jwt_signed_request 2.5.0 → 2.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 6a4b6d9d7869c58d436404dc533c1918dc21a8fb
-  data.tar.gz: 4e87bacd334d5cafe414f6d350eb6b6c556fb2c1
+SHA256:
+  metadata.gz: fb9e7a555755580bb4b37387799d44d3bc4d67d7a157060fce83183827250d15
+  data.tar.gz: b4ed152d2dfa73fc961280a6d7c09fd480565195c280f76b71e6326268ba894d
 SHA512:
-  metadata.gz: ebea05eab2c08b118fa7fd01b329e8e48ad1385806a3d97ed7cb6c3642b4d58a7f19bbcf4234b5ad7c6aa87fd71abce1cec8f582144deaeff7f24edb8bcfa61e
-  data.tar.gz: 4b23e201723c6066820df703c7bdf4c8fa281c281beef379f3ffb4c13fa333f95d54c348fae53224ae44222258858c1431fb94a94d9f8925c2d36930ec2cfb03
+  metadata.gz: 6d7f1c2fe8ffac7c069d11231ae797fb92967cece0ed2c441167d02ebec178edb6d9474d02a0e4ec3d9a4840d8df0888cb6b00029f99190e0b24f1fceaf2f0f2
+  data.tar.gz: 0b38896799b5021d54266010534f5360819d95363b7f09a276e7b729df8d708bacd9c861e1ae194e3b6f2bd7894e7f32f2e1e60d486d00b07b84705d2cbc4713

data/README.md

@@ -19,7 +19,7 @@ $ bundle
 
 ## Generating EC Keys
 
-We should be using a public key encryption alogorithm such as **ES256**. To generate your public/private key pair using **ES256** run:
+We should be using a public key encryption algorithm such as **ES256**. To generate your public/private key pair using **ES256** run:
 
 ```sh
 $ openssl ecparam -genkey -name prime256v1 -noout -out myprivatekey.pem
@@ -30,24 +30,32 @@ Store and encrypt these in your application secrets.
 
 ## Configuration
 
-You can add signing and verification keys to the key store as your application needs them.
+You can add signing and verification keys to one or more key stores as your application needs them.
+
+For example, given the following keys:
 
 ```ruby
-private_key = <<-pem.gsub(/^\s+/, "")
+private_key = <<-PEM.gsub(/^\s+/, "")
     -----BEGIN EC PRIVATE KEY-----
     MHcCAQEEIBOQ3YIILYMV1glTKbF9oeZWzHe3SNQjAx4IbPIxNygQoAoGCCqGSM49
     AwEHoUQDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/OexDdlmXEjHYaixzYIduluGXd
     3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
     -----END EC PRIVATE KEY-----
-  pem
+  PEM
 
-public_key = <<-pem.gsub(/^\s+/, "")
+public_key = <<-PEM.gsub(/^\s+/, "")
   -----BEGIN PUBLIC KEY-----
   MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/O
   exDdlmXEjHYaixzYIduluGXd3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
   -----END PUBLIC KEY-----
-pem
+PEM
+```
+
+### Single key store
+
+If your application only needs a single key store, configure it like so:
 
+```ruby
 require 'openssl'
 
 JWTSignedRequest.configure_keys do |config|
@@ -65,9 +73,35 @@ JWTSignedRequest.configure_keys do |config|
 end
 ```
 
+### Multiple key stores
+
+If your application requires multiple key stores, configure them like so:
+
+```ruby
+key_store_id = 'widget_admin'
+
+JWTSignedRequest.configure_keys(key_store_id) do |config|
+  config.add_signing_key(
+    key_id: 'client_a',
+    key: OpenSSL::PKey::EC.new(private_key),
+    algorithm: 'ES256',
+  )
+
+  config.add_verification_key(
+    key_id: 'client_a',
+    key: OpenSSL::PKey::EC.new(public_key),
+    algorithm: 'ES256',
+  )
+end
+```
+
 ## Signing Requests
 
-If you have added your signing keys to the key store, you will only need to specify the `key_id` you are signing the requests with.
+If you have added your signing keys to a key store, you will only need to
+specify the `key_id` you are signing the requests with.
+
+If you are using multiple key stores, you will also need to pass the
+appropriate `key_store_id`.
 
 ### Using net/http
 
@@ -86,6 +120,7 @@ jwt_token = JWTSignedRequest.sign(
   body: "",
   key_id: 'my-key-id',                    # used for looking up key and kid header
   lookup_key_id: 'my-alt-key-id',         # optionally override lookup key
+  key_store_id: 'widget_admin',           # optionally specify named key store ID
   issuer: 'my-issuer'                     # optional
   additional_headers_to_sign: ['X-AUTH']  # optional
 )
@@ -97,7 +132,7 @@ res = Net::HTTP.start(uri.hostname, uri.port) {|http|
 }
 ```
 
