RubyGems - jwt_sessions - Versions diffs - 1.0.2 → 1.1.0 - Mend

jwt_sessions 1.0.2 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/README.md +54 -10
data/lib/jwt_sessions/authorization.rb +4 -2
data/lib/jwt_sessions/session.rb +6 -4
data/lib/jwt_sessions/token.rb +4 -13
data/lib/jwt_sessions/version.rb +1 -1
data/lib/jwt_sessions.rb +55 -18
data/test/units/jwt_sessions/test_session.rb +1 -1
data/test/units/jwt_sessions/test_token.rb +116 -8
data/test/units/test_jwt_sessions.rb +5 -1
metadata +8 -8

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 143a1452f628f1d201801cc8b7b4855de56479fb
-  data.tar.gz: e648fe573c4239e2359d808b5fb93e58d253cf59
+  metadata.gz: da93c28c622a3bac51b8f30be0190b0a3c79dda7
+  data.tar.gz: 29da1c13c80f4b89572d8f1c3ebe07dd031f775b
 SHA512:
-  metadata.gz: d81c0bda06caebed8b38ca9649de98c3e5680859beb7059fd5f0534239f1aeb5b859c0e6f0582bb4585de44b7eef83136fa735d1ac2f7fa6107949e82dd777bb
-  data.tar.gz: 7e717dc3a0326c81239d1ce12937182bcc5f7d59df884f9eb4e7513f7a398b8c42984b97865e8bdc6f1a3efc75e8b8c96225b04ff76c64adf44f95508cdc57e7
+  metadata.gz: 4a21622dd516292d881f87a0b22f140b8dc7c17be838b200cfa7ccbcbb8a1a55a7e7bd075f3ea49982c06811a24fdda721f7625f3b821e4dfeff9583311942a2
+  data.tar.gz: b5897c5ef7e0a3be5db1dcc67df71fd0eb56f4a5f3ee5008782c881b006a34e139be045e6a30e7632f5231bf425c62de3b62b150a9e92895befa522802ef346b

data/README.md CHANGED Viewed

@@ -1,6 +1,7 @@
 # jwt_sessions
 [![Gem Version](https://badge.fury.io/rb/jwt_sessions.svg)](https://badge.fury.io/rb/jwt_sessions)
 [![Maintainability](https://api.codeclimate.com/v1/badges/53de11b8334933b1c0ef/maintainability)](https://codeclimate.com/github/tuwukee/jwt_sessions/maintainability)
+[![Codacy Badge](https://api.codacy.com/project/badge/Grade/c86efdfca81448919ec3e1c1e48fc152)](https://www.codacy.com/app/tuwukee/jwt_sessions?utm_source=github.com&amp;utm_medium=referral&amp;utm_content=tuwukee/jwt_sessions&amp;utm_campaign=Badge_Grade)
 [![Build Status](https://travis-ci.org/tuwukee/jwt_sessions.svg?branch=master)](https://travis-ci.org/tuwukee/jwt_sessions)
 XSS/CSRF safe JWT auth designed for SPA
@@ -77,9 +78,18 @@ Specify an encryption key for JSON Web Tokens in `config/initializers/jwt_sessio
 It's adviced to store the key itself within the app secrets.
 ```ruby
+JWTSessions.algorithm = 'HS256'
 JWTSessions.encryption_key = Rails.application.secrets.secret_jwt_encryption_key
 ```
+Most of the encryption algorithms require private and public keys to sign a token, yet HMAC only require a single key, so you can use a shortcat `encryotion_key` to sign the token. For other algorithms you must specify a private and public keys separately.
+```ruby
+JWTSessions.algorithm   = 'RS256'
+JWTSessions.private_key = OpenSSL::PKey::RSA.generate(2048)
+JWTSessions.public_key  = JWTSessions.private_key.public_key
+```
 Generate access/refresh/csrf tokens with a custom payload. \
 The payload will be available in the controllers once the access (or refresh) token is authorized. \
 Access/refresh tokens contain expiration time in their payload. Yet expiration times are also added to the output just in case.
