jwt_sessions 1.3.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4bdd67c0de6950cd6f99bc26f1500c06367f76f4
-  data.tar.gz: aa5c2c26f7e15cac228492af9a9b4a1571dab08b
+  metadata.gz: 6ab2b9607a84bdecaea7ec538b3ba194ae0d57e4
+  data.tar.gz: 3ade912f52efd6078fb676697187145c23e39024
 SHA512:
-  metadata.gz: 9399b04dd8484864cb084ef80f284389ec04eb6b22cc8b46e95a5c3670849e6c5c069f10613d058e13c2817809990ab207e360b0a4ed5a0ce656686c7b90c87a
-  data.tar.gz: 88cc2e5441dc8b0afae1e167ca9b7a3d4f68796927824e8b03727a42a7e83451c790a05ad8fb9050f69b23facae1265f9b7a51a43170a2285ca48df157a99e9b
+  metadata.gz: 7761b2f89cf64203f8f82cef4e95c28f6ea602cee0a22d56318bbfd1299cb6e2c3b50ad41b840fddd458dc53b0b249b3d7820a99405b67b2ffb532b900f15d51
+  data.tar.gz: d4e087880bfc893c983c7187d2c206c521efe3beb0c0c245161e0c614bc59868a05c474c9479a36f778966c4ab017c220fd9e866448afd83f9444c59f5f5b33c

data/README.md

@@ -341,7 +341,7 @@ class UsersController < ApplicationController
 end
 ```
 
-Claims are also supported by `JWTSessions::Session`, you can pass `access_claims` and `refresh_claims` options in the initializer
+Claims are also supported by `JWTSessions::Session`, you can pass `access_claims` and `refresh_claims` options in the initializer.
 
 ##### Request headers and cookies names
 
@@ -367,7 +367,7 @@ JWTSessions.refresh_exp_time = 604800 # 1 week in seconds
 #### CSRF and cookies
 
 In case when you use cookies as your tokens transport it gets vulnerable to CSRF. That's why both login and refresh methods of the `Session` class produce CSRF tokens for you. `Authorization` mixin expects that this token is sent with all requests except GET and HEAD in a header specified among this gem's settings (X-CSRF-Token by default). Verification will be done automatically and `Authorization` exception will be raised in case of mismatch between the token from the header and the one stored in session. \
-Although you don't need to mitigate BREACH attacks it's still possible to generate a new masked token with the access token
+Although you don't need to mitigate BREACH attacks it's still possible to generate a new masked token with the access token.
 
 ```ruby
 session = JWTSessions::Session.new
@@ -376,15 +376,13 @@ session.masked_csrf(access_token)
 
 ##### Refresh with access token
 
-Sometimes it's not secure enough to store the refresh tokens in web / JS clients.
-That's why you have a possibility to operate only with an access token, and to not pass the refresh to the client at all.
-Session accepts `refresh_by_access_allowed: true` setting, which links the access token to the according refresh token.
+Sometimes it's not secure enough to store the refresh tokens in web / JS clients. \
+That's why you have a possibility to operate only by an access token, and to not pass the refresh to the client at all. \
+Session accepts `refresh_by_access_allowed: true` setting, which links the access token to the according refresh token. \
 Example Rails login controller, which passes an access token token via cookies and renders CSRF.
 
 ```ruby
 class LoginController < ApplicationController
-  include ActionController::Cookies
-
   def create
     user = User.find_by!(email: params[:email])
     if user.authenticate(params[:password])
@@ -392,7 +390,10 @@ class LoginController < ApplicationController
       payload = { user_id: user.id }
       session = JWTSessions::Session.new(payload: payload, refresh_by_access_allowed: true)
       tokens = session.login
-      cookies[JWTSessions.access_cookie] = tokens[:access]
+      response.set_cookie(JWTSessions.access_cookie,
+                          value: tokens[:access],
+                          httponly: true,
+                          secure: Rails.env.production?)
 
       render json: { csrf: tokens[:csrf] }
     else
@@ -405,22 +406,26 @@ end
 The gem provides an ability to refresh the session by access token.
 
