jwt_signed_request 2.5.1 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 79cbd2415ebe2ccd5475a7dcce55816100def17b35e7e74b0f30e41062969f35
-  data.tar.gz: 8ca7449ac266884163f7cf73b9f89aebc463099ecc3193619b5199f5d1b185a4
+  metadata.gz: a232713f444aa93fe62190f100a0ee0b74550c5f8426095c131b79ec035c1260
+  data.tar.gz: df9755b248452d267d2a0631ea16af0d81476a501dde8367b980fe53e6b9c210
 SHA512:
-  metadata.gz: bd580744d0f274948091f1424e34289c01c95a66027434dbbdc2eccdf7bc7a4aa0905ad19dc2574b86640f7035040a790b6bfb36d0006ecda156664e0498e48a
-  data.tar.gz: e607c1345c5293afb153bbc173590a785b4472366ba383d984be39de0c2f8ca6c64a19ce9627b9df54865d6988e6ac2e7c1c33ef91a5911bf7189065e0ffb2a1
+  metadata.gz: 6e8ca9735e699cb864d1a73869d8b09cfda8e8decebae2b7343bd2168f1f4fe2baed43c02ee52e7d76c761de3af66aacdf69667805a097d14ae04f4896db238a
+  data.tar.gz: ffb84c36f824f1e8d4ad22718136fa4350ea56a28e842c098f7038abd9c31e3c3b1e168f0546ed281018cd54c91abfbd24add657cf2f705ba230db87f89ab17c

data/README.md

@@ -19,7 +19,7 @@ $ bundle
 
 ## Generating EC Keys
 
-We should be using a public key encryption alogorithm such as **ES256**. To generate your public/private key pair using **ES256** run:
+We should be using a public key encryption algorithm such as **ES256**. To generate your public/private key pair using **ES256** run:
 
 ```sh
 $ openssl ecparam -genkey -name prime256v1 -noout -out myprivatekey.pem
@@ -30,24 +30,32 @@ Store and encrypt these in your application secrets.
 
 ## Configuration
 
-You can add signing and verification keys to the key store as your application needs them.
+You can add signing and verification keys to one or more key stores as your application needs them.
+
+For example, given the following keys:
 
 ```ruby
-private_key = <<-pem.gsub(/^\s+/, "")
+private_key = <<-PEM.gsub(/^\s+/, "")
     -----BEGIN EC PRIVATE KEY-----
     MHcCAQEEIBOQ3YIILYMV1glTKbF9oeZWzHe3SNQjAx4IbPIxNygQoAoGCCqGSM49
     AwEHoUQDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/OexDdlmXEjHYaixzYIduluGXd
     3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
     -----END EC PRIVATE KEY-----
-  pem
+  PEM
 
-public_key = <<-pem.gsub(/^\s+/, "")
+public_key = <<-PEM.gsub(/^\s+/, "")
   -----BEGIN PUBLIC KEY-----
   MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/O
   exDdlmXEjHYaixzYIduluGXd3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
   -----END PUBLIC KEY-----
-pem
+PEM
+```
+
+### Single key store
 
+If your application only needs a single key store, configure it like so:
+
+```ruby
 require 'openssl'
 
 JWTSignedRequest.configure_keys do |config|
@@ -65,9 +73,35 @@ JWTSignedRequest.configure_keys do |config|
 end
 ```
 
+### Multiple key stores
+
+If your application requires multiple key stores, configure them like so:
+
+```ruby
+key_store_id = 'widget_admin'
+
+JWTSignedRequest.configure_keys(key_store_id) do |config|
+  config.add_signing_key(
+    key_id: 'client_a',
+    key: OpenSSL::PKey::EC.new(private_key),
+    algorithm: 'ES256',
+  )
+
+  config.add_verification_key(
+    key_id: 'client_a',
+    key: OpenSSL::PKey::EC.new(public_key),
+    algorithm: 'ES256',
+  )
+end
+```
+
 ## Signing Requests
 
-If you have added your signing keys to the key store, you will only need to specify the `key_id` you are signing the requests with.
+If you have added your signing keys to a key store, you will only need to
+specify the `key_id` you are signing the requests with.
+
+If you are using multiple key stores, you will also need to pass the
+appropriate `key_store_id`.
 
 ### Using net/http
 
@@ -86,6 +120,7 @@ jwt_token = JWTSignedRequest.sign(
   body: "",
   key_id: 'my-key-id',                    # used for looking up key and kid header
   lookup_key_id: 'my-alt-key-id',         # optionally override lookup key
+  key_store_id: 'widget_admin',           # optionally specify named key store ID
   issuer: 'my-issuer'                     # optional
   additional_headers_to_sign: ['X-AUTH']  # optional
 )
@@ -97,7 +132,7 @@ res = Net::HTTP.start(uri.hostname, uri.port) {|http|
 }
 ```
 
