RubyGems - jwt_signed_request - Versions diffs - 2.5.4 → 2.6.0 - Mend

jwt_signed_request 2.5.4 → 2.6.0

Files changed (10) hide show

checksums.yaml +4 -4
data/README.md +64 -18
data/lib/jwt_signed_request.rb +6 -6
data/lib/jwt_signed_request/key_store.rb +18 -10
data/lib/jwt_signed_request/middlewares/faraday.rb +5 -14
data/lib/jwt_signed_request/middlewares/rack.rb +21 -22
data/lib/jwt_signed_request/sign.rb +19 -5
data/lib/jwt_signed_request/verify.rb +9 -4
data/lib/jwt_signed_request/version.rb +1 -1
metadata +5 -5

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 67651a9db5318ca7f01399d88435341f421ef7b0c94f69554150794908f2b87f
-  data.tar.gz: e1f4aed3bf88ca12d3ab2c11d4621d23dae4bbae0393683861764af4da0593a6
+  metadata.gz: fb9e7a555755580bb4b37387799d44d3bc4d67d7a157060fce83183827250d15
+  data.tar.gz: b4ed152d2dfa73fc961280a6d7c09fd480565195c280f76b71e6326268ba894d
 SHA512:
-  metadata.gz: b9242de7ec84a4d0a5c69025127d900e1fc4289219b8d2f9c14b2d8caa6aee2c3f28facd5ab1df764f5fb735b5ed83d7396b7160d1738a03dfc65d97a76c6017
-  data.tar.gz: 0bf336ac071d40ae4d16f76143e8f821a3fba4c4fbd8b47fb94e6a13e33695bb7a0556adce2e19d651e4daafaee5a484d45ae4c0f2c62abfd9fa090105ab854b
+  metadata.gz: 6d7f1c2fe8ffac7c069d11231ae797fb92967cece0ed2c441167d02ebec178edb6d9474d02a0e4ec3d9a4840d8df0888cb6b00029f99190e0b24f1fceaf2f0f2
+  data.tar.gz: 0b38896799b5021d54266010534f5360819d95363b7f09a276e7b729df8d708bacd9c861e1ae194e3b6f2bd7894e7f32f2e1e60d486d00b07b84705d2cbc4713

