jwt_signed_request 1.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 753794ac95f697ec022de56fe9d4db85265e4920
+  data.tar.gz: 16109643b05330e94cd586f246e57039892fa2ee
+SHA512:
+  metadata.gz: 85f8a16181085937c113444c211d7e0eba0ecfe865d6e829576589713825df3263f392f44a4edb08ccf2ad3986bcf702964622ed9f8e69dc28f56d85a0f83283
+  data.tar.gz: dbbd9e2db0bfe7c0ca0c53f233af500f02aa878dfdf52edefe8408b7629b18d11da4a05016873e6361a96fb1626175e187410523e0954c9bcd558a3197bad9ff

data/README.md

@@ -0,0 +1,178 @@
+# JWT Signed Request
+
+Request signing and verification for Internal APIs using JWT.
+
+## Getting Started
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'jwt_signed_request'
+```
+
+then run:
+
+```sh
+$ bundle
+```
+
+## Generating EC Keys
+
+We should be using a public key encryption alogorithm such as **ES256**. To generate your public/private key pair using **ES256** run:
+
+```sh
+$ openssl ecparam -genkey -name prime256v1 -noout -out myprivatekey.pem
+$ openssl ec -in myprivatekey.pem -pubout -out mypubkey.pem
+```
+
+Store and encrypt these in your application secrets.
+
+## Signing Requests
+
+If you are using an asymmetrical encryption algorithm such as ES256 you will sign your requests using the private key.
+
+### Using net/http
+
+```ruby
+require 'net/http'
+require 'uri'
+require 'openssl'
+require 'jwt_signed_request'
+
+private_key = """
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIBOQ3YIILYMV1glTKbF9oeZWzHe3SNQjAx4IbPIxNygQoAoGCCqGSM49
+AwEHoUQDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/OexDdlmXEjHYaixzYIduluGXd
+3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
+-----END EC PRIVATE KEY-----
+"""
+
+uri = URI('http://example.com')
+req = Net::HTTP::Get.new(uri)
+
+req['Authorization'] = JWTSignedRequest.sign(
+  method: req.method,
+  path: req.path,
+  headers: {"Content-Type" => "application/json"},
+  body: "",
+  secret_key: OpenSSL::PKey::EC.new(private_key),
+  algorithm: 'ES256',                     # optional (default: ES256)
+  key_id: 'my-key-id',                    # optional
+  issuer: 'my-issuer'                     # optional
+  additional_headers_to_sign: ['X-AUTH']  # optional
+)
+
+res = Net::HTTP.start(uri.hostname, uri.port) {|http|
+  http.request(req)
+}
+```
+
+### Using faraday
+
+```ruby
+require 'faraday'
+require 'openssl'
+require 'jwt_signed_request/middlewares/faraday'
+
+private_key = """
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIBOQ3YIILYMV1glTKbF9oeZWzHe3SNQjAx4IbPIxNygQoAoGCCqGSM49
+AwEHoUQDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/OexDdlmXEjHYaixzYIduluGXd
+3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
+-----END EC PRIVATE KEY-----
+"""
+
+conn = Faraday.new(url: URI.parse('http://example.com')) do |faraday|
+  faraday.use JWTSignedRequest::Middlewares::Faraday,
+    secret_key: OpenSSL::PKey::EC.new(private_key),
+    algorithm: 'EC256',                     # optional (default: ES256)
+    key_id: 'my-key-id',                    # optional
+    issuer: 'my-issuer',                    # optional
+    additional_headers_to_sign: ['X-AUTH']  # optional
+
+  faraday.adapter Faraday.default_adapter
+end
+
+conn.post do |req|
+  req.url 'http://example.com'
+  req.body = '{ "name": "Unagi" }'
+end
+```
+
+## Verifying Requests
+
+If you are using an asymmetrical encryption algorithm such as ES256 you will verify the request using the public key.
+
+## Using Rails
+
+```ruby
+class APIController < ApplicationController
+  PUBLIC_KEY = """
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/O
+exDdlmXEjHYaixzYIduluGXd3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
+-----END PUBLIC KEY-----
+  """
+
+  before_action :verify_request
+
+  ...
+
+  private
+
+  def verify_request
+    begin
+      JWTSignedRequest.verify(
+        request: request,
+        secret_key: OpenSSL::PKey::EC.new(PUBLIC_KEY)
+      )
+
+    rescue JWTSignedRequest::UnauthorizedRequestError => e
+      render :json => {}, :status => :unauthorized
+    end
+  end
+
+end
+```
+
+## Using Rack Middleware
+
+```ruby
+PUBLIC_KEY = """
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/O
+exDdlmXEjHYaixzYIduluGXd3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
+-----END PUBLIC KEY-----
+"""
+
+class Server < Sinatra::Base
+  use JWTSignedRequest::Middlewares::Rack
+     secret_key: OpenSSL::PKey::EC.new(PUBLIC_KEY)
+ end
+```
+
+## Maintainers
+- [Toan Nguyen](https://github.com/yoshdog)
+
+## License
+
+`JWTSignedRequest` uses MIT license. See
+[`LICENSE.txt`](https://github.com/envato/jwt_signed_request/blob/master/LICENSE.txt) for
+details.
+
+## Code of conduct
+
+We welcome contribution from everyone. Read more about it in
+[`CODE_OF_CONDUCT.md`](https://github.com/envato/jwt_signed_request/blob/master/CODE_OF_CONDUCT.md)
+
+## Contributing
+
+For bug fixes, documentation changes, and small features:
+
+1. Fork it ( https://github.com/[my-github-username]/jwt_signed_request/fork )
+2. Create your feature branch (git checkout -b my-new-feature)
+3. Commit your changes (git commit -am 'Add some feature')
+4. Push to the branch (git push origin my-new-feature)
+5. Create a new Pull Request
+
+For larger new features: Do everything as above, but first also make contact with the project maintainers to be sure your change fits with the project direction and you won't be wasting effort going in the wrong direction

data/lib/jwt_signed_request/claims.rb

@@ -0,0 +1,81 @@
+require 'digest'
+require 'json'
+require 'rack/utils'
+
+module JWTSignedRequest
+  class Claims
+    EMPTY_HEADERS = [].freeze
+
+    def self.generate(args)
+      new(**args).generate
+    end
+
+    def initialize(method:, path:, headers:, body:, additional_headers_to_sign: EMPTY_HEADERS, timeout: DEFAULT_TIMEOUT, issuer:)
+      @method = method
+      @path = path
+      @headers = headers
+      @body = body
+      @additional_headers_to_sign = additional_headers_to_sign
+      @timeout = timeout
+      @issuer = issuer
+    end
+
+    private_class_method :new
+
+    def generate
+      result = {
+        method: method,
+        path: path,
+        headers: serialized_headers,
+        body_sha: body_sha,
+        exp: (Time.now + timeout).to_i
+      }
+      result[:iss] = issuer if issuer
+      result
+    end
+
+    private
+
+    attr_reader :method, :path, :headers, :body, :additional_headers_to_sign, :timeout, :issuer
+
+    HEADERS_TO_SIGN = %w(
+      Content-Type
+      Content-Length
+      Date
+      User-Agent
+    ).freeze
+
+    private_constant :HEADERS_TO_SIGN
+
+    DEFAULT_TIMEOUT = 30.freeze
+
+    private_constant :DEFAULT_TIMEOUT
+
+    def formatted_body
+      case body
+        when String
+          body
+        when Array, Hash
+          Rack::Utils.build_query(body)
+      end
+    end
+
+    def body_sha
+      Digest::SHA256.hexdigest(formatted_body)
+    end
+
+    def headers_to_sign
+      HEADERS_TO_SIGN + additional_headers_to_sign
+    end
+
+    def filtered_headers
+      headers.select do |header_name, _|
+        headers_to_sign.include?(header_name)
+      end
+    end
+
+    def serialized_headers
+      JSON.dump(filtered_headers)
+    end
+  end
+end

