knock 1.3.0 → 1.4.0

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    OWQzZTFhZmNhYTg2YjZmZDhmMzkyZjRkYzRiMTg0ZmE0MTVhOGE1MA==
+    MzVhZjdkMGZhZTMxMWVmYTU1MTRiMTU1OWM4ZTdhZTAyYmEzZWZiNw==
   data.tar.gz: !binary |-
-    OWRjZDEyZmY3MDk0MTYzM2QwMmM0NDQxYTJjOGEwZWM2ZjBmMjBjYQ==
+    YWYwZTAzM2EwY2MxMzU4Nzg3N2ZmNzkwY2Y5NzhlOWZiOTFiMzVlMg==
 SHA512:
   metadata.gz: !binary |-
-    ZmRkZjFjOGViZTJhNjhmNWFlZmQ5ZGIwMzI2MjQ5YjRiOWI5ZWY3MGRjN2Rj
-    ZmE5NjY3YzVlNTE1MDAxYmNlOThhYmZkMzBlMjY0ZDI1MmNmYjMzYWY3ODc5
-    MDZkNjZhYjM5M2EzY2FjMzczNTYyN2Y0MTM5MmMwMTIxZTRjMmE=
+    MjhlOTdhZTBkNTE0NjQzMjBjYWE4M2JlMDA1YjI3ODgyZjFkYzhhYThjOWQ3
+    NGQ1ZjllMzBmZjUzZTdmYjRhYTcyYzQ3MDM4YzAxODNlNzkxMzg2MDlkZGVl
+    ODI4ZTE2N2YwMDE1OWViMGIzOGI0ZDQ5ODU5YzU3ODc1ZTc2NWU=
   data.tar.gz: !binary |-
-    M2RlNjA2ZTFjOTdkMDZlMTllNjA1MzViZjIzODNhYTNlZWM2MjNlNjVjZWJi
-    NzdkNDk5YzIzMWViNzEzMjRhZjEwMjNmNWNmMTZmNjA1NDhlMzU4NDM0NzZk
-    ZmM2NzA3MzQ5MzVkZDA2NzBkMjljMzY5ZmVjOWZiNWZhOTgxY2E=
+    MGJjNjQyOWQ3YzA2ZTU0MzY4ZTI3MGFlY2E0ZDdkMjZhNDJjNmI1YTEzMmZi
+    ZDQ3NDA2NGM2YzA1MTc1M2I4MmI2MThjMzc4MTYzZTQwNzA3MGJkYTJkNWFl
+    ZjBjZDk3OGRmMWFkNWY5OTA0NWRlYzhmY2EzM2YxMjdmY2I2YzM=

data/app/model/knock/auth_token.rb

@@ -6,11 +6,13 @@ module Knock
 
     def initialize payload: {}, token: nil
       if token.present?
-        @payload, _ = JWT.decode token, key, true, verify_claims
+        @payload, _ = JWT.decode token, decode_key, true, options
         @token = token
       else
         @payload = payload
-        @token = JWT.encode(claims.merge(payload), key, 'HS256')
+        @token = JWT.encode claims.merge(payload),
+          secret_key,
+          Knock.token_signature_algorithm
       end
     end
 
@@ -19,10 +21,20 @@ module Knock
     end
 
   private
-    def key
+    def secret_key
       Knock.token_secret_signature_key.call
     end
 
+    def decode_key
+      Knock.token_public_key || secret_key
+    end
+
+    def options
+      verify_claims.merge({
+        algorithm: Knock.token_signature_algorithm
+      })
+    end
+
     def claims
       {
         exp: Knock.token_lifetime.from_now.to_i,
@@ -32,7 +44,7 @@ module Knock
 
     def verify_claims
       {
-        aud: Knock.token_audience, verify_claims: Knock.token_audience.present?
+        aud: Knock.token_audience, verify_aud: Knock.token_audience.present?
       }
     end
   end

data/lib/generators/templates/knock.rb

@@ -18,8 +18,10 @@ Knock.setup do |config|
   ## AuthTokenController parameters. It also uses the same variable to enforce
   ## permitted values in the controller.
   ##
+  ## You must raise ActiveRecord::RecordNotFound if the resource cannot be retrieved.
+  ##
   ## Default:
-  # self.current_user_from_handle = -> (handle) { User.find_by! Knock.handle_attr => handle }
+  # config.current_user_from_handle = -> (handle) { User.find_by! Knock.handle_attr => handle }
 