@@ -290,9 +300,46 @@ JWTSessions.algorithm = 'HS256'
 You need to specify a secret to use for HMAC, this setting doesn't have a default value.
 ```ruby
-JWTSessions.secret = 'secret'
+JWTSessions.encryption_key = 'secret'
+```
+If you are using another algorithm like RSA/ECDSA/EDDSA you should specify private and public keys.
+```ruby
+JWTSessions.private_key = 'abcd'
+JWTSessions.public_key  = 'efjh'
+```
+NOTE: ED25519 and HS512256 require rbnacl installation in order to make it work.
+jwt_sessions only uses `exp` claim by default when it decodes tokens, you can specify which additional claims to use by
+setting `jwt_options`. You can also specify leeway to account for clock skew.
+```ruby
+JWTSessions.jwt_options.verify_iss = true
+JWTSessions.jwt_options.verify_sub = true
+JWTSessions.jwt_options.verify_iat = true
+JWTSessions.jwt_options.verify_aud = true
+JWTSessions.jwt_options.leeway     = 30 # seconds
 ```
+To pass options like `sub`, `aud`, `iss`, or leeways you should specify a method called `token_claims` in your controller.
+```ruby
+class UsersController < ApplicationController
+  before_action :authorize_access_request!
+  def token_claims
+    {
+      aud: ['admin', 'staff'],
+      exp_leeway: 15 # will be used instead of default leeway only for exp claim
+    }
+  end
+end
+```
+Claims are also supported by `JWTSessions::Session`, you can pass `access_claims` and `refresh_claims` options in the initializer
 ##### Request headers and cookies names
 Default request headers/cookies names can be re-configured
@@ -307,7 +354,7 @@ JWTSessions.csrf_header    = 'X-CSRF-Token'
 ##### Expiration time
-Acces token must have a short life span, while refresh tokens can be stored for a longer time period
+Access token must have a short life span, while refresh tokens can be stored for a longer time period
 ```ruby
 JWTSessions.access_exp_time = 3600 # 1 hour in seconds
@@ -341,17 +388,14 @@ session.refresh(refresh_token) { |refresh_token_uid, access_token_expiration| ..
 ## TODO
-Ability to specify public and private keys for RSA/EDCSA/EDDSA, there are no default values for keys. \
-You can use instructions from [ruby-jwt](https://github.com/jwt/ruby-jwt) to generate keys corresponding keys.
-```ruby
-JWTSessions.private_key = 'private_key'
-JWTSessions.public_key  = 'public_key_for_private'
-```
+Session cleanup by uid or refresh token instance. \
+Refresh token namespaces to allow centralized token cleanup per namespace (scenarios like password reset). \
+Documentation for code.
 ## Contributing
-Fork & Pull Request
+Fork & Pull Request \
+RbNaCl and sodium cryptographic library are required for tests
 ## License

data/lib/jwt_sessions/authorization.rb CHANGED Viewed

@@ -14,7 +14,8 @@ module JWTSessions
         rescue Errors::Unauthorized
           cookie_based_auth(token_type)
         end
-        invalid_authorization unless Token.valid_payload?(payload)
+        # triggers token decode and jwt claim checks
+        payload
         check_csrf(token_type)
       end
     end
@@ -83,7 +84,8 @@ module JWTSessions
     end
     def payload
-      @_payload ||= Token.decode(found_token).first
+      claims = respond_to?(:token_claims) ? token_claims : {}
+      @_payload ||= Token.decode(found_token, claims).first
     end
   end
 end

data/lib/jwt_sessions/session.rb CHANGED Viewed

@@ -9,6 +9,8 @@ module JWTSessions
       @store           = options.fetch(:store, JWTSessions.token_store)
       @refresh_payload = options.fetch(:refresh_payload, {})
       @payload         = options.fetch(:payload, {})
+      @access_claims   = options.fetch(:access_claims, {})
+      @refresh_claims  = options.fetch(:refresh_claims, {})
     end
     def login
@@ -60,17 +62,17 @@ module JWTSessions
     end
     def access_token_data(token)
-      uid = token_uid(token, :access)
+      uid = token_uid(token, :access, @access_claims)
       store.fetch_access(uid)
     end
     def refresh_token_data(token)
-      uid = token_uid(token, :refresh)
+      uid = token_uid(token, :refresh, @refresh_claims)
       retrieve_refresh_token(uid)
     end
-    def token_uid(token, type)
-      token_payload = JWTSessions::Token.decode(token).first
+    def token_uid(token, type, claims)
+      token_payload = JWTSessions::Token.decode(token, claims).first
       uid           = token_payload.fetch('uid', nil)
       if uid.nil?
