jwt_sessions 1.1.0 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: da93c28c622a3bac51b8f30be0190b0a3c79dda7
-  data.tar.gz: 29da1c13c80f4b89572d8f1c3ebe07dd031f775b
+  metadata.gz: a82e7a774b3c7707f9766cab5daaa7931c02575b
+  data.tar.gz: b31598139258b52483ccd593feae380c240d1c24
 SHA512:
-  metadata.gz: 4a21622dd516292d881f87a0b22f140b8dc7c17be838b200cfa7ccbcbb8a1a55a7e7bd075f3ea49982c06811a24fdda721f7625f3b821e4dfeff9583311942a2
-  data.tar.gz: b5897c5ef7e0a3be5db1dcc67df71fd0eb56f4a5f3ee5008782c881b006a34e139be045e6a30e7632f5231bf425c62de3b62b150a9e92895befa522802ef346b
+  metadata.gz: c34675a2622944e5e715302bea401442b335abbaeede9b3f77829cee3e7a1d0d1ecc22dc6874ec23954a50f1b91e110b5ab681b3bed538f8dedc8384f67a20b6
+  data.tar.gz: 1d7fb0b9052c9a1df4610282b1ab39e63b9a35d0fd5b77a5d35f83417ff8d0cd52d489f470a3feecf9ede8cffa568301801ab7e1262316be0c559dcf0e0296cf

data/README.md

@@ -20,6 +20,8 @@ XSS/CSRF safe JWT auth designed for SPA
     + [Expiration time](#expiration-time)
     + [CSRF and cookies](#csrf-and-cookies)
     + [Refresh token hijack protection](#refresh-token-hijack-protection)
+- [Flush Sessions](#flush-sessions)
+    + [Sessions Namespace](#sessions-namespace)
 - [Examples](#examples)
 - [TODO](#todo)
 - [Contributing](#contributing)
@@ -82,7 +84,7 @@ JWTSessions.algorithm = 'HS256'
 JWTSessions.encryption_key = Rails.application.secrets.secret_jwt_encryption_key
 ```
 
-Most of the encryption algorithms require private and public keys to sign a token, yet HMAC only require a single key, so you can use a shortcat `encryotion_key` to sign the token. For other algorithms you must specify a private and public keys separately.
+Most of the encryption algorithms require private and public keys to sign a token, yet HMAC only require a single key, so you can use a shortcat `encryption_key` to sign the token. For other algorithms you must specify a private and public keys separately.
 
 ```ruby
 JWTSessions.algorithm   = 'RS256'
@@ -381,6 +383,42 @@ session = JwtSessions::Session.new(payload: payload)
 session.refresh(refresh_token) { |refresh_token_uid, access_token_expiration| ... }
 ```
 
+## Flush Sessions
+
+Flush session by refresh token. The method returns number of flushed sessions.