   ## Current user retrieval when validating token
   ## --------------------------------------------
@@ -28,6 +30,8 @@ Knock.setup do |config|
   ## By default, it assumes you have a model called `User` and that
   ## the user_id is stored in the 'sub' claim.
   ##
+  ## You must raise ActiveRecord::RecordNotFound if the resource cannot be retrieved.
+  ##
   ## Default:
   # config.current_user_from_token = -> (claims) { User.find claims['sub'] }
 
@@ -44,7 +48,7 @@ Knock.setup do |config|
   ## Audience claim
   ## --------------
   ##
-  ## Configure the audience claim to indentify the recipients that the token
+  ## Configure the audience claim to identify the recipients that the token
   ## is intended for.
   ##
   ## Default:
@@ -53,6 +57,13 @@ Knock.setup do |config|
   ## If using Auth0, uncomment the line below
   # config.token_audience = -> { Rails.application.secrets.auth0_client_id }
 
+  ## Signature algorithm
+  ## -------------------
+  ##
+  ## Configure the algorithm used to encode the token
+  ##
+  ## Default:
+  # config.token_signature_algorithm = 'HS256'
 
   ## Signature key
   ## -------------
@@ -65,4 +76,11 @@ Knock.setup do |config|
   ## If using Auth0, uncomment the line below
   # config.token_secret_signature_key = -> { JWT.base64url_decode Rails.application.secrets.auth0_client_secret }
 
+  ## Public key
+  ## ----------
+  ##
+  ## Configure the public key used to decode tokens, if required.
+  ##
+  ## Default:
+  # config.token_public_key = nil
 end

data/lib/knock.rb

@@ -6,10 +6,10 @@ module Knock
   self.handle_attr = :email
 
   mattr_accessor :current_user_from_handle
-  self.current_user_from_handle = -> (handle) { User.find_by! Knock.handle_attr => handle }
+  self.current_user_from_handle = -> handle { User.find_by! Knock.handle_attr => handle }
 
   mattr_accessor :current_user_from_token
-  self.current_user_from_token = -> (claims) { User.find claims['sub'] }
+  self.current_user_from_token = -> claims { User.find claims['sub'] }
 
   mattr_accessor :token_lifetime
   self.token_lifetime = 1.day
@@ -17,9 +17,15 @@ module Knock
   mattr_accessor :token_audience
   self.token_audience = nil
 
+  mattr_accessor :token_signature_algorithm
+  self.token_signature_algorithm = 'HS256'
+
   mattr_accessor :token_secret_signature_key
   self.token_secret_signature_key = -> { Rails.application.secrets.secret_key_base }
 
+  mattr_accessor :token_public_key
+  self.token_public_key = nil
+
   # Default way to setup Knock. Run `rails generate knock:install` to create
   # a fresh initializer with all configuration values.
   def self.setup

data/lib/knock/authenticable.rb

@@ -1,12 +1,16 @@
 module Knock::Authenticable
-  attr_reader :current_user
+  def current_user
+    @current_user ||= begin
+      token = params[:token] ||
+        request.headers['Authorization'].match(/^Bearer (.*)$/)[1]
 
-  def authenticate
-    begin
-      token = request.headers['Authorization'].split(' ').last
-      @current_user = Knock::AuthToken.new(token: token).current_user
+      Knock::AuthToken.new(token: token).current_user
     rescue
-      head :unauthorized
+      nil
     end
   end
+
+  def authenticate
+    head :unauthorized unless current_user
+  end
 end

data/lib/knock/version.rb

@@ -1,3 +1,3 @@
 module Knock
-  VERSION = "1.3.0"
+  VERSION = "1.4.0"
 end

data/test/dummy/app/controllers/current_users_controller.rb

@@ -0,0 +1,9 @@
+class CurrentUsersController < ApplicationController
+  def show
+    if current_user
+      head :ok
+    else
+      head :not_found
+    end
+  end
+end

data/test/dummy/config/routes.rb

@@ -1,4 +1,5 @@
 Rails.application.routes.draw do
   resources :protected_resources
+  resource :current_user
   mount Knock::Engine => "/knock"
 end