 ```ruby
-tokens = session.refresh_by_access(access_token)
+session = JWTSessions::Session.new(payload: payload, refresh_by_access_allowed: true)
+tokens  = session.refresh_by_access_payload
 ```
 
-In case of token forgery and successful refresh performed by an atacker - the original user will have to logout.
-To protect the endpoint use before_action `authorize_refresh_by_access_request!`.
-Example Rails refresh by access controller with cookies as token transport.
+In case of token forgery and successful refresh performed by an atacker - the original user will have to logout. \
+To protect the endpoint use before_action `authorize_refresh_by_access_request!`. \
+Example Rails refresh by access controller with cookies as token transport. \
+As refresh should be performed once the access token is already expired we need to use `claimless_payload` method in order to skip JWT expiration validation (and other claims) so we can proceed.
 
 ```ruby
 class RefreshController < ApplicationController
-  include ActionController::Cookies
   before_action :authorize_refresh_by_access_request!
 
   def create
-    session = JWTSessions::Session.new(payload: payload, refresh_by_access_allowed: true)
-    tokens = session.refresh_by_access(found_token)
-    cookies[JWTSessions.access_cookie] = tokens[:access]
+    session = JWTSessions::Session.new(payload: claimless_payload, refresh_by_access_allowed: true)
+    tokens  = session.refresh_by_access_payload
+    response.set_cookie(JWTSessions.access_cookie,
+                        value: tokens[:access],
+                        httponly: true,
+                        secure: Rails.env.production?)
 
     render json: { csrf: tokens[:csrf] }
   end
@@ -440,7 +445,7 @@ session.refresh(refresh_token) { |refresh_token_uid, access_token_expiration| ..
 
 ## Flush Sessions
 
-Flush session by refresh token. The method returns number of flushed sessions.
+Flush a session by its refresh token. The method returns number of flushed sessions.
 
 ```ruby
 session = JWTSessions::Session.new
@@ -448,6 +453,14 @@ tokens = session.login
 session.flush_by_token(tokens[:refresh]) # => 1
 ```
 