+
+```ruby
+session = JWTSessions::Session.new
+tokens = session.login
+session.flush_by_token(tokens[:refresh]) # => 1
+```
+
+Or by refresh token UID
+
+```ruby
+session.flush_by_uid(uid) # => 1
+```
+
+##### Sessions namespace
+
+It's possible to group sessions by custom namespaces
+
+```ruby
+session = JWTSessions::Session.new(namespace: 'account-1')
+```
+
+and selectively flush sessions by namespace
+
+```ruby
+session = JWTSessions::Session.new(namespace: 'ie-sessions')
+session.flush_namespaced # will flush all sessions that belong to the same namespace
+```
+
+To force flush of all app sessions
+```ruby
+JWTSessions::Session.flush_all
+```
+
 ## Examples
 
 [Rails API](test/support/dummy_api) \

data/lib/jwt_sessions.rb

@@ -25,7 +25,6 @@ module JWTSessions
   DEFAULT_SETTINGS_KEYS = %i[access_cookie
                              access_exp_time
                              access_header
-                             algorithm
                              csrf_header
                              redis_db_name
                              redis_host
@@ -74,6 +73,10 @@ module JWTSessions
     @algorithm = algo
   end
 
+  def algorithm
+    @algorithm ||= DEFAULT_ALGORITHM
+  end
+
   def token_store
     RedisTokenStore.instance(redis_host, redis_port, redis_db_name, token_prefix)
   end
@@ -110,7 +113,6 @@ module JWTSessions
     Time.now.to_i + refresh_exp_time.to_i
   end
 
-
   def header_by(token_type)
     send("#{token_type}_header")
   end

data/lib/jwt_sessions/authorization.rb

@@ -16,6 +16,7 @@ module JWTSessions
         end
         # triggers token decode and jwt claim checks
         payload
+        invalid_authorization unless session_exists?(token_type)
         check_csrf(token_type)
       end
     end
@@ -50,6 +51,10 @@ module JWTSessions
       JWTSessions::Session.new.valid_csrf?(found_token, csrf_token, token_type)
     end
 
+    def session_exists?(token_type)
+      JWTSessions::Session.new.session_exists?(found_token, token_type)
+    end
+
     def cookieless_auth(token_type)
       @_csrf_check = false
       @_raw_token = token_from_headers(token_type)

data/lib/jwt_sessions/redis_token_store.rb

@@ -43,26 +43,38 @@ module JWTSessions
       store.expireat(key, expiration)
     end
 
-    def fetch_refresh(uid)
-      keys   = [:csrf, :access_uid, :access_expiration, :expiration]
-      values = store.hmget(refresh_key(uid), *keys).compact
+    def fetch_refresh(uid, namespace)
+      keys   = %i[csrf access_uid access_expiration expiration]
+      values = store.hmget(refresh_key(uid, namespace), *keys).compact
       return {} if values.length != keys.length
-      keys.each_with_index.inject({}) { |acc, (key, index)| acc[key] = values[index]; acc }
+      keys.each_with_index.each_with_object({}) { |(key, index), acc| acc[key] = values[index]; }
     end
 
-    def persist_refresh(uid, access_expiration, access_uid, csrf, expiration)
-      key = refresh_key(uid)
-      update_refresh(uid, access_expiration, access_uid, csrf)
+    def persist_refresh(uid, access_expiration, access_uid, csrf, expiration, namespace = nil)
+      ns = namespace || ''
+      key = refresh_key(uid, ns)
+      update_refresh(uid, access_expiration, access_uid, csrf, ns)
       store.hset(key, :expiration, expiration)
       store.expireat(key, expiration)
     end
 
-    def update_refresh(uid, access_expiration, access_uid, csrf)
-      store.hmset(refresh_key(uid), :csrf, csrf, :access_expiration, access_expiration, :access_uid, access_uid)
+    def update_refresh(uid, access_expiration, access_uid, csrf, namespace = nil)
+      store.hmset(refresh_key(uid, namespace),
+                  :csrf, csrf,
+                  :access_expiration, access_expiration,
+                  :access_uid, access_uid)
     end
 
-    def destroy_refresh(uid)
-      store.del(refresh_key(uid))
+    def all_in_namespace(namespace)
+      keys = store.keys(refresh_key('*', namespace))
+      (keys || []).each_with_object({}) do |key, acc|
+        uid = uid_from_key(key)