-### Using faraday
+### Using Faraday
 
 ```ruby
 require 'faraday'
@@ -105,10 +140,14 @@ require 'openssl'
 require 'jwt_signed_request/middlewares/faraday'
 
 conn = Faraday.new(url: URI.parse('http://example.com')) do |faraday|
-  faraday.use JWTSignedRequest::Middlewares::Faraday,
-    key_id: 'my-key-id',
-    issuer: 'my-issuer',                    # optional
-    additional_headers_to_sign: ['X-AUTH']  # optional
+  faraday.use(
+    JWTSignedRequest::Middlewares::Faraday,
+      key_id: 'my-key-id',
+      key_store_id: 'my-key-store-id',        # optional
+      issuer: 'my-issuer',                    # optional
+      additional_headers_to_sign: ['X-AUTH'], # optional
+      bearer_schema: true,                    # optional
+    )
 
   faraday.adapter Faraday.default_adapter
 end
@@ -119,10 +158,23 @@ conn.post do |req|
 end
 ```
 
-## Verifying Requests
+#### Additional options
+
+##### bearer_schema (boolean)
 
-Please make sure you have added your verification keys to the key store. Doing so will allow the server to verify requests signed by different signing keys.
+Determines whether to use the [Bearer schema](https://auth0.com/docs/jwt#how-do-json-web-tokens-work-) when assigning the JWT token to the `Authorization` request header
 
+| bearer_schema value | Authorization header value|
+|---------------------|---------------------------|
+| false (default) | `<jwt_token>` |
+| true | `Bearer <jwt_token>` |
+
+
+## Verifying Requests
+
+Please make sure you have added your verification keys to the appropriate key
+store. Doing so will allow the server to verify requests signed by different
+signing keys.
 
 ## Using Rails
 
@@ -136,7 +188,11 @@ class APIController < ApplicationController
 
   def verify_request
     begin
-      JWTSignedRequest.verify(request: request)
+      JWTSignedRequest.verify(
+        request: request,
+        # Use optional `key_store_id` kwarg when working with multiple key stores, eg:
+        key_store_id: 'widget_admin',
+      )
 
     rescue JWTSignedRequest::UnauthorizedRequestError => e
       render :json => {}, :status => :unauthorized
@@ -158,9 +214,12 @@ JWT tokens contain an expiry timestamp. If communication delays are large (or sy
 
 ```ruby
 class Server < Sinatra::Base
-  use JWTSignedRequest::Middlewares::Rack,
-     exclude_paths: /public|health/,          # optional regex
-     leeway: 100                              # optional
+  use(
+    JWTSignedRequest::Middlewares::Rack,
+    exclude_paths: /public|health/,          # optional regex
+    leeway: 100,                             # optional
+    key_store_id: 'my-key-store-id',         # optional
+  )
  end
 ```
 

data/lib/jwt_signed_request.rb

@@ -9,22 +9,22 @@ require 'jwt_signed_request/errors'
 module JWTSignedRequest
   extend self
 
-  DEFAULT_ALGORITHM = 'ES256'.freeze
-  EMPTY_BODY = "".freeze
+  DEFAULT_ALGORITHM = 'ES256'
+  EMPTY_BODY = ''
 
-  def configure_keys
-    yield(key_store)
+  def configure_keys(key_store_id = nil)
+    yield KeyStore.find(key_store_id)
   end
 
-  def key_store
-    @key_store ||= KeyStore.new
+  def key_store(id = nil)
+    KeyStore.find(id)
   end
 
-  def sign(*args)
-    Sign.call(*args)
+  def sign(**args)
+    Sign.call(**args)
   end
 