-### Using faraday
+### Using Faraday
 
 ```ruby
 require 'faraday'
@@ -105,11 +140,14 @@ require 'openssl'
 require 'jwt_signed_request/middlewares/faraday'
 
 conn = Faraday.new(url: URI.parse('http://example.com')) do |faraday|
-  faraday.use JWTSignedRequest::Middlewares::Faraday,
-    key_id: 'my-key-id',
-    issuer: 'my-issuer',                    # optional
-    additional_headers_to_sign: ['X-AUTH'], # optional
-    bearer_schema: true                     # optional
+  faraday.use(
+    JWTSignedRequest::Middlewares::Faraday,
+      key_id: 'my-key-id',
+      key_store_id: 'my-key-store-id',        # optional
+      issuer: 'my-issuer',                    # optional
+      additional_headers_to_sign: ['X-AUTH'], # optional
+      bearer_schema: true,                    # optional
+    )
 
   faraday.adapter Faraday.default_adapter
 end
@@ -134,8 +172,9 @@ Determines whether to use the [Bearer schema](https://auth0.com/docs/jwt#how-do-
 
 ## Verifying Requests
 
-Please make sure you have added your verification keys to the key store. Doing so will allow the server to verify requests signed by different signing keys.
-
+Please make sure you have added your verification keys to the appropriate key
+store. Doing so will allow the server to verify requests signed by different
+signing keys.
 
 ## Using Rails
 
@@ -149,7 +188,11 @@ class APIController < ApplicationController
 
   def verify_request
     begin
-      JWTSignedRequest.verify(request: request)
+      JWTSignedRequest.verify(
+        request: request,
+        # Use optional `key_store_id` kwarg when working with multiple key stores, eg:
+        key_store_id: 'widget_admin',
+      )
 
     rescue JWTSignedRequest::UnauthorizedRequestError => e
       render :json => {}, :status => :unauthorized
@@ -171,9 +214,12 @@ JWT tokens contain an expiry timestamp. If communication delays are large (or sy
 