data/README.md CHANGED

@@ -30,24 +30,32 @@ Store and encrypt these in your application secrets.
 ## Configuration
-You can add signing and verification keys to the key store as your application needs them.
+You can add signing and verification keys to one or more key stores as your application needs them.
+For example, given the following keys:
 ```ruby
-private_key = <<-pem.gsub(/^\s+/, "")
+private_key = <<-PEM.gsub(/^\s+/, "")
     -----BEGIN EC PRIVATE KEY-----
     MHcCAQEEIBOQ3YIILYMV1glTKbF9oeZWzHe3SNQjAx4IbPIxNygQoAoGCCqGSM49
     AwEHoUQDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/OexDdlmXEjHYaixzYIduluGXd
     3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
     -----END EC PRIVATE KEY-----
-  pem
+  PEM
-public_key = <<-pem.gsub(/^\s+/, "")
+public_key = <<-PEM.gsub(/^\s+/, "")
   -----BEGIN PUBLIC KEY-----
   MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/O
   exDdlmXEjHYaixzYIduluGXd3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
   -----END PUBLIC KEY-----
-pem
+PEM
+```
+### Single key store
+If your application only needs a single key store, configure it like so:
+```ruby
 require 'openssl'
 JWTSignedRequest.configure_keys do |config|
@@ -65,9 +73,35 @@ JWTSignedRequest.configure_keys do |config|
 end
 ```
+### Multiple key stores
+If your application requires multiple key stores, configure them like so:
+```ruby
+key_store_id = 'widget_admin'
+JWTSignedRequest.configure_keys(key_store_id) do |config|
+  config.add_signing_key(
+    key_id: 'client_a',
+    key: OpenSSL::PKey::EC.new(private_key),
+    algorithm: 'ES256',
+  )
+  config.add_verification_key(
+    key_id: 'client_a',
+    key: OpenSSL::PKey::EC.new(public_key),
+    algorithm: 'ES256',
+  )
+end
+```
 ## Signing Requests
-If you have added your signing keys to the key store, you will only need to specify the `key_id` you are signing the requests with.
+If you have added your signing keys to a key store, you will only need to
+specify the `key_id` you are signing the requests with.
+If you are using multiple key stores, you will also need to pass the
+appropriate `key_store_id`.
 ### Using net/http
@@ -86,6 +120,7 @@ jwt_token = JWTSignedRequest.sign(
   body: "",
   key_id: 'my-key-id',                    # used for looking up key and kid header
   lookup_key_id: 'my-alt-key-id',         # optionally override lookup key
+  key_store_id: 'widget_admin',           # optionally specify named key store ID
   issuer: 'my-issuer'                     # optional
   additional_headers_to_sign: ['X-AUTH']  # optional
 )
@@ -97,7 +132,7 @@ res = Net::HTTP.start(uri.hostname, uri.port) {|http|
 }
 ```
-### Using faraday
+### Using Faraday
 ```ruby
 require 'faraday'
@@ -105,11 +140,14 @@ require 'openssl'
 require 'jwt_signed_request/middlewares/faraday'
 conn = Faraday.new(url: URI.parse('http://example.com')) do |faraday|
-  faraday.use JWTSignedRequest::Middlewares::Faraday,
-    key_id: 'my-key-id',
-    issuer: 'my-issuer',                    # optional
-    additional_headers_to_sign: ['X-AUTH'], # optional
-    bearer_schema: true                     # optional
+  faraday.use(
+    JWTSignedRequest::Middlewares::Faraday,
+      key_id: 'my-key-id',
+      key_store_id: 'my-key-store-id',        # optional
+      issuer: 'my-issuer',                    # optional
+      additional_headers_to_sign: ['X-AUTH'], # optional
+      bearer_schema: true,                    # optional
+    )
   faraday.adapter Faraday.default_adapter
 end
@@ -134,8 +172,9 @@ Determines whether to use the [Bearer schema](https://auth0.com/docs/jwt#how-do-
 ## Verifying Requests
-Please make sure you have added your verification keys to the key store. Doing so will allow the server to verify requests signed by different signing keys.
+Please make sure you have added your verification keys to the appropriate key
+store. Doing so will allow the server to verify requests signed by different
+signing keys.
 ## Using Rails
@@ -149,7 +188,11 @@ class APIController < ApplicationController
   def verify_request
     begin
-      JWTSignedRequest.verify(request: request)
+      JWTSignedRequest.verify(
+        request: request,
+        # Use optional `key_store_id` kwarg when working with multiple key stores, eg:
+        key_store_id: 'widget_admin',
+      )
     rescue JWTSignedRequest::UnauthorizedRequestError => e
       render :json => {}, :status => :unauthorized
@@ -171,9 +214,12 @@ JWT tokens contain an expiry timestamp. If communication delays are large (or sy
 ```ruby
 class Server < Sinatra::Base
-  use JWTSignedRequest::Middlewares::Rack,
-     exclude_paths: /public|health/,          # optional regex
-     leeway: 100                              # optional
+  use(
+    JWTSignedRequest::Middlewares::Rack,
+    exclude_paths: /public|health/,          # optional regex
+    leeway: 100,                             # optional
+    key_store_id: 'my-key-store-id',         # optional
+  )
  end
 ```

data/lib/jwt_signed_request.rb CHANGED

@@ -9,15 +9,15 @@ require 'jwt_signed_request/errors'
 module JWTSignedRequest
   extend self
-  DEFAULT_ALGORITHM = 'ES256'.freeze
-  EMPTY_BODY = "".freeze
+  DEFAULT_ALGORITHM = 'ES256'
+  EMPTY_BODY = ''
-  def configure_keys
-    yield(key_store)
+  def configure_keys(key_store_id = nil)
+    yield KeyStore.find(key_store_id)
   end
-  def key_store
-    @key_store ||= KeyStore.new
+  def key_store(id = nil)
+    KeyStore.find(id)
   end
   def sign(**args)

