jwt_signed_request 1.2.2 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6fa8c63dbbcbd416f397ff940a5456134d94e764
-  data.tar.gz: 794b7c510557b12ed9947eba5e1c82b79c944ff1
+  metadata.gz: 6fb3525b6977202315ff48f351757ed3e9c6c010
+  data.tar.gz: 3e7f295a2d568f8350d67354f03433f4869b72e8
 SHA512:
-  metadata.gz: fe0c6c4b1149b267fae6a00818fd818e8731e1d9bcac00b495abe6751d70f5f7e7ae88ed857fea012c05a3a29132ff2e148b488d6ecab566d4d3f523d63d702c
-  data.tar.gz: 9951441f024bf82334b30099a6ee4d586c6f49a550c1bc32a3c9cc261eebd9d49b4f68c635663e8c3f0679f580fd4a11e680518591b6377f16590c9607b55309
+  metadata.gz: 537683653302ef5695e2ec9cf78ad2e368aff14db1bdf854ed16aa0ed82a5902457e980d0594b297f591fe1837da9aee7871ed4c8c10bb7099a52e1f0eadcab5
+  data.tar.gz: e29633992973869ceb8f8857f8b7bef580f5bf632c8b80e26a141c9501eb8e51625916d250481580f26ce22d4a5c429f9693e924825d46b2687852bf148ee99b

data/README.md

@@ -28,9 +28,46 @@ $ openssl ec -in myprivatekey.pem -pubout -out mypubkey.pem
 
 Store and encrypt these in your application secrets.
 
+## Configuration
+
+You can add signing and verification keys to the key store as your application needs them.
+
+```ruby
+private_key = <<-pem.gsub(/^\s+/, "")
+    -----BEGIN EC PRIVATE KEY-----
+    MHcCAQEEIBOQ3YIILYMV1glTKbF9oeZWzHe3SNQjAx4IbPIxNygQoAoGCCqGSM49
+    AwEHoUQDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/OexDdlmXEjHYaixzYIduluGXd
+    3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
+    -----END EC PRIVATE KEY-----
+  pem
+
+public_key = <<-pem.gsub(/^\s+/, "")
+  -----BEGIN PUBLIC KEY-----
+  MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/O
+  exDdlmXEjHYaixzYIduluGXd3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
+  -----END PUBLIC KEY-----
+pem
+
+require 'openssl'
+
+JWTSignedRequest.configure_keys do |config|
+  config.add_signing_key(
+    key_id: 'client_a',
+    key: OpenSSL::PKey::EC.new(private_key),
+    algorithm: 'ES256',
+  )
+
+  config.add_verification_key(
+    key_id: 'client_a',
+    key: OpenSSL::PKey::EC.new(public_key),
+    algorithm: 'ES256',
+  )
+end
+```
+
 ## Signing Requests
 
-If you are using an asymmetrical encryption algorithm such as ES256 you will sign your requests using the private key.
+If you have added your signing keys to the key store, you will only need to specify the `key_id` you are signing the requests with.
 
 ### Using net/http
 
@@ -40,14 +77,6 @@ require 'uri'
 require 'openssl'
 require 'jwt_signed_request'
 
-private_key = """
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIBOQ3YIILYMV1glTKbF9oeZWzHe3SNQjAx4IbPIxNygQoAoGCCqGSM49
-AwEHoUQDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/OexDdlmXEjHYaixzYIduluGXd
-3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
------END EC PRIVATE KEY-----
-"""
-
 uri = URI('http://example.com')
 req = Net::HTTP::Get.new(uri)
 
@@ -56,9 +85,7 @@ req['Authorization'] = JWTSignedRequest.sign(
   path: req.path,
   headers: {"Content-Type" => "application/json"},
   body: "",
-  secret_key: OpenSSL::PKey::EC.new(private_key),
-  algorithm: 'ES256',                     # optional (default: ES256)
-  key_id: 'my-key-id',                    # optional
+  key_id: 'my-key-id',
   issuer: 'my-issuer'                     # optional
   additional_headers_to_sign: ['X-AUTH']  # optional
 )
@@ -75,19 +102,9 @@ require 'faraday'
 require 'openssl'
 require 'jwt_signed_request/middlewares/faraday'
 
-private_key = """
------BEGIN EC PRIVATE KEY-----
-MHcCAQEEIBOQ3YIILYMV1glTKbF9oeZWzHe3SNQjAx4IbPIxNygQoAoGCCqGSM49
-AwEHoUQDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/OexDdlmXEjHYaixzYIduluGXd
-3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
------END EC PRIVATE KEY-----
-"""
-
 conn = Faraday.new(url: URI.parse('http://example.com')) do |faraday|
   faraday.use JWTSignedRequest::Middlewares::Faraday,
-    secret_key: OpenSSL::PKey::EC.new(private_key),
-    algorithm: 'ES256',                     # optional (default: ES256)
-    key_id: 'my-key-id',                    # optional
+    key_id: 'my-key-id',
     issuer: 'my-issuer',                    # optional
     additional_headers_to_sign: ['X-AUTH']  # optional
 
@@ -102,19 +119,13 @@ end
 
 ## Verifying Requests
 
-If you are using an asymmetrical encryption algorithm such as ES256 you will verify the request using the public key.
+Please make sure you have added your verification keys to the key store. Doing so will allow the server to verify requests signed by different signing keys.
+
 
 ## Using Rails
 
 ```ruby
 class APIController < ApplicationController
-  PUBLIC_KEY = """
------BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/O
-exDdlmXEjHYaixzYIduluGXd3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
------END PUBLIC KEY-----
-  """
-
   before_action :verify_request
 
   ...
@@ -123,10 +134,7 @@ exDdlmXEjHYaixzYIduluGXd3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
 
   def verify_request
     begin
-      JWTSignedRequest.verify(
-        request: request,
-        secret_key: OpenSSL::PKey::EC.new(PUBLIC_KEY)
-      )
+      JWTSignedRequest.verify(request: request)
 
     rescue JWTSignedRequest::UnauthorizedRequestError => e
       render :json => {}, :status => :unauthorized
@@ -141,26 +149,24 @@ end
 JWT tokens contain an expiry timestamp. If communication delays are large (or system clocks are sufficiently out of synch), you may need to increase the 'leeway' when verifying. For example:
 
 ```ruby
-  JWTSignedRequest.verify(request: request, secret_key: 'my_public_key', leeway: 55)
+  JWTSignedRequest.verify(request: request, leeway: 55)
 ```
 
 ## Using Rack Middleware
 
 ```ruby
-PUBLIC_KEY = """
------BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuOC3ufTTnW0hVmCPNERb4LxaDE/O
-exDdlmXEjHYaixzYIduluGXd3cjg4H2gjqsY/NCpJ9nM8/AAINSrq+qPuA==
------END PUBLIC KEY-----
-"""
-
 class Server < Sinatra::Base
   use JWTSignedRequest::Middlewares::Rack,
-     secret_key: OpenSSL::PKey::EC.new(PUBLIC_KEY),
      exclude_paths: /public|health/              # optional regex
  end
 ```
 
+## Backwards Compability
+
+Please note that the way we sign and verify requests has changed in version 2.x.x. For documentation on how to use older versions please look [here](https://github.com/envato/jwt_signed_request/blob/master/VERSION_1.md).
+
+We are only supporting the old API for the next couple of releases of version 2.x.x so please upgrade ASAP.
+
 ## Maintainers
 - [Toan Nguyen](https://github.com/yoshdog)
 

data/lib/jwt_signed_request/claims.rb

@@ -4,19 +4,16 @@ require 'rack/utils'
 
 module JWTSignedRequest
   class Claims
-    EMPTY_HEADERS = [].freeze
-
     def self.generate(args)
       new(**args).generate
     end
 
-    def initialize(method:, path:, headers:, body:, additional_headers_to_sign: EMPTY_HEADERS, timeout: DEFAULT_TIMEOUT, issuer:)
+    def initialize(method:, path:, headers:, body:, additional_headers_to_sign:, issuer:)
       @method = method
       @path = path
-      @headers = headers
+      @headers = headers || EMPTY_HEADERS
       @body = body
-      @additional_headers_to_sign = additional_headers_to_sign
-      @timeout = timeout
+      @additional_headers_to_sign = additional_headers_to_sign || EMPTY_HEADERS
       @issuer = issuer
     end
 
@@ -36,7 +33,7 @@ module JWTSignedRequest
 
     private
 
-    attr_reader :method, :path, :headers, :body, :additional_headers_to_sign, :timeout, :issuer
+    attr_reader :method, :path, :headers, :body, :additional_headers_to_sign, :issuer
 
     HEADERS_TO_SIGN = %w(
       Content-Type
@@ -51,6 +48,14 @@ module JWTSignedRequest
 
     private_constant :DEFAULT_TIMEOUT
 
+    EMPTY_HEADERS = [].freeze
+
+    private_constant :EMPTY_HEADERS
+
+    def timeout
+      DEFAULT_TIMEOUT
+    end
+
     def formatted_body
       case body
         when String

data/lib/jwt_signed_request/key_store.rb

@@ -0,0 +1,32 @@
+module JWTSignedRequest
+  class KeyStore
+    def initialize
+      @signing_keys = {}
+      @verification_keys = {}
+    end
+
+    def add_signing_key(key_id:, key:, algorithm:)
+      @signing_keys.store(key_id,
+        {
+          key: key,
+          algorithm: algorithm
+        })
+    end
+
+    def add_verification_key(key_id:, key:, algorithm:)
+      @verification_keys.store(key_id,
+        {
+          key: key,
+          algorithm: algorithm
+        })
+    end
+
+    def get_signing_key(key_id:)
+      @signing_keys.fetch(key_id, {})
+    end
+
+    def get_verification_key(key_id:)
+      @verification_keys.fetch(key_id, {})
+    end
+  end
+end

data/lib/jwt_signed_request/middlewares/faraday.rb

@@ -15,7 +15,6 @@ module JWTSignedRequest
           path:       env[:url].request_uri,
           headers:    env[:request_headers],
           body:       env.fetch(:body, ::JWTSignedRequest::EMPTY_BODY),
-          secret_key: options[:secret_key],
           **optional_settings
         )
 
@@ -29,6 +28,7 @@ module JWTSignedRequest
 
       def optional_settings
         {
+          secret_key:                 options[:secret_key],
           algorithm:                  options[:algorithm],
           additional_headers_to_sign: options[:additional_headers_to_sign],
           key_id:                     options[:key_id],

data/lib/jwt_signed_request/middlewares/rack.rb

@@ -8,7 +8,7 @@ module JWTSignedRequest
 
       def initialize(app, options = {})
         @app = app
-        @secret_key = options.fetch(:secret_key)
+        @secret_key = options[:secret_key]
         @algorithm = options[:algorithm]
         @exclude_paths = options[:exclude_paths]
       end
@@ -16,11 +16,13 @@ module JWTSignedRequest
       def call(env)
         begin
           unless excluded_path?(env)
-            ::JWTSignedRequest.verify(
+            args = {
               request: ::Rack::Request.new(env),
               secret_key: secret_key,
               algorithm: algorithm
-            )
+            }.reject { |_, value| value.nil? }
+
+            ::JWTSignedRequest.verify(**args)
           end
 
           app.call(env)

data/lib/jwt_signed_request/sign.rb