-  def verify(*args)
-    Verify.call(*args)
+  def verify(**args)
+    Verify.call(**args)
   end
 end

data/lib/jwt_signed_request/key_store.rb

@@ -2,25 +2,33 @@
 
 module JWTSignedRequest
   class KeyStore
+    def self.find(id)
+      all[id]
+    end
+
+    private_class_method def self.all
+      @all ||= Hash.new { |result, key| result[key] = KeyStore.new }
+    end
+
     def initialize
       @signing_keys = {}
       @verification_keys = {}
     end
 
     def add_signing_key(key_id:, key:, algorithm:)
-      @signing_keys.store(key_id,
-        {
-          key: key,
-          algorithm: algorithm
-        })
+      @signing_keys.store(
+        key_id,
+        key: key,
+        algorithm: algorithm,
+      )
     end
 
     def add_verification_key(key_id:, key:, algorithm:)
-      @verification_keys.store(key_id,
-        {
-          key: key,
-          algorithm: algorithm
-        })
+      @verification_keys.store(
+        key_id,
+        key: key,
+        algorithm: algorithm,
+      )
     end
 
     def get_signing_key(key_id:)

data/lib/jwt_signed_request/middlewares/faraday.rb

@@ -6,36 +6,38 @@ require 'jwt_signed_request'
 module JWTSignedRequest
   module Middlewares
     class Faraday < Faraday::Middleware
-      def initialize(app, options)
+      def initialize(app, bearer_schema: nil, **options)
+        @bearer_schema = bearer_schema
         @options = options
         super(app)
       end
 
       def call(env)
-        jwt_token = ::JWTSignedRequest.sign(
+        env[:body] ||= ::JWTSignedRequest::EMPTY_BODY
+
+        @jwt_token = ::JWTSignedRequest.sign(
           method:     env[:method],
           path:       env[:url].request_uri,
           headers:    env[:request_headers],
-          body:       env.fetch(:body, ::JWTSignedRequest::EMPTY_BODY),
-          **optional_settings
+          body:       env[:body],
+          **options,
         )
 
-        env[:request_headers].store("Authorization", "Bearer #{jwt_token}")
+        env[:request_headers].store("Authorization", authorization_header)
+
         app.call(env)
       end
 
       private
 
-      attr_reader :app, :env, :options
+      attr_reader :app, :env, :bearer_schema, :options, :jwt_token
+
+      def authorization_header
+        bearer_schema? ? "Bearer #{jwt_token}" : jwt_token
+      end
 
-      def optional_settings
-        {
-          secret_key:                 options[:secret_key],
-          algorithm:                  options[:algorithm],
-          additional_headers_to_sign: options[:additional_headers_to_sign],
-          key_id:                     options[:key_id],
-          issuer:                     options[:issuer],
-        }.reject { |_, value| value.nil? }
+      def bearer_schema?
+        bearer_schema == true
       end
     end
   end

data/lib/jwt_signed_request/middlewares/rack.rb

@@ -8,41 +8,40 @@ module JWTSignedRequest
     class Rack
       UNAUTHORIZED_STATUS_CODE = 401
 
-      def initialize(app, options = {})
+      def initialize(app, secret_key: nil, algorithm: nil, leeway: nil, exclude_paths: nil, key_store_id: nil)
         @app = app
-        @secret_key = options[:secret_key]
-        @algorithm = options[:algorithm]
-        @leeway = options[:leeway]
-        @exclude_paths = options[:exclude_paths]
+        @secret_key = secret_key
+        @algorithm = algorithm
+        @leeway = leeway
+        @exclude_paths = exclude_paths
+        @key_store_id = key_store_id
       end
 
       def call(env)
-        begin
-          unless excluded_path?(env)
-            args = {
-              request: ::Rack::Request.new(env),
-              secret_key: secret_key,
-              algorithm: algorithm,
-              leeway: leeway
-            }.reject { |_, value| value.nil? }
-
-            ::JWTSignedRequest.verify(**args)
-          end
-
-          app.call(env)
-        rescue ::JWTSignedRequest::UnauthorizedRequestError => e
-          [UNAUTHORIZED_STATUS_CODE, {'Content-Type' => 'application/json'} , []]
-        end
+        ::JWTSignedRequest.verify(**verification_args(env)) unless excluded_path?(env)
+        app.call(env)
+      rescue ::JWTSignedRequest::UnauthorizedRequestError
+        [UNAUTHORIZED_STATUS_CODE, {'Content-Type' => 'application/json'}, []]
       end
 
       private
 
-      attr_reader :app, :secret_key, :algorithm, :leeway, :exclude_paths
+      attr_reader :app, :secret_key, :algorithm, :leeway, :exclude_paths, :key_store_id
 
