jwt_signed_request 2.1.3 → 2.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- data/README.md +1 -1
- data/lib/jwt_signed_request/errors.rb +16 -0
- data/lib/jwt_signed_request/verify.rb +40 -8
- data/lib/jwt_signed_request/version.rb +1 -1
- data/lib/jwt_signed_request.rb +1 -8
- metadata +4 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
|
-
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
2
|
+
SHA256:
|
|
3
|
+
metadata.gz: e3c77d8fa516ef20dd47873584e1533ce01ccda49d0486825177f53e74d165b0
|
|
4
|
+
data.tar.gz: f54b28aaebb16861a13d129541a2e75a5260d6f19c58c757670952bb3568f8f8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f862b757d5387bcf0ec6f71af7d80b77a8e9d5d906e6957abea7f891c2e452c4a27cac096170f44c24798291feb62d03166f943487044999948d815358f3d1fc
|
|
7
|
+
data.tar.gz: e67c0b8346883be09a595f2038de8c0e10400230c2cb90d209c66f1a15a9b6c53282cbf28c19c00e84599bbde8787396d319594c163f9acd93f16df833a3f4fd
|
data/README.md
CHANGED
|
@@ -190,7 +190,7 @@ Many thanks to the following contributors to this gem:
|
|
|
190
190
|
- Odin Dutton - [@twe4ked](https://github.com/twe4ked)
|
|
191
191
|
- Sebastian von Conrad - [@vonconrad](https://github.com/vonconrad)
|
|
192
192
|
- Zubin Henner- [@zubin](https://github.com/zubin)
|
|
193
|
-
-
|
|
193
|
+
- Glenn Tweedie - [@nocache](https://github.com/nocache)
|
|
194
194
|
- Giancarlo Salamanca - [@salamagd](https://github.com/salamagd)
|
|
195
195
|
- Ben Axnick - [@bentheax](https://github.com/bentheax)
|
|
196
196
|
- Glen Stampoultzis - [@gstamp](https://github.com/gstamp)
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
module JWTSignedRequest
|
|
2
|
+
UnauthorizedRequestError = Class.new(StandardError)
|
|
3
|
+
MissingAuthorizationHeaderError = Class.new(UnauthorizedRequestError)
|
|
4
|
+
JWTDecodeError = Class.new(UnauthorizedRequestError)
|
|
5
|
+
|
|
6
|
+
RequestVerificationFailedError = Class.new(UnauthorizedRequestError)
|
|
7
|
+
RequestBodyVerificationFailedError = Class.new(RequestVerificationFailedError)
|
|
8
|
+
RequestHeaderVerificationFailedError = Class.new(RequestVerificationFailedError)
|
|
9
|
+
RequestMethodVerificationFailedError = Class.new(RequestVerificationFailedError)
|
|
10
|
+
RequestPathVerificationFailedError = Class.new(RequestVerificationFailedError)
|
|
11
|
+
RequestQueryVerificationFailedError = Class.new(RequestVerificationFailedError)
|
|
12
|
+
|
|
13
|
+
MissingKeyIdError = Class.new(UnauthorizedRequestError)
|
|
14
|
+
UnknownKeyIdError = Class.new(UnauthorizedRequestError)
|
|
15
|
+
AlgorithmMismatchError = Class.new(UnauthorizedRequestError)
|
|
16
|
+
end
|
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
require 'jwt_signed_request/headers'
|
|
2
|
+
require 'jwt_signed_request/errors'
|
|
2
3
|
|
|
3
4
|
module JWTSignedRequest
|
|
4
5
|
class Verify
|
|
@@ -20,9 +21,7 @@ module JWTSignedRequest
|
|
|
20
21
|
raise MissingAuthorizationHeaderError, "Missing Authorization header in the request"
|
|
21
22
|
end
|
|
22
23
|
|
|
23
|
-
|
|
24
|
-
raise RequestVerificationFailedError, "Request failed verification"
|
|
25
|
-
end
|
|
24
|
+
verify_request!
|
|
26
25
|
end
|
|
27
26
|
|
|
28
27
|
private
|
|
@@ -68,11 +67,28 @@ module JWTSignedRequest
|
|
|
68
67
|
end
|
|
69
68
|
end
|
|
70
69
|
|
|
71
|
-
def
|
|
72
|
-
claims['method'].to_s
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
70
|
+
def verify_request!
