ruby-jwt) to generate keys corresponding keys.
+```ruby
+JWTSessions.private_key = 'private_key'
+JWTSessions.public_key  = 'public_key_for_private'
+```
 ## Contributing
 Fork & Pull Request

data/lib/jwt_sessions/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module JWTSessions
-  VERSION = '1.0.0'
+  VERSION = '1.0.1'
 end

metadata CHANGED

@@ -1,27 +1,27 @@
 --- !ruby/object:Gem::Specification
 name: jwt_sessions
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
 platform: ruby
 authors:
 - Yulia Oletskaya
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-04-16 00:00:00.000000000 Z
+date: 2018-04-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.4'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '1.4'
 - !ruby/object:Gem::Dependency