keyless 1.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: a742a4e768b944a62453aa8cc6d94e1afd138a5cd3d4059ed6f970ade717618d
+  data.tar.gz: 0c8e5392cc8443b303ddbfe67672ca54a56462041d84e95e4adcbddbb66bbc78
+SHA512:
+  metadata.gz: 23f6a2b71ce821364c0c66aed4f585c80e74a4412bf204a08f95b265ab3790eacea59dcb1d5e5c8496bf1d06f2b0cf0d32c162f7a824f34a79a9bb0124d3b41a
+  data.tar.gz: fd1d10b84e31ca6eb624832a3c2426b2df9989fe9ceb14c1c5638d87c3673be66c0d6972c3f50bc0cbd6fb73dde677a01e82be8cecddf472c94a2ae644a79085

data/.editorconfig

@@ -0,0 +1,30 @@
+# http://editorconfig.org
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.md]
+trim_trailing_whitespace = true
+
+[*.json]
+indent_style = space
+indent_size = 2
+
+[*.yml]
+indent_style = space
+indent_size = 2
+
+[Makefile]
+trim_trailing_whitespace = true
+indent_style = tab
+indent_size = 4
+
+[*.sh]
+indent_style = space
+indent_size = 2

data/.gitignore

@@ -0,0 +1,12 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/api/
+/pkg/
+/spec/reports/
+/tmp/
+/Gemfile.lock
+
+# rspec failure tracking
+.rspec_status

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,41 @@
+require: rubocop-rspec
+
+Rails:
+  Enabled: true
+
+Documentation:
+  Enabled: true
+
+AllCops:
+  DisplayCopNames: true
+  TargetRubyVersion: 2.3
+  Exclude:
+    - db/schema.rb
+    - bin/**/*
+    - db/migrate/**/*
+    - vendor/cache/**/*
+    - vendor/bundle/**/*
+    - build/**/*
+
+Metrics/BlockLength:
+  Exclude:
+    - Rakefile
+    - keyless.gemspec
+    - spec/**/*.rb
+    - '**/*.rake'
+
+# Document all the things.
+Style/DocumentationMethod:
+  Enabled: true
+  RequireForNonPublicMethods: true
+
+# It's a deliberate idiom in RSpec.
+# See: https://github.com/bbatsov/rubocop/issues/4222
+Lint/AmbiguousBlockAssociation:
+  Exclude:
+    - "spec/**/*"
+
+# Because +expect_any_instance_of().to have_received()+ is not
+# supported with the +with(hash_including)+ matchers
+RSpec/MessageSpies:
+  EnforcedStyle: receive

data/.simplecov

@@ -0,0 +1,3 @@
+SimpleCov.start 'test_frameworks' do
+  add_filter '/vendor/bundle/'
+end

data/.travis.yml

@@ -0,0 +1,20 @@
+env:
+  global:
+    - CC_TEST_REPORTER_ID=ecb753423174dbd8e4aaf04fb62bf4ef9c2a54904ac49a33fdf2b908b3c5e5f3
+
+sudo: false
+language: ruby
+rvm:
+  - 2.6
+  - 2.5
+  - 2.4
+
+before_install: gem install bundler
+
+before_script:
+  - curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
+  - chmod +x ./cc-test-reporter
+  - ./cc-test-reporter before-build
+script: bundle exec rake
+after_script:
+  - ./cc-test-reporter after-build --exit-code $TRAVIS_TEST_RESULT

data/CHANGELOG.md

@@ -0,0 +1,8 @@
+### 1.0.1
+
+* Renamed the Gem to `keyless`.
+
+### 1.0.0
+
+* Initial release, extracted from former [grape-jwt-authentication](https://github.com/hausgold/grape-jwt-authentication)
+code at v1.3.0.