         message = "#{type.to_s.capitalize} token payload does not contain token uid"

data/lib/jwt_sessions/token.rb CHANGED Viewed

@@ -7,30 +7,21 @@ module JWTSessions
     class << self
       def encode(payload)
         exp_payload = meta.merge(payload)
-        JWT.encode(exp_payload, JWTSessions.encryption_key, JWTSessions.algorithm)
+        JWT.encode(exp_payload, JWTSessions.private_key, JWTSessions.algorithm)
       end
-      def decode(token)
-        JWT.decode(token, JWTSessions.encryption_key, true, { algorithm: JWTSessions.algorithm, verify_expiration: false })
+      def decode(token, claims = {})
+        decode_options = { algorithm: JWTSessions.algorithm }.merge(JWTSessions.jwt_options.to_h).merge(claims)
+        JWT.decode(token, JWTSessions.public_key, JWTSessions.validate?, decode_options)
       rescue JWT::DecodeError => e
         raise Errors::Unauthorized, e.message
       rescue StandardError
         raise Errors::Unauthorized, 'could not decode a token'
       end
-      def valid_payload?(payload)
-        !expired?(payload)
-      end
       def meta
         { exp: JWTSessions.access_expiration }
       end
-      def expired?(payload)
-        Time.at(payload['exp']) < Time.now
-      rescue StandardError
-        raise Errors::Unauthorized, 'invalid payload expiration time'
-      end
     end
   end
 end

data/lib/jwt_sessions/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module JWTSessions
-  VERSION = '1.0.2'
+  VERSION = '1.1.0'
 end

data/lib/jwt_sessions.rb CHANGED Viewed

@@ -18,6 +18,10 @@ module JWTSessions
   attr_writer :token_store
+  NONE = 'none'
+  JWTOptions = Struct.new(*JWT::DefaultOptions::DEFAULT_OPTIONS.keys)
   DEFAULT_SETTINGS_KEYS = %i[access_cookie
                              access_exp_time
                              access_header
@@ -30,19 +34,19 @@ module JWTSessions
                              refresh_exp_time
                              refresh_header
                              token_prefix].freeze
-  DEFAULT_REDIS_HOST = '127.0.0.1'
-  DEFAULT_REDIS_PORT = '6379'
-  DEFAULT_REDIS_DB_NAME = 'jwtokens'
-  DEFAULT_TOKEN_PREFIX = 'jwt_'
-  DEFAULT_ALGORITHM = 'HS256'
-  DEFAULT_ACCESS_EXP_TIME = 3600 # 1 hour in seconds
-  DEFAULT_REFRESH_EXP_TIME = 604800 # 1 week in seconds
-  DEFAULT_ACCESS_COOKIE = 'jwt_access'
-  DEFAULT_ACCESS_HEADER = 'Authorization'
-  DEFAULT_REFRESH_COOKIE = 'jwt_refresh'
-  DEFAULT_REFRESH_HEADER = 'X-Refresh-Token'
-  DEFAULT_CSRF_HEADER = 'X-CSRF-Token'
+  DEFAULT_REDIS_HOST       = '127.0.0.1'
+  DEFAULT_REDIS_PORT       = '6379'
+  DEFAULT_REDIS_DB_NAME    = 'jwtokens'
+  DEFAULT_TOKEN_PREFIX     = 'jwt_'
+  DEFAULT_ALGORITHM        = 'HS256'
+  DEFAULT_ACCESS_EXP_TIME  = 3600 # 1 hour in seconds
+  DEFAULT_REFRESH_EXP_TIME = 604800 # 1 week in seconds
+  DEFAULT_ACCESS_COOKIE    = 'jwt_access'
+  DEFAULT_ACCESS_HEADER    = 'Authorization'
+  DEFAULT_REFRESH_COOKIE   = 'jwt_refresh'
+  DEFAULT_REFRESH_HEADER   = 'X-Refresh-Token'
+  DEFAULT_CSRF_HEADER      = 'X-CSRF-Token'
   DEFAULT_SETTINGS_KEYS.each do |setting|
     var_name = :"@#{setting}"
@@ -61,13 +65,41 @@ module JWTSessions