data/test/dummy/log/test.log

@@ -1,78 +1,146 @@
-   (2.9ms)  CREATE TABLE "users" ("id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, "email" varchar NOT NULL, "password_digest" varchar NOT NULL, "created_at" datetime NOT NULL, "updated_at" datetime NOT NULL) 
-   (1.4ms)  CREATE TABLE "schema_migrations" ("version" varchar NOT NULL) 
+   (4.5ms)  CREATE TABLE "users" ("id" INTEGER PRIMARY KEY AUTOINCREMENT NOT NULL, "email" varchar NOT NULL, "password_digest" varchar NOT NULL, "created_at" datetime NOT NULL, "updated_at" datetime NOT NULL) 
+   (1.6ms)  CREATE TABLE "schema_migrations" ("version" varchar NOT NULL) 
    (0.1ms)  select sqlite_version(*)
-   (1.3ms)  CREATE UNIQUE INDEX "unique_schema_migrations" ON "schema_migrations" ("version")
+   (1.6ms)  CREATE UNIQUE INDEX "unique_schema_migrations" ON "schema_migrations" ("version")
    (0.1ms)  SELECT version FROM "schema_migrations"
-   (1.0ms)  INSERT INTO "schema_migrations" (version) VALUES ('20150713101607')
+   (1.5ms)  INSERT INTO "schema_migrations" (version) VALUES ('20150713101607')
   ActiveRecord::SchemaMigration Load (0.1ms)  SELECT "schema_migrations".* FROM "schema_migrations"
    (0.1ms)  begin transaction
   Fixture Delete (0.2ms)  DELETE FROM "users"
-  Fixture Insert (0.1ms)  INSERT INTO "users" ("email", "password_digest", "created_at", "updated_at", "id") VALUES ('one@example.net', '$2a$04$0mPmVn/CmWZkmHf15VY.JuVDRXH5EhKuCzFpsKH7.ySvtGWM4WLhW', '2015-07-23 14:58:31', '2015-07-23 14:58:31', 980190962)
-  Fixture Insert (0.1ms)  INSERT INTO "users" ("email", "password_digest", "created_at", "updated_at", "id") VALUES ('two@example.net', '$2a$04$h2eMNW1pZXYVkPzhnOGg3efpsw7/ENPysgUpdAi4o8u0K.wu/omDG', '2015-07-23 14:58:31', '2015-07-23 14:58:31', 298486374)
-   (45.0ms)  commit transaction
+  Fixture Insert (0.1ms)  INSERT INTO "users" ("email", "password_digest", "created_at", "updated_at", "id") VALUES ('one@example.net', '$2a$04$8Yam9pqovA3weu3n/l1Z4eJ7SP/xFw2yESJoXUcpqk89Fqn3mpY7C', '2016-01-02 04:04:33', '2016-01-02 04:04:33', 980190962)
+  Fixture Insert (0.1ms)  INSERT INTO "users" ("email", "password_digest", "created_at", "updated_at", "id") VALUES ('two@example.net', '$2a$04$pPSRVhAc5Awe4myXaw6EF.Xn.hJ/mWlUGSUA5UfiGbmm4l6O5QJ9u', '2016-01-02 04:04:33', '2016-01-02 04:04:33', 298486374)
+   (1.7ms)  commit transaction
+   (0.1ms)  begin transaction
+------------------------------------------------------
+Knock::AuthTokenControllerTest: test_responds_with_201
+------------------------------------------------------
+  User Load (0.3ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
+Processing by Knock::AuthTokenController#create as HTML
+  Parameters: {"auth"=>{"email"=>"one@example.net", "password"=>"[FILTERED]"}}
+  User Load (0.2ms)  SELECT  "users".* FROM "users" WHERE "users"."email" = ? LIMIT 1  [["email", "one@example.net"]]
+  User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."email" = ? LIMIT 1  [["email", "one@example.net"]]
+Completed 201 Created in 7ms (Views: 0.3ms | ActiveRecord: 0.3ms)
+   (0.1ms)  rollback transaction
+   (0.1ms)  begin transaction
+-----------------------------------------------------------------------------
+Knock::AuthTokenControllerTest: test_responds_with_404_if_user_does_not_exist
+-----------------------------------------------------------------------------
+Processing by Knock::AuthTokenController#create as HTML
+  Parameters: {"auth"=>{"email"=>"wrong@example.net", "password"=>"[FILTERED]"}}
+  User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."email" = ? LIMIT 1  [["email", "wrong@example.net"]]
+Completed 404 Not Found in 1ms (ActiveRecord: 0.1ms)
+   (0.1ms)  rollback transaction
+   (0.1ms)  begin transaction
+-----------------------------------------------------------------------------
+Knock::AuthTokenControllerTest: test_responds_with_404_if_password_is_invalid
+-----------------------------------------------------------------------------
+  User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
+Processing by Knock::AuthTokenController#create as HTML
+  Parameters: {"auth"=>{"email"=>"one@example.net", "password"=>"[FILTERED]"}}
+  User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."email" = ? LIMIT 1  [["email", "one@example.net"]]
