RubyGems - jwt_signed_request - Versions diffs - 2.5.4 → 2.6.0 - Mend

jwt_signed_request 2.5.4 → 2.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/README.md +64 -18
data/lib/jwt_signed_request.rb +6 -6
data/lib/jwt_signed_request/key_store.rb +18 -10
data/lib/jwt_signed_request/middlewares/faraday.rb +5 -14
data/lib/jwt_signed_request/middlewares/rack.rb +21 -22
data/lib/jwt_signed_request/sign.rb +19 -5
data/lib/jwt_signed_request/verify.rb +9 -4
data/lib/jwt_signed_request/version.rb +1 -1
metadata +5 -5

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 67651a9db5318ca7f01399d88435341f421ef7b0c94f69554150794908f2b87f
-  data.tar.gz: e1f4aed3bf88ca12d3ab2c11d4621d23dae4bbae0393683861764af4da0593a6
+  metadata.gz: fb9e7a555755580bb4b37387799d44d3bc4d67d7a157060fce83183827250d15
+  data.tar.gz: b4ed152d2dfa73fc961280a6d7c09fd480565195c280f76b71e6326268ba894d
 SHA512:
-  metadata.gz: b9242de7ec84a4d0a5c69025127d900e1fc4289219b8d2f9c14b2d8caa6aee2c3f28facd5ab1df764f5fb735b5ed83d7396b7160d1738a03dfc65d97a76c6017
-  data.tar.gz: 0bf336ac071d40ae4d16f76143e8f821a3fba4c4fbd8b47fb94e6a13e33695bb7a0556adce2e19d651e4daafaee5a484d45ae4c0f2c62abfd9fa090105ab854b
+  metadata.gz: 6d7f1c2fe8ffac7c069d11231ae797fb92967cece0ed2c441167d02ebec178edb6d9474d02a0e4ec3d9a4840d8df0888cb6b00029f99190e0b24f1fceaf2f0f2
+  data.tar.gz: 0b38896799b5021d54266010534f5360819d95363b7f09a276e7b729df8d708bacd9c861e1ae194e3b6f2bd7894e7f32f2e1e60d486d00b07b84705d2cbc4713

