moj-simple-jwt-auth 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: '069216a49c032609b1b2d4bb2b9fa9841efb7ff086d6eabec5f5f3394be7c6f7'
+  data.tar.gz: 6d6571c76a08ca15844b6e3251f900f53fcdcf981b90f3a5509835b80acf4306
+SHA512:
+  metadata.gz: 1dfe076548da296f2233ae2b1103c01e5dad5940cbd6a2133b35258f41a24b36fe785681f940d191c57f3a1d92de96dbd968746a986f3e2a958e8150552644da
+  data.tar.gz: ff1c2a743a8f8d03c2a3f9d61cf8ba423e38fbd3b07847a85c7e78d5cd04c81c74615ee39baab1a3af233c87c87fb0651a9e95c873feb1336bbf4731d0aeb76e

data/.github/workflows/main.yml

@@ -0,0 +1,28 @@
+name: Tests
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    name: Testing with Ruby ${{ matrix.ruby }}
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby: ['3.0.4', '3.1.2']
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Set up Ruby
+      uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: ${{ matrix.ruby }}
+        bundler-cache: true
+
+    - name: Run the default task
+      run: bundle exec rake

data/.gitignore

@@ -0,0 +1,11 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+.rspec_status
+*.gem

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,24 @@
+AllCops:
+  TargetRubyVersion: 3.0
+  SuggestExtensions: false
+  NewCops: enable
+  Exclude:
+    - 'spec/**/*'
+    - 'vendor/**/*'
+    - 'vendor/bundle/**/*'
+
+####################################
+## Customization for this project ##
+####################################
+
+Style/Documentation:
+  Enabled: false
+
+Style/MultilineIfModifier:
+  Enabled: false
+
+Metrics/AbcSize:
+  Max: 20
+
+Metrics/MethodLength:
+  Max: 14

data/Gemfile

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+gemspec
+
+gem 'rake'
+gem 'rspec'
+gem 'rubocop'
+gem 'simplecov'
+
+# Transient dependencies, not part of the final gem
+# Used for the middleware classes
+gem 'faraday'
+gem 'grape'

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 Ministry of Justice
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,51 @@
+# Simple JWT Auth ruby gem
+
+A basic wrapper around [ruby-jwt gem](https://github.com/jwt/ruby-jwt) that includes two middlewares, one for Faraday 
+to facilitate generating the JWT token and sending it in the Authorization Bearer header, and another for Grape to facilitate 
+the verification of this token and handling of the payload in the rack env.
+
+## Installation
+
+```ruby
+# directly from Github
+gem 'moj-simple-jwt-auth', github: 'ministryofjustice/moj-simple-jwt-auth'
+
+# or from RubyGems
+gem 'moj-simple-jwt-auth', '0.0.1'
+```
+
+You can lock it to a specific version, branch or sha if you want too.
+
+## Usage
+
+You need to configure the gem before you can use it. You can do this, for example with an initializer:
+
+```ruby
+require 'simple_jwt_auth'
+
+SimpleJwtAuth.configure do |config|
+  config.logger.level = Logger::DEBUG # default level is `info`
+  config.exp_seconds = 120 # default is 30 seconds
+  config.issuer = 'MyAppName' # only needed for consumers
+  config.secrets_config = { 'MyAppName' => 'qwerty' }
+end
+````
+
+For the **consumer** side, you usually only need to configure the `secrets_config` with one key (your issuer name) and one secret.  
+For the **producer** side (the API service for instance) you will need to configure a map of all allowed issuers with their corresponding secrets. 
+
+There are several options you can configure, like expiration, leeway, logging, and more. Please refer to the [Configuration class](lib/simple_jwt_auth/configuration.rb) for more details.
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `bundle exec rake` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+This gem uses rubocop and simplecov (at 100% coverage).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/ministryofjustice/moj-simple-jwt-auth.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+load 'tasks/rubocop.rake'
+
+task(:default).prerequisites << :rubocop
+task(:default).prerequisites << :spec

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require_relative '../lib/simple_jwt_auth'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/simple_jwt_auth/claims.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module SimpleJwtAuth
+  class Claims
+    include Traits::Configurable
+
+    def initialize
+      @now = Time.now.to_i
+    end
+
+    def merge(other_hash)
+      to_h.merge(other_hash)
+    end
+
+    def to_h
+      {
+        iat: @now,
+        exp: @now + config.exp_seconds,
+        iss: config.issuer
+      }
+    end
+  end
+end