data/Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
+
+# Specify your gem's dependencies in keyless.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 HAUSGOLD | talocasa GmbH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,279 @@
+![keyless](doc/assets/project.svg)
+
+[![Build Status](https://travis-ci.com/hausgold/keyless.svg?branch=master)](https://travis-ci.com/hausgold/keyless)
+[![Gem Version](https://badge.fury.io/rb/keyless.svg)](https://badge.fury.io/rb/keyless)
+[![API docs](https://img.shields.io/badge/docs-API-blue.svg)](https://www.rubydoc.info/gems/keyless)
+
+This gem is dedicated to easily integrate a JWT authentication to your
+ruby application. The real authentication
+functionality must be provided by the user and this makes this gem highy
+flexible on the JWT verification level.
+
+- [Installation](#installation)
+- [Configuration](#configuration)
+  - [Authenticator](#authenticator)
+  - [RSA public key helper](#rsa-public-key-helper)
+    - [RSA public key location (URL)](#rsa-public-key-location-url)
+    - [RSA public key caching](#rsa-public-key-caching)
+    - [RSA public key cache expiration](#rsa-public-key-cache-expiration)
+  - [JWT instance helper](#jwt-instance-helper)
+    - [Issuer verification](#issuer-verification)
+    - [Beholder (audience) verification](#beholder-audience-verification)
+    - [Custom JWT verification options](#custom-jwt-verification-options)
+    - [Custom JWT verification key](#custom-jwt-verification-key)
+  - [Full RSA256 example](#full-rsa256-example)
+- [Development](#development)
+- [Contributing](#contributing)
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'keyless'
+```
+
+And then execute:
+
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+
+```bash
+$ gem install keyless
+```
+
+## Configuration
+
+This gem is quite customizable and flexible to fulfill your needs. You can make
+use of some parts and leave other if you do not care about them. We are not
+going to force the way how to verify JWT or work with them. Here comes a
+overview of the configurations you can do.
+
+### Authenticator
+
+The authenticator function which must be defined by the user to verify the
+given JSON Web Token. Here comes all your logic to lookup the related user on
+your database, the token claim verification and/or the token cryptographic
+signing. The function must return true or false to indicate the validity of the
+token.
+
+```ruby
+Keyless.configure do |conf|
+  conf.authenticator = proc do |token|
+    # Verify the token the way you like. (true, false)
+  end
+end
+```
+
+### RSA public key helper
+
+We provide a straightforward solution to deal with the provision of RSA public
+keys.  Somethimes you want to distribute them by file to each machine and have
+a local access, and somethimes you provide an endpoint on your identity
+provider to fetch the RSA public key via HTTP/HTTPS.  The `RsaPublicKey` class
+helps you to fulfill this task easily.
+
+**Heads up!** You can skip this if you do not care about RSA verification or
+have your own mechanism.
+
+```ruby
+# Get your public key, by using the global configuration
+public_key = Keyless::RsaPublicKey.fetch
+# => OpenSSL::PKey::RSA
+
+# Using a local configuration
+fetcher = Keyless::RsaPublicKey.instance
+fetcher.url = 'https://your.identity.provider/rsa_public_key'
+public_key = fetcher.fetch
+# => OpenSSL::PKey::RSA
+```
+
+The following examples show you how to configure the
+`Keyless::RsaPublicKey` class the global way. This is useful
+for a shared initializer place.
+
+#### RSA public key location (URL)
+
+Whenever you want to use the `RsaPublicKey` class you configure the default URL
+on the singleton instance, or use the gem configure method and set it up
+accordingly.  We allow the fetch of the public key from a remote server
+(HTTP/HTTPS) or from a local file which is accessible by the ruby process.
+Specify the URL or the local path here. Not specified by default.
+
+```ruby
+Keyless.configure do |conf|
+  # Local file
+  conf.rsa_public_key_url = '/tmp/jwt_rsa.pub'
+  # Remote URL
+  conf.rsa_public_key_url = 'https://your.identity.provider/rsa_public_key'
+end
+```
+
+#### RSA public key caching
+
+You can configure the `RsaPublickey` class to enable/disable caching. For a
+remote public key location it is handy to cache the result for some time to
+keep the traffic low to the resource server.  For a local file you can skip
+this. Disabled by default.
+
+```ruby
+Keyless.configure do |conf|
+  conf.rsa_public_key_caching = true
+end
+```
+
+#### RSA public key cache expiration
+
+When you make use of the cache of the `RsaPublicKey` class you can fine tune
+the expiration time. The RSA public key from your identity
+provider should not change this frequent, so a cache for at least one hour is
+fine. You should not set it lower than one minute. Keep this setting in mind
+when you change keys. Your infrastructure could be inoperable for this
+configured time.  One hour by default.
+
+```ruby
+Keyless.configure do |conf|
+  conf.rsa_public_key_expiration = 1.hour
+end
+```
+
+### JWT instance helper
+
+We ship a little wrapper class to ease the validation of JSON Web Tokens with
+the help of the great [ruby-jwt](https://github.com/jwt/ruby-jwt) library. This
+wrapper class provides some helpers like `#access_token?`, `#refresh_token?` or
+`#expires_at` which returns a ActiveSupport time-zoned representation of the
+token expiration timestamp. It is initially opinionated to RSA verification,
+but can be tuned to verify HMAC or ECDSA signed tokens. It integrated well with
+the `RsaPublicKey` fetcher class. (by default)
+
+**Heads up!** You can skip this if you have your own JWT verification mechanism.
+
+```ruby
+# A raw JWT (no signing, payload: {test: true})
+raw_token = 'eyJ0eXAiOiJKV1QifQ.eyJ0ZXN0Ijp0cnVlfQ.'
+
+# Parse the raw token and create a instance of it
+token = Keyless::Jwt.new(raw_token)
+
+# Access the payload easily (recursive-open-struct)
+token.payload.test
+# => true
+
+# Validate the token (we assume you configured the verification key, an/or
+# you own custom JWT verification options here)
+token.valid?
+# => true
+```
+
+The following examples show you how to configure the
+`Keyless::Jwt` class the global way. This is useful for a
+shared initializer place.
+
+#### Issuer verification
+
+The JSON Web Token issuer which should be used for verification. When `nil` we
+also turn off the verification by default. (See the default JWT options)
+
+```ruby
+Keyless.configure do |conf|
+  conf.jwt_issuer = 'your-identity-provider'
+end
+```
+
+#### Beholder (audience) verification
+
+The resource server (namely the one which configures this right now)
+which MUST be present on the JSON Web Token audience claim. When `nil` we
+also turn off the verification by default. (See the default JWT options)
+
+```ruby
+Keyless.configure do |conf|
+  conf.jwt_beholder = 'your-resource-server'
+end
+```
+
+#### Custom JWT verification options
+
+You can configure a different JSON Web Token verification option hash if your
+algorithm differs or you want some extra/different options.  Just watch out
+that you have to pass a proc to this configuration property. On the
+`Keyless::Jwt` class it has to be a simple hash. The default
+is here the `RS256` algorithm with enabled expiration check, and issuer+audience
+check when the `jwt_issuer` / `jwt_beholder` are configured accordingly.
+
+```ruby
+Keyless.configure do |conf|
+  conf.jwt_options = proc do
+    # See: https://github.com/jwt/ruby-jwt
+    { algorithm: 'HS256' }
+  end
+end
+```
+
+#### Custom JWT verification key
+
+You can configure your own verification key on the `Jwt` wrapper class.  This
+way you can pass your HMAC secret or your ECDSA public key to the JSON Web
+Token validation method. Here you need to pass a proc, on the
+`Keyless::Jwt` class it has to be a scalar value. By default
+we use the `RsaPublicKey` class to retrieve the RSA public key.
+
+```ruby
+Keyless.configure do |conf|
+  conf.jwt_verification_key = proc do
+    # Retrieve your verification key (RSA, ECDSA, HMAC secret)
+    # the way you like, and pass it back here.
+  end
+end
+```
+
+### Full RSA256 example
+
+Here comes a full example of the opinionated `RSA256` algorithm usage with a
+remote RSA public key location, enabled caching and a full token payload
+verification.
+
+```ruby
+# On an initializer ..
+Keyless.configure do |conf|
+  # The remote RSA public key location and enabled caching to limit the
+  # traffic on the remote server.
+  conf.rsa_public_key_url = 'https://your.identity.provider/rsa_public_key'
+  conf.rsa_public_key_caching = true
+  conf.rsa_public_key_expiration = 10.minutes
+
+  # Configure the JWT wrapper.
+  conf.jwt_issuer = 'The Identity Provider'
+  conf.jwt_beholder = 'example-api'
+
+  # Custom verification logic.
+  conf.authenticator = proc do |token|
+    # Parse and instantiate a JWT verification instance
+    jwt = Keyless::Jwt.new(token)
+
+    # We just allow valid access tokens
+    jwt.access_token? && jwt.valid?
+  end
+end
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run
+`bundle exec rake spec` to run the tests. You can also run `bin/console` for an
+interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To
+release a new version, update the version number in `version.rb`, and then run
+`bundle exec rake release`, which will create a git tag for the version, push
+git commits and tags, and push the `.gem` file to
+[rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at
+https://github.com/hausgold/keyless.

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "keyless"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/doc/assets/project.svg

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.1"
+   id="Ebene_1"
+   x="0px"
+   y="0px"
+   viewBox="0 0 800 200"
+   xml:space="preserve"
+   width="800"
+   height="200"><metadata
+   id="metadata33"><rdf:RDF><cc:Work
+       rdf:about=""><dc:format>image/svg+xml</dc:format><dc:type
+         rdf:resource="http://purl.org/dc/dcmitype/StillImage" /><dc:title></dc:title></cc:Work></rdf:RDF></metadata><defs
+   id="defs31" />
+<style
+   type="text/css"
+   id="style2">
+    .st0{fill-rule:evenodd;clip-rule:evenodd;fill:#E73E11;}
+    .st1{fill-rule:evenodd;clip-rule:evenodd;fill:#0371B9;}
+    .st2{fill:#132E48;}
+    .st3{font-family:'OpenSans-Bold';}
+    .st4{font-size:29.5168px;}
+    .st5{fill-rule:evenodd;clip-rule:evenodd;fill:none;}
+    .st6{opacity:0.5;fill:#132E48;}
+    .st7{font-family:'OpenSans';}
+    .st8{font-size:12px;}
+</style>
+<g
+   transform="translate(0,1.53584)"
+   id="g828"><g
+   transform="translate(35.93985,35.66416)"
+   id="g8">
+    <path
+   style="clip-rule:evenodd;fill:#e73e11;fill-rule:evenodd"
+   id="path4"
+   d="m -0.1,124.4 c 0,0 33.7,-123.2 66.7,-123.2 12.8,0 26.9,21.9 38.8,47.2 -23.6,27.9 -66.6,59.7 -94,76 -7.1,0 -11.5,0 -11.5,0 z"
+   class="st0" />
+    <path
+   style="clip-rule:evenodd;fill:#0371b9;fill-rule:evenodd"
+   id="path6"
+   d="m 88.1,101.8 c 13.5,-10.4 18.4,-16.2 27.1,-25.4 10,25.7 16.7,48 16.7,48 0,0 -41.4,0 -78,0 14.6,-7.9 18.7,-10.7 34.2,-22.6 z"
+   class="st1" />
+</g><text
+   y="106.40316"
+   x="192.43155"
+   style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-size:29.51733398px;font-family:'Open Sans', sans-serif;-inkscape-font-specification:'OpenSans-Bold, Bold';font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;text-align:start;writing-mode:lr-tb;text-anchor:start;fill:#132e48"
+   id="text10"
+   class="st2 st3 st4">keyless</text>
+<rect
+   style="clip-rule:evenodd;fill:none;fill-rule:evenodd"
+   id="rect12"
+   height="24"
+   width="314.5"
+   class="st5"
+   y="118.06416"
+   x="194.23985" /><text
+   y="127.22146"
+   x="194.21715"
+   style="font-size:12px;font-family:'Open Sans', sans-serif;opacity:0.5;fill:#132e48;-inkscape-font-specification:'Open Sans, sans-serif, Normal';font-weight:normal;font-style:normal;font-stretch:normal;font-variant:normal;text-anchor:start;text-align:start;writing-mode:lr;font-variant-ligatures:normal;font-variant-caps:normal;font-variant-numeric:normal;font-feature-settings:normal;"
+   id="text14"
+   class="st6 st7 st8">A reusable JWT authentication concern</text>
+</g>
+</svg>

data/keyless.gemspec

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'keyless/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'keyless'
+  spec.version       = Keyless::VERSION
+  spec.authors       = ['Hermann Mayer', 'Christopher Mühl', 'Marcus Geißler']
+  spec.email         = ['hermann.mayer92@gmail.com', 'christopher@padarom.xyz', 'mg@hausgold.de']
+
+  spec.summary       = 'A reusable JWT authentication helper'
+  spec.description   = 'A reusable JWT authentication helper'
+  spec.homepage      = 'https://github.com/hausgold/keyless'
+
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '>= 1.16', '< 3'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'simplecov', '~> 0.15'
+  spec.add_development_dependency 'timecop', '~> 0.9.1'
+  spec.add_development_dependency 'vcr', '~> 3.0'
+  spec.add_development_dependency 'webmock', '~> 3.1'
+
+  spec.add_runtime_dependency 'activesupport', '>= 3.2.0'
+  spec.add_runtime_dependency 'httparty'
+  spec.add_runtime_dependency 'jwt', '~> 2.1'
+  spec.add_runtime_dependency 'recursive-open-struct', '~> 1.0'
+end

data/lib/keyless.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'active_support'
+require 'active_support/concern'
+require 'active_support/configurable'
+require 'active_support/cache'
+require 'active_support/core_ext/hash'
+require 'active_support/time'
+require 'active_support/time_with_zone'
+
+require 'jwt'
+
+require 'keyless/version'
+require 'keyless/configuration'
+require 'keyless/jwt'
+require 'keyless/rsa_public_key'
+
+# The JWT authentication concern.
+module Keyless
+  extend ActiveSupport::Concern
+
+  class << self
+    attr_writer :configuration
+  end
+
+  # Retrieve the current configuration object.
+  #
+  # @return [Configuration]
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  # Configure the concern by providing a block which takes
+  # care of this task. Example:
+  #
+  #   Keyless.configure do |conf|
+  #     # conf.xyz = [..]
+  #   end
+  def self.configure
+    yield(configuration)
+  end
+
+  # Reset the current configuration with the default one.
+  def self.reset_configuration!
+    self.configuration = Configuration.new
+  end
+end

data/lib/keyless/configuration.rb

@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+module Keyless
+  # The configuration for the JWT authentication concern.
+  class Configuration
+    include ActiveSupport::Configurable
+
+    # The authenticator function which must be defined by the user to
+    # verify the given JSON Web Token. Here comes all your logic to lookup
+    # the related user on your database, the token claim verification
+    # and/or the token cryptographic signing. The function must return true
+    # or false to indicate the validity of the token.
+    #
+    #   Keyless.configure do |conf|
+    #     conf.authenticator = proc do |token|
+    #       # Verify the token the way you like.
+    #     end
+    #   end
+    config_accessor(:authenticator) { proc { false } }
+
+    # Whenever you want to use the {RsaPublicKey} class you configure the
+    # default URL on the singleton instance, or use the gem configure
+    # method and set it up accordingly.  We allow the fetch of the public
+    # key from a remote server (HTTP/HTTPS) or from a local file which is
+    # accessible by the ruby process.  Specify the URL or the local path
+    # here.
+    config_accessor(:rsa_public_key_url) { nil }
+
+    # You can preconfigure the {RsaPublickey} class to enable/disable
+    # caching. For a remote public key location it is handy to cache the
+    # result for some time to keep the traffic low to this resource server.
+    # For a local file you can skip this.
+    config_accessor(:rsa_public_key_caching) { false }
+
+    # When you make use of the caching of the {RsaPublicKey} class you can
+    # fine tune the expiration time of this cache. The RSA public key from
+    # your identity provider should not change this frequent, so a cache
+    # for at least one hour is fine. You should not set it lower than one
+    # minute. Keep this setting in mind when you change keys. Your
+    # infrastructure could be inoperable for this configured time.
+    config_accessor(:rsa_public_key_expiration) { 1.hour }
+
+    # The JSON Web Token isser which should be used for verification.
+    config_accessor(:jwt_issuer) { nil }
+
+    # The resource server (namely the one which configures this right now)
+    # which MUST be present on the JSON Web Token audience claim.
+    config_accessor(:jwt_beholder) { nil }
+
+    # You can configure a different JSON Web Token verification option hash
+    # if your algorithm differs or you want some extra/different options.
+    # Just watch out that you have to pass a proc to this configuration
+    # property. On the {Keyless::Jwt} class it has to be
+    # a simple hash. The default is here the RS256 algorithm with enabled
+    # expiration check, and issuer+audience check when the
+    # {jwt_issuer}/{jwt_beholder} are configured accordingly.
+    config_accessor(:jwt_options) do
+      proc do
+        conf = ::Keyless.configuration
+        { algorithm: 'RS256',
+          exp_leeway: 30.seconds.to_i,
+          iss: conf.jwt_issuer,
+          verify_iss: !conf.jwt_issuer.nil?,
+          aud: conf.jwt_beholder,
+          verify_aud: !conf.jwt_beholder.nil?,
+          # @TODO: https://github.com/jwt/ruby-jwt/issues/247
+          verify_iat: false }
+      end
+    end
+
+    # You can configure your own verification key on the Jwt wrapper class.
+    # This way you can pass your HMAC secret or your ECDSA public key to
+    # the JSON Web Token validation method. Here you need to pass a proc,
+    # on the {Keyless::Jwt} class it has to be a scalar
+    # value. By default we use the
+    # {Keyless::RsaPublicKey} class to retrieve the RSA
+    # public key.
+    config_accessor(:jwt_verification_key) do
+      proc { RsaPublicKey.instance.fetch }
+    end
+  end
+end

data/lib/keyless/jwt.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+require 'recursive-open-struct'
+
+module Keyless
+  # A easy to use model for verification of JSON Web Tokens. This is just a
+  # wrapper class for the excellent ruby-jwt gem. It's completely up to you
+  # to use it. But be aware, its a bit optinionated by default.
+  class Jwt
+    # All the following JWT verification issues lead to a failed validation.
+    RESCUE_JWT_EXCEPTIONS = [
+      ::JWT::DecodeError,
+      ::JWT::VerificationError,
+      ::JWT::ExpiredSignature,
+      ::JWT::IncorrectAlgorithm,
+      ::JWT::ImmatureSignature,
+      ::JWT::InvalidIssuerError,
+      ::JWT::InvalidIatError,
+      ::JWT::InvalidAudError,
+      ::JWT::InvalidSubError,
+      ::JWT::InvalidJtiError,
+      ::JWT::InvalidPayload
+    ].freeze
+
+    # :reek:Attribute because its fine to be extern-modifiable at these
+    # instances
+    attr_reader :payload, :token
+    attr_writer :verification_key, :jwt_options
+    attr_accessor :issuer, :beholder
+
+    # Setup a new JWT instance. You have to pass the raw JSON Web Token to
+    # the initializer. Example:
+    #
+    #   Jwt.new('j.w.t')
+    #   # => <Jwt>
+    #
+    # @return [Jwt]
+    def initialize(token)
+      parsed_payload = JWT.decode(token, nil, false).first.symbolize_keys
+      @token = token
+      @payload = RecursiveOpenStruct.new(parsed_payload)
+    end
+
+    # Checks if the payload says this is a refresh token.
+    #
+    # @return [Boolean] Whenever this is a access token
+    def access_token?
+      payload.typ == 'access'
+    end
+
+    # Checks if the payload says this is a refresh token.
+    #
+    # @return [Boolean] Whenever this is a refresh token
+    def refresh_token?
+      payload.typ == 'refresh'
+    end
+
+    # Retrives the expiration date from the payload when set.
+    #
+    # @return [nil|ActiveSupport::TimeWithZone] The expiration date
+    def expires_at
+      exp = payload.exp
+      return nil unless exp
+
+      Time.zone.at(exp)
+    end
+
+    # Deliver the public key for verification by default. This uses the
+    # {RsaPublicKey} class, but you can configure the verification key the
+    # way you like. (Especially for different algorithms, like HMAC or
+    # ECDSA) Just make use of the same named setter.
+    #
+    # @return [OpenSSL::PKey::RSA|Mixed] The verification key
+    def verification_key
+      unless @verification_key
+        conf = ::Keyless.configuration
+        return conf.jwt_verification_key.call
+      end
+      @verification_key
+    end
+
+    # This getter passes back the default JWT verification option hash
+    # which is optinionated.  You can change this the way you like by
+    # configuring your options with the help of the same named setter.
+    #
+    # @return [Hash] The JWT verification options hash
+    def jwt_options
+      unless @jwt_options
+        conf = ::Keyless.configuration
+        return conf.jwt_options.call
+      end
+      @jwt_options
+    end
+
+    # Verify the current token by our hard and strict rules. Whenever the
+    # token was not parsed from a string, we encode the current state to a
+    # JWT string representation and check this.
+    #
+    # @return [Boolean] Whenever the token is valid or not
+    #
+    # :reek:NilCheck because we have to check the token
+    #                origin and react on it
+    def valid?
+      JWT.decode(token, verification_key, true, jwt_options) && true
+    rescue *RESCUE_JWT_EXCEPTIONS
+      false
+    end
+  end
+end