       def excluded_path?(env)
         !exclude_paths.nil? &&
           env['PATH_INFO'].match(exclude_paths)
       end
+
+      def verification_args(env)
+        {
+          request: ::Rack::Request.new(env),
+          secret_key: secret_key,
+          algorithm: algorithm,
+          leeway: leeway,
+          key_store_id: key_store_id,
+        }
+      end
     end
   end
 end

data/lib/jwt_signed_request/sign.rb

@@ -4,8 +4,8 @@ require 'jwt_signed_request/claims'
 
 module JWTSignedRequest
   class Sign
-    def self.call(*args)
-      new(*args).call
+    def self.call(**args)
+      new(**args).call
     end
 
     def initialize(
@@ -18,7 +18,8 @@ module JWTSignedRequest
       key_id: nil,
       lookup_key_id: key_id,
       issuer: nil,
-      additional_headers_to_sign: nil
+      additional_headers_to_sign: nil,
+      key_store_id: nil
     )
       @method = method
       @path = path
@@ -30,6 +31,7 @@ module JWTSignedRequest
       @lookup_key_id = lookup_key_id
       @issuer = issuer
       @additional_headers_to_sign = additional_headers_to_sign
+      @key_store_id = key_store_id
     end
 
     def call
@@ -38,12 +40,24 @@ module JWTSignedRequest
 
     private
 
-    attr_reader \
-      :method, :path, :body, :headers,
-      :key_id, :lookup_key_id, :issuer, :additional_headers_to_sign
+    attr_reader(
+      :method,
+      :path,
+      :body,
+      :headers,
+      :key_id,
+      :lookup_key_id,
+      :issuer,
+      :additional_headers_to_sign,
+      :key_store_id,
+    )
 
     def stored_key
-      @stored_key ||= JWTSignedRequest.key_store.get_signing_key(key_id: lookup_key_id)
+      @stored_key ||= key_store.get_signing_key(key_id: lookup_key_id)
+    end
+
+    def key_store
+      KeyStore.find(key_store_id)
     end
 
     def secret_key

data/lib/jwt_signed_request/verify.rb

@@ -6,17 +6,18 @@ require 'jwt/version'
 
 module JWTSignedRequest
   class Verify
-    def self.call(*args)
-      new(*args).call
+    def self.call(**args)
+      new(**args).call
     end
 
     # TODO: secret_key & algorithm is deprecated and will be removed in future.
-    # For now we will support its functionaility
-    def initialize(request:, secret_key: nil, algorithm: nil, leeway: nil)
+    # For now we will support its functionality
+    def initialize(request:, secret_key: nil, algorithm: nil, leeway: nil, key_store_id: nil)
       @request = request
       @secret_key = secret_key
       @algorithm = algorithm
       @leeway = leeway
+      @key_store_id = key_store_id
     end
 
     def call
@@ -29,19 +30,23 @@ module JWTSignedRequest
 
     private
 
-    attr_reader :request, :leeway
+    attr_reader :request, :leeway, :key_store_id
 
     def stored_key
       _body, jwt_header = ::JWT.decode(jwt_token, nil, false)
       key_id = jwt_header.fetch('kid') { raise MissingKeyIdError }
       signed_algorithm = jwt_header.fetch('alg')
-      JWTSignedRequest.key_store.get_verification_key(key_id: key_id).tap do |key|
+      key_store.get_verification_key(key_id: key_id).tap do |key|
         if signed_algorithm != key[:algorithm]
           raise AlgorithmMismatchError
         end
       end
     end
 
+    def key_store
+      KeyStore.find(key_store_id)
+    end
+
     def algorithm
       @algorithm ||= stored_key.fetch(:algorithm) { raise MissingAlgorithmError }
     end

data/lib/jwt_signed_request/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JWTSignedRequest
-  VERSION = '2.5.0'.freeze
+  VERSION = '2.6.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt_signed_request
 version: !ruby/object:Gem::Version
-  version: 2.5.0
+  version: 2.6.0
 platform: ruby
 authors:
 - Envato
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-01-22 00:00:00.000000000 Z
+date: 2020-08-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -17,9 +17,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.5.0
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 2.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -27,9 +24,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.5.0
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 2.2.0
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -138,7 +132,7 @@ metadata:
   bug_tracker_uri: https://github.com/envato/jwt_signed_request/issues
   changelog_uri: https://github.com/envato/jwt_signed_request/blob/master/CHANGELOG.md
   source_code_uri: https://github.com/envato/jwt_signed_request
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -153,9 +147,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.13
-signing_key: 
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: JWT request signing and verification for Internal APIs
 test_files: []