|
|
71
|
+
unless request.request_method.casecmp(claims['method'].to_s) == 0
|
|
72
|
+
raise RequestMethodVerificationFailedError,
|
|
73
|
+
"Request failed method verification.\nexpected:#{claims['method']}\nreceived:#{request.request_method}"
|
|
74
|
+
end
|
|
75
|
+
unless parsed_claims_uri.path == request.path
|
|
76
|
+
raise RequestPathVerificationFailedError,
|
|
77
|
+
"Request failed path verification.\nexpected:#{parsed_claims_uri.path}\nreceived:#{request.path}"
|
|
78
|
+
end
|
|
79
|
+
unless claims_query_values == request_query_values
|
|
80
|
+
raise RequestQueryVerificationFailedError,
|
|
81
|
+
"Request failed query string verification.\nexpected:#{claims_query_values}\nreceived:#{request_query_values}"
|
|
82
|
+
end
|
|
83
|
+
unless claims['body_sha'] == Digest::SHA256.hexdigest(request_body)
|
|
84
|
+
raise RequestBodyVerificationFailedError,
|
|
85
|
+
"Request failed body verification.\nexpected:#{claims['body_sha']}\
|
|
86
|
+
received:#{Digest::SHA256.hexdigest(request_body)}"
|
|
87
|
+
end
|
|
88
|
+
unless verified_headers?
|
|
89
|
+
raise RequestHeaderVerificationFailedError,
|
|
90
|
+
"Request failed header verification.\nexpected:#{claims['headers']}"
|
|
91
|
+
end
|
|
76
92
|
end
|
|
77
93
|
|
|
78
94
|
def request_body
|
|
@@ -92,5 +108,21 @@ module JWTSignedRequest
|
|
|
92
108
|
Headers.fetch(header_key, request) == header_value
|
|
93
109
|
end
|
|
94
110
|
end
|
|
111
|
+
|
|
112
|
+
def parsed_claims_uri
|
|
113
|
+
@parsed_claims_uri ||= URI.parse(claims['path'])
|
|
114
|
+
end
|
|
115
|
+
|
|
116
|
+
def standard_query_values(path)
|
|
117
|
+
URI.decode_www_form(path.query).sort if path && path.query
|
|
118
|
+
end
|
|
119
|
+
|
|
120
|
+
def claims_query_values
|
|
121
|
+
standard_query_values(parsed_claims_uri)
|
|
122
|
+
end
|
|
123
|
+
|
|
124
|
+
def request_query_values
|
|
125
|
+
standard_query_values(URI.parse(request.fullpath))
|
|
126
|
+
end
|
|
95
127
|
end
|
|
96
128
|
end
|
data/lib/jwt_signed_request.rb
CHANGED
|
@@ -2,6 +2,7 @@ require 'jwt'
|
|
|
2
2
|
require 'jwt_signed_request/key_store'
|
|
3
3
|
require 'jwt_signed_request/sign'
|
|
4
4
|
require 'jwt_signed_request/verify'
|
|
5
|
+
require 'jwt_signed_request/errors'
|
|
5
6
|
|
|
6
7
|
module JWTSignedRequest
|
|
7
8
|
extend self
|
|
@@ -9,14 +10,6 @@ module JWTSignedRequest
|
|
|
9
10
|
DEFAULT_ALGORITHM = 'ES256'.freeze
|
|
10
11
|
EMPTY_BODY = "".freeze
|
|
11
12
|
|
|
12
|
-
UnauthorizedRequestError = Class.new(StandardError)
|
|
13
|
-
MissingAuthorizationHeaderError = Class.new(UnauthorizedRequestError)
|
|
14
|
-
JWTDecodeError = Class.new(UnauthorizedRequestError)
|
|
15
|
-
RequestVerificationFailedError = Class.new(UnauthorizedRequestError)
|
|
16
|
-
MissingKeyIdError = Class.new(UnauthorizedRequestError)
|
|
17
|
-
UnknownKeyIdError = Class.new(UnauthorizedRequestError)
|
|
18
|
-
AlgorithmMismatchError = Class.new(UnauthorizedRequestError)
|
|
19
|
-
|
|
20
13
|
def configure_keys
|
|
21
14
|
yield(key_store)
|
|
22
15
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: jwt_signed_request
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Envato
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2018-04-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: jwt
|
|
@@ -118,6 +118,7 @@ files:
|
|
|
118
118
|
- README.md
|
|
119
119
|
- lib/jwt_signed_request.rb
|
|
120
120
|
- lib/jwt_signed_request/claims.rb
|
|
121
|
+
- lib/jwt_signed_request/errors.rb
|
|
121
122
|
- lib/jwt_signed_request/headers.rb
|
|
122
123
|
- lib/jwt_signed_request/key_store.rb
|
|
123
124
|
- lib/jwt_signed_request/middlewares/faraday.rb
|
|
@@ -144,7 +145,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
144
145
|
version: '0'
|
|
145
146
|
requirements: []
|
|
146
147
|
rubyforge_project:
|
|
147
|
-
rubygems_version: 2.6
|
|
148
|
+
rubygems_version: 2.7.6
|
|
148
149
|
signing_key:
|
|
149
150
|
specification_version: 4
|
|
150
151
|
summary: JWT request signing and verification for Internal APIs
|