+        acc[uid] = fetch_refresh(uid, namespace)
+      end
+    end
+
+    def destroy_refresh(uid, namespace)
+      store.del(refresh_key(uid, namespace))
     end
 
     def destroy_access(uid)
@@ -75,8 +87,21 @@ module JWTSessions
       "#{prefix}_access_#{uid}"
     end
 
-    def refresh_key(uid)
-      "#{prefix}_refresh_#{uid}"
+    def refresh_key(uid, namespace = nil)
+      if namespace
+        "#{prefix}_#{namespace}_refresh_#{uid}"
+      else
+        wildcard_refresh_key(uid)
+      end
+    end
+
+    def wildcard_refresh_key(uid)
+      keys = store.keys(refresh_key(uid, '*')) || []
+      keys.first
+    end
+
+    def uid_from_key(key)
+      key.split('_').last
     end
   end
 end

data/lib/jwt_sessions/refresh_token.rb

@@ -2,39 +2,58 @@
 
 module JWTSessions
   class RefreshToken
-    attr_reader :expiration, :uid, :token, :csrf, :access_uid, :access_expiration, :store
+    attr_reader :expiration, :uid, :token, :csrf, :access_uid, :access_expiration, :store, :namespace
 
-    def initialize(csrf, access_uid, access_expiration, store, payload = {}, uid = SecureRandom.uuid, expiration = JWTSessions.refresh_expiration)
+    def initialize(csrf,
+                   access_uid,
+                   access_expiration,
+                   store,
+                   options = {})
       @csrf              = csrf
       @access_uid        = access_uid
       @access_expiration = access_expiration
-      @uid               = uid
-      @expiration        = expiration
       @store             = store
-      @token             = Token.encode(payload.merge(uid: uid, exp: expiration.to_i))
+      @uid               = options.fetch(:uid, SecureRandom.uuid)
+      @expiration        = options.fetch(:expiration, JWTSessions.refresh_expiration)
+      @namespace         = options.fetch(:namespace, nil)
+      @token             = Token.encode(options.fetch(:payload, {}).merge(uid: uid, exp: expiration.to_i))
     end
 
     class << self
-      def create(csrf, access_uid, access_expiration, store, payload)
-        inst = new(csrf, access_uid, access_expiration, store, payload)
+      def create(csrf, access_uid, access_expiration, store, payload, namespace)
+        inst = new(csrf, access_uid, access_expiration, store, payload: payload, namespace: namespace)
         inst.send(:persist_in_store)
         inst
       end
 
-      def find(uid, store)
-        token_attrs = store.fetch_refresh(uid)
+      def all(namespace, store)
+        tokens = store.all_in_namespace(namespace)
+        tokens.map do |uid, token_attrs|
+          build_with_token_attrs(store, uid, token_attrs, namespace)
+        end
+      end
+
+      def find(uid, store, namespace)
+        token_attrs = store.fetch_refresh(uid, namespace)
         raise Errors::Unauthorized, 'Refresh token not found' if token_attrs.empty?
+        build_with_token_attrs(store, uid, token_attrs, namespace)
+      end
+
+      def destroy(uid, store, namespace)
+        store.destroy_refresh(uid, namespace)
+      end
+
+      private
+
+      def build_with_token_attrs(store, uid, token_attrs, namespace)
         new(token_attrs[:csrf],
             token_attrs[:access_uid],
             token_attrs[:access_expiration],
             store,
-            {},
-            uid,
-            token_attrs[:expiration])
-      end
-
-      def destroy(uid, store)
-        store.destroy_refresh(uid)
+            namespace: namespace,
+            payload: {},
+            uid: uid,
+            expiration: token_attrs[:expiration])
       end
     end
 
@@ -42,17 +61,17 @@ module JWTSessions
       @csrf              = csrf
       @access_uid        = access_uid
       @access_expiration = access_expiration
-      store.update_refresh(uid, access_uid, access_expiration, csrf)
+      store.update_refresh(uid, access_uid, access_expiration, csrf, namespace)
     end
 
     def destroy
-      store.destroy_refresh(uid)
+      store.destroy_refresh(uid, namespace)
     end
 
     private
 
     def persist_in_store