data/lib/simple_jwt_auth/configuration.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module SimpleJwtAuth
+  class Configuration
+    attr_accessor :logger,
+                  :exp_seconds,
+                  :exp_leeway,
+                  :algorithm,
+                  :issuer,
+                  :secrets_config
+
+    def initialize
+      # Defaults to stdout and level info, can be configured
+      @logger = ::Logger.new($stdout)
+      @logger.level = ::Logger::INFO
+
+      # https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4
+      @exp_seconds = 30
+
+      # Small leeway to account for clock skew (seconds)
+      @exp_leeway = 10
+
+      # HMAC SHA-256 hash algorithm
+      @algorithm = 'HS256'
+
+      # A map of issuers and corresponding secrets
+      @secrets_config = {}
+    end
+  end
+
+  # Get current configuration
+  #
+  # @return [SimpleJwtAuth::Configuration] current configuration
+  #
+  def self.configuration
+    @configuration ||= Configuration.new
+  end
+
+  # Configure the gem
+  #
+  # Any attributes listed in +attr_accessor+ can be configured
+  #
+  # @example
+  #   SimpleJwtAuth.configure do |config|
+  #     config.issuer = 'MyApp'
+  #     config.exp_seconds = 120
+  #   end
+  #
+  def self.configure
+    yield configuration
+  end
+end

data/lib/simple_jwt_auth/decode.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module SimpleJwtAuth
+  class Decode
+    include Traits::Configurable
+
+    def initialize(token, options = {})
+      @token = token
+      @options = options
+    end
+
+    def call
+      JWT.decode(token, nil, true, options) do |_headers, payload|
+        issuer = payload['iss']
+
+        config.logger.debug "Decoding JWT token from issuer: #{issuer}"
+        secrets.secret_for(issuer)
+      end
+    end
+
+    private
+
+    attr_reader :token
+
+    def options
+      @options.merge(
+        required_claims: %w[iss iat exp],
+        algorithm: config.algorithm,
+        exp_leeway: config.exp_leeway,
+        nbf_leeway: config.exp_leeway,
+        iss: secrets.issuers,
+        verify_iss: true,
+        verify_iat: true
+      )
+    end
+  end
+end

data/lib/simple_jwt_auth/encode.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module SimpleJwtAuth
+  class Encode
+    include Traits::Configurable
+
+    def initialize(payload: {}, claims: {}, header_fields: {})
+      @payload = payload
+      @claims = claims
+      @header_fields = header_fields
+    end
+
+    def call
+      jwt_payload = payload.merge(claims)
+      issuer = jwt_payload.fetch(:iss)
+
+      config.logger.debug "Encoding JWT payload: #{jwt_payload}"
+
+      JWT.encode(
+        jwt_payload,
+        secrets.secret_for(issuer),
+        config.algorithm,
+        header_fields
+      )
+    end
+
+    private
+
+    attr_reader :payload, :header_fields
+
+    def claims
+      Claims.new.merge(@claims)
+    end
+  end
+end

data/lib/simple_jwt_auth/errors.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module SimpleJwtAuth
+  module Errors
+    class UndefinedIssuer < StandardError; end
+    class UnknownIssuer < StandardError; end
+  end
+end

data/lib/simple_jwt_auth/middleware/faraday/jwt.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module SimpleJwtAuth
+  module Middleware
+    module Faraday
+      class Jwt < ::Faraday::Middleware
+        AUTH_HEADER = 'Authorization'
+        AUTH_SCHEME = 'Bearer'
+
+        def initialize(app = nil, **kwargs)
+          @kwargs = kwargs
+          super(app)
+        end
+
+        def on_request(env)
+          env.request_headers[AUTH_HEADER] = [AUTH_SCHEME, jwt_token].join(' ')
+        end
+
+        private
+
+        def jwt_token
+          SimpleJwtAuth::Encode.new(**@kwargs).call
+        end
+      end
+    end
+  end
+end
+
+# :nocov:
+Faraday::Request.register_middleware(
+  jwt: SimpleJwtAuth::Middleware::Faraday::Jwt
+)
+# :nocov:

data/lib/simple_jwt_auth/middleware/grape/jwt.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+module SimpleJwtAuth
+  module Middleware
+    module Grape
+      class Jwt < ::Grape::Middleware::Auth::Base
+        ENV_AUTH_KEY = 'HTTP_AUTHORIZATION'
+        ENV_PAYLOAD_KEY = 'grape_jwt.payload'
+
+        def call(env)
+          return app.call(env) if test_env?(env)
+
+          token = env.fetch(ENV_AUTH_KEY, '').split.last
+
+          begin
+            payload, _header = SimpleJwtAuth::Decode.new(token).call
+            env[ENV_PAYLOAD_KEY] = payload
+
+            logger.debug "Authorized request, JWT payload: #{payload}"
+
+            app.call(env)
+          rescue JWT::DecodeError => e
+            logger.warn "Unauthorized request, JWT error: #{e.message}"
+
+            [401, { 'Content-Type' => 'application/json' }, [{ status: 401, error: e.message }.to_json]]
+          end
+        end
+
+        private
+
+        def test_env?(env)
+          env['rack.test'] == true
+        end
+
+        def logger
+          SimpleJwtAuth.configuration.logger
+        end
+      end
+    end
+  end
+end
+
+# :nocov:
+Grape::Middleware::Auth::Strategies.add(
+  :jwt, SimpleJwtAuth::Middleware::Grape::Jwt, ->(options) { [options] }
+)
+# :nocov:

data/lib/simple_jwt_auth/secrets.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module SimpleJwtAuth
+  class Secrets
+    def initialize(secrets)
+      @secrets = secrets
+    end
+
+    # Get all configured issuers
+    #
+    # @return [Array] list of configured issuers
+    #
+    def issuers
+      secrets.keys
+    end
+
+    # Get secret for a specific issuer
+    # Used when decoding, to retrieve the secret for an issuer
+    #
+    # @param issuer [String] The issuer to retrieve their secret
+    #
+    # @raise [SimpleJwtAuth::Errors::UndefinedIssuer]
+    # @raise [SimpleJwtAuth::Errors::UnknownIssuer]
+    #
+    # @return [String] issuer secret
+    #
+    def secret_for(issuer)
+      raise(
+        Errors::UndefinedIssuer, 'issuer has not been configured'
+      ) unless issuer
+
+      raise(
+        Errors::UnknownIssuer, "issuer `#{issuer}` is not recognized"
+      ) unless secrets.key?(issuer)
+
+      secrets.fetch(issuer)
+    end
+
+    private
+
+    attr_reader :secrets
+  end
+
+  # Get current secrets
+  #
+  # @return [SimpleJwtAuth::Secrets] current secrets
+  #
+  def self.secrets
+    @secrets ||= Secrets.new(configuration.secrets_config)
+  end
+end

data/lib/simple_jwt_auth/traits/configurable.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module SimpleJwtAuth
+  module Traits
+    module Configurable
+      private
+
+      def config
+        SimpleJwtAuth.configuration
+      end
+
+      def secrets
+        SimpleJwtAuth.secrets
+      end
+    end
+  end
+end

data/lib/simple_jwt_auth/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module SimpleJwtAuth
+  VERSION = '0.0.1'
+end

data/lib/simple_jwt_auth.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'jwt'
+require 'logger'
+
+require_relative 'simple_jwt_auth/version'
+require_relative 'simple_jwt_auth/configuration'
+require_relative 'simple_jwt_auth/secrets'
+require_relative 'simple_jwt_auth/errors'
+
+require_relative 'simple_jwt_auth/traits/configurable'
+
+require_relative 'simple_jwt_auth/claims'
+require_relative 'simple_jwt_auth/encode'
+require_relative 'simple_jwt_auth/decode'
+
+# Middleware helpers
+require_relative 'simple_jwt_auth/middleware/faraday/jwt' if defined?(Faraday)
+require_relative 'simple_jwt_auth/middleware/grape/jwt' if defined?(Grape)
+
+module SimpleJwtAuth
+end

data/lib/tasks/rubocop.rake

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+if Gem.loaded_specs.key?('rubocop')
+  require 'rubocop/rake_task'
+  RuboCop::RakeTask.new
+
+  task(:default).prerequisites << task(:rubocop)
+end

data/simple-jwt-auth.gemspec

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'simple_jwt_auth/version'
+
+Gem::Specification.new do |spec|
+  spec.name     = 'moj-simple-jwt-auth'
+  spec.version  = SimpleJwtAuth::VERSION
+
+  spec.authors  = ['Jesus Laiz']
+  spec.email    = ['zheileman@users.noreply.github.com']
+
+  spec.summary  = 'Simple JWT Auth ruby gem with middleware for Faraday and Grape.'
+  spec.homepage = 'https://github.com/ministryofjustice/moj-simple-jwt-auth'
+  spec.license  = 'MIT'
+
+  spec.metadata = {
+    'rubygems_mfa_required' => 'true'
+  }
+
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+  spec.required_ruby_version = '>= 3.0.0'
+
+  spec.add_dependency 'json'
+  spec.add_dependency 'jwt'
+end

metadata

@@ -0,0 +1,95 @@
+--- !ruby/object:Gem::Specification
+name: moj-simple-jwt-auth
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Jesus Laiz
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2023-02-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description:
+email:
+- zheileman@users.noreply.github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/main.yml"
+- ".gitignore"
+- ".rspec"
+- ".rubocop.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/simple_jwt_auth.rb
+- lib/simple_jwt_auth/claims.rb
+- lib/simple_jwt_auth/configuration.rb
+- lib/simple_jwt_auth/decode.rb
+- lib/simple_jwt_auth/encode.rb
+- lib/simple_jwt_auth/errors.rb
+- lib/simple_jwt_auth/middleware/faraday/jwt.rb
+- lib/simple_jwt_auth/middleware/grape/jwt.rb
+- lib/simple_jwt_auth/secrets.rb
+- lib/simple_jwt_auth/traits/configurable.rb
+- lib/simple_jwt_auth/version.rb
+- lib/tasks/rubocop.rake
+- simple-jwt-auth.gemspec
+homepage: https://github.com/ministryofjustice/moj-simple-jwt-auth
+licenses:
+- MIT
+metadata:
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.0.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.7
+signing_key:
+specification_version: 4
+summary: Simple JWT Auth ruby gem with middleware for Faraday and Grape.
+test_files: []