jwt_sessions 3.1.1 → 3.2.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +12 -0
- data/README.md +5 -5
- data/lib/jwt_sessions/authorization.rb +21 -7
- data/lib/jwt_sessions/version.rb +1 -1
- data/test/units/jwt_sessions/test_authorization.rb +26 -0
- metadata +4 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6c854c98d87a1ae3683d7da2b348b1a69c68eb5cdb3a0d2f4c4620d3d68d8cd8
|
4
|
+
data.tar.gz: '08f6cd7403c177ede2a978b84d1a8e6af20fd2ce456862232db0c2ce037c8f0d'
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: f88e79937c85b711097691a4fcedfc525ea3ea862468d36caaab80753b259e30e551ac3a4e8c5d2bef675468320b39eaf7c496ddc44c0b0b88e30b6d4036d6a3
|
7
|
+
data.tar.gz: db343e3b2bc0a9a8946d74dda1887495c99cae8c60a4c7a83a229c24c7a4b79fcd4fb3a2eaeef5cd0f02e049dda4a7970c4028542524cf818a662da8a55387bd
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,15 @@
|
|
1
|
+
## 3.2.1 (September 11, 2023)
|
2
|
+
|
3
|
+
Support:
|
4
|
+
|
5
|
+
- switched the positions of #should_check_csrf? and @_csrf_check in the code logic for the sake of minor perf improvement.
|
6
|
+
|
7
|
+
## 3.2.0 (June 20, 2023)
|
8
|
+
|
9
|
+
Features:
|
10
|
+
|
11
|
+
- payload can be accessed without auth - it's going to be resolved into an empty hash.
|
12
|
+
|
1
13
|
## 3.1.1 (May 6, 2023)
|
2
14
|
|
3
15
|
Bugfixes:
|
data/README.md
CHANGED
@@ -119,7 +119,7 @@ Available `JWTSessions::Session.new` options:
|
|
119
119
|
|
120
120
|
- **payload**: a hash object with session data which will be included into an access token payload. Default is an empty hash.
|
121
121
|
- **refresh_payload**: a hash object with session data which will be included into a refresh token payload. Default is the value of the access payload.
|
122
|
-
- **access_claims**: a hash object with [JWT claims](https://github.com/jwt/ruby-jwt#support-for-reserved-claim-names) which will be validated within the access token payload. For example, `{
|
122
|
+
- **access_claims**: a hash object with [JWT claims](https://github.com/jwt/ruby-jwt#support-for-reserved-claim-names) which will be validated within the access token payload. For example, `JWTSessions::Session.new(payload: { user_id: 1, aud: ['admin'], verify_aud: true })` means that the token can be used only by "admin" audience. Also, the endpoint can automatically validate claims instead. See `token_claims` method.
|
123
123
|
- **refresh_claims**: a hash object with [JWT claims](https://github.com/jwt/ruby-jwt#support-for-reserved-claim-names) which will be validated within the refresh token payload.
|
124
124
|
- **namespace**: a string object which helps to group sessions by a custom criteria. For example, sessions can be grouped by user ID, making it possible to logout the user from all devices. More info [Sessions Namespace](#sessions-namespace).
|
125
125
|
- **refresh_by_access_allowed**: a boolean value. Default is false. It links access and refresh tokens (adds refresh token ID to access payload), making it possible to perform a session refresh by the last expired access token. See [Refresh with access token](#refresh-with-access-token).
|
@@ -131,7 +131,7 @@ Helper methods within `Authorization` mixin:
|
|
131
131
|
- **authorize_access_request!**: validates access token within the request.
|
132
132
|
- **authorize_refresh_request!**: validates refresh token within the request.
|
133
133
|
- **found_token**: a raw token found within the request.
|
134
|
-
- **payload**: a decoded token's payload.
|
134
|
+
- **payload**: a decoded token's payload. Returns an empty hash in case the token is absent in the request headers/cookies.
|
135
135
|
- **claimless_payload**: a decoded token's payload without claims validation (can be used for checking data of an expired token).
|
136
136
|
- **token_claims**: the method should be defined by a developer and is expected to return a hash-like object with claims to be validated within a token's payload.
|
137
137
|
|
@@ -426,9 +426,9 @@ class UsersController < ApplicationController
|
|
426
426
|
|
427
427
|
def token_claims
|
428
428
|
{
|
429
|
-
|
430
|
-
|
431
|
-
|
429
|
+
aud: ["admin", "staff"],
|
430
|
+
verify_aud: true, # can be used locally instead of a global setting
|
431
|
+
exp_leeway: 15 # will be used instead of default leeway only for exp claim
|
432
432
|
}
|
433
433
|
end
|
434
434
|
end
|
@@ -55,11 +55,11 @@ module JWTSessions
|
|
55
55
|
end
|
56
56
|
|
57
57
|
def refresh_by_access_invalid?