data/lib/jwt_signed_request/key_store.rb CHANGED

@@ -2,25 +2,33 @@
 module JWTSignedRequest
   class KeyStore
+    def self.find(id)
+      all[id]
+    end
+    private_class_method def self.all
+      @all ||= Hash.new { |result, key| result[key] = KeyStore.new }
+    end
     def initialize
       @signing_keys = {}
       @verification_keys = {}
     end
     def add_signing_key(key_id:, key:, algorithm:)
-      @signing_keys.store(key_id,
-        {
-          key: key,
-          algorithm: algorithm
-        })
+      @signing_keys.store(
+        key_id,
+        key: key,
+        algorithm: algorithm,
+      )
     end
     def add_verification_key(key_id:, key:, algorithm:)
-      @verification_keys.store(key_id,
-        {
-          key: key,
-          algorithm: algorithm
-        })
+      @verification_keys.store(
+        key_id,
+        key: key,
+        algorithm: algorithm,
+      )
     end
     def get_signing_key(key_id:)

data/lib/jwt_signed_request/middlewares/faraday.rb CHANGED

@@ -6,7 +6,8 @@ require 'jwt_signed_request'
 module JWTSignedRequest
   module Middlewares
     class Faraday < Faraday::Middleware
-      def initialize(app, options)
+      def initialize(app, bearer_schema: nil, **options)
+        @bearer_schema = bearer_schema
         @options = options
         super(app)
       end
@@ -19,7 +20,7 @@ module JWTSignedRequest
           path:       env[:url].request_uri,
           headers:    env[:request_headers],
           body:       env[:body],
-          **optional_settings
+          **options,
         )
         env[:request_headers].store("Authorization", authorization_header)
@@ -29,24 +30,14 @@ module JWTSignedRequest
       private
-      attr_reader :app, :env, :options, :jwt_token
+      attr_reader :app, :env, :bearer_schema, :options, :jwt_token
       def authorization_header
         bearer_schema? ? "Bearer #{jwt_token}" : jwt_token
       end
       def bearer_schema?
-        options[:bearer_schema] == true
-      end
-      def optional_settings
-        {
-          secret_key:                 options[:secret_key],
-          algorithm:                  options[:algorithm],
-          additional_headers_to_sign: options[:additional_headers_to_sign],
-          key_id:                     options[:key_id],
-          issuer:                     options[:issuer],
-        }.reject { |_, value| value.nil? }
+        bearer_schema == true
       end
     end
   end

data/lib/jwt_signed_request/middlewares/rack.rb CHANGED

@@ -8,41 +8,40 @@ module JWTSignedRequest
     class Rack
       UNAUTHORIZED_STATUS_CODE = 401
-      def initialize(app, options = {})
+      def initialize(app, secret_key: nil, algorithm: nil, leeway: nil, exclude_paths: nil, key_store_id: nil)
         @app = app
-        @secret_key = options[:secret_key]
-        @algorithm = options[:algorithm]
-        @leeway = options[:leeway]
-        @exclude_paths = options[:exclude_paths]
+        @secret_key = secret_key
+        @algorithm = algorithm
+        @leeway = leeway
+        @exclude_paths = exclude_paths
+        @key_store_id = key_store_id
       end
       def call(env)
-        begin
-          unless excluded_path?(env)
-            args = {
-              request: ::Rack::Request.new(env),
-              secret_key: secret_key,
-              algorithm: algorithm,
-              leeway: leeway
-            }.reject { |_, value| value.nil? }
-            ::JWTSignedRequest.verify(**args)
-          end
-          app.call(env)
-        rescue ::JWTSignedRequest::UnauthorizedRequestError => e
-          [UNAUTHORIZED_STATUS_CODE, {'Content-Type' => 'application/json'} , []]
-        end
+        ::JWTSignedRequest.verify(**verification_args(env)) unless excluded_path?(env)
+        app.call(env)
+      rescue ::JWTSignedRequest::UnauthorizedRequestError
+        [UNAUTHORIZED_STATUS_CODE, {'Content-Type' => 'application/json'}, []]
       end
       private
-      attr_reader :app, :secret_key, :algorithm, :leeway, :exclude_paths
+      attr_reader :app, :secret_key, :algorithm, :leeway, :exclude_paths, :key_store_id
       def excluded_path?(env)
         !exclude_paths.nil? &&
           env['PATH_INFO'].match(exclude_paths)
       end
+      def verification_args(env)
+        {
+          request: ::Rack::Request.new(env),
+          secret_key: secret_key,
+          algorithm: algorithm,
+          leeway: leeway,
+          key_store_id: key_store_id,
+        }
+      end
     end
   end
 end