+Flush a session by its access token.
+
+```ruby
+session = JWTSessions::Session.new(refresh_by_access_allowed: true)
+tokens = session.login
+session.flush_by_access_token(tokens[:access]) # => 1
+```
+
 Or by refresh token UID
 
 ```ruby
@@ -476,9 +489,9 @@ JWTSessions::Session.flush_all
 
 ##### Logout
 
-To logout you need to remove both access and refresh tokens from the store.
-Flush sessions methods can be used to perform logout.
-Refresh token or refresh token UID is required to flush a session.
+To logout you need to remove both access and refresh tokens from the store. \
+Flush sessions methods can be used to perform logout. \
+Refresh token or refresh token UID is required to flush a session. \
 To logout with an access token `refresh_by_access_allowed` setting should be set to true on an access token creation. If logout by access token is allowed it's recommended to ignore the expiration claim and to allow to logout with expired access token.
 
 ## Examples

data/lib/jwt_sessions/access_token.rb

@@ -8,7 +8,7 @@ module JWTSessions
       @csrf       = csrf
       @uid        = uid
       @expiration = expiration
-      @payload    = payload
+      @payload    = payload.merge('uid' => uid, 'exp' => expiration.to_i)
       @store      = store
     end
 
@@ -25,7 +25,7 @@ module JWTSessions
     end
 
     def token
-      Token.encode(payload.merge(uid: uid, exp: expiration.to_i))
+      Token.encode(payload)
     end
 
     class << self

data/lib/jwt_sessions/authorization.rb

@@ -27,9 +27,8 @@ module JWTSessions
       rescue Errors::Unauthorized
         cookie_based_auth(:access)
       end
-      # only latest access token can be used for refresh
-      invalid_authorization unless session_exists?(:access)
-      check_csrf(:access)
+
+      invalid_authorization if should_check_csrf? && @_csrf_check && !JWTSessions::Session.new.valid_access_request?(retrieve_csrf, claimless_payload)
     end
 
     private
@@ -103,5 +102,10 @@ module JWTSessions
       claims = respond_to?(:token_claims) ? token_claims : {}
       @_payload ||= Token.decode(found_token, claims).first
     end
+
+    # retrieves tokens payload without JWT claims validation
+    def claimless_payload
+      @_claimless_payload ||= Token.decode!(found_token).first
+    end
   end
 end

data/lib/jwt_sessions/refresh_token.rb

@@ -16,7 +16,7 @@ module JWTSessions
       @uid               = options.fetch(:uid, SecureRandom.uuid)
       @expiration        = options.fetch(:expiration, JWTSessions.refresh_expiration)
       @namespace         = options.fetch(:namespace, nil)
-      @token             = Token.encode(options.fetch(:payload, {}).merge(uid: uid, exp: expiration.to_i))
+      @token             = Token.encode(options.fetch(:payload, {}).merge('uid' => uid, 'exp' => expiration.to_i))
     end
 
     class << self
@@ -33,7 +33,7 @@ module JWTSessions
         end
       end
 
-      def find(uid, store, namespace)
+      def find(uid, store, namespace = nil)
         token_attrs = store.fetch_refresh(uid, namespace)
         raise Errors::Unauthorized, 'Refresh token not found' if token_attrs.empty?
         build_with_token_attrs(store, uid, token_attrs, namespace)
@@ -61,7 +61,7 @@ module JWTSessions
       @csrf              = csrf
       @access_uid        = access_uid
       @access_expiration = access_expiration
-      store.update_refresh(uid, access_uid, access_expiration, csrf, namespace)
+      store.update_refresh(uid, access_expiration, access_uid, csrf, namespace)
     end
 
     def destroy

data/lib/jwt_sessions/session.rb

@@ -50,12 +50,19 @@ module JWTSessions
       refresh_by_uid(&block)
     end
 
-    def refresh_by_access(token, &block)
-      ruid = access_token_ruid(token)
+    def refresh_by_access_payload(&block)
+      raise Errors::InvalidPayload if payload.nil?
+      ruid = retrive_ruid_from(payload)
       retrieve_refresh_token(ruid)
       refresh_by_uid(&block)
     end
 
+    def flush_by_access_payload
+      raise Errors::InvalidPayload if payload.nil?
+      ruid = retrive_ruid_from(payload)
+      flush_by_uid(ruid)
+    end
+
     def flush_by_token(token)
       uid = token_uid(token, :refresh, @refresh_claims)
       flush_by_uid(uid)
@@ -85,6 +92,19 @@ module JWTSessions
       end.count
     end
 
+    def valid_access_request?(external_csrf_token, external_payload)
+      ruid = external_payload.fetch('ruid', nil)
+      uid  = external_payload.fetch('uid', nil)
+      if ruid.nil? || uid.nil?
+        message = 'Token payload is invalid'
+        raise Errors::InvalidPayload, message
+      end
+      refresh_token = RefreshToken.find(ruid, JWTSessions.token_store)
+      return false unless uid == refresh_token.access_uid
+
+      CSRFToken.new(refresh_token.csrf).valid_authenticity_token?(external_csrf_token)
+    end
+
     private
 
     def valid_access_csrf?(access_token, csrf_token)
@@ -133,14 +153,7 @@ module JWTSessions
