keypairs 1.3.3 → 1.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f204cbb9214023154fb4b23804e6a18b0e6bd929592616fe2cd12b2cd5a180ac
-  data.tar.gz: 487339606bd6d7f0d5b90628147e613784dec153165821172efe26565b4351ba
+  metadata.gz: 0ca0b0aafcf04e00a791643b69542ffc336a4b852bc1935b7798a6cd3fe00a68
+  data.tar.gz: eba505a66b6fe00f9c0a0e640be2ebf74bb0a4771ea2ca24ede8268edec4abbc
 SHA512:
-  metadata.gz: 38fc480ca4a36beee8c5b5c4658359c0cea284e66a6143e9a5cd8c51247d984b1bdd947b8b6f2e32243c94bd3d0212f7e6d27050cab0eda95140eb0b8be45676
-  data.tar.gz: c9b87af55f4f38a0397a89c25be5a8d7e82b1daa7bb7bd3ef5cd0094c05c8f12a6b7476b146d2d4fc8b8bac42443adedea7db866aa046b294a3f8722bac83ba3
+  metadata.gz: a279637cc14ceb82db2baa122600abafdc448ada9bb30303c66f62742098e07e04cb95edbe1ea5454192ebefd2bfae3813606c15293ae64afe0784394b4fd0d2
+  data.tar.gz: 416eca93ef18ef827deed738307584938b8363036d562438dc7a72a12420d20bc85d33f48507a8554d8ee7b62c8972819d90da238e2e2c47dc09e0c5ebdca4a0

data/lib/keypair.rb

@@ -34,7 +34,7 @@ require 'jwt'
 # @attr [Time] not_before The time before which no payloads may be signed using the keypair.
 # @attr [Time] not_after The time after which no payloads may be signed using the keypair.
 # @attr [Time] expires_at The time after which the keypair may not be used for signature validation.
-class Keypair < ActiveRecord::Base
+class Keypair < ActiveRecord::Base # rubocop:disable Metrics/ClassLength
   ALGORITHM = 'RS256'
   ROTATION_INTERVAL = 1.month
 
@@ -133,13 +133,27 @@ class Keypair < ActiveRecord::Base
       # Change the default algorithm to match the encoding algorithm
       algorithm: ALGORITHM,
       # Load our own keyset as valid keys
-      jwks: keyset,
+      jwks: jwk_loader_cached,
       # If the `sub` is provided, validate that it matches the payload `sub`
       verify_sub: true
     )
     JWT.decode(id_token, nil, true, options).first.with_indifferent_access
   end
 
+  # options[:invalidate] will be `true` if a matching `kid` was not found
+  # https://github.com/jwt/ruby-jwt/blob/master/lib/jwt/jwk/key_finder.rb#L31
+  def self.jwk_loader_cached
+    lambda do |options|
+      cached_jwks(force: options[:invalidate]) || {}
+    end
+  end
+
+  def self.cached_jwks(force: false)
+    Rails.cache.fetch('keypairs/Keypair/jwks', force: force, skip_nil: true) do
+      keyset
+    end
+  end
+
   # JWT encodes the payload with this keypair.
   # It automatically adds the security attributes +iat+, +exp+ and +nonce+ to the payload.
   # It automatically sets the +kid+ in the header.

data/lib/keypairs/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Keypairs
-  VERSION = '1.3.3'
+  VERSION = '1.3.4'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: keypairs
 version: !ruby/object:Gem::Version
-  version: 1.3.3
+  version: 1.3.4
 platform: ruby
 authors:
 - Stef Schenkelaars
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-12-14 00:00:00.000000000 Z
+date: 2024-08-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: actionpack
@@ -222,16 +222,16 @@ dependencies:
   name: sqlite3
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.4'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "~>"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '1.4'
 - !ruby/object:Gem::Dependency
   name: timecop
   requirement: !ruby/object:Gem::Requirement
@@ -283,7 +283,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.5.11
 signing_key: 
 specification_version: 4
 summary: Manage application level keypairs with automatic rotation and JWT support