-      store.persist_refresh(uid, access_expiration, access_uid, csrf, expiration)
+      store.persist_refresh(uid, access_expiration, access_uid, csrf, expiration, namespace)
     end
   end
 end

data/lib/jwt_sessions/session.rb

@@ -3,7 +3,7 @@
 module JWTSessions
   class Session
     attr_reader :access_token, :refresh_token, :csrf_token
-    attr_accessor :payload, :store, :refresh_payload
+    attr_accessor :payload, :store, :refresh_payload, :namespace
 
     def initialize(options = {})
       @store           = options.fetch(:store, JWTSessions.token_store)
@@ -11,6 +11,7 @@ module JWTSessions
       @payload         = options.fetch(:payload, {})
       @access_claims   = options.fetch(:access_claims, {})
       @refresh_claims  = options.fetch(:refresh_claims, {})
+      @namespace       = options.fetch(:namespace, nil)
     end
 
     def login
@@ -25,6 +26,13 @@ module JWTSessions
       send(:"valid_#{token_type}_csrf?", token, csrf_token)
     end
 
+    def session_exists?(token, token_type = :access)
+      send(:"#{token_type}_token_data", token)
+      true
+    rescue Errors::Unauthorized
+      false
+    end
+
     def masked_csrf(access_token)
       csrf(access_token).token
     end
@@ -34,6 +42,35 @@ module JWTSessions
       refresh_by_uid(&block)
     end
 
+    def flush_by_token(token)
+      uid = token_uid(token, :refresh, @refresh_claims)
+      flush_by_uid(uid)
+    end
+
+    def flush_by_uid(uid)
+      token = retrieve_refresh_token(uid)
+
+      AccessToken.destroy(token.access_uid, store)
+      token.destroy
+    end
+
+    def flush_namespaced
+      return 0 unless namespace
+      tokens = RefreshToken.all(namespace, store)
+      tokens.each do |token|
+        AccessToken.destroy(token.access_uid, store)
+        token.destroy
+      end.count
+    end
+
+    def self.flush_all(store = JWTSessions.token_store)
+      tokens = RefreshToken.all(nil, store)
+      tokens.each do |token|
+        AccessToken.destroy(token.access_uid, store)
+        token.destroy
+      end.count
+    end
+
     private
 
     def valid_access_csrf?(access_token, csrf_token)
@@ -52,7 +89,6 @@ module JWTSessions
 
     def csrf(access_token)
       token_data = access_token_data(access_token)
-      raise Errors::Unauthorized, 'Access token not found' if token_data.empty?
       CSRFToken.new(token_data[:csrf])
     end
 
@@ -63,7 +99,9 @@ module JWTSessions
 
     def access_token_data(token)
       uid = token_uid(token, :access, @access_claims)
-      store.fetch_access(uid)
+      data = store.fetch_access(uid)
+      raise Errors::Unauthorized, 'Access token not found' if data.empty?
+      data
     end
 
     def refresh_token_data(token)
@@ -82,15 +120,17 @@ module JWTSessions
     end
 
     def retrieve_refresh_token(uid)
-      @_refresh = RefreshToken.find(uid, store)
+      @_refresh = RefreshToken.find(uid, store, namespace)
     end
 
     def tokens_hash
-      { csrf: csrf_token,
+      {
+        csrf: csrf_token,
         access: access_token,
         access_expires_at: Time.at(@_access.expiration.to_i),
         refresh: refresh_token,
-        refresh_expires_at: Time.at(@_refresh.expiration.to_i) }
+        refresh_expires_at: Time.at(@_refresh.expiration.to_i)
+      }
     end
 
     def check_refresh_on_time
@@ -121,7 +161,8 @@ module JWTSessions
                                       @_access.uid,
                                       @_access.expiration,
                                       store,
-                                      @refresh_payload)
+                                      refresh_payload,
+                                      namespace)
       @refresh_token = @_refresh.token
     end
 

data/lib/jwt_sessions/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JWTSessions
-  VERSION = '1.1.0'
+  VERSION = '1.2.0'
 end

data/test/units/jwt_sessions/test_refresh_token.rb

@@ -14,7 +14,8 @@ class TestRefreshToken < Minitest::Test
                                              @access_uid,
                                              JWTSessions.access_expiration - 5,
