jwt_sessions 3.1.1 → 3.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e1264eae87a9f5dc03028ee842e83da499f4d9d3f819d10b676f1bcde974cc2a
-  data.tar.gz: a29d5d6d8a07d24f275072536c7cd912e041aeec6d4c9392eeebf30b9c6337a1
+  metadata.gz: f73b9f84080047130ad1d468d79418be979c742de84603a06c9933d8a185d935
+  data.tar.gz: 14e06ad9f9262b12a7b05339ed93f0c45cdc9d2ee39f526ff69bef99a0851ff0
 SHA512:
-  metadata.gz: 4abc1c449bd2692b00797c42c235d52dd4f67e30176e77d04da79a29fd5828ee73696908745ce8432af2cc8514523b24d4128158822ce412f2e9d6092550ad91
-  data.tar.gz: 6b7006560ab05859b51c9add771f029b68c0f09a391fe576c47b6e97ba72b1bdbabb8c787262a07553962e24bdccb2148c2bf960f614af56e497f8c18e9a4c7a
+  metadata.gz: e4a0a9d70804717e8a310c77be865bff624f3e824800a0df35d082be906e79120012dde275d4cbe1d9b18dd51445b570ad081488d7a6df201fefaa154ad71aff
+  data.tar.gz: 4964b5277b235c50715f6886965693a9fda64735d7d5b0b90d599929c06d743110a72fc27efcb7d250fc85b141d6fb441adc54bdaddc2daf41e9382a28d563be

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 3.2.0 (June 20, 2023)
+
+Features:
+
+ - payload can be accessed without auth - it's going to be resolved into an empty hash.
+
 ## 3.1.1 (May 6, 2023)
 
 Bugfixes:

data/README.md

@@ -119,7 +119,7 @@ Available `JWTSessions::Session.new` options:
 
 - **payload**: a hash object with session data which will be included into an access token payload. Default is an empty hash.
 - **refresh_payload**: a hash object with session data which will be included into a refresh token payload. Default is the value of the access payload.
-- **access_claims**: a hash object with [JWT claims](https://github.com/jwt/ruby-jwt#support-for-reserved-claim-names) which will be validated within the access token payload. For example, `{ "aud" => ["admin"], "verify_aud" => true }` means that the token can be used only by "admin" audience. Also, the endpoint can automatically validate claims instead. See `token_claims` method.
+- **access_claims**: a hash object with [JWT claims](https://github.com/jwt/ruby-jwt#support-for-reserved-claim-names) which will be validated within the access token payload. For example, `JWTSessions::Session.new(payload: { user_id: 1, aud: ['admin'], verify_aud: true })` means that the token can be used only by "admin" audience. Also, the endpoint can automatically validate claims instead. See `token_claims` method.
 - **refresh_claims**: a hash object with [JWT claims](https://github.com/jwt/ruby-jwt#support-for-reserved-claim-names) which will be validated within the refresh token payload.
 - **namespace**: a string object which helps to group sessions by a custom criteria. For example, sessions can be grouped by user ID, making it possible to logout the user from all devices. More info [Sessions Namespace](#sessions-namespace).
 - **refresh_by_access_allowed**: a boolean value. Default is false. It links access and refresh tokens (adds refresh token ID to access payload), making it possible to perform a session refresh by the last expired access token. See [Refresh with access token](#refresh-with-access-token).
@@ -131,7 +131,7 @@ Helper methods within `Authorization` mixin:
 - **authorize_access_request!**: validates access token within the request.
 - **authorize_refresh_request!**: validates refresh token within the request.
 - **found_token**: a raw token found within the request.
-- **payload**: a decoded token's payload.
+- **payload**: a decoded token's payload. Returns an empty hash in case the token is absent in the request headers/cookies.
 - **claimless_payload**: a decoded token's payload without claims validation (can be used for checking data of an expired token).
 - **token_claims**: the method should be defined by a developer and is expected to return a hash-like object with claims to be validated within a token's payload.
 
