jwt_sessions 1.2.1 → 1.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1252d6b636f396716b493926fcca3b05a4554c99
-  data.tar.gz: 2d9e3dfaae57e7d86815387168a59d9fceb11a3b
+  metadata.gz: 4bdd67c0de6950cd6f99bc26f1500c06367f76f4
+  data.tar.gz: aa5c2c26f7e15cac228492af9a9b4a1571dab08b
 SHA512:
-  metadata.gz: 6c0ebdfffa676b2f885dac0764801ad93426002f3b579339277e6c80a7c01f9b98394a28deb250f23fe4419c2cea282d1cd1738d4b95bdc87453b3c25b1ddb0c
-  data.tar.gz: 3e861393dc58de0eac408022b9c0ac342d262bfb0f5654303704c2126f583b93a3560a7dee1c07d18ffcbfda2e9b472d6e9ec6926ea9d0e53ed8426c067d641a
+  metadata.gz: 9399b04dd8484864cb084ef80f284389ec04eb6b22cc8b46e95a5c3670849e6c5c069f10613d058e13c2817809990ab207e360b0a4ed5a0ce656686c7b90c87a
+  data.tar.gz: 88cc2e5441dc8b0afae1e167ca9b7a3d4f68796927824e8b03727a42a7e83451c790a05ad8fb9050f69b23facae1265f9b7a51a43170a2285ca48df157a99e9b

data/README.md

@@ -19,9 +19,11 @@ XSS/CSRF safe JWT auth designed for SPA
     + [Request headers and cookies names](#request-headers-and-cookies-names)
     + [Expiration time](#expiration-time)
     + [CSRF and cookies](#csrf-and-cookies)
+    + [Refresh with access token](#refresh-with-access-token)
     + [Refresh token hijack protection](#refresh-token-hijack-protection)
 - [Flush Sessions](#flush-sessions)
     + [Sessions Namespace](#sessions-namespace)
+    + [Logout](#logout)
 - [Examples](#examples)
 - [Contributing](#contributing)
 - [License](#license)
@@ -372,6 +374,60 @@ session = JWTSessions::Session.new
 session.masked_csrf(access_token)
 ```
 
+##### Refresh with access token
+
+Sometimes it's not secure enough to store the refresh tokens in web / JS clients.
+That's why you have a possibility to operate only with an access token, and to not pass the refresh to the client at all.
+Session accepts `refresh_by_access_allowed: true` setting, which links the access token to the according refresh token.
+Example Rails login controller, which passes an access token token via cookies and renders CSRF.
+
+```ruby
+class LoginController < ApplicationController
+  include ActionController::Cookies
+
+  def create
+    user = User.find_by!(email: params[:email])
+    if user.authenticate(params[:password])
+
+      payload = { user_id: user.id }
+      session = JWTSessions::Session.new(payload: payload, refresh_by_access_allowed: true)
+      tokens = session.login
+      cookies[JWTSessions.access_cookie] = tokens[:access]
+
+      render json: { csrf: tokens[:csrf] }
+    else
+      render json: 'Invalid email or password', status: :unauthorized
+    end
+  end
+end
+```
+
+The gem provides an ability to refresh the session by access token.
+
+```ruby
+tokens = session.refresh_by_access(access_token)
+```
+
+In case of token forgery and successful refresh performed by an atacker - the original user will have to logout.
+To protect the endpoint use before_action `authorize_refresh_by_access_request!`.
+Example Rails refresh by access controller with cookies as token transport.
+
+```ruby
+class RefreshController < ApplicationController
+  include ActionController::Cookies
+  before_action :authorize_refresh_by_access_request!
+
+  def create
+    session = JWTSessions::Session.new(payload: payload, refresh_by_access_allowed: true)
+    tokens = session.refresh_by_access(found_token)
+    cookies[JWTSessions.access_cookie] = tokens[:access]
+
+    render json: { csrf: tokens[:csrf] }
+  end
+end
+
+```
+
 #### Refresh token hijack protection
 
 There is a security recommendation regarding the usage of refresh tokens: only perform refresh when an access token gets expired. \
@@ -418,6 +474,13 @@ To force flush of all app sessions
 JWTSessions::Session.flush_all
 ```
 
+##### Logout
+
+To logout you need to remove both access and refresh tokens from the store.
+Flush sessions methods can be used to perform logout.
+Refresh token or refresh token UID is required to flush a session.
+To logout with an access token `refresh_by_access_allowed` setting should be set to true on an access token creation. If logout by access token is allowed it's recommended to ignore the expiration claim and to allow to logout with expired access token.
+
 ## Examples
 
 [Rails API](test/support/dummy_api) \

data/lib/jwt_sessions/access_token.rb

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 module JWTSessions
   class AccessToken
-    attr_reader :token, :payload, :uid, :expiration, :csrf, :store
+    attr_reader :payload, :uid, :expiration, :csrf, :store
 
     def initialize(csrf, payload, store, uid = SecureRandom.uuid, expiration = JWTSessions.access_expiration)
       @csrf       = csrf
@@ -8,13 +10,24 @@ module JWTSessions
       @expiration = expiration
       @payload    = payload
       @store      = store
-      @token      = Token.encode(payload.merge(uid: uid, exp: expiration.to_i))
     end
 
     def destroy
       store.destroy_access(uid)
     end
 
+    def refresh_uid=(uid)
+      self.payload['ruid'] = uid
+    end
+
+    def refresh_uid
+      payload['ruid']
+    end
+
+    def token
+      Token.encode(payload.merge(uid: uid, exp: expiration.to_i))
+    end
+
     class << self
       def create(csrf, payload, store)
         new(csrf, payload, store).tap do |inst|

data/lib/jwt_sessions/authorization.rb

@@ -21,6 +21,17 @@ module JWTSessions
       end
     end
 
+    def authorize_refresh_by_access_request!
+      begin
+        cookieless_auth(:access)
+      rescue Errors::Unauthorized
+        cookie_based_auth(:access)
+      end
+      # only latest access token can be used for refresh
+      invalid_authorization unless session_exists?(:access)
+      check_csrf(:access)
+    end
+
     private
 
     def invalid_authorization

data/lib/jwt_sessions/session.rb

@@ -2,16 +2,24 @@
 
 module JWTSessions
   class Session
-    attr_reader :access_token, :refresh_token, :csrf_token
-    attr_accessor :payload, :store, :refresh_payload, :namespace
+    attr_reader :access_token,
+                :refresh_token,
+                :csrf_token
+
+    attr_accessor :payload,
+                  :store,
+                  :refresh_payload,
+                  :namespace,
+                  :refresh_by_access_allowed
 
     def initialize(options = {})
-      @store           = options.fetch(:store, JWTSessions.token_store)
-      @refresh_payload = options.fetch(:refresh_payload, {})
-      @payload         = options.fetch(:payload, {})
-      @access_claims   = options.fetch(:access_claims, {})
-      @refresh_claims  = options.fetch(:refresh_claims, {})
-      @namespace       = options.fetch(:namespace, nil)
+      @store                     = options.fetch(:store, JWTSessions.token_store)
+      @refresh_payload           = options.fetch(:refresh_payload, {})
+      @payload                   = options.fetch(:payload, {})
+      @access_claims             = options.fetch(:access_claims, {})
+      @refresh_claims            = options.fetch(:refresh_claims, {})
+      @namespace                 = options.fetch(:namespace, nil)
+      @refresh_by_access_allowed = options.fetch(:refresh_by_access_allowed, false)
     end
 
     def login
@@ -42,6 +50,12 @@ module JWTSessions
       refresh_by_uid(&block)
     end
 
+    def refresh_by_access(token, &block)
+      ruid = access_token_ruid(token)
+      retrieve_refresh_token(ruid)
+      refresh_by_uid(&block)
+    end
+
     def flush_by_token(token)
       uid = token_uid(token, :refresh, @refresh_claims)
       flush_by_uid(uid)
@@ -119,6 +133,22 @@ module JWTSessions
       uid
     end
 
+    def access_token_ruid(token)
+      token_payload  = JWTSessions::Token.decode(token, @access_claims).first
+
+      # ensure access token exists in the store
+      uid            = token_payload.fetch('uid', nil)
+      data           = store.fetch_access(uid)
+      raise Errors::Unauthorized, 'Access token not found' if data.empty?
+
+      ruid = token_payload.fetch('ruid', nil)
+      if ruid.nil?
+        message = "Access token payload does not contain refresh uid"
+        raise Errors::InvalidPayload, message
+      end
+      ruid
+    end
+
     def retrieve_refresh_token(uid)
       @_refresh = RefreshToken.find(uid, store, namespace)
     end
@@ -149,6 +179,13 @@ module JWTSessions
     def update_refresh_token
       @_refresh.update(@_access.uid, @_access.expiration, @_csrf.encoded)
       @refresh_token = @_refresh.token
+      link_access_to_refresh
+    end
+
+    def link_access_to_refresh
+      return unless refresh_by_access_allowed
+      @_access.refresh_uid = @_refresh.uid
+      @access_token = @_access.token
     end
 
     def create_csrf_token
@@ -164,6 +201,7 @@ module JWTSessions
                                       refresh_payload,
                                       namespace)
       @refresh_token = @_refresh.token
+      link_access_to_refresh
     end
 
     def create_access_token

data/lib/jwt_sessions/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JWTSessions
-  VERSION = '1.2.1'
+  VERSION = '1.3.0'
 end

data/test/units/jwt_sessions/test_session.rb

@@ -33,6 +33,16 @@ class TestSession < Minitest::Test
     assert_equal payload[:test], decoded_access['test']
   end
 
+  def test_refresh_by_access
+    session = JWTSessions::Session.new(payload: payload, refresh_by_access_allowed: true)
+    tokens = session.login
+    refreshed_tokens = session.refresh_by_access(tokens[:access])
+    decoded_access = JWTSessions::Token.decode(refreshed_tokens[:access]).first
+    assert_equal EXPECTED_KEYS, refreshed_tokens.keys.sort
+    assert_equal payload[:test], decoded_access['test']
+    assert_equal session.instance_variable_get('@_refresh').uid, decoded_access['ruid']
+  end
+
   def test_refresh_with_block_not_expired
     assert_raises JWTSessions::Errors::Unauthorized do
       session.refresh(tokens[:refresh]) do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt_sessions
 version: !ruby/object:Gem::Version
-  version: 1.2.1
+  version: 1.3.0
 platform: ruby
 authors:
 - Yulia Oletskaya
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-03 00:00:00.000000000 Z
+date: 2018-06-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -54,58 +54,58 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.16'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.16'
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '5.11'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '5.11'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.11'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '0.11'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '12.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '12.3'
 description: XSS/CSRF safe JWT auth designed for SPA
 email: yulia.oletskaya@gmail.com
 executables: []