+Completed 404 Not Found in 2ms (ActiveRecord: 0.1ms)
+   (0.1ms)  rollback transaction
+   (0.1ms)  begin transaction
+-------------------------------------------------------------------------
+Knock::AuthTokenTest: test_verify_audience_when_token_audience_is_present
+-------------------------------------------------------------------------
+   (0.1ms)  rollback transaction
+   (0.1ms)  begin transaction
+-------------------------------------------------
+Knock::AuthTokenTest: test_encode_tokens_with_RSA
+-------------------------------------------------
+   (0.1ms)  rollback transaction
+   (0.1ms)  begin transaction
+-------------------------------------------
+Knock::AuthTokenTest: test_verify_algorithm
+-------------------------------------------
+   (0.1ms)  rollback transaction
+   (0.1ms)  begin transaction
+----------------------------------------------------
+Knock::AuthTokenTest: test_decode_RSA_encoded_tokens
+----------------------------------------------------
+  User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
+   (0.1ms)  rollback transaction
+   (0.1ms)  begin transaction
+-------------------------------------------------------------------------------------------
+ProtectedResourcesControllerTest: test_responds_with_unauthorized_with_invalid_token_in_url
+-------------------------------------------------------------------------------------------
+  User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
+Processing by ProtectedResourcesController#index as HTML
+  Parameters: {"token"=>"invalid"}
+Filter chain halted as :authenticate rendered or redirected
+Completed 401 Unauthorized in 0ms (ActiveRecord: 0.0ms)
+   (0.1ms)  rollback transaction
    (0.1ms)  begin transaction
 -----------------------------------------------------------------
 ProtectedResourcesControllerTest: test_responds_with_unauthorized
 -----------------------------------------------------------------
+  User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
+Processing by ProtectedResourcesController#index as HTML
+Filter chain halted as :authenticate rendered or redirected
+Completed 401 Unauthorized in 0ms (ActiveRecord: 0.0ms)
+   (0.1ms)  rollback transaction
+   (0.1ms)  begin transaction
+----------------------------------------------------------------------------------------------
+ProtectedResourcesControllerTest: test_responds_with_unauthorized_with_invalid_token_in_header
+----------------------------------------------------------------------------------------------
+  User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
 Processing by ProtectedResourcesController#index as HTML
 Filter chain halted as :authenticate rendered or redirected
 Completed 401 Unauthorized in 0ms (ActiveRecord: 0.0ms)
    (0.1ms)  rollback transaction
    (0.1ms)  begin transaction
------------------------------------------------------------------------------
-ProtectedResourcesControllerTest: test_responds_with_success_if_authenticated
------------------------------------------------------------------------------
-  User Load (0.2ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
+------------------------------------------------------------------------------
+ProtectedResourcesControllerTest: test_responds_with_success_with_token_in_url
+------------------------------------------------------------------------------
+  User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
 Processing by ProtectedResourcesController#index as HTML
+  Parameters: {"token"=>"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NTE3OTM4NzQsImF1ZCI6bnVsbCwic3ViIjo5ODAxOTA5NjJ9.o7HWlffQZN6ss8gZk4Nyl70T8TXpNFoVhr3lBZ5Jvnc"}
   User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
-Completed 200 OK in 2ms (ActiveRecord: 0.1ms)
+Completed 200 OK in 1ms (ActiveRecord: 0.1ms)
    (0.1ms)  rollback transaction
-   (0.0ms)  begin transaction
+   (0.1ms)  begin transaction
 ------------------------------------------------------------------------------
 ProtectedResourcesControllerTest: test_has_a_current_user_after_authentication
 ------------------------------------------------------------------------------
   User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