                                              JWTSessions.token_store,
-                                             {})
+                                             {},
+                                             nil)
   end
 
   def test_update
@@ -27,15 +28,15 @@ class TestRefreshToken < Minitest::Test
   end
 
   def test_find
-    found_token = JWTSessions::RefreshToken.find(token.uid, JWTSessions.token_store)
+    found_token = JWTSessions::RefreshToken.find(token.uid, JWTSessions.token_store, nil)
     assert_equal found_token.access_uid, token.access_uid
     token.destroy
   end
 
   def test_destroy
-    JWTSessions::RefreshToken.destroy(token.uid, JWTSessions.token_store)
+    JWTSessions::RefreshToken.destroy(token.uid, JWTSessions.token_store, nil)
     assert_raises JWTSessions::Errors::Unauthorized do
-      JWTSessions::RefreshToken.find(token.uid, JWTSessions.token_store)
+      JWTSessions::RefreshToken.find(token.uid, JWTSessions.token_store, nil)
     end
   end
 end

data/test/units/jwt_sessions/test_session.rb

@@ -14,6 +14,12 @@ class TestSession < Minitest::Test
     @tokens = session.login
   end
 
+  def teardown
+    redis = Redis.new
+    keys = redis.keys('jwt_*')
+    keys.each { |k| redis.del(k) }
+  end
+
   def test_login
     decoded_access = JWTSessions::Token.decode(tokens[:access]).first
     assert_equal EXPECTED_KEYS, tokens.keys.sort
@@ -47,4 +53,62 @@ class TestSession < Minitest::Test
     assert_equal EXPECTED_KEYS, refreshed_tokens.keys.sort
     assert_equal payload[:test], decoded_access['test']
   end
+
+  def test_flush_by_token
+    refresh_token = @session.instance_variable_get(:"@_refresh")
+    uid = refresh_token.uid
+    assert_equal refresh_token.token, JWTSessions::RefreshToken.find(uid, JWTSessions.token_store, nil).token
+
+    @session.flush_by_token(refresh_token.token)
+
+    assert_raises JWTSessions::Errors::Unauthorized do
+      JWTSessions::RefreshToken.find(uid, JWTSessions.token_store, nil)
+    end
+  end
+
+  def test_flush_by_uid
+    refresh_token = @session.instance_variable_get(:"@_refresh")
+    uid = refresh_token.uid
+
+    @session.flush_by_uid(uid)
+
+    assert_raises JWTSessions::Errors::Unauthorized do
+      JWTSessions::RefreshToken.find(uid, JWTSessions.token_store, nil)
+    end
+  end
+
+  def test_flush_namespaced
+    namespace = 'test_namespace'
+    @session1 = JWTSessions::Session.new(payload: payload, namespace: namespace)
+    @session2 = JWTSessions::Session.new(payload: payload, namespace: namespace)
+    @session1.login
+    @session2.login
+
+    flushed_count = @session1.flush_namespaced
+
+    assert_equal 2, flushed_count
+    assert_raises JWTSessions::Errors::Unauthorized do
+      refresh_token = @session1.instance_variable_get(:"@_refresh")
+      JWTSessions::RefreshToken.find(refresh_token.uid, JWTSessions.token_store, nil)
+    end
+
+    assert_raises JWTSessions::Errors::Unauthorized do
+      refresh_token = @session2.instance_variable_get(:"@_refresh")
+      JWTSessions::RefreshToken.find(refresh_token.uid, JWTSessions.token_store, nil)
+    end
+
+    refresh_token = @session.instance_variable_get(:"@_refresh")
+    flushed_count = @session.flush_namespaced
+    assert_equal 0, flushed_count
+    assert_equal refresh_token.token, JWTSessions::RefreshToken.find(refresh_token.uid, JWTSessions.token_store, nil).token
+  end
+
+  def test_flush_all
+    refresh_token = @session.instance_variable_get(:"@_refresh")
+    flushed_count = JWTSessions::Session.flush_all
+    assert_equal 1, flushed_count
+    assert_raises JWTSessions::Errors::Unauthorized do
+      JWTSessions::RefreshToken.find(refresh_token.uid, JWTSessions.token_store, nil).token
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt_sessions
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.0
 platform: ruby
 authors:
 - Yulia Oletskaya
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-04-21 00:00:00.000000000 Z
+date: 2018-04-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt