keycloak-api-rails 0.11.1 → 0.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 90c326858b9b9eb917fb48a1de41b8bb04bda9ee9c335c9d54cc32a2cf1e6cf1
-  data.tar.gz: 0f2e7ffb1ff96cf183db47552561d7bde77c98178f2568874ef1ddfe55c09a9f
+  metadata.gz: d0e8e7c47df127347543955ffc2ed362dc9c2efb549bc970f0efdd519f8cfb1a
+  data.tar.gz: 5b77f9cf1171a36db3d80c6cd31e0df8f0acb00a58916e9b7a4fdcfdec331ecd
 SHA512:
-  metadata.gz: c9bf1dd58e9da0fbc485c12cf9dc73ccb31d88bef5158107a8d141542380a818d89fc90810cdfb3a867048d854ed616d0b640d8edb17d9d48999cc2ec8469b77
-  data.tar.gz: 39e57c6bacf0c31bb94bfdd53e454745bb3c100e831b804e840183b80b6472338731b01a5fcb70c9b46029c01e118670a3f4e503bf6003bbb449c60915a4c0f1
+  metadata.gz: 38edbedbe88b629c6c6728eda1b60670cd9dd6b03f6246c4bfd79bcc6fd3832922c504b91c15f4f4c7e86128e4d143800f5562292cf0f38877e73f0f39f4a8ff
+  data.tar.gz: d6e9d6ca5a7d5a531e09e7e2fe63d026bd53f088ceabbb2484e59ab36ac1aee234d949ac30c342f67a2784442dacfb1d502762f35999d977d8175189c19193fa

data/CHANGELOG.md

@@ -5,14 +5,23 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.12.0] - 2023-04-11
+
+* Introduce Opt-in mode as an alternative configuration (thanks to @theSteveMitchell)
+
+## [0.11.2] - 2022-03-30
+
+* Update `Gemfile.lock` to avoid wrong CVE detections. The version of Rails should always be specified by the parent project. This change has no functional impact.
+* Update `json-jwt` to `>=1.13.0`
+
 ## [0.11.1] - 2019-11-27
 
 * When a token validation error occurs, do not log it as a `warn` (but as an `info` instead)
 
 ## [0.11.0] - 2019-11-21
 
-* Remove dependency to `rest-client` (thanks to @@loicvigneron)
-* Access Authorization Party from ENV (thanks to @@loicvigneron)
-* New configuration option: `ca_certificate_file` (thanks to @@loicvigneron)
+* Remove dependency to `rest-client` (thanks to @loicvigneron)
+* Access Authorization Party from ENV (thanks to @loicvigneron)
+* New configuration option: `ca_certificate_file` (thanks to @loicvigneron)
 * Access the token from ENV
 * Upgrade `json-jwt` to `1.11.0`

data/Dockerfile

@@ -1,5 +1,8 @@
-FROM ruby:2.5.0
-RUN mkdir -p /usr/src/app/lib/keycloak-api-rails
+FROM ruby:2.7.5-slim-bullseye
+
+RUN apt-get update -qq && apt-get install -y build-essential git ruby-dev && apt-get clean && \
+  mkdir -p /usr/src/app/lib/keycloak-api-rails
+
 WORKDIR /usr/src/app
 
 COPY Gemfile /usr/src/app/

data/Gemfile.lock

@@ -1,167 +1,192 @@
 PATH
   remote: .
   specs:
-    keycloak-api-rails (0.11.1)
+    keycloak-api-rails (0.12.0)
       json-jwt (>= 1.11.0)
       rails (>= 4.2)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (6.0.1)
-      actionpack (= 6.0.1)
+    actioncable (7.0.4.3)
+      actionpack (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (6.0.1)
-      actionpack (= 6.0.1)
-      activejob (= 6.0.1)
-      activerecord (= 6.0.1)
-      activestorage (= 6.0.1)
-      activesupport (= 6.0.1)
+    actionmailbox (7.0.4.3)
+      actionpack (= 7.0.4.3)
+      activejob (= 7.0.4.3)
+      activerecord (= 7.0.4.3)
+      activestorage (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
       mail (>= 2.7.1)
-    actionmailer (6.0.1)
-      actionpack (= 6.0.1)
-      actionview (= 6.0.1)
-      activejob (= 6.0.1)
+      net-imap
+      net-pop
+      net-smtp
+    actionmailer (7.0.4.3)
+      actionpack (= 7.0.4.3)
+      actionview (= 7.0.4.3)
+      activejob (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
       mail (~> 2.5, >= 2.5.4)
+      net-imap
+      net-pop
+      net-smtp
       rails-dom-testing (~> 2.0)
-    actionpack (6.0.1)
-      actionview (= 6.0.1)
-      activesupport (= 6.0.1)
-      rack (~> 2.0)
+    actionpack (7.0.4.3)
+      actionview (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
+      rack (~> 2.0, >= 2.2.0)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.0.1)
-      actionpack (= 6.0.1)
-      activerecord (= 6.0.1)
-      activestorage (= 6.0.1)
-      activesupport (= 6.0.1)
+    actiontext (7.0.4.3)
+      actionpack (= 7.0.4.3)
+      activerecord (= 7.0.4.3)
+      activestorage (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
+      globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (6.0.1)
-      activesupport (= 6.0.1)
+    actionview (7.0.4.3)
+      activesupport (= 7.0.4.3)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.1)
-      activesupport (= 6.0.1)
+    activejob (7.0.4.3)
+      activesupport (= 7.0.4.3)
       globalid (>= 0.3.6)
-    activemodel (6.0.1)
-      activesupport (= 6.0.1)
-    activerecord (6.0.1)
-      activemodel (= 6.0.1)
-      activesupport (= 6.0.1)
-    activestorage (6.0.1)
-      actionpack (= 6.0.1)
-      activejob (= 6.0.1)
-      activerecord (= 6.0.1)
-      marcel (~> 0.3.1)
-    activesupport (6.0.1)
+    activemodel (7.0.4.3)
+      activesupport (= 7.0.4.3)
+    activerecord (7.0.4.3)
+      activemodel (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
+    activestorage (7.0.4.3)
+      actionpack (= 7.0.4.3)
+      activejob (= 7.0.4.3)
+      activerecord (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
+      marcel (~> 1.0)
+      mini_mime (>= 1.1.0)
+    activesupport (7.0.4.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-      i18n (>= 0.7, < 2)
-      minitest (~> 5.1)
-      tzinfo (~> 1.1)
-      zeitwerk (~> 2.2)
-    aes_key_wrap (1.0.1)
-    bindata (2.4.4)
-    builder (3.2.3)
-    byebug (9.1.0)
-    concurrent-ruby (1.1.5)
-    crass (1.0.5)
-    diff-lcs (1.3)
-    erubi (1.9.0)
-    globalid (0.4.2)
-      activesupport (>= 4.2.0)
-    i18n (1.7.0)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+    aes_key_wrap (1.1.0)
+    bindata (2.4.15)
+    builder (3.2.4)
+    byebug (11.1.3)
+    concurrent-ruby (1.2.2)
+    crass (1.0.6)
+    date (3.3.3)
+    diff-lcs (1.5.0)
+    erubi (1.12.0)
+    faraday (2.7.4)
+      faraday-net_http (>= 2.0, < 3.1)
+      ruby2_keywords (>= 0.0.4)
+    faraday-follow_redirects (0.3.0)
+      faraday (>= 1, < 3)
+    faraday-net_http (3.0.2)
+    globalid (1.1.0)
+      activesupport (>= 5.0)
+    i18n (1.12.0)
       concurrent-ruby (~> 1.0)
-    json-jwt (1.11.0)
+    json-jwt (1.16.3)
       activesupport (>= 4.2)
       aes_key_wrap
       bindata
-    loofah (2.4.0)
+      faraday (~> 2.0)
+      faraday-follow_redirects
+    loofah (2.20.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
-    mail (2.7.1)
+    mail (2.8.1)
       mini_mime (>= 0.1.1)
-    marcel (0.3.3)
-      mimemagic (~> 0.3.2)
-    method_source (0.9.2)
-    mimemagic (0.3.3)
-    mini_mime (1.0.2)
-    mini_portile2 (2.4.0)
-    minitest (5.13.0)
-    nio4r (2.5.2)
-    nokogiri (1.10.5)
-      mini_portile2 (~> 2.4.0)
-    rack (2.0.7)
-    rack-test (1.1.0)
-      rack (>= 1.0, < 3)
-    rails (6.0.1)
-      actioncable (= 6.0.1)
-      actionmailbox (= 6.0.1)
-      actionmailer (= 6.0.1)
-      actionpack (= 6.0.1)
-      actiontext (= 6.0.1)
-      actionview (= 6.0.1)
-      activejob (= 6.0.1)
-      activemodel (= 6.0.1)
-      activerecord (= 6.0.1)
-      activestorage (= 6.0.1)
-      activesupport (= 6.0.1)
-      bundler (>= 1.3.0)
-      railties (= 6.0.1)
-      sprockets-rails (>= 2.0.0)
+      net-imap
+      net-pop
+      net-smtp
+    marcel (1.0.2)
+    method_source (1.0.0)
+    mini_mime (1.1.2)
+    mini_portile2 (2.8.1)
+    minitest (5.18.0)
+    net-imap (0.3.4)
+      date
+      net-protocol
+    net-pop (0.1.2)
+      net-protocol
+    net-protocol (0.2.1)
+      timeout
+    net-smtp (0.3.3)
+      net-protocol
+    nio4r (2.5.9)
+    nokogiri (1.14.3)
+      mini_portile2 (~> 2.8.0)
+      racc (~> 1.4)
+    racc (1.6.2)
+    rack (2.2.6.4)
+    rack-test (2.1.0)
+      rack (>= 1.3)
+    rails (7.0.4.3)
+      actioncable (= 7.0.4.3)
+      actionmailbox (= 7.0.4.3)
+      actionmailer (= 7.0.4.3)
+      actionpack (= 7.0.4.3)
+      actiontext (= 7.0.4.3)
+      actionview (= 7.0.4.3)
+      activejob (= 7.0.4.3)
+      activemodel (= 7.0.4.3)
+      activerecord (= 7.0.4.3)
+      activestorage (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
+      bundler (>= 1.15.0)
+      railties (= 7.0.4.3)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.3.0)
-      loofah (~> 2.3)
-    railties (6.0.1)
-      actionpack (= 6.0.1)
-      activesupport (= 6.0.1)
+    rails-html-sanitizer (1.5.0)
+      loofah (~> 2.19, >= 2.19.1)
+    railties (7.0.4.3)
+      actionpack (= 7.0.4.3)
+      activesupport (= 7.0.4.3)
       method_source
-      rake (>= 0.8.7)
-      thor (>= 0.20.3, < 2.0)
-    rake (13.0.1)
-    rspec (3.7.0)
-      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.7.0)
-    rspec-core (3.7.1)
-      rspec-support (~> 3.7.0)
-    rspec-expectations (3.7.0)
+      rake (>= 12.2)
+      thor (~> 1.0)
+      zeitwerk (~> 2.5)
+    rake (13.0.6)
+    rspec (3.12.0)
+      rspec-core (~> 3.12.0)
+      rspec-expectations (~> 3.12.0)
+      rspec-mocks (~> 3.12.0)
+    rspec-core (3.12.1)
+      rspec-support (~> 3.12.0)
+    rspec-expectations (3.12.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-mocks (3.7.0)
+      rspec-support (~> 3.12.0)
+    rspec-mocks (3.12.5)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-support (3.7.0)
-    sprockets (4.0.0)
+      rspec-support (~> 3.12.0)
+    rspec-support (3.12.0)
+    ruby2_keywords (0.0.5)
+    thor (1.2.1)
+    timecop (0.9.6)
+    timeout (0.3.2)
+    tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-      rack (> 1, < 3)
-    sprockets-rails (3.2.1)
-      actionpack (>= 4.0)
-      activesupport (>= 4.0)
-      sprockets (>= 3.0.0)
-    thor (0.20.3)
-    thread_safe (0.3.6)
-    timecop (0.9.1)
-    tzinfo (1.2.5)
-      thread_safe (~> 0.1)
-    websocket-driver (0.7.1)
+    websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.4)
-    zeitwerk (2.2.1)
+    websocket-extensions (0.1.5)
+    zeitwerk (2.6.7)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  byebug (= 9.1.0)
+  byebug (= 11.1.3)
   keycloak-api-rails!
-  rspec (= 3.7.0)
-  timecop (= 0.9.1)
+  rspec (= 3.12.0)
+  timecop (= 0.9.6)
 
 BUNDLED WITH
-   1.17.3
+   2.1.4

data/README.md

@@ -1,16 +1,16 @@
 # Keycloak-Rails-Api
 
-This gem aims at validates Keycloak JWT token in Ruby On Rails APIs.
+This gem validates Keycloak JWT token for Ruby On Rails APIs.
 
 ## Install
 
 ```ruby
-gem "keycloak-api-rails", "0.11.1"
+gem "keycloak-api-rails", "0.12.0"
 ```
 
 ## Token validation
 
-Tokens send (through query strings or Authorization headers) to this Railtie Middleware are validated against a Keycloak public key. This public key is downloaded every day by default (this interval can be changed through `public_key_cache_ttl`).
+Tokens sent (through query strings or Authorization headers) are validated against a Keycloak public key. This public key is downloaded every day by default (this interval can be changed through `public_key_cache_ttl`).
 
 ## Pass token to the API
 
@@ -21,6 +21,20 @@ Tokens send (through query strings or Authorization headers) to this Railtie Mid
 
 _If both method are used at the same time, The query string as a higher priority when reading given tokens._
 
+## Opt-in vs. Opt-out validation
+
+By default, Keycloak-api-rails installs as a Rack Middleware. It processes all requests before any application logic. URIs/Paths can be excluded (opted-out) from this validation using the 'skip_paths' config option
+
+Alternatively, it can be configured to `opt-in` to validation. In this case, no Rack middleware is used, and controllers can request (opt-in) by including the module `Keycloak::authentication` and calling `keycloak_authenticate`, for example in a `before_action`, like so: 
+
+```ruby
+class MyApiController < ActionController::Base
+  include Keycloak::Authentication
+
+  before_action :keycloak_authenticate
+end
+```
+
 ## When a token is validated
 
 In Rails controller, the request `env` variables has two more properties:
@@ -39,6 +53,7 @@ All options have a default value. However, all of them can be changed in your in
 | `realm_id` | `nil`| String | Required | Realm's name (not id, actually) | `master` |
 | `logger` | `Logger.new(STDOUT)`| Logger | Optional | The logger used by `keycloak-api-rails` | `Rails.logger` | 
 | `skip_paths` | `{}`| Hash of methods and paths regexp | Optional | Paths whose the token must not be validatefd | `{ get: [/^\/health\/.+/] }`| 
+| `opt_in` | `false` | Boolean | Optional | When true, All requests will be validated (excluding requests matching `skip_paths`). When false, validation must be explicitly requested | `true`
 | `token_expiration_tolerance_in_seconds` | `10`| Logger | Optional | Number of seconds a token can expire before being rejected by the API. | `15` | 
 | `public_key_cache_ttl` | `86400`| Integer | Optional | Amount of time, in seconds, specifying maximum interval between two requests to {project_name} to retrieve new public keys. It is 86400 seconds (1 day) by default. At least once per this configured interval (1 day by default) will be new public key always downloaded. | `Rails.logger` | 
 | `custom_attributes` | `[]`| Array Of String | Optional | List of token attributes to read from each token and to add to their http request env | `["originalFirstName", "originalLastName"]` | 
@@ -59,6 +74,19 @@ Keycloak.configure do |config|
 end
 ```
 
+Or using opt-in configuration:
+
+```ruby
+Keycloak.configure do |config|
+  config.server_url = ENV["KEYCLOAK_SERVER_URL"]
+  config.realm_id   = ENV["KEYCLOAK_REALM_ID"]
+  config.logger     = Rails.logger
+  config.opt_in     = true
+end
+```
+
+When using `opt-in` is true, `skip_paths` is not used. 
+
 ## Use cases
 
 Once this gem is configured in your Rails project, you can read, validate and use tokens in your controllers.
@@ -77,6 +105,24 @@ class AuthenticatedController < ApplicationController
 end
 ```
 
+Or if using opt-in mode, the controller can request validation conditionally: 
+```ruby
+class MostlyAuthenticatedController < ApplicationController
+  include Keycloak::Authentication
+
+  before_action :keycloak_authenticate, only: show
+
+  def show
+    keycloak_id = Keycloak::Helper.current_user_id(request.env)
+    User.active.find_by(keycloak_id: keycloak_id)
+  end
+
+  def index 
+    # unauthenticated
+  end
+end
+```
+
 ### Roles
 
 `Keycloak::Helper.current_user_roles` can be use against a Rails request to read user's roles.

data/keycloak-api-rails.gemspec

@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "rails",       ">= 4.2"
   spec.add_dependency "json-jwt",    ">= 1.11.0"
 
-  spec.add_development_dependency "rspec",   "3.7.0"
-  spec.add_development_dependency "timecop", "0.9.1"
-  spec.add_development_dependency "byebug", "9.1.0"
+  spec.add_development_dependency "rspec",   "3.12.0"
+  spec.add_development_dependency "timecop", "0.9.6"
+  spec.add_development_dependency "byebug", "11.1.3"
 end

data/lib/keycloak-api-rails/authentication.rb

@@ -0,0 +1,57 @@
+module Keycloak
+  module Authentication
+    extend ActiveSupport::Concern
+
+    included do
+      if respond_to?(:helper_method)
+        helper_method :keycloak_authenticate
+      end
+    end
+
+    protected
+
+    def keycloak_authenticate
+      
+      env = request.env
+      method = env["REQUEST_METHOD"]
+      path   = env["PATH_INFO"]
+      uri    = env["REQUEST_URI"]
+
+      logger.debug("Start authentication for #{method} : #{path}")
+      token         = service.read_token(uri, env)
+      decoded_token = service.decode_and_verify(token)
+      authentication_succeeded(env, decoded_token)
+      
+    rescue TokenError => e
+      authentication_failed(e.message)
+    end
+
+    def authentication_failed(message)
+      logger.info(message)
+      [401, {"Content-Type" => "application/json"}, [ { error: message }.to_json]]
+    end
+
+    def authentication_succeeded(env, decoded_token)
+      Helper.assign_current_user_id(env, decoded_token)
+      Helper.assign_current_authorized_party(env, decoded_token)
+      Helper.assign_current_user_email(env, decoded_token)
+      Helper.assign_current_user_locale(env, decoded_token)
+      Helper.assign_current_user_custom_attributes(env, decoded_token, config.custom_attributes)
+      Helper.assign_realm_roles(env, decoded_token)
+      Helper.assign_resource_roles(env, decoded_token)
+      Helper.assign_keycloak_token(env, decoded_token)
+    end
+
+    def service
+      Keycloak.service
+    end
+
+    def logger
+      Keycloak.logger
+    end
+
+    def config
+      Keycloak.config
+    end
+  end
+end

data/lib/keycloak-api-rails/configuration.rb

@@ -4,6 +4,7 @@ module Keycloak
     config_accessor :server_url
     config_accessor :realm_id
     config_accessor :skip_paths
+    config_accessor :opt_in
     config_accessor :token_expiration_tolerance_in_seconds
     config_accessor :public_key_cache_ttl
     config_accessor :custom_attributes

data/lib/keycloak-api-rails/middleware.rb

@@ -10,7 +10,7 @@ module Keycloak
       path   = env["PATH_INFO"]
       uri    = env["REQUEST_URI"]
 
-      if service.need_authentication?(method, path, env)
+      if service.need_middleware_authentication?(method, path, env)
         logger.debug("Start authentication for #{method} : #{path}")
         token         = service.read_token(uri, env)
         decoded_token = service.decode_and_verify(token)

data/lib/keycloak-api-rails/service.rb

@@ -4,6 +4,7 @@ module Keycloak
     def initialize(key_resolver)
       @key_resolver                          = key_resolver
       @skip_paths                            = Keycloak.config.skip_paths
+      @opt_in                                = Keycloak.config.opt_in
       @logger                                = Keycloak.config.logger
       @token_expiration_tolerance_in_seconds = Keycloak.config.token_expiration_tolerance_in_seconds
     end
@@ -34,8 +35,8 @@ module Keycloak
       Helper.read_token_from_query_string(uri) || Helper.read_token_from_headers(headers)
     end
 
-    def need_authentication?(method, path, headers)
-      !should_skip?(method, path) && !is_preflight?(method, headers)
+    def need_middleware_authentication?(method, path, headers)
+      !is_preflight?(method, headers) && (!@opt_in && !should_skip?(method, path))
     end
 
     private

data/lib/keycloak-api-rails/version.rb

@@ -1,3 +1,3 @@
 module Keycloak
-  VERSION = "0.11.1"
+  VERSION = "0.12.0"
 end

data/lib/keycloak-api-rails.rb

@@ -4,6 +4,7 @@ require "uri"
 require "date"
 require "net/http"
 
+require_relative "keycloak-api-rails/authentication"
 require_relative "keycloak-api-rails/configuration"
 require_relative "keycloak-api-rails/http_client"
 require_relative "keycloak-api-rails/token_error"
@@ -46,6 +47,7 @@ module Keycloak
       config.realm_id                               = nil
       config.logger                                 = ::Logger.new(STDOUT)
       config.skip_paths                             = {}
+      config.opt_in                                 = false
       config.token_expiration_tolerance_in_seconds  = 10
       config.public_key_cache_ttl                   = 86400
       config.custom_attributes                      = []

data/spec/keycloak-api-rails/authentication_spec.rb

@@ -0,0 +1,32 @@
+require "spec_helper"
+
+describe Keycloak::Authentication do
+  class ExampleController < ActionController::Base
+    include Keycloak::Authentication
+    # Mark protected methods public so they may be called in tests
+    public(*Keycloak::Authentication.protected_instance_methods)
+  end
+
+  let(:controller) { ExampleController.new }
+  let(:token) { 'keycloak_valid_token'}
+  let(:headers) do
+    {
+      'REQUEST_METHOD' => :get,
+      'REQUEST_URI' => 'http://www.an-url.io',
+      'HTTP_AUTHORIZATION' => "Bearer #{token}"
+    }
+  end
+
+  describe "#keycloak_authenticate" do
+    before do
+      # Mock request object because we aren't using real request spec
+      allow(controller).to receive(:request).and_return(double("request", env: headers ))
+    end
+
+    it "it authenticates with request header" do
+      expect_any_instance_of(Keycloak::Service).to receive(:decode_and_verify).with(token).and_return("A User")
+      expect(controller).to receive(:authentication_succeeded)
+      controller.keycloak_authenticate
+    end
+  end
+end

data/spec/keycloak-api-rails/service_spec.rb

@@ -103,7 +103,7 @@ RSpec.describe Keycloak::Service do
     end
   end
 
-  describe "#need_authentication?" do
+  describe "#need_middleware_authentication?" do
 
     let(:method)  { nil }
     let(:path)    { nil }
@@ -115,7 +115,7 @@ RSpec.describe Keycloak::Service do
         post:   [/^\/skip/],
         get:    [/^\/skip/]
       }
-      @result = service.need_authentication?(method, path, headers)
+      @result = service.need_middleware_authentication?(method, path, headers)
     end
 
     context "when method is nil" do
@@ -175,6 +175,18 @@ RSpec.describe Keycloak::Service do
         expect(@result).to be false
       end
     end
+
+    context "when configured as opt_in" do
+      before do
+        Keycloak.config.opt_in = true
+        service2 = Keycloak::Service.new(key_resolver)
+        @result = service2.need_middleware_authentication?(method, path, headers)
+      end
+
+      it "should return false" do
+        expect(@result).to be false
+      end
+    end
   end
 
   describe "#read_token" do

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: keycloak-api-rails
 version: !ruby/object:Gem::Version
-  version: 0.11.1
+  version: 0.12.0
 platform: ruby
 authors:
 - Lorent Lempereur
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-27 00:00:00.000000000 Z
+date: 2023-04-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -44,42 +44,42 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 3.12.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.7.0
+        version: 3.12.0
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.9.1
+        version: 0.9.6
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.9.1
+        version: 0.9.6
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 9.1.0
+        version: 11.1.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 9.1.0
+        version: 11.1.3
 description: Rails middleware that validates Authorization token emitted by Keycloak
 email:
 - lorent.lempereur.dev@gmail.com
@@ -97,6 +97,7 @@ files:
 - README.md
 - keycloak-api-rails.gemspec
 - lib/keycloak-api-rails.rb
+- lib/keycloak-api-rails/authentication.rb
 - lib/keycloak-api-rails/configuration.rb
 - lib/keycloak-api-rails/helper.rb
 - lib/keycloak-api-rails/http_client.rb
@@ -107,6 +108,7 @@ files:
 - lib/keycloak-api-rails/service.rb
 - lib/keycloak-api-rails/token_error.rb
 - lib/keycloak-api-rails/version.rb
+- spec/keycloak-api-rails/authentication_spec.rb
 - spec/keycloak-api-rails/helper_spec.rb
 - spec/keycloak-api-rails/public_key_cached_resolver_spec.rb
 - spec/keycloak-api-rails/service_spec.rb
@@ -133,7 +135,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.3.1
 signing_key: 
 specification_version: 4
 summary: Rails middleware that validates Authorization token emitted by Keycloak