data/lib/keyless/rsa_public_key.rb

@@ -0,0 +1,128 @@
+# frozen_string_literal: true
+
+require 'singleton'
+require 'openssl'
+require 'httparty'
+
+module Keyless
+  # A common purpose RSA public key fetching/caching helper. With the help
+  # of this class you are able to retrieve the RSA public key from a remote
+  # server or a local file. This is naturally only useful if you care about
+  # JSON Web Token which are signed by the RSA algorithm.
+  class RsaPublicKey
+    # A internal exception handling for failed fetch attempts.
+    class FetchError < StandardError; end
+
+    include Singleton
+
+    # Setup all the getters and setters.
+    attr_accessor :cache
+    attr_writer :url, :expiration, :caching
+
+    # Setup the instance.
+    def initialize
+      @expiration = 1.hour
+      @cache = ActiveSupport::Cache::MemoryStore.new
+    end
+
+    # Just a simple shortcut class method to access the fetch method
+    # without specifying the singleton instance.
+    #
+    # @return [OpenSSL::PKey::RSA]
+    def self.fetch
+      instance.fetch
+    end
+
+    # Configure the single instance. This is just a wrapper (like tap)
+    # to the instance itself.
+    def configure
+      yield(self)
+    end
+
+    # Fetch the public key with the help of the configuration.  You can
+    # configure the public key location (local file, remote (HTTP/HTTPS)
+    # file), whenever we should cache and how long to cache.
+    #
+    # @return [OpenSSL::PKey::RSA]
+    def fetch
+      encoded_key = if cache?
+                      cache.fetch('encoded_key', expires_in: expiration) do
+                        fetch_encoded_key
+                      end
+                    else
+                      fetch_encoded_key
+                    end
+
+      OpenSSL::PKey::RSA.new(encoded_key)
+    end
+
+    # Fetch the encoded (DER, or PEM) public key from a remote or local
+    # location.
+    #
+    # @return [String] The encoded public key
+    def fetch_encoded_key
+      raise ArgumentError, 'No URL for RsaPublicKey configured' unless url
+
+      if remote?
+        res = HTTParty.get(url)
+        raise FetchError, res.inspect unless (200..299).include? res.code
+        res.body
+      else
+        File.read(url)
+      end
+    end
+
+    # A helper for the caching configuration.
+    #
+    # @return [Boolean]
+    def cache?
+      caching && true
+    end
+
+    # A helper to determine if the configured URL is on a remote server or
+    # it is local on the filesystem. Whenever the configured URL specifies
+    # the HTTP/HTTPS protocol, we assume it is remote.
+    #
+    # @return [Boolean]
+    def remote?
+      !(url =~ /^https?/).nil?
+    end
+
+    # This getter passes back the default RSA public key.  You can change
+    # this the way you like by configuring your URL with the help of the
+    # same named setter.
+    #
+    # @return [String] The configured public key location
+    def url
+      unless @url
+        conf = ::Keyless.configuration
+        return conf.rsa_public_key_url
+      end
+      @url
+    end
+
+    # This getter passes back the default public key cache expiration time.
+    # You can change this time with the help of the same named setter.
+    #
+    # @return [Integer] The configured cache expiration time
+    def expiration
+      unless @expiration
+        conf = ::Keyless.configuration
+        return conf.rsa_public_key_expiration
+      end
+      @expiration
+    end
+
+    # This getter passes back the caching flag. You can change this flag
+    # with the help of the same named setter.
+    #
+    # @return [Boolean] Whenever we should cache or not
+    def caching
+      unless @caching
+        conf = ::Keyless.configuration
+        return conf.rsa_public_key_caching
+      end
+      @caching
+    end
+  end
+end

data/lib/keyless/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Keyless
+  VERSION = '1.0.1'.freeze
+end

metadata

@@ -0,0 +1,226 @@
+--- !ruby/object:Gem::Specification
+name: keyless
+version: !ruby/object:Gem::Version
+  version: 1.0.1
+platform: ruby
+authors:
+- Hermann Mayer
+- Christopher Mühl
+- Marcus Geißler
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2020-09-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.16'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.16'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.15'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.15'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.1
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.2.0
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: recursive-open-struct
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+description: A reusable JWT authentication helper
+email:
+- hermann.mayer92@gmail.com
+- christopher@padarom.xyz
+- mg@hausgold.de
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".editorconfig"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- ".simplecov"
+- ".travis.yml"
+- CHANGELOG.md
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- doc/assets/project.svg
+- keyless.gemspec
+- lib/keyless.rb
+- lib/keyless/configuration.rb
+- lib/keyless/jwt.rb
+- lib/keyless/rsa_public_key.rb
+- lib/keyless/version.rb
+homepage: https://github.com/hausgold/keyless
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.8
+signing_key: 
+specification_version: 4
+summary: A reusable JWT authentication helper
+test_files: []