       uid
     end
 
-    def access_token_ruid(token)
-      token_payload  = JWTSessions::Token.decode(token, @access_claims).first
-
-      # ensure access token exists in the store
-      uid            = token_payload.fetch('uid', nil)
-      data           = store.fetch_access(uid)
-      raise Errors::Unauthorized, 'Access token not found' if data.empty?
-
+    def retrive_ruid_from(token_payload)
       ruid = token_payload.fetch('ruid', nil)
       if ruid.nil?
         message = "Access token payload does not contain refresh uid"
@@ -186,6 +199,7 @@ module JWTSessions
       return unless refresh_by_access_allowed
       @_access.refresh_uid = @_refresh.uid
       @access_token = @_access.token
+      @payload = @_access.payload
     end
 
     def create_csrf_token

data/lib/jwt_sessions/token.rb

@@ -19,6 +19,13 @@ module JWTSessions
         raise Errors::Unauthorized, 'could not decode a token'
       end
 
+      def decode!(token)
+        decode_options = { algorithm: JWTSessions.algorithm }
+        JWT.decode(token, JWTSessions.public_key, false, decode_options)
+      rescue StandardError
+        raise Errors::Unauthorized, 'could not decode a token'
+      end
+
       def meta
         { exp: JWTSessions.access_expiration }
       end

data/lib/jwt_sessions/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JWTSessions
-  VERSION = '1.3.0'
+  VERSION = '2.0.0'
 end

data/test/units/jwt_sessions/test_session.rb

@@ -33,14 +33,54 @@ class TestSession < Minitest::Test
     assert_equal payload[:test], decoded_access['test']
   end
 
-  def test_refresh_by_access
+  def test_refresh_by_access_payload
     session = JWTSessions::Session.new(payload: payload, refresh_by_access_allowed: true)
-    tokens = session.login
-    refreshed_tokens = session.refresh_by_access(tokens[:access])
+    session.login
+    access1 = session.instance_variable_get('@_access')
+    sleep(1)
+    refreshed_tokens = session.refresh_by_access_payload
+    access2 = session.instance_variable_get('@_access')
     decoded_access = JWTSessions::Token.decode(refreshed_tokens[:access]).first
     assert_equal EXPECTED_KEYS, refreshed_tokens.keys.sort
     assert_equal payload[:test], decoded_access['test']
     assert_equal session.instance_variable_get('@_refresh').uid, decoded_access['ruid']
+    assert_equal access2.expiration > access1.expiration, true
+  end
+
+  def test_refresh_by_access_payload_expired
+    JWTSessions.access_exp_time = 0
+    session = JWTSessions::Session.new(payload: payload, refresh_by_access_allowed: true)
+    session.login
+    refreshed_tokens = session.refresh_by_access_payload
+    decoded_access = JWTSessions::Token.decode!(refreshed_tokens[:access]).first
+    JWTSessions.access_exp_time = 3600
+    assert_equal EXPECTED_KEYS, refreshed_tokens.keys.sort
+    assert_equal payload[:test], decoded_access['test']
+    assert_equal session.instance_variable_get('@_refresh').uid, decoded_access['ruid']
+  end
+
+  def test_refresh_by_access_payload_with_block_expired
+    JWTSessions.access_exp_time = 0
+    session = JWTSessions::Session.new(payload: payload, refresh_by_access_allowed: true)
+    session.login
+    refreshed_tokens = session.refresh_by_access_payload do
+      raise JWTSessions::Errors::Unauthorized
+    end
+    decoded_access = JWTSessions::Token.decode!(refreshed_tokens[:access]).first
+    JWTSessions.access_exp_time = 3600
+    assert_equal EXPECTED_KEYS, refreshed_tokens.keys.sort
+    assert_equal payload[:test], decoded_access['test']
+    assert_equal session.instance_variable_get('@_refresh').uid, decoded_access['ruid']
+  end
+
+  def test_refresh_by_access_payload_with_block_not_expired
+    session = JWTSessions::Session.new(payload: payload, refresh_by_access_allowed: true)
+    session.login
+    assert_raises JWTSessions::Errors::Unauthorized do
+      session.refresh_by_access_payload do
+        raise JWTSessions::Errors::Unauthorized
+      end
+    end
   end
 
   def test_refresh_with_block_not_expired
@@ -76,6 +116,19 @@ class TestSession < Minitest::Test
     end
   end
 
+  def test_flush_by_access_token
+    session = JWTSessions::Session.new(payload: payload, refresh_by_access_allowed: true)
+    session.login
+    refresh_token = session.instance_variable_get(:"@_refresh")
+    uid = refresh_token.uid
+
+    session.flush_by_access_payload
+
+    assert_raises JWTSessions::Errors::Unauthorized do
+      JWTSessions::RefreshToken.find(uid, JWTSessions.token_store, nil)
+    end
+  end
+
   def test_flush_by_uid
     refresh_token = @session.instance_variable_get(:"@_refresh")
     uid = refresh_token.uid

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt_sessions
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Yulia Oletskaya
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-15 00:00:00.000000000 Z
+date: 2018-06-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt