jwt_sessions 3.1.1 → 3.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -0
- data/README.md +5 -5
- data/lib/jwt_sessions/authorization.rb +21 -7
- data/lib/jwt_sessions/version.rb +1 -1
- data/test/units/jwt_sessions/test_authorization.rb +26 -0
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 6c854c98d87a1ae3683d7da2b348b1a69c68eb5cdb3a0d2f4c4620d3d68d8cd8
|
|
4
|
+
data.tar.gz: '08f6cd7403c177ede2a978b84d1a8e6af20fd2ce456862232db0c2ce037c8f0d'
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f88e79937c85b711097691a4fcedfc525ea3ea862468d36caaab80753b259e30e551ac3a4e8c5d2bef675468320b39eaf7c496ddc44c0b0b88e30b6d4036d6a3
|
|
7
|
+
data.tar.gz: db343e3b2bc0a9a8946d74dda1887495c99cae8c60a4c7a83a229c24c7a4b79fcd4fb3a2eaeef5cd0f02e049dda4a7970c4028542524cf818a662da8a55387bd
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,15 @@
|
|
|
1
|
+
## 3.2.1 (September 11, 2023)
|
|
2
|
+
|
|
3
|
+
Support:
|
|
4
|
+
|
|
5
|
+
- switched the positions of #should_check_csrf? and @_csrf_check in the code logic for the sake of minor perf improvement.
|
|
6
|
+
|
|
7
|
+
## 3.2.0 (June 20, 2023)
|
|
8
|
+
|
|
9
|
+
Features:
|
|
10
|
+
|
|
11
|
+
- payload can be accessed without auth - it's going to be resolved into an empty hash.
|
|
12
|
+
|
|
1
13
|
## 3.1.1 (May 6, 2023)
|
|
2
14
|
|
|
3
15
|
Bugfixes:
|
data/README.md
CHANGED
|
@@ -119,7 +119,7 @@ Available `JWTSessions::Session.new` options:
|
|
|
119
119
|
|
|
120
120
|
- **payload**: a hash object with session data which will be included into an access token payload. Default is an empty hash.
|
|
121
121
|
- **refresh_payload**: a hash object with session data which will be included into a refresh token payload. Default is the value of the access payload.
|
|
122
|
-
- **access_claims**: a hash object with [JWT claims](https://github.com/jwt/ruby-jwt#support-for-reserved-claim-names) which will be validated within the access token payload. For example, `{
|
|
122
|
+
- **access_claims**: a hash object with [JWT claims](https://github.com/jwt/ruby-jwt#support-for-reserved-claim-names) which will be validated within the access token payload. For example, `JWTSessions::Session.new(payload: { user_id: 1, aud: ['admin'], verify_aud: true })` means that the token can be used only by "admin" audience. Also, the endpoint can automatically validate claims instead. See `token_claims` method.
|
|
123
123
|
- **refresh_claims**: a hash object with [JWT claims](https://github.com/jwt/ruby-jwt#support-for-reserved-claim-names) which will be validated within the refresh token payload.
|
|
124
124
|
- **namespace**: a string object which helps to group sessions by a custom criteria. For example, sessions can be grouped by user ID, making it possible to logout the user from all devices. More info [Sessions Namespace](#sessions-namespace).
|
|
125
125
|
- **refresh_by_access_allowed**: a boolean value. Default is false. It links access and refresh tokens (adds refresh token ID to access payload), making it possible to perform a session refresh by the last expired access token. See [Refresh with access token](#refresh-with-access-token).
|
|
@@ -131,7 +131,7 @@ Helper methods within `Authorization` mixin:
|
|
|
131
131
|
- **authorize_access_request!**: validates access token within the request.
|
|
132
132
|
- **authorize_refresh_request!**: validates refresh token within the request.
|
|
133
133
|
- **found_token**: a raw token found within the request.
|
|
134
|
-
- **payload**: a decoded token's payload.
|
|
134
|
+
- **payload**: a decoded token's payload. Returns an empty hash in case the token is absent in the request headers/cookies.
|
|
135
135
|
- **claimless_payload**: a decoded token's payload without claims validation (can be used for checking data of an expired token).
|
|
136
136
|
- **token_claims**: the method should be defined by a developer and is expected to return a hash-like object with claims to be validated within a token's payload.
|
|
137
137
|
|
|
@@ -426,9 +426,9 @@ class UsersController < ApplicationController
|
|
|
426
426
|
|
|
427
427
|
def token_claims
|
|
428
428
|
{
|
|
429
|
-
|
|
430
|
-
|
|
431
|
-
|
|
429
|
+
aud: ["admin", "staff"],
|
|
430
|
+
verify_aud: true, # can be used locally instead of a global setting
|
|
431
|
+
exp_leeway: 15 # will be used instead of default leeway only for exp claim
|
|
432
432
|
}
|
|
433
433
|
end
|
|
434
434
|
end
|
|
@@ -55,11 +55,11 @@ module JWTSessions
|
|
|
55
55
|
end
|
|
56
56
|
|
|
57
57
|
def refresh_by_access_invalid?