data/README.md CHANGED

@@ -30,24 +30,32 @@ Store and encrypt these in your application secrets.
 ## Configuration
-You can add signing and verification keys to the key store as your application needs them.
+You can add signing and verification keys to one or more key stores as your application needs them.
+For example, given the following keys:
 ```ruby
-private_key = <<-pem.gsub(/^\s+/, "")
+private_key = <<-PEM.gsub(/^\s+/, "")
     -----BEGIN EC PRIVATE KEY-----
     MHcCAQEEIBOQ3YIILYMV1glTKbF9oeZWzHe3SNQjAx4IbPIxNygQoAoGCCqGSM49
     AwEHoUQDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/OexDdlmXEjHYaixzYIduluGXd
     3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
     -----END EC PRIVATE KEY-----
-  pem
+  PEM
-public_key = <<-pem.gsub(/^\s+/, "")
+public_key = <<-PEM.gsub(/^\s+/, "")
   -----BEGIN PUBLIC KEY-----
   MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/O
   exDdlmXEjHYaixzYIduluGXd3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
   -----END PUBLIC KEY-----
-pem
+PEM
+```
+### Single key store
+If your application only needs a single key store, configure it like so:
+```ruby
 require 'openssl'
 JWTSignedRequest.configure_keys do |config|
@@ -65,9 +73,35 @@ JWTSignedRequest.configure_keys do |config|
 end
 ```
+### Multiple key stores
+If your application requires multiple key stores, configure them like so:
+```ruby
+key_store_id = 'widget_admin'
+JWTSignedRequest.configure_keys(key_store_id) do |config|
+  config.add_signing_key(
+    key_id: 'client_a',
+    key: OpenSSL::PKey::EC.new(private_key),
+    algorithm: 'ES256',
+  )
+  config.add_verification_key(
+    key_id: 'client_a',
+    key: OpenSSL::PKey::EC.new(public_key),
+    algorithm: 'ES256',
+  )
+end
+```
 ## Signing Requests
-If you have added your signing keys to the key store, you will only need to specify the `key_id` you are signing the requests with.
+If you have added your signing keys to a key store, you will only need to
+specify the `key_id` you are signing the requests with.
+If you are using multiple key stores, you will also need to pass the
+appropriate `key_store_id`.
 ### Using net/http
@@ -86,6 +120,7 @@ jwt_token = JWTSignedRequest.sign(
   body: "",
   key_id: 'my-key-id',                    # used for looking up key and kid header
   lookup_key_id: 'my-alt-key-id',         # optionally override lookup key
+  key_store_id: 'widget_admin',           # optionally specify named key store ID
   issuer: 'my-issuer'                     # optional
   additional_headers_to_sign: ['X-AUTH']  # optional
 )
@@ -97,7 +132,7 @@ res = Net::HTTP.start(uri.hostname, uri.port) {|http|
 }
 ```
-### Using faraday
+### Using Faraday
 ```ruby
 require 'faraday'
@@ -105,11 +140,14 @@ require 'openssl'
 require 'jwt_signed_request/middlewares/faraday'
 conn = Faraday.new(url: URI.parse('http://example.com')) do |faraday|
-  faraday.use JWTSignedRequest::Middlewares::Faraday,
-    key_id: 'my-key-id',
-    issuer: 'my-issuer',                    # optional
-    additional_headers_to_sign: ['X-AUTH'], # optional
-    bearer_schema: true                     # optional
+  faraday.use(
+    JWTSignedRequest::Middlewares::Faraday,
+      key_id: 'my-key-id',
+      key_store_id: 'my-key-store-id',        # optional
+      issuer: 'my-issuer',                    # optional
+      additional_headers_to_sign: ['X-AUTH'], # optional
+      bearer_schema: true,                    # optional
+    )
   faraday.adapter Faraday.default_adapter
 end
@@ -134,8 +172,9 @@ Determines whether to use the [Bearer schema](https://auth0.com/docs/jwt#how-do-
 ## Verifying Requests
-Please make sure you have added your verification keys to the key store. Doing so will allow the server to verify requests signed by different signing keys.
+Please make sure you have added your verification keys to the appropriate key
+store. Doing so will allow the server to verify requests signed by different
+signing keys.
 ## Using Rails
@@ -149,7 +188,11 @@ class APIController < ApplicationController
   def verify_request
     begin
-      JWTSignedRequest.verify(request: request)
+      JWTSignedRequest.verify(
+        request: request,
+        # Use optional `key_store_id` kwarg when working with multiple key stores, eg:
+        key_store_id: 'widget_admin',
+      )
     rescue JWTSignedRequest::UnauthorizedRequestError => e
       render :json => {}, :status => :unauthorized
@@ -171,9 +214,12 @@ JWT tokens contain an expiry timestamp. If communication delays are large (or sy
 ```ruby
 class Server < Sinatra::Base
-  use JWTSignedRequest::Middlewares::Rack,
-     exclude_paths: /public|health/,          # optional regex
-     leeway: 100                              # optional
+  use(
+    JWTSignedRequest::Middlewares::Rack,
+    exclude_paths: /public|health/,          # optional regex
+    leeway: 100,                             # optional
+    key_store_id: 'my-key-store-id',         # optional
+  )
  end
 ```

data/lib/jwt_signed_request.rb CHANGED

@@ -9,15 +9,15 @@ require 'jwt_signed_request/errors'
 module JWTSignedRequest
   extend self
-  DEFAULT_ALGORITHM = 'ES256'.freeze
-  EMPTY_BODY = "".freeze
+  DEFAULT_ALGORITHM = 'ES256'
+  EMPTY_BODY = ''
-  def configure_keys
-    yield(key_store)
+  def configure_keys(key_store_id = nil)
+    yield KeyStore.find(key_store_id)
   end
-  def key_store
-    @key_store ||= KeyStore.new
+  def key_store(id = nil)
+    KeyStore.find(id)
   end
   def sign(**args)