 ```ruby
 class Server < Sinatra::Base
-  use JWTSignedRequest::Middlewares::Rack,
-     exclude_paths: /public|health/,          # optional regex
-     leeway: 100                              # optional
+  use(
+    JWTSignedRequest::Middlewares::Rack,
+    exclude_paths: /public|health/,          # optional regex
+    leeway: 100,                             # optional
+    key_store_id: 'my-key-store-id',         # optional
+  )
  end
 ```
 
@@ -223,3 +269,33 @@ For bug fixes, documentation changes, and small features:
 5. Create a new Pull Request
 
 For larger new features: Do everything as above, but first also make contact with the project maintainers to be sure your change fits with the project direction and you won't be wasting effort going in the wrong direction
+
+### Compatibility
+
+Compatibility with multiple versions of the [JWT gem] is tested via the [appraisal gem].
+
+Configured versions are defined in [Appraisals](./Appraisals), which at time of writing looked like this:
+
+```ruby
+# Latest JWT minor versions
+# Source: https://rubygems.org/gems/jwt/versions
+%w[
+  1.5.6
+  2.0.0
+  2.1.0
+  2.2.1
+].each do |jwt_version|
+```
+
+Run the test suite like this:
+
+```sh
+# Test all configured versions
+bundle exec appraisal rspec
+
+# Target a specific configured version
+bundle exec appraisal jwt-1.5.6 rspec
+```
+
+[JWT gem]: https://github.com/jwt/ruby-jwt
+[appraisal gem]: https://github.com/thoughtbot/appraisal

data/lib/jwt_signed_request.rb

@@ -9,22 +9,22 @@ require 'jwt_signed_request/errors'
 module JWTSignedRequest
   extend self
 
-  DEFAULT_ALGORITHM = 'ES256'.freeze
-  EMPTY_BODY = "".freeze
+  DEFAULT_ALGORITHM = 'ES256'
+  EMPTY_BODY = ''
 
-  def configure_keys
-    yield(key_store)
+  def configure_keys(key_store_id = nil)
+    yield KeyStore.find(key_store_id)
   end
 
-  def key_store
-    @key_store ||= KeyStore.new
+  def key_store(id = nil)
+    KeyStore.find(id)
   end
 
-  def sign(*args)
-    Sign.call(*args)
+  def sign(**args)
+    Sign.call(**args)
   end
 
-  def verify(*args)
-    Verify.call(*args)
+  def verify(**args)
+    Verify.call(**args)
   end
 end

data/lib/jwt_signed_request/key_store.rb

@@ -2,25 +2,33 @@
 
 module JWTSignedRequest
   class KeyStore
+    def self.find(id)
+      all[id]
+    end
+
+    private_class_method def self.all
+      @all ||= Hash.new { |result, key| result[key] = KeyStore.new }
+    end
+
     def initialize
       @signing_keys = {}
       @verification_keys = {}
     end
 
     def add_signing_key(key_id:, key:, algorithm:)
-      @signing_keys.store(key_id,
-        {
-          key: key,
-          algorithm: algorithm
-        })
+      @signing_keys.store(
+        key_id,
+        key: key,
+        algorithm: algorithm,
+      )
     end
 
     def add_verification_key(key_id:, key:, algorithm:)
-      @verification_keys.store(key_id,
-        {
-          key: key,
-          algorithm: algorithm
-        })
+      @verification_keys.store(
+        key_id,
+        key: key,
+        algorithm: algorithm,
+      )
     end
 
     def get_signing_key(key_id:)

data/lib/jwt_signed_request/middlewares/faraday.rb

@@ -6,18 +6,22 @@ require 'jwt_signed_request'
 module JWTSignedRequest
   module Middlewares
     class Faraday < Faraday::Middleware
-      def initialize(app, options)
+      def initialize(app, bearer_schema: nil, **options)
+        @bearer_schema = bearer_schema
         @options = options
-        super(app)
+
+        initializer_args_requires_options? ? super(app, options) : super(app)
       end
 
       def call(env)
+        env[:body] ||= ::JWTSignedRequest::EMPTY_BODY
+
         @jwt_token = ::JWTSignedRequest.sign(
           method:     env[:method],
           path:       env[:url].request_uri,
           headers:    env[:request_headers],
-          body:       env.fetch(:body, ::JWTSignedRequest::EMPTY_BODY),
-          **optional_settings
+          body:       env[:body],
+          **options,
         )
 
         env[:request_headers].store("Authorization", authorization_header)
@@ -27,24 +31,18 @@ module JWTSignedRequest
 
       private
 
-      attr_reader :app, :env, :options, :jwt_token
+      attr_reader :app, :env, :bearer_schema, :options, :jwt_token
 
       def authorization_header
         bearer_schema? ? "Bearer #{jwt_token}" : jwt_token
       end
 
       def bearer_schema?
-        options[:bearer_schema] == true
+        bearer_schema == true
       end
 
-      def optional_settings
-        {
-          secret_key:                 options[:secret_key],
-          algorithm:                  options[:algorithm],
-          additional_headers_to_sign: options[:additional_headers_to_sign],
-          key_id:                     options[:key_id],
-          issuer:                     options[:issuer],
-        }.reject { |_, value| value.nil? }
+      def initializer_args_requires_options?
+        Gem::Version.new(::Faraday::VERSION) >= Gem::Version.new('1.2.0')
       end
     end
   end

data/lib/jwt_signed_request/middlewares/rack.rb

@@ -8,41 +8,40 @@ module JWTSignedRequest
     class Rack
       UNAUTHORIZED_STATUS_CODE = 401
 
-      def initialize(app, options = {})
+      def initialize(app, secret_key: nil, algorithm: nil, leeway: nil, exclude_paths: nil, key_store_id: nil)
         @app = app
-        @secret_key = options[:secret_key]
-        @algorithm = options[:algorithm]
-        @leeway = options[:leeway]
-        @exclude_paths = options[:exclude_paths]
+        @secret_key = secret_key
+        @algorithm = algorithm
+        @leeway = leeway
+        @exclude_paths = exclude_paths
+        @key_store_id = key_store_id
       end
 
       def call(env)
-        begin
-          unless excluded_path?(env)
-            args = {
-              request: ::Rack::Request.new(env),
-              secret_key: secret_key,
-              algorithm: algorithm,
-              leeway: leeway