data/lib/jwt_signed_request/headers.rb

@@ -0,0 +1,68 @@
+# We need a way to pull out the headers from a RAW Rack ENV hash.
+#
+# We took out the bits we need to lookup the headers from:
+# https://github.com/rails/rails/blob/master/actionpack/lib/action_dispatch/http/headers.rb
+#
+# We didn't want to include actionpack as a dependency of the library as it brings in alot of
+# other dependencies.
+
+module JWTSignedRequest
+  class Headers
+    def self.fetch(key, request)
+      new(request).fetch(key)
+    end
+
+    def initialize(request)
+      @request = request
+    end
+
+    def fetch(key)
+      env_key = env_name(key)
+      request_env[env_key]
+    end
+
+    private
+
+    attr_reader :request
+
+    def request_env
+      request.env
+    end
+
+    CGI_VARIABLES = Set.new(%W[
+      AUTH_TYPE
+      CONTENT_LENGTH
+      CONTENT_TYPE
+      GATEWAY_INTERFACE
+      HTTPS
+      PATH_INFO
+      PATH_TRANSLATED
+      QUERY_STRING
+      REMOTE_ADDR
+      REMOTE_HOST
+      REMOTE_IDENT
+      REMOTE_USER
+      REQUEST_METHOD
+      SCRIPT_NAME
+      SERVER_NAME
+      SERVER_PORT
+      SERVER_PROTOCOL
+      SERVER_SOFTWARE
+    ]).freeze
+
+    private_constant :CGI_VARIABLES
+
+    HTTP_HEADER = /\A[A-Za-z0-9-]+\z/
+
+    private_constant :HTTP_HEADER
+
+    def env_name(key)
+      key = key.to_s
+      if key =~ HTTP_HEADER
+        key = key.upcase.tr('-', '_')
+        key = "HTTP_" + key unless CGI_VARIABLES.include?(key)
+      end
+      key
+    end
+  end
+end

data/lib/jwt_signed_request/middlewares/faraday.rb

@@ -0,0 +1,40 @@
+require 'faraday'
+require 'jwt_signed_request'
+
+module JWTSignedRequest
+  module Middlewares
+    class Faraday < Faraday::Middleware
+      def initialize(app, options)
+        @options = options
+        super(app)
+      end
+
+      def call(env)
+        jwt_token = ::JWTSignedRequest.sign(
+          method:     env[:method],
+          path:       env[:url].request_uri,
+          headers:    env[:request_headers],
+          body:       env.fetch(:body, ::JWTSignedRequest::EMPTY_BODY),
+          secret_key: options[:secret_key],
+          **optional_settings
+        )
+
+        env[:request_headers].store("Authorization", jwt_token)
+        app.call(env)
+      end
+
+      private
+
+      attr_reader :app, :env, :options
+
+      def optional_settings
+        {
+          algorithm:                  options[:algorithm],
+          additional_headers_to_sign: options[:additional_headers_to_sign],
+          key_id:                     options[:key_id],
+          issuer:                     options[:issuer],
+        }.reject { |_, value| value.nil? }
+      end
+    end
+  end
+end

data/lib/jwt_signed_request/middlewares/rack.rb

@@ -0,0 +1,34 @@
+require 'rack'
+require 'jwt_signed_request'
+
+module JWTSignedRequest
+  module Middlewares
+    class Rack
+      UNAUTHORIZED_STATUS_CODE = 401.freeze
+
+      def initialize(app, options = {})
+        @app = app
+        @secret_key = options.fetch(:secret_key)
+        @algorithm = options[:algorithm]
+      end
+
+      def call(env)
+        begin
+          ::JWTSignedRequest.verify(
+            request: ::Rack::Request.new(env),
+            secret_key: secret_key,
+            algorithm: algorithm
+          )
+
+          app.call(env)
+        rescue ::JWTSignedRequest::UnauthorizedRequestError => e
+          [UNAUTHORIZED_STATUS_CODE, {'Content-Type' => 'application/json'} , []]
+        end
+      end
+
+      private
+
+      attr_reader :app, :secret_key, :algorithm
+    end
+  end
+end

