RubyGems - lp_token_auth - Versions diffs - 1.0.0 → 2.0.0 - Mend

lp_token_auth 1.0.0 → 2.0.0

Files changed (9) hide show

checksums.yaml +4 -4
data/Gemfile.lock +12 -10
data/README.md +4 -0
data/lib/generators/lp_token_auth/rsa_generator.rb +17 -0
data/lib/lp_token_auth/core.rb +16 -2
data/lib/lp_token_auth/version.rb +1 -1
data/lp_token_auth.gemspec +2 -1
data/migration-guide.md +20 -0
metadata +25 -9

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 59c0d31cd9c148207586c1f0c31022d4575cda78cf5df1563d430e23bd0841f6
-  data.tar.gz: af9418070c5b8a6d13d9a39e47a836373491958eb35a84af4409cdc498f6fdbf
+  metadata.gz: c9ad11f1250f5fe138d57dd234bd1be887dd681c180c9c845fa47e2e105bd523
+  data.tar.gz: ca8ceee02fcb2a82bf8f8674aa2f512178ff8b4c1803dd436eaa295ea3b94e3b
 SHA512:
-  metadata.gz: 7d1aa825486f5c3468eb1de6ddc876dc513b2ebb4a48342303a055aa014e56c8e78caefae5e916707c3398a4689f6dfde0bf3ca9fc6e0c5186564f8261c23f4b
-  data.tar.gz: 8e80ae686d1778a1518cc0c48d9b7818ad19e927be3c77a8ce4b99cf3515e011fa99b3cde4b49a813931261810bb6911028172db1c8db5d1ad94af8fbca21727
+  metadata.gz: ce31eea46cef645deeef72b92dce9b26844f407edc87190304bdd2eb39dfcbc39d0fc3b6fa69149df591c345c5aee06254facabd433aa63202a0e1435f4fa710
+  data.tar.gz: 84f50dca0334a2fb83a9efa1a93145fffe5e544a83cde1d24bec7e8d3ecb2a6f5d307755d10e3d598c82a1a069bdc33e09ac3de764f1b10d43e264605d3d647e

data/Gemfile.lock CHANGED Viewed

@@ -1,24 +1,26 @@
 PATH
   remote: .
   specs:
-    lp_token_auth (0.3.0)
+    lp_token_auth (2.0.0)
+      jwe (~> 0.4.0)
       jwt (>= 1.5.6)
 GEM
   remote: https://rubygems.org/
   specs:
-    codeclimate-test-reporter (1.0.5)
-      simplecov
+    codeclimate-test-reporter (1.0.9)
+      simplecov (<= 0.13)
     docile (1.1.5)
-    json (2.0.3)
-    jwt (1.5.6)
-    minitest (5.10.2)
-    rake (10.5.0)
+    json (2.5.1)
+    jwe (0.4.0)
+    jwt (2.2.3)
+    minitest (5.14.4)
+    rake (12.3.3)
     simplecov (0.13.0)
       docile (~> 1.1.0)
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.0)
+    simplecov-html (0.10.2)
 PLATFORMS
   ruby
@@ -27,8 +29,8 @@ DEPENDENCIES
   codeclimate-test-reporter (~> 1.0.0)
   lp_token_auth!
   minitest (~> 5.10, >= 5.10.1)
-  rake (~> 10.4, >= 10.4.2)
+  rake (~> 12.3, >= 12.3.3)
   simplecov
 BUNDLED WITH
-   1.16.1
+   2.2.17