|
|
58
|
-
|
|
58
|
+
@_csrf_check && should_check_csrf? && !JWTSessions::Session.new.valid_access_request?(retrieve_csrf, claimless_payload)
|
|
59
59
|
end
|
|
60
60
|
|
|
61
61
|
def check_csrf(token_type)
|
|
62
|
-
invalid_authorization if
|
|
62
|
+
invalid_authorization if @_csrf_check && should_check_csrf? && !valid_csrf_token?(retrieve_csrf, token_type)
|
|
63
63
|
end
|
|
64
64
|
|
|
65
65
|
def should_check_csrf?
|
|
@@ -102,16 +102,18 @@ module JWTSessions
|
|
|
102
102
|
token
|
|
103
103
|
end
|
|
104
104
|
|
|
105
|
-
def token_from_headers(token_type)
|
|
105
|
+
def token_from_headers(token_type, required: true)
|
|
106
106
|
raw_token = request_headers[JWTSessions.header_by(token_type)] || ""
|
|
107
107
|
token = raw_token.split(" ")[-1]
|
|
108
|
-
raise Errors::Unauthorized, "Token is not found"
|
|
108
|
+
raise Errors::Unauthorized, "Token is not found" if !token && required
|
|
109
|
+
|
|
109
110
|
token
|
|
110
111
|
end
|
|
111
112
|
|
|
112
|
-
def token_from_cookies(token_type)
|
|
113
|
+
def token_from_cookies(token_type, required: true)
|
|
113
114
|
token = request_cookies[JWTSessions.cookie_by(token_type)]
|
|
114
|
-
raise Errors::Unauthorized, "Token is not found"
|
|
115
|
+
raise Errors::Unauthorized, "Token is not found" if !token && required
|
|
116
|
+
|
|
115
117
|
token
|
|
116
118
|
end
|
|
117
119
|
|
|
@@ -119,9 +121,21 @@ module JWTSessions
|
|
|
119
121
|
@_raw_token
|
|
120
122
|
end
|
|
121
123
|
|
|
124
|
+
def fetch_access_token
|
|
125
|
+
if respond_to?(:request_headers)
|
|
126
|
+
token = token_from_headers(:access, required: false)
|
|
127
|
+
return token if token
|
|
128
|
+
end
|
|
129
|
+
|
|
130
|
+
token_from_cookies(:access, required: false) if respond_to?(:request_cookies)
|
|
131
|
+
end
|
|
132
|
+
|
|
122
133
|
def payload
|
|
134
|
+
return @_payload if defined? @_payload
|
|
135
|
+
|
|
123
136
|
claims = respond_to?(:token_claims) ? token_claims : {}
|
|
124
|
-
|
|
137
|
+
token = found_token || fetch_access_token
|
|
138
|
+
@_payload = token ? Token.decode(token, claims).first : {}
|
|
125
139
|
end
|
|
126
140
|
|
|
127
141
|
# retrieves tokens payload without JWT claims validation
|
data/lib/jwt_sessions/version.rb
CHANGED
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require "minitest/autorun"
|
|
4
|
+
require "jwt_sessions"
|
|
5
|
+
|
|
6
|
+
class TestAuthorization < Minitest::Test
|
|
7
|
+
include JWTSessions::Authorization
|
|
8
|
+
|
|
9
|
+
def setup
|
|
10
|
+
JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def test_payload_when_token_is_nil
|
|
14
|
+
@_raw_token = nil
|
|
15
|
+
|
|
16
|
+
assert_equal payload, {}
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def test_payload_when_token_is_present
|
|
20
|
+
@_raw_token =
|
|
21
|
+
JWTSessions::Token.encode({ "user_id" => 1, "secret" => "mystery" })
|
|
22
|
+
|
|
23
|
+
assert_equal payload['user_id'], 1
|
|
24
|
+
assert_equal payload['secret'], 'mystery'
|
|
25
|
+
end
|
|
26
|
+
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: jwt_sessions
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.2.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Julija Alieckaja
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2023-
|
|
11
|
+
date: 2023-09-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: jwt
|
|
@@ -98,6 +98,7 @@ files:
|
|
|
98
98
|
- test/units/jwt_sessions/store_adapters/test_memory_store_adapter.rb
|
|
99
99
|
- test/units/jwt_sessions/store_adapters/test_redis_store_adapter.rb
|
|
100
100
|
- test/units/jwt_sessions/test_access_token.rb
|
|
101
|
+
- test/units/jwt_sessions/test_authorization.rb
|
|
101
102
|
- test/units/jwt_sessions/test_csrf_token.rb
|
|
102
103
|
- test/units/jwt_sessions/test_refresh_token.rb
|
|
103
104
|
- test/units/jwt_sessions/test_session.rb
|
|
@@ -137,6 +138,7 @@ test_files:
|
|
|
137
138
|
- test/units/jwt_sessions/store_adapters/test_memory_store_adapter.rb
|
|
138
139
|
- test/units/jwt_sessions/store_adapters/test_redis_store_adapter.rb
|
|
139
140
|
- test/units/jwt_sessions/test_access_token.rb
|
|
141
|
+
- test/units/jwt_sessions/test_authorization.rb
|
|
140
142
|
- test/units/jwt_sessions/test_csrf_token.rb
|
|
141
143
|
- test/units/jwt_sessions/test_refresh_token.rb
|
|
142
144
|
- test/units/jwt_sessions/test_session.rb
|