data/lib/jwt_signed_request/sign.rb CHANGED

@@ -18,7 +18,8 @@ module JWTSignedRequest
       key_id: nil,
       lookup_key_id: key_id,
       issuer: nil,
-      additional_headers_to_sign: nil
+      additional_headers_to_sign: nil,
+      key_store_id: nil
     )
       @method = method
       @path = path
@@ -30,6 +31,7 @@ module JWTSignedRequest
       @lookup_key_id = lookup_key_id
       @issuer = issuer
       @additional_headers_to_sign = additional_headers_to_sign
+      @key_store_id = key_store_id
     end
     def call
@@ -38,12 +40,24 @@ module JWTSignedRequest
     private
-    attr_reader \
-      :method, :path, :body, :headers,
-      :key_id, :lookup_key_id, :issuer, :additional_headers_to_sign
+    attr_reader(
+      :method,
+      :path,
+      :body,
+      :headers,
+      :key_id,
+      :lookup_key_id,
+      :issuer,
+      :additional_headers_to_sign,
+      :key_store_id,
+    )
     def stored_key
-      @stored_key ||= JWTSignedRequest.key_store.get_signing_key(key_id: lookup_key_id)
+      @stored_key ||= key_store.get_signing_key(key_id: lookup_key_id)
+    end
+    def key_store
+      KeyStore.find(key_store_id)
     end
     def secret_key

data/lib/jwt_signed_request/verify.rb CHANGED

@@ -11,12 +11,13 @@ module JWTSignedRequest
     end
     # TODO: secret_key & algorithm is deprecated and will be removed in future.
-    # For now we will support its functionaility
-    def initialize(request:, secret_key: nil, algorithm: nil, leeway: nil)
+    # For now we will support its functionality
+    def initialize(request:, secret_key: nil, algorithm: nil, leeway: nil, key_store_id: nil)
       @request = request
       @secret_key = secret_key
       @algorithm = algorithm
       @leeway = leeway
+      @key_store_id = key_store_id
     end
     def call
@@ -29,19 +30,23 @@ module JWTSignedRequest
     private
-    attr_reader :request, :leeway
+    attr_reader :request, :leeway, :key_store_id
     def stored_key
       _body, jwt_header = ::JWT.decode(jwt_token, nil, false)
       key_id = jwt_header.fetch('kid') { raise MissingKeyIdError }
       signed_algorithm = jwt_header.fetch('alg')
-      JWTSignedRequest.key_store.get_verification_key(key_id: key_id).tap do |key|
+      key_store.get_verification_key(key_id: key_id).tap do |key|
         if signed_algorithm != key[:algorithm]
           raise AlgorithmMismatchError
         end
       end
     end
+    def key_store
+      KeyStore.find(key_store_id)
+    end
     def algorithm
       @algorithm ||= stored_key.fetch(:algorithm) { raise MissingAlgorithmError }
     end

data/lib/jwt_signed_request/version.rb CHANGED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module JWTSignedRequest
-  VERSION = '2.5.4'
+  VERSION = '2.6.0'
 end

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt_signed_request
 version: !ruby/object:Gem::Version
-  version: 2.5.4
+  version: 2.6.0
 platform: ruby
 authors:
 - Envato
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-01 00:00:00.000000000 Z
+date: 2020-08-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -132,7 +132,7 @@ metadata:
   bug_tracker_uri: https://github.com/envato/jwt_signed_request/issues
   changelog_uri: https://github.com/envato/jwt_signed_request/blob/master/CHANGELOG.md
   source_code_uri: https://github.com/envato/jwt_signed_request
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -148,7 +148,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.1.2
-signing_key:
+signing_key:
 specification_version: 4
 summary: JWT request signing and verification for Internal APIs
 test_files: []