data/lib/jwt_signed_request/key_store.rb CHANGED

@@ -2,25 +2,33 @@
 module JWTSignedRequest
   class KeyStore
+    def self.find(id)
+      all[id]
+    end
+    private_class_method def self.all
+      @all ||= Hash.new { |result, key| result[key] = KeyStore.new }
+    end
     def initialize
       @signing_keys = {}
       @verification_keys = {}
     end
     def add_signing_key(key_id:, key:, algorithm:)
-      @signing_keys.store(key_id,
-        {
-          key: key,
-          algorithm: algorithm
-        })
+      @signing_keys.store(
+        key_id,
+        key: key,
+        algorithm: algorithm,
+      )
     end
     def add_verification_key(key_id:, key:, algorithm:)
-      @verification_keys.store(key_id,
-        {
-          key: key,
-          algorithm: algorithm
-        })
+      @verification_keys.store(
+        key_id,
+        key: key,
+        algorithm: algorithm,
+      )
     end
     def get_signing_key(key_id:)

data/lib/jwt_signed_request/middlewares/faraday.rb CHANGED

@@ -6,7 +6,8 @@ require 'jwt_signed_request'
 module JWTSignedRequest
   module Middlewares
     class Faraday < Faraday::Middleware
-      def initialize(app, options)
+      def initialize(app, bearer_schema: nil, **options)
+        @bearer_schema = bearer_schema
         @options = options
         super(app)
       end
@@ -19,7 +20,7 @@ module JWTSignedRequest
           path:       env[:url].request_uri,
           headers:    env[:request_headers],
           body:       env[:body],
-          **optional_settings
+          **options,
         )
         env[:request_headers].store("Authorization", authorization_header)
@@ -29,24 +30,14 @@ module JWTSignedRequest
       private
-      attr_reader :app, :env, :options, :jwt_token
+      attr_reader :app, :env, :bearer_schema, :options, :jwt_token
       def authorization_header
         bearer_schema? ? "Bearer #{jwt_token}" : jwt_token
       end
       def bearer_schema?
-        options[:bearer_schema] == true
-      end
-      def optional_settings
-        {
-          secret_key:                 options[:secret_key],
-          algorithm:                  options[:algorithm],
-          additional_headers_to_sign: options[:additional_headers_to_sign],
-          key_id:                     options[:key_id],
-          issuer:                     options[:issuer],
-        }.reject { |_, value| value.nil? }
+        bearer_schema == true
       end
     end
   end

data/lib/jwt_signed_request/middlewares/rack.rb CHANGED

@@ -8,41 +8,40 @@ module JWTSignedRequest
     class Rack
       UNAUTHORIZED_STATUS_CODE = 401
-      def initialize(app, options = {})
+      def initialize(app, secret_key: nil, algorithm: nil, leeway: nil, exclude_paths: nil, key_store_id: nil)
         @app = app
-        @secret_key = options[:secret_key]
-        @algorithm = options[:algorithm]
-        @leeway = options[:leeway]
-        @exclude_paths = options[:exclude_paths]
+        @secret_key = secret_key
+        @algorithm = algorithm
+        @leeway = leeway
+        @exclude_paths = exclude_paths
+        @key_store_id = key_store_id
       end
       def call(env)
-        begin
-          unless excluded_path?(env)
-            args = {
-              request: ::Rack::Request.new(env),
-              secret_key: secret_key,
-              algorithm: algorithm,
-              leeway: leeway
-            }.reject { |_, value| value.nil? }
-            ::JWTSignedRequest.verify(**args)
-          end
-          app.call(env)
-        rescue ::JWTSignedRequest::UnauthorizedRequestError => e
-          [UNAUTHORIZED_STATUS_CODE, {'Content-Type' => 'application/json'} , []]
-        end
+        ::JWTSignedRequest.verify(**verification_args(env)) unless excluded_path?(env)
+        app.call(env)
+      rescue ::JWTSignedRequest::UnauthorizedRequestError
+        [UNAUTHORIZED_STATUS_CODE, {'Content-Type' => 'application/json'}, []]
       end
       private
-      attr_reader :app, :secret_key, :algorithm, :leeway, :exclude_paths
+      attr_reader :app, :secret_key, :algorithm, :leeway, :exclude_paths, :key_store_id
       def excluded_path?(env)
         !exclude_paths.nil? &&
           env['PATH_INFO'].match(exclude_paths)
       end
+      def verification_args(env)
+        {
+          request: ::Rack::Request.new(env),
+          secret_key: secret_key,
+          algorithm: algorithm,
+          leeway: leeway,
+          key_store_id: key_store_id,
+        }
+      end
     end
   end
 end

data/lib/jwt_signed_request/sign.rb CHANGED

@@ -18,7 +18,8 @@ module JWTSignedRequest
       key_id: nil,
       lookup_key_id: key_id,
       issuer: nil,
-      additional_headers_to_sign: nil
+      additional_headers_to_sign: nil,
+      key_store_id: nil
     )
       @method = method
       @path = path
@@ -30,6 +31,7 @@ module JWTSignedRequest
       @lookup_key_id = lookup_key_id
       @issuer = issuer
       @additional_headers_to_sign = additional_headers_to_sign
+      @key_store_id = key_store_id
     end
     def call
@@ -38,12 +40,24 @@ module JWTSignedRequest
     private
-    attr_reader \
-      :method, :path, :body, :headers,
-      :key_id, :lookup_key_id, :issuer, :additional_headers_to_sign
+    attr_reader(
+      :method,
+      :path,
+      :body,
+      :headers,
+      :key_id,
+      :lookup_key_id,
+      :issuer,
+      :additional_headers_to_sign,
+      :key_store_id,
+    )
     def stored_key
-      @stored_key ||= JWTSignedRequest.key_store.get_signing_key(key_id: lookup_key_id)
+      @stored_key ||= key_store.get_signing_key(key_id: lookup_key_id)
+    end
+    def key_store
+      KeyStore.find(key_store_id)
     end
     def secret_key

data/lib/jwt_signed_request/verify.rb CHANGED

@@ -11,12 +11,13 @@ module JWTSignedRequest
     end
     # TODO: secret_key & algorithm is deprecated and will be removed in future.
-    # For now we will support its functionaility
-    def initialize(request:, secret_key: nil, algorithm: nil, leeway: nil)
+    # For now we will support its functionality
+    def initialize(request:, secret_key: nil, algorithm: nil, leeway: nil, key_store_id: nil)
       @request = request
       @secret_key = secret_key
       @algorithm = algorithm
       @leeway = leeway
+      @key_store_id = key_store_id
     end
     def call
@@ -29,19 +30,23 @@ module JWTSignedRequest
     private
-    attr_reader :request, :leeway
+    attr_reader :request, :leeway, :key_store_id
     def stored_key
       _body, jwt_header = ::JWT.decode(jwt_token, nil, false)
       key_id = jwt_header.fetch('kid') { raise MissingKeyIdError }
       signed_algorithm = jwt_header.fetch('alg')
-      JWTSignedRequest.key_store.get_verification_key(key_id: key_id).tap do |key|
+      key_store.get_verification_key(key_id: key_id).tap do |key|
         if signed_algorithm != key[:algorithm]
           raise AlgorithmMismatchError
         end
       end
     end
+    def key_store
+      KeyStore.find(key_store_id)
+    end
     def algorithm
       @algorithm ||= stored_key.fetch(:algorithm) { raise MissingAlgorithmError }
     end

data/lib/jwt_signed_request/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module JWTSignedRequest
-  VERSION = '2.5.4'
+  VERSION = '2.6.0'
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt_signed_request
 version: !ruby/object:Gem::Version
-  version: 2.5.4
+  version: 2.6.0
 platform: ruby
 authors:
 - Envato
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-01 00:00:00.000000000 Z
+date: 2020-08-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -132,7 +132,7 @@ metadata:
   bug_tracker_uri: https://github.com/envato/jwt_signed_request/issues
   changelog_uri: https://github.com/envato/jwt_signed_request/blob/master/CHANGELOG.md
   source_code_uri: https://github.com/envato/jwt_signed_request
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -148,7 +148,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.1.2
-signing_key:
+signing_key:
 specification_version: 4
 summary: JWT request signing and verification for Internal APIs
 test_files: []