 Processing by ProtectedResourcesController#index as HTML
-  User Load (0.0ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
-Completed 200 OK in 0ms (ActiveRecord: 0.0ms)
+  User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
+Completed 200 OK in 1ms (ActiveRecord: 0.1ms)
    (0.1ms)  rollback transaction
    (0.1ms)  begin transaction
-------------------------------------------------------
-Knock::AuthTokenControllerTest: test_responds_with_201
-------------------------------------------------------
+---------------------------------------------------------------------------------------
+ProtectedResourcesControllerTest: test_responds_with_success_with_valid_token_in_header
+---------------------------------------------------------------------------------------
   User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
-Processing by Knock::AuthTokenController#create as HTML
-  Parameters: {"auth"=>{"email"=>"one@example.net", "password"=>"[FILTERED]"}}
-  User Load (0.2ms)  SELECT  "users".* FROM "users" WHERE "users"."email" = ? LIMIT 1  [["email", "one@example.net"]]
-  User Load (0.0ms)  SELECT  "users".* FROM "users" WHERE "users"."email" = ? LIMIT 1  [["email", "one@example.net"]]
-Completed 201 Created in 3ms (Views: 0.2ms | ActiveRecord: 0.2ms)
-   (0.1ms)  rollback transaction
-   (0.1ms)  begin transaction
------------------------------------------------------------------------------
-Knock::AuthTokenControllerTest: test_responds_with_404_if_password_is_invalid
------------------------------------------------------------------------------
+Processing by ProtectedResourcesController#index as HTML
   User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
-Processing by Knock::AuthTokenController#create as HTML
-  Parameters: {"auth"=>{"email"=>"one@example.net", "password"=>"[FILTERED]"}}
-  User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."email" = ? LIMIT 1  [["email", "one@example.net"]]
-Completed 404 Not Found in 2ms (ActiveRecord: 0.1ms)
-   (0.1ms)  rollback transaction
-   (0.0ms)  begin transaction
------------------------------------------------------------------------------
-Knock::AuthTokenControllerTest: test_responds_with_404_if_user_does_not_exist
------------------------------------------------------------------------------
-Processing by Knock::AuthTokenController#create as HTML
-  Parameters: {"auth"=>{"email"=>"wrong@example.net", "password"=>"[FILTERED]"}}
-  User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."email" = ? LIMIT 1  [["email", "wrong@example.net"]]
-Completed 404 Not Found in 1ms (ActiveRecord: 0.1ms)
+Completed 200 OK in 1ms (ActiveRecord: 0.1ms)
    (0.1ms)  rollback transaction
    (0.1ms)  begin transaction
----------------------------------------
-KnockTest: test_setup_block_yields_self
----------------------------------------
-   (0.0ms)  rollback transaction
+--------------------------------------------------
+CurrentUsersControllerTest: test_responds_with_200
+--------------------------------------------------
+  User Load (0.2ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
+Processing by CurrentUsersController#show as HTML
+  User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
+Completed 200 OK in 1ms (ActiveRecord: 0.1ms)
+   (0.1ms)  rollback transaction
    (0.1ms)  begin transaction
+---------------------------------------------------------------------------
+CurrentUsersControllerTest: test_responds_with_404_if_user_is_not_logged_in
+---------------------------------------------------------------------------
+  User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 980190962]]
+Processing by CurrentUsersController#show as HTML
+Completed 404 Not Found in 0ms (ActiveRecord: 0.0ms)
+   (0.1ms)  rollback transaction
+   (0.1ms)  begin transaction
 ----------------------------------------------------------------
 InstallGeneratorTest: test_Assert_all_files_are_properly_created
 ----------------------------------------------------------------
-   (0.1ms)  rollback transaction
+   (0.1ms)  rollback transaction
+   (0.1ms)  begin transaction
+---------------------------------------
+KnockTest: test_setup_block_yields_self
+---------------------------------------
+   (0.1ms)  rollback transaction

data/test/dummy/test/controllers/current_users_controller_test.rb

@@ -0,0 +1,23 @@
+require 'test_helper'
+
+class CurrentUsersControllerTest < ActionController::TestCase
+  setup do
+    @user = users(:one)
+    @token = Knock::AuthToken.new(payload: { sub: @user.id }).token
+  end
+
+  def authenticate token: @token
+    @request.env['HTTP_AUTHORIZATION'] = "Bearer #{token}"
+  end
+
+  test "responds with 404 if user is not logged in" do
+    get :show
+    assert_response :not_found
+  end
+
+  test "responds with 200" do
+    authenticate
+    get :show
+    assert_response :success
+  end
+end

data/test/dummy/test/controllers/protected_resources_controller_test.rb

@@ -1,10 +1,13 @@
 require 'test_helper'
 
 class ProtectedResourcesControllerTest < ActionController::TestCase
-  def authenticate
+  def setup
     @user = users(:one)
     @token = Knock::AuthToken.new(payload: { sub: @user.id }).token
-    @request.env['HTTP_AUTHORIZATION'] = "Bearer #{@token}"
+  end
+
+  def authenticate token: @token
+    @request.env['HTTP_AUTHORIZATION'] = "Bearer #{token}"
   end
 
   test "responds with unauthorized" do
@@ -12,12 +15,28 @@ class ProtectedResourcesControllerTest < ActionController::TestCase
     assert_response :unauthorized
   end
 
-  test "responds with success if authenticated" do
+  test "responds with success with valid token in header" do
     authenticate
     get :index
     assert_response :success
   end
 
+  test "responds with unauthorized with invalid token in header" do
+    authenticate token: "invalid"
+    get :index
+    assert_response :unauthorized
+  end
+
+  test "responds with success with token in url" do
+    get :index, token: @token
+    assert_response :success
+  end
+
+  test "responds with unauthorized with invalid token in url" do
+    get :index, token: "invalid"
+    assert_response :unauthorized
+  end
+
   test "has a current_user after authentication" do
     authenticate
     get :index

data/test/model/knock/auth_token_test.rb

@@ -0,0 +1,51 @@
+require 'test_helper'
+require 'jwt'
+
+module Knock
+  class AuthTokenTest < ActiveSupport::TestCase
+    test "verify algorithm" do
+      Knock.token_signature_algorithm = 'RS256'
+      key = Knock.token_secret_signature_key.call
+
+      token = JWT.encode({sub: '1'}, key, 'HS256')
+
+      assert_raises(JWT::IncorrectAlgorithm) {
+        AuthToken.new(token: token)
+      }
+    end
+
+    test "decode RSA encoded tokens" do
+      user = users(:one)
+      rsa_private = OpenSSL::PKey::RSA.generate 2048
+      Knock.token_public_key = rsa_private.public_key
+      Knock.token_signature_algorithm = 'RS256'
+
+      token = JWT.encode({sub: user.id}, rsa_private, 'RS256')
+
+      assert_nothing_raised { AuthToken.new(token: token) }
+    end
+
+    test "encode tokens with RSA" do
+      rsa_private = OpenSSL::PKey::RSA.generate 2048
+      Knock.token_secret_signature_key = -> { rsa_private }
+      Knock.token_signature_algorithm = 'RS256'
+
+      token = AuthToken.new(payload: {sub: '1'}).token
+
+      payload, header = JWT.decode token, rsa_private.public_key, true
+      assert_equal payload['sub'], '1'
+      assert_equal header['alg'], 'RS256'
+    end
+
+    test "verify audience when token_audience is present" do
+      Knock.token_audience = 'bar'
+      key = Knock.token_secret_signature_key.call
+
+      token = JWT.encode({sub: 'foo'}, key, 'HS256')
+
+      assert_raises(JWT::InvalidAudError) {
+        AuthToken.new token: token
+      }
+    end
+  end
+end

data/test/test_helper.rb

@@ -21,3 +21,18 @@ if ActiveSupport::TestCase.respond_to?(:fixture_path=)
   ActiveSupport::TestCase.fixture_path = File.expand_path("../fixtures", __FILE__)
   ActiveSupport::TestCase.fixtures :all
 end
+
+# Make sure knock global configuration is reset before every tests
+# to avoid order dependent failures.
+class ActiveSupport::TestCase
+  setup :reset_knock_configuration
+
+  private
+
+  def reset_knock_configuration
+    Knock.token_signature_algorithm = 'HS256'
+    Knock.token_secret_signature_key = -> { Rails.application.secrets.secret_key_base }
+    Knock.token_public_key = nil
+    Knock.token_audience = nil
+  end
+end

data/test/tmp/config/initializers/knock.rb

@@ -18,8 +18,10 @@ Knock.setup do |config|
   ## AuthTokenController parameters. It also uses the same variable to enforce
   ## permitted values in the controller.
   ##
+  ## You must raise ActiveRecord::RecordNotFound if the resource cannot be retrieved.
+  ##
   ## Default:
-  # self.current_user_from_handle = -> (handle) { User.find_by! Knock.handle_attr => handle }
+  # config.current_user_from_handle = -> (handle) { User.find_by! Knock.handle_attr => handle }
 