@@ -0,0 +1,68 @@
+require 'jwt_signed_request/claims'
+
+module JWTSignedRequest
+  class Sign
+    def self.call(*args)
+      new(*args).call
+    end
+
+    def initialize(
+      method:,
+      path:,
+      body: EMPTY_BODY,
+      headers:,
+      secret_key: nil,
+      algorithm: nil,
+      key_id: nil,
+      issuer: nil,
+      additional_headers_to_sign: nil
+    )
+      @method = method
+      @path = path
+      @body = body
+      @headers = headers
+      @secret_key = secret_key
+      @algorithm = algorithm
+      @key_id = key_id
+      @issuer = issuer
+      @additional_headers_to_sign = additional_headers_to_sign
+    end
+
+    def call
+      JWT.encode(claims, secret_key, algorithm, additional_jwt_headers)
+    end
+
+    private
+
+    attr_reader \
+      :method, :path, :body, :headers,
+      :key_id, :issuer, :additional_headers_to_sign
+
+    def stored_key
+      @stored_key ||= JWTSignedRequest.key_store.get_signing_key(key_id: key_id)
+    end
+
+    def secret_key
+      @secret_key ||= stored_key.fetch(:key) { raise MissingKeyIdError }
+    end
+
+    def algorithm
+      @algorithm ||= stored_key.fetch(:algorithm, DEFAULT_ALGORITHM)
+    end
+
+    def additional_jwt_headers
+      key_id ? {kid: key_id} : {}
+    end
+
+    def claims
+      Claims.generate(
+        method: method,
+        path: path,
+        headers: headers,
+        body: body,
+        additional_headers_to_sign: additional_headers_to_sign,
+        issuer: issuer
+      )
+    end
+  end
+end

data/lib/jwt_signed_request/verify.rb

@@ -0,0 +1,96 @@
+require 'jwt_signed_request/headers'
+
+module JWTSignedRequest
+  class Verify
+    def self.call(*args)
+      new(*args).call
+    end
+
+    # TODO: secret_key & algorithm is deprecated and will be removed in future.
+    # For now we will support its functionaility
+    def initialize(request:, secret_key: nil, algorithm: nil, leeway: nil)
+      @request = request
+      @secret_key = secret_key
+      @algorithm = algorithm
+      @leeway = leeway
+    end
+
+    def call
+      if jwt_token.nil?
+        raise MissingAuthorizationHeaderError, "Missing Authorization header in the request"
+      end
+
+      unless verified_request?
+        raise RequestVerificationFailedError, "Request failed verification"
+      end
+    end
+
+    private
+
+    attr_reader :request, :leeway
+
+    def stored_key
+      jwt_header, _, _, _ = ::JWT.decoded_segments(jwt_token, false)
+      key_id = jwt_header.fetch('kid') { raise MissingKeyIdError }
+      signed_algorithm = jwt_header.fetch('alg')
+      JWTSignedRequest.key_store.get_verification_key(key_id: key_id).tap do |key|
+        if signed_algorithm != key[:algorithm]
+          raise AlgorithmMismatchError
+        end
+      end
+    end
+
+    def secret_key
+      @secret_key ||= stored_key.fetch(:key) { raise MissingKeyIdError }
+    end
+
+    def jwt_token
+      @jwt_token ||= Headers.fetch('Authorization', request)
+    end
+
+    def claims
+      @claims ||= begin
+        verify = true
+        options = {}
+
+        if leeway
+          # TODO: Once JWT v2.0.0 has been released, we should upgrade to it
+          # and start using `exp_leeway` instead 'leeway' will still work, but
+          # 'exp_leeway' is more explicit and is the documented way to do it.
+          #
+          # See https://github.com/jwt/ruby-jwt/pull/187.
+          options[:leeway] = leeway.to_i
+        end
+
+        JWT.decode(jwt_token, secret_key, verify, options)[0]
+      rescue ::JWT::DecodeError => e
+        raise JWTDecodeError, e.message
+      end
+    end
+
+    def verified_request?
+      claims['method'].to_s.downcase == request.request_method.downcase &&
+        claims['path'] == request.fullpath &&
+        claims['body_sha'] == Digest::SHA256.hexdigest(request_body) &&
+        verified_headers?
+    end
+
+    def request_body
+      string = request.body.read
+      request.body.rewind
+      string
+    end
+
+    def verified_headers?
+      parsed_headers = begin
+        JSON.parse(claims['headers'].to_s)
+      rescue JSON::ParserError
+        {}
+      end
+
+      parsed_headers.all? do |header_key, header_value|
+        Headers.fetch(header_key, request) == header_value
+      end
+    end
+  end
+end

data/lib/jwt_signed_request/version.rb

@@ -1,3 +1,3 @@
 module JWTSignedRequest
-  VERSION = "1.2.2".freeze
+  VERSION = "2.0.0".freeze
 end

data/lib/jwt_signed_request.rb

@@ -1,8 +1,11 @@
 require 'jwt'
-require 'jwt_signed_request/claims'
-require 'jwt_signed_request/headers'
+require 'jwt_signed_request/key_store'
+require 'jwt_signed_request/sign'
+require 'jwt_signed_request/verify'
 
 module JWTSignedRequest
+  extend self
+
   DEFAULT_ALGORITHM = 'ES256'.freeze
   EMPTY_BODY = "".freeze
 
@@ -10,83 +13,23 @@ module JWTSignedRequest
   MissingAuthorizationHeaderError = Class.new(UnauthorizedRequestError)
   JWTDecodeError = Class.new(UnauthorizedRequestError)
   RequestVerificationFailedError = Class.new(UnauthorizedRequestError)
+  MissingKeyIdError = Class.new(UnauthorizedRequestError)
+  UnknownKeyIdError = Class.new(UnauthorizedRequestError)
+  AlgorithmMismatchError = Class.new(UnauthorizedRequestError)
 
-  def self.sign(method:, path:,
-                body: EMPTY_BODY, headers:,
-                secret_key:, algorithm: DEFAULT_ALGORITHM,
-                key_id: nil, issuer: nil,
-                additional_headers_to_sign: Claims::EMPTY_HEADERS)
-    additional_jwt_headers = key_id ? {kid: key_id} : {}
-    JWT.encode(
-      Claims.generate(
-        method: method,
-        path: path,
-        headers: headers,
-        body: body,
-        additional_headers_to_sign: additional_headers_to_sign,
-        issuer: issuer
-      ),
-      secret_key,
-      algorithm,
-      additional_jwt_headers
-    )
-  end
-
-  def self.verify(request:, secret_key:, algorithm: nil, leeway: nil)
-    # TODO: algorithm is deprecated and will be removed in future
-    verify = true
-    options = {}
-    if leeway
-      # TODO: Once JWT v2.0.0 has been released, we should upgrade to it and start using `exp_leeway` instead
-      #  'leeway' will still work, but 'exp_leeway' is more explicit and is the documented way to do it.
-      #  see https://github.com/jwt/ruby-jwt/pull/187
-      options[:leeway] = leeway.to_i
-    end
-    jwt_token = Headers.fetch('Authorization', request)
-
-    if jwt_token.nil?
-      raise MissingAuthorizationHeaderError, "Missing Authorization header in the request"
-    end
-
-    begin
-      claims = JWT.decode(jwt_token, secret_key, verify, options)[0]
-      unless verified_request?(request: request, claims: claims)
-        raise RequestVerificationFailedError, "Request failed verification"
-      end
-
-    rescue ::JWT::DecodeError => e
-      raise JWTDecodeError, e.message
-    end
+  def configure_keys
+    yield(key_store)
   end
 
-  def self.verified_request?(request:, claims:)
-    claims['method'].to_s.downcase == request.request_method.downcase &&
-      claims['path'] == request.fullpath &&
-      claims['body_sha'] == Digest::SHA256.hexdigest(request_body(request: request)) &&
-      verified_headers?(request: request, claims: claims)
+  def key_store
+    @key_store ||= KeyStore.new
   end
 
-  private_class_method :verified_request?
-
-  def self.request_body(request:)
-    string = request.body.read
-    request.body.rewind
-    string
+  def sign(*args)
+    Sign.call(*args)
   end
 
-  private_class_method :request_body
-
-  def self.verified_headers?(request:, claims:)
-    parsed_headers = begin
-      JSON.parse(claims['headers'].to_s)
-    rescue JSON::ParserError
-      {}
-    end
-
-    parsed_headers.all? do |header_key, header_value|
-      Headers.fetch(header_key, request) == header_value
-    end
+  def verify(*args)
+    Verify.call(*args)
   end
-
-  private_class_method :verified_headers?
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: jwt_signed_request
 version: !ruby/object:Gem::Version
-  version: 1.2.2
+  version: 2.0.0
 platform: ruby
 authors:
 - Toan Nguyen
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-11 00:00:00.000000000 Z
+date: 2017-06-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -119,8 +119,11 @@ files:
 - lib/jwt_signed_request.rb
 - lib/jwt_signed_request/claims.rb
 - lib/jwt_signed_request/headers.rb
+- lib/jwt_signed_request/key_store.rb
 - lib/jwt_signed_request/middlewares/faraday.rb
 - lib/jwt_signed_request/middlewares/rack.rb
+- lib/jwt_signed_request/sign.rb
+- lib/jwt_signed_request/verify.rb
 - lib/jwt_signed_request/version.rb
 homepage: https://github.com/envato/jwt_signed_request
 licenses: []
@@ -141,7 +144,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.5.2
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: JWT request signing and verification for Internal APIs