data/lib/jwt_signed_request/version.rb

@@ -0,0 +1,3 @@
+module JWTSignedRequest
+  VERSION = "1.0.1".freeze
+end

data/lib/jwt_signed_request.rb

@@ -0,0 +1,68 @@
+require 'jwt'
+require 'jwt_signed_request/claims'
+require 'jwt_signed_request/headers'
+
+module JWTSignedRequest
+  DEFAULT_ALGORITHM = 'ES256'.freeze
+  EMPTY_BODY = "".freeze
+
+  UnauthorizedRequestError = Class.new(StandardError)
+  MissingAuthorizationHeaderError = Class.new(UnauthorizedRequestError)
+  JWTDecodeError = Class.new(UnauthorizedRequestError)
+  RequestVerificationFailedError = Class.new(UnauthorizedRequestError)
+
+  def self.sign(method:, path:, body: EMPTY_BODY, headers:, secret_key:, algorithm: DEFAULT_ALGORITHM, key_id: nil, issuer: nil, additional_headers_to_sign: Claims::EMPTY_HEADERS)
+    additional_jwt_headers = key_id ? {kid: key_id} : {}
+    JWT.encode(
+      Claims.generate(
+        method: method,
+        path: path,
+        headers: headers,
+        body: body,
+        additional_headers_to_sign: additional_headers_to_sign,
+        issuer: issuer
+      ),
+      secret_key,
+      algorithm,
+      additional_jwt_headers
+    )
+  end
+
+  def self.verify(request:, secret_key:, algorithm: nil)
+    jwt_token = Headers.fetch('Authorization', request)
+    algorithm ||= DEFAULT_ALGORITHM
+
+    if jwt_token.nil?
+      raise MissingAuthorizationHeaderError, "Missing Authorization header in the request"
+    end
+
+    begin
+      claims = JWT.decode(jwt_token, secret_key, algorithm)[0]
+      unless verified_request?(request: request, claims: claims)
+        raise RequestVerificationFailedError, "Request failed verification"
+      end
+
+    rescue ::JWT::DecodeError => e
+      raise JWTDecodeError, e.message
+    end
+  end
+
+  def self.verified_request?(request:, claims:)
+    claims['method'].downcase == request.request_method.downcase &&
+      claims['path'] == request.fullpath &&
+      claims['body_sha'] == Digest::SHA256.hexdigest(request.body.read || "") &&
+      verified_headers?(request: request, claims: claims)
+  end
+
+  private_class_method :verified_request?
+
+  def self.verified_headers?(request:, claims:)
+    parsed_headers = JSON.parse(claims['headers'])
+
+    parsed_headers.all? do |header_key, header_value|
+      Headers.fetch(header_key, request) == header_value
+    end
+  end
+
+  private_class_method :verified_headers?
+end

metadata

@@ -0,0 +1,149 @@
+--- !ruby/object:Gem::Specification
+name: jwt_signed_request
+version: !ruby/object:Gem::Version
+  version: 1.0.1
+platform: ruby
+authors:
+- Toan Nguyen
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-09-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: ''
+email:
+- toan.nguyen@envato.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/jwt_signed_request.rb
+- lib/jwt_signed_request/claims.rb
+- lib/jwt_signed_request/headers.rb
+- lib/jwt_signed_request/middlewares/faraday.rb
+- lib/jwt_signed_request/middlewares/rack.rb
+- lib/jwt_signed_request/version.rb
+homepage: https://github.com/envato/jwt_signed_request
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5.1
+signing_key: 
+specification_version: 4
+summary: JWT request signing and verification for Internal APIs
+test_files: []
+has_rdoc: