jwt_sessions 2.4.3 → 2.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: dfe0f1d0591603e0e98e783a50887e647460b880
-  data.tar.gz: 6ddf78aa6c589ec6f51a775d81d033dbd8d69d59
+SHA256:
+  metadata.gz: cb5fdf14070b5d76ee868b427684fba6797cada31600e28b3346c601d7a3079e
+  data.tar.gz: fb709c41d45a11ea6e5b2d93f991326c0ddd4a562995dc837099af138b86ee08
 SHA512:
-  metadata.gz: 8bfeb3ae48e6d3689bfc34cf02ac92e4d16be9f1a0c56562f4a598432600e7e6ffd9281e8ba6a20053bb6737ca26017e2b9ad8b6b1250b0268850a310bdfe2eb
-  data.tar.gz: 1977d53805eba13b7da95dc1b8ff767ef8764c130be49d1a476e791ac95fa56a7de1dfa77eafd9646674835c995b593aaaa62a74d1e7e3f0143e4e81b8c21300
+  metadata.gz: 742c465fe4f58ca7327cc1257b98e21f658e891c12e5637bde92c8ca48010a284db43ec8af0ff53454f6642927a1de1cb2b5473619d7c5ecdaba706fba6e4527
+  data.tar.gz: 6247a76e67522e23211a6a6791312d6c50b06598b34743a92f7c32ec841a75928a6eae08d17fc3968fb9cff3ec886efcf7e0a19fe7bea9291dc7b0560fd0a658

data/README.md

@@ -15,10 +15,11 @@ XSS/CSRF safe JWT auth designed for SPA
     - [Rails integration](#rails-integration)
     - [Non-Rails usage](#non-rails-usage)
   - [Configuration](#configuration)
-        - [Token store](#token-store)
-        - [JWT signature](#jwt-signature)
-        - [Request headers and cookies names](#request-headers-and-cookies-names)
-        - [Expiration time](#expiration-time)
+      - [Token store](#token-store)
+      - [JWT signature](#jwt-signature)
+      - [Request headers and cookies names](#request-headers-and-cookies-names)
+      - [Expiration time](#expiration-time)
+      - [Exceptions](#exceptions)
       - [CSRF and cookies](#csrf-and-cookies)
         - [Refresh with access token](#refresh-with-access-token)
       - [Refresh token hijack protection](#refresh-token-hijack-protection)
@@ -441,6 +442,15 @@ JWTSessions.refresh_exp_time = 604800 # 1 week in seconds
 
 It is defined globally, but can be overridden on a session level. See `JWTSessions::Session.new` options for more info.
 
+##### Exceptions
+
+`JWTSessions::Errors::Error` - base class, all possible exceptions are inhereted from it. \
+`JWTSessions::Errors::Malconfigured` - some required gem settings are empty, or methods are not implemented. \
+`JWTSessions::Errors::InvalidPayload` - token's payload doesn't contain required keys or they are invalid. \
+`JWTSessions::Errors::Unauthorized` - token can't be decoded or JWT claims are invalid. \
+`JWTSessions::Errors::ClaimsVerification` - JWT claims are invalid (inherited from `JWTSessions::Errors::Unauthorized`). \
+`JWTSessions::Errors::Expired` - token is expired (inherited from `JWTSessions::Errors::Unauthorized`).
+
 #### CSRF and cookies
 
 When you use cookies as your tokens transport it becomes vulnerable to CSRF. That is why both the login and refresh methods of the `Session` class produce CSRF tokens for you. `Authorization` mixin expects that this token is sent with all requests except GET and HEAD in a header specified among this gem's settings (`X-CSRF-Token` by default). Verification will be done automatically and the `Authorization` exception will be raised in case of a mismatch between the token from the header and the one stored in the session. \
@@ -455,7 +465,7 @@ session.masked_csrf(access_token)
 
 Sometimes it is not secure enough to store the refresh tokens in web / JS clients. \
 This is why you have the option to only use an access token and to not pass the refresh token to the client at all. \
-Session accepts `refresh_by_access_allowed: true` setting, which links the access token to the corresponding refresh token. \
+Session accepts `refresh_by_access_allowed: true` setting, which links the access token to the corresponding refresh token.
 
 Example Rails login controller, which passes an access token token via cookies and renders CSRF:
 
@@ -490,7 +500,18 @@ tokens  = session.refresh_by_access_payload
 
 In case of token forgery and successful refresh performed by an attacker the original user will have to logout. \
 To protect the endpoint use the before_action `authorize_refresh_by_access_request!`. \
-Refresh should be performed once the access token is already expired and we need to use the `claimless_payload` method in order to skip JWT expiration validation (and other claims) in order to proceed. \
+Refresh should be performed once the access token is already expired and we need to use the `claimless_payload` method in order to skip JWT expiration validation (and other claims) in order to proceed.
+
+Optionally `refresh_by_access_payload` accepts a block argument (the same way `refresh` method does).
+The block will be called if the refresh action is performed before the access token is expired.
+Thereby it's possible to prohibit users from making refresh calls while their access token is still active.
+
+```ruby
+tokens = session.refresh_by_access_payload do
+  # here goes malicious activity alert
+  raise JWTSessions::Errors::Unauthorized, "Refresh action is performed before the expiration of the access token."
+end
+```
 
 Example Rails refresh by access controller with cookies as token transport:
 

data/lib/jwt_sessions/errors.rb

@@ -5,5 +5,6 @@ module JWTSessions
     class InvalidPayload < Error; end
     class Unauthorized < Error; end
     class ClaimsVerification < Unauthorized; end
+    class Expired < ClaimsVerification; end
   end
 end

data/lib/jwt_sessions/token.rb

@@ -13,7 +13,9 @@ module JWTSessions
       def decode(token, claims = {})
         decode_options = { algorithm: JWTSessions.algorithm }.merge(JWTSessions.jwt_options.to_h).merge(claims)
         JWT.decode(token, JWTSessions.public_key, JWTSessions.validate?, decode_options)
-      rescue JWT::InvalidIssuerError, JWT::InvalidIatError, JWT::InvalidAudError, JWT::InvalidSubError, JWT::InvalidJtiError, JWT::ExpiredSignature => e
+      rescue JWT::ExpiredSignature => e
+        raise Errors::Expired, e.message
+      rescue JWT::InvalidIssuerError, JWT::InvalidIatError, JWT::InvalidAudError, JWT::InvalidSubError, JWT::InvalidJtiError => e
         raise Errors::ClaimsVerification, e.message
       rescue JWT::DecodeError => e
         raise Errors::Unauthorized, e.message

data/lib/jwt_sessions/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JWTSessions
-  VERSION = "2.4.3"
+  VERSION = "2.5.0"
 end

data/test/units/jwt_sessions/test_token.rb

@@ -142,7 +142,7 @@ class TestToken < Minitest::Test
 
   def test_payload_exp_time
     token = JWTSessions::Token.encode(payload.merge(exp: Time.now.to_i - (3600 * 24)))
-    assert_raises JWTSessions::Errors::Unauthorized do
+    assert_raises JWTSessions::Errors::Expired do
       JWTSessions::Token.decode(token)
     end
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt_sessions
 version: !ruby/object:Gem::Version
-  version: 2.4.3
+  version: 2.5.0
 platform: ruby
 authors:
 - Yulia Oletskaya
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-09-13 00:00:00.000000000 Z
+date: 2020-04-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -136,18 +136,17 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
 summary: JWT Sessions
 test_files:
 - test/units/test_jwt_sessions.rb
 - test/units/test_token_store.rb
-- test/units/jwt_sessions/store_adapters/test_memory_store_adapter.rb
-- test/units/jwt_sessions/store_adapters/test_redis_store_adapter.rb
-- test/units/jwt_sessions/test_access_token.rb
 - test/units/jwt_sessions/test_csrf_token.rb
+- test/units/jwt_sessions/test_access_token.rb
+- test/units/jwt_sessions/store_adapters/test_redis_store_adapter.rb
+- test/units/jwt_sessions/store_adapters/test_memory_store_adapter.rb
+- test/units/jwt_sessions/test_token.rb
 - test/units/jwt_sessions/test_refresh_token.rb
 - test/units/jwt_sessions/test_session.rb
-- test/units/jwt_sessions/test_token.rb