data/README.md CHANGED Viewed

@@ -9,6 +9,7 @@ Simple token authentication logic with JWTs for Rails apps. No baked in routing,
 * [Installation](#installation)
 * [Usage](#usage)
 * [Examples](#examples)
+* [Migration Guide](#migration-guide)
 ## Installation
 Add this line to your application's Gemfile:
@@ -46,6 +47,9 @@ Or install it yourself as:
   + `current_user` - This returns the current user identified by `authenticate!`. It is available after logging in the user or authenticating.
 3. All errors will return an instance of `LpTokenAuth::Error`
+## Migration Guide
+[Migration Guide](https://github.com/LaunchPadLab/lp_token_auth/blob/master/migration-guide.md)
 ## Examples
 ### Controller
 ```

data/lib/generators/lp_token_auth/rsa_generator.rb ADDED Viewed

@@ -0,0 +1,17 @@
+require 'openssl'
+module LpTokenAuth
+  module Generators
+    class RsaGenerator < Rails::Generators::Base
+      desc 'Generate an RSA key and add to Gemfile'
+      def generate_rsa
+        key = OpenSSL::PKey::RSA.generate(2048)
+        arr = key.to_s.split("\n")
+        str = arr.join("\\n")
+        puts str
+      end
+    end
+  end
+end

data/lib/lp_token_auth/core.rb CHANGED Viewed

@@ -1,4 +1,5 @@
 require 'jwt'
+require 'jwe'
 require 'lp_token_auth/error'
 module LpTokenAuth
@@ -21,19 +22,22 @@ module LpTokenAuth
         payload[:exp] = (Time.now + LpTokenAuth.config.get_option(:expires) * 60 * 60).to_i
       end
-      JWT.encode(
+      jwt = JWT.encode(
         payload,
         LpTokenAuth.config.get_option(:secret),
         LpTokenAuth.config.get_option(:algorithm)
       )
+      JWE.encrypt(jwt, private_key, enc: ENV['JWE_ENCRYPTION'] || 'A256GCM')
     end
     # Decodes the JWT token
     # @param [String] token the token to decode
     # @raise [LpTokenAuth::Error] if the token is expired, or if any errors occur during decoding
     # @return [Array] decoded token
-    def decode!(token)
+    def decode!(encrypted_token)
       begin
+        token = JWE.decrypt(encrypted_token, private_key)
         JWT.decode(
           token,
           LpTokenAuth.config.get_option(:secret),
@@ -56,5 +60,15 @@ module LpTokenAuth
         raise LpTokenAuth::Error, "id must be a string or integer, you provided #{id}"
       end
     end
+    private
+    def private_key
+        raise LpTokenAuth::Error, 'You do not have a private key.' if ENV['JWE_PRIVATE_KEY'].nil?
+        OpenSSL::PKey::RSA.new(ENV['JWE_PRIVATE_KEY'].split("\\n").join("\n"))
+      rescue OpenSSL::PKey::RSAError => msg
+        raise LpTokenAuth::Error, 'Your private key is formatted incorrectly.'
+    end
   end
 end

data/lib/lp_token_auth/version.rb CHANGED Viewed

@@ -1,4 +1,4 @@
 module LpTokenAuth
   # Current version of LpTokenAuth
-  VERSION = '1.0.0'.freeze
+  VERSION = '2.0.0'.freeze
 end

data/lp_token_auth.gemspec CHANGED Viewed

@@ -16,6 +16,7 @@ Gem::Specification.new do |s|
   s.files                 = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
   s.add_dependency        'jwt', '>= 1.5.6'
-  s.add_development_dependency 'rake', '~> 10.4', '>= 10.4.2'
+  s.add_dependency        'jwe', '~> 0.4.0'
+  s.add_development_dependency 'rake', '~> 12.3', '>= 12.3.3'
   s.add_development_dependency 'minitest', '~> 5.10', '>= 5.10.1'
 end

data/migration-guide.md ADDED Viewed

@@ -0,0 +1,20 @@
+# Migration Guide
+*Note: this guide assumes you are upgrading from LP Token Auth from v1 to v2. This update pertains to the gem `lp_token_auth`. If you want to continue using the previous version of the gem, point the gem to the correct github branch, as found here: https://bundler.io/guides/git.html*
+The purpose of this update is to increase the security of our JWT payloads by using JWE.
+This version change will end all user sessions. This will requre users to sign in upon implementing the changes. All other features of previous authentication, such as duration are not affected. Aside from re-signing in, users will not be affected.
+This version contains the following breaking changes:
+1. Includes the [jwe](https://github.com/jwt/ruby-jwe) gem. This will require a `bundle update` to install this gem.
+2. Requires 1 new environment variable and an optional environment variable to specify the encryption.
+   `JWE_PRIVATE_KEY` contains an RSA key.
+   `JWE_ENCRYPTION` is optional and specifies the encryption used. The default encryption is `A256GCM`.
+The RSA key is generated by running `bundle exec rails generate lp_token_auth:rsa`. This rake task will output a formatted RSA key to your console.
+**Common Pitfalls in Copy and Pasting RSA Keys**
+The generated RSA key is formatted as a string on a single line with newline characters (\n) at the end of each line. Commonly, there are errors in copy and pasting a string without explicit newline characters. The single line string with newline characters included should avoid most of these errors.
+Please keep in mind this is for the most common use case of using the `JWE_PRIVATE_KEY` in the `.env.[environment]` file. If you are encountering an error during your migration, consider the format of your RSA string.

metadata CHANGED Viewed

@@ -1,11 +1,11 @@
 --- !ruby/object:Gem::Specification
 name: lp_token_auth
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 2.0.0
 platform: ruby
 authors:
 - Dave Corwin
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
 date: 2017-02-03 00:00:00.000000000 Z
@@ -24,26 +24,40 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 1.5.6
+- !ruby/object:Gem::Dependency
+  name: jwe
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.4.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.4'
+        version: '12.3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 10.4.2
+        version: 12.3.3
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.4'
+        version: '12.3'
     - - ">="
       - !ruby/object:Gem::Version
-        version: 10.4.2
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
   name: minitest
   requirement: !ruby/object:Gem::Requirement
@@ -80,6 +94,7 @@ files:
 - README.md
 - Rakefile
 - lib/generators/lp_token_auth/install_generator.rb
+- lib/generators/lp_token_auth/rsa_generator.rb
 - lib/generators/lp_token_auth/templates/initializer.rb.erb
 - lib/lp_token_auth.rb
 - lib/lp_token_auth/config.rb
@@ -88,11 +103,12 @@ files:
 - lib/lp_token_auth/error.rb
 - lib/lp_token_auth/version.rb
 - lp_token_auth.gemspec
+- migration-guide.md
 homepage: https://github.com/launchpadlab/lp_token_auth
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -107,8 +123,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.1.4
-signing_key:
+rubygems_version: 3.2.17
+signing_key:
 specification_version: 4
 summary: Auth!
 test_files: []