|
58
|
-
|
58
|
+
@_csrf_check && should_check_csrf? && !JWTSessions::Session.new.valid_access_request?(retrieve_csrf, claimless_payload)
|
59
59
|
end
|
60
60
|
|
61
61
|
def check_csrf(token_type)
|
62
|
-
invalid_authorization if
|
62
|
+
invalid_authorization if @_csrf_check && should_check_csrf? && !valid_csrf_token?(retrieve_csrf, token_type)
|
63
63
|
end
|
64
64
|
|
65
65
|
def should_check_csrf?
|
@@ -102,16 +102,18 @@ module JWTSessions
|
|
102
102
|
token
|
103
103
|
end
|
104
104
|
|
105
|
-
def token_from_headers(token_type)
|
105
|
+
def token_from_headers(token_type, required: true)
|
106
106
|
raw_token = request_headers[JWTSessions.header_by(token_type)] || ""
|
107
107
|
token = raw_token.split(" ")[-1]
|
108
|
-
raise Errors::Unauthorized, "Token is not found"
|
108
|
+
raise Errors::Unauthorized, "Token is not found" if !token && required
|
109
|
+
|
109
110
|
token
|
110
111
|
end
|
111
112
|
|
112
|
-
def token_from_cookies(token_type)
|
113
|
+
def token_from_cookies(token_type, required: true)
|
113
114
|
token = request_cookies[JWTSessions.cookie_by(token_type)]
|
114
|
-
raise Errors::Unauthorized, "Token is not found"
|
115
|
+
raise Errors::Unauthorized, "Token is not found" if !token && required
|
116
|
+
|
115
117
|
token
|
116
118
|
end
|
117
119
|
|
@@ -119,9 +121,21 @@ module JWTSessions
|
|
119
121
|
@_raw_token
|
120
122
|
end
|
121
123
|
|
124
|
+
def fetch_access_token
|
125
|
+
if respond_to?(:request_headers)
|
126
|
+
token = token_from_headers(:access, required: false)
|
127
|
+
return token if token
|
128
|
+
end
|
129
|
+
|
130
|
+
token_from_cookies(:access, required: false) if respond_to?(:request_cookies)
|
131
|
+
end
|
132
|
+
|
122
133
|
def payload
|
134
|
+
return @_payload if defined? @_payload
|
135
|
+
|
123
136
|
claims = respond_to?(:token_claims) ? token_claims : {}
|
124
|
-
|
137
|
+
token = found_token || fetch_access_token
|
138
|
+
@_payload = token ? Token.decode(token, claims).first : {}
|
125
139
|
end
|
126
140
|
|
127
141
|
# retrieves tokens payload without JWT claims validation
|
data/lib/jwt_sessions/version.rb
CHANGED
@@ -0,0 +1,26 @@
|
|
1
|
+
# frozen_string_literal: true
|
2
|
+
|
3
|
+
require "minitest/autorun"
|
4
|
+
require "jwt_sessions"
|
5
|
+
|
6
|
+
class TestAuthorization < Minitest::Test
|
7
|
+
include JWTSessions::Authorization
|
8
|
+
|
9
|
+
def setup
|
10
|
+
JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
|
11
|
+
end
|
12
|
+
|
13
|
+
def test_payload_when_token_is_nil
|
14
|
+
@_raw_token = nil
|
15
|
+
|
16
|
+
assert_equal payload, {}
|
17
|
+
end
|
18
|
+
|
19
|
+
def test_payload_when_token_is_present
|
20
|
+
@_raw_token =
|
21
|
+
JWTSessions::Token.encode({ "user_id" => 1, "secret" => "mystery" })
|
22
|
+
|
23
|
+
assert_equal payload['user_id'], 1
|
24
|
+
assert_equal payload['secret'], 'mystery'
|
25
|
+
end
|
26
|
+
end
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: jwt_sessions
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.
|
4
|
+
version: 3.2.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Julija Alieckaja
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-
|
11
|
+
date: 2023-09-11 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: jwt
|
@@ -98,6 +98,7 @@ files:
|
|
98
98
|
- test/units/jwt_sessions/store_adapters/test_memory_store_adapter.rb
|
99
99
|
- test/units/jwt_sessions/store_adapters/test_redis_store_adapter.rb
|
100
100
|
- test/units/jwt_sessions/test_access_token.rb
|
101
|
+
- test/units/jwt_sessions/test_authorization.rb
|
101
102
|
- test/units/jwt_sessions/test_csrf_token.rb
|
102
103
|
- test/units/jwt_sessions/test_refresh_token.rb
|
103
104
|
- test/units/jwt_sessions/test_session.rb
|
@@ -137,6 +138,7 @@ test_files:
|
|
137
138
|
- test/units/jwt_sessions/store_adapters/test_memory_store_adapter.rb
|
138
139
|
- test/units/jwt_sessions/store_adapters/test_redis_store_adapter.rb
|
139
140
|
- test/units/jwt_sessions/test_access_token.rb
|
141
|
+
- test/units/jwt_sessions/test_authorization.rb
|
140
142
|
- test/units/jwt_sessions/test_csrf_token.rb
|
141
143
|
- test/units/jwt_sessions/test_refresh_token.rb
|
142
144
|
- test/units/jwt_sessions/test_session.rb
|