-            }.reject { |_, value| value.nil? }
-
-            ::JWTSignedRequest.verify(**args)
-          end
-
-          app.call(env)
-        rescue ::JWTSignedRequest::UnauthorizedRequestError => e
-          [UNAUTHORIZED_STATUS_CODE, {'Content-Type' => 'application/json'} , []]
-        end
+        ::JWTSignedRequest.verify(**verification_args(env)) unless excluded_path?(env)
+        app.call(env)
+      rescue ::JWTSignedRequest::UnauthorizedRequestError
+        [UNAUTHORIZED_STATUS_CODE, {'Content-Type' => 'application/json'}, []]
       end
 
       private
 
-      attr_reader :app, :secret_key, :algorithm, :leeway, :exclude_paths
+      attr_reader :app, :secret_key, :algorithm, :leeway, :exclude_paths, :key_store_id
 
       def excluded_path?(env)
         !exclude_paths.nil? &&
           env['PATH_INFO'].match(exclude_paths)
       end
+
+      def verification_args(env)
+        {
+          request: ::Rack::Request.new(env),
+          secret_key: secret_key,
+          algorithm: algorithm,
+          leeway: leeway,
+          key_store_id: key_store_id,
+        }
+      end
     end
   end
 end

data/lib/jwt_signed_request/sign.rb

@@ -4,8 +4,8 @@ require 'jwt_signed_request/claims'
 
 module JWTSignedRequest
   class Sign
-    def self.call(*args)
-      new(*args).call
+    def self.call(**args)
+      new(**args).call
     end
 
     def initialize(
@@ -18,7 +18,8 @@ module JWTSignedRequest
       key_id: nil,
       lookup_key_id: key_id,
       issuer: nil,
-      additional_headers_to_sign: nil
+      additional_headers_to_sign: nil,
+      key_store_id: nil
     )
       @method = method
       @path = path
@@ -30,6 +31,7 @@ module JWTSignedRequest
       @lookup_key_id = lookup_key_id
       @issuer = issuer
       @additional_headers_to_sign = additional_headers_to_sign
+      @key_store_id = key_store_id
     end
 
     def call
@@ -38,12 +40,24 @@ module JWTSignedRequest
 
     private
 
-    attr_reader \
-      :method, :path, :body, :headers,
-      :key_id, :lookup_key_id, :issuer, :additional_headers_to_sign
+    attr_reader(
+      :method,
+      :path,
+      :body,
+      :headers,
+      :key_id,
+      :lookup_key_id,
+      :issuer,
+      :additional_headers_to_sign,
+      :key_store_id,
+    )
 
     def stored_key
-      @stored_key ||= JWTSignedRequest.key_store.get_signing_key(key_id: lookup_key_id)
+      @stored_key ||= key_store.get_signing_key(key_id: lookup_key_id)
+    end
+
+    def key_store
+      KeyStore.find(key_store_id)
     end
 
     def secret_key

data/lib/jwt_signed_request/verify.rb

@@ -6,17 +6,18 @@ require 'jwt/version'
 
 module JWTSignedRequest
   class Verify
-    def self.call(*args)
-      new(*args).call
+    def self.call(**args)
+      new(**args).call
     end
 
     # TODO: secret_key & algorithm is deprecated and will be removed in future.
-    # For now we will support its functionaility
-    def initialize(request:, secret_key: nil, algorithm: nil, leeway: nil)
+    # For now we will support its functionality
+    def initialize(request:, secret_key: nil, algorithm: nil, leeway: nil, key_store_id: nil)
       @request = request
       @secret_key = secret_key
       @algorithm = algorithm
       @leeway = leeway
+      @key_store_id = key_store_id
     end
 
     def call
@@ -29,19 +30,23 @@ module JWTSignedRequest
 
     private
 
-    attr_reader :request, :leeway
+    attr_reader :request, :leeway, :key_store_id
 
     def stored_key
       _body, jwt_header = ::JWT.decode(jwt_token, nil, false)
       key_id = jwt_header.fetch('kid') { raise MissingKeyIdError }
       signed_algorithm = jwt_header.fetch('alg')
-      JWTSignedRequest.key_store.get_verification_key(key_id: key_id).tap do |key|
+      key_store.get_verification_key(key_id: key_id).tap do |key|
         if signed_algorithm != key[:algorithm]
           raise AlgorithmMismatchError
         end
       end
     end
 
+    def key_store
+      KeyStore.find(key_store_id)
+    end
+
     def algorithm
       @algorithm ||= stored_key.fetch(:algorithm) { raise MissingAlgorithmError }
     end

data/lib/jwt_signed_request/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JWTSignedRequest
-  VERSION = '2.5.1'.freeze
+  VERSION = '3.0.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt_signed_request
 version: !ruby/object:Gem::Version
-  version: 2.5.1
+  version: 3.0.0
 platform: ruby
 authors:
 - Envato
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-01-30 00:00:00.000000000 Z
+date: 2021-01-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -17,9 +17,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.5.0
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 2.2.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -27,9 +24,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.5.0
-    - - "<"
-      - !ruby/object:Gem::Version
-        version: 2.2.0
 - !ruby/object:Gem::Dependency
   name: rack
   requirement: !ruby/object:Gem::Requirement
@@ -45,7 +39,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: appraisal
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -59,7 +53,21 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2'
+- !ruby/object:Gem::Dependency
+  name: rack-test
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -73,7 +81,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
-  name: rack-test
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -138,7 +146,7 @@ metadata:
   bug_tracker_uri: https://github.com/envato/jwt_signed_request/issues
   changelog_uri: https://github.com/envato/jwt_signed_request/blob/master/CHANGELOG.md
   source_code_uri: https://github.com/envato/jwt_signed_request
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -153,9 +161,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6
-signing_key: 
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: JWT request signing and verification for Internal APIs
 test_files: []