@@ -426,9 +426,9 @@ class UsersController < ApplicationController
 
   def token_claims
     {
-      "aud" => ["admin", "staff"],
-      "verify_aud" => true, # can be used locally instead of a global setting
-      "exp_leeway" => 15 # will be used instead of default leeway only for exp claim
+      aud: ["admin", "staff"],
+      verify_aud: true, # can be used locally instead of a global setting
+      exp_leeway: 15 # will be used instead of default leeway only for exp claim
     }
   end
 end

data/lib/jwt_sessions/authorization.rb

@@ -102,16 +102,18 @@ module JWTSessions
       token
     end
 
-    def token_from_headers(token_type)
+    def token_from_headers(token_type, required: true)
       raw_token = request_headers[JWTSessions.header_by(token_type)] || ""
       token = raw_token.split(" ")[-1]
-      raise Errors::Unauthorized, "Token is not found" unless token
+      raise Errors::Unauthorized, "Token is not found" if !token && required
+
       token
     end
 
-    def token_from_cookies(token_type)
+    def token_from_cookies(token_type, required: true)
       token = request_cookies[JWTSessions.cookie_by(token_type)]
-      raise Errors::Unauthorized, "Token is not found" unless token
+      raise Errors::Unauthorized, "Token is not found" if !token && required
+
       token
     end
 
@@ -119,9 +121,21 @@ module JWTSessions
       @_raw_token
     end
 
+    def fetch_access_token
+      if respond_to?(:request_headers)
+        token = token_from_headers(:access, required: false)
+        return token if token
+      end
+
+      token_from_cookies(:access, required: false) if respond_to?(:request_cookies)
+    end
+
     def payload
+      return @_payload if defined? @_payload
+
       claims = respond_to?(:token_claims) ? token_claims : {}
-      @_payload ||= Token.decode(found_token, claims).first
+      token = found_token || fetch_access_token
+      @_payload = token ? Token.decode(token, claims).first : {}
     end
 
     # retrieves tokens payload without JWT claims validation

data/lib/jwt_sessions/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JWTSessions
-  VERSION = "3.1.1"
+  VERSION = "3.2.0"
 end

data/test/units/jwt_sessions/test_authorization.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require "minitest/autorun"
+require "jwt_sessions"
+
+class TestAuthorization < Minitest::Test
+  include JWTSessions::Authorization
+
+  def setup
+    JWTSessions.signing_key = "abcdefghijklmnopqrstuvwxyzABCDEF"
+  end
+
+  def test_payload_when_token_is_nil
+    @_raw_token = nil
+
+    assert_equal payload, {}
+  end
+
+  def test_payload_when_token_is_present
+    @_raw_token =
+      JWTSessions::Token.encode({ "user_id" => 1, "secret" => "mystery" })
+
+    assert_equal payload['user_id'], 1
+    assert_equal payload['secret'], 'mystery'
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt_sessions
 version: !ruby/object:Gem::Version
-  version: 3.1.1
+  version: 3.2.0
 platform: ruby
 authors:
 - Julija Alieckaja
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-05-06 00:00:00.000000000 Z
+date: 2023-06-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -98,6 +98,7 @@ files:
 - test/units/jwt_sessions/store_adapters/test_memory_store_adapter.rb
 - test/units/jwt_sessions/store_adapters/test_redis_store_adapter.rb
 - test/units/jwt_sessions/test_access_token.rb
+- test/units/jwt_sessions/test_authorization.rb
 - test/units/jwt_sessions/test_csrf_token.rb
 - test/units/jwt_sessions/test_refresh_token.rb
 - test/units/jwt_sessions/test_session.rb
@@ -137,6 +138,7 @@ test_files:
 - test/units/jwt_sessions/store_adapters/test_memory_store_adapter.rb
 - test/units/jwt_sessions/store_adapters/test_redis_store_adapter.rb
 - test/units/jwt_sessions/test_access_token.rb
+- test/units/jwt_sessions/test_authorization.rb
 - test/units/jwt_sessions/test_csrf_token.rb
 - test/units/jwt_sessions/test_refresh_token.rb
 - test/units/jwt_sessions/test_session.rb