     end
   end
+  def jwt_options
+    @jwt_options ||= JWTOptions.new(*JWT::DefaultOptions::DEFAULT_OPTIONS.values)
+  end
+  def algorithm=(algo)
+    raise Errors::Malconfigured, "algorithm #{algo} is not supported" unless supported_algos.include?(algo)
+    @algorithm = algo
+  end
   def token_store
     RedisTokenStore.instance(redis_host, redis_port, redis_db_name, token_prefix)
   end
-  def encryption_key
-    raise Errors::Malconfigured, 'encryption_key is not specified' unless @encryption_key
-    @encryption_key
+  def validate?
+    algorithm != NONE
+  end
+  [:public_key, :private_key].each do |key|
+    var_name = :"@#{key}"
+    define_method("#{key}") do
+      return nil if algorithm == NONE
+      var = instance_variable_get(var_name)
+      raise Errors::Malconfigured, "#{key} is not specified" unless var
+      var
+    end
+    define_method("#{key}=") do |val|
+      instance_variable_set(var_name, val)
+    end
+  end
+  # should be used for hmac only
+  def encryption_key=(key)
+    @public_key  = key
+    @private_key = key
   end
   def access_expiration
@@ -78,9 +110,6 @@ module JWTSessions
     Time.now.to_i + refresh_exp_time.to_i
   end
-  def encryption_key=(key)
-    @encryption_key = key
-  end
   def header_by(token_type)
     send("#{token_type}_header")
@@ -89,4 +118,12 @@ module JWTSessions
   def cookie_by(token_type)
     send("#{token_type}_cookie")
   end
+  private
+  def supported_algos
+    # TODO once ECDSA is fixed in ruby-jwt it can be added to the list of algos just the same way others are added
+    algos = JWT::Algos.constants - [:Unsupported, :Ecdsa]
+    algos.map { |algo| JWT::Algos.const_get(algo)::SUPPORTED }.flatten + [NONE, *JWT::Algos::Ecdsa::SUPPORTED.split(' ')]
+  end
 end

data/test/units/jwt_sessions/test_session.rb CHANGED Viewed

@@ -39,10 +39,10 @@ class TestSession < Minitest::Test
     JWTSessions.access_exp_time = 0
     @session = JWTSessions::Session.new(payload: payload)
     @tokens = session.login
+    JWTSessions.access_exp_time = 3600
     refreshed_tokens = session.refresh(tokens[:refresh]) do
       raise JWTSessions::Errors::Unauthorized
     end
-    JWTSessions.access_exp_time = 3600
     decoded_access = JWTSessions::Token.decode(refreshed_tokens[:access]).first
     assert_equal EXPECTED_KEYS, refreshed_tokens.keys.sort
     assert_equal payload[:test], decoded_access['test']

data/test/units/jwt_sessions/test_token.rb CHANGED Viewed

@@ -2,17 +2,128 @@
 require 'minitest/autorun'
 require 'jwt_sessions'
+require 'pry'
+nacl_supported_versions = {
+  'ruby'  => ['~> 2.2.6', '~> 2.3.0', '~> 2.4.2'],
+  'jruby' => ['~> 9.1.6.0']
+}.each_with_object([]) do |(platform, versions), acc|
+  acc.concat(versions.map { |version| Gem::Dependency.new(platform, version) })
+end
+nacl_supported = nacl_supported_versions.any? { |version| version.match?(RUBY_ENGINE, RUBY_VERSION) }
+$uses_nacl = !!(defined?(RbNaCl) || require('rbnacl') if nacl_supported)
 class TestToken < Minitest::Test
   attr_reader :payload
   def setup
-    JWTSessions.encryption_key = 'super secret'
     @payload = { 'user_id' => 1, 'secret' => 'mystery' }
+    JWTSessions.encryption_key = 'abcdefghijklmnopqrstuvwxyzABCDEF'
+  end
+  def teardown
+    JWTSessions.algorithm = JWTSessions::DEFAULT_ALGORITHM
+    JWTSessions.instance_variable_set(:'@jwt_options', JWTSessions::JWTOptions.new(*JWT::DefaultOptions::DEFAULT_OPTIONS.values))
+  end
+  def test_rsa_token_decode
+    JWTSessions.algorithm   = 'RS256'
+    JWTSessions.private_key = OpenSSL::PKey::RSA.generate 2048
+    JWTSessions.public_key  = JWTSessions.private_key.public_key
+    token   = JWTSessions::Token.encode(payload)
+    decoded = JWTSessions::Token.decode(token).first
+    assert_equal payload['user_id'], decoded['user_id']
+    assert_equal payload['secret'], decoded['secret']
+  end
+  def test_eddsa_token_decode
+    skip unless $uses_nacl
+    JWTSessions.algorithm   = 'ED25519'
+    JWTSessions.private_key = ::RbNaCl::Signatures::Ed25519::SigningKey.new('abcdefghijklmnopqrstuvwxyzABCDEF')
+    JWTSessions.public_key  = JWTSessions.private_key.verify_key
+    token   = JWTSessions::Token.encode(payload)
+    decoded = JWTSessions::Token.decode(token).first
+    assert_equal payload['user_id'], decoded['user_id']
+    assert_equal payload['secret'], decoded['secret']
+  end
+  def test_ecdsa_token_decode
+    JWTSessions.algorithm   = 'ES256'
+    JWTSessions.private_key = OpenSSL::PKey::EC.new 'prime256v1'
+    JWTSessions.private_key.generate_key
+    JWTSessions.public_key             = OpenSSL::PKey::EC.new JWTSessions.private_key
+    JWTSessions.public_key.private_key = nil
+    token   = JWTSessions::Token.encode(payload)
+    decoded = JWTSessions::Token.decode(token).first
+    assert_equal payload['user_id'], decoded['user_id']
+    assert_equal payload['secret'], decoded['secret']
+  end
+  def test_hmac_token_decode
+    JWTSessions.encryption_key = 'abcdefghijklmnopqrstuvwxyzABCDEF'
+    token   = JWTSessions::Token.encode(payload)
+    decoded = JWTSessions::Token.decode(token).first
+    assert_equal payload['user_id'], decoded['user_id']
+    assert_equal payload['secret'], decoded['secret']
+  end
+  def test_token_sub_claim
+    JWTSessions.encryption_key = 'abcdefghijklmnopqrstuvwxyzABCDEF'
+    JWTSessions.jwt_options.verify_sub = true
+    token   = JWTSessions::Token.encode(payload.merge(sub: 'subject'))
+    decoded = JWTSessions::Token.decode(token, { sub: 'subject' }).first
+    assert_equal payload['user_id'], decoded['user_id']
+    assert_equal payload['secret'], decoded['secret']
+    assert_raises JWTSessions::Errors::Unauthorized do
+      JWTSessions::Token.decode(token, { sub: 'different subject' })
+    end
+  end
+  def test_token_iss_claim
+    JWTSessions.encryption_key = 'abcdefghijklmnopqrstuvwxyzABCDEF'
+    JWTSessions.jwt_options.verify_iss = true
+    token   = JWTSessions::Token.encode(payload.merge(iss: 'Me'))
+    decoded = JWTSessions::Token.decode(token, { iss: 'Me' }).first
+    assert_equal payload['user_id'], decoded['user_id']
+    assert_equal payload['secret'], decoded['secret']
+    assert_raises JWTSessions::Errors::Unauthorized do
+      JWTSessions::Token.decode(token, { iss: 'Not Me' })
+    end
+  end
+  def test_token_aud_claim
+    JWTSessions.encryption_key = 'abcdefghijklmnopqrstuvwxyzABCDEF'
+    JWTSessions.jwt_options.verify_aud = true
+    token   = JWTSessions::Token.encode(payload.merge(aud: ['young', 'old']))
+    decoded = JWTSessions::Token.decode(token, { aud: ['young'] }).first
+    assert_equal payload['user_id'], decoded['user_id']
+    assert_equal payload['secret'], decoded['secret']
+    assert_raises JWTSessions::Errors::Unauthorized do
+      JWTSessions::Token.decode(token, { aud: ['adult'] })
+    end
+  end
+  def test_token_leeway_decode
+    JWTSessions.encryption_key = 'abcdefghijklmnopqrstuvwxyzABCDEF'
+    JWTSessions.jwt_options.leeway = 50
+    token   = JWTSessions::Token.encode(payload.merge(exp: Time.now.to_i - 20))
+    decoded = JWTSessions::Token.decode(token).first
+    assert_equal payload['user_id'], decoded['user_id']
+    assert_equal payload['secret'], decoded['secret']
+    token   = JWTSessions::Token.encode(payload.merge(exp: Time.now.to_i - 100))
+    assert_raises JWTSessions::Errors::Unauthorized do
+      JWTSessions::Token.decode(token)
+    end
   end
-  def test_valid_token_decode
-    token = JWTSessions::Token.encode(payload)
+  def test_none_token_decode
+    JWTSessions.algorithm = JWTSessions::NONE
+    token   = JWTSessions::Token.encode(payload)
     decoded = JWTSessions::Token.decode(token).first
     assert_equal payload['user_id'], decoded['user_id']
     assert_equal payload['secret'], decoded['secret']
@@ -31,12 +142,9 @@ class TestToken < Minitest::Test
   end
   def test_payload_exp_time
+    token = JWTSessions::Token.encode(payload.merge(exp: Time.now.to_i - (3600 * 24)))
     assert_raises JWTSessions::Errors::Unauthorized do
-      JWTSessions::Token.valid_payload?(payload)
+      JWTSessions::Token.decode(token)
     end
-    payload['exp'] = Time.now - (3600 * 24)
-    assert_equal false, JWTSessions::Token.valid_payload?(payload)
-    payload['exp'] = Time.now + (3600 * 24)
-    assert_equal true, JWTSessions::Token.valid_payload?(payload)
   end
 end

data/test/units/test_jwt_sessions.rb CHANGED Viewed

@@ -21,7 +21,11 @@ class TestJWTSessions < Minitest::Test
   def test_encryption_key
     JWTSessions.encryption_key = nil
     assert_raises JWTSessions::Errors::Malconfigured do
-      JWTSessions.encryption_key
+      JWTSessions.private_key
+    end
+    assert_raises JWTSessions::Errors::Malconfigured do
+      JWTSessions.public_key
     end
   end

metadata CHANGED Viewed

@@ -1,29 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: jwt_sessions
 version: !ruby/object:Gem::Version
-  version: 1.0.2
+  version: 1.1.0
 platform: ruby
 authors:
 - Yulia Oletskaya
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-04-19 00:00:00.000000000 Z
+date: 2018-04-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '2.1'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.4'
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: redis
   requirement: !ruby/object:Gem::Requirement
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '12.3'
 description: XSS/CSRF safe JWT auth designed for SPA
 email: yulia.oletskaya@gmail.com
 executables: []