   ## Current user retrieval when validating token
   ## --------------------------------------------
@@ -28,6 +30,8 @@ Knock.setup do |config|
   ## By default, it assumes you have a model called `User` and that
   ## the user_id is stored in the 'sub' claim.
   ##
+  ## You must raise ActiveRecord::RecordNotFound if the resource cannot be retrieved.
+  ##
   ## Default:
   # config.current_user_from_token = -> (claims) { User.find claims['sub'] }
 
@@ -44,7 +48,7 @@ Knock.setup do |config|
   ## Audience claim
   ## --------------
   ##
-  ## Configure the audience claim to indentify the recipients that the token
+  ## Configure the audience claim to identify the recipients that the token
   ## is intended for.
   ##
   ## Default:
@@ -53,6 +57,13 @@ Knock.setup do |config|
   ## If using Auth0, uncomment the line below
   # config.token_audience = -> { Rails.application.secrets.auth0_client_id }
 
+  ## Signature algorithm
+  ## -------------------
+  ##
+  ## Configure the algorithm used to encode the token
+  ##
+  ## Default:
+  # config.token_signature_algorithm = 'HS256'
 
   ## Signature key
   ## -------------
@@ -65,4 +76,11 @@ Knock.setup do |config|
   ## If using Auth0, uncomment the line below
   # config.token_secret_signature_key = -> { JWT.base64url_decode Rails.application.secrets.auth0_client_secret }
 
+  ## Public key
+  ## ----------
+  ##
+  ## Configure the public key used to decode tokens, if required.
+  ##
+  ## Default:
+  # config.token_public_key = nil
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: knock
 version: !ruby/object:Gem::Version
-  version: 1.3.0
+  version: 1.4.0
 platform: ruby
 authors:
 - Arnaud MESUREUR
@@ -9,20 +9,20 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-07-23 00:00:00.000000000 Z
+date: 2016-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '4.2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - ! '>='
       - !ruby/object:Gem::Version
         version: '4.2'
 - !ruby/object:Gem::Dependency
@@ -93,6 +93,7 @@ files:
 - test/dummy/app/assets/javascripts/application.js
 - test/dummy/app/assets/stylesheets/application.css
 - test/dummy/app/controllers/application_controller.rb
+- test/dummy/app/controllers/current_users_controller.rb
 - test/dummy/app/controllers/protected_resources_controller.rb
 - test/dummy/app/helpers/application_helper.rb
 - test/dummy/app/models/user.rb
@@ -128,12 +129,14 @@ files:
 - test/dummy/public/422.html
 - test/dummy/public/500.html
 - test/dummy/public/favicon.ico
+- test/dummy/test/controllers/current_users_controller_test.rb
 - test/dummy/test/controllers/protected_resources_controller_test.rb
 - test/dummy/test/fixtures/users.yml
 - test/dummy/test/models/user_test.rb
 - test/fixtures/users.yml
 - test/generators/install_generator_test.rb
 - test/knock_test.rb
+- test/model/knock/auth_token_test.rb
 - test/test_helper.rb
 - test/tmp/config/initializers/knock.rb
 homepage: https://github.com/nsarno/knock
@@ -167,6 +170,7 @@ test_files:
 - test/dummy/app/assets/javascripts/application.js
 - test/dummy/app/assets/stylesheets/application.css
 - test/dummy/app/controllers/application_controller.rb
+- test/dummy/app/controllers/current_users_controller.rb
 - test/dummy/app/controllers/protected_resources_controller.rb
 - test/dummy/app/helpers/application_helper.rb
 - test/dummy/app/models/user.rb
@@ -202,11 +206,13 @@ test_files:
 - test/dummy/public/422.html
 - test/dummy/public/500.html
 - test/dummy/public/favicon.ico
+- test/dummy/test/controllers/current_users_controller_test.rb
 - test/dummy/test/controllers/protected_resources_controller_test.rb
 - test/dummy/test/fixtures/users.yml
 - test/dummy/test/models/user_test.rb
 - test/fixtures/users.yml
 - test/generators/install_generator_test.rb
 - test/knock_test.rb
+- test/model/knock/auth_token_test.rb
 - test/test_helper.rb
 - test